If prevention is to be an achievable goal we cannot rely on static defences
SRM is at the PCI London event in London on 25th January, presenting on The Synergy Between Automated and Manual Penetration Testing.
How a responsive Test and Exercise strategy requires the synergy of both automated and manual testing to keep pace with a constantly evolving threat environment
Prevention is undoubtedly better than cure, particularly in the context of a potentially damaging data breach. In a world where the threat landscape is constantly changing, however, if prevention is to be an achievable goal, we cannot simply rely on static defences. Our defences need to evolve in line with the ever-changing threats and vulnerabilities we face and the only way to identify these is to act counter-intuitively. We need to challenge our own procedures and attack our own defences. If we do not, someone else surely will.
Using these offensive techniques enables us to validate the capability of our existing responses and, even more importantly, identify areas for improvement. A responsive strategic approach to data security requires constantly updated intelligence which can only be provided by a combination of both automated and manual test and exercise tools. Neither is fully effective without the other. The key is the synergy of the two: we cannot mount an effective defence without employing both the speed and rigour of the automated tool and the agility and ingenuity of the human mind. After all, hackers use both so we must too.
The first essential tool in the attack arsenal is the automated vulnerability test. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through a just a handful of these doors but which ones? To identify where the vulnerability lies you must test each and every door; a task which if done manually would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, this identifies where the potential vulnerabilities are, putting you are in a position to accurately deploy the next level of attack tool: penetration testing.
A penetration test effectively opens the doors which have been identified in the vulnerability scan and explores deep into the underlying infrastructure to examine what is lurking behind them. Designed to answer the question: ‘What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?’, it goes to the next level by actively exploiting those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organisation’s IT assets, data, humans, and/or physical security.
More broadly, a full penetration test of an organisations infrastructure utilises the value of automated tests to lay the groundwork at the start of the process. Expert penetration testers will then put themselves into the mind of potential attackers, exploring and exploiting all opportunities. An individual or team of testers are able to think laterally; they can both analyse and synthesise. As systems become more complex, the ‘attack surface’ continues to grow and the potential number of ways a hacker gains access is ever expanding, making this technique increasingly valuable.
A properly executed penetration test will determine the feasibility of a particular set of attack vectors. It will identify the higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence. It will identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and will assess the magnitude of potential business and operational impacts of any successful attack.
The scope will be dependent on what the drivers are for the organisation and these will determine the stated goals. These drivers may also influence other aspects of the engagement such as target selection scope, assumptions, and even funding ceilings that limit the amount of time a test team has to explore. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies, while useful as part of the testing process, are no match for human intelligence.
Red Team engagement
To continue the analogy of the doors: if pen testing opens the doors to see what is behind them, Red Team engagement goes through the doors and explores the room, the house and the street beyond, getting completely into the mind-set of the potential hacker.
The key difference between a penetration test and Red Team engagement is therefore the extent of the scope. So, while a penetration test is often focused upon a key application or system and is scoped following threat modelling, Red Team engagement is fully bespoke and often ‘goal orientated’. This goal will often be: ‘we have this highly sensitive network/piece of data – can you get access to it?’
The Red Team focuses on the objective of the engagement and examines it from many different angles pulling together a plan of attack using a range of different techniques and abilities. It tests procedural, social and physical components of security in addition to technical controls. Replicating the wider view an actual attack would have, the Red Team uses an adversarial mind set to determine strategy and policy making.
In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques, they seek to gain a foothold; tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.
In addition to a rigorous examination of the organisation’s security controls, Red Team engagement will exercise incident detection, response and management. This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.
Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers, qualified ethical hackers and includes holders of the Offensive Security Certified Professional (OSCP) the world’s first completely hands-on offensive information security certification. OSCP challenges students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.
When you combine the benefits of a best in class web vulnerability scanner updated within hours of new threats emerging, able to be run ‘on demand’ and OSCP trained experienced penetration testers it’s a powerful combination to help stay safe in today’s ever-changing world of cyber threats.
