As a business, your data is one of your biggest assets, and protecting it is critical. Data breaches occur constantly and their effects can be devastating: systems can be taken offline for days or weeks, customer data could be shared with competitors, and confidential information could be published publicly, leading to large fines.
Attacks can be opportunistic or targeted. Understanding what an attack could look like, or how it would affect your business, is difficult. It’s a common mistake to think that strengthening your IT infrastructure is the ultimate defence: your people, your processes and your communications are all potential vulnerabilities too.
Samurai determine how to maximise your defences with the minimum cost and time. We do this by establishing the points within your organisation that are most in need of strengthening, from staff awareness training to web applications and networked systems.
Full Force Attack Simulation Includes
In essence we mirror all aspects and actions of persistent, malicious hackers.
Once we have a clear picture of the potential issues, we work with you to find and then implement the most robust, effective and cost-efficient solutions to eliminate the risks.
Why Choose Samurai?
So why choose Samurai for your cyber security requirements?
Our expert team can carry out a full-spectrum cyber security attack simulation in your organisation. This combines manual and automated methods to find vulnerabilities and weak areas across the organisation.
With over 20 years of combined experience in cyber security, our team can conduct a full system penetration test on any systems, networks and applications, whether they are new additions or systems already in place. The penetration test highlights any threats or vulnerabilities within the organisation and produces a detailed report setting out the areas of concern, how much of a risk each poses, and mitigation methods to reduce or patch each vulnerability.
Vulnerability assessments can also be carried out on internal and external networks, ensuring there are no gaps in your current security practices and that any risks are identified and corrected as soon as possible. A vulnerability assessment would also confirm that networks are properly segmented and not accessible from any other network. Completing vulnerability assessments can be the difference between responding to a breach and preventing network attacks.
Samurai Digital Security has experience in phishing campaigns, working closely with top management to ensure all departments are properly educated in cyber security awareness and are able to identify malicious emails, texts and calls. Any information leaked during a campaign is held under a strict NDA. All employees who responded to emails in the campaign are highlighted for extra training, ensuring staff are educated appropriately for their roles and are meeting the organisation’s cyber security expectations.
While phishing is a big threat to organisations and their information, social engineering and vishing are another serious issue, especially if employees aren’t aware of the techniques attackers use. Samurai can run social engineering simulations in which we conduct a vishing attempt (calling and speaking to one or more people in the organisation) with the intention of getting employees to divulge sensitive information. Social engineering can also be conducted in person, such as tailgating an employee into a secure area, or wearing a high-vis vest or overalls to look like you belong. Any access granted, information offered or secure area entered is noted in a detailed report covering all issues found during the engagement, with a simple set of instructions to remediate each issue and suggestions for training for departments that appeared not to be following the expected cyber security procedures.
Samurai can also hand out keyboards, mice and other peripherals that have been loaded with malicious software, such as keyloggers (which record the keys pressed and send them to an attacker), malware (malicious software or programs) or software designed to infect the organisation’s network. Our team monitors these devices, and any machines they are connected to are highlighted in a report, which gives guidance on how much information could have been lost, which departments require training and any other issues found. Samurai can also conduct a removable media test, similar to the peripheral test, where USB drives loaded with fake malware and branded with the organisation’s logo are left for employees to find, pick up and plug into company machines. Again, all information is compiled into a detailed report explaining the issues found, the devices infected and the overall potential loss of data.
Samurai Digital Security employs a wide range of experts with experience in many roles, including cyber security trainers, cyber security engineers, cyber security consultants and penetration testers, with backgrounds in secure code review, network attacks (both simulation and prevention) and application testing.
What’s getting through your defences?
When an organisation’s defences are breached, there are several areas a malicious hacker could have leveraged. Threats can be internal or external and can be exploited in a range of ways.
Phishing is one method of attack. It can come in the form of a call, text or email intended to get the target to click a malicious hyperlink or divulge sensitive information, often by impersonating a business, a person of authority or a family member in need. When an organisation is targeted, it may be sent to employees as a spoofed email that appears to come from the CEO or the technical department, in order to mislead the target into sending money or confidential information to the malicious hacker.
Social engineering is another possible threat to your organisation. It is performed in several ways and is used to gather information or gain entry to secure areas or systems; it can be done in conjunction with phishing emails and can also be attempted in person. Social engineering is where the malicious hacker attempts to trick their target into divulging sensitive information.
Vishing is voice phishing. It is similar to phishing and social engineering in that the attacker tries to trick the target into divulging sensitive information, or manipulates them into browsing a malicious website that could infect their machine with a virus or malware. Vishing is done using a voice message sent over email or through a call, where the attacker assumes the position of someone in authority, such as a boss or colleague. The attacker may also impersonate a business or provider such as Amazon or PayPal and attempt to get the target to divulge payment details or login credentials.
Disgruntled employees are a leading cause of internal cyber-attacks. This happens when an organisation terminates an employee for any reason and their access isn’t removed immediately, or they have kept sensitive information belonging to the business. It can be avoided by ensuring all work-related information and property is kept on the organisation’s premises only, that all work computers, laptops and phones are handed back at the time of termination, and that all access to company systems is revoked, ensuring all areas are covered.
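The leaver checks described above (access revoked on the day, equipment handed back) can be reconciled automatically against HR, directory and asset data. The following script is an added illustration, not a Samurai tool or the page’s own code; the HR export, account states and asset register are constructed sample data, and the field names and system names (directory, vpn, door_access) are assumptions.

```python
"""
Offboarding reconciliation: flag leavers whose access or equipment is still
outstanding. Added illustration, not a Samurai tool; the HR, directory and
asset exports below are constructed sample data and the field names are
assumptions.
"""
from datetime import date

# Constructed HR export: employees who have left and the date they left.
LEAVERS = [
    {"user": "a.jones", "left": date(2024, 3, 1)},
    {"user": "b.smith", "left": date(2024, 3, 4)},
    {"user": "c.lee", "left": date(2024, 3, 5)},
]

# Constructed directory export: per-user account state in the directory,
# the VPN and the building access system (the last two are often forgotten).
ACCOUNTS = {
    "a.jones": {"directory": False, "vpn": True, "door_access": False},
    "b.smith": {"directory": True, "vpn": True, "door_access": True},
    "c.lee":   {"directory": False, "vpn": False, "door_access": False},
    "d.khan":  {"directory": True, "vpn": True, "door_access": True},  # still employed
}

# Constructed asset register: issued equipment and whether it came back.
ASSETS = [
    {"user": "a.jones", "asset": "laptop-0142", "returned": True},
    {"user": "a.jones", "asset": "phone-0088", "returned": False},
    {"user": "b.smith", "asset": "laptop-0177", "returned": False},
]


def outstanding_access(leavers, accounts, as_of):
    """Return (user, system, days_since_leaving) for every system that is still
    enabled for a leaver. Every entry is a finding: access should be revoked on
    the day the person leaves."""
    findings = []
    for rec in leavers:
        user = rec["user"]
        for system, enabled in accounts.get(user, {}).items():
            if enabled:
                findings.append((user, system, (as_of - rec["left"]).days))
    return findings


def unreturned_assets(leavers, assets):
    """Return (user, asset) for equipment issued to a leaver and not handed back."""
    leaver_names = {r["user"] for r in leavers}
    return [(a["user"], a["asset"]) for a in assets
            if a["user"] in leaver_names and not a["returned"]]


def offboarding_report(leavers, accounts, assets, as_of):
    """Human-readable list of outstanding offboarding actions."""
    access = outstanding_access(leavers, accounts, as_of)
    kit = unreturned_assets(leavers, assets)
    lines = [f"{u}: {s} still enabled {d} day(s) after leaving" for u, s, d in access]
    lines += [f"{u}: {a} not returned" for u, a in kit]
    return lines or ["no outstanding offboarding actions"]


if __name__ == "__main__":
    for line in offboarding_report(LEAVERS, ACCOUNTS, ASSETS, date(2024, 3, 8)):
        print(line)
```

Run against the sample data on 8 March 2024 it reports a VPN account still enabled a week after one leaver left, all three systems still enabled for another, and two unreturned devices; the still-employed user is not flagged because they are absent from the HR leavers list. Running this daily from the real exports turns the policy in the paragraph above into a check that produces a finding whenever it is not followed.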
Accidental information leakage by employees who are unaware or untrained happens more often than most organisations would believe. It can happen for a number of reasons, but is mostly due to a lack of education about data protection, cyber security and securing information. One example is an employee leaving sensitive documents on their desk where any visitor or other employee can walk past and see them; another is an employee finding a memory stick with the organisation’s logo on it outside the building and plugging it into a machine inside. That flash drive could easily contain malicious software, such as malware or spyware, and if plugged into a company device could infect the whole network if it isn’t contained quickly.
Another common attack against an organisation is a web application defacement or hack, where the attacker finds your organisation’s website and uses tools and experience to find security holes, which can then be exploited either to deface the website and damage the organisation’s image, or to steal information without the organisation being aware.
A final example is an internal network hack, where an attacker gains access to the organisation’s network, which could allow them to steal sensitive or confidential information. Attackers often exploit weak or default passwords on routers, and sometimes leverage a guest network that hasn’t been properly segregated, allowing them to access company files and documents.
A real-world approach to the cyber threat
A cyber threat is anything that can cause harm to your organisation’s data, systems or network. It can result in data theft or system downtime, leading to a loss of revenue.
The best way to ensure a real-world approach is taken to cyber threats is to establish a team to work on cyber security compliance and system hardening. The cyber team would work directly with upper management to implement any cyber security controls the organisation requires.
The cyber team could be a dedicated in-house role or outsourced to a third-party cyber security company, which would undertake everything necessary to secure the organisation’s information and systems.
The technical experts in the cyber security team perform periodic system penetration tests, configure firewalls so that no external traffic can enter the network, review logs in the event of an incident and carry out general cyber incident response duties.
Management should make a commitment to improving security strategies within the organisation and should review risk assessments yearly, or whenever new systems are put in place; system penetration testing should be conducted on a similar schedule.
All risks should be considered, a full risk assessment should be carried out on every system and control currently in place, and mitigation should be applied where necessary.
Management should also ensure the cyber security team is trained appropriately to complete compliance checks. What is required depends on the organisation’s compliance requirements; for example, ISO 27001, IASME or Cyber Essentials requirements could be audited and a report created for continual improvement, presenting a positive image to current stakeholders and clients.
Finally, all employees should be trained in basic cyber security awareness, ensuring they are appropriately trained for the job role, systems and applications they will be interacting with.
Getting into the minds of cyber attackers
Cyber attackers work in a number of ways and are led to their position as attackers for a number of reasons. Understanding how an attacker may work and how they conduct their attacks can be the difference between defending against an attack and responding to a breach.
Operations Security (OPSEC) is the process of identifying confidential or sensitive information that an attacker may target and determining whether that information is at risk of being stolen, or an attack of being successfully carried out. The idea is to get into the mind of an attacker and think of your systems in the same way an attacker would when targeting or scoping them out. This can begin with finding employees to target via social media, or using a reconnaissance and intelligence-gathering process to scope out the organisation.
A good way of getting into the minds of cyber attackers is to search for previous breaches or well-known attacks and analyse how they were conducted, how successful they were and how the same techniques could be used against your own organisation. This is an opportunity to learn from past mistakes.
The past mistakes of other organisations are where an attacker may begin when searching for common vulnerabilities. They may search online for well-known and easy-to-exploit vulnerabilities, either to test their own skills or to target an organisation they wish to make an example of.
Planning and design
The planning and design phase of simulating attacks involves planning which attacks could be carried out, what the targets may be and what information could be lost or leaked as a result. This can be planned and organised around the systems and information used in the business.
An attacker would begin by scoping out the organisation, looking up its social media and performing passive information gathering to find publicly available information about the business. This is a worthwhile step for organisations to perform themselves, as it lets cyber security teams and top management understand what organisational information is available to the public.
Next, an attacker would attempt to scope out the systems and applications the organisation uses. This is usually done by examining the public-facing website or web application, initially passively, to learn which website headers are in use and what security policies are in place. Penetration testing web applications, either internally or through a third-party company such as Samurai, is a useful way of simulating this form of attack.
If an attacker gained entry to the organisation’s offices, they would attempt to find a guest network to log into, or try to impersonate another employee. This can be simulated by performing an in-depth vulnerability assessment on all networks and systems within the organisation, ensuring that every area an attacker could leverage is checked. For example, a guest network should have segmentation testing performed to ensure it is properly segmented from all organisational networks and that no sensitive information passes through it.
Physical penetration testing can also be carried out by employing a third-party business such as Samurai. The contracted company would send someone to attempt to gain access to confidential systems, either without any ID or with a fake ID. This simulates a real attacker attempting to gain access to systems or secure areas, tests the current policies for secure areas and the awareness of employees, and highlights whether any training is required.
Simulating an incident can be done using an internal cyber security team or a third-party cyber security company such as Samurai. The team conducts a full vulnerability test or penetration test on the agreed systems and then produces a report outlining all issues and vulnerabilities found, how much information could be accessed, and a set of instructions to remediate the vulnerabilities and risks.
An attack can be simulated against any system, secure area, device, application or network that requires testing. All vulnerabilities and risks are noted and explained in detail in a high-level technical report, accompanied by an easy-to-understand and concise management summary.
Where information security is concerned, any suspicious activity should be reported to the relevant teams or departments. As soon as a suspicious email is received, a breach is suspected or a suspicious flash drive is found, it should be reported to whoever deals with cyber security in the organisation.
Reporting incidents immediately is important, as it gives the lowest response time and allows the organisation to gather information about the breach sooner. That information can then be passed to the organisation’s DPO to be communicated to the ICO.
All organisations should have a policy and procedure for handling and reporting incidents, for example a cyber incident response plan or procedure, and a team, either internal or external, should be responsible for dealing with information security issues.
While reporting can mean reporting a breach, it also covers producing a written, legible and concise report on the issues found, which can then be forwarded to the relevant security team to be patched and reviewed. If reports aren’t written in a clear, easy-to-understand format that includes all relevant technical information, it is possible that the issues found won’t be patched properly.
Phishing attacks have a big impact on businesses, especially when they target employees who aren’t fully aware of the threat. We recommend conducting a yearly phishing campaign to ensure all employees who use or access email are aware of the risks and know how to spot a phishing attempt.
In a phishing campaign, fake phishing emails are released into the organisation and directed at employees. Anyone who follows the instructions or falls for the email is shown on the system used to run the campaign, and trends in which departments require more training become apparent. It is also useful to highlight which departments flagged the email as unsafe or followed the correct organisational procedure for phishing emails.
Once a phishing campaign is complete, a report details how many people fell for the emails, which departments they were in, and how much information would have been divulged had it been a real phishing attack.
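The per-department breakdown that the campaign report describes is straightforward to produce from the platform’s export. The script below is an added example, not Samurai’s reporting tool or code from the page; it assumes the campaign platform exports one outcome per recipient (reported, ignored, clicked, submitted), the recipient records are constructed sample data, and the 25% training threshold is an assumption chosen for illustration.

```python
"""
Aggregate simulated-phishing campaign results by department.

Added illustration, not Samurai's own tooling: assumes the campaign platform
exports one record per recipient with the outcome it observed. All records
below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Outcomes from best to worst; "reported" is the behaviour the campaign wants to see.
OUTCOMES = ("reported", "ignored", "clicked", "submitted")


@dataclass
class DepartmentStats:
    sent: int = 0
    counts: dict = field(default_factory=lambda: {o: 0 for o in OUTCOMES})

    def rate(self, outcome: str) -> float:
        return self.counts[outcome] / self.sent if self.sent else 0.0


# Constructed export: (recipient, department, outcome)
SAMPLE_EVENTS = [
    ("a.jones", "Finance", "clicked"),
    ("b.smith", "Finance", "submitted"),
    ("c.lee", "Finance", "reported"),
    ("d.khan", "Finance", "ignored"),
    ("e.ross", "IT", "reported"),
    ("f.wong", "IT", "reported"),
    ("g.dale", "IT", "ignored"),
    ("h.cole", "Sales", "clicked"),
    ("i.bell", "Sales", "clicked"),
    ("j.ford", "Sales", "submitted"),
    ("k.hart", "Sales", "ignored"),
    ("l.moss", "Sales", "ignored"),
]


def aggregate(events):
    """Count outcomes per department; reject outcomes the export should not contain."""
    stats = defaultdict(DepartmentStats)
    for _recipient, dept, outcome in events:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r}")
        s = stats[dept]
        s.sent += 1
        s.counts[outcome] += 1
    return dict(stats)


def needs_training(stats, fail_threshold=0.25):
    """Departments where the share of recipients who clicked or submitted
    credentials meets or exceeds fail_threshold (an assumed figure)."""
    return sorted(dept for dept, s in stats.items()
                  if s.rate("clicked") + s.rate("submitted") >= fail_threshold)


def exposure_summary(stats):
    """What a real attack would have gained: a submission counts as credentials
    divulged, and any click or submission as a device potentially exposed."""
    return {
        "credentials_divulged": sum(s.counts["submitted"] for s in stats.values()),
        "devices_exposed": sum(s.counts["clicked"] + s.counts["submitted"]
                               for s in stats.values()),
        "reported": sum(s.counts["reported"] for s in stats.values()),
    }


def report(events, fail_threshold=0.25):
    """Plain-text campaign summary, one line per department plus the training list."""
    stats = aggregate(events)
    lines = []
    for dept in sorted(stats):
        s = stats[dept]
        fail_rate = s.rate("clicked") + s.rate("submitted")
        lines.append(f"{dept}: sent={s.sent} clicked={s.counts['clicked']} "
                     f"submitted={s.counts['submitted']} reported={s.counts['reported']} "
                     f"fail_rate={fail_rate:.0%}")
    flagged = needs_training(stats, fail_threshold)
    lines.append(f"needs training: {', '.join(flagged) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
    print(exposure_summary(aggregate(SAMPLE_EVENTS)))
```

Counting who reported the email, not just who clicked, is deliberate: the paragraph above notes that departments following the correct procedure are worth highlighting, and a high report rate is the outcome the training is meant to produce.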
The organisational website and the internal network are two big areas of concern for businesses: if they go down, the business may not be able to run as intended and downtime could reduce profit.
Attackers target web applications and websites to deface them and damage the organisation’s image, or to reach confidential information. The internal network can also be targeted for holes or vulnerabilities that give access to sensitive or confidential files and data.
A vulnerability assessment or penetration test should be conducted on a schedule; once every 6 or 12 months would suffice. All new technology and systems should also be penetration tested before being put into place. A penetration test helps find vulnerabilities in the organisation’s networks, applications or systems and aids in resolving them quickly and efficiently, before an attacker can exploit them.
Social engineering is a method in which an attacker tries to trick or manipulate their target into divulging confidential or sensitive information. It is done in several ways, from impersonating a boss or colleague during a call or email, to wearing a high-vis vest and following an employee into a secure area while looking like they “belong”. Social engineering has many methods and a worryingly high success rate.
Social engineering attempts can be tested within the organisation. Just as a phishing campaign highlights weak areas where employees need training, employing a third-party organisation to conduct a physical penetration test can confirm that all policies and procedures for security-checking people walking around a building are being followed as expected.
Vishing is similar to phishing but is done exclusively by voice, either through a voice email or over the phone. Like a phishing attack, a vishing attack aims to manipulate the target into divulging sensitive information or browsing a malicious website. The attacker accomplishes this by appealing to the target’s empathy, or by making them believe they are a colleague, such as someone from the IT department or a boss.
Vishing can be tested in the organisation by employing a third-party company to try to gain access to your systems from the outside. They would impersonate someone in a position of authority, such as the CEO or the IT department, and would then provide a detailed report of how much access or information could have been leaked had it been a real attacker making the attempt.
Fake hacking is where a fabricated breach is staged in the organisation. Upper management and the cyber team would know about it beforehand and would take measures to ensure employees are directed towards the policies and procedures for responding to incidents.
Fake hacking is beneficial in the same way a fire drill is: it ensures employees are prepared and ready to act as required if a real attack were found or a breach really occurred.
Fake hacking could include a phishing campaign highlighting what information would have been leaked, or a real cyber team employed to carry out a system penetration test or simulated hack, with employees required to patch the vulnerabilities as they are found or to report the incident to a particular department. This allows upper management to gauge how cyber aware their employees currently are.
Simulating a hack, or conducting a “hacking simulator”, is where a cyber security team carries out a vulnerability assessment as if they were an attacker, attempting to log into segregated networks, access confidential files or breach the organisational network. Vulnerability assessments should be carried out at least yearly to ensure all systems are patched and no security holes are present.
Automated tools can be useful in a hacking simulator, helping to find known vulnerabilities, but they are no substitute for manual testing: an attacker uses tools together with knowledge of systems and experience with technologies and networks to find exploitable weaknesses in systems, networks and applications. Manual tools can be much more efficient than automated ones, as they are controlled by the user and directed at areas of interest to find vulnerabilities that may not have been reported yet.
We recommend simulating a hack in the organisation periodically, to ensure all employees are trained in basic cyber security awareness and are able to spot specific security threats.
There are many types of security threat that could turn into a security breach: a virus or malware found on the network, a data leak from a disgruntled employee, or a successful hack by an attacker on an organisational website. Breaches come in many forms and all require action to prevent further damage and to ensure the business doesn’t lose profit as a result.
We recommend putting multiple security controls in place to cover all areas that could be at risk of a breach. This reduces the chance of a fine and increases the confidence clients and customers have in your organisation.
A security breach can result in fines for the organisation if it isn’t handled correctly, or if the ICO isn’t notified within the required time period.
We recommend employing a DPO who can ensure the organisation remains compliant while maintaining a reliable point of contact with the ICO on cyber security matters such as a security breach.
Cyber Security Attacks
Cyber security attacks can come from many parts of an organisation, and each type of attack poses a different security threat. For example, the network could be vulnerable to an outside attacker who leverages a guest network on the premises that hasn’t been properly segregated and uses it to gain access to the organisational network, leaving data at risk of being stolen. Networks should have periodic penetration tests to ensure all security patches have been applied and no security holes are left unsecured.
Software and applications are sometimes left on an older version, or updates are put off. When this happens, a known security issue could be exploited by an attacker, especially if the software or application has an active internet connection.
Social engineering is another potential cause of a breach. Attackers may impersonate a person of authority, such as an engineer on site, a boss or even a colleague from another department, with the intention of getting the target to divulge sensitive information or allow the attacker into secure areas on site. In-person social engineering can be avoided by having strict access controls within the organisation, such as a key card or access pass to enter secure areas.
Phishing is something attackers use alongside social engineering. In a phishing attack, multiple emails or messages are sent to several targets, often thousands, in the hope that a few will open the email and follow the instructions. The emails can be spoofed to look like a real email from a service provider, bank or retailer. The attacker attempts to lead the target into divulging sensitive or confidential information, or login credentials. When businesses are targeted, the attacker often chooses someone in a position with high privileges, such as a board member or the CEO; while impersonating an employee, the attacker could try to get the target to send a payment or payment details, thinking they were speaking to a supplier or another employee.
Vishing is very similar to phishing but is carried out specifically over the phone or through voice emails. A vishing attempt is a voice phishing attack in which the attacker impersonates someone of authority, such as a boss or another department, just as in phishing, and then attempts to obtain sensitive or confidential information that can be used to gain access to the organisation or its network. The attacker may also attempt this several times against different members of staff in order to build a profile of information.
Malware is a type of malicious program or application that can be used to install further malicious software, or to monitor and take control of devices. If a machine is successfully targeted with malware it can become completely compromised and in turn infect the rest of the network. Attackers try to get their targets to download malware using phishing emails and social engineering attacks.
Modelling and Simulation / Breach & Attack Simulation
Cyber security modelling and simulation is the process of deciding which attack vector to take. For example, once a full-spectrum attack simulation has been planned, the organisation has been scoped and reconnaissance is complete, the cyber team would present the attacks most likely to succeed against the organisation and make a case to upper management for the areas of concern. This highlights the areas most likely to be targeted, what attacks may happen, how they may be conducted and which areas could be improved.
Another recommended practice for cyber security modelling and simulation is carrying out “what if” scenarios, such as “What if an attacker managed to compromise a system?”. These give the cyber team and employees a scenario in which to practise reacting to a system or application being targeted, or to data being leaked, and prepare the cyber team with a plan in the event that a cyber security attack against the organisation succeeds or is interrupted.
Data Breach Simulation
A data breach simulation is when a breach or information leak is simulated for employees. This allows the cyber incident response policy to be tested and improved, and is a prime opportunity to refer employees for basic cyber security awareness training where required.
A cyber security simulation could be a simple data breach in which the cyber team carries out a cyber security attack on its own systems. Whereas a phishing campaign targets employees, a data breach simulation is aimed at acquiring sensitive data through several avenues, such as social engineering, phishing or a planned, staged cyber-attack. Once the simulation has been carried out, the organisation can review how employees behaved: whether they acted as expected, reported within the specified time frames and to the appropriate departments, and supplied the information required by your organisational data breach response procedure.
This can be carried out either by an internal cyber security team or by an external third-party company such as Samurai, which will provide a full, detailed report on the cyber security simulation.
Risk Management Methodology
A cyber security risk management methodology is the set of methods or rules used to identify and assess the cyber security risks in an organisation. Once risks are identified, they are communicated to upper management and the cyber team, and steps are put in place to reduce or avoid them.
The cyber team works closely with each area of the organisation to ensure all risks are identified, and a risk management procedure should be adopted for each scenario. For example, if a breach occurs, the cyber department should be notified with a report detailing which areas were targeted and what information was lost or stolen. This report can be handed to cyber security teams, top management and any other relevant departments, who will help ensure the breach is responded to as expected.
The cyber security risk management methodology should also cover what happens post-incident. If an incident occurs, the department(s) affected should be assessed and relevant training offered where required.