Only days after the authorities gave UK-based banks a time limit to come up with cyberattack defence plans, details have emerged of a major stress test of current financial systems set for next month.
Dubbed ‘Operation Waking Shark 2', according to The Daily Telegraph the test day will simulate a “severe” attack on payment providers, banks and markets to sniff out weaknesses in defence strategies, communications, and procedures.
This follows on from the smaller Waking Shark exercise that took place on the afternoon of 11 March 2011 which uncovered confusion about which bodies organisations should use to communicate with one another in the event of an attack.
Banks were also reportedly unclear about the relative roles of the Financial Services Authority (succeeded by the Financial Conduct Authority), the Serious Organised Crime Agency (now the National Crime Agency) and the Centre for the Protection of National Infrastructure (CPNI).
The size of the exercise has been greatly expanded from around 100 people that took part in 2011’s exercise to a reported “several thousand” in the November 2013 follow-up.
Banks whose performance is found to be weaker than their peers will be asked to invest in better systems, the newspaper said.
“Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures,” commented Fujitsu UK client managing director, Dorian Wiskow.
“What is paramount here is that the industry does not overlook or get complacent about security or place it in the “too big to fix” category,” he said.
According to Dana Tamir, director of enterprise security at Trusteer, banks were now a major target for a variety of attackers.
“Recent cyber-attacks on US banks have caused losses estimated in millions of dollars. Both the frequency and sophistication of such attacks is increasing. Cyber criminals are using all means available, including DDoS attacks that target the online banking systems from the outside, and advanced malware that enables the attacker to gain control over an internal employee endpoint, and attack these systems from the inside," he said.
Motivations included commercial manipulation, data theft and the emerging threat of ideological and political opposition.
Last week, it emerged that the authorities recently demanded banks to create convincing cyberdefence plans by the end of the first quarter of 2014. But not everyone is convinced that the model is fool-proof.
“Talking about inside and outside threats to banking security is an increasingly outdated way of thinking,” commented Geoff Webb of NetIQ.
“Banks have to assume that they have already been breached and as a result need to act accordingly. Operation Waking Shark 2 helps banks to prepare for the external attacks that are happening on a regular basis, but banks need to address the fact that they are likely to have hackers inside their organisation already by monitoring who accesses what and when, looking for tell-tale signs of hacker activity.”