Wednesday, January 23, 2013
Four hundred and forty-six financial institutions participated in the CAPP test, in which simulated attacks included online bank account takeovers, DDoS attacks, altered automated clearing house files, fraudulent wire transfer requests and the loss/theft of personally identifiable customer information. The tabletop exercise, during which no actual attempts were made to penetrate FIs' systems, was conducted over two three-day periods in the fall of 2012.
Once the tests were completed, the FS-ISAC compiled the results and distributed them to its members. The organization stressed that the participating FIs took the tests anonymously, and that the results were aggregated to show overall security trends and not to single out any individual institution's security strengths or weaknesses. The FS-ISAC said the goal of the exercise, which has been administered annually over the last three years, is to help FIs evaluate their own security practices and facilitate the sharing of knowledge and the development of security best practices industrywide.
Charles Bretz, FS-ISAC Director of Payment Risk, said CAPP tests are facilitated via WebEx online conferences. On each day of the exercise, FIs' incident response teams are sent links to recorded WebEx sessions. The sessions present simulated conference calls, about cyber attacks, between response teams and their FIs.
Each day of the test, response teams are asked 15 to 20 multiple choice questions, Bretz said. The answers supplied by the teams are entered into an online survey tool. The answers are tabulated and the FS-ISAC publishes the results confidentially among its members about a month later, at which point FIs can compare their attack responses against the anonymous, aggregated responses of their peers.
Bretz said, "Let's say a team self-graded and said, 'Boy, we really screwed up this. We're not ready in this area.' Well, they realize that and take corrective action because it was done in a safe, confidential environment."
To test FIs' capacity to respond to ever more sophisticated attacks, the FS-ISAC threw them "curveballs" in the form of complex attacks, where response teams would have to deal with multiple threats at the same time, such as a simultaneous account takeover and DDoS attack. "The threats that we put in the exercise are based on the current threats that have been anonymously reported by our members," Bretz said. "So these are real-world threats. These are not contrived hypotheticals. These are the threats the industry is facing. And they change every year."
The cyber security stakes seem only to be growing. On Jan. 22, 2013, BankInfoSecurity reported that the Muslim "hacktivist" group Izz ad-Din al-Qassam Cyber Fighters recently targeted PNC Financial Services Group, Fifth Third Bank and JPMorgan Chase & Co. with DDoS attacks. The report said the hacktivists have been inundating U.S. banks with cyber attacks since September 2012.
A December 2012 report conducted by the Ponemon Institute and sponsored by Corero Network Security suggested FIs are not up to the task, as they lack effective security technology to deal with new threats. The report, A Study of Retail Banks & DDoS Attacks, said information technology survey respondents reported their FIs still rely on traditional technology, with 35 percent of respondents specifying firewalls.
"The belief that traditional perimeter security technologies such as firewalls are able to protect against today's DDoS attacks is lulling not only financial institutions but organizations across every sector into a false sense of security," said Corero President Marty Meyer. "Many organizations assume traditional firewalls can provide protection against DDoS and Zero-Day exploits at the perimeter, yet this is not what they were designed to do and therefore attacks are still getting through."
However, the FS-ISAC has a different view. "FS-ISAC members are reporting that they have implemented defense in depth," Bretz said. "They are not relying on a single technique or just a few techniques, but multiple risk mitigation processes. This layered defense approach may involve traditional security techniques as well as advanced techniques. The effectiveness of this approach is not in any single method but in the synergy between these methods."
FS-ISAC members are also reporting that they are adding additional security layers in response to new threat information being shared among the members, according to Bretz.