There is no one-size-fits-all solution. The importance of accurate scoping at the outset of the exercise cannot be overemphasised because every organisation faces its own unique challenges in terms of regulations, risks and vulnerabilities. What is more, in a world where data security is constantly evolving in response to new and ever more ingenious attacks, an organisation’s test and exercise strategy needs to reflect this. If your incumbent data security provider cannot demonstrate the required agility, you must ask yourself whether your requirements are being met.
SRM partners with industry-leading vulnerability scan provider AppCheck to deliver both the automated and manual elements of a bespoke test and exercise strategy. SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services. For further information please contact Mark Nordstrom at firstname.lastname@example.org or phone 03450 21 21 51.
GDPR: the world will not stand still on 25th May 2018
The 25th May 2018 is not an end date. Far from it. It marks the beginning of a new era in data protection but one that will continue to evolve as our online world continues to develop. So, although organisations will be required to be compliant with the General Data Protection Regulation (GDPR) from that date, it is an ongoing process, not Armageddon.
In the words of the ICO’s Information Commissioner Elizabeth Denham: ‘It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.’
For organisations with GDPR firmly on their radar it seems primary focus is on reaching a level of compliance come GDPR Day 1, but about Day 2 and beyond? Those who are fully compliant by 25th May will need to work hard to remain compliant. Those who are not yet completely ready will need to work even harder to reach and maintain compliance or risk substantial fines. The key factor to remember, however, is that it will be nigh on impossible to achieve perfect maintenance of absolute compliance. So, take comfort from the fact that the ICO has stated that those who are able to demonstrate that appropriate systems and thinking are in place will find that the ICO takes this into account when they consider any regulatory action.
So, while absolute compliance may be an intended aim, what organisations really need to focus on is the fact that they can demonstrate the thinking and the steps they have taken to be compliant. That is not to say that anyone will get ‘A’ for effort if no practical steps have been taken.
As Elizabeth Denham explains, there is no excuse when it comes to GDPR: ‘’There will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date…We all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there…’
SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles in either traditional part time roles or via our VirtualCISOtm.
VirtualCISOtm is proving a popular option for businesses which require broad levels of expertise to complement existing skill sets and roles in a flexible manner.
To find out where you are in terms of GDPR readiness, complete our free online GDPR Self Assessment Questionnaire.
To find out more about what SRM’s GDPR can do for you, contact Mark Nordstrom (email@example.com) or 03450 21 21 5https://blog.srm-solutions.com/are-you-ready-for-gdpr/1 or check out our website.
Or read our blog:
GDPR: a question of confidence
GDPR has been developed to protect us from breaches like Uber
After GDPR what will happen to ICO notification fees?
Are you ready for GDPR?
It is one thing knowing that the General Data Protection Regulation is coming and that compliance is mandatory from 25th May 2018. It is quite another to know exactly what you need to do in order to be fully compliant. This Self Assessment Questionnaire has been developed to outline the key areas that need to be addressed and to provide a guide as to your current state of GDPR readiness.
GDPR: a question of confidence
In a recent interview with SC Media, Amazon Web Services (AWS) Chief Information Security Officer (CISO) Stephen Schmidt explains how his organisation is set up for full General Data Protection Regulation (GDPR) compliance. Not only does Schmidt say that 72 hour reporting holds no fears for Amazon but that all other requirements of GDPR are well in hand. Yet, leading up to 25th May 2018, few others can have such self-belief. So how can other organisations achieve similar levels of confidence?
In short, professional CISO support will provide expert guidance on building GDPR compliance into an organisation’s systems in the most cost-effective and robust manner. The first step is to know your environment and to scope what data you hold and where it is. This is a major component of then being able to move forward and determine what needs to be done and where. SRM offers both strategic level CISO support and a Virtual CISO (vCISOTM) service for smaller organisations unable to employ a resident CISO.
So, as the implementation of the General Data Protection Regulation draws closer and organisations across the UK consider their state of preparedness, it is perhaps worth considering why Stephen Schmidt is so confident that his company is ready.
