How to be safely penetrated with Phil Graham, Director at Secora Consulting Ltd

Phil Graham enjoys a cyber brew with Lee from ALLOWLIST as he answers questions about Penetration Testing and how to do it safely. It can be dangerous if not done right, and Phil explores the right steps to take when it comes to penetration testing. He reveals some things you might never have considered, and some that may just surprise you.

We also find out the answer to the question: Phil Graham, what are you drinking?

Phil Graham Director at Secora Consulting Ltd – Bio

Director and co-founder at Secora Consulting, a professional services company specialising in tailored cyber security assessments.

Secora Consulting is committed to improving the cyber security posture of our clients, to help protect their reputation, brand, profitability and most importantly, their data. We can provide your organisation with peace of mind in this ever-evolving threat landscape, securing your success for the future.

You can connect with Phil on LinkedIn: https://www.linkedin.com/in/phil-graham-307040b0/

If you would like to discuss our services in more detail, please contact us: info@secoraconsulting.com

Transcript

Lee Gilbank – ALLOWLIST

Oh right, well, back to Cyber Brew. This is take two because I went wrong. Today I've got Phil, who is one of the directors from Secora, who are a security testing and consultancy company based out of Ireland but with customers all over Europe and globally as well now. And fantastic service using them, and I've worked with them in the past; they've got CREST accreditations, very, very high standards. As this is Cyber Brew, the first question is always: Phil, do you have a brew and, if so, what are you drinking?

Phil Graham – Secora

I certainly do, it's tea. Tea is my drink of choice.

Lee Gilbank – ALLOWLIST

Yeah, but what type is it? Is it milk and sugar, or just milk?

Phil Graham – Secora

Just milk, I am sweet enough.

Lee Gilbank – ALLOWLIST

Well, I'll go with that. So the topic we're covering today is how to be safely penetrated, which is obviously touching on penetration testing. So, I mean, Phil, having, you know, run a very high quality security testing company, how should people be prepared, or get prepared, to be safely penetrated? You know, what would that mean to you? Are you thinking like at the start or at the end, and what are your thoughts on how to be safely penetrated?

Phil Graham – Secora

Yeah, I think it's a very kind introduction, in the nice words, and yeah, just to carry on with the introduction in fairness. So my name is Phil and I've been working in cyber security for about 12 years or so now. But to answer your question, Lee, I suppose the first thing somebody should do is research. So research what they actually want and what they're looking for and trying to understand, and whether that research is approaching a company like ourselves and having an open discussion and a chat around, you know, the boardroom or, you know, key stakeholders, around what they actually want and what they're looking for, or what they need against regulations. And it's good, that's the sort of starting point. Find an organisation that you're comfortable with and people who are willing to have discussions, and are not just there to kind of just give it to the tick box, you know. So, like, how to be safely penetrated? So you've found a good company and you've had your open discussions, and it is quite a good question, Lee, in fairness, how to be safely penetrated. Yeah, so you've found a good company, um, and what I would say you want to look for is, you know, skills and people you can trust. I suppose that's a big thing, is trust, because, you know, they're going to be working potentially with your data, and, you know, from a penetration tester's point of view they're going to be coming in and they're going to be trying to uncover weaknesses and flaws which may lead to data recovery, and they may read stuff or see stuff that, you know, might be IP, intellectual property, or PII, personally identifiable information.

So I would work with someone you really trust, someone who has the skills and experience of doing this as well, especially if your infrastructure's live in production and, you know, if you can't have any downtime, work with somebody who is highly skilled. So from our point of view, you know, all our testers are senior at a minimum; we've all got at least six years. Uh, it's a rule of the core, we haven't hired juniors for that reason, because we do work with big global companies and, you know, small, medium and guys locally as well, but we understand that security and risk is very, very high. So we do actually employ that as a sort of business trait. Um, but yeah, I would firstly work with someone that you're comfortable with, because they're like people, they may be uncovering something that you may not want them to find or see, yeah, or you may not even know exists.

Lee Gilbank – ALLOWLIST

Yeah, I mean, that makes sense. You know, to be safely penetrated, you want to trust the person or the company that's going to be penetrating you, and, you know, you want to know that they can be trusted and are doing it with the right tools and the right skills and things, to not cause any damage, essentially.

Phil Graham – Secora

Exactly, yeah. You know, and, um, you know, the nature of testing, things may happen, but as long as you're working with skilled people they'll often spot things early. If, you know, like I said, I've been doing this for about 11, 12 years and you do spot things early, you know: if I push this a little bit too hard something might happen, so you can have a conversation early, whereas somebody less skilled or less experienced might run headlong into that and, you know, make mistakes. And yeah, um, so yeah, it's just basically trust who you're using, because they are looking at your data and your infrastructure. And also ensure that the company, the results that they give you, so obviously you've gone through the testing phase, obviously you're looking at the results, work with a company who understands exactly what your business is and does. Now this is something I think is a little bit of a fail in a lot of companies, uh, a lot of pen testing companies, is they don't consider what your business is and the risks that are to your business. Now we work quite heavily with consultancy and not just pen testing, we do a lot of consultancy, and we understand networks and infrastructure and business impact as well, um, and how certain risks can impact particular systems. So you might have, you know, let's say a general pen test report might pull out, let's take an internal test, you might pull out three high risk issues or three critical risk issues, but they might be against what are low severity systems. So they may be the coffee machine, for instance, or something like that, you know, a till machine that's in the canteen could be running Windows XP or something like that, and, you know, there's plenty of issues out there for XP, but we know that actually getting footholds in that system may not actually do anything. So although it's a high risk issue, it may not actually impact your business particularly heavily.

So we factor in a lot of prioritisation of issues, especially if the company has, uh, you know, a full asset register. If there's some maturity there we can use that: if there's an asset register with criticality applied to their assets across the industry, we can apply that to our findings, so we can go, okay, well, you've got a critical issue against a critical asset, you need to look at this and remediate this fast, and we'll put launch it behind our results. And yeah, and again, you know, critical and low risk, we can say actually that could probably be remediated in, you know, three months, because if there's a critical issue you might have a different category, you might have a lot of issues, like you might need to filter through a sweep first.

Lee Gilbank – ALLOWLIST

Yes, I mean, kind of what you're saying is, to be safely penetrated you need to trust the people doing the penetration, and then you need to have, again, more trust that they're going to put proper context and business cases, and actually that fit for your business, around some things as well.

Phil Graham – Secora

Exactly, and, you know, I was talking, no, that was a very mature model we were using there, but say you don't have that. We'll say we're looking at a web application; we'll take what, you know, the web application does or what it is and how that links to the business. You know, is it in a DMZ, is it hosted elsewhere, what could you actually do if you managed to get a foothold on the server, where could you go and what could you do, or what is the worst case scenario for that business, which can often, if it's broken away, not actually be that severe, you know. Yeah, yeah, so it's like we can apply a lot of logic, and I think that's a big thing, is working with a company that can give you true results in terms of criticality of the issue but also how that applies to you and where that might fit in your remediation timescales.

Lee Gilbank – ALLOWLIST

Perfect. Well, thank you for taking part in Cyber Brew today, Phil. Um, I've definitely got a few things there about how I should be safely penetrated. Um, you know, I need to trust the people doing it and know that they're going to be there for me afterwards and, you know, care for me and comfort me, and put things into context as well. So yeah, perfect, all right, cool, thanks a lot, cheers man, thanks, thanks for your time, bye.