EU Banks Not Prepared for Attacks: Experts Cite Inadequate Controls, Information Sharing
Website outages that so far have targeted five leading U.S. banks should serve as a warning to global institutions of cyberthreats to come.
Yet, major European institutions are not prepared to prevent or respond to such attacks, according to fraud and security experts at the European Network and Information Security Agency and Barclays, one of the world's leading banks.
"What I see so much in Europe, especially in the U.K., is that no one wants to talk about the attacks they're seeing," says DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London.
Walker says European institutions are closely watching the attacks aimed at the U.S. But few have taken adequate steps to address their own security risks.
"The American operatives seem to be more tuned in with cybersecurity," he says. "It seems institutions in the U.S. are more technical."
In recent days, U.S. Bank, PNC, Wells Fargo, Bank of America and Chase Bank have all suffered online-banking and website outages believed to be linked to denial of service attacks waged against them by the group known as Izz ad-Din al-Qassam Cyber Fighters (see More U.S. Banks Report Online Woes).
Although the original Pastebin post is no longer visible, the alleged attackers taking credit for the Wells takedown say other large institutions in Israel, France and the United Kingdom will be next if the U.S. does not remove the "Innocence of Muslims" video from the Web. The brief YouTube video, which Izz ad-Din al-Qassam says casts a negative light on Islam, has reportedly been removed by Google in some countries, but not in the U.S. and other markets where freedom-of-expression protections mean the video violates no laws.
If or when those attacks do hit, most European banks are not equipped to effectively mitigate their risk, Walker says. "They are completely relying on firewalls for protections," he says. And if an attack gets through firewalls, then the hackers have access to everything, because too many banks do not have any other controls in place.
"This is a really big problem here," Walker says. "There are some very big companies in the U.K. that have been targeted by groups in China and Egypt with denial of service attacks, and yet there seems to be resistance to talk about this openly and address the security issue."
U.S. Sets Cybersecurity Example
In the United States, on the other hand, open information sharing and collaboration between the Federal Bureau of Investigation and financial groups such as the Financial Services Information Sharing and Analysis Center, as well as among the financial institutions themselves, is having a positive impact.
Neira Jones, a financial and cyberfraud expert who oversees payments security for Barclays, says European banks could learn quite a bit about cybersecurity and breach notification from the U.S. examples.
"The difference between the States and Europe, in general, is that in most U.S. states you have disclosure laws," Jones says.
Some of that will soon change when the new European Union data protection laws take effect, she says. But in the U.K. and most parts of Europe, when it comes to breaches, disclosure remains a problem.
"In the U.S., if someone is directly affected by a DDoS attack, they're more open to posting it on social networks," Jones says. "The environment is more open to communicating about attacks."