Introduction to Professional Services
In the fast-evolving world of IT infrastructure, the importance of the correct hardware in your business is equalled, if not increasingly outweighed, by the critical nature of supporting software and policies. For example, cyber security threats and ever-increasing regulatory compliance are now the leading factors in deciding how a network is configured, made resilient and protected. Ultimately the integrity of your infrastructure directly affects the integrity of your data, so the policies you employ within your business around data protection, compliance and security may well end up defining the hardware you use.
Scan Professional Services offers advice on all these inter-related topics to ensure you consider all the potential impacts when setting up a new infrastructure or expanding an existing one.
How Secure is your Business?
They say there are only two types of company – those who have suffered a cyber-attack; and those who don’t know they have. A good place to begin to understand the current state of your levels of protection is a security audit, and here at Scan we have a number of options to help you through this:
Cyber Essentials Self-Assessment Assistant
Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. This scheme is in place to allow you to prove to yourselves and your customer base that you are following security best practice. The self-assessment is broken down into 10 steps to review the current security set-up of your company.
- User Education and Awareness
- User Access Control
- Secure configuration of systems
- Home and mobile working
- Proactive Monitoring of your Network
- Malware Protection
- Network Security
- Risk Management
- Vulnerability Testing
For more advanced auditing, Scan recognises two major standards for measuring security maturity and either can be used to audit your current posture and highlight areas that could be improved. Both security audit approaches involve a 3-day onsite visit.
1. The National Institute of Standards and Technology Special Publication (SP 800-53)
The Information Technology Laboratory (ITL) within the National Institute of Standards and Technology (NIST) is a research facility dedicated to formulating tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. Special Publication 800-53 details a process for selecting controls to protect organisational operations, assets and individuals from a diverse set of threats including hostile cyber-attacks, natural disasters, structural failures, and human errors. It is these guidelines that our consultants use to determine where issues may lie within your organisation's security. The typical audit points are:
2. The SANS Institute Centre for Internet Security Critical Controls
The Centre for Internet Security (CIS) is an organisation dedicated to enhancing the cybersecurity readiness and response for public and private sector companies. The approach that our security consultants adopt during their audit is based around identifying, developing, validating, promoting and sustaining the best practices in cybersecurity. The aim is to ultimately supply world-class security solutions to prevent and rapidly respond to cyber incidents. The typical audit points our consultants would look at are:
So you think you’re Secure?
Being secure on paper has no bearing on a real-world attack, so our team of consultants would recommend that your vulnerability is tested – this can be done in a number of ways:
Blackbox testing is where you don’t give us any information about a specific application or system you want to test and we try to break into the application or system within a given time frame. We act as the ‘uninformed’ attacker against you. This would lead to a more realistic attack and highlight the easiest ways into your system or application.
Whitebox testing would involve you sharing all the information about a system or application and we use our skills to try to find the gaps. We would require time with the developers, source code and information about the surrounding networks. This may include a code audit (see below). This is done so that you, as the owner, can allow us, as the ‘attacker’, to hone the scope of the test to specific flaws in the application or system. Although not as realistic as an attack, it can highlight areas you have previously missed when protecting the system or application.
This is a mixture of blackbox and whitebox. This may be where you provide some information about the system or application, such as an IP address or network credentials, and we try to ‘attack’ the system or application. Although this may seem like cheating, it is a common attack method nowadays. People are able to buy credentials online with ease, so what is to say we couldn’t do the same during blackbox testing?
Wireless is now considered a requirement for most office situations, as people require a connection to the Internet at all times, combined with the ability to roam around the office environment without losing connectivity. However, it is also considered a major risk to the security of a company. If designed poorly or altered after installation, it can result in data being accessible to a nefarious attacker looking for an easy way in. We will review your wireless set-up and perform scans to see where vulnerabilities are, and if any data can be breached.
A lot of vulnerabilities relate to program code itself. They may be present in the code as it is released, arise from later changes, or come from how the code reacts once live in the application. This may be due to a change introducing bugs or it may not have been correctly tested to start with. Often the issues can cause the application to be open to attack as the code reacts in an insecure way once live. Our Professional Services Team can carry out this review for you – often fresh eyes will spot things missed by those creating the code in the first instance.
