Test and Exercise

The Industrial Revolution v4.1: with increased opportunity comes increased vulnerability

If history teaches us one thing it is that there is no going back. It started with the First Industrial Revolution which used water and steam power to mechanise production. This was followed by the Second which used electricity and the Third which used electronics and information technology. With the Fourth Industrial Revolution we have seen a fusion of digital technologies, the use of the Cloud and extensive data management. But arguably we are now entering an additional phase which includes the integration of physical devices, vehicles, home appliances embedded with electronics, software, sensors, actuators and connectivity, sometimes known as The Internet of Things. This is the Industrial Revolution v4.1.

This new era of technological revolution presents unprecedented opportunities for innovation, diversification, agility and cost optimisation. Yet with these increased opportunities also comes an increased level of vulnerability.

The latest report by Kaspersky (2018) provides some statistics around the global cost of data breaches, revealing that the average business now spends 27 per cent of its IT budget on cyber defence. This investment is essential given the financial losses likely to be incurred in the event of a breach.

In addition to the direct cost of a breach in fines and lost revenue, the report shows that for larger organisations the damage goes deeper: an average loss of $144,000 from a damaged credit rating and higher insurance premiums, plus an additional $113,000 spent on public relations to repair and rebuild the brand afterwards.

We must therefore also ask ourselves how organisations can defend themselves and be resilient to the inevitable attacks. There are four key areas:

1. Testing: Penetration Testing, combining automated and manual testing to investigate and explore vulnerabilities and identify potential areas of weakness; Red Teaming, using the skills of highly qualified individuals to simulate a real-world attack, designed to assess the suitability of the current security programme and offer remediation advice where appropriate;

2. Disaster Recovery: taking a strategic approach to managing staff in the event of a successful attack, minimising damage to brand reputation and safeguarding the interests of key stakeholders;

3. Retained Forensic Remote Support: having access to a specialist team 24/7, 365 days of the year to provide professional, pragmatic and strategic support in the event of any type of incident, enabling organisations to focus on maintaining business as usual;

4. Business Continuity: developing a Business Continuity Management (BCM) plan which is applied consistently across the entire enterprise and backed by senior management. This makes a significant difference to the organisation's ability to achieve a high level of cyber resilience, protecting financial and reputational assets.

SRM provides the full range of these services using the integrated specialisms of highly-qualified and experienced consultants. Working with organisations to enhance their data security and to demystify the threat landscape, our team brings market-leading knowledge with a first class service.

To receive regular blogs on topics relating to information security, follow us on Linkedin.

To find out more visit our website.

Or read more:

The flaw in the plan: business continuity management

Penetration testing: man vs machine

What is Red Team Engagement?

The A to E of cyber maturity

How phishing scams are getting schools into deep water

While many schools are concerned about the advent of the General Data Protection Regulation (GDPR) and what it means for the collection and holding of data, permissions and consent, they may be overlooking its key purpose: to keep data safe. This is particularly relevant at a time when schools are increasingly becoming targets for cyber criminals. According to recent research by specialist schools insurer Ecclesiastical Insurance, 20 per cent of educational establishments have been targeted. While universities, on the whole, are better equipped to defend against attacks, schools are significantly more vulnerable, due largely to the ‘soft target’ presented by teachers and parents who are ill-equipped to deal with online fraudsters.

The report concludes that naivety is a key problem, with many school communities still largely unaware of how cyber criminals operate. This has very real implications for the safeguarding of data and children and, by extension, for adherence to GDPR. Security around social media is a particular problem, providing potential attackers with detailed information with which to bait their phishing hooks.

Common attacks include phishing scams, where individuals are tricked into providing information which allows criminals access to the school system. Data theft is sometimes the goal: children’s medical records, for example, are reported to be lucratively traded on the Dark Web, providing details for fraudulent official documents. Sometimes, however, the intention behind the attack is purely financial, with emails requesting payments and providing links to rogue websites. A related scam, known as ‘whaling’, targets finance directors or bursars, who are conned into transferring thousands of pounds into fake accounts.

Private schools are particular targets due to the high fees and in 2017 Insurance Times reported a scam where parents were sent fake emails which conned them into sending fee payments into the criminals’ account. In these instances, private schools are particularly at risk of damaging their reputations.

