The post Security Awareness Training Program (SATP) appeared first on Sense of Security.
]]>The current security threat landscape is replete with aggressive, tenacious and pernicious threats. Today’s attackers are typically highly trained, financially motivated and possibly in the employ of nation states.
Our adversaries tend to have extensive monetary and human resources and the capability to deliver exceptionally well planned, fine-tuned and orchestrated attacks. Motivations now range from political influence, vandalism and theft of customer data and intellectual
property to ransom and extortion on an industrial scale.
A cyberattack can jeopardise operations and create reputational and brand damage, which causes irreparable harm to larger companies and threatens the very existence of smaller ones.
Cyberattacks can also bring public infrastructure to its knees.
Historically, organisations have invested extensively in mitigation through a myriad of hardware and software solutions, that despite their technical capabilities, are not alone adequate to solve the problem. Technology represents only one dimension of the response we can make to manage down cyber risk. We now have extremely capable adversaries who are adapting their techniques to exploit the weakest element in the environment. Invariably, this relates to the most valuable asset in the organisation – its people.
Threats like these require an approach that can meet this challenge and the people to lead and deliver confidence in the face of adversity.
Download the below datasheet and case study to get a better understanding of how Cyber Security Awareness Training can help your organisation.
The post Security Awareness Training Program (SATP) appeared first on Sense of Security.
]]>The post Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7 appeared first on Sense of Security.
]]>Release Date: 23-Oct-2019
Last Update: –
Vendor Notification Date: 09-Jul-2019
Product: XNAT
Platform: Linux and possibly others
Affected versions: 1.7.5.3 (confirmed) and possibly earlier versions
Severity Rating: High
Impact: System Access
Attack Vector: Remote with authentication
Solution Status: XNAT 1.7.5.4 Hotfix Release
CVE reference: CVE – 2019-14276
An XML External Entity (XXE) vulnerability is an attack against an application that parses XML input. Importing an XML file that contains an XML external entity to the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. This attack occurs when XML input contains a reference to an external entity such as a local file on the web server. Common targets include configuration files, e.g. ASP.NET web.config or Linux password files, e.g. /etc/shadow.
The following URL is affected: /REST/search
Please refer to the PDF version of this advisory for proof of concept code examples.
Apply patch from XNAT 1.7.5.4 Hotfix Release.
Additional information is available at:
https://wiki.xnat.org/news/blog/2019/08/xnat-1-7-5-4-hotfix-release-now-available
https://wiki.xnat.org/documentation/getting-started-with-xnat/what-s-new-in-xnat/xnat-1-7-5-4-release-notes
Hamed Merati from Sense of Security Labs.
The post Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7 appeared first on Sense of Security.
]]>The post Sense of Security joins CyberCX as founding member appeared first on Sense of Security.
]]>Sense of Security Pty Ltd announces today that we are a founding member company of CyberCX – the nation’s first at-scale end to end cyber security services organisation.
CyberCX is the vision of technology and executive veteran John Paitaridis, the group’s CEO, and backed by Australia’s largest Private Equity fund – BGH Capital. This is a high-profile venture representing the most significant deployment of capital in the cyber sector in Australia’s history.
CyberCX will be staffed by equally impressive personnel such as Alastair MacGibbon, who has held leading roles in government and enterprise. MacGibbon was Australia’s National Cyber Security Advisor and most recently the head of the Australian Cyber Security Centre (Deputy Director General, Australian Signals Directorate).
Sense of Security (SOS), established in 2002 by co-founders, Murray Goldschmidt and Jason Edelstein, has grown to become one of the most respected firms in Australia, across the disciplines of Technical Assurance and Governance, Risk & Compliance services. With offices in Sydney and Melbourne, and over 50 professionals servicing the nation’s government and finest corporate establishments, the firm has been extensively sought after for assurance, trust and confidence.
SOS has developed a formidable brand and presence in the region. The company leads with innovative services delivered by the top consultants in the industry. The co-founders are highly credentialed, active contributors to the cyber community, and recognised leaders and industry visionaries. Edelstein is serving a second term on the CREST Australia board (the certification body for penetration testing expertise) and Goldschmidt is a substantial contributor to national, regional and international cyber security conferences.
