Feeds

Blighty's banks prep for repeated kicks to cyber-'nads in Operation Waking Shark II

Stress test will check IT resilience - but not physical security

Choosing a cloud hosting partner with confidence

Financial firms and banks across London will be hit with a cyber war game scenario tomorrow to test how well they could hold up under a major IT attack.

Sources whispered to Reuters that the cyber stress test already known to be taking place sometime this month would actually hit the finance sector on 12 November.

"Waking Shark II" will hit companies with a series of announcements and scenarios to mimic how a massive cyber attack might play out on stock exchanges and social media. Regulators, government officials and other financial firms' staff will coordinate the "attack" from a single room, the people familiar with the matter said.

Hundreds of bank workers will then fight the simulated attacks from their offices. Scenarios are likely to include how banks can ensure the availability of cash at ATMs, how they could deal with a liquidity squeeze in the wholesale market and how well they can communicate and coordinate with each other.

The exercise comes two years after the first Operation Waking Shark, which was run by the Financial Services Authority. News of the latest cyber war game first came last month, courtesy of the Daily Telegraph.

Professor David Stupples, head of centre for cybersecurity sciences at City University, London, said the exercise ought to involve tests against physical security, whose importance was illustrated by recent attacks where cybercrooks placed hardware keyloggers on the systems of high street banks.

"There's a great concentration on hackers disrupting access to computers but they aren't testing physical security," Professor Stupples told El Reg. "DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential."

The tests are been devised and run by computer ops people and greater imagination was needed to introduce scenarios such as the potential involvement of disenchanted employees, according to Professor Stupples.

"They are stress testing systems against known threats," he said adding that elements of the unpredictable ought to be included to properly test the robustness of banking systems against a greater range of attack scenarios.

Barry Shteiman, director of security strategy at datacentre security firm Imperva, was much more positive about the planned focus of the stress test exercise.

“I commend the Bank of England, the Treasury and Financial Conduct Authority for this great idea. In the past few years, we’ve seen some focused and proactive security programs in the UK.

"Notable are some of the contained DDoS mitigation campaigns that test bank readiness and business continuity planning exercises where employees work remotely and the data centre moves to DR (disaster recovery mode) to ensure that the business still functions under disaster conditions.

"Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats," he added. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.