Just as simulating dependent systems using Service Virtualization methods can help to identify where software might fail, simulating security responses can be used effectively to harden companies against all manner of cyber threats.
UK financial organizations recently conducted a security process simulation to identify potential problems and improve their response to a full-fledged cyber attack from a nation state.
The Waking Shark II operation was one of the largest cyber security tests conducted. It included participants from dozens of UK financial institutions along with government agencies including the Bank of England’s Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA).
The “war games”-style scenario was a concerted cyber-attack against the UK financial sector by a hostile nation-state with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure.
The goal was to find solutions to various problems, including the need to ensure availability of cash from ATMs and cope with a liquidity freeze in the wholesale financial market. This was intended to be a more challenging and comprehensive exercise than the first Waking Shark operation in 2011 and the Market Wide Exercise in 2006.
While those previous operations left the industry more prepared to mitigate the damage from such an attack, there remained room for improvement.
Simulating the Security Process
The participants focused on cross-sector communications and coordination through the Cyber Security Information Sharing Partnership (CISP) platform. The platform provides companies with an emergency hotline for coordinating in the wake of a cyber attack.
The CISP platform also supports a simulator that mimics many aspects of the banks' financial information systems, allowing participants to run a three-day scenario in only four hours. This allowed operations staff to focus on the procedures for addressing problems and identify areas for improvement.
The CISP platform was launched in March 2013, and this was the first time it was put to the test by a large number of participants. There are currently 250 large firms using the system. The CISP organization is working to bring in the top 500 firms and organizations throughout the financial industry by the end of 2014.
The technical and business problems that were simulated included:
- A Distributed Denial of Service (DDoS) attack, which caused global websites and Internet-facing systems to become unresponsive.
- Advanced Persistent Threat (APT) attacks, in which malware wiped PCs and disrupted internal networks.
- Scrambling of end-of-day market data pricing files, which created challenges for margin calculations.
- A disruption of Central Counterparty Clearing processes for fixed income data, which created liquidity and funding issues.
- Disruption of processes used to instruct payment and manage balances in accounts at agent banks.
Other Causes for Concern
The CISP organization has also expressed concern about a number of other vulnerabilities and emerging threats faced by banks worldwide.
For example, a large proportion of the financial industry in the UK has yet to upgrade to newer, more secure operating systems. The use of Windows XP on many banking computers will become a growing risk as Microsoft cuts back support for the OS. These machines will be easier to compromise as knowledge of unpatched vulnerabilities grows.
The wide use of Windows XP computers owned by individuals could also lead to a growing population of drone computers for launching large-scale DDoS attacks.
Also of concern, the personal information and login credentials for more than 4,000 bank and finance executives were posted online. Bank executives need to be more proactive in making sure that all of the compromised individuals are notified and can take appropriate action.
Waking Shark II showed once again the value of having reliable simulation capabilities, such as Service Virtualization, to prepare for – and prevent – worst-case scenarios.