February 15, 2014
As the results for Operation Waking Shark II were published, IT personnel in banks, law firms and other organisations in the financial services sector could be forgiven for pondering: what exactly have we learnt from this?
What was the purpose of Waking Shark II - was it a test for the industry? Perhaps it was a lesson in cybersecurity which served to school those involved in protecting the country's financial assets? Or was it a mere revision process - going over ground which is already covered daily by IT security staff?
Regardless of Waking Shark II's motives, some of the findings within the BoE's short report will provide the industry with a sense of renewed optimism around cyber security.
One of the chief reasons for this shot in the arm lies in one word, and one which is perhaps not often associated with the financial sector. 'Collaboration' featured several times in the BoE's summary, and such an approach can be no bad thing for the banks. It's even suggested that an industry body is to be allocated the task of managing communications across the sector during an incident. Regardless of whether this happens, the communication and information sharing process can and will be a vital part of combating future security threats.
Understandably though, any organisation, regardless of the industry, can be cagey when it comes to sharing sensitive information with competitors, but the banks are setting an example. IT departments from other industries should sit up and take note of the collaboration aspect of the Waking Shark exercise.
Right now, the financial sector's IT security is under intense scrutiny, but others working with the likes of the Centre for the Protection of National Infrastructure (CPNI) to protect more critical assets could soon find themselves having to cope with the same pressures. Gas, water and electricity suppliers for example all have far more to lose than the banks should any of their physical infrastructures be compromised, so a collaborative approach for these industries and many others is essential in order to thwart cyber threats in future.
This positive vibe around collaboration, however, doesn't necessarily reverberate throughout the report. A slightly woolly nature and lack of detail are understandable given that revealing specifics would essentially be arming the enemy, but the analysis and summary when it comes to DDoS attacks and APTs is almost blasé.
APTs, for example, are not easily detectable, and to suggest that these types of threats will just suddenly surface after just three days of testing is naïve. In fact, the average time it takes to detect an active APT is around 400 days, meaning it's far from simply running a tool in order to discover them.
With this in mind, it seems we should consider what was actually tested and achieved in this three-day exercise. Frankly, it's almost bizarre that, in such a short report, the very specific issues of DDoS attacks and APTs are talked about in the same vein as policies and other far broader issues. Surely a more refined scope of testing would yield more tangible outcomes.
Perhaps, though, experiments like this shouldn't focus on IT security at all. Instead, would it not be more beneficial to concentrate on issues which affect the end-user more directly? Take, for example, the seemingly omnipresent hardware failures (due to an over-reliance on technology and various banks using the same infrastructure) which cause multiple banks to deny customers access to their money.
Taxpayers forked out a lot of money testing something as specific as APTs for this exercise, but would this not have been better spent investigating the root of problems which take down a national bank for an entire afternoon?
There's no doubting that Operation Waking Shark II has raised some important issues about how the financial industry copes with cyber warfare, but ultimately we need to see a more concerted effort to see these findings have any real impact.
Perhaps, instead of a one-off exercise, it should be an ongoing one? Maybe we are set to see banks collaborating on a daily basis in a bid to reduce the risk of cyber threats? If this were to be the case and it has encouraged organisations to work together, will there ever be a need for a Waking Shark III?
Waking Shark II has certainly produced more concrete evidence than its predecessor, but there is clearly more homework to be done to ensure it doesn't fail any future cyber security examinations.
Contributed by Alan Carter, cloud services director at SecureData.