How To Sign Arkansas Banking PDF

How to industry sign banking arkansas pdf myself

hi everyone we'll be waiting two to three minutes before starting the webinar to accommodate for the rest of the attendees who are in the middle of connecting welcome everyone thanks for joining us and thanks for being part of our community my name is valencia and i'll be your host for today just a few reminders before we start if you have a issues viewing the stream at any time during the presentation and you're using the web browser version of teams please refresh your browser if you use it the desktop app of themes please exit and rejoin please note that this webinar is being recorded and will be shared publicly we will post the recordings on our community at aka dot ms security webinars and all the links that i'll be referencing they're already published in the im q a site and where you can reference close the captions in several languages are available during the live broadcast and you can enable them by clicking on the cc button located at the lower right corner of your screen please feel free to ask questions at any time by typing them in the live event q a window simply by clicking on the ask question button be aware that any questions you post will be publicly visible uh however if you prefer you can post your question anonymously by checking the box right below where you entered we love to hear your feedback on how we can improve these webinars which you can do so at aka dot ms slash security webinar feedback i would also like to invite you to join our public community by visiting aka dot ms security community that's the best way to ensure you don't miss any future webinars or major announcements on our community you can speak directly to our engineering teams that create our security products you'll be able to influence our product designs and get early access to changes by doing things like participating in private previews which by the way you can sign up at aka dot ms security prp you can request features give feedback review our product roadmaps register for events or just join webinars like this we believe that the best way to improve our products is by removing any barriers between you and the people that create them so we hope you'll join us in the today's session eden coven will revisit here with us a costly lesson that is in cyber security history that is the billion-dollar central bank haste eden is a principal program manager with the azure security team and without further ado i'll turn it over to him eden the floor is yours thank you so much and good morning everyone for those in the us good afternoon good night for international audience and i'm so excited to be able to talk to you today about two of my favorite topics cyber security and international finance and i've come here today to share with you what i think is a not only a true story but really a mesmerizing story of what can happen when banks get their security wrong and it applies not only to banks but way beyond that as you will see this is an event that happened exactly five years ago so that makes it a very good opportunity to examine what happened and to learn from it with the benefit of hindsight i want to welcome you to bangladesh that is the venue of the day that is um the venue of the largest cyber bank heist to date bangladesh's you may or may not know is a developing country it's uh on the bay of bengal bordered by india to the west and myanmar to the east and it's uh not a big country by any means at least not territorially it's half the size of philadelphia you can see in this overlay and it's only a little larger than virginia but it's many many times more populated it's crowded it's poor and it faces disastrous flooding and harsh consequences by rising sea levels and i'm saying all that to make it clear that when our story takes place bangladesh has pressing needs even before kovid and some of the recent hardships and it has pretty meager funds with which it can and has to meet these needs every penny and every dollar in its state coffers are essential to the livelihood of its more than 160 million inhabitants what you see here is the south of dhaka which is the capital city and the building right here with the green circle around it is known as bangladesh bank it's a central bank pretty much like the us federal reserve it acts as the banker of the government it manages the country's foreign reserves it controls the money supply the taka their local currency and it's the lender of last resort to other local banks it also regulates financial institutions and does a lot more now like many other central banks bangladesh bank maintains most of its international deposits its reserves in new york it has an account with the new york fed and it uses that account to conduct the vast majority of bangladesh's international transactions this is an account that as of that day five years ago had more than 25 billion dollars it's the money of the people by the people and for the people of the republic of bangladesh let's take a little look inside we're going to friday february 5th 2016. bangladesh is a majority muslim country so friday and saturday are the days off which means that everybody's away except for the on-call manager on that day that manager was mr zubair bin huda remember this name and as part of his duty he inspects the back office systems at the accounting and budgeting department which is the most restricted part of the bank and part of his routine duties is to look at the printer he approaches the printer and he notices something odd this is a printer that's responsible for capturing each of the bank's wire transfers and usually they're just a couple of those in a day in a work day this is a weekend mind you um and today that printer was working overtime and each of its confirmations looked like gibberish this wasn't the first or the second glitch that he's seen with the printer so he didn't make too much of it he filed the service call for a technician turned off the lights and headed home in time for the friday family dinner next day saturday it's uh february 6 and it's still the weekend and mr binuda is still the on-call manager he's back at the bank and this time with a technician they decide to head over to what's known as the swift room which has the servers that are connected to that printer because after all