In Russia, hackers may be involved in measures to strengthen control over the stability of credit institutions to cyber attacks. IT-auditors may be obliged in a test mode to crack the security systems of Russian banks with the involvement of white hackers.
Artem Sychev, Deputy head of the information security department of the Central Bank, said that the regulator, together with the FSB and the Federal Service for Technical and Export Control, is currently developing standards to assess the quality of work of independent companies that verify the reliability of bank infrastructure.
The representative of the Central Bank refused to clarify any details, however, sources say that one of the main standards for IT auditors will be a “full simulation of cyber attacks” with the participation of specialists with the same skills as potential hackers.
It is assumed that during such tests, specialists will reproduce the actions of real attackers, from penetration into the company’s network to gain full control over its infrastructure or individual applications.
The head of the information security department of the Moscow Credit Bank Vyacheslav Kasimov agreed that the only way to qualitatively assess the security of the Bank’s IT system can only be a complete simulation of a hacker attack.
Banks often make checks of their stability not for themselves, but for the regulator, so it has the right to set its own rules for conducting IT-audit, said Viktor Dostov, head of the Electronic Money Association.
According to Dostov, additional control will strengthen the protection of Russian money in the conditions of regular leakage of information from credit organizations.
Earlier E Hacking News reported that the Central Bank has a new punishment for banks for poor cyber defense. It will launch a new feature for credit institutions, it will be the risk profile on the level of information security. Depending on the risk profile on the level of cyber security, the Central Bank will give recommendations to banks. A financial institution that receives a low-risk profile will have consequences ranging from enhanced supervision to penalties.