IFSEC 2017 preview

The Cyber Intelligence and Security Centre: Businesses are “only seeing 50% of the problem”


Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
June 19, 2017

Barely a week goes by without a major company being brought low by cybercriminals.

But if cybersecurity is now firmly under the media spotlight, a key vulnerability is routinely ignored: people, not the network.

We spoke to James Taylor of The Cyber Intelligence and Security Centre and Greg Oakley of its sister company, Sorinteq, to find out more.

The Cyber Intelligence and Security Centre is exhibiting at IFSEC International between 20-22 June 2017 at London ExCeL. You can find them on stand C1810. Get your free badge now.

IFSEC Global: Please tell us a bit about your organisation.

Greg Oakley: We are essentially a cyber-defence, cybersecurity and cyber intelligence organisation. So we cover three areas.

Cyber intelligence is the missing piece of the puzzle in many cybersecurity companies. We’re a sister company of Sorinteq, which delivers ex-listed cyber training to UK and international governments and law enforcement.

The Cyber Intelligence and Security Centre delivers the same typology of services and training but to the non-governmental commercial sector.

We examine network and software security. We review processes and policies. But significantly we will check for physical vulnerabilities and very much look at people. It’s this that sets us apart from the competition.

IG: And what does looking at people entail in this context?

GO: Most people understand that software can be penetrated. What they don’t understand is the significant vulnerability that staff and other people can present to a company.

Humans have vulnerabilities and they can be socially engineered.

‘Hacking the human’, or social engineering, is the manipulation of human behaviour to achieve your objectives. In other words, how do I get this guy to do something wittingly or unwittingly, unconsciously or intentionally, for an ulterior motive without his or her knowledge?

IG: Like how phishing or ransomware relies on duping someone into clicking on a rogue link?

GO: That’s an example. But it’s also human behaviour, traits and characteristics. Human vulnerabilities include not wanting to offend, wanting to please, naivety, sometimes ignorance…

The human element of what we deliver, in terms of training and software, means we expose companies to areas they wouldn’t necessarily give a thought to.

Criminals can use social media to profile you for exploitative purposes. What people most likely don’t understand is how they leave residual data, a residual footprint, on a day to day basis.

IG: And they can use that data to make educated guesses at the password you might use based on your date of birth, your dog’s name or favourite football team?

James Taylor: That can form part of it but you can go deeper than that. They could theoretically develop a relationship through social media, start to influence that individual’s behaviour.

As Greg referenced, it’s using social norms to please someone, leveraging human behaviour effectively. That’s primarily where we specialise.

GO: Human frailties can be exploited to the benefit of someone who thinks like a hacker. That’s part of the service we deliver: thinking like a hacker.

IG: What kind of people are you hoping to meet at IFSEC?

JT: I feel most companies in a commercial sector would benefit.

I’ll give you an example. Let’s say you have a company and you are making 20 people redundant. You give them notice and in six months’ time they lose their jobs.

We would look at that and say you now effectively have a group of employees that are theoretically very disgruntled with the potential to compromise your business. What safeguards are you putting in place for that insider threat?

Even if you’re a company that doesn’t operate in the digital sphere, it doesn’t really matter. If you have assets – and I mean employees, equipment, stock, anything – you’re effectively vulnerable.

GO: A question we’re often asked is “how do you mitigate threats against your company when you don’t know what those threats are?”

It’s only when Cyber Intelligence and Security Centre staff come along and work with a company that they start to have an understanding of what the very non-obvious and significant threats are.

The three questions I’d ask IFSEC visitors are: Does your company employ people? Does your company have an IT network? And does your company have premises? If the answer is yes to all three then we’re very confident we can provide a very sound and interesting dynamic risk assessment in terms of security.

IG: How are you approaching IFSEC? What can visitors expect to happen on your stand?

GO: We’ll have three people there: two on the stand and one walking around and engaging with attendees and other stand holders.

You’re not going to be able to walk away from our stand with a top and tail around a range of variables. What we can do is have a conversation getting a meeting off the ground at your premises resulting in a bespoke, made-to-measure plan for your company.

IG: Is it becoming easier to get custom in your sector given the huge and growing media coverage of major breaches and cybersecurity generally?

JT: A two-part answer. It is growing. You see an international hack occur. Companies are panicked. But they’re still thinking about the network side of the coin and only seeing 50% of the problem.

We give them the full picture. Because actually, whether they’re running the most complex software in the world, whether they have both proactive and passive systems, encryption, firewalls etc – it all starts and ends with the human factor.

So for us it’s very much about getting a company to identify that as a credible threat, to look at how a hacker would approach your business. Because I guarantee it’s not the way you think they will approach it. And on top of that you have the insider threat.

So we work on something called a cyber-risk exposure review. That consists of identifying all potential vulnerabilities within that business that they’re not already aware of.

Once the cyber risk exposure review has occurred and we’ve checked what we need to check, sat down with relevant persons in that company, that’s when we design the training. The training will consist of what I would class as end users.

So if it’s the NHS then we upskill the doctors or nurses around security and what they do online and take this all the way up to board level. We talk about risk and footprint – not only in their professional life but their personal one too.

Because from a hacker’s standpoint, social media is a rich source of data. But it might be less direct than social media. Take a director of, let’s say, Ford. He might be security-conscious and not have Facebook, LinkedIn or Twitter accounts.

But I would ask him if he has a wife, kids? Are they using social media? What are they saying online? They’re probably not thinking around the full picture.

Once we’ve established that we then bring it back to the company and look at their processes and policies. Because actually they’re always missing a step.

We try to open their eyes.

So it is an opportunity for us on the back of the publicity that network security and hacking are getting. Everyone knows cybercrime is the future. What we’re saying is: “We give you the 360”.

Your network might be secure but not when you have an administrator who doesn’t know how to put the settings in place or leaves an open port.

You might have spent £250,000 on introducing something like Mimecast into your system. But if your users aren’t doing the basics correctly, you might as well have thrown that money down the drain.

We will get your users to a point where that risk and vulnerability is mitigated.

IG: It’s a compelling pitch. Is there anything else you want to add?

GO: We also work very closely with Russell Group universities, with eminent psychologists and linguistic experts in understanding human behaviour.

So our ability to demonstrate how the human can be hacked, manipulated and exploited, as well as our own background of operational experience, comes from an academic stance as well.