Lessons in War
Protecting your cyber soul
By Tom Fairfax, Managing Director
If you were asked to sell your soul to a stranger... what price would you ask?
The ancient Egyptians believed that a person’s soul had multiple parts, ranging from the spiritual to the physical; the bit they hadn’t discovered was the digital component. Regardless of one’s personal belief, each of us carries a very real and hugely valuable intangible asset in the form of our personal identity and the information that forms part of it. This asset is incredibly vulnerable in the cyber environment and once compromised is effectively irretrievable. Think of this as our cyber soul. It contains our very digital essence, our unique identity, our access to our resources and secrets, and represents the means to impersonate us or take control of parts of our life, our possessions or our good name and reputation.
The environment we call cyberspace represents a complex web of connected technology sharing information with and without human interaction. This environment is inaccessible to our naked senses; we cannot see, hear or feel in it without assistance. Critically, it is contested, and is populated by a global population of strangers, many of whom are explicitly seeking to compromise us. It is to this environment that we expose our cyber souls. The only question is – what protection or consideration do we give our valuable information assets before publishing them into the wild?
We are asked to share parts of our cyber souls on a daily basis. A myriad of commercial, official and social platforms request and sometimes require information. Some we hope we can trust – and in some cases we need to make a risk-based decision. But how much thought do you give before deciding what information to share and with whom you entrust this sliver of your essence? A brief glance at the Information Commissioner’s Office (ICO) enforcement page is instructive and shows that no organisation can be assumed to be safe. A brief perusal of the causes of breach shows that breaches are not confined to failures of technology but often result from individual and collective human frailty. This is not new.
This raises another, possibly more important question. How much explicit effort do you spend on protecting the personal information that other people and businesses entrust to you? The ICO website shows a number of instances where something as seemingly innocent as a breach of email etiquette has resulted in the exposure of personal information, and a direct, if inadvertent, compromise of people’s sensitive information. Fines and sanctions are damaging, but we must not forget the fundamental breach of trust.
Information Security and data protection are disciplines that enable us to protect our own cyber souls and those with which we have been entrusted by others. They are still seen by many as an administrative irritation but they are a fundamental part of our personal responsibility as members of society. No-one can guarantee that they will be 100 per cent safe; indeed such a claim is a good indication that the problem has not been understood.
We can, however, exert a degree of critical judgement on every occasion that we are asked to share parts of our soul. Trust should not be assumed.
If prevention is to be an achievable goal we cannot rely on static defences
SRM is at the PCI London event in London on 25th January, presenting on The Synergy Between Automated and Manual Penetration Testing.
How a responsive Test and Exercise strategy requires the synergy of both automated and manual testing to keep pace with a constantly evolving threat environment
Prevention is undoubtedly better than cure, particularly in the context of a potentially damaging data breach. In a world where the threat landscape is constantly changing, however, if prevention is to be an achievable goal, we cannot simply rely on static defences. Our defences need to evolve in line with the ever-changing threats and vulnerabilities we face and the only way to identify these is to act counter-intuitively. We need to challenge our own procedures and attack our own defences. If we do not, someone else surely will.
Using these offensive techniques enables us to validate the capability of our existing responses and, even more importantly, identify areas for improvement. A responsive strategic approach to data security requires constantly updated intelligence which can only be provided by a combination of both automated and manual test and exercise tools. Neither is fully effective without the other. The key is the synergy of the two: we cannot mount an effective defence without employing both the speed and rigour of the automated tool and the agility and ingenuity of the human mind. After all, hackers use both so we must too.
The first essential tool in the attack arsenal is the automated vulnerability test. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through just a handful of these doors, but which ones? To identify where the vulnerability lies you must test each and every door, a task which if done manually would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, this identifies where the potential vulnerabilities are, putting you in a position to accurately deploy the next level of attack tool: penetration testing.
A penetration test effectively opens the doors which have been identified in the vulnerability scan and explores deep into the underlying infrastructure to examine what is lurking behind them. Designed to answer the question: ‘What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?’, it goes to the next level by actively exploiting those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organisation’s IT assets, data, humans, and/or physical security.
