
How Hedgehog Security keeps your data secure from hackers

As a cyber security company, nothing is more important to us than the security of our customers’ data. A breach of our customer information could cost us our entire business, and that’s why we go above and beyond to implement the latest cutting-edge security tools, as well as ensure robust processes and the fundamentals of information security management are in place.

Our ISO 27001 Certificate

Our ISO 9001 Certificate

Here we describe the specific controls and approaches we take to securing the different aspects of our business, from the office we use, to our datacentres, access control, and prevention and detection strategies:

Continuous security monitoring
Our vulnerability scanning service provides high quality assessments of weaknesses in internet-facing systems. Using our own service against ourselves allows us to be rapidly informed whenever new vulnerabilities are released.
 
Detection
At Hedgehog we use industry standard intrusion prevention tools to protect our online services and infrastructure against active attacks.
 
Endpoint protection
We use state of the art anti-virus and anti-malware solutions as part of a suite of next generation endpoint protection tools.
 
Transport encryption
As you would expect, we use banking-grade 128-bit AES Transport Layer Security (TLS) encryption on all transport links carrying customer information or controlling our infrastructure. We would rather all our clients use TLS v1.3, but we will support TLS v1.2. Sadly, we cannot support any clients that are unable to use at least TLS v1.2.
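The version policy described above (prefer TLS 1.3, accept TLS 1.2, refuse anything older), as an added example using Python's standard ssl module; this is constructed illustration, not Hedgehog Security's own configuration, and the negotiate() helper models the server's choice rather than performing a real handshake.

```python
"""Server-side TLS version policy: minimum TLS 1.2, prefer TLS 1.3.

Constructed example, not the company's code. build_policy_context()
produces a real SSLContext that enforces the policy; negotiate() models
which version such a server would settle on for a given client offer.
"""
import ssl


def build_policy_context() -> ssl.SSLContext:
    """Return a server context that refuses TLS 1.1 and below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Floor at TLS 1.2; cap at TLS 1.3 so the policy is explicit and
    # does not silently change if a future OpenSSL adds new versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def version_accepted(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if the context would allow a session at this version."""
    # ssl.TLSVersion is an IntEnum ordered by protocol version number,
    # so the comparison is valid once both bounds are set explicitly.
    return ctx.minimum_version <= version <= ctx.maximum_version


def negotiate(ctx: ssl.SSLContext, offered):
    """Model the server's choice for a client offering these versions.

    Returns the highest mutually acceptable version (so TLS 1.3 wins
    over 1.2 when both are offered) or None when the client only offers
    versions below the policy floor, i.e. the handshake is refused.
    """
    acceptable = [v for v in offered if version_accepted(ctx, v)]
    return max(acceptable) if acceptable else None


if __name__ == "__main__":
    policy = build_policy_context()
    # Modern client offering both supported versions -> TLS 1.3 chosen.
    print(negotiate(policy, [ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]))
    # Legacy-only client -> refused (None).
    print(negotiate(policy, [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1]))
```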
 
Data separation
Our client portal uses industry standard libraries and software engineering techniques to ensure logical data separation between clients’ datasets within our datacentre environment. All client data is encrypted with an encryption key unique to that client, and that key is changed every day.
 
Data centre security
We exclusively use UK based datacentres with numerous security certifications, including ISO27001, PCI DSS and more.
 
Individual accounts
We assign all privileged users with individual accounts to enable auditing and logging of privileged accesses to customer data.
 
Patching
Hedgehog has robust policies and implements processes to ensure we regularly perform essential maintenance activities such as patching software, taking data backups and testing that controls function as expected. We patch our Windows machines every 14 days, our Linux machines every 7 days and our penetration testing machine every day.
 
Backups
We perform regular full backups of our customer data (while an engagement is underway) and company information and store them securely on our Iron-Drive. Backup restore procedures are tested bi-annually to ensure that any disasters can be recovered from. We have extended our backup program to ensure we take a full offline backup every week.
 
Background checks
We vet every employee with third-party background checks that verify identity and criminal records, and we follow up on character references.
 
Access reviews
We perform regular access reviews of employee privileges to ensure that, as employee roles change over time, their privileges are updated and kept in sync.
 
Penetration testing
We perform penetration testing against our application on every major release using our own in-house CREST and TIGER qualified security experts.
 
Storage encryption
We use full-disk encryption on all company devices as standard, as well as on cloud volumes storing customer information. This enables us to protect data on equipment that is lost or stolen. Data is stored using AES254 with a 4096 bit key. We have implemented a Shifting Sanding encryption mechanism which uses a unique 2048 bit long random key which is then hashed using a PGP key assigned to the client. Every day the keys change and the data is subsequently re-encrypted.
 
Data destruction
We wipe 100% of client operational data within 30 days of the end of an engagement. Wiping is a complex process that works by creating a 4096 bit hash which is used to create an in memory PGP key. This key is then used to encrypt all of the data belonging to the client. The PGP key is then purged from memory and the client files are overwritten 7 times with random data.
 
Hardened builds
All of our systems use hardened builds for their application servers using CIS controls, which you can review on the CIS website here. No software runs with root privileges, and application and deployment accounts do not have access to the rest of the operating system or network beyond what is necessary. Bash scripts for hardening our services can be found in a Git repo.
 
Secure coding
We adopt secure coding principles during development. All code being checked in is reviewed for security weaknesses by both humans and automated scanning tools. However, we do not produce applications and are not involved in application development.
 
No passwords
We use SSH keys to control access to our infrastructure. No passwords are in use in the estate, protecting us from standard brute forcing and password stuffing attacks. Where passwords are used, for users they are 16 characters long and for administrative functions they are 64 characters long. We do not enforce complexity or mandatory changes, as guided by NIST and the NCSC.
 
Two factor authentication
Hedgehog uses two-factor authentication on all corporate accounts. This helps us prevent common attacks like email phishing, which aim to capture user credentials to gain access to company information and services.
 
Anti-virus and anti-malware
All of our infrastructure is protected by anti-virus and anti-malware systems. Our Windows systems are protected with Windows Defender. Our OSX systems are protected by Intego. 
 
Our Kali pentesting systems do not have any endpoint protection as they are pentesting systems.
 
Hedgehog does not enforce any form of web filtering due to the nature of our work.
 
Least privilege
We follow the principle of least privilege as a general model within the business. Where employees do not require access to information or systems, they are not given it.
 
Governance & Responsibility
No amount of technical security controls would be sufficient unless backed up by robust process and governance. Intruder has a robust governance model in place which makes specific staff members responsible for information security in the organisation, in line with ISO27001 principles.
