
What cyber security needs to go beyond the network

07 Mar 2018

Penetration testing has long been a vital part of many businesses' compliance and governance efforts, a measure of proactive security, but today's expanding cyber threat landscape means that approach on its own is too narrow and leaves businesses open to complacency.

The changing threat landscape means companies can no longer rely on the traditional method of cyber protection, which focuses on protecting only the network and its assets. Complacency like this is costing Australian consumers upwards of $2 billion a year, according to the 2017 Norton Cyber Security Insights Report.

Forward-thinking companies are going beyond penetration testing to a more holistic approach to cyber security. Attackers are becoming more sophisticated and will use any means available to reach a company's data, including targeting its physical assets: the building itself and the employees inside it.

Luckily, there are measures businesses can take to ensure their security controls protect all parts of the business, not just the network.

Going beyond penetration testing to secure physical assets

With network assets better protected, cyber criminals have to think outside the box to reach a business's data. Increasingly, they take the most traditional route into an organisation: through its front doors.

They do this with social engineering techniques such as cloning or spoofing an RFID access badge, tailgating or posing as an employee, any of which can give them direct physical access to a building.

We’ve been employed by companies to test their security protocols by attempting to gain access to their network by any means. There are instances where we have simply walked up to a receptionist, claimed to be from the IT department and been allowed access to their network. It was then simply a case of plugging a device into the network that provided remote access into their environment.

By far the most popular and successful social engineering technique is phishing: again, pretending to be an employee or a contractor of the business in order to gain access to network data.

This could take the form of a forged email from the CFO to the finance team approving payment of an invoice, or a fake IT contractor asking employees for their passwords to get into the network. Emails or calls like this convey a sense of urgency, especially when the request appears to come from executive level, and that pressure is ultimately how mistakes are made.

Just recently we saw this happen to Victorian home buyers targeted by a phishing attack in which the attacker posed as their real estate agent. Over $200,000 was lost because the buyers trusted the email address the attacker was using.
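The two cases above, an executive's name on an outside mailbox and a look-alike sender address, are cheap to flag mechanically before a human has to judge the message. The following is an added example written for this page, not code from the article or from Sense of Security. The internal domain (example.com.au), the protected display name, the urgency word list and the three sample messages are all constructed for the illustration; a real deployment would load them from the mail gateway and the HR directory.

```python
"""Flag likely impersonation in inbound email headers (added example).

Checks the three cues the article describes: a protected display name on an
address outside the organisation, a look-alike sender domain, and a Reply-To
that diverts replies elsewhere, then notes urgency language in suspect mail.
All domains, names and messages below are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (hypothetical): own domains and names worth spoofing.
INTERNAL_DOMAINS = {"example.com.au"}
PROTECTED_NAMES = {"jane citizen"}  # hypothetical CFO

URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch examp1e.com.au-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """True when domain is within two edits of an internal domain but not equal to it."""
    if domain in INTERNAL_DOMAINS:
        return False
    return any(edit_distance(domain, d) <= 2 for d in INTERNAL_DOMAINS)


def analyse(raw):
    """Return the list of findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    # Executive's name on a mailbox we do not control.
    if name.strip().lower() in PROTECTED_NAMES and from_dom not in INTERNAL_DOMAINS:
        findings.append("display-name spoof")
    # Sender domain that is almost, but not quite, ours.
    if lookalike(from_dom):
        findings.append("lookalike domain")
    # Replies silently routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append("reply-to mismatch")
    # Urgency language only matters once something else looks wrong.
    if findings and URGENCY_WORDS.search(msg.get("Subject", "") + " " + msg.get_payload()):
        findings.append("urgency cue")
    return findings


# Constructed sample messages (not real mail).
SPOOF = """From: Jane Citizen <jane.citizen@webmail.example>
To: accounts@example.com.au
Subject: Urgent invoice approval

Please pay the attached invoice today. I am in meetings, do not call.
"""

LOOKALIKE = """From: Settlements <settlements@examp1e.com.au>
To: buyer@webmail.example
Subject: Updated settlement account details

Please transfer the deposit to the account below immediately.
"""

LEGIT = """From: Jane Citizen <jane.citizen@example.com.au>
To: accounts@example.com.au
Subject: Invoice approval

Approved, please schedule for the usual payment run.
"""

if __name__ == "__main__":
    for label, raw in (("SPOOF", SPOOF), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(label, analyse(raw) or "clean")
```

The edit-distance threshold of two is deliberately loose for a short internal domain list; with many domains it will start matching unrelated senders, so in practice the look-alike check is paired with a reputation lookup on the registrant or registration date rather than used as a hard block.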

In Australia we are still lacking when it comes to protecting physical assets and educating employees about the threats they face. It is still too easy for an attacker to walk straight into a building and gain access to an organisation's data, including the private information of its customers.

This renders a company's investment in preventive cyber security technology largely redundant, because threat actors bypass those systems entirely.

Social engineering tactics such as tailgating, phishing and posing as an employee can all be mitigated by educating employees on these tactics and how to recognise them. Building entry systems can also be upgraded to make unauthorised access harder. Coupled with frequent monitoring and testing of defences, this helps protect and strengthen physical assets, including employees.
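The monitoring this paragraph recommends is what catches the earlier scenario of a device simply plugged into a wall port. One low-cost signal is the DHCP server log: every new device asks for a lease, so comparing leases against the asset inventory surfaces unknown hardware, and a known MAC announcing an unfamiliar hostname suggests someone has cloned an authorised device's address to slip past port security. The example below is added for this page, not code from the article. It assumes ISC dhcpd-style DHCPACK syslog lines; the inventory and log lines are constructed for the illustration.

```python
"""Spot rogue devices from DHCP lease lines (added example).

Assumes ISC dhcpd syslog format, e.g.
  DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (reception-pc) via eth0
The asset inventory and the sample log below are constructed, not real data.
"""
import re

# Hypothetical asset inventory: MAC address -> expected hostname.
INVENTORY = {
    "00:11:22:33:44:55": "reception-pc",
    "00:11:22:33:44:66": "printer-2",
}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_lease(line):
    """Return ip/mac/host/iface for a DHCPACK line, or None for other lines."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    lease = m.groupdict()
    lease["mac"] = lease["mac"].lower()
    return lease


def rogue_devices(lines, inventory):
    """Return (mac, reason) for every lease that does not match the inventory."""
    findings = []
    for line in lines:
        lease = parse_lease(line)
        if lease is None:
            continue  # DISCOVER/OFFER/REQUEST and unrelated syslog noise
        mac, host = lease["mac"], lease["host"]
        expected = inventory.get(mac)
        if expected is None:
            findings.append((mac, "unknown device %s at %s via %s"
                             % (host or "?", lease["ip"], lease["iface"])))
        elif host and host != expected:
            # Right MAC, wrong hostname: an attacker may have cloned an
            # authorised device's address to get past port security.
            findings.append((mac, "known MAC of %s but hostname %s: possible MAC clone"
                             % (expected, host)))
    return findings


# Constructed sample log (not from a real server).
SAMPLE_LOG = [
    "Mar  7 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (reception-pc) via eth0",
    "Mar  7 09:12:30 dhcp1 dhcpd: DHCPDISCOVER from a4:5e:60:aa:bb:cc via eth0",
    "Mar  7 09:13:44 dhcp1 dhcpd: DHCPACK on 10.0.5.71 to a4:5e:60:aa:bb:cc (raspberrypi) via eth0",
    "Mar  7 09:14:05 dhcp1 dhcpd: DHCPACK on 10.0.5.90 to 00:11:22:33:44:66 via eth0",
    "Mar  7 09:15:10 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (kali) via eth0",
]

if __name__ == "__main__":
    for mac, reason in rogue_devices(SAMPLE_LOG, INVENTORY):
        print(mac, reason)
```

This catches the careless drop box, not the careful one: a device with a static address, or one that clones both the MAC and hostname of the PC it is sitting behind, never shows up here. For that, 802.1X on the switch ports and an alert on a port going down and up outside business hours close most of the remaining gap.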

Strengthening cyber resilience through the use of Red Teaming

One way businesses can better prepare for attack is to engage services such as Red Teaming, an approach traditionally used by the military to rigorously test the effectiveness of strategy, tactics and personnel.

Cyber security teams have adopted this approach to test a company's cyber resilience, because it looks at the company from an attacker's perspective rather than that of its own IT professionals. A Red Team does everything in its power to breach the company's defences, whether physical or on the network, to reach sensitive data. This shows the company the holes in its defences and aims to catch it off guard, much as a real attacker would.

To date, there has never been an organisation which has been able to defend against our Red Teams, and in some cases we’ve even been able to walk in and simply plug a device straight into the network with little to no resistance. This is opening businesses’ eyes to their susceptibility to hackers, and when this information hits the boardroom the company begins to take its cyber security policies a lot more seriously.

Over-reliance on penetration testing, combined with a lack of cyber education and physical security, creates a volatile environment for Australian businesses. Those that come out on top in 2018 will be those that take a holistic approach to cyber security and ensure every aspect of their business is secure.

Article by Sense of Security COO Murray Goldschmidt.
