EU Banks Not Prepared for Attacks

Experts Cite Inadequate Controls, Information Sharing Tracy Kitten (FraudBlogger) • September 28, 2012    
EU Banks Not Prepared for Attacks

Website outages that so far have targeted five leading U.S. banks should serve as a warning to global institutions of cyberthreats to come.

See Also: MITRE and XDR Integration | Enhancing Threat Detection and Prioritization of Advanced Threats

Yet, major European institutions are not prepared to prevent or respond to such attacks, according to fraud and security experts at the European Network and Information Security Agency and Barclays, one of the world's leading banks.

"What I see so much in Europe, especially in the U.K., is that no one wants to talk about the attacks they're seeing," says DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London.

Walker says European institutions are closely watching the attacks aimed at the U.S. But few have taken adequate steps to address their own security risks.

"The American operatives seem to be more tuned in with cybersecurity," he says. "It seems institutions in the U.S. are more technical."

Escalating Attacks

In recent days, U.S. Bank, PNC, Wells Fargo, Bank of America and Chase Bank have all suffered online-banking and website outages believed to be linked to denial of service attacks waged against them by the group known as Izz ad-Din al-Qassam Cyber Fighters (see More U.S. Banks Report Online Woes).

Although the original Pastebin post is no longer visible, the alleged attackers taking credit for the Wells takedown say other large institutions in Israel, France and United Kingdom will be next if the U.S. does not remove the "Innocence of Muslims" video from the Web. The brief YouTube video, referred to by Izz ad-Din al-Qassam as casting a negative light on Islam, has reportedly been removed by Google in some countries but not the U.S. and other markets, where freedom of expression violates no laws.

If or when those attacks do hit, most European banks are not equipped to effectively mitigate their risk, Walker says. "They are completely relying on firewalls for protections," he says. And if an attack gets through firewalls, then the hackers have access to everything, because too many banks do not have any other controls in place.

"This is a really big problem here," Walker says. "There are some very big companies in the U.K. that have been targeted by groups in China and Egypt with denial of service attacks, and yet there seems to be resistance to talk about this opening and address the security issue."

U.S. Sets Cybersecurity Example

In the United States, on the other hand, open information sharing and collaboration between the Federal Bureau of Investigation and financial groups such as the Financial Services Information Sharing and Analysis Center, as well as among the financial institutions themselves, is having a positive impact.

Neira Jones, a financial and cyberfraud expert who oversees payments security for Barclays, says European banks could learn quite a bit about cybersecurity and breach notification from the U.S. examples.

"The difference between the States and Europe, in general, is that in most U.S. states you have disclosure laws," Jones says.

Some of that will soon change, when the new European Union Data Protections Laws take effect, she says. But in the U.K. and most parts of Europe, when it comes to breaches, disclosure remains a problem.

"In the U.S., if someone is directly affected by a DDoS attack, they're more open to posting it on social networks," Jones says. "The environment is more open to communicating about attacks."

Previous
More U.S. Banks Report Online Woes
Next
Attacks Put Banks on Alert

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



Around the Network

Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
Inside Look: FDA's Cyber Review Process for Medical Devices
Inside Look: FDA's Cyber Review Process for Medical Devices
Why OT Security Keeps Some Healthcare Leaders Up at Night
Why OT Security Keeps Some Healthcare Leaders Up at Night
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care
Zero Trust, Auditability and Identity Governance
Zero Trust, Auditability and Identity Governance
Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
The State of Security Leadership
The State of Security Leadership
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ddos.inforisktoday.com, you agree to our use of cookies.