Monthly Archive March 2017

If Brexit means Brexit, what does GDPR mean?

Politicians do tend to favour soundbites and Theresa May is no exception. So when she said that “Brexit means Brexit” some nodded their heads as if this simple statement explained everything. Others, and in particular Chief Information Security Officers (CISOs), may have found this statement inadequate when it comes to explaining exactly how the Brexit vote affects their responsibilities for data protection.

It’s not just soundbites which populate the post Brexit vote world, however; acronyms also feature heavily and the most important of them all is GDPR. The General Data Protection Regulation was drawn up pre-Brexit but is still on track to be adopted in the UK in May 2018 regardless of the timing of Britain’s exit from the EU.

The UK government will have the option to adopt it; but regardless of whether it does or not, GDPR will still apply to all organisations or businesses that hold or handle the data of any citizen within the European Economic Area (EEA). This means that any organisation handling EEA personal data and doing EEA business will be regulated under GDPR by a ‘supervisory authority’ in the EEA. This would be on top of any data protection laws in the UK.

If GDPR is enacted in the UK, which seems likely, it will replace the current Data Protection Act (DPA) 1998. If it is not, then tighter privacy laws which reflect the rules contained within the GDPR are still going to come into effect, perhaps in the form of an enhanced DPA. So there really is no escaping the inevitable, and it is important that organisations start planning for the adoption of the GDPR or its equivalent from May 2018 onwards or face the consequences. Because in short, what GDPR means is business. It imposes mandatory high tempo reporting of breaches and also carries significant fines for those organisations who fail to fulfil their obligations. These can be up to 20m Euros or 4% of global turnover.

As a first step, organisations should review and update their current administrative and technical controls. Most importantly under GDPR’s accountability heading, organisations need to demonstrate information security compliance; and under GDPR’s mandatory breach reporting requirement, solid detective controls need to be implemented.

If you need help, SRM provides three types of service. Our Virtual CISO service (VirtualCISOTM) has been developed to provide a board level / SMT strategic advisory role. It provides a cost effective route to accessing the full range of SRM professional services, supporting, resourcing and advising on all practical and strategic aspects of Information Security, including GDPR compliance. We also now provide VirtualISM to support and enhance the role of Information Security Manager. It provides the umbrella under which we deliver our delivery consultants’ expertise, providing you with an experienced ‘active’ resource to effectively deliver your initiatives and projects.

Our portfolio of classic compliance, consultancy and incident response services is available as single or multiple service offerings tailored to your specific requirements. The blend of a VirtualCISOTM and VirtualISM can provide a truly value-add service to an organisation which perhaps cannot or does not wish to directly employ either role. In short, we can provide the strategic direction and support, combined with the experienced delivery consultants you need, to help you seize the initiative in this Brexit world.

Calling in the Red Team: going above and beyond the vulnerability scan and penetration test

By Kane Cutler

In the world of information security which is riddled with acronyms, the deceptively simple ‘Red Team’ may take a little explaining. Breaking down the initial letters of industry terms usually provides a clear indication of the service provided. But the term Red Team has its origins in the US intelligence community and its actual meaning is a little more mysterious. In that context, a Red Team explores alternative futures, challenging an organisation to improve its effectiveness. In our context, a Red Team provides real-world attack simulations designed to assess and significantly improve the effectiveness of an entire information security programme.

So, once you have undertaken a vulnerability assessment followed by a penetration test, engaging a Red Team is the next step. Its purpose is to go beyond the basic measures, subjecting your in-scope systems/applications to more advanced, persistent and bespoke attack scenarios.

The key difference between a penetration test and a Red Team engagement is the extent of scope, which replicates the wider view an actual attack would have. While a penetration test is often focused upon a key application or system and is scoped following threat modelling, a Red Team engagement is fully bespoke and often ‘goal orientated’. This goal will often be: ‘we have this highly sensitive network/piece of data – can you get access to it?’

As a result, Red Team engagement includes a wide variety of applications, systems, people and physical locations within the scope of testing. Naturally the extent to which the Red Team will operate and engage will be defined by you, but it will take a wider view of potential attack vectors and mirror a persistent attacker. A Red Team engagement will therefore have free rein in terms of attempting to gain access to the defined goal whilst ensuring a controlled approach through in depth scoping.

In addition to the activities included as part of a vulnerability assessment and penetration test, the Red Team will also employ a variety of other attack methods – such as Open Source Intelligence Review (OSINT), Phishing, Vishing, Smishing, Wireless Exploitation, Physical Testing and ‘Drop Box’ placement. Naturally the use and scope of these attack vectors will be driven by client requirements and the defined goal.

The benefit of this approach is that it allows you to validate your protection, monitoring and response solutions or processes. This helps ensure your organisation can respond to an emulated ‘real-world’ attack in which varying avenues of approach can be used, rather than a limited focus on a single system.

The ultimate goal is to use offensive techniques to enable you to identify areas for improvement and/or to validate the capability of your response.

In the event that some of the attack methods don’t fit with your requirements (e.g. you don’t want Physical Intrusion/‘Drop Box’ placement), then a Red Team approach may not be for you yet. However, SRM are able to fully tailor a testing solution that fits your needs in order to provide the most value to you. Where physical testing is not in scope, you may benefit more from penetration testing with a wider defined scope, coupled with Phishing.

If you feel any of the above may be of benefit to you and your organisation, or if you simply would like to hear more, please don’t hesitate to get in touch.

SRM Blog