Author Archives: Bramble Hub

Pravesh Kara, Content+Cloud’s Director for Security and Compliance, has over two decades’ experience in cybersecurity. In 2010, he was one of the founders of Perspective Risk, a company that initially specialised in penetration (“pen”) testing. Later, Perspective Risk expanded its offerings to provide advice on risk and on compliance with the InfoSec standards such as ISO27001 as well as providing other assurance services.

In 2017, when Perspective Risk had around 20 employees, it was acquired by IT Lab (which was later rebranded as Content+Cloud). Pravesh describes the merger as an excellent fit: “Both companies had similar, non-bureaucratic ways of working, and IT Lab had a great client base and great culture.” Although Pravesh moved into the parent business, Perspective Risk continues to operate as a standalone entity. Pravesh remarks “If we were wholly integrated, we wouldn’t have the right level of independence in our assurance outcomes.”

Thinking Securely Across the Organisation

Pravesh’s role encompasses the entire Content+Cloud business, and he has indirect reports spread across the company, to ensure that a consciousness around security permeates every aspect of the sales and delivery cycle, rather than security being seen only as an add-on service.

C+C’s security offerings
are split into two streams: Perspective Risk continues its core product lines, offering assurance services. And Content+Cloud offers design and build professional services for Security technologies and a Managed Security Operations Centre, whose aim is to actively detect and respond to cyber-attacks.

Perspective Risk: Managed Assurance Services (MAS)

Perspective Risk offers multiple levels of assurance services. At the simplest level is vulnerability scanning, which identifies potential security holes. Pen testing takes this further, probing potential vulnerabilities to determine beyond theory whether they can be exploited. As well as looking for systems security problems, pen tests also look for holes in business logic, such as web forms that fail to protect against unexpected inputs, and so can be utilised by hackers to modify the behaviour of the application.

Beyond pen testing, Perspective Risk offers Red Teaming, and
describes the service
as follows: “Perspective Risk’s elite Red Team simulates a cyber-attack on your organisation. By deploying similar strategies, tactics and hacking tools to real-life attackers, you’ll gain an authentic picture of your company’s resilience to cybercrime… By revealing otherwise unidentified risk areas, a red team attack will identify where you should focus your resources, help you validate and improve security, strengthen defences and increase the security awareness of employees – all of which will drive greater security vigilance across your business.”

Pravesh explains that Red Teaming works differently from pen testing. “It has a wider scope of engagement than pen testing, which tries to identify as many risks as possible on defined scope of targets. Red teaming is instead based on an objective – for example, to find a specific file, or break into HQ and photograph the CEO’s office. Red teaming engagements are often led from threat intelligence – what are relevant threats and how do we replicate their behaviours?”

When it is suggested to him that Red Teaming sounds fun, Pravesh agrees. It is a popular career choice, he says: “Now they come into the industry to be red teamers – to have similar levels of freedom and creativity in compromising organizational security to real threat actors.”

Content+Cloud: Security Operations Centre (SOC)

The other side of Content+Cloud’s security business is run from a facility in Manchester and is designed to detect actual threats. The SOC provides rapid detection of intrusions and external attacks and undertakes containment of the threat to minimize the impact.

“Perspective Risk focuses on the offensive side, but as a group we also cover the defensive side.”, says Pravesh. “We design & build security monitoring capability, spot threats and react instantly. In the past, threats were detected based on static analytics. Now we can spot anomalous activity in real-time – for example, changes in user behaviour. Our system is based on Microsoft’s
Sentinel SIEM and SOAR
, which has machine learning and AI capabilities to enhance detections and produce a higher fidelity of threat alerts.”

Cybersecurity Threats Today

What risks does Pravesh see currently, given increasing international tensions?

“When Russia first invaded Ukraine, Russian cyber-attacks were focused on Ukraine, but then they began to broaden. Russia had been targeting other countries anyway. But the latest intelligence suggests that the Russian state intends to attack organisations involved in critical national infrastructure – not just in the public sector, but across the supply chain. The security issues haven’t changed, but the threats are increasing.”

What about China? “China loves state secrets but also heavily targets the private sector. The Chinese state acts to protect the interest of private and state-owned Chinese companies. But it’s Russia that really invests in harvesting data. Its intelligence agencies try to vacuum up everything they can.”

Is the public sector prepared for attacks? “The public sector was a long way behind the curve five to 10 years ago, but now it’s catching up. It’s getting better both at detecting and reacting to threats.”

How would Content+Cloud approach security for a new public sector customer? “We would begin by asking what the threats are… why would you be targeted? There isn’t a one-size-fits-all approach. Central government has different threats to local government. And different attackers have different focuses: do they want to attack facilities or quietly harvest information?”

If Pravesh could give the public sector one message on cybersecurity, what would it be? “The advice that the
National Cyber Security Centre
provides – You should assume you’ve already been breached, and act on that basis.”

Olivia Williams, a security specialist at Bramble Hub partner Apache iX (a small consultancy firm that we recently wrote about here), did not set out to become an expert in InfoSec (information security). In fact, after graduating in Italian and French, she was unsure what to do next, and eventually found herself working in current affairs at the BBC in London. It was there, working with the technology broadcaster Aleks Krotoski amongst others, that highlighted to her the value and world-changing power of digital technology.

