Feeds

UK bankers prep for cyberwar: Will simulate ATTACK on system

One-day op will test stock market, payment bods' resistance to hackers

The essential guide to IT transformation

UK banks, the stock market and payment providers will undergo extensive stress tests in November that are designed to test their responses to cyber-attacks.

The exercise is designed to test the state of preparedness of the UK's financial system in responding to cyber attacks, which are only growing more complex over time.

Operation Waking Shark 2 is due to take place in mid-November and will involve every high street bank taking part in a one-day “war game” featuring simulated cyber attacks designed to mimic the tactics of both state-sponsored hackers as well as cyber criminals, the Daily Telegraph reports.

The exercise comes two years after the Financial Services Authority ran the original Operation Waking Shark exercise.

Alex Mifsud, chief exec of payments firm Ixaris, said protection against cyber attacks needs to extend beyond simply making sure bank systems remain available in the face of a denial of service attack or similar high profile assault.

“Financial institutions now suffer cyber intrusions on a regular basis: we only have to remember the May arrests for the $45m that were stolen from ATMs around the world, or the £1.3m cyber theft against Barclays in April," Mifsud said. "Organised and extensive stress tests on the cyber defences of the UK’s banks and payments service providers are therefore to be welcomed and will help ensure that successful attacks are minimised."

“Besides the obvious physical and IT security, a sound cyber strategy should include training staff for ‘social engineering’ attacks (such as that perpetrated against Barclays in May), two-factor authentication to prevent password capture, maker-checker (whereby an individual employee / computer submits an action while another must approve it) for sensitive data entry such as changes in account ownership or large transactions, and external monitoring for unusual behaviour such as large transactions or high volumes of transactions in a given period that cannot be tampered with – even if the machine or process being monitored is compromised,” added Mifsud.

“While there is no silver bullet to protecting a financial institution from cyber attack, there are several best practice measures that can easily be applied to minimise risk.”

Ashley Stephenson, chief exec of Corero Network Security, referenced a series of DDoS attacks against US banks mounted by the Izz ad-Din al-Qassam Cyber Fighters as part of what it dubbed Operation Ababil and supposedly motivated by the presence of that video on YouTube.

"In the past year we have seen several publicly visible examples of 'hacktivists' bringing down banking websites, but these incidents are just the tip of the iceberg," Stephenson said. "The new cyber stress test initiative will help to identify areas of weakness within the participating banks IT security infrastructure, allowing them to be better prepared for real attacks."

"We highly commend the Bank of England’s Financial Policy Committee (FPC) for being proactive and ordering regulators to come up with “action plans” in the event of a cyber-attack by the first quarter of 2014," he added.

Darren Anstee, a team manager at DDoS mitigation firm Arbor Networks, said that training exercise will help to identify security weaknesses.

“This initiative will help organisations to identify any weaknesses in their defences and operational procedures, and will help them to ensure that they are sufficiently prepared should a real attack arise," Anstee commented. "Running regular exercises to evaluate incident response is hugely important. Any organisation can be a target for a cyber-attack, but banks are a particular target due to the very nature of their business and the key part they play in the economy."

"Banks are targeted frequently, and with increasingly sophisticated multi-tool, multi-vector attacks; whether the attacks are motivated ideologically or for financial gain, the onus is on the financial industry to protect the availability and integrity of their systems – and they should be testing their processes frequently, on a per-organisation basis, to ensure this.

“One of the things which Operation Ababil has taught us, though, is that in some cases vulnerabilities are only uncovered when multiple organisations are targeted concurrently, and these larger exercises have a key part to play in identifying potential bottlenecks in networks and services," he added. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?