Wall Street sets example for testing security defenses

Wall Street plans to hold a simulated cyberattack against equity markets this month that experts hope will set an example of how industries should test their defenses against assailants.

Called Quantum Dawn 2, the drill will involve big Wall Street firms and government agencies, including the Federal Reserve, the Department of Homeland Security (DHS), the Treasury Department and the Securities and Exchange Commission (SEC). About 50 entities are participating in the June 28 exercise, organized by the Securities Industry and Financial Markets Association (SIFMA).

Production systems will not be used in the drill. Instead, the exercise will be conducted through software all the participants will access over the Internet from their respective locations, said Karl Schimmeck, vice president of financial services operations at SIFMA. The software will simulate different types of attacks, such as a distributed denial of service (DDoS) assault against the infrastructure of the banks, brokerages and exchanges.

The firms that make up Wall Street are considered critical infrastructure that could cripple the nation’s economy if they were severely damaged by terrorists or cybercriminals. Wall Street’s importance, wealth and regulatory oversight have made it a leader in security preparedness.

In the upcoming drill, participants will have to identify the attack, determine how it is affecting their infrastructure and the impact on the equity market and then decide how to respond, Schimmeck said. In general, SIFMA is hoping the firms will test their playbooks, processes and response mechanisms, while also finding more efficient ways to share real-time information in getting help from each other and government agencies.

[In Depth: Why we can’t stop malicious insiders]

In 2011, the first Quantum Dawn exercise had all the participants in one conference room. The second drill has all the firms and government players in their own offices, forcing them to use more realistic forms of communications.

“Being able to communicate over the phone and email are absolutely critical,” Schimmeck said.

Since last September, many large U.S. financial institutions have been fending off several waves of DDoS attacks from assailants claiming to be an Islamic hacktivist group. While the attackers have failed in causing major disruptions, they have forced banks to put aside their rivalries and share information for their own collective good, Schimmeck said.

“There’s no competitive advantage in this. We look at the industry as this one whole,” Schimmeck said. “You want to defend it and protect it. And an attack on one bank is an attack on all banks.”

While attack simulation is not the norm in other industries, it should be, said Avivah Litan, an analyst with Gartner. Such drills can reveal security holes, as well as test communication channels.

“Doing a practice run is really the best way to test your disaster recovery and business continuity practices,” she said. “It’s one thing to put them on paper. It’s another thing to practice them.”

Rich Bolstridge, chief strategist of financial services at Akamai Technologies, agreed wth Litan, saying, “Other industries should take note of this simulation.”

“Many industries right now are not ready to go off and do these simulations,” he said. “But for critical infrastructure systems, they do need to be putting this on their roadmap.”

While Wall Street is out in front, smaller banks and credit unions have generally been behind in maintaining a sufficient level of preparedness, Litan said. Part of the reason is their dependence on third-party service providers for running online services. Some of those providers have not done a good job in preparing the banks or themselves against attacks.

In 2011, Fidelity National Information Services, a major processor of prepaid debit cards, disclosed a breach in which the company incurred a loss of $13 million in a cyberheist involving the use of stolen cards at ATMs. 

“These smaller banks really need to put pressure on their processors to simulate these kinds of attacks,” Litan said. “From all signs, [processors] don’t pay enough attention to security and defense.”