The Bank of England has released its annual CBEST thematic, which reports gaps, some of them ‘foundational’, observed in the cyber defences of financial firms and Financial Market Infrastructures (FMIs).
The document describes cyber hygiene as not a one-time exercise but a continuous effort; given the evolving threat landscape, tactical fixes alone are insufficient. It says: “While quick remediation may address immediate vulnerabilities, it often leaves underlying weaknesses unaddressed.”
The document advises that to reduce the likelihood of severe cyberattacks firms and should look to harden operating systems, including by patching vulnerabilities and securely configuring key applications. Firms and FMIs can reduce the impact of unauthorised access to sensitive systems and information by strengthening credentials management, enforcing strong passwords, considering the use of multi-factor authentication (MFA), preventing or detecting insecure credential storage, and through appropriate segmentation of networks.
Early detection and effective monitoring, alerting and response processes are key to reducing the impact from cyberattacks. Firms and FMIs should implement risk-based remediation plans with oversight from risk managers and internal auditors to ensure the successful remediation of technical findings, including vulnerabilities.
Comment
Carl Hunt, director at the supply chain risk and resilience consultancy Beyond Blue, said what is most striking is that a large number of the thematic issues have endured for many years including shortcomings in Identity and Access Management (IAM), network segmentation, and ‘training and awareness’.
He said: “It seems that many financial firms still lack the ability to successfully detect and effectively respond to attacks, due in part to attackers’ ability to obfuscate their attacks, but also down to poor tuning of detection rules. Ultimately CBESTs are limited point in time assessments, albeit identifying 469 successful tactics across 13 CBESTs.
“Is there an alternative which is more comprehensive and might drive genuine improvements in cyber security? The answer lies in a blend of automated control assessment and testing, a clear line of sight to threat and attack tactics, and monitoring of risk and remediation progress. External tests such as CBEST are always valuable, but they need to be seen as augmenting effective internal security testing and improvement processes.”
Background
A CBEST Implementation Guide provides guidance on remediation planning. CBEST assessments are delivered by CREST accredited providers. More at the CREST website (the CBEST accreditation and certification body). Visit https://www.crest-approved.org/. CREST (click here for UK council members) is a not-for-profit membership body representing the cyber security industry.
