Monetary Authority of Singapore Mandates: How to Select a Pentester to Ensure Compliance

The financial penalties for violations can be really high, and here's what you can do to avoid them.

The Monetary Authority of Singapore (MAS) is Singapore's central bank, responsible for overseeing overall money supply and economic growth in the country. The MAS is also in charge of regulating financial institutions (FIs) such as banks, capital markets, insurance and payment providers.

Adoption of digital technologies has improved the reach of Singapore's FIs, made it easier for customers to access their services, and, in the process, increased their market share. However, digital transformation is not without pitfalls. Without adequate security for their computer systems and networks, FIs might be vulnerable to attempts by cybercriminals to gain unauthorized access to internal systems and steal critical data. This could include customers' personally identifiable information (e.g., credit card number, account number, taxpayer identification number). Where a breach of personal data is likely to cause significant harm to customers, affected customers might sue the FI for damages. Apart from such financial loss, data breaches can erode customers' trust in an FI and, in the worst cases, even ruin the business. Cyberattacks (so-called distributed denial-of-service attack, DDoS) targeting an FI's servers can disrupt customers' access to the FI's services and halt day-to-day operations. That's not the end of the story.

Penalties for violating MAS standards

Depending on the severity of the personal data breach, the country's Personal Data Protection Commission (PDPC) could slap penalties on the erring FI. This apart, the MAS might impose fines on the FI ranging from $7,500 for every single day during which a cybersecurity lapse occurs to $75,000. So protecting the network boundaries and securing Internet-facing assets and services (such as banking, trading, insurance) is paramount for FIs in Singapore.

The MAS "Technology Risk Management Guidelines 13.2" require all FIs to evaluate their security by performing penetration testing (pentest) of the previously mentioned assets on an annual basis or whenever these systems undergo major changes or updates. Notably, this pentest is a cyber exercise over and above the MAS-prescribed quarterly vulnerability assessments (under 13.1). The objective of the pentest is to ascertain how well-placed an FI is in foiling an offensive cyber maneuver targeting its information, systems, and networks.

Pentest: What's covered?

The MAS-mandated annual pentest applies to all of an FI's services, applications, and services that are accessible from the Internet. Where such functions (or part thereof) have been moved to an external vendor, the pentest applies to the outsourced provider or third-party as well. The pentest is to be conducted on the environment responsible for providing services to external customers (production environment), and proper protective measures should be in place during the currency of the pentest to safeguard the production environment. When it comes to internal (non-Internet-facing) services at FIs, the pentest is optional.

Who should do the pentest?

Qualified in-house resources or third-parties are eligible to carry out the prescribed pentest. A point to note is that internal resources or external pentest providers who have been previously involved in the installation, maintenance, or support of the FI's Internet-facing assets are not eligible to perform this pentest. For assessments carried out by independent testers (i.e., testing resources not previously associated with the assets to be pentested) within the organization, the FI should consider engaging third-party pentesting providers from time to time.

What should the pentest cover?

MAS's cyber risk management guidelines mandate a combination of black box and gray box pentests for FIs. In a black box pentest, using a network scanner, the security assessor identifies and proceeds to examine vulnerable assets (e.g., operating systems, ports, services, applications) in the FI's Internet-facing environment that could be potentially exploited by a hacker operating from outside the organization's network. The pentester's understanding of the target system, in this case, is limited to IP address ranges and known URLs.

Gray box pentest, another MAS requirement, is a step up in the pentesting hierarchy. Unlike black box testing, in gray box testing, the security assessor enjoys the same access credentials as a customer (of, say, an online banking service). The pentester is provided the required URL. The gray box testing in this case is limited to the FI's business-to-customer (B2C) services (e.g., online retail banking, online corporate banking, online securities trading). Essentially, a black box pentester considers the Internet-facing assets from the perspective of an external ethical hacker, while a gray box tester has the access and knowledge levels of a user within the target system.

The MAS advisory on cyber risk management also suggests that FIs launch "bug bounty" programs with attractive cash awards to complement the annual pentest. So, ethical hackers ("white hats") will feel encouraged to 'hack' the FI's Internet-facing infrastructure to discover and report vulnerabilities. The pentest exercise, together with the bug bounty program, will help bolster the overall security of the FI's online assets.