SOS has a track record in development of intellectual property and employee capabilities. With a dedicated R&D function, the business has been committed to innovation since inception. This is a core value for the business and the reason why SOS has been so highly sought after for any professional seeking a career in cyber security. The platform that SOS operates from is one that imbues trust and confidence. This has resonated with clients and staff, seeing the company grow from strength to strength.
Becoming part of the CyberCX brand is an extension of the original vision of Edelstein and Goldschmidt – to operate the nation’s most trusted cyber security firm. That vision now has a national footprint and the delivery capability of over 400 committed and focused personnel.
This is an excellent opportunity for our staff because the group provides extensive horizontal and vertical growth options across the 7 domains of cyber security that are now being delivered as a unified entity: Consulting & Advisory, Security Assurance, Risk & Compliance, Integration & Engineering, Managed Services, Incident Response & Digital Forensics, Training & Education.
More info on CyberCX can be found at cybercx.com.au.
Our press release is available here
The post Sense of Security joins CyberCX as founding member appeared first on Sense of Security.
]]>The post Achieving cyber resilience by reducing your susceptibility to attack appeared first on Sense of Security.
]]>Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim’s resources and make it difficult or impossible for legitimate users to access them.
These attacks can also be more targeted and may not require large volumes of traffic if a specific component is more susceptible to outage through a crafted attack.
A distributed denial-of-service (DDoS) attack occurs at scale and generally is operated through a network of compromised computers on the internet, all controlled and orchestrated by an attacker.
What does DDoS look like today and in what direction is it hitting?
Today, more than ever, organisations are susceptible to outages that are caused through attacks launched at denying their ability to operate their business and service their clients.
Mitigation technologies have achieved greater penetration in the market and the cost of mitigation has come down. This is common with large scale cloud offerings and Content Delivery Networks (CDN’s) now being very accessible. However, organisations remain exposed.
Resilience testing has been part of most other industries for yonks. Read the reast of our whitepaper to get a better understanding of how IT and Cyber resilience testing should be a key part of your Vulnerability Management program.
level that enables manufacturers to improve their
products and processes going forward.
The post Achieving cyber resilience by reducing your susceptibility to attack appeared first on Sense of Security.
]]>The post The case for supply chain risk assessments appeared first on Sense of Security.
]]>Companies, organisations and governments all require risk assessments to be conducted. And more specifically, a well-functioning board needs appropriate and complete information about the risk posture around the operations of a business in order to make informed decisions about the future direction.
The scope of assessments and the depth to which reviews are conducted are what differentiates the better managed businesses from the pack. The reason for this is because narrow risk assessments, while possibly meeting the objective of undertaking such reviews, do not really help an organisation understand the full extent to which they are exposed, and this therefore limits their capacity to react, control and mitigate.
One of the areas we find most lacking in coverage, yet ironically becoming more prevalent around risk and exposure, is supply chain risk.
Understanding Supply Chain Risks adds a totally new dimension to your assessment. These are no longer first order threats. They are likely to be second and third order threats, and in highly integrated and complex environments, the existence of nested supply chains means that you may never know all the parties associated with the product or service you are acquiring. While you may not be able to identify and protect against all supply chain risks, it does not mean that you can blindly ignore this vector due to the complexity of the subject. On the contrary, ignoring supply chain risks today would be negligent, and boards should be insisting that information be presented to them around these risks for consideration.
The post The case for supply chain risk assessments appeared first on Sense of Security.
]]>The post Saving your Windows 10 rollout from calamity appeared first on Sense of Security.
]]>In terms of Enterprise Computing for laptops and desktops (we will collectively refer to these as workstations), Microsoft Windows 10 is the go-to-choice for large scale Operating System (OS) deployments. Workstations are often targeted by an adversary through a range of techniques including luring users to malicious web pages and phishing users through email borne attacks with malicious attachments. Given today’s mobile workforce, laptops are also increasingly lost or stolen by attackers trying to access sensitive data stored on them.
Securing your workstation fleet is therefore an imperative. Testing the security controls is even more important because there is no use of going to the effort of defining and configuring the security profile if you do not know the controls will actually work!
Large scale rollouts generally include the creation of a reference image to serve as the foundation for the devices in your organisation. This also often termed as the Golden Image or Standard Operating Environment (SOE).
