Like many things in life, hackers are victims (and I use the word loosely) of stereotyping. You won’t find much stock imagery depicting hackers that doesn’t involve a hoodie, a dimly-lit room and several monitors full of scrolling binary text. And whilst that’s definitely sometimes true, it also makes several assumptions about hackers in general, which is at best misleading and at worst leaves you wide open to attack.
The main assumption in this stereotype is that hackers are stuck behind keyboards, which limits how far they can reach into the physical world. How much damage can someone do like that? Sure, they could run a phishing campaign and compromise your email account, but you can change your password easily enough. The more enterprising hacker might break into your company’s servers for a spot of cryptomining or a dabble in ransomware, but you’ve (hopefully) got basic security monitoring and, of course, backups. Before I go any further in this scenario, I need to acknowledge that an alarming number of companies DON’T have these essential security controls, but we’re assuming a broadly ideal world here, so indulge me for a moment.
Now, let’s hit pause on the hacker and instead turn our attention to the insane and often hilarious world of the Internet of Things, or IoT. The world of IoT is growing at quite the pace, with manufacturers keen to stuff a web server into the most mundane of devices or connect the most vital equipment to an app or the internet. The benefits of this range from the downright handy to the absurdly questionable. The downside, however, is that we’re increasingly opening more and more of our physical lives to hackers. The problem is compounded as it’s not just that more IoT devices exist, but also that manufacturers refuse to take their security seriously – especially the cheaper non-branded devices (the so-called Shenzhen generics).
Returning to the hacker, these IoT devices and their generally woeful security give them the ability to step out of the cyber world and into the physical world. Cyber criminals use these devices as their remote hands. Hackers are no longer behind a keyboard: they’re in your house, your office, and maybe even more intimate places. IoT devices can do things like control your oven and adjust your heating (in fact, they can switch on anything connected to a ‘smart’ plug socket), meaning it only takes one little security flaw and you’ve handed control to that hoodie-wearing figure.
Though IoT devices are certainly a major risk, it’s worth noting that they’re also not the only thing that we need to worry about. Let’s take a look at some real-life examples.
Let’s start with the tale of Yale’s security fail that happened to their ‘smart’ home system late last year. Their server went for a little lie down for a couple of days, leaving people locked out of their homes and offices, or at the mercy of their alarm system. Whilst the root cause this time was down to vendor error rather than a hack, do you really think hackers don’t know how to (D)DoS an online service? Plus, when – and it is when – these kinds of services get hacked (I’m not targeting Yale directly here), hackers will be able to open your front door and walk right in.
On exactly that note, January of this year saw researchers blow open the cyber security of a door access system – much like the ones you find in most offices. Cyber crooks could, in theory, simply turn off the access control for the doors, remotely unlocking them all and opening up your business to anyone who fancies walking in. The problem in this instance was the mind-numbing stupidity of using hard-coded passwords and default credentials – something that a pen test would have picked up.
For a more up-close-and-personal example, not to mention insanely terrifying, how about St Jude Medical’s pacemakers? Security flaws were found that could in theory allow a hacker to discharge your battery or even ‘deliver incorrect pacing shocks’ – i.e. stop your heart.
As for another example, let’s look at cars. Cars these days can be remotely locked, unlocked and started via an app, or even through Amazon Echo, and researchers have shown that braking and steering can be reached remotely as well. As a man who drives a 10+ year old Saab, this level of technology is tantamount to witchcraft. As long ago as 2015, security researchers showed that it’s possible to remotely take control of a Jeep and bring it to a stop. Add to the picture 2019’s leaps in autonomous cars, buses and lorries, and it’s a potentially grim outlook. Fun fact: some security advice from a reputable company recommends keeping your car’s key fob in the fridge as a security precaution. Yes, really. (The fridge acts as a makeshift Faraday cage: it stops a relay attack, where thieves amplify the fob’s signal from inside your house so the car thinks the key is next to it.)
Time for just one more example: the world of industrial control systems is (sadly) well-known for having lax security. A lot of factory machines were designed back before the internet was really a ‘thing’, and so didn’t factor much in the way of network security. Now they’ve been hooked up to the internet, their security is often best described as lacking, worst described as non-existent.
This became ever more apparent at the beginning of the year, when it was found that cranes, drilling rigs (and other scary heavy machinery) were “alarmingly vulnerable to being hacked”, being called less secure than a garage door opener. Yikes. The culprits here were things like simple replay attacks, non-rolling codes and re-using the same checksums: if nothing in a radio frame changes between button presses, anyone who records one press can resend it whenever they like.
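To make the replay point concrete, here is an added illustration (not code from the article, and not modelled on any real crane controller): a fixed-code receiver that accepts a recorded frame a second time, beside a rolling-code receiver that rejects it. The frame layout, the HMAC-SHA256 tag, the 16-press forward window and the command values are all assumptions for the demo; real remotes use their own formats.

```python
"""Fixed-code vs rolling-code radio remote: why a captured frame can be replayed.

Added illustration, not code from the article or from any crane vendor. The
frame format, key, tag length and counter window are assumptions for the demo.
"""
import hashlib
import hmac
import struct

# Constructed sample command values for the demo (not real device data)
CMD_STOP = 0x00
CMD_HOIST_UP = 0x01


class FixedCodeReceiver:
    """Models a remote whose frame is a static ID + command + checksum.
    Nothing in the frame changes between presses, so a recorded frame is
    indistinguishable from a fresh one and a replay is accepted."""

    def __init__(self, paired_id: int):
        self.paired_id = paired_id
        self.actions = []

    @staticmethod
    def checksum(payload: bytes) -> int:
        # Additive checksum: catches bit errors, authenticates nothing
        return sum(payload) & 0xFF

    def build_frame(self, cmd: int) -> bytes:
        payload = struct.pack(">IB", self.paired_id, cmd)
        return payload + bytes([self.checksum(payload)])

    def receive(self, frame: bytes) -> bool:
        payload, chk = frame[:-1], frame[-1]
        if self.checksum(payload) != chk:
            return False
        dev_id, cmd = struct.unpack(">IB", payload)
        if dev_id != self.paired_id:
            return False
        self.actions.append(cmd)
        return True


class RollingCodeReceiver:
    """Models a remote with a shared secret, a monotonically increasing
    counter and an HMAC over (ID, counter, command). A replayed frame carries
    a counter the receiver has already consumed, so it is rejected. A small
    forward window tolerates presses made while out of range."""

    WINDOW = 16  # assumed window size for the demo

    def __init__(self, paired_id: int, key: bytes):
        self.paired_id = paired_id
        self.key = key
        self.last_counter = 0   # highest counter accepted so far
        self.tx_counter = 0     # transmitter state, kept here for the demo
        self.actions = []

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()[:8]

    def build_frame(self, cmd: int) -> bytes:
        self.tx_counter += 1
        payload = struct.pack(">IIB", self.paired_id, self.tx_counter, cmd)
        return payload + self._tag(payload)

    def receive(self, frame: bytes) -> bool:
        payload, tag = frame[:-8], frame[-8:]
        if not hmac.compare_digest(self._tag(payload), tag):
            return False  # forged or corrupted frame
        dev_id, counter, cmd = struct.unpack(">IIB", payload)
        if dev_id != self.paired_id:
            return False
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False  # replayed counter, or far outside the window
        self.last_counter = counter
        self.actions.append(cmd)
        return True


def replay_demo():
    """Attacker records one legitimate HOIST_UP frame and resends it later.
    Returns (fixed_replay_accepted, rolling_replay_accepted,
             rolling_fresh_accepted, rolling_tampered_accepted)."""
    fixed = FixedCodeReceiver(paired_id=0xCAFE)
    captured = fixed.build_frame(CMD_HOIST_UP)
    fixed.receive(captured)
    fixed_replay_ok = fixed.receive(captured)  # accepted again

    rolling = RollingCodeReceiver(paired_id=0xCAFE, key=b"demo-shared-secret")
    captured = rolling.build_frame(CMD_HOIST_UP)
    rolling.receive(captured)
    rolling_replay_ok = rolling.receive(captured)  # rejected: counter used
    fresh_ok = rolling.receive(rolling.build_frame(CMD_STOP))
    tampered = bytearray(rolling.build_frame(CMD_STOP))
    tampered[8] = CMD_HOIST_UP  # flip the command byte; the MAC no longer matches
    tampered_ok = rolling.receive(bytes(tampered))
    return fixed_replay_ok, rolling_replay_ok, fresh_ok, tampered_ok


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True, False)
```

The checksum in the fixed-code model is exactly the kind of thing the researchers flagged: it protects against radio noise, not against an attacker, and a frame that passes it once will pass it forever. The rolling-code model fixes that with a counter the receiver never accepts twice and a keyed tag so the counter and command cannot be altered in transit.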
I could list many more examples of ways hackers can now interact with our physical lives, but I think you get the idea. The way I’ve painted it so far is that hackers can pretty much tap us on the shoulder from the comfort of their keyboard. I’ve made it sound like we’re all doomed. So why aren’t cranes spinning around on building sites? Why aren’t houses burning down? Why aren’t cars smashing into each other at 90 mph? Well, it all comes down to motivation.
Generally speaking, hackers are motivated by prestige or, more commonly, profit. This means they’d much rather go for quick wins like ransomware or cryptomining, or put the hours in and hack their way into a big juicy corporate target. Hacking a pacemaker might be good for some extortion on high-value targets (“Pay me millions or I’ll kill you”), but if a hacker trawling Shodan finds a way into, say, a vendor’s range of smart home devices, they’re more likely to go for a bug bounty if we’re lucky, or cash in on the dark web if we’re not. It’s in the latter case that the doom-laden scenarios start to become a tad more realistic.
The above notwithstanding, the writing is very much on the wall. So, it makes sense to do the sensible thing right now and make sure your business isn’t vulnerable to attack by that smart device your boss brought in, or to be honest, from any other part of your IT infrastructure. The remedies are very much the same and, thankfully, easy to implement. A decent penetration testing schedule will outline your security weaknesses and how to fix them, and security monitoring with proactive threat hunting is pretty much the best way to stay on top of any security threats as they arise. It sounds so simple – and it is – but so many organisations aren’t doing these security basics.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.