What’s Beyond Zero Trust?

Hackers take their time finding weak points, entering our personal and professional systems without our knowledge. It's estimated that in 2020, losses from cybercrime around the world were just under a trillion dollars. With the rapid changes to work over the last year, proper security is even more vital. As we settle into flexible work with multiple gadgets and devices, how can we stay secure? That’s where zero trust comes in. Security experts explain how this approach to security can stop data breaches and protect your information.

PODCAST | 25m
January 6, 2021
S2:Ep6

Executive summary

  • Understand how to secure a remote workforce
  • Listen to experts on common security mistakes made by remote workers
  • Learn about a zero trust security approach

Featured voices

Akhilesh Dhawan
Head of Product Marketing for Workspace Security
Citrix

Rob Sadowski
Trust and Security Marketing Lead
Google BeyondCorp

Geoff White
Freelance Technology Investigative Journalist

Melanie Green (host):

I got this text once, from my bank telling me $100 was deposited into my account. Naturally, I clicked the link in the body of the text. Because, free money right? It rerouted me to what looked like my online banking webpage. And at the time I was out running errands so I closed it and forgot about it. Later that day, I even remember checking my balance -- sort of hopeful that it had spiked. It hadn’t. Two months later, I’m looking at all my takeout charges on my banking app and thinking that I eat way too much ramen. But then I notice that my account is hundreds of dollars off. There are about 12 charges totalling $267 from places like Nebraska and Mexico City. I’ve never been to either so I sort of panic and call my bank. Turns out it was a scam. My bank froze my account and the funds were returned later. That link in the text? It was a phishing scheme that led hackers right to my banking information. I got off easy though. It’s estimated that cyber criminals steal more than a trillion dollars each year. That’s right, trillion with a “T”. And how does it happen? What’s the weak link in the system? Well, look in the mirror my friend. We are more gullible than we think. My name is Melanie Green. You’re listening to Remote Works, an original podcast by Citrix. We're back after a few weeks away with family and friends. In this episode, cyber security, how it relates to remote work, and how hackers nearly made off with over a billion dollars.

 

Geoff White:

Cyber crime is constantly evolving and there are new cyber crimes and so on. The key thing, the absolute bottom line, rock solid way hackers get in, is by emails. Sending out dodgy emails. It's the sort of germ-laden sneeze in the elevator.

 

Melanie Green (host):

That’s investigative journalist Geoff White. He has been on the cyber security beat for years. He’s seen it all -- he knows how hackers leverage our weaknesses to breach our security. And he’s got some great stories that show us just how easy it is - and how big the payoff can be for the bad guys. One of the biggest - and most unbelievable - stories Geoff covered in his work has become known as the Bangladesh Bank heist. It happened in 2015.

 

Melanie Green (host): Can you walk me through step by step the breach at the Bangladesh bank?

 

Geoff White: How long have you got? How many steps do you want to take?

 

Melanie Green (host): How long do you have Geoff? I could talk about this all day.

 

Geoff White: Bangladesh bank is the national bank of that country. They have billions of dollars of money. It is the country's store of money and a lot of their dollar reserves were stored in New York because basically Bangladesh Bank has accounts around the world including an account at the New York Fed in New York obviously and that’s where they keep their dollars.  So if Bangladesh bank wants to pay somebody in dollars, they use their account at the New York Fed and they tell the New York Fed, ‘please transfer X amount to person Y’ and they send those messages from Bangladesh bank to New York Bank via a thing called SWIFT.

 

Melanie Green (host):

SWIFT is short for The Society for Worldwide Interbank Financial Telecommunication. Just the name tells you that it’s legit. It’s basically how banks talk to each other and tell each other to make payments.  The hackers wanted to get access to the SWIFT system. But how? I mean, you’ve got to figure that a bank would have some serious security in place to protect those billions of dollars. Right?

