Making Cyber Security Assurance Relevant

Rarely a day goes by without cyber security being in the headlines. Over the last decade there has been a steady stream of stories of organizations being compromised by cyber criminals, hacktivists and hostile foreign states. The internet brings as many risks as it does opportunities. Barriers to entry for would-be hackers are low; malware tool-kits reduce the technical ability required to conduct hacking attacks, allowing relatively unskilled hackers to conduct damaging attacks. In parallel, states use cyber attacks to gain deniable access to the networks of foreign governments, corporations and militaries to steal secrets and intellectual property for their own political, commercial, economic and intelligence gain.

Ticking the Box

For the last decade or so the majority of organizations, particularly those across the financial sector who typically have a more mature cyber security posture, have regularly conducted penetration testing. Penetration testing involves ‘ethical hackers’ probing the defenses of corporate networks, looking for vulnerabilities in infrastructure and applications which could be exploited to allow access. Such tests are a necessary pillar of security assurance testing, but they are widely viewed as a commodity. In fact, not all penetration tests are the same. The tools used and the skill level of the individuals conducting the tests vary widely, and price should not be seen as the only differentiator. A test is an opportunity for organizations to better understand risk, not simply a security box-ticking exercise. The problem is that while penetration testing is necessary, it shouldn’t be seen as a silver bullet to keep hackers out. It certainly is helpful in identifying security issues, but it only stops attacks via the vectors tested; if attackers aren’t seeking to exploit those vectors, the value is limited.

CBEST of Breed Testing?

A recent initiative in the UK led by the Bank of England has attempted to raise the value of testing. The CBEST scheme (pronounced ‘see best’) seeks to get UK financial institutions to carry out tests that reflect the techniques being used in real-world attacks. The testing methodology was agreed by CREST, a non-profit which provides guidance and standards to the UK technical security industry, in consultation with penetration testing companies and suppliers of threat intelligence. The STAR (Simulated Targeted Attack and Response) tests attempt to replicate the attacks being aimed at the financial industry by using tools and techniques seen ‘in the wild’.

The change in thinking comes from the fact that many compromises nowadays do not stem from hackers (regardless of motivation) exploiting vulnerabilities in infrastructure. Indeed, the vast majority of targeted attacks carried out by state attackers begin with an email. The email will contain social engineering to convince the target to click on a link or open an attachment, giving the attacker remote access. That individual may be the target of the attack, or it may simply be that the attackers are getting a ‘foot in the door’, from where they escalate their privileges to access data anywhere on the network. It makes sense that the tests reflect threat actor activity.

The scheme still has shortcomings, of course. It relies on threat intelligence companies getting a complete view of threat actor activities, which is difficult to achieve. It also relies on penetration testing companies being able to replicate these attacks accurately and fairly; it would be easy to use more advanced tools to ensure defenses can be evaded. Compromising a network demonstrates the skills of the tester and allows for greater revenue-generating consulting opportunities. The Bank of England and CREST must ensure that accredited companies operate within the spirit of the scheme.

Knowledge is Power

While the IT department and security specialists have their role to play, countering the damaging effects of a cyber attack starts by understanding your critical data and the motivations of the various threat actors potentially trying to steal or damage it. Cyber security is no longer an IT problem, but rather a business issue. The IT department will not necessarily know about mergers and acquisitions, bids for contracts and negotiating positions, or IP in development, but the board will.

Protecting data doesn’t start with a penetration test. It starts when the organization looks at what data is critical to the business and what data others might wish to steal; the two are not necessarily the same thing. Understanding where sensitive data is stored, who generates it, and how it is processed will help determine how best to protect it. The board should clarify whether those without a valid ‘need to know’ have access, in order to quantify the insider risk, and should question whether third parties have access. Will the data be sensitive for the long term (intellectual property, for example) or the short term (contract details)? This may change the way the data is handled and the protections applied to it. Would competitors or foreign states benefit from stealing the data? Is there evidence of hacktivists looking to damage the company’s reputation?

Knowing the threat actors helps you understand the types of attacks you may be subjected to, and the sophistication level and vectors of those attacks. That will help the business prioritize relevant testing. Threat intelligence and participation in information sharing groups, especially those focused on a single sector, will help inform the business of evolving threats and may even provide signatures of attacks which can be detected and disrupted before impact occurs. Those who share the most tend to receive the most.

The New ‘Business as Usual’

Cyber-attacks are here to stay, and no amount of law enforcement effort, legislation or international agreements will stop them. Organizations must learn to treat attacks as a business risk, deal with compromises as part of their regular business processes, and apply the same rigor to protecting data and understanding threat actors in the online world as they do in the physical world. Technology has its part to play, but it is the business that must drive the security assurance agenda and invest in resources to make testing relevant.

Article contributed by Rob Sloan, Cyber Thought Leadership, Dow Jones.