24 June 2014
The Bank of England (BoE) has launched a new framework for testing cyber resilience, intended to identify areas of vulnerability in the financial sector.
The framework, called CBEST, forms part of the BoE's response to the Financial Policy Committee's recommendation to test and improve resilience to cyber-attack. It uses intelligence from Government and accredited commercial providers to identify the attackers most likely to target a particular financial institution.
It then replicates the techniques those attackers use in order to test how far they would succeed in penetrating the institution's defences. On completion of the test, workshops are held in which the firm works through the results with the testers and its supervisors.
CBEST provides access to considered and consistent cyber threat intelligence, ethically and legally sourced from organisations assessed against rigorous standards; access to knowledgeable, skilled and competent cyber threat intelligence analysts with a detailed understanding of the financial services sector; realistic penetration tests that replicate sophisticated, current attacks, based on current and targeted cyber threat intelligence; standard key performance indicators that can be used to assess the maturity of an organisation's ability to detect and respond to cyber-attacks; and access to benchmark information that can be used to compare against other parts of the financial services industry.
Taken together, these will allow a firm to understand where it is vulnerable, leaving it better prepared to implement remediation plans. The use of specific cyber threat intelligence is intended to ensure that the tests replicate, as closely as possible, the evolving threat landscape and therefore remain relevant.
According to the BoE, CBEST differs from other security testing currently undertaken by the financial services sector because it uses real threat intelligence and focuses on the more sophisticated and persistent attacks on critical systems and essential services.