the printer seems fine maybe the problem is with the server what you see here is called the swift terminal and it's a very sensitive system because it's used to wire the government's money to foreign bank accounts and it's also connected to that printer so they approach this system and being the duty manager binhuda has the credentials for this so he tries to log in but the application crashes time and time again and it grows increasingly frustrated because it's not only the printer that's misbehaving something else is going wrong so binhuda decides to scan the accounting department's inbox maybe theirs maybe in that inbox there is some notification about a known service disruption with swift so he goes back to the office and lo and behold there is a message awaiting from the federal reserve and it's been sitting there for about a day and it says something like our audit systems have been have detected highly unusual wire activity uh we have therefore placed a hold on most transfers get in touch with our accounts outline this doesn't sound good the federal reserve is saying that it's investigating suspicious orders and it's made by the bank to private accounts in asia binoda really has no idea what this is about because bangladesh bank doesn't send payment instructions on weekends and this had to be a mistake but how does he contact this accounts hotline or the accounts investigator that is not clear and as binhuda plans his next steps the technician strikes gold she's able to extract a recent log generated on that swift machine and opening that log it looks like there are records of a batch of outgoing wire transactions and they total almost 1 billion dollars binuda sifts through these records to understand where these alleged orders are headed one transaction says pen asia banking and a lot of the others are saying result commercial banking corporation but which banks are these and where the associated banks bank accounts what in the world is going on pinuda and the technician get back to their open space and search the web to understand who these institutions are it turns out that these are two commercial banks one is in sri lanka and the other is in the philippines and looking through their historical records bangladesh bank has never transacted with any of them in fact most of its business it does directly with other central banks but these are not central banks so it seems like a major software problem with that swift terminal likely a bug compounded by the fact that they couldn't even log on to the terminal so at 2 p.m binhuda emails a swift case manager in belgium to report what he calls a big problem now we also try to call the fed in new york but the phone number that he found online wouldn't answer on a weekend so he resorted to an email address and a fax number that he found on their website he wrote a rush demand to the feds to stop processing all of these alleged payments with references to those same entries that he saw on the swift blog and after sending the email they struggled a little with the fax machine but finally got that done and with a sigh of relief binoda shut down his computer and went home for what was left of that pretty disturbing afternoon next day it's sunday the 7th of february and the start of the week in bangladesh binhuda briefs his management about the past weekend's events and pretty soon it was clear to everyone that funds were being siphoned and the bank grew increasingly panicked rushed meetings were held managers redoubled been huda's efforts in trying to stop all payments to rizal or known by the acronym rcbc result commercial banking corporation that's the one in the philippines and they also did the same for pan asia bank in sri lanka fortunately they managed to get hold of pani pen asia bank and they confirmed that a payment of 20 million dollars had reached them but they decided to place it on hold because something with the payment order was fishy but the other bank our cbc in the philippines whose name was on transfers totaling many hundreds of millions of dollars was entirely unreachable that sunday would come to be known in the bank as terrible sundays it's monday february 8th in new york and the fed is finally back from the weekend over the weekend bangladesh banks sent them urgent orders to stop all payments but when fed employees finally saw them it was actually too late to undo the damage by that time several orders were already deposited with rcbc in the philippines and meanwhile 2 000 miles away from bangladesh is our cbc bank according to the fed 81 million dollars from bangladesh were already deposited to our cbc bank accounts in the philippines the chinese or lunar new year is a national holiday in many countries across asia including the philippines and the 8th of february was exactly that day like most other businesses banks are closed on that day and dozens of messages from bangladesh bank that were sent to our cbc were simply ignored none of them were reading time to stop the ongoing fraud and while these bangladeshi bureaucrats and state officials were busy writing and moving letters around the perpetrators were having a field day this is entertainment city in manila it's a notorious haven for funny money and within hours of the bangladeshi funds reaching accounts at rcbc the money was transferred into gambling accounts at the solaire resort and casino and once it got there unregistered gamesters would cash out the money as chips place bets and ultimately convert it all back into untraceable cash it ended up being one of the biggest bank thefts in history robbing the bangladeshi government of more than 80 million dollars now it's time to go behind the scenes and let's try to understand how this happened and what we can all learn from this and last but not least i'm sure you guys are curious what do we know about the group behind all this the story of this cyber heist begins not in february of 2016 but at least nine months earlier this is the skyline of metro manila in the philippines it's also known as makati city and the tower which i've circled here is the headquarters of rcbc which by now were somewhat familiar with on tuesday may the 5th 2015 four bank accounts were opened at rcbc with a 500 deposit in each they were opened by fake identities using fake addresses and they would lay dormant until nine months later in february of 