Banking Security

Why the prioritisation of breach identification and containment are crucial elements of every cyber defence strategy

One of the most significant elements of the current cyber threat landscape is the amount of time it takes to actually detect and contain a breach. In a study published last year by IBM security and the Ponemon Institute, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics were used to assess the effectiveness of an organisation’s incident response and containment processes. The research found that it took an average of 168 days to identify a data breach and 67 days to contain it.

The key problem is that in today’s climate few attacks are aimed solely on an organisation’s external defences. This is because, with data security legislation at the strongest it has ever been, external defences like firewalls and network security are usually reasonably robust. So cyber criminals use more subtle tactics, exploiting human error. If an employee opens a malware-laden phishing email or some deceptive social engineering has enabled an attacker to infiltrate malicious codes, the effects may not be evident for some time. This gives malicious attackers the opportunity to explore and exploit the system from within, delivering even more devastating consequences over time.

Given that the current MTTI metrics show that breaches can remain undetected for an average of five and a half months, this provides hackers with ample time to develop their strategy and exploit the weaknesses they detect. So although it will always be necessary to have robust external defences in place, organisations would do well to push the identification of attacks further up the priority list.

The other issue is, of course, containment. The current MTTC metrics show that the average breach, once identified, takes over two months to be contained. The reputational and financial implications of this delay cannot be underestimated.

While building both an external and internal defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken, and valuable time is not lost.

At SRM, our consultants use their vast expertise to proactively protect systems before an attack occurs. Working with a Retained Forensics specialist facilitates a strategic approach; from analysing potential weaknesses, to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential internal vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses, so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie, including the human element, and helps a business to build an agile defence around them.

 

To find out more about SRM’s Retained Forensics and Incident Response services contact Mark Nordstrom on 03450 21 21 51 or mark.nordstrom@srm-solutions.com

To receive notification of other blogs relating to issues in the world of information security, follow us on Linkedin.

Or read more from our blog:

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

Three stages to building a robust defence against external threats

Cyber insurance may be null and void with ‘due care’

Pen testing: seeing both the wood and the trees

PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?

More than 40 organisations, including McMillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.

The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher, compared to cash donations and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further with things like the Helping Heart jacket, developed so digital donations can be made via this piece of clothing worn by collectors to a homeless charity, and the Blue Cross ‘tap dogs’ who wear a vest with a sewn-in pocket that holds a contactless device.

So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.

Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper vigilant when it comes to the Data Security Standard (PCI DSS) and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust, will reduce the potential of being breached.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as all shapes and sizes of businesses and organisations across various business sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.

For more information on SRM’s PCI services please visit our website.

Or visit our blog:

Network intrusions are on the increase: time to engage a Retained Forensic specialist

 

PCI – Europe Community Meeting Barcelona 24 – 26 October 2017

James Hopper and Paul Brennecker of SRM will be attending the Europe Community Meeting in Barcelona 24th – 26th October. Organised by the Payment Card Industry Security Standards Council (PCI SCC) the focus of the three day event will be the security of payment card data. Those who are attending are invited to make appointments with James and Paul to discuss any specific issues they may have and receive free advice from two of the industry’s experts.

James Hopper

James is skilled at providing strategic insight into the management and implementation of business-wide information security solutions. He is a clear-thinking no-nonsense problem-solver with wide experience in both the corporate and SME markets.

James joined SRM in 2016 and brings extensive senior management experience from within the worlds of Consultancy and IT. Previously with a large FTSE 100 Outsourcing Company as a Managing Consultant and the Operations & Innovation Director for a large NHS Organisation, he has overseen the scoping and implementation of plans from the very small to extensive national projects. His experience also includes delivery of major IT Transformation Programmes and senior assurance roles.

Paul Brennecker

Paul is a PCI DSS compliance guru. He regularly speaks at PCI conferences and writes on issues relating to card payment security. He is also a practising senior Information Security Consultant at SRM. He is currently engaged with a number of high-profile organisations, assisting them with their compliance programmes. Ranging from programme management, and mobilisation of their PCI DSS compliance projects, Paul also advises clients on their information security policies, their implementation and training requirements. Paul has considerable skill at conducting pre-compliance scoping and de-scoping exercises, conducting gap analysis assessments, creating remediation plans and assisting with intrusion detection and prevention systems.

