News & Updates


CREST Accreditation


Fortis is delighted to announce that we have recently become a CREST accredited penetration testing company. After a rigorous application process that assesses virtually every aspect of our business and validates the knowledge, skills, and experience of our team, we are now officially recognised as a leading provider of penetration testing services.


What is CREST?


CREST is a not-for-profit accreditation and certification body that represents the technical information security industry and was established in response to the need for more regulated professional services. It is now a globally recognised cyber assurance body for the technical security industry, covering a variety of information security services, including penetration testing.




Why should you choose a CREST-accredited service provider?


A quick search of the web will produce a list of numerous providers offering pen testing services. The big question is how do you choose between them, and which ones are reputable and trusted partners who consistently deliver high quality services using suitably qualified and experienced security professionals?


All CREST accredited companies undergo a comprehensive application process with everything from security testing methodologies, resources and reporting to information sharing and data storage independently assessed by CREST. Therefore, choosing an accredited company for pen testing gives you the added assurance that all their policies, procedures and processes have undergone an independent and verifiable third-party assessment. You can also be certain that the services will be carried out using best practice and proven methodologies to ensure you have the necessary controls in place to identify vulnerabilities and prevent breaches and attacks.

CREST members are regularly updated with industry-leading guidance and developments, so as the threat landscape evolves and cyber-attacks become more sophisticated you can be confident that you are working with highly qualified individuals with up-to-date knowledge and skills, and the competence to deal with both the new techniques used by real-world attackers and the latest vulnerabilities.


The CREST code of conduct provides additional assurance that the company operates within the confines of a regulated industry and that you will receive a high-quality level of service, delivered in an ethical and professional manner.


CREST accreditation quickly and easily identifies your chosen provider’s commitment to robust and comprehensive security testing and, as CREST is a globally recognised body, working with a CREST accredited company gives your business greater international credibility. Using CREST accredited pen testers will also build trust and confidence in your company and reassure existing and potential customers that you take your responsibility to safeguard their confidential and privileged information seriously, further enhancing your reputation. In fact, using CREST pen testers is increasingly becoming a standard requirement in many highly regulated sectors.


In short, by working with a CREST accredited penetration testing company you ensure you are engaging a trusted, experienced, and professional organisation that undergoes regular and stringent assessment to give you complete confidence in your chosen provider.


Fortis’ comprehensive range of penetration testing services enables clients to identify, assess, and prioritise vulnerabilities and security flaws across their applications, APIs, platforms and infrastructure and our team of security professionals are skilled and experienced in identifying and mitigating vulnerabilities in even the most complex and sophisticated IT environments.



ISO/IEC 27001 is the international standard for information security management systems (ISMS) and was developed to help companies of all sizes, in any industry and virtually any country, systematically secure their confidential and business critical data. The framework helps organisations to implement a robust approach to information security and introduces controls across people (education and training), process (policies and procedures) and technology (systems and software) to effectively manage and mitigate risk and safeguard information assets.



So why should companies take the time to invest in ISO/IEC 27001 certification? Here we look at some of the major benefits:


  • Peace of mind – certification ensures all your company’s confidential data is secure, which may include financial records, intellectual property, and other commercially sensitive information, as well as employee and customer records.


  • Globally recognised – with 165 member countries, ISO 27001 certification is recognised all around the world and quickly and easily demonstrates your organisation’s commitment to information security.


  • Compliance – there are a growing number of complex laws and regulations relating to information security, and the threat of prosecution and/or huge fines for non-compliance is very real. ISO 27001 gives you the ideal framework to help your organisation manage its regulatory and legal requirements and stay compliant.


  • Enhances reputation – certification builds trust and confidence in your company and reassures existing or potential customers and stakeholders that you are committed to safeguarding their information, as well as other business critical and confidential data.


  • Competitive advantage – the additional credibility that certification brings can increase commercial opportunities and help your company win additional business and new customers from competitors who are not certified.


  • Greater security awareness – a joint ‘Psychology of Human Error’ survey by Stanford University and Tessian found that 88% of data breaches were caused by human error, 43% of employees had made a mistake that compromised cybersecurity and 25% of employees had clicked on a phishing email at work. Incidents such as these can have serious consequences for any business; however, ISO 27001 certification means far greater information security awareness amongst staff, which reduces the likelihood of an incident occurring in the first place.


  • Cost savings – the aim of ISO 27001 is to implement a robust ISMS to prevent security incidents from happening and with one survey reporting the average cost of a breach as $3.86 million in 2020 (https://www.ibm.com/security/data-breach) the cost of implementing ISO 27001 is likely to be minimal when compared to the potential financial impact of a breach.


  • Efficiency – business operations are streamlined as policies and procedures are all clearly defined and documented. In addition, by reducing the number of incidents, the overall disruption to day-to-day operations is minimised.


