HKMA's Cyber Fortification Initiative (CFI) – Part 1

In the past, I seldom express any opinion on public policy matters here, but a press releases [1] of Hong Kong Monetary Authority (HKMA) on May 18 drawn my attention because it has initiated a significant impact to the development of cyber security policy to all financial institutions, including payment system organisations, clearing houses, exchanges, stock brokers and investment firms in Hong Kong [2]. I have strong feeling that HKMA, Hong Kong Institute of Bankers (HKIB) and Hong Kong Applied Science and Technology Research Institute (ASTRI) (hereafter called the “Party”) is taking wrong steps to help financial industry in combating the new emerging cyber threats. They may have good intentions, but the proposal is put into wrong hands, or they may be mis-leaded by organizations that are not practicing hand-on cyber security in the past.

According to the session 4 of the Consultation draft of C-RAF (the “Paper”) found on the Internet [3], HKMA introduces a new iCAST (intelligence-led Cyber Attack Simulation Testing) framework (aka intelligence based, less constrained and focuses on the more sophisticated and persistent attacks [or APT-type attacks described in session 4.2 of the Paper]” in a simulated security testing framework), which is heavily promoted by CREST [4]. Even though the Paper did not indicate that the proposed iCAST is an exact copy of CBEST [5], by comparing the CBEST Implementation Guide [9] and section 4.4 of the Paper, we can easily see that iCAST is rooted (aka copy and paste) from CBEST.   I have no clue why CBEST is selected, but the framework that is adapted by Bank of England may be one of the major push.  I even heard rumors saying that central banks of Australia [6], Singapore [7] and Malaysia [8] are also pushing the same framework like what HKMA has proposed.  However, after a quick research, it did not support such claims.

According to CBEST FAQ & Implementation Guide [10] [9], to be accredited onto the CBEST scheme, vendorsneed to be certified by CREST Certified Simulated Attack Manager (CCSAM), or CREST Certified Simulated Attack Specialist (CCSAS) qualifications to supplement existing penetration testing standards, and a CREST Certified Threat Intelligence Manager (CCTIM) qualification to supplement threat intelligence standards [12].  There are no clear requirements for CREST Registered Penetration Tester (CRT) or CREST Penetration Security Analyst (CPSA) for getting CBEST scheme certified.  Of course, it is logical to assume qualified and recognized professionals should perform the penetration testing with CPSA and CRT designations.  Based on the CBEST launch Speech, the Executive Director, Resolution, Bank of England [11], the intelligence funneled from UK Governmentand accredited commercial providersis the key in designing the intelligence-led penetration testing and CRESTand Digital Shadows are selected for accredited the standards for CBEST.  Hence, it can be clearly concluded that CBEST placed higher requirements on accredited threat intelligence than the testing methods/procedures or testing tools. Also, all key resources of CBEST and Syllabus or Notes for Candidates of CREST examinations did not mention any training facilities requirements (aka the simulated labs or so-called CyberRange promoted by ASTRI)

According to the presentation slides of HKIB announced at the “Cyber Security Summit 2016”, HKMA will work with HKIB and ASTRI to launch a training and certification programme, the Professional Development Programme (PDP), in cybersecurity with the support from CREST [fig. 1 & 2].

Fig. 1

Fig. 2
In section 5.2.1 of the Paper and fig. [3], HKMA further declared that the new training and certification programme will be developed by HKIB and ASTRI, which will classify the certifications into 3-levels of iCAST tester, iCAST manager and ‘foundation’ professionals (I think this class of certification is rooted from FFIEC Cybersecurity Assessment Tool from the Federal Financial Institutions Examination Council AND Framework for Improving Critical Infrastructure Cybersecurity from NIST but not from CREST).   Professionals who have obtained relevant certificates under these training programmes will be considered as having the required an expertise to perform C-RAF.
Fig. 3
In view of such examination structure, I think HKMA is actually to launch or develop new examinations (or called iCAST exams) by borrow examination requirements from CREST penetrating examinations and standards from NIST and FFIEC and it is unlikely an exact copy of CREST CRT/CPSA or CCSA
M/CCSAS and CCTIM.   HKMA also indicates professionals who obtained other qualifications in related fields may also be regarded as having the required expertise to perform the assessments and testing under C-RAF. I have just found CREST announced to allow Offensive Security’s OSCPcertification [13] to be granted CERST CRT (Pen) equivalency [14] by paying £350 fee to CREST.

As one of the Cyber Security professionals in Hong Kong, I am awaiting some answers from HKMA or the Party, mainly but not limited to the following:

  • Why only CBEST is specially referred or selected or promoted in the Paper? (It is only used by Bank of England at this moment and Malaysia central bank seems accept existing certifications of GIAC, CISSP, OSCP, ECEH, ECHFI) [8]
  • Is iCAST professionals will be awarded certification by CREST directly? (Unlike Australia and Singapore to introduce the CREST certification, HKMA or the Party is developing a new iCAST exams that is developed by HKIB and ASTRI with support from CREST)
  • Is CREST going to grant iCAST examinations equivalency to CREST CRT/CPSA? (The Paper never mentioned iCAST status with comparison to CREST, but I even heard sufficient rumors that iCAST is only CREST equal to a Hong Kong tailor-made penetrating testing certification)
  • Is CREST going to make iCAST examinations equivalent to CCSAM/CCSAS and CCTIM? (if iCAST did not include these parts, it is only a partial CBEST which implies it is not the same scheme promoting by Bank of England and all implying selection logic will fail)
  • How come the training programming is going to be administrated by HKIB, a banking organisation without any knowledge of Cyber Security?
  • How come ASTRI, as a research institution without clear prior cyber security working hand-on experience is selected to provide training facilities? (I heard some selection arguments because ASTRI have a simulated lab called Cyber Range and they are government body.  However, there is no specific requirements set by CREST for lab facilities and government bodies, like HKCERT has been practicing cyber security and threat alerts for over 20 years in the past, why they are not selected? Actually, CREST suggest Courses of Offensive Security Virtual Labs and CISSP in their CCSAS certification)
  • [*updated 29/6*] Last but not least, I hope HKMA is not really considering to make CISP as an equivalent to iCAST. 
I think there is NO urgent needs and in-appropriate for HKMA to create (or introduce in their term) the Professional Development Programme (PDP) which included in the Cyber Fortification Initiative (CFI) [15] because:

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips