(Translated from the original Italian)
In these days it has been discussed about a possible Iranian cyber offensive against US banks immediately denied by government of Teheran, the event raised the discussion on the real level of security of banking systems.
Financial institutions are considerable privileged targets for a cyber attacks, banking system is a critical asset for a nation and its paralysis could damage economic activities.
Under these premises it's simple to understand the need to address banking in the cyber strategy of every country, it's fundamental to protect financial institutions thanks to a strict collaboration between them and governments agencies.
The failure of the this collaboration could exposes to risks to homeland security, that is exactly what is happened in US where financial services institutions don’t haven't informed law enforcement about having been victimized by cyber attacks.
The news has been provided by a top Department of Justice official after the observed attacks against Bank of America and JPMorgan Chase.
In US all states have adopted laws requiring that companies victims of incident to notify information to their customers in order to proper response to the event. Recently, Senate Republicans have introduced draft legislation known as the “Data Security and Breach Notification Act of 2012 (S.3333)” to propose a national recognized procedure to respond to data breaches.
Governments networks are privileged targets for several type of attackers, foreign state-sponsored hackers, hacktivists and cyber criminals are increasing the frequency of the attacks, mainly with cyber espionage purpose, to expose government information or to steal intellectual properties in critic sectors such as the defense.
Doug Johnson, vice president of risk management policy for the American Bankers Association and a member of FS-ISAC, is convinced that we will assist to an increase of cyber attacks against banking sector, banks of all sizes should prepare now for increasing offensive.
"They could be subject to a threat," he says.
Lanny Breuer, assistant attorney general for the department’s criminal division, defined cybercrime one of the most serious threats to national security declaring :
“is so hard to get a handle on because a lot of it is perpetrated by those working abroad who are skilled at what they do, and the anti-virus software most of us use only protects us from known vulnerabilities.”
Sophisticated malware and botnets are threatening principal computer networks of all sectors, mainly the banking one, and it is very hard to distinguish state-sponsored attacks from cyber criminal offensives.
The concern for the wave of cyber attacks is high, consider that The Financial Services Information Sharing and Analysis Center, an industry security group has recently raised its threat level for cyber attacks to “high” from “elevated.”
Serious repercussions could also be observed on the user's perspective, the discovery of continuous vulnerabilities in tools such as web browsers requires great attention by the customers that have to keep updated their systems also thanks to a prompt alerting services of the banks.
The fear of being victims of computer fraud could turn away the user from online services with a major impact on banks, that’s why financial institutions are introducing new technologies to protect user such as multi purpose authentication tokens and hardened browsers.
To complicate the scenario is the recent and rapid introduction of financial services available on social network platforms and on mobile environment, both suffer leak of security and poor awareness level of their user creating favorable conditions for cyber crimes.
Breuer also highlighted the difficulty to conduct investigations on crimes for the nature itself of the events that occur in limited time and for the impossibility to collect clues respecting privacy rights that delay the collection of evidences after a cyber attack.
Let's consider for example that Internet Service Providers (ISPs) are not obliged to retain their data for any specific amount of time and if investigation are not conducted immediately after the incident in many cases it is impossible to access to useful data.
How to mitiate risks?
It's desirable a joint commitment of banking institutes, governments and also the customers.
- From the institution perspective it must be enhanced a vigilance network to identify ongoing attacks and alert the community to put in place the needed counter measures.
- Of course banking IT sector and government must be trained to response to the new wave of attacks that is why I suggest also in the staff the presence of cyber security experts and hackers, the war must be fought with same weapons.
- Education of employees is another crucial aspect, they must be prevented APT attacks started for example with classic phishing campaign.
- "Limit employees' ability to remotely access internal networks and work-related e-mails from personal devices."
- Promote awareness campaign for customers that must be conscious of the incoming cyber threats and the effort spent by banks to prevent the attacks. Users must be educated in the proper use of new technologies and must be informed on the evolution of the cyber threats and related risks.
Banking institutes must understand that we are in the cyber war era and they are privileged targets for cybercrime and state-sponsored attacks.