I've been watching the news surrounding one of the UK's major retail banks aghast.

I could ask "how could they let this happen" but it's obvious why it happened, and very sad. 

We have a major UK institution in crisis through ineffective security and archaic data architecture. 

First of all there was a data breach following a system upgrade. This resulted in customers being able to see other people's accounts. Secondly, the same customers then watched helplessly as their own savings were plundered by hackers. 
It's evident that something went very wrong here, and then continued to fail because the organisation were unable to contain problem.

There are so many issues here that it's difficult to know where to start but the following is evident. 



Good practice around version upgrades and product enhancements

New updates should never be applied to live databases. Legislation in banking precludes it, but it's never good practice in any industry.

Bank databases are huge, and the development overhead of spinning up instances can be overwhelming. It's tempting to flout legislation and simply apply new changes and hope for the best. This is evidently what happened here. 


Security Retro-Fit


Simply adding an overlay to an old database with "flat" security around it is chronically insufficient. A minor glitch in one or other of the authenticating tables should never be sufficient to cause records to open inappropriately - such as one user  seeing another's private details, as seen during this breach

If security is retro-fitted, it needs to be multi-layered to ensure that authentication is repeatedly checked against various markers, this will render breaches of this type impossible. 


Bank Databases are Huge. And Old.

Age is a major factor. Bank databases have been built over many years and new functions have been added over legacy technologies. 

The underlying databases haven't evolved. This is predominantly due to the cost and the massive upheaval involved, but as the database is a fundamental tool of the trade, and investment is critical.

We recently implemented multilayer security throughout the architecture of a brand new database environment for a financial institution. It would simply not have been possible to apply the same levels of protection to a legacy system. 

What Should have Happened

In most instances a replacement programme would likely be cheaper and certainly have more longevity than papering over the cracks and hoping it doesn't rain. Modern architecture around big data can avoid this problem. Solutions are available which make spinning multiple instances for test and dev quick and easy. 

Either way it's a lesson for any institution looking to implement security updates and upgrades, do it properly - if you don't your business reputation, if not your entire business, is at risk.

If you'd like an off the record chat about updating your database security, or anything else security related, you can book into my diary here.

Best wishes,

Liz

10 Security Maxims Debunked

11 Jul 2018

    IT Security is a huge and daunting topic, it takes an expert to stay on top of everything!  So much information, so much conflicting advice, it's difficult to know where to start, but not all advice is good advice.  There are some common messages that we really don't like. Here's our top ten ways that our industry is getting it...

Optimisation - Making the Most of Existing Tools

20 Jun 2018

  One of the most annoying things I see on a daily basis is companies with great security products – huge capital expenditure, spent wisely on market-leading products which are great assets, but which are totally under-utilised and going to waste because the infrastructure, fundamentally hasn't been set up correctly. ​ Even worse, we sometimes...

Lessons from a UK Bank Data Breach

20 Jun 2018

I've been watching the news surrounding one of the UK's major retail banks aghast. I could ask "how could they let this happen" but it's obvious why it happened, and very sad. We have a major UK institution in crisis through ineffective security and archaic data architecture.  First of all there was a data breach following a system upgrade....

Troubleshooting - The Most Expedient Improvement

20 Jun 2018

  If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Troubleshooting Team. When you have a solution which isn’t working correctly, or you just don’t think it’s performing well enough, it’s common for organisations to think that a rip and replace strategy is better than spending the time to resolve...

HR: The Front Line in Network Security

20 Jun 2018

  HR has a huge role to play in the security of your networks   Yes, Human Resources. For all the effort your organisation expends to implement robust IT policies and infrastructure, the biggest threat to an organisation’s safety comes from its people. Whether through malice, ignorance or human error; the people in your businesses are the...

;