Ensuring this is secured can prevent large scale flaws spreading across your organisation. Download the full whitepaper for insights and tips on how to avoid calamity.
The post Saving your Windows 10 rollout from calamity appeared first on Sense of Security.
]]>The post Dynamic Risk Assessments appeared first on Sense of Security.
]]>Risk Management is a discipline with an extensive heritage. For example, the insurance industry has been built on, and profits from, disciplined risk management. For every product there is a policy and a detailed assessment as to what the premium should be to cover the risk and for the underwriter to make a profit overall.
Many of the models that are used in insurance are mathematical and require years of claim data to improve accuracy. However, cyberspace is a constantly evolving landscape with changes occurring far more rapidly than in traditional cover areas such as home and contents, car, travel etc. Due to the lack of established data the cyber insurance industry has struggled to develop models to accurately determine what to cover and for how much.
Putting cyber insurance aside (that is a topic for another paper altogether), let us focus on how cyber risk assessments can be performed for the modern organisation given the dynamic nature of cyberspace.
The post Dynamic Risk Assessments appeared first on Sense of Security.
]]>The post Security awareness – from boardroom to basement appeared first on Sense of Security.
]]>The recent ransomware attack on Victoria’s Health Sector and breach of ANU’s administrative systems both serve to highlight the need to prioritise and build an effective cyber security management program, where raising security awareness is key to protecting systems and data.
End users remain the most vulnerable point of initial attack through phishing. Weak protection and access controls (eg. passwords, authentication) of infrastructure – including legacy infrastructure can lead to networks being further compromised. Incident response time is also paramount to mitigating further attacks.
In planning an effective security management program, one must consider factors including but not limited to: user awareness education; access controls; incident response times; purple teaming – by combining red (attackers) and blue (defenders) teams to simulate an attack and gauge responses; providing technical training to developers to build applications that are more resilient to current and emerging threats. At the executive and boardroom levels, risk modelling should be presented to better understand cyber risks and implications – blending traditional risk assessment approaches with contemporary approaches to technical testing and validating controls.
It is imperative that organisations adopt a whole-of-business approach when addressing security concerns, educating all of its members from boardroom to basement, engendering a positive cultural change in its security posture.
The post Security awareness – from boardroom to basement appeared first on Sense of Security.
]]>The post Web scale cyber resilience appeared first on Sense of Security.
]]>You should be asking yourself “Does my testing firm really understand my tech stack? Are they really going to scrutinise our ability to be cyber resilient?”
High profile website deployments need to leverage the elastic nature of public cloud technology. Modern applications today are most likely designed as micro-services with containerisation for speed of deployment and operational management. The environment is also likely to be auto-scaling. This means that the environment scales to accommodate the load.
There are some other quite fundamental differences between these modern web apps and the ones that are a few years older.
The older ones probably lurk at the edge of your physical data-centres, internal networks and could possibly be in your public cloud environment if they were migrated in a lift-and-shift manner when everyone was all gung-ho about cloud adoption.
For further information download the complete report below.
The post Web scale cyber resilience appeared first on Sense of Security.
]]>The post The state of the internet perimeter in Australia appeared first on Sense of Security.
]]>Sense of Security has released a benchmark study based on 12 months of continuous external network penetration test reports.
External network perimeter penetration tests do not only concentrate on the network layer. This often means we will investigate exposed web applications too. You can rest assured that if it’s exposed to the Internet someone out there is having a look.
Our tests evaluated the robustness of an organisation’s Internet perimeter to simulated attacks designed to breach security defences. The results included in the data were complete perimeter tests but excluded any social engineering scenarios.
SOS has released this data to help improve security awareness of the state of cyber security in Australia. The results here are complementary and should be read in conjunction with those released in our recent ‘The State of Web Application Security in Australia’ report released in May 2019. This will provide the reader with a more complete view of common weaknesses at the network and application layers on the Internet boundary.
While there are certainly challenges, our research indicates that you don’t need the latest and greatest technology to secure your enterprise. Minimising your attack surface area is still one of the most effective things you can perform. Organisation’s should also strive towards continuous monitoring to identify vulnerabilities at high frequency, rather than relying on point in time security reviews alone.
The post The state of the internet perimeter in Australia appeared first on Sense of Security.
]]>