Cyber Security policy production

Cyber security policy production is a crucial component of an organisation's approach to the management of risk and the governance of employee behaviour and use of IT assets. Policies must be written for their target audience, in appropriate language, if they are to be practical and effective.

  • Implement an effective set of policies, aligned with best practice
  • Properly govern employee behaviour whilst balancing their ability to deliver business functions
  • Reduce the likelihood of security incidents
  • Ensure effective and successful disciplinary outcomes

The overarching information security policy should set out the organisation’s business, its appetite for risk and the standards that its employees are expected to uphold with regard to their daily business duties and their use of its assets and services.

Associated policies that sit beneath the organisation's information security policy govern how employees are expected to operate whilst using IT assets and services. They should ensure proportionate protection of the organisation, whilst balancing the need for employees to operate effectively in their day-to-day business function. Policies can also go on to reference more detailed processes and procedures that set out how specific operations are expected to be delivered.

Prism Infosec’s experienced security and information risk advisors hold a number of workshops with key client stakeholders to understand how the organisation operates, its culture, risk appetite and control requirements.

The cyber security policy production process then produces a set of policies, using organisational templates and covering standard requirements that are in line with common security best practice, as well as bespoke areas that are relevant to the client’s business.

All policies shall be aligned with the ISO 27001 information security management series, to comply with and maintain any existing certification or to ensure readiness for any future accreditation that the business may wish to pursue.

The project is fully managed by a principal consultant, who works with client stakeholders throughout the policy development process, with key project checkpoints and review periods to ensure that the client is completely satisfied with the final deliverables when the policy set is handed over.

Email Prism Infosec, complete our Contact Us form or call us on 01242 652100 and ask for Sales to set up an initial discussion.

Cyber Risk Management

The cyber risk management process is an essential part of an organisation’s or project’s approach to properly handling risk. The organisation must identify its business critical information assets across its entire infrastructure if it is to capture and manage risks accordingly. This includes processing activities, storage repositories, access controls, how information is shared and how information is securely disposed of once no longer needed. Once this has been established and documented, appropriate and pragmatic controls can be applied to mitigate the identified risk to a level acceptable to the risk appetite of the organisation.

  • Understand and document the organisational or project risk appetite
  • Effectively manage risks moving forward
  • Reduce the likelihood and impact of risks to the business and the associated costs involved

Once the information asset identification process is complete, its common output, a prioritised list of risks, can be used to drive decisions on how the organisation or project should progress and is then used as an input into the risk management process. If all of the risks above the organisation's or project’s risk management tolerance are then properly managed, there is an increased likelihood of success moving forward.

Prism Infosec’s experienced security and information risk advisors, applying cyber risk management techniques, can deliver quantitative or qualitative risk assessments using a variety of in-house or off-the-shelf methodologies and frameworks to fit our clients’ requirements, including the use of:

  • NIST SP 800-30
  • CRAMM / CRAMM Express
  • Risk IT / COBIT
  • IRAM
  • ISO 27000 series guidance on risk and management
  • HMG IS1 (now retired)

Through a combination of client workshops, information transfer, observational audits and conducting or viewing the output from technical assessments, our consultants will conduct an extensive review of the organisation or project’s business operations. The assessment will take into account policies, processes, procedures, the legal and regulatory environment and physical and logical security controls.

The output from the assessment shall be a management summary describing the key risks that have been identified, including any root cause analysis, a narrative description of the assessment that was conducted and a set of prioritised risks. Full workings of the risk assessment can be provided in either hard or soft copy.


Configuration reviews

Configuration reviews are critical because, when developing new products, hardware and software manufacturers must strike a balance between information security and product features. Developers cannot cover every potential use case of a product deployment, so a common set of functions and settings is typically enabled by default to ensure reasonable compatibility.

  • Identify security weaknesses in the configuration of servers, workstations, firewalls, routers and other devices
  • Measure gaps against common best practices
  • Reduce the hardware and software attack surface
  • Improve the resilience of devices to local privilege escalation and remote attacks

However, once software or hardware is deployed within an organisation, there is often a specific requirement for which it is being used. For example, servers could be delivering web, application, file sharing, authentication or database services and therefore may only require a small subset of supporting functions. Furthermore, workstations may be deployed on desktops or laptops, which typically have differing security requirements.

It is therefore important that the security configuration of hardware and software is defined relative to the role in which it is being deployed. This process is commonly known as establishing security build standards or defining a ‘gold build’ for a particular hardware or software configuration.