Paul joined SRM in March 2008 from Barclaycard. As their former PCI Compliance Manager, Paul successfully drove the compliance programme forward and worked closely with both VISA and MasterCard to raise awareness of the standard and was a regular key-note speaker at the industry’s security forums. Due to his substantial network of colleagues and industry contacts Paul is a well-known and highly respected consultant, recognised for his approachable manner and depth of knowledge.

Simply email james.hopper@srm-solutions.com or paul.brennecker@srm-solutions.com to make an appointment.

US statistics warn of new trends in cybercrime: how a retained PFI can mitigate the risks

Statistics provide useful evidence of the trends developing within the world of information security. Figures compiled from reported attacks in the United States for July 2017 give us a breakdown of attacks sector by sector, providing some useful insight into the minds of cyber attackers and their motivation. As we all know, cybercrime is international and these trends are likely to be reflected in the UK in the coming months. The key figures from this latest research show an increasing trend towards attacks on individuals and an increase in the number of attacks motivated by crime.

In fact, the number of cyberattacks on individuals in the US doubled between June and July 2017. In June 14.1 per cent of recorded attacks were targeted at single individuals but in July this figure had increased to 27.5 per cent. Of course, this still means that other sectors account for nearly three quarters of all cyberattacks. Industry (26.1%), Government (8.7%), Healthcare (8.7%) and Finance (5.8%) were the other major targets.

As for motivation, that 84.1 per cent of attacks in July 2017 were motivated by cybercrime is no great surprise. The fact that this particular motivation has increased by 15.3 per cent since June, however, is worthy of note. Rogue individuals with the requisite skill set have long been attracted by financial reward, yet in the past Cyber Espionage, Cyber Warfare and Hacktivism figures more significantly in these statistics. So theft is on the increase.

What does this mean for UK businesses? Given that the trend is toward an increase in crimes on individuals it may not be obvious. But we have noticed a correlation between an escalation in individual attacks and a heightened awareness among the business community. This is perhaps due to the power of the media but also to the even greater power of word-of-mouth. Because when a businessman becomes aware that someone they know has had their account hacked, he or she will be more likely to look to their business’ online security.

As far as we are concerned, any news of this type is helpful. Because the fact is that cybercrime is on the increase. Whether it is the slow and subtle syphoning off of funds from an unsuspecting retailer or a massive much publicised hack demanding ransoms like the one inflicted on HBO, theft is nowadays more likely to be an online activity than a physical one.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. That is why increased awareness is always a good thing. The more businesses that retain an information security consultant to ensure their defences are robust, the fewer will be hacked. Those who trade online also benefit from a PCI Forensic Investigator (PFI) to protect their card payments.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We also provide a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a company’s systems, remediation is rapid and disruption minimal.

 

How poor data-stripping can expose organisations to Spear Phishing attacks

A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.

This survey comes at a time when the number and extent of breaches continues to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations will do well to include data-stripping in their information security defence strategy or risk being unknowing victims of a sophisticated breach.

In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. During this process, metadata was retrieved which betrayed key information about the people who created the files, when they did it, and the version of the software and machine which they used.

This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.

Emails are then sent out which appear to the majority of recipients to be authentic. But they contain booby-trapped attachments. In some cases, the virus code that attackers bury in the malicious attachments can lurk until it hits the device used by a particular target.

This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they will have access to company sensitive information or records as well as direct online access to the real targets. Sometimes even passwords are secured this way and all this happens long before any breach is discovered. Emails requesting information will not in these instances be seen as suspicious and once armed with details a range of criminal activities can be undertaken from re-directing payments to the criminals’ bank accounts to demanding ransomware payment from the organisation itself.

It is, of course, wise to include meta-searching for information from website files and stripping out data as part of routine security. While it is policy in many firms to do so, however, there is not always the due diligence and process to do it. A public information search can, however, be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system. If included in the scope, meta-searching and data-stripping can ensure that the company’s digital footprint leaves no traces for potential hackers to exploit.

Bespoke Penetration Testing

SRM Blog