The scenario involved simulating a three-day attack on our financial system, including denial of service attacks on the global websites of major banks, the penetration of secure networks by hackers, and problems with core payment systems. Some 220 people were involved in this war game exercise, which included 14 investment banks and major lenders, as well as providers of financial infrastructure and representatives of the Bank of England, the Financial Conduct Authority and the Treasury.
I am in favour of such exercises and believe that these types of events should be repeated with much more regularity to ensure that we are adequately testing our defences. Cyber-attacks have long been identified as one of the biggest problems for our banking industry, and major financial services groups face regular attacks on their systems from a variety of sources, including both criminal gangs and foreign governments. Most of these attacks are relatively small-scale, but some have led to severe security breaches and the collapse of core systems. The problem will only increase as we now face exponential growth in identities, both in the number and in the types of identities (people, devices, apps, social, mobile and cloud), all of which have the potential to be compromised. Attacks continue to grow in sophistication. No longer a playground for juvenile hackers, we now have nation-states, organised crime and hacktivists to contend with. Of course all the traditional forms of protection such as anti-virus, next generation firewalls and so on are completely necessary. Such measures, however, will only protect a bank against 80 to 90 per cent of attacks. It is the ten to 20 per cent of attacks that make it through where banks need to focus on protecting the identities and the transactions of individuals, which is an area that Waking Shark hasn't particularly focused on. Today's threats require stronger means of authentication than simple usernames and passwords, particularly for high risk financial transactions such as wire transfers. Single factor authentication is not enough to protect against current online account fraud and identity attacks. In general, today's banks are relying on usernames/passwords and then possibly some form of knowledge-based authentication (i.e. question and answer, password replay, PIN).
Online fraud and identity attacks are frequently the result of the exploitation of single-factor authentication or weak multi-factor authentication schemes. In my experience the authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods, and I would urge banks to look at strong and advanced authentication layers. Layering factors of authentication can increase security and help limit vulnerability to identity attacks. Properly designed and implemented strong and advanced authentication methods are more reliable and are stronger deterrents to fraud. If that is the case, the question is why don't many banks deploy more effective strong and advanced authentication today? Based on most financial institutions' innate ability to manage risk through business means, most have considered this level of security a low priority given the cost and resources required to manage and deploy strong and advanced authentication solutions. In addition, traditional solutions have not always provided the flexibility and ease of use required. Banks have seen security as a way to protect themselves, rather than as a means to build customer loyalty and competitive advantage in the marketplace. Often, worries that users will find the process of authenticating with multiple factors complicated or intimidating have inhibited the use of these authentication methods. But as risks increase, the true importance and necessity of strong and advanced authentication are much clearer. That said, the issue of user acceptance must remain at the forefront of all authentication decisions. Determining which additional factors to apply, and how to implement them with the least possible stress on users, requires a thorough assessment of risk, careful selection and planning. There are many authentication methods, ranging from simple single factor authentication in the form of usernames and passwords to sophisticated strong and advanced authentication mechanisms.
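The point above about weak multi-factor schemes and knowledge-based authentication can be made concrete with a small step-up policy check. This is an added example, not code from the article or from Entrust; the credential-to-factor mapping, risk tiers and thresholds are assumptions for illustration. It treats a password plus a PIN or security question as one factor category, not two, and requires a second distinct category for wire transfers.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"     # password, PIN, security question
    POSSESSION = "something you have"    # OTP token, registered device
    INHERENCE = "something you are"      # fingerprint

# Assumed mapping of credential types to factor categories for this example.
# Password, PIN and security questions all fall into KNOWLEDGE, so combining
# them does not make a scheme multi-factor.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_token": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# Assumed policy: minimum number of distinct factor categories per risk tier.
REQUIRED_FACTORS = {"low": 1, "medium": 2, "high": 2}

def distinct_factors(verified_credentials):
    """Count distinct factor categories among credentials already verified
    in this session; unknown credential types are not counted."""
    return len({CREDENTIAL_CATEGORY[c] for c in verified_credentials
                if c in CREDENTIAL_CATEGORY})

def classify_risk(tx_type, amount):
    """Assign a risk tier. Wire transfers are always high risk; the amount
    threshold for 'medium' is an assumed value."""
    if tx_type == "wire_transfer":
        return "high"
    if amount >= 1000:
        return "medium"
    return "low"

def authorize(tx_type, amount, verified_credentials):
    """Return (allowed, reason). The transaction is refused, and step-up
    authentication requested, when the session's distinct factor count is
    below what the transaction's risk tier demands."""
    tier = classify_risk(tx_type, amount)
    have = distinct_factors(verified_credentials)
    need = REQUIRED_FACTORS[tier]
    if have >= need:
        return True, f"{tier} risk: {have} factor(s) present, {need} required"
    return False, f"{tier} risk: step-up needed ({have} of {need} distinct factors)"
```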
Each method delivers a different balance point between cost, security and user complexity. With malware, phishing and online attacks set to increase, it is vital that consumer confidence is maintained and that online identities are protected. At the same time, the issue of user acceptance must remain at the forefront of all authentication decisions. An effective strong and advanced authentication deployment must be easy to use and have customer acceptance no matter how many or which factors are being used; otherwise this will cause other issues for banks. Moving forward, I believe that exercises like Waking Shark also need to look at all areas of security, including authentication, rather than just the big cyber-attacks. At Entrust we recommend a layered approach to security. Firewalls, endpoint security (AV), network monitoring and other technologies are all useful tools. But people and policies are just as important as the tools, and enterprises can employ all of these layers and still only have 80 to 90 per cent protection. Protecting the identity, we believe, is still missing from many security layering strategies and must be addressed. Mark Reeves is SVP International for Entrust.