
Hello Everyone and Happy New Year from the team at Securus Global. This is our first Newsletter of the year. We hope you find it interesting and as usual, please send us through your feedback.

Announcements

Security as a Competitive Advantage in the Global University Software Market

In December Securus Global completed round two of our security shake up of Learning Management Systems used by universities and colleges globally.

The analysis and ongoing updates are posted here. Latest update is from December 2012: http://www.unitask.com/oracledaily/2012/12/27/open-as-in-transparent-instructure-conducts-2nd-public-security-audit-on-canvas-lms/

For those that are not aware of the history, in 2011 Securus Global was actively involved in shaking up how security was assessed in Learning Management Systems (LMS) affecting many of the world’s universities. We were initially drawn into this as a result of an engagement against an LMS that we performed for an Australian University.

It started with a news article from SC Magazine that came about when Australian universities shared the results of our work which showed serious security issues with student and staff information. This article went global and set off a chain of events that saw the world’s largest LMS developers competing with each other in regards to how well their products protected student and staff information.

Original article:
http://www.scmagazine.com.au/News/272215,millions-of-student-exams-tests-and-data-exposed.aspx

If you are responsible for Information Security at a University or other Educational establishment that uses LMS, please take your time and read through the article and the associated links within it.

Read more posts from Securus Global here:
http://community.securusglobal.com/author/securusblog/


Securus Global – Abroad in 2012

2012 brought Securus Global a lot more work internationally with companies based in Europe, the US and Asia: companies that, as a result of our strong reputation, have chosen Securus Global as their preferred supplier/consultant for security testing and advisory services (in the banking, retail and education sectors, to name just a few). We expect this to continue to grow in 2013, providing us with opportunities to perform different types of tests in different markets that we can then leverage for our Australia and Oceania customers.

It is also always nice to see feedback showing that our customers appreciate our commitment to delivering more. Our most recent review comes from the CSO of a new Silicon Valley start-up who was previously the CSO for a large global Cloud Services Provider:

“While at Company X, we managed over 80 customer sponsored pen tests against the Company X environment, and from my experience, Securus had the most skilled testers (and that's against approx 30 outsourced pentesting teams)”.

http://securusglobal.com/


Learning about Vulnerability Management, PCI Compliance, Policy Compliance and Web Application Scanning - Qualys

Even if you’re not yet using QualysGuard, the world’s leading Vulnerability Management System and its toolsets around PCI, Policy Compliance and Web Application, we invite you to attend these free training sessions:

- PCI Compliance: 17 January 2013
- Vulnerability Management: 22 January 2013
- Policy Compliance and Web Application Scanning: 23 January 2013

For more information on these sessions and to book in, please click here:
https://community.qualys.com/community/training

If 2013 is finally the year you’re looking at implementing a Vulnerability Management solution, please contact us. For close to 10 years, Securus Global and Qualys have maintained a strong partnership and helped secure many of the World’s largest brands.

A trial can literally take only a few minutes to set up and with the expertise of the Securus Global and Qualys teams, we can assist you to develop an overall strategy based upon a decade of seeing what works and what doesn’t across some of the largest companies in the world.

More information:
http://securusglobal.com/products/qualysguard/


Mobile Application Security Planning with Securus Global

Securus Global has always been at the forefront of mobile security analysis and testing.

Whether for iOS or Android, and irrespective of whether the application’s audience is internal (for your staff’s use) or external (systems being developed for clients), Securus Global has helped secure mobile applications for many of Australia’s largest companies across many industry sectors (including applications built for Australian and international clients).

You’re probably already using mobile applications daily that have been reviewed by Securus Global. As our clients will attest to, they rely on us as their “partner” and while they engage us directly to test specific applications, they know we’re available to them at all times to workshop ideas and approaches around mobile security strategy and techniques.

We don’t charge for ideas, only for concrete deliverables. Before you embark upon development or deployment of mobile applications, why not set up a workshop with our team to sit down with you and your developers and let us share our experiences to help you with your programs. A couple of hours with our team could help a great deal towards achieving your goal of a successful and secure mobile application, and save significant time and effort when you're further through your Software Development Lifecycle. Call us anytime to discuss.

