Test and Exercise

Free live webinar: GDPR – the roles of manual and automated penetration testing

15:00 – 15:45 Thursday 8th March 2018

Have you tested to check your GDPR compliance?

A key aspect of GDPR compliance is demonstrating that your systems are secure. Penetration testing is a vital tool but with automated and manual tests both available which best serves your purpose?

In this 35 minute webinar, with time for questions, co-hosted with AppCheck, SRM’s Test and Exercise expert Andrew Linn outlines how a structured synergy of both will deliver the optimum result.

The webinar will cover:

  • The crucial role of automated testing
  • Automated and manual testing synergies
  • The manual component
  • Beyond the penetration test

There will be a live Q&A at the end and Andrew Linn will answer any specific questions relating to your business or sector.

How to register

The live webinar is at 3pm on Thursday 8th March and is free. You are simply required to register your attendance via this link:

https://register.gotowebinar.com/register/1342453508719907585

 

If prevention is to be an achievable goal we cannot rely on static defences

SRM is at the PCI London event in London on 25th January, presenting on The Synergy Between Automated and Manual Penetration Testing. 

How a responsive Test and Exercise strategy requires the synergy of both automated and manual testing to keep pace with a constantly evolving threat environment

Prevention is undoubtedly better than cure, particularly in the context of a potentially damaging data breach. In a world where the threat landscape is constantly changing, however, if prevention is to be an achievable goal, we cannot simply rely on static defences. Our defences need to evolve in line with the ever-changing threats and vulnerabilities we face and the only way to identify these is to act counter-intuitively. We need to challenge our own procedures and attack our own defences. If we do not, someone else surely will.

Using these offensive techniques enables us to validate the capability of our existing responses and, even more importantly, identify areas for improvement. A responsive strategic approach to data security requires constantly updated intelligence which can only be provided by a combination of both automated and manual test and exercise tools. Neither is fully effective without the other. The key is the synergy of the two: we cannot mount an effective defence without employing both the speed and rigour of the automated tool and the agility and ingenuity of the human mind. After all, hackers use both so we must too.

Vulnerability testing

The first essential tool in the attack arsenal is the automated vulnerability test. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through a just a handful of these doors but which ones? To identify where the vulnerability lies you must test each and every door; a task which if done manually would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, this identifies where the potential vulnerabilities are, putting you are in a position to accurately deploy the next level of attack tool: penetration testing.

Penetration testing

A penetration test effectively opens the doors which have been identified in the vulnerability scan and explores deep into the underlying infrastructure to examine what is lurking behind them. Designed to answer the question: ‘What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?’, it goes to the next level by actively exploiting those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organisation’s IT assets, data, humans, and/or physical security.

More broadly, a full penetration test of an organisations infrastructure utilises the value of automated tests to lay the groundwork at the start of the process. Expert penetration testers will then put themselves into the mind of potential attackers, exploring and exploiting all opportunities. An individual or team of testers are able to think laterally; they can both analyse and synthesise.  As systems become more complex, the ‘attack surface’ continues to grow and the potential number of ways a hacker gains access is ever expanding, making this technique increasingly valuable.

A properly executed penetration test will determine the feasibility of a particular set of attack vectors. It will identify the higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence. It will identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and will assess the magnitude of potential business and operational impacts of any successful attack.

The scope will be dependent on what the drivers are for the organisation and these will determine the stated goals. These drivers may also influence other aspects of the engagement such as target selection scope, assumptions, and even funding ceilings that limit the amount of time a test team has to explore. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies, while useful as part of the testing process, are no match for human intelligence.

Red Team engagement

To continue the analogy of the doors: if pen testing opens the doors to see what is behind them, Red Team engagement goes through the doors and explores the room, the house and the street beyond, getting completely into the mind-set of the potential hacker.

The key difference between a penetration test and Red Team engagement is therefore the extent of the scope. So, while a penetration test is often focused upon a key application or system and is scoped following threat modelling, Red Team engagement is fully bespoke and often ‘goal orientated’. This goal will often be: ‘we have this highly sensitive network/piece of data – can you get access to it?’

The Red Team focuses on the objective of the engagement and examines it from many different angles pulling together a plan of attack using a range of different techniques and abilities. It tests procedural, social and physical components of security in addition to technical controls. Replicating the wider view an actual attack would have, the Red Team uses an adversarial mind set to determine strategy and policy making.

In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques, they seek to gain a foothold; tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.

In addition to a rigorous examination of the organisation’s security controls, Red Team engagement will exercise incident detection, response and management.  This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.

Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers, qualified ethical hackers and includes holders of the Offensive Security Certified Professional (OSCP) the world’s first completely hands-on offensive information security certification. OSCP challenges students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

When you combine the benefits of a best in class web vulnerability scanner updated within hours of new threats emerging, able to be run ‘on demand’ and OSCP trained experienced penetration testers it’s a powerful combination to help stay safe in today’s ever-changing world of cyber threats.

Conclusion

There is no one-size-fits-all solution. The importance of accurate scoping at the outset of the exercise cannot be overemphasised because every organisation faces its own unique challenges in terms of regulations, risks and vulnerabilities. What is more, in a world where data security is constantly evolving in response to new and ever more ingenious attacks, an organisation’s test and exercise strategy needs to reflect this. If your incumbent data security provider cannot demonstrate the required agility, you must ask yourself whether your requirements are being met.

