I believe most information security professionals now recognise that supporting enterprise innovation and transformation involves actively encouraging change while ensuring that new technologies are safe and fit for purpose. This is obviously preferable to the old-school response of saying ‘no’ and being ignored or side-lined. Taking this to the next level, the most innovative security folk are actively looking for new security practices that can add real value to the business.
One client recently engaged us to conduct a red team exercise, a process that involves completely re-imagining the traditional penetration test and vulnerability analysis. Rather than examining individual components of the security model (technology, policies and procedures) in isolation, a red team exercise simulates a real criminal attack under controlled conditions. These tests mimic the real-world targeted attacks that businesses face on a daily basis. Red teaming is a goal-based engagement that demonstrates the true business impact of a breach. What was truly innovative in this example was how our client took the results of the exercise and created an engaging, story-based presentation, delivered to all levels of the business world-wide. The result was an awareness campaign that staff talked about with enthusiasm and recommended to their peers, strengthening the organisation’s security profile in its most vulnerable area – people.
We started with a threat and risk analysis, personalised to the business, to identify real-world attackers, their motivation, their skills and likely avenues of attack. The results of this exercise were used to devise several attack scenarios that staff would recognise as real and pertinent to their company.
Each scenario started with an information gathering and reconnaissance phase that identified potential weaknesses in physical premises, staff members and Internet-facing technology. Next, legitimate usernames and passwords were harvested through a sophisticated spear phishing campaign and subsequently tested for validity using the organisation’s Outlook Web Access service. Further information was also obtained from emails, calendars and address books using these compromised accounts.
The stolen credentials were then deployed in an on-premises attack. The testers gained physical access to the client’s network through a combination of impersonation and telephone pretexting, and were able to steal information and to demonstrate persistent remote access through technical exploits.
Another on-premises attack was conducted in parallel to demonstrate weaknesses in visitor control and desktop security. A tester posing as a visitor with ‘tummy trouble’ was allowed several unsupervised bathroom visits, during which proof-of-concept malware infections and data theft were carried out.
As a result of the world-wide series of presentations based on this exercise, the organisation has raised the bar on that most difficult of security controls – the human firewall. Security awareness at all levels has increased significantly and staff members are becoming security evangelists in their own right. More red team exercises are planned, to build on this exciting precedent and to provide more engaging stories to continue the education of everyone in the organisation.
Hear more from Peter on Security as a business enabler, recorded at Infosecurity Europe 2014: