ECSC’s Protect approach is designed to help you identify your security vulnerabilities, assess your risk, and develop an appropriate action plan of improvements to protect your systems. Our testing and assurance services encompass a wide range of technical and non-technical measures to provide a comprehensive picture of your security posture.
Having robust testing in place and regular reviews of your systems, shows your clients that you take your cyber security seriously. Combined with any certifications, you may, need to meet your contractual or regulatory obligations and you will be in a strong position to protect your data.
In our experience, successful testing involves not only the discovery of individual vulnerabilities, but also understanding the risk they present in their specific operational context. To fully understand your risk exposure, understanding what testing you need to undergo is paramount.
What is penetration testing?
In broad terms, penetration testing refers to the practice of adopting hackers' tools and techniques to test your own security and identify weaknesses that could be exploited by malicious actors to disrupt business activities or compromise sensitive data.
Benefits of Penetration Testing
Penetration testing has a number of benefits to help support your security and compliance objectives. These include:
- Detect Vulnerabilities - Allows you to identify and fix security weaknesses before they are exploited by malicious actors.
- Compliance - Security standards such as ISO 27001 or PCI DSS mandate or recommend regular penetration testing. Penetration testing reports allow you to evidence meeting this requirement; in addition, you will also be able to evidence any improvements implemented as a result of testing. This helps you meet your compliance obligations and also avoid any potential penalties.
- Prevent downtime Downtime due to having systems taken off-line by an attack or while an internal incident response investigation is conducted can be extremely costly. Penetration testing allows you to proactively identify vulnerabilities that could lead to this scenario.
- Avoid reputational and financial damage - Any data breach must be reported to the ICO and could lead to a substantial fine under the General Data Protection Regulation 2018, as well as reputational damage. Understanding security weaknesses will help prevent any potential breaches.
Types of Penetration Testing
There are a number of layers to penetration testing but these can be largely categorised as internal or external testing.
Internal testing compromises an approach of manual testing combined with wider vulnerability testing. A manual tests purpose is to identify security weaknesses in your IT systems starting with wired connectivity to your network with the aim to compromise your domain. This is then followed with a vulnerability assessment to identify any security gaps such as missing security patches and system misconfiguration.
External testing can occur both on and off site. The purpose of this test is to identify and comprehensively test points of potential attacks by accessing your internet based systems. The test will identify the vulnerabilities of these systems and inform you of how they can be exploited to gain access to sensitive information.
ECSC can test your internal and external networks, and any other applications, to find security vulnerabilities. The vulnerabilities identified by a penetration test enable you to see the weaknesses in your organisation and target your resources accordingly to prevent a breach in the future.
As well as external and internal testing, penetration testing incorporates multiple types of test with differing objectives and methodologies. The main types are vulnerability assessments, Wi-Fi testing, configuration & device build reviews, web application testing & Mobile Application Testing.
When Should We Carry Out Penetration Testing?
Penetration testing is a 'point in time assessment', providing a snapshot of your security posture at the point of testing. As new security vulnerabilities are constantly being discovered and published, both penetration testing and vulnerability assessments should be conducted regularly. Most security specialists will recommend at least annual penetration tests, though there other factors to consider:
- When was the last time we did a Pen test? If the answer is more that a year ago and there are no ongoing security changes, you should arrange a test.
- We've made changes to our systems, e.g. new/updated software. Any time you make a change to your infrastructure, ECSC advises that a pen test is conducted to ensure you are aware of your vulnerabilities.
- Compliance have set a rigorous testing schedule which is more frequent than annually. Some organisations have business or regulatory obligations to undertake more regular penetration testing. In this case, always follow the schedule provided by your compliance team.
- Penetration testing isn't a business priority. In some organisations, penetration testing isn't high on the list of priorities or factored in to annual budgets. This may make it difficult to arrange testing, but the benefits of the test will far outweigh the costs of any potential breach. See some of the benefits above.
We've all seen how a cyber security breach can cripple IT systems with more stories appearing in the news everyday. It is important that cyber security is taken seriously and that everyone within your organisation is aware of how well the organisation is protected and what measures are currently in place.
Our Cyber Security Review is designed to assess the key aspects of your IT security related infrastructure, processes and technical management capabilities, and balance these against the cyber threats that are most relevant to your business.
Understanding your risks
A myth of cyber security breaches is that organisations are targeted because of what they do, the information they hold and their public profile but in reality it is much simpler. Organisations get hacked because they are vulnerable.
Ask your security team how many potential scans and attacks your firewalls block in a single day. Only once an attacker is inside, do they see what is available for their efforts. The nature of your business will influence the risks you face, however most organisations have similar challenges and related risks.
