The Bank of England has launched a new way to measure the financial sector’s ability to withstand cyber attacks.
In a June 10 speech at the British Bankers’ Association, Andrew Gracie, Executive Director, Resolution at the Bank of England, formally launched a new framework to help identify areas where the financial sector could be vulnerable to cyber-attack. This is part of the Bank of England’s response to the Financial Policy Committee’s recommendation to test and improve resilience to cyber-attack. Grice likened the work on cyber to the City’s physical counter-terrorism measures of recent years, on the principle that because it has not happened, does not mean it will not; and that measures must remain robust, up-to-date and consistently applied throughout a firm. He contrasted virtual with physical security: “Unlike physical attacks, which are likely to be localised, the impact of a successful cyber attack on the financial system as a whole is potentially more serious from a financial stability point of view. We will still be interested, of course, in firms’ backup plans in the event of a cyber attack. Indeed to the extent that a cyber attack could simultaneously take out a firm’s primary and secondary sites this is an important issue to address. But we will be as interested in a firm’s upstream defences and capacity to withstand or to respond to threats.”
The new framework called CBEST uses intelligence from Government and accredited commercial providers to identify potential attackers to a particular financial institution. It then replicates the techniques these potential attackers use, to test the extent to which they may be successful in penetrating the defences of the institution. On completion of the test there will be workshops for the firm to work through the results with the testers and supervisors.
The bank says that CBEST provides:
access to considered and consistent cyber threat intelligence, ethically and legally sourced from organisations that have been assessed against standards;
access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector;
realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber-attacks; and
access to benchmark information that can be used to assess other parts of the financial services industry.
The hope is that specific cyber threat intelligence will ensure that the tests replicate, as closely as possible, the evolving threat landscape and therefore will remain relevant. According to the bank, CBEST differs from other security testing by the financial services sector because it uses real threat intelligence and focuses on the more sophisticated and persistent attacks on critical systems and essential services. The implementation of CBEST will help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber-attack that could undermine financial stability in the UK, the extent to which the UK financial sector is vulnerable to those attacks and how effective the detection and recovery processes are.
In his speech, Andrew Gracie said: “The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment. The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”
The Bank of England has worked with the Council for Registered Ethical Security Testers (CREST), a not-for-profit body that represents the technical information security industry and Digital Shadows, a cyber-intelligence company, to develop new accreditation standards. This is the bank says the first time that commercial cyber intelligence providers will be subject to accreditation standards which are bound by enforceable codes of conduct and supported by a range of CBEST documents on security testing and cyber threat intelligence.
For the speech in full visit – http://www.bankofengland.co.uk/publications/Documents/speeches/2014/speech735.pdf
Among other speakers at a BBA conference on cyber risk were Peter Troy, Director of Security Operations at Barclays; Craig Balding who recently joined Barclays as Group MD for Cyber Risk; and Don Randall, Chief Information Security Officer at the Bank Of England.
Comments
Jason Hart, VP Cloud Solutions, at SafeNet
“However, any future initiative does need to have a strong panel with clear leadership to be successful. There needs to be an agreed framework, clear goals and objectives and mutual desire for a positive output. Input from across the financial and banking industry, government and third party vendors is also crucial. PCI is a good example of where collaboration across multiple organisations led to an industry-wide shift. Finally, organisations need to be continually vigilant to the threats they face and more specifically deploy breach prevention solutions and be sure that if an attack does occur, data is encrypted and the breach is a secure one. The foundation of a strong security strategy starts with the most important cyber targets: the data and individuals who have access to that data.”
Don Smith, director of technology, at Dell SecureWorks, said: “It has become clear that the current cyber-security testing methods used in the financial sector are not sufficient to protect organisations against more sophisticated attacks. CBEST differs because testing will be based on threat intelligence and an understanding of the real threat, something that is all too often overlooked.
Testing will only be truly useful if it is based on, or conducted in conjunction with comprehensive threat intelligence. What’s more, organisations must ensure that threat intelligence services are tailored to their environment and delivered by an intelligence provider that is continuously monitoring the cyber threat landscape. This, in combination with the activation of a simulated targeted attack, will help to ensure organisations are ready should the worst happen. Cyberattacks are constantly evolving and in such a changeable security landscape, intelligence- led testing is the only way to prepare defences against the most persistent and sophisticated attacks.”
Darren Anstee, director of solutions architects at Arbor Networks, said: “The launch of the new CBEST framework is welcome as intelligence led, more persistent test scenarios will provide a better way for organisations to assess and improve their overall security posture. Helping the management teams within financial organisations to better understand the threats they face, and the gaps in their current security solutions, services and processes will be invaluable. Earlier this year Arbor sponsored some research from the Economist Intelligence unit that looked at how prepared organisations are to deal with cyber-threats; the top way in which participant organisations felt they could improve their preparedness was by getting a better understanding of the threats that are out there – and one of the goals of this framework seems to map right onto that.”
Anthony Duffy, director of retail banking at Fujitsu UK and Ireland, said: “With the sophistication of cyber-attacks and the number of threats increasing, financial services organisations understand the need to remain robust in their security. This news of the UK financial sector launching a new cyber security framework is, therefore, very welcome. The financial services industry increasingly sees cyber crime as a top priority. No wonder, as recent research from Fujitsu UK & Ireland suggests that one in four consumers would switch banks due to an IT failure, and a security breach, which leads to the loss of personal information, could lead to a massive seven in ten choosing to switch their banks.”
Matt Middleton-Leal, regional director, UK & I at CyberArk, said: “The CBEST framework is much needed for financial organisations operating in the UK and we commend the Bank of England for taking such a proactive step to mitigate cyber attacks. The media is bombarded with security hype and horror stories and it’s great to see the Bank of England utilising security intelligence to support an industry that is so critical to the economic fabric of Britain.
“One of the clear tactics in the framework seems to be to look for breaches which could start out being fairly minor and drill down into more sensitive data and controls, as the hacker moves around the internal systems. This highlights the significance of privileged account security, and emphasises the damage that can be caused when a hacker is emulating such a powerful user. The CBEST is a great step forward for protecting the financial services industry, but organisations need to remember that hackers may already have gained access to their network. Banks can’t wait to protect themselves from cyber attacks and they need to start by limiting and securing access to what’s most valuable.”
And Richard Horne, cyber security partner at PwC, said: “Banking processes have been transformed by technology and continue to evolve. But there is a growing risk to the sector from cyber crime. Cyber attacks will keep on increasing unless there is a concerted effort and co-ordination across the financial services sector. Only a market-wide response will help tackle the very real threats posed by cyber attacks to the banking industry. The value in this new test is the ability to simulate real attack techniques and evaluate the effectiveness of controls in preventing and detecting the attacks.”
