topic Re: Banks told to attack themselves in Industry News

Banks told to attack themselves

Caute_cautim — Mon, 09 Oct 2023 09:43:41 GMT

Hi All

Now this is an interesting strategy from Australia, which will probably creep into New Zealand as well, given that Australian Banks control New Zealand ones - but due to the APRA and BS11 regulations they have to work independently and be up and running with 6 hours to ensure that financial transactions keep going.

https://www.afr.com/companies/financial-services/banks-ordered-to-simulate-cyber-attacks-20201209-p56lun#:~:text=Banks%20have%20been%20ordered%20to,against%20institutions%20to%20expose%20weaknesses

a). Someone is going to make a regular monetary sum out of this, unless they do it internally

b) How to ensure objectivity and rotation to ensure that they don't get into a group think situation or attempt to repeat the results from the previous test and find a subsequent compromise which then comes under investigation and vast penalties.

c). Use it as a training opportunity for Universities, and Hackathons to see what they can?

Regards

Caute_cautim

Re: Banks told to attack themselves

Beads — Fri, 11 Dec 2020 15:28:18 GMT

Much like my rules for auditing, I don't want to see the same person more than once every two years, nor do I want to see the same testing regimen used over and over again. I have no idea how large, small or incestuous the New Zealand/Australian banking industry is by size or business relationship may be. Putting good starting rules and controls shouldn't be a high hurdle to cross here provided you have a third party bank or regulator overseeing the audit process.

If you are able to successfully self regulate you need to be able to prove your good works to the public by self-certifying the results and publicizing the redacted or cleaned up results for public inspection. Hiding the results will only make you appear to be hiding something and we already have enough of that. Explanation of the results should be simple and complete enough for the public to understand but not a roadmap as to how to compromise the institution your trying to protect. Yes, its tricky to pull off but that's why we have lots of smart people in the room.

As for outside hack-a-thons and what not goes. Having worked for major US banks as both an auditor and architect means seeing any real hacking attempts are not made by college level students, not without substantial assistance as much banking losses are due to fraud and fraudulent wire transfers not direct hacking. Perhaps its different outside of the US as I have no foreign banking experience.

Good luck with the solution.

- b/eads

Re: Banks told to attack themselves

rslade — Fri, 11 Dec 2020 18:25:50 GMT

> Beads (Advocate I) posted a new reply in Industry News on 12-11-2020 10:28 AM in the (ISC)Â² Community :

> I have no idea how large, small or incestuous the
> New Zealand/Australian banking industry is by size or business relationship
> may be.

As far as I can tell, pretty much all of the banking industry is fairly incestuous ...

Re: Banks told to attack themselves

Beads — Fri, 11 Dec 2020 21:38:16 GMT

M & A has a tendency to do that, yeah. Since I am only familiar with the US side I thought I'd bring it up for comment.

- b/eads

Re: Banks told to attack themselves

dcontesti — Fri, 11 Dec 2020 23:10:55 GMT

So Rob, I disagree with you in general. I believe there is a huge difference in banks and their relationships. Why do I day this: Canada and the US have diversely different banking rules/regs.

see:

https://www.visualcapitalist.com/canada-u-s-banking-differences/

In the US, banks may well be incestuous (with 7000 different banks, it is inevitable).

The concept of attacking one's own organization is not new (hence why we have penetration testing companies and CEH.

The problem with self testing is getting management to buy into it.

Not wild about using Universities/hackatons to do the testing but it is an option.

Will be interesting to see how this all flushes out.

Re: Banks told to attack themselves

rslade — Sat, 12 Dec 2020 18:52:18 GMT

> dcontesti (Community Champion) posted a new reply in Industry News on 12-11-2020 06:10 PM in the (ISC)Â² Community :

> So Rob, I disagree with you in general.

So what else is new? 🙂

> I believe there is a huge difference in banks and their relationships. Why
> do I day this: Canada and the US have diversely different banking
> rules/regs.

Well, I'm not talking about regs (or even mergers and acquisitions, Brent), I'm
talking more about actual incest. (I'm rather amazed we've been able to talk about
this for all this time without falling afoul of the dreaded "community" pr0n filter.)
Banks tend to try and keep social interactions within the bank, or the bank
community. I assume this is kind of an attempt to deal with insider attacks: keep
your enemies really, really, really close and they won't be able to do anything.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
has/bin: The proper term for out-of-date software on Unix/Linux
systems -https://twitter.com/SecurityHumor/status/552175603374637056
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Banks told to attack themselves ( (ISC)Â² Community Subscription Update)

rslade — Sat, 12 Dec 2020 18:55:18 GMT

(And, Diana, of course I kid because I know you can take it, and are one of the
people whose posts I do take seriously 🙂

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Once you were a child. Once you knew what inquiry was for.
There was a time when you asked questions because you wanted
answers and were glad when you had found them. Become that child
again: even now. - C. S. Lewis, `The Great Divorce'
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Banks told to attack themselves ( (ISC)Â² Community Subscription Update)

dcontesti — Sat, 12 Dec 2020 19:53:57 GMT

Rob,

I know you jest....never worry there.....I will always push back