This week saw the announcement of the CBEST framework, designed to help the boards of financial firms, infrastructure providers and regulators improve their understanding of cyber attacks.
Backed by the Bank of England, Her Majesty’s Treasury and the Financial Conduct Authority, it will also assess the extent to which the UK financial sector is vulnerable to attack and how effective its detection and recovery processes are.
CBEST also puts in place measures to ensure that controlled, targeted and intelligence-led tests can be conducted on critical assets without causing harm. It forms part of the UK Cyber Security Strategy objectives (Cabinet Office, 2011), in particular being more resilient to cyber attack and enhancing the UK’s cyber security knowledge. We asked the industry what they thought of these plans.
James Chappell, chief technology officer at Digital Shadows
“Digital Shadows has worked with the Bank of England to develop the CBEST threat framework and model. This is best viewed as a tool designed to put UK financial sector institutions on the front foot by bringing together best in class suppliers to subject them to as near ‘real life’ as possible threat scenarios. The crucial lessons learned through these tests will ensure they are better prepared should they come under real attack.
“To be effective, CBEST tests must be based on realistic, threat-informed scenarios. The Bank of England is therefore seeking to form partnerships with commercial suppliers of threat intelligence and security testing services to help establish a ‘best practice’ approach to defining and executing the tests. Essentially the threat intelligence service suppliers will provide threat intelligence to security testers, augmented by Government support, who will use it to target their attacks.”
Ian Glover, President of CREST
“Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries. Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST.”
Richard Horne, cyber security partner at PwC
“Banking processes have been transformed by technology and continue to evolve. But there is a growing risk to the sector from cyber crime. Cyber attacks will keep on increasing unless there is a concerted effort and co-ordination across the financial services sector. Only a market-wide response will help tackle the very real threats posed by cyber attacks to the banking industry. The value in this new test is the ability to simulate real attack techniques and evaluate the effectiveness of controls in preventing and detecting the attacks.”
Darren Anstee, director of solutions architects at Arbor Networks
“The launch of the new CBEST framework is welcome, as intelligence-led, more persistent test scenarios will provide a better way for organisations to assess and improve their overall security posture. Helping the management teams within financial organisations to better understand the threats they face, and the gaps in their current security solutions, services and processes, will be invaluable.”
Anthony Duffy, director of retail banking at Fujitsu UK & Ireland
“With the sophistication of cyber attacks and the number of threats increasing, financial services organisations understand the need to remain robust in their security. This news of the UK financial sector launching a new cyber security framework is, therefore, very welcome.
“The financial services industry increasingly sees cyber crime as a top priority. No wonder, as recent research from Fujitsu UK & Ireland suggests that one in four consumers would switch banks due to an IT failure, and that a security breach which leads to the loss of personal information could lead to a massive seven in ten choosing to switch their banks.”
Matt Middleton-Leal, regional director, UK and Ireland at CyberArk
“The CBEST framework is much needed for financial organisations operating in the UK and we commend the Bank of England for taking such a proactive step to mitigate cyber attacks. The media is bombarded with security hype and horror stories and it’s great to see the Bank of England utilising security intelligence to support an industry that is so critical to the economic fabric of Britain.
“One of the clear tactics in the framework seems to be to look for breaches which could start out being fairly minor and drill down into more sensitive data and controls, as the hacker moves around the internal systems. This highlights the significance of privileged account security, and emphasises the damage that can be caused when a hacker is emulating such a powerful user.
“CBEST is a great step forward for protecting the financial services industry, but organisations need to remember that hackers may already have gained access to their network. Banks can’t wait to protect themselves from cyber attacks, and they need to start by limiting and securing access to what’s most valuable.”
Tim Anderson, commercial director at Portcullis
“One of the key features of the framework is an agreed approach to testing high value systems.
“Historically, the fear of downtime made it challenging to test key systems, which is counter-productive because these systems are considered key for a reason and therefore likely to be targeted. There has also been a move to break the constraints of typical assurance projects, which were often focused around particular systems rather than particular threats.
“By taking a more threat-centric approach and reviewing the same systems that would be involved in a real-world attack, including high value systems, it is possible for organisations to get a better understanding of their current security posture in relation to sophisticated, persistent attacks.”
Martin Sutherland, managing director, BAE Systems Applied Intelligence
“The launch of CBEST is a very positive step forward given the particular relevance of the cyber threat to the UK financial services sector. For financial institutions to be able to protect themselves and their customers successfully, effective sharing of best practice and intelligence is essential in the battle against an ever-evolving threat.
“Recent attacks have highlighted just how prevalent and pervasive the cyber threat really is. The ability to steal vast quantities of personal data, access critical networks and attack multiple targets simultaneously is now providing organised criminal groups with a wealth of opportunities to exploit, with the potential to cause great damage to businesses, individuals and the economy as a whole.
“CBEST will undoubtedly provide a highly effective framework that will help the UK finance sector to better understand the threat it faces. BAE Systems Applied Intelligence, through its membership of the Council of Registered Ethical Security Testers (CREST), has played an active part in developing the CBEST intelligence-led cyber security assessment framework, which really raises the bar in the assurance of the UK’s critical financial institutions’ ability to resist cyber attacks and helps to put the UK at the vanguard of the fight against digital criminality.”
Geoff Webb, senior director, solution strategy, NetIQ
“The Bank of England’s new CBEST framework is a step forward in cyber security for the banking industry, using real threat intelligence to measure a bank’s ability to resist a sophisticated cyber attack. However, what financial institutions and the Bank of England need to recognise is that even the best IT security infrastructure can be vulnerable to attack.
“These insider threats target users within the organisation who have access to sensitive data in order to gain a foothold and steal data. As a result, it is now vital that financial institutions deploy fully integrated solutions that ensure any access to sensitive data is authorised through access controls and real-time security monitoring. This gives security teams the intelligence necessary to recognise and disrupt an attack as quickly as possible, before significant damage is done and data is stolen. The CBEST framework needs to take account of the insider threat and measure the ability of institutions to detect and react to it. Not doing so will result in an unclear picture of the real weaknesses of financial institutions.”