Feeds

Blighty's banks prep for repeated kicks to cyber-'nads in Operation Waking Shark II

Stress test will check IT resilience - but not physical security

Build a business case: developing custom apps

Financial firms and banks across London will be hit with a cyber war game scenario tomorrow to test how well they could hold up under a major IT attack.

Sources whispered to Reuters that the cyber stress test already known to be taking place sometime this month would actually hit the finance sector on 12 November.

"Waking Shark II" will hit companies with a series of announcements and scenarios to mimic how a massive cyber attack might play out on stock exchanges and social media. Regulators, government officials and other financial firms' staff will coordinate the "attack" from a single room, the people familiar with the matter said.

Hundreds of bank workers will then fight the simulated attacks from their offices. Scenarios are likely to include how banks can ensure the availability of cash at ATMs, how they could deal with a liquidity squeeze in the wholesale market and how well they can communicate and coordinate with each other.

The exercise comes two years after the first Operation Waking Shark, which was run by the Financial Services Authority. News of the latest cyber war game first came last month, courtesy of the Daily Telegraph.

Professor David Stupples, head of centre for cybersecurity sciences at City University, London, said the exercise ought to involve tests against physical security, whose importance was illustrated by recent attacks where cybercrooks placed hardware keyloggers on the systems of high street banks.

"There's a great concentration on hackers disrupting access to computers but they aren't testing physical security," Professor Stupples told El Reg. "DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential."

The tests are been devised and run by computer ops people and greater imagination was needed to introduce scenarios such as the potential involvement of disenchanted employees, according to Professor Stupples.

"They are stress testing systems against known threats," he said adding that elements of the unpredictable ought to be included to properly test the robustness of banking systems against a greater range of attack scenarios.

Barry Shteiman, director of security strategy at datacentre security firm Imperva, was much more positive about the planned focus of the stress test exercise.

“I commend the Bank of England, the Treasury and Financial Conduct Authority for this great idea. In the past few years, we’ve seen some focused and proactive security programs in the UK.

"Notable are some of the contained DDoS mitigation campaigns that test bank readiness and business continuity planning exercises where employees work remotely and the data centre moves to DR (disaster recovery mode) to ensure that the business still functions under disaster conditions.

"Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats," he added. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?