Who can you trust?
With the rise in cybercrime, Ian Glover, president of CREST, explains why more firms are turning to penetration testing to check out their defences.
In the last few years, we have experienced cybercrime on a scale never seen before. WannaCry, an extremely virulent outbreak of ransomware, began to infect organisations across the world and, within several hours, over 75,000 victims were reported in 90 countries, from telecommunications companies in Spain to a Russian ministry. In total, some 200,000 organisations were affected in over 150 countries. In the UK, the NHS felt the full force of the attack across 48 health trusts in England.
Ransomware, as the name suggests, is a malicious program that locks a computer's files until a ransom is paid, usually in the form of the online currency Bitcoin. But the WannaCry ransomware attacks were different from any outbreak previously seen. WannaCry used a vulnerability in Microsoft Windows operating systems to spread to neighbouring computer systems over networks once it had infected its original host.
While WannaCry and Petya delivered a serious wake-up call for many companies and organisations, they also reflect a general increase in more sophisticated cyberattacks from sources ranging from lone hackers and hacktivist groups to organised criminal gangs and state-sponsored cyber terrorists. And the rise of ransomware-as-a-service has lowered the barrier to entry and made cybercrime accessible to anyone.
The result is that no sector is immune from these targeted or indiscriminate attacks. Most large firms have a specialist security team and achieve the security basics very well. Some conduct more proactive threat detection to identify threats that anti-virus and other traditional security products may not find. But an IT department needs to understand what data is attractive to an attacker and protect it effectively.
It is more important than ever that all businesses discover where their security weaknesses are and how to fix them before someone else finds and exploits them. The best way to discover where vulnerabilities lie is to simulate a malicious attack, from inside or outside of the organisation, in order to see how easy it is to break into a network or computer system and steal valuable data or deny access to critical assets. This is called penetration testing, and demand for this very skilled, technical and clearly very sensitive investigation and analysis has risen rapidly. While penetration testing has traditionally been associated with government organisations and large financial institutions and corporations, it is now commonplace among medium-sized companies, NGOs and the wider public sector.
But this is sensitive work, and companies need to be very clear who they are dealing with and have confidence in professionally qualified and skilled individuals with the appropriate processes and methodologies to protect data and integrity. There needs to be confidence and trust in these specialist companies regarding how information is handled and processed. It is a common misconception that the security industry is simply made up of ex-hackers, who, let’s face it, most organisations would be reluctant to trust.
This is why CREST was established in 2006 by the technical security industry with the support of the UK Government. CREST is a not-for-profit body representing the technical information security industry that provides internationally recognised accreditation for organisations and certification of individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo a stringent accreditation process every year and sign up to a strict and enforceable code of conduct, while CREST qualified individuals must pass the most challenging and rigorous examinations in the industry worldwide to demonstrate the highest levels of knowledge, skill and competence.
For example, CREST Practitioner entry-level examinations are aimed at individuals with typically 2,500 hours of relevant and frequent experience, while candidates for CREST Registered Tester examinations should have at least 6,000 hours - three years or more - and candidates at the certified level 10,000 hours or more. All these individuals have to re-sit the examinations every three years, reflecting the fast-moving nature of the industry.
This means that organisations wishing to buy penetration testing services have the confidence that the work will be carried out by trusted companies with the appropriate policies, processes and procedures for the protection of client information, using qualified individuals with up to date experience and understanding of the latest vulnerabilities and techniques used by real attackers.
CREST Members work particularly closely with the UK’s critical national infrastructure providers where cyberattacks could do the most damage - from energy and utility companies to major financial institutions. Working alongside the Bank of England, Government and industry, CREST developed a new framework to deliver controlled, bespoke, intelligence-led cybersecurity tests for the UK’s most important financial institutions.
Getting the basics right
With recent reports and experiences demonstrating that companies of all sizes are under threat from cyber attacks, CREST has also helped to develop the technical assessment and certification framework for the UK Government’s cybersecurity standards, Cyber Essentials and Cyber Essentials Plus. These set down baseline requirements for cyber hygiene and are now mandated for some government contracts dealing with sensitive data.
