
June 10, 2014 - CREST, the not-for-profit organisation that represents the technical information security industry, has been working with UK Financial Authorities - Bank of England (BoE), Her Majesty's Treasury, and the Financial Conduct Authority - to develop CBEST, a new framework for sharing detailed threat intelligence and delivering cyber security tests and benchmarking for UK financial services providers.

CBEST is the first initiative of its type to be led by any of the world's central banks. In a speech today to the Bankers Association, Andrew Gracie, Executive Director Resolution, at the Bank of England, stressed the importance of CBEST to help UK financial services organisations protect against increasingly sophisticated cyber-attacks on their core systems.

CBEST is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK. It will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective its detection and recovery processes are. CBEST also puts in place measures to ensure that controlled, targeted and intelligence-led tests can be conducted on critical assets without harm.

"Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets," said Ian Glover, president of CREST. "CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions."

CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services. The inclusion of specific cyber threat intelligence will ensure that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.

CREST has helped to develop the new accreditation standards for CBEST penetration testing, based on the already stringent standards for assessing the capabilities, policies and procedures that CREST member companies have to achieve. CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.

"For the first time CREST requires commercial intelligence providers to be accredited. This ensures financial services and infrastructures providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced," explains Glover. "Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries. Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST."

CBEST has the full support of the UK Financial Authorities and will provide significant benefits to the UK’s financial sector. These include:

  • access to advanced and detailed cyber threat intelligence;
  • access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector;
  • realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
  • access to highly qualified penetration testers that understand how to conduct technically difficult testing activities whilst ensuring that no damage or risk is caused;
  • confidence in the methodologies utilised by the companies within CBEST for conducting these sophisticated and sensitive tests;
  • confidence that the results and the information accessed by the testers will be protected;
  • standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber attacks;
  • access to benchmark information, through the key performance indicators, that can be utilised to assess other parts of the financial services industry;
  • a framework that is underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.

Details of CBEST approved cyber threat intelligence service suppliers and penetration testing companies can be found on the CREST website, www.crest-approved.org. These organisations will be described as being CREST STAR members to allow the scheme to be extended beyond financial services to other parts of the critical national infrastructure. Additional information on all aspects of CBEST and STAR is also available on the website.

Darren Anstee, director of solutions architects at Arbor Networks comments, "The launch of the new CBEST framework is welcome as intelligence led, more persistent test scenarios will provide a better way for organisations to assess and improve their overall security posture. Helping the management teams within financial organisations to better understand the threats they face, and the gaps in their current security solutions, services and processes will be invaluable. Earlier this year Arbor sponsored some research from the Economist Intelligence Unit that looked at how prepared organisations are to deal with cyber-threats; the top way in which participant organisations felt they could improve their preparedness was by getting a better understanding of the threats that are out there - and one of the goals of this framework seems to map right onto that."

Anthony Duffy, director of retail banking at Fujitsu UK & Ireland comments, "With the sophistication of cyber-attacks and the number of threats increasing, financial services organisations understand the need to remain robust in their security. This news of the UK financial sector launching a new cyber security framework is, therefore, very welcome.

The financial services industry increasingly sees cyber crime as a top priority. No wonder, as recent research from Fujitsu UK & Ireland suggests that one in four consumers would switch banks due to an IT failure, and a security breach, which leads to the loss of personal information, could lead to a massive seven in ten choosing to switch their banks."

Martin Sutherland, Managing Director, BAE Systems Applied Intelligence, said: “The launch of CBEST is a very positive step forward given the particular relevance of the cyber threat to the UK financial services sector. For financial institutions to be able to protect themselves and their customers successfully, effective sharing of best practice and intelligence is essential in the battle against an ever-evolving threat.

“Recent attacks have highlighted just how prevalent and pervasive the cyber threat really is. The ability to steal vast quantities of personal data, access critical networks and attack multiple targets simultaneously is now providing organised criminal groups with a wealth of opportunities to exploit, with the potential to cause great damage to businesses, individuals and the economy as a whole.

“CBEST will undoubtedly provide a highly effective framework that will help the UK finance sector to better understand the threat it faces. BAE Systems Applied Intelligence, through its membership of the Council of Registered Ethical Security Testers (CREST), has played an active part in developing the CBEST intelligence-led cyber security assessment framework, which really raises the bar in the assurance of the UK’s critical financial institutions’ ability to resist cyber attacks and helps to put the UK at the vanguard of the fight against digital criminality.”

Matt Middleton-Leal, regional director, UK & Ireland at CyberArk, comments: “The CBEST framework is much needed for financial organisations operating in the UK and we commend the Bank of England for taking such a proactive step to mitigate cyber attacks. The media is bombarded with security hype and horror stories and it’s great to see the Bank of England utilising security intelligence to support an industry that is so critical to the economic fabric of Britain.

“One of the clear tactics in the framework seems to be to look for breaches which could start out being fairly minor and drill down into more sensitive data and controls, as the hacker moves around the internal systems. This highlights the significance of privileged account security, and emphasises the damage that can be caused when a hacker is emulating such a powerful user.

“The CBEST is a great step forward for protecting the financial services industry, but organisations need to remember that hackers may already have gained access to their network. Banks can’t wait to protect themselves from cyber attacks and they need to start by limiting and securing access to what’s most valuable.”