2016. it's not unusual for cyber criminals to be very patient when it suits them for the perpetrators after opening these accounts the next step was to breach the network of bangladesh bank and gaining access to one of the systems was their initial objective there are many ways to accomplish this and the truth is it remains unclear what specific method they used but it was very likely one of the following the first is maybe they exploited a vulnerability in the networking gear why am i saying this because the bank happened to use cheap home routers that were running all software to connect itself both internally and externally it had no dedicated firewall and was essentially exposed to the open internet this makes it easy for a remote attacker to fingerprint which hardware is used and then to find known vulnerabilities and penetrate the network's perimeter and that's how you can get to some system inside the network another likely option perhaps even more likely is spear phishing the attackers likely send scam emails carrying zero-day malware to bank employees if these employees open these emails it installed malware this requires a virus that can evade email threat scanners if such scanners are even present and to take advantage of unpatched vulnerabilities we've actually seen this happen in an earlier and smaller attack on a vietnamese bank by a very similar group which compromised a previously unknown document rendering weakness in the foxy pdf reader overall fishing and social engineering still drive about 90 percent of all successful breaches so this is the most vulnerable category another classic is removable media it works similar to spearfishing but it lets the attackers get around email filters it still requires a zero-day exploit and some clever ploy to get that physical device into a system inside the network this is probably why you should never accept a usb flash drive as an unsolicited freebie and uh lastly i want to mention that there were also speculations of collusion meaning an insider job like other developing countries bangladesh's government and their banking institutions they're notoriously plagued by corruption in a recent corruption perceptions index by transparency international bangladesh ranks in the bottom queen tile of all countries and that means that bank frauds are more prone to happen insiders can turn from being regulators and game keepers to wrongdoers and poachers however they managed to get inside once the attackers made it into the perimeter they systematically moved throughout the network in search of valuable data and priced assets this is what we call lateral movement as soon as they compromised the first machine the attackers downloaded malware tools that gave them a connection to a command and control server and this basically gave them ongoing visibility and ongoing control the attackers now had a compromised system and a beachhead from which they could scout the rest of the network and spread into additional systems they analyze network communications and try to blend in with legitimate traffic in order to establish a profile of what systems were nearby what roles those systems had and what known vulnerability the software of those systems was vulnerable to and armed with all this information and probably a few key loggers just for good measure the next objective was to capture local admin credentials from one of these infected machines as the attackers made their advance in a cautious process that took many weeks they targeted additional accounts in order to facilitate the next stages of the breach and by doing so they could now spy over the network and continue to spread laterally across it searching for higher value data and higher value systems using those compromised admin credentials they could do all this for long periods of time and remain undetected whenever they identified an interesting target sorry they would again escalate privileges to install malicious remote control software in continuing their conquest it was a rinse and repeat process but all along their goal was clear what they really wanted was to penetrate the systems connected to swift so i've been mentioning swift but what is swift so swift stands for the society of worldwide interbank financial telecommunications not very useful i'm aware so in layman's speak this is a secure platform to enable international money transfers it's used by thousands of institutions from medium banks and large banks to basically all of the world's central banks but the most surprising element of swift which few people really know is that it doesn't actually move any money instead swift is a secure platform for messages about money transfers let me explain if bangladesh bank legitimately wants to send money to the philippines it will send them a swift message with all of the details the message would also be sent to the federal reserve in new york because it has bank accounts for both bangladesh's central bank and the philippines moving money between these two accounts is actually a matter for the federal reserve in new york if the sending bank and the receiving bank don't have an account with the same institution such as the fed in new york then swift will help identify what they call a corresponding bank this is an additional link in a longer chain which will bridge the two banks together it's like routing packets between endpoints if the packets are not on the same network then you need to route them through one or more switches these are the corresponding banks swift itself operates a closed messaging network for all of its member banks and it passes tens of millions of those messages every day it's responsible for sanction screening and for enforcing anti-terrorism requirements in fact it's one of the main tools that the previous american administration used to impose sanctions on countries like iran but there's one thing that swift didn't do he didn't try to detect fraud payments made by one institution to another institution are usually automated in fact it's common to have something known as straight through processing from a person's request made through their bank's website and immediately onto the swift network without many checks or balances to protect the system what swift does do is it makes sweeping security recommendations and many different best practices which includes asking banks