What does a Cyber Security Consultant do?
So, the words Cyber Security Consultant get bandied around easily, yet many of us don’t even understand what a Cyber Security Consultant does. I will use an encounter I found myself in recently with a client who wanted the services of a ‘Cyber Security Consultant’ to illustrate it.
The client in question I will refer to simply as ‘the client’. It is a small business of around 25 users working in ecommerce. In simple terms, they sell products online and provide fast delivery on items that are required, even on the very same day.
This business has 2 key challenges to understand –
- Even the slightest downtime can be detrimental to the client, and nullify their competitive advantage of same day delivery.
- The nature of an online-only business means the brand exists only online – there is no bricks-and-mortar building for customers to visit. The brand value that has been cultivated so carefully over the last 3 years, with painstaking marketing campaign after campaign, can all too easily be destroyed by the simplest phishing email.
For context, we need to be aware that the client is receiving around 500 phishing emails per day, with around 2% of phishing emails getting past the filters. That is around 10 emails per day.
While this may seem low, even the best Security Awareness Training delivered to staff won’t guarantee that no employee will ever click a phishing link. After all, humans are always the weakest link in computer security.
The C-level executive of this client expressed his concerns about the potential downtime that may occur from a breach, the customers’ loss of confidence in the company, and the related outcomes that all follow from a breach.
In order to help the client, we had to develop a strategy that incorporated a greater level of Cyber Security. There isn’t a silver-bullet, one-size-fits-all approach to this – we needed multiple layers of defence.
Cyber Security 101: The strategy
Naturally, the first step we took was a full Network Audit to ascertain the technicalities and to ensure the network was in good shape. Once those things had been checked off and we were happy we had a solid baseline to build upon, we started to work through the critical business processes. We set about creating a strategy that would improve the client’s security baseline significantly – sometimes this can be done in a few simple steps, sometimes not.
We generally work through threats on a severity basis, then focus efforts on the area the business is most likely to receive a threat from. We worked through the network systematically and observed how users accessed applications and the web, amongst other things.
The client regularly receives legitimate emails from international companies – and with this a whole host of external phishing emails too. This was determined to be our client’s most severe threat, and also the one most likely to happen.
Sending phishing emails from international domain names is an extremely common technique. What’s more, the phishing emails had been sent from new email addresses created just for this purpose – no reputation-based spam filter would have a chance of detecting these.
These emails are the scourge of Cyber Security Professionals’ existence, as a first line of defence (Office 365 spam filtering in this instance) is very unlikely to block them unless the domain name within the web link is already marked as malicious in a database somewhere.
A good course of preventative action for the human element in this particular occurrence is Security Awareness Training – which the client already had in place – it is always rather refreshing to see that a business is taking Cyber Security hygiene seriously. However, management deemed the remaining risk to be too high.
Implementation of Safeguards
As the problem involved something that could not be stopped with any level of certainty, we looked to implement a next-generation endpoint anti-malware solution with a web application blocker. This is a good start and something that was lacking – a huge improvement over the standard Windows Defender antivirus.
We pushed forward to enhance the level of protection by setting up Advanced Threat Protection in Office 365, which supplements our endpoint web app blocker very nicely and allows attachments and URLs to be detonated in a cloud sandbox – a bit like a sandpit for naughty files.
Combining these 2 solutions lowered the phishing threat substantially. Outlook also has some inbuilt security features which are often left at their default settings. Setting Outlook not to download pictures and images from external sources it is not familiar with helps to prevent phishers from learning that you have received their email and opened it.
Our client also had a particular sensitivity to a threat involving Excel spreadsheets – they received a tremendous number of these every week from external sources. With management’s blessing, it was deemed highly desirable to disable macros within Excel spreadsheets in case an employee actually fast-clicked a malicious attachment. Alongside this, we armed Outlook with a feature that renames the last 3 letters of any potentially malicious file extension, which prevents Excel spreadsheets received from external sources from opening easily.
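The two endpoint-side controls just described (Outlook not fetching external content, and macros disabled in Excel) are ordinarily rolled out as Office Group Policy registry values. The script below is an added example, not the article’s or the client’s own roll-out script, and it assumes Office 2016/2019/Microsoft 365 Apps (the "16.0" registry hive) and that the policy locations under HKCU\Software\Policies are honoured by the installed build; the extension-renaming feature is a third-party add-in and is not reproduced here. The function names are hypothetical.

```powershell
# Added example (not from the original article or its client). Assumptions:
#   - Office 2016/2019/Microsoft 365 Apps, which use the "16.0" registry hive.
#   - Group Policy registry locations under HKCU\Software\Policies\... are honoured.
#   - The "rename the last 3 letters of the extension" feature is a third-party add-in
#     and is not reproduced here.
# Run in the user's context during the gradual roll-out, or from a logon script.

function Get-OfficePhishingHardeningSettings {
    param([string]$OfficeVersion = '16.0')

    $outlookMail   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    $excelSecurity = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"

    # Each entry: where to write, what to write, and why the control is there.
    @(
        [pscustomobject]@{
            Path  = $outlookMail
            Name  = 'BlockExtContent'
            Value = 1
            Why   = 'Do not auto-download pictures/external content in HTML mail, so a tracking pixel cannot confirm the mailbox is live and the message was opened'
        }
        [pscustomobject]@{
            Path  = $excelSecurity
            Name  = 'BlockContentExecutionFromInternet'
            Value = 1
            Why   = 'Block VBA macros in workbooks carrying the Mark-of-the-Web (emailed or downloaded from outside the organisation)'
        }
        [pscustomobject]@{
            Path  = $excelSecurity
            Name  = 'VBAWarnings'
            Value = 4
            Why   = 'Disable all macros without notification (4); use 3 instead if the business needs digitally signed macros'
        }
    )
}

function Set-OfficePhishingHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OfficeVersion = '16.0')

    foreach ($s in Get-OfficePhishingHardeningSettings -OfficeVersion $OfficeVersion) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set DWORD to $($s.Value)")) {
            # -Force creates any missing intermediate keys and overwrites an existing value.
            New-Item -Path $s.Path -Force | Out-Null
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-OfficePhishingHardening {
    param([string]$OfficeVersion = '16.0')

    # Read each value back and report drift, so every machine can be checked after roll-out.
    foreach ($s in Get-OfficePhishingHardeningSettings -OfficeVersion $OfficeVersion) {
        $actual = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty $s.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

# Usage: preview with -WhatIf, apply, then verify. The verification table is what the
# part-time IT person can tick off in the roll-out checklist for each machine.
Set-OfficePhishingHardening -WhatIf
Set-OfficePhishingHardening
Test-OfficePhishingHardening | Format-Table -AutoSize
```

The check-and-balance mechanism the article calls for later is the `-WhatIf` dry run before applying and the `Test-` function afterwards; because these are per-user policy values, the script has to run once in each user profile rather than once per machine.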
Our client had an available, helpful part time IT person who worked happily through the safeguard implementation on each machine using our suggested roadmap and techniques.
Given that all of these safeguards were provided with a gradual roll-out plan, our client had minimal disruption. Although these controls may seem basic individually, once combined they create a substantial barrier to phishing and malicious emails.
When we look at the controls in place, we can give a qualitative rating on the mitigation measures we have put in place – it’s very hard to assign a £ value to this.
Long term, the solution is permanent and the client is happy with the safeguards.
What we can learn from this
Our client requested a consultation from a qualified Cyber Security Consultant for a small project. It has been a particularly interesting one because there has been such a strong focus on one particular threat vector.
- Don’t assume a single silver-bullet solution exists – sometimes anti-malware products may claim it does, but the reality is far different. Defence in depth is always the key to Cyber Security success.
- Making changes to endpoint machines is time consuming; ensure you have the manpower available.
- A sound Cyber Security methodology is always based on multiple layers of security.
Preventative is always better than cure, but this does not mean throwing everything including the kitchen sink into the mix. You need to select technical controls that won’t have a detrimental effect on user productivity – and all changes need a check and balance mechanism.