More Information: http://www.securusglobal.com/services/assessment-and-assurance-services/mobile-application-security-testing/

http://www.securusglobal.com/company/Presentations%20and%20representations/

Password Cracking Service

Securus Global is pleased to announce that we are now able to offer an offline password cracking service to our clients.

Not sure if you need this or what the benefits would be? (Maybe you haven’t heard of this before as a dedicated service?)

Using a dedicated, custom-specification and secure (offline) system we are able to offer you a very focused analysis of how your actual password security stacks up against defined password policies.

While penetration testing can help our clients understand the security posture of particular environments or applications, these projects often target only a small component of an organisation's entire IT estate. Also, as a result of commercial realities, penetration tests are generally limited to a particular time window or amount of effort. The downside of this approach is that clients don't get to answer some of the "what would happen if…" questions: in particular, what would happen if an attacker with more time and effort than is allocated to a penetration test were to gain a foothold inside the corporate environment? Securus Global's new offline password cracking service is designed to answer this question.

http://www.securusglobal.com/services/assessment-and-assurance-services/website-cracking-service/

Featured Service: Red Cell

2012 was a very busy year for reported compromises of credit card data and personal information, and for business scams and attacks. This is only going to continue as global cybercrime increases.

As we are often preaching to the converted, it is worth taking time to reflect on what our staff are prepared for.

While as IT Security professionals we can prepare policies, provide training and perform our periodic security testing with rigour, exactly how our staff would respond to a clever multi-level attack, undoing all that good work, is always a bit of an unknown.

It is well known that a good attacker who prepares a realistic pretext has a high likelihood of getting into an organisation. Why? Because in many circumstances, people are very helpful and compliant in providing the attacker (social engineer, if you will) with the information they are looking for.

This was shown time and time again at the most recent DEFCON 3rd Annual Social Engineering Capture the Flag and it is certainly the case in almost all of the social engineering/red cell assessments we undertook in 2012.

As we move into 2013, consider including social engineering assessments as a part of your security testing and assurance program. You'll be surprised not at the results, but at what those results do in terms of getting Senior Management support for your security initiatives.

More information: http://www.securusglobal.com/services/assessment-and-assurance-services/red-cell-assessments/

Upcoming and Recent Events

After a busy 2012 with Breakfast Briefs, Technical Sessions and presentations at a raft of conferences both within and outside our industry, we’re currently planning out our 2013 program.

One of the big things in 2012 that went down well was private/custom presentations and workshops for our clients. In 2012 we conducted sessions for our clients on a wide variety of specialised Information Security topics. Just a few example areas:

- Red Cell Security Testing and Social Engineering
- PCI DSS Compliance
- Mobile Security
- State of Security/Industry Analysis
- Web Application Penetration Testing Techniques
- Web Application Security – Secure Coding Techniques
- Emerging Security Threats
- Security for the Small and Medium Business

If you are interested in tailoring a private session for just your organisation, please contact us.
http://securusglobal.com/contact-us/

Securus Global Community

The Securus Global Community Website provides our clients with information on:

- Selected Security News Stories
- Securus Global Announcements
- Industry News and Analysis
- Securus Global Team Information Blogs

Bookmark the page or subscribe to our RSS Feed:
http://community.securusglobal.com/author/securusblog/

Industry Roundup

A few of our favourite security conferences:

SC Magazine recently asked us to name a few of our favourite security conferences. Here’s a list of a couple we came up with at the time:
http://www.scmagazine.com.au/News/326383,securitys-2013-con-wishlist.aspx


IMPERVA:

Imperva CEO Shlomo Kramer details today's top digital threats and discusses why many firms are failing to protect their business data. Additionally, Imperva's CEO explains how enterprises can deploy a modern, effective business security strategy to keep customer and employee data safe, as well as secure intellectual property.

Quick Reference Guide – 6 Step Data Privacy Protection Plan: gives a summary of the risks related to protecting Personally Identifiable Information (PII), along with 6 steps customers can take to automate data privacy and protect sensitive information. An illustration maps Imperva's Database Security Products to each step.

Assessing the Effectiveness of Antivirus Solutions HII Report: how good is antivirus? Imperva collected and analysed more than 80 previously non-catalogued viruses against more than 40 antivirus solutions. Imperva found that less than 5% of the anti-virus solutions in the study were able to initially detect previously non-catalogued viruses.