and member institutions to have a swift a dedicated room for swift equipment with 24 7 monitoring to utilize layered authentication protocols complex passwords multi-factor authentication and more and more but evidently it didn't require these all tank members can enjoy access to swift independent of their internal security practices to my knowledge the core swift network is very secure but that may or may not apply to the thousands of member bank terminals in other words thieves don't have to attack the core network which is highly fortified instead they can attempt to compromise the systems that feed in and out of the swift network and that would include bangladesh bank and it's uh systems in the swift room that we've seen earlier so what did it require to take over that swift terminal banks typically separate their swift systems from the rest of their i.t network and until october of 2015 bangladesh bank did exactly that but then they decided to launch a new service called real-time growth settlements for faster clearing and it was just something to speed up money transfers a lot of banks rolled that at the same time but as a result they made the fatal mistake of connecting their id network to their swift connected systems so this removed the air gap that existed between the two networks it gave attackers an easy path from the compromised i.t systems to the highly sensitive swift machines the attackers managed to successfully log in as local admins and they did this using account credentials that they've already stolen what they then did was install sysmon from windows sys internals it's a tool that helps you monitor different activities like creating processes opening network connections changing files things like that and this allowed the attackers to learn how financial messages were sent and to identify which other services were in use and one service that the attackers discovered was related to the printers every time an order was sent or received it was automatically dispatched to the printer that we saw and to keep everything under the radar the attackers use their privileged access to misconfigure the printer so when binuda noticed that the printer wasn't working correctly he assumed it was a printer problem not an indication of an ongoing attack once inside the swift system the attackers also captured the digital certificates that are required to send messages and also the static passwords that were used to protect these certificates unlike other banks bangladesh relied on a single factor of authentication that static password and it was far easier to crack with the necessary credentials in hand and knowledge of the processes which the attackers gathered over months they were now able to master it as legitimate and authorized users put simply the attackers could now send payment messages that would get to and be honored by the core swift network to capture the certificates to meddle with the printer and and more and more what they did was to inject malware code that they specifically wrote for the swift terminal it was a custom-made tool for the job and it shows intimate knowledge of the swift alliance software which is what about 20 percent of swift members use including bangladesh because the malware was written from scratch it was unfamiliar to existing virus protection programs and went by unnoticed that piece of malware was thoroughly analyzed by bae systems and it tells us quite a lot really about how professional cyber criminals think and how they operate it used for example an encrypted configuration file called gpca.that which had a variety of information in it including transaction ids and even the ip address of the command and control center that ip address as it turns out was registered in egypt which created another layer of separation between the attackers who were not from egypt and the command and control center one of the modules that the malware was targeting was in oracle database dll dll that library was responsible for reading the swift alliance database path from the registry to it was responsible for starting the database and for performing various database backup and restore operations now to skip over the database authentication checks what the malware did was exchange the swift alliance software in memory this allowed it to bypass a critical security check which was an if statement simply by overriding two bytes that stood for jump not zero j and z by making this little memory change they not only thwarted the security check but by doing this in memory instead of disk it would be much harder to detect the hack and with little tricks like this the malware was able to grant itself the ability to covertly execute database transactions within the victims network in other words they subverted perfectly normal business processes in order to remain undetected and to delay any suspicion by the victims that something was going on in practice some of these measures ended up destabilizing the swift alliance software causing it to crash and as a result the investigation cycle started earlier than the attackers really wanted but it was still at least a day later than it could have been with the access that they appropriated the attackers then used stolen swift credentials to send fraudulent payment instructions and on thursday the 4th of february they initiated 35 forged transactions let's try to understand what ended up happening with them starting on the left-hand side the first four transactions were to rcbc in the philippines and the next one was to pan asia banking in sri lanka the new york fed acted on all five and transferred the funds which totaled 101 million dollars taken out of bangladesh's account the next 30 transactions were flagged by the fed is odd after all this was an unusually high number of payment instructions and the transfer requests were for were to private entities rather than central banks and that made the fed suspicious so they decided to place these transactions on hold pending further investigation and further clarifications from bangladesh this was a single man-made decision by one employee and it reduced the scope of the highest by as you can see 850 million dollars a single person's decision now of the 101 million that did go through the loan transaction to sri lanka of 20 million dollars failed to go through some clerk at penn asia bank saw