Prism Infosec can audit the current build standard of a system, given its role within the business, against commonly accepted best practice and other governance requirements (e.g. Payment Card Industry or Sarbanes-Oxley). We will then produce a report highlighting gaps and providing technical details of where improvements can be made.

If necessary, we can then work with the client’s systems and network teams to establish a gold build standard, create template images to deploy to new builds, manage and test changes to existing live configurations, and document and report on changes made.

Prism Infosec has extensive experience with defining build standards associated with hardware and software, including:

  • Windows Operating Systems (e.g. Windows Server, Windows Workstation builds 7, 8, 8.1, 10)
  • Unix Operating Systems (e.g. Oracle Solaris, Linux variants, HP-UX, IBM AIX)
  • Web Servers (e.g. Microsoft IIS, Apache, NGINX)
  • Application Servers (e.g. Tomcat, JBoss, Websphere)
  • Database Servers (e.g. Microsoft SQL Server, Oracle RDBMS, MySQL, Postgres)
  • Routers and Switches (e.g. Cisco, Juniper)
  • Firewalls (e.g. Cisco, Juniper, Dell, Palo Alto, Intel)


Social engineering simulation

A social engineering simulation exercise is a useful tool for assessing your organisation's employees' susceptibility to social engineering.

  • Simulate a social engineering attack on elements of your organisation
  • Gauge the effectiveness of information security awareness training
  • Improve the resilience of your organisation to social engineering and phishing attacks

The majority of recent high-profile cyber attacks against top-tier organisations have been successful because they breached the perimeter through targeted social engineering attacks, otherwise known as ‘spear phishing’.

These attacks identify the contact details of potentially vulnerable people within the organisation and use a specially targeted attack vector which is likely to result in the execution of malicious code. Typically this involves crafting an email which would be of interest to the victim incorporating embedded malware, in the email itself or as an attachment.

Once the code has been executed, it will then use network architecture weaknesses to establish command and control connections with the attacker, who can then commence attacks on internal network resources. It is then generally straightforward to identify accessible stores of internal information assets (given that access will have been gained with the credentials of the compromised user) and export them over the Internet using protocols that are usually benign and innocuous, such as web connections.

Furthermore, other attack vectors often include phone calls to staff, usually under the guise of IT personnel or a senior member of staff, attempting to entice them into performing a task that would also have adverse consequences for the organisation’s information security.

A defence-in-depth strategy for the protection of information assets should include all elements of security controls, including physical, procedural and technical. As such, it is essential that personnel within the organisation are adequately briefed on information security awareness, how to identify and report potentially malicious emails and the inherent risks associated with opening them.

The Prism Infosec simulation will effectively identify an organisation’s susceptibility to social engineering attacks, whether delivered via email, instant messaging, telephone calls or face-to-face within the client’s premises. As part of the assessment, we can use open source intelligence gathering to attempt to identify people within the organisation or target a specific team or function that the client determines should be the subject of the investigation.

We will then systematically target those individuals with a bespoke attack which we believe (in co-ordination with the client) has the highest probability of success. All attempts will incorporate a means to measure the success and may also determine whether it would be possible to breach the architecture and establish outbound command and control connections.

The output of the exercise shall set out the effectiveness of information security awareness within the organisation, statistics on successful and unsuccessful attempts, details of whether it was possible to compromise the perimeter and a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.


Physical security testing

Physical security testing is a great way to assess your organisation's susceptibility to physical attack on your business premises.

  • Identify vulnerabilities with physical security controls protecting the organisation
  • Determine whether the organisation's physical perimeter adequately protects its information assets
  • Effectively manage physical security risks

It is now well established that many successful compromises of enterprise information security controls involve some element of physical security exploitation, perhaps to plant a malicious device such as a keylogger or rogue Wi-Fi access point, or to attempt attacks unnoticed and possibly outside of normal office hours.

A defence-in-depth strategy for the protection of information assets should include all elements of security controls, including physical, procedural and technical. As such, it is essential that IT assets are adequately protected from physical attack vectors which could be used to bypass effective technical controls such as firewalls, intrusion protection and strong authentication mechanisms.

Our physical testing service will investigate the security of controls used to protect an IT environment, including the use of technical control deployments such as CCTV and access control as well as personnel and procedural controls which may include guards, visitor records and effective staff training against “tailgating” attacks.

