The Waking Shark 2 exercise has been described as a waste of time.
In an email to IT Security Guru, Professor John Walker, a member of the British Computer Society Elite Group, said that he did not feel that Waking Shark 2 was a success as “it did not reflect the real world” and that banks “still have massive issues”.
Walker said: “They were exposed as the Bank of England do not understand the real issues. If you are going to deal with real world, dangerous people, you need to understand the matters in hand. But then maybe, to play at it to keep people happy, then I am sure it’s worth every penny.
“I know from speaking to those involved. This was about doing something for the public, and not for security – but sadly, that is the world we live in and why the cyber criminals are winning.”
Walker said that there were issues with a lack of investment and massive exposures at the Bank of England to social engineering attacks, while there is a lack of process and procedures and also internal security issues with configurations.
“How can so many be fooled by what was a massage of the issues,” he asked. “This is becoming the travesty of cyber security with massive fails, and yet we are praising those responsible to allowing it to happen. The question is, is cyber security about fixing, or about PR?”
Commenting, Sarb Sembhi, analyst and director of Incoming Thought and ISACA London Security Group member, told IT Security Guru that he felt Waking Shark 2 was a “resilience exercise for the industry not to find a single organisation that is weak, but to show there is no single point of failure.”
He said that Waking Shark 2’s findings about future tests being harder were right, but as this was only the second effort, it may be the case that in a few years the tests are stronger. “It is still early days and the organisers don’t want to put people off or be so rigorous that they find holes and have to identify them in the report,” he said.
“It is an exercise which tried to find out that if one failed, was this a single point of failure or was it a slight to the whole system. If there was one failure on a financial institution, then the network should survive.”