At Digital Interruption we’re passionate about data and passionate about security. As well as offering the usual services you’d expect from a security company, like penetration testing and vulnerability scanning, we also work with companies to help them embed security into the core of their business. We work to advise and empower companies, embedding the skills they need to secure themselves through our training and compliance services.
We believe that security is fundamental to development and should be available to everyone, not just those that can afford the hefty prices charged by many security consultancies. This is why we have tailored parts of our services to start-ups and SMEs. We also regularly talk at local meetups, events and conferences to offer advice on security and privacy, and release free blogs and white papers.
In this blog we will suggest some ways you can embed security into your organisation. Depending on the size of your business, some of these solutions may still need some element of outside support; however, it should be a good starting point and will signpost lots of free resources you can use to learn more about taking security into your own hands.
Compliance frameworks such as PCI DSS, SOX and HIPAA are a great starting point. These frameworks clearly set out what you need to do to secure applications and networks and are freely available. However, they can be very specific and only relate to a specific use of data. In the case of PCI DSS, the framework was specifically introduced as a method of maintaining a high security standard amongst organisations handling credit card data to minimise fraud. It’s in the interest of the payment card companies to enforce these standards as they, not the individual cardholder, are liable to cover the cost of fraud.
One of the primary advantages of these frameworks is that they provide a methodology you can follow to ensure compliance. This can be useful for organisations looking to gain confidence in the standard of their own security.
Legislation and regulations
For organisations handling personal data there are regulatory and legal requirements, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, that will drive the nature of your security policy. These give little to no information as to how to go about securing data and your business. They also don’t cover anything to do with non-personal data, so they don’t help with anything that is business sensitive but doesn’t relate to an individual.
What they do, however, is set out what should be secured and the implications of not securing it. Though much of the language will be along the lines of taking reasonable measures based on your own assessment of the risk, you can cross-reference against the compliance framework that best fits your business need to get a steer on what that reasonable measure might be.
Accreditation and certification
To demonstrate security you may want to look at certification or accreditation. The most common of these are Cyber Essentials and Cyber Essentials Plus, and ISO 27001/ISO 27017. Cyber Essentials is a UK government information assurance scheme operated by the NCSC that encourages organisations to adopt good practice in information security. It includes an assurance framework and a simple set of security controls to protect data. ISO/IEC 27001 specifies an information security management system that is intended to bring information security under management control; it sets out specific requirements and requires an audit.
Accreditation and certification can give both your business and your customers a level of assurance that you are operating good practice in information security. An accreditation by itself does not mean you’ll be secure, but it can be used as a guideline on how to get there. Depending on the size of your organisation you may require some advice and guidance from consultants to help with this.
Standards and guidance
Organisations like NIST, NCSC, ICO and OWASP have lots of information, standards and guidance on security and how to keep your organisation secure, so they are worth having on your radar. Don’t make the mistake of thinking OWASP is just a testing methodology: the OWASP website has loads of helpful information, including the OWASP Guide Project, which has guides on areas including building secure web applications and web services, testing and code review.
Do bear in mind though that many of these are complex and lengthy technical documents, so they can be confusing if you don’t have a background in security engineering. However, if you have those skills available internally or have the time to learn, you should be able to find much of the information you need. You can always look outside for support in digesting and implementing solutions if needed.
Scan your apps
It’s important to understand the security of the applications you deploy. There are many free or low-cost security testing products that you can bring in-house, where you have the expertise available. You can run your own web application vulnerability scans using tools like Zap Proxy (free) and Burp Suite Pro (commercial licence). OpenVAS is a free and open-source tool that you can use for infrastructure scanning, and where you’re deploying mobile applications for iOS and Android, free tools such as MobSF are available.
A vulnerability scan will detect known vulnerabilities and, other than the initial configuration, requires very little user interaction. You may need some training on configuring the tools for your environment to get the right coverage, and those configurations may also need testing to make sure they are giving you the results you need. You will also need to be able to understand the results of the scan and understand how to fix the vulnerabilities. If you don’t currently have the skills in-house to do this, it may be worth investing in training developers and software testers to take on this role.