Olivia – who happily admits she is not a city person – eventually tired of London, and in any case began wanting to use her skills in a way that would help people “in a more direct way”. With that goal in mind, she began to apply for jobs at emergency response organisations, and secured a role with an international emergency shelter NGO as a videographer.

Working in the humanitarian sector

“Before I knew it, I was being sent to all sorts of places – Malawi, Nepal, the Philippines. In 2015, I was sent to northern Iraq to help conduct vulnerability assessments and document beneficiary personal stories in refugee camps. During one operation during that deployment at an unofficial displaced persons camp in Iraq close to Mosul, it became clear that personal data and the inherent power it holds is exploitable and is frequently exploited. Being so close to the conflict-affected territories across that region made securing beneficiary data a vital topic of conversation, yet the humanitarian sector, particularly then, was not prioritizing data security and the necessary conversations were not really being had”.

The intertwined topics of data security and data privacy were raised once again during a deployment to Malawi where Olivia assisted with the distribution of solar lights and filmed beneficiary stories for her NGO, as well as shooting content for Shark Tank [the US equivalent of Dragon’s Den]. “The Shark Tank team insisted we gain written consent from everyone we filmed, but I had to ask myself – how can we truly be gaining people’s consent if they couldn’t read the consent form, couldn’t write and in any case the consent form was written in English – a language no one in that particular village spoke. At that moment I felt, like I had before, that I was part of the exploitation problem”.
It was this experience that led Olivia towards her Ph.D., which examined the realities of data security and data privacy in aid situations.

“Based on experiences like this, where there was a lack of genuine consent, I became uncomfortable videoing people. I would take names and ages and explain as much as possible and often work through translators/interpreters, but I felt that, perhaps, people were just saying yes because they felt obliged. We gathered information about people – name, date of birth, ethnicity, political affiliation, religion etc. but we’d never had a discussion about how to protect these people’s data, nor could we explain to people exactly how their data would be used, stored or shared. I instinctively felt that privacy was important, and at that point I was doing the little I knew how to do to protect people’s data – hide an SD card under my mattress or under my insole. I wondered, “were my experiences an anomaly and was anybody having conversations about this issue?”

The human side of security

So, Olivia put forward a Ph.D. proposal and was offered a scholarship at American University in Washington D.C. with the aim of examining the following points:

1. What do aid agencies say they’re doing to protect data?
2. What do aid workers say that they do to protect data?
3. How are beneficiaries harmed by the differences between these two datasets?

Indeed, Olivia found numerous discrepancies between the two datasets. Of the 182 aid workers that she surveyed, most said that they ‘weren’t sure’ when she asked them to respond to the statement ‘NGOs are targeted by cyber threat actors’. “We have this prevailing and outdated idea that aid work is globally understood to be philanthropic, with good people doing good things. But increasingly, aid workers and the organizations they work for are viewed as political vehicles, so there’s a disconnect between the humanitarian world’s understanding of what it represents and the reality of what it represents to others. Many aid organisations lack the usual data security checks and balances for several reasons: for example, because of the emergency contexts in which they work which make enforcing policies and protocols very difficult, and due to high staff turnovers.”

Olivia’s survey also indicated that aid workers had a minimal understanding of cyber-attacks, and only a minority could define ideas like spear-phishing or eavesdropping attacks. This is particularly concerning given the emerging research showing that aid workers are specifically targeted. One response to Olivia’s study said “… our NGO was actively targeted by Russia, China, and Iranian cyber armies… we were informed of this by the FBI… it never occurred to [the management team] that maybe others who had things stored on their laptops… did not know how to [protect their data].”

Many aid workers found they were unprepared for the field environment. One respondent indicated that “… protocols set by HQ don’t take into account the challenges of being somewhere with only 2G internet and one hour of electricity’ and ‘if the protocols are designed in a way that make frontline workers jobs harder, they’re going to get ignored or circumvented”.

Another of the study’s findings showed that many aid workers used their own devices to collect data; and that among these people, only a very small minority deleted data once it was no longer needed. While most people would protect their digital devices using a PIN or other protection mechanism, more traditional devices – such as cameras and voice recorders were rarely protected. Since conducting her study, Olivia has found that encrypted SD cards are still rarely used.

How does this apply to the Defence sector?

Olivia’s work in the aid sector seems a long way from her role as a security specialist for Apache iX, which specialises in the UK national security sector. How is her Ph.D. work relevant in her current role? “I learned about the centrality of human behaviour in security, and the human predisposition to circumvent policies. Human activity and decision-making are still central to any organisation’s operations and approaching the cyber and InfoSec problem from a human-centric standpoint gives me a good awareness of security issues. My subsequent doctorate training in advanced cyber security methods also gave me the depth and breadth of knowledge to approach and interrogate any InfoSec problem. The expert and author Bruce Schneier put it well when he said: ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’”.
Not to be satisfied with one Ph.D., Olivia is now working on her second: a study of information sharing between humanitarian organisations and intelligence agencies – an area that she describes as an ethical minefield.

What was it that drew Olivia to Apache iX? “I wanted to work in Defence and gain some very specific professional experience and I get to work on some pretty cool things… but I can’t say what they are! I’m very lucky as I’ve got great colleagues and work for a company who have brought together a team of people who aren’t judged solely by their Defence credentials but because they think differently, and that’s celebrated and encouraged. It’s a good place to be”.