Integrated IT and OT systems like Smart Grids are becoming more popular because of their self-management abilities, ensuring continuous availability of power. The ease of operation is pulling more energy and utility companies to invest in these systems.

But along with the benefits, critical systems are becoming a prime target for cyber attackers to inflict serious damage and disruption.

Cybersecurity is all the more critical while implementing such systems compared to the traditional electrical grid.

Download the full whitepaper to understand the emerging cyber-attack  scenarios in relation to the smart grid, its vulnerabilities and standards for cybersecurity assessment.

The current security threat landscape is rapidly changing. The threats you faced yesterday will not be the threats you face tomorrow. Today’s attackers are typically highly trained, financially motivated and possibly in the employ of nation states.

A whole-of-business approach to security awareness training is needed encompassing everyone.

Attackers are systematically adapting techniques to target the weakest elements in your business. Their attacks are wide and also targeted, with motivated attackers carefully perfecting their craft to get handsome returns on their investment in time.

People remain the weak link in the security of networks, applications and data. It is not only the rank-and-file employees who succumb to phishing scams who pose risks. Most businesses believe that the shiny new technologies they’ve acquired will protect them from everything while producing the reporting they need to comply with standards and regulations. However, human points of interaction have the potential to undermine even the most comprehensively designed systems through a simple mouse click.

A denial-of-service attack has the objective of preventing legitimate users from accessing specific computer systems and services.

Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim’s resources and make it difficult or impossible for legitimate users to access them.

These attacks can also be more targeted and may not require large volumes of traffic if a specific component is more susceptible to outage through a crafted attack.
A distributed denial-of-service (DDoS) attack occurs at scale and generally is operated through a network of compromised computers on the internet, all controlled and orchestrated by an attacker.

What does DDoS look like today 
and in what direction is it hitting?

Today, more than ever, organisations are susceptible to outages that are caused through attacks launched at denying their ability to operate their business and service their clients.

Mitigation technologies have achieved greater penetration in the market and the cost of mitigation has come down. This is common with large scale cloud offerings and Content Delivery Networks (CDN’s) now being very accessible. However, organisations remain exposed.

Resilience testing has been part of most other industries for yonks. Read the reast of our whitepaper to get a better understanding of how IT and Cyber resilience testing should be a key part of your Vulnerability Management program.
level that enables manufacturers to improve their
products and processes going forward.

Risk Management has been a constant in information security standards, regulations and corporate policies essentially forever. It is a staple.

Companies, organisations and governments all require risk assessments to be conducted. And more specifically, a well-functioning board needs appropriate and complete information about the risk posture around the operations of a business in order to make informed decisions about the future direction.

The scope of assessments and the depth to which reviews are conducted are what differentiates the better managed businesses from the pack. The reason for this is because narrow risk assessments, while possibly meeting the objective of undertaking such reviews, do not really help an organisation understand the full extent to which they are exposed, and this therefore limits their capacity to react, control and mitigate.

One of the areas we find most lacking in coverage, yet ironically becoming more prevalent around risk and exposure, is supply chain risk.

Understanding Supply Chain Risks adds a totally new dimension to your assessment. These are no longer first order threats. They are likely to be second and third order threats, and in highly integrated and complex environments, the existence of nested supply chains means that you may never know all the parties associated with the product or service you are acquiring. While you may not be able to identify and protect against all supply chain risks, it does not mean that you can blindly ignore this vector due to the complexity of the subject. On the contrary, ignoring supply chain risks today would be negligent, and boards should be insisting that information be presented to them around these risks for consideration.

The case for advanced 
security testing

In terms of Enterprise Computing for laptops and desktops (we will collectively refer to these as workstations), Microsoft Windows 10 is the go-to-choice for large scale Operating System (OS) deployments. Workstations are often targeted by an adversary through a range of techniques including luring users to malicious web pages and phishing users through email borne attacks with malicious attachments. Given today’s mobile workforce, laptops are also increasingly lost or stolen by attackers trying to access sensitive data stored on them.

Securing your workstation fleet is therefore an imperative. Testing the security controls is even more important because there is no use of going to the effort of defining and configuring the security profile if you do not know the controls will actually work!

Large scale rollouts generally include the creation of a reference image to serve as the foundation for the devices in your organisation. This also often termed as the Golden Image or Standard Operating Environment (SOE).

Ensuring this is secured can prevent large scale flaws spreading across your organisation. Download the full whitepaper for insights and tips on how to avoid calamity.

Risk Management is a discipline with an extensive heritage. For example, the insurance industry has been built on, and profits from, disciplined risk management. For every product there is a policy and a detailed assessment as to what the premium should be to cover the risk and for the underwriter to make a profit overall.

Many of the models that are used in insurance are mathematical and require years of claim data to improve accuracy. However, cyberspace is a constantly evolving landscape with changes occurring far more rapidly than in traditional cover areas such as home and contents, car, travel etc. Due to the lack of established data the cyber insurance industry has struggled to develop models to accurately determine what to cover and for how much.

Putting cyber insurance aside (that is a topic for another paper altogether), let us focus on how cyber risk assessments can be performed for the modern organisation given the dynamic nature 
of cyberspace.

You should be asking yourself “Does my testing firm really understand my tech stack? Are they really going to scrutinise our ability to be cyber resilient?”

High profile website deployments need to leverage the elastic nature of public cloud technology. Modern applications today are most likely designed as micro-services with containerisation for speed of deployment and operational management. The environment is also likely to be auto-scaling. This means that the environment scales to accommodate the load.

There are some other quite fundamental differences between these modern web apps and the ones that are a few years older.

The older ones probably lurk at the edge of your physical data-centres, internal networks and could possibly be in your public cloud environment if they were migrated in a lift-and-shift manner when everyone was all gung-ho about cloud adoption.

For further information download the complete report below.

Sense of Security has released a benchmark study based on 12 months of continuous external network penetration test reports.

Sense of Security has released the first ever Australian Cyber Security benchmark study built on 12 months of continuous Web Application Penetration test reports.

This comprehensive document clearly demonstrates those in Australia who think their web apps are safe-and-sound could be vulnerable. Co Author and SOS Founder, Jason Edelstein, “Web applications are part of the basic building blocks of the Internet, and a major portion of those who think their web assets are secure, are in fact, potentially vulnerable.”

SOS collated and examined data from 175 Web Application Penetration test reports over the past 12 months and came up with 3,670 findings. 41% of the findings show that companies and institutions are at medium to high risk, and from those, 6% of the findings found serious web app vulnerabilities and are rated at a high risk of attack.

Edelstein said, “we are coming from a very large sample over a relatively short time period, the report is a perfect benchmark for everybody concerned with Cyber Risk. Based on the depth and breadth of the report, the notion of thinking ‘everything is OK’ has been comprehensively rebutted.”