Understanding your vulnerabilities is only half the story, as it is also key to know the consequences too - your data is the critical aspect of your business, and preventing its loss should be just as critical. Whether you have a requirement to comply with an industry regulator or you simply want to adopt best practice to minimise risks to your data, the challenges to keeping your most valuable asset safe should be viewed in two tiers:
1. Potential ingress and egress points in your company could lead to unintentional or malicious leaks. Examples include poorly configured firewalls or content control proxy servers.
2. Those who access the data may be malicious employees carrying out industrial espionage or misguided employees misplacing data. Poorly written policies around document control or lack of security awareness could lead to accidental leakages.
Secure Network Design
Naturally, if given the chance it is better to inherently build in protection as you plan an infrastructure project – key elements to consider are:
Disaster Recovery and Business Continuity
Do you know how long your business could be out of action before it becomes too much to recover from? Often companies assume there would be no long-term impact if they were down for a day, but what about a week or month? What if your site was suddenly out of action for an unknown amount of time? Our consultants can help you plan for this. We would assess what risk your company faces and assess what factors could result in an outage – elements such as flooding, service interruption or sickness/pandemic situations. We would then help you decide how long you can afford to be out for and finally work out a way to make sure you are up and running again within that time frame.
Do you know what elements of your business are critical for your company to trade? How do you then protect these components, not only from attack, but also from service issues? Many companies will understand what elements are essential to keep them trading, but often protect these at different layers in isolation from each other. For instance, the application itself will be protected by writing secure code, and the system it sits on will be protected by keeping it up to date and patched. But what about the network it sits on, the service provider that you use and how the users access the application? Anything from human error to an organised attack can kill a component. The concept of MLNS is to develop the understanding of the component end to end to find cost-effective ways to protect it, thus allowing the component to survive.
Your systems must be available for use at all times, so how do you know when something goes wrong in your network? Is it when you get the call to say something doesn't work? Scan Professional Services can help you implement a solution that will send either SMS (text) or email alerts when a system goes down. You can set it to alert not only when a failure occurs, but also when a system reaches a specific quota, when a service such as logging turns off, or when a user has reached their quota of failed logon attempts.
Digital Forensics & Incident Response
Should the worst happen and you experience a cyber-attack, Scan can also assist here. When you initially contact the Scan Incident Response team, we will attempt to locate the initial cause, eradicate the threat from your network, highlight any issues that result from the breach and finally bring you back to normal business practices. The technical investigation of the incident is our entry-level service, whereas a full incident management wrap, where we drive your team and offer internal communications to address the incident, can be specified as an additional service.
We are also able to offer a follow-up service, involving a Post Incident Review (PIR), which allows our consultants to review the incident holistically and build a remediation plan to stop it happening again.
Scan Incident Responders will always follow industry best practice to secure as much evidence as possible regarding the incident – this will allow your company to pursue a legal case if the need should arise. We are also able to offer professional witness services to support the evidence at court using the law enforcement experience we have within our team.
Computer Forensic Examination
Should you have a requirement in your business following an incident, the Scan Professional Services team has the ability to forensically examine your computers to help in situations where you may need to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents. If there is a suspicion that something is untoward, this service provides the opportunity to take a forensically sound copy of that data and to store it in case it is required for investigation in the future. This service can be achieved covertly. The unit cost is based on lab acquisition of the forensic image, followed by storage in a secure evidence storage facility, free of charge for up to 6 months.
Successful handling of a security situation within your company requires individuals to be specifically trained in a number of technical areas including filesystem implementation, operating system design and knowledge of possible network and host attack vectors. The Scan Professional Services team can deliver various training courses to cover both the theory of digital forensics and incident response, as well as offering training to gain hands-on experience using the same types of evidence and situations you would see in a real-world event. We can also offer bespoke training in consultation with clients. Everybody involved in Scan Professional Security Training is a specialist in their own field, having gained that experience through a law enforcement, military, intelligence or specialist career.