- Cyber-Security Audit
- Breach Investigation and Incident Response
- IoT – Internet-of-Things
- Cloud and Hybrid
- Best Practice Frameworks and Standards
“He who fails to plan is planning to fail.”
— Winston Churchill
We live in an age of increasing technological complexity and inter-connectivity, yet many companies still fail to recognise the importance of a properly planned approach to cyber-security.
The consequences can be grave: an increasing number of companies fall victim to opportunistic attacks, like ransomware[1], and to targeted attacks, like whaling[2] or theft of intellectual property or of information about employees and customers.
What we do
Cardinia has a proven methodology which assesses each of the three factors that contribute to good security: People, Process and Technology. We identify critical business information assets and the potential impact and likelihood of a breach, based on a broad understanding of how, why and where each information asset is used. This allows us to create a heat map of an organisation’s information risk, showing where the most significant risks lie.
What you get
Clients receive a report setting out detailed findings, including a list of the risks identified along with an impact assessment of each. Our report includes recommendations on how to mitigate or eliminate all of the critical and important risks found. Unlike more purist, technology-based assessments, which often suggest wide-ranging and very expensive infrastructure upgrades, Cardinia’s more pragmatic approach helps clients to achieve a proportionate balance between security and the cost of achieving it, by targeting only the most significant risks and by taking into account the influence of business process, governance and human behaviour.
Breach Investigation and Incident Response
Once you’ve had, or suspect you’ve had an information security breach, effective and rapid response is paramount.
Two main objectives need to be met: finding out what happened, and securing against recurrence of this and all related or similar attacks. Sadly, all too often the focus of a breach investigation is solely on the former.
Knowing what happened is certainly very important, but that knowledge is of little use unless it is applied broadly.
What we do
We gather all available evidence, which may include log files and forensic images of compromised systems, and review these in detail to establish the specific attack vectors used. In addition, we undertake a cyber-security audit (described above) in order to identify the same or similar vulnerabilities wherever they may be present across the broader enterprise.
What you get
Clients receive a report setting out exactly what happened, including the specific attacks used and their source, where identifiable. The report also includes our assessment of related risks across the business, along with recommendations to mitigate or eliminate those risks. By acting on these recommendations, our clients are able to deal proactively with as-yet unexploited vulnerabilities as well as to respond to the past breach.
IoT – Internet-of-Things
As technology improves, Internet connectivity continues to get faster and cloud infrastructure becomes more and more accessible, even to comparatively non-technical customers, companies are increasingly discovering new channels to market or even whole new business models which exploit this pervasive, always-on foundation.
Many types of service increasingly rely on the connection of previously disconnected devices and the abilities to gather data from them and to control them remotely. Connected things now range from cars to CCTV, doorbells and even fridges.
While the benefit to the consumer of these new IoT services is simplicity – they just sign your contract, create an account and log in – all they have really done is outsource complexity to you, the IoT supplier.
What we do
Cardinia has assisted multiple clients who have developed innovative products and services, leveraging wireless networks (cellular, Wi-Fi, Bluetooth), the Internet and cloud computing infrastructure to outperform competitors and disrupt established markets. Our clients must deal with the complexity outsourced to them by their customers, and this complexity in turn makes security more and more challenging. Where IoT services capture data about their users, this is potentially an even greater concern, as Data Protection requirements must also be taken into account.
Cardinia assesses every element of the IoT technology stack, including devices, networks, software, coding standards and methodology, testing and release processes and back end infrastructure, whether on-premises, cloud or hybrid.
What you get
Clients receive a report setting out areas of weakness found in technology, processes and human behaviour as well as impact analysis of each. Our report offers guidance on how to remediate security concerns and how to embed good security practice so as to achieve and sustain a robust security model.
We also work with some clients to gain independent verification of compliance with appropriate security standards, which Business-to-Business IoT suppliers are increasingly finding demanded by corporate customers.
Cloud and Hybrid
Many companies now take advantage of the economies of scale brought by cloud platforms and services to deliver better quality IT services at lower cost than would be the case if they continued to provide them using in-house, often called “on-premises” resources.
