
The Big Ones We Don't Hear About
Banks don't want you to know their systems are insecure.
You must have divulged your PIN, sir.
Several UK banks have suffered actual financial losses as a result of cyber-attacks in the last six months, according to a Bank of England study. The Bank of England’s latest Financial Stability Report, published on Thursday, reiterates warnings about the risk posed by hacking attacks made six months ago when Andrew Haldane, …
"Banks must make more effort to retrain or re-skill their employees," he said. "Much more emphasis should be placed on retention of soft skills, IP, organisational culture, the evolution of internal security policies and knowledge of legacy systems."
What employees? When you've outsourced all this stuff to some nice chaps in India and made your employees redundant, it is clearly not your problem any more (well - that's what the salesman from the outsourcing outfit said).
While it sounds so common and reasonable that most people will accept it as truth without further thinking about it, blaming legacy systems for vulnerabilities is actually pretty absurd. Whatever else can be said against legacy systems, at least they are pretty secure against outside hacker attacks. What's highly vulnerable is the contemporary Windows and Linux stuff running on x86 servers (PC technology). Over the recent years many tons of such stuff have been bolted onto the legacy systems, and it is exactly here where the hackers come in.
Yes and no - there is actually a problem that has by now acquired the title "legacy" as well: general security management. There is no innovation, yet the bad guys continue to find new ways to crawl inside. The whole APT term is about doing this step by step, whereas banks seem to be more focused on going through the correct motions to avoid liability, making security people into nothing more than glorified administrators. That is no longer enough.