Test and Exercise

Why the prioritisation of breach identification and containment are crucial elements of every cyber defence strategy

One of the most significant elements of the current cyber threat landscape is the amount of time it takes to actually detect and contain a breach. In a study published last year by IBM security and the Ponemon Institute, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics were used to assess the effectiveness of an organisation’s incident response and containment processes. The research found that it took an average of 168 days to identify a data breach and 67 days to contain it.

The key problem is that in today’s climate few attacks are aimed solely on an organisation’s external defences. This is because, with data security legislation at the strongest it has ever been, external defences like firewalls and network security are usually reasonably robust. So cyber criminals use more subtle tactics, exploiting human error. If an employee opens a malware-laden phishing email or some deceptive social engineering has enabled an attacker to infiltrate malicious codes, the effects may not be evident for some time. This gives malicious attackers the opportunity to explore and exploit the system from within, delivering even more devastating consequences over time.

Given that the current MTTI metrics show that breaches can remain undetected for an average of five and a half months, this provides hackers with ample time to develop their strategy and exploit the weaknesses they detect. So although it will always be necessary to have robust external defences in place, organisations would do well to push the identification of attacks further up the priority list.

The other issue is, of course, containment. The current MTTC metrics show that the average breach, once identified, takes over two months to be contained. The reputational and financial implications of this delay cannot be underestimated.

While building both an external and internal defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken, and valuable time is not lost.

At SRM, our consultants use their vast expertise to proactively protect systems before an attack occurs. Working with a Retained Forensics specialist facilitates a strategic approach; from analysing potential weaknesses, to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential internal vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses, so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie, including the human element, and helps a business to build an agile defence around them.


To find out more about SRM’s Retained Forensics and Incident Response services contact Mark Nordstrom on 03450 21 21 51 or mark.nordstrom@srm-solutions.com

To receive notification of other blogs relating to issues in the world of information security, follow us on Linkedin.

Or read more from our blog:

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

Three stages to building a robust defence against external threats

Cyber insurance may be null and void with ‘due care’

Pen testing: seeing both the wood and the trees

GDPR and data security in the gambling industry

This article first appeared in the Q3 edition of Casino & Gaming International  (CGi )(www.cgimagazine.com/latestedition) and appears here with their kind permission.

As the implications of the General Data Protection Regulation sink in, Paul Brennecker examines its impact on the gambling industry and explains how it is not simply a compliance exercise but an industry-wide altered mind-set that is the key to effective data security.


The gambling industry has always been a target for criminals, both in reality and in fiction. From The Sting to Ocean’s Eleven and Lock, Stock and Two Smoking Barrels, the world of cinema has long relished the idea of cunning criminals taking on the casino and winning. There is something inherently satisfying about attractive and engaging rogues beating seemingly anonymous gambling enterprises in what is perceived to be an almost victim-less crime. In the fictional world of Hollywood, the inevitable sequels roll out reflecting, probably unintentionally, the reality of the situation: that repeated breaches are increasingly experienced by casinos and gaming enterprises. What they do not necessarily show, however, is the other reality: that in the new era of online gambling the victims are very real. They are the individuals whose personal data is stolen.

Cyber-attacks come in many forms but they can broadly be categorised into those that disrupt operations, such as distributed denial of service (DDOS) attacks, where infected computers flood the network with traffic. There are also those that are aimed at data theft, targeting customer data, especially financial information like credit card details, which can be sold on the dark web or used for identity fraud, and ransomware attacks. This type of credential abuse is particularly concerning in the gaming industry because it leads to loss of reputation and clients transferring their online business to other providers.

Although the adversarial threat is significant, the threat posed by insiders, often trusted employees, can pose an even greater risk to a business. With privileged access employees can intentionally or unintentionally be involved in a targeted breach of data. Staff in the gambling industry have a tendency to switch roles between competitors, requiring a robust ‘Joiners, Movers, Leavers’ process. It also necessitates a heightened awareness of data leakage from within each organisation.


