The recent April 2018 Trustwave Global Security Report reveals new global trends in the world of cyber hacking; most notably a move away from smaller high volume point-of-sale (POS) hacks in favour of more sophisticated attacks on larger service providers and their corporations’ head offices, using phishing and social engineering. Attacks on corporate and internal networks increased by 7 per cent to 50 per cent. Within the corporate or franchise networks, the most common cause of compromise was phishing and social engineering which accounted for 55 per cent of attacks.
Perhaps even more alarming, however, is the reported number of breaches instigated by ‘insiders’. The latest Verizon Data Breach Investigations Report (April 2018), found that 25 per cent of all attacks are perpetrated by insiders who intentionally allow access to systems, or exploit systems themselves, for reasons of financial gain, espionage or simple misuse.
So, how can an organisation protect itself from phishing and social engineering? Or from malicious insider threats? A short term strategy would be to establish systems which regularly monitor and provide alerts in the event of attack. In this way, at least the organisation will have early warning if an issue occurs. But it is rather like bolting the stable door after the proverbial horse has already bolted, leaving a swathe of chaos, financial loss and reputational damage in its wake.
Where breaches are accidental, a strategic approach would include education. This is particularly important when social engineering and phishing attacks often target all levels within a company, including junior staff, hoping to gain data on more senior staff. This is sometimes seen as ‘CEO fraud’ which tricks senior executives into authorising fraudulent financial transactions. Everyone within an organisation must be aware of the potential risk of accidentally divulging sensitive information.
To develop a level of resilience against phishing and social engineering attacks, however, a more aggressive form of defence should be an integral aspect of any defence strategy. This would include a robust test and exercise programme, which uses a synergy of automated and manual penetration testing to identify vulnerabilities and explore these to identify specific areas of weakness. Using this approach, with the right professional guidance, an organisation will be able to anticipate and build in levels of protection.
When a breach is deliberately engineered by an organisation insider, however, these steps may not be sufficient. Given that the insider has access to privileged information about a system, they are in a unique position to develop and exploit undiscovered potential weaknesses. This is where the Red Team comes in.
Red Team engagement provides real-world attack simulations, designed to assess and significantly improve the effectiveness of an entire information security programme. This is achieved through a combination of simulated social engineering attacks; both physical and technical, as well as network and application attacks developed specifically for an organisation and delivered by highly trained ethical hackers. The benefit of this approach is that it allows organisations to validate their protection, monitoring and response solutions.
SRM has an unrivalled reputation in all aspects of Test and Exercise as well as delivering Red Team engagement. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mindset of a genuine hacker.
To find out more about SRM’s Test and Exercise services (including Red Team) visit our website.
See a recording of our webinar ‘GDPR: the roles of manual and automated penetration testing’
Or see our blog:
Or contact Mark Nordstrom at firstname.lastname@example.org or on 03450 21 21 51.