After the high-profile breach of RSA, the Commonwealth Bank's security chief Gary Blair asked his team if it could be the next victim.
The CISO wanted to know if Australia's biggest bank understood its enemies and had the means to fend off sophisticated attacks.
The question, asked 18 months ago, instigated a comprehensive threat analysis review which would detail the risks posed by organised criminals, terrorists, hackers and hacktivists and the means by which they might target Commbank.
Core to the project was the construction of a fault tree analysis, built on existing methodologies but richly customised for the Commonwealth Bank.
The tree contained hundreds of branches, or nodes, which detailed the possible avenues of attack for any of seven antagonists.
It detailed what the bank considered a "catastrophic event" in which capable attackers would seek data most valuable to the bank.
There were intersections where the intention of hackers crossed paths with what the bank sought to keep most secure.
“We were following the RSA breach [which] really kicked off this methodology in determining what scenarios could have a catastrophic impact to our organisation,” Ian Green of the Commonwealth Bank’s Computer Emergency Response Team told SC.
“It starts off with the threat actors which could potentially cause a catastrophic scenario, and then an impact analysis to understand what the business cares about.
“For example, a targeted and prolonged DDoS against web-facing channels could be an extreme scenario.”
The work had helped bolster an existing robust security program at the bank by accurately identifying areas most in need of investment.
Moreover, the fault tree serves as a clear way for the security team to decisively demonstrate risk to the executive board during its quarterly security meetings.
“We report risk to the board on a quarterly basis. This exercise is a great way to communicate posture,” he said.
The bank's team of experienced security professionals had also gotten their hands dirty in red team penetration tests in which they assumed the position of attackers and attempted to hack as far into the bank's core systems as possible.
They designed their own attack tools, and even a botnet to launch sustained distributed denial of service (DDoS) attacks against the bank's web-facing systems.
Sharing is caring
In an effort to boost security postures across the industry, the Commonwealth Bank has made its extensive fault tree and threat model available to other organisations.
Blair has even engaged in talks with Big Four rival banks and those in the second tier so they may adopt the model and improve their own security postures.
“We’re now ready to collaborate with the rest of the industry, and get others using the methodology,” Green said.
The security team has opened an invite-only LinkedIn group dubbed Extreme Cyber Scenario Planning, which security professionals can join to access the tree.
Among the members are Westpac and Adelaide Bank.
Once members are vetted as being part of an organisation which would benefit from the model, credentials are provided to access a portal run by the bank. From there, security pros can customise their own trees and models to suit their organisations.
Green, speaking to SC from the RSA conference in San Francisco, encouraged the industry to sign up.
“There are different levels of access, ranging from full end-to-end scenarios to sharing full tree scenarios to organisations on a case-by-case basis.”
Copyright © SC Magazine, Australia
Issue: 343 | October 2015