Under the new GDPR framework which became EU law in May of this year, in the event of a data breach, firms can be fined up to 4% of revenue (or 20m Euros, whichever is higher). Since the terms of GDPR were first known, much has been written about it and the impact it has on the way companies manage their data. Yet, there is an important misconception which need to be addressed.

Contrary to current public perception, there is actually no such thing as GDPR compliance. It is a regulation which requires data systems to be safe but it is open to interpretation and provides nothing in the way of detailed guidance. Nor is there an annual review to validate compliance.

On the other hand, the Payment Card Industry (PCI) Data Security Standard (DSS), which regulates the gaming industry to ensure that payment card details are used with best practice and kept secure, does provide a detailed framework which specifies what needs to be done and how. PCI DSS even provides regular updates and guidance on reviews. Those who are PCI DSS compliant are therefore well on the way to meeting the requirements of GDPR. It is the role of Chief Information Security Officers (CISOs), Data Protection Officers (DPOs) and their advisers to work out where the gaps exist to ensure that an organisation adheres to GDPR in practice.

While the PCI DSS compliance process is undeniably useful, it must be likened to an MOT; it only applies to a given moment in time.  One ill-conceived change of control request or alteration to the process can render that compliance invalid. Ongoing testing and maintenance is essential and this is best managed through an altered corporate mind-set which embeds data security at every level of the organisation.


GDPR and PCI DSS complement one another and, if managed holistically, can deliver immense benefits to efficiency and reputation, while also mitigating the potential damage of a breach. But given the fact that PCI DSS compliance simply provides validation of compliance at a given moment in time, the key to data security is not to focus on specific compliance targets, following a tick box exercise once a year, but to develop a corporate mind-set which features a ‘compliance out of the box’ approach and has ongoing updating and maintenance built in.

This altered mind-set requires a company-wide strategy which is developed at board level and then disseminated in practical, simple form to each and every employee or partner of the business. For this to be a realistic goal, the responsibility for data security cannot simply be devolved to the CISO or DPO; nor should it be seen as something which is only in the scope of the IT department. To be truly effective, it is the responsibility of the each and every member of the board to drive and oversee the organisation’s data security responsibilities. Data security should be on the agenda at every board meeting.

Realistically, however, given the complexity of data security and compliance processes, specific ownership will be in the hands of these technically qualified individuals. Yet they will not be able to effectively exert influence at board level unless they are provided with the specialist support and resource. Much like the support provided to the financial department by corporate accountants or the support given to the legal department by specialist legal teams, the CISO needs to have access to specialist data security support to provide strategic guidance and technical abilities to enhance the scope of the operation.


One of the key elements of data security is the development of a robust defence strategy. It is not enough, however, to develop a strategy and build a defence based on what is already known. Cyber criminals are ingenious and exploit not simply known threats and vulnerabilities, but they also have ways to detect those which are not yet known or understood. Those who only use their own understanding to develop a defence will therefore be limited by the extent of their own knowledge. Testing and challenging that knowledge on an ongoing basis is an essential element. This is where a continual programme of Threat Monitoring, Penetration Testing and the use of Retained Forensics comes in.

Threat monitoring is the process of observing the changing nature of cyber-attacks. All commercial websites will be probed for vulnerabilities, initially by automated tools and once something significant is found, a more concerted manual attack may be launched. Having alerts and being set up to monitor the nature of these attacks and countering them is essential for players in the online gaming space.

The next step is regular Penetration Testing, which needs to include both automated and manual elements. After all, the criminal community uses both advanced scanning tools to identify potential areas of weakness as well as the additional sophistication of the human mind to develop and explore these vulnerabilities.

Imagine a room with an almost limitless number of doors. The automated penetration test will identify which doors conceal potential vulnerabilities. The manual tester then prises these doors open and looks at what is behind them.

