Most organisations have either a regulatory or an industry requirement to do penetration testing on an annual basis, or whenever a significant change happens to their environment. While this is considered good practice, the coverage of the test usually includes the technology infrastructure, both external and internal. The remaining question is: how many organisations test their own people?
In today's world of beefy technological security solutions, penetrating the external perimeter (in the traditional model) is much harder than it was in previous years. The same applies to cloud services. As a result, attackers have focused their attacks on people, who, as you may know, are the weakest link in the security chain; such attacks include spear phishing and the like.
Businesses understand this, but regardless they have not invested in protecting people with security controls such as security awareness training and targeted security training per job role, e.g. CEO-specific training or bank-teller-specific training. Failure to do so opens doors for attackers.
So next time you do a penetration test, make sure you include testing of the people; this can be a social engineering test performed by a specialised organisation. While these tests can be done once a year, organisations are encouraged to have internal tests done at least quarterly, to keep people in a defensive mindset and aware that security attacks can happen at any time and that they are the ones targeted the most.
Incident Response (IR) is the decision that separates having your business go under from resurfacing after a few hours.
Most organisations have an IR plan shelved somewhere collecting dust. The IR plan is good to the extent that it can be shown to auditors as a compliance tick box, but not to the extent of saving the business when the time comes to do so.
We have heard many stories on the internet and on the front pages about data breaches; the most prevalent theme is the gap between the time of the breach and the time of its discovery, that is, the time when the incident actually happens (when the attacker breaches your systems and takes up residence in them) and the time when the organisation actually discovers that the breach happened. Organisations take a long time to detect breaches, and when they do, they cannot get their IR plan running as expected. This boils down to the fact that the IR plan has not been tested on a frequent basis (not annually :), it needs to be more frequent than that).
IR coordination activities should not be managed by the cybersecurity department alone; they need to be organisation-wide and should include senior management (CxO officers), public relations, business units, IT and the cybersecurity department.
My 2 cents: organisations need to do the below when it comes to IR.
– Draft an IR plan which includes all the critical business units.
– The IR plan should have a communication plan and assign the ultimate decision maker, e.g. the CEO, CIO or another C-level executive.
– Test different scenarios, e.g. state-sponsored attacks, physical attacks, insider attacks, etc.
– Test more than twice a year (not table-top exercises, actual war games).
– Improve your plan once tested, from the lessons learned.
I am a PCI QSA. Part of a PCI assessment requires assessing the physical security controls for systems; this includes, but is not limited to, visiting facilities such as data centres and computer rooms where the CDE is hosted. I have had a good share of visiting these data centres and computer rooms. I have seen the best physical security controls, from acoustic wire, bomb shelters, shatter-proof windows and mantraps inside mantraps, down to computer rooms locked with a key that is not under any dual control. While most data centres are secure by design, the service offerings from these data centres are also standard, including dedicated suites, shared halls and shared cabinets (yes, don't open your eyes that wide), and some other companies will basically say "my systems and data are in the cloud" (where? AWS. Yes, but where? I don't know, let's ask our account manager).
Organisations, e.g. merchants and service providers, who have systems hosted by third-party co-location providers may or may not understand the offering in detail; the security department may not be involved in the decision making, or the client may have no idea what the data centre security looks like from a physical security point of view. It is worth visiting it.
- Dedicated suite: this is where the whole suite is dedicated to one organisation.
- Security controls like CCTV and access control are pretty tight.
- Shared hall: this is a shared space where a bunch of racks from different customers sit together.
- What to look out for: how the cabinets are secured. Some are secured with a keyed padlock, others with a combination padlock, others with both, and I have even seen fingerprint readers.
- Sometimes CCTV is not installed on the aisle, for fear of seeing clients' systems? How? I don't know.
- Organisations should understand the co-location services offered.
- Should visit the data centre if
- The security department should be involved in making decisions when selecting security controls.
- It is best to have controls such as frequent (quarterly) auditing, including checking the inventory, and automated security controls to check for system tampering and whether any physical devices have been plugged in at the data centre.
The UK National Cyber Security Centre (NCSC) has published the 10 Steps to Cyber Security (originally published by CESG) in 2012. The 10 steps are basic security controls that organisations can use to build a security programme as a minimum baseline.
The ten steps are built around the risk management regime and are as follows.
- Network security
- User education and awareness
- Malware prevention
- Removable media controls
- Secure configuration
- Managing user privileges
- Incident management
- Home and mobile working
While these may seem very basic and something every organisation should already have in place, you would be surprised how many organisations, small and large alike, do not have these controls in place.
From experience, most organisations do not have mature security programmes, and they want to make a big jump without starting with the basics! The proper way is to start small and build up the security programme, and it should be a top-down approach, which is why the 10 Steps to Cyber Security start with the Risk Management Regime, which should be driven by senior management.
To explore more, visit https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security