3 May, 2017
Hong Kong is playing a leading role in advancing the cyber security industry in Asia, with cyber security testing high on the agenda
As the size and scale of cyber attacks on financial institutions continue to intensify, the Hong Kong Monetary Authority (HKMA) recently took the initiative by launching a Cybersecurity Fortification Initiative (CFI) with three key pillars. One of these pillars is a cyber-resilience assessment framework (C-RAF) designed to identify threats to financial institutions and test defences against those threats. Paul Jackson, Managing Director of Stroz Friedberg, and Matt Bartoldus, Managing Director of Stroz Friedberg company Gotham Digital Science, look at similar exercises in the UK and the lessons being learned from them, especially in terms of testing and developing cyber defences.
What is C-RAF, and should financial institutions be worried?
It's a risk assessment exercise. They are not trying to point the finger at anyone or issue fines; they just want to find out the state of readiness of the industry in the face of cyber security threats. They are looking to establish the most likely scenarios where organisations get breached – it's a threat intelligence exercise with a testing component.
The end goal is to understand where the next phase of work needs to be done to mitigate the risks around a major security incident: will it be detected, how ready are organisations to react, and are they reacting in a way which ensures resiliency?
Should firms hire consultants to help respond to the HKMA's questionnaire?
No, the HKMA is looking for an honest assessment of where banks and other financial institutions are in terms of cyber security. It's fine to have advisors look over it, but there's no point trying to make things look better than they are. In fact, the Bank of England ran a similar exercise and stipulated that organisations must fill out the questionnaire themselves.
What is the likely outcome? Will UK and HK banks get a clean bill of cyber health?
In our experience, that is extremely unlikely. As part of our security advisory work we often carry out cyber security testing where we replicate attacks and it's very rare we can't gain access. That goes for clients across all industries. HKMA are leading the charge in getting the cyber security industry to develop in the region. It's important to develop local market capabilities, because the threat landscape is constantly evolving.
What is cyber security testing and how can it help companies improve preparedness for a data attack?
As the name suggests, cyber security testing is where an organisation's defences are probed by an outside team in order to find out if they can withstand cyber attacks, and to expose any weaknesses before they are found by criminals. As companies' digital activities scaled up and cyber criminals became more sophisticated, early 'penetration testing' evolved to become 'Red Team testing', where one group of cyber security professionals plans a simulated attack and another – typically the in-house team – tries to detect it and react appropriately. Because cybercrime is always evolving, it's important that we match what is happening in the real world. We build our own malware, which, although not as malicious in terms of what it does, is still designed to penetrate a system and mimic the unauthorised access that hackers are trying to achieve.
Do these exercises just look at remote, digital threats, or are they physical too?
Cyber criminals use all kinds of ruses to gain initial access to a company's systems. Often, the weak point is the human element, and that's where things like phishing and social engineering are used. We mimic this during Red Team exercises. For example, LinkedIn is one of the most powerful social engineering tools there is. We've used it to gain access to emails and personal information of clients' employees. Much in-house preventative security is now focused on detecting when that is happening and countering it.
Sometimes we go even further, actually dressing up as telecoms engineers and trying to get physical access to our clients' buildings. It's important to highlight that kind of security weakness too.
Can you bring cyber security testing in house?
Many large organisations have looked at the cost of bringing in cyber security advisers and decided to bring it in-house. We have helped some of our clients by setting up internal teams. They are great for routine matters, like payment card industry testing and internal compliance. However, an external expert perspective helps strengthen the overall security posture. Hence a combination of both is probably the most effective and cost-efficient.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com