Bdaily Special Feature: What is ‘ethical hacking’ and how can it benefit businesses?
As part of Bdaily’s latest feature, Cybersecurity Week, Matthew Neville, Senior Correspondent at Bdaily, sat down with our own CEO, Steve Spence. In their conversation, they touched on just what sets us apart from our contemporaries, and on our growth plans after our recent six-figure investment. Read on to find out more.
1. Firstly, can you tell us a bit about what Cognisys specialises in and how this benefits other businesses?
Cognisys is a boutique penetration testing company, specialising in “ethically hacking” computer systems. We search for vulnerabilities, misconfigurations, errors, and weaknesses, then exploit them in the same way that a cyber-criminal would.
The reason for doing a penetration test is to provide assurance in the security of an organisation’s information technology. In the event that we find security issues (which we always do), they are demonstrated as exploitable through a proof of concept, and then listed in order of potential severity and risk to the company, with remediation advice, so that they can be addressed.
We also deliver Governance, Risk and Compliance consulting, specialising in Cyber Essentials, ISO 27001, and Virtual CISO (Chief Information Security Officer) services.
Cyber incidents have been the leading risk to businesses worldwide from 2018 to 2023, even during the pandemic, so it’s vital that businesses take appropriate steps to secure their data, understand how they could, would, and will be attacked, and ensure they present the smallest attack surface possible.
2. How does the business’ approach differ on a client-to-client basis?
There is no one-size-fits-all approach. All businesses are different and have different operating limitations or requirements, with potential regulatory issues which may need to be observed, which vary from industry to industry.
What they do have in common though is a need to improve their cybersecurity to the point of acceptable risk. The trouble is most organisations are not fully aware of their ACTUAL levels of cyber vulnerability and therefore don’t know how much risk is posed to their business.
Even businesses that rely on their outsourced IT service providers to keep them safe have found that many general IT providers lack the specialist knowledge needed to unearth their weaknesses.
Although there are many commonalities, our Service Catalogue runs to around fifty pages, and therefore some organisations looking for niche testing find they can build a completely bespoke experience. They may also look to vary what they consume over a three-year period, interlocking all their security testing, so that they end up with a much stronger security posture.
3. Can you tell us about some of the more unique scenarios the team has used to test a business’ cybersecurity?
When we talk about “hacking” an organisation, many people think of the Hollywood type of hacking, with Tom Cruise-esque characters dropping through ceilings on suspended wires to insert a USB drive into a central control console, even though it is protected by lasers and retina scans and shark tanks.
We do get involved in offensive “Red-Teaming” engagements, where most things are allowed; however, we have yet to use a trapeze or retina scanner. We have, however, dropped decoy USBs attached to keyrings in the car park or reception area. These rely on a regular person’s desire to be helpful; after all, if someone has lost their car keys it’s nice to return them, right?
Moreover, if there are files on the USB memory stick (one may hold the clue to its owner), what about the one named CV.doc? Well, you can see where this is going. In actual fact, no files need to be opened, but a command-and-control beacon may be launched just by plugging the device into a computer.
We also use lock-picking kits, disguises (really), fake wireless access points, bogus deliveries, tailgating techniques, in fact anything to gain access to the site, in order to attach access devices to the network or achieve access to sensitive areas.
On a previous engagement, for a large distillery, one of our security consultants joined a whisky tasting tour and halfway through detached from the tour and went into the office area. He then proceeded to attach his MacBook to the network and initiated a network scan.
After five minutes he was approached by one of the staff, who asked him who he was and what he was doing. Our consultant replied, “I’m ****** from I.T. and I’m just checking the network; after I’ve finished doing that, I’ll be checking all the laptops.”
At this point, the lady in question said, “Ah, ok, perfect timing – I’m about to go and get some breakfast so you can do mine now.” She then handed her laptop over (still open) and disappeared to go and get a bacon sandwich.
Upon returning, she found her machine missing (we’d taken it to the IT director in another part of the complex, after first sending an email from it to prove we had full access).
The IT director was fully aware of the exercise, and held the laptop until its owner rang to complain about the “guy from IT”. Be it hilarious or terrifying, it took nearly three hours for her to report that he had “stolen” it.
4. What has been the most significant benefit of opening a second office in Manchester?
Our Leeds office is primarily back-office operations and sales. The tech team is based in central Manchester. We opened a Manchester office in January 2022 at the Sharp Project, which is a hub for digital and technology organisations, partly because they need a quieter environment on a day-to-day basis, but also because a number of our employees happened to live in and around the area.
They do let loose on a regular basis, with monthly CTF challenges and beer and pizza nights, but usually with a cerebral focus, which for the technically minded is great fun. The additional office provides us with cover across the north of England and will be the base for our upcoming SOC (Security Operations Centre) in the near future.
5. In what ways does the work you do with a business differ depending on its size (e.g., SMEs compared with large corporates, etc)?
The differences between working for an SME and a large corporate are usually in the time taken for anything to get done. SMEs are often looking to start an engagement within a couple of days of sign-off, whereas it’s often fair to say that “big wheels turn slowly”.
Once the engagements are underway, the way we work is often identical, and our methodology has been audited and approved by CREST, ensuring that our clients get industry-leading levels of quality and assurance.
It should make no difference whether you are among the largest companies in the world (our largest client’s turnover is $269B) or a two-person software start-up; our approach is very similar.
6. Following the six-figure NPIF loan the business received in March, what can you tell us about Cognisys’ plans for future expansion?
Cognisys is looking to expand its workforce significantly through the next twelve months and will also be looking to develop a Security Operations Centre, based in Manchester, but with geographic spread.
We’ve also invested significantly in SmartScan, our secure Penetration testing and continuous vulnerability scanning platform. In terms of additional value and ongoing security visibility, it’s a game-changer.
Lots of pentest companies already do this; however, SmartScan pulls the best-of-breed central technologies all into our stack, with a managed service wrap and deep integration. It’s the result of four years of development and is now on its third iteration.
Like everything, expansion requires money, and with the sector showing no signs of slowing down, competition for skilled resources is tight; accordingly, Cognisys has started an in-house academy to develop the next generation of cyber talent.
Plans for the longer term include a focus on IoT testing and a London office, employee share ownership, and potential acquisition. Whatever happens, we can say that we’re likely to remain busy.