 

Geoff White:

There was a phishing email. Depressingly enough this did work in 2015. According to the FBI, an email was sent to Bangladesh Bank from a job applicant saying I'd like a job. Here's my CV. It was in a zip file, which obviously makes things more difficult because, for antivirus to see behind a zip file, you have to download the zip file, unzip it, unpack it, let it execute and so on. So I think the zip file element of this was probably part of it. Employee downloads the zip file, unpacks it, gets infected. And so that’s January, February 2015, thereabouts. The hackers then spent a year before they actually took the money out. Which when you think about it, it's an incredibly risky thing to do.

 

Melanie Green (host):

So what were the hackers up to that year before they pulled the heist on the Bangladesh Bank? 

 

Geoff White:

What we now know, what we believe, is that that was the year in which they were lining up the bank accounts they were going to use to launder the money. They knew they could get into the Bangladesh bank. They knew they could steal some money, but where do we put it once we've stolen it? So then they phished their way around Bangladesh bank. They start looking for passwords. 'Cause if you think about it, who have they hacked there? They've hacked maybe a human resources person. That's who you're going to email your CV to. So gradually they start going from that computer they've hacked and they start bootstrapping their way around the organization, stealing a password here, logging into a computer there. Gets them more passwords. They gradually sort of escalate the privileges until they get to the computer that runs SWIFT, that's actually sending the SWIFT messages, which it seems was connected to the internet and probably shouldn't have been. But this allows the hackers to start sending SWIFT messages. So they are inside Bangladesh Bank systems. They then say to the bank in New York where the dollars are stored, please transfer, and then they had 36 different transactions totalling almost a billion dollars, 951 million dollars. Which was going to go out to 36 accounts around the world that the hackers, or people working with them, had set up to receive all of that money. So this was going to be the billion dollar bank heist.

 

Melanie Green (host):

Yes, a billion dollars. Imagine being that employee who clicked on the zip attachment.  You think to yourself - who would do that? Well, according to Rob Sadowski, a lot of us. Rob is the trust and security lead at Google Cloud. 

 

Rob Sadowski:

You know, as humans we’re naturally curious, you know, sometimes we want to click on a link that looks intriguing or we want to be helpful and respond to a call that, someone says they need help with something and they need a password. So you know, I think that we always have to recognize there will be times where this genuine human condition just leads us to do things that may not be the best things in terms of security. So what we can't do is rely completely on someone being who they say they are. In other words, we need to first have really, really strong authentication to establish again that a user is who he or she says they are, but we can't just rely on authentication and identity.

 

Melanie Green (host):

Rob Sadowski and Google’s BeyondCorp have partnered with Citrix to build something called “zero trust networks”.

 

Akhilesh Dhawan:

Zero trust security is kind of based on a principle of “never trust, always verify”.

 

Melanie Green (host):

Meet Akhilesh Dhawan.  He’s the Citrix Head of Product Marketing for Workspace Security. 

 

Akhilesh Dhawan:

There is no concept of a trusted user or a trusted URL or a trusted device which is true in the older models of security where I'm trusting you because you're using a managed device. Or if you're using a corporate device that you will do no wrong in the system after you log in. 

 

Melanie Green (host):

So zero trust is a way to prevent the kind of cyber hacking that allowed hackers to pull off their phishing scam and have direct access to the Bangladesh Bank’s billions. I’m sure that they were dreaming of mai-tais on the beach. But then….

 

Geoff White:

A couple of things went wrong. Firstly, some of the money went to the Philippines, 81 million dollars. It went to a bank in a street called Jupiter Street, which is in Manila. It's in the finance district. Jupiter happens to have also been on a U.S. government watch list for anti-terror money laundering kind of stuff.

 

Melanie Green (host):

That raised some alarm bells. Authorities took a closer look. 