Yet in institutions which trade in education, it is education regarding online safety that is the main problem. No matter how effective the online security strategy, it is the human element which most commonly leads to system breaches. Continuous education, including awareness and training programmes, needs to be in place to reduce the risk.

A key element is education around social media. Schools and educational trusts should prioritise providing strict guidelines for social media postings and other forms of publishing, because phishing expeditions frequently start with social media. Attackers use the information posted online to send relevant-sounding emails which create the impression of legitimacy, encouraging people to open and act upon them.

Phishing scams also enable attackers to gain access to internal school systems. While these may be well defended on the perimeter with firewalls and access restrictions, a simple phishing exercise can con individuals with limited access into divulging credentials or further information. Once inside the system, cyber criminals may encounter little in the way of additional defences.

Phishing scams and social media are just one element of the problem facing schools. There are many important aspects to adhering to GDPR and building a robust online defence and we will be posting further blogs on this topic. If you wish to receive these please follow us on Linkedin.

Incident Response & Forensic Expertise Webinar – Would your business survive a cyber-attack or security breach?

As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, do you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach?

Watch this recording of the informative webinar where Alan Batey, Head of the SRM forensic team, takes you through:

  • What is a retained Incident and Forensic response service?
  • Why do organisations need it?
  • What is the impact of not having it?
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A

To view, click this link.


The A to E of cyber maturity

In a recent report, the Philippine government’s Department of Information and Communications Technology (created in 2016) outlined a scale of cyber resilience based on an A to E grading system. With ‘A’ being the most robust in terms of cyber security maturity and ‘E’ the weakest, it placed the Philippines in class D. The reasoning behind this grade is that the country is reactive to attack, using only the available tools and technologies. It does not proactively seek out vulnerabilities and exploit them to ascertain the extent of a weakness. Nor does it deploy cutting-edge strategies or prepare for remediation ahead of time.

This reactive approach is not limited to the Philippines. Far from it. The same principles can be applied to a frightening number of organisations across the globe. Those who simply react are always behind the curve, attempting to patch and mitigate the impact of attacks on an ad hoc basis. An immature organisation focuses simply on prevention and regulatory compliance, with limited co-ordination, basic technology and simple configurations.

In contrast, those with cyber maturity demonstrate their vigilance by employing a proactive strategy rather than simply waiting for a breach to occur. So what are the characteristics of cyber maturity?

  • To begin with, in a mature organisation, cyber security is not seen as something that should be done, but is already embedded within the fabric and culture.
  • Information and cyber security are not the responsibility of an overstretched CISO who reports only to the head of the IT department. They are in the hands of a CISO who is well resourced, well supported and who exerts confident influence at board level.
  • Information security policy and testing are documented and formally structured, using automated tools to scan systems and web applications regularly and identify vulnerabilities proactively.
  • A mature organisation has a built-in enterprise security technology architecture and a strict focus on incident prevention, detection and response, regularly undertaking advanced manual penetration testing to uncover weaknesses in an ever-changing attack surface.
  • Business Continuity and Disaster Recovery Planning are integral to a mature organisation, together with the associated training across all staff, not just those within an IT or infosec department.

Our recent blog post on the NHS’s response to WannaCry highlights a ‘work in progress’ but certainly an admirable move towards cyber security maturity. Its plans centre around Test and Exercise methods, and include annual Red Team Engagements to push those plans to their limits.

SRM’s Test and Exercise (T & E) team works with organisations of all sizes and types to achieve cyber maturity. Drawing on wide experience in other areas of information security consultancy, the T & E programme is not conducted in isolation but within the wider context of a client’s business activity. Every project is bespoke, and our team includes CREST-qualified ethical security testers as well as consultants holding the Offensive Security Certified Professional (OSCP) qualification. We also work with CISOs and organisations to develop and implement proactive, robust and innovative T & E plans.

For more information on our T & E team, visit our website.

See a recording of our webinar: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?

Or see our blog:

What we can all learn from the NHS response to WannaCry

Three stages to building a robust defence against external threats

Cyber resilience: it’s a board level issue

Webinar Wednesday 30th May 3pm: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?

Register for the free SRM webinar here.

As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, it is time to question if you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach.

Join us for this informative free webinar where Alan Batey, Head of the SRM forensic team, will take you through:

  • What is a retained Incident and Forensic response service? 
  • Why do organisations need it?
  • What is the impact of not having it?
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A.

Register for the free webinar here.

SRM Blog