BT has announced the global launch of "BT Assure Ethical Hacking for Finance", a new security service designed to test the exposure of financial services organisations to cyber-attacks.
The wealth of valuable and sensitive personal data held by financial organisations, such as retail and investment banks and insurance companies, makes them among the most attractive targets for malicious hackers and cyber-criminals. This risk has intensified in recent years as more and more retail financial services move online and electronic trading is on the rise.
Assure Ethical Hacking for Finance uses mature methodologies that mimic those of "black hats", or malicious attackers, to provide a range of tests targeted at the various entry points to a bank's IT systems as well as the perceived "weak points" of an organisation. These include phishing scams; mobile devices and hardware from laptops to printers; internal and external networks; databases; and complex enterprise resource planning systems. BT not only tests and verifies systems that can access the network but also checks for the risk of human failure, for example by using social engineering to test how employees apply the policies in place.
The new service draws on the ethical hacking expertise gained by working closely with large financial institutions in the U.S. for nearly two decades. Within the confines of strict rules of engagement, BT's ethical hackers have been able to perform database dumps of tens of thousands of social security and credit card numbers; intercept and modify mobile cheque deposit data; reverse engineer proprietary encryption streams; generate enormous, valid gift cards with payment details from other test accounts; create admin accounts by having an employee simply open an email; escape remote access sessions and get shell access to systems, including subsequent establishment of tunnels into the company; transfer funds between unauthorized test accounts or harvest complete account data for all users by attacking machine-to-machine communications.
The ultimate objective is to identify vulnerabilities that would impact an organisation's primary business processes and thus its brand and reputation.
The new Assure 'Ethical Hacking for Finance' will enable BT to use CREST (www.crest-approved.org) certified Simulated Targeted Attack and Response (STAR) services to help financial services firms develop the most robust security solutions, ensuring sensitive customer data remains secure. In 2014, BT was one of the first companies in the world accredited by CREST to provide STAR services.
Working alongside the Bank of England (BoE), UK Government and industry, CREST developed the STAR framework to deliver controlled, bespoke, intelligence-led cyber security testing. STAR incorporates advanced penetration testing and threat intelligence services to more accurately replicate cyber security threats to critical assets.
Mark Hughes, president of BT Security, said: "The prospect of accessing confidential financial information is a powerful lure for hackers so few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage. While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers. We encourage all financial institutions to put themselves through a rigorous series of cyber-security simulations, whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit."
CREST is a not-for-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry.