IT penetration tests and audits offer an effective risk control against internal and external attacks, and when combined with social engineering techniques they can be used to test the effectiveness of security procedures while boosting security awareness.
NCC Group is a CBEST Penetration Testing provider and CREST STAR (Simulated Target Attack & Response) provider.
However, real hackers don’t play fair, and many of the rules of engagement used in traditional penetration tests require testers to stop some way short of the activities that a sophisticated, patient and determined hacker would undertake to gain access.
This is usually because tests are often procured primarily as ‘Business As Usual’ audits rather than as tools used to answer the question at board level: “Are we secure?”
Cyber-attacks are a common occurrence and, as a result, the need for investment in security is greater than ever. Companies need expert assurance that their investment is working all the time in a fully realistic scenario, not just while the scheduled penetration test is going on.
Most penetration tests are conducted within a specified time limit, which can prevent the testers from attempting certain types of attack that can last for weeks.
The idea behind the CREST STAR (Simulated Target Attack & Response) approach is that with time, expertise, persistence and bespoke attack development, security measures can be subjected to real-world testing to provide assurance that the investment in technology and training is working. The STAR service, by design, is not restricted by traditional methods and therefore provides the most realistic security test available in the market today.
The standards used in the CREST STAR initiative are also used in CREST’s CBEST scheme.
CBEST is a new framework from the Bank of England (BoE) that delivers intelligence-led penetration tests against the critical systems of financial institutions.
The aim is to protect against threats to financial systems that are of systemic importance to the UK economy.
The tests will replicate the tactics, techniques and procedures of known threat actors that are perceived as posing a significant and specific threat to the financial institution in question.
The BoE and accredited commercial providers combine intelligence about existing cyber threats to ensure that the threats mimic those that are being carried out by cyber criminals in real-life scenarios.
Standard key performance indicators will be used to assess the maturity of an organisation’s ability to detect and respond to cyber-attacks. This will then highlight any vulnerabilities so that organisations can improve resilience. During the practical testing work the ability of the institution to detect and respond to the attack will also be monitored.
CBEST will provide access to consistent cyber threat intelligence that has been ethically and legally sourced from organisations that have been tested against rigorous standards along with access to benchmark information that can be used to evaluate other parts of the financial services industry.
Why is CBEST different from other security testing?
CBEST uses real threat intelligence and focuses on more sophisticated and persistent attacks on essential services and critical systems.
Boards of financial firms, regulators and infrastructure providers that use the CBEST scheme will improve their understanding of the types of cyber-attacks that could impact the UK’s financial stability.
The tests will also show the extent of the impact such attacks could have and whether the recovery processes in place would be effective.
Differences between CREST STAR and CBEST
The CREST STAR scheme audits companies to the same standards as CBEST. However, there are two differences. The first is that any reports generated from a CREST STAR assignment will not be circulated among the UK Financial Authorities. This means that organisations can prepare for CBEST without having to involve regulators.
It is worth noting, however, that if weaknesses in an organisation’s cyber security capabilities are discovered as part of a CREST STAR assessment, the organisation may have to disclose them to its regulator under existing agreements.
The second difference between CBEST and STAR engagements is that the UK Financial Authorities have access to specific Government cyber threat intelligence, which may be made available as part of a CBEST test but will not be available under a CREST STAR test, where the regulator has no direct involvement.
STAR/CBEST providers have to go through additional levels of assurance in order to deliver intelligence-led security assessments.
Providers must meet more rigorous requirements and a revised code of conduct, and the penetration testing team has to undergo extra levels of assessment to ensure that they can safely and accurately mirror real-life scenarios while undertaking the due diligence necessary to mitigate the inherent risks that arise from the nature of these engagements.