Penetration testing just got serious for the UK financial services sector. With the lessons from the Waking Shark and Waking Shark II stress tests of 2012 and 2013 to mull over, the Bank of England, the Financial Conduct Authority (FCA) and CESG have decided to up the ante for financial services firms by quietly insisting they adopt something called CBEST.
Described as framework for intelligence-led penetration testing, it sounds routine enough but that masks a profound change in emphasis for a sector that is now viewed as too big to be allowed to fall over.
From now on, simple penetration testing won’t be enough on its own and firms will be expected to pay for a new kind of assessment based on working out whether their security can withstand scenarios based on real (i.e. detected) attacks. This is still pen-testing in a conceptual sense but it’s probably more accurate to see it as a form of threat simulation. Carried out by one of a clutch of CBEST-accredited specialists, the threats will be modelled from real intelligence compiled by government, the bank’s own internal departments or suggested by the pen-testing firm.
It sounds like pretty heavy stuff, even for finance houses that are used to being on the receiving end of state-of-the-art attacks ranging from the everyday and awkward to the stealthy and sophisticated. Traditionally, pen tests are procured for one of a number of reasons such as the need to react to a past incident, the arrival of a new or upgraded system, or simply to prove that a system is working as it’s supposed to. CBEST adds the detection of real-world attack scenarios to this list.
“CBEST is about replicating real-world attacks and seeing whether they are possible,” sums up Alex Fidgen, director of one of the accredited testing providers, MWR InfoSecurity.
“The whole point about CBEST is systemic risk. It is not simply about securing the bank because that’s secondary.”
In his view, the impetus behind the scheme is for the Bank of England’s Financial Policy Committee to get reassurance that the sector can withstand the sort of attacks capable of bringing it to a standstill. This echoes this week's call from the British Bankers’ Association (BBA) that institutions and government share cyber-threat data more effectively, put out by the body to show the Bank of England that it is on message.
The question is what banks get out of it at their end. This kind of scenario testing is something banks have been carrying out informally for some years so for some of them at least CBEST is really just a channel through which the authorities acquire a feedback mechanism.
The principle behind CBEST might be well understood for some but as with the SME-oriented Cyber-Essentials scheme launched by the Government last week, the implication is that after a bedding-in period performing a CBEST assessment will be compulsory even if the scheme’s prospectus avoids using the overbearing ‘c’ word.
Perhaps, then, the significance of CBEST is what it signals about the handle that the UK Government wants to put on a financial services that is facing up to a range of potentially serious threats. Disaster probably won’t strike, everyone hopes, but the potential for trouble is far greater than in the past. Its significance is that it offers global customers doing business with the UK’s vast financial services sector extra assurance that the authorities are on top of risk. Other nations ignore this at their peril.
According to Ian Glover of the Council for Registered Ethical Security Testers (CREST), which is helping to coordinate the accreditation of CBEST as it did with Cyber Essentials, the UK finds itself in a leading position.
“For the first time CREST requires commercial intelligence providers to be accredited. This ensures financial services and infrastructures providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced,” says Glover.
“Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries. Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST.”
CREST’s role in this will be key because it forms a necessary check that the tests being conducted under CBEST do what they are claimed to do.
As with Cyber Essentials, uncertainties remains, starting with the frequency with which CBEST testing needs to be carried out be meaningful and whether the sheer size and complexity of some institutions makes it even possible to run accurate simulations.Can realworld attacks ever be consistently modelled when attackers are so creative and resourceful? There’s also the question of whether the idea will be extended to other sectors also deemed by the Government to be important. Behind the bullish press releases, there is still a some ‘run it and see’ in CBEST.