If you have a slightly stronger skill level in-house you could also run your own vulnerability assessments. These differ from vulnerability scans in that they are more manual and require some amount of security expertise. In a vulnerability assessment, a tester will look for as many security vulnerabilities as possible in a given application or network and report them ranked by severity. Of course, the assessment is only useful if the results are used to fix the identified vulnerabilities. Applications should always be retested following fixes to make sure each vulnerability has been correctly mitigated.
Hack your apps
A penetration test (also known as a pen test) is often confused with a vulnerability assessment. However, a vulnerability assessment will often be conducted as part of a penetration test. A big difference is that a good penetration tester will focus on vulnerabilities that can be exploited and look to chain vulnerabilities together into an attack scenario. For example, a penetration test may demonstrate that it is possible, using multiple vulnerabilities in sequence, to gain access to a database and recover user passwords. Alternatively, it may show that it is possible to obtain Domain Admin access by compromising multiple hosts on the network.
We would always recommend getting a professional to do a penetration test. They are complicated and require a wide understanding of different technologies, security knowledge and experience. A lack of understanding could result in critical infrastructure being brought down. They are also legally constrained, so without the right permissions you could end up doing something illegal.
Learn from the professionals
Consider getting specialists in to work with your teams to train them on things like secure coding, implementing security tools and identifying vulnerabilities. You could bring security specialists in on an ad hoc basis to talk to your teams, especially when kicking off a new project, or, if you have them, utilise specialists you have in-house.
Involve developers and testers in risk assessments and Data Protection Impact Assessments (DPIAs). If they fully understand what it is that they are developing and the risk of not doing this securely, security will become embedded into the development as they will be buying in to the security of their own products. The final sign-off of DPIAs should still sit with the Data Protection Officer (DPO) or Lead, but the comments and changes the DPO makes can be fed back to the team. Involving the DPO in the development pipeline can also impart further skills and knowledge to the development team.
Pair programming is an agile software development technique in which two programmers work together at one workstation. One, the driver, writes code while the other, the observer or navigator, reviews each line of code as it is typed in. If you already use this methodology, or are interested in introducing it, you could consider inviting a security specialist in to sit in the pairs. The specialist could replace the observing developer to review the code from a security perspective. They could then move to another pair on a rotation. This will help to embed security into the code as it is being developed and further encourage developers to buy in to the security of their own products.
Empower your teams
Give your teams time to learn security from specialists in the community. Send them to security conferences; many of these are free or, if not, incredibly affordable. The Security BSides conferences are locally run conferences that are usually free, though sometimes they charge around £15 per delegate, and they are hosted all over the world. The UK hosts BSides conferences in London, Manchester, Leeds and Belfast. There is also Steelcon in Sheffield (around £15) and 44Con in London (around £300). There are also the AppSec conferences run by OWASP (between £100 and £2500 depending on ticket type), the DEFCON conferences (around $300) and Black Hat (around $3000). Most of these conferences video the talks. This is by no means an exhaustive list, but again, a good starting point.
Allow time for self-study and research using resources such as OWASP, projects on GitHub, tutorials on YouTube and websites like samsclass, and free vendor research and training. Many vendors, including Digital Interruption, have technical blogs and whitepapers that are free and very useful. If you’ve had penetration tests in the past, open the reports up for developers and testers to read through, familiarise themselves with the content and ask questions.
Encourage your teams to follow security specialists on Twitter and encourage them to attend community security groups such as the Manchester Grey Hats, the DC Groups and OWASP Chapters. Offer them time back in lieu if they are attending evening events, as this will increase the chance of them attending and increase the range of skills they bring back, which can really benefit your business.
Consider supporting or sponsoring these events, or hosting them in your business offices and headquarters. This will give you and your teams the opportunity not only to network with security professionals and aspiring security professionals, but will also create an opportunity to recruit security talent. You could also approach community groups to give talks to your teams on specific areas.
Above all, if you have people in your organisation who are interested in security, take the time to foster this. The skills they learn will be an asset to your business.
Hopefully some of these suggestions will be useful. If you would like to speak to us about any of our services, or for advice on the best solutions for you and your business, please feel free to contact us.