
A message from our CEO

This month, we’re addressing a few topics that, in our experience, are often misunderstood.

We start by looking at proposed Mandatory Data Breach Disclosure laws. If not done right, they will hurt companies who take security seriously more than companies that don’t. We then look at Vulnerability Management programs and why many companies struggle with them. Then, to throw a spanner in the works, we pick apart penetration testing and the view held by many that it’s a security panacea.

There are also a bunch of interesting articles from the Net and our own Securus Global News and Blog site. In particular, have a look at Nick Ellsmore’s post on the US penetration testing market and analysis of the Australian market.

If you haven’t yet seen our Facebook page, check it out. We’re the first Australian Security Consultancy that is using this medium to focus on spreading awareness of Information Security issues into the broader community.

As we mentioned in the last newsletter, this year we celebrate 10 years in business. When we started out, we did so with a vision to raise the bar and expectations on what security consultancies should be providing businesses. We believe we have done this, yet we are still trying to raise the bar further every day. We consistently get great feedback from our clients and recently got this one from a large US based Cloud Service Provider: “We managed over 80 customer sponsored pen tests against our environment, and from my experience, Securus had the most skilled testers (and that's against approx 30 outsourced pentesting teams)”. If you have never worked with our organisation, we see that as a challenge to win your business. We welcome the opportunity to show you why we have established the reputation we have in our industry both locally and overseas. Give me a call directly anytime for a chat.

Drazen Drazic
CEO
Securus Global

 

Securus Global Opinion

How Mandatory Data Breach Disclosure Could Negatively Impact Australian Businesses

Like Securus Global, you have probably followed this topic now for a number of years and are probably wondering how we can put a negative spin on this when everyone is promoting the benefits of such proposed legislation.

We’re not really, but we are concerned that if not implemented right by the Government, it will have a negative impact upon some companies – and we are not talking about the companies who do security poorly. We are talking about how it will negatively impact those companies who do security well!

Why do we say this?

Read on. The following outlines what our position has been for the last 10 years on this topic and includes our submission to the Australian Government’s request for comment on this topic from 2012. Data Breach Disclosure is not as clear cut in terms of results as many may think:

http://community.securusglobal.com/2013/05/29/mandatory-data-breach-notification/


 

Vulnerability Management Programs – Do you have one?

In 2003 we predicted Vulnerability Management would be the next big thing in Corporate IT Security approaches/strategies. However, 10 years later, we still only see a very small percentage of companies who have an effective Vulnerability Management program in place.

Sure, we see a lot of companies now running QualysGuard, Rapid7, nCircle and even Nessus, but just scanning (and selective scanning at that, in most cases) does not make for a Vulnerability Management program.

One of the biggest problems we see in companies that do actually have such enterprise vulnerability assessment systems deployed is that they scan and then focus on the reports themselves (not the issues and the fixes): how the reports look, lengthy debates over individual findings, arguments over who has ownership of identified issues, and then the whole process repeats after the next scanning cycle. Many companies forget what these systems are all about. These systems are there to identify known issues in corporate systems that could pose a risk if those issues were to be exploited. They give you a list of problems and a proposed solution; the program is what you do with that list.
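The difference between scanning and a program is what happens to each finding between cycles. The following is an added illustration (not Securus Global code, and not tied to any particular scanner) of the bookkeeping a program needs: carrying findings forward across two scan cycles, recording who owns each one, and flagging what is new, what was fixed and what is past an assumed remediation SLA. Hostnames, issue ids, owners and SLA values are constructed sample data.

```python
from datetime import date, timedelta

# Days allowed to fix a finding at each severity (assumed policy, tune per organisation)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def reconcile(open_items, scan_results, today):
    """Carry tracked state forward across one scanning cycle.

    open_items:   {(host, issue_id): {"severity", "owner", "first_seen"}} tracked so far
    scan_results: list of dicts from the latest scan: host, issue_id, severity, owner
    Returns (updated open_items, summary) where summary lists what is new this cycle,
    what disappeared (fixed) since the last cycle, and what is past its SLA.
    """
    seen = {(r["host"], r["issue_id"]): r for r in scan_results}
    new, fixed, overdue, updated = [], [], [], {}
    for k, r in seen.items():
        if k in open_items:
            item = dict(open_items[k])          # keep original first_seen date
            item["severity"] = r["severity"]    # but take the latest severity rating
        else:
            item = {"severity": r["severity"], "owner": r["owner"], "first_seen": today}
            new.append(k)
        deadline = item["first_seen"] + timedelta(days=SLA_DAYS[item["severity"]])
        if today > deadline:
            overdue.append((k, item["owner"], (today - deadline).days))
        updated[k] = item
    # Anything tracked last cycle but absent from this scan is treated as fixed
    fixed = [k for k in open_items if k not in seen]
    return updated, {"new": new, "fixed": fixed, "overdue": overdue}

# Constructed scan output for two monthly cycles
CYCLE_1 = [
    {"host": "web01", "issue_id": "ISSUE-100", "severity": "critical", "owner": "web-team"},
    {"host": "db01", "issue_id": "ISSUE-200", "severity": "medium", "owner": "dba-team"},
]
CYCLE_2 = [
    {"host": "web01", "issue_id": "ISSUE-100", "severity": "critical", "owner": "web-team"},
    {"host": "app01", "issue_id": "ISSUE-300", "severity": "high", "owner": "app-team"},
]

def run_two_cycles():
    """Run both constructed cycles and return the summary of the second one."""
    state, _ = reconcile({}, CYCLE_1, date(2013, 6, 1))
    _, summary = reconcile(state, CYCLE_2, date(2013, 7, 1))
    return summary

if __name__ == "__main__":
    for label, items in run_two_cycles().items():
        print(f"{label}: {items}")
```

In the second cycle the critical finding on web01 is 23 days past its 7-day SLA and is reported against its owner, which is the conversation a program should be having instead of debating the report layout.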

The following is an interesting article that covers what we are talking about. It is well worth a read:
http://sentinel24.com/blog/vuln-mgmt-lie/

An effective Vulnerability Management program is one of the most proactive things you can do to protect your organisation. Give us a call and we can share our experience with you and talk about how we have helped the security of some of Australia’s largest companies right through to small businesses.

Securus Global Consulting Services:
http://www.securusglobal.com/services/assessment-and-assurance-services/VAP/

Securus Global is one of Qualys’ oldest global partners. In 2003, we reviewed the vulnerability assessment tools market and chose Qualys as the best. Since then, no one we have seen has done it better:
http://www.securusglobal.com/products/qualysguard/

 

 

Application Security – A Lost Focus on Corporate Application Security

- This article looks at what Application Security is and proves that it’s not just about “penetration testing”. Application Security is much more than that and Application Security “experts” are more than just people who can find holes in application code:
http://community.securusglobal.com/2013/06/05/looking-at-good-application-security-its-not-just-about-penetration-testing/

- A look back at a talk Drazen Drazic had with David Rice, the author of the widely acclaimed book, “Geekonomics: The Real Cost of Insecure Software” in 2008. Has much changed?
http://community.securusglobal.com/2013/05/20/the-real-cost-of-insecure-software/

 

PCI Update

Just a reminder that in November the PCI Council will release version 3.0 of the PCI DSS and PA DSS. The standards can be used for audits from 1 January 2014. Throughout 2014, organisations will be able to choose between being validated on 3.0 or 2.0.

At this stage, the previews suggest that most of the changes will be to improve the interpretation of the current requirements and to ensure that they remain vendor neutral.

Auditors will receive more detailed testing procedures to clarify what activities should be performed to verify a requirement is in place. In turn this should lead to a clearer interpretation of each requirement's objective. With each iteration of the standard, the infamous "grey areas" are disappearing.

Additionally, some requirements may be reworded so as to provide greater flexibility as to how the requirement may be met, without sacrificing or weakening its integrity, strength or effectiveness. For example, while effective file integrity monitoring (FIM) solutions detect changes to files and other objects, not all change-detection solutions are necessarily called "FIM" solutions, even though they can meet the intent of the requirement. PCI DSS v3.0 may include enhanced flexibility that addresses the objective of certain controls, without limiting the technology or methods employed to meet the intent of the requirements.

As we draw closer to November, we will keep you posted regarding key changes from version 2.0 to version 3.0.

http://www.securusglobal.com/services/compliance-solutions/pci-dss-compliance/

 

Industry Round Up

Extrapolating the US penetration testing market size:

By Nick Ellsmore

One of the questions I have been asked quite a bit following on from my analysis of the Australian penetration testing market <http://www.dellingadvisory.com/blog/2013/4/5/penetration-testing-market-analysis-where-is-all-the-revenue>, is the implied size of the global penetration testing market.  Or at least, the size of the US penetration testing market, on the assumption that it is going to be the largest.  With a few minutes to spare, I thought I would try to kludge together a number that at least seems plausible given the (admittedly very few) external reference points available. Read more here:
http://www.dellingadvisory.com/blog/2013/4/29/extrapolating-the-us-penetration-testing-market-size

 

 

US weapon designs exposed in cyber attack

A new report prepared by the American Defense Science Board (DSB) for the Pentagon has detailed how data relating to advanced weapons systems has been compromised. According to the information contained in the report, more than two dozen weapon system designs were compromised in an attack, which was rumoured to have originated from China. These claims are still unconfirmed. Read more and access the report from here:
http://community.securusglobal.com/2013/05/29/us-weapon-designs-exposed-in-cyber-attack/

 

 

The Best of AusCERT

This year's AusCERT conference was, by all accounts, one of the best. Personally, we have never seen a better group of speakers gathered at the Royal Pines, and it has been great to see over the years the organisers start to invite more technical security people and researchers to present. Check out Patrick Gray’s work from AusCERT. He captures it better than anyone else in his series of interviews and updates:
http://risky.biz/

 

 

Securus Global Blog Posts

To read our blog posts as they come in, you can bookmark and access them from here:
http://community.securusglobal.com/author/securusblog/

 

 

Securus Global Industry News

We also do a daily wrap-up of industry news here on our website:
http://community.securusglobal.com/

 

Upcoming Events

Our stand will be focused on ways online retailers and solution providers can protect their security and stay compliant, in order to ensure their customers' trust and prevent any reputational damage incurred from a security breach.

Come down and chat to us about:

  • Penetration Testing
  • Mobile Application Security Testing
  • Product Assurance
  • PCI DSS Compliance
  • PA DSS Compliance

Securus Global will also be presenting in the eCommerce Technology Theatre on Tuesday 20th August at 12.25 - 12.55pm. Michael, one of our leading Senior Security Consultants will be speaking about Hacking Mobile Applications - Industry Case Studies.

A synopsis of the talk:

The significant growth in mobile commerce, driven by the mass adoption and rapid innovation of mobile platforms, has put a bullseye on these systems for people who see a different kind of challenge in their introduction.

While the growth of mobile commerce has presented many opportunities for online retailers to expand their business and improve customer engagement, it's also created a lucrative target for hackers. We know. We see it every day in our line of business.

This session will give you an insight into what can go wrong, how it has gone wrong for some companies, and provide you with our experience examining the security of mobile applications and assisting clients from a variety of sectors, including major financial institutions, retail and through to media companies whose businesses depend on the security of their data.

Would be great to see you there!

 

Follow us on Social Media

Twitter: https://twitter.com/SecurusGlobal
LinkedIn: http://www.linkedin.com/company/securus-global
Facebook: https://www.facebook.com/SecurusGlobal