How Resilient Is Our Banking System? [ML B-Side]

What is the most critical of all critical infrastructure? Is it electricity? Water supply? According to Jeff Engle, CEO of Conquest Cyber, it's our banking and finance systems. Jeff spoke with Nate Nelson, our Senior Producer, about the resilience of our financial system, worst-case scenarios, and whether backups will be able to save our butts if and when.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Jeff Engle

President & CEO, Conquest Cyber

Business leader. Resiliency Evangelist. CISO & Board advisor. Risk management & Jiu Jitsu Black Belt. Special Operations Veteran.

How Resilient Is Our Banking System?

Transcription edited by John William Dall

[Ran] Hi and welcome to Cybereason's Malicious Life, B-Sides. My name is Ran Levi. Here in Malicious Life, we often talk about critical infrastructure in the context of cyber security: electricity, communications, hospitals and the like. We also covered the financial sector, but if Jeff Engle, our guest today, is right, we certainly didn't give the banking system the focus it deserves. Because according to Jeff, our financial system is the most critical of critical infrastructures, and he has some pretty good arguments going for him.

Jeff Engle is the CEO of Conquest Cyber, a firm specializing in cyber resiliency, and a special operations veteran. He spoke with Nate Nelson, our senior producer, about the resilience of our financial system. What are the worst-case scenarios for attacks on the banking system? Are security regulations good enough to face such threats, and will backups be able to save our butts – if and when?

Enjoy the interview.

——-

[Nate] Jeff, how about you tell the people a little about yourself.

[Jeff] So I'm Jeff Engle, I am the president of Conquest Cyber. My background, I grew up in the army. Came in pre-9/11, very recently pre-9/11, and then ended up spending most of my military career in Iraq with a little bit of time in Afghanistan and the Horn of Africa. Spent my formative years in special operations doing counterterrorism, counter-weapons of mass destruction, and then ended up at the Defense Threat Reduction Agency where I did mission assurance vulnerability assessments and did a little bit of time moonlighting, doing some cyber red team work.

[Nate] As a military guy, as a critical infrastructure guy, of everything you see out there, all the threats we face today to sectors at the core of how we live, which is the one that keeps you up the most at night? 

[Jeff] Financial services as a sector is definitely the one that gives me the greatest pause. When you look at the financial services sector specifically, the controls that have been put in place and the focus around cybersecurity and resiliency, I think are more mature than many of the other critical infrastructure sectors. So when you look at the specific individualized events and the resiliency that that sector has, I think it’s probably the most mature and greater than all of the other critical sectors. 

[Nate] Then what’s the issue?

[Jeff] The challenge of that sector and the reason it keeps me up at night is that while being the most mature, it has the greatest potential impact on the way that we live, at large. You could shut down a power grid in a particular area, and the people in that area are affected. The private companies who run those power grid elements, whether it be a primary district power distribution or other, are going to be impacted, and then there's going to be an appropriate response to bringing everything back online, and it'll be a blip on the radar. Similarly, we saw with water treatment in South Florida: the infection, the use of malware, was caught, thankfully. It was changing the sodium chloride content in the water supply. But even that was treated as an individual blip on the radar. If that were to be done at large across other critical sectors, whether, you know, it be ransomware, malware, other types of attack, it has significant implications, but it doesn't cause a complete collapse of our societal infrastructure.

Financial services has the potential to do that, and I think that that’s one of the reasons that it’s been given more attention and is more mature, but I’ve spent my career looking at these things. There’s nothing that can’t be defeated when given enough focus and attention, and that’s the sector that, if it were advantageous for an adversary to do what it takes to bring it down, it would be hard, if not impossible, for us to recover to the same way of life that we have today. 

[Nate] Spill it out, though. What is the real worst case scenario here?

[Jeff] The dollar stops being the international standard. The vast majority of the country goes into a state of poverty, and the US loses its place on the national stage, and the risks to all other aspects of American life increase significantly. 

[Nate] As terrifying as that sounds, Jeff, I've only ever heard of financial services providers being hacked in relatively superficial ways, like customer personal data is leaked, for example. With the tools and technologies we have available today, is the kind of scenario that you're describing there really plausible?

[Jeff] A hundred percent. The level of sophistication that adversaries have, we could have a significant event today. I believe the reason that there has not been a more significant event within the financial services sector is not by lack of ability, but the other side of this, lack of intent. So, to give you the specific example, SolarWinds, that was discovered not because there was broad-scale utilization of that attack access point, but because it was discovered by Mandiant, that post some investigations with the FBI, and then everybody started looking for it.

So that's an example of you place a capability into the ecosystem, and you don't activate it, because the implications of acting on that vulnerability go beyond the risk tolerance of the threat actor. So, do they have the ability today? A hundred percent. Do they have the intention today? No, because it's more valuable as a threat than it is dealing with the consequences of taking the action.

