Wall Street sets example for testing security defenses

Wall Street plans to hold a simulated cyberattack against equity markets this month that experts hope will set an example of how industries should test their defenses against assailants.

Called Quantum Dawn 2, the drill will involve big Wall Street firms and government agencies, including the Federal Reserve, the Department of Homeland Security (DHS), the Treasury Department and the Securities and Exchange Commission (SEC). About 50 entities are participating in the June 28 exercise, organized by the Securities Industry and Financial Markets Association (SIFMA).

Production systems will not be used in the drill. Instead, the exercise will be conducted through software all the participants will access over the Internet from their respective locations, said Karl Schimmeck, vice president of financial services operations at SIFMA. The software will simulate different types of attacks, such as a distributed denial of service (DDoS) assault against the infrastructure of the banks, brokerages and exchanges.

The firms that make up Wall Street are considered critical infrastructure that could cripple the nation's economy if they were severely damaged by terrorists or cybercriminals. Wall Street's importance, wealth and regulatory oversight have made it a leader in security preparedness.

In the upcoming drill, participants will have to identify the attack, determine how it is affecting their infrastructure and the impact on the equity market and then decide how to respond, Schimmeck said. In general, SIFMA is hoping the firms will test their playbooks, processes and response mechanisms, while also finding more efficient ways to share real-time information in getting help from each other and government agencies.


In 2011, the first Quantum Dawn exercise had all the participants in one conference room. The second drill has all the firms and government players in their own offices, forcing them to use more realistic forms of communications.

"Being able to communicate over the phone and email are absolutely critical," Schimmeck said.

Since last September, many large U.S. financial institutions have been fending off several waves of DDoS attacks from assailants claiming to be an Islamic hacktivist group. While the attackers have failed to cause major disruptions, they have forced banks to put aside their rivalries and share information for their own collective good, Schimmeck said.

"There's no competitive advantage in this. We look at the industry as this one whole," Schimmeck said. "You want to defend it and protect it. And an attack on one bank is an attack on all banks."

While attack simulation is not the norm in other industries, it should be, said Avivah Litan, an analyst with Gartner. Such drills can reveal security holes, as well as test communication channels.

"Doing a practice run is really the best way to test your disaster recovery and business continuity practices," she said. "It's one thing to put them on paper. It's another thing to practice them."

Rich Bolstridge, chief strategist of financial services at Akamai Technologies, agreed with Litan, saying, "Other industries should take note of this simulation."

"Many industries right now are not ready to go off and do these simulations," he said. "But for critical infrastructure systems, they do need to be putting this on their roadmap."

While Wall Street is out in front, smaller banks and credit unions have generally been behind in maintaining a sufficient level of preparedness, Litan said. Part of the reason is their dependence on third-party service providers for running online services. Some of those providers have not done a good job in preparing the banks or themselves against attacks.

In 2011, Fidelity National Information Services, a major processor of prepaid debit cards, disclosed a breach in which the company incurred a loss of $13 million in a cyberheist involving the use of stolen cards at ATMs.

"These smaller banks really need to put pressure on their processors to simulate these kinds of attacks," Litan said. "From all signs, [processors] don't pay enough attention to security and defense."


Stories by Antone Gonsalves
