The UK finance industry has launched a cyber security framework for sharing detailed threat intelligence, testing cyber security and benchmarking financial service providers.
The CBEST framework was developed by the Council of Registered Ethical Security Testers (Crest) and cyber intelligence company Digital Shadows in collaboration with the Bank of England, Her Majesty’s Treasury and the Financial Conduct Authority (FCA).
The framework is the first of its kind to be led by any of the world’s central banks and comes less than a week after the government officially launched its Cyber Essentials Scheme, also supported by Crest.
Crest provides internationally recognised certifications for organisations and individuals providing penetration testing, cyber incident response and security architecture services.
Launching the framework at the Bankers Association in London, Andrew Gracie, executive director of resolution at the Bank of England, emphasised the importance of CBEST to help UK financial services organisations protect against increasingly sophisticated cyber attacks on their core systems.
CBEST is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine the UK’s financial stability.
Testing critical assets
Read more about Crest
- Video: Crest - David King on the launch of the penetration testing accreditation body
- CESG certification scheme aims to boost public-sector consultants
- UK government launches cyber security support scheme
- CESG defends CCP as UK cyber security skills foundation
- First UK Certified Incident Response firms named
- Government partners with security services to launch Cyber Incident Response schemes
The framework will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective their detection and recovery processes are.
CBEST puts in place measures that allow organisations to conduct controlled, targeted and intelligence-led tests on critical assets without harm.
“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” said Ian Glover, president of Crest,
“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by government and commercial intelligence providers as posing a genuine threat to important financial institutions.”
James Chappell, chief technology officer at Digital Shadows said CBEST is best viewed as a tool designed to put UK financial sector institutions on the front foot by bringing together best in class suppliers to subject them to as near “real life” as possible threat scenarios.
“The crucial lessons learned through these tests will ensure they are better prepared should they come under real attack,” he said.
Cyber threat intelligence
According to Glover, CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence-based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services.
Competence and accreditation
CBEST benefits to the UK financial sector
- Access to advanced, detailed cyber threat intelligence;
- Access to knowledgeable, skilled and competent cyber threat intelligence analysts with detailed understanding of financial services;
- Realistic penetration tests that replicate sophisticated, current attacks based on current cyber threat intelligence;
- Access to highly qualified penetration testers that understand how to conduct technically difficult testing activities while ensuring no damage or risk;
- Confidence in the methodologies used by the companies in CBEST for conducting tests;
- Confidence that the results and the information accessed by the testers will be protected;
- Standard key performance indicators used to assess the maturity of the organisation’s ability to detect and respond to cyber attacks;
- Access to benchmark information, through key performance indicators, used to assess other parts of the financial services industry;
- A framework underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.
The inclusion of specific cyber threat intelligence is aimed at ensuring that the tests replicate as closely as possible the evolving threat landscape.
Crest has helped to develop the new accreditation standards for CBEST penetration testing, based on the stringent standards for assessing the capabilities, policies and procedures of Crest member companies.
CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.
“For the first time Crest requires commercial intelligence providers to be accredited. This ensures financial services and infrastructures providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced,” said Glover.
“Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries.
“Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by Crest.”
According to Glover, CBEST has the full support of the UK financial authorities and will provide significant benefits to the UK’s financial sector.
Details of CBEST approved cyber threat intelligence service suppliers and penetration testing companies can be found on the Crest website.
These organisations will be described as being Crest STAR Members to allow the scheme to be extended beyond financial services to other parts of the critical national infrastructure.