FSS Expands Blind Penetration Testing for Financial Sector to Twice a Year... Responding to AI Threats Like 'Mythos'

As hacking threats based on artificial intelligence (AI), such as Mythos, continue to rise, the financial authorities will expand the number of blind penetration testing exercises for the financial sector to two sessions this year.

원본보기 아이콘

The Financial Supervisory Service announced on the 30th that, together with the Financial Security Institute, it will conduct the first-half blind penetration test for the financial sector during May and June.

Blind penetration testing is a training exercise designed to strengthen the financial sector’s capabilities for proactive and preventive responses to cyber threats. The exercises are conducted without prior notification of the timing or targets of the attacks. White hat hackers launch surprise attacks to assess the ability of financial companies to detect and defend against hacking attempts and to evaluate their emergency response systems.

The Financial Supervisory Service has decided to increase the frequency of the training from once a year to twice a year, reflecting the increasingly sophisticated cyber threats and recent security breach patterns in the financial sector. The scope of the training-including targets, duration, and types of simulated attacks-will be expanded to make the exercises more rigorous. The second training session will be held in the second half of the year.

In particular, this training will, for the first time, introduce 'AI red teaming,' which uncovers vulnerabilities by simulating attacks from a hacker's perspective. This will assess the ability of financial companies to respond to new security threats such as the potential for information leakage and abnormal response inducement that may occur during the provision of generative AI services.

Additionally, the training will focus on evaluating the capabilities to detect and block hacking attempts and the adequacy and speed of internal response procedures through surprise DDoS attacks, server hacking, and simulated penetration exercises. The adequacy of external access infrastructure, network vulnerabilities, and security updates will also be closely examined.

The Financial Supervisory Service plans to take immediate corrective action for any vulnerabilities identified during the assessment. Common vulnerabilities will be shared with other financial companies to strengthen the overall security capabilities of the financial sector.

In particular, the agency will continuously monitor new AI-based cyber threats, including the potential exploitation of high-performance AI models such as Mythos, which was released by Anthropic, and plans to incorporate such findings into future training sessions.

Lee Jongo, Deputy Vice Governor for Digital & IT at the Financial Supervisory Service, stated, "This training has greatly expanded in terms of frequency, duration, and scope, and has enhanced its effectiveness by broadening the assessment of major vulnerabilities that lead to security breaches to include customer-facing AI services. It will contribute to strengthening the financial sector's ability to respond to cyber threats and to preventing security incidents."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.