The scheme provides organisations with clear guidance on implementation, as well as offering independent certification for those companies who want to demonstrate to their customers that their data is adequately protected and that they take cybersecurity seriously. CREST accredits companies to deliver Cyber Essentials certifications, and following the recent WannaCry and Petya ransomware attacks it was shown that organisations that had achieved this basic level of cyber hygiene had not been affected. For more information on Cyber Essentials, go to www.cyberessentials.org
Incidents will happen
Despite best endeavours, it is impossible to be 100% secure and if your business does fall victim to a malicious cybersecurity incident, your immediate task is to act as quickly as possible to limit the impact and damage. You are effectively working in a crime scene and the requirement for evidential integrity can conflict with the need to resume business as usual, let alone budgetary and time constraints.
The CREST Cyber Security Incident Response scheme focuses on appropriate standards for incident response to help companies have in place effective policies, processes and procedures to plan for, manage and recover from significant cybersecurity-related incidents. Law firms face a major risk of reputational damage in the aftermath of an attack and clients will want assurances that their data is not compromised.
The Data Protection Act has now been updated and its replacement – the General Data Protection Regulation – has been designed to protect more effectively the privacy of consumers entrusting their data to businesses. Businesses in all sectors are required to demonstrate transparency in their processing of personal data and to have in place technical and organisational processes appropriate to the level of risk their data collection affords them.
Businesses experiencing a data breach are required to report it to the national authorities within 72 hours of discovery. If affected individuals are considered to be at significant risk, the company will be required to notify them of the breach within the same timeframe. Legal firms that are unable to demonstrate that adequate measures have been put in place to safeguard the personal information they hold in digital form will be subject to penalties of up to 4% of their global turnover, or 20 million euros, whichever is the greater.
As client organisations significantly improve the security of their networks, businesses must ensure they do not become the weak link in the protection of data. As we have seen, the results of a successful cyber attack can be devastating for business and individuals, so companies need a professional cybersecurity industry they can trust and rely on.
For more information, please visit www.crest-approved.org
By Ian Glover, President, CREST
Intelliwave SiteSense boosts APTIM material tracking
“We’ve been engaged with the APTIM team since early 2019 providing SiteSense, our mobile construction SaaS solution, for their maintenance and construction projects, allowing them to track materials and equipment, and manage inventory.
We have been working with the APTIM team to standardize material tracking processes and procedures, ultimately with the goal of reducing the amount of time spent looking for materials. Industry studies show that better management of materials can lead to a 16% increase in craft labour productivity.
Everyone knows construction is one of the oldest industries but it’s one of the least tech driven comparatively. About 95% of Engineering and Construction data captured goes unused, 13% of working hours are spent looking for data and around 30% of companies have applications that don’t integrate.
With APTIM, we’re looking at early risk detection, through predictive analysis and forecasting of material constraints, integrating with the ecosystem of software platforms and reporting on real-time data with a ‘field-first’ focus – through initiatives like the Digital Foreman. The APTIM team has seen great wins in the field, utilising bar-code technology, to check in thousands of material items quickly compared to manual methods.
There are three key areas when it comes to successful Materials Management in the software sector – culture, technology, and vendor engagement.
Given the state of world affairs, access to data needs to be off site via the cloud to support remote working conditions, providing a ‘single source of truth’ accessed by many parties; the tech sector is always growing, so companies need faster and more reliable access to this cloud data; digital supply chain initiatives engage vendors a lot earlier in the process to drive collaboration and to engage with their clients, which gives more assurance as there is more emphasis on automating data capture.
It’s been a challenging period with the pandemic, particularly for the supply chain. Look what happened in the Suez Canal – things can suddenly impact material costs and availability, and you really have to be more efficient to survive and succeed. Virtual system access can solve some issues and you need to look at data access in a wider net.
Solving problems comes down to better visibility, and proactively solving issues with vendors and enabling construction teams to execute their work. The biggest cause of delays is not being able to provide teams with what they need.
On average 2% of materials are lost or re-ordered, which only factors in the material cost, what is not captured is the duplicated effort of procurement, vendor and shipping costs, all of which have an environmental impact.
As things start to stabilise, APTIM continues to utilize SiteSense to boost efficiencies and solve productivity issues proactively. Integrating with 3D/4D modelling is just the precipice of what we can do. Access to data can help you firm up bids to win work, to make better cost estimates, and AI and ML are the next phase, providing an eco-system of tools.
A key focus for Intelliwave and APTIM is to increase the availability of data, whether it’s creating a data warehouse for visualisations or increasing integrations to provide additional value. We want to move to more of an enterprise usage phase – up to now it’s been project based – so more people can access data in real time.