Taking the analogy a step further, Red Teaming will push the doors wide open and delve and explore into what is behind them. Red Team testers have ethical hacking qualifications from industry respected bodies such as CREST and OSCP and use their sophisticated skills to root around and uncover hitherto unforeseen vulnerabilities.

Armed with this information, the process of closing off potential opportunities for cyber criminals before they are even exposed can begin. In this way a data security strategy can be developed which anticipates vulnerabilities before they are discovered, rather than simply reacting to those which are already known.

These experts will work in partnership with a specialist Retained Team to manage the defence process. In some specialist consultancies the Red Team will also be part of the Retained Forensic capability to help ensure that the process is be an ongoing one, with regular exposure to testing built in. Engaging a Retained Forensics team not only assists in managing a continually evolving the strategic defence but builds in resilience to potential attack.

Given the unrelenting ingenuity of attackers, it is impossible to ever consider an organisation to be immune from attack. The strategy should therefore include detailed plans if this eventuality occurs, particularly for the prompt reporting in the event of a breach. GDPR requires any breach to be reported to the relevant regulatory authority within 72 hours and failure to do so will result in punitive action being taken.

When it comes to issues of business continuity, disaster recovery and containment, having a Retained Forensics team on hand, with a thorough knowledge of the organisation’s systems, means they will be able to manage this process swiftly, thereby limiting any potential damage.

It is also worth noting that not only will the engagement of a Retained Forensics team facilitate the ongoing testing of system security and provide strategic intelligence for effective maintenance and development, it also demonstrates to the relevant authorities that a robust, ongoing process is in place, thereby reducing the level of potential fines.


GDPR should not be considered an encumbrance or an onerous chore. It has been developed to build in safeguards to data security systems protecting both the organisations and their customers from cybercrime. Those who embrace it with enthusiasm, building an ongoing test and exercise regime into their systems, will benefit from enhanced reputation and customer loyalty. Those who make data security the responsibility of all members of the board and who develop a constantly evolving defence strategy can demonstrate to both customers and the regulatory authorities that they take security seriously. They are also in the best possible shape to resist potential attacks, or deflect or reduce the impact of one, making an investment in GDPR and cyber resilience a sound business decision.

Pen testing: seeing both the wood and the trees

If recent well-documented breaches tell us anything it is that even organisations with large budgets and skilled cyber security teams can miss something. In spite of their best efforts, data breaches have occurred in some very high-profile organisations in recent months; damaging their system security, exposing their customers’ data and with it their reputations. This is not because they are not doing their level best to safeguard data. Far from it. It is likely that every ounce of available resource was put into developing and maintaining their online security, knowing how precious it is to the future of their business. So how is it that hackers continue to outsmart these highly resourced teams?

The problem is not with the teams’ experience or depth of knowledge but often with their level of familiarity. The phrase ‘can’t see the wood for the trees’ applies here: sometimes those who are deeply involved in the detail of a project can’t step back and see the bigger picture.

Resident teams may have developed the website from scratch and know every detail of its functionality. They may have been working diligently for some time on safeguarding data and developing defences in line with regulations and reported attack trends. As soon as attacks are reported, patches are brought out and defensive strategies are employed. But what happens when a hacker or blogger devotes some specific attention to the site?  Will they find the one flaw in the emergency change; the one time that input validation was not addressed; the one coding flaw that the designers, too familiar with the code, overlooked?

A fresh pair of eyes, on the other hand, is not hampered by familiarity. An experienced and highly skilled penetration tester will not think like a defender, but rather thinks like an attacker. They don’t focus on where the forest fires have already started but on how and where they could be ignited. They use a synergy of automated tools and manual testing to identify potential vulnerabilities and investigate, explore and develop these in such a way that a high proportion of vulnerabilities can be anticipated and patched before a hacker discovers them. This is because our consultants can put themselves into the mind-set of a motivated hacker by identifying, investigating, exploring and exploiting potentially vulnerable areas so that defences can be put in place before a breach occurs.

