“We Break Your Toys” – Interview with Cyber Security Consultants Xiphos Research
"We break your toys" said the memorable trade fair banner of Xiphos Research, UK cyber security consultants.
After getting into conversation with Xiphos director Mike Kemp about the pros and cons (and limitations and potential for false sense of security) of website https, he kindly agreed to answer some general questions for this exclusive blog interview.
[Note: formatting and bold for emphases have been added by KnowledgePower Editor]
What is "pen testing" all about?
Mike Kemp: The term pen testing covers a multitude of sins none of which involve biros.
Penetration testing (or pen testing for short) can be utilised to test networks, applications, facilities, and sometimes even people. The goal is to find and actively exploit security vulnerabilities before fraudsters, criminals, or malicious attackers can.
Penetration testing when it is enacted correctly allows organisations to fix these vulnerabilities before they are exploited saving them money, time (in terms of responding to an incident), and reputation.
Penetration testers are paid to think and act like crooks, but with the safety of their customers' operations and ethical behaviour always at the forefront of what they do.
So is pen testing only relevant to large corporations and high-risk businesses like banks?
This is a common and dangerous misconception.
Although larger targets present an attractive proposition to some criminals (either financially or in terms of bragging rights), smaller organisations are at a very pronounced risk.
Typically large organisations have security procedures, processes, and people in place. They will have a security spend and will work towards reducing their technical and non-technical risks. Criminals know this. As a result those that are financially motivated will often turn their unwanted attentions towards smaller companies.
Security incidents, when they occur (and many do) at large organisations, sometimes make major headlines, but there is a massive problem with regard to the under-reporting of such incidents. If you have an online presence you often rely on the expertise of providers to assist with things that may not be your speciality. You are relying on their expertise, their honesty, and their efficiency. In many cases some or all of these may be lacking, and as a result, small organisations may find security risks present in the outsourcing of this expertise.
Another very important consideration is that large organisations have processes in place for dealing with a security breach or incident, and often the financial reserves to cover any losses, and ride out the reputational storm. For smaller organisations operating with no financial buffer, the impact of an attack can be devastating and result in job losses, or in the worst case scenario, business closure.
Ensuring the security of the business should be something every business pays attention to, and part of this process involves finding a penetration testing provider who not only understands the risks present in organisations of all sizes, but works with clients to reduce them.
Is pen testing something that you can automate?
The first stage of a technical penetration test is information gathering and enumeration.
Before a penetration tester can clamber through holes, they first need to find them. This is typically part of the process that is automated.
Sadly this is the part of the process that many people understand to be a penetration test.
There is a world of difference between penetration testing (clambering through holes) and vulnerability assessment (finding the holes). The latter of these can be automated, but it won’t find everything. Criminals are people. People not only use tools, but they also use their minds to achieve their aims. A competent and professional security company should also do this.
Clicking the start button on an automated test suite will never be as effective as human analysis and action, knowing how to react to the findings of automated software, and knowing what avenues can be pursued to achieve the goal of improving client security by first breaking it.
Data security can seem a dry and abstract topic: how do you make stakeholders sit up and listen?
Data security can be dry, but it is far from abstract. A successful breach (from an attacker's perspective) can impact on business operations, profits, and reputation. It doesn't get much more unabstracted than that from a business perspective.
In terms of engagement delivery, Xiphos are a bit weird, but that is appropriate as that is why we were established. Traditionally many security services providers (including penetration testing companies) approach clients in the wrong way. Rather than engaging with companies to fully understand their risks, and help reduce them, the mind-set is often one of a hired gun. Problems are found, a report is produced, a cheque is cashed.
We think service should go deeper than that and work with our clients to establish what their key risks are (e.g. what keeps them awake with worry at night), test to see if we can exploit those risks, and then work with them to address such risks.
We are trying to move away from the adversarial nature of testing, to a model based on collaboration where clients can call us with their concerns, issues, or just for a chat, without worrying about getting a bill for the privilege. In terms of engaging with stakeholders, it really isn’t about bells, whistles, and fireworks (although we can do those too) but rather about informed collaboration, and treating people and organisations with professional ethics and humanity.
What are the human issues in regard to data security?
To improve anything you first have to recognise the problem. Are you going to be attacked? If so, who is more likely to attack you? A bored teenager? A professional thief? A disenfranchised and trusted staff member or supplier?
Determining potential attackers is a great start, but then comes the tricky bit, defining risk.
Is the risk to your business that someone wanders off with your customer database, or with your intellectual property, or discovers skeletons in your closet? If everyone in your organisation knew what each other was paid would it create a situation you couldn’t handle?
Identifying the risk is essential and should impact on any auditing or penetration testing you commission. In terms of day-to-day activities that can be used to improve security, a culture of closed openness is vital. Be open with those you trust, and closed with those you do not.
Obviously there are technical measures that can be put in place (no insecure shared passwords, don’t write things down, don’t share things that don’t need to be shared) but one of the most effective mechanisms (especially for smaller organisations) for improving security is non-technical. If you work with people you know and like, then a unified front can be presented, and the security risks faced together.
Is "cyber security" getting easier or harder for businesses to solve?
Combatting threat is tough. There is much talk of an arms race between attackers and defenders, and although this is a somewhat simplistic view, there is some truth to it. Attackers will find new ways to attack and defenders must find new ways to defend. Criminals are adaptable and always have been. Technology has evolved (and is evolving at a rapid rate) and as such so have technical and non-technical attacks.
As more and more organisations, people, homes, cars, dishwashers, etc. become interconnected, the risks present grow.
That said, it's not all doom and gloom. Security is a technology and a people problem. If you have people you can not only trust but verify, then you can work towards overcoming risk. If you can work with trusted experts to help identify those risks, then you are off to a great start.
The sad truth, however, is that you can never fully eliminate risk; you can, however, manage it. To do that you first have to identify it, and once that identification has occurred the process does get easier. At least until someone thinks of something new (which happens daily).
Security is constantly in a state of flux; the right experts can assist in ensuring that the flow goes the right way.
KnowledgePower Editor: THANKS Mike for sharing these excellent infosec insights!
About Xiphos Research
Xiphos Research is based in Birmingham in the UK and has a branch office in New York, USA.
Xiphos was formed by a small team opposed to the current way things are done. All our service delivery staff have ten+ years in the provision of security consulting and testing services for a range of international clients. Many have spoken internationally and frequently on security research topics and our senior management team includes lecturers, forensic scientists, and recognised experts in IT security.
We work with a broad range of customers throughout the globe, and for a small company (which we are, as small is indeed beautiful) we have worked for a variety of household names (including FTSE 250) on all manner of interesting things.