British Standards Institution
British Standards Institution (BSI) is a business standards company that equips businesses with the necessary solutions to turn standards of best practice into habits of excellence. BSI was the world’s first National Standards Body and operates globally, publishing over 2,500 standards annually. BSI works with industry experts, government bodies, trade associations, businesses of all sizes and consumers to develop their standards of excellence.
A penetration test, in which professional ‘ethical hackers’ are given permission to attempt different attacks on an organisation's systems, is a well-established method of testing cyber defence capabilities and finding vulnerabilities that could be exploited by a malicious hacker. Despite the wide use of pentesting, there is little in the way of guidelines as to what a good pentest should involve and how to compare different levels of service. Inconsistent terminology and levels of service are holding back the industry, leading one security provider to describe the current situation as a ‘Wild West.’
BSI wanted to know:
- Is there a need for pentesting standards in the UK?
- What related guidelines and standards exist already for pentesting in the UK and globally?
- What would such a pentesting standard include and look like?
- Would the standard be written in such a way that it could be audited against/have external certification?
- What considerations need to be taken into account when developing the standard?
- Penetration testing procedures
- Research skills
- Professional report writing
Dr Alistair Baron and William Knowles, from Security Lancaster, Lancaster University’s EPSRC- and GCHQ-approved security research centre, worked with BSI and completed background research and interviews with key stakeholders and organisations that certify pentest employees. They produced a report of their findings which highlighted a need for the cybersecurity industry to have greater 'ethical hacking' standards. BSI highlighted three recommendations for standardisation:
- Standardised terminology for different levels of testing – enabling clients to make informed decisions and compare the market like for like
- Guidelines for reporting structure and content – offering clients greater consistency through the use of metrics and recommendations, as well as educating clients on the security threats their organisation faces
- Guidelines for the use of penetration testing as audit evidence
The total cost of the project for staff and travel expenses was £10,000, funded through the Impact Acceleration Account (IAA). The IAA is £600,000 funding from the Engineering & Physical Sciences Research Council to finance a range of activities designed to foster greater collaboration with industry and bridge the gap between the lab and the marketplace.
“By defining best practice in the area it will enable organisations purchasing pentest services to have a consistent, comparable quality of service thereby improving the security of UK organisations and providing comparable costs for services.”
“Standardisation of terminology would enable clients to compare like-for-like, which would also aid the commoditisation of penetration testing, particularly when looking to international markets,” Dr Alistair Baron, Faculty Fellow - Security Lancaster.
You can read more in the full report.
Benefits to the company
- Expertise in conducting the research
- A professional report containing recommendations for standardisation
Benefits to the university
- Opportunity to assist in the creation of a new industry standard
- Potential for further collaborative research in the future
Benefits to society
- The creation of a standard allows organisations to compare the market and determine the service best suited to them
- The report is freely available as an educational resource for organisations
“Organisations are increasingly looking to the penetration testing industry to better understand and improve their cybersecurity. As this thought leadership report has shown, there are respected qualifications for individual penetration testers, but there can be greater consistency of the service penetration testing firms provide.”
“Greater standardisation in this area as identified in the report should allow customers to know they are getting a consistent comparable service. In addition, it will allow providers to better demonstrate and differentiate their capabilities. BSI will use the findings of the report to reach out to the stakeholders in the penetration testing market to determine the demand for new standards,” Tim McGarr, Market Development Manager for ICT & Asset Management, Governance & Resilience at BSI.
“Both providers and clients were found to be dissatisfied by the lack of transparency and consistency in industry offerings. Given the importance, and rapid growth, of penetration testing, resolving these needs for best-practice quickly would aid both providers and buyers,” William Knowles, Security Researcher at Security Lancaster.
BSI is looking to take the recommendations forward and has already conducted an initial scoping workshop. BSI has also shown interest in further collaborative research proposals based on the success of this project.
Ultra Electronics Communication & Integrated Systems (UECIS), based in London, is a specialist business within the Ultra Electronics Group and is a market leader in the provision of secure communications; information assurance and intelligence; surveillance; target acquisition; and reconnaissance systems to defence customers worldwide.
In this Knowledge Transfer Partnership (KTP), Ultra Electronics Communication & Integrated Systems worked with the School of Computing and Communications (SCC) at Lancaster University to develop a real-time integrated security monitoring and management system for the communication of situational awareness from remote locations, such as unmanned aerial vehicles, over satellite and local broadband links.
Originally, Ultra Electronics Communication & Integrated Systems initiated this KTP to gain expert input to develop an aircraft cabin surveillance system that would enable the crew to stream live images to the ground in the event of an incident. However, changes to industry regulations and markets cut customer demand for this product.