To truly understand your risks and what a serious breach would entail, it is worth considering the following:
- What systems may be compromised?
- What data could be lost?
- How would the media report such an event?
Once you have an understanding of your risks, a Cyber Security Review can help you prioritise any changes and scope what systems you need to have to ensure robust security.
Cyber Essentials is a UK government scheme which helps you to guard against the most common cyber threats (comprising up to 80% of IT security breaches) and demonstrate a commitment to cyber security.
In order to bid for central government contracts that involve handling sensitive and personal information or the provision of certain technical products and services, Cyber Essentials certification has been mandatory since 1st October 2014.
The five key controls of the scheme are:
- Malware protection
- Secure configuration
- Access control
- Patch management
- Boundary firewalls and internet gateways
ECSC works in partnership with the NCSC and IASME, providing consultancy and certification for both Cyber Essentials (Part 1) and Cyber Essentials Plus (Part 2) accreditation.
Assessing your security
The basic assessment is comprised of a vulnerability scan and a Self-Assessment Questionnaire, which aims to assess the effectiveness of currently deployed security measured.
The self-assessment questionnaire serves two purposes; to gain technical scoping information and to assess the effectiveness of your current security controls.
Cyber Essentials PLUS
Cyber Essentials PLUS is the same as the basic Cyber Essentials Assessment with the addition of a series of on-site technical assessments. The on-site technical assessments are used to verify your answers and ensure you are protected against various attack scenarios.
This extra stage of independent testing gives you even greater peace of mind that your security reaches a certain standard, and is particularly recommended for organisations holding confidential information.
What is Social Engineering?
The weakest link in any organisation’s defences is often its employees. Both technical and process based security controls can be effectively bypassed if someone on the inside is unwittingly co-opted by a hacker who is then able to leverage the victim’s insider knowledge or privileges to advance an attack.
Such attacks involve tricking targets into disclosing sensitive information or carrying out specific actions, often by impersonating legitimate users, internal departments or clients to exploit existing trust relationships. Common attack vectors include email or telephone phishing and spoofed websites, used to capture employee login details or deploy a malware payload.
Types of Social Engineering
There are a number of ways hackers will attempt to gain access to your organisation, some of these are:
- Phishing - tends to be an email that mimics a person or organisation that you know in order to convince you that the source is legitimate. The email will include a link to click, a file to download or ask the person to perform a task which results in confidential data being shared.
- Baiting - usually takes the form of something you want, or need, being offered either via email or peer-to-peer sites in download form. The download then contains infected software which can be used to gain access to your sensitive data.
- Scareware - involves the victim being bombarded with false or fictitious threats. These can take the form of pop ups when searching the web indicating that your computer is infected with a virus. The pop up then suggests that software is downloaded to 'fix' the virus but is in fact harmful spyware or malware.
Social Engineering Testing
Social engineering testing benchmarks your resilience against such threats, testing both staff awareness and the effectiveness of technical controls.
Breaches of information security often comprise more than technical IT security failures, with research showing that almost half of all security breaches have a social engineering element alongside technical means.
We can combine Social Engineering with other forms of testing such as Penetration Testing, to gain a comprehensive overview of both the human and the technical weaknesses within your organisation.
Bespoke Testing Scenarios
Our Social Engineering Testing is designed by Ian Mann, author of Hacking the Human. His extensive experience in the field has enabled him to pioneer new approaches to social engineering testing. This includes the ECSC model of risk assessment, personalised attack vectors, and in-depth results analysis as well as our new service PhishingNet.
Our bespoke approach means direction will always be taken from yourself as to which areas to focus on or avoid. If you haven't undertaken any testing, we would recommend an initial strategy based on general testing with minimal information required in advance.
No matter how effectively you construct a security perimeter, it is likely that certain critical applications have to be visible to facilitate your operations. With the usual time pressures on software developers, and considering that most developers are not security specialists, the focus tends to be on the functionality of the software and not security elements. It is no surprise that practically all software contains holes waiting to be exploited by someone with the right knowledge, tools and intent.
What is a code Audit?
A code audit or code review is the process of analysing and testing your current code to identify and discover any potential security weaknesses, bugs and errors. The investigation can occur in a number of ways: an audit, manual testing or a mixture of both.
The scope of code analysis can be wide, so prior to the start of any assessment, we perform an initial investigation to uncover likely weaknesses, and help you develop an appropriate specification for auditing.
Improving for the Future
As part of our Code Audit service, we can help you construct rigorous code security standards and specifications that you can use to ensure your developers deliver more secure code in future. This can be particularly helpful in outsourced software development situations, as it is a way of ensuring consistency across all your projects, especially in terms of the security standards you adhere to.