Test and Exercise

Incident Response & Forensic Expertise Webinar – Would your business survive a cyber-attack or security breach?

As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, do you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach?

Watch this recording of the informative webinar where Alan Batey, Head of the SRM forensic team, takes you through:

  • What is a retained Incident and Forensic response service?
  • Why do organisations need it?
  • What is the impact of not having it?
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A

To view, click this link.


The A to E of cyber maturity

In a recent report, the Philippine government’s Department of Information and Communications Technology (created in 2016) outlined a scale of cyber resilience based on an A to E grading system. With ‘A’ being the most robust in terms of cyber security maturity and ‘E’ being the weakest, it placed the Philippines in class D. The reasoning behind this grade is that the country reacts to attacks using only the tools and technologies already available. It does not proactively seek out vulnerabilities and exploit them to ascertain the extent of a weakness. Nor does it deploy cutting-edge strategies or prepare the process of remediation to address issues ahead of time.

This reactive approach is not limited to the Philippines. Far from it. In fact, these same principles can be applied to a frightening number of organisations across the globe. Those who simply react are always behind the curve, attempting to patch and mitigate the impact of attacks on an ad hoc basis. An immature organisation focuses simply on prevention and regulatory compliance but with limited co-ordination, using basic technology and simple configurations.

In contrast, those with cyber maturity demonstrate their vigilance by employing a proactive strategy rather than simply waiting for a breach to occur. So what are the characteristics of cyber maturity?

  • To begin with, in a mature organisation, cyber security is not seen as something that should be done, but is already embedded within the fabric and culture.
  • Information and cyber security is not the responsibility of an overstretched CISO, who reports only to the head of the IT department. It is in the hands of a CISO who is well resourced, supported and who exerts confident influence at board level.
  • Information security policy and testing is documented and has a formal structure, using automated tools, regularly scanning systems and web applications to identify any vulnerabilities in a proactive way.
  • A mature organisation has built-in enterprise security technology architecture and strict focus on incident prevention, detection and response; regularly undertaking advanced and manual penetration testing to uncover weaknesses in the ever-changing scope.
  • Business Continuity and Disaster Recovery Planning are integral to a mature organisation, together with the associated training across all staff, not just those within an IT or infosec department.

Our recent blog post on the topic of the NHS’ response to WannaCry highlights a ‘work in progress’ but certainly an admirable move towards cyber security maturity. Their plans centre around Test and Exercise methods, and are inclusive of annual Red Team Engagements to push their plans to the limits and ensure complete peace of mind.

SRM’s Test and Exercise (T & E) team works with organisations of all sizes and types to achieve cyber maturity. With wide experience in other areas of information security consultancy, the T & E programme is not conducted in isolation but within the wider context of a client’s business activity. Every project is bespoke and our team includes consultants who are CREST ethical security testers as well as those with the Offensive Security Certified Professional (OSCP) qualification. Additionally, we often work with CISOs and organisations to develop and implement proactive, robust and innovative T & E plans.

For more information on our T & E team, visit our website.

See a recording of our webinar: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?

Or see our blog:

What we can all learn from the NHS response to WannaCry

Three stages to building a robust defence against external threats

Cyber resilience: it’s a board level issue

Webinar Wednesday 30th May 3pm: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?

Register for the free SRM webinar here.

As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, it is time to question if you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach.

Join us for this informative free webinar where Alan Batey, Head of the SRM forensic team, will take you through:

  • What is a retained Incident and Forensic response service?
  • Why do organisations need it?
  • What is the impact of not having it?
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A.

Register for the free webinar here.

What we can all learn from the NHS response to WannaCry

To be truly resilient against potential attacks, it is not enough to simply look at patching the last one, but to anticipate the next. When commenting on the news that the NHS had not fared well in the recent round of cyber security checks, Matt Hancock, Secretary of State for Digital, Culture, Media and Sport summed up the issue.

He said on BBC Radio 4 last month that ‘The NHS has made improvements since the WannaCry attack last year, but one of the challenges in cyber security is that the criminals and the malicious actors who are trying to harm our space are moving fast, and you have to run to stay still. You can’t just make one update, you’ve got to constantly be updating’. NHS cyber security chiefs described their existing practices as ‘relatively unsophisticated’, and admitted that 88 of the 236 trusts that were assessed by NHS Digital failed to pass the required cyber security standards.

