Cyber Security. Building and assuring defence in depth

Similar documents
Information Security Controls Policy

External Supplier Control Obligations. Cyber Security

CYBER RESILIENCE & INCIDENT RESPONSE

Cyber security tips and self-assessment for business

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Digital Health Cyber Security Centre

Department of Management Services REQUEST FOR INFORMATION

DIGITAL TRUST Making digital work by making digital secure

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Cybersecurity Today Avoid Becoming a News Headline

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

to Enhance Your Cyber Security Needs

Unit 3 Cyber security

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Security by Default: Enabling Transformation Through Cyber Resilience

Data Sheet The PCI DSS

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Sage Data Security Services Directory

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

AUTHORITY FOR ELECTRICITY REGULATION

Cyber Resilience - Protecting your Business 1

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Nine Steps to Smart Security for Small Businesses

NEN The Education Network

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Ingram Micro Cyber Security Portfolio

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Cyber Security Incident Response Fighting Fire with Fire

The Common Controls Framework BY ADOBE

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Emerging Technologies The risks they pose to your organisations

Information Security Controls Policy

2017 Company Profile

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Incident Response Services

Canada Life Cyber Security Statement 2018

Gujarat Forensic Sciences University

falanx Cyber Falanx Phishing: Measure your resilience

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Protecting your data. EY s approach to data privacy and information security

Industrial control systems

CYBER SECURITY AND MITIGATING RISKS

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Penetration Testing. Strengthening your security by identifying potential cyber risks

A practical guide to IT security

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

A new approach to Cyber Security

CA Security Management

IoT & SCADA Cyber Security Services

Security Awareness Training Courses

INFORMATION SECURITY AND RISK POLICY

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Cybersecurity The Evolving Landscape

Big data privacy in Australia

CYBER SECURITY TRAINING

Security Solutions. Overview. Business Needs

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

An ICS Whitepaper Choosing the Right Security Assessment

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Choosing the Right Security Assessment

SECURITY & PRIVACY DOCUMENTATION

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

A company built on security

A Comprehensive Guide to Remote Managed IT Security for Higher Education

SFC strengthens internet trading regulatory controls

TEL2813/IS2820 Security Management

Secure Development Lifecycle

What is ISO ISMS? Business Beam

IT SECURITY FOR NONPROFITS

NEXT GENERATION SECURITY OPERATIONS CENTER

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Twilio cloud communications SECURITY

This document provides a general overview of information security at Aegon UK for existing and prospective clients.

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Ransomware A case study of the impact, recovery and remediation events

Google Cloud & the General Data Protection Regulation (GDPR)

Continuous Monitoring and Incident Response

How to be cyber secure A practical guide for Australia s mid-size business

Are we breached? Deloitte's Cyber Threat Hunting

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Transcription:

Cyber Security Building and assuring defence in depth

The Cyber Challenge Understanding the challenge We live in an inter-connected world that brings a wealth of information to our finger tips at the speed of light. It provides the intelligence that we need to deliver excellence and to manage complex organisations. It allows us to share big data across organisational boundaries, to support research and to further improve services and outcomes; and it does this in a way that has become so engrained within our day to day processes that the thought of working without it is, well, unthinkable! 90% 74% had a security breach in the last year This inter-connected, data driven, world, however, also brings significant operational risk. Recent events have reminded us that the internet is also being used to perpetrate a wide range of crimes, all of which have substantial human and economic consequences, including significant reputational damage. These, however, are not one off events. More and more often, organisations are being targeted for the data that they possess, to acquire it for profit or hold it to ransom, to disrupt services or simply for the kudos. Malicious hackers, hacktivists and script kiddies are constantly knocking at the door, trying to penetrate networks, using ever more intricate and diverse approaches to gain entry. Gone are the days when the hack was a dark art; more and more the intrusion will begin through social engineering. Getting employees to divulge key information, either directly or by providing their credentials which can then be exploited, is often a more successful route for the hacker. 69% 38% were attacked by an unauthorised outsider in the last year Whether using phishing emails or simply entering buildings wearing a hi-vis jacket, social engineers create an aura or plausibility that encourages us to let our defences down. But not all data loss or disruption is at the hands of the outsider, it remains the case that incidents are more likely to be the work of an employee. In times of austerity, insider related incidents rise, whether the result of dissatisfaction, personal circumstances or the pressures that we put on staff when we reduce headcounts. All together, this represents a hazardous world in which to operate but the benefits are worth it if we control it. Building and assuring defence in depth Protecting data requires a multi-faceted approach to reflect the myriad of systems, vulnerabilities and threat vectors. Organisations cannot depend solely on education of users, nor can they focus on simply locking the doors and windows of the perimeter or even relying on system access controls. The threat horizon is more complicated and defence in depth is required. Developing, implementing and testing a defence in depth model will provide an organisation with confidence that it has protected its core internal networks, applications and databases; it has secured the perimeter of the network where it touches multi-organisational WANs and CoINs as well as the internet; and, that its users and system managers are aware of their responsibilities, how to detect threats and, importantly, how to react to them. Implementing a robust process of testing, auditing and continuous improvement will provide the assurance that the organisation and its wider stakeholders require. 75% 3% suffered staff related security breaches in the last year 20% of NHS Trusts are fully confident that their board has a complete and accurate picture of cyber risks At MIAA we have extensive experience working with clients to develop, test and assure their cyber security defences and supporting them to achieve certifications. With a team of professional architects, testers and auditors, and with a track record of successful delivery, we are able to provide a service that combines industry leading expertise with value for money to create a compelling offer. - HMG 205 InfoSec Breaches Survey 2 - NHS Digital Maturity Survey

Our services Protecting the core Your network provides the means for accessing systems and data. It is the heart of your digital nervous system and it should be protected by design. Our team of security experts are able to support clients by providing a range of services from technical security design to policy and process development and support to achieve certification to acknowledged security standards. Typical support for clients includes: Security architecture design, helping clients to build, configure and deploy new and upgraded networks which are designed with security as a cornerstone; Security management assessment, assessing the capacity and capability of internal information security functions and their ability to deliver organisational requirements; Information risk assessments, identifying and assessing risks to the organisation s information assets and delivering risk remediation plans for local action; Information asset management documentation, creating system level security policies and privacy impact assessments; ISO2700 compliance, identifying the extent to which the organisation complies with the international information security standard, creating action plans and developing compliant policy and procedural frameworks. Protecting the perimeter No organisation is an island, however, and the connection of organisations to one another and to the internet creates further vulnerability at the perimeter of the network. It is essential that organisations understand and manage the risks at the boundary of their infrastructure. 25% 55% 84% 63% Key support provided to clients includes:- suffered a disruptive malware attack in the last year increase in zero day vulnerabilities increase in phishing attacks 35% increase in ransomware Cyber Essentials base lining and certification, undertaking assessment against the UK government s Cyber Essentials and Cyber Essential Plus standards and supporting organisations to achieve certification to these; Regular vulnerability assessment, providing low cost, high speed testing to clients who wish to proactively identify and address issues within their infrastructure. The assessment comprises four main elements; port scanning, service identification, vulnerability identification and reporting. The service is typically delivered on an annual, quarterly or monthly basis; Firewall rule base assessment, to determine the packet flows and implied access with a view to highlighting any rules that could facilitate external to internal access in order that these can be assessed and, if necessary, removed. Embedding the culture People are often described as the weakest point in the security of an organisation; ensuring that they are aware of risks and attacks and training them in how to respond are crucial. Our security awareness workshops, which can be tailored and delivered to all levels and disciplines within an organisation, can include a live hacking demonstration, provide presentations on security threats and how individuals can spot and react to them, and can include structured discussions with IT teams to identify controls and weaknesses and prepare action plans. In addition, to support security professionals and system administrators in securing their infrastructures, through our website and a free alerts service we provide regular security advisories relating to vulnerabilities in vendor products. Testing, probing, improving, assuring Testing is critical in the assurance and improvement processes. Only by testing the organisations cyber defences can an accurate assessment of the arrangements be made. An effective and robust assurance strategy will marry technical review with active testing of the defence mechanisms, looking for the weak points and trying to exploit them. Working with clients we are able to develop co-ordinated testing strategies to meet assurance needs through assignments including:- Penetration testing, using industry leading tools and techniques we aim to identify weakness in your defences and expose the potential for them 28% 34% 37% do not provide on-going security awareness training to their staff of NHS Trusts do not receive regular assurance, including thorough penetration testing, that digital assets are secure to be exploited. Weaknesses identified are risk assessed and prioritised and remediation plans are provided in order to improve security and learn lessons. 2

Social engineering and phishing, exploiting what is often the weakest point by creating a false position of trust with an end user in order to get them to unwittingly expose credentials or introduce malware is an increasingly common attack vector. Our exercises mimic these approaches allowing the organisation to assess its exposure, identify training needs and deliver effective awareness raising. 23% % of recipients of phising emails open them open the mails and click on the malicious attachments Web application testing, as organisations increasingly use web interfaces to present applications to users from multiple locations, on differing platforms, so data is potentially more widely exposed. Our testing is typically delivered in two stages, with no authentication to the application and then with a valid user account for testing privilege escalation vulnerabilities, in order to identify weaknesses in the authentication and authorisation mechanisms. Remote access & VPN testing, supporting the mobile workforce requires secure entry points to the corporate network. Starting with reconnaissance to determine the type of remote access or VPN implementation we identify known attack vectors against specific vendors. This is followed by the use of a variety of tools to capture hashes which are run through password crackers to harvest passwords which could be used for malicious access to the RAS/VPN. Mobile device and own-device management, aimed primarily at mobile devices such as laptops, tablets and smartphones we are able to test the security of individual devices and assess the configuration of mobile device management solutions. success is all that is needed to breach the network 55% 66% currently, or are planning to, allow users to use their own devices Red/tiger team exercises, representing an all-out attempt to gain access to a system or data by any means necessary. This can include penetration testing, physical breach, testing phone lines for modem access and also testing employees through several scripted social engineering and phishing tests. They can be undertaken as a combined exercise or can be delivered in a phased approach as part of a structured security assurance programme. Core infrastructure assessments, covering the platform upon which systems run and data flows and which enable information to be delivered to the right people when and where needed, our reviews seek to provide an opinion on the arrangements in place across a range of areas including: - Network monitoring - Server management - Incident management - Domain policies - Change management - Server baseline policies - Physical security - User management - Back-up and recovery - Patch management - Vulnerability management - Malware protection Asset management reviews, considering the extent to which the organisation has a clear understanding of the totality of its hardware and software assets and the extent to which these are managed and monitored in order to ensure effective deployment and legal compliance. In particular, the reviews seek to establish the accuracy of asset inventories, the effective processes for recording asset data, the secure disposal of equipment and the reconciliation and management of, often complex, software licences. Application security, assessing the security of systems including access control, logging and monitoring, resilience, back-up and recovery and change control. Monitoring, identifying, responding, resolving We are able to provide an incident response service that can respond quickly, determine the best recovery strategy with you, and then work together to get you back up and running. Alongside, we can provide a full digital forensics service from initial response, through secure acquisition to investigation and reporting. The service is delivered in accordance with all relevant legislation, standards and guidance and can be complemented by the provision of expert witnesses at disciplinary hearings or court cases if required. Improve the outcome With a comprehensive service offering, delivered by experienced professionals, we are able to provide the support you require to meet your cyber security needs. From helping to build security into designs, through testing and ultimately responding to events, you will find that working with MIAA will improve your defences and provide the meaningful assurances that you require in these challenging times. Improve The Outcome

To discuss how MIAA can support your organisation to improve and assure its cyber defences please contact:- Tony Cobain - Assistant Director (Informatics & Infrastructure) Tel: 07770 97006 Email: tony.cobain@miaa.nhs.uk

To discuss how MIAA can support your organisation to improve and assure its cyber defences please contact:- Tony Cobain - Assistant Director (Informatics & Infrastructure) Tel: 07770 97006 Email: tony.cobain@miaa.nhs.uk

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback