Feeds

UK bankers prep for cyberwar: Will simulate ATTACK on system

One-day op will test stock market, payment bods' resistance to hackers

Protecting users from Firesheep and other Sidejacking attacks with SSL

UK banks, the stock market and payment providers will undergo extensive stress tests in November that are designed to test their responses to cyber-attacks.

The exercise is designed to test the state of preparedness of the UK's financial system in responding to cyber attacks, which are only growing more complex over time.

Operation Waking Shark 2 is due to take place in mid-November and will involve every high street bank taking part in a one-day “war game” featuring simulated cyber attacks designed to mimic the tactics of both state-sponsored hackers as well as cyber criminals, the Daily Telegraph reports.

The exercise comes two years after the Financial Services Authority ran the original Operation Waking Shark exercise.

Alex Mifsud, chief exec of payments firm Ixaris, said protection against cyber attacks needs to extend beyond simply making sure bank systems remain available in the face of a denial of service attack or similar high profile assault.

“Financial institutions now suffer cyber intrusions on a regular basis: we only have to remember the May arrests for the $45m that were stolen from ATMs around the world, or the £1.3m cyber theft against Barclays in April," Mifsud said. "Organised and extensive stress tests on the cyber defences of the UK’s banks and payments service providers are therefore to be welcomed and will help ensure that successful attacks are minimised."

“Besides the obvious physical and IT security, a sound cyber strategy should include training staff for ‘social engineering’ attacks (such as that perpetrated against Barclays in May), two-factor authentication to prevent password capture, maker-checker (whereby an individual employee / computer submits an action while another must approve it) for sensitive data entry such as changes in account ownership or large transactions, and external monitoring for unusual behaviour such as large transactions or high volumes of transactions in a given period that cannot be tampered with – even if the machine or process being monitored is compromised,” added Mifsud.

“While there is no silver bullet to protecting a financial institution from cyber attack, there are several best practice measures that can easily be applied to minimise risk.”

Ashley Stephenson, chief exec of Corero Network Security, referenced a series of DDoS attacks against US banks mounted by the Izz ad-Din al-Qassam Cyber Fighters as part of what it dubbed Operation Ababil and supposedly motivated by the presence of that video on YouTube.

"In the past year we have seen several publicly visible examples of 'hacktivists' bringing down banking websites, but these incidents are just the tip of the iceberg," Stephenson said. "The new cyber stress test initiative will help to identify areas of weakness within the participating banks IT security infrastructure, allowing them to be better prepared for real attacks."

"We highly commend the Bank of England’s Financial Policy Committee (FPC) for being proactive and ordering regulators to come up with “action plans” in the event of a cyber-attack by the first quarter of 2014," he added.

Darren Anstee, a team manager at DDoS mitigation firm Arbor Networks, said that training exercise will help to identify security weaknesses.

“This initiative will help organisations to identify any weaknesses in their defences and operational procedures, and will help them to ensure that they are sufficiently prepared should a real attack arise," Anstee commented. "Running regular exercises to evaluate incident response is hugely important. Any organisation can be a target for a cyber-attack, but banks are a particular target due to the very nature of their business and the key part they play in the economy."

"Banks are targeted frequently, and with increasingly sophisticated multi-tool, multi-vector attacks; whether the attacks are motivated ideologically or for financial gain, the onus is on the financial industry to protect the availability and integrity of their systems – and they should be testing their processes frequently, on a per-organisation basis, to ensure this.

“One of the things which Operation Ababil has taught us, though, is that in some cases vulnerabilities are only uncovered when multiple organisations are targeted concurrently, and these larger exercises have a key part to play in identifying potential bottlenecks in networks and services," he added. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.