Now this is an interesting strategy from Australia, which will probably creep into New Zealand as well, given that Australian banks control New Zealand ones - but due to the APRA and BS11 regulations they have to work independently and be up and running within 6 hours to ensure that financial transactions keep going.
a) Someone is going to make a regular monetary sum out of this, unless they do it internally.
b) How to ensure objectivity and rotation, so that they don't get into a groupthink situation or attempt to repeat the results from the previous test, and then find a subsequent compromise which comes under investigation and vast penalties.
c) Use it as a training opportunity for universities and hackathons to see what they can?
Much like my rules for auditing, I don't want to see the same person more than once every two years, nor do I want to see the same testing regimen used over and over again. I have no idea how large, small or incestuous the New Zealand/Australian banking industry is by size or business relationship may be. Putting good starting rules and controls in place shouldn't be a high hurdle to cross here, provided you have a third-party bank or regulator overseeing the audit process.
If you are able to successfully self-regulate, you need to be able to prove your good works to the public by self-certifying the results and publicizing the redacted or cleaned-up results for public inspection. Hiding the results will only make you appear to be hiding something, and we already have enough of that. Explanation of the results should be simple and complete enough for the public to understand, but not a roadmap as to how to compromise the institution you're trying to protect. Yes, it's tricky to pull off, but that's why we have lots of smart people in the room.
As for outside hackathons and whatnot: having worked for major US banks as both an auditor and architect means seeing that any real hacking attempts are not made by college-level students, not without substantial assistance, as much of banking losses are due to fraud and fraudulent wire transfers, not direct hacking. Perhaps it's different outside of the US, as I have no foreign banking experience.
Good luck with the solution.
> Beads (Advocate I) posted a new reply in Industry News on 12-11-2020 10:28 AM in the (ISC)² Community :
> I have no idea how large, small or incestuous the
> New Zealand/Australian banking industry is by size or business relationship
> may be.
As far as I can tell, pretty much all of the banking industry is fairly incestuous ...
So Rob, I disagree with you in general. I believe there is a huge difference in banks and their relationships. Why do I say this: Canada and the US have diversely different banking rules/regs.
In the US, banks may well be incestuous (with 7000 different banks, it is inevitable).
The concept of attacking one's own organization is not new (hence why we have penetration testing companies and CEH).
The problem with self testing is getting management to buy into it.
Not wild about using universities/hackathons to do the testing, but it is an option.
Will be interesting to see how this all flushes out.