Simon Saunders, managing consultant, Portcullis Computer Security
The types of security programmes run by financial institutions to date have delivered a certain amount of assurance, but they are not providing protection against the most sophisticated of attacks.
There are multiple reasons for this and it is not possible to cite any one particular failing as being solely responsible. It is important to understand that assurance programmes do currently, and will continue to, deliver significant value. However, there is also the need to do more if there is an aspiration to better protect against the most sophisticated threats.
Before proposing a solution, it makes sense to first highlight what a typical assurance programme fails to cover.
Risk reviews and security testing tend to be conducted as part of project go-live and at periodic intervals thereafter, e.g. annually, for the highest priority systems. Security testing is heavily reliant on highlighting known issues and the results are only relevant to the system in the present configuration. The changes made to the system over time, and the challenge of keeping up to date with patching, mean that the historical view of system security may be steadily made less relevant. Effectively, corporate perception of system security may be out of sync with reality.
Systems tend to be put forward for security testing in a relatively isolated state; the interconnections with other systems may be overlooked, the wider infrastructure is often considered trusted, legacy components assumed secure and users assumed not to significantly undermine security. As such, security testing can be performed without context and whilst the security of a particular system may be understood, its posture in its normal operating environment is less clear. Some of the responsibility for this sits with the security testing community for not challenging clients enough on test scope. There are also the commercial and practical realities; there will always be scope boundaries and the need to control cost and time. There is also the need to reflect on how the security programmes of many organisations have become driven by the need to comply with an internal standard which addresses a generic set of threats, rather than by threats to a particular system and the data thereof.
Risk acceptance is a key component of the modern landscape. There will always be risks that are accepted for purist reasons (those that pose an acceptable risk to the business) and for reasons of circumstance (those issues that are accepted because there is not the time or money available to fix them). However, these acceptances quickly grow into hundreds and thousands across the estate of a large multinational and it is really hard to map the connections between them. Some of the most sophisticated attacks leverage a lot of low and medium level issues to create a greater, ‘perfect storm’, attack.
Having recognised that the traditional approach to information assurance doesn’t cover all bases and that weaknesses remain which could be exploited by a sophisticated attacker, the question is ‘what next’?
Intelligence-led testing, as recently highlighted by the Bank of England under its CBEST scheme, has some of the answers. The process starts by using current intelligence (as in the military intelligence sense of the word) to understand what may be targeted by whom, how and why. This intelligence is then used to shape further assurance work on the live production network where there is an opportunity to have the security testing company test those assets that are at greatest risk using the same techniques as a would-be attacker.
This overcomes the limitations regarding historical risk reviews not being current, reviewing systems out of context, limited scopes and highlighting the consequences of risk acceptance and a wide range of other deficiencies.
The aspiration is ultimately to help organisations get one step ahead of the attackers and shut down those opportunities for compromise before they occur.
As part of the intelligence-led testing, there is also an opportunity to evaluate the effectiveness of corporate defences. These are often not exercised as part of a security test because, ultimately, they can only make a situation better. However, decisions do get made about the effectiveness of both technological and human measures in terms of their ability to identify and intercept attacks. As part of running intelligence-led testing, there is a chance to test the performance of these measures.
While the traditional approach to information assurance and penetration testing programmes does have its limitations, it needs to remain part of corporate culture. It covers a wide range of threats in a practical way and to move away from such an approach would be to the detriment of security. However, in recognising the limitations of this approach and filling these gaps with intelligence led testing there is an opportunity to better protect against the more sophisticated threats.