UK banks to get independent pen-testing?

News by Steve Gold

The UK's Bank of England (BoE) is reportedly planning to carry out a major pen-testing exercise in the Autumn.

Last year's Bank of England cyber security exercise - Waking Shark II, carried out on November 12 – identified several weaknesses in the financial sector's responses to a sustained attack, particularly the lack of cooperation between banks. 

Now the Bank, whose report on the exercise was issued in early February, has reportedly outlined plans to carry out a pen testing programme, drawing around 20 of the UK's major banks into the operation. 

Last November's Waking Shark II was billed as a rehearsal for the wholesale banking sector, including investment banks and key financial market infrastructures. 

Organised by the Securities Industry Business Continuity Management Group, the test was designed to simulate an attack on the UK's financial services architecture, and involved 200 people from around 20 institutions, including investment banks, financial market companies and several government agencies. 

The Bank is now said to be talking about moving beyond the original remit of Waking Shark II and organising an ethical hacking pen test that will use real-life scenarios to see how prepared 20 of the UK's clearing banks and financial organisations are. understands that several pen-testing companies have been invited - with confidential agreements in place - to tender for the tests. 

A spokesperson for the BoE's press office refused to comment on a Financial Times report about the pen-testing plans. 

 “We're not commenting, nor are we giving any extra steerage on this. The FT did not get the story from us,” she said. 

The Financial Times, however, quoted two people "familiar with the process" as saying that the latest security exercise will involve the Royal Bank of Scotland, a number of leading insurers and financial infrastructure providers such as the London Stock Exchange. 

Unconfirmed reports suggest that other banks - notably HSBC and Lloyds - are also being approached to take part in the test, which will likely take place in the autumn of this year. 

Commenting on the news that a major pen test of the UK's financial infrastructure is being planned, Marc Lee, EMEA director with Courion, said that whilst the plan is a good idea, banks need to look at the bigger picture and have a strong security culture in place to deal with the increasing number of cyber attacks. 

“Looking at individual bank security systems is a good idea for phase two of these cyber war games. Banks' infrastructure is increasingly under attack, and that's not going to change," he said. 

Lee went on to say that banks need strong, reliable systems in place to quickly identify any security vulnerabilities and take appropriate actions to prevent a breach and avoid financial and reputational damage. 

Professor John Walker, a visiting professor with Nottingham Trent University's School of Science and Technology, was not impressed with the news, saying that Waking Shark II confirmed that the BoE is leaking data - and perhaps worse - its managers do not understand the technology being used to target their systems. 

It is, he said, ironic that the BoE is supposed to be on the regulators on the security and allied financial services front, yet they are open to the simplest of social engineering attacks. 

Walker - who is also director of CSIRT and Cyber Forensics with Integral Xssurance, a security consultancy - went on to say that the BoE needs to practice what it preaches and implement better security on its own systems, before it tells the clearing banks and other agencies how to secure their systems. 

Tim Keanini, CTO with Lancope, was more sanguine about the BoE's chances of success with its pen testing plans, saying that a critical part of being incident response ready is to perform pen-testing drills. 

"Historically, fire prevention has required organisations around the world perform regular drills and, when you think about it, these same organisations are more likely to get hit by a cyber-incident each year than they are a major fire," he said adding that the exercises create cross departmental readiness - where less mistakes are made during the real events. 

Lamar Bailey, director of security R&D with Tripwire, was also positive about the BoE's plans, saying that the plans are something he encourages every business to do at least a couple times a year. 

"Most enterprises have well defined security response plans but when an incident arises no one remembers the procedures or how to initiate the plan. Testing responsiveness and ability to carry out a response plan is key to minimising the impact an attack will have on an organisation," he explained.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews