Take a step back and give yourself some hearty congratulations. You’ve done it. The monster that was cyber security has been tamed. You have endpoint protection in place. A complex password policy, after a bumpy start, is gaining universal acceptance. Staff training is ongoing and being warmly received. The patch management solution is working like a dream. The supply chain has been audited and refined accordingly, and the Cyber Essentials certificate has pride of place and is regularly polished. So what’s next?
After many months of effort, do you now sit back and wait to be attacked? Or can you relax, get back to business as normal and try to remember what you were doing before cyber security leapfrogged every other task to become the number one priority? Neither. Now is the time to put all that technology, all those processes and all that training to the test: it’s time for a bit of attack simulation.
Testing any new technology, IT based or otherwise, is a critical phase. Even if ‘in theory’ it will all work, until you actually put it through its paces in a real world scenario you can never be fully confident that it will withstand the stresses and strains of modern life. The physical world is far more mature in testing its products than those of us who work predominantly with data. Cars, aircraft, kitchen equipment, even children’s toys are tested literally to destruction to ensure that, should they be placed under extreme use well outside their original design parameters, they will not cause excessive damage. Results from these tests are fed back for continuous improvement. Even this is not a foolproof system: once released into the wild in their millions, products collectively highlight shortfalls in their design and manufacture that no test bench found.
But how do you go about testing an entire cyber security strategy? You hire ethical hackers, penetration testers and simulated attack managers who will devise multiple attack vectors in order to bring all your hard work crashing down around your ears. CREST, the not-for-profit organisation that serves the technical information security marketplace, keeps a register of member companies that will relish the opportunity to find the smallest crack in your defences and exploit it to the full.
Any penetration testing company that has received CREST approval will have passed technical examinations reviewed and approved by GCHQ. So if you do fall victim to their simulated attack, you can be confident that you have been compromised by a ‘premier league’ team and not just an opportunist who stumbled across a vulnerability in your system while trawling the web for the latest pirated movie downloads.
When planning a simulated attack with your chosen friendly assailant, give them a window of time in which to attack you. This window needs to be long enough for staff to actually forget that it may be happening; a month, for example. You don’t want to mirror the ‘we are having a fire drill at 11am today’ daftness that often happens in companies, where everybody gets ready for a drill that proves how effective you are at dealing with an emergency, just as long as you get plenty of prior warning of that emergency.
Allow your attack team to use any method they deem fit over this month to expose you; nothing is off limits. They can leave USB sticks in the car park to see if a curious member of staff picks one up and pops it into a corporate machine. They can scour the social media profiles of your staff and use social engineering techniques to persuade unsuspecting individuals to hand over sensitive information. Don’t restrict, restrain or ring-fence any tool or technique they may wish to deploy. Unrestricted in technique does not mean unauthorised, though: put the scope, the window and an emergency contact on both sides in writing before it starts, so that the team has written permission for what it does and a way to stop if something goes seriously wrong.
During this attack window, also allow your attack team to ‘go dark’. Don’t speak to them, don’t call them, don’t check up on progress. If during this month you see something untoward, something of concern, then address it and resolve it. Don’t ask them ‘if it was them’. This phase of testing needs to be as close to the real world as possible, and it also gets you and the IT team into the habit of monitoring every aspect of your cyber security implementation, rather than assuming that every odd event is part of the test. Keep a log of everything you notice and what you did about it; you will need it when the window closes.
Once the month is up, sit down with your friendly attackers and compare notes. Did they get in? What did they take? Did any unexpected events you witnessed on your network correlate with an attack by them? Learn from what they found and from what you did, and there will undoubtedly be some next steps to take to further enhance your cyber resilience. This cycle of implement, test, refine is a normal software methodology and an ongoing process, as we all bear witness to with the constant revisions, patches and updates to all our software driven devices. By introducing testing and applying this cycle to your cyber security strategy, you can ensure that you will never again catch yourself wondering ‘What’s next?’.
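The ‘compare notes’ step is easier with the two logs side by side: the attack team’s record of what they did and when, and the IT team’s record of what they noticed during the window. The following is an added example, not code from the article or from any testing company, showing one way to line the two up. Both logs are constructed sample data, the asset names are made up, and the two-hour matching window is an assumption; a real debrief would use the timestamps and host names from your own tooling.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example: the attack team's activity log,
# handed over when the window closes. Times are ISO 8601, assets are made-up names.
RED_TEAM_LOG = [
    {"time": "2024-03-04T09:12:00", "asset": "reception-pc-01", "action": "USB drop payload executed"},
    {"time": "2024-03-07T14:30:00", "asset": "mail", "action": "phishing email sent to finance"},
    {"time": "2024-03-12T22:05:00", "asset": "vpn-gw", "action": "password spray against VPN"},
    {"time": "2024-03-19T11:40:00", "asset": "fileserver-01", "action": "data staged for exfiltration"},
]

# Constructed sample data: what the IT team logged as 'something untoward'
# during the month, and how it was handled, without asking the attackers.
BLUE_TEAM_LOG = [
    {"time": "2024-03-04T09:20:00", "asset": "reception-pc-01", "note": "unknown exe blocked by endpoint protection"},
    {"time": "2024-03-12T22:40:00", "asset": "vpn-gw", "note": "lockouts on 30 accounts, source IP blocked"},
    {"time": "2024-03-15T03:10:00", "asset": "hr-laptop-03", "note": "AV alert, machine quarantined"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(red_log, blue_log, window=timedelta(hours=2)):
    """Pair each attack-team action with defender observations on the same
    asset within +/- window (2 hours here is an assumed value).

    Returns the pairs that were detected, the actions nobody noticed, and
    the defender observations that no attack-team action explains.
    """
    detected, missed = [], []
    explained = set()  # indices into blue_log that matched something
    for red in red_log:
        red_time = _parse(red["time"])
        hits = [
            i for i, blue in enumerate(blue_log)
            if blue["asset"] == red["asset"]
            and abs(_parse(blue["time"]) - red_time) <= window
        ]
        if hits:
            for i in hits:
                detected.append((red["action"], blue_log[i]["note"]))
                explained.add(i)
        else:
            missed.append(red["action"])
    unexplained = [b["note"] for i, b in enumerate(blue_log) if i not in explained]
    return {
        "detected": detected,
        "missed": missed,
        "unexplained": unexplained,
        "red_total": len(red_log),
    }


def detection_rate(result):
    """Fraction of attack-team actions that produced at least one observation."""
    if result["red_total"] == 0:
        return 0.0
    return (result["red_total"] - len(result["missed"])) / result["red_total"]


if __name__ == "__main__":
    result = correlate(RED_TEAM_LOG, BLUE_TEAM_LOG)
    print(f"Detected {len(result['detected'])} of {result['red_total']} actions "
          f"({detection_rate(result):.0%})")
    for action, note in result["detected"]:
        print(f"  seen:       {action!r} -> {note!r}")
    for action in result["missed"]:
        print(f"  missed:     {action!r}")
    for note in result["unexplained"]:
        print(f"  unexplained: {note!r}")
```

With the sample data, the USB drop and the password spray were both noticed and dealt with, the phishing email and the staged data were not, and the AV alert on the HR laptop matches nothing the attack team did. That last category is the important one: an event the attackers cannot account for is either a false positive or a real intruder, and the debrief is where you find out which.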