Ethical hacking launch

by Mark Rowe

The telecoms firm BT has launched “BT Assure Ethical Hacking for Finance”. The company calls it a new security service designed to test the exposure of financial services to cyber-attacks.

Data held by retail and investor banks and insurance companies makes them among the most attractive targets for hackers and cyber-criminals, BT says. This risk has intensified as more and more retail financial services move online and electronic trading is on the rise.

BT says that its Assure Ethical Hacking for Finance uses mature methodologies that mimic those of “black hats” or malicious attackers to provide a range of tests targeted at the various entry points to a bank’s IT as well as perceived “weak points”. These include phishing scams, mobile devices and hardware from laptops to printers, internal and external networks, databases and complex enterprise resource planning systems. BT tests and verifies systems that can access the network and checks for risks of human failure, for example by using social engineering to test how employees apply policies.

The new service draws on the telco’s ethical hacking expertise from work with large financial institutions in the US for nearly two decades. Within the confines of rules of engagement, BT’s ethical hackers have been able to perform database dumps of tens of thousands of social security and credit card numbers; intercept and modify mobile cheque deposit data; reverse engineer proprietary encryption streams; generate enormous, valid gift cards with payment details from other test accounts; create admin accounts by having an employee simply open an email; escape remote access sessions and get shell access to systems, including subsequent establishment of tunnels into the company; transfer funds between unauthorized test accounts or harvest complete account data for all users by attacking machine-to-machine communications.

The aim is to identify vulnerabilities that would impact an organisation’s primary business processes and thus its brand and reputation. The new Assure ‘Ethical Hacking for Finance’ will enable BT to use CREST (www.crest-approved.org) certified Simulated Targeted Attack and Response (STAR) services. BT was in 2014 one of the first accredited by CREST to provide STAR services.

Working alongside the Bank of England (BoE), UK Government and industry, CREST developed the STAR framework to deliver controlled cyber-security testing.

Mark Hughes, president of BT Security, said: “The prospect of accessing confidential financial information is a powerful lure for hackers so few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage. While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers. We encourage all financial institutions to put themselves through a rigorous series of cyber-security simulations, whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit.”

© 2024 Professional Security Magazine. All rights reserved.