Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1214913
24 | 28TH FEBRUARY - 5TH MARCH 2020 | UTILITY WEEK
Operations & Assets

...the attackers we are likely to be defending against, whether that be 'script-kiddies' or nation states," explains Dr Duncan Hodges, a senior lecturer in cyber operations at the university.

Ethical hacking is now mainstream, although it took a while for the utility sector to fully embrace the concept. This is perhaps due to political reasons, the absence until more recently of any real compliance stick to justify investments, and a reluctance to lay bare any security holes, experts speculate, amid concerns that weaknesses in systems reflect badly on those in charge.

"There's normally a bit of resistance because people feel you're attacking them. But attitudes are changing as people become more aware of the threats and more stories hit the news," says Victor Acin of Barcelona-based cyber intelligence provider Blueliv.

Organisations are right to have some concerns. Ethical hacking brings risks of disruption, especially if it takes place in a live environment, Mosca warns. "Any tests need to be scoped and executed carefully by certified specialists to avoid disruption to networks, systems and the service. All risks need to be identified, and appropriate mitigations put in place to ensure that the business does not suffer any impact in the quest to increase security defences."

If the risks of testing in a live environment are too great, especially where there could be safety implications, testing should be carried out in a replicated virtualised or offline test environment, or use alternative non-intrusive methods such as health check assessments against best practice standards and frameworks, Mosca adds.

"Some organisations will attempt to reduce the risk during the engagement by defining the scope of the assessment to not include business-critical systems. This obviously reduces the realism of the engagement and the attacks then become a less useful identifier of potential vulnerabilities," Hodges warns.

Realistically though, the focus of an ethical hacker's attention will often be dictated by the defined scope of a project or be limited by a timeframe – unlike real hackers who can devote as much time as they want to breaking into your systems. "That's why it's so important to monitor changes to your infrastructure," warns Acin. "It has to be an ongoing thing."

Perhaps not surprisingly, the costs associated with these types of projects can be eye-wateringly high. "It depends on the size of the organisation and how many sites they operate, but generally speaking you might spend around the £40,000 to £50,000 mark for an assessment that gives them a real-world attack scenario," Young says.

Success boils down to approaching the ethical hacking exercise in the most intelligent way, says Cranfield University's Hodges. "The organisation must be mature enough to both work constructively with the penetration tester and engage with the results from the activity to generate real benefit." That involves critical evaluation of the results to identify potentially systemic issues, whether that be in training, recruitment, software development or security practice.

Network audits are meaningless unless companies learn how to proactively patch the identified or known vulnerabilities in their network, Hodges warns. "You solve nothing if you hire ethical hackers just to dismiss their concerns. This is something we see all too often in this community. Ethical hackers will report and corporations will ignore the threat."

"Remember that ethical hacking will only expose risk – it will not fix vulnerabilities," agrees Adam Brown, senior security manager at Synopsys. "Ethical hacking can only expose around 50 per cent of risks because 50 per cent of these come from flaws in design that hacking is not best placed to find. Use it as part of a process to discover risk and have a process to fix findings."

Experts also warn that ethical hacking must be used in the context of continuous security improvement, as opposed to a one-off event. Unless the outcomes from security testing regimes are integrated with risk treatment practices, any vulnerabilities you identify may not be quickly tracked through to remediation or, even worse, those vulnerabilities may be exploited by a real attacker.

"Whether it's patching across your estate, or making sure passwords are not weak and that people aren't sharing them – good security is a chain of events. You've got to make the bad guys really work for it by having good policies and procedures. But doing that at scale isn't easy," says Ed Williams, a 15-year veteran of the ethical hacking world who heads up SpiderLabs, the penetration testing arm of managed security services provider Trustwave.

Ethical hacking is very much the sexy side of digital security, but it is only effective if you get the basics right with simple "cyber-hygiene". "A more holistic approach to cyber-security needs to be adopted, such

Analysis: 10 steps to ethical hacking success

1. Work with the ethical hacking team to permit as large a scope as possible. This will ensure that the engagement is as realistic as possible.
2. No single element of a security process should be viewed as a silver bullet; it's about doing everything from the boring (asset registers and password strategies) through to the cool and sexy like penetration testing.
3. A successful penetration test/red team exercise does not end after the test has been completed. To deliver value, your business must assess the impact of any issues found and action the recommendations.
4. Know your objectives. Are there particular concerning threats you would want addressed? Are you looking to improve the security of a particular system or the overall network?
5. Make sure you think a system is secure before spending time on a test so you don't waste time testing issues you already know exist.
6. Ensure the right people are conducting the test, those with the necessary technical skill set and qualifications (for example, CREST-Approved or an NCSC Certified Professional).
7. Listen to your hackers and researchers. They are the experts. You solve nothing if you hire ethical hackers just to ignore the threats and dismiss their concerns.
8. Any change in infrastructure should include cyber-security testing to ensure that change does not increase the company's vulnerability to a cyber-attack.
9. Tailor the scope of testing over time to focus on recurring problems, critical parts of the business, any high-risk systems and all external interfaces.
10. Remember, this is not a one-off exercise.

"Hackers will even scatter memory sticks in a client's carpark in the hope that they'll be used by staff and subsequently transmit viruses."