Services most commonly used include email and desktop applications[3], but Cardinia has clients which run entire line-of-business applications, including Customer Relationship Management and Enterprise Content Management, on cloud infrastructure.
Clients most frequently express concerns about the security of the cloud services themselves, although such security is potentially far better than it would be if the service in question were on-premises. The key to realising this potential is planning the implementation of the cloud service with security in mind.
By far the bigger area of risk is in hybrid implementations, where clients place some services with cloud providers while retaining others in-house. As there is usually a need to bring about some level of integration of cloud and on-premises infrastructure, an additional layer of complexity is introduced; complex systems are more difficult to secure than simple ones.
Cardinia clients benefit from our extensive experience of effective cloud deployments and of current and emerging best practice in securing hybrid deployment models.
Best Practice Frameworks and Standards
“The best is the enemy of the good.”
At Cardinia, we do not believe in Best Practice. “Best” leaves no room for improvement, and there’s always room for improvement. Instead we prefer to think of Good Practice or Current and Emerging Best Practice.
A number of information security frameworks and standards now exist which embody current good practice. Companies need not invent a security standard from scratch; rather, they can adopt one of these frameworks, adapting it where appropriate to their own specific circumstances. Although companies will usually need help to do this, adoption of a suitable framework is now the quickest and most cost-effective route to good security practice.
Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is a UK Government-backed scheme which offers a sound foundation of basic hygiene measures suitable for all types of organisation. It defines a focused set of controls in five areas (firewalls, secure configuration, security update management, user access control and malware protection) which together provide cost-effective, basic cyber-security.
(A number of Cardinia Breach Investigation clients would not have suffered breaches at all if Cyber Essentials had been in place in their organisations.)
Cyber Essentials exists in two forms: Cyber Essentials, which is based on a self-assessment questionnaire, and Cyber Essentials Plus, which adds a hands-on technical audit of the organisation’s systems carried out by a suitably accredited third party.
Whichever of these is chosen, Cardinia helps clients to implement it as quickly and cost-effectively as possible. Cardinia by choice does not certify compliance with Cyber Essentials Plus or any other standard. Rather we are your trusted adviser and will help you to identify and remedy weaknesses and to embed good practice so as to enhance your prospects of successful certification at the first attempt.
ISO27001 and related standards[4] cover a much more extensive range of aspects than the smaller and simpler Cyber Essentials. They are therefore proportionately more difficult, time-consuming and costly to implement.
Many companies rule out ISO27000 as being too onerous or disproportionate to the risks they need to address. This is sometimes reasonable and justified, but it is rarely a decision made on hard facts. It is, however, increasingly the case that ISO27000 is the right destination, most particularly for organisations which process personal or sensitive personal data, or which process data on behalf of others. The challenge for such organisations is to implement the wide-ranging changes needed as simply and cost-effectively as possible.
Cardinia has guided some clients to Cyber Essentials first. There is no incompatibility between Cyber Essentials and ISO27000; Cyber Essentials can be used as baby steps towards the broader, more pervasive standard.
Whichever route you choose, baby steps via Cyber Essentials or straight to ISO27000, Cardinia is your trusted adviser, preparing you for implementation and assessment.
[1] Ransomware encrypts files and demands a ransom in return for a decryption key. As the encryption used is very strong, breaking it is not usually an option and victims must either restore from backups or pay the ransom. Not infrequently, backups are found to have been encrypted too, because they were reachable from the compromised systems; backups kept offline, or otherwise unreachable from production systems, are the effective defence. Where no usable backup survives, payment of the ransom may be the only remaining option, and even then receipt of a working decryption key is not guaranteed.
[2] In a whaling attack (also called CEO fraud), an attacker researches relationships and identities within a company and then forges an email, usually “from” a Chief Executive or Finance Director and sent to someone authorised to make payments, such as a Financial Controller. The email asks the victim to make an urgent payment to a nominated bank account, with a promise that all will be made clear when the sender returns from an off-site meeting. Companies which make these payments rarely, if ever, recover the money, and the theft of substantial sums (up to six figures) is not uncommon.
[3] Microsoft Office 365 and G Suite (formerly Google Apps).
[4] Collectively often referred to as the ISO27000 series, or 27k.