Sector: Insurance

Client Challenge

As an insurance company, operating across three continents, the client was having regular security incidents involving the compromise of user desktop and laptop devices. These were being caused by a combination of user behaviour and weaknesses in IT management.

Although the client engaged with ECSC security consultants to understand the root-causes of these incidents and to improve internal processes, they also wanted to improve the speed of response to incidents.

The client had already purchased a vendor log collection and alerting system. However, this was being managed by a single person, so response to alerts was dependent upon that single person's working hours - not satisfactory when cyber security breaches can lead to loss of personal data. Reasonable progress had been made on the logging system configuration, although too many alerts were being generated for the client to be able to correctly identify the most important events.

In addition, where an internal security issue was uncovered, the response required (usually to isolate the device from the network) was again dependent upon IT teams that didn't cover 24/7/365.

ECSC Solution

Although in most cases, ECSC's technologies offer significant security functionality and cost benefits, in the instance where a vendor solution has only recently been purchased, its retention can make sense. In this case, the existing vendor system was also on ECSC's Select Vendor List. This means that ECSC has extensive experience in its configuration, and will continue to support it from the ECSC Security Operations Centres (SOCs) in the UK and Australia.

ECSC helped to improve the configuration of the vendor logging solution, and integrated it into the ECSC SOCs 24/7/365 monitoring, alert and response systems. This meant that the client received significantly less alerts, as ECSC engineers only highlighted significant events that needed investigation.

Where ECSC delivers a 24/7/365 monitoring and alerting solution, escalation to the ECSC incident response team normally only happens infrequently, in response to serious issues that cannot be managed by the client's own IT (or security) function. However, for this client, with regular user device compromises, a pre-agreed incident response to access the network and isolate compromised devices was put in place.

This meant that rapid response to incidents could be carried out 24/7/365 by the ECSC SOC Engineers without having to wake an on-call engineer within the client's organisation. If this happened during the night or weekend, devices were then secured, with communication to the relevant IT support desk for the start of their next working day.

In addition to alerting, reporting, and incident response to support the client technical teams, ECSC also delivered regular senior management briefings to help the leadership team understand the current security issues, and root-causes. This was an important communication to gain management support for ongoing cyber security improvements.

Key Benefits

  • 24/7/365 SOC monitoring and incident response
  • Vendor system integrated with ECSC technologies
  • Custom incident response to isolate compromised internal devices
  • Consultancy support to identify root-causes and reduce repeat incidents

Sector: Public Sector Service Provider

Client Challenge

Among our clients, it is reassuring to find that cyber security is increasingly becoming the responsibility of the most senior level of the business. Of course what our clients are finding is that cyber security is also becoming a priority to their own clients, with many insisting they comply to a range of standards before they can be considered as a potential supplier.

In this instance, a mid-sized public sector service provider, dealing with a number of public sector contracts, needed to achieve CE certification to meet specific assurances for a number of clients before they could make a coveted pre-approved supplier list.

This organisation had limited IT resource and certainly no cyber security team to understand exactly what was required of them; what they did understand was that their competitors, as early adopters to the CE scheme, were gaining market advantage by demonstrating their cyber security protection.

ECSC Solution

Cyber Essentials projects are generally quite short, tailored to the size of the organisation. The main focus is on cyber security breach prevention, and doing sensible things that are known to work. It doesn't normally involve significant investment in new security systems and never requires additional staffing.

A focus on the external Internet firewall uncovered significant vulnerabilities associated with systems that shouldn't have been exposed to potential hackers. This was a good example of IT 'making it work', without knowledge of the security implications. These weaknesses were corrected, with an appropriate firewall configuration quickly developed by ECSC and implemented.

As most CE clients have not undertaken in-depth cyber security penetration testing, they are often unaware of technical vulnerabilities. The CE requirement for vulnerability scanning is a great starting point to show where technical weaknesses are present. The remediation of these vulnerabilities usually involves the introduction of a more rigorous approach to system patching and secure system configuration. This process helps the IT team understand the importance of these processes in breach prevention.

Further analysis also showed many legacy access controls, with previous users retaining access with weak password controls. These were quickly corrected, as ex-employees can pose a significant risk.

Through introducing these controls, the senior management team started to understand the importance of the improvements, and appreciated the cost-effective approach of CE. They are now looking at a wider ISO 27001 certification programme, to give wider control of information security. This will help with their future GDPR compliance and open up further sales opportunities.

Key Benefits

  • Achieving a standard to support sales expansion
  • Giving increasing confidence to existing customers
  • Raising levels of cyber security protection
  • Gaining management support and increasing understanding

Sector: University

Client Challenge

A university invited organisations to quote to carry out a penetration test. The university had put together an initial scope of work stating their expectations for the exercise.

Universities have thousands of student users who require access to their network, in addition to hundreds of employees and support functions requiring varying levels of access, and multiple and remote users, meaning they are faced with a huge task when it comes to their cyber security. Their networks need to be accessible for long hours and, because of the nature of their student user-base, unusual activity is hard to pin-point.

