UK Banks Told To Reveal Tech Meltdown Plans (bbc.com)
UK banks have been told to explain how they would cope with a technology failure or cyber-attack. From a report: The Bank of England and the Financial Conduct Authority have given financial firms three months to detail how they would respond if their systems failed. Some TSB customers were left unable to access online banking for more than a month following a botched systems upgrade in April. Banks could be ordered to take action if their plans are judged to be poor. The Bank of England and FCA have emphasised that senior management at banks will be held accountable for prolonged disruption to services.
Security by Obscurity is just another name for no security.
To make use of a rude example: Tell me your credit card number, expiration date, security code, full name, social security number, and full address.
Security often is keeping information confidential. "Security by obscurity" is a rule of thumb that only having confidentiality is insufficient. Having no confidentiality is equally insufficient.
To give an example about what might happen during a disaster recovery effort with an attacker that knows the plan: the attacker would know what services you are running, where, the configurations; where the cold/warm/hot site is, its configuration, its security, and how data gets there. Imagine how easy it would be for an attacker to set up a MITM between a main site and a recovery site, or just physically infiltrate and compromise the hardware when he knows no one will be there.
Giving out your recovery plan is no wiser than a general who gives the enemy army his battle plan.