E-Safety

Why get ISO27001 certification?

We are sometimes asked the question, why get ISO27001 certification? The answer is that the ISO standard, and ISO 27001 compliance in particular, demonstrates that your organisation takes information security seriously. This ultimately enhances your reputation and delivers greater business opportunities because ISO27001 lowers the risk for other people of doing business with you.

Certification means a third party accredited independent auditor has performed an assessment of all processes and controls and confirms that operations are in alignment with the comprehensive ISO27001 certification standard. If a company is implementing ISO27001, it demonstrates that careful consideration has been given to what could endanger confidentiality, integrity and the availability of information. Once those risks are known, it is about ensuring that security measures have been implemented in order to decrease them to an acceptable level.

Another benefit of this certification is that, unlike GDPR, which does not have an actual compliance process, ISO27001 provides very clear direction. In this way it can be a useful starting point for ongoing adherence to GDPR. ISO27001 concentrates on policies and processes, including all legal, physical and technical controls involved in an organisation’s information risk management processes. Its value is that it creates a robust environment to protect both staff and customer information assets. But of equal value is the fact that it also provides evidence to potential customers and partner organisations that your company prioritises the security of the information it holds.

Of course, undertaking compliance with ISO27001 can be a rather intimidating prospect.  The ISO standards require risk assessments to be conducted, together with the design and implementation of a comprehensive suite of information security controls. It also requires other forms of risk management to address company and architecture security risks on an ongoing basis. This involves the implementation of any necessary changes to policies and processes (ISO27001) and controls (ISO27002). A cost-effective way to negotiate the rigours of the ISO27001 accreditation process is to seek professional help from specialists with proven track record in achieving the standard.

If you are wondering ‘why get ISO27001 certification?’ you should discuss your requirements with us. The SRM team are experienced in all aspects of ISO27001 accreditation. Starting with a gap analysis which establishes a level of security readiness, we can recommend a prioritised remediation plan based on what gaps there are. We are able to assist with any activities that need to be undertaken and provide guidance all the way up to a pre-audit assessment. Finally, our team can offer on-site audit support if needed, to give you complete peace of mind that your organisation’s ISO 27001 accreditation is achieved and maintained.

To discuss ISO27001 or other certifications, contact the SRM team on 03450 21 21 51.

To receive regular blogs on topics relating to information security, follow us on Linkedin.

To find out more visit our website.

Or read more:

The NIS Directive: who does it apply to and what will it mean?

Cyber resilience: it’s a board level issue

Protecting your cyber soul

By Tom Fairfax, Managing Director

If you were asked to sell your soul to a stranger…. what price would you ask?

The ancient Egyptians believed that a person’s soul had multiple parts, ranging from the spiritual to the physical; the bit they hadn’t discovered was the digital component.  Regardless of one’s personal belief, each of us carries a very real and hugely valuable intangible asset in the form of our personal identity and the information that forms part of it.  This asset is incredibly vulnerable in the cyber environment and once compromised is effectively irretrievable.  Think of this as our cyber soul. It contains our very digital essence, our unique identity, our access to our resources and secrets, and represents the means to impersonate us or take control of parts of our life, our possessions or our good name and reputation.

The environment we call cyberspace represents a complex web of connected technology sharing information with and without human interaction.   This environment is inaccessible to our naked senses; we cannot see, hear or feel in it without assistance.  Critically, it is contested, and is populated by a global population of strangers, many of whom are explicitly seeking to compromise us.  It is to this environment that we expose our cyber souls.  The only question is – what protection or consideration do we give our valuable information assets before publishing them into the wild?

We are asked to share parts of our cyber souls on a daily basis.  A myriad of commercial, official and social platforms request and sometimes require information.  Some we hope we can trust – and in some cases we need to make a risk-based decision. But how much thought do you give before deciding what information to share and with whom you entrust this sliver of your essence?  A brief glance at the Information Commissioner’s Office (ICO) enforcement page is instructive and shows that no organisation can be assumed to be safe.  A brief perusal of the causes of breach shows that breaches are not confined to failures of technology but often result from individual and collective human frailty.  This is not new.

This raises another, possibly more important question. How much explicit effort do you spend on protecting the personal information that other people and businesses entrust to you?  The ICO website shows a number of instances where something as seemingly innocent as a breach of email etiquette has resulted in the exposure of personal information, and a direct, if inadvertent compromise of people’s  sensitive information.  Fines and sanctions are damaging, but we must not forget the fundamental breach of trust.

