With TIBER-EU, the European Central Bank has published a framework that lets organisations in the financial sector protect themselves better against cyber attacks and so avoid economic damage. An organisation's own cyber security is put to the test by so-called "Red Team" penetration tests. Compared with a conventional security analysis, these have the advantage that external attackers operate under realistic conditions and with professional attack methods. This reveals how far they can penetrate the existing infrastructure and how much damage the organisation could suffer. Our SRC experts prepare your company optimally and individually for the execution of a TIBER-EU test.
In detail: What is TIBER-EU?
TIBER-EU (Threat Intelligence-based Ethical Red Teaming) enables organisations to carry out so-called threat-intelligence-led penetration tests. This type of penetration test is intended to imitate the tactics, techniques and procedures of actual, highly agile attackers. It allows organisations to develop better prevention, detection and control measures and to respond more quickly to threats, strengthening their cyber resilience. A TIBER-EU test resembles a military exercise: attackers (the Red Team) and the defending organisation (the Blue Team) face each other within a previously defined test scope, with the Blue Team not informed that a test is taking place. The Red Team attempts to compromise the organisation's critical business functions and processes, to exfiltrate data and to demonstrate that it could disrupt the live operation of the organisation's production systems. This includes attacks against IT systems as well as targeted attacks against employees (social engineering) and process structures.
What is not allowed in a TIBER-EU test?
Within a TIBER-EU test, realistic attack methods are to be used. Despite its realistic nature, however, such a test must not exceed certain limits. It is not yet entirely clear which attack methods the TIBER-DE Guide, which is still in development, will explicitly prohibit or permit. Taking the Dutch TIBER-NL Guide and the Belgian TIBER-BE Guide as a first indication, they prohibit, for example:
- the destruction of equipment,
- uncontrolled modification of data and programs,
- endangering the continuity of critical business functions,
- blackmail attempts against employees,
- threats against employees,
- bribery of the organisation's employees, and
- the publication of (partial) results of a TIBER-EU test.
What the final TIBER-DE Guide will contain remains to be seen. In principle, however, it can be assumed that it will closely parallel the guides listed above.
To whom is TIBER-EU addressed?
TIBER-EU is primarily addressed to financial market infrastructures and to the organisations and institutions that operate within them. These include banks, insurance companies, payment service providers, clearing houses, central securities depositories, credit rating agencies, stock exchanges and payment institutions. If these organisations outsource critical business functions to IT service providers, TIBER-EU addresses those providers as well. In addition, future harmonisation measures could oblige other sectors, such as electricity network operators or telecommunications providers, to carry out TIBER-EU tests.
Ready for a TIBER test?
To perform a TIBER test successfully, an organisation must properly observe, implement and master the necessary technical, organisational and data protection measures.
Drawing on their extensive financial market, IT security and compliance expertise, our SRC experts offer you optimal and individual consulting services. With the experience gained from numerous penetration tests, bank compliance and information security management projects, we are happy to accompany you through the entire process of a TIBER test.