Kimon Nicolaides, Digital Services Group Head at MASS
Organisational security can be thought of like peeling the layers of an onion – with critical assets sitting in the middle protected by multiple layers, and if one layer is removed or breached, there’s another one underneath. At least that’s the way it should be – too often, however, we see a siloed approach to the different areas of security. In practice, physical, cyber and personnel security can be much more inter-related than many imagine.
The finance sector is arguably one of the more mature in terms of established security measures. However, it’s also vastly diverse, targeted by some of the most advanced threat actors, and one where even the smallest breach has the potential for significant impact, monetarily, or on market reputation, perception or confidence. Security measures should therefore be viewed holistically, led and understood by senior management, otherwise gaps for exploitation will be found by intelligent and experienced people, supported by an ever-growing arsenal of exploitation technology.
Here, we take a closer look at some of the things that comprise a holistic view of security – based on the approach we take with public sector and defence organisations.
Physical security
It may seem obvious, but the first layer to assess should be the physical access to your business. For all organisations, this step remains as true today as it ever has been – even for the finance industry where physical security principles have been established over many years.
This stage should go back to the basics of how an intruder could gain access, starting by reviewing the ‘perimeter’ controls. In fact, the first question is, ‘what is the perimeter?’. With the potential for distributed site facilities, linked remote assets, and supply chain dependencies, this simple question needs careful consideration.
Scenario-based analysis, using threat actor personas, motivations and objectives can really help by defining a where a ‘perimeter’ really lies. It’s also an invaluable methodology for exposing how an organisation could be exploited.
This stage should involve a review of physical controls such as fencing, access technology, CCTV coverage etc., including, their role in deterrence and detection of hostile reconnaissance activities. Disrupting the planning cycle of attacks is often overlooked relative to direct prevention of unauthorised access.
Ultimately, security measures are only as effective as the people that apply them, so an understanding of human behaviours is essential. It’s important to consider how people’s actions affect overall site security and, why these actions occur.
Issues can range from the wearing of security badges in the street through to poor motivation and effectiveness of roving security staff or those monitoring CCTV. Simple and innocent human mistakes could form the seed of future security breaches.
Cyber security
The finance sector has progressed its cyber resilience considerably as it’s been dealing with threats for many years. But business sizes now range from the very large to the small and, as new forms of financial transactions evolve, protection becomes more challenging. There is an increased availability of cyber exploitation toolsets and associated managed services and coupled with a reduction in their cost – lowering the financial and technical barriers to advanced cyber-attacks.
This means that cyber security, even for the finance sector, needs to be taken to a new level and existing assumptions continuously challenged.
For example, while penetration testing regimes remain a vital tool in mitigating network cyber risk (including ‘CBEST’ which has been widely rolled out across the finance sector), these still remain a snapshot in time. While they deliver valuable depth of analysis within a network, they are often constrained in breadth of scope and can potentially leave vulnerability blind spots. Very frequent, lighter-touch cyber assessments can fill this gap as they offer a more dynamic view of ongoing vulnerabilities over a wider proportion of the estate, which could represent ‘low hanging fruit’ for the cyber actor. Assessments can be enhanced by applying modern threat intelligence techniques to rapidly identify existing compromises and potential weaknesses (including personnel and corporate digital footprint). This establishes a picture of cyber posture and vulnerabilities before any testing taking place.
Similarly, end-user device security is often viewed in terms of the encryption strength, keys etc. However, modern methods of fault injection attack (a device’s response to artificially applied ‘fault conditions’ used to derive security credentials), can effectively sidestep assumed security measures, which would normally take decades to ‘crack’ using computer power. So, it makes sense to test a device’s vulnerability to fault injection, rather than assuming encryption alone will protect it.
For this reason, it’s crucial to examine the wider supply chain. In the finance sector, there is high dependence on suppliers of digital telecommunications and energy services, and when different systems are interconnected its challenging to pinpoint cyber resilience risks. Despite this, it’s possible to map complex information to establish risk, by identifying ‘hot-spot’ concentrations of dependencies that represent single-point failures within the complexity of the overall business operation.
The insider threat
The potential threat from insiders – those who might misuse their legitimate access to an organisation’s assets for unauthorised purposes – is often overlooked.
This is particularly true for financial businesses, where personal financial gain could be an incentive, or where security controls are so effective that hostile actors must exploit those with legitimate access to circumvent them. You can think of insider threat as the ‘grand master skeleton key’ of security, as there are few security measures that cannot be overcome by the right insider, or team of insiders. Security compromises involving insiders can also have a disproportionately high business impact.
Yet many organisations consider insider risk to be mitigated simply by pre-employment screening and fail to recognise the spectrum of risks ranging from genuine human error, through to orchestrated insider activity by paid professionals. Insider cases frequently involve individuals who have been with an organisation for some years and have had some personal vulnerability exploited or exposed, or simply become disgruntled.
It’s a broad area to address. Internal governance, security culture, employee wellbeing, employment measures, corporate digital footprint, and perceived employee sentiment are some of the aspects that should be considered. When you have understood this for your own organisation, you should make the same assessment of your supply chain.
If the business is committed, it’s possible to use structured analytical methods to quantify your organisation’s maturity and assess where the key vulnerabilities and risks could lie. This understanding paves the way for improvement, and even small changes can make a big difference.
The hidden layers
Like an onion, there are hidden layers to security that may be overlooked so it’s important to consider physical, cyber and personnel security collectively, and to understand the dependencies you have as a business.
For example, your own environment may be protected, but if data is shared with your suppliers or partners, is it still secure? Similarly, if a supplier or partner has a security breach, what does it mean for your operation, your business continuity and your customers?
When assessing security measures, it’s essential to go an extra layer deeper and consider how a range of factors could impact your organisation and its readiness to respond to an incident.
At MASS, our security experts consist of professionals with extensive experience in preventing security breaches and performing assessments in accordance with Ministry of Defence processes, so that we can ensure our security analysis meets and exceeds industry best practice.
For more information, please visit: https://www.mass.co.uk/what-we-do/cyber-security/cyber-security-training/
