How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks
The recent April 2018 Trustwave Global Security Report reveals new global trends in the world of cyber hacking; most notably a move away from smaller high volume point-of-sale (POS) hacks in favour of more sophisticated attacks on larger service providers and their corporations’ head offices, using phishing and social engineering. Attacks on corporate and internal networks increased by 7 per cent to 50 per cent. Within the corporate or franchise networks, the most common cause of compromise was phishing and social engineering which accounted for 55 per cent of attacks.
Perhaps even more alarming, however, is the reported number of breaches instigated by ‘insiders’. The latest Verizon Data Breach Investigations Report (April 2018), found that 25 per cent of all attacks are perpetrated by insiders who intentionally allow access to systems, or exploit systems themselves, for reasons of financial gain, espionage or simple misuse.
So, how can an organisation protect itself from phishing and social engineering? Or from malicious insider threats? A short term strategy would be to establish systems which regularly monitor and provide alerts in the event of attack. In this way, at least the organisation will have early warning if an issue occurs. But it is rather like bolting the stable door after the proverbial horse has already bolted, leaving a swathe of chaos, financial loss and reputational damage in its wake.
Where breaches are accidental, a strategic approach would include education. This is particularly important when social engineering and phishing attacks often target all levels within a company, including junior staff, hoping to gain data on more senior staff. This is sometimes seen as ‘CEO fraud’ which tricks senior executives into authorising fraudulent financial transactions. Everyone within an organisation must be aware of the potential risk of accidentally divulging sensitive information.
To develop a level of resilience against phishing and social engineering attacks, however, a more aggressive form of defence should be an integral aspect of any defence strategy. This would include a robust test and exercise programme, which uses a synergy of automated and manual penetration testing to identify vulnerabilities and explore these to identify specific areas of weakness. Using this approach, with the right professional guidance, an organisation will be able to anticipate and build in levels of protection.
When a breach is deliberately engineered by an organisation insider, however, these steps may not be sufficient. Given that the insider has access to privileged information about a system, they are in a unique position to develop and exploit undiscovered potential weaknesses. This is where the Red Team comes in.
Red Team engagement provides real-world attack simulations, designed to assess and significantly improve the effectiveness of an entire information security programme. This is achieved through a combination of simulated social engineering attacks; both physical and technical, as well as network and application attacks developed specifically for an organisation and delivered by highly trained ethical hackers. The benefit of this approach is that it allows organisations to validate their protection, monitoring and response solutions.
SRM has an unrivalled reputation in all aspects of Test and Exercise as well as delivering Red Team engagement. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mindset of a genuine hacker.
To find out more about SRM’s Test and Exercise services (including Red Team) visit our website.
See a recording of our webinar ‘GDPR: the roles of manual and automated penetration testing’
Or see our blog:
Penetration testing: man vs machine
What is Red Team engagement?
If prevention is to be an achievable goal we cannot rely on static defences
Or contact Mark Nordstrom at email@example.com or on 03450 21 21 51.
PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?
More than 40 organisations, including McMillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.
The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher, compared to cash donations and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further with things like the Helping Heart jacket, developed so digital donations can be made via this piece of clothing worn by collectors to a homeless charity, and the Blue Cross ‘tap dogs’ who wear a vest with a sewn-in pocket that holds a contactless device.
So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.
Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper vigilant when it comes to the Data Security Standard (PCI DSS) and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.
If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust, will reduce the potential of being breached.
SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as all shapes and sizes of businesses and organisations across various business sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.
Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.
For more information on SRM’s PCI services please visit our website.
Or visit our blog:
Network intrusions are on the increase: time to engage a Retained Forensic specialist
Free live webinar: GDPR – the roles of manual and automated penetration testing
15:00 – 15:45 Thursday 8th March 2018
Have you tested to check your GDPR compliance?
A key aspect of GDPR compliance is demonstrating that your systems are secure. Penetration testing is a vital tool but with automated and manual tests both available which best serves your purpose?
