DOES THE BANK OF ENGLAND’S CYBER CRIME TESTING GO FAR ENOUGH?
The Bank of England recently announced its latest cyber security initiative to help protect the UK’s financial institutions. The plan involves employing a team of ethical “white hat” hackers to test the perimeter cyber security of more than 20 major banks and financial institutions, reported to include RBS and the London Stock Exchange.
This round of testing is the latest in a series of cyber defence exercises designed to protect the UK’s financial services industry from the growing threat of cyber attacks. The Bank of England’s most recent exercise follows November’s “Operation Waking Shark II” – a simulated cyber attack designed to test the resilience of UK banks, payment providers and the stock market.
Clearly the financial services industry as a whole is well aware of the risks posed by cyber crime, and a KPMG report from 2013 shows the potential scale of the risk. The report stated that the next major shock to the economy “could come from an, as yet, unforeseen event, such as a massive systems outage or a new breed of cyber attack.” When talking about cyber attacks on a scale which could potentially trigger the next financial crisis, it’s easy to see why the industry in the UK is taking the cyber threat so seriously.
All of this helps to explain why the Bank of England has embarked on its most recent programme to shore up banks’ defences. Ethical hackers share the same skills as their criminal cousins, but use their talents for good – often to find weaknesses in companies’ IT security. Ethical hackers can think and act like the bad guys (some are even former hackers), but rather than doing harm to companies they act as consultants and help to improve IT security measures and strategies.
In this exercise, ethical hackers will be used to investigate the firewalls and perimeter defences of the country’s major financial institutions to look for weaknesses and holes which could be exploited by cyber criminals. This type of exercise is known as “penetration testing” and it’s useful to a point because a secure perimeter is still a very good way to keep the bad guys out. But does it go far enough?
Well, penetration testing is fine up to a point. But no firewall on earth can claim to be 100 per cent effective, meaning banks have to assume that skilled and determined hackers will breach that perimeter and get inside the network. It is worth remembering at this point that state-sponsored cyber crime is on the increase: teams of highly-skilled hackers who are extremely well funded by governments with the intention of disrupting other nations.
So despite your best efforts, the fact is that these guys are likely to get inside your network. Once they’re inside, the question then becomes: how do you spot them and mitigate the risk and damage they can cause? The first thing a skilled hacker will do is make themselves look like one of your employees; a wolf in sheep’s clothing, making them even more difficult to locate and neutralise. Some organisations look to identify the tools a hacker is using, but this method is flawed as it’s easy to build unidentifiable tools. What can be spotted and tracked however is the unusual activity and behaviour that a hacker demonstrates. For example, is there a particularly high level of traffic going to an area of the bank or is data moving in new ways around the business? The ability to spot and identify signs such as these give banks a far greater chance of detecting an attack.
This boils down to ensuring that the IT department is carefully controlling what employees can access, ensuring that it is only what is strictly necessary. For example, if an individual moves departments, the set of rights that they had previously may no longer be necessary. While seemingly a straightforward process, many businesses and financial services institutions struggle to implement this properly, leaving themselves exposed.
By limiting access across an organisation, it is easier to spot hackers who have masked themselves as employees looking to steal resources. Once this process is in place, it’s far easier for the IT team to identify suspicious hacker behaviour, mitigating their impact.
The latest cyber security initiative by the Bank of England should be commended in many respects, but it’s potentially placing emphasis upon the wrong areas of security. Perimeter defences will inevitably be breached as a firewall will never be 100% effective. However, by investing heavily in these areas of cyber security, the insider threats that could cause significantly more damage are being overlooked. If access rights and privileges are monitored and managed closely by IT, a bank will be in a far stronger position to spot threats and take action against them.
The Bank of England is right to employ cyber security initiatives as online crime poses a great threat to financial security and stability. But the Bank of England needs to take a broader view, shifting focus away from the perimeters of financial institutions to the potential dangers posed by insider threats.