Bank of England works with CREST to deliver cyber-security framework

London, UK – 10 June 2014: CREST, the not-for-profit organisation that represents the technical information security industry, has been working with UK Financial Authorities – Bank of England (BoE), Her Majesty’s Treasury, and the Financial Conduct Authority – to develop CBEST, a new framework for sharing detailed threat intelligence and delivering cyber security tests and benchmarking for UK financial services providers.

CBEST is the first of initiative of its type to be led by any of the world’s central banks. In a speech today to the Bankers Association, Andrew Gracie, Executive Director Resolution,  at the Bank of England, stressed the importance of CBEST to help UK financial services organisations protect against increasingly sophisticated cyber-attacks on their core systems.

CBEST is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK. It will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective their detection and recovery processes are.  CBEST also puts in place measures to ensure that controlled, targeted and intelligence-led tests can be conducted on critical assets without harm.

“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” said Ian Glover, president of CREST. “CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.”

CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services.  The inclusion of specific cyber threat intelligence will ensures that the tests ensure that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.

CREST has helped to develop the new accreditation standards for CBEST penetration testing, based on the already stringent standards for assessing the capabilities, policies and procedures that CREST member companies have to achieve.    CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.

“For the first time CREST requires commercial intelligence providers to be accredited. This ensures financial services and infrastructures providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced,” explains Glover.  “Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries.  Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST.”

CBEST has the full support of the UK Financial Authorities and will provide significant benefits to the UK’s financial sector.  These include:

  • access to advanced and detailed  cyber threat intelligence;
  • access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector;
  • realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
  • access to highly qualified penetration testers that understand how to conduct  technically difficult testing activities whilst ensuring that no damage or risk is caused;
  • confidence in the methodologies utilised by the companies within CBEST for conducting these sophisticated and sensitive tests;
  • confidence that the results and the information accessed by the testers will protected;
  • standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber attacks;
  • access to benchmark information, through the key performance indicators, that can be utilised to assess other parts of the financial services industry;
  • a framework that is underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.

Details of the CREST approved cyber threat intelligence service suppliers and penetration testing companies can be found on the CREST website here.  These organisations will be described as being CREST STAR members to allow the scheme to be extended beyond financial services to other parts of the critical national infrastructure.  Additional information on all aspects of CBEST and STAR is also available on the website.