Information Security and data protection are disciplines that enable us to protect our own cyber souls and those with which we have been entrusted by others.  They are still seen by many as an administrative irritation but they are a fundamental part of our personal responsibility as members of society.   No-one can guarantee that they will be 100 per cent safe; indeed such a claim is a good indication that the problem has not been understood.

We can, however, exert a degree of critical judgement on every occasion that we are asked to share parts of our soul.  Trust should not be assumed.

Why the prioritisation of breach identification and containment are crucial elements of every cyber defence strategy

One of the most significant elements of the current cyber threat landscape is the amount of time it takes to actually detect and contain a breach. In a study published last year by IBM security and the Ponemon Institute, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics were used to assess the effectiveness of an organisation’s incident response and containment processes. The research found that it took an average of 168 days to identify a data breach and 67 days to contain it.

The key problem is that in today’s climate few attacks are aimed solely on an organisation’s external defences. This is because, with data security legislation at the strongest it has ever been, external defences like firewalls and network security are usually reasonably robust. So cyber criminals use more subtle tactics, exploiting human error. If an employee opens a malware-laden phishing email or some deceptive social engineering has enabled an attacker to infiltrate malicious codes, the effects may not be evident for some time. This gives malicious attackers the opportunity to explore and exploit the system from within, delivering even more devastating consequences over time.

Given that the current MTTI metrics show that breaches can remain undetected for an average of five and a half months, this provides hackers with ample time to develop their strategy and exploit the weaknesses they detect. So although it will always be necessary to have robust external defences in place, organisations would do well to push the identification of attacks further up the priority list.

The other issue is, of course, containment. The current MTTC metrics show that the average breach, once identified, takes over two months to be contained. The reputational and financial implications of this delay cannot be underestimated.

While building both an external and internal defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken, and valuable time is not lost.

At SRM, our consultants use their vast expertise to proactively protect systems before an attack occurs. Working with a Retained Forensics specialist facilitates a strategic approach; from analysing potential weaknesses, to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential internal vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses, so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie, including the human element, and helps a business to build an agile defence around them.

 

To find out more about SRM’s Retained Forensics and Incident Response services contact Mark Nordstrom on 03450 21 21 51 or mark.nordstrom@srm-solutions.com

To receive notification of other blogs relating to issues in the world of information security, follow us on Linkedin.

Or read more from our blog:

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

Three stages to building a robust defence against external threats

Cyber insurance may be null and void with ‘due care’

Pen testing: seeing both the wood and the trees

Schools are being targeted by cyber criminals: 6 ways to shore up online defences

In 2017 the Independent Schools’ Bursars Association (ISBA), which supports over 1,000 senior management staff in schools, stated that cyberattacks in schools can no longer be considered ‘isolated incidents’. ISBA’s Chief Exec David Woodgate went on to say that he is concerned that fraudsters are ‘one step ahead’.

He is absolutely right. While schools lag behind universities in their approach to cyber defence, cyber criminals are constantly evolving and refining their skills. Unlike most people employed in the education system, they do not have day jobs to distract their focus. So what can school authorities do to protect against such ingenious criminal minds? Here are six important things to consider.

1. Accept responsibility

Firstly, school boards must embrace the responsibility. A Department for Education spokesperson recently reiterated that ‘schools are directly responsible for the security of all digital information they collate, store and retain.’ This does not, however, simply refer to the IT department but should extend to the board of governors, the school administrators, the staff, the pupils and the parents. Above all, however, it is the senior leadership that is responsible for safeguarding in schools and, as such, cyber security should be on the agenda at every meeting of school governors and senior teams.

2. Know your system

Knowing precisely what hardware and software is being used on the networks is important but senior leadership should also ensure that configuration changes are authorised, documented and implemented appropriately. It is crucial that only approved users can make changes. Software updates and security patches should also be implemented quickly, and systems monitored for unusual activity which could be an indication of an intruder. Criminal incidents should be reported to the police. Breaches must be reported to the relevant statutory authorities within 72 hours under the terms of GDPR.

3. Control user profiles

Access to sensitive information should only be given to specific individuals. Wherever possible, the ability to share information should also be limited to these specified people. Where individuals are provided with access, their privileges should be managed, and they should be provided with the minimum level of access required to do their job. When staff leave, their access should be revoked promptly.

4. Protect the system

Strong firewalls and internet gateways should be in place to protect school networks and these should be constantly monitored and regularly tested.

It is essential to ensure that antivirus software and security mechanisms are up to date and that protocols for frequent password changes and the use of multifactor authentication for sensitive information is enforced.  This means that if a criminal does obtain access to a system, their progress is stalled by encryption tools.

