Security experts welcome the news that UK banks are preparing to engage in a cyber ‘war game’ in an effort to prepare for the real thing.
Last month, the details of a sophisticated attack on Barclays Bank branch in April became clearer. A total of £1.3m was stolen from the Swiss Cottage branch in London by a gang based in a ‘control room’ in Marleybone.
A bogus repairman had planted a KVM (keyboard-video-mouse) device on a PC inside the bank’s network, allowing money to be transferred remotely with the use of a 3G router.
There is no doubt that cyber criminals are becoming increasingly savvy, and new techniques are constantly being developed to steal – be it money, data or otherwise.
Barclays certainly wasn’t the first bank to be targeted by cyber thieves and it surely won’t be the last. It will happen again. They simply must be ready.
The exercise, dubbed Operation Waking Shark 2, should be the most extensive cyber threat exercise in two years as the authorities test the preparedness of the financial system to survive a sustained online attack.
It should prove to be revealing, as it will either assure banks that their defences are adequate or, hopefully, highlight the weakness that require reinforcement.
Ashley Stephenson, CEO of Corero Network Security describes the coordinated cyber stress test against UK banks and financial institutions as a welcome step forward in the fight against cybercrime.
He says: "In the past year we have seen several publicly visible examples of ‘hacktivists’ bringing down banking websites, but these incidents are just the tip of the iceberg. The new cyber stress test initiative will help to identify areas of weakness within the participating banks IT security infrastructure, allowing them to be better prepared for real attacks."
"We highly commend the Bank of England’s Financial Policy Committee (FPC) for being proactive and ordering regulators to come up with "action plans" in the event of a cyber-attack by the first quarter of 2014."
John Yeo, EMEA Director at Trustwave, concurs, adding: "It’s great to see financial organisations such as the Bank of England, and the Treasury taking cyber-security so seriously, and in particular that they will be conducting a simulated cyber-attack on payments and markets systems.
"The Bank of England’s Financial Policy Committee (FPC) have also ordered regulators to come up with "action plans" in the event of a cyber-attack by the first quarter of 2014. However, it is of concern that the FPC feels these needs to be ordered in the first place, as one would have expected that all financial institutions should have robust and far-reaching incident response plans already in place."
Geoff Webb, director of solution strategy, NetIQ, also has a word of warning for the banks due to take part in the cyber attack tests.
"While it’s great to see the leading banks preparing for cyber attacks through simulations like Operation Waking Shark 2, the banks need to recognise that they are already likely to have been breached," he explains. "It might sound alarmist, but given that no firewall can guarantee to keep out all intruders, banks have to assume that cyber criminals are already inside their network."
The skill of modern cyber-criminals lies in the fact that they can be almost indistinguishable from genuine employees. Once inside an organisation’s perimeter they immediately aim to elevate their own authorisation levels to those of a privileged employee, using that clearance to steal valuable information.
"As a result, talking about inside and outside threats to banking security is an increasingly outdated way of thinking," Webb adds. "Banks have to assume that they have already been breached and as a result need to act accordingly. Operation Waking Shark 2 helps banks to prepare for the external attacks that are happening on a regular basis, but banks need to address the fact that they are likely to have hackers inside their organisation already by monitoring who accesses what and when, looking for tell-tale signs of hacker activity."