A Happy New Year to all our clients and friends. May 2014 be a good one for you.

Welcome to our first newsletter of the year. This month, we’re covering the following:

  • The Target Breach – A case study of being compromised
  • “Dumping” Windows Credentials
  • New Social Engineering Services
  • Securus Global - Client Workshops
  • Partner Updates
  • Industry Roundup
  • Securus Global joins PS&C Group

The Target Breach – a case study of being compromised

This story about the Target (USA) security breach has continued to unravel. Had it not been for card issuers and brands identifying Target as a common point of purchase for compromised accounts, Target would probably still be oblivious to the fact they had been compromised.
http://www.nytimes.com/2014/01/18/business/a-sneaky-path-into-target-customers-wallets.html?ref=business&_r=1

We could say that penetration testing may have reduced Target’s risk of being compromised, but the truth is that a company’s security posture is rarely, if ever, substantially improved through penetration testing alone.

Read this article by Drazen Drazic from 2010 that looks deeper into Application and Systems security and contact us if we can be of assistance to you:
http://tek-tips.nethawk.net/looking-at-what-makes-good-application-security-knowledge/

“Dumping” Windows Credentials

This post is targeted at technical security analysts and system administrators. It looks at what we do during a penetration test of Windows systems once we have compromised a host and are now looking for ways to escalate privileges and gather as much information as we can.

We cover various approaches and also discuss a relatively interesting technique: AD replication.

Full post by Securus Global:
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/

New Securus Global Social Engineering Services

In our last newsletter, we posted a case study on “spear-phishing” and the ease with which such attacks, if planned out well, can succeed:
https://www.securusglobal.com/community/2013/12/05/does-spear-phishing-work/

Whilst many companies carry out technical penetration and other security tests, it’s interesting to see how few actually address the risk of “social-engineering” based attacks.

We believe there are numerous reasons for this, ranging from the belief that nothing can be done to stop such attacks from occurring, right through to companies simply not being aware of just how prevalent such attacks are, or not wanting to “hack humans”.

As we’ve said before, if someone wants to target your organisation, they will generally take the path of least resistance. In many cases that does not mean looking for vulnerabilities in your information systems (traditional “hacking”) to find a way in, when a couple of phone calls or other carefully crafted social engineering attacks can achieve the desired result faster and with less chance of detection.

Securus Global has been helping clients minimise their security risks against social engineering attacks now for many years and in 2014, we’ve expanded our services in this field to a level we believe no one else is doing at the moment.

Our Red Cell services continue to evolve; however, the more interesting developments are our new self-service offerings, which allow our clients to create their own testing programs at their own pace, with their own customisation, analysis and tracking. Read more about this here: https://www.securusglobal.com/services/assessment-and-assurance-services/red-cell-assessments/

For further information, please contact us.

Securus Global - Client Workshops

The Anatomy of a Security Breach

At Securus Global, we are frequently asked by our clients how hackers compromise companies and in turn, what can be done to minimise the risk of it happening to their own organisation.

This is why, in early 2014, we’re offering client workshops that explain the anatomy of such attacks and how attackers obtain the information they need about your company.

In these informal 1-2 hour sessions (no cost), we talk about what we have seen over the last 10 years and how the attacks are planned and carried out, but most importantly, what you can do to minimise the chances of this happening to your company.

For more information: https://www.securusglobal.com/community/2014/01/16/the-anatomy-of-a-security-breach/

Partner Updates

Imperva:
Imperva has recently released a new infographic and whitepaper, the “Web Attack Survival Guide”, a blueprint for surviving web attacks, complemented by an on-demand webcast.

Prepare for attack! The seven rules listed in this graphic will help your contacts protect their organisation from external threats targeting their high-value applications and data assets. The graphic complements the “Web Attack Survival Guide” whitepaper. Share the graphic and whitepaper with your network: http://www.imperva.com/docs/social/Infographic_Web_Attack_Survival_Guide.jpg

Qualys:
Upcoming WebEx trainings: https://community.qualys.com/community/training. Topics covered will include:

  • Vulnerability Management
  • Policy Compliance
  • Web Application Scanning
  • Malware Detection
  • Express Lite

Industry Roundup

The Underground hacked and owned:
The world’s largest Mixed Martial Arts forum (The Underground) was hacked and owned for a couple of years: http://www.mixedmartialarts.com/thread/2278512/Site-hack-and-PW-change/?pc=141
The initial response and the actions taken since it was first “reported” make interesting reading.

The Privacy Act and the cloud:
The improbability of Privacy Act compliance, Pt 2.

Australia’s new Privacy Act will come into effect during a period of tremendous turbulence in the technology sector, owing to a surge in subscriptions to cloud computing services. Securus Global is actively working with our customers to minimise the impact of the new requirements, and with our product partners to develop ways in which organisations can meet the new requirements with as little impact on business operations as possible.

Most of the initial resistance by CIOs to the use of cloud services is dissipating as the weight of opinion swings in favour of the model, spurred on by the availability of onshore clouds.
http://www.itnews.com.au/BlogEntry/369539%2Cthe-privacy-act-and-the-cloud.aspx

Securus Global joins PS&C Group

You may have read late last year about Securus Global joining the PS&C Group and floating on the ASX.
http://pscgroup.com.au/index.html

The main benefit to our clients is that, with Securus Global now part of a larger group of companies, we can provide the market with a more complete portfolio of IT services and solutions.

Outside of that, Securus Global remains Securus Global and that will not change.

From our perspective, this direction is a positive step for our industry. Our company began operating in 2003. Its growth over the past decade has been entirely organic, stemming from referrals by our client base and by other professionals. This has built the reputation Securus Global holds in the industry, both here in Australia and globally. The growth and development of our professional staff has evolved in a similar manner: we have attracted high-quality, committed professionals and invested in their training, development and growth. This will only improve now.

Contact us if we can be of assistance to you.