It is not just the internal system which requires protection. Consider the physical security of a system: the hard drives, internet routers, servers and other devices on which data can be stored. School equipment can be targeted by thieves during holiday periods so any device holding sensitive data should be encrypted and stored in an appropriate security cabinet constructed for the purpose.

It is also advisable to limit the use of public-cloud-based services such as OneDrive and Dropbox as well as the widespread use of portable storage devices such as SD cards and memory sticks but, if there is no alternative, such mechanisms must use strong encryption and robust key management procedures.

5. Invest in expertise

The school bursar is not expected to be solely responsible for every aspect of financial planning. Professional accountancy firms provide additional resource and support. In a similar way, those responsible for a school’s data protection require support at both the strategic and practical levels from industry specialists.

6. Be proactive

Rather than wait for a cybercriminal to test the school’s defences, be proactive: conduct regular penetration testing on the system. When done correctly, this is not an off-the-shelf exercise, but employs a synergy of automated and manual testing to deliver the best results. A specialist consultancy will be able to scope the exercise and conduct the testing in a cost-effective and non-disruptive manner.

Red Team engagement can prove highly useful to further investigate vulnerabilities that have been identified. By using simulated exercises around social engineering, all staff can be briefed on best practise, and their role in the team, should an incident arise. The intelligence gained from these exercises means that a proactive and robust defence can be developed, protecting your data as well as your reputation.

To discuss improving your cyber resilience, contact the SRM team on 03450 21 21 51

To receive regular blogs on topics relating to information security, follow us on Linkedin.

To find out more visit our website.

Or read more:

How phishing scams are getting schools in deep water

Cyber resilience: it’s a board level issue

The key to GDPR is common sense

Pen testing: seeing both the wood and the trees

If recent well-documented breaches tell us anything it is that even organisations with large budgets and skilled cyber security teams can miss something. In spite of their best efforts, data breaches have occurred in some very high-profile organisations in recent months; damaging their system security, exposing their customers’ data and with it their reputations. This is not because they are not doing their level best to safeguard data. Far from it. It is likely that every ounce of available resource was put into developing and maintaining their online security, knowing how precious it is to the future of their business. So how is it that hackers continue to outsmart these highly resourced teams?

The problem is not with the teams’ experience or depth of knowledge but often with their level of familiarity. The phrase ‘can’t see the wood for the trees’ applies here: sometimes those who are deeply involved in the detail of a project can’t step back and see the bigger picture.

Resident teams may have developed the website from scratch and know every detail of its functionality. They may have been working diligently for some time on safeguarding data and developing defences in line with regulations and reported attack trends. As soon as attacks are reported, patches are brought out and defensive strategies are employed. But what happens when a hacker or blogger devotes some specific attention to the site?  Will they find the one flaw in the emergency change; the one time that input validation was not addressed; the one coding flaw that the designers, too familiar with the code, overlooked?

A fresh pair of eyes, on the other hand, is not hampered by familiarity. An experienced and highly skilled penetration tester will not think like a defender, but rather thinks like an attacker. They don’t focus on where the forest fires have already started but on how and where they could be ignited. They use a synergy of automated tools and manual testing to identify potential vulnerabilities and investigate, explore and develop these in such a way that a high proportion of vulnerabilities can be anticipated and patched before a hacker discovers them. This is because our consultants can put themselves into the mind-set of a motivated hacker by identifying, investigating, exploring and exploiting potentially vulnerable areas so that defences can be put in place before a breach occurs.

A qualified and experienced pen tester also has the advantage of not only seeing your system in its entirety, but of seeing many other systems and many other vulnerabilities. To continue the metaphor: their view extends beyond one specific forest, taking in a bird’s eye view of the many miles of trees and forests belonging to other organisations. From this vantage point they not only see the attack trends as they develop but can anticipate the location of future forest fires.

If a breach does occur, however, evidence of a robust testing programme will mitigate the level of fines imposed by regulatory authorities under GDPR. Furthermore, engaging a Retained Forensics service (working as part of the test and exercise team) provides an organisation with effective and swift mitigation strategies, thereby minimising the potential impact of a suspected or actual attack.

To find out more about SRM’s Test and Exercise team visit our website.

To receive notification of other blogs relating to issues in the world of information security, follow us on Linkedin.

Or read more from our blog:

Cyber insurance may be null and void with ‘due care’

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

Three stages to building a robust defence against external threats

What is Red Team engagement?

SRM Blog