 

Geoff White:

So people started looking through the transactions and going, ‘Hang on. These transactions are quite a lot of money’. New York Fed, who's texting back or messaging back to Bangladesh Bank saying, ‘Sure you want to transfer this money?’ The problem was the weekend in Bangladesh. Friday, Saturday is the weekend in Bangladesh. So as the New York Fed was messaging on a Friday, they weren't getting any response back from Bangladesh. So gradually the heist starts to grind to a halt, but 81 million dollars of the money slips through, ends up in four accounts in the Philippines.

 

Melanie Green (host):

That 81 million dollars - was then laundered through various casinos.

 

Geoff White:

What started it all off is an email sent by a job applicant with a CV attached. And somebody in Bangladesh bank clicked on the email and opened it.

 

Melanie Green (host):

So what’s the 81-million dollar lesson here? If you said, don’t open attachments from someone you don’t know, you’d be right -- but there’s more to learn. And a lot of it applies to remote work.

 

Geoff White:

What's interesting with people working from home is, they're more isolated. They're often working with each other digitally. I might send you an email that says, ‘Hey, you need to update your software.’ You know, click here, and you might think, Oh, well, you know, Geoff in a few days, but yeah, it looks like it comes from him. So that social engineering piece for people who work at home, a little more isolated from their organizations, their companies, and their colleagues, that social engineering stuff really sort of feeds in. And the other thing is, people working from home, they're disrupted, their working patterns are disrupted. So as a hacker, I might send somebody an email, you know, that they would spot instantly at work, as I say, update your settings here, or, you know, click here for your annual bonus report. At work you might look at that email and think, ‘Oh, that's, I'm not clicking on that. That's a phishing email.’ But at home, because you're working from home, because your company systems and processes are completely different to how they normally are, you might look and think, well, yeah, maybe our bonuses are being handed out via email. And maybe I do need to click that, because you're not quite sure what's normal. We’re in abnormal circumstances, all of us. And that I think the hackers are preying on in terms of social engineering, social manipulation.

 

Melanie Green (host):

Yeah, last week, I got an email from my boss that was a total phishing email, and I almost clicked the link. Me who already knows all of that information.

 

Geoff White:

It's easy to do. This is this thing, the tragedy of it is, you know, to use the cliche phrase - the hackers only have to be right once, whereas the defenders have to be right every time.

 

Melanie Green (host):

That’s scary -  The biggest vulnerability IS the human vulnerability. But zero trust may have an answer for that. 

 

Rob Sadowski:

We have to adhere to the good security principle of defense in depth, right? We have multiple layers of security or, in a zero trust sense, there are multiple things that we do in order to allow you to access a system or a resource. So for example, if a hacker is able to trick a user into revealing their credentials or revealing their password - but our system says, okay, you not only have to know the username and password, but you have to be coming in from a device that we know about, from a network location that we know about, or be coming in at a certain time of day - then the hacker basically has to have all of those things exactly right to be able to gain access to the system. So it's those multiple layers of security or those multiple layers of trust that we build in order to give that access. And so that's how we get around some of the potential human errors that can lead to security challenges.

 

Melanie Green (host):

But with so many of us moving out of the office, we’ve lost a big defence tool. When everyone is working together, you can create an internal network. It’s like your own walled digital city. That wall made it easier to keep hackers out.

 

Rob Sadowski:

We used to rely primarily on the network perimeter or the border to act as a border when we were in the office. So when you're in the office, you're on the corporate network, there's a lot of protection we can build into that network. So I guess the real question is, where do you put that perimeter? Where do you draw that border? It's not around the corporate network. It's not around the office. It's kinda that the perimeter has really disappeared. And so we have to have a mechanism to have the same level of protection, or hopefully even better protection, without relying on being on the corporate network and being inside an office. And that's really the security challenge that has come to the fore here in 2020.

 

Melanie Green (host):

But even with the best security, we humans have a way of being fooled.

 

Geoff White:

So you could do all these things, all these expensive systems changes to stop it happening. Or you can also educate your employees and say, look, if you get a CV from somebody, it's a zip file, please don't open it, send it to IT first.

