Bank Attacks Expose Security Gaps

Too Much Focus on Compliance, Not Enough on Security

October 29, 2012.

Organizations everywhere should be concerned about distributed denial of service attacks and other emerging cyberthreats. But most are too focused on compliance to pay enough attention to fraud and security fundamentals, says DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London.

"I'm really firm on the fact that we need to lose this pre-consideration that standards and compliance will deliver security," says Walker in an interview with Information Security Media Group's Tracy Kitten [transcript below].

"I would like to see more investment in operational security," he says.

Recent DDoS attacks that have affected online-banking sites at leading U.S.-based institutions are getting international attention.

But Walker says European institutions are not taking the steps their American brethren have to address emerging DDoS threats. Banks in Europe have spent so much time focused on standards and compliance, they've lost sight of security, he says. In fact, operational security is lacking in a number of areas, and most security teams at European banks are far behind where similar teams are in the U.S.

"We need to start to understand what technical-operational security really is, and we need to lose this love affair we've been in for so long now with standards and compliance," Walker says. "I believe we need to go back to basics. We need to start to understand what technical-operational security really is."

Organizations internationally need to improve their information-sharing and collaboration efforts as well, he says. And they could learn quite a bit from examples being set by banking institutions in the U.S. "But above all, we need a body to report these [breach] incidents to," Walker says.

During this interview, Walker discusses:

  • Why the threats facing U.S. banking institutions pose increasing concerns for banks in all developed countries;
  • Why European institutions are ill-equipped to defend themselves;
  • How more information sharing and international collaboration will increase global cybersecurity.

Walker is an independent security professional based in London who holds security certifications from ENISA and ISACA. Over the course of his career, Walker has delivered more than 60 global presentations about cybersecurity, and has published numerous papers and articles.

DDoS Attacks: Who's Responsible?

TRACY KITTEN: The attacks that hit U.S. banking institutions in the last few weeks have been suspected of being backed by Iran. Do you believe that was in fact the case?

JOHN WALKER: Certainly there's a high probability that this is where they're coming from, but there are other volatile places in the world as well, like North Korea and China and so on. I think we live in that age now where we must realize that the computer can be used to inflict pain or cyberconflict.

One of the things I would draw back on is there has been a lot of talk about this threat that's coming and evolving. This threat has actually been there for some considerable time. I've been aware of cyberattacks going on for the last five years, maybe not the level we see today, but up to five years ago I was seeing cyberattacks come in from hijacked Chinese newspapers, for instance, against U.K. financial institutions.

International Concern

KITTEN: How are organizations and institutions in other parts of the world, such as Europe, viewing these attacks that are hitting U.S. banks?

WALKER: I think they're observing them. Also, in a number of cases, they're facing them in the U.K. There has been a rise in cyberextortion. I know of at least two organizations that have been suffering cyberextortion for some considerable time; one case was followed by a reasonably successful DDoS attack. The problem I've seen with cyberextortion is nobody wants to talk about it in the public, so we never hear about it. And when these attacks do come in, they're not handled well. I know of one example in the U.K., and it was treated absolutely appallingly, involving a discussion with the attackers and conversations about what they knew. It was a real reflection of the immaturity in that particular case of the senior security personnel.

Who's Better Prepared?

KITTEN: Do you see activity in the U.S. being more advanced when it comes to addressing some of these cyberthreats?
