CREST, the not-for-profit organisation that represents the technical information security industry, has been working with UK Financial Authorities – Bank of England (BoE), Her Majesty’s Treasury, and the Financial Conduct Authority – to develop CBEST, a new framework for sharing detailed threat intelligence and delivering cyber security tests and benchmarking for UK financial services providers.
CBEST is the first of initiative of its type to be led by any of the world’s central banks. In a speech today to the Bankers Association, Andrew Gracie, Executive Director Resolution, at the Bank of England, stressed the importance of CBEST to help UK financial services organisations protect against increasingly sophisticated cyber-attacks on their core systems.
CBEST is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK. It will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective their detection and recovery processes are. CBEST also puts in place measures to ensure that controlled, targeted and intelligence-led tests can be conducted on critical assets without harm.
‘Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,’ said Ian Glover, president of CREST. ‘CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.’
CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services. The inclusion of specific cyber threat intelligence will ensures that the tests ensure that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.
CREST has helped to develop the new accreditation standards for CBEST penetration testing, based on the already stringent standards for assessing the capabilities, policies and procedures that CREST member companies have to achieve. CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.
‘For the first time CREST requires commercial intelligence providers to be accredited. This ensures financial services and infrastructures providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced,’ explains Glover. ‘Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries. Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST.’