19 September 2016

Pen testing: cyber security strategies for local authorities

Cyber-attacks are a growing threat to organisations of all shapes and sizes and local government is no exception. Just as any organisation that fulfils a vital function or holds sensitive information is a target, local government is firmly in the crosshairs for cyber criminals. Having a strong cyber security strategy has become a necessity, not a luxury.

One of the most effective ways to maintain a strong cyber security strategy is penetration testing. The main aim of penetration testing is to identify technical vulnerabilities in IT and communications systems that could leave your local government department open to attack should they be exploited by a potential threat actor – from a disgruntled employee or casual hacker to a state sponsored cybercriminal. Once identified, these weak points within a network infrastructure or application can be remediated to strengthen your overall security posture.

There are lots of analogies that work here, but amongst the most illustrative is that of the fire drill. Everyone knows they need to leave the building if the fire alarm goes off, and thanks to installed signage they even know the safest route to follow. A fire drill which simulates the real thing might reveal that a door is routinely locked, an exit blocked, or fire extinguishers missing or non-functional. Now think of your network as the building: the flammable materials lying around and the faulty extinguisher are the vulnerabilities, and the man with a match is the threat.

A penetration test provides that same kind of real world attack experience by mapping vulnerabilities, exposing gaps in security policy and process and ultimately managing risk. It would advise against storing large quantities of oil in an unsafe environment, point out that policy was being breached regarding extinguisher maintenance and suggest better methods of preventing arsonists from gaining access.

Size doesn't matter

While pen testing is often thought of as something only larger government departments need, and have the budget for, the truth is that local government is firmly in the cybercrime cross-hairs. When it comes to being targeted by the bad guys, size really doesn't matter: every organisation is at risk. As for budgets, you shouldn't be asking whether you can afford a penetration test but rather whether you can afford to be breached. Breach costs can be financially devastating by the time you've rolled forensic investigations, incident mitigation and reputational damage into the total. Cyber criminals are also looking to directly monetise hacking through the likes of ransomware and Carbanak, the malware used to steal money from banks. So, where the impact used to be felt in terms of fines or loss of reputation, there is now more likely to be a direct financial impact.

DIY disasters

You may be thinking, given the number of readily available automated vulnerability scanning tools out there, why you can't pen test yourself. In some cases, such as an organisation applying for accreditation or certification, there will be a requirement to obtain penetration testing from an independent third party; but even if you were just looking to self-assess your security posture, there are still plenty of good reasons not to do it yourself. The main one comes down to skill sets: the person responsible for the testing may not have the necessary technical knowledge to carry out the various aspects of a penetration test. For example, they may need to perform a web application test, an internal infrastructure test and a Citrix review, and an external company would be in a position to provide experienced and capable consultants for each.

Another benefit of using an external provider is what they provide to the organisation in terms of exposure. A self-test may not provide a realistic picture, as an internal employee could bring additional access or knowledge about their own infrastructure that could skew test results. The fact that an external provider will be unbiased and independent really cannot be stressed enough, as these are vital requirements for a meaningful penetration test.

Manual dexterity

When it comes down to the use of automated vulnerability scanning tools, these do have their place and could help an organisation improve its security posture if the identified issues were properly remediated. However, a vulnerability scan can only go so far. Anything more complicated than simple scans of infrastructure and web applications can lead to a lot of false positives, and every reported issue will need to be manually reviewed to confirm it is legitimate. This can easily become unmanageable, and when you throw in complex systems and applications it becomes impossible, as simple vulnerability scanners will not identify vulnerabilities within business logic or complex multi-stage transactions. Automated scanning has its place, but it should only be used in conjunction with a more robust, manual penetration test approach.

The small matter of trust

Something that might be of concern, given the nature of the access being handed over to a pen testing team, is the not so small matter of trust. It's vital that any organisation commissioning penetration testing, and engaging an external company to provide that service, is satisfied regarding the provider's qualifications. There are numerous certifications out there that can provide a level of assurance that the consultant is appropriately skilled and has the requisite knowledge. At Context, we aim for our consultants to acquire CREST related qualifications such as CREST Registered Tester (CRT) and CREST Certified Tester (CCT), which are technical qualifications that require a high level of knowledge and technical ability to complete.

Any external consultants will also require the necessary security clearances - at least Security Check (SC) level - if accessing protectively marked information and assets. Tick the certification and clearance checkboxes and you can be happy with a high degree of assurance that your pen testing partners are competent, trustworthy and appropriately skilled.

Legally speaking

From the legal perspective, a company carrying out pen testing without authorisation could be in contravention of the Computer Misuse Act; penetration testing is also known as ethical hacking, which hints at why. Relevant authorisation must therefore be given by the organisation being tested. Where the Data Protection Act is concerned, a penetration test may involve access to corporate data and information, so the organisation also needs to ensure that the testing company is handling any data appropriately and securely.

Report and remediate

You should also bear in mind that a successful penetration test does not end once the testing itself has been done; in order to deliver value to your business it has to also assess the impact of any issues found. A properly conducted pen test by a team of certified professionals will result in a comprehensive and focused report, far more so than any automated process could hope to achieve. This is important, because the success of the testing should be measured less by what has been found and more by how those weaknesses can be mitigated.

By providing clarity through detailed reports stating the technical impact and ease of exploitation, you can better understand the risk and so be in a better position to implement the most appropriate and proportionate mitigation methods.

With network breach and data loss headlines appearing day-in, day-out, the threat to local governments is not going away. And whereas penetration testing was once seen as something only major government departments undertook, it is now seen as an essential part of information security strategies for departments of all types and sizes.

Owen Wright is assurance director at Context Information Security.