Introducing Curious Frank - Scottish Business Resilience Centre

Introducing Curious Frank: Our enhanced ethical hacking cyber services

5 years ago SBRC (which delivers innovation and preventative services to business) set out to find real innovation that would give businesses accessible, dynamic and confidential cyber services they could not obtain elsewhere. We found it at Abertay University, which provides the only pure Ethical Hacking degree course in the UK, in the form of highly skilled, creative, trusted students. By providing these talented, still-learning students to business at affordable cost, we are also able to support these future professionals financially through their degrees, so it is a win-win. Two years ago Europol named SBRC the second best practice business model in Europe, and the London Mayor’s Office asked the CEO of SBRC to set up a similar model in London. The model is now almost 5 years old and has expanded even further to support the growing demand from the business community.

So what do we offer?

Individual Footprint

In order to carry out a successful spear phishing campaign, hackers gather as much information on their intended target as possible before launching the attack. This allows them to craft individual, realistic and plausible emails in order to trick victims into clicking links or downloading malicious attachments. Our Individual Footprint service replicates many of the techniques used by hackers to discover what information you expose online about yourself. It provides a detailed report on each individual, together with suggestions either to be aware of the information that is publicly leaked or to take action to minimise details you do not want exposed. The report may reveal sensitive information about the target such as work history, past addresses, family members, friends and associates.

Corporate Footprint

A corporate footprint determines how much data an attacker can enumerate for a targeted attack against your company. This forms part of the reconnaissance phase of an attack and could be used to map your network or corporate structure. The assessment searches for public-facing business data, employee data and external-facing computer systems such as email servers or websites; this is the data an attacker uses for spear phishing, further exploitation and gaining internal network access. A corporate footprint allows you to evaluate the risks associated with public-facing information and provides suitable recommendations on reducing possible attack vectors.

Remote Testing

This phase replicates an attempt by an attacker to gain access to your network and systems from a remote location. Without accessing your premises, our consultants build on the information discovered during the Corporate Footprint to see which vulnerabilities could be exploited by an attacker. This exercise highlights an organisation’s ability to defend against attacks on its internet-facing systems, which can be silently exploited by an off-site attacker. A full report highlighting the weaknesses found and suggestions for improved security is supplied.

Internal Testing

An internal security assessment recreates an intrusion attempt either as an external attacker who has already breached the external security perimeter, or as a malicious intruder such as a rogue cleaner or visitor. This includes vulnerability scanning and other on-site services such as port access control and testing for insecure WiFi. The assessment illustrates a company’s resilience to an attack from within its computer network, whilst identifying and offering solutions to existing configuration and system deployment issues.

Web Application Testing

Similar to an External Test, this service examines whether data processed through your online portal is handled securely. It checks for known vulnerabilities and weaknesses that may put company or customer data at risk and offers suggestions for improvement to help protect your data and your customers’ data.

Table Top Exercises

How well would your organisation deal with an ongoing attack? This scenario-based exercise walks your technical and business teams through an unfolding incident to test your response. Who would you contact first? Which members of the team would deal with press statements? Are the actions you plan to take the best way forward?

Awareness Training

Our team of hackers is available to help raise awareness among all staff, from Directors to new Employees, of the threats they face on a daily basis. The sessions include live demonstrations of the techniques used by hackers to steal information and install malware on systems. These sessions have proved popular in the past thanks to the simple and straightforward advice given to help protect users and your business systems.

Security Policy Review

Are your organisation’s security policies up to date and robust? This service reviews your current security policies and offers the latest best-practice advice to help protect your network and users from attack. The service can look at all aspects of your current policies, from acceptable use of social media to password policies, and offer suggestions to improve what is currently in place.

SwiftPass

Users supply us with a list of keywords and an email address, and the software constantly monitors various places on the internet to see where and when these words appear. The service then emails users on a daily basis to highlight the links where their keywords have appeared and also lets them know if it looks like one of their accounts has been compromised. If it has, an email alert is sent to tell the user to change their password as soon as possible. This gives users an early warning that an attacker may have access to one or more of their online accounts and allows preventative measures to be put in place, hopefully before any data is compromised. This low-cost service gives users peace of mind that their accounts are being actively monitored to help them stay protected online.

And what have people said about us?

Business 1 CEO feedback from a small trading organisation – large amount of monthly online transactions equating to £12 million per year

“I am delighted that I had the cyber review carried out, even though it highlighted weaknesses in our system. I had been naively confident before then as we had what I assumed to be very secure systems, particularly relating to personal details and financial transactions. We routinely use an external IT supplier and pay for this ongoing service on a retainer basis. The ethical hackers within one day discovered the following:

- That the software we had been told would encrypt data was not doing so – and never had.
- That our router had not been configured correctly and they were able to breach our system.
- That the most basic system passwords had never been changed since installation by the IT supplier.
- That although our IT supplier told us they had blocked all routine use of USBs, they had not done so and sections of the team were routinely bringing in information on sticks.

