Bank Heist Analogy for Cybersecurity

Key Points

  • Modern criminals target digital assets “online” rather than physical cash, shifting the focus of security from bank vaults to IT systems.
  • A threat is any action that can disrupt normal operations, with the threat actor being the robber in a bank scenario or the malware creator/distributor in a cyber context.
  • Vulnerabilities are system weaknesses—such as glass windows in banks or software bugs in computers—that can be exploited through various methods like breaking the glass or deploying malicious code.
  • Exploits leverage these vulnerabilities (e.g., a rock or crowbar for a window, malware for a software flaw), and assessing the associated risk helps quantify potential damage and guide protective measures.

Full Transcript

**Source:** [https://www.youtube.com/watch?v=8zSoyAmHHc4](https://www.youtube.com/watch?v=8zSoyAmHHc4)
**Duration:** 00:05:39

## Sections

- [00:00:00](https://www.youtube.com/watch?v=8zSoyAmHHc4&t=0s) **Untitled Section**
- [00:03:09](https://www.youtube.com/watch?v=8zSoyAmHHc4&t=189s) **Risk Assessment and Security Controls** - The speaker explains how risk is evaluated by considering likelihood, cost, and frequency, and outlines technical, administrative, and procedural controls used in banking and IT environments to mitigate threats.

0:01 The story goes that the infamous bank robber, Willie [Sutton], was once asked, "Why do you rob banks?"
0:06 And he responded, "Because that's where the money is."
0:11 Makes a lot of sense, right?
0:12 Well, but that's not really where the money is these days.
0:15 Your local branch might have some money, for sure.
0:18 But where's the big money?
0:20 It's not in the bank.
0:21 It's online.
0:22 It's in their IT systems.
0:24 It's digitized.
0:25 It's ones and zeros.
0:26 So, if we're going to look at security, let's take a look at an analogy
0:30 that begins with a bank and the threats that we see there.
0:35 And let's take a look at what its similar IT component would be.
0:40 So what do we face in each of these?
0:42 Well, it starts off with this notion of threats.
0:45 So what is a threat?
0:48 Well, a threat is anything that is an action that could undo the operation of the system.
0:54 It threatens the operation -- normal operation -- of the system; gives an adverse effect.
1:00 So we could have threats that, in the case of a bank, well, it might be a robbery.
1:07 And in an IT system, it could be a break-in.
1:10 Or, it could be, let's say it's a malware campaign.
1:13 So that's the overall overarching threat, there's an analogy here.
1:18 Now, the next thing we have to think about is the threat actor.
1:22 In the case of the bank, that's the robber.
1:26 In the case of the IT example with a malware campaign,
1:29 it's the person who wrote the malware or who is distributing the malware.
1:34 Next thing to consider: vulnerabilities.
1:37 So vulnerabilities are anything that are weaknesses in the system.
1:42 What's a weakness in the system of a bank?
1:44 Well, banks have windows, and windows are made of glass, and glass is weak.
1:49 We'll talk about how that can be exploited coming up.
1:52 But that's the vulnerability, is the glass.
1:55 How about the tellers themselves?
1:57 They could be threatened to give over the money.
2:00 Other things could be procedures, like when the money truck arrives.
2:04 Do we have the path from the truck into the vault and vice versa well secured?
2:10 If the procedures are not right, then we could be vulnerable.
2:13 So what would be the IT example in this case?
2:16 Well, if we're talking about a malware campaign, it's probably taking advantage of some bug in the software.
2:23 So there's some vulnerability that has been introduced in the software itself.
2:28 So next thing to consider is an exploit.
2:33 So what would an exploit be?
2:34 In the case of a window, you could throw a rock through it.
2:38 Well, you can also throw a brick through it.
2:40 Or you could throw a crowbar through it.
2:42 Those are three different exploits exploiting the same underlying vulnerability that glass is breakable.
2:49 Now we have the same kind of thing that can happen on IT systems.
2:52 But the exploit in the case of a malware attack is going to be some code -- the malware itself
2:58 -- that leverages the underlying vulnerability in, say, the operating system, or in an application.
3:04 So it's going to do some kind of nefarious activity, overriding memory or something like that.
3:09 So that's our exploit.
3:11 Then we've got a consideration of risk.
3:15 Risk is basically quantifying and looking at what is the issue here.
3:20 What's the likelihood that this thing will happen?
3:23 What's the cost if it in fact does happen?
3:26 What's the probability?
3:27 What's the frequency?
3:29 Those are the things that we consider in risk.
3:31 And we have that both in the bank example and we have that in the IT example.
3:36 And then ultimately we look at things like controls; or sometimes we call these countermeasures in security.
3:43 Now in the bank, we're going to look at certain types of controls that are specific to that environment.
3:49 Like we're going to put alarms on the bank, we're going to put cameras, we're going to put guards in the bank.
3:54 What are we going to do in the IT system?
3:56 Well, there's different kinds of controls that we can put in cases here.
4:00 So, in fact, these controls are of three different types.
4:07 One is a technical control.
4:10 An administrative control.
4:14 And a procedural control.
4:17 So a technical control would be examples of things like we say, we're going to patch all of our software.
4:23 We're going to put anti-virus on all of our systems.
4:26 We're going to use an endpoint detection and response system as well, or in lieu of antivirus.
4:32 We're going to put something like a backup system so that we can recover data if it's been compromised.
4:38 We're going to have things like user training so that users know not to click on links
4:42 and fall for phishing attacks and things like that and end up in fact infecting their systems.
4:47 We could have other things like a SIEM -- security information event management system
4:51 -- or an XDR -- extended detection response system -- that's essentially like the alarm system
4:55 that's looking and allowing us to do investigation across the IT environment.
5:00 And then we would have something for incident response.
5:03 What are we going to do once we have the problem?
5:05 How do we respond to it?
5:07 And that's what we call a SOAR, in the IT example -- a security orchestration and automation and response platform
5:13 -- that allows us to bring all of these things together.
5:17 So these are the things we have to consider, if we were securing a bank, or if we're securing an IT system.
5:23 And now that the money is not so much in the bank, it's in the IT system.
5:28 This is what we have to focus our efforts on.
5:32 Thanks for watching.
5:33 Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.