Posts by: Julia Wailes-Fairbairn

Cyber resilience: it’s a board level issue

The problem with cyber resilience is in the name. When it comes to managing the risk posed by potential hackers and the requirement for robust testing and defence protocols, it is often frequently parked under the responsibility of the IT department. But cyber resilience is not simply something for the IT department to worry about: it should be a cause for concern for the whole board. It is a business consideration, not simply an IT one, affecting business continuity and the bottom line as well as having the potential to damage an organisation’s reputation and the very core of its business operation.

Yet recent research by management consultancy Deloitte reveals that only one in five FTSE 100 companies share detail of their testing and online business protection plans with their boards on a regular basis. In fact, the research shows that only 21 per cent of UK Blue Chip businesses regularly share security updates with their boards.

There may be good reason for this. At first glance, providing details of their penetration testing strategy, which identifies vulnerabilities within their IT systems, may be thought to provide potential hackers with valuable information. But this outlook is simplistic. Boards and investors require the reassurance that a meticulous and robust cyber resilience strategy is in place, even though they do not, and should not, require precise detail.

A more likely reason for the low profile of cyber resilience planning is the much-publicised skills shortage of cyber expertise within organisations. Deloitte found that only 8 per cent of companies had a member of the board with specialist technology or cybersecurity experience. A similar figure applies to the number of companies that also disclose having a Chief Information Security Officer (CISO) within their executive team. But if the IT department is not equipped or does not have C-Suite influence, then there is a huge potential problem. Boards should therefore look to supplementing their resource with skilled professional expertise with the required skillset and the capability of engaging board level involvement.

This is simply applying the same resource to the IT department which other departments already have. The financial department has board level representation and external expertise in the form of professional accountancy firms. No one expects the legal department to handle all the organisation’s legal requirements; professional and specialist expertise is required. A similar level of resource should be provided when it comes to cyber security. Not only should the CISO have board-level influence, but they should be supported by experienced professionals. Cyber resilience specialists have a much wider range of knowledge and experience than just one organisation, and are able to add significant value. This is not only because they can direct expenditure to meet precise requirements, but also because they can anticipate future threats.

While IT departments may currently be adequately resourced to manage on a day-to-day basis, it is not enough to simply protect against known threats. Penetration testing must go several steps further because organisations are vulnerable to a vast range of threats which are unknown and unforeseen. Experienced professionals will use a combination of automated testing, to identify the threat areas, and manual testing to develop, explore and investigate these vulnerabilities. Only in this way can organisations have any level of defence against unknown threats.

Every member of the board has an invested interest in the development and delivery of a robust cyber resilience strategy. If in doubt, each and every member of the board should ensure that it is on the agenda at every board meeting.

SRM has an unrivalled reputation in the delivery of all types of information security, including cyber resilience. With a keen awareness of how organisations operate, our team works with minimal disruption and maximum effect, providing an outstanding level of defence. However, no one can (or should) provide total guarantees; but be assured that having a retained expert with a detailed working knowledge of an organisation’s systems, means that meticulous mitigation plans will be in place and swift remedial action taken in the event of an attack, reducing its impact and minimising its disruption.

For more information on our consultancy services see our website.

Our see our blog:

Shipping news: how to manage a ransomware attack

It’s not a question of if, but when

What is Red Team engagement?

For a no obligation discussion about how SRM can support your business, contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or phone 03450 21 2151.

How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks

The recent April 2018 Trustwave Global Security Report reveals new global trends in the world of cyber hacking; most notably a move away from smaller high volume point-of-sale (POS) hacks in favour of more sophisticated attacks on larger service providers and their corporations’ head offices, using phishing and social engineering. Attacks on corporate and internal networks increased by 7 per cent to 50 per cent. Within the corporate or franchise networks, the most common cause of compromise was phishing and social engineering which accounted for 55 per cent of attacks.

Perhaps even more alarming, however, is the reported number of breaches instigated by ‘insiders’. The latest Verizon Data Breach Investigations Report (April 2018), found that 25 per cent of all attacks are perpetrated by insiders who intentionally allow access to systems, or exploit systems themselves, for reasons of financial gain, espionage or simple misuse.

So, how can an organisation protect itself from phishing and social engineering? Or from malicious insider threats? A short term strategy would be to establish systems which regularly monitor and provide alerts in the event of attack. In this way, at least the organisation will have early warning if an issue occurs. But it is rather like bolting the stable door after the proverbial horse has already bolted, leaving a swathe of chaos, financial loss and reputational damage in its wake.

Where breaches are accidental, a strategic approach would include education. This is particularly important when social engineering and phishing attacks often target all levels within a company, including junior staff, hoping to gain data on more senior staff. This is sometimes seen as ‘CEO fraud’ which tricks senior executives into authorising fraudulent financial transactions. Everyone within an organisation must be aware of the potential risk of accidentally divulging sensitive information.

