Red Team Readiness Assessment

I am seeing lots of “debate” about the value in red teaming, so I thought I would put together my thought process of how I look at as a broad stroke when I consider a generic starting position in an organisation. When I’m defending a business, I tend to ask myself (and the team/customers etc.) these kind of questions (they are not exhaustive):

Do you have a good understanding of your Enterprise Architecture?
Do you understand your service architectures?
Do you understand your security architecture/s?
Have you done an asset discovery exercise?
Have you modelled data flows?
Have you conducted security hardening of the environment/scope?
Have you done vulnerability assessments?
Have you done penetration testing?
Have you done control on/off testing?
Have you got a defensive security capability/team?
Have you reviewed your monitoring capabilities against common and known exploitation paths?
Do you need/want external help to understand your posture, capability strength and detection and response capabilities?

If yes to all the above: Conduct a red team exercise!

If no consider this question:

Do the key stakeholders understand the value of investing in security? If they don’t and you can’t secure resources to do the first tranche of activities, you may want to conduct an offensive security testing exercise to demonstrate the value in having a good security posture. This however may not be the only route, you may simply need to do a contract review and understand the delta between contractual requirements to customers and the current state of an organisation, the revenue/income loss risk (let alone the potential legal costs) may be enough to tip the scales and change mindsets (there is never “just” 1 path that works for every organisation or scenario).

“Understand and review before pew pew!” – mrr3b00t

Almost everything in life “depends”. I would however not want to have my ass kicked by an external team if I didn’t have a handle on the current state, resources to defend and had already invested in creating a strong defence (unless I was struggling to get investment. then f*ck it, pew pew all the way home!)

Leadership

UK laws and cyber security considerations for business

I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:

Data Protection Act 2018
Freedom of Information Act
Communications Act
Computer Misuse Act 1990
Investigatory Power Act 2016 (IPA)
Theft Act 1990
Terrorism Act 2000
The General Data Protection Regulation (GDPR)
The Privacy and Electronic Communications Regulations 2003 (PECR)
The Regulation of Investigatory privacy Act 2000 (RIPA)
Official Secrets Act 1989 (OSA)
Companies Act 2006
Copyright and Design patents Act 198
Trademarks Act 1994
The Malicious Communication Act 1988
Forgery and Counterfeiting Act 1981
Police and Criminal Evidence Act 1984
Contracts (Rights of Third Parties) Act 1999
Fraud Act 2006
Network and Information Systems Regulations 2018 (NIS)
Telecommunications (Security) Act 2021
The Bribery Act 2010
Freedom of Information Act 2000
Defence of the Realm Act 1914

can you think of any others that I should add?

Thanks Gary and Kevin and the other AVIS I can’t name for inputting!

Education

Information Security Risk Management

I wrote this in 2018 and don’t believe it ever made it to the interwebs, so I’m basically posting as is with an extra section for some useful links! Hopefully it still stands the test of time!

Risk Management doesn’t have to be risky!

Risk assessments are complex, they require cross domain knowledge and generally do not deal in absolutes. Threats, vulnerabilities and asset intelligence is combined, weighed and assessed, leading to the construct of a risk assessment document. It can be easy to overcomplicate this process, which in turn (in my experience) often leads to far wider reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to clarify what I’ve seen work out in the field. So, to start with let’s try and align on what exactly a risk is.

Defense

Broadband Routers

When it comes to digital technology, we have to consider many things.

Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:

What does a typical consumer care about?
What security and privacy considerations could be made?

A typical consumer may be about:

Availability
Cost
WIFI Coverage
Performance
Ease of Use
Ease of Support/Troubleshooting
Style/Looks
What happens if it breaks?
Can I stop my kids messing with it? (Probably not so why bother)