Feeds

We want it HARDER: City bankers survive simulated cyber-war

Finance firms reckon Waking Shark II should have featured espionage & malware threats

Bridging the IT gap between rising business demands and ageing tools

A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems.

Waking Shark II, which took place in November, was meant to test how investment banks and financial institutions held under a sustained assault by hackers.

The overall results were an improvement on those from the original Waking Shark exercise, which took place in 2011, while still giving plenty of scope for improvement, according to an official report (PDF) on the exercise from the Bank of England.

"The exercise successfully demonstrated cross-sector communications and coordination through the CMBCG [Cross Market Business Continuity Group], information sharing through the use of the CISP [Cyber Security Information Security Partnership] platform and enabled participants to better understand the requirements of the UK Financial Authorities," the report concludes, while adding that banks' communications was hampered by a lack of an overall clearing house (co-ordinator) for cyber threat information.

"Consideration will be given to the identification of a single coordination body from industry to manage communications across the sector during an incident," the report recommends.

Other problems identified during the stress-test exercise, which took place over four hours, but was designed to reflect a three day attack involving denial of service and malware elements, included confusion about the (then) Financial Services Authority. "Attacked" banks were criticised for not calling the police, a breach of agreed procedures.

The Bank of England outlined the scenario played out during the simulated attacks – which, contrary to earlier reports, did not test the cyber resilience of high street banks – for the first time.

The scenario was based on a concerted cyber-attack against the UK financial sector by a hostile nation state with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure. Although the impacts caused by the cyber-attacks would have had an international as well as a UK dimension, for the purposes of the exercise, the scope of the exercise was restricted to management of the UK impacts.

The scenario was set over a three-day period the last day of which happened to coincide with “Triple Witching” (when contracts for stock index futures, stock index options and stock options all expire on the same day).

The three-day period was broken into phases, playing out various technical and business impacts from the scenario. The scenario examined how firms would manage their response to the cyber-attacks both on a technical level (in particular information-sharing amongst the firms via the CISP tool), and from a business perspective.

Elements of the cyberwar exercise included distributed denial of service attacks "causing the firms’ global websites and certain other internet-facing systems to be unresponsive or intermittently available" as well as APT and PC wipe attacks that penetrated the firms’ networks for disruptive and destructive purposes. All this had knock-on effects on trading and reconciliation systems.

This all looks, at least on paper, to be fairly challenging, yet the exercise was criticised by some banks as not challenging enough. Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers, such as BT, in the exercise.

Adrian Culley, technical consultant at anti-botnet firm Damballa and formerly of Scotland Yard’s Computer Crime Unit, said banks had a long way to go before their malware protections were up to scratch.

“UK Financial Institutions have real active infection inside their networks now, Culley said. "Caphaw is an example of one such very prevalent Advanced Attack, there are many others."

"Despite Waking Shark II there appears to be a disconnect between [Business Secretary Vince] Cable's very timely warning, and banks actually holding accessible, actionable intelligence. How they are planning to ever respond decisively without such intelligence? These bodies are part of UK Critical National Infrastructure, and both active attacks, and the threat of attack, are real. Banks need this information to detect active infections and prevent them becoming breaches. It is clear many of them do not have this.”

Breachaholics encouraged to join 10-step programme

After a summit of regulators and intelligence chiefs on Wednesday, Cable warned of the more widespread vulnerability of Britain's critical national infrastructure to cyber-attack. The regulators - which included representatives from the Bank of England, Civil Aviation Authority, Office of the Nuclear Regulator, Ofgem, Ofwat and Ofcom - were briefed on the threat posed to systems by GCHQ boss, Sir Iain Lobban.

Cable called on regulators to oversee the adoption of more robust cyber security measures. Firms were encouraged to "undertake a self-assessment against the ‘10 steps’; take up membership of the Cyber Security Information Security Partnership, or CISP; manage cyber risk in their supply chains by driving adoption of the HMG Preferred Organisational Standard for Cyber Security."

KPMG security expert Stephen Bonner warned that organisations will reduce the chances of successfully defending themselves, if they continue to act in isolation.

“Fear of damaged reputations or stuttering share prices are major factors behind many organisations’ decision to keep a low profile when their cyber defences have been breached," Bonner, a partner in KPMG’s Information Protection and Business Resilience team, commented. "But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another.

KPMG said the rising number of attacks targeting cyber vulnerabilities presents a growing danger to financial institutions.

"We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.” ®

Application security programs and practises

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.