[Nate] All right. Let’s go into the details, because I think many of our listeners have an understanding of how IT networks work, how data flows between systems in a conventional sense. But I really don’t know how financial systems work. For example, my savings account, my retirement account, where is it sitting? Who has access to it? Who’s transmitting it to where? You know, can you map these data flows for me, so I can get a sense of how this whole sort of picture comes together?

[Jeff] At a high level, there's records of your accounts. Typically that record of your account, if it's being traded in the open market, which many of them are, not most. That system is typically managed by some entity, where they're tracking on a day-to-day basis the inputs, what's happening in the market with those specific accounts. All that is automated, right? And typically at the end of the trading day, that record is then sent to a repository to be able to record it and validate that this account should have seen this level of appreciation. And then that record is kept for historical purposes, to be able to start the next trading day.

So, that input-output process typically touches many hands. There’s the broker agent who’s determining where that money may go that day. It goes into the company’s system. It ends up being associated to a trading platform. That trading platform generates reporting at the end of the day, goes back in at the end of the night, and those records are then recorded. 

Now technically, the technical systems that are being used from that, those numbers are being passed all over the place. Many of the large financial institutions and record-keeping organizations, they’re using things like old IBM mainframes to do the record-keeping, and then they’re being passed through internet systems and internal company proprietary software that’s being developed and pushed over to trading systems that are tracking those on a day-to-day, moment-by-moment basis.

[Nate] For me, the most interesting thing that you just said there was how many hands this data passes through, because logically, that seems like it would mean that we have a really, kind of, wide attack surface in this industry. So, I’m not going to ask you to give people any tips or anything, but Jeff, could you tell me how an attacker theoretically would penetrate any given hole in this wide net?

[Jeff] The entrance into that system is really you transferring your money to somebody who's supposed to be managing it in the markets for you. That element has seen significant amounts of fraud. It's also possible for that element to be a nefarious insider who is part of a legitimate organization that may have nefarious intention to transfer money to siphon it off, to give false reports while they're pushing money out to bank accounts in the Caymans. At that point of entry, particularly in organizations that don't have major investments in robust monitoring of users and operate more on a, you know, "these are my trusted agents, they're part of my organization" basis, there's a high potential for nefarious activity to occur there and for that to result in one to 10 to 100+ individuals being impacted. And that obviously may have implications on that element of our financial services industry, if there's trust and confidence lost.

[Nate] And what about the sort of larger scale attacks?

[Jeff] So once you get past that level and that kind of entry point, the first transaction of your money into someone else’s hands, you know, it gets into their supply chain and who’s building and operating those software systems that they’re using to enable that tracking transfer and management, you know, of your money. That supply chain, you know, is as we’ve seen in recent time with things like SolarWinds and (Siemens) Gamesa and others, it’s susceptible to attack. It’s susceptible to both hacking from the outside and for manipulation by an insider that may want to have an impact on your ones and zeros, right?

So, even at that and that entry point, there’s both insider risk and, you know, supply chain compromise introduces a potential opportunity for somebody with ill intent to go and access your funds or manipulate that and ultimately could have major implications if there’s trust lost in that stage of the financial services process.

After you get past that level and you start to get into the transactions, right, you get away from the direct human interface of people who may actually know who you are and you get into a world where you're simply, you know, numbers and addresses, you know, and birth dates that identify you as a user. So, as you get into that world, the ability to go and verify that you're actually the one, without somebody compromising the official record, now becomes a more significant risk factor. At that stage, you're seeing a high potential for a nefarious insider or even a cicada-type model if you wanted to get into something that had more significant geopolitical implications.

And you can plant resources in those software companies that supply chain and inside of these organizations that are doing these transaction verifications and even in the IT elements of those organizations that have a level of access that if not properly tracked 100% of the time could result in them being able to manipulate both the data, you know, can enable more ransomware attacks, which impacts availability, they can release data if it was advantageous to them. But where it really starts to become potentially challenging for our way of life is when they start messing with the integrity of that system.

[Nate] So what do institutions do? How do they respond if that happens?

[Jeff] Really once you get past that initial threshold of "this is the broker that I work with" or "this is my community bank" and you get into that system, there's very little that can be done by those resources that actually have a relationship with you to protect you. And there's very little recourse for the, you know, the internal network there, that turn the financial system be able to really trace down what happened if it was done at a really large scale. So, when you look at the need for 100% coverage 24-7-365 and tracking both the internal and external attack surfaces, as well as the internal and external attack surface for your supply chain, you start to see that the problem there of doing that, it's very significant, if not insurmountable.

[Nate] And do these organizations understand this reality? Do they understand just how vulnerable they could potentially be?

[Jeff] Just to give you a specific example, the IRS had their FISMA IG report from 2021. And this is the, you know, they’ve got more access to your data and more connectivity to this financial system than probably any other organization. And their cybersecurity scores were basically not effective in supply chain risk management functions and not effective in the information systems continuous monitoring area.

[Nate] I imagine though that there must be some kind of fault tolerance here, right? Like institutions have, you know, like untouchable backups that they could rely on if that worst case scenario does come to fruition.

