Bankers Understand the Offense, But Not Defense
American Banker recently ran an interesting article about the attack patterns of many recent hacks as they apply to the banking industry. They hit the nail on the head with regard to the attack pattern, but seem to miss the point when it comes to defense. They posit that masking "quiet" surgical attacks with "loud" brute-force or DDoS attacks is the new standard and I can't argue with the logic - it was certainly the case in the Sony attacks and seems to be a common M.O. these days from the numerous examples the article cites. If I were going to hack a bank, this is certainly the way I'd go about it. Unfortunately the article misses the point of security entirely in its suggestions for remediation of the problem. We have a tendency, whenever a new hole is found in the banking boat, to slap a patch over it and keep right on sailing - but at some point there is more patch than boat left and the boat must be rebuilt or it will crumble and sink. In this author's opinion, the problem goes deeper than the banks themselves, it goes all the way down to the currency.