Last month, the details of a sophisticated attack on a Barclays Bank branch in April became clearer. A total of £1.3m was stolen from the Swiss Cottage branch in London by a gang based in a ‘control room’ in Marylebone.
A bogus repairman had planted a KVM (keyboard-video-mouse) device on a PC inside the bank’s network, allowing money to be transferred remotely with the use of a 3G router.
There is no doubt that cyber criminals are becoming increasingly savvy, and new techniques are constantly being developed to steal – be it money, data or otherwise.
Barclays certainly wasn’t the first bank to be targeted by cyber thieves and it surely won’t be the last. It will happen again. Banks simply must be ready.
The exercise, dubbed Operation Waking Shark 2, should be the most extensive cyber threat exercise in two years as the authorities test the preparedness of the financial system to survive a sustained online attack.
It should prove to be revealing, as it will either assure banks that their defences are adequate or, hopefully, highlight the weaknesses that require reinforcement.
Ashley Stephenson, CEO of Corero Network Security, describes the coordinated cyber stress test against UK banks and financial institutions as a welcome step forward in the fight against cybercrime.
He says: "In the past year we have seen several publicly visible examples of ‘hacktivists’ bringing down banking websites, but these incidents are just the tip of the iceberg. The new cyber stress test initiative will help to identify areas of weakness within the participating banks’ IT security infrastructure, allowing them to be better prepared for real attacks.
"We highly commend the Bank of England’s Financial Policy Committee (FPC) for being proactive and ordering regulators to come up with ‘action plans’ in the event of a cyber-attack by the first quarter of 2014."
John Yeo, EMEA Director at Trustwave, concurs, adding: "It’s great to see financial organisations such as the Bank of England, and the Treasury taking cyber-security so seriously, and in particular that they will be conducting a simulated cyber-attack on payments and markets systems.
"The Bank of England’s Financial Policy Committee (FPC) have also ordered regulators to come up with ‘action plans’ in the event of a cyber-attack by the first quarter of 2014. However, it is of concern that the FPC feels these need to be ordered in the first place, as one would have expected that all financial institutions should have robust and far-reaching incident response plans already in place."
Geoff Webb, director of solution strategy, NetIQ, also has a word of warning for the banks due to take part in the cyber attack tests.
"While it’s great to see the leading banks preparing for cyber attacks through simulations like Operation Waking Shark 2, the banks need to recognise that they are already likely to have been breached," he explains. "It might sound alarmist, but given that no firewall can guarantee to keep out all intruders, banks have to assume that cyber criminals are already inside their network."
The skill of modern cyber-criminals lies in the fact that they can be almost indistinguishable from genuine employees. Once inside an organisation’s perimeter they immediately aim to elevate their own authorisation levels to those of a privileged employee, using that clearance to steal valuable information.
"As a result, talking about inside and outside threats to banking security is an increasingly outdated way of thinking," Webb adds. "Banks have to assume that they have already been breached and as a result need to act accordingly. Operation Waking Shark 2 helps banks to prepare for the external attacks that are happening on a regular basis, but banks need to address the fact that they are likely to have hackers inside their organisation already by monitoring who accesses what and when, looking for tell-tale signs of hacker activity."
Exactly what threats will be tested during next month’s testing remains to be seen and, more than likely, will never officially be made public.
But according to Trustwave’s 2013 Global Security Report, the primary data type targeted by attackers in both 2011 and 2012 was personal/customer data – especially payment card related data.
Yeo notes: "There is a well-established underground marketplace for stolen payment card data; it is bought and sold quickly for use in fraudulent transactions. Having said that, we are starting to see sophisticated cyber-attacks aimed at penetrating banks and financial institutions, so the results of the stress test will certainly make interesting reading."
Stephenson believes that a major focus during the tests will be to monitor how banks carry on ‘business as usual’ while being repeatedly attacked.
"An important success criterion for the tests when dealing with Denial of Service attacks is that organisations must demonstrate that they can deal with the attack whilst maintaining regular services," he says.
"The FPC highlights this goal by indicating the Bank of England must ensure it is able to operate if its own systems are attacked. For the most part, recently disclosed attacks against banks have largely been the result of Distributed Denial of Service attacks launched by hacktivist groups, which are a publicly visible inconvenience to customers.
"However, a more significant disruption to critical financial services such as the stock market or the Bank of England from a cyber-attack could have a far wider impact on the industry and country as a whole."
Dorian Wiskow, client managing director, financial services, Fujitsu UK & Ireland, thinks that, whatever the outcome of the extensive testing exercise next month, it seems to indicate that cyber security is becoming a number one priority for the financial sector.
"It is vitally important that cyber security tops the priority list for IT departments within the UK’s financial service organisations," he explains. "Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures.
"CIOs in the banking industry are facing an unenviable challenge – securing these multi-channel environments while ensuring customer experience does not suffer – and this is an incredibly difficult challenge to overcome.
"What is paramount here is that the industry does not overlook or get complacent about security or place it in the ‘too big to fix’ category. Research we carried out revealed that security does not feature in the top three CIO priorities. With the sophistication of cyber-attacks and the number of threats increasing exponentially – can the industry afford for it not to be the number one priority?"
The answer to that has to be ‘no’ and, in mid-November at least, it will be at the top of all UK banks’ agendas as they engage in their cybercrime ‘war game’.