Feeds

Blighty's banks prep for repeated kicks to cyber-'nads in Operation Waking Shark II

Stress test will check IT resilience - but not physical security

SANS - Survey on application security programs

Financial firms and banks across London will be hit with a cyber war game scenario tomorrow to test how well they could hold up under a major IT attack.

Sources whispered to Reuters that the cyber stress test already known to be taking place sometime this month would actually hit the finance sector on 12 November.

"Waking Shark II" will hit companies with a series of announcements and scenarios to mimic how a massive cyber attack might play out on stock exchanges and social media. Regulators, government officials and other financial firms' staff will coordinate the "attack" from a single room, the people familiar with the matter said.

Hundreds of bank workers will then fight the simulated attacks from their offices. Scenarios are likely to include how banks can ensure the availability of cash at ATMs, how they could deal with a liquidity squeeze in the wholesale market and how well they can communicate and coordinate with each other.

The exercise comes two years after the first Operation Waking Shark, which was run by the Financial Services Authority. News of the latest cyber war game first came last month, courtesy of the Daily Telegraph.

Professor David Stupples, head of centre for cybersecurity sciences at City University, London, said the exercise ought to involve tests against physical security, whose importance was illustrated by recent attacks where cybercrooks placed hardware keyloggers on the systems of high street banks.

"There's a great concentration on hackers disrupting access to computers but they aren't testing physical security," Professor Stupples told El Reg. "DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential."

The tests are been devised and run by computer ops people and greater imagination was needed to introduce scenarios such as the potential involvement of disenchanted employees, according to Professor Stupples.

"They are stress testing systems against known threats," he said adding that elements of the unpredictable ought to be included to properly test the robustness of banking systems against a greater range of attack scenarios.

Barry Shteiman, director of security strategy at datacentre security firm Imperva, was much more positive about the planned focus of the stress test exercise.

“I commend the Bank of England, the Treasury and Financial Conduct Authority for this great idea. In the past few years, we’ve seen some focused and proactive security programs in the UK.

"Notable are some of the contained DDoS mitigation campaigns that test bank readiness and business continuity planning exercises where employees work remotely and the data centre moves to DR (disaster recovery mode) to ensure that the business still functions under disaster conditions.

"Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats," he added. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.