
A message from our CEO - Bang for Bucks Security Investment

With security budgets always tight, one of the questions most often put to me in meetings with new clients is: “What can we do to demonstrate to our business management the risks we face, and help us get some decent budget for security?”

Over the years, I’ve learned that the best answer, the one that lets the IT security team immediately show the business its biggest areas of risk, is to run a basic vulnerability assessment across your Internet-facing environment, run from the Internet.

Nothing gets a better reaction all-round than seeing major to critical vulnerabilities on your business’s Internet-facing environment just waiting to be exploited... if they haven’t already been. Once a Vulnerability Management solution is in place with supporting remediation activities, it's very easy to show return on a small investment over a relatively short time period compared to some other potential purchases (e.g. WAF and IDS).

Very few of the clients who have trialled our Vulnerability Management solution have not then gone on to purchase the system and develop their own in-house Vulnerability Management program. After fixing their Internet-facing systems and applications, they’ve moved on to their internal environment and new system builds and, overall, used this as the catalyst for creating a stronger, more complete in-house security and risk management program.

Check out these links for more information and give us a call to set you up with a trial where you can start seeing results within 30 minutes:

The Death of New Services and Consumer Confidence

There’s no quicker way to kill off a great business idea than to push it out to the Internet without seriously considering security. It happens all the time. Here’s a recent example:

We know that established sites survive after an attack. (Even the LinkedIn share price went up soon after their major incident last year.) But they’re established; people more easily forgive and more easily forget.

But users don’t easily forgive or forget when new businesses starting up, or new initiatives from existing businesses wanting to grow, get hacked. Sadly, most of these ventures do die as a result of a security breach. It will be interesting to see how the Australian Bitcoin business linked above goes after this. We do wish them all the best.

In the old days when our industry was still new, you’d call this “scare tactics marketing” (some still do this very well), but the realities are what they are. Unless you are security testing your new offering before it goes to market, the likelihood that it will go to market full of security vulnerabilities is high.

Our figure for finding major to severe security issues in systems and applications we test for the first time is still 95%+. That has not changed since we went into business 10 years ago.

Don’t take chances. Budget for security testing and make it happen; better still, include security consideration and review through all phases of your product life cycle, and you will sleep better at night.

Social Engineering – Should you test?

Do we recommend you undertake Social Engineering or Red Cell type testing as described in this link if you have never done anything to address this type of security risk before?

It may surprise you, but we actually don’t! You’ll be throwing your money away.

History shows that we have a 100% success rate in this area for every job we have ever done. (And that includes companies who have tried to address this area before.) What does that mean? Well, scarily, it means we have been able either to obtain confidential information critical to the organisation’s IP, or to gather enough information to launch a successful hack that would own that company. Take your pick as to which is worse.

So what should companies be doing?

Awareness is key. Train staff on what to do and what not to do. Make staff aware that they are part of the security of the company, and keep the training flowing on a regular basis. Control your company’s Social Media exposure – LinkedIn is a Social Engineer's best friend!

Then, call us in to test to see if your program is working. We’ll still get in, but you will have hopefully minimised our attack vectors. Here’s a recent case study:

Framework for Security Standards

A few weeks ago, companies around the US were given a new set of voluntary standards <http://www.nist.gov/itl/cybersecurity-102213.cfm> that, if they choose to adopt them, will help them increase cyber security without having to formally adhere to red-tape-laden regulations.

The plan was put in place by the National Institute of Standards and Technology (NIST), which said it hopes the framework will encourage companies involved with the country’s critical infrastructure to adopt the standards. These include banks, financial services firms and electric and water utilities.

For years, many of these companies have stated that enforced cyber security standards would only get in the way. By making the standards voluntary, NIST says firms will be much more likely to increase their cyber security efforts.
Read more here:

The "Act" of Privacy - A 10 minute guide to becoming an expert...

There's been a lot of talk in recent weeks about the Privacy Act amendments due to come into play in early 2014.

Feel free to skip the lengthy webinar and rather spend 10 minutes here: http://www.oaic.gov.au/privacy/privacy-act/privacy-law-reform

Alternatively, if you are feeling really time poor, simply spend 5 minutes here: http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles and this should be enough time to become au fait with the Privacy Act.

On a serious note, the Privacy Amendment Act introduces many significant changes to the Privacy Act. While these changes will not commence until 12 March 2014, Australian Government agencies and businesses should start preparing now.

Qualys Webex Training - Vulnerability Management

On 6th December, Qualys will be hosting their final certification Webex session on Vulnerability Management, on Qualys' training website.

This course provides the fundamentals for understanding a Vulnerability Management program with QualysGuard at the center, providing the technology validation component.

For further information and to register, visit: https://community.qualys.com/community/training

Industry Roundup

Check out our team blog and other industry news that we publish regularly on our website here:

* Open Source and Software Trust
By Norman Yue - CTO
Recently, I stumbled across an interesting blog post about trusting security software on Reddit (http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html). This got me thinking, and kicked off a few conversations – to be honest, pretty much any open source software can be backdoored, and a good number of open source software packages have been/still are. It doesn’t need to be an obvious backdoor – simply omitting a security control, or rendering it weaker than it could be, could be just as effective (and much, much more difficult to detect during a source code audit).
Read More: https://www.securusglobal.com/community/2013/11/20/open-source-and-software-trust/

* Fear of cyber attacks influencing corporate IT decisions
As more corporations report a higher number of thwarted cyber attacks, which are also rising in severity, the growing fear of security breaches may be affecting decision makers' ability to mitigate further risks, according to Gartner.
Read More: https://www.securusglobal.com/community/2013/11/18/fear-of-cyber-attacks-influencing-corporate-it-decisions/

* What does PCI 3.0 mean to Security Practitioners?
Cybercrime, identity theft and fraud are on the rise, and in most cases the data breaches are associated with credit cards and cardholder data. The impact of a data breach not only affects your organisation, but also your customers.
A common observation cites that organisations that are PCI compliant are 50% less likely to suffer a data breach. It is alarming to note that most organisations have difficulty complying with the requirements necessary for processing cardholder data.
Read More: http://thehackernews.com/2013/10/what-does-pci-30-mean-to-security_23.html

Securus takes on MOvember!

Upper lips in all of our offices have been transformed over the last few weeks, to help raise awareness of Men's health issues and to raise money for Movember.

Since kicking off on Nov 1st, we've all had the pleasure of watching whiskers spread across faces to develop into some seriously questionable facial hair, with styles ranging from Horseshoe to Mexican, Pencil to Handlebar and in Drazen's case - we're just not sure.

Follow the link to see photos of our 'SG MO Pack' in action... some may surprise you!