In this 35 minute webinar, with time for questions, co-hosted with AppCheck, SRM’s Test and Exercise expert Andrew Linn outlines how a structured synergy of both will deliver the optimum result.
The webinar will cover:
- The crucial role of automated testing
- Automated and manual testing synergies
- The manual component
- Beyond the penetration test
There will be a live Q&A at the end and Andrew Linn will answer any specific questions relating to your business or sector.
How to register
The live webinar is at 3pm on Thursday 8th March and is free. You are simply required to register your attendance via this link:
Cyber Security Breaches Survey 2018 – shows that size matters and that numbers never lie
As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.
The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.
Addressing the first issue. It is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those managing over £5 million a year annual turnover had higher awareness levels (90 per cent) than those managing less than £10k (36 per cent).
As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey conducted by Ipsos MORI had drilled down to asking about what practical changes had been made by December 2017 to address compliance, of the original 1,519 businesses and 569 charities questioned, only 174 businesses and 70 charities were still in the survey. The rest had fallen by the wayside following questions on general awareness GDPR and the new DPA 2018.
The DPA 2018 is the UK’s solution to data protection and will replace the current UK DPA 1998. Whilst organisations will still have to comply with GDPR, one element of the DPA 2018 is the details of how GDPR will apply in the UK, the processing that does not fall within UK law and also the EU’s Law Enforcement Directive.
Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.
Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. From 25th May 2018 GDPR will become law and the new DPA is due to be enacted at the same time, with significantly higher fines issued to those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and new DPA involves and what steps need to be taken.
SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.
SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles in either traditional part time roles or via our VirtualCISOtm.
SRM’s step by step self-assessment guide to GDPR readiness
For full details of the HM Government survey report see the Cyber Security Breaches Survey 2018.
Or see our blog:
GDPR: the world will not stand still on 25th May 2018
GDPR: a question of confidence
After GDPR, what will happen to ICO notification fees?
Coinhive attacks and how to prepare for the (almost) inevitable
This week’s report that more than 5,000 websites, including that of the Information Commissioner’s Office (ICO) have been hacked, shows that it really can happen to anyone. Other affected websites where malware took over the processing power of their user’s devices include the Student Loans Company, the council website for Manchester City, Camden and Croydon and the home page of the United States Courts. Although the initial reaction may be one of schadenfreude – pleasure in someone else’s misfortune – a more measured response would be to realise and accept that hackers are now so ingenious and creative that everyone, including those with top class cyber defence, is likely to be subject to attack at some point.
This latest hack involved a piece of cryptocurrency mining malware, called Coinhive, which ran in the background while the webpages of the hacked organisations were open. This forced visitors’ computers to run the mining programme which can then be used to gain small fractions of cryptocurrency from each victim.
So, how can we protect ourselves? The honest answer is that we can’t fully. What we can do, however, is to be prepared for the probability that our systems will be attacked at some point and to reduce the potential impact this will have. Developing a robust Incident Response protocol is an important start and here a Retained Forensic (RF) service will be of immense benefit. With a detailed knowledge of your systems, an RF team is able to mitigate the damage swiftly and effectively.
Damage limitation is crucial but, in the long term, building additional layers of security into your system’s architecture is also key. We need to ensure we are not giving away information without meaning to. We should also consider our defensive architecture but it is important that we balance the need for security with the practical requirement for our systems to be functional and easily navigable.
Achieving this balance is a complex issue. SRM’s VirtualCISO (vCISOtm) service can resource and support the incumbent CISO or DPO in managing this task. From providing expert strategic guidance to taking on the full CISO role, our vCISOtm team has many years’ experience in providing robust yet agile defences. We work with our clients across a range of services including Incident Response, Retained PFI, Digital Forensic Investigation and Security Breach, Incident Management and Containment Support.
To find our more, visit our website or contact Mark Nordstrom on 03450 21 21 51 or firstname.lastname@example.org