News & Events
One Compliance on the Move
Here at One Compliance things are definitely on the move, in more ways than one, starting with our swanky new offices in the heart of Leeds, Yorkshire’s (and arguably the North’s) most vibrant city.
With plenty of room to expand in line with our ambitious plans, the bright, modern environment is the perfect home from which to grow the business into the go-to name for everything compliance-wise (the clue is in the name!) in the cyber-security sector. With a bright new website to match, all is set to build on the success achieved in the two short years since our launch.
Simon Woods, One Compliance Sales Director, said: “Cyber-security continues to be the number-one concern for any organisation that takes its responsibility for protecting its corporate and client data seriously. With new and ever more sophisticated threats appearing at a relentless pace and new regulations forcing companies to invest in their network protection, we are well placed to provide the professional services they need to avoid becoming the next data-theft headline story.
Our new offices give us the platform from which to keep growing and meet both the regional and national demand for our specialist services.”
Let’s be honest, no business actually wants the hassle and cost of regularly testing that its network security controls are up to the task of protecting its corporate assets. Without the threat of serious financial penalties hanging over them, penetration tests would probably be way down the list of priorities for most organisations. So it is understandable that, when that time of year comes around again, there is a temptation to look for a quick fix that gets the tick in the box saying they are OK for another 12 months. Or, possibly even worse, to simply believe that because the network is in the cloud or looked after by an MSP they don’t need to worry. Outsourcing the infrastructure does not outsource the accountability: the data, and the regulatory duty to protect it, still belongs to the client.
The problem with that approach is that it can easily turn out to be a false economy. In the world of network security there is no such thing as a quick fix when it comes to assessing every aspect of a multi-faceted network infrastructure, particularly when clients often don’t know what is on their network to start with. Factor in other common shortcomings we frequently come across, such as the lack of an enforced BYOD policy and outdated software, and the scale of the task for the pen-tester can grow rapidly, along with the cost of the project.
Unfortunately, in that type of environment it is easy for a less scrupulous tester to find one or two exploitable vulnerabilities to put into the report. That may go some way towards convincing the client that the job has been done, but it has minimal value for the long-term security of the network, because the vulnerabilities that were never looked for remain in place. Yes, the company may be lucky and avoid a serious breach, but is that worth the risk of a major fine, or of operational disruption that could be even more costly in lost production, if a black hat decides to exploit the missed vulnerabilities?
In the end, a penetration test doesn’t need to be a major exercise involving additional costly man-days of specialist consultancy, provided that the client has done the basics right in the first place. That starts with knowing exactly what is on the network by maintaining an up-to-date asset register; there are plenty of tools that can do the heavy lifting on this. It also means regularly scanning for known vulnerabilities between the full-blown pen-tests, which can be fully automated or remotely managed if in-house resources are stretched. Vulnerability scans are a good way of identifying and remediating potential weak spots as part of a routine, triaged maintenance programme, and they should really be part of any security best-practice policy. The scan is not a substitute for the pen-test, though: it finds known, signature-matched weaknesses, whereas the tester finds the chains and logic flaws that no scanner signature covers.
If clients implement these basic procedures of scoping, scanning and remediating vulnerabilities, they need not look to cut corners when it comes to the pen-test proper, and they can be confident that their networks are operating in line with the security standards they are measured against without incurring excessive consultancy costs. A win-win situation.
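The scoping, scanning and remediating routine above is the kind of thing that is easy to describe and easy to let slide. The following is an added illustration, not One Compliance’s tooling or any client’s data: it takes a constructed asset register and a constructed set of scan findings, flags hosts that the scan found but the register does not know about (the “don’t know what is on their network” problem), flags registered assets the scan never saw (a scope gap or a decommissioned box nobody removed), and triages the findings against remediation SLAs. The SLA windows and the CVSS bands are assumptions chosen for the example; a real programme would take them from its own policy.

```python
"""Reconcile a scan against an asset register and triage findings.

Added example. All hosts, owners, findings and SLA windows below are
constructed for illustration and do not describe any real network.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Constructed asset register: what the client *believes* is on the network.
ASSET_REGISTER = {
    "10.0.1.10": {"hostname": "web-01", "owner": "ecommerce"},
    "10.0.1.11": {"hostname": "web-02", "owner": "ecommerce"},
    "10.0.2.20": {"hostname": "db-01", "owner": "platform"},
    "10.0.3.5": {"hostname": "hr-fileshare", "owner": "corporate-it"},
}

# Agreed scan scope. Anything outside it is reported separately, not triaged.
SCOPE = [ipaddress.ip_network("10.0.0.0/16")]

# Assumed remediation SLAs in days per qualitative severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    ip: str
    title: str
    cvss: float
    first_seen: date  # first date this finding appeared in a scan


# Constructed scan output: generic weakness classes, not specific advisories.
SCAN_RESULTS = [
    Finding("10.0.1.10", "TLS 1.0 enabled on HTTPS listener", 5.3, date(2019, 9, 1)),
    Finding("10.0.1.11", "Web server version disclosure", 2.6, date(2019, 10, 20)),
    Finding("10.0.2.20", "Database port reachable from user VLAN", 7.5, date(2019, 8, 15)),
    Finding("10.0.4.77", "Unsupported OS, vendor patches ended", 9.8, date(2019, 10, 25)),
    Finding("10.0.4.78", "Unsupported OS, vendor patches ended", 9.8, date(2019, 10, 25)),
]


def severity(cvss: float) -> str:
    """Map a CVSS base score onto the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def in_scope(ip: str, scope=SCOPE) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def unregistered_hosts(register, findings, scope=SCOPE) -> list:
    """In-scope hosts the scanner saw that the asset register does not list.

    These are the hosts that inflate a pen-test's scope at the last minute.
    """
    seen = {f.ip for f in findings if in_scope(f.ip, scope)}
    return sorted(seen - set(register), key=ipaddress.ip_address)


def unseen_assets(register, findings) -> list:
    """Registered assets with no scan result at all: offline, decommissioned
    but never removed, or simply outside the scan's reach. Each needs a reason."""
    seen = {f.ip for f in findings}
    return sorted(set(register) - seen, key=ipaddress.ip_address)


def triage(findings, today: date, sla=SLA_DAYS) -> list:
    """Rank findings: SLA-breaching ones first, then by CVSS descending."""
    rows = []
    for f in findings:
        band = severity(f.cvss)
        age = (today - f.first_seen).days
        rows.append({
            "ip": f.ip,
            "title": f.title,
            "cvss": f.cvss,
            "severity": band,
            "age_days": age,
            "overdue": age > sla[band],
            "registered": f.ip in ASSET_REGISTER,
        })
    return sorted(rows, key=lambda r: (not r["overdue"], -r["cvss"]))


if __name__ == "__main__":
    today = date(2019, 11, 4)
    print("Unregistered hosts:", unregistered_hosts(ASSET_REGISTER, SCAN_RESULTS))
    print("Registered but not scanned:", unseen_assets(ASSET_REGISTER, SCAN_RESULTS))
    for row in triage(SCAN_RESULTS, today):
        flag = "OVERDUE" if row["overdue"] else "within SLA"
        print(f"{row['ip']:<12} {row['severity']:<8} {row['cvss']:>4}  "
              f"{row['age_days']:>3}d  {flag:<10} {row['title']}")
```

Run between full pen-tests, the two reconciliation lists are the most useful output: every unregistered host is either an asset to add to the register or something to pull off the network, and every registered asset the scan never reached is a question for whoever owns the scan scope. The triage table then gives the maintenance programme its ordering without anyone having to argue about which finding to fix first.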
Halloween is over and the clocks have gone back, so it must be time to dust off the baubles and lock down your network ready for the biggest online sales event of the year, otherwise known as Black Friday. I can see the sense in thinking that not making any changes to your eCommerce infrastructure at the busiest time in the shopping calendar is a good idea. However, to the hacker community this is like an open invitation to do their worst. Stopping all changes to your network also means accepting that any critical vulnerabilities present at the cut-off will be locked in and remain unfixed for the two to three months of shopping madness. To make it worse, many organisations decide that, in addition to the change freeze, it is a good idea to relax some of their security controls to speed up access for hundreds of frenzied customers who are straining the bandwidth and won’t wait an additional millisecond for pages to respond. A control relaxed for the peak season should have a date on it for being put back, or it quietly becomes the new baseline.
It is probably too big an ask to expect online businesses to ditch their change freeze policy completely, but if they are going to keep one it would be a sensible move to factor in time for at least a final vulnerability scan, if not a full penetration test, before the cut-off date. The freeze itself should also carry a documented exception route for critical security fixes, so that a flaw found in week two of the freeze is not simply left open until January. That way they can be reasonably confident that anything hyper-critical is fixed before the hackers decide to help themselves to an early Christmas present.