Elements of a Cyber Security Programme

Intro

A cyber security programme is something on the TV right?

Let's not get into how inaccurately the media portray my fellow hackers... Instead, shall we just say that we come in all shapes and sizes, much like every other profession and vocation on the planet.

In a professional context, a cyber and information security programme is simply an ongoing sequence of tasks that enables you to assess the level of information and cyber security you have and gain assurance that this level is appropriate. The tasks vary significantly depending on the context and requirements of the commissioning organisation. For example, one assurance task could be an assessment against PCI DSS; however, if you have no dealings with card payments, that task is completely inappropriate. Both assessment and assurance tasks are almost exclusively completed by an independent organisation, which helps to prove objectivity in the results and so provides a higher level of assurance. We can help with all elements of your cyber and information security programme.

The following sections describe some of the elements that you could include in a cyber and information security programme. There are almost certainly more activities, and they don't have to be done in this particular order; however, this is a good place to start. The first thing you will want to know is the cost of each of these tasks. Not wanting to be evasive, it is impossible to say without some details about the scope. As always, pick up the phone and call us to chat about the best options for you.

External Penetration Test

Most organisations carry most of their cyber risk from unknown attackers across the Internet. This is solely because of the sheer quantity of potential attackers that you are exposed to when connected to the Internet. An external-only penetration test can be used to start a cyber security programme because it starts with the most prolific threat. If you haven't done much testing before, this is a really good place to start because, in most cases, it's a nice bite-sized chunk to help you get your head around how the process works, what the results look like and what you need to do with the information when you receive it.

Any penetration test is an activity that attempts to break into (or penetrate) a given set of systems. An external penetration test specifies that the systems in-scope for testing are the ones that are exposed to the Internet. Typically this activity just relates to the infrastructure in place to run systems such as email services, VPNs and remote access facilities as well as the servers that run web sites.

Web Application Penetration Test

A Web Application Penetration Test is where we attempt to break into a specific web application. Typically, this is separated from an external penetration test because the web site or application is at least an order of magnitude more complex than the infrastructure that runs it. Splitting the two tasks allows the organisation to correct the problems identified in either task, take a sigh of relief, regroup and move on to the next task.

Web application testing is a different set of actions from infrastructure testing. The core concepts are similar; however, the tools, techniques and procedures are very different. The focus of who is at risk is also usually different: infrastructure tests assess the security of the organisation, whereas web application tests also assess how vulnerable the users of the web application are, and those users are not always members of staff at your organisation.

Internal Penetration Test

Internal penetration tests assess two things: what happens when (not if, because it will happen) an attacker gains access to your internal network; and what happens if an employee turns rogue. It involves probing some, or all, of the systems that live on the inside of your organisation's network perimeter. Often companies have done an "OK" job of protecting themselves from attack over the Internet; internally, however, it is often a completely different story.

Internal penetration tests are usually fairly unconstrained, both in terms of what can be attacked and in terms of what the goal is. It is up to us, the consultant hackers, to work out what is most sensitive and important to the organisation. Don't worry though: we always treat the information we find with sensitivity. For example, we only take the minimum amount of data needed to show the outcomes in our reports, and any such data that does appear in our reports is always anonymised.

These internal penetration tests are the most likely place for interesting "chained" vulnerabilities to be found, which can lead to some significant concerns. A chained vulnerability is where one minor vulnerability leads to another minor vulnerability, which might lead to yet another minor vulnerability, but in total the minor vulnerabilities add up to a big vulnerability.

Wireless networks testing / Network segregation testing

One very important element of cyber security is correct network segregation / segmentation. This is because it is desirable to stop a successful attacker from being able to spread around the inside of your network. This is most effectively achieved by simply separating the network so that it is not possible to communicate with areas for which there is no legitimate requirement. This work is similar to wireless network assessments, as commonly one part of a wireless assessment is proving that it is difficult for guests using your wireless networks to reach the internal network. These two activities help demonstrate defence-in-depth.
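A segregation test in practice is a list of "should reach" and "should not reach" expectations, checked from a given vantage point such as a laptop on the guest wireless network. The script below is an added illustration, not code from this page or its authors: it attempts a TCP handshake to each target and reports any result that contradicts the expectation. The hosts, ports and rules are constructed placeholders, and the connect function can be swapped out so the logic can be exercised without a real network.

```python
import socket
from typing import Callable, Dict, List, Tuple

# A segregation rule: label, destination host, TCP port, and whether a
# connection from the vantage point under test SHOULD succeed.
Rule = Tuple[str, str, int, bool]

# Constructed example rules as seen from a guest wireless client.
# Addresses and ports are illustrative placeholders, not a real network.
GUEST_WIFI_RULES: List[Rule] = [
    ("Internet egress (should work)",      "203.0.113.10",  443, True),
    ("Internal file server SMB (blocked)", "10.0.20.5",     445, False),
    ("Internal RDP (blocked)",             "10.0.20.6",    3389, False),
    ("Domain controller LDAP (blocked)",   "10.0.10.1",     389, False),
]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segregation(
    rules: List[Rule],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, List[str]]:
    """Check each rule and classify the outcome.

    Returns a dict with two lists of human-readable lines:
      "ok"         - results that matched the expectation
      "violations" - a blocked target that was reachable (segregation
                     failure) or an expected-reachable target that was
                     not (usually a problem with the test vantage point)
    """
    findings: Dict[str, List[str]] = {"ok": [], "violations": []}
    for label, host, port, should_reach in rules:
        reachable = connect(host, port)
        target = f"{host}:{port}"
        if reachable == should_reach:
            state = "reachable" if reachable else "blocked"
            findings["ok"].append(f"{label}: {target} {state} as expected")
        elif reachable:
            findings["violations"].append(
                f"{label}: {target} is REACHABLE but should be blocked")
        else:
            findings["violations"].append(
                f"{label}: {target} is BLOCKED but should be reachable "
                f"(check the test vantage point)")
    return findings


if __name__ == "__main__":
    # Real run: uses actual TCP connections from wherever this is executed.
    result = check_segregation(GUEST_WIFI_RULES)
    for line in result["ok"]:
        print("[ OK ] " + line)
    for line in result["violations"]:
        print("[FAIL] " + line)
```

Running the same rule set from several vantage points (guest wireless, a user VLAN, a server VLAN) is what turns this into evidence of segregation rather than a single snapshot; the positive "should reach" rule is there to prove the test host actually had network access, so that a clean result is not simply a dead link.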

External and Internal Vulnerability Assessment

Vulnerability assessments are useful in three circumstances: where budget constraints don't allow for penetration testing at all; to periodically check the vulnerability level of computer systems to make sure obvious holes haven't developed; and where sampled penetration testing is performed because comprehensive penetration testing would be prohibitively expensive owing to the sheer scale of the network.

Performing a vulnerability scan is where specific tools are launched against a target in one of two ways: authenticated or unauthenticated. Authenticated scanning is where the vulnerability scanning software logs into the system and performs a deep search for potential issues, whilst unauthenticated scanning only looks at what problems can be determined from the services that are exposed to the network. Typically, internal vulnerability scans are authenticated and external vulnerability scans are unauthenticated. This is because there should be very little exposed to the Internet that a vulnerability scanner could log into in the first place.

ISO 27001 Compliance Assessment

ISO 27001 is a great tool for organisations in several ways. Firstly, it is a process whereby the challenges of cyber and information security don't get stuck as the sole responsibility of an IT manager or other member of technical staff. Instead, ISO 27001 can create a channel for those technical staff to raise concerns to upper management, who then either formally accept the risks presented or find funding to get them corrected. Secondly, it shows clients that security is being taken seriously and that there are management processes in place to keep on top of it. Finally, it helps organisations recognise the cyber security issues that they are presented with.

This standard doesn't try to delve into the highly technical areas of cyber security; instead, it looks at the management of cyber and information security within an organisation and provides some structure. You might find that this is something you need to achieve really early on in order to get the structure needed for the technical aspects of cyber and information security. However, lots of organisations want it the other way round: they would rather get "greater security" by dealing with the first wave of technical issues and then put in the management structure afterwards to keep the good practices going.

Digital and Physical Social Engineering Tests

These two types of work are where the people at the organisation are put to the test. Instead of working out whether there are technical vulnerabilities, we look at how well members of staff cope with people trying to get them to agree to do things that they normally wouldn't. Examples of physical social engineering could include being let through reception without being challenged by a member of staff, or having someone hold open the back door for you as they go out to smoke. Digital social engineering tests could include a semi-targeted email phishing campaign where all members of staff are sent messages inviting them to click on a link, or a very targeted spear-phishing campaign where you build up a rapport with individuals and get them to open links to malicious web sites, or to open malicious documents they have been emailed.

Build Standard Assessment

To perform a build standard assessment, the assessor takes a copy of a desktop, laptop, server or any other device and looks at the configuration to work out whether it is vulnerable to any known problems. The assessor can then go further, looking at ways of hardening the build so that unknown or future vulnerabilities are less effective. The assessment is performed from many different attacking perspectives, ranging from simple attacks such as theft of the device all the way to how easy it would be for a nation state to spy on its network communications.

Adversarial Red Team / Blue Team exercise

The ultimate exercise is an adversarial red team vs blue team engagement, because the organisation gets to test its incident response strategy and the capabilities of its technical staff. Generally speaking, cyber security specialists don't talk about "if" an attack takes place, but "when". With this mind-set, it becomes very clear why it is important to know how easily technical staff can detect an attack, how they respond to it, and what technical failures there were in terms of forensic capabilities.

General good things we do

For all work we do, unless you actively don't want one, you will get a report and a debrief so you can ask questions from both a technical and a management perspective. We don't want you to ever feel out of the loop about the "dark art" of penetration testing or compliance: if you understand the science, you will be better equipped to deal with it now and into the future.

When performing testing tasks (as opposed to compliance tasks), we always try to exploit what we find, as long as we are confident that we won't cause any disruption. This is so that we are able to assess how serious a vulnerability really is. There may be reasons why exploitation is not possible during a test; the issue will still be reported as a concern, supported by our experience. Unfortunately, there is always an element of risk of disruption in any testing activity: that goes with the territory. We will work with you to make sure this risk is minimised wherever possible.

The above pieces of work only cover the discovery process; actually fixing the issues found can be a huge job depending on how much there is to do and how complex it is. For this reason, the different stages can take anywhere between a few months and several years to complete: it all depends on how keen you are to get things into a good state. It is also possible to combine multiple elements into the same exercise: for example, you might want to perform an internal and external penetration test, a wireless networks and network segregation test, and a digital social engineering test together.