Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Top Stories

The changing threat landscape

Jamal-Elmellas

Mapping and anticipating emerging threats can help inform crisis response but don’t be lulled into a false sense of security by compliance, or divert resources into fighting fraud fads, says Jamal Elmellas.

Jamal-ElmellasEisenhower once said “We will bankrupt ourselves in the vain search for absolute security”, a statement as applicable to the enterprise as it is to the state. No network can ever be totally secure and any enterprise pouring time, money and resource into trying to achieve that goal risks chasing a phantom menace. How then to focus security spend? Contextual security is a phrase that is commonly used and suggests organisations should look at sector-specific threats. Monitoring and mapping threats as they emerge can provide some predictive capabilities but this crystal ball gazing should always be underpinned with sound security policies and processes backed by the business.

DDoS attacks have been reported widely by the media over recent months and there have been cautionary tales warning of a banking Armageddon this year. A recent report by the Ponemon Institute suggests financial institutions are unprepared for an expected onslaught of DDoS attacks this year, mainly because of an over reliance upon point solutions such as firewalls, and calls for more investment in DDoS tools. This warning seemed to be substantiated by a DDoS attack which caused 249 hours of downtime for US banks during a six week run in February and March. Initiated up to a year ago, the fraud involved regular attacks which extracted credit card details to clone cards. Each onslaught sought to overload bank websites in order to draw IT resource away from the target data before accessing bank systems.

A simple Google search will throw up other examples such as Heartland Payment Systems across the pond and closer to home the beleaguered HSBC, which most recently suffered a DDoS attack in October that took down the bank’s servers, affecting customer internet banking worldwide (the year before, the bank’s network was also hit, affecting ATM services, and it was fined £3million back in 2009 for a major data breach of customer data).

Reliance on compliance

But while network attacks are an issue, there is a more endemic problem here, namely an over reliance culturally on compliance. While compliance is a good starting point, the ever-changing threat spectrum calls for a more proactive approach. How we protect against these threats needs to evolve. Financial organisations need to move beyond the compliance remit to look at how best to embed security throughout their operational processes. This can be achieved through the application of effective risk management, protective monitoring and the use of appropriate and proportionate security controls.

Essentially attacks will happen and in an information age the direction of the attacks will normally follow the money. One need look no further than the recent $45 million debit card hack which took place over a reported seven months where credit limits were raised to allow ATM withdrawals. Despite the existence of PCI DSS security compliance, the hackers were able to circumvent the security controls in place. This suggests that the sector tends to rely too heavily on prescriptive compliance controls for protection. Perhaps we should be asking does business actually have the ability to identify a compromise and/or track trending hacker activity to anticipate such an attack?

Embedded security

Attacks are inevitable and will happen: seeking to prevent them is futile. What is important is that these organisations have the ability to identify an attack as quickly as possible and prevent a compromise. Real business security is essentially about the business process being monitored and anomalies being highlighted; this is not a new paradigm, it has been in existence throughout the history of business. Effective security has never been about products but about process and security has to be built into key business processes. By overlaying security onto the business process it is possible to embed security process into the operational functions of the business and this in turn heightens awareness of suspect activity on the network.

Looking forward, we can expect attacks to become more sophisticated, more focused and globally ambitious. Targets are being pinpointed as cyber criminals seek to find the weakest link in the information process chain within which financial institutions have their operations and systems. These are spread across different continents, providing the criminal with the ability to sabotage systems globally. APTs (Advanced Persistent Threats) are also becoming more of an issue, as evidenced by Operation Shady Rat. A sophisticated cyber attack that penetrates network defenses, APTs can remain undetected for a considerable amount of time, siphoning data from the network, deploying trojans to gain control of end-user devices or conducting SSL man-in-the-middle/man-in-the-browser attacks. Such as Spy Eye, for example, which not only steals passwords to access bank accounts but even creates bogus statements to cover its tracks.

Don’t believe the hype

Yet forewarned does not necessarily mean forearmed. The financial sector needs to ensure it doesn’t overreact to the current scaremongering as a knee-jerk reaction can cost time and resources. Anonymous recently threatened a DDoS attack against US banks on 7 May but this did not materialise. A DDoS attack may render a bank temporarily impotent but if it has the measures in place to mitigate reputational damage and ensure the crown jewels – the data – remain protected it can withstand the assault.

Understanding the risks is crucial and it is also the only way to justify security investment. We need to fight the perception of security as an inconvenience and an additional cost and open executive eyes to security as an enabler that can dampen and channel these attacks.

Jamal Elmellas is Technical Director for independent security consultancy, Auriga Consulting Ltd ( www.aurigaconsulting.com ) which has carried out security projects on behalf of major financial organisations in the UK

 

 

 

 

 

 

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post