City bankers survive simulated cyber-war

A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems. Waking Shark II, which took place in November, was meant to test how investment banks and financial institutions held under a sustained assault by hackers. The overall …

COMMENTS

This topic is closed for new posts.
  1. frank ly

    Make it more real

    "... the exercise was criticised by some banks as not challenging enough. Some participants wanted a greater emphasis on ..."

    I'd want to see a greater emphasis on bankers being kidnapped on their way to work or from their homes, then being 'pressured' to reveal their passwords, etc. I'm a firm believer in 'worst case' testing.

    1. Khaptain Silver badge

      Re: Make it more real

      I would further add the scenario, probably the most likely, whereby the attackers have inside help.

      Imagine the advantage of hacking into an institution when one of your drinking buddies is the BOFH.

    2. TopOnePercent

      Re: Make it more real

      There are a few problems with that:

      a) They're likely to fight back, meaning someone gets hurt

      b) They probably can't recall their own passwords. Even if they could, traders & bankers have very little access to systems to actually do anything - sure, you can book a trade, but you can't set up a new counterparty, their cash accounting, settlement instructions, confirmations process, and actually have the trade paid out.

      What you'd actually need to do would be obtain a variety of IT staff and a few Ops & finance people.

      Unless you just wanted to go for the small change (tens of millions), then you could hack into a retail bank instead.

    3. Roo

      Re: Make it more real

      "I'd want to see a greater emphasis on bankers being kidnapped on their way to work or from their homes,"

      I suspect that you are not the only one who would like to see that happen, in fact I think that there would be a long queue of people volunteering for that job. ;)

      More seriously though, if a firm were to try a surprise abduction on one of their golden boys, it would end up in court, possibly at the behest of the CPS.

      1. Bloakey1

        Re: Make it more real

        <snip>

        "More seriously though, if a firm were to try a surprise abduction on one of their golden boys, it would end up in court, possibly at the behest of the CPS."

        Such things happen. Normally permission is granted way in advance and a surprise exercise is launched when the victim least expects it.

        I do not think that bankers are a good target. I would go to the finance department and work my way through the lot of them. Once I had done that in a satisfactory manner and the body count had been sufficiently high, I would call in a lot of journalists and launch a surprise exercise on them. Lawyers would be next and if I could just factor in a few thousand estate agents then the world would be a pink and fluffy place full of bunny rabbits and clouds.

  2. John Smith 19 Gold badge

    WTF?

    "'Attacked' banks were criticised for not calling the police,"

    So the police were not involved?

    You're looking at massive counts under the Computer Misuse Act, potential massive theft and PC Plod is not to be called.

    Because a Police response is considered "unnecessary" perhaps?

    Personally I doubt these exercises will be realistic enough until there is a real risk of one of the participants going bankrupt and not getting a government bailout.

    But that's just me.

  3. Anonymous Coward

    Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers, such as BT, in the exercise.

    How are these two sentences different?

    (Phorm. Kit from certain overseas vendors etc)

  4. amanfromMars 1 Silver badge

    The Elephant in the Room

    Successfully defending the indefensible and offensive is never going to be an acceptable reality, and just like military type war games, is anything practised in simulated stress testing, never ever going to reflect and give insight on what is going to virtually happen in the real world.

    And surely regulators and intelligence chiefs know and are advising all on that, and the fact that there is nothing that can be done to mitigate and/or stop such as a smart attack on a systemically flawed system.
