Friday 8 June 2018

Battle Plans - 5 Missions to Prepare for a Cyber-Attack

Written By Will Lambert

Credit -

In my previous blog post, (The Human Element) it was discussed that Security Awareness Training was widely accepted as the best answer to the question of social engineers. Yes, social engineering is now, and will be for some time, the weapon of choice within a cyber criminal’s arsenal, but it must not be forgotten that the cyberspace domain has a wide variety of weaponry and tactics available to adversaries.
As an organisation, you will need to prepare for all cyber artillery at an adversaries’ disposal. I will illustrate the Top Five Missions, which form the Operation - Cyber Security Training. This Operation is essential to an organisation in fortifying defences in advance of a cyber-attack.

1.      Senior Executive / Board Level Security Training

Mission Objective: Top Brass to Champion Cyber Defence.

Similar to any military organisation, the direction of defence will be set by the senior leadership team. Administrating effective training to your top brass, your Generals, Admirals, Air Chief Marshals, will be invaluable in strengthening a businesses’ resilience to cyber-attacks. Board Level Security Training should explain effectively to a senior management team why they need to take the threats presented from the cyber domain seriously. Showing where appropriate, real life examples of how cyber attacks disrupt business, how common tactics, techniques and procedures (TTPs) in use by cyber attackers have had both short and long term disastrous effects. Stumped business growth due to obliterated customer trust after businesses have lost vast amounts of consumer data, just one of the many reasons the top brass should champion cyber defence in your organisation

Mission Reward: By getting the correct message at the top, senior management will allow reasonable, proportionate and effective preparatory works to bolster your cyber stance. A leader leads by example, not by force.

2.      Security Awareness Training
Mission Objective: Ready the Front-line Troops for Battle

Your users, regardless of rank or position, will need to be aware of the risks associated with IT systems. You may well have various walls, fences, and access controls (firewalls, email protection, ACLs) at your disposal to aid in the defence of the realm, but battles are rarely won with perimeter defences. The boots on the ground, those on the front-line who make decisions at the time of attack are key in preventing the battle in the first place - effective Security Awareness Training will aid in this critical decision-making process of your front-line troops. Ready the troops through equipping them with the knowledge of dangerous attack vectors and how to protect themselves, and subsequently the business from social engineers, vishing, phishing, malware, etc. Through this knowledge transfer, your troops will be able to prevent an attack from realisation in the first instance. According to Verizon's 2018 Data Breach Investigations Report, 90% of cyber-attacks begin with phishing, but not all troops are aware of this common attack. It will take only one soldier to fall for a phishing email to undo all of the in situ perimeter defences.

Mission Reward: Lowered risk of successful attack through imparting knowledge to boots on the ground of common attack vectors and how to shield against them. Know your enemy, know his sword.

3.      Secure Code Training
Mission Objective: Instil Pride and Confidence in Your Insignia

Think about any digital product you build, own, or at least place your mark upon. Whether they be applications, websites or any other software, they will carry your brand. Regardless of coding  language, if the code which has written the digital asset is not secure, it could be vulnerable to attack. Similar to aircraft or warship construction, you will need to train the engineers who subsequently build, secure, and then lastly review the final product for vulnerabilities. Secure Code Training will heighten the skills of developers in recognising vulnerabilities in code, ensuring that your digital assets are resistant to attack. The number of software vulnerabilities in code can be reduced, but never eliminated. This is due in large to the play off within the CIA Triad - the Confidentiality, Integrity and Availability of your product will come down to what you want your aircraft to do. Your aircraft can be tremendously stealthy, heavily armoured, extremely fast but not all three at the same time. Don’t forget, as with any good adaption of any software development methodology, Secure Code Review by external validators must be included to provide an extra layer of assurance. It is your insignia on these assets, if it gets shot down, your brand will be damaged. Depending on the magnitude of the attack, perhaps irreparably.

Mission Reward: Secured products are less vulnerable to attack, thus protecting your brand. Prevention is better than the cure.

