Bank Attacks Expose Security Gaps
Too Much Focus on Compliance, Not Enough on Security
Organizations everywhere should be concerned about distributed denial of service attacks and other emerging cyberthreats. But most are too focused on compliance to pay enough attention to fraud and security fundamentals, says DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London.
"I'm really firm on the fact that we need to lose this pre-consideration that standards and compliance will deliver security," says Walker in an interview with Information Security Media Group's Tracy Kitten [transcript below].
"I would like to see more investment in operational security," he says.
Recent DDoS attacks that have affected online-banking sites at leading U.S.-based institutions are getting international attention.
But Walker says European institutions are not taking the steps their American brethren have to address emerging DDoS threats. Banks in Europe have spent so much time focused on standards and compliance, they've lost sight of security, he says. In fact, operational security is lacking in a number of areas, and most security teams at European banks are far behind where similar teams are in the U.S.
"We need to start to understand what technical-operational security really is, and we need to lose this love affair we've been in for so long now with standards and compliance," Walker says. "I believe we need to go back to basics. We need to start to understand what technical-operational security really is."
Organizations internationally need to improve their information-sharing and collaboration efforts as well, he says. And they could learn quite a bit from examples being set by banking institutions in the U.S. "But above all, we need a body to report these [breach] incidents to," Walker says.
During this interview, Walker discusses:
- Why the threats facing U.S. banking institutions pose increasing concerns for banks in all developed countries;
- Why European institutions are ill-equipped to defend themselves;
- How more information sharing and international collaboration will increase global cybersecurity.
Walker is an independent security professional based in London who holds security certifications from ENISA and ISACA. Over the course of his career, Walker has delivered more than 60 global presentations about cybersecurity, and has published numerous papers and articles.
DDoS Attacks: Who's Responsible?
TRACY KITTEN: The attacks that hit U.S. banking institutions in the last few weeks have been suspected of being backed by Iran. Do you believe that was in fact the case?
JOHN WALKER: Certainly there's a high probability that this is where they're coming from, but there are other volatile places in the world as well, like North Korea and China and so on. I think we live in that age now where we must realize that the computer can be used to inflict pain or cyberconflict.
One of the things I would draw back on is there has been a lot of talk about this threat that's coming and evolving. This threat has actually been there for some considerable time. I've been aware of cyberattacks going on for the last five years, maybe not the level we see today, but up to five years ago I was seeing cyberattacks come in from hijacked Chinese newspapers, for instance, against U.K. financial institutions.
KITTEN: How are organizations and institutions in other parts of the world, such as Europe, viewing these attacks that are hitting U.S. banks?
WALKER: I think they're observing them. Also, in a number of cases, they're facing them in the U.K. There has been a rise in cyberextortion. I know of at least two organizations that have been suffering cyberextortion for some considerable time; one case was followed by a reasonably successful DDoS attack. The problem I've seen with cyberextortion is nobody wants to talk about it in the public, so we never hear about it. And when these attacks do come in, they're not handled well. I know of one example in the U.K., and it was treated absolutely appallingly, involving a discussion with the attackers and conversations about what they knew. It was a real reflection of the immaturity in that particular case of the senior security personnel.
Who's Better Prepared?
KITTEN: Do you see activity in the U.S. being more advanced when it comes to addressing some of these cyberthreats?
WALKER: I certainly do. I was going to say before that question came up, that the U.S. is a lot more advanced in operational-technical security than the U.K. That's my opinion. Maybe some would differ with me; but from the people I know in the U.S. and the operatives I've worked with, I've certainly seen them to be a little bit more prepared. The U.K. has become a little bit of a slave to the good old PCI-DSS [Payment Card Industry Data Security Standard], and I believe this is another problem we've encountered in some parts of the industry where PCI has been seen as security. In actual fact, it's not. I believe the PCI effort has certainly detracted from the investment in operational security.
KITTEN: You've mentioned denial of service attacks and then talked about the fact that you've seen an incident that wasn't handled quite so well. What do you think is the greatest worry when it comes to some of the denial of service attacks that are being waged against institutions in Europe?
WALKER: In the U.K., we've not actually done anything about things. Again, we've been very happy with compliance and standards, and I've certainly seen some lacking areas. For instance, I don't know if many organizations do have a complete robust CERT in place to deal with incidents as they come in. Everything seems to be dealt with, in my experience, on a piecemeal basis. When the attack happens, people start to think about what we should be doing, when, in actual fact, what they really need at the time is some kind of process; they need to know how to deal with it before it happens. But on a number of occasions I've seen this happen, where it's like the headless chicken spinning around.
KITTEN: Are banking institutions in Europe worried they might be targeted like banks in the U.S.?
WALKER: I believe they're worried. I think this is where we come down to this factor of a little bit more visibility. One of the factors in the U.K. that we've had a lot of debate over for a long, long time is actually whom to report breaches or attacks to. What we need is a portal; we need more collaboration. In fact, we need more collaboration, no matter what the nation is, across borders so we know what's going on. We need more information-sharing. But above all, we need somebody to go to, a body to report these incidents to, and there actually isn't today anything that's really robust enough to do that.
There have been a number of occasions of late where the notification of a breach has only come out because it got out. It became public and then notification came, which is a bit of a chicken-and-egg situation. In the U.S., you've had some good legislation regarding notification; that's the kind of material we need in the U.K. or Europe. There's work going on now in areas of governance, but it's not very popular; and when it comes down to it, people just don't want to share their insecurities.
Information Sharing, Collaboration
KITTEN: What would you say institutions in other parts of the world could learn from what's being done here in the U.S. to share information and collaborate?
WALKER: I would certainly look toward the way the U.S. has been operating in a very open format for a number of years. It may be painful at the time, but it does deserve to serve security. And we would be well-advised to be a little bit more transparent in reporting. There's an old feeling in the U.K. that you don't air dirty laundry in public, which means if you can cover it up, in some cases, you may wish to do that. Again, I've had first-hand experience with one particular company where they had a breach losing 35,000 bank records on an unencrypted laptop; the risk assessment conducted by the director of security was that they had no evidence that the data had been compromised, therefore, they didn't need to report it. Clearly, that's misdirection.
KITTEN: How concerned should we be that other industries, as well as international organizations that fall outside banking, might be targeted?
WALKER: I believe we have this across the floor of industry, be it financial or government. This is happening today, and I believe we really are now starting to see the signs of people waiting to say, "We do have a real risk." Quoting something from Richard Clarke's book on cyberwar, "The genie's out of the bottle," and it's going to be very difficult to get it back in there.
KITTEN: What advice could you share for international organizations about addressing cyberthreats?
WALKER: I've written on it a number of times, and am really firm on the fact that we need to lose this attention, this pre-consideration, that standards and compliance will deliver security. They deliver compliance. I would like to see more investment in operational security. Sometimes in organizations, some of the junior members are a lot more skilled in technology than the senior staff. That senior staff often does not know or won't even admit they do not understand technical security. I believe we need to get back to basics. We need to start to understand what technical-operational security really is, and we need to lose this love affair we've been in for so long with standards and compliance.