 

Melanie Green (host):

So there’s a handy tip sheet on how not to get hacked.  And there’s another pretty clever way to suss out potential human error. It’s called ethical hacking. That’s Nick Aleks’ passion. He’s the CEO of Aleks Security Cyber Intelligence in Toronto. Nick is hired by companies to assess their security practices and systems so they can avoid being hacked like the Bangladesh Bank was. They do it by playing the role of hackers. They test clients' systems - and they test the people who use them. It can be as simple as sending an email.

 

Nick Aleks:

What we're seeing now are huge trends in phishing emails, where people spoofing executives at companies pretending to be your CEO. If people aren't careful in not seeing where this email’s coming from, they will give out their phone number and give out their information. And this will allow attackers to be able to start social engineering and getting people to divulge information.

 

Melanie Green (host): How does social engineering work?

 

Nick Aleks: It's an attack tailored to people's weaknesses. And people have a lot of weaknesses, whether it's fame, fortune, curiosity, fear. Every single day, we go through certain emotions that are easily exploited by people who have looked at our Facebook and LinkedIn profiles and really understand what our likes are, what our dislikes are, who our friends are, what activities we like and they can craft attacks that are very much sophisticated enough where we'd be susceptible to falling for them.

 

Melanie Green (host):

That’s all well and good. But we all know that hacking only happens to the “other guy” - like the poor employee who downloaded the fake CV from our bank robbers. But could WE be fooled? Well, there’s only one way to find out. We decided to try a little social experiment. A while back, we invited Nick to try to hack into somebody’s system. The potential victim?  Hmmm, who should it be? Oh, I know. My boss Geoff. Ready, set, attack!

 

Nick Aleks:

I originally started with a social engineering spear phishing attack where I registered for a domain that was very close to the one that he owns. So he has his own website and I registered one that was very similar to his. So I wanted to essentially create a fake website where I'd clone his website and then change around certain details. And then as I changed details of his website in the cloned version, I was going to send him an email saying, ‘Hey, Geoff, it seems like there was some suspicious activity on your website. Would you like to restore to the latest backup of your website? Because it looks like there were some unauthorized changes. To see what those unauthorized changes are click here.’ I was able to send out that email. I was able to see that he clicked the link. He got a good laugh out of seeing the changes on his website. 'Cause it just said Geoff has been hacked all over his website, so he laughed about it. He was about to click the backup button and he noticed that something was being downloaded onto his computer. Because his guard was up and he knew that this was coming, he never actually clicked that particular payload which would have given me access to his entire computer. So kudos to Geoff for not falling for it. But he was curious enough to click and open up the email as well as download the attachment.

 

Melanie Green (host): Given what you just said, I mean, what's the one thing that you wish the average person or employee knew?

 

Nick Aleks: If I can speak to every remote worker out there now, working remotely doesn't mean we can't uphold the same level of privacy and security for our customers. If we follow some really simple rules, we can ensure that customers' data is as protected and kept as private as if we were at the office. So try to avoid public wifi. You never know who's peering over your shoulder or who else might be on that network, sniffing packets and seeing what you're seeing. I'd also recommend that everyone keep their work data on their work computers.

 

Melanie Green (host):

Great tips from ethical hacker Nick Aleks. I admit I’ve spent many hours working at the local cafe while nursing a latte. I’ll stop using the free wifi. That’s a simple step I can take. But Akhilesh Dhawan says that security is not just about making employees follow rules. In fact, if security becomes too onerous, employees are tempted to - you know - just forget about it.

 

Akhilesh Dhawan:

So, our security over a period of time has gotten this reputation of getting in the way of getting work done.

 

Melanie Green (host):

That’s particularly relevant now that we’re working remotely.