[Jeff] You know, there may be backups, there may be a system of record, you know, there may be some continuous monitoring, but the adversaries are evolving and technology is evolving more rapidly than the systems we’ve put in to defend against them. I have a saying that compliance significantly trails the broad realization of risk. So, if there’s basically attack mechanisms that are put in place that are not activated, right, that’s the whole cicada concept, right? And this is, like I mentioned earlier, if you want to really have a strong geopolitical tool, it’s the resources that you have in place that you could deploy that you don’t, that give me the greatest pause. And given the fact that technology is advancing so rapidly and adversaries are gaining traction, you know, on defenders so significantly, the fact that we have not been able to keep up with historical compliance requirements and regulations and maintain robust systems just means that that problem is getting worse every day.

So while there may be backups, those backups can just as easily be compromised. Most of the time backups are not actually resilient against the types of threats that an organization would face, you know, enabling a malicious actor to gain both access into the primary and the backup system at the same time just negates the value of the backup as it relates to that particular threat profile. It may be great if you get, you know, if you have a data center get hit by a hurricane and you can cut over, but if that persistent access that enables real-time, you know, duplication of that data is a mechanism for lateral movement for an adversary, your backup system isn't going to enable you to be any more resilient against that adversary than you would if that was your singular system.

So that's the struggle that exists, and why, even as this system is, you know, more mature, it's got more regulation, more oversight than many of the other sectors within critical infrastructure, it still keeps me up at night that there are so many hands on a transaction. There is so much regulation that becomes the focus, you know, so basically we're blocking the punch that was already thrown, rather than looking at what we should be designing our systems around in terms of the threats that are out there on the horizon.

[Nate] Am I to understand by that last point, what you mean is that because the cybersecurity regulations are so dense, organizations are more focused on meeting regulatory standards than doing the actual jobs of cybersecurity?

[Jeff] Absolutely. I think that compliance becomes an objective rather than an afterthought. As long as compliance is the objective, you're trying to keep up with what happened years ago rather than thinking about what you need to be dealing with today, whether or not your program is effective against the adversaries that lie in wait, they could be basically positioning to take the system down, and most organizations view it from their individual perspective. Can I protect my system? Can I avoid being the slowest gazelle? Can I meet my compliance requirements so I can keep the Feds off my back? And can I provide a great user experience for my customers? That is all important, but when you start to realize that there is no individual organization that can survive basically a broad-scale attack on the system, and the trust and confidence placed in that system, we should be driving towards more of an integrated security mesh across the financial services sectors, that looks at what's happening and what's coming on the horizon, and realizing that just because there isn't an actuation of the attack today, doesn't mean that there aren't people, both nefarious insiders, parts of the supply chain and outside actors, that are really positioning resources, doing intelligence preparation of their future battlefield and operational preparation of that environment, to be able to activate that sophisticated complex multi-staged attack to be able to bring down our financial system, as soon as it was in their political interest to do so.

[Nate] Okay, but do we know that or do we assume that because they must be?

[Jeff] I've spent the last 20 years thinking about the greatest threats to national security. So it started with weapons of mass destruction, counter-terrorism, counter-WMD, now cyber. And, when you see what's playing out on the world stage, when it is in the interests of an actor, to believe that that is not being pre-positioned with us, I think that's naive. When it was in China's political interest, they shut down the power grid in India. And when it was in Russia's interest, they were basically doing broad-scale malware attacks against Ukraine. So when you look at that and you take a step back, the reality of them being inside of our networks and being able to activate those types of attacks is something that would be hard to argue.

[Nate] All right. So then what should we be doing? What actions can be taken to start to remedy this problem?

[Jeff] So better information sharing, you know, better education. All of that is kind of the talking points of the cybersecurity industry. They are that for a reason, but I think there needs to be a mind-set shift in mobilization across all risk executives in the national critical functions to say, "we're going to have to take care of this stuff ourselves", because where the government is able to intervene, you know, when you're talking about hundreds of thousands of organizations, they will. But in many cases, they're not going to be able to provide the level of support and assistance needed.

[Nate] Jeff, is there any final point that you’d like to leave us with?

[Jeff] Absolutely. I think it's important to remember that there's constantly going to be threats. You know, there's nuclear missiles all over the world. There's counterterrorism organizations and elite special operations units, you know, in our country, as well as in those of our adversaries or potential adversaries. There are bad people out there who want to do bad things. But, why we do what we do, is to protect our way of life, which means that you don't have to sit there and constantly think about all the bad things that can happen or pull all of your money out of the bank, because you don't have confidence in, you know, cyber for our financial services. If we all realize that we're in kind of a state of quasi-war in cyberspace, it doesn't mean that everybody should be getting, you know, digging a foxhole and getting months' supplies of food and rations. It's really that we should be doing our part when we can and understand that sometimes the things that we do are more exploitable and more detrimental in response to fear than if we just let the people who are focused on this do their job. And then when it comes our time, we do our part.