Cyber-attacks are a growing threat to organisations of all shapes and sizes, and local government is no exception. Just as any organisation that fulfils a vital function or holds sensitive information is a target, local government is firmly in the crosshairs for cyber criminals. Having a strong cyber security strategy has become a necessity, not a luxury.
One of the most effective ways to maintain a strong cyber security strategy is penetration testing. The main aim of penetration testing is to identify technical vulnerabilities in IT and communications systems that could leave your local government department open to attack should they be exploited by a potential threat actor – from a disgruntled employee or casual hacker to a state sponsored cybercriminal. Once identified, these weak points within a network infrastructure or application can be remediated to strengthen your overall security posture.
There are lots of analogies that work here, but amongst the most illustrative is that of the fire drill. Everyone knows they need to leave the building if the fire alarm goes off, and thanks to installed signage they even know the safest route to follow. A fire drill which simulates the real thing might reveal that a door is routinely locked, an exit is blocked or fire extinguishers are either missing or non-functional. Now think of your network as the building, the flammable materials lying around and the faulty extinguisher as the vulnerabilities, and a man with a match as the threat.
A penetration test provides that same kind of real world attack experience by mapping vulnerabilities, exposing gaps in security policy and process and ultimately managing risk. It would advise against storing large quantities of oil in an unsafe environment, point out that policy was being breached regarding extinguisher maintenance and suggest better methods of preventing arsonists from gaining access.
Size doesn't matter
While pen testing is often thought of as being something only larger government departments need, and have the budget for, the truth is that local government is firmly in the cybercrime cross-hairs. When it comes to being targeted by the bad guys, size really doesn't matter: every organisation is at risk. As for budgets, you shouldn't be asking whether you can afford a penetration test but rather whether you can afford to be breached. Breach costs can be financially devastating by the time you've rolled forensic investigations, incident mitigation and reputational damage into the total. Cyber criminals are also looking to directly monetise hacking through the likes of ransomware and Carbanak, used to steal money from banks. So, where the impact used to be in terms of fines or loss of reputation, there is more likely to be a direct financial impact.
You may be wondering, given the number of readily available automated vulnerability scanning tools out there, why you can't pen test yourself. In some cases, such as an organisation applying for accreditation or certification, there will be a requirement to obtain penetration testing from an independent third party, but even if you were just looking to self-assess your security posture there are still plenty of good reasons not to do it. The main one comes down to skill sets, as the person responsible for the testing may not have the necessary technical knowledge to carry out the various aspects of a penetration test. For example, they may need to perform a web application test, an internal infrastructure test and a Citrix review, for which an external company would be in a position to provide experienced and capable consultants for each.
Another benefit of using an external provider is what they provide to the organisation in terms of exposure. A self-test may not provide a realistic picture, as an internal employee could bring additional access or knowledge about their own infrastructure that could skew test results. The fact that an external provider will be unbiased and independent really cannot be stressed enough, as these are vital requirements for a meaningful penetration test.
When it comes down to the use of automated vulnerability scanning tools, these actually do have their place and could help an organisation improve its security posture if identified issues were properly remediated. However, a vulnerability scan can only go so far. Anything more complicated than simple scans of infrastructure and web applications can lead to a lot of false positives. In addition, any issues will need to be manually reviewed to ensure they are legitimate. This can easily become unmanageable, and when you throw in complex systems and applications it becomes impossible, as simple vulnerability scanners will not identify vulnerabilities within business logic or complex multi-stage transactions. Automated scanning has its place but should only be used in conjunction with a more robust and manual penetration test approach.
The small matter of trust
Something that might be of concern, given the nature of the access being handed over to a pen testing team, is the not so small matter of trust. It's vital that any organisation carrying out penetration testing, and engaging an external company to provide that service, is satisfied regarding appropriate qualifications. There are numerous certifications out there that can provide a level of assurance that the consultant is appropriately skilled and has the requisite knowledge. At Context, we aim for our consultants to acquire CREST-related qualifications such as CREST Registered Tester (CRT) and CREST Certified Tester (CCT), which are technical qualifications that require a high level of knowledge and technical ability to be able to complete.
Any external consultants will also require the necessary security clearances - at least Security Check (SC) level - if accessing protectively marked information and assets. Tick the certification and clearance checkboxes and you can be happy with a high degree of assurance that your pen testing partners are competent, trustworthy and appropriately skilled.
From the legal perspective, any company carrying out pen testing could be in contravention of the Computer Misuse Act. Penetration testing is also known as ethical hacking, which provides a hint as to why, so relevant authorisation must be given by the organisation being tested. Where the Data Protection Act is concerned, a penetration test may involve access to corporate data and information; so the organisation also needs to ensure that the testing company is handling any data appropriately and securely.
Report and remediate
You should also bear in mind that a successful penetration test does not end after the penetrating has been done; in order to deliver value to your business it has to also assess the impact of any issues found. A properly conducted pen test by a team of certified professionals will result in a comprehensive and focussed report; far more so than any automated process could hope to achieve. This is important, because the success of the testing should be measured less in what has been found and more in how those weaknesses can be mitigated.
Detailed reports stating the technical impact and ease of exploitation provide clarity, so you can better understand the risk and be in a better position to implement the most appropriate and proportionate mitigation methods.
With network breach and data loss headlines appearing day-in, day-out, the threat to local governments is not going away. And whereas penetration testing was once seen as something only major government departments undertook, it is now seen as an essential part of information security strategies for departments of all types and sizes.
Owen Wright is assurance director at Context Information Security.