an uncommonly large payment for shalika foundation that was a small ngo and he smartly decided to hold the order and to request further clarification from deutsche bank which was the corresponding bank that was used for moving the money from the new york fed to pan asia in sri lanka deutsche bank took a closer look and discovered that the word foundation was misspelled as foundation with an a so they blocked the order and sent bangladesh a notification even though the bigger impact of the attack was avoided due to the attacker's mistake relying on poor spelling should not be a security policy but bangladesh wasn't nearly as fortunate with the philippines the carefully timed attack ensured that our cbc would be out for days after the crime took place and by that time rcbc saw those stop payment orders from bangladesh well the money had already been piped away into those local casinos that we saw in currency exchanges in fact a million or two were even withdrawn in greenbacks and carried out by four higher armored truck vendors the choice of the philippines was far from accidental in a 2017 report from the state department they described the philippines as a major money laundering site and they know that criminal groups use filipino banks and especially casinos to transfer illicit funds to offshore accounts as a matter of standard business practice that has since changed only a small part of those 81 million dollars were ever recovered and this wasn't just the work of a cyber crime ring once money hit rcbc people trucks and shipments moved in the real world across borders there are only a few known actors in the world that can pull off a criminal operation of this size and complexity who was it the perpetrators excuse me that they're known as the lazarus group and to date they've been involved in financially motivated attacks on about 20 different countries they've hacked banks casinos brokerages crypto exchanges and most recently pharmaceuticals working on cov19 vaccines and therapeutics this group is thought to comprise of four related units each has a different objective but they all deal with cyber operations the attack on bangladesh comes from a unit called apt-38 all lazarus groups are allegedly linked to the dprk which is the official name of north korea and despite efforts by the us government to stop them apt 38 remains active and dangerous to institutions all over the world now the the list of mistakes that bangladesh bank made can fill up entire cabinets from poorly defined policies to outright security negligence and just bad decision making in real time there was everything but if you think that bangladesh stands out in this think again as the digital revolution and digital transformation expands globally and cuts across more and more industries organizations that were never this digitally sophisticated are connecting digitizing and migrating to the cloud so it's vital that we all learn from these costly lessons and that we make sure that we and our customers and partners do not repeat bangladesh's mistakes so let me review with you the main blunders and the main learnings from this case and i'm going to split them into two categories the first four lessons are really for i.t and network administrators and the last four lessons are useful and actionable for anyone who works on any kind of online service the first mistake and it remains a very common one is to give standard users admin accounts as a best practice standard users shouldn't be admins of their machines when you give people admin rights you also give the same rights to any malware that infects the system and find it finds its way to the system32 folder as an example there is a there are many ways in fact to remove local admin rights while still letting users elevate privileges when they need to do something such as install certain software drivers with uh windows and active directory there are many ways and tools to manage local group memberships for example to do this you could do this with group policy you could do this with laps the local admin password solution but the bottom line is as much as possible keep standard business users to standard accounts as we know admin accounts protect the most sensitive assets and data so we have to be super vigilant about their use because if all other lines of defense fail our best bet is to detect abnormal use of those privileged accounts bangladesh recorded some very odd login accounts login attempts excuse me um they log these attempts but they never reviewed them and never did anything with them there are many many ways to take advantage of this data there are security tools that go by many different names from behavioral analytics to anomaly detection and threat intelligence microsoft has such tools including azure sentinel which uses ai to hunt for suspicious activities across hybrid id infrastructures we also offer azure defender as a hybrid cloud protection platform every network or every cloud deployment should use solutions like these there is really no excuse not to do that but that's not all because for sensitive systems like that swift machine they have to be segmented off the rest of the it network as we mentioned and this is often the case with retailers who have separate environments for their payment cards or if you're a utility you air gap your industrial control systems once these systems are separated from the standard network remote access should only be allowed using a designated and hardened hardened jump server using this approach organizations can prevent malware from bouncing from its user endpoints to sensitive systems and organizations often do this by isolating domains so devices inside a domain reject unsolicited traffic coming from outside devices it's common to do this with ipsec and security rules um network admins can create logical modes around sensitive machines even if they're on the same physical network so i highly urge you to look at your segmentation policy and another valuable defense is to control which applications are allowed on endpoints because this would let you prevent unknown and malicious software from infiltrating the environment and you could do this with things like windows defender application control if you're running server 16 and later or windows 10 and it ensures that only explicitly approved software and drivers can run if