Fortunately, at that time Ultra identified a market opportunity for a system providing live images to the ground from unmanned aerial vehicles (UAVs) over satellite and local broadband data-links. By continuing with the collaboration, the company gained a highly-motivated and skilled associate in Alex Tarter, together with access to the expertise in communications technology and aviation security research within the School of Computing and Communications at Lancaster University.
- Computer networking
- Project management
- Communication systems knowledge
Academics from the School of Computing and Communications at Lancaster University provided the expertise and experience needed to deliver this KTP. Professor Garik Markarian, an international expert in communications technology, was the lead academic.
KTP is a European programme helping businesses to improve their competitiveness and productivity through the better use of knowledge, technology and skills that reside within the UK knowledge base.
KTPs are funded by Innovate UK (formerly the Technology Strategy Board, TSB) with 12 other funding organisations. These funding organisations include research councils, the devolved administrations and a number of other Government departments recognising the importance of knowledge transfer to economic development and wealth creation. Innovate UK is a business-led organisation established by the UK Government to accelerate research and development, and foster innovation for the benefit of UK business.
Ultra Electronics Communication & Integrated Systems made a contribution towards the KTP, which had a total value of £15,000.
Overall the KTP has been a great success, meeting all objectives and providing significant benefits for all parties involved. Ultra has gained expertise in the design and testing of new products. An enhanced understanding of computer networking continues to benefit its datalink work, with a computer-centric view complementing its more traditional radio engineering approach and potentially opening new markets for its data-link products.
These new capabilities have been demonstrated in meeting the key objective of developing a monitoring system using communications via UAVs, exploiting Alex's expertise to adapt video equipment so that images could be sent in real-time over Ultra Electronics Communication & Integrated Systems' new and unique High Integrity Data Link (HIDL). This innovative project has generated much publicity through exhibitions and the presentation of papers at several key conferences, raising the profile of Ultra in new market areas. The enhanced product range is expected to increase sales by around £500,000 a year.
A strategic partnership agreement has been reached with Ultra Electronics Communication & Integrated Systems, covering many areas of high technology, including aviation security, wireless communications and artificial intelligence. Working with Alex to develop new monitoring systems has provided staff with the opportunity to apply research into computer networking and artificial intelligence to real products. It has also enabled them to develop ideas in 'fuzzy logic' relevant to aviation security. A new area of teaching has been developed through the work, exploiting the success of video processing techniques utilised within the project.
Benefits to the Company
- Enhanced capabilities in product design and testing
- A better understanding of computer networking, facilitating easier-to-use products
- HIDL-proven, with potential in many new products
- Aviation security identified as an area for future business growth, reflecting the increasing concern within the industry
- Greater ability to utilise computers to identify and solve data-link problems
- Potential to expand product range and enter new markets predicted to increase annual sales by over £500,000
Benefits to the University
- Ultra Electronics Communication & Integrated Systems' laboratories made available for academics' research work
- A strategic partnership agreement in place, strengthening the mutual relationship with a successful bid for further collaborative research
- Opportunity to develop artificial intelligence for aviation security and further signal processing concepts
Benefits to the Associate
- Significantly enhanced technical, project management and presentation skills
- Completed an NVQ Level Four in Management
- Progressed towards PhD and Chartered Engineer status
- Accepted a position with Ultra Electronics Communication & Integrated Systems as Senior Systems Engineer
“The appointment of Alex Tarter, who had completed a Master’s degree in Information Systems Engineering, proved to be an excellent decision. As KTP Associate he proved enthusiastic, personable, skilled and hardworking, with his commitment and drive proving instrumental in the project's success. The KTP has added a valuable dimension to our data-link products and raised Ultra's profile at conferences, standards committees, and with published journals. It also resulted in a strategic partnership between Lancaster University and Ultra Electronics.” Andrew Cambridge, Chief Scientist, Ultra Electronics Communication & Integrated Systems.
“The project was beneficial to both the industrial and academic partners, and provided a unique opportunity for developing new skills and products in the company, and exposing Lancaster University researchers to real-life industrial problems.” Professor Garik Markarian, School of Computing and Communications, Lancaster University.
KTP Associate Feedback
Alex gained considerable design experience, built on his project management skills, and extended his technical knowledge, in particular of communication systems and computer networking. He welcomed opportunities to attend exhibitions and conferences, through which he made useful contacts and showed professionalism in representing the company.
Alex joined a European Aviation Standards working group, EUROCAE WG-72, established to develop guidelines addressing security concerns for aeronautical systems; this work was also directly applicable to his project.
