Friday, October 20, 2017

Tag: England

UK banks have been participating in a simulated cyber attack run by the Bank of England in a bid to test their defences. Called Operation Waking Shark II, it followed a similar initiative two years ago and focused on investment banking operations, the cash machine network, a potential liquidity squeeze and the likely fallout across social media. In addition to the Bank of England, the Treasury, the Financial Conduct Authority and staff at various financial institutions, including High Street banks, were involved. "Waking Shark II will bombard firms with a series of announcements and scenarios, such as how a major attack on computer systems might hit stock exchanges and unfold on social media. It will be co-ordinated from a single room housing regulators, government officials and staff from banks and other financial firms," according to Reuters. The March 2011 event, according to Reuters, "involved 'a concerted cyber attack upon the financial sector' that disrupted wholesale and retail payments and online services, and included more than 3,500 people, according to an evaluation published the next year." It was a much smaller operation, held in the auditorium of Credit Suisse at Canary Wharf. The Financial Policy Committee of the Bank of England in September mandated that the financial services industry must "ensure that there [is] a concrete plan in place to deliver a high level of protection against cyber attacks for each institution at the core of the financial system, including banks and infrastructure providers, recognising the need to adapt to evolving threats." The exercise, though, was criticised for not covering physical threats, such as the recent attacks on branches of Santander and Barclays in which the attackers attached KVM (keyboard, video, mouse) devices to PCs after tricking their way into the branches.
It also failed to address the social-engineering element of many attacks, in which attackers, whether insiders or outsiders, persuade staff to divulge login details. For example, US National Security Agency whistleblower Edward Snowden scooped up colleagues' login and password details by claiming he needed them to perform his systems administrator role.
The decisions taken by the financial and economic wizards whose jobs involve keeping the UK economy on track are underpinned by data and analytics from the Bank of England. Computer Weekly speaks to the bank's new CIO about the IT challenges and opportunities. John Finch has been CIO of the Bank of England since September 2013. Previously he worked at Experian. "It has been a huge opportunity coming to the Bank of England," he says, "to gain a different set of experiences and meet a different group of people." The Bank of England is considered a very traditional organisation. From an IT point of view, Finch says it is "conservative from an appetite for risk perspective, which is different to the private sector". That said, he says the Bank of England has made significant investment in analytics to capture data for making monetary policy decisions: "Analytics is a major part of what we do. In some cases we capture data that is fed into clever econometric models run by economists. But there are also standard off-the-shelf analytics tools to provide time-series data and trend analysis. We have some deeply analytical systems that capture data to provide intelligence to the people who look at the bank, the economy, and to make interest rate decisions." Along with the responsibility for supporting the analytics behind monetary policy, IT at the Bank of England also covers traditional banking functions such as high-volume transaction systems. It runs the critical national infrastructure for the clearing of inter-bank payments. "The bank is quite active on the exchange markets, the money markets and the gilts markets because it does a lot of the banking for government," he says.
Challenges for IT in banking
Clearing and commercial banks are massive organisations that have grown through acquisitions, with all of the complications of using different suites of systems, and have a diverse and ageing technology stack.
As a consequence, Finch says a lot of stress is placed on the technology, and the banks have huge sets of requirements from their businesses, such as when retail banks release new products. On top of these challenges, he says there is also increasing compliance, legislation and oversight following the credit meltdown, all of which affect IT. New government policy, such as the Help to Buy programme for getting people on the property ladder, means banks need a new mortgage product.

The mortgage systems have to take into account the new way the deposit threshold is calculated. "These are very difficult [IT] environments for the tech people in the banking industry," says Finch. Banking, like many industries, relies heavily on legacy systems. "People have never been able to go back and rework their legacy systems," the CIO says, pointing out that the main reason is the pace of change. "They are growing and need to focus on new areas." During the recent Gartner Symposium in Barcelona, one of the hot topics discussed was two-speed IT, where the IT department splits off innovation from core operations. Finch says the Bank of England clearing system is one such core IT system: it must remain 100% available, so there is little room for a Google-like approach to innovation, in which free thinking is encouraged and projects are allowed to fail. But he sees an opportunity for innovation in other areas of IT. Finch believes the concept of a digital social enterprise could benefit the Bank of England. "Now that we have good intranet knowledge management technologies, organisations are starting to coalesce around content," he says.

A user could create a document and tag it, and another user can then be alerted, as in a Twitter stream, when the document has been published or updated. "It is kind of like an internal Facebook with a knowledge enterprise tied in with mobility." For the Bank of England, such a system could enhance records management. "The digital strategy going forward will lay on social distribution of documents where you can tag a document and comment on it," says Finch.
The changing role of the CIO
The role of CIO at the Bank of England is primarily to look after the real-time systems that make up the UK payments infrastructure. "There is an element of the role in making sure these systems run well, and that they are secure and protected.

The CIO role also covers cyber security to protect commercially sensitive information that the Bank of England holds," says Finch.  The UK economy could be disrupted if such information were to be leaked before it was officially announced. Another key aspect of the CIO role is to develop an information and data strategy to determine how the Bank of England will capture data going forward.  "A hundred years ago people would have captured data manually. But with more information online, and from different sources, the bank [needs to find a way to] make use of this new [digital] data." For Finch, the most important part of the role is leading and energising the team of 450 permanent IT staff at the Bank of England and developing talent. "As the remit of the bank changes, we want to be in a position to develop and support the business," he says. "A lot of the folks in my team genuinely want to do the right thing for the good of society and the economy.

A lot of people who work here do the job out of a sense of public duty to create a stable banking system.

A really critical part of my role as CIO is to be able to provide a great environment for the team to develop their careers," says Finch.
Security experts have welcomed the most extensive cyber threat exercise in two years to test the preparedness of the financial infrastructure to withstand a sustained cyber attack. In a similar move, New York staged Quantum Dawn 2 in July 2013 to simulate how firms would cope with a cyber attack in markets. On 12 November 2013, Operation Waking Shark 2 will test thousands of staff at London's major financial institutions with a simulated cyber attack on systems on which the UK's financial system depends. The Bank of England, the Treasury and the Financial Conduct Authority will monitor responses to assess the ability of the UK's core financial services providers to withstand cyber attacks. The exercise is designed to test the resilience of UK banks, the stock market and payment providers to identify areas where improvement is needed. Simulations are likely to test how banks ensure the availability of cash from ATMs; how they deal with a liquidity squeeze in the wholesale market; and how well firms communicate with authorities and each other, with a particular focus on investment banking operations, according to Reuters. The seventh financial sector cyber exercise by UK authorities comes amid growing international concern about the safety of financial markets in the face of increasingly sophisticated cyber attacks. In September 2013, Scott Borg, chief of the US Cyber Consequences Unit, said he believed manipulation of international financial markets will be the next evolution of cyber crime. A recent report from the Treasury said the financial system had a number of potential vulnerabilities, reflecting its high degree of interconnectedness, its reliance on centralised market infrastructure and complex legacy IT systems. In the light of the report, the Bank of England's Financial Policy Committee (FPC) has given banks and organisations core to the financial system six months to outline their strategies to protect against potential cyber attacks.
Banks are increasingly being targeted by criminals. In September, Barclays and Santander were targeted by cyber criminals using a keyboard video mouse (KVM) switch to gain remote control of bank computers. The Santander attempt was foiled, but £1.3m was transferred out of accounts at Barclays before police tracked down the gang.
Multi-channel complexity
"It is vitally important that cyber security tops the priority list for IT departments in the UK's financial service organisations, so the news that capabilities in the UK will be tested is welcome," said Dorian Wiskow, client managing director, financial services, Fujitsu UK & Ireland. "Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures," he said. According to Wiskow, CIOs in the banking industry are facing the difficult challenge of securing multi-channel environments, while ensuring customer experience does not suffer. "What is paramount here is that the industry does not overlook or get complacent about security or place it in the 'too big to fix' category," he said. Barry Shteiman, director of security strategy at Imperva, also welcomed the exercise, saying it shows authorities realise that the threat is real, is growing, and is a risk for the UK financial industry.
Contingency plans
He said it was important to have a committee planning security controls, cyber attack response steps and a high-level protection plan. "This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats.

This is threat intelligence in its simplest and most effective form," said Shteiman. This also means that the government will potentially have a way to regulate and measure the cyber security state based on an educated study of best practices, he said, which will lead to financial information and estates being secured in a much more focused way. "This is what the PCI Data Security Standard (PCI DSS) has done with credit card companies and clearing houses to lower the risk of a breach. It had an important effect in making sure that every business that wishes to keep credit card information or transact in high volumes is required to secure itself or be fined," said Shteiman. Adrian Culley, a former detective with Scotland Yard's cyber crime unit and global technical consultant at security firm Damballa, said banks face advanced threats on a daily basis and often face challenges in dealing with these effectively. "Early detection and containment is paramount, because the fact is that these are complex systems and threats are designed to bypass even the most secure networks.

The threat will remain diverse, blended and sophisticated. So must the response," he said.
Network breach
Geoff Webb, director, solution strategy at security firm NetIQ, said that while it is good to see banks preparing for cyber attacks, they need to recognise that they are already likely to have been breached. "It might sound alarmist, but given that no firewall can guarantee to keep out all intruders, banks have to assume that cyber criminals are already inside their network," he said. According to Webb, the skill of modern cyber criminals lies in the fact that they can be almost indistinguishable from genuine employees. "Once inside an organisation's perimeter they immediately aim to elevate their own authorisation levels to those of a privileged employee, using that clearance to steal valuable information," he said. For this reason, Webb said talking about inside and outside threats to banking security is an increasingly outdated way of thinking. "Banks have to assume that they have already been breached and as a result need to act accordingly. Operation Waking Shark 2 helps banks to prepare for the external attacks that are happening on a regular basis, but banks need to address the fact that they are likely to have hackers inside their organisation already by monitoring who accesses what and when, looking for tell-tale signs of hacker activity," he said. A report on the outcome of Operation Waking Shark 2 is expected to be released either in December 2013 or early in 2014.
A GP has voiced her concerns about the NHS's controversial new system for collecting and analysing data, Care.data, questioning why the health service needs to obtain so much data from the UK's citizens. Dr Jane Lothian, GP and medical secretary at Northumberland Local Medical Committee (LMC), told Computing that while the Summary Care Record programme was just about justified, the amount of information that NHS England now wants to obtain in its Care.data programme seems excessive. The Summary Care Record contains information about the medicines patients take, allergies they suffer from and any bad reactions to medicines they have had. Care.data is far wider reaching, and Lothian believes this could be inappropriate, even if it is anonymised as the NHS claims it is, particularly because there hasn't been clarity on the secondary use of that data by third parties. "Everything will be coded; the better the practice, the more they will code the data, so some practices might even code the narrative, so it gives the Health and Social Care Information Centre (HSCIC) a lot of information. It's all OK if it's going to be used for public health planning, but there have been suggestions that the data might be accessible to third parties," she said. Sensitive data on patients would also be obtained, and Lothian believes that even with measures in place to anonymise data, certain patients' records could be identifiable. "Does everyone want to release diagnoses of sexually transmitted diseases, sexual function problems, mental health problems, and very detailed drug lists?" she asked.
"[The LMC] has always accepted and encouraged the use of data for planning health care, but the extraction for potentially identifiable information - and I know the NHS has said that there are many layers of anonymisation, which I believe, but it is just a very big change from the medication and allergies in the Summary Care records, to the whole of somebody's medical records - you just wonder why so much detail is needed," she said. Lothian did, however, welcome the NHS's decision to spend £1m on sending leaflets to householders to explain the plan. NHS England had initially told Computing that GPs were to raise awareness on their own. "As GP practices, we are much happier that information-giving will be taken out of our hands, and for something as big as this, it shouldn't be done on a local level anyway," she said.
BT, government intelligence agency GCHQ and the new National Crime Agency (NCA) are to join forces to test the cream of the UK’s amateur cyber security talent to find the next generation of cyber defenders. Experts from each organisation are to work together to design the final of this year’s Cyber Security Challenge UK, set to take place in March 2014. Stephanie Daman, CEO, Cyber Security Challenge UK, said: “To have such a diverse and high-profile combination of organisations working together to test the next generation of cyber security professionals suggests the final is going to be our most exciting yet.” The final will test the skills of the UK’s most talented amateur cyber defenders in a two-day competition to find the latest UK cyber security champion. Finalists will need to use technical, interpersonal and decision-making skills in a simulated work environment to solve the sort of problems cyber security professionals encounter every day. Some 42 finalists have been identified during 10 months of virtual and face-to-face competitions, including the UK’s first civilian cyber security training camps held across England and Scotland in September 2013. However, some places in the final are still open to any UK national not currently working as a cyber-security professional. To qualify, candidates must register with the challenge and prove their talent by playing one or more of the upcoming virtual qualifier competitions. The Cyber Security Challenge UK began in 2010 as three competitions run by a small group of supporters from industry, government and academia to address the shortage of UK cyber security practitioners. Now in its fourth year, the challenge has grown its range of competitions to represent the variety of skills demanded in the profession and is backed by over 75 sponsors. 
BT’s cyber director Bob Nowill said the Cyber Security Challenge and similar initiatives are key to encouraging people to develop their cyber skills and build a career in an interesting area of security. Jonathan Hoyle, GCHQ's director general for government and industry cyber security, said competitors include a mix of self-taught talent who bring an unconventional and innovative approach to the challenges. “That innovation is really important to the UK in tackling cyber threats today and in the future,” he said. Prizes for the competition include year-long placements at GCHQ to gain experience in fighting cyber crime. With the sponsors’ support the challenge has handed out more than £200,000 of career enabling prizes to over 100 of the UK’s leading amateur cyber defenders, some of whom have moved into the profession. Lee Miles, deputy head of the NCA, said the competition provided a unique opportunity to bring together some of the UK’s most talented amateurs in cyber security. “These sorts of initiatives are vital for attracting talented people to consider careers in security and in law enforcement,” he said.
NHS England’s new system for collecting and analysing data, Care.data, will allow primary care data from GP practices to be shared with the new Health and Social Care Information Centre (HSCIC) and clinical commissioning groups (CCGs).

The aim is for the data to be matched with secondary care data, anonymised and shared with clinical researchers. An NHS England spokesman told Computing that the data would provide an “evidence base to support commissioners to develop better treatment and ways of working, leading to improved outcomes and quality of care for patients”. GPs were told that they have eight weeks to inform patients that their data is going to be harvested, and while NHS England says that this is a “flexible” time period, it also assumes that a patient has opted in to the scheme if it is not notified of an objection. “Patients have to register their objection in order for their data not to be sent to the secure HSCIC environment,” the NHS England spokesman said. Health Secretary Jeremy Hunt said that patients who object to data being shared will have a flag put onto their records. But independent think tank 2020health has called for the programme to be postponed and replaced by a system in which patients can only opt in after they have been consulted on the scheme’s procedures and goals. And many GPs fear that the current system for opting out could leave them vulnerable to lawsuits from patients who are unaware that they have been opted in to share their data. But Richard Cumbley, partner at law firm Linklaters, said that HSCIC – not GPs – would be responsible if a patient did file a complaint, even though GPs have been tasked with raising awareness of the scheme. “The HSCIC has the power to request information from other people who provide healthcare, it can force people to hand information over, and GPs are not in a position to say that they might hand some of the data over,” he said. “[GPs] don’t need to tell people that they’ve had to hand [patients’ data] over if they’ve had a mandatory request from someone else.

They may face criticism, and a complaint or a claim is possible, but it is the HSCIC that will be in the firing line,” he added. The Information Commissioner’s Office (ICO) is working with the HSCIC to ensure that it abides by the Data Protection Act (DPA), by taking appropriate technical and organisational measures.

If it fails to do so, it could be fined up to £500,000 by the ICO.
Data goldmine?
Gayna Hart, managing director at software solutions provider Quicksilva, believes that researchers and systems developers should be charged for access to the anonymised data because of its “huge value”. “The maintenance, management and volume of data is going to cost a lot of money, and the NHS needs to be getting some return on that,” she said. Pharmaceutical companies, for example, could reap huge benefits when developing drugs. “There is usually intellectual property in that drug which lasts for a number of years, and if they can speed up time to market for those drugs, then there would be value in that data – and value for patients as well,” Hart suggested. But while third parties won’t get access to any personal information – just anonymised data – it could be used by insurance firms or marketing companies because that use isn’t regulated by statute.

Health insurance firms could therefore charge residents of an area known to have a high rate of heart disease more than those living in a town with a lower rate. That may make patients generally more keen to opt out – if they ever find out they have that choice. Essex GP Dr John Cormack told medical news site GPOnline that posters and leaflets in surgeries and FAQs on GP websites are not an adequate way of telling patients they can opt out of having data extracted from GP systems. And NHS England has left GPs to raise awareness on their own. “If patients or members of the public have any concerns they can talk to their GP practice – we will be providing further information to support GP practices shortly,” a spokesman said. Campaigners are urging GPs to send a letter to each household, with a choice for individuals to opt in or opt out.

If HSCIC and GPs decide against this, they may well see a host of lawsuits in future from outraged patients who wanted to keep their data private. @Sooraj_Shah
The Home Office has said it is working with the biggest mobile phone firms in a bid to implement new security features that would make handsets less attractive to thieves. Crime prevention minister Norman Baker met with the likes of Samsung, Google, A...
UK banks are to take part in a one-day, extensive cyber threat exercise that will test the ability of the financial system to withstand a major cyber attack. The exercise, dubbed Operation Waking Shark 2, is scheduled for mid-November, with all high s...
All major UK banks are to take part in the most extensive cyber threat exercise in two years to test their ability to survive a sustained online attack. There is growing international concern about the safety of financial markets in the face of increasingly sophisticated cyber attacks. In September, Scott Borg, chief of the US Cyber Consequences Unit, said he believed manipulation of international financial markets will be the next evolution of cyber crime. There is a limit to the amount of money criminals can make through theft and credit card fraud, he told a joint session of the ASIS International and (ISC)2 annual congresses in Chicago. Operation Waking Shark 2 is scheduled for mid-November and will simulate a major cyber attack on the payments and markets systems on which the UK’s financial system depends, according to the Telegraph. The test is to be monitored by the Bank of England, Treasury and Financial Conduct Authority to assess the ability of the UK’s core financial services providers to withstand cyber attacks. The first Operation Waking Shark was conducted two years ago under the now defunct Financial Services Authority (FSA).
Finding and fixing financial system vulnerabilities
The latest exercise is designed to test the resilience of UK banks, the stock market and payment providers and identify areas where improvement is needed. A recent report from the Treasury said the financial system had a number of potential vulnerabilities, reflecting its high degree of interconnectedness, its reliance on centralised market infrastructure, and its sometimes complex legacy IT systems. In the light of the report, the Bank of England’s Financial Policy Committee (FPC) has given banks and organisations core to the financial system six months to outline their strategies to protect against potential cyber attacks. The FPC also said the Bank of England must ensure it is able to operate if its own systems are attacked.
In June, Andrew Haldane, director of financial stability at the Bank of England and FPC member, said cyber attacks were the top risk for UK banks. Concerns over cyber attacks top even those around the Eurozone crisis and the UK’s banks must do more to protect themselves, Haldane told parliament’s Treasury Select Committee.
Cyber attacks a real threat to banks
In September, Barclays and Santander were targeted by cyber criminals using a keyboard video mouse (KVM) switch to gain remote control of bank computers. The Santander attempt was foiled, but £1.3m was transferred out of accounts at Barclays before police tracked down the gang. In May, the scale of the threat was highlighted when US federal authorities charged eight hackers in connection with a $45m pre-paid debit card fraud scheme. In a similar heist in 2008, a gang took money from cash machines in 49 cities around the world using cloned debit cards. The thefts stemmed from a data breach at RBS WorldPay a month earlier, in which hackers stole the personal data of 1.5 million card holders. In July 2012, a Deloitte financial services industry report revealed that nearly a quarter of the world's banks had been hit by security breaches in the preceding 12 months.
Directors at banks and organisations core to the financial system have six months to outline their strategies to protect against potential cyber attacks, according to the minutes of a recent Bank of England Financial Policy Committee (FPC) meeting. The FPC is demanding that board members address this rather than passing responsibility to IT departments. The meeting minutes referred to a recent report from the Treasury on the progress being made to make the financial system more resilient to cyber attack – it said “the threat had many dimensions and was growing”. “The financial system had a number of potential vulnerabilities, reflecting its high degree of interconnectedness, its reliance on centralised market infrastructure, and its sometimes complex legacy IT systems,” read the FPC meeting minutes. The committee said effective steps had been taken, including general guidance on best practice, and the approach outlined by the Treasury was moving things in the right direction. But it now wants a “concrete plan in place to deliver a high level of protection against cyber attacks for each institution at the core of the financial system, including banks and infrastructure providers, recognising the need to adapt to evolving threats”. It recommended that these action plans be completed by the first quarter of next year and that a progress report to the FPC from the relevant regulatory boards be completed by the end of 2013. During the meeting, the Bank of England said it planned to review its own resilience in relation to cyber attacks. One security source said the UK financial system is continuously under cyber attack.
London Metropolitan Police have arrested 12 men in connection with a foiled attempt to steal millions of pounds by taking remote control of a computer at Santander. The London-based cyber criminal gang fitted a device known as a keyboard video mouse switch (KVM) to a computer in a Santander branch in Surrey Quays shopping centre in southeast London. The inexpensive device allows a user to control multiple computers from one keyboard, video monitor and mouse, and would have allowed the cyber criminals to take control of the bank’s computer remotely.

The attack presents several important lessons for banks and other organisations about the need for physical protections, as well as up-to-date cyber attack prevention technologies. But the Met Police said a "time-critical, dynamic response" by detectives and bank officials had thwarted a "very significant and audacious cyber-enabled offence" that could have cost Santander millions. A spokesman for the Met said it was not clear whether any money was taken, but the bank told Sky News "no money was ever at risk."

Police arrested 11 men in Hounslow and another in Victoria, while searches were carried out in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slough, where property was seized.

A Santander spokesman said: "Like all high street banks, Santander works very closely with the police and other authorities to help prevent fraud. Through this co-operation, Santander was aware of the possibility of the attack connected to the arrests. The attempt to fit the device to the computer in the Surrey Quays branch was undertaken by a bogus maintenance engineer pretending to be from a third party." The bank confirmed no Santander staff were involved. "We are pleased that we have been able, through the robustness of our systems, to prevent the fraud and help the police gather the evidence they needed to make the arrests," added the spokesman.

These arrests prove the ease with which anybody can conduct what is described as a very significant and audacious cyber-enabled offence, said Raj Samani, chief technical officer for McAfee in Europe. “Simply plugging in a physical device that can be attained from any number of legitimate outlets demonstrates that the bar required to be a ‘cyber-criminal’ is probably at its lowest level,” he said. For organisations this demonstrates the need to continually ensure that appropriate physical security controls are deployed, said Samani.

Companies need to be much more careful about who they grant physical access to their offices, and how closely such people are monitored, said independent computer security expert Graham Cluley. “They also need to foster an environment where staff don’t feel uncomfortable asking people to show their credentials if they are an unfamiliar face,” he wrote in a blog post.

Greg Day, vice president and chief technology officer at FireEye for Europe, said that with USB being a standard for so many hardware devices, and with monitors often including USB hubs, the scope of what data could be collected has certainly increased to include keyboard and mouse inputs. “Equally, with the ever increasing capabilities of mobile bandwidth, you could now stream the data off the device via, for example, 4G or Wi-Fi to the attacker,” he said. Attackers need physical access to install the device, but these are typically small and once installed can easily go unnoticed, said Day. “Organisations don't typically physically check the connections on their systems for additional devices,” he said.

Chris McIntosh, CEO of ViaSat UK, believes this is a sign of the times and that attacks will become increasingly bespoke. He said organisations needed to consider almost every eventuality and that the best way to be secure is to assume that attacks will succeed and aim to spot and deal with them. “As we have seen, such attacks will become increasingly targeted: essentially bespoke strategies designed to identify and exploit the weakest link in a particular target’s security – whether that is its employees, its laptops or the fact that there is no need to breach a firewall if you can instead physically infiltrate a less-protected area of the business,” said McIntosh. The sheer volume of attacks means some form of penetration is inevitable, he said, and organisations’ strategies should reflect this. He added that using network visualisation and monitoring tools, for example, could ensure that any unexpected movement or transmission of data is swiftly spotted and investigated. “We cannot immunise against cyber-attacks, but we can certainly spot the symptoms and treat them swiftly,” he said.

The past 18 months have seen a spate of attacks against banks across the world, including the highly complex global financial services fraud ring that hit the US banking system. Uncovered by McAfee and Guardian Analytics in June 2012, this attack delivered Zeus and SpyEye variants using automated techniques. McAfee said it showed fraudsters were moving toward cloud-based servers with multifaceted automation.
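Day's point that organisations rarely check their systems for additional devices can be turned into a routine inventory check. The following is an added example, not code from the article or from any vendor quoted in it: it parses Linux kernel USB enumeration messages, compares attached devices against an approved baseline, and flags unapproved devices that registered as keyboard/mouse input or that look like network adapters. The log lines, vendor/product ids, device names and baseline are all constructed for the demo.

```python
import re

# Constructed sample of kernel USB enumeration messages (format modelled on
# Linux dmesg output; ids and product names are made up for this demo)
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=0001
usb 1-1: Product: USB Keyboard
input: USB Keyboard as /devices/pci0000:00/usb1/1-1/input/input3
usb 1-1.2: New USB device found, idVendor=2222, idProduct=00ff
usb 1-1.2: Product: KVM Switch
input: KVM Switch as /devices/pci0000:00/usb1/1-1/1-1.2/input/input7
usb 2-3: New USB device found, idVendor=3333, idProduct=0abc
usb 2-3: Product: Wireless LAN Adapter
"""

# Approved (idVendor, idProduct) pairs recorded when the machine was built (constructed)
BASELINE = {("1111", "0001")}

NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
INPUT_DEV = re.compile(r"^input: .+ as (\S+)/input/")


def parse_usb_log(text):
    """Map each USB port path to its ids, product string and whether it registered as input."""
    devices = {}
    for line in text.splitlines():
        if m := NEW_DEV.match(line):
            devices[m[1]] = {"vid": m[2], "pid": m[3], "name": "", "input": False}
        elif (m := PRODUCT.match(line)) and m[1] in devices:
            devices[m[1]]["name"] = m[2]
        elif m := INPUT_DEV.match(line):
            port = m[1].rsplit("/", 1)[-1]  # last path component is the USB port, e.g. 1-1.2
            if port in devices:
                devices[port]["input"] = True
    return devices


def audit(devices, baseline):
    """Return (port, name, reason) for every device outside the baseline, input devices first."""
    alerts = []
    for port, d in devices.items():
        if (d["vid"], d["pid"]) in baseline:
            continue
        if d["input"]:  # keyboard/mouse path: keystroke capture or injection risk
            reason = "unapproved input device"
        elif re.search(r"\b(LAN|Wireless|Modem)\b", d["name"], re.I):  # possible out-of-band exfil path
            reason = "unapproved network adapter"  # product-string heuristic; sysfs bInterfaceClass is firmer
        else:
            reason = "unapproved device"
        alerts.append((port, d["name"], reason))
    return sorted(alerts, key=lambda a: a[2] != "unapproved input device")
```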
The National Security Agency has found ways to break or work around much of the encryption that guards information on the Internet, according to published reports. The National Security Agency, the U.S. government organization tasked with gathering intelligence from adversaries' communications and protecting domestic communications, has the capability to peer into far more Internet communications than previously thought, according to a report published on Sept. 6 and based on documents leaked by former NSA contractor Edward Snowden.

Using a variety of tactics—including coercing vendors to provide access to their products, compromising corporate network infrastructure, or hunting down and exploiting vulnerabilities—the secretive agency can access content that had previously been considered safely protected by encryption, a New York Times article stated. While the leaked memos do not indicate a break in any specific encryption technology, the various strategies, collectively known under the code name "Bullrun," have allowed the NSA to effectively circumvent much of the security protecting communications. Messages that could not be broken have been stored until the agency is able to decrypt them, the memos stated.

"For the past decade, NSA has led an aggressive, multi-pronged effort to break widely used Internet encryption technologies," said a 2010 memo distributed among employees of England's Government Communications Headquarters (GCHQ), the British counterpart to the NSA, according to the New York Times. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."

The NSA's Bullrun program allows the agency to target protected information and find ways either to collect the information before it is encrypted or to exploit vulnerabilities in the technology used to encrypt the data, including browser encryption (Secure Sockets Layer, SSL), the virtual private networks used by almost all companies, and the security protecting smartphone communications, according to the memos leaked by Snowden. Such revelations will likely hurt U.S. companies abroad, according to recent studies.

The attacks are not thought to be a single capability, but a collection of tactics that allow the NSA to cobble together an effective decryption strategy on a case-by-case basis. Many makers of security and networking products, for example, have a way for their support staff to get into a customer's product to update the appliance or device. While not considered a backdoor, if the NSA is able to get access to that functionality, it could easily be used to access communications, says Chris Wysopal, chief technology officer for Veracode, an application security firm. The document describing Bullrun discusses "implants" in vendor technology, but it is not clear whether the NSA has worked with vendors to access the technology or compromised the technology on its own, he said. "It could be that they are putting an implant in on a network where they can then access things in the clear, or it could be putting an implant somewhere in the supply chain where they can get at keys or other parts of the technology—it's vague," Wysopal said. "If it's at the vendor, then that's pretty scary."

The NSA's apparent goal of storing mass quantities of encrypted data from the Internet for later decryption is a laudable goal to combat terrorism, but worrisome for the average citizen, Pierluigi Stella, chief technology officer of managed security services provider Network Box USA, said in an email to eWEEK. "The point here isn't whether we should worry about consumers or not; we should consider this from the 'citizens' point of view," he said. "The NSA can and will store everything we send on the internet, not only in clear text but also encrypted. ... If we are to give away a bit of our freedom, it'd better be for very, very good reason, and in a very well controlled way, to ensure no one can ever abuse this collection of information."