Cyber criminals launch daily attacks on UK universities and colleges, so building defences is essential. But how do you know that security measures in place are good enough?
Is the staff well trained to spot phishing emails, protect passwords and challenge strangers? Will the firewall hold? Is the anti-virus software doing its job?
At present, the level of security capability varies across the sector and it’s our aim to support all our members to achieve a common, high standard. Firstly, it’s important to know the risks; the weak spots which malware, or criminal hackers can exploit to disrupt or bring down a network, steal data, or extort money.
By far the most comprehensive method of testing security resilience is to recruit people with the same skills as would-be criminals, but who choose to stay firmly the right side of the law. In other words – ethical hackers. And we have just recruited two of them.
As adults, Matthew and Danny are paid to infiltrate security systems, both via the internet and physically. Danny, in particular, could be an excellent burglar. His last role involved attempting (with permission) hack and con his way into multi-nationals and banks, gathering intelligence, sweet talking his way past security guards, acquiring security passes and moving around the offices posing as an employee, breaking into drawers and sealed-off areas, including the server room. This method of assessment, known as Red Teaming (playing the bad guys) exposes all security risks that leave an organisation open to criminal intent, including industrial espionage.
But Danny became disillusioned with the money-spinning corporate world and is delighted to be working for a charitable organisation. He explains:
“The security industry has exploded across the world and not always for the better. At Jisc there are lots of people who work here because we are a charity and I like the fact that, because we are impartial, we are not trying to sell fear. Our objective is to improve standards, not to make a profit.
There’s no reason for us to lie about our capabilities or to provide less than we can achieve. That’s very attractive to me and one of things that drew me to Jisc.”
Danny has been part of the hacking community for years and will be using his experience to provide a security assessment service and working alongside Matthew on the penetration testing service (vulnerability testing and advice) that we’ve now brought in-house.
Danny also has an interest in research and development and the kinds of products and service we may offer in the future. Nothing is certain yet, but he’s full of ideas.
“We’ve always worked with institutions to provide information on threats that they might be facing and I’d like Jisc to build on this to provide even more detailed threat intelligence so members can make more informed choices. With Jisc as the trusted partner, there’s a good opportunity to share members’ experience.
Jisc is well thought of and, as such, is very well placed to solve security problems for the sector and provide tailored solutions.”
Matthew, who joins us from managing the penetration testing (or 'pen' testing) team at a commercial TV giant, is taking the lead with our pen testing service, which is proving popular.
“Pen testing is already very much in demand at Jisc. It’s just me right now, but we are going to be growing this service. Danny has a pen testing background too, and will be helping with that and we have other in-house talent interested in learning more, too.”
On the basis that prevention is better than cure, Matthew advises all organisations to conduct pen testing as a matter of routine, although the timing and frequency will differ. He explains:
“There are several triggers for pen testing: when something new is deployed, or developed, and some organisations then like to do it annually, to make sure that a system is OK, but anything relating to bank card payments needs to be done quarterly and there are regulations around that.
There are other triggers too, for example if a company gets hacked or a company they know is hacked, that makes people nervous. Further reasons may include migrating to a cloud-based solution, moving from one data centre to another, or any physical moving of systems, installing new software, or a new firewall, or adding new features to existing software, such as its ability to use mobile phones.”
The foundations of Matthew’s skillset were laid a long time ago, but the ever-changing technology landscape presents an irresistible challenge to someone who’s paid to circumnavigate security features.
“I taught myself to use pen testing tools as a teenager and I still use them today, although I’m always having to upskill. The aim is to use a mix of technical and creative tools to find ways of doing things with computers which would otherwise, at least to most software developers, appear to be huge endeavours.
I come up with cheeky little hacky methods and it’s a challenge that I relish. Finding my way around new technology is the fun thing for me and there have been very few occasions when I’ve been asked to test something and I can’t find a way to get around it.
But it’s not just online systems we can check; one customer wants me to call people on the phone and see if I can get passwords out of them – that’s a very blunt example of the social engineering we sometimes end up doing.”
While Danny and Matthew have very particular skills, there’s a wealth of knowledge and experience, products and security services that members can take advantage of.
For more advice about penetration testing, contact our professional security services manager Charlotte King ([email protected]).
Finally, remember to book your place at our security conference, which takes place in Manchester on 8-9 November 2017.