The Prism Infosec physical security experts can assess a building perimeter for exploitable weaknesses and ingress points and determine the impact of any security breach, including the possibility of being able to gain unauthorised access to IT resources via exposed network access points or physical access to systems and network infrastructure.

The output of the exercise shall set out the effectiveness of physical security against best practice and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.


Wireless security testing

Wireless security testing is an essential part of your network defences wherever wireless technology is used. It will identify any vulnerabilities in your wireless deployment, whether for business purposes or guest access, and provide a report with pragmatic and secure remediations to prevent unauthorised access.

  • Identify technical security vulnerabilities and weaknesses with a wireless network deployment
  • Test the effectiveness of security controls associated with a wireless network and ensure adequate protection of organisational information assets
  • Effectively manage wireless service information security risks

The deployment of a wireless network within an organisation can introduce additional risk that needs to be properly managed.

For example, a guest wireless network that is physically separate from the corporate network could be used to launch attacks against other Internet hosts that appear to originate from the organisation, to attack other wireless clients or to access unsavoury Internet content. Furthermore, a corporate wireless network could suffer from weak authentication or lack segregation, which could be used by an ex-employee with knowledge of the key to regain access to internal networks and launch attacks against organisational assets.

Wireless security testing supports effective management of the information security risk associated with organisational wireless networks and ensures a robust and functioning set of controls, including patch, configuration and vulnerability management of wireless access points, strong network architecture, robust authentication mechanisms and useful protective monitoring.

Whether associated with a sweep for unauthorised wireless deployments, an audit of a Guest or Bring Your Own Device (BYOD) Wi-Fi implementation or a full assessment of an enterprise-grade wireless network access deployment, our wireless testing service shall determine whether effective controls are implemented and operating properly. Our team has the equipment and capability to assess the complete and up-to-date range of wireless bands and technologies.

Using a team that comprises experienced penetration testers and wireless security experts and following formal methodologies, Prism Infosec will assess a wireless network’s security controls for vulnerabilities and weaknesses across the stack and deliver a detailed report.

The output of the exercise shall set out the effectiveness of the wireless network's security against best practice and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements to Wi-Fi information security.


Mobile application security testing

Mobile application security testing is an essential tool in an organisation's armoury where mobile applications are used to process business information. Ensuring that vulnerabilities and weaknesses are identified and mitigated appropriately will provide assurance that they cannot be exploited to impact your business functionality.

  • Identify technical security vulnerabilities and weaknesses with a mobile application
  • Test the effectiveness of mobile application security controls that should protect against threats to information assets
  • Ensure that the application is protected against client side manipulation and sensitive information leakage
  • Effectively manage mobile application information security risks

Business and e-commerce mobile application deployments have become more prominent recently and are now a regular channel for product sales and an effective means for customers to access services and content, ranging from bank accounts and social media to AV streaming.

Mobile application security testing supports the effective management of information security risk associated with organisational mobile applications and should ensure a robust and functioning set of controls, including those associated with web applications, web services and bespoke communication protocol implementations. Additionally, common application weaknesses such as authentication and authorisation, input and output validation and session handling problems should all be identified and managed.

However, given that the mobile application is also installed on an end-user device, an additional set of risks is introduced, including the possibility of code manipulation and information leakage through application decompilation and reverse engineering. Furthermore, local storage of information and the use of mobile libraries and application programming interfaces increase the attack surface of a mobile application.

Whether associated with access to financial services, a complex e-commerce service or the protection of key premium content, our mobile application testing service shall determine whether effective controls are implemented and operating properly and that fraudulent manipulation of the mobile application and its supporting infrastructure and application services is not possible.

Using a team that comprises experienced penetration testers and mobile application security experts and following formal methodologies (for example the OWASP guidance and Top 10), Prism Infosec will assess the mobile application platform’s security controls for vulnerabilities and weaknesses across the stack and deliver a detailed report.

The output of the exercise shall set out the effectiveness of security associated with the target mobile application and supporting services against best practice and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements, where required.


Application security testing

Application security testing will provide you with assurance that your application security controls are performing as expected. Where vulnerabilities and weaknesses are identified, they are captured and can then be remediated to ensure that they cannot be exploited.

  • Identify technical security vulnerabilities and weaknesses within an application deployment
  • Test the effectiveness of security controls associated with application deployments which protect against threats to information assets
  • Effectively manage application information security risks

Management of information security risk associated with applications should ensure a robust and functioning set of controls, including effective authentication and authorisation, input and output validation and session handling.

