The penetration test – a test of faith?
By Kane Cutler, PCI QSA, Tiger QSTM, CEH
Although statistics show that skydiving is a relatively safe pastime, things do sometimes go wrong. Since 2004, 653 people have lost their lives and, in spite of improved safety guidelines, two of the four fatalities suffered by the world’s skydivers last year were the result of parachute malfunctions. The relevance of this to the penetration test may seem tenuous, but consider this: each of the individuals who lost their lives almost certainly had faith in their equipment. In the same way, people managing organisations may have faith that their cyber security is fail-safe, yet the evidence proves that faith in an untested environment is not always well-placed.
So when considering the question of risk, those responsible for cyber security should ensure that the effectiveness of any plan for protecting applications and infrastructure goes beyond simple faith. The penetration test is a crucial tool in this safeguarding process. But before considering what a penetration test is, it is worth looking at what it is not. It is not a vulnerability scan, a compliance audit or a security assessment; penetration testing stands apart from these efforts in a few critical ways.
A penetration test does not stop at simply uncovering vulnerabilities: it goes to the next step by actively exploiting those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organisation’s IT assets, data, humans, and/or physical security. Simply being compliant does not ensure real-world protection.
A penetration test is designed to answer the question: ‘What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?’ Automated tools and process frameworks may give some degree of reassurance, but they do not allow for the infinitely flexible nature of a human mind that is armed with motive and determination. So it is the human mind that is also the most effective defence. An individual tester or a team of testers is able to think laterally; they can both analyse and synthesise. Even highly automated, well-resourced and advanced tooling employing sophisticated counter-measure technologies, while useful as part of the testing process, is no match for human intelligence.
Some automated penetration tests limit their scope to only one target via one vector. A full penetration test allows for multiple attack vectors to be explored against the same target. Often it is the combination of information or vulnerabilities across different systems that will lead to a successful compromise. While the automated test may have provided some valuable results, these results are only useful within the same context the test was conducted.
A properly executed penetration test will determine the feasibility of a particular set of attack vectors. It will identify the higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence. It will identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and will assess the magnitude of potential business and operational impacts of any successful attack. But for it to be truly effective, establishing the scope of the penetration test at the outset is key.
The scope will be dependent on what the drivers are for the organisation and these will determine the stated goals. These drivers may also influence other aspects of the engagement such as target selection scope, assumptions, and even funding ceilings that limit the amount of time a test team has to explore and compromise the organisation’s assets.
The importance of determining the right kind of penetration test for an organisation, and its scope, cannot be overstated. Ultimately, if we care about the security of people and data, it is the real-world threat that counts rather than any box-ticking exercise.
Learning to love the new EU cyber security regulations
2015 ended on a bombshell of legislative changes, creating an air of unwelcome uncertainty for businesses. Yet they need not be a cause for concern. The announcement of the new EU cyber security regulations on the 8th of December 2015 should present no problem to those who have already embraced PCI DSS. And on the 15th of December, we were in fact introduced to a clearer, broader and more relevant Data Protection Act. While its arrival has raised a number of complex questions, and anxiety about how to address them, the dynamic nature of our industry and the unrelenting pace at which we implement change suggest that we are better equipped to prepare for what lies ahead.
In fact, these moves by EU regulators are a welcome justification of the work that we do. And for businesses, taking a holistic approach to the multiple compliance requirements will result in a much reduced workload for staff, a less-onerous financial commitment and will provide a better planned response to any unwelcome (but probably inevitable) incident.
What is more, time is on our side. The changes to the Data Protection Act are set to take place by 2018, giving us ample opportunity to regroup and continue to lead the way in cyber security practices.
The common issues surrounding PCI DSS, the General Data Protection Regulation (GDPR) and the General Cyber Security Regulations are probably old news to you. However, the new components of the data protection law have highlighted the importance of having strategies in place to address them. We must implement the best, and plan for the worst.
Whether embarking on a new PCI compliance program, or reviewing the controls in an already compliant environment, the same principle should apply: identify the scope and document it. Our initial advice is always the same:
- Know what data you store;
- Identify all areas where that data is stored (backups, local storage and even historic paper files);
- Identify how this data is protected;
- Document this in a formal risk assessment – leaving no stone unturned;
- Most importantly – identify whether that data needs to be retained at all.
As compliance with the PCI DSS for any entity that stores, processes or transmits card payment information has been mandatory for some years now, there are many organisations that have embedded this into business-as-usual practice. PCI DSS is only a baseline to follow, after all. These companies are now looking at taking this to the next level and using this ‘best practice’ across all data repositories. These are the people that will be one step ahead of the game when the new EU rules come into play.
Children’s web usage increases
by Michelle Ali
Time spent online exceeds time spent watching TV – 2016 statistics on children’s use of the Web
The year 2015 was described by the research agency Childwise as one of “landmark change” due to the significant increase seen in the amount of time children spend online. It is the vulnerability associated with this ever-increasing usage of online services by children that was the inspiration behind SRM’s Virtual E-safety officer (VE-SO) portal.
According to an annual survey which tracked children’s media behaviour in the UK (based on 2,000 5-16 year olds), there was a 50% increase in the ownership of tablets by 5-16 year olds compared to the previous year (2014).
According to the Childwise Monitor report 2016:
- 7-16 year olds spend 3 hours a day online and only 2.1 hours watching TV
- 15-16 year olds spend 4.8 hours online a day
- 60% of children watch TV via phone, tablet or laptop
- 38% of children do most of their viewing on demand
- Among 15-16 year olds, less than 25% watch TV whilst it is broadcasting
- 32% had no favourite TV programme
- Among television services, Netflix emerged as the most popular choice overtaking all conventional TV Channels
- When asked about their viewing in the previous week, 50% had watched programmes on Netflix, 47% had watched programmes on ITV 1 and 46% had watched programmes on BBC 1.
- YouTube is used every day by almost half of 16 year olds
- 74% use YouTube to watch programmes, whereas 40% use iPlayer to watch programmes.
Parents – Things to think about
The maturity of broadcasting allows it to be a much safer means of entertainment for your children. There are rules and regulations in place to ensure the content your child is exposed to is appropriate. The boundless nature of the internet, however, means these same regulations cannot be put in place to protect your child, as anyone can upload anything online.
An example of a regulation that has been put in place to protect what your child views is the Watershed. This ensures that your child is not exposed to adult content before 9pm. Examples of adult content include, but are not limited to, graphic violence, horror, strong language, nudity, sexual intercourse, gambling and drug use, or references to these themes without necessarily portraying them. In most countries, the same set of rules also applies to advertisements on radio and television, both for the content of the commercial and the nature of the product or service being advertised.
The boundless nature of the internet means that there is no law restricting what can be shown or at what time it can be shown. Nevertheless, companies like YouTube take it upon themselves to stop children from viewing certain videos by having age restrictions in place. YouTube uses the age on an account to determine what content a user is exposed to. However, this can easily be overcome by simply opening a fake account with a false age (above the age of 18). Furthermore, there are millions of video providers that don’t implement age restrictions and give access to all visitors.
The internet, by its very nature, provides little or nothing in the way of monitoring or protection for young people, unlike the regulated broadcasting organisations, and more and more young people are using it for entertainment. There are many child monitoring tools that allow you to see what your child is being exposed to, as well as imposing limits at your discretion. Currently, this is the best way to protect your child from inappropriate content.
There are many products out there to help parents monitor and control the content their child has access to. A good example is K9 Web Protection. This is a free monitoring tool that allows parents to control what their child is exposed to, using features such as content filtering and site blocking. Products like this allow parents to make their children’s internet a safer place.