SRM Blog

Grey Monday

How a correctly scoped penetration test will future-proof your organisation against real-world cyber attacks.

In the aftermath of Black Friday comes Grey Monday: the day of reckoning. Because although shoppers were at their most active on Friday, so were attackers.

If you are confident that your defences held out then you will watch the unravelling news stories with some satisfaction. But you will also be under pressure from stakeholders to ensure that your organisation will continue to protect itself into the future. That assurance cannot be given if your defences rely solely on the findings of automated penetration tests.

Because there is a fatal flaw: automated penetration tests only reveal potential vulnerabilities to predictable or automated attacks. They do not allow for the flexibility and agility of a human mind with malicious intent, and in the real world that is your greatest threat.

Simple compliance with industry standards, with or without the use of automated penetration testing technologies, will not provide protection against a motivated and determined human attacker.

So what is the answer? Human intelligence. Even highly automated, well-resourced and advanced networks employing sophisticated counter-measure technologies are no match for a determined human attacker. Although automated scans and technologies are invaluable tools, it is the human mind that can think laterally, that can both analyse and synthesise, and that can scope a penetration test so that it is truly effective against a human attacker.

That is why we are offering a free vulnerability assessment to establish a true picture of your potential risks and to identify attack vectors within your specific cyber environment. Simply email us.

On completion of your free assessment you will receive a comprehensive report; the test results will be explained to you by an experienced Information Security consultant. This will provide you with the information required to scope a penetration test which is truly effective.

The Internet of Things and how your doorbell might just be attacking Amazon

We hear a lot about the Internet of Things (IoT) on the web nowadays, and the TV is full of adverts for central heating systems that you can control from your smartphone or tablet. There are Wi-Fi-enabled doorbells that contact you on your phone when the postman is leaving a package at your home, and IoT light bulbs and power sockets can be bought at your local DIY store too. It looks as though this is mainstream now, and not just for us techie blokes who like something new to talk about in the pub.

The big unanswered question at the moment is how safe these things are. There have been some horror stories about Wi-Fi-enabled baby monitors exposing images of sleeping children to the world, and the most recent case of the Mirai malware found on IoT devices demonstrates just how susceptible any internet-connected device can be to exploitation. In the Mirai case, malware was deployed to various devices globally, and it seems that a large proportion of them may have been IoT devices. The malware was responsible for a huge Distributed Denial of Service (DDoS) attack aimed at the DNS provider Dyn on October 21st. This in turn disrupted services as far and wide as Amazon, Netflix, PayPal, Twitter and GitHub. Serious stuff, then, but how on earth did this happen?

To the average user, these IoT devices are just appliances that you plug in and forget about, so how could they be developed into a threat? Well, by their very nature, they are not to be thought of in the same way that I think about my good old-fashioned Dualit toaster. These devices are intelligent and programmable and can be susceptible to malware in the same way as your desktop computer. The same security precautions should be taken to ensure that they do not pose a threat.


The Mirai malware turns the infected device into a member of a botnet, a collection of devices that can communicate with one another for various purposes (the word botnet is derived from the words robot and network). This piece of malware has been responsible for several DDoS attacks in the last 12 months, but the attack of 21st October seems to have been the most significant in size. It would appear that the number of IoT devices becoming infected is on the increase, and there is strength in numbers; in fact, botnets rely on this.

So, what can be done? Well, it is often hard to tell if your webcam or doorbell has become infected, as it still operates as normal. It might get a bit temperamental at times (but don't we all). It is important, however, to ensure that the firmware is updated regularly and that any default passwords and accounts are removed upon installation. The malware checks for open default accounts and utilises these to gain control of the device. It has been the advice of many security experts over the years, but now it really does hit home: remove any default accounts and passwords from any device before you intend to use it, and check that the firmware is kept up to date. It might go against the grain to patch your doorbell or your webcam, but it might just be possible that it is launching an attack on a global website whilst you sip your coffee. Food for thought indeed!
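As an added illustration of the advice above (example code written for this post, not SRM's or any vendor's tool), here is a small Python check that reads a device's authentication log and flags sources that cycle through factory account names, plus any successful login on such an account. The syslog-like line format, the sample lines and the list of default account names are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed syslog-like format (not from any real device).
SAMPLE_LOG = """\
Oct 21 11:02:13 doorbell login[412]: FAILED LOGIN for root from 203.0.113.5
Oct 21 11:02:14 doorbell login[412]: FAILED LOGIN for admin from 203.0.113.5
Oct 21 11:02:15 doorbell login[412]: FAILED LOGIN for support from 203.0.113.5
Oct 21 11:02:16 doorbell login[412]: FAILED LOGIN for user from 203.0.113.5
Oct 21 11:02:17 doorbell login[412]: ACCEPTED LOGIN for admin from 203.0.113.5
Oct 21 11:30:02 doorbell login[417]: ACCEPTED LOGIN for homeowner from 192.0.2.10
Oct 21 11:45:41 doorbell login[421]: FAILED LOGIN for root from 198.51.100.7
"""

# Hypothetical set of factory account names a vendor might ship enabled by default.
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "service"}

LINE_RE = re.compile(r"login\[\d+\]: (FAILED|ACCEPTED) LOGIN for (\S+) from (\S+)")


def analyse_auth_log(text, threshold=3):
    """Return (scanning_sources, default_account_logins).

    scanning_sources: source addresses that tried at least `threshold`
        distinct default account names, i.e. the credential-cycling pattern
        of a worm looking for still-enabled factory accounts.
    default_account_logins: (source, account) pairs where a login on a
        default account actually succeeded, which means the account was
        never removed and the device should be treated as compromised.
    """
    tried = defaultdict(set)  # source address -> default accounts attempted
    accepted = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not login events
        outcome, account, src = m.groups()
        if account in DEFAULT_ACCOUNTS:
            tried[src].add(account)
            if outcome == "ACCEPTED":
                accepted.append((src, account))
    scanners = sorted(src for src, accts in tried.items() if len(accts) >= threshold)
    return scanners, accepted


if __name__ == "__main__":
    scanners, logins = analyse_auth_log(SAMPLE_LOG)
    print("Sources cycling through default accounts:", scanners)
    print("Successful logins on default accounts:", logins)
```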

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

How a CISO can exert influence at board level

Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” As he is perhaps best remembered for his infamous ear-biting antics, he is unlikely to be a role model for many of today’s Chief Information Security Officers (CISOs), but the former heavyweight boxing champion does have a point. The biggest challenge faced by CISOs today is not the need to defend against known risk, but to identify the potential gaps in their own strategy. In short, to intuit what may be the ‘unknown unknowns’.

Because it is not simply a question of rolling with the punches. Like any good boxer, the CISO's best defence is anticipation. They need to step back from individual skirmishes and establish a strategic defence against potential blows which may not yet have been considered, even by their opponents. And the most valuable skill they can possess to facilitate this? It is not a heavyweight knowledge of the information security domain, but the ability to influence.

For while protection against known risks can, to an extent, be delegated to the wider CISO team, the senior CISO cannot dodge the essential forward-thinking leadership role required. They cannot simply oversee comprehensive risk analysis, the integration of appropriate security tools and the development of a security culture; they must also ensure that they influence in such a way that priority is given to the organisation’s defensive strategy.

So, in addition to a high level of technical expertise, a thorough understanding of the business model and an ability to mitigate risk, the CISO needs to articulate the state of information security to the company stakeholders and lead employees. They need to do this to ensure that resources are available to defend against the (as yet) unknown. And for this the CISO must possess influence; and that influence needs to be at board level.

Now few would argue with an irate Tyson but in reality his approach is not usually the best model for those wishing to exert board level influence. Influence comes from confidence – both inner confidence and the ability to engender confidence in others. If fellow board members consider the CISO to be fully informed and strategically prepared, they are more likely to listen attentively. If they feel that funding and time are requested in a pragmatic way, with no unnecessary extras, then they are more likely to allocate resources.

The VirtualCISO™, developed by SRM to meet this need, provides CISOs with all the resources and tools necessary to fulfil their role at the highest level. But it also provides strategic guidance from a designated, highly qualified industry expert with an excellent knowledge of the wider sector and a detailed knowledge of the businesses with which they are working. Through collaboration and understanding, a detailed and cost-effective road map can be developed, arming the CISO with the muscle required for board-level influence.

The buck stops here: advice for the new CISO on campus

As Universities return for the beginning of a new academic year, never has the role of Chief Information Security Officers (CISOs) been more important. Some will be continuing an ongoing strategic campaign while others may be settling into new roles and, quite frankly, may be wondering what on earth they have let themselves in for.

Because not only are they expected to be responsible for the strategic leadership of the University’s information security program, they are also required to anticipate and respond to the fastest-moving environment on campus without ever getting it wrong. For just one breach will have huge financial consequences and a catastrophic impact on the reputation of the University.

Like any business, a University's reputation is a precious, and marketable, asset. And like any other business, its employees have other jobs to concentrate on. Those who work in a University environment know that academics are not always the most collaborative of souls; some even liken managing whole-campus efforts to that most difficult of tasks, namely herding cats.

Yet, working in collaboration with everyone from the maintenance crew to the senior professors is essential. Because, without their full involvement, precious information cannot be protected from some of the most intelligent and ingenious minds of a generation who, for whatever reason, have opted to use their talents for the Dark Side. Cyber criminals and the webs they weave are not only brilliantly clever, they are also constantly evolving.

So, where should a newly appointed CISO begin? Here is a suggested plan of action for the first 30 days:

  1. People: get to know the people you need to have good working relationships with. These will include your colleagues in the IT department as well as key stakeholders across all other departments;
  1. Job description: review your job description. This will tell you what is expected of you but it is important to ascertain what may have been omitted so that you can pre-empt any resource issues;
  1. Resource: assess the resources of the IT security department and review its existing services and activities. Now is the time to establish what you have or are reasonably able to establish as well as what additional resource or expertise you may need to contract in;
  1. Guidance: access all available guidance but be cautious about believing everything you read. Prioritise advice provided by industry experts with a proven track record and experience in this particular field;
  1. Belt and braces: think strategically about how your department can, from the outset, fulfil its designated role: ensuring the safety of all personal data, information and systems. The buck stops here.
  1. Register with SRM to receive updates on the role of CISOs in Universities.

VirtualCISO: the philosophy of product development

The Dalai Lama said: ‘When you talk, you are only repeating what you already know. But if you listen, you may learn something new’. It is, of course, doubtful that he was thinking of the world of information security when he came up with these words of wisdom, but they can and do apply to all of us involved in this constantly evolving industry. And nowhere more so than in the sphere of product development. After all, coming up with a product or service because it makes sense to the developer is a bit like repeating what you already know. Whereas, working on a new service with major input from existing clients, responding to a genuine gap or problem, will in turn meet a genuine need.

That is how SRM set about developing its VirtualCISO™ service. As an organisation, we do not sell products or impose structures on clients; we work with them. And through this approach, we build good working relationships based on a thorough knowledge of their businesses and the understanding that we are there to support, guide and facilitate them in achieving their goals. Our consultants never sell services or products their clients do not need. In short, they don't talk; they listen.

So it was a natural development when our consultants were increasingly hearing requests from Chief Information Security Officers (CISOs) for support with their roles. At one end of the spectrum are those who simply want the whole problem effectively managed by an expert team. Others, for example, know what they need but want strategic guidance for long term plans or support in the board room. Because as the world of cybersecurity becomes increasingly challenging, so has the role of CISO. In blunt terms, the buck stops with them and that is particularly daunting when that individual is to be held accountable for any single breach of the company’s defences.

Through collaboration and listening we know that the challenges faced by different CISOs vary. But by pooling the accumulated wisdom of their collective experience, as well as the knowledge of our highly experienced consultants, we are developing a service which will provide users with an unrivalled resource to address specifically identified existing problems while also enabling them to pre-empt potential future issues.

After a development phase lasting many months, we are delighted to be able to say that the VirtualCISO™ will soon be launched to a wider market. We have worked with, listened to and responded to the needs of all types of business: large corporates, SMEs and micro businesses as well as national government, health and educational institutions. And while their specific requirements may vary, the VirtualCISO™ has been developed to be flexible and responsive to this wide range of need.

Look out for an announcement at the beginning of Q4 2016 that the VirtualCISO™ is live. If, in the meantime, you would like to be involved with the last stages of product development or have any specific questions, please contact us.