How to choose a pentester for MAS security compliance

Often, FIs struggle to pick the right pentester who can ensure their online assets meet the stringent standards laid down by MAS. Cybersecurity experts are in short supply, but that doesn't mean an FI must accept pentesters with substandard degrees and qualification mismatches. It is certainly not easy to propose a complete range of skills for pentesters that FIs engage for this cyber exercise. Below are some skill sets and experience levels that should be top of mind for chief technology officers/chief information officers (CTOs/CIOs) at FIs when selecting pentesters.

Technical certifications

Look for certifications that serve as living proof of a pentester's practical knowledge of a broad range of security vulnerabilities, as well as her/his demonstrated experience in effectively dealing with them. These include certifications from UK-based CREST as well as Offensive Security and SANS Institute, both based in the US.

CREST; CREST Registered Penetration Tester;The candidate is expected to find a range of reported or publicly disclosed vulnerabilities across common networks, applications, and databases. ;CREST Certified Web Application Tester; The candidate is assessed for her/his potential to discover a broad spectrum of vulnerabilities in custom web applications and confirm their impact. ;CREST Certified Infrastructure Tester;The candidate’s ability to evaluate vulnerabilities and flaws at the network and operating system level is a key aspect of this assessment. Offensive Security;Offensive Security Certified Professional (OSCP);This certification assesses the candidate’s demonstrated skills and practical understanding of pentesting. ;Offensive Security Wireless Professional (OSWP);Candidates are tested for their ability to pinpoint encryptions and vulnerabilities in Wi-Fi (IEEE 802.11) networks within a limited span of time. ;Offensive Security Certified Expert (OSCE);The candidate must clear a rigorous 2-day-long test covering exploit development, antivirus evasion techniques, and vulnerability exploitation in web-based applications. ;Offensive Security Exploitation Expert (OSEE);Candidates get this certification at the end of dedicated lab tests involving unknown vulnerabilities and development of exploits in under 72 hours. ;Offensive Security Web Expert (OSWE);The candidate is required to demonstrate comprehensive skills in exploiting apps that can be accessed over the Internet. SANS Institute;GIAC Mobile Device Security Analyst (GMOB);Certificate holders would have demonstrated understanding of how to assess mobile device/application security and deal with mobile malware. ;GIAC Penetration Tester (GPEN);Certificate holders’ skill sets have been tested in real-world pentesting environments. ;GIAC Exploit Researcher and Advanced Penetration Tester (GXPN);This certificate validates that the holder is capable of conducting advanced pentests and “white hat” maneuvers to bolster system security. ;GIAC Assessing and Auditing Wireless Networks (GAWN);This certification specifically tests the candidate’s proficiency in assessing wireless network security and exploiting vulnerabilities therein. ;GIAC Web Application Penetration Tester (GWAPT);This certificate is considered demonstrable proof of a pentester’s practical skill in dealing with web application security issues, including various exploits.

Real-world experience

No certification can be a substitute for experience in real-world pentesting scenarios. A proven track record in black box and gray box pentests is a key consideration for FIs when selecting security assessors. Needless to say, the experience of a pentester must be relevant to the pentesting exercise for which she/he is being considered. There should be some degree of correlation between previous pentesting projects and the current one in terms of the nature and size of the network, systems, and applications. Ideally, the pentester must be one with prior experience in the use of mobile application pentesting tools and techniques if the FI intends the current exercise to cover mobile data security vulnerabilities.

The number of previous engagements in which the pentester has been actively involved, the testing methodology, and the breadth and depth of work undertaken are the other important selection criteria. Technical interviews can help host organizations get a measure of the pentester's knowledge of pentesting and problem-solving skills. Even so, we highly recommend that FIs make use of a vulnerability lab for a first-hand assessment of how well the skills of prospective pentesters weigh up against 'attackers.' Seasoned cybersecurity experts blog on cybersecurity issues and are often invited speakers at technical security conferences. Such thought leadership exercises demonstrate their in-depth understanding of cybersecurity assessments, including pentesting.

At the end of the day, pentesting as per MAS mandates involves dozens of assessments. Who the FI chooses to work with is going to make all the difference between success and partial success in pentesting.

At Cyberlands, our security engineers have years of pentesting experience working for large, medium, and small players in financial services. We find and fix security vulnerabilities with all speed, denying threat actors the opportunity to con FIs and damage their hard-won reputation. Our rates are very competitive as well. Reach out to our Cyberlands team now!

Cyberlands.io Team