A former FBI intelligence analyst, Schmidt’s confidence is not the only unusual thing about him. Firstly, he has held the CISO post at AWS for over ten years which, considering the average CISO is only in post for 2.2 years, is remarkable in itself. The second notable thing about him is that he considers it a ‘wonderful job’; not the view expressed by many resident CISOs who feel acute stress knowing that when it comes to security and compliance the buck really does stop with them. The fact is, however, that resident CISOs of this calibre are hard to find and expensive to retain.
To read the full interview with Stephen Schmidt, see here. In summary, however, he makes (among many others) the following points:
- ‘We comply with the law in every jurisdiction in which we operate… Unlike some other folks, we don’t have to bolt privacy controls onto our services afterwards – they’re built from the beginning. Which means it’s much easier for us to be compliant with things like GDPR.’
- ‘The guiding principle here is, our customers own their data. It’s something that we give them a lot of tools on how to protect. It’s an area where we give them a lot of opportunity to encrypt, appropriately, and control their own encryption keys if they wish, and it’s up to the customer then to choose “How do I want to manage my privacy?” and “how do I want to manage access to information?”’
- ‘We do the same things that anybody else should be doing, that is, know your environment intimately, monitor it thoroughly, alarm when things exceed your normalcy thresholds, and most importantly, have a very narrowly confined long term blast radius so that if something does go wrong it can find the critical error.’
What can be learned from this? Well, firstly that GDPR compliance goes far deeper than simply a tick box exercise. Secondly, that unless you are as experienced as Mr Schmidt, it is advisable to seek professional CISO support.
SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from GDPR compliance to disaster recovery.
If you would like to find out more about gaining GDPR confidence, contact Mark Nordstrom at firstname.lastname@example.org or phone 03450 21 21 51.
Visit our website:
Or read our blog:
UK research highlights the lack of Chief Data Officers at C-Suite level
After GDPR, what will happen to ICO notification fees?
How a CISO can exert influence at board level
Gibson & Co launches eDiscovery service
(left to right: Mark Nordstrom (SRM), Jane Gibson, James Hopper (SRM), Toby Gibson, Tom Fairfax (SRM), Alan Batey (SRM)
(Press release 11/01/18)
Leading North East litigation practice Gibson & Co. has invested in a world class eDiscovery service to support client litigation cases. By partnering with Gosforth-based Security Risk Management (SRM) Ltd, Gibson & Co. obtains access to its own Relativity platform, the market leading eDiscovery solution, coupled with the technical and forensic expertise and experience of a highly regarded and established eDiscovery provider.
A vital tool in the management of electronically stored data (ESI) as evidence in litigation, eDiscovery is the process of sifting, sorting, reducing and redacting data for legal expert review in a way that meets the ultimate test of court acceptance.
Tom Fairfax, Managing Director of SRM, says: ‘Gibsons wanted to go further than simply buying into an eDiscovery platform; they wanted to be able to provide their clients with an exceptional service experience from the outset. By working in partnership with SRM they are able to provide a cost-effective and fully managed process which optimises the best available technology while also using the forensic skills of an expert team. In this way, the initial stages which usually take several weeks are completed in just a few hours.’
Toby Gibson, partner at Gibson & Co. says: ‘We face two important and related challenges to our litigation practice. The first is costs pressure from clients. The second is how to make best use of the available technology. Our cases often involve the management of a large volume of data and we need to store, review and use that data as efficiently as possible. In SRM we have found a partner that has been able to provide a bespoke product to meet that technology challenge. We are convinced that we have an excellent collaboration tool in Relativity which will be of potential benefit to all of our clients. This partnership will make us more efficient via the inherent collaboration benefits while keeping costs down. We are delighted to have teamed up with SRM.’
The SRM eDiscovery team is made up of forensic professionals drawn from law enforcement, government agencies and the military with over 60 years’ combined eDiscovery experience. SRM has conducted thousands of successful eDiscovery projects since the company established in 2002. Gibson & Co. is ranked highly by the Legal500 as an ‘incredibly well-regarded’ litigation team. In 2018, Chambers & Partners awarded both Toby and Jane Gibson ‘Top Ranked’ lawyer status for the seventh year running.