Feeds

UK bankers prep for cyberwar: Will simulate ATTACK on system

One-day op will test stock market, payment bods' resistance to hackers

Website security in corporate America

UK banks, the stock market and payment providers will undergo extensive stress tests in November that are designed to test their responses to cyber-attacks.

The exercise is designed to test the state of preparedness of the UK's financial system in responding to cyber attacks, which are only growing more complex over time.

Operation Waking Shark 2 is due to take place in mid-November and will involve every high street bank taking part in a one-day “war game” featuring simulated cyber attacks designed to mimic the tactics of both state-sponsored hackers as well as cyber criminals, the Daily Telegraph reports.

The exercise comes two years after the Financial Services Authority ran the original Operation Waking Shark exercise.

Alex Mifsud, chief exec of payments firm Ixaris, said protection against cyber attacks needs to extend beyond simply making sure bank systems remain available in the face of a denial of service attack or similar high profile assault.

“Financial institutions now suffer cyber intrusions on a regular basis: we only have to remember the May arrests for the $45m that were stolen from ATMs around the world, or the £1.3m cyber theft against Barclays in April," Mifsud said. "Organised and extensive stress tests on the cyber defences of the UK’s banks and payments service providers are therefore to be welcomed and will help ensure that successful attacks are minimised."

“Besides the obvious physical and IT security, a sound cyber strategy should include training staff for ‘social engineering’ attacks (such as that perpetrated against Barclays in May), two-factor authentication to prevent password capture, maker-checker (whereby an individual employee / computer submits an action while another must approve it) for sensitive data entry such as changes in account ownership or large transactions, and external monitoring for unusual behaviour such as large transactions or high volumes of transactions in a given period that cannot be tampered with – even if the machine or process being monitored is compromised,” added Mifsud.

“While there is no silver bullet to protecting a financial institution from cyber attack, there are several best practice measures that can easily be applied to minimise risk.”

Ashley Stephenson, chief exec of Corero Network Security, referenced a series of DDoS attacks against US banks mounted by the Izz ad-Din al-Qassam Cyber Fighters as part of what it dubbed Operation Ababil and supposedly motivated by the presence of that video on YouTube.

"In the past year we have seen several publicly visible examples of 'hacktivists' bringing down banking websites, but these incidents are just the tip of the iceberg," Stephenson said. "The new cyber stress test initiative will help to identify areas of weakness within the participating banks IT security infrastructure, allowing them to be better prepared for real attacks."

"We highly commend the Bank of England’s Financial Policy Committee (FPC) for being proactive and ordering regulators to come up with “action plans” in the event of a cyber-attack by the first quarter of 2014," he added.

Darren Anstee, a team manager at DDoS mitigation firm Arbor Networks, said that training exercise will help to identify security weaknesses.

“This initiative will help organisations to identify any weaknesses in their defences and operational procedures, and will help them to ensure that they are sufficiently prepared should a real attack arise," Anstee commented. "Running regular exercises to evaluate incident response is hugely important. Any organisation can be a target for a cyber-attack, but banks are a particular target due to the very nature of their business and the key part they play in the economy."

"Banks are targeted frequently, and with increasingly sophisticated multi-tool, multi-vector attacks; whether the attacks are motivated ideologically or for financial gain, the onus is on the financial industry to protect the availability and integrity of their systems – and they should be testing their processes frequently, on a per-organisation basis, to ensure this.

“One of the things which Operation Ababil has taught us, though, is that in some cases vulnerabilities are only uncovered when multiple organisations are targeted concurrently, and these larger exercises have a key part to play in identifying potential bottlenecks in networks and services," he added. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.