 

Akhilesh Dhawan:

Now with the new way where, you know, most of the employees are remote, they’re already stressed out with a ton of things that they've been asked to do. A lot of these employees are struggling with so many things going around. And I think security, the way that it is implemented today, is just making it worse for them. They are not able to get their work done. They have to log in different times for certain applications. The experience of accessing those applications is not consistent. The devices they can use are not supported, and so on and so forth. And that is just adding to the stress levels for employees. And this is kind of the thing that we are looking at from Citrix: how do we help these employees and these customers improve the way that users can get their work done faster, keeping the security as an invisible force behind the scene, making sure that it doesn't stand in the way of getting the work done.

 

Melanie Green (host):

So Akhilesh and his team take that invisible, seamless kind of security seriously when it comes to remote work.  Specifically - what they want to avoid is employees having to log in from multiple plugins and access points.

 

Akhilesh Dhawan:

We are giving them one single access point. So that they can come one time to log in to Citrix Workspace and get access to all their applications, whether they are hosted in the data center or whether these applications are traditional virtual applications. So all of those applications can now be presented in your workspace. So that's one way we are looking at making lives easier for these employees. And now not only do they get unified access, but the look and feel is the same, it's the same security policies.

 

Melanie Green (host):

But what does it take to make employees' lives easier? It actually takes partnerships with companies working in this security space. The goal is to keep the infrastructure already in place, instead of having to rip out and replace with new ones.

 

Rob Sadowski:

I think that partnerships are essential because no one is going to be building a zero trust system from scratch. One of the key areas of partnerships is to make sure that security information, especially about people and devices, is able to be leveraged by a new zero trust system, a policy manager or policy controller, something like that. That's a key piece. Another thing is making sure that we can use zero trust models to protect all different types of resources. So whether it's an application, whether it's a virtual machine, you know, how do we do the connectivity between those things? That's another really important area of integration and partnerships, to make sure that everything that users might want to access - those systems, those apps, those resources - can all be part of a system like that. Security has to be user friendly because if it's not, what happens is that users look to circumvent it. No one wants to jump through hoops. As we're designing any system, right, not just a security system or an application, we have to, you know, we have to put the user first, we have to be user centric.

 

Akhilesh Dhawan:

So any device you're using, whether it's your Android or your iPhone, your Mac, Windows, you know, a lot of times you have all these different devices. But with Workspace, the look and feel, and the way you log in, is exactly the same across all devices. So you log in one time, on your device, and you can access all your applications, all your data, anything that you need for your corporate work to be done, you have everything in one place.

 

Melanie Green (host):

User friendly. One login. No surprises. That's going to cut down on a lot of frustration. And it's definitely going to keep us safer in this remote work world. But back to the eighty-one million dollar question for a moment.  I now know that even the tightest security comes up against its greatest vulnerability: the human psyche.  Zero trust really helps solve that problem. I can’t help but wonder though -- Is it even possible to be one hundred percent secure?  Can anonymous hackers pull off a billion dollar bank heist in the future? Geoff White says that’s the big question that companies grapple with these days.

 

Geoff White:

Possibly supercomputers will put us ahead of hacking for a little while, but hackers will sort of catch up to it. And the other thing is, you know, technology gets smarter. Human beings evolve considerably less quickly in my experience. So, you know, who's got the password to the supercomputer? Should I hack the supercomputer or should I try and trick the guy who's got the password into giving me the password? So I don't think anything can ever be secure, but a friend of mine, a contact of mine, came up with a great sort of phrase. I was saying, look, cybercrime is just there. It's a tax that you pay on modern life. We just got to accept this. And he said, it's like being a gardener, but you have to keep the weeds down. If you don't deal with the weeds in your garden, you just end up overrun by weeds. So, no, you're never going to get rid of all the weeds in your garden, but if you don't do something about it, you're just going to end up with a garden of weeds. In terms of our personal finances, our personal data and our security, we don't want to end up with a weed garden. So unfortunately you have to do the work, even though we know it's never going to be a hundred percent effective.

 

Melanie Green (host):

You’ve been listening to Remote Works, an original podcast by Citrix. Subscribe and come back in two weeks when we trace one woman’s path to burnout and the route she took to leave it behind. That’s at Citrix dot com slash remote works.