Advanced Cyber Security Audit For Infrastructure Company

In-depth assessment of cyber security measures for an infrastructure company

Akita collaborated with a company in charge of key city infrastructure to deliver a comprehensive cyber security audit to ensure its systems and processes were robust against evolving cyber threats.

Driven by the organisation’s senior leadership, the audit used an array of measures to identify potential vulnerabilities and give direction to enhance the company’s cyber security posture.

Delivering An Advanced Cyber Security Audit

The highly in-depth audit comprised multiple elements, including stakeholder interviews, documentation reviews, process evaluations, and technical assessments.

The following key activities were then undertaken to review technical security:

High-Level ISO 27001 Gap Analysis

Akita coordinated a thorough gap analysis of the organisation’s cyber security measures against the ISO 27001 standard (which the organisation held) to identify areas of non-compliance and recommend improvements. This analysis provided a baseline for the company’s current cyber security posture.

Desk-Based Controls Review

The audit progressed to evaluating the existing endpoint protection measures to ensure defence against malware and wider cyber threats.

It focused on reviewing the change management processes for switches and firewalls to prevent unauthorised alterations and ensure traceability. The effectiveness of general user training and specific social engineering awareness programs was assessed to mitigate human error risks. Additionally, the segregation of networks, access control mechanisms, and change management procedures within the operational technology (OT) environment were examined to safeguard critical infrastructure systems.

Internal and External Penetration Testing

Ahead of onsite assessments, Akita performed vulnerability scanning of the organisation’s networks to identify any clear security gaps. Based on the findings, it was determined that both internal and external penetration tests would be valuable. These were conducted to identify potential security weaknesses and attempt to exploit them based on human experience, better simulating real-world attack scenarios.

Wi-Fi Security Testing

As part of the cyber security audit, a detailed review of wireless network security was undertaken. This review focused on authentication and encryption controls, ensuring that networks were fully locked down. Additionally, a rogue access point search was conducted to detect any unauthorised devices connected to the network that could compromise wider cyber security through their presence.

Advanced Intrusion Techniques

Beyond these measures, more advanced intrusion testing measures were used to full stress test cyber security measures. This included an investigation into historical data to determine if any user accounts had ever been compromised, helping to understand the potential of breaches.

Lastly, the audit analysed threat tactics that have been used against similar organisations. These were then used on the organisation to see if they would be effective. This included tests such as dropping a USB stick randomly in the office to determine if any members of staff would introduce it to the network. This approach allowed the organisation to anticipate and defend against specific threats relevant to its industry and profile.

Summarising The Audit

The in-depth cyber security audit resulted in five separate reports covering the organisation’s security measures, with an overarching executive summary of key findings and remediation works categorised by priority.

This thorough approach gave the infrastructure company a clear understanding of its current security posture and actionable recommendations to enhance their defences.

By addressing the identified gaps and vulnerabilities, the organisation has significantly strengthened its resilience against cyber threats, ensuring the safety and reliability of its IT infrastructure.