What's wrong with CBEST?
CBEST has its critics – and defenders – as the industry grapples with how best to ensure critical infrastructure deploys best practice, as Tom Reeve reports
Does CBEST go far enough?
Gone are the days when all a bank had to do to secure its assets was build an impregnable vault and hire some heavies to protect it. Now some of the oldest institutions in the world are having to get to grips with something called “cyber” security, a term which some bankers readily admit they were unfamiliar with up until a few years ago.
These days it's truly on the agenda, with £700 million being spent annually on cyber-security by the financial industry in the UK alone, according to the British Banking Association (BBA) and PricewaterhouseCoopers (PwC).
With that much being spent – and a recognition that cyber-crime is a threat to not only the growth but the very stability of the sector – the Financial Policy Committee of the Bank of England issued a recommendation in 2013 that the cyber-resilience of the UK financial sector should be subjected to robust penetration testing.
There's nothing new about the concept of pen-testing, but against critical systems, there were always two things holding the industry back from performing realistic simulated attacks.
First, there was a reluctance to unleash the simulated attackers – called red teams – against production systems for fear that the test might accidentally bring the real-life system crashing to its knees. At the same time, there was a recognition that only targeting dummy systems might fail to discover the hidden vulnerabilities which are the bread and butter of the criminal hacker.
Secondly, there was a belief that simulated attackers often lack access to the latest threat intelligence and would therefore be missing out on the most up-to-date attack tools.
UK financial authorities including the Bank of England, HM Treasury and the Financial Conduct Authority (FCA) created CBEST as a framework for conducting realistic attacks against real infrastructure.
They wanted to ensure that there were four parties involved in testing the resilience of institutions that they judged to be essential to the stability of the UK financial system: the Bank of England, the intelligence community, private sector cyber-security practitioners and the financial institution itself.
It was decided that the intelligence community, represented by GCHQ and commercial providers, would provide the threat intelligence to make the tests as realistic as possible. The tests would be conducted by practitioners who were certified by CREST (Council for Registered Ethical Security Testers) as certified simulated attack managers (CCSAM) and certified simulated attack specialists (CCSAS), using a plan that had been agreed by all parties involved.
Difference of opinion
But does CBEST go far enough? Not according to some people including the chief technology officer at Intelligent Environments, a company with a 15-year pedigree in bank security solutions.
CTO Clayton Locke, writing in an opinion piece published on SCMagazineUK.com, says CBEST is a strong step forward for cyber-security but laments that it doesn't go far enough. He calls for the introduction of a financial services industry data security standard, modelled on the PCI DSS for the card payment industry.
“Even though CBEST has robust certification requirements for testing companies, it does not provide a certification standard for the financial services institution itself,” Locke says. “Although the [Bank of England] sees the tests as critical to maintaining the integrity of the financial system, performing an assessment is entirely voluntary.”
He adds: “Making these assessments voluntary highlights an inherent weakness in the financial services industry outside of payment cards. It would be stronger to make the assessments compulsory, as is the case for PCI DSS.”
Disagreeing with Locke is Ian Glover, president of CREST, the organisation that's been given the task of certifying the individuals who will be conducting the CBEST penetration tests.
Glover says CBEST has enjoyed very high levels of support from the financial services industry but doubts it would have received such support if it had been made compulsory from the beginning.
“Financial institutions that have been subject to CBEST activities have provided very positive feedback and many organisations in financial services and other sectors are asking how they can carry out similar activities. There has also been significant interest from overseas,” Glover says. “All parties involved in these activities have common aims, to validate the security arrangements and where appropriate recommend and implement improvements for critical systems and processes. Working in collaboration towards a common aim is much more effective than mandating.”
Also arguing for voluntary compliance is Darren Anstee, director of solutions architects at Arbor Networks. “The problem with mandatory compliance requirements is that security becomes focused on meeting the standard, rather than reducing business risk,” he says. “Once compliance criteria are met it can become increasingly difficult to justify additional expenditure on security.”
Locke's critique of CBEST doesn't end there, however. He believes that accountability to the consumer is fundamentally lacking from the programme. While organisations can be – and have been – held accountable for data breaches by the Information Commissioner's Office (ICO), there is no requirement to make a formal disclosure in the event of a data breach.
“Rather than be proactive in taking accountability for security breach and data loss, the typical approach is to downplay the losses and focus on controlling damage to reputation,” he says.
He welcomes the prospect of amendments to the EU General Data Protection Regulation which “will require any company with European dealings that suffers a data breach to inform both the regulator and affected individuals ‘without undue delay’”.
In this case, while Anstee has some sympathy for the organisations affected and the potential harm to their reputations, he supports Locke's view that the balance should be tipped in favour of consumers.
And Glover says CREST is sympathetic to this view, as well.
In the final analysis, Locke believes the industry needs a set of cyber-security standards that are specific to financial services and that ultimately this might lead to the creation of an FSI DSS. “By cooperating around such a standard, the industry will be able to deliver a stronger collective response to the cyber-crime threat than any single company could do alone,” he says.
Whether there are too many standards or the industry is too complex to fit under a single regulatory umbrella remains to be seen, but one thing they can all agree on is that the current system is the CBEST that we've got.