Skip to main content

Bank of England to simulate cyber war attacks in Operation Waking Shark 3

The Bank of England is to test banking organisations' vulnerabilities as part of a broader assessment of the reliability of its computer infrastructure.

According to a report by the FT, this is part of an assessment of more than 20 major banks and other financial players in the UK. The scenarios will draw on intelligence reports of the latest threats from attackers and be overseen by Andrew Gracie, the director of the UK's special resolution unit within the Bank of England (BoE).

Troy Gill, senior security analyst at AppRiver, praised the bank's initiative, as it emphasises the importance of incident response. "It is not just enough to monitor the network with an IDS, you need to have a qualified team monitoring the alerts and responding appropriately because without this the device can be useless.

So, in the case of a bank being compromised, incident response time can make all the difference of when it comes to finding and eliminating the attackers presence before they have time to exfiltrate sensitive data."

This follows Operation Waking Shark 2, which took place in November 2013. In that exercise, the three day period saw financial services companies face DDoS attacks, targeted and PC wipe attacks, issues with end-of-day market data pricing files for some equities markets, issues with Central Counterparty Clearing processes for fixed income, and issues associated with processes used to instruct payments through agent banks and manage balances in accounts at agent banks.

TK Keanini, CTO at Lancope said repeating this exercise is crucial to success. "A critical part of being Incident Response Ready is to perform these drills. Historically, fire prevention has required organisations around the world perform regular drills and, when you think about it, these same organisations are more likely to get hit by a cyber-incident each year than they are a major fire.

Rahul Kashyap, Chief Security Architect at Bromium concluded that this exercise will ultimately protect the end user. "Penetration testing of on-line applications is a must. Ethical hackers that attack enterprise sites with the specific goal of identifying bugs or vulnerabilities can help to stem the rising tide of breaches, helping to protect consumers and enterprise brand loyalty."

Dan Raywood is editor of the IT Security Guru