The information security industry has raised concerns over the UK’s latest test of the financial infrastructure’s resilience to cyber attack.
IT workers say the exercise is a good opportunity to iron out flaws before the UK’s cyber defences are tested to the limits by attackers, but many believe testing should happen more regularly – the last such test was conducted two years ago. Meanwhile, others say the exercise is lacking in some respects, and have questioned how the organisers are defining cyber attacks.
John Yeo, European director at Trustwave, said that with so many people and paper-based activity focusing on policies and procedures, the exercise may be more of a logistical planning exercise than a simulated practice run.
“What needs to be implemented are real-world attack scenarios that truly test the businesses’ incident response plans,” he said.
The test will reportedly simulate how well firms can coordinate and communicate with one another, but Yeo said the more important issue is what they are communicating about, and what happens when an attack is more subversive, and not immediately obvious when it strikes.
“Most organisations that suffer a breach do not realise for some time that they have been hit, let alone where the attack originated from, and how it works,” he said.
In the 2013 Trustwave Global Security Report, security researchers revealed that in 2012 it took approximately 210 days for an organisation to realise it had been attacked.
“It is crucial that businesses have the proper security controls in place so they can not only help prevent an attack but also, if an attack occurs, identify it and respond in an appropriate and measured manner,” said Yeo.
“They also need to understand the techniques they should execute to restore their business, to minimise the impact of such an attack,” he said.
Others questioned the lack of focus on insider threats.
“To combat insider threats, firms need to invest in employee security training and awareness programmes to avoid accidental breaches,” said Peter Armstrong, director of cyber security at Thales UK.
“Organisations should also consider a number of IT administered employee controls, including network monitoring technology which alerts the necessary parties when rogue devices connect to the network to either infect a corporate IT system,” he said.
Others felt the exercise should have included a greater degree of government involvement.
“With cyber attacks becoming more complex, it is important for government agencies, such as GCHQ and MI5, to be involved in these preparations as private and public sectors must combine their expertise to thwart ever-more sophisticated hackers,” said Jarno Limnell, director of cyber security at Stonesoft, a McAfee Group company.
Will the test be thorough?
Some security industry representatives have questioned whether the exercise goes far enough.
Richard Horne, cyber security partner at PricewaterhouseCoopers (PwC) said an exercise such as Waking Shark 2 helps to highlight the scale of the challenge.
“But it will take a lot of detailed technical work and testing - coordinated across the industry - to really understand all the interdependencies and develop meaningful containment and recovery plans,” he said.
Some security industry representatives say the real value in the exercise will lie in the analysis of how systems and processes performed.
“It is essential for participants to examine how the scenario played out and what lessons can be learnt for the future,” said David Emm, senior security researcher at Kaspersky Lab.
“It is important for organisations in all sectors to look at the risks cyber threats pose and iron out their own individual scenarios for dealing with an attack,” he said.
Ross Brewer, vice president and managing director for international markets at LogRhythm said that while the financial sector is taking a step in the right direction, it would only be worthwhile if the lessons learned are acted upon and shared with a wider audience.
“Far too many organisations still rely on reactive security measures when they should be constantly prepared for an attack, and it is likely this exercise will prove this to be an outdated thought process,” he said.
Monitoring the network
According to Brewer, the only way to ensure businesses have the best possible chance of keeping today’s sophisticated threats out is through 24/7 monitoring of all network activity.
“Any business that holds off will regret that decision – and by then, when it is a real attack and not a test, it will be too late,” he said.
Andrew Miller, chief operating officer at Corero Network Security, said one of the biggest benefits from the exercise will not necessarily be about banks learning to defend against cyber attacks, but learning to co-operate.
“There needs to be more information-sharing within financial organisations on the latest threats and attacks they are facing, so they can develop a knowledge pool on how to protect against them,” he said.
Miller said those organisations that work together to develop comprehensive defences are far more likely to remain secure than those that “go it alone”.
However, he said that with the increasing threat of cyber crime, banks need to demonstrate in plain terms, from a consumer’s perspective, that they can protect customers’ data.
“I would argue that today’s test is not about whether any of the financial institutions pass or fail the test, but it is about them learning where there are weaknesses, and what areas of the business need to be improved upon to ensure business continues as normal in the event of a real attack,” he said.
More focus on fraud
But Alan Carter, director of cloud services at SecureData, has questioned whether anything of value can come out of the exercise, when banks get attacked every day and are coping with these threats.
Banks are also conducting routine penetration testing and vulnerability scanning, and cyber security is already a huge part of every financial organisation’s strategy.
“It is not immediately obvious what motives are behind Operation Waking Shark 2, and it remains to be seen whether this day of testing will change how they operate on a day-to-day basis,” he said.
Carter said National Fraud Association figures suggest the government should focus more broadly on fraud, with banking fraud accounting for just over 0.5% of the £73bn lost to fraud in 2011.
“Bear in mind those figures include fraud that is largely unrelated to bank IT systems, such as card skimming, and we can see the Government clearly has bigger fish to fry,” he said.
Cyber security is already routine procedure for banks, and CISOs will already have implemented effective strategies to minimise the risk, said Carter.
“Operation Waking Shark 2 is most likely to be viewed by those in the industry as a futile attempt by a government department to gain some positive publicity, but in doing so it is likely to heap unwanted attention and extra pressure on security managers, ultimately punishing them for the good work they are already doing,” he said.
A report on the outcome of Operation Waking Shark 2 is expected to be released either in December 2013 or early in 2014.