Bank Attacks Expose Security Gaps

Too Much Focus on Compliance, Not Enough on Security

By Jeffrey Roman, October 29, 2012. Follow Jeffrey @ISMG_News
Organizations everywhere should be concerned about distributed denial of service attacks and other emerging cyberthreats. But most are too focused on compliance to pay enough attention to fraud and security fundamentals, says DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London.

"I'm really firm on the fact that we need to lose this pre-consideration that standards and compliance will deliver security," says Walker in an interview with Information Security Media Group's Tracy Kitten [transcript below].

"I would like to see more investment in operational security," he says.

Recent DDoS attacks that have affected online-banking sites at leading U.S.-based institutions are getting international attention.

But Walker says European institutions are not taking the steps their American brethren have to address emerging DDoS threats. Banks in Europe have spent so much time focused on standards and compliance, they've lost sight of security, he says. In fact, operational security is lacking in a number of areas, and most security teams at European banks are far behind where similar teams are in the U.S.

"We need to start to understand what technical-operational security really is, and we need to lose this love affair we've been in for so long now with standards and compliance," Walker says. "I believe we need to go back to basics. We need to start to understand what technical-operational security really is."

Organizations internationally need to improve their information-sharing and collaboration efforts as well, he says. And they could learn quite a bit from examples being set by banking institutions in the U.S. "But above all, we need a body to report these [breach] incidents to," Walker says.

During this interview, Walker discusses:

  • Why the threats facing U.S. banking institutions pose increasing concerns for banks in all developed countries;
  • Why European institutions are ill-equipped to defend themselves;
  • How more information sharing and international collaboration will increase global cybersecurity.

Walker is an independent security professional based in London who holds security certifications from ENISA and ISACA. Over the course of his career, Walker has delivered more than 60 global presentations about cybersecurity, and has published numerous papers and articles.

DDoS Attacks: Who's Responsible?

TRACY KITTEN: The attacks that hit U.S. banking institutions in the last few weeks have been suspected of being backed by Iran. Do you believe that was in fact the case?

JOHN WALKER: Certainly there's a high probability that this is where they're coming from, but there are other volatile places in the world as well, like North Korea and China and so on. I think we live in that age now where we must realize that the computer can be used to inflict pain or cyberconflict.

One of the things I would draw back on is there has been a lot of talk about this threat that's coming and evolving. This threat has actually been there for some considerable time. I've been aware of cyberattacks going on for the last five years, maybe not the level we see today, but up to five years ago I was seeing cyberattacks come in from hijacked Chinese newspapers, for instance, against U.K. financial institutions.

International Concern

KITTEN: How are organizations and institutions in other parts of the world, such as Europe, viewing these attacks that are hitting U.S. banks?

WALKER: I think they're observing them. Also, in a number of cases, they're facing them in the U.K. There has been a rise in cyberextortion. I know of at least two organizations that have been suffering cyberextortion for some considerable time; one case was followed by a reasonably successful DDoS attack. The problem I've seen with cyberextortion is nobody wants to talk about it in the public, so we never hear about it. And when these attacks do come in, they're not handled well. I know of one example in the U.K., and it was treated absolutely appallingly, involving a discussion with the attackers and conversations about what they knew. It was a real reflection of the immaturity in that particular case of the senior security personnel.

Who's Better Prepared?

KITTEN: Do you see activity in the U.S. being more advanced when it comes to addressing some of these cyberthreats?
