BT helps global financial industry keep data secure with new ethical hacking service

DC15-415 (16 September 2015)

BT brings in CREST STAR certified security testing to protect financial organisations from cyber threats

BT today announced the global launch of “BT Assure Ethical Hacking for Finance”, a new security service designed to test the exposure of financial services organisations to cyber-attacks.

The wealth of valuable and sensitive personal data held by financial organisations, such as retail and investor banks and insurance companies, makes them among the most attractive targets for malicious hackers and cyber-criminals. This risk has intensified in recent years as more and more retail financial services move online and electronic trading is on the rise.

Assure Ethical Hacking for Finance uses mature methodologies that mimic those of "black hats" or malicious attackers to provide a range of tests targeted at the various entry points to a bank’s IT systems as well as perceived “weak points” of an organisation. These include phishing scams, mobile devices and hardware from laptops to printers, internal and external networks, databases and complex enterprise resource planning systems. BT not only tests and verifies systems that can access the network but also checks for risks of human failure, for example by using social engineering to test how employees apply the policies in place.

The new service draws on the ethical hacking expertise gained by working closely with large financial institutions in the U.S. for nearly two decades. Within the confines of strict rules of engagement, BT's ethical hackers have been able to perform database dumps of tens of thousands of social security and credit card numbers; intercept and modify mobile cheque deposit data; reverse engineer proprietary encryption streams; generate enormous, valid gift cards with payment details from other test accounts; create admin accounts by having an employee simply open an email; escape remote access sessions and get shell access to systems, including subsequent establishment of tunnels into the company; transfer funds between unauthorized test accounts or harvest complete account data for all users by attacking machine-to-machine communications.[1]

Cyber threats in retail banking

The ultimate objective is to identify vulnerabilities that would impact an organisation’s primary business processes and thus its brand and reputation.

The new Assure ‘Ethical Hacking for Finance’ will enable BT to use CREST (www.crest-approved.org)[2] certified Simulated Targeted Attack and Response (STAR) services to help financial services firms develop the most robust security solutions, ensuring sensitive customer data remains secure. In 2014, BT was one of the first companies in the world accredited by CREST to provide STAR services.

Working alongside the Bank of England (BoE), UK Government and industry, CREST developed the STAR framework to deliver controlled, bespoke, intelligence-led cyber security testing. STAR incorporates advanced penetration testing and threat intelligence services to more accurately replicate cyber security threats to critical assets.

Mark Hughes, president of BT Security, said: “The prospect of accessing confidential financial information is a powerful lure for hackers, so few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage. While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers. We encourage all financial institutions to put themselves through a rigorous series of cyber-security simulations, whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit.”

BT has a strong, award-winning, global team of security specialists, including ethical hacking consultants, who provide a standardised method to test systems by imitating hacker attacks, reporting identified vulnerabilities and providing clear remediation steps that customers can use to quickly patch applications and affected systems.

[1] Other real-world examples can be found in our case study.
[2] CREST is a not-for-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry. More information here.

BT Security

BT Security is building on 70 years’ experience of helping organisations around the globe and across all sectors get ahead of the threat curve and reduce the uncertainty and complexity of security. We provide an end-to-end capability to help organisations enjoy higher levels of security at a time when security budgets are not keeping pace with the threat landscape.

The sophistication of our security operations means that we think about the assets, the people, and the processes, and combine these with both network and security intelligence to help our customers stay ahead of the security risks. BT Security protects both BT and its customers. These customers are advised by a global team of 2,000 security practitioners and professional services consultants. To find out more about BT Security, visit www.bt.com/security.

For more information on BT’s Ethical Hacking expertise, visit bt.com/btassure/ethical-hacking

About BT

BT’s purpose is to use the power of communications to make a better world. It is one of the world’s leading providers of communications services and solutions, serving customers in more than 170 countries. Its principal activities include the provision of networked IT services globally; local, national and international telecommunications services to its customers for use at home, at work and on the move; broadband, TV and internet products and services; and converged fixed/mobile products and services. BT consists principally of five customer-facing lines of business: BT Global Services, BT Business, BT Consumer, BT Wholesale and Openreach.

For the year ended 31 March 2015, BT Group’s reported revenue was £17,979m with reported profit before taxation of £2,645m.

British Telecommunications plc (BT) is a wholly-owned subsidiary of BT Group plc and encompasses virtually all businesses and assets of the BT Group. BT Group plc is listed on stock exchanges in London and New York.

For more information, visit www.btplc.com.

For further information

Alan Ball
Head of Global PR
alan.ball@bt.com