More broadly, a full penetration test of an organisation’s infrastructure uses automated tests to lay the groundwork at the start of the process. Expert penetration testers will then put themselves into the mind of potential attackers, exploring and exploiting all opportunities. An individual tester or a team of testers is able to think laterally; they can both analyse and synthesise. As systems become more complex, the ‘attack surface’ continues to grow and the number of potential ways a hacker can gain access is ever expanding, making this technique increasingly valuable.
A properly executed penetration test will determine the feasibility of a particular set of attack vectors. It will identify the higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence. It will identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and will assess the magnitude of potential business and operational impacts of any successful attack.
The scope will depend on the organisation’s drivers, and these will determine the stated goals. These drivers may also influence other aspects of the engagement, such as target selection scope, assumptions, and even funding ceilings that limit the amount of time a test team has to explore. Even highly automated, well-resourced and advanced networks employing sophisticated counter-measure technologies are, while useful as part of the testing process, no match for human intelligence.
Red Team engagement
To continue the analogy of the doors: if pen testing opens the doors to see what is behind them, Red Team engagement goes through the doors and explores the room, the house and the street beyond, getting completely into the mindset of the potential hacker.
The key difference between a penetration test and Red Team engagement is therefore the extent of the scope. So, while a penetration test is often focused upon a key application or system and is scoped following threat modelling, Red Team engagement is fully bespoke and often ‘goal orientated’. This goal will often be: ‘we have this highly sensitive network/piece of data – can you get access to it?’
The Red Team focuses on the objective of the engagement and examines it from many different angles, pulling together a plan of attack using a range of different techniques and abilities. It tests procedural, social and physical components of security in addition to technical controls. Replicating the wider view an actual attack would have, the Red Team uses an adversarial mindset to determine strategy and policy making.
In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques, they seek to gain a foothold, tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.
In addition to a rigorous examination of the organisation’s security controls, Red Team engagement will exercise incident detection, response and management. This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.
Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers and qualified ethical hackers, and includes holders of the Offensive Security Certified Professional (OSCP), the world’s first completely hands-on offensive information security certification. OSCP challenges students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four hour certification exam.
When you combine a best-in-class web vulnerability scanner, updated within hours of new threats emerging and able to be run ‘on demand’, with OSCP-trained, experienced penetration testers, the result is a powerful combination to help stay safe in today’s ever-changing world of cyber threats.
There is no one-size-fits-all solution. The importance of accurate scoping at the outset of the exercise cannot be overemphasised because every organisation faces its own unique challenges in terms of regulations, risks and vulnerabilities. What is more, in a world where data security is constantly evolving in response to new and ever more ingenious attacks, an organisation’s test and exercise strategy needs to reflect this. If your incumbent data security provider cannot demonstrate the required agility, you must ask yourself whether your requirements are being met.
SRM partners with industry-leading vulnerability scan provider AppCheck to deliver both the automated and manual elements of a bespoke test and exercise strategy. SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services. For further information please contact Mark Nordstrom at email@example.com or phone 03450 21 21 51.
Can Decision Cycles help us maintain the initiative in cyberspace?
As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.
For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references). Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.
The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.
Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!
In today’s information environment many of our risks are changing on a much smaller (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.
This presents us with an exciting challenge: if we rely on static policy and processes – and many organisations still do – then we must expect our adversaries to outmanoeuvre us, and our risks to out-evolve our defences.
Where does this take us? Decision Cycle theory gives us a number of areas where we can hard-wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (Technical and Procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we need to understand our own options and their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions is well planned and, where possible, practised. We must also review effectiveness at every level and make the changes that are required at any part of the cycle.
All of this would seem to be common sense… though is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges – then we can mitigate the changing risks.
If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.
This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.
What is Red Team engagement?
