Feeds

back to article We want it HARDER: City bankers survive simulated cyber-war

A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems. Waking Shark II, which took place in November, was meant to test how investment banks and financial institutions held under a sustained assault by hackers. The overall results …

COMMENTS

This topic is closed for new posts.
Silver badge

Make it more real

"... the exercise was criticised by some banks as not challenging enough. Some participants wanted a greater emphasis on ..."

I'd want to see a greater emphasis on bankers being kidnapped on their way to work or from their homes, then being 'pressured' to reveal their passwords, etc. I'm a firm believer in 'worst case' testing.

6
1
Silver badge

Re: Make it more real

I would further add the scenario, probably the most likely, whereby the attackers have inside help.

Imagine the advantage of hacking into an institution when one of your drinking buddies is the BOFH.

3
0

Re: Make it more real

There's a few problems with that:

a) They're likely to fight back, meaning someone gets hurt

b) They probably can't recall their own passwords. Even if they could, traders & bankers have very little access to systems to actually do anything - sure, you can book a trade, but you can't setup a new counterparty, their cash accounting, settlement instructions, confirmations process, and actually have the trade paid out.

What you'd actually need to do would be obtain a variety of IT staff and a few Ops & finance people.

Unless you just wanted to go for the small change (tens of millions), then you could hack into a retail bank instead.

2
1
Roo
Silver badge

Re: Make it more real

"I'd want to see a greater emphasis on bankers being kidnapped on their way to work or from their homes,"

I suspect that you are not the only one who would like to see that happen, in fact I think that there would be a long queue of people volunteering for that job. ;)

More seriously though, if a firm were to try a surprise abduction on one of their golden boys, it would end up in court, possibly at the behest of the CPS.

0
0
Bronze badge

Re: Make it more real

<snip>

"More seriously though, if a firm were to try a surprise abduction on one of their golden boys, it would end up in court, possibly at the behest of the CPS."

Such things happen. Normally permission is granted way in advance and a surprise exercise is launched when the victim least expects it.

I do not think that bankers are a good target. I would go to the finance department and work my way through the lot of them. Once I had done that in a satisfactory manner and the body count had been sufficiently high, I would call in a lot of journalists and launch a surprise exercise on them. Lawyers would be next and if I could just factor in a few thousand estate agents then the world would be a pink and fluffy place full of bunny rabbits and clouds.

0
0
Gold badge
WTF?

""Attacked" banks were criticised for not calling the police, "

So the police not involved?

You're looking at massive counts under the Computer Misuse Act, potential massive theft and PC Plod is not to be called.

Because a Police response is considered "unnecessary" perhaps?

Personally I doubt these exercises will be realistic enough until there is a real risk of one of the participants going bankrupt and not getting a government bailout.

But that's just me.

2
0
Anonymous Coward

Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers, such as BT, in the exercise.

How are these two sentences different?

(Phorm. Kit from certain overseas vendors etc)

1
1
Silver badge

The Elephant in the Room

Successfully defending the indefensible and offensive is never going to be an acceptable reality, and just like military type war games, is anything practised in simulated stress testing, never ever going to reflect and give insight on what is going to virtually happen in the real world.

And surely regulators and intelligence chiefs know and are advising all on that, and the fact that there is nothing that can be done to mitigate and/or stop such as a smart attack on a systemically flawed system.

1
3
This topic is closed for new posts.