SRM partners with industry-leading vulnerability scan provider AppCheck to deliver both the automated and manual elements of a bespoke test and exercise strategy. SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services. For further information please contact Mark Nordstrom at mark.nordstrom@srm-solutions.com  or phone 03450 21 21 51.

Shipping news: how to manage a ransomware attack

Disproving the idea that there is no such thing as bad publicity, the shipping company Clarksons is doing its level best to limit the PR damage caused by a recent ransomware attack. They have so far done an admirable job, demonstrating that transparency is key in the early days of a breach.

Firstly, the world’s largest ship broker has admitted to the fact that the breach has taken place and that data is soon to be released. Secondly the company has clearly setting out the steps they are taking to minimise the potential damage. They have announced that they have taken immediate steps to manage the incident and are working with specialist police and data security experts. The initial investigation has shown that unauthorised access was gained via a single and isolated user account which has now been disabled.

At the moment, the exact extent of the data stolen is unknown but, having refused to pay a ransom to the hacker who carried out a criminal attack on the company’s computer systems, a large scale leakage of private data is to be expected.

In the short term, the company has been hit by the announcement. Shares in Clarksons fell by more than 2 per cent, despite the company’s insistence that the hack would not affect its ability to do business. In the longer term, however, their diligent and principled stance should stand them in good stead. Hiding a breach from the media and even more importantly, those who have potentially been affected, is much more damaging in the longer term. Consider Uber’s recent exposure for having tried to cover up a large scale breach.

Issues of cybersecurity are now at the forefront of most board agendas. The imminent enactment of the EU General Data Protection Regulation (GDPR) in May is bringing the issue into even sharper focus. Under the terms of GDPR and the proposed UK Data Protection Bill, fines will be significantly higher if an organisation is considered to have been negligent in the event of a breach. Investments in providing support and resource to Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is now considered a cost-effective investment.

Yet in today’s digital and commercial landscape even the best-resourced companies will be prey to this type of criminal attack. The most important thing is to recognise this probability and ensure that a proactive approach is taken to both defence and, in the event of an attack, incident response.

A robust defence will include an expert scoping of the system which identifies gaps in compliance and security. This is likely to include advanced penetration testing as well as retained forensics. Having a cyber security specialist involved in the correct mapping and identification of data means that, in the event of an unforeseen attack, they have the knowledge and capability to minimise and mitigate the effect of the incident swiftly. As the Clarksons incident demonstrates, the ability to deploy an immediate response is an important element of damage limitation.

For more information:

Retained forensics

GDPR

Disaster recovery

Or see some of our blogs:

What is Red Team engagement?

It’s not a question of if, but when

US statistics warn of new trends in cybercrime: how retained PFI can mitigate the risks

What is Red Team engagement?

By Andrew Linn, Principal Consultant

The news this year has been full of high profile hacks on large organisations. These have included viral and ransomware attacks which have brought associative notoriety to a number of mysterious hacking groups and their victims: Shadow Brokers captured US National Security Agency (NSA) tools in April while The Mr Smith hackers breached HBO’s security in August.

Of course, anyone reading the news knows these were not isolated incidents. Other notable attacks included WannaCry ransomware, various forms of Petya malware and Cloudbleed. With ingenuity, intelligence and malicious intent on their side, hacker groups use their collective skills to exploit any weaknesses in an organisation’s cyber defences. So how can an organisation defend itself from the bad guys? By working with the good guys through Red Team engagement.

To counteract the offensive strategies of gifted hackers, you need equally gifted counter-hackers. Red Teaming is not a penetration test; it is more of a philosophy which involves acting as a potential adversary. The Red Team focuses on the objective of the engagement and examines this from a number of different angles pulling together a plan of attack using a range of different techniques and abilities; testing procedural, social and physical components of security in addition to technical controls. Penetration testing techniques and skills form one aspect of Red Teaming but the service goes well beyond that; to the use of an adversarial mindset to determine strategy and policy making.

In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques they seek to gain a foothold; tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.

In addition to a rigorous examination of the organisation’s security controls, a Red Team engagement will exercise incident detection, response and management.  This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.

Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers, qualified ethical hackers and includes holders of the Offensive Security Certified Professionals (OSCP). At SRM OSCP training is part of our ongoing professional development programme.

 

How poor data-stripping can expose organisations to Spear Phishing attacks

A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.

This survey comes at a time when the number and extent of breaches continues to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations will do well to include data-stripping in their information security defence strategy or risk being unknowing victims of a sophisticated breach.

In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. During this process, metadata was retrieved which betrayed key information about the people who created the files, when they did it, and the version of the software and machine which they used.

This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.

Emails are then sent out which appear to the majority of recipients to be authentic. But they contain booby-trapped attachments. In some cases, the virus code that attackers bury in the malicious attachments can lurk until it hits the device used by a particular target.

This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they will have access to company sensitive information or records as well as direct online access to the real targets. Sometimes even passwords are secured this way and all this happens long before any breach is discovered. Emails requesting information will not in these instances be seen as suspicious and once armed with details a range of criminal activities can be undertaken from re-directing payments to the criminals’ bank accounts to demanding ransomware payment from the organisation itself.

It is, of course, wise to include meta-searching for information from website files and stripping out data as part of routine security. While it is policy in many firms to do so, however, there is not always the due diligence and process to do it. A public information search can, however, be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system. If included in the scope, meta-searching and data-stripping can ensure that the company’s digital footprint leaves no traces for potential hackers to exploit.

Bespoke Penetration Testing

SRM Blog