Blogs

How an airport overcame budget challenges and achieved smarter, affordable cyber security testing during COVID-19

09.03.2021

James Mason, Enterprise Cyber

The COVID-19 pandemic continues to cause severe global economic and business challenges, the likes of which have not been seen in living memory. Of course, all of us have our own personal experience.

Many organisations facing staff and budget cuts, furloughing or significant revenue loss have found it tough to navigate their way through the crisis. In the case of airports, airlines and the travel industry, the impact of travel restrictions and enforced quarantining eliminated their ability to continue normal operations. Budgets in the travel industry have also become excruciatingly tight.

For these organisations to operate, survive and even succeed in spite of the pandemic, they suddenly switched their operating procedures to remote working and moved many processes online. This created a unique pressure point for them to reassess their security posture and rapidly identify any new vulnerabilities introduced by the rapid adaptation in working practice.

QinetiQ’s, Security Health Check Team (SHC) have been working with an airport (that I cannot name - sorry) throughout the pandemic, but I can share my experience of helping them through the changes they had to make to their highly secure environment during summer 2020.

A significantly reduced budget 

While working with the airport to understand their main priorities and challenges, it became clear that budget was a significant issue, yet they were still looking for robust assurances that their cyber-security posture was appropriate and covered them for the changes in ways of working the pandemic had forced them to adopt.

While QinetiQ offers large-scale, full-spectrum, red-team exercises, which typically include physical security breaches, phishing and social engineering, stealth-based attacks, etc mimicking the latest real world threats and attack paths to highly secure and cyber security mature clients, due to the current circumstances, a tailored, lighter touch approach was necessary, which would importantly also fit a significantly reduced budget

In early 2020, just as COVID-19 was beginning to hit the press, we launched a new cyber security testing service called Cyber Intrusion Exercise (CIE) as a more collaborative, cyber-only sibling to the Advanced Intrusion Exercise (AIE), our full-spectrum red-team service.  CIE is designed for medium-sized organisations and/or companies with a less mature cyber security posture, providing a cyber-only, red-team type exercise covering the entire cyber kill chain in a shorter time than AIE. CIE is therefore more affordable, but still gives senior management an end-to-end picture of their organisation’s latest security posture by answering key questions:

  • How do we generally look online?
  • How easy are we to compromise?
  • How easy would it be to exfiltrate data from our systems?

Due to many of the sudden issues the airport were experiencing, we worked closely with them to agree a change in our normal approach to deliver our CIE service instead of AIE.  The CIE would provide high levels of assurance, wide coverage and a collaborative approach, while delivering business value (something we always pride ourselves on focusing on when scoping requirements with our clients) in a shorter timescale.

We delivered the CIE within just one month in both remote and on-site phases, adhering to COVID-secure working practices at all times.

As we would have hoped, the airport’s security posture was found to be exceptionally high giving senior management and the board the assurance they were looking for. Furthermore, we met the overall brief quickly, technically and within budget. We did, however, identify some potentially critical issues around some simple misconfigurations.  These were quickly remediated and we evidenced in our report that even with the issues we found, the workstations, laptops and devices were still protected to a high level.

Is a lighter service any less meaningful?

In common with a larger-scope advanced intrusion or red-team exercise, a CIE delivers evidence-based findings and reports issues right through the cyber kill chain. Although some of the larger operational pieces of a red-team exercise are missing, a CIE provides a valuable cyber litmus test of your organisational security posture. We have proved that a single CIE can provide a much higher level of assurance and wider coverage, than a traditionally-scoped, project-led, compliance-driven penetration test – though these most definitely still have their place!

In short, a CIE can be typically delivered in approximately 1/3 of the time than a full-spectrum engagement, by using a collaborative approach with the client and therefore holding less potential apprehension and fear for some teams who haven’t tested this way before.  This is common and very natural before this type of exercise value has been delivered and it’s great to see the Information Security teams we work with perspectives change before, during and after concluding a CIE, as it becomes an important and valuable piece of their overall security strategy.

Not just for airports

Of course with an increase of remote targeted attacks during the crisis, possible cut corners from home-workers not working in their more secure office-based environment, perhaps rush-issued hardware not being adequately secured, CIE’s are not just valuable to airports but to organisations across all sectors who are likely to be suffering the same security challenges and with reduced budgets.

Some organisations we’ve spoken to have responded by approaching their security on an ad-hoc or postponed basis throughout the crisis, hoping that if a major breach occurred there would be some understanding that it only happened because of the pandemic. A very risky security strategy for multiple reasons you will probably agree and clearly unacceptable across many sectors with online dangers being greater than ever.

Medium-sized organisations of every kind often carry the same critical risks as their larger counterparts and are high-value targets because of their place in the supply chain, yet many are unable to consider a red-team exercise due to cost constraints.

There is no doubt, and that enforced changes have immediately increased critical security risks.  QinetiQ’s SHC team have continued to support our existing and new clients address their critical security concerns by delivering pen testing, red teaming, incident response preparedness, Cyber Intrusion Exercises, etc throughout the crisis.  This has spanned and is relevant to almost all sectors we work across.

Conclusion

Both large and medium-sized organisations have faced new challenges for security caused by actions they have taken to adapt to the pandemic. These have often come hand-in-hand with reduced budgets. CIE is a way to gain much of the value of high-end, full-spectrum testing that is normally only within the grasp of large organisations for less outlay. This is a great example of QinetiQ’s ability to adapt our services to the needs of our clients.

By closely working with our clients during the exercise, this can enable faster remediation and therefore a quicker increase in security posture. CIE’s provide Senior Management/Boards an end to end narrative, providing an organisational cyber litmus-test view of the current cyber security posture, providing a comparable before and after view, further demonstrating organisations higher assurance and maximising value of their security budget.

We’ll be talking about the applications of our CIE Service in our free upcoming webinar.  Sign up here.