By Andrew Linn, Principal Consultant
The news this year has been full of high profile hacks on large organisations. These have included virus and ransomware attacks which have brought notoriety to a number of mysterious hacking groups and their victims: Shadow Brokers captured US National Security Agency (NSA) tools in April, while The Mr Smith hackers breached HBO’s security in August.
Of course, anyone reading the news knows these were not isolated incidents. Other notable attacks included WannaCry ransomware, various forms of Petya malware and Cloudbleed. With ingenuity, intelligence and malicious intent on their side, hacker groups use their collective skills to exploit any weaknesses in an organisation’s cyber defences. So how can an organisation defend itself from the bad guys? By working with the good guys through Red Team engagement.
To counteract the offensive strategies of gifted hackers, you need equally gifted counter-hackers. Red Teaming is not a penetration test; it is more of a philosophy which involves acting as a potential adversary. The Red Team focuses on the objective of the engagement and examines this from a number of different angles, pulling together a plan of attack using a range of different techniques and abilities, and testing procedural, social and physical components of security in addition to technical controls. Penetration testing techniques and skills form one aspect of Red Teaming, but the service goes well beyond that, to the use of an adversarial mindset to determine strategy and policy making.
In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques, they seek to gain a foothold, tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.
In addition to a rigorous examination of the organisation’s security controls, a Red Team engagement will exercise incident detection, response and management. This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.
Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers and qualified ethical hackers, and includes holders of the Offensive Security Certified Professional (OSCP). At SRM, OSCP training is part of our ongoing professional development programme.
It’s not a question of if, but when
Why board level commitment is a vital part of cyber defence
It is difficult to defend against an attacker who only needs to succeed once. Security systems might defend an organisation 99 times out of 100 but faced with a relentless campaign which identifies and targets any cracks, it is almost inevitable that at some point, somewhere, the attacker will succeed.
Data and personal information are valuable commodities and their theft is the most common form of cyberattack. Recent high profile hacks have demonstrated the vulnerability of even very large organisations like TalkTalk and the NHS. These prompted the Government in November 2016 to announce a £1.9 billion investment to help UK businesses protect themselves.
New legislation is also imminent, providing organisations with a robust data protection framework in which to operate. If the hackers are the criminals, these are the laws that the relevant authority (the Information Commissioner’s Office) enforces. Failure to comply with the new Data Protection Bill and the General Data Protection Regulation (GDPR) from May 2018 will result in significantly higher levels of fines. And this has certainly focused the attention of many of the FTSE 350 boards surveyed in the recent Government Cyber Health Check.
The report found that awareness of GDPR is good, with 97 per cent of firms saying they are aware of the new regulation. But levels of readiness vary. 71 per cent said they are ‘somewhat prepared’ to meet the requirements of GDPR but only 6 per cent are confident that they are fully prepared.
This is perhaps not surprising given that only 13 per cent say that GDPR is regularly considered at board meetings. This is dangerous thinking. When it comes to data protection it is simply not reasonable or effective to make it the sole responsibility of the IT department. The same is true of cyber defence. These are board level issues and need to be embedded into the board’s approach.
It is no longer acceptable to simply be reactive; every board should be proactive and include an assessment of the current risk and a review of any potential security issues on its agenda on a regular basis. A security sub-group can effectively manage this vital aspect of the business, but it must have board level endorsement and input. The aim should be to implement a company-wide cyber security strategy which is constantly challenged and reinforced.
Given that the threat landscape is always changing, another essential element of every organisation’s cyber defence should be a strategic plan for the event of a breach. To minimise its impact, swift remedial action is vital. A strategic plan will help to ensure effective business continuity and protect against loss of income and reputation. This plan may include working with Retained Forensics (PFI) experts. Not only can they assist the board in the implementation of a robust and strategic defence, but if (or when) a breach occurs their detailed knowledge of a company’s systems will help ensure business continuity and minimise the damage to finances and reputation.
How a retained PFI can mitigate risks
Government 2017 Cyber Security Health Check reveals many FTSE 350 companies are not prepared