Alex completed the KTP, achieved his PhD and is now a Technical Director at Ultra. He also became a NATO Civil Expert for Cyber Security, and the HIDL continues to sell with full-motion video capabilities as a result of the work done in the KTP.
Xyone Cyber Security Solutions Limited, based at InfoLab21 at Lancaster University, provides accessible and dynamic services which extend beyond technology to encompass people, culture, processes and even the physical environment to make their clients as resilient as possible. They employ a team of certified ethical hackers, qualified consultants and expert trainers to offer a complete end-to-end repertoire of cybersecurity for their clients.
Xyone Cyber Security Solutions Limited provides essential support to businesses in order to secure data, assets and intellectual property against the threat of cybercrime. They wanted an intern to assist in the launch of a new service, the Cyber Advisory Service (CAS), populate the company website with frequently asked questions and information, and provide a front-line service to callers to the company.
- Experience in IT
- Experience with customer service
- Knowledge of cyber security
Jenny Lam, MSci IT for Creative Industries with Industrial Experience, was recruited through the Science and Technology Internship Programme for a twelve-week internship with Xyone Cyber Security Solutions Limited. Jenny helped to develop a new service known as the Cyber Advisory Service (CAS). She converted the idea into a workable process and oversaw its development and growth into a functioning prototype to use as a pilot. She developed the content for the online service and outlined the procedures within CAS for future staff to follow.
Outside of the CAS project she assisted the North West Cyber Security Cluster (NWCSC) with administration and communication tasks and managed social media profiles for both the cluster and CAS.
The internship was part-financed by Xyone Cyber Security Solutions Limited at £1,500+VAT, and part-financed by Santander, with a total value of £3,300.
The new service provides free and impartial advice on cybersecurity issues and breaches for any small and medium enterprises within any industry across the UK.
“Jenny’s placement allowed Xyone to develop and test a methodology and criteria for us to launch the Cyber Advisory Service, which is a new layer of client support for our company and was something we weren’t able to explore prior to Jenny’s placement due to lack of internal resource. The Cyber Advisory Service is something that is much needed by the sector and provides front-line support to businesses who fear they may be the subject of a cyber-breach, allowing the client to access a first port-of-call, and providing the partners of CAS with opportunities to offer their skills.
“Using the advanced knowledge and expertise of one of Lancaster University’s Technology students was very advantageous to us, as Jenny was able to offer her ideas and thoughts during the development process, which was really useful in getting an additional opinion.” Sarah Green, Strategic Operations Manager, Xyone Cyber Security Solutions Limited.
- Knowledge and expertise of Lancaster University Science and Technology students
- Allowed the company to develop CAS, a product which will enhance their services to their clients, and grow the company
- Saved Xyone Cyber Security Solutions Limited management time
“The project helped us develop our new service – CAS – and saved us time. The internship undertaken by Jenny was a huge resource support to a small business like ours and really provided us with the opportunity to move forward, not only with the CAS project but with other areas of the business due to the additional support in place.
“We’re really so grateful to have been given the opportunity and I would highly recommend the internship programme to other small businesses. The positives we have received as a result have been tremendous, not only for us but in helping Jenny improve her skills for employment post-graduation.
“Jenny was instrumental in taking the idea of CAS and transforming it into a working, operative business process and commercial service, for which we are grateful to Jenny, and Lancaster University in helping us find the support we needed. Working with Jenny both during her internship and as a result of getting to know her personality and her skills has been very rewarding to Xyone, and hopefully Jenny too as she embarks on her first professional role within the cybersecurity sector.” Sarah Green, Strategic Operations Manager, Xyone Cyber Security Solutions Limited.
“The internship was a great way for me to practice and refine my project management skills, and learn about how businesses operate in an industry different to my previous experiences. My technical knowledge also improved from gathering content for CAS, as well as speaking to technical staff about their work. Being involved in the NWCSC was a fantastic networking opportunity to meet directors from various IT companies.
“Having worked for a cyber-security company, I am now fairly certain I want to pursue a career in the cyber security industry, whereas previously I was uncertain due to a lack of experience and awareness in the area. Following on from this internship, I will be starting a placement with Xyone in January as part of my course.” Jenny Lam, MSci IT for Creative Industries with Industrial Experience, Xyone Cyber Security Solutions Limited Intern.
Xyone Cyber Security Solutions Limited continues to work as part of the North West Cyber Security Cluster, which is based at InfoLab21 and supported by Lancaster University. The cluster aims to raise industry standards by establishing a minimum certification level for entry to the group, with the ambition that high-quality accreditation becomes the norm for all businesses operating in the cybersecurity sector.