With TIBER-EU, the European Central Bank has published a framework with which companies in the financial sector can better arm themselves against cyber attacks in order to avoid economic damage. A company’s own cyber security can be checked using so-called “Red Team” penetration tests. Compared to a simple security analysis, this has the advantage that external attackers work with professional attack methods under real conditions. This reveals how far they can penetrate the existing infrastructure and to what extent the organization could be damaged. Our SRC experts will prepare your company optimally and individually for the implementation of a TIBER EU test.
In detail: What is TIBER-EU?
TIBER-EU enables organizations to carry out threat and intelligence-led penetration tests. This type of penetration test is designed to imitate the highly agile attack methods of actual attackers. This enables organizations to develop better prevention, security and control measures and respond more quickly to threats. This strengthens their own cyber resilience. The TIBER-EU test resembles a military-style exercise. Attackers (Red Teams) and the defending organization (Blue Teams) fight each other within a previously defined test scope. The Red Team attempts to attack the critical business functions and business processes of an organization, steal data and disrupt the live operation of the organization’s productive systems. This includes attacks against information technology systems as well as targeted attacks against employees and process structures.
What is not allowed in a TIBER-EU test?
The TIBER-EU tests should use methods that are close to reality. However, despite its proximity to reality, such a test must not overstep the boundaries under any circumstances. It is not yet completely clear which attack methods will be explicitly prohibited or permitted by the TIBER-DE guide, which is still under development. For a first impression, the Dutch TIBER-NL and Belgian TIBER-BE-Guidethese prohibite.g:
- the destruction of devices,
- uncontrolled modification of data and programs,
- Endangering the continuity of critical business functions,
- Blackmail attempts against employees,
- Threats against employees and
- Bribery of employees of the organization and
- the publication of (partial) results of a TIBER-EU test.
What will ultimately be in the TIBER-DE guide remains to be seen. In principle, however, it can be assumed that there will be parallels to the guides listed above.
Who is TIBER-EU aimed at?
TIBER-EU is primarily aimed at financial market infrastructures, organizations and institutions that operate within financial market infrastructures. These are, for example, banks, insurance companies, payment service providers, clearing houses, central securities depositories, credit rating agencies, stock exchanges or payment institutions. If these organizations outsource critical business functions to IT service providers, TIBER-EU is also aimed at them. Secondarily, other sectors, such as electricity network operators or telecommunications providers, could also be obliged to carry out TIBER-EU tests as part of harmonization measures.
Are you ready for a TIBER test?
To successfully implement a TIBER test, organizations must properly observe, implement and master the necessary technical, organizational and data protection measures.
Against the background of their extensive financial market, IT security and compliance expertise, our SRC experts offer you optimal and individual consulting services. With the experience gained from countless penetration tests, banking compliance and information security management projects we are happy to guide you through the entire process of a TIBER test. You can find more information here.
