The finance sector could face simulated attacks by ethical hackers on behalf of financial regulators to better identify cyber security weaknesses.
A recent article in the Financial Times reported the Bank of England (BoE) has outlined plans to carry out a pen testing programme to see how prepared 20 of the country's financial organisations are.
Last year the BoE ran a cyber security exercise, Waking Shark II, to assess the ability of the UK's financial services architecture to withstand cyber attacks. The exercise highlighted several weaknesses in the sector's responses to a sustained attack, including the lack of co-operation between banks.
Reports suggest that the latest exercise, which is likely to take place in the autumn of this year, will involve leading banks, insurers and financial infrastructure providers.
Roy Hills, NTA Monitor technical director, said: "The Bank of England has publicly said that cyber attacks are the biggest risk to banks, so testing the resilience and robustness of the IT infrastructure of financial organisations and their partners is vital in ensuring a secure environment.
"Performing regular penetration testing to identify vulnerabilities and prevent a breach is a critical part of being incident response ready. In fact every business should undertake penetration testing at least once or twice a year. This will give firms a clear picture on any potential security weaknesses and risks in their systems, and show what steps need to be taken to minimise those vulnerabilities."
Analysis of 100,000 security incidents over the past 10 years shows that 92 per cent of cyber attacks can be traced to nine basic attack patterns that vary from industry to industry, according to the latest Verizon Data Breach Investigations Report (DBIR).
The nine threats are miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial of service attacks; cyber espionage; point-of-sale intrusions; and payment card skimmers.
Drilling down further, the report identified that on average three patterns cover 72 per cent of the security incidents in any industry. In the financial services sector, 75 per cent of the incidents come from web application attacks, distributed denial of service (DDoS) and card skimming, while 54 per cent of all manufacturing attacks are attributed to cyber espionage and DDoS.
The ramifications of the Heartbleed bug are being felt months after the flaw was uncovered. Around two-thirds of the world's websites may have been affected by the security fault, which can be exploited to steal passwords, usernames, credit card details, encryption keys and other sensitive data, without leaving a trace.
Heartbleed was revealed by researchers from Codenomicon back in April, who discovered the coding error in OpenSSL, a widely used open-source implementation of the SSL/TLS protocols that encrypt communications between users and servers. OpenSSL implements the TLS 'heartbeat' extension, a short request/response exchange used to confirm that the connection between two servers or devices is still alive. The flaw allows an attacker to send a malformed heartbeat request whose declared payload length exceeds the data actually sent; the server replies with that many bytes from its own memory, leaving sensitive information exposed.
The security bug left vendors scrambling to patch vulnerable products, websites and services. Roy Hills, NTA Monitor technical director, said: "The bug is far-reaching and could take months for patches to be applied to every product and application. Heartbleed went undetected for two years and no one is sure whether, or how much, it has been exploited during that period.
"It's going to be a slow process and the problem has not been helped by conflicting advice around what individuals and organisations should do to protect themselves."
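To make the mechanism concrete, here is an added illustration that is not part of the article and not OpenSSL's code: a toy model of a heartbeat handler with the missing bounds check beside the corrected one. The "process memory" buffer, the neighbouring data in it and the request itself are all constructed sample values, and the message layout (1-byte type, 2-byte payload length, payload, 16 bytes of padding) follows the heartbeat extension format. The point is defensive: it shows why a length field received from the network must be validated against the bytes actually received before it is used for a copy.

```python
"""Toy model of the TLS heartbeat length check that Heartbleed lacked.
Added example, not the article's or OpenSSL's code; all data is constructed."""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # the heartbeat format requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat message: type (1 byte), payload_length (2 bytes),
    payload, padding. claimed_len lets a test construct a malformed message
    whose declared length does not match the bytes actually present."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def respond_vulnerable(memory: bytearray, offset: int) -> bytes:
    """Trusts the declared payload length (the Heartbleed defect): it echoes
    payload_length bytes starting at the payload regardless of how many bytes
    the record actually carried, so whatever sits next to the request in
    memory is copied into the response."""
    _msg_type, payload_len = struct.unpack_from("!BH", memory, offset)
    start = offset + 3
    echoed = bytes(memory[start:start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed


def respond_fixed(memory: bytearray, offset: int, record_len: int) -> Optional[bytes]:
    """Validates the declared length against the record actually received,
    the shape of the OpenSSL fix: if type + length + payload + padding would
    exceed the record length, the message is silently dropped."""
    _msg_type, payload_len = struct.unpack_from("!BH", memory, offset)
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # malformed: declared payload larger than the record
    start = offset + 3
    echoed = bytes(memory[start:start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed


def simulate(claimed_len: Optional[int]) -> Tuple[bytes, Optional[bytes]]:
    """Place a heartbeat request in a constructed memory buffer next to other
    data and run both handlers over it."""
    request = build_heartbeat(b"ping", claimed_len)
    # Constructed neighbouring memory, standing in for whatever happened to
    # be adjacent to the request buffer in a real process.
    neighbour = b"[constructed-secret-data]" * 4
    memory = bytearray(request + neighbour)
    return respond_vulnerable(memory, 0), respond_fixed(memory, 0, len(request))


def leaked_bytes(response: bytes, genuine_payload: bytes) -> bytes:
    """Everything in a response beyond the genuine payload was read past the
    end of the request; a non-empty result means the handler over-read."""
    return response[3 + len(genuine_payload):]


if __name__ == "__main__":
    well_formed_vuln, well_formed_fixed = simulate(None)
    print("well-formed, both handlers agree:", well_formed_vuln == well_formed_fixed)
    bad_vuln, bad_fixed = simulate(60)
    print("malformed, fixed handler drops it:", bad_fixed is None)
    print("malformed, vulnerable handler leaks:", leaked_bytes(bad_vuln, b"ping"))
```

With a well-formed request both handlers return the same four-byte echo; with a declared length of 60 the unchecked handler returns padding plus 40 bytes of the neighbouring buffer, while the checked handler rejects the record outright. The same pattern (validate every attacker-supplied length against what was actually received before using it) is the general defence, not something specific to the heartbeat extension.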
A recent survey by IT firm Trend Micro has revealed a lack of awareness from organisations on changes to EU data laws.
A poll of 850 senior IT decision makers across Europe revealed limited knowledge about the EU Data Protection Regulation. Of the 250 British respondents, 50 per cent were unaware of the impending legislation and just 10 per cent said they fully understood what steps their organisation needs to take to achieve compliance.
More than eight in 10 British respondents (85 per cent) believe their organisation faces significant challenges to comply with the data protection regulation, with a quarter saying they don't think it's realistic to adhere to.
The new legislation aims to reform data protection, strengthen online privacy rights and boost Europe's digital economy. If the regulations are broken, fines could be as high as €10 million, or five per cent of global revenue.
Just a few weeks after Microsoft formally stopped support for Windows XP, they were forced to release an emergency out-of-band patch for IE.
Although Microsoft had said it would issue no more security updates after the cut-off date of 8 April, the threat was deemed too great to leave unpatched. Microsoft said the patch was released because the vulnerability was spotted so soon after the support deadline.
The patch was issued to deal with a zero-day flaw in IE that was being used to target out-of-support XP machines by a sophisticated advanced persistent threat (APT) group.
Research by AppSense suggests that as many as 75 per cent of British organisations are running the XP operating system, in some capacity, beyond the support deadline, with some sectors more reliant than others. EHI Intelligence calculated in September 2013 that 85 per cent of the 800,000 PCs in the NHS alone were still running on XP at the time. By contrast, 14 per cent were on Windows 7 and 1 per cent on Windows 8.