As part of the initial project, ECSC conducted some research into the university and found data containing vital contact information for 3000 users, including phone numbers and email addresses, accessible to anyone from the Internet. This was alarming for our tester to discover, knowing the implications from an access perspective; however, is not unusual for large organisations.

The university chose ECSC to carry out their penetration test based on the quotation and ECSC's long standing security credentials. Having worked with a number of UK universities to help improve their cyber security, meant we had a greater understanding of their network complexity and user needs.

ECSC Solution

Penetration tests are carried out by an accredited security tester according to a scope defined by the client; we helped the university to further refine the scope of their testing project and developed an understanding of their specific network complexities.

ECSC carried out further investigation, using the previously acquired contact details to conduct a 'Brute Force attack' against multiple external portals. The sheer number of usernames already available gave our tester a high chance of gaining access; the ECSC tester gained access easily to an account where the privileges were then escalated. Full control of the university network was then gained, including access to over 100,000 hashed passwords. The hashes were put through a password cracking process and within the allocated testing time over 60,000 were cracked.

Had this easily exploitable vulnerability been identified by a malicious attacker rather than in the course of a penetration test commissioned by the university, the resulting reputational damages, financial losses and fines imposed by regulatory bodies could have been catastrophic. The remediation activity required to reduce the risk of this happening included:

  • A review of information storage, process and access rights
  • Putting protective measures in place regarding access to contact information
  • Educating users on the use of more complex passwords
  • Re-testing to ensure remediation activities have been effective

ECSC continues to work with the university to improve their cyber security posture. By developing a relationship with this client we help to ensure the most effective use of budget and prioritise areas of improvement.

Key Benefits

  • Gain an insight into your network vulnerabilities
  • Helps to maintain contractual obligations and standards such as PCI DSS and ISO 27001

Sector: Professional Services Organisation

Client Challenge

An organisation that provides secure professional services to blue chip clients was concerned that they were susceptible to a data breach, and weren't sure where best to focus their efforts in improving security. While they had capable IT staff in place, the focus was predominantly based on 'making things work' rather than 'making things secure'.

They also found it difficult to make a case to the board for the budget and resources required to support cyber security. The technical output from security assessments that were being conducted, such as penetration testing, was difficult to translate into language that their board could understand, and was not sufficient to provide any clarity as to how best to improve security based on a prioritised approach.

ECSC Solution

ECSC was engaged in 2015 to conduct an initial Cyber Security Review in order both to identify deficiencies in the organisation's cyber security defences, and to help determine a plan to achieve an appropriate level of security in the coming years.

The outcome of the review showed that there were significant gaps that needed to be addressed, and while security was being considered in pockets of the business, there was no consistent approach. Using the priority recommendations in our report, the organisation had a clear plan of action for improvement, and the board had a clear picture of where the organisation was and where it needed to be.

Since that initial review, ECSC has been engaged to perform a repeat exercise every year. With each review, areas that have been addressed can be reviewed, and a new plan of action agreed for the following year. The findings of the review form a prominent part of board reporting, giving the board assurance that data is being protected and demonstrating the significant progress the organisation has made.

Key Benefits

  • An understanding of gaps in the organisation's Cyber Security countermeasures.
  • A framework through which to focus improvement activities, and measure the effects of security initiatives undertaken.
  • The ability to report at board level on progress made, and on required future activities.
  • An assurance that their data, and that of their clients, is being adequately protected.

Sector: Rail Franchise

Client Challenge

For a rail franchise, card payments usually come through one of four routes:

  • Online ticket sales
  • Automated station ticket machines
  • Station ticket counters
  • On-train ticket and refreshment sales

The ECSC client had outsourced its online sales to a certified provider, but this still left the remaining payment 'channels', each of which needed to communicate across the rail company's IT network, including multiple stations.

Unfortunately, investigation by ECSC QSAs showed that there was significant PCI DSS non-compliance within the payment card systems, and significant security vulnerabilities. As these were supplied as part of long-standing third-party management contracts, the ability to make these compliant, and secure, was going to be difficult and time consuming, leaving a significant risk of a serious breach.

The UK rail model requires each rail franchise to be run as a separate entity that can be handed over to the next franchise owner. This means that most IT departments are limited in size, and security expertise, and don't have the staffing to meet 24/7/365 security monitoring requirements of the PCI DSS.

ECSC Solution

The ECSC client had outsourced its online sales to a certified provider, but this still left the remaining payment 'channels', each of which needed to communicate across the rail company's IT network, including multiple stations.

This solution involved managing perimeter security devices, including firewalls, an Intrusion Detection System (IDS), and log collection, together with network switch management.

Each device was built, and fully documented, to the PCI DSS requirements, and ongoing management processes aligned to the standard. This allowed the client to increase their overall compliance level, prevent a serious data breach, and demonstrate compliance progress to their bank.

Each component was then monitored and managed by the ECSC global 24/7/365 Security Operations Centres. These currently operate from the UK and Australia, giving 'follow the sun' hands and eyes support.

Key Benefits

  • Non-compliant, insecure payment systems isolated and protected
  • 24/7/365 SOC monitoring and incident response
  • System designed by PCI QSAs
  • Delivered and managed by a PCI Level-1 Certified Service Provider