Bank of England seeks 'HACKERS' to defend vaults against e-thieves

Report: 20 major cash-holders to be probed by white hats

The Bank of England is planning to hire ethical hackers to conduct penetration tests on 20 "major" banks and other financial institutions, it has been reported.

The move appears to be a response to lessons learned during the Waking Shark II security response exercise last November. That exercise put merchant banks and other institutions in the City at the wrong end of a simulated cyber-attack and didn't involve retail banks, as explained in a BoE statement issued at the time.

But according to the reports, this is about to change.

According to sources who spoke to the Financial Times (behind a paywall), the Bank of England's "ethical hackers" will attack 20 major banks and other financial institutions in the new round of cyber resiliency tests. Unnamed government-accredited penetration testing firms will be involved. The FT speculated that the Royal Bank of Scotland and the London Stock Exchange would participate, but there has been no confirmation.

Adrian Beck, security programme manager EMEA at cloud-based application security company Veracode, welcomed the reported move.

"It’s encouraging to see the Bank of England taking a lead on protecting the UK’s critical national infrastructure by overseeing ethical hacking programmes," Beck said.

He added: "Ethical hacking, in the form of penetration testing, is one way to expose software coding errors in an organisation’s applications, along with other vulnerabilities that threaten critical data. All businesses, whether in the public or private sector, should consider the benefits of investing in ethical hacking as part of an application security programme."

Marc Lee, director EMEA at infosec firm Courion, said that penetration testing can only go so far and that banks need to look at the bigger picture by taking precautions to defend against internal as well as external threats.

"The focus shouldn’t be solely on detecting and preventing external attacks," Lee explained. "It’s important to recognise that threats can often stem from insider hacktivists or a weak security culture in the back office [that] leaves sensitive data and apps open to abuse or theft."

"Looking at the bigger security picture, the majority of serious data breaches use stolen or misused legitimate access privileges. Banks need strong, reliable systems in place to quickly identify any security vulnerabilities and take appropriate actions to prevent a breach and avoid financial and reputational damage," he added.

Ross Brewer, vice president and managing director for international markets at security tools firm LogRhythm, commented: "The financial sector is taking a positive step here, which many other organisations need to learn from. As they play such a critical role in society, it would be disastrous for one of our leading banks to suffer a significant data breach.

"We only have to look at recent large-scale data breaches, such as [that of] Target in the US, to see just how devastating and long-lasting this can be. Given the level of trust businesses and consumers place in banks, a successful attack on a financial firm would be even worse." ®