bangladesh used it or something similar to this it could have blocked the malware from spreading so easily throughout the network and now let's take a look at the four things that you should do for your service that bangladesh bank neglected and this is really for everyone i think so for sensitive systems you can't go too hard on securing your accounts and credentials so what are the four best practices really for securing these credentials number one is protect your credentials in one central trustworthy safe so identify what that's safe will be for your for your organization and use it for all your credentials then the second thing would be to control access based on role and on adjusting time basis so think of it as nly the relevant personnel and only when needed the next thing which we always say is to use multiple authentication factors because that helps against phishing and password reuse and the fourth is to rotate credentials this helps you invalidate any potentially compromised credentials if bangladesh had even some of these measures in place then taking over the swift terminal would have been a challenge of another magnitude azure provides these capabilities with azure key vault and that should be your trustworthy safe in the cloud if you ask me bangladesh bank like other banks was as we explained at the edge of the swift network but what about the core of the network regardless of what service you run if you have a centralized architecture let's say like swift then the core of your network is a treasure trove for high quality signals so take advantage of that and how do you do that well one way is to run big data analysis and to try to identify sophisticated threats and flagged them for audit this is essentially what the fed did for 30 of the 35 payment orders but swift didn't do it swifted all the data it didn't make use of that data to identify potential fraudulent activity the second thing you could do is to use your core network to send out-of-band reports of major events so don't trust the end points and the terminals because they can be compromised too think of other ways maybe sending an sms message to a designated account officer the seventh lesson of the eighth and this is similar with um many different breaches is that organizations should never rely on the perimeter or the so-called walled garden approach you should always assume that your network or your v-net will get penetrated we call it a zoom bridge and you can trust actors inside your network as a result that's when planning should really start how do i prevent lateral movement how do i defend against a compromised user account what is the blast radius in this case these are all questions we have to ask ourselves and the right approach is strong identity and access management we say at microsoft that identity is the control plane at the center of our trust is authenticating and establishing trust in the user's identity so never protect your resources based on network access but based on identity and azure active directory has everything you need for that kind of zero trust networking make sure you define granular access controls based on the sensitivity of your data and if you utilize it well azure active directory is an excellent path to implementing a zero trust approach there are many other great solutions from akamai to z-scaler choose your own and implement as many of it as much of it as you can for zero trust networking and lastly be ready to respond even if you're even when you are least ready it's my long-winded way to say always be ready attackers seek weaknesses they ask themselves when is my target at its weakest lazarus exploited a perfect storm weekend in bangladesh followed by holiday in the philippines the best defense my friends is to be ready all the time responding in the same way 24 7 365 days a year and you do that by creating incidence response incident response playbooks irps okay for every service even for problems that seem very innocent so include questions if you were bangladesh like how do i reach the fed on a weekend what if it happens on a week and then you you need to reach out to them that should be part of the playbook or questions like what should i do if the swift printer fails do i just open a service call and get back to it tomorrow or do i go to the swift server right away and look at the logs these are all things that should be thought of well ahead of time the attack on bangladesh bank demonstrated plenty of advanced planning but the methods that they used were not so sophisticated they made mistakes and everything was preventable as part of the shared responsibility model which we employ on on the cloud so if you're doing cloud computing you know you share responsibility with your cloud provider we all need to make full use of the security tools and practices that come available as part of that shared responsibility model i mentioned a few of them these tools are out there and we encourage you to use them in order to action out some of these lessons crime syndicates like lazarus they're monitoring all kinds of organizations i want to be very clear about this and all kinds of institutions if you have something of value whether that is cash laying around or the formula for your monoclonal antibodies whatever your organization is working on you might be on their radar so let's make sure to be ahead of the curve by adopting best practices making use of the best available tools and remaining vigilant and always a little bit paranoid thank you so much thank you eden i will take this opportunity and share my screen to update the audience on some upcoming events and basically just go through a public community landing page so this is our landing page basically let me just share here the link with you all and you probably heard me many times referencing to the aka dot ms slash security community so basically uh the the best way to ensure that you don't miss any future major announcements that goes on in with our products that we support so we have the webinar section and that's the aka.ms security webinars this is basically where we list all the upcoming webinars as well as maintain a repository of our uh past webinars such as this one will be we'll make it onto the list here and it will be under the recordings broken down by uh by a product whereas for this for this webinar this will fall