Portcullis regularly gets contacted by organisations seeking help with regard to cyber attacks. Motivation varies: some take a proactive stance against a perceived threat, others may have been warned of imminent threats to their organisation, and some may consider themselves to be under attack. What constitutes a ‘cyber attack’ varies, and I’m not going to try to define it here (nor do I much like the term), but at Portcullis we are exposed to clients’ challenges relating to state-sponsored espionage, hacktivism, criminal gangs, malware, SCADA, DDoS, etc. My role in Portcullis sees me working with clients to design and manage our response to the client’s requirements in this space.
Some organisations demonstrate a good security posture and the route to meeting their security goals is comparatively straightforward. However, we find that a good number of organisations demonstrate poor security posture; for whatever reason, they have managed to survive with security some way off good practice. We encounter cultural issues, where security is a low priority, poor patching, no segregation, lack of assurance, poor monitoring, unsupported legacy systems and more.
When providing cyber defence solutions to clients with poor security posture, it becomes clear that there is so much to do that our options in the short term are limited. Where we would hope to be improving security by a few percent, we’re actually looking for quick wins and talking about long-term improvement strategies. We can get these clients to where they wish to be, but the process is not as simple as first hoped. Quite simply, without effective traditional security controls, any kind of response against cyber threats will be limited. Furthermore, as is detailed below, traditional security measures are perfectly capable of handling many cyber attacks.
Given the frequency of these challenging projects, and questions from clients regarding where cyber security fits in alongside current practice, it seemed like time to state the case for adhering to what is considered traditional security good practice.
There is an assumption that cyber attacks are very sophisticated, launched by expert hackers, using brand new ‘zero day’ exploits that leverage holes in operating systems that not even Microsoft (and others) know about, let alone have issued patches for. Not true. It is true that attackers can use these advanced measures (and working from a solid platform, Portcullis can step up to identify and stop such attacks); however, in most cases the attacks are pretty rudimentary, relying on well-known weaknesses.
Simon Saunders | Special Projects Manager | Portcullis
‘Simon is the Special Projects Manager at Portcullis and has been working in the Information Security Industry for nearly a decade. His expertise lies in delivering consultancy projects, thought leadership and delivering lead projects in the Cyber defence space.’