Archives for September 2015

Incident Response

As part of the Cyber Academy ‘Cybercrime Investigations & Incident Response Bootcamp’, our CEO David Stubley will be delivering training to UK Law Enforcement. For more information on our approach to incident response, please visit our site.

Cyber Essentials Questionnaire Guidance

Providing relevant and detailed answers along with supporting evidence is key to a successful Cyber Essentials submission. As such, we have issued the following Cyber Essentials questionnaire guidance.

As a recommendation, we would suggest the following approach be used:

1. Use the comments field to provide narrative that supports the statement.

2. Where appropriate, use additional evidence to back up that assertion.

3. Additional evidence should be included within a separate folder and where possible the file name should reference the question to aid in easy navigation.

4. Where a policy statement is used to support an assertion, the policy should be included within the evidence folder. The comments section should clearly reference the exact location of the policy statement and where possible the relevant paragraph should be included. This should then be backed up with evidence of use, such as screenshots.

5. If you do not feel you fully comply with a certain question, then provide a detailed answer describing what the business does have in place, together with any mitigating reasons as to why it is not possible or feasible to fully comply with that particular Cyber Essentials requirement.

To illustrate this, we will use question 13 from the questionnaire.

Q: Is a standard build image used to configure new workstations, does this image include the policies and controls and software required to protect the workstation, and is the image kept up to date with corporate policies?

A robust response within the comments field would be:

A gold build is used to deploy machines within the estate. Each machine is built using the most up-to-date gold build and is then tested to confirm there were no issues during installation. Once this has been completed, the machine is added to the Active Directory and all relevant GPOs, such as those pertaining to updates, permissions and password policies, are applied. At this stage the machine is ready to be introduced to the network for use by an end user. Evidence of this process can be seen in the following screenshots and policy extracts:

IS Policy ‘Section 4, page 2’: “All IT assets will be built using the authorized gold build”.

Screenshot ‘Question13-a’: a list of authorized software deployed as part of the gold build.

Screenshot ‘Question13-b’: evidence of the machines within the Active Directory.
For more information regarding our Cyber Essentials services, please visit the following page.

Keeping cool in a crisis – Incident Response

Back in January 2015, SC Magazine published my article on keeping cool in a crisis. With the ever-increasing portfolio of breached organisations, maybe it is time to revisit that advice again?

In today’s world it is inevitable that organisations will suffer cyber-attacks. When an organisation is attacked, its incident management procedures will be key in sustaining the company through the crisis. However, with large scale breaches continuing to cost organisations and individuals dearly as well as hit the headlines, more could be done to improve incident management procedures.

Preparation is key to any planned response, but it can be difficult for organisations to anticipate what will be required in the event of an incident. For many organisations, incident response procedures plan to tackle scenarios identified through business continuity risks or following internal incidents. Procedures are often completed or reviewed as part of an annual business planning process by those with a focus on the business. This results in an introspective focus that can leave incident management procedures lacking.

An introspective focus does not effectively anticipate the full suite of scenarios that an organisation may face in responding to an incident. Such an internal emphasis does not take into account the evolving threat landscape or the changing external environment in which the organisation operates. Without placing incident response measures in this dynamic external context, organisations may find their response measures are lacking in the face of current attacks.

Learning from others

Of course, gaining information about factors external to your organisation, such as threats, is often an insurmountable challenge, but organisations have an opportunity to carry out reviews of the breaches of their competitors or other organisations similar to their own.

Groups conducting attacks, whether for financial gain or other motives, will frequently use the same methods of compromise. This has clearly been demonstrated in the recent attacks on electronic point of sale systems in the US retail sector and the ongoing use of targeted phishing emails to gain access to corporate networks. Earlier attack trends, such as the use of SQL injection or memory-scraping malware, are further examples of attack methodologies being reused. The use of similar methods by attackers means that organisations have an opportunity to identify attack approaches and vulnerabilities that could be applicable to them. Organisations should therefore look to use the experiences of others within their sector to enhance their own incident management procedures.

While it is accepted that the full details of an incident will not be publicly available, many industries have information sharing forums, and employees build up relationships with their counterparts in other organisations. It is likely that an organisation will be able to garner sufficient information to identify the vulnerabilities exploited by attackers and the key attack vectors. This information can be used to review the incident and determine whether the organisation is itself vulnerable to such an attack. In short, organisations should conduct a post-incident review of the incidents that impact other organisations.

Using the information available, an organisation can identify potential attack scenarios and whether they are likely to be breached as a result. By playing out these scenarios within the context of their own environment, organisations will be able to identify if they have compensating controls in place or where they may be required. Once compensating controls are in place organisations can then test their effectiveness in the context of these scenarios and therefore gain assurance that they are not exposed to the attacks their peers have suffered.

This process may be assisted by experts such as security testers, who are ordinarily external to the incident response planning process. Penetration testers can provide insight into the scenario planning and assessment process; by the very nature of their jobs, they are skilled at identifying and understanding attack vectors. By using such experts, organisations will be able to add more rigour to their assessment of scenarios as well as challenge preconceptions. Ultimately this will result in a more resilient approach to incident response.

In summary

Reviewing the incidents of others will enable organisations to anticipate the types of attacks they may be vulnerable to and prepare for them, ultimately keeping cool in a crisis.

By keeping abreast of the threat landscape, spotting trends within relevant industries and reacting to the external environment, organisations will be able to plan effectively for incidents, if not reduce the likelihood of a successful attack. Should an attack occur, organisations will have more resilient incident response measures in place with which to tackle these anticipated threats. By learning from others’ misfortunes organisations may be able to avoid the pain of going through a similar experience.

Click here to find out more about our approach to incident response.