into the miscellaneous security webinars so for the upcoming webinars what i would like to uh highlight is the one on march 16. sulo will share with us her journey and advice on how to increase the diversity in cyber security uh sue is the author of raven a young adult hacker novel which is inspiring girls and other under represented groups to enter stem fields this webinar will be the first in a series on diversity and inclusion in cyber security so we hope to see you then going back to the to the security community page we have the video section this is basically where we have the bite size videos taking you to the to our youtube channel uh a same channel where we keep our recordings and then if you would like to become part of our email list which we normally send out at least once a month uh announcing our or upcoming events you can do so and then we have other helpful information such as the ninja training done for different products and then we have the uh podcast the private communities here with our private communities you can sign up and you can skip speak directly to our engineering teams that actually create our security products and you'll be able also to influence our product designs and get early access to changes so that's all i had to share and then you have other informations as a github for each product so going back to eden i see you're refreshing yourself and looks like you may be ready to to to answer some questions or yeah we can take some questions absolutely so the first question was it not investigated to find out uh what did happen so uh there were many different investigations as you can imagine this was a this comprised of so many different elements you had elements in the philippines in sri lanka the fed swift and obviously in bangladesh and beyond that so many different investigations were carried out including by private institutions i mentioned bae systems that was one of them uh to give you some idea of the events that followed in the five years past bangladesh bank itself filed several civil suits mostly against rcbc in the philippines uh filipino authorities if i'm not mistaken find our cbc for its negligence of duty about 20 million dollars of that 15 million dollars were awarded back to bangladesh bank as relief money um it was found that rcbc was negligent in failing to flag these dormant accounts that show the sudden surge of activity um in general when you see when you're a bank and you see sudden bursts of activity these are excellent triggers for compliance audits rcbc never went through the hassle of auditing that um so yes investigations certainly took place um but the money most of it was not recovered i believe that as of now at least 66 million dollars out of the 81 million dollars were never returned back to bangladesh the next question was um was the ngo transfer just a donation or is it likely an organization controlled by one of the attackers that's a good question i do not know i would presume that the 20 million dollars that were sent to the ngo were sent with the intent of cashing that money out so i would imagine that that ngo was either compromised or through some other means lazarus would have been able to get the money out of that ngo's account these are my speculations it's not based on any uh credible material that i've seen the next question is was microsoft involved in the incident response and remediation of the attack i presume so microsoft was not involved this was and this was not on a cloud environment at least not on the microsoft cloud environment this was an on-premises deployment the bank of bangladesh used microsoft software as i believe every central bank does to some extent and we were not involved in this to my awareness and the last question that i'm seeing here is um how would the fed in the u.s have stopped the transfer that point is not clear you mentioned that it was too late for them on the next day so um first of all the fed was not found guilty in any misconduct here just to be clear the fed received what seemed like legitimate requests from bangladesh bank to move money to other accounts and it did that for five of those 35 requests now why didn't he do it for 30 requests simply because it made this a good decision that they seemed suspicious now we could have said well why didn't it flag all 35 transactions or maybe any number larger than 30 why didn't why did it all only flag 30 transactions as suspicious transactions so i think they could have done a little bit more they've like i explained they saved 850 from moving into the wrong accounts i think they could have done it for more than that amount it's all about its fraud detection systems ideally i think the fed had enough data and historical information and the ability to correlate transactions to tell that even the first five transactions should not have gone through without confirmation they placed 30 transactions on hold that was great i think they could have done it possibly for a few more transactions and since 2016 when this has happened both the federal reserve and swift have significantly ramped up many of their measures in order to flag transactions that seem illegitimate and to respond to them more quickly one example of um a very positive operational step that the fed took is that they instituted a 24 7 hotline to deal with exactly these types of emergencies and this is set up for the 250 or so central banks of the world so if the next bin huda sees an email telling him that suspicious activity was detected he doesn't have to wait two days until he can get in touch with the fed and try to reverse the transactions one thing to note is that when the money moves from the fed to a receiving bank that money is still available to be reversed back until it gets uh withdrawn and what happened in the case of rcbc as soon as the money hit our cbc accounts it was immediately moved out either to regional branch accounts or rcbc or just cashed out as greenbacks so that's why the feds could really not do much about the 80 million dollars that moved to rcbc i hope that explains that thank you so much eden for an excellent presentation and uh thank you to the rest of the team who helped answering the questions but most of all i want to thank all of you for being a part of our community and for joining us on webinars like this and we hope to see you next time goodbye