What we can all learn from the NHS response to WannaCry
To be truly resilient against potential attacks, it is not enough simply to patch against the last one; organisations must also anticipate the next. When commenting on the news that the NHS had not fared well in the recent round of cyber security checks, Matt Hancock, Secretary of State for Digital, Culture, Media and Sport, summed up the issue.
He said on BBC Radio 4 last month that ‘The NHS has made improvements since the WannaCry attack last year, but one of the challenges in cyber security is that the criminals and the malicious actors who are trying to harm our space are moving fast, and you have to run to stay still. You can’t just make one update, you’ve got to constantly be updating’. NHS cyber security chiefs described their existing practices as ‘relatively unsophisticated’, and admitted that 88 of the 236 trusts that were assessed by NHS Digital failed to pass the required cyber security standards.
In spite of the negative publicity surrounding the event, the report did state that WannaCry’s lasting effect would have been significantly more widespread had it not been so quickly disabled. With this issue front of mind, the former Chairman of NHS Digital still blamed ‘a lack of focus and a lack of taking it seriously’.
So what actions are in the pipeline in order to safeguard the UK’s health service? Of course, every hospital authority will be ensuring that all software update patches are installed, after this proved to be the crippling weakness of the 80 trusts affected in last year’s cryptoworm attack. The majority of trusts had acted on this, but the hesitation came from the potential implications and disruption to other IT and medical equipment.
The initial response deserves praise, and it should also be said that the robust plans going forward are setting the bar for others to follow. A cyber security ‘handbook’ is being issued to all employees, along with ongoing staff training and development, bringing the issue to the forefront and ensuring that everyone has their part to play.
Robust Incident Response, Business Continuity and Disaster Recovery plans are soon to be in place, reducing disruption to operations even further in the event of an attack. These are to be reviewed and updated annually, in line with industry best practice. They will work in tandem with both an annual ‘cyber incident rehearsal’ and Red Team-style engagements using ethical hacking teams that will consistently carry out both manual and automated penetration testing against the NHS networks. Finally, this links to their plans to appoint a CISO as soon as possible, after recognising that cyber security is indeed a board-level issue and should be dealt with as such.
It is these key practices that businesses across the globe should be looking to adopt into their next information security strategies. If your organisation is looking to mirror the proactive efforts of the NHS, SRM’s specialist solutions encompass the full scope of the governance, risk and compliance agenda. The trusted partner of government agencies, high street brands and SMEs alike, our bespoke and consultative approach enables our clients to achieve peace of mind.
To discuss how our services can help you stay safe in cyberspace, contact Mark Nordstrom on firstname.lastname@example.org or 03450 21 21 51. Or visit our website.
Three stages to building a robust defence against external threats
How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks
The recent April 2018 Trustwave Global Security Report reveals new global trends in the world of cyber hacking, most notably a move away from smaller, high-volume point-of-sale (POS) hacks in favour of more sophisticated attacks on larger service providers and their corporations’ head offices, using phishing and social engineering. Attacks on corporate and internal networks increased by 7 per cent to 50 per cent. Within corporate or franchise networks, the most common cause of compromise was phishing and social engineering, which accounted for 55 per cent of attacks.
Perhaps even more alarming, however, is the reported number of breaches instigated by ‘insiders’. The latest Verizon Data Breach Investigations Report (April 2018), found that 25 per cent of all attacks are perpetrated by insiders who intentionally allow access to systems, or exploit systems themselves, for reasons of financial gain, espionage or simple misuse.
So, how can an organisation protect itself from phishing and social engineering? Or from malicious insider threats? A short term strategy would be to establish systems which regularly monitor and provide alerts in the event of attack. In this way, at least the organisation will have early warning if an issue occurs. But it is rather like bolting the stable door after the proverbial horse has already bolted, leaving a swathe of chaos, financial loss and reputational damage in its wake.
Where breaches are accidental, a strategic approach would include education. This is particularly important because social engineering and phishing attacks often target all levels within a company, including junior staff, in the hope of gaining data on more senior staff. This is sometimes seen in ‘CEO fraud’, which tricks senior executives into authorising fraudulent financial transactions. Everyone within an organisation must be aware of the potential risk of accidentally divulging sensitive information.
To develop a level of resilience against phishing and social engineering attacks, however, a more aggressive form of defence should be an integral aspect of any defence strategy. This would include a robust test and exercise programme, which uses a synergy of automated and manual penetration testing to identify vulnerabilities and explore them to pinpoint specific areas of weakness. Using this approach, with the right professional guidance, an organisation will be able to anticipate threats and build in levels of protection.