  • Futureproofing – the framework helps your business to continually review potential risks and weaknesses and implement appropriate controls that improve the way you manage your organisation’s information security.


The breadth of the Fortis service portfolio enables us to offer a variety of information security and risk management solutions and helping our clients to achieve the information security compliance standards they need to operate with confidence is just one of the areas in which we specialise.


From a simple one-off gap analysis against the ISO/IEC 27001 standard, through to complex multi-standard integrated management systems, Fortis offers comprehensive certification services that can be tailored to suit your organisation’s specific requirements. For more information about how Fortis can help protect your business please contact enquiries@fortiscyber.co.uk




Updated: Jun 30

A ransomware attack on a food-logistics firm in the Netherlands that caused six days of disruption to supplies at the country’s largest supermarket chain is thought to be the result of a vulnerability that was widely reported in March, when Microsoft revealed it had uncovered zero-day bugs being used to attack on-premises Microsoft Exchange servers.


The attacks are believed to have originated from a Chinese state-sponsored hacking group, who were able to access email accounts, exfiltrate data and plant malware to enable long-term remote access, as well as launch a new strain of ransomware.


The last 12 months have seen an explosion in cyber-attacks as criminal networks have exploited confusion around the pandemic and the opportunities created by the sudden mass transition to remote working. As a result, nearly 50% of organisations fell victim to some type of breach last year, and one of the fastest growing threats in cyber security is ransomware. Deep Instinct’s 2020 Cyber Threat Landscape Report found that ransomware attacks had increased by 435% in 2020.


Below, we look at some of the latest trends in ransomware and how it is evolving:


  • In the past ransomware attacks might have just resulted in data being encrypted, but we are now seeing a significant increase in data exfiltration – the unauthorised removal of sensitive data from an organisation’s network.


  • Exfiltration is also linked to the growth of double extortion attacks, where threat actors will look to maximise their chances of profiting from an attack. As well as encrypting confidential information and then demanding a ransom to decrypt it, cyber criminals will then either threaten to sell the data they have harvested, such as customer credentials, or release it into the public domain unless an additional fee is paid.


  • Ransomware groups are increasingly maintaining their own dedicated leak sites on the surface web or dark web, where they publish the confidential information of targeted organisations that are not willing to meet their ransom demands, or threaten to publish it there as part of a double extortion strategy.


  • Threat actors are now engaging in big game hunting, whereby high-value organisations that are most likely to lead to big pay-outs are specifically targeted. After an initial compromise, cyber criminals are no longer immediately deploying ransomware to a single device. Instead, they are taking time to understand the company’s operations, exploit additional vulnerabilities, exfiltrate data, and gain access to critical systems that will enable them to cause maximum damage by disabling the entire network.


  • Ransomware as a service (RaaS) is growing in prevalence as new, smaller variants become available on the dark web. These are usually offered via a monthly subscription service, as a one-off charge, or may involve sharing a percentage of the profit with the provider, but in all cases these business models are particularly appealing to hackers as there are low entry costs and minimal technical skills required to launch attacks.


  • We are also increasingly seeing new sectors targeted. Over the past year there has been a sharp rise in attacks on local government, hospitals, and other healthcare organisations, as well as educational institutions, with the University of Portsmouth reportedly having to close its campus just recently due to a ‘ransomware attack.’


Unsurprisingly, the cost of ransomware is growing, and it is not just limited to the financial costs of paying ransoms. There are a multitude of other costs that can result from an attack, such as the cost of disruption and lost productivity, damage to a company’s reputation, loss of customer confidence, and the possibility of legal costs and fines from regulatory bodies. All are in addition to any costs associated with incident response and remediation, which can be particularly significant for organisations with large networks and complex infrastructure.


With the frequency and sophistication of ransomware attacks predicted to grow significantly, companies need to take a proactive approach to protecting their business.


Alongside pre-attack activities to prevent ransomware from bedding into your systems, it is essential to ensure that a comprehensive and robust incident response procedure is in place. This allows the business to manage and minimise the damage of an attack and recover quickly, reducing the financial impact on revenues. In the event of a security incident, the immediacy and effectiveness of the initial response has a direct and significant impact on the level of disruption and costs to the business.





With advanced threats increasing rapidly, organisations also need to thoroughly investigate any Indicators of Compromise (IOCs) and breaches to help determine the cause and source of the incident and ensure that it has been dealt with effectively. It is possible a full digital forensics investigation could have helped the Dutch food-logistics company identify any indicators of compromise, identify exploitation activities and ensure no backdoors were left open to enable the hackers to access their network again and deploy ransomware.

Fortis offers comprehensive, certified and experienced Incident Response and Digital Forensic services that can be tailored to suit your organisation’s specific requirements, including investigations mentioned in this article. For more information about how Fortis can help protect your business from ransomware and other threats please contact enquiries@fortiscyber.co.uk
