Blighty's banks prep for repeated kicks to cyber-'nads in Operation Waking Shark II
Stress test will check IT resilience - but not physical security
Financial firms and banks across London will be hit with a cyber war game scenario tomorrow to test how well they could hold up under a major IT attack.
Sources whispered to Reuters that the cyber stress test already known to be taking place sometime this month would actually hit the finance sector on 12 November.
"Waking Shark II" will hit companies with a series of announcements and scenarios to mimic how a massive cyber attack might play out on stock exchanges and social media. Regulators, government officials and other financial firms' staff will coordinate the "attack" from a single room, the people familiar with the matter said.
Hundreds of bank workers will then fight the simulated attacks from their offices. Scenarios are likely to include how banks can ensure the availability of cash at ATMs, how they could deal with a liquidity squeeze in the wholesale market and how well they can communicate and coordinate with each other.
The exercise comes two years after the first Operation Waking Shark, which was run by the Financial Services Authority. News of the latest cyber war game first came last month, courtesy of the Daily Telegraph.
Professor David Stupples, head of centre for cybersecurity sciences at City University, London, said the exercise ought to involve tests against physical security, whose importance was illustrated by recent attacks where cybercrooks placed hardware keyloggers on the systems of high street banks.
"There's a great concentration on hackers disrupting access to computers but they aren't testing physical security," Professor Stupples told El Reg. "DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential."
The tests are been devised and run by computer ops people and greater imagination was needed to introduce scenarios such as the potential involvement of disenchanted employees, according to Professor Stupples.
"They are stress testing systems against known threats," he said adding that elements of the unpredictable ought to be included to properly test the robustness of banking systems against a greater range of attack scenarios.
Barry Shteiman, director of security strategy at datacentre security firm Imperva, was much more positive about the planned focus of the stress test exercise.
“I commend the Bank of England, the Treasury and Financial Conduct Authority for this great idea. In the past few years, we’ve seen some focused and proactive security programs in the UK.
"Notable are some of the contained DDoS mitigation campaigns that test bank readiness and business continuity planning exercises where employees work remotely and the data centre moves to DR (disaster recovery mode) to ensure that the business still functions under disaster conditions.
"Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats," he added. ®