As a result of the hackers being on site, I completely changed my confidence in our security. I knew what to question and could show the evidence to our IT supplier. I could talk knowledgeably and hold the IT supplier to account. I am about to ask the hackers to come back again a year on and review it. It showed me how weak our system had been and how careless the IT supplier had been. They were quite taken aback by the evidence I showed them in the report. I was very impressed with the professionalism and attention to protocol the staff from the SBRC showed and the efficient way they went about their business. Their report on their findings was clear and concise and made sensible recommendations to rectify the issues they discovered. I'm much happier knowing that I've mitigated the risk to my business through engaging the SBRC ethical hackers.”

Business 2 CEO feedback from a small company who primarily trades online – financial services sector (members wholly reliant on security of business system)

The Scottish Business Resilience Centre has helped us understand both our physical security needs and our cyber security needs through internal and external assessment. The information gained from these assessments has been invaluable in helping us to better understand and mitigate any risks and to establish systems and policy to improve the security and safety of members’ personal information and the security of our premises as well. A security assessment was carried out by SBRC in August of 2014 to establish the level of protection that existed and remedy any weaknesses. The objectives of this were to review:

- All Security Procedures and Policies, to ensure that employees, contractors and visitors adhere to specific guidance provided within
- The access security of the client’s internal network
- The security of critical network infrastructure and systems, both internal and external to the client
- The overall level of effectiveness and direction of the client’s IT security stance.

We had taken steps to secure the work environment but the steps taken were not yet at a sufficient standard. The scope of the assessment looked at evaluating existing services running on our network and determining which, if any, were unnecessary. It also looked at establishing threats to us, both intentional, i.e. DDOS (Distributed Denial of Service) attacks, and unintentional, i.e. equipment failures. SBRC staff looked at employees’ habits and workspaces to assess the risks posed by things such as password hints, downloading of files from the internet and the locking of systems when away from workstations. Recommendations were passed on to help us better develop policy and procedures to deal with risks, as well as allowing us to better understand what to train staff and volunteers on to prevent these risks from occurring in the future. SBRC staff also assessed the security of the network and our hardware by conducting tests against remote-facing systems from outside the network. This involved probing the network to find the systems contained within and then assessing whether these were vulnerable to any known exploits. The tests were not limited to physical computers but covered all networked hardware, from printers to internal security cameras, as any hardware introduced to a network could open up a basis for an exploit to occur. Findings from this assessment have allowed the IT services provider to patch the exploits that were found where necessary and to remove altogether certain out-of-date functions that the servers held. The third part of the assessment looked at access security; this covered things such as an intruder’s or insider’s physical ability to introduce or tamper with existing infrastructure, an example being a person’s ability to network an unregulated device to free network ports within the office. The risks assessed were reported back to us to allow us to put in place additional measures to mitigate them and to better develop our policies regarding unregulated devices such as laptops and USB devices. In the fourth part of the assessment SBRC staff looked at the configuration of IT infrastructure with us to assess any possible vulnerabilities that existed. Things such as blank passwords or misconfigured user profiles were highlighted in the assessment. This allowed us and our IT service provider to implement changes to further secure our data and systems from possible exploits. The final parts of the security audit looked at policies, data protection and Wi-Fi security. Although we had always advised our colleagues to use strong passwords in everyday use of our systems, a physical policy did not exist. We used the recommendations of the assessment to develop a policy and training for our staff to further back up the existing stance on password complexity. It was also advised that we introduce more data encryption throughout the file system that we currently maintain. Further recommendations on improving Wi-Fi security were also made and acted upon by us to further secure our systems from intrusion. The assessment as a whole has allowed us to take the steps necessary to further improve our ability to secure our members’ information, our own data and our reputable position within the community. Whilst not all vulnerabilities found were critical, the simple application of standard solutions and recommendations to certain problems has allowed us to tighten our security at minimal cost to the business and helped to prevent unauthorised access from within or from outside our premises. We look forward to furthering our involvement with the SBRC to improve our capabilities in securing all aspects of our day-to-day business, physical or otherwise.

Business 3 CEO feedback from a company who trades property online and handles a high volume of personal data

Working with the ethical hackers from the Scottish Business Resilience Centre provided us with digital security information on a number of key business areas. It also provided us with an excellent report of recommendations which led to a number of changes in policy, including how we engage our team on two different sites in online security and training.