In spite of the negative publicity surrounding the event, the report did state that WannaCry’s lasting effect would have been significantly more widespread, had it not been so quickly disabled. With this issue front of mind, the Former Chairman of NHS Digital still blamed ‘a lack of focus and a lack of taking it seriously’.

So what actions are in the pipeline in order to safeguard the UK’s health service? Of course, every hospital authority will be ensuring that all software update patches are installed, after this proved to be the crippling weakness of the 80 trusts affected in last year’s cryptoworm attack. The majority of trusts had acted on this but the hesitation came from the potential implications and disruption to other IT and medical equipment.

Along with praising the initial response, it should be said that the robust plans going forward are setting the bar for others to follow. A cyber security ‘handbook’ is being issued to all employees, along with ongoing staff training and development; bringing the issue to the forefront and ensuring that everyone has their part to play.

Robust Incident Response, Business Continuity and Disaster Recovery plans are soon to be in place, reducing disruption to operations even further in the event of an attack. These are to be reviewed and updated annually, in line with industry best practice. They will work in tandem with both an annual ‘cyber incident rehearsal’ and Red Team-style engagements using ethical hacking teams that will consistently carry out both manual and automated penetration testing against NHS networks. Finally, this links to their plans to appoint a CISO, after recognising that cyber security is indeed a board level issue and should be dealt with as such, as soon as possible.

It is these key practices that businesses across the globe should be looking to adopt into their next information security strategies. If your organisation is looking to mirror the proactive efforts of the NHS, SRM’s specialist solutions encompass the full scope of the governance, risk and compliance agenda. The trusted partner of government agencies, high street brands and SMEs alike, our bespoke and consultative approach enables our clients to achieve peace of mind.

To discuss how our services can help you stay safe in cyberspace, contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or 03450 21 21 51. Or visit our website.

Read more:

Three stages to building a robust defence against external threats

How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks

Three stages to building a robust defence against external threats

The news has been full of concerns that foreign powers are using state-sponsored hacking as a means to undermine the infrastructure of other nations. While it is irresponsible to scaremonger or imply that all UK organisations are at risk from a targeted hostile cyber security campaign by state-sponsored hackers, it is worth every organisation taking a moment to imagine how it might fare if it were indeed attacked, and using these principles to guide its defence strategy.

At the outset, however, we must consider what we are being told. In an unprecedented joint statement last week the US Department of Homeland Security, the FBI and the UK National Cyber Security Centre warned of malicious cyber activity orchestrated by state-sponsored Russian hackers who are targeting everything from network infrastructure devices to social media and even small businesses.

In November 2017, in a speech in the defence resource debate in the House of Lords, dot com entrepreneur Martha Lane Fox, who now sits in the Lords as Baroness Lane-Fox of Soho and recently joined the Joint Committee of National Security, quoted the academic John Naughton. His theory of modern warfare discusses the use of hacking as a weapon against an enemy society, identifying Russia, China and to a lesser degree North Korea as the nations most threatening to our security.

Of course, for most organisations, it is not an international super power that threatens their security, but reward-orientated hackers looking for financial gain or valuable intelligence. The same principles, however, apply whether defending against a Russian state-sponsored hacking campaign, an organised criminal hacking outfit or a lone individual.

Firstly, the only way to build a robust defence is to identify an organisation’s weaknesses and vulnerabilities. This is done through advanced penetration testing, using a synergy of automated testing, to identify potential vulnerabilities, and manual testing to exploit and develop those weaknesses so the gaps can be plugged.

Secondly, to go a level deeper, organisations should consider Red Team engagement. This is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This enables organisations to not only identify where a potential attack might take place but also builds in a level of resilience because the Red Team will identify where future vulnerabilities may lie.

The third level of defence is perhaps counter-intuitive: it is to plan for a successful attack. Where a Retained Forensics team has been engaged, through the process of developing robust defences, they will be completely familiar with a system and, as an aspect of this, will be able to develop a strategy in the event of defences being breached. This will include the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. In this way any damage and disruption will be swiftly minimised and mitigated.

SRM has an unrivalled reputation in all aspects of Test and Exercise and Retained Forensics as well as delivering Red Team engagement. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mind-set of a genuine hacker.

For more information on SRM’s Penetration Testing, Red Team and Retained Forensics services contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or 03450 21 21 51. Or visit our website.

Read more:

How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks

Penetration testing: man vs machine

What is Red Team engagement?