A qualified and experienced pen tester also has the advantage of not only seeing your system in its entirety, but of seeing many other systems and many other vulnerabilities. To continue the metaphor: their view extends beyond one specific forest, taking in a bird’s eye view of the many miles of trees and forests belonging to other organisations. From this vantage point they not only see the attack trends as they develop but can anticipate the location of future forest fires.

If a breach does occur, however, evidence of a robust testing programme will mitigate the level of fines imposed by regulatory authorities under GDPR. Furthermore, engaging a Retained Forensics service (working as part of the test and exercise team) provides an organisation with effective and swift mitigation strategies, thereby minimising the potential impact of a suspected or actual attack.

To find out more about SRM’s Test and Exercise team visit our website.

To receive notification of other blogs relating to issues in the world of information security, follow us on Linkedin.

Or read more from our blog:

Cyber insurance may be null and void with ‘due care’

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

Three stages to building a robust defence against external threats

What is Red Team engagement?

Cyber insurance may be null and void without ‘due care’

There is a worrying trend in the world of cyber safety. Many companies believe that cyber insurance will protect against any damage associated with a breach. It is vital that senior board members are aware, however, that if they fail to take reasonable precautions their insurance investment could well be null and void.

Leading business insurer Allianz estimates that the cyber insurance market in Europe alone is on track to be worth nearly $1 billion by the end of 2018, mirroring the rapid expansion of the US cyber insurance market. Although the global insurance industry sees it as a valuable new market full of opportunity they are, predictably, measuring their response with caution.

Cyber insurance has, in the past, been considered a safety net in the event of a breach. But as the incidence of cyber breaches continues to rise so has the level of caution demonstrated by both the government and the insurance industry. In fact, while governments are promoting the cyber insurance market, especially in the US and the UK, they are also using the insurance market as a lever to drive much needed cyber security improvements in the business sector.

According to Phil Huggins, Vice President of Security Science at Stroz Friedberg: ‘Their [the government’s] expectation is that this will align risk assessments with good practice, while incentivising good risk management, thereby reducing the need for direct government involvement and regulation. The recent launch by the UK Government of the ‘UK cyber security: the role of insurance in managing and mitigating the risk’ report is just the latest manifestation of this strategy.’

The strategy is working. Insurers are incentivising behaviours that reduce the potential for harm, including the term ‘due care’. This refers to the precautions ‘a person of ordinary prudence’ would take to safeguard their systems. Demonstrable cyber resilience has become a requirement for cyber insurance and this in turn is driving an increased demand for Retained Forensics.

The essence of Retained Forensics is to develop cyber resilience through the engagement of a small team of industry professionals who are fully briefed about the scope of an organisation’s network and infrastructure. This enables them to:

  • establish, direct and manage a full test and exercise programme;
  • ensure high level management of cyber defences across all network and infrastructure;
  • be on hand and ready to assist in putting the agreed action plan in place in the event of a breach. In this way, the 72 hour reporting element of GDPR will be achievable and the mitigation process will be well in hand before the deadline.

SRM has an international reputation for providing the full range of Retained Forensics services including automated and manual penetration testing, Red Teaming, Incident Management, Disaster Recovery and Business Continuity Management. Through Retained Forensics, ‘due care’ can be demonstrated making an organisation not only less likely to suffer a breach, but able to demonstrate best practice in the event of an insurance claim.

To receive regular updates on issues relating to cyber security follow us on Linkedin.

See our website.

View our recent live webinar Incident Response & Forensic Expertise – would your business survive a cyber-attack or security breach?

Or check out our recent blogs:

The GDPR compliance fallacy

The A to E of cyber maturity

How PCI compliance puts you on course for GDPR



Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

By Paul Brennecker, Principal Security Consultant and Lead QSA

Paul Brennecker gave a presentation at PCI London on 5th July 2018 and this article first appeared in that event’s publication. 