When a breach is deliberately engineered by an organisation insider, however, these steps may not be sufficient. Given that the insider has access to privileged information about a system, they are in a unique position to develop and exploit undiscovered potential weaknesses. This is where the Red Team comes in.
Red Team engagement provides real-world attack simulations, designed to assess and significantly improve the effectiveness of an entire information security programme. This is achieved through a combination of simulated social engineering attacks, both physical and technical, as well as network and application attacks developed specifically for an organisation and delivered by highly trained ethical hackers. The benefit of this approach is that it allows organisations to validate their protection, monitoring and response solutions.
SRM has an unrivalled reputation in all aspects of Test and Exercise as well as delivering Red Team engagement. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mindset of a genuine hacker.
To find out more about SRM’s Test and Exercise services (including Red Team) visit our website.
See a recording of our webinar ‘GDPR: the roles of manual and automated penetration testing’
Or see our blog:
Penetration testing: man vs machine
What is Red Team engagement?
If prevention is to be an achievable goal we cannot rely on static defences
Or contact Mark Nordstrom at email@example.com or on 03450 21 21 51.
PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?
More than 40 organisations, including Macmillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments, their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.
The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher than cash donations, and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further, with things like the Helping Heart jacket, a piece of clothing worn by collectors for a homeless charity so that digital donations can be made via the jacket itself, and the Blue Cross ‘tap dogs’, who wear a vest with a sewn-in pocket that holds a contactless device.
So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.
Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper-vigilant when it comes to the Data Security Standard (PCI DSS), and it has already proved that charities are not exempt from the full force of the rules when it comes to administering fines for non-compliance.
If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust will reduce the potential of being breached.
SRM offers a full range of services to protect the online environment. Using a range of tools, from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as businesses and organisations of all shapes and sizes across various sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly targeted, cost-effective solutions.
Given the constantly evolving world of cybercrime and the ingenuity of hackers, however, attacks can and do happen. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.
For more information on SRM’s PCI services please visit our website.
Or visit our blog:
Network intrusions are on the increase: time to engage a Retained Forensic specialist
Free live webinar: GDPR – the roles of manual and automated penetration testing
15:00 – 15:45 Thursday 8th March 2018
Have you tested to check your GDPR compliance?
A key aspect of GDPR compliance is demonstrating that your systems are secure. Penetration testing is a vital tool, but with automated and manual tests both available, which best serves your purpose?
In this 35-minute webinar, with time for questions, co-hosted with AppCheck, SRM’s Test and Exercise expert Andrew Linn outlines how a structured synergy of both will deliver the optimum result.
The webinar will cover:
- The crucial role of automated testing
- Automated and manual testing synergies
- The manual component
- Beyond the penetration test
There will be a live Q&A at the end and Andrew Linn will answer any specific questions relating to your business or sector.
How to register
The live webinar is at 3pm on Thursday 8th March and is free. You are simply required to register your attendance via this link:
Cyber Security Breaches Survey 2018 – shows that size matters and that numbers never lie
As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.
The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.
Addressing the first issue, it is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those managing over £5 million annual turnover had higher awareness levels (90 per cent) than those managing less than £10k (36 per cent).
As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey conducted by Ipsos MORI had drilled down to asking what practical changes had been made by December 2017 to address compliance, of the original 1,519 businesses and 569 charities questioned, only 174 businesses and 70 charities were still in the survey. The rest had fallen by the wayside following questions on general awareness of GDPR and the new DPA 2018.
The DPA 2018 is the UK’s solution to data protection and will replace the current UK DPA 1998. Whilst organisations will still have to comply with GDPR, the DPA 2018 also sets out the details of how GDPR will apply in the UK, covers processing that does not fall within the scope of EU law, and implements the EU’s Law Enforcement Directive.
Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.
Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. From 25th May 2018 GDPR will become law, and the new DPA is due to be enacted at the same time, with significantly higher fines issued to those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and the new DPA involve and what steps need to be taken.
SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.
SRM’s GDPR team provides a business-focused service to organisations of all types and sizes, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients through the GDPR compliance process with the focus on delivering robust, efficient and effective ongoing compliance, not on selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles, either in traditional part-time roles or via our VirtualCISO™.
SRM’s step by step self-assessment guide to GDPR readiness
For full details of the HM Government survey report see the Cyber Security Breaches Survey 2018.
Or see our blog:
GDPR: the world will not stand still on 25th May 2018
GDPR: a question of confidence
After GDPR, what will happen to ICO notification fees?