Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Hackers to probe cyber crime defenses at British banks

Reprints
Hackers to probe cyber crime defenses at British banks

(Reuters) — In the next few months, hackers will try to penetrate the cyber defenses of Britain's major banks and steal information about millions of customers. But for once they'll be welcome.

Banks are on red alert after cyber criminals obtained details of 83 million clients from JPMorgan Chase & Co. this year, and Britain's leading lenders have signed up for tests that let teams of certified hackers attack at will.

The cyber war games will mark a major escalation in how banks test defenses in a high-stakes battle with criminals.

"It's the first time that banks are having their systems tested for security threats in a live environment as opposed to a simulated or isolated one," said Stephen Bonner, a partner in the cyber security team at KPMG L.L.P.

Cyber crime costs the global economy $445 billion a year, and the bill is rising, according to the Center for Strategic and International Studies, which said it damages trade, competitiveness and innovation across industries.

Banks are particularly vulnerable, despite spending hundreds of millions of dollars a year on cyber defenses. Increasingly sophisticated criminals are trying to steal money or client data, cause havoc in financial markets or score political points.

"A defender has to block every possible route of entry, and the attacker only has to find one. That's the position the banks are still in — the world is so connected now, they have to look in every direction to protect themselves," said Paul Docherty, technical director at Portcullis Computer Security Ltd., a consultancy that has been accredited to run the tests.

The Bank of England is behind the initiative. In June, it outlined a new framework called CBEST for handling the growing cyber threat. It includes sharing intelligence from government agencies such as Britain's GCHQ with companies and encouraging more intense testing of financial institutions.

In the first such move by a leading central bank, the Bank of England will set the guidelines but leave banks to agree with the firms carrying out the tests how far their "attack teams" can infiltrate bank systems.

An "attack team" would typically be four to six people, including a project manager and an attack specialist at the sharp end trying to breach systems. Only a few bank employees will be aware an attack is coming.

"It's taking examples of what we see out in the wilds in the threat landscape and applying those to realistic attack scenarios on financial firms," said Adrian Nish, head of cyber threat intelligence at BAE Systems Applied Intelligence .

CREST, which is responsible for accrediting firms to do cyber security testing in Britain, has approved four firms to run these so-called Simulated Targeted Attack and Response, or STAR, services, and more are expected to be accredited soon, industry sources said. Besides Portcullis, BT Group, Context Information Security and Nettitude are the other three.

Britain's biggest banks are among more than 30 financial firms lining up to go through the STAR test.

Pilot tests have begun, and the vast majority of institutions are expected to have completed the process by the end of 2015, one of the sources said. The tests will also involve insurance companies, financial exchanges and payments systems operators.

"The financial sector has realized it needs to up its game and this is the logical progress," said Mr. Docherty.

The test starts with a vulnerability assessment to spot where risks are and set out a plan to probe those areas. This is followed by security testing, or penetration testing, to try and exploit weaknesses during a process that could take three to six months.

Other key infrastructure industries such as energy, telecoms and defense could follow the Bank of England's CBEST plan.

London's Metropolitan Police last month launched a new cyber crime and fraud team that will have up to 500 officers. The City of London police have linked with the New York District Attorney's Office to bolster their defenses and next year plan to deploy staff permanently in each other's offices.

CBEST aims to encourage information-sharing between government agencies and companies, and between firms — who have been criticized for being slow to share information on dangers.

"For the last 20 or more years, hackers, attackers and that community have been sharing information and selling things to each other whilst finding ways to co-exist and grow, whereas industry has been slow to embrace collaboration," said Mr. Docherty.

Andrew Gracie, the Bank of England executive in charge of CBEST, warned in June he would take action against any bank that was inadequately prepared for the cyber threat. Some officials have said banks should face prosecution if they allow their systems to be breached.

Read Next

  • Bank of England steps up fight against cyber crime

    (Reuters) — The Bank of England sought to bolster the financial industry's defenses against cyber attacks on Tuesday when it announced a new framework to spot and test possible weak points at lenders.