All too often the engagement of a Forensic Investigator is a distress purchase, made at a time of crisis when a breach has already occurred. Yet, waiting until there is a full blown emergency means organisations are missing out on the added value that specialist Retained Forensics professionals can bring.

Forensic Investigators don’t just operate in a crisis. When engaged to provide a Retained service, they can also help to develop a resilient defence strategy. This combines developing and delivering a full strategic cyber defence plan with Incident Response management. Their strategic guidance and practical knowledge enables them to help organisations reduce the level of impact while also meeting legal and regulatory responsibilities in the event of a breach.

In the event of a breach being reported, the Information Commissioner’s Office has made clear that it will look at the level of security in place, as well as the Incident Response strategy when considering the fines it will impose.

With forward planning it is possible to ensure that you get the maximum return for your investment and also secure the service that is best for your business. In business terms, a distress purchase is defined as a purchase made at some critical point, usually during a failure of other unplanned event. This is like buying a plastic cape when caught out in heavy rain: it is unlikely to be the best waterproof nor the best value for money but the purchase was forced by extreme circumstances. Similarly, that present bought in the late afternoon on Christmas Eve may turn out to be the most expensive gift ever purchased.

In today’s cyber security landscape such critical points come, not surprisingly, when least expected. No one can know when a breach or a security incident will take place. One day you are blissfully unaware of its existence; the next you are in a state of crisis with much to do in a very short period of time. This is particularly the case under the terms of GDPR which requires data breaches to be reported within 72 hours. GDPR also requires that you implement robust breach detection, investigation and internal reporting procedures.

One of the first tasks is to secure and contain the breach – a specialist job which can be time consuming and confusing – and for this an industry specialist must be appointed. There are not a vast number of suppliers to speak to. For example, when it comes to a PCI data breach, there are only eight companies in the UK which hold the necessary certifications required by the acquiring banks.

A cyber mature organisation knows that it is not enough to simply be reactive, however. Their aim is to anticipate the critical point and to scope, develop and implement a company-wide cyber security strategy which is constantly challenged and re-enforced. This type of strategic plan will help to ensure effective business continuity and protect from loss of income and reputation.

Working with a Retained Forensics specialist facilitates this strategic approach; from analysing potential weaknesses, to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie and helps a business to build a robust defence around them.

The world of cybercrime does not stand still, however, and so defences must be continually reviewed and challenged to ensure they are as up to date as possible. So, although PCI compliance for example, is a vital annual check, it does not claim to guarantee that adequate defences are in place all year round. A more resilient strategy therefore uses a regular Test and Exercise programme to keep the process agile and responsive.

Where it is advisable to go a level deeper, organisations can also consider Red Team engagement. Red Teaming is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This enables organisations not only to identify where a potential attack might take place but also builds in a level of resilience by identifying where potential future vulnerabilities may lie.

The mature organisation works with Retained Forensics to scope the requirements of their business, making it possible to manage the whole process in a timely and cost-effective manner. While building a robust defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to stage an event, to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken and time is not lost.

A Retained Forensics team will also undertake the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. Not only will they have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies; all of which will already be in line with the requirements of GDPR. In this way any damage and disruption will be swiftly minimised and mediated.

Given the benefits of engaging a Retained Forensics service, it is perhaps surprising that some still overlook it, simply engaging a Forensic Investigator when compelled to in the event of a breach. The reason for this is perhaps that the challenge of managing third parties to achieve and maintain the various data standards and compliance is ever increasing, meaning that the procurement of services to assist in the event of a data breach is often overlooked.

Those who plan for the worst while hoping for the best, however, reap significant benefits and have the time to engage with a professional Retained Forensics service before a crisis occurs. By planning ahead, they ensure that they get the maximum return for their outlay and also secure the service that is the best for their business.

SRM Blog