Russell Moverley – Sense of Security (feed last built Wed, 26 Feb 2020 00:39:49 +0000)

Security Awareness Training Program (SATP) – Thu, 07 Nov 2019 – /security-awareness-training-program-satp/

We specialise in the development, facilitation and management of a whole-of-business awareness program that educates your people to better understand the ongoing threat landscape, and to see security as a shared responsibility for which everyone is accountable.

The post Security Awareness Training Program (SATP) appeared first on Sense of Security.


The current security threat landscape is replete with aggressive, tenacious and pernicious threats. Today’s attackers are typically highly trained, financially motivated and possibly in the employ of nation states.

Our adversaries tend to have extensive monetary and human resources and the capability to deliver exceptionally well planned, fine-tuned and orchestrated attacks. Motivations now range from political influence, vandalism and theft of customer data and intellectual property to ransom and extortion on an industrial scale.

A cyberattack can jeopardise operations and create reputational and brand damage, which causes irreparable harm to larger companies and threatens the very existence of smaller ones.

Cyberattacks can also bring public infrastructure to its knees.

Historically, organisations have invested extensively in mitigation through a myriad of hardware and software solutions that, despite their technical capabilities, are not on their own adequate to solve the problem. Technology represents only one dimension of the response we can make to manage down cyber risk. We now have extremely capable adversaries who are adapting their techniques to exploit the weakest element in the environment. Invariably, this is the most valuable asset in the organisation – its people.

Threats like these require an approach that can meet this challenge and the people to lead and deliver confidence in the face of adversity.

Download the datasheet and case study below to get a better understanding of how Cyber Security Awareness Training can help your organisation.


If you have any questions or would like to discuss your security training needs contact us today or call 1300 922 923.

Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7 – Wed, 23 Oct 2019 – /security-advisory-sos-19-001-xml-external-entities-injection-xxe-in-xnat-1-7/

The Inteset Secure Lockdown desktop application allows the use of the deprecated SHA-1 hash function to store the Inteset administrator’s password in the Windows registry.


Inteset Secure Lockdown Standard Edition – Privilege Escalation and Insecure Cryptographic Storage.

Release Date: 23-Oct-2019

Last Update:

Vendor Notification Date: 09-Jul-2019

Product: XNAT

Platform: Linux and possibly others

Affected versions: 1.7.5.3 (confirmed) and possibly earlier versions

Severity Rating: High

Impact: System Access

Attack Vector: Remote with authentication

Solution Status: XNAT 1.7.5.4 Hotfix Release

CVE reference: CVE-2019-14276

Details

An XML External Entity (XXE) vulnerability is an attack against an application that parses XML input. Importing an XML file that contains an external entity into the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. The attack occurs when the XML input contains a reference to an external entity, such as a local file on the web server. Common targets include configuration files (e.g. ASP.NET web.config) and Linux password files (e.g. /etc/shadow).

The following URL is affected: /REST/search

Please refer to the PDF version of this advisory for proof of concept code examples.
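As an added defensive example (not part of this advisory and not XNAT's own code), the following standard-library Python check refuses an uploaded XML document that carries a DOCTYPE, an entity declaration or an external entity reference before it reaches a more permissive application parser; the sample documents and the file path in them are constructed.

```python
"""Reject XML carrying DTD/entity constructs before it reaches the app parser.

Added example for the XNAT XXE advisory; uses only the Python standard
library and is not XNAT's code. Expat does not fetch external entities
unless explicitly asked to, so parsing here is itself safe; its callbacks
are used purely to detect the constructs that make XXE possible in a
downstream parser that has external entities enabled.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document contains constructs that enable XXE."""


def check_xml_is_dtd_free(data: bytes) -> dict:
    """Parse `data` and refuse any DOCTYPE, entity declaration or external ref.

    Returns a small summary of an accepted document: root element name and
    total element count. Raises UnsafeXMLError otherwise (also for malformed
    input, so a gateway can treat every failure as a rejection).
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE ...", before any internal subset is read.
        raise UnsafeXMLError(f"DOCTYPE declaration for <{name}> is not allowed")

    def on_entity(entity_name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {entity_name!r} is not allowed")

    def on_ext_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} is not allowed")

    def on_start(name, attrs):
        if stats["root"] is None:
            stats["root"] = name
        stats["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_ext_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return stats


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one uploaded document."""
    try:
        check_xml_is_dtd_free(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"


# Constructed sample: a benign search document of the shape a REST search
# endpoint might accept.
BENIGN_XML = b"""<?xml version="1.0"?>
<search><field>subject_id</field><value>ABC123</value></search>"""

# Constructed sample of the construct the advisory describes: a DOCTYPE that
# declares an external entity pointing at a local file (placeholder path).
EXTERNAL_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE search [<!ENTITY ext SYSTEM "file:///path/to/local/file">]>
<search><field>&ext;</field></search>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", EXTERNAL_ENTITY_XML)):
        print(label, "->", classify(doc))
```

In a Java stack such as XNAT's, the equivalent hardening is to disable DTDs and external entities on the parser factory itself; this pre-check is a defence-in-depth layer in front of that.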

Solution

Apply patch from XNAT 1.7.5.4 Hotfix Release.

Additional information is available at:

https://wiki.xnat.org/news/blog/2019/08/xnat-1-7-5-4-hotfix-release-now-available

https://wiki.xnat.org/documentation/getting-started-with-xnat/what-s-new-in-xnat/xnat-1-7-5-4-release-notes

Discovered By

Hamed Merati from Sense of Security Labs.

Our expert consultants are here to help you. For all your Cyber Security needs please contact us today.

Sense of Security joins CyberCX as founding member – Tue, 15 Oct 2019 – /sense-of-security-joins-cybercx-as-founding-member/

Sense of Security Pty Ltd announces today that we are a founding member company of CyberCX – the nation’s first at-scale end to end cyber security services organisation.



CyberCX is the vision of technology and executive veteran John Paitaridis, the group’s CEO, and backed by Australia’s largest Private Equity fund – BGH Capital. This is a high-profile venture representing the most significant deployment of capital in the cyber sector in Australia’s history.

CyberCX will be staffed by equally impressive personnel such as Alastair MacGibbon, who has held leading roles in government and enterprise. MacGibbon was Australia’s National Cyber Security Advisor and most recently the head of the Australian Cyber Security Centre (Deputy Director General, Australian Signals Directorate).

Sense of Security (SOS), established in 2002 by co-founders Murray Goldschmidt and Jason Edelstein, has grown to become one of the most respected firms in Australia across the disciplines of Technical Assurance and Governance, Risk & Compliance services. With offices in Sydney and Melbourne, and over 50 professionals servicing the nation’s government and finest corporate establishments, the firm has been extensively sought after for assurance, trust and confidence.

SOS has developed a formidable brand and presence in the region. The company leads with innovative services delivered by the top consultants in the industry. The co-founders are highly credentialed, active contributors to the cyber community, and recognised leaders and industry visionaries. Edelstein is serving a second term on the CREST Australia board (the certification body for penetration testing expertise) and Goldschmidt is a substantial contributor to national, regional and international cyber security conferences.

SOS has a track record in development of intellectual property and employee capabilities. With a dedicated R&D function, the business has been committed to innovation since inception. This is a core value for the business and the reason why SOS has been so highly sought after for any professional seeking a career in cyber security. The platform that SOS operates from is one that imbues trust and confidence. This has resonated with clients and staff, seeing the company grow from strength to strength.

Becoming part of the CyberCX brand is an extension of the original vision of Edelstein and Goldschmidt – to operate the nation’s most trusted cyber security firm. That vision now has a national footprint and the delivery capability of over 400 committed and focused personnel.

This is an excellent opportunity for our staff because the group provides extensive horizontal and vertical growth options across the 7 domains of cyber security that are now being delivered as a unified entity: Consulting & Advisory, Security Assurance, Risk & Compliance, Integration & Engineering, Managed Services, Incident Response & Digital Forensics, Training & Education.

More info on CyberCX can be found at cybercx.com.au.

Our press release is available here.

If you have any questions or would like to discuss your security awareness needs, contact us today or call 1300 922 923.

Achieving cyber resilience by reducing your susceptibility to attack – Tue, 08 Oct 2019 – /achieving-cyber-resilience/

The reason why a DDoS mitigation effectiveness test needs to be part of your vulnerability management program.



A denial-of-service attack has the objective of preventing legitimate users from accessing specific computer systems and services.

Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim’s resources and make it difficult or impossible for legitimate users to access them.

These attacks can also be more targeted and may not require large volumes of traffic if a specific component is more susceptible to outage through a crafted attack.

A distributed denial-of-service (DDoS) attack occurs at scale and is generally operated through a network of compromised computers on the internet, all controlled and orchestrated by an attacker.

What does DDoS look like today and in what direction is it hitting?

Today, more than ever, organisations are susceptible to outages that are caused through attacks launched at denying their ability to operate their business and service their clients.

Mitigation technologies have achieved greater penetration in the market and the cost of mitigation has come down, with large scale cloud offerings and Content Delivery Networks (CDNs) now being very accessible. However, organisations remain exposed.

Resilience testing has been part of most other industries for a very long time. Read the rest of our whitepaper to get a better understanding of how IT and Cyber resilience testing should be a key part of your Vulnerability Management program.

Get the full document here


If you need assistance with fully understanding this report or would like to chat further about your security needs, our specialist consultants are here to help you. Please contact us today.

The case for supply chain risk assessments – Sun, 06 Oct 2019 – /the-case-for-supply-chain-risk-assessments/

Are you thinking about the extent to which you are integrated in various supply chains? Learn how you can identify and assess your exposure and resilience to these forms of attack.


A business primer

Risk Management has been a constant in information security standards, regulations and corporate policies essentially forever. It is a staple.

Companies, organisations and governments all require risk assessments to be conducted. And more specifically, a well-functioning board needs appropriate and complete information about the risk posture around the operations of a business in order to make informed decisions about the future direction.

The scope of assessments and the depth to which reviews are conducted are what differentiate the better managed businesses from the pack. This is because narrow risk assessments, while possibly meeting the objective of undertaking such reviews, do not really help an organisation understand the full extent to which it is exposed, and this limits its capacity to react, control and mitigate.

One of the areas we find most lacking in coverage, yet ironically becoming a more prevalent source of risk and exposure, is supply chain risk.

Understanding Supply Chain Risks adds a totally new dimension to your assessment. These are no longer first order threats. They are likely to be second and third order threats, and in highly integrated and complex environments, the existence of nested supply chains means that you may never know all the parties associated with the product or service you are acquiring. While you may not be able to identify and protect against all supply chain risks, it does not mean that you can blindly ignore this vector due to the complexity of the subject. On the contrary, ignoring supply chain risks today would be negligent, and boards should be insisting that information be presented to them around these risks for consideration.

Get the full document here


If you need assistance with fully understanding this report or would like to chat further about your security needs, our specialist consultants are here to help you. Please contact us today.

Saving your Windows 10 rollout from calamity – Sun, 06 Oct 2019 – /saving-your-windows-10-rollout-from-calamity/

While the Microsoft ecosystem has enjoyed dramatic improvements in security and the latest Windows 10 is orders of magnitude more secure than previous generations of the workstation platform, we make the case for advanced security testing to ensure you avoid calamity.


Saving your Windows 10 rollout from calamity

The case for advanced security testing

In terms of Enterprise Computing for laptops and desktops (we will collectively refer to these as workstations), Microsoft Windows 10 is the go-to choice for large scale Operating System (OS) deployments. Workstations are often targeted by an adversary through a range of techniques, including luring users to malicious web pages and phishing users through email-borne attacks with malicious attachments. Given today’s mobile workforce, laptops are also increasingly lost or stolen, with attackers then trying to access the sensitive data stored on them.

Securing your workstation fleet is therefore an imperative. Testing the security controls is even more important, because there is no point in going to the effort of defining and configuring the security profile if you do not know the controls will actually work!

Large scale rollouts generally include the creation of a reference image to serve as the foundation for the devices in your organisation. This is also often termed the Golden Image or Standard Operating Environment (SOE).

Ensuring this is secured can prevent large scale flaws spreading across your organisation. Download the full whitepaper for insights and tips on how to avoid calamity.

Get the full document here


If you need assistance with fully understanding this report or would like to chat further about your security needs, our specialist consultants are here to help you. Please contact us today.

Dynamic Risk Assessments – Sun, 06 Oct 2019 – /dynamic-risk-assessments/

While a traditional assessment may identify some of the issues surrounding your cyber resilience, we present a case study demonstrating the true value of a Dynamic Risk Assessment.


The business case for dynamic risk assessment

Risk Management is a discipline with an extensive heritage. For example, the insurance industry has been built on, and profits from, disciplined risk management. For every product there is a policy and a detailed assessment as to what the premium should be to cover the risk and for the underwriter to make a profit overall.

Many of the models that are used in insurance are mathematical and require years of claim data to improve accuracy. However, cyberspace is a constantly evolving landscape with changes occurring far more rapidly than in traditional cover areas such as home and contents, car, travel etc. Due to the lack of established data the cyber insurance industry has struggled to develop models to accurately determine what to cover and for how much.

Putting cyber insurance aside (that is a topic for another paper altogether), let us focus on how cyber risk assessments can be performed for the modern organisation given the dynamic nature of cyberspace.

Get the full document here


If you need assistance with fully understanding this report or would like to chat further about your security needs, our specialist consultants are here to help you. Please contact us today.

Security awareness – from boardroom to basement – Fri, 04 Oct 2019 – /security-awareness-from-boardroom-to-basement/

The recent ransomware attack on Victoria’s Health Sector and breach of ANU’s administrative systems both serve to highlight the need to prioritise and build an effective cyber security management program, where raising security awareness is key to protecting systems and data.



End users remain the most vulnerable point of initial attack, through phishing. Weak protection and access controls (e.g. passwords, authentication) on infrastructure – including legacy infrastructure – can lead to networks being further compromised. Incident response time is also paramount to mitigating further attacks.

In planning an effective security management program, one must consider factors including but not limited to: user awareness education; access controls; incident response times; purple teaming, combining red (attacker) and blue (defender) teams to simulate an attack and gauge responses; and technical training for developers to build applications that are more resilient to current and emerging threats. At the executive and boardroom levels, risk modelling should be presented to better understand cyber risks and their implications, blending traditional risk assessment approaches with contemporary approaches to technical testing and validating controls.

It is imperative that organisations adopt a whole-of-business approach when addressing security concerns, educating all of its members from boardroom to basement, engendering a positive cultural change in its security posture.

If you have any questions or would like to discuss your security awareness needs, contact us today or call 1300 922 923.

Web scale cyber resilience – Fri, 27 Sep 2019 – /web-scale-cyber-resilience/

Does your testing firm really understand your tech stack? Are they really going to scrutinise your ability to be cyber resilient? Penetration Testing is a complex discipline. Your business deserves the best protection. If you really want to seek comprehensive assurance of your deployments, ask yourself this question when you are next seeking testing services for your cloud deployment.


Testing the modern Cloud Web Application deployment (containers and microservices)

You should be asking yourself “Does my testing firm really understand my tech stack? Are they really going to scrutinise our ability to be cyber resilient?”

High profile website deployments need to leverage the elastic nature of public cloud technology. Modern applications today are most likely designed as micro-services with containerisation for speed of deployment and operational management. The environment is also likely to be auto-scaling. This means that the environment scales to accommodate the load.

There are some other quite fundamental differences between these modern web apps and the ones that are a few years older.

The older ones probably lurk at the edge of your physical data-centres, internal networks and could possibly be in your public cloud environment if they were migrated in a lift-and-shift manner when everyone was all gung-ho about cloud adoption.

For further information download the complete report below.

Get the full document here


If you need assistance with fully understanding this report or would like to chat further about your security needs, our specialist consultants are here to help you. Please contact us today.

The state of the internet perimeter in Australia – Mon, 23 Sep 2019 – /the-state-of-the-internet-perimeter-in-australia/

Our new benchmark study built on 12 months of external network penetration testing reports.


If your network is exposed to the Internet, you can be sure someone out there is having a look.

Sense of Security has released a benchmark study based on 12 months of continuous external network penetration test reports.

External network perimeter penetration tests do not only concentrate on the network layer. This often means we will investigate exposed web applications too. You can rest assured that if it’s exposed to the Internet someone out there is having a look.

Our tests evaluated the robustness of an organisation’s Internet perimeter to simulated attacks designed to breach security defences. The results included in the data were complete perimeter tests but excluded any social engineering scenarios.

SOS has released this data to help improve security awareness of the state of cyber security in Australia. The results here are complementary and should be read in conjunction with those released in our recent ‘The State of Web Application Security in Australia’ report released in May 2019. This will provide the reader with a more complete view of common weaknesses at the network and application layers on the Internet boundary.

While there are certainly challenges, our research indicates that you don’t need the latest and greatest technology to secure your enterprise. Minimising your attack surface area is still one of the most effective things you can do. Organisations should also strive towards continuous monitoring to identify vulnerabilities at high frequency, rather than relying on point-in-time security reviews alone.

Get the full document here


If you need assistance with fully understanding this report or would like to chat further about your security needs, our specialist consultants are here to help you. Please contact us today.
