The UK finance industry has launched a cyber security framework for sharing detailed threat intelligence, testing cyber security and benchmarking financial service providers.
The CBEST framework was developed by the Council of Registered Ethical Security Testers (Crest) in collaboration with the Bank of England, Her Majesty’s Treasury and the Financial Conduct Authority (FCA).
The framework is the first of its kind to be led by any of the world’s central banks and comes less than a week after the government officially launched its Cyber Essentials Scheme, also supported by Crest.
Crest provides internationally recognised certifications for organisations and individuals providing penetration testing, cyber incident response and security architecture services.
Launching the framework at the Bankers Association in London, Andrew Gracie, executive director of resolution at the Bank of England, emphasised the importance of CBEST to help UK financial services organisations protect against increasingly sophisticated cyber attacks on their core systems.
CBEST is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine the UK’s financial stability.
Testing critical assets
The framework will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective its detection and recovery processes are.
CBEST puts in place measures that allow organisations to conduct controlled, targeted and intelligence-led tests on critical assets without harm.
“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” said Ian Glover, president of Crest.
“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by government and commercial intelligence providers as posing a genuine threat to important financial institutions.”
Cyber threat intelligence
According to Glover, CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence-based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services.
Competence and accreditation
The inclusion of specific cyber threat intelligence is aimed at ensuring that the tests replicate as closely as possible the evolving threat landscape.
Crest has helped to develop the new accreditation standards for CBEST penetration testing, based on the stringent standards for assessing the capabilities, policies and procedures of Crest member companies.
CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.
“For the first time Crest requires commercial intelligence providers to be accredited. This ensures financial services and infrastructure providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced,” said Glover.
“Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries.
“Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by Crest.”
According to Glover, CBEST has the full support of the UK financial authorities and will provide significant benefits to the UK’s financial sector.
Details of CBEST approved cyber threat intelligence service suppliers and penetration testing companies can be found on the Crest website.
These organisations will be described as being Crest STAR Members to allow the scheme to be extended beyond financial services to other parts of the critical national infrastructure.