UK bankers prep for cyberwar: Will simulate ATTACK on system

One-day op will test stock market, payment bods' resistance to hackers

UK banks, the stock market and payment providers will undergo extensive stress tests in November that are designed to test their responses to cyber-attacks.

The exercise is designed to test the state of preparedness of the UK's financial system in responding to cyber attacks, which are only growing more complex over time.

Operation Waking Shark 2 is due to take place in mid-November and will involve every high street bank taking part in a one-day “war game” featuring simulated cyber attacks designed to mimic the tactics of both state-sponsored hackers and cyber criminals, the Daily Telegraph reports.

The exercise comes two years after the Financial Services Authority ran the original Operation Waking Shark exercise.

Alex Mifsud, chief exec of payments firm Ixaris, said protection against cyber attacks needs to extend beyond simply making sure bank systems remain available in the face of a denial of service attack or similar high profile assault.

“Financial institutions now suffer cyber intrusions on a regular basis: we only have to remember the May arrests for the $45m that were stolen from ATMs around the world, or the £1.3m cyber theft against Barclays in April," Mifsud said. "Organised and extensive stress tests on the cyber defences of the UK’s banks and payments service providers are therefore to be welcomed and will help ensure that successful attacks are minimised."

“Besides the obvious physical and IT security, a sound cyber strategy should include training staff for ‘social engineering’ attacks (such as that perpetrated against Barclays in May), two-factor authentication to prevent password capture, maker-checker (whereby an individual employee / computer submits an action while another must approve it) for sensitive data entry such as changes in account ownership or large transactions, and external monitoring for unusual behaviour such as large transactions or high volumes of transactions in a given period that cannot be tampered with – even if the machine or process being monitored is compromised,” added Mifsud.

“While there is no silver bullet to protecting a financial institution from cyber attack, there are several best practice measures that can easily be applied to minimise risk.”

Ashley Stephenson, chief exec of Corero Network Security, referenced a series of DDoS attacks against US banks mounted by the Izz ad-Din al-Qassam Cyber Fighters as part of what the group dubbed Operation Ababil, supposedly motivated by the presence of that video on YouTube.

"In the past year we have seen several publicly visible examples of 'hacktivists' bringing down banking websites, but these incidents are just the tip of the iceberg," Stephenson said. "The new cyber stress test initiative will help to identify areas of weakness within the participating banks' IT security infrastructure, allowing them to be better prepared for real attacks."

"We highly commend the Bank of England’s Financial Policy Committee (FPC) for being proactive and ordering regulators to come up with “action plans” in the event of a cyber-attack by the first quarter of 2014," he added.

Darren Anstee, a team manager at DDoS mitigation firm Arbor Networks, said that the training exercise will help to identify security weaknesses.

“This initiative will help organisations to identify any weaknesses in their defences and operational procedures, and will help them to ensure that they are sufficiently prepared should a real attack arise," Anstee commented. "Running regular exercises to evaluate incident response is hugely important. Any organisation can be a target for a cyber-attack, but banks are a particular target due to the very nature of their business and the key part they play in the economy."

"Banks are targeted frequently, and with increasingly sophisticated multi-tool, multi-vector attacks; whether the attacks are motivated ideologically or for financial gain, the onus is on the financial industry to protect the availability and integrity of their systems – and they should be testing their processes frequently, on a per-organisation basis, to ensure this.

“One of the things which Operation Ababil has taught us, though, is that in some cases vulnerabilities are only uncovered when multiple organisations are targeted concurrently, and these larger exercises have a key part to play in identifying potential bottlenecks in networks and services," he added. ®
