Bank of England to hire penetration testers to attack financial firms

library
crime | hacking | security

The Bank of England this year will hire penetration testers to poke and kick at the computer-system defences of more than 20 major UK banks and other financial players.

Sources familiar with the programme told the Financial Times (registration required to view article) that it’s going to enlist testers certified by CREST, a not-for-profit organisation that represents the infosec industry.

Financial institutions have already proved susceptible to what’s being called the latest, biggest security threat since the birth of the internet: the OpenSSL Heartbleed buffer overflow vulnerability.

One such was American Funds, the third largest US mutual fund family, which last week advised some customers to change user names and passwords.

According to Business Recorder, the company emailed about 825,000 clients to tell them that they’d been exposed to “a very narrow window of risk” and advised that they change user names, passwords, and security questions and delete their browsing histories.

Canada’s tax agency, the Canada Revenue Agency, also recently announced that 900 social insurance numbers (SINs) were stolen by hackers exploiting Heartbleed over a six-hour period.

Andrew Gracie, the director of the UK’s special resolution unit within the Bank of England, will reportedly oversee the UK pen testing programme.

The Financial Times reports that the testing will build on the lessons of Operation Waking Shark 2, a simulation of a major cyber attack on UK financial firms that was carried out in London on 12 November 2013.

The four-hour exercise simulated attack by a hostile nation state on the UK’s financial sector, set to cover a three-day period, the last day of which coincided with “Triple Witching” (when contracts for stock index futures, stock index options and stock options all expire on the same day).

BoE reported (PDF) the lessons learned from Waking Shark 2 in February.

The exercise pointed to three main areas for future work:

The need to identify a single industry body to coordinate communications.
Making sure that firms know that they need to report major incidents to regulators right away.
Fine-tuning and getting used to working with the Cyber Security Information Sharing Partnership (CISP) platform – a data threat sharing platform – used during the exercise.

According to The Financial Times, Waking Shark 2 involved 220 people, 20 institutions and infrastructure providers, and a host of government agencies, but it didn’t target individual companies’ systems.

In fact, this is the first time that UK banking authorities are taking on the task of testing for vulnerabilities in this broad fashion, as opposed to the typical scenario of having firms conduct their own, internal penetration testing, the news outlet reports.

Is your own organisation looking at pen testing? Perhaps while casting a frightened eye toward Heartbleed, in particular?

As Sophos’ Ross McKerchar pointed out when he gave these tips on how to manage cost-effective pen testing, this stuff can very quickly get very pricey.

Focusing on testing the right things in the right manner is key to getting the best bang for your buck, he says.

What about us security civilians? Can we pen-test our own systems?

Well, yes… carefully.

Serious penetration testing can really mess up a site. When done on a business level, nightmares such as crashing servers, exposing sensitive data, corrupting crucial production data or causing other damage by mimicking the actions of malicious attackers can ensue.

Home users don’t have such broad risk areas, but it’s still wise to proceed with caution.

Naked Security has these tips for home users to penetration test their own computers.

As Lee Munson notes, pen testing can be as simple as asking somebody to try to guess your passwords. If even a technically unsophisticated person can guess that you’re using “password” or “123456” (please tell us you’re not), you know you’ve got some work to do!

Check lists of the most commonly used passwords.

See any of yours on there? Change them! Use upper and lowercase letters, numbers and special characters, and make them as long as possible.

And yes, I know, that list dates back to 2010. Unfortunately, the top favorites haven’t changed much!