Although there has been no official announcement, the word on the street is that Operation Waking Shark 2 took place yesterday – an exercise in which UK banks launched the most extensive cyber threat exercise in two years.
The exercise has been designed to test how prepared the the financial system is to survive a sustained online attack.
The test was to be monitored by the Bank of England, Treasury and Financial Conduct Authority to assess the ability of Britain’s core financial services providers (banks, the stock market and payment providers) to withstand attacks by cyber criminals as well as state sponsored attacks on the UK.
Every high street bank was expected to be take part in the one day "war game", simulating the impact of a major cyber-attack on the payments and market systems on which the UK’s financial system depends.
I’ve been chatting to quite a few people about Waking Shark 2 over the past few weeks.
Malwarebytes, is one security software company, believes the UK can learn a lot from the US banking industry in terms of DDoS protection.
A spokesperson for the company said: "The UK banking industry can learn a lot from US Banks as they’ve been hit hard in terms of volume and intensity of attacks. The damage caused cannot be ignored as a few hours of outage can cost millions of dollars.
"To put it simply, the UK finance industry needs to pull together and take a joined-up approach. Trying to tackle such a large issue in isolation is never going to be as effective as a collaboration. US banks and other financial institutions have realised this and are working together effectively. It is good to see the UK following suit for the greater good."
John Yeo, EMEA director at Trustwave, said: "It is great to see financial institutions taking cyber security so seriously and actively encouraging organisations to take a proactive approach to tackling potential cyber threats.
"It would be interesting to know how the organisers of this test are defining ‘cyber-attacks’. The term is broad since attacks have different profiles and indicators, for example, whilst a Distributed Denial of Service (DDoS) attack is reasonably obvious when it strikes, customised malware is not and each different attack vector poses different challenges. With so many people and paper-based activity focusing on policies and procedures, this exercise may be more of a logistical planning exercise instead of a simulated practice run.
"What needs to be implemented are real world attack scenarios that truly test the businesses’ incident response plans. For example, it has been widely reported that the simulations may include how well firms can coordinate and communicate with one another, and how banks can ensure the availability of cash in ATMs.
"The more important issue is what are they communicating about, and what happens when an attack is more subversive, and not immediately obvious when it strikes? In our experience, the majority of organisations that suffer a breach do not realise for some time that they have been hit, let alone where the attack originated from, and how it works."
We’re keen to find out more about exactly what has been tested, if indeed the exercise did take place yesterday as rumored. And how prepared is the banking sector?
We’ll keep digging around and let you know what we come up with.
