Cyber Security Audit Case Study
Shining Tor Ltd were unfortunate enough to have suffered a major data breach in August 2018 where 500,000 of their customers’ accounts were compromised in a hacking attack.
Romano Security Consulting were invited to conduct a Basic Cyber Security Audit at Shining Tor’s London offices in September 2018, with the purpose of assisting the Senior Management team in developing a strategy for managing their cyber and information security.
Romano Security Consulting held an initial scoping call with Shining Tor’s CEO to establish their requirements and to gather some further details around the August hacking attack.
Following the scoping call it was decided that given the relatively low level of security maturity within the organisation that Romano Security Consulting’s recently developed Basic Cyber Security Audit service offering would be the best fit for the organisation. This was agreed with the CEO and a statement of work was signed off.
The Basic Cyber Security Audit has been devised to specifically focus on evaluating an organisations cyber security risks in 3 main areas people, processes, and technology and provide high level recommendations on how identified risks can be speedily mitigated. This entry-level security audit is particularly valuable to organisations who have yet to evaluate and document their risks, vulnerabilities and threat exposure.
The Basic Cyber Security Audit is based around the ISO 27001, SOC 2, Cyber Essentials and industry best practice.
The audit began with a detailed overview of the organisation, its IT infrastructure and a detailed account of the hacking attack that occurred in August 2018.
The CEO and several of the functional managers including the Development, IT and Operations Managers were interviewed during the security audit.
The following Non-Technical and Technical control areas were covered during the audit:
Cyber and information security Governance, Data Security, Cyber Risk Management, Training and Awareness, Legal, Regulatory and Contractual Requirements, Policies & ISMS, Business Continuity and Incident Management, Physical Security, Third party Supplier Management, Secure Development
Hosting, Secure Configuration, Network architecture, Secure Perimeter – Firewalls, IDS, data exfiltration, Anti-Malware, Access Control, User Privileges, Mobile devices, mobile working and removable media, Security Monitoring
Findings and recommendations were made during the security audit as and when they were identified.
A sample of the recommendations made following the security audit are below:
Assign accountability and responsibility for security to an individual or individuals
Compile a high level risk register, Develop a suitable risk management framework, Conduct a risk assessment at regular intervals the organisations assets and apply controls applied where applicable
Provide security awareness training to all staff on induction and communicate security updates at regular intervals
Implement a door pass card system, Implement a clear desk and clear screen policy, Secure unattended offices, server rooms and filing cabinets
Document and communicate an incident management process, Document incident response plans for different scenarios
Carry out third party risk supplier risk assessments
Implementation of the required controls to comply with the GDPR regulations
Establish ownership and administrative control of the external firewall, Purchase and deploy a suitable internal firewall (hardware or software)
Document and implement a patching policy for all hardware and applications, Check AV is currently up to date on all devices
Introduce RBAC (role based access) for Dropbox (internal and external), Document and review user access for all applications,
Encrypt all mobile devices and removable media
Avoid storing un-encrypted customer data (locally), Encrypt all data in storage and transit
The following high level recommendations were made:
Implementation of ISO 27001:2013 and Cyber Essentials and regular penetration testing
A summary report was provided to Shining Tor’s CEO following the audit and a follow up call was arranged with Romano Security Consulting to walk through the findings and recommendations.
Romano Security Consulting are currently assisting Shining Tor in their audit remediation and the implementation of ISO 27001. Regular penetration testing is now being carried out on Shining Tor’s IT infrastructure.