Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Thursday, 25 October 2018

Latest security tests introduce attack chain scoring


When is a security breach serious, less serious or not a breach at all?

Latest reports now online.

UPDATE (29/10/2018): This set of reports is confirmed to be compliant with AMTSO Standard v1.0 by the Anti-Malware Testing Standards Organization.

Our endpoint protection tests have always included targeted attacks.

These allow us to gauge how effectively anti-malware products, in use by millions of customers, can stop hackers from breaching your systems.

We penalise products heavily for allowing partial or full breaches and, until now, that penalisation has been the same regardless of how deeply we've been able to penetrate into the system. Starting with this report we have updated our scoring to take varying levels of 'success' by us, the attackers, into account.

The new scores only apply to targeted attacks and the scoring system is listed in detail on page eight of each of the reports.

If the attackers are able to gain basic access to a target, which means they are able to run basic commands that, for example, allow them to explore the file system, then the score is -1.

The next stage is to attempt to steal a file. If successful there is a further -1 penalty.

At this stage the attackers want to take much greater control of the system. This involves increasing their account privileges – so-called privilege escalation. Success here turns a bad situation worse for the target and, if achieved, there is an additional -2 penalty.

Finally, if escalation is achieved, certain post-escalation steps are attempted, such as running a key logger or stealing passwords. A final -1 penalty is imposed if these stages are completed, so the possible scores for a breach range from -1 to -5, depending on how many attack stages can be completed.
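
The penalty scheme described above, written out as an added example (this is not SE Labs' own code). The stage names, the prerequisite table and the sample run are constructed for illustration. The post states only that post-escalation steps follow a successful escalation; treating file theft and escalation as independent of each other once access is gained is an assumption.

```python
# Penalty per completed attack stage, as listed in the post.
PENALTIES = {
    "access": -1,           # basic commands, e.g. exploring the file system
    "file_theft": -1,       # a file was stolen
    "escalation": -2,       # privilege escalation succeeded
    "post_escalation": -1,  # e.g. key logger run or passwords stolen
}

# Stage that must already be complete before another can count.
# Assumption: file theft and escalation each need only basic access.
REQUIRES = {
    "access": None,
    "file_theft": "access",
    "escalation": "access",
    "post_escalation": "escalation",
}


def breach_penalty(completed):
    """Return the penalty (0 down to -5) for one targeted test case."""
    completed = set(completed)
    unknown = completed - PENALTIES.keys()
    if unknown:
        raise ValueError(f"unknown stage(s): {sorted(unknown)}")
    for stage in completed:
        needed = REQUIRES[stage]
        if needed is not None and needed not in completed:
            # An impossible record points at a logging error in the test run.
            raise ValueError(f"{stage!r} recorded without {needed!r}")
    return sum(PENALTIES[stage] for stage in completed)


def score_run(results):
    """Map each test case id to its penalty and return (per_case, total)."""
    per_case = {case: breach_penalty(stages) for case, stages in results.items()}
    return per_case, sum(per_case.values())


# Constructed sample run: four targeted attacks against one product.
SAMPLE_RUN = {
    "case-01": [],                                    # attack stopped, no breach
    "case-02": ["access"],                            # attacker explored the system
    "case-03": ["access", "file_theft"],              # a file was taken
    "case-04": ["access", "file_theft", "escalation", "post_escalation"],
}

if __name__ == "__main__":
    per_case, total = score_run(SAMPLE_RUN)
    for case, penalty in per_case.items():
        print(f"{case}: {penalty}")
    print(f"total breach penalty: {total}")
```

This covers only the breach penalties described in this post; the full scoring system is in the reports themselves.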

We have decided not to publish exact details of where in the attack chain each product stands or falls, but have provided that detailed information to the companies who produce the software tested in this report and who have asked for it.

If you spot a detail in this report that you don't understand, or would like to discuss, please contact us via our Twitter or Facebook accounts.

SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define 'threat intelligence' and how we use it to improve our tests please visit our website and follow us on Twitter.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Monday, 1 October 2018

SE Labs introducing cyber security to schools

It's widely acknowledged that the cyber security workforce needs more talented young people to engage. Just as we, at SE Labs, want to help fix information technology security by testing products and services, we also want to encourage an interest among young people, hopefully igniting a passion for understanding and defending against hacking attacks.

We test next-gen security products AND encourage the gen-next!

Our attempt to help young people progress from complete novice, through to getting their first job and then to reaching the top of the industry, is an initiative to bring about the needed change and fill the gaps.

As part of our new corporate social responsibility programme we set up an event at Carshalton Boys Sports College to introduce the concept of cyber security and its career prospects to the students.

Around 15 participants, ranging from year 10s to sixth formers (aged 16-18), attended the main presentation, and all year groups approached us at the stand we set up.

We outlined various topics in the presentation including the different types of cybercrime and attacks; and institutions offering free and paid courses to certain age groups on cyber security, aimed at students.

We also addressed how to break into the cyber security sector; what positions are available in the industry; and how employees are in high demand in both public and private sectors, part- and full-time, in virtually every industry in countries around the world.

Then we went through a test run of a targeted attack to demonstrate what it looks like and what it means.

"Why do we use Kali Linux?", "What should I do to get into cyber security?" and "What are the skills required?" were a few of the curious questions asked by the students at the end of the presentation.

Those who came over to the stand wanted to know who we were, what we do and simply, "what is cyber security?"

They were interested in who our clients are (we gave limited answers due to NDAs), what they need us for and how we managed to get this far. A lot of these questions were asked by the younger years, who were keen to learn more about the subject. Positive!

Feedback from the college:
On behalf of the Governors, Head Principal, students and parents of Carshalton Boys Sports College, I would like to thank you for your valued input, helping to make our Directions and Destinations Day a great success.
Our staff work tirelessly to open our students’ minds to the possibilities available to them, but without the support of partners like you, that job would be impossible. Together we had the school filled with a sense of purpose all day and responses we have had from students and parents have shown us that the day has inspired our students. 
We have already started thinking about the future and would be grateful if you have any suggestions about how we might make things even better next year. 
Thank you once again for giving your time, energy and expertise last week.

Well, yes! A career in cyber security is a journey for sure, but a worthwhile one. And in the end, it's more about people than machines, as a mind's software can be more powerful than any hardware.

Pooja Jain, March 2018