Caute_cautim
Community Champion

Banks told to attack themselves

Hi All

 

Now this is an interesting strategy from Australia, which will probably creep into New Zealand as well, given that Australian Banks control New Zealand ones - but due to the APRA and BS11 regulations they have to work independently and be up and running within 6 hours to ensure that financial transactions keep going.

 

https://www.afr.com/companies/financial-services/banks-ordered-to-simulate-cyber-attacks-20201209-p5...

 

a). Someone is going to make a regular monetary sum out of this, unless they do it internally

 

b) How to ensure objectivity and rotation to ensure that they don't get into a group think situation or attempt to repeat the results from the previous test and find a subsequent compromise which then comes under investigation and vast penalties.

 

c). Use it as a training opportunity for Universities, and Hackathons to see what they can?

 

Regards

 

Caute_cautim

7 Replies
Beads
Advocate I

Re: Banks told to attack themselves

Much like my rules for auditing, I don't want to see the same person more than once every two years, nor do I want to see the same testing regimen used over and over again. I have no idea how large, small or incestuous the New Zealand/Australian banking industry is by size or business relationship may be. Putting good starting rules and controls shouldn't be a high hurdle to cross here provided you have a third party bank or regulator overseeing the audit process.

 

If you are able to successfully self-regulate you need to be able to prove your good works to the public by self-certifying the results and publicizing the redacted or cleaned up results for public inspection. Hiding the results will only make you appear to be hiding something and we already have enough of that. Explanation of the results should be simple and complete enough for the public to understand but not a roadmap as to how to compromise the institution you're trying to protect. Yes, it's tricky to pull off but that's why we have lots of smart people in the room.

 

As for outside hack-a-thons and what not goes. Having worked for major US banks as both an auditor and architect means seeing any real hacking attempts are not made by college level students, not without substantial assistance as much banking losses are due to fraud and fraudulent wire transfers not direct hacking. Perhaps it's different outside of the US as I have no foreign banking experience.

 

Good luck with the solution.

 

- b/eads

 

 

rslade
Influencer II

Re: Banks told to attack themselves

> Beads (Advocate I) posted a new reply in Industry News on 12-11-2020 10:28 AM in the (ISC)² Community :

 

> I have no idea how large, small or incestuous the
> New Zealand/Australian banking industry is by size or business relationship
> may be.

 

As far as I can tell, pretty much all of the banking industry is fairly incestuous ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Beads
Advocate I

Re: Banks told to attack themselves

M & A has a tendency to do that, yeah. Since I am only familiar with the US side I thought I'd bring it up for comment.

 

- b/eads

dcontesti
Community Champion

Re: Banks told to attack themselves

So Rob, I disagree with you in general.  I believe there is a huge difference in banks and their relationships.  Why do I say this:  Canada and the US have diversely different banking rules/regs.

 

see:

 

https://www.visualcapitalist.com/canada-u-s-banking-differences/

 

In the US, banks may well be incestuous (with 7000 different banks, it is inevitable).  

 

The concept of attacking one's own organization is not new (hence why we have penetration testing companies and CEH).

 

The problem with self testing is getting management to buy into it.

 

Not wild about using Universities/hackathons to do the testing but it is an option.

 

Will be interesting to see how this all flushes out.

 

d

 

rslade
Influencer II

Re: Banks told to attack themselves

> dcontesti (Community Champion) posted a new reply in Industry News on 12-11-2020 06:10 PM in the (ISC)² Community :

> So Rob, I disagree with you in general.

So what else is new? 🙂

> I believe there is a huge difference in banks and their relationships.  Why
> do I say this:  Canada and the US have diversely different banking
> rules/regs.

Well, I'm not talking about regs (or even mergers and acquisitions, Brent), I'm
talking more about actual incest. (I'm rather amazed we've been able to talk about
this for all this time without falling afoul of the dreaded "community" pr0n filter.)
Banks tend to try and keep social interactions within the bank, or the bank
community. I assume this is kind of an attempt to deal with insider attacks: keep
your enemies really, really, really close and they won't be able to do anything.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
has/bin: The proper term for out-of-date software on Unix/Linux
systems -https://twitter.com/SecurityHumor/status/552175603374637056
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

rslade
Influencer II

Re: Banks told to attack themselves ( (ISC)² Community Subscription Update)

(And, Diana, of course I kid because I know you can take it, and are one of the
people whose posts I do take seriously 🙂

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Once you were a child. Once you knew what inquiry was for.
There was a time when you asked questions because you wanted
answers and were glad when you had found them. Become that child
again: even now. - C. S. Lewis, `The Great Divorce'
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

dcontesti
Community Champion

Re: Banks told to attack themselves ( (ISC)² Community Subscription Update)

Rob,

 

I know you jest....never worry there.....I will always push back 

 

d