US, UK big banks to simulate mega-hacker cyber-attack

A mock exercise will take place this month to test how major banks respond to a major cyber attack, according to a newspaper report. The joint UK and US initiative, Operation Resilient Shield, will be "the most sophisticated test … yet" of the way industry communicates and coordinates its efforts in response to cyber security …

  1. This post has been deleted by its author

    1. batfastad

      Employed by one of the high-street mega systems integrators? They have a track record for always snapping up the most talented people.

  2. Chris Miller

    I wonder

    Will they simulate what happens when a major wholesale bank's settlement systems break irretrievably, and all those with the knowledge to repair it are either long retired or have had their jobs outsourced to some third world provider? If I were a betting man, I'd readily offer you evens on this scenario occurring some time in the next 5 years.

    1. Afernie

      Re: I wonder

      Don't worry. RBS volunteered to test this scenario very thoroughly, with extremely realistic parameters used. It was touch and go but they... what did you say? Not... an exercise...?

  3. Anonymous Coward

    Cart, horse etc

    Sigh. I understand that pen tests are sexy in the eyes of the media, but if an organisation's security model is not based on a foundation of good security processes, two things will happen:

    1 - if they "pass": a thoroughly false sense of security

    2 - if they "fail": no proper way to address and integrate the findings.

    A quick pen test shakedown may give you an idea of the (absence of) standards at a bank, but it certainly should not be used to "prove" the security of a bank. Passing a pen test merely means that at a specific moment in time, a specific set of specialists with a specific set of skills examining a specific entry path using specific techniques could not find anything wrong. However, each occurrence of "specific" signifies a variable that can invalidate the result.

    In banks you also have the problem that the larger ones especially operate on the principle of "just enough" - there will only be budget for just enough security to escape liability in case they get hacked, and that means they are forever teetering on the edge of NOT good enough. The smaller, private ones are a bit more binary: they either have nothing at all, or they have gone paranoid and usually overspend.

    The latter are quite fun to work with because they have usually been sold crud they don't need, but are at least willing to listen to a reasoned argument so you can pull them into shape with not too much of a fight - their aim is usually protecting the customer as every single one matters (big banks couldn't care less about customers as far as I can tell, but that is not exactly news to anyone).

    Bonus question: will this just be yet another IT exercise or will they also look for people that can access and manipulate data and payments? Especially broken processes can give people the wrong set of privileges - that's how so much bank data was stolen.

  4. batfastad

    W&nking Shark II?

    Is it just me that glanced at this and thought it was called W&nking Shark II? It's 09:00 and no coffee yet, that's my excuse.

    Luckily my ICR will only show www.theregister.co.uk and not the content of this post, as it's just like an itemised phone bill don't you know.

  5. quattroprorocked

    They do this when pushed.

    After I wrote some ground-up maths modelling of a bird flu pandemic and how it would interact with the insurance/pensions business, the Regulators went from "don't worry about it, all under control, and no, we won't tell you what the plans are" to suddenly requesting full detailed plans from the insurers (when they realised I'd be publishing and that there would be questions) to a full-scale resilience test within weeks of publication.

    I think that somewhere, someone who knows both the regulators and the practical side of banking infrastructure has done something similar and got their attention.

  6. teebie

    What sort of test?

    Reports in the mainstream media gave the impression that they were trying to explain that a penetration test was going to be carried out.

    The hundred people in a room makes me think a bunch of executives are going to be saying "oh yes, that will all be taken care of" until someone pats them on the head.

  7. Captain DaFt

    Golden opportunity

    The test'll be all "wink and nod", as in:

    "Look what we could've done to your system."

    "Yes, we'll definitely have to set up fixing that soon."

    But... If a blackhat uses this opportunity as a cloak to raid, it'll be:

    "Ah yes, you got us good, definitely have to fix that. Now, can we have our data back?"

    "Uh, what are you talking about? We didn't do that."

    "... Bugger!"
