Feeds

Blighty's banks prep for repeated kicks to cyber-'nads in Operation Waking Shark II

Stress test will check IT resilience - but not physical security

Reducing security risks from open source software

Financial firms and banks across London will be hit with a cyber war game scenario tomorrow to test how well they could hold up under a major IT attack.

Sources whispered to Reuters that the cyber stress test already known to be taking place sometime this month would actually hit the finance sector on 12 November.

"Waking Shark II" will hit companies with a series of announcements and scenarios to mimic how a massive cyber attack might play out on stock exchanges and social media. Regulators, government officials and other financial firms' staff will coordinate the "attack" from a single room, the people familiar with the matter said.

Hundreds of bank workers will then fight the simulated attacks from their offices. Scenarios are likely to include how banks can ensure the availability of cash at ATMs, how they could deal with a liquidity squeeze in the wholesale market and how well they can communicate and coordinate with each other.

The exercise comes two years after the first Operation Waking Shark, which was run by the Financial Services Authority. News of the latest cyber war game first came last month, courtesy of the Daily Telegraph.

Professor David Stupples, head of centre for cybersecurity sciences at City University, London, said the exercise ought to involve tests against physical security, whose importance was illustrated by recent attacks where cybercrooks placed hardware keyloggers on the systems of high street banks.

"There's a great concentration on hackers disrupting access to computers but they aren't testing physical security," Professor Stupples told El Reg. "DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential."

The tests are been devised and run by computer ops people and greater imagination was needed to introduce scenarios such as the potential involvement of disenchanted employees, according to Professor Stupples.

"They are stress testing systems against known threats," he said adding that elements of the unpredictable ought to be included to properly test the robustness of banking systems against a greater range of attack scenarios.

Barry Shteiman, director of security strategy at datacentre security firm Imperva, was much more positive about the planned focus of the stress test exercise.

“I commend the Bank of England, the Treasury and Financial Conduct Authority for this great idea. In the past few years, we’ve seen some focused and proactive security programs in the UK.

"Notable are some of the contained DDoS mitigation campaigns that test bank readiness and business continuity planning exercises where employees work remotely and the data centre moves to DR (disaster recovery mode) to ensure that the business still functions under disaster conditions.

"Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats," he added. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.