Viruses, data breaches, and hacking can result in more than just financial loss—they can jeopardize decades-long relationships and cause irreparable reputational damage.
As cyberattacks continue to grow in frequency and sophistication, organizations need effective ways to prevent breaches and safeguard their most sensitive data. One proven method is to undergo a penetration assessment tailored to their specific needs, one that tests their particular combination of systems, controls, and processes.
Before a genuine attack occurs, a red team assessment, in which cybersecurity professionals approach your organization from an attacker's viewpoint, can help management identify weaknesses and build confidence in the organization's ability to protect its most valuable assets. Unlike a conventional penetration test, which aims to enumerate vulnerabilities within a defined scope, a red team assessment pursues a specific objective (for example, reaching a particular data set) and measures whether your people and processes detect and respond to the attempt along the way.
Background
The world's leading information technology research and advisory company, Gartner, forecast in December 2017 that worldwide security spending would reach $96 billion in 2018. At the same time, regulators at the state and national levels are creating new laws and standards to protect customer data and other sensitive information.
With those laws, regulators have started asking hard questions about vulnerabilities to data breaches, cybersecurity risks, and hacking—which organizations will need to answer to remain compliant.
While the red team concept originated outside cybersecurity, in military exercises, the practice of having a team of mock attackers infiltrate an organization's systems in a simulated breach has become an accepted way to analyze and address weaknesses in internal controls. Commonly grouped under the term offensive security, the red team assessment is also an effective way to demonstrate compliance with developing regulations.
Addressing Regulator Demands
Increasingly, regulatory bodies and industry associations are focusing their efforts on protecting sensitive data through creating and enforcing information security and privacy laws.
Many industries are subject to multiple regulators, making it challenging to stay current with ongoing changes that are based on varying requirements. A hospital, for example, is likely subject to all of the following regulators, each with specific criteria for cyberthreat management:
- Centers for Medicare & Medicaid Services, commonly referred to as CMS
- Office of the National Coordinator for Health Information Technology, or ONC
- US Department of Health and Human Services, often referred to as HHS
This list doesn't include the state in which the hospital is located, which will have its own data protection and breach notification laws.
In order to address regulator demands, leaders should consider testing their cyberthreat resiliency using real-world scenarios and simulations.
Testing Your System
The best way for a business to be certain that its people, processes, and systems can withstand a cyberattack is to invite the attack in a controlled environment. This type of undertaking carries some risk, but significantly less than a genuine incident in which data is stolen or held for ransom.
In the controlled environment, you decide what you want to test: people, processes, systems—or all three. A scalable cybersecurity red team assessment is created based on what you want to assess and the data or systems you want targeted.
A test of overall incident response capabilities provides compliance evidence for regulators and learning opportunities for business-process owners. Running several attack methods at once, including phishing, phone-based impersonation and other social engineering, and physical site intrusion, lets the organization gauge its ability to detect, respond to, and manage a threat.
For the simulation to be useful in preventing future threats, the modeled attacks must use the most current, pervasive, and successful hacking methods.
The Process
Penetration testing is suited to any business that wants to assess its vulnerability before experiencing a breach. The exercise also lets the consultants review the organization's incident response procedures and give management evidence of how long systems and personnel took to detect and respond to the simulated breach, and of what steps were taken to detect, respond to, and recover from the attack.
Tests will address a series of questions, including the following:
- Is the sensitive data we collect exposed to hostile or unauthorized parties?
- Do our people have the training and skills to prevent a social engineering attack or the introduction of a virus into our system?
- Are the proper processes and procedures in place to prevent unauthorized personnel from accessing our physical site or sites?
- Can we verify to regulators that we have undergone rigorous testing to reduce the likelihood of penetration and loss?
The Rewards
After the red team assessment, you’ll receive a report of the results with the following information:
- A thorough description of the steps taken to test your organization
- A comprehensive list of the vulnerabilities found
- Recommendations for improvement of technical, procedural, and policy measures, as appropriate
- A clearer understanding of your environment
- New techniques and insights for security awareness training
Penetration testing can also help determine the feasibility and business impact of an attack, which could result from any of the following factors:
- Improper system configuration
- Hardware flaws
- Software flaws
- Operational process weaknesses
The Risks
Under no circumstances should a red team assessment be performed by anyone but a trusted advisor. If you wouldn’t ordinarily trust them with access to your sensitive data, you should seek an alternative method for assessing the strength of your controls.
There’s also the risk that conducting a red team assessment will uncover significant gaps in your cybersecurity protocols, which you may then be obligated to address both quickly and comprehensively.
The rub is that without the testing, you can’t identify the gaps.
Phishing for a Financial Institution
As part of a full security assessment, ABC Bank (name withheld), which is subject to the regulations of the Federal Reserve and the Federal Deposit Insurance Corporation, among others, underwent a red team assessment. The bank received a thorough and customized external vulnerability assessment, penetration test, and social engineering assessment, with the goal of validating the effectiveness of its cybersecurity controls and incident response procedures.
The approach included reconnaissance of the bank's digital footprint, a combination of spear phishing and CEO-fraud emails (messages impersonating an executive, often called whaling), physical access to bank sites, and phone calls aimed at obtaining sensitive data. The scenario simulated an attacker who already had knowledge of the organization.
Combining multiple threat vectors reflects the fact that real intrusions rarely rely on a single method, and it gives a more complete picture of how well the organization detects each stage of an attack.
The Results
During the testing, the red team gained entry to a branch location and connected an inconspicuous device to the internal network. The device gave the testers remote access to that network over the internet, bypassing the bank's perimeter firewalls and intrusion prevention systems. However, the bank's detective controls identified the device before any unauthorized data access occurred, and the bank's incident response process cut off the testers' access before they could establish a persistent foothold.
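The article does not say which detective control caught the device. One common layer that would, as an added example that is not part of the original article and does not describe the bank's actual controls, is to compare every DHCP lease the branch server grants against the asset inventory and alert on any MAC address the inventory does not know. The log lines (ISC dhcpd syslog format) and the inventory below are constructed for the example; the hostnames, addresses, and the BR07 branch are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample syslog lines in ISC dhcpd format (not the bank's logs).
# Line 3 is a hypothetical drop box (Raspberry Pi OUI, default hostname);
# line 4 is an unknown MAC claiming an inventoried hostname;
# line 5 is a known device that simply sent no hostname.
SAMPLE_DHCP_LOG = """\
Mar 14 09:02:11 br-dhcp dhcpd: DHCPACK on 10.20.5.31 to 3c:52:82:aa:01:10 (BR07-TELLER-02) via eth0
Mar 14 09:03:40 br-dhcp dhcpd: DHCPACK on 10.20.5.32 to 3c:52:82:aa:01:11 (BR07-TELLER-03) via eth0
Mar 14 09:15:02 br-dhcp dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:4f:9c:21 (raspberrypi) via eth0
Mar 14 09:16:55 br-dhcp dhcpd: DHCPACK on 10.20.5.78 to 00:11:22:33:44:55 (BR07-TELLER-02) via eth0
Mar 14 09:20:13 br-dhcp dhcpd: DHCPACK on 10.20.5.33 to 3c:52:82:aa:01:12 via eth0
"""

# Hypothetical asset inventory for the branch: hostname -> MAC recorded at provisioning.
INVENTORY = {
    "BR07-TELLER-02": "3c:52:82:aa:01:10",
    "BR07-TELLER-03": "3c:52:82:aa:01:11",
    "BR07-PRINTER-01": "3c:52:82:aa:01:12",
}

# DHCPACK lines carry the granted IP, the client MAC, an optional hostname, and the interface.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: Optional[str]
    reason: str


def parse_dhcp_acks(log_text: str) -> Iterator[Tuple[str, str, Optional[str], str]]:
    """Yield (ip, mac, hostname, interface) for each DHCPACK line; other lines are skipped."""
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host"), m.group("iface")


def find_rogue_devices(log_text: str, inventory: dict) -> List[Finding]:
    """Flag leases granted to MACs absent from the inventory.

    A lease whose MAC is unknown but whose hostname matches an inventoried
    device is reported with a distinct reason: it looks like an attempt to blend in.
    """
    known_macs = {mac.lower() for mac in inventory.values()}
    findings = []
    for ip, mac, host, _iface in parse_dhcp_acks(log_text):
        if mac in known_macs:
            continue  # inventoried device; a missing hostname alone is not suspicious
        if host in inventory:
            reason = f"hostname {host} claimed by unknown MAC (inventory has {inventory[host]})"
        else:
            reason = "MAC not in asset inventory"
        findings.append(Finding(ip, mac, host, reason))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_DHCP_LOG, INVENTORY):
        print(f"{f.ip:<12} {f.mac}  {f.hostname or '-':<16} {f.reason}")
```

Run against the sample log, the check reports the Raspberry Pi and the device impersonating BR07-TELLER-02, and stays quiet about the printer that sent no hostname. A drop box configured with a static IP, or one that spoofs an inventoried MAC, never appears in these logs, so this check is one layer, not a complete control: pair it with port-based access control (802.1X or switch port security) to keep unknown devices off the network in the first place, and with outbound traffic monitoring to catch the device's callback channel to the internet.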
Following the assessment, the red team providers supplied a detailed report to senior management, the board of directors, and regulatory bodies, addressing the following points:
- Assumptions about the bank’s organization and controls
- The technical process used to develop the approach
- The attack methods and results
- The responsiveness of the bank’s controls and processes
The report provided evidence of the bank’s ability to detect, respond to, and recover from an advanced malicious attack. It also provided clear, actionable recommendations for improving the bank’s security posture and processes.
For more information on improving your cybersecurity strategy, see our Insight about improving cybersecurity and protecting your organization.
Get Only What You Need
Service options work best when they're scalable or specific to your business. A full security assessment isn't right for every organization; budget constraints, or a need to establish confidence in a new or updated business process, are among the many reasons an organization might choose a narrower engagement.
In these circumstances, your organization may instead benefit from an offensive security assessment such as:
- Internal or external vulnerability assessment
- Internal or external penetration testing
- Social engineering assessment, including:
  - Spear phishing campaign
  - CEO fraud, or whaling, campaign
  - Fraudulent phone calls, or vishing
  - Walk-in assessment
- Targeted denial-of-service, referred to as DoS
- Web application penetration testing
Next Steps
Whether you’re responding to demands from a regulatory body, board of directors, or other stakeholders, you have options for establishing confidence that your people, processes, and systems are able to protect your most sensitive assets in the face of a genuine threat.
We’re Here to Help
For more information about assessing and testing your cybersecurity resilience, contact your Moss Adams professional.