4.      Incident Response Plan Training
Mission Objective: Develop Your Immediate Action Drills

Unfortunately, no matter what you do, some attacks will still penetrate your defences. Immediate Action drills are used to define what your troops, including your top brass, should do when under attack. Cyber attackers have a wide variety of weaponry they can leverage against you. The use of different weapons will require different responses or Immediate Actions (IA) on your part. IAs to a Malware attack will differ from IAs in response to a Distributed Denial of Service (DDoS) attack. Incident Responses should be carefully considered, with a full appreciation of handling an attack from its conception (preparation, detection and analysis), through the handling stages (containment, eradication and recovery), to the conclusion (post incident review, lessons learned). Your senior leadership will need to know what role they play in handling a cyber-attack, especially with regard to crisis communications, both internal and external to the business. When under attack, the chain of command can be disrupted with miscommunication across the net running rampant. We have seen examples of this in recent months, due to the of lack of preparedness for a cyber-attack, or even underappreciation of the level of damage a cyber-attack can inflict on a business. Collectively, these IA drills are referred to as the Business Continuity Plan (BCP).

Mission Reward: Developed IA drills prepare a business in advance of a cyber-attack. In times of peace, victory is paid for in sweat, courage and preparation.

5.      Incident Response Testing
Mission Objective: Field Training to Test Your IA Drills

There are 6 methods you can use to field test your BCP:

1.         BCP Walkthrough
The most basic form of Incident Response plan testing. This focuses on simply reading the BCP in its entirety to ensure it is complete. A simple sanity check  to ensure there are no fundamental shortcomings.

2.         Read-Through Checklist
This tests for successful recovery. Usually performed in conjunction with a walk-through, its aim is focused on ensuring an organisation can acquire relevant resource upon which successful recovery is dependant.

3.         Structured Walk-through
The structured walk-through test is usually performed with a single team; it allows for individuals who are more knowledgeable about systems and services targeted for recovery, to be tested for deeper understanding. Any noticeable omissions, gaps, assumptions, technical missteps, etc. that would hinder the recovery of business systems will be unearthed.

4.         Simulation Test / Walk-through Drill
A simulated disaster is posed to the team with which they must respond and go through the motions of recovering the business. By far the most popular version of field training for most organisations – this type of testing requires representatives from most, if not all areas of the business, not just team leaders. This field exercise is designed to stress test your BCP, linking in other elements like the Business Recovery Plan, Disaster Recovery Plan and Crisis Communications Plan.

5.         Parallel Processing
Used in environments where transactional data is key. Typically, this test will involve the recovery of systems at an alternative site, by use of backups. In this type of testing, the primary site is not affected, and end clients should not notice any difference during the switch over which occurs as part of the BCP test.  

6.         Partial / Complete Business Interruption
Highest dependability test of all. This type of test involves initiating your BCP if your primary facility was unable to function. All business functions will cease at the primary site, provoking the business to regroup to an alternative site (if available), or recover systems at the primary site to BAU standard.

Mission Reward: Fortify your BCP through exposure and remediation of weakness in your IA drills. Most battles are won before they are fought.

Operation – Cyber Security Training - Summary
This Operation is essential for any organisation to defend, detect, deter, and recover quickly from cyber-attacks. The training should take the best format possible – face-to-face. This format permits students to question and become immersed in the training, allowing maximum understanding of the weaponry, TTPs and IAs pertinent in domain of cybersecurity.

"It is an unfortunate fact that we can secure peace only by preparing for war."
John F Kennedy

Tuesday 5 June 2018

The dust has settled, the world hasn’t ended, but what next?

GDPR – For some it will have felt like a bit of an uphill battle, but now the dust has settled, the world hasn’t ended, what happens next? Read on for 4 steps that’ll make sure you’re not caught out…

As he dusted off his laptop and prised open the lid, David racked his brain to remember his password. No surprise there, David always struggled to remember, but after two weeks off it felt more like Mastermind than a familiar series of letters, numbers and special characters! Five, six, seven attempts and he was in! He was a bit nervous, sweaty-palmed in fact. That familiar feeling of trepidation he got when returning to work after a long break. What surprises awaited him? Had Jeanne from Accounts remembered to pay his supplier invoice? Had Russell the Marketing Intern emailed the entire database by mistake? But this time it was different, it was more than that… because David was the company’s new Data Protection Officer!

A cursory glance at his inbox revealed that the endless procession of Privacy Statement emails had dried up. There were no emails marked urgent from the GDPR Taskforce that David had headed up before jetting off on his holiday, and even a pat on back from his boss. A job well done. David breathed a sigh of relief, he’d done it. The GDPR deadline had passed, and the world hadn’t ended! Phew! So, we can all go back to our day jobs now, right? Or so David thought…  

It’s safe to say that David won’t have been the only one returning to work a little nervous, after the deadline. It’s also safe to say that he won’t be the only one who’s now thinking, job done. With so much focus on the 25th May and the relief to get it all done, you could almost forgive him (almost). But what next? The truth is, that the job has only just started. GDPR is ongoing and the UK Data Protection Act is only just around the corner. Compliance needs to be managed, monitored and maintained, which is no mean feat!

It’s important to remember though, that amongst all the scaremongering and big brand faux pas, the regulation has the data subject’s interests at heart and it’s the safety of their data that the overriding principle looks to protect, so it’s well worth the effort. The regulation isn’t designed to restrict business, but instead empower it to better protect customer data. Data Privacy Impact Assessments allow companies to document and assess their risks, the obligation to train staff on a regular basis will reduce the amount of human error leading to data breaches. The need to demonstrate your commitment to Information Security may include increasing the amount of manual penetration testing the follow-on actions will reduce your vulnerabilities, lessening the likelihood of breach through hacking.

You can be sure that despite all these best efforts, there will be eagle-eyed journalists up and down the country with their pens poised (or should that be tablets twitching), ready to report on the first big brand that falls from grace, with gusto. So, what can you do to make sure it’s not your brand name in the media spotlight? That it’s not your reputation being dragged mercilessly through the tabloids?

These 4 steps will go a long way to ensure it’s not you.

1.   Check you’ve got the basics right      
Whenever there’s change to process and procedure it’s always best practice to review whether they have been a success. Have all changes been implemented? Communicated to all the relevant staff members? Do those staff members understand them? Are they being followed? And are you documenting this to demonstrate to the regulator? It sounds obvious, but you’d be surprised how many organisations don’t.

2.   Are you set-up to manage GDPR?     
There are a whole host of activities that need to be performed on a regular basis. Whether that’s process led, such as Data Subject Access Requests, reporting of data breaches, or action led such as testing for vulnerabilities, or tracking network access and behaviour, or training led such as regular basis security awareness training to make staff members aware of the latest threats to your data security. Governance including regular reporting are key here. Do you know what ‘good’ looks like? How will you know whether you are succeeding? Have you set GDPR objectives? And are they SMART? Are you reporting against them, if yes, then who do they get reported to? Can searches for structured and unstructured data be done within 28 days? Do you have the frameworks in place to track all of this and drive continuous improvement? If this all sounds a bit daunting, then that’s because it requires commitment and dedicated resource. It’s a lot of work but ultimately these are essential to remaining compliant… and with the wealth of services out there to help there will be no excuses for the ICO, should they ever come knocking.    

3.   Have you really changed?      
So, you’ve checked your deliverables for day one and things look like they are all working. You’ve even set up regular reporting and have some frameworks in place to make sure there is some Governance, but have you really changed? The most effective way to embed change is by changing business culture itself… it’s also the hardest to achieve! But there are ways that you can address this. Do you really have buy-in at the most senior level? Leading by example goes a long way. Are you going to carry out regular risk assessments? Is the Senior Management team part of your Governance process? Do you have regular (not yearly, but quarterly) training for existing staff and new starters? Do you reward positive behaviour relating to Information Security? These are just a few ways that you can start to change your businesses DNA and your overall security posture. 

4.   If you have really changed (or are starting to), well done! Now how about a business standard?

You’ve seen the light (and your business has too), and together you are embracing GDPR and ready to reap the rewards that come with improved data security and Governance. Psttt (don’t tell everyone) … you now have the chance to turn this into a competitive advantage.  There are plenty of business standards out there that look great on a company’s CV (ISO 27001 or BS 10012, for example). And you can bet if you’re doing ISO 20071 you are doing GDPR, and a lot more. You can choose to align to these standards and shout about it to your clients, suppliers etc… but the real value comes when you are fully accredited. Yes, there’s a cost attached to this, but it is sure to set you aside from some of your competitors and could be the deciding factor that clinches your next big deal.