EXCLUSIVE: ‘Testing times’ – Anthony Long, Nettitude ‘The Fintech Magazine’
Firms should consider their choices carefully when asking a company to punch a big hole in their cyber defences to test their resilience. Here, Nettitude’s Anthony Long, Head of Threat Intelligence & Advisory Consulting outlines the options
The TIBER framework is different to many earlier cybersecurity testing procedures. Instead of working in an isolated environment, separate from main operations, TIBER is live.
Providing far more meaningful results, TIBER tests companies’ systems in the real world. This adds a level of risk that must be managed meticulously, both by the organisation and its testing provider. The consequences of not doing so are serious. CBEST was the first testing framework to operate in a live environment. Specialist red teams have been highly trained (and CREST-accredited) to deliver CBEST testing that’s secure, legally compliant, and ethical. At Nettitude, we believe the TIBER framework must learn from this high level of service.
So, finding the right TIBER test provider for your financial organisation is crucial. You’ll want a secure test, but there’s huge value in knowing how to act on the results to protect your operations. An obvious question exists: should you opt for a local provider in your country or choose a larger, global tester?
We consider both here.
It can be tempting to keep TIBER testing local. A familiar provider in the same country can seem reassuring. If timelines are tight, engaging an existing provider will be faster than appointing a new one. They’ll already know how you operate and won’t have language differences or limited cultural insight. But local testing providers are, by their very nature, smaller operators. When handling live TIBER testing, this is a risk. Generally, local operators have less testing experience, smaller teams and fewer qualified individuals.
Also, their knowledge of cybersecurity beyond finance could be limited. This might not seem significant, but they’ll lack the broader insight of new and emerging risks that financial organisations and their regulators are yet to consider. A local TIBER tester could seem like the more convenient option. But you might find it’s a less safe one.
Just like many financial organisations, global TIBER test providers operate in many countries. Global banks and other institutions often hold data in a handful of geographic locations and engaging a provider experienced in handling cross-border issues is a big advantage.
Safely moving data between countries requires knowledge of local laws and legal requirements in various regions. Global providers have more experience of this, so your exposure is managed. In addition to multi-country operations, larger providers have multi-industry and multi-testing experience to draw from – working across a much wider landscape means their exposure to risk will be greater. Only by experiencing risk can you become proficient at managing it. Smaller operators might be able to handle high risk in theory, but have they ever experienced it? Nobody wants to be a guinea pig.
When carrying out TIBER testing, a big hole is effectively punched through the defences of the financial organisation – in a live environment. Should the provider not secure that hole for its exclusive use, the vulnerability remains open for third parties to infiltrate and do incredible harm. The risk is very real. Your TIBER test provider must demonstrate sufficient experience in operational security to keep your organisation safe during all stages of testing. Global providers are more likely to have larger, higher-qualified teams who’ve handled this level of risk many times.
Get more value from TIBER testing
Carrying out a TIBER test is one part of the service you’ll require. Granted, it’s a significant one, but you’ll get the greatest value from your investment by choosing a provider that will project manage your testing, from concept to action plan. The TIBER test results, in isolation, are of limited use. The value comes from understanding them and determining what mitigation and future actions you must put in place.
Written in technical language, your corporate team might not, in any case, understand ‘raw’ test results. When your project is fully managed, your attack manager delivers the findings in meaningful language that everyone understands. They’ll highlight risks and recommended actions, alongside plenty of guidance and support. Testing providers that manage your project will ensure the output matches your regulator’s expectations. That means working with a fit-for-purpose TIBER framework and within the boundaries required. Regulators will also want outputs that they can directly compare with other test results. Only then can meaningful conversations be had, heightening cybersecurity across the global finance sector.
8 questions you should ask prospective TIBER test providers
For most, shortlisting TIBER providers is not an everyday activity. We’ve put together eight questions you should ask every provider you’re considering. By doing so, you’ll identify the best one for your financial organisation.
What testing experience do they have?
Understand their testing experience in the finance sector but ask about experience in other industries, too. It can significantly widen their cyber risk knowledge. What types of testing have they carried out? Have they completed live tests (CBEST is another well-known live testing framework)? Ask about their cross-border experience – especially if your organisation operates in many countries.
What qualifications do have their team have?
Assess the people you’ll be working closely with. Not just attack specialists – consider intelligence managers and attack managers, too. Are you confident of their qualifications and experience? CREST established a series of qualifications for CBEST providers to achieve. No such qualifications are currently necessary for TIBER testing, but qualified individuals will reduce your risk.
Can you speak to others they’ve worked with?
There’s nothing better than understanding how the provider’s testing helped other financial organisations. Take time to plan a couple of conversations.
What insurances and risk management procedures do they have in place?
Ask how they will manage the risk of a live test. How will they keep your organisation safe from outside attacks during testing? Do they security-check their staff to ensure safe practice?
What schemes are they members of?
Shortlist providers that are members of (or familiar with) schemes that matter to your organisation. Your regulators will welcome this assurance. Also, look for general cybersecurity schemes that add credibility. Common schemes include:
CBEST: UK finance
GBEST: UK government
iCAST: Hong Kong
FEER: Saudi Arabia
Do they understand the legalities and ethics around TIBER testing?
The TIBER framework can use technology, processes and people. Knowing what’s legally acceptable in your region is important. Operating ethically is also crucial when using people.
How will you receive your results?
Ask for assurance that you’ll receive results written in a way that your team understands. Just technical reports limits the value of testing.
How will they help your organisation after testing?
If you do nothing with your test results, you lose huge value. And yet, the results can be hard to interpret on your own. Understand the support you’ll receive after testing is complete. Will they help you understand the outcomes? Will they help you formulate a plan?
Your greatest value lies in post-test planning and action. By having sufficient support in this area, you’ll develop the strength of your organisation.