To develop a level of resilience against phishing and social engineering attacks, however, a more aggressive form of defence should be an integral aspect of any defence strategy. This would include a robust test and exercise programme, which uses a synergy of automated and manual penetration testing to identify vulnerabilities and explore these to identify specific areas of weakness. Using this approach, with the right professional guidance, an organisation will be able to anticipate and build in levels of protection.

When a breach is deliberately engineered by an organisation insider, however, these steps may not be sufficient. Given that the insider has access to privileged information about a system, they are in a unique position to develop and exploit undiscovered potential weaknesses. This is where the Red Team comes in.

Red Team engagement provides real-world attack simulations, designed to assess and significantly improve the effectiveness of an entire information security programme. This is achieved through a combination of simulated social engineering attacks; both physical and technical, as well as network and application attacks developed specifically for an organisation and delivered by highly trained ethical hackers. The benefit of this approach is that it allows organisations to validate their protection, monitoring and response solutions.

SRM has an unrivalled reputation in all aspects of Test and Exercise as well as delivering Red Team engagement. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mindset of a genuine hacker.

To find out more about SRM’s Test and Exercise services (including Red Team) visit our website.

See a recording of our webinar ‘GDPR: the roles of manual and automated penetration testing’

Or see our blog:

Penetration testing: man vs machine

What is Red Team engagement?

If prevention is to be an achievable goal we cannot rely on static defences

Or contact Mark Nordstrom at mark.nordstrom@srm-solutions.com or on 03450 21 21 51.

PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?

More than 40 organisations, including McMillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.

The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher, compared to cash donations and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further with things like the Helping Heart jacket, developed so digital donations can be made via this piece of clothing worn by collectors to a homeless charity, and the Blue Cross ‘tap dogs’ who wear a vest with a sewn-in pocket that holds a contactless device.

So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.

Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper vigilant when it comes to the Data Security Standard (PCI DSS) and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust, will reduce the potential of being breached.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as all shapes and sizes of businesses and organisations across various business sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.

For more information on SRM’s PCI services please visit our website.

Or visit our blog:

Network intrusions are on the increase: time to engage a Retained Forensic specialist

 

eDisclosure webinar: seven reasons why your firm should consider a managed service

SRM is hosting a free eDisclosure webinar on Wednesday 18th April at 3pm.

We find ourselves in an ever changing eDisclosure landscape. Join us for our upcoming webinar during which the head of our eDisclosure team Colin Gray will explore the seven reasons why your firm should consider a managed service rather than addressing eDisclosure on an ad hoc basis.

All you need to do is register here.

Penetration testing: man vs machine

We already know that the concept of thinking like a potential hacker is the basis of penetration testing. But merely thinking like a hacker is not enough. We must also act like a hacker. They do not simply rely on their own intuitive genius to breach the systems of target organisations. They use a combination of automated tools and human intelligence to deliver their devastating results. So we must emulate this approach to secure our own defences. It is not a question of man or machine; like the hackers we must use a synergy of both.

When the whole HBO Game of Thrones attack occurred last August Mr Smith of the so-called White Hat Hackers issued a statement which made the point that his organisation invested $400 – $500,000 dollars a year on purchasing automated exploit tools. They then used the information this provided to arm their human hackers with the information required to further develop and exploit the weaknesses they discovered.

So when we at SRM develop a penetration testing strategy we use both automated tools and manual testing to deliver the best results.

Automation has a vital role to play and lays the groundwork for the penetration test. No human can deliver the rapid results that an automated tool can. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through a just a handful of these doors but which ones? To identify where the vulnerability lies you must test each and every door; a task which if done manually would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, it identifies where the potential vulnerabilities are, putting you are in a position to accurately deploy the next level of attack tool: penetration testing.

To take the analogy a step further, the penetration test, conducted by highly-trained and experienced individuals, then opens the doors that have been identified and explores deep into the underlying infrastructure to examine what is lurking behind them. At the most sophisticated level of penetration testing (Red Team engagement) we then turn that thought process on its head and also test the procedural, social and physical components to replicate the wider view of an attack. Using an adversarial mind set, we think like a motivated hacker and help to develop strategy and policy making which anticipates as yet unconsidered vulnerabilities.

To find out more about the synergy of automated and manual penetration testing, see our pre-recorded webinar in conjunction with AppCheck, our automated tool partner. In this 30 minute webinar which took place on 8th March, Andrew Linn of SRM and James Nelson of AppCheck explain how both man and machine have a role to play in a resilient defence strategy.

To log in to the webinar GDPR: the roles of manual and automated penetration testing, click here.

Or visit our blog:

What is Red Team engagement?

If prevention is to be an achievable goal we cannot rely on static defences

Or see our website Test and Exercise pages.

 

SRM Blog

SRM Blog