We transact property through a website platform and, as such, have a constantly changing business environment with many thousands of properties for sale or rent. The nature of the business means that we handle a high volume of personal data. We asked the hackers to carry out both internal and external testing on the business. We have what I would regard as a strong IT team of 9 capable people, including system developers, coders, network and software specialists, and they had appeared quite confident that we were already doing what was needed to protect our business and customer interests. The hackers were with us for two and a half days. During that time they made some fairly stark discoveries which, in the course of ongoing daily activity, we simply might not have seen and certainly would not have had the time to assess. As CEO I was keen to understand how prepared we were to withstand an external attack but also what more we could do by way of routine backup. The scope of the assessment was limited to online activity and the output then fed into our risk register, which is now regularly considered and reviewed at Board level as part of the Group Audit and Risk Committee agenda. The recommendations report was very clear, as was their briefing on an ongoing basis to our team. They had a naturally inclusive manner and were able to ascertain various findings just from speaking to people about how the business works. The key findings that stood out for me and which we subsequently addressed were:

- User passwords for one area were being stored online – these were discovered by the team, proving they were not secure enough.
- There was poor password hygiene – not an uncommon situation but one of which we were unaware.
- The server had not been updated for some time.
- The main server configuration was redundant and as a result backups were not happening. This was a key risk and something of which I was unaware.
- Patching was badly out of date.

The experience of working with the ethical hackers made me question things far more and ensured a more structured approach to online risk mitigation was adopted. I would strongly encourage all business leaders to engage in this type of activity and use ethical hackers to assess the security and integrity of IT and online systems. The approach of the team from the Scottish Business Resilience Centre was professional, respectful and measured, and any criticism which was generated was constructive and beneficial. The in-house team were delighted to work alongside the visiting team and were extremely impressed with the approach taken. It also allowed other stakeholders, including Board members and member companies, to be reassured that a key business driver, and thus an important risk, was in good hands.

Business 4 Feedback from the Head of IT at a Legal Firm who have used SBRC

Three months ago we asked The Scottish Business Resilience Centre to bring in their ethical hacking and digital forensic students to help us look at our systems, processes and policy. We are an established legal firm and there was a degree of nervousness prior to them attending; however, having been through the process from start to finish, I would recommend them to any company. They are due to come back to us again to review the internal improvements we have made as a result of their report and recommendations. The whole process took three days and in addition we had telephone conversations beforehand and a questionnaire which we completed. At the end of it I received a comprehensive report and recommendations. The students were also available to make the changes and improvements had I chosen that as an option. We hold extremely sensitive data and had recently been through a merger, buying another law firm. This was part of the rationale for having the hacking team with us. I was keen to understand, as Head of IT, how the merger had worked from the perspective of integrating two systems and two sets of data. We also operate across five sites. So we had significant challenges. I had also talked to Mandy before engaging with the hackers and went over exactly what our landscape looked like. We agreed on the data that they would focus on and we chose an external penetration test to see how easy it would be to access sensitive client data. I also wanted to understand more about how employees saw their own internal responsibility for security and adhering to policies. Again, this required quite a high degree of trust on my part, as the report could have been potentially quite sensitive from my own perspective. Actually, the outcome helped us to understand physical and people needs as well as our digital security needs. Despite the fact that I have a permanent on-site team managing all these aspects, there were items that we missed, there were upgrades that the team had bypassed and we had not revisited all routers following the merger. In fact some of the systems we inherited were just not fit for purpose and the report was useful in backing up my own view of this; in fact it led to swifter action as I had the report as collateral for the senior management team.

People

I took the decision to give the students free rein to talk to employees about their understanding of IT security, what the policies were and how they regarded these policies. This was very instructive. The students handled this with maturity and spent time simply asking people casual questions. Not surprisingly given the merger, there were different levels of understanding and it gave us a clear matrix of business and training requirements. I was then able to set in place an annual programme of training as well as a planned programme of technical improvements. People will continue to be one of our largest risks going forward and we are very conscious of insider threat issues. One of the employees actually had all the passwords written down inside her top drawer, so we had a steep hill to climb.

Physical and Processes

Before the pen test I had been very conscious of the team coming in and thought we had done what was necessary to make sure the physical premises were secure. The team were able to gain access to CCTV camera controls very quickly, however, and also to show up which phone lines had not been checked adequately. On some aspects of the pen test I was pleased with how we came out and in that sense it was a positive and reassuring exercise. On other aspects it was a bit frustrating that basics hadn’t been checked: patches and configurations. I also used the process to look at our own crisis management readiness. We were not as ready as we should have been, to be honest. We looked again at offsite storage, access to data, backups and new policies. We also put more from this into our training plan and budget for the year. No company wants to hear that they need more budget for IT, but the people side of it is so important. If we lose one client’s data, we lose our whole reputation.

Mandy Haeburn-Little CEO [email protected] www.curious-frank.com