UK banks to stress test readiness for major cyberattack

Operation Waking Shark 2

Only days after the authorities gave UK-based banks a time limit to come up with cyberattack defence plans, details have emerged of a major stress test of current financial systems set for next month.

According to The Daily Telegraph, the test day, dubbed 'Operation Waking Shark 2', will simulate a "severe" attack on payment providers, banks and markets to sniff out weaknesses in defence strategies, communications, and procedures.

This follows on from the smaller Waking Shark exercise that took place on the afternoon of 11 March 2011, which uncovered confusion about which bodies organisations should use to communicate with one another in the event of an attack.

Banks were also reportedly unclear about the relative roles of the Financial Services Authority (succeeded by the Financial Conduct Authority), the Serious Organised Crime Agency (now the National Crime Agency) and the Centre for the Protection of National Infrastructure (CPNI).

The size of the exercise has been greatly expanded, from the around 100 people who took part in 2011's exercise to a reported "several thousand" in the November 2013 follow-up.

Banks whose performance is found to be weaker than their peers will be asked to invest in better systems, the newspaper said.

"Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures," commented Fujitsu UK client managing director, Dorian Wiskow.

"What is paramount here is that the industry does not overlook or get complacent about security or place it in the 'too big to fix' category," he said.

According to Dana Tamir, director of enterprise security at Trusteer, banks were now a major target for a variety of attackers.

"Recent cyber-attacks on US banks have caused losses estimated in millions of dollars. Both the frequency and sophistication of such attacks are increasing. Cyber criminals are using all means available, including DDoS attacks that target the online banking systems from the outside, and advanced malware that enables the attacker to gain control over an internal employee endpoint, and attack these systems from the inside," he said.

Motivations included commercial manipulation, data theft and the emerging threat of ideological and political opposition.

Last week, it emerged that the authorities recently demanded that banks create convincing cyberdefence plans by the end of the first quarter of 2014. But not everyone is convinced that the model is foolproof.

"Talking about inside and outside threats to banking security is an increasingly outdated way of thinking," commented Geoff Webb of NetIQ.

"Banks have to assume that they have already been breached and as a result need to act accordingly. Operation Waking Shark 2 helps banks to prepare for the external attacks that are happening on a regular basis, but banks need to address the fact that they are likely to have hackers inside their organisation already by monitoring who accesses what and when, looking for tell-tale signs of hacker activity."


Stories by John E Dunn
