The importance of pen testing as part of your ISO or Cyber Essentials journey

No one wants to fail their ISO 27001 certification audit, and for some the possibility is unthinkable, to the point where they are reluctant to start the process at all.

It’s easy to be daunted by the hours and financial investment any security certification journey takes. But those stakes are no reason to delay; they are a good reason to get everything right first time.

Where pen tests and ISO accreditation meet

The shift to hybrid working has increased the cyber risk to businesses and their customers. Combined with closer scrutiny of how organisations handle personal data, this has sharply increased the number of organisations seeking ISO 27001 certification.

ISO 27001 certification demonstrates that your information security management system meets a recognised international standard, and it doubles as strong promotional material. Just as pen tests can give you a competitive advantage, certification attracts companies that will only work with certified partners and suppliers. This is particularly common in public-sector procurement, where ISO 27001 is often a prerequisite.

ISO 27001 compliance demonstrates continual monitoring of, and awareness of, security best practice. Penetration testing is not named as a requirement, but the standard’s controls on managing technical vulnerabilities are hard to evidence convincingly without one.

Cyber Essentials is a related scheme with a narrower, more technical focus. It is a UK government-backed baseline of five technical controls and suits a wide range of organisations, whereas ISO 27001 is a full management-system standard better suited to software or financial companies where security risk is central to the business.

Cyber Essentials does not mandate a penetration test either, but Cyber Essentials Plus adds an independent technical assessment of the same controls, and a pen test beforehand means you find the gaps before the assessor does. That makes it a critical step if you want to pass with flying colours first time.

 

Part one: self-assessment (Cyber Essentials only)

An in-depth self-assessment establishes how ready your company is for certification. You will be asked whether you have defined the right information security objectives, and how willing and able your management team is to support them.

Most importantly, you will be asked what steps you take to mitigate, eliminate or manage risk, and whether you have a programme in place to ensure your security measures and processes are continually monitored and improved.

We recommend completing a pen test before you even begin the initial self assessment. You can see where vulnerabilities lie and what loose ends need to be tied up, so you can minimise delays and maximise your chances of success out of the gate. To learn more, check out our thoughts on what pen tests are right for your business and how much they cost.

 

Part two: gathering evidence

Gathering evidence is the harder part, and is also the stage where most organisations throw in the towel. This part of the journey requires a huge chunk of people’s time, from the admin hours needed to assemble the documentation, to the investment needed to implement the software, hardware, and essential tests.

Here’s where we would suggest getting a second pen test. The first you completed before the self-assessment will highlight the areas that you need to address, and once you’ve taken action, the second pen test will provide some of the evidence that certification requires.

Our CREST-certified testers will retest for vulnerabilities. Provided your organisation acted on the recommendations from the initial test, it is likely the retest will find nothing exploitable within the agreed scope, in which case Datavax issues a cover letter stating that, and the letter can be used as evidence to strengthen your application. Be clear about what such a letter covers: the systems in scope, as they stood on the test dates, and not every system you own or any change made afterwards.

Once all your evidence has been compiled, an auditor will review your documentation and assess the success of your information security management.

 

The benefits of perfecting your processes the first time round

The board of your company may have postponed the first step of your ISO or Cyber Essentials journey, but after a pen test you can set off with confidence and quickly make strides towards accreditation.

Make the security certification journey as painless as possible and give yourself the best chance of a first-time pass with an independent pen test carried out by a CREST-certified tester. As we’re independent, we won’t try to sell you solutions after your test; we’ll only provide a detailed report with recommendations that you can address internally or procure according to your own budget.

ISO 27001 certificates run on a three-year cycle with annual surveillance audits, and Cyber Essentials must be renewed every year. Whenever renewal comes round, we’ll be ready to test your defences again. You’ll be staying on top of the latest threats, and if new vulnerabilities have emerged since you were certified, we’ll find them so your certification remains uninterrupted.

To learn more about how Datavax can help you along the security certification journey, get in touch.


Beyond compliance: The business benefits of penetration testing

It goes without saying that the biggest benefit of regular penetration testing is protecting your business and customers from an attack and the data breach that follows. There are other benefits businesses can leverage, too.

Compliance matters as well, to avoid fines under GDPR and to meet obligations such as PCI DSS and the SWIFT Customer Security Programme (CSP). But compliance and protection from attack are far from the only factors. If you’re looking for funding, looking to be acquired, or simply looking to land more deals, it might be time to consider the business benefits of penetration testing.

 

Peace of mind

Pen-testing can highlight where your team needs training, where your software needs updating and where your system needs restructuring. Crucially, independent pen testers can make these recommendations without trying to sell you a solution.

Ultimately this gives you peace of mind. Once your team’s cybersecurity strategy has been thoroughly tested with both manual pen tests and automated tools, you’ll know what you’re working with. You can see what’s not working, improve your protocols and setup, and maintain consistent security across your organisation. Then you can keep building your company without worrying about cracks in the foundation.

 

Attracting and keeping customers

It’s not only your organisation that will appreciate a pen-tested infrastructure. You’re also able to pass that peace of mind on to your clients, reassuring them that their data is safe with you.

Large organisations are aware of the risks involved in trusting other companies with their data. Some of our own clients require cover letters for the companies they work with, and they won’t link their data to your organisation unless they can see you’ve either had a clean pen test or you’re addressing any issues that were found.

So if you can promote the fact that you’ve had pen testing done to prospective clients, you’ll be more likely to get through their quality assurance gate. And once you’re through it, you’ll be able to appeal to other key stakeholders too, particularly strategic and financial partners, who need to feel at ease before they give the go ahead.

 

Attracting investors

Speaking of financial partners, it’s here that the rubber can really hit the road. Companies looking to merge with or buy other businesses often won't even consider acquisitions that they can't qualify as being data-secure.

Shareholders can be equally discerning. If Series A or Series B funding is in your long-term plans, you need to act like a billion-dollar company before you’re treated like one. That means having a robust information security strategy and being able to evidence it.

 

Protecting your brand

The pandemic has made it clear that businesses need to look beyond present efficiency to create systems that are robust for the future. So while your brand may be unscathed to date, you can’t afford to roll the dice on your reputation tomorrow.

Thorough penetration testing can ensure you avoid more than GDPR fines. It can ensure you steer clear of irreparable damage to your brand. If vulnerabilities are uncovered in testing, especially if they come up more than once, you’ll know how you need to act to mitigate risk. You’ll be able to address the issues, create a long term continuity plan, and keep growing long into the future.

 

A blueprint for data security success

So whether your destination is acquisition, funding or converting more leads, a bias-free audit can set your company in the right direction. Your IT teams might have carried you this far. But scanning for blind spots will do them a favour in the long run – and inspire trust in all onlookers, too.

Datavax is a trusted, neutral, and CREST-certified cybersecurity partner. To learn more, don’t hesitate to get in touch.


Independent penetration testing: what we do and why

If you’re looking for penetration testing for your organisation, you’re unlikely to want to compromise. You’re dealing with highly sensitive data - medical, financial or personal - and the risk of disclosure doesn’t bear thinking about.

Except, of course, you have thought about it. You’ve built a highly secure system to protect against malware and supply chain attacks. You just need an authority to examine whether your infrastructure is watertight.

At Datavax we leverage established practices, certified testers and the latest security tools to uphold the highest standards of testing.

We’re independent, and that’s unusual

A lot of companies that provide penetration testing are also trying to sell you something.

Like a mechanic at a garage, they’ll check over your car, see what’s amiss and then offer to fix everything. Now a very trustworthy mechanic might give you a very honest quote. But in general, there’s a reason that MOTs and NCTs take place independently from those who make a living fixing the problems they find.

It’s the same with penetration testing. If a tester’s priorities are split between finding issues and fixing them, their assessments may not be entirely without bias. At Datavax, we’ve chosen to offer testing alone so that you can have full confidence in our findings.

Our Red Team approach simulates a real cyber threat

When it comes to what we can find, we believe we have the edge.

Ultimately, when you’re trying to protect against hackers who may be highly proficient, you want testers who are highly proficient too: testers capable of finding security weaknesses ethically before they’re discovered illegally.

Hackers are humans, capable of using human creativity to exploit exposed vulnerabilities. So our testers, likewise, don’t rely solely on automatic tools for our tests.

Now, we do make use of some of the strongest tools available, including Burp Suite’s Spider (now its crawler), Nikto and DirBuster. But for our web application testing, automation accounts for only 25% of our Red Team penetration method. Our CREST-certified testers (the Red Team) spend most of their effort creatively using this automatically gathered information to see if they can get past the security of your organisation (the Blue Team), simulating a real-world threat.

 

We uncover security gaps that other teams might not find

Our ethical hackers are, if we may say so, some of the best in the field. Our team holds a mixture of certifications, including CREST, and has extensive experience in testing methodologies. We also put a senior penetration tester on every project to ensure we don’t miss even the most complex or hard-to-find vulnerabilities.

And we do find them. We’ve found a cookie that would have let an attacker create a new Administrator-level account and wreak havoc. We’ve identified a post-authentication client session that was being cached, leaving PII open to leakage. We’ve even discovered an SQL injection that let us download a database table of unencrypted credit card numbers for hundreds of customers, which is a breach of PCI DSS in its own right, quite apart from the injection flaw.

Because the companies in question hired us, the gaps in security were discovered by ethical hackers, and not the other kind. They didn’t have to pay out fines, deal with reputation damage, or face a single hiccup in their operations. They could simply address the issue and continue to serve their customers with peace of mind.
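The SQL injection finding above is the classic case of user input being pasted into query text. The following is an added example, not code from the original page or from any Datavax engagement: it builds a constructed in-memory SQLite table with fake test card numbers, shows the injectable lookup beside its parameterised fix, and runs the same payload through both so the difference is measurable. Table and column names are assumptions for illustration.

```python
"""Added example: an injectable customer lookup beside its parameterised fix."""
import sqlite3

# Constructed sample data. The card numbers are the standard public test PANs,
# not real cards; storing real PANs in clear text is itself a PCI DSS violation.
SAMPLE_ROWS = [
    ("cust-001", "4111111111111111", "12/27"),
    ("cust-002", "5555555555554444", "03/26"),
    ("cust-003", "378282246310005", "09/28"),
]

# Typical attacker input: closes the quoted literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create the constructed 'cards' table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer_id):
    """The customer id is formatted into the SQL text, so the caller controls the query."""
    sql = f"SELECT customer_id, pan FROM cards WHERE customer_id = '{customer_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer_id):
    """Bound parameter: the driver sends the value separately, so it can never become SQL."""
    sql = "SELECT customer_id, pan FROM cards WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def demo():
    """Run the payload through both lookups and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),  # whole table dumped
        "safe_rows": len(lookup_safe(conn, PAYLOAD)),              # literal string, no match
        "legit_rows": len(lookup_safe(conn, "cust-002")),          # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query becomes `WHERE customer_id = '' OR '1'='1'` and returns every row; the parameterised version searches for the literal string and returns nothing. Parameterisation fixes the injection, but the finding on the page also shows why the table should not have held clear-text card numbers at all: tokenise or encrypt them so that even a successful dump yields nothing usable.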

 

We’re personally on hand from start to finish

Even when you know that the test is necessary, that the threat is a simulated one, and that you’re hiring a CREST-certified team, it’s still a little unnerving to let anyone hack your organisation.

That’s why we ensure you have a dedicated contact from the early scoping stages right through to the end of the project. Your project manager will help demystify the process, be on hand to answer any questions, notify you if any critical issues are found, and ensure the entire project is efficient.

Your dedicated project manager will never close a project until you are happy and your team understands both our reporting and the actions they need to take. We want to offer support for as long as we can be useful and make the experience as positive as possible.

Some penetration testing companies might choose to be faceless but from our perspective our people are an important part of the package. While the human side of what we do might not seem as important as our technical rigour, the companies we work with come to highly value it:

 

“Working with the team at Datavax was a joy. From the outset they were warm, friendly and professional, and provided clear feedback and advice.” - Chief Technology Officer

“Datavax were very easy to deal with. All queries and requests were responded to promptly and in a pleasant and helpful manner.” - Credit Union Manager

“Datavax provided an excellent service from beginning to end.” - Chief Operating Officer

 

We provide a senior tester every step of the way

You won’t only get a project manager from the get go, you’ll also get a senior tester.

Your IT team, CTO, COO or consultant will be able to ask our senior tester highly technical questions. In return, they’ll be able to ask your team questions that a less experienced tester wouldn’t know or be confident enough to ask. This senior input enables us to scope out your infrastructure in a more defined way. As a result, you get a more accurate quote and our team will be able to put their efforts where it counts.

When you need to bundle several tests together (web, app and social engineering, for instance) a senior tester will have the experience needed to schedule these according to your priorities. If a less experienced tester was left to do this, it would be much more of a guessing game. But our team setup enables you to get better value in a clearer timeframe.

Finally, our experience and responsiveness ensures no time is wasted. During the scoping stages, a senior tester might highlight an issue that you can sort straight away, even before we begin testing. Also, once testing begins, if critical gaps are discovered in your security, our team will feed this back to you in real time so you resolve the issue fast.

 

To learn more about what we do and how we do it, don’t hesitate to get in touch.


Cybersecurity for hybrid working: A senior leader’s guide


Every company is already a couple of chapters into their own work from home story, and for many the plot has taken a turn toward hybrid. But no matter how flexible the arrangement, if your organisation gives employees the option to work from home, you need to ensure your company is not taking a flexible approach to cybersecurity too. 

It’s not only an issue for IT teams, but for anyone in leadership. After all, the most secure organisations have done more than purchase the right security software. They have also addressed gaps in employee awareness, set comprehensive policies in place, and have found ways to reinforce best practice company-wide. 

Employee awareness

Let’s be clear about this: If your staff don’t understand the risks, all your cybersecurity processes are redundant.

It’s tough to get everyone on the same page. As an HP Wolf Security report puts it, over 50% of employees are more worried about deadlines than about a data breach. Because of these mismatched priorities, employees can perceive restrictions as unnecessary obstacles to their own workflows, particularly when other aspects of hybrid working are oriented around their preferences.

It’s no surprise, perhaps, that 83% of IT teams believe home working to be a “ticking time bomb” for a network breach. And despite their best efforts, 69% of IT teams said they’re made to feel like the bad guys for imposing security restrictions. 

What are your employees’ general at-home technology habits like? Do they know about phishing, or other major cybersecurity concepts? Have you ever tried testing them? 

If you’re uncertain how to motivate your employees to follow best practice, the threat of ransomware can make it real for them. As we saw in the HSE phishing crisis, employees need to assume they will be targeted: unless they treat unexpected links and attachments with suspicion, a single click can bring the whole organisation to a standstill.

 

"The most important factor when it comes to cyber security across a hybrid working model is communication and a strong culture of security awareness. You can have the best policies in the world, but if those aren't known and understood by every member of your workforce then they may as well not exist.

The most successful organisations are those in which every team member has a respect for cyber and information security, and understands where to go for help and how to report concerns. Whether those things are written into policies is almost irrelevant."

CTO - i3PT

Policy and procedure

Awareness alone won’t protect against every hybrid working security risk. You’ll also want to consider what policies you can put in place to set the standard, promote best practice and mitigate the damage should the worst happen.

Too many organisations rush into buying cybersecurity software, without really knowing what their vulnerabilities are. But simply getting comprehensive policies down on paper – from IT security to remote access and encryption – can help your organisation to assess where you are not yet compliant and where you need to take further steps. 

Role based access

One of the first security principles you should be aware of, and set processes in place for, is the principle of least privilege. Each employee in your organisation, and each party in your supply chain, should have access only to the data they need to do their role. The most common way to implement this is RBAC, Role Based Access Control, in which permissions are attached to roles and people are assigned roles, rather than permissions being granted to individuals one by one.

In a small organisation you can afford to give each employee tailored permissions, while in a larger organisation you will organise roles by management level and by department, giving finance access to one set of data and engineering access to another. Either way, the default for anything not explicitly granted must be deny, and grants that nobody uses should be reviewed and removed.
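The following added example (not code from the original page, and not any product’s access-control implementation) shows what deny-by-default RBAC looks like in practice, plus the least-privilege review that the principle implies: comparing the grants a user holds against what they actually exercised. The roles, datasets, users and audit log are all constructed for illustration.

```python
"""Added example: deny-by-default RBAC with a least-privilege review."""
from dataclasses import dataclass

# Permissions are (action, dataset) pairs attached to roles, never to people.
# Constructed roles for a small company with a contractor in the supply chain.
ROLE_PERMISSIONS = {
    "finance_analyst": {("read", "ledger"), ("read", "payroll")},
    "finance_manager": {("read", "ledger"), ("write", "ledger"),
                        ("read", "payroll"), ("write", "payroll")},
    "engineer": {("read", "source"), ("write", "source"), ("read", "ci_logs")},
    "contractor_engineer": {("read", "source")},  # supply-chain party: read only
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def permitted(user, action, dataset):
    """Deny by default: only an explicit grant on one of the user's roles allows the action."""
    for role in user.roles:
        if (action, dataset) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def unused_grants(user, audit_log):
    """Least-privilege review: grants the user holds but never exercised in the audit window.

    audit_log is an iterable of (user_name, action, dataset) tuples of successful accesses.
    Anything returned here is a candidate for removal.
    """
    held = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    used = {(a, d) for (who, a, d) in audit_log if who == user.name}
    return held - used


# Constructed users and a constructed audit log covering one review window.
ALICE = User("alice", frozenset({"finance_analyst"}))
BOB = User("bob", frozenset({"engineer"}))
CARL = User("carl", frozenset({"contractor_engineer"}))

AUDIT_LOG = [
    ("alice", "read", "ledger"),
    ("alice", "read", "ledger"),
    ("bob", "write", "source"),
]

if __name__ == "__main__":
    print(permitted(ALICE, "read", "ledger"), permitted(ALICE, "write", "ledger"))
    print(permitted(CARL, "write", "source"))
    print(unused_grants(ALICE, AUDIT_LOG), unused_grants(BOB, AUDIT_LOG))
```

The contractor cannot write to source even though engineers can, because the contractor holds a different role; nothing is decided per person. The review function is the part most organisations skip: Alice has never read payroll, so that grant should go, and Bob’s read-only grants are unused in this window and deserve a second look before the next audit.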

VPNs

You also need specific protocols around hybrid working. Employees working remotely should be connected to the company VPN (Virtual Private Network) whenever they access company systems. This creates an encrypted tunnel between their workstation and your network, and it should not be switched off to get around a slow connection or a blocked site.

Free consumer VPNs, on the other hand, are an absolute no-go, and this needs to be enshrined in your policy. These services, often used to reach international streaming libraries or other blocked content, route all of a device’s traffic through an operator you have no contract with and no visibility of. Your employees might see it as a helpful hack to watch US Netflix, but for their ingenuity they might be hacked in return.

Hardware and software

But even a company VPN is little help if your employees are accessing it from a device full of malware. If an employee’s children are using the same laptop or phone to download from untrustworthy sources at weekends, there’s no telling what’s on it. Official app stores vet submissions to some degree, but sideloaded apps and third-party stores, which are far easier to reach on Android than on iOS, are a common source of malware.

In a hybrid world, the boundaries are blurring between employees' personal and work lives, and it can be hard to know where they draw the line. 

Without the right support, too, digital poverty may force remote employees to go occasionally to public places to fulfil their job requirements, connecting to unknown routers or other insecure hardware.

A way to mitigate this is to put policies in place to ensure all your employees have the home infrastructure they need, including up-to-date network-connected devices such as printers, webcams and routers. This isn’t one to overlook, particularly if you’re looking to get cybersecurity certification. Cyber Essentials, for instance, requires in-scope devices and firewalls to run vendor-supported, patched software with default passwords changed; unsupported kit will fail the assessment.

How to reinforce best practice

Communicating the weight of your policies to a remote team isn’t always simple. It requires more than a company-wide email or a team message, which employees can all too easily ignore. So how can you convince them to take it seriously?

One avenue is training. You could consider putting your company through Cyber Essentials, or ensuring your development teams are aware of OWASP. At a bare minimum, training should get many of your employees using two-factor authentication and updating their software regularly. But there will almost always be employees who don’t show, don’t listen or don’t implement what they’ve been taught.

Here penetration testing can be of great help, enabling you to:

  • Discover which employees are most at risk so that you can intervene.
  • Assess the unique vulnerabilities of your organisation, which will inform your policies and the actions you need to take as a company. 
  • Reinforce best practice by setting up monitoring to automatically notify employees when they act outside of company policy.

 

We’ve been trusted, neutral, and CREST-certified cybersecurity partners to a variety of companies over the years, and we can help your organisation too. To learn more, don’t hesitate to get in touch. 


5 lessons Medtech companies can learn from the HSE phishing crisis

In May, Ireland’s public health service, the HSE, was plunged into disarray. Servers were shut down, referrals ground to a halt, and an entire maternity hospital was put out of operation. Even now, patients are unable to find out whether their own personal data was compromised.

All of this happened because one member of staff clicked on a phishing email. Except, of course, they’re hardly to blame. The HSE crisis was the result of a number of connecting issues - issues which may affect all medtech companies to one degree or another.

Now the HSE is, of course, a huge public body that’s notoriously underfunded. So the implications for private medtech startups won’t exactly run in parallel. Nevertheless, all medtech companies are handling similarly sensitive information, and the consequences of a cyber attack could be equally severe.

1) It’s a question of when, not if

With the HSE crisis, the situation was made worse by slow response times. After the confusion, the various public bodies soon found they had no way of closing down or limiting the information the hackers had accessed.

Response protocols should be bread-and-butter security. GDPR does not prescribe a specific incident response plan, but it does require you to notify the regulator of a breach within 72 hours and to be able to restore availability of personal data after an incident, and neither is achievable without one. If your Standard Operating Procedures aren’t already in place, we strongly recommend nailing them down, including your disaster recovery plans.

With the right failsafes around hosting, too, you can ensure your systems are not shut down completely in the event of an attack.

2) The latest patches are needed but there may still be gaps

Much of the criticism thrown at the HSE surrounded their use of Windows 7. It was running on many of their workstations, largely because a number of applications were dependent on that operating system.

Legacy systems are typically more of an issue in the public than the private sector. But it’s still good practice to plan system updates sooner rather than later. One of our customers’ products will lose Google support when older Android versions are retired, so that customer is already preparing the product to ensure it remains compliant and secure in years to come.

While we don’t find many legacy systems in our penetration tests, we do uncover a number of issues related to patches and updates. Either software hasn’t received the latest patch, or an update breaks a dependency and brings a service down. To ensure infrastructure that was secure yesterday is still secure today, medtech companies need to track these updates and test for vulnerabilities regularly.

3) Humans need to be as secure as software

It’s not just applications that need updating, it’s the people using them too. Software products can help serve as an early warning system to protect against phishing but they will never be completely foolproof against a sophisticated attack.

Of course, with over 100,000 staff, the HSE had far more phishing targets than the average medtech company. But that doesn’t mean the threat is any less real for you. To keep the virtual gates locked against unwelcome visitors, cyber security training should be part of any medtech company’s growth strategy.

Testing for your organisation could include identifying employees who are at risk of phishing attacks and assessing what level of training is needed based upon your employees’ activity.

4) A small breach can become a big one

The HSE crisis was almost certainly the result of a spear phishing attack rather than the generic emails that are easily sifted out by a spam filter.

In a targeted spear campaign, an attacker might use real information about your employees to masquerade as one of them. If the hacker has gathered enough information through a correspondence leak, they may even be able to refer to a recent conversation about an ongoing issue in your organisation. Their forged communication can be very convincing.

The risk is amplified in a remote working situation. Internal channels like Teams and Slack help, because an attacker needs an account to post there, but they only go so far. When you cannot quickly glance over at a colleague who has apparently sent a message that looks slightly off, you might not check in with them before you click the link they’ve sent.
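The spear-phishing signals described above (a sender posing as a known colleague, a convincing lookalike address, a reply path that goes somewhere else) are all checkable from mail headers before anyone clicks. The following is an added example, not code from the original page or from any mail security product: a small triage function run over two constructed messages, using only the Python standard library. The company domain, staff directory and sample headers are assumptions for illustration.

```python
"""Added example: flag colleague impersonation and lookalike domains in inbound mail."""
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-medtech.com"  # assumed company domain

# Constructed staff directory: display name -> the only mailbox that name should use.
DIRECTORY = {
    "Aoife Murphy": "aoife.murphy@example-medtech.com",
    "Sean Byrne": "sean.byrne@example-medtech.com",
}


def edit_distance(a, b):
    """Levenshtein distance; a dropped, added or swapped letter scores 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(headers):
    """Return the reasons a message looks like internal impersonation (empty list = none found)."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    dom = domain_of(addr)

    # 1. Display name belongs to a colleague but the address is not theirs.
    if name in DIRECTORY and addr.lower() != DIRECTORY[name].lower():
        reasons.append(f"display name '{name}' matches staff but sender is {addr}")

    # 2. Sender domain is a near miss for ours (e.g. 'rn' in place of 'm').
    if dom and dom != INTERNAL_DOMAIN and 0 < edit_distance(dom, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {dom}")

    # 3. Replies would go to a different domain than the one that sent the mail.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {dom}")

    # 4. The receiving MTA already recorded a DMARC failure for this message.
    if "dmarc=fail" in headers.get("Authentication-Results", "").lower():
        reasons.append("DMARC failed")
    return reasons


# Constructed sample messages (header subsets only).
SPEAR = {
    "From": "Aoife Murphy <aoife.murphy@example-rnedtech.com>",
    "Reply-To": "accounts@mail-relay.example",
    "Subject": "Re: the invoice issue we discussed",
}
LEGIT = {
    "From": "Sean Byrne <sean.byrne@example-medtech.com>",
    "Authentication-Results": "mx.example; dmarc=pass",
}

if __name__ == "__main__":
    print(assess(SPEAR))
    print(assess(LEGIT))
```

The forged message trips three of the four checks while the genuine one trips none. None of these signals is proof on its own, which is why the function returns reasons rather than a verdict: the value is in routing anything with a non-empty list to a human before the link is clicked, and in feeding the display-name hits back into training for the people being impersonated.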

5) Hybrid working will appeal to hackers 

Finally, because HSE’s data was so decentralised, a number of weak points existed in their systems. For medtech companies continuing to work remotely, or pivoting to hybrid, this will be an important issue to bear in mind.

When you have more than one area where you’re storing information - and they link together in some way - there will be vulnerabilities that wouldn’t exist if the information was centralised.

On the other hand, while a single centralised system might seem like a bigger target, it’s far easier to protect. So long as you have enough safeguards covering a single vulnerable point, you mitigate the risk.

When Datavax began working remotely, we understood what we were up against. We quickly implemented company-wide antivirus software and paid for a company to install patch management software on all our workstations. This notifies our employees if any application or system goes out of date. It also enables us to keep track of our infrastructure as if it was all under one roof.

Ultimately, the more links in the chain you have, the more security you need. Your systems are likely much more secure than the HSE’s were in May but you still want to pass with flying colours every time an audit is done.

----

To check that your security is rock solid, you may want an independent penetration test. To learn more, don’t hesitate to get in touch.


5 steps to effectively combining manual penetration tests and automated tools


Business leaders often compare automated vulnerability scanning and penetration testing, but the comparison itself is often flawed. The reality is that both approaches play a critical role in implementing a proactive cybersecurity strategy. While automated solutions help overcome the challenges of scale, which is crucial given the scope and complexity of today’s enterprise computing infrastructures, penetration testing brings that vital human element into the mix.  

It is all very well identifying vulnerabilities with vulnerability scanning, but that can only go so far. Actually exploiting those vulnerabilities helps businesses uncover and remediate the most severe and advanced threats.  

To that end, here is what a proactive cybersecurity strategy looks like in 5 key steps, combining manual penetration testing with automated tools.

  • Security experts will gather information about your business and its IT infrastructure. The extent of the information gathered will depend on the scope of the engagement, whether it is to be a black-, grey-, or white-box testing scenario. This will typically be discussed during your first consultation.
  • The consultant will scan your network for vulnerabilities, typically using an automated vulnerability scanning tool to locate potential issues. This is important, since it may not be practical to carry out manual penetration testing across every single component or endpoint.
  • The next step involves actually attempting to exploit those vulnerabilities. This is where the work becomes adversarial: a team of security professionals puts itself in the role of an attacker and tries to bypass the existing controls rather than just list their weaknesses.
  • Penetration testers will then step up their ‘attacks’, mimicking the methods used by APTs and other advanced threats. If they gain access to a system by exploiting a particular vulnerability, they will use that foothold to attempt privilege escalation and lateral movement, looking for further weaknesses and establishing which systems and data could be compromised in a real attack.
  • After the simulated attack, the consultant will generate an in-depth report detailing the methods used to access the system and the severity of the exploit. Independent testers may provide remediation advice as well, but the actions you take are entirely up to you. That said, having one company provide the testing and another address remediation challenges ensures complete impartiality throughout the process. 

As you can see from the above, vulnerability scanning and penetration testing are two different services that complement one another. Vulnerability scanning should run on a schedule, such as monthly, and after any significant change to your systems or infrastructure. Penetration testing should typically be undertaken every 6 to 12 months, after a major change, or whenever scanning turns up something whose real impact can only be established by trying to exploit it.

--

Datavax is an accredited security partner in the business of testing, reporting, and providing comprehensive cybersecurity guidance. Our red-team approach replicates real-world threats and, since we do not offer repairs, there is no hidden agenda. Contact us today to schedule a free consultation with one of our project managers and testers.