This morning, BT announced the global launch of BT Assure Ethical Hacking for Finance, a new security service specifically designed to test the exposure of financial services organisations to cyber attacks.
The wealth of valuable and sensitive personal data held by financial organisations, including retail and investment banks and insurance companies, makes them among the most attractive targets for today’s malicious hackers and cyber criminals. This risk has intensified in recent years as more and more retail financial services move online and electronic trading continues to grow.
BT Assure Ethical Hacking for Finance uses mature methodologies that mimic those of ‘black hats’ or malicious attackers to provide a range of tests targeted at the various entry points to a bank’s IT systems as well as the perceived ‘weak points’ of an organisation. These include phishing scams, mobile devices and hardware from laptops to printers, internal and external networks, databases and complex enterprise resource planning systems.
BT not only tests and verifies systems that can access the network but also checks for risks of human failure, for example by using social engineering to test how employees apply the policies and procedures in place.
The new service draws on the ethical hacking expertise BT has gained over nearly two decades of close work with large financial institutions in the US. Within the confines of strict rules of engagement, BT’s ethical hackers have been able to perform database dumps of tens of thousands of social security and credit card numbers, intercept and modify mobile cheque deposit data, reverse engineer proprietary encryption streams, generate enormous, valid gift cards using payment details from other test accounts, create admin accounts by having an employee simply open an e-mail, escape remote access sessions and gain shell access to systems (including the subsequent establishment of tunnels into the company), transfer funds between unauthorised test accounts, and harvest complete account data for all users by attacking machine-to-machine communications.
The ultimate objective is to identify vulnerabilities that would impact an organisation’s primary business processes and, therefore, both its brand and reputation.
Simulated Targeted Attack and Response
The new BT Assure Ethical Hacking for Finance service will enable BT to use CREST (www.crest-approved.org) certified Simulated Targeted Attack and Response (STAR) services to help financial services companies develop the most robust security solutions, ensuring sensitive customer data remains secure.
In 2014, BT was one of the first companies in the world accredited by CREST to provide STAR services.
Working alongside the Bank of England, UK Government and industry, CREST developed the STAR framework to deliver controlled, bespoke and intelligence-led cyber security testing. STAR incorporates advanced penetration testing and threat intelligence services to more accurately replicate cyber security threats to critical assets.
Speaking about this latest development, Mark Hughes (president of BT Security) informed Risk UK: “The prospect of accessing confidential financial information is a powerful lure for hackers. Few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage. While much of the concern focuses on retail banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers.”
Hughes added: “We encourage all financial institutions to put themselves through a rigorous series of cyber security simulations whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit.”
BT has a strong, award-winning, global team of security specialists in place, including ethical hacking consultants who provide a standardised method to test systems by imitating hacker attacks, reporting identified vulnerabilities and providing clear remediation steps that customers can use to quickly patch applications and affected systems.