What is a penetration test?

Penetration testing simulates an attack by a malicious party, using tools and manual investigation to identify weaknesses and then exploiting the vulnerabilities found to gain further access. The result is an understanding of whether an attacker could gain access to confidential information or affect the integrity of data or the availability of a service, and what the impact of doing so would be.

What do you get?

This approach looks at the depth and impact of a potential attack, whereas a security assessment looks for broader coverage. It is great for understanding how far a single vulnerability can be pushed, but the narrow focus can miss other vulnerabilities that a security assessment would have identified. The level of assurance gained depends directly on the ability of the tester, the scope of the engagement and the time and effort allocated.

For more information on security testing, see our blog here and download our cheat sheet here.

What is a security assessment?

A security assessment builds upon a vulnerability assessment by adding manual verification of the results to confirm the level of exposure. It does not, however, include the use of exploitation code to gain further access to systems.

What do you get?

A security assessment aims for broad coverage of the systems under test but does not explore the depth of exposure to which a specific vulnerability could lead. False positives are excluded through manual analysis of the results. Security assessments are great for exposing business logic flaws and identifying security vulnerabilities that automated tools are unable to find, which leads to a higher level of assurance. However, a security assessment takes more time and effort than vulnerability scanning or a vulnerability assessment, and requires a higher level of technical skill to deliver.


What is a vulnerability assessment?

A vulnerability assessment takes a vulnerability scan a step further by using a security tester's knowledge to drive appropriate use of automated tools and test scripts.

What do you get?

The report should be written manually, placing the findings in the context of the environment under test: for example, removing common false positives and assigning a risk level to each finding so that the business understands its significance. This is great for increasing the level of assurance gained from automated testing while still keeping costs low.


What is a vulnerability scan?

A vulnerability scan uses automated tools to identify known security issues by matching observed conditions (software versions, banners, configuration settings) against a database of known vulnerabilities.

What do you get?

The tool sets the risk level for each result automatically, and no manual verification or interpretation takes place before the report is issued. This is great for identifying known technical vulnerabilities at low financial cost. However, it generates a high proportion of false positives and misses certain classes of issue, such as business logic flaws, which limits the overall level of assurance gained.


Creating a Strong SNMP Community String

To ensure that an attacker does not gain read or privileged (read-write) access to your devices via a poorly configured SNMP community string (the vendor defaults of public and private are the first strings an attacker will try), we recommend the following steps. Note that SNMPv1 and SNMPv2c send the community string in cleartext on the wire, so a strong string protects against guessing but not against interception; where the device supports it, use SNMPv3 with authentication and encryption.

Follow guidance similar to mainstream password guidance:

• Use both upper and lower case

• Include one or more numerical digits

• Use special characters, e.g. @, #, $ etc.

• Prohibit use of words found in a dictionary

• Disallow passwords matching the format of calendar dates, license plate numbers, telephone numbers, or other common numbers

• Prohibit use of the company name or an abbreviation of it
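The bullet list above, turned into a checker and a generator. This is an added example, not code from the original page: it reports which of the listed rules a candidate community string breaks, then draws random strings from a CSPRNG until one passes every rule. The sample word list, the example company names (Example Ltd / ExLtd), the 12-character minimum, the rejection of vendor defaults such as public and private, and the regular expressions used for dates, telephone-like numbers and UK-style registration plates are all assumptions made for illustration; a real deployment would load a full dictionary and its own organisation names.

```python
"""Checker and generator for SNMP community strings.

Added example, not code from the original page: it applies the password-style
rules listed above to a candidate community string and reports which rules
it fails, then generates a random string that passes them. The word list,
company names, minimum length and number patterns below are assumptions
made for illustration.
"""
import re
import secrets
import string

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_DICTIONARY = {
    "public", "private", "secret", "password", "network", "router",
    "switch", "admin", "monitor", "community", "snmp",
}
# Vendor defaults that scanners and attackers try first (an assumption added
# to the page's list: the most common poor configuration in practice).
DEFAULT_COMMUNITIES = {"public", "private", "manager", "community"}
# Constructed example organisation name and abbreviation.
COMPANY_NAMES = {"Example Ltd", "ExLtd"}

SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")
# Dates such as 04/11/2015, 2015-11-04 or 20151104 (layouts are assumptions).
DATE_RE = re.compile(
    r"\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}"
    r"|\d{4}[-/.]\d{1,2}[-/.]\d{1,2}"
    r"|(?:19|20)\d{2}[01]\d[0-3]\d"
)
# Telephone-like runs: seven or more digits with optional spaces or dashes.
PHONE_RE = re.compile(r"(?:\d[ -]?){7,}")
# UK-style vehicle registration, e.g. SK15 ABC.
PLATE_RE = re.compile(r"\b[A-Z]{2}\d{2} ?[A-Z]{3}\b", re.IGNORECASE)


def _compact(text):
    """Lower-case and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_community_string(candidate, dictionary=SAMPLE_DICTIONARY,
                           company_names=COMPANY_NAMES, min_length=12):
    """Return the list of rules the candidate breaks; empty means it passes."""
    failures = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if lowered in DEFAULT_COMMUNITIES:
        failures.append("vendor default community string")
    if not (any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)):
        failures.append("needs both upper and lower case")
    if not any(c.isdigit() for c in candidate):
        failures.append("needs at least one digit")
    if not SPECIAL_RE.search(candidate):
        failures.append("needs at least one special character")
    # Dictionary words: test each alphabetic run of four or more letters.
    if any(run in dictionary for run in re.findall(r"[a-z]{4,}", lowered)):
        failures.append("contains a dictionary word")
    if DATE_RE.search(candidate) or PHONE_RE.search(candidate):
        failures.append("contains a date or telephone-like number")
    if PLATE_RE.search(candidate):
        failures.append("looks like a vehicle registration plate")
    compact = _compact(candidate)
    if any(_compact(name) in compact for name in company_names):
        failures.append("contains the company name or abbreviation")
    return failures


def generate_community_string(length=20):
    """Draw random strings from a CSPRNG until one satisfies every rule."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_community_string(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("public", "Monitor2015-11-04!", "ExLtd-Router2015!",
                   "Xr7!vQ2#mLp9"):
        print(f"{sample!r}: {check_community_string(sample) or 'OK'}")
    print("generated:", generate_community_string())
```

The generator simply rejects and retries, which is cheap because a random 20-character string from this alphabet almost never contains a dictionary word, date pattern or company name; the checker is the part worth wiring into a configuration review, run over the community strings exported from each device.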

Information Security Assurance from a Resilience Perspective

Information Security Assurance from a Resilience Perspective White Paper

Today the global business environment is more complex and interconnected than ever before. Organisations rely on electronic data as their lifeblood, and the systems that enable the storage, transport, access and manipulation of this data have become critical. Even simple spreadsheets can become mission-critical systems in their own right, and this has resulted in an era where networks and the applications sitting within them have become the backbone of every organisation regardless of size and market sector. As a result, networks and applications are a primary channel for businesses, and one that they must protect if they are to meet their business objectives and, in the end, to survive.

For many organisations, the approach to information security amounts to a fortress mentality focused on building defences and preventing attacks. It is increasingly acknowledged, however, that we cannot build defences that are 100% secure while still allowing the organisation to carry out its business effectively, so for many this siege-based approach is no longer acceptable. A more resilient approach to managing information security is needed: one that accepts that organisations cannot be 100% secure, recognises that the cost of securing them can be large, and takes a risk-based, holistic view in which some risks are accepted rather than fully mitigated. Doing so places greater emphasis on gaining an appropriate level of assurance.

Following on from our recent article in SC Magazine on the topic of resilient information security, we have now issued our white paper. A copy can be found here.

Information Security Assurance from a Resilience Perspective

SC Magazine recently published an article by our CEO, David Stubley on the topic of resilience and the need to adopt a holistic approach to information security.

“If we accept that our defences will no longer hold against every attack and we cannot therefore be 100 percent secure, then we also need to think about information security from a new perspective.”

The full article can be found here and a link to our white paper can be found here.


Scottish cluster for the UK Cyber Security Forum

We are pleased to announce that we are collaborating with ZoneFox to establish the Scottish cluster for the UK Cyber Security Forum. The UK Cyber Security Forum represents small companies who are actively working in cyber security across the UK. As the leading independent information security consultancy in Scotland we are proud to work closely with other SMEs to develop Scotland’s cyber capability.

Our first meeting will be a breakfast briefing on the 4th November, titled:

UK Cyber Forum – Breakfast Briefing – “What the Cyber are the Scottish Government up to!”

Our CEO, David Stubley will present an update on the Scottish Government’s plans on Cyber Security.

If you are a Cyber SME, why not sign up to join us on the day here.

Details for the day:

08:00 for breakfast
08:30 Event starts
09:30 Finish

Location: CodeBase, Argyle House, 3 Lady Lawson Street, Edinburgh, EH8 8RD

Scottish Business Insider

7 Elements CEO, David Stubley is quoted in the September edition of the Scottish Business Insider.

The article, ‘Building Your IT Fortress’, focuses on the ever-changing threat landscape that organisations face from hackers and the need for organisations to take proactive steps to manage the risk presented. Security testing is often used to gain assurance that an organisation’s approach to security meets their needs.

However, David Stubley, CEO at 7 Elements, says organisations need help in understanding what security testing actually means.

     “It has become ubiquitous within the field of information security and means very different things to individuals and organisations. All levels of security testing are valid but it is important you choose the level that is right for your needs. Balance your risk appetite, cost, the level of assurance required, threat landscape and any regulatory requirements, if applicable.”

The full Scottish Business Insider article can be found here.

To help organisations understand what they require, we have published a more detailed blog that looks at the different types of test that come under the security testing banner and what you can expect from each.


7 Elements CEO appointed by Glasgow Caledonian University

David Stubley, CEO at 7 Elements, a key player in the Scottish information security industry, has been appointed as an external examiner at Glasgow Caledonian University for the Digital Security, Forensics and Ethical Hacking course.

This new role brings practical, on-the-job insight to Glasgow Caledonian University, ensuring that students learn relevant theory and that the University produces sought-after graduates.

Dr Michelle Govan, Senior Lecturer in Digital Forensics and Security, said; “Glasgow Caledonian University’s unique MEng/BEng in Digital Security, Forensics and Ethical Hacking programme has strong foundational links with industry, designed to inspire, embed real world understanding and provide an overall enhanced student experience. To ensure that the programme reflects current developments, and students develop the skill set industry requires, we are delighted that David, with his extensive experience and expertise in this area, has taken up the role of External Examiner and will be an integral component in the University’s quality monitoring and assurance procedures for our programme.”

The curriculum, which combines the study of core technological concepts, theories and principles with specialised knowledge and understanding in the area of digital forensics, security and ethical hacking, has been developed to provide students with both theoretical and practical learning, producing graduates who will make a significant contribution to industry and society as professional practitioners.

David Stubley, CEO at 7 Elements, said; “I’m very pleased to have been appointed by Glasgow Caledonian University, good graduates are essential to the industry so it’s great to be able to influence the quality of students graduating with such a prestigious degree. Graduates are an important part of the 7 Elements model with the business appointing two graduates this summer on a 12 month graduate programme.”

The 7 Elements graduate programme has been developed and is run internally by the 7 Elements team. The programme includes shadowing and training opportunities that are assessed throughout the 12 months, with a six-month and an end-of-year industry-recognised practical certification, the ideal follow-on for graduates.