Hadi Hosn, Head of Security Strategy and GRC,Dell SecureWorks EMEA
Cyber attacks seem to hit the headlines every day, affecting businesses across all regions and industries. It’s not surprising that the financial sector, which holds a wealth of sensitive data, has become one of the main targets with large UK based financial institutions falling victim to hackers this year. Following the attack on Sony Pictures last year, a number of financial institutions organised a dummy run on their networks using controlled malware to test their cyber security; the results left them fearful for their security measures and these businesses realised the need to further develop their defences. This is where the CBEST framework comes into play.
CBEST was established by the UK Financial Authorities (Bank of England, Her Majesty’s Treasure and the Financial Conduct Authority)to provide a set of criteria against which financial institutions can test the strength of their security procedures. Under this scheme, cyber security vendors work closely with financial institutions and help them develop best practices which prevent and minimise cyber-attacks, testing critical assets without harming or damaging the institution. For those who haven’t yet committed to the scheme, understanding CBEST may be a little overwhelming – but it should not be. CBEST can be broken down into two simple parts: the information phase, and the penetration phase. Below, we will take a look at what both stages involve and what organisations starting out through the process can expect.
Gathering the facts: the information phase
It is vital that organisations understand how publicallyavailable information can be used against them. In the CBEST framework, gathering open source intelligence (OSI) demonstrates how hackers can tailor their approach to ensure that they get access to privileged data. For example, a hacker may choose to infiltrate the human resource department of a national bank, and will begin by profiling the head of department with information available through LinkedIn. The threat actor will be able to see their target’s contact details, their business associates,and the companies they work with. A trawl through Twitter mightreveal the target’s interests andindustry events that he or she hasrecently attended. This information, combined with other tools, can help to form the basis of a very effective social engineering campaign.
Businesses also need to understand the wider perspective of the cyber security industry, and how current trends can influence hackers to tailor their approach.Within the CBEST framework, this is where intelligence gathered by specialised security companies providing threat intelligence capabilities comes into play. Security service providers can offer the best advice possible if they have the very latest, most up to date information to hand.This cyber threat intelligence is built up over years of experience and research and given that CBEST security providers should aim to present their findings within four to six weeks, this experience will play a significant supporting role to the OSI carried out by the security provider. The key objective of the specialised Threat Intelligence is to determine the Threat Groups that would actively target the financial institution and their associated tactics, techniques and procedures (TTPs).
Making a test run: the penetration phase
Once the security vendor has gathered and consolidated its research, they can then work together with a Testing provider to create an exemplar scenario for the bank to run against their systems, demonstrating the effectiveness of hackers. For example, sophisticated organised crime groups which use spear-phishing emails to deliver remote access trojans to an endpoint, steal credentials and gain a foothold on systems of those who have responsibilities in the payments workflows. This allows them to steal large amounts of money by initiating, reviewing and approving transactions from the machines of those responsible without them ever knowing. The testing organization will replicate this threat scenario and try to demonstrate to the financial institution that the above is possible.
Developing future security strategies
After the test scenario is completed, the institution and the cyber security firms sit together with the findings to discuss next steps. At this stage, open communication is an essential part of the process; the security firm must feel comfortable discussing the flaws and faults in the financial institution’s network in a frank and open manner, whilst the financial institution must be ready to make best use of the improvement opportunities available. It is critical to have a feedback loop and improvement programme as a deliverable from these engagements to ensure the financial institution continuously improves and evolves security controls across the organisation.
With so much at stake, getting cyber security right is essentialto protect the assets of millions of customers across the world. The best way of doing this is by being willing to share information and create a platform for discussion between institutions and vendors. Financial institutions must also be ready to make best use of the insight provided through CBEST and other frameworksto make the right improvements for the future. Whether that means training employees on cyber security, deploying new firewalls or hiring a managed security service provider, this opportunity allows them to develop an informed strategy which protects both their assets and their reputation.