Whether associated with the delivery of internal web sites, extranets, sharing and collaboration suites, or complex financial applications, our application security testing service shall determine whether effective controls are implemented and operating properly.

Using a team that comprises experienced penetration testers and application security experts and following formal methodologies (for example the OWASP guidance and Top 10), Prism Infosec will assess the application’s security controls for vulnerabilities and weaknesses across the stack and deliver a detailed report.

We can also deliver assessments against other application delivery mechanisms, including web services, APIs and bespoke client/server deployments.

The output of the exercise shall set out the effectiveness of security associated with the target application against best practice and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.


Penetration Testing/Infrastructure Testing

Penetration/infrastructure testing of your organisational IT infrastructure is a key tenet of good information security management. Whether as a result of a major change to the current IT architecture, for annual assurance purposes or to mitigate the result of a successful cyber attack, penetration/infrastructure testing provides assurance that deployed technical security controls are operating within required parameters. Where they are not, a comprehensive report will detail the vulnerabilities so that a remediation action plan can be implemented.

  • Simulate real world penetration tests against an organisation’s perimeter
  • Identify technical security vulnerabilities and weaknesses through penetration testing of an infrastructure deployment
  • Test the effectiveness of security controls associated with internal or perimeter infrastructure which protect against threats to information assets
  • Effectively manage infrastructure information security risks

Management of information security risks associated with organisational infrastructure should ensure a robust and functioning set of controls that include patch, configuration and vulnerability management, change control, strong authentication mechanisms and password policies.

Whether associated with internal IT assets, perimeter systems, a new application delivery or database platform, our infrastructure testing service shall determine whether effective controls are implemented and operating properly.

Using a team that comprises experienced penetration testers and network / system and firewall security experts and following formal methodologies, Prism Infosec will assess an infrastructure platform’s security controls for vulnerabilities and weaknesses across the stack and deliver a detailed report.

The output of the exercise shall set out the effectiveness of security associated with the target against best practice and provide a detailed set of issues alongside pragmatic remedial activities that can be used to improve infrastructure information security.


Red Teaming

Red teaming is a great way to test the effectiveness of your security operations and cyber response teams in a realistic, secure and safe way. Designed to simulate a real cyber attack, the scenario our experts provide allows your staff to grow and gain confidence in their own skills and confirms the effectiveness of cyber incident response plans.

  • Identify organisational cyber security weaknesses
  • Test the effectiveness of your security operations centre and incident handling team
  • Determine your organisation’s resilience against a cyber attack
  • Conduct organisational assessments beyond the penetration test
  • Effectively manage your cyber risk profile moving forward

It is now widely known that the cyber threat facing organisations has evolved beyond perimeter infrastructure and application layer attacks and is now focussed upon attempting compromise using sophisticated attack methods.

Attacks are now targeted against specific people within the organisation and utilise custom malware that evades common anti-virus signatures and is designed to exploit known weaknesses in ingress and egress communications from the target. Additionally, attackers are combining physical and virtual exploit methods to successfully compromise their targets.

The Prism Infosec Red Team Service will simulate a number of potential cyber attacks on your organisation over an agreed period of time. This is commonly delivered with only a minimal knowledge footprint of the attacks within the customer, typically just the point of contact for the service, the information security manager or the head of audit.

The service includes a start-up engagement between our principal consultants and the nominated contacts within the customer to discuss the planning and scheduling of the assessments, the amount of agreed prior knowledge associated with the tests (often zero) and elements that will be targeted. It will also include how we will measure the effectiveness of incident handling, in particular the response that we should observe if our attacks are properly identified.

The red teaming assessments include profiling the organisation and its staff using Internet open source discovery methods, and identifying security weaknesses in building physical security controls and network access controls. They will investigate the introduction and handling of simulated (safe) malware within the organisation and resistance to command and control techniques used to compromise internal resources. Additional infrastructure and application layer assessments will be conducted at given intervals and delivered with ‘low noise’ to determine the effectiveness of protective monitoring and incident handling capabilities.

The service deliverable shall be executive and technical reports clearly identifying physical, technical and procedural risks associated with the organisation (potentially on a global scale), alongside practical, pragmatic, clear and concise recommendations on how to effectively manage them moving forward. Furthermore, we will deliver a presentation to executive and/or technical staff on our findings and recommendations.
