We want it HARDER: City bankers survive simulated cyber-war

Finance firms reckon Waking Shark II should have featured espionage & malware threats


A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems.

Waking Shark II, which took place in November, was meant to test how investment banks and financial institutions held up under a sustained assault by hackers.

The overall results were an improvement on those from the original Waking Shark exercise, which took place in 2011, while still giving plenty of scope for improvement, according to an official report (PDF) on the exercise from the Bank of England.

"The exercise successfully demonstrated cross-sector communications and coordination through the CMBCG [Cross Market Business Continuity Group], information sharing through the use of the CISP [Cyber Security Information Security Partnership] platform and enabled participants to better understand the requirements of the UK Financial Authorities," the report concludes, while adding that banks' communications were hampered by the lack of an overall clearing house (co-ordinator) for cyber threat information.

"Consideration will be given to the identification of a single coordination body from industry to manage communications across the sector during an incident," the report recommends.

Other problems identified during the stress-test exercise, which took place over four hours but was designed to reflect a three-day attack involving denial of service and malware elements, included confusion about the (then) Financial Services Authority. "Attacked" banks were criticised for not calling the police, a breach of agreed procedures.

The Bank of England outlined the scenario played out during the simulated attacks – which, contrary to earlier reports, did not test the cyber resilience of high street banks – for the first time.

The scenario was based on a concerted cyber-attack against the UK financial sector by a hostile nation state with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure. Although the impacts caused by the cyber-attacks would have had an international as well as a UK dimension, for the purposes of the exercise, the scope of the exercise was restricted to management of the UK impacts.

The scenario was set over a three-day period the last day of which happened to coincide with “Triple Witching” (when contracts for stock index futures, stock index options and stock options all expire on the same day).

The three-day period was broken into phases, playing out various technical and business impacts from the scenario. The scenario examined how firms would manage their response to the cyber-attacks both on a technical level (in particular information-sharing amongst the firms via the CISP tool), and from a business perspective.

Elements of the cyberwar exercise included distributed denial of service attacks "causing the firms’ global websites and certain other internet-facing systems to be unresponsive or intermittently available" as well as APT and PC wipe attacks that penetrated the firms’ networks for disruptive and destructive purposes. All this had knock-on effects on trading and reconciliation systems.

This all looks, at least on paper, to be fairly challenging, yet the exercise was criticised by some banks as not challenging enough. Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers, such as BT, in the exercise.

Adrian Culley, technical consultant at anti-botnet firm Damballa and formerly of Scotland Yard’s Computer Crime Unit, said banks had a long way to go before their malware protections were up to scratch.

"UK Financial Institutions have real active infection inside their networks now," Culley said. "Caphaw is an example of one such very prevalent Advanced Attack, there are many others."

"Despite Waking Shark II there appears to be a disconnect between [Business Secretary Vince] Cable's very timely warning, and banks actually holding accessible, actionable intelligence. How are they planning to ever respond decisively without such intelligence? These bodies are part of UK Critical National Infrastructure, and both active attacks, and the threat of attack, are real. Banks need this information to detect active infections and prevent them becoming breaches. It is clear many of them do not have this."

Breachaholics encouraged to join 10-step programme

After a summit of regulators and intelligence chiefs on Wednesday, Cable warned of the more widespread vulnerability of Britain's critical national infrastructure to cyber-attack. The regulators - which included representatives from the Bank of England, Civil Aviation Authority, Office of the Nuclear Regulator, Ofgem, Ofwat and Ofcom - were briefed by GCHQ boss Sir Iain Lobban on the threat posed to systems.

Cable called on regulators to oversee the adoption of more robust cyber security measures. Firms were encouraged to "undertake a self-assessment against the ‘10 steps’; take up membership of the Cyber Security Information Security Partnership, or CISP; manage cyber risk in their supply chains by driving adoption of the HMG Preferred Organisational Standard for Cyber Security."

KPMG security expert Stephen Bonner warned that organisations will reduce the chances of successfully defending themselves if they continue to act in isolation.

"Fear of damaged reputations or stuttering share prices are major factors behind many organisations' decision to keep a low profile when their cyber defences have been breached," Bonner, a partner in KPMG's Information Protection and Business Resilience team, commented. "But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another."

KPMG said the rising number of attacks targeting cyber vulnerabilities presents a growing danger to financial institutions.

"We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.” ®
