Our staff security awareness articles provide insights and advice on how to successfully implement security awareness initiatives in your organisation.

Now, more than ever, securing your data is about improving the awareness and astuteness of your staff regarding phishing and other similar scams. This can be a challenge because, let’s face it, behavioural change and human factors are not usually the IT department’s greatest strength.

Phishing attacks cost time, reputation and money – and the opportunities to penetrate your organisation increase with size.

Stay Protected from Sophisticated Cyber-Attacks

When the Prime Minister fronted the media on 19 June and announced that Australia is facing sustained sophisticated cyber-attacks, it was a timely reminder that all organisations need to take cyber-security seriously.

According to the Australian Cyber Security Centre, the main attack vector involves ‘copy-paste’ attacks.

Such attacks are relatively simple. Unlike a zero-day, where the attacker discovers a previously unknown vulnerability, copy-paste attacks make use of known open-source exploits. These are all available in the public domain. Put simply, attackers are copying malicious code, then pasting it into the code of internet-facing infrastructure in order to compromise credentials and gain access.

The Australian Cyber Security Centre (ACSC) is warning that attackers are primarily exploiting remote code execution and deserialisation vulnerabilities. It appears Telerik UI, Microsoft IIS, SharePoint and Citrix systems are bearing the brunt of most of the attacks.

Whilst copy-paste attacks are relatively simple, the challenge for attackers comes in knowing exactly which malicious code to paste into which target system. Attackers also need to find ways to bypass an organisation’s detection systems and to conduct the exploit from outside a secure environment.

The fact that attackers are rapidly overcoming these challenges on a regular basis points to their level of sophistication.

The good news is that because copy-paste attacks make use of known vulnerabilities, organisations can take precautions to avoid becoming victims. The ACSC recommends organisations focus on patching and implementing Multi-Factor Authentication (MFA) as the best ways to stay secure.   


Few cyber security activities are as important as regular patching. 

With most attackers exploiting known vulnerabilities, some of which have had fixes available for many years, there’s simply no excuse to neglect keeping your systems updated. 

My approach to patching is pretty straightforward – JUST DO IT!

This means that organisations should apply patches aggressively. Aggressive patching means applying updates as they are released rather than on a fixed schedule. In most cases it is preferable to ensure patches are rolled out in a timely manner whenever an update is released, rather than waiting and running large batches of patches according to a cyclical timetable.

The latter approach may lead to various difficulties. Managing the roll-out of a large number of patches at one time can be more challenging than regularly implementing one or two updates. 

It’s also important that when vendors prompt you to run automatic updates, you do actually run them.  

Interestingly, it seems fixes for the copy-paste vulnerabilities currently being exploited may require manually applying updates to computers rather than running fixes using network-wide tools. So, this is something to bear in mind that could make keeping up to date with patches more time-consuming.  





Relying solely on passwords to protect your digital assets is a risky strategy as attackers have well-developed strategies for compromising login credentials. That’s why I strongly urge all our clients to implement Multi-Factor Authentication (MFA) on all their systems as a top priority.

There are a range of ways you can implement MFA including one-time passwords, SMS verification codes, hardware tokens or biometrics. Different MFA options offer different levels of security, but they all offer a significant improvement over the basic login and password.

Increasingly, organisations are making use of Two-Factor Authentication (2FA), which makes use of a password and one other verification method. Whilst this is definitely superior to password-only security, MFA offers even greater protection.

With MFA, you would be using a password as well as a minimum of two additional verification methods.

For example, you would use a password, as well as an SMS verification code and a fingerprint. Even if a hacker had compromised your password and had access to your mobile device to get the SMS code, replicating your fingerprint would be all but impossible. That’s not to say that biometric verification systems cannot be compromised, but the more layers of security you implement, the harder it is for attackers to gain access to your systems. 

Whichever MFA strategy you adopt, it’s important to understand that they do not replace passwords. They offer additional layers of protection, making it considerably harder for attackers to breach your systems. This is particularly the case with so many staff working remotely. The extension of the corporate environment to your employee’s homes makes them more vulnerable. MFA is one of the most effective ways you can take back control.

You can utilise the services of a number of MFA providers, many of whom offer Single Sign-On (SSO) facilities. With SSO, once a staff member successfully logs in to a device using MFA, that device becomes trusted. The staff member can then access a range of other systems from the same device without having to go through the MFA login process every time.

How Shearwater Can Help

Contact Shearwater for advice and assistance when it comes to patching strategies or implementing MFA in your organisation. Once you have the right strategies implemented, your organisation will be well placed to prevent the types of attacks identified by the Prime Minister on 19 June. Whilst the attackers are sophisticated in their approach, it is definitely possible to make their lives more difficult and help ensure you’re better protected.



Zero-Trust: A New Security Paradigm

How times have changed.

Not long ago, security teams had things easy.

Their primary task was straightforward: securing the perimeter of the corporate environment.

Of course, in the days before BYOD and remote working, the corporate environment primarily consisted of an internal network of on-premises systems.

Once the internal network’s perimeter was secured, it was job done. Security teams could simply sit back and monitor everything going in or out. This was known as the ‘castle and moat’ approach to security.

However, all that began to change with the advent of BYOD and remote working, a trend that’s grown exponentially since COVID-19.

Security teams can no longer rest on the assumption that everything inside the security perimeter can be trusted.

With organisations now enabling employees to access systems and data in a variety of ways, irrespective of location, the corporate network has been expanded in ways unforeseen just a few years ago.

Valuable data is continuously being transferred between a range of systems including SaaS applications, IaaS applications, on-premises and cloud-based data centres, as well as a plethora of devices that are supplied by the company or by individual employees.

All this opens up a range of opportunities for cyber-criminals to breach your systems and compromise your data.

With more entry points than ever before, attackers have a multitude of opportunities to gain entry to your systems. They may collect huge amounts of highly valuable data before your security team can identify and stop them.

Zero-Trust is a new security paradigm that aims to boost your security in this new environment.


How does Zero-Trust work?

Traditionally, a remote user, such as an employee, would gain access to the internal network via a VPN. When connecting to the VPN, the user would need to authenticate themselves, either with a username and password, or preferably via multi-factor authentication.


Once the user had been authenticated by the VPN, they would be granted access to the internal network’s systems. However, there would be no subsequent authentications on a user seeking to move laterally between various systems within the network.

In effect, if an attacker managed to get authenticated at the VPN stage, they could have free rein to access all the corporate systems. This could pave the way for an attacker to cause untold damage.

Furthermore, this traditional model only regulated access to the internal network but did not regulate accessibility to cloud-based applications, which many organisations now regularly use to store valuable data.

However, adopting a Zero-Trust model offers significant security enhancements.

When a user wishes to access any system, be it on the internal network or the cloud, they will firstly go through a proxy (step 1), which then sends them to the single sign-on gateway to be authenticated (step 2).

If the user is wishing to access a cloud-based application, they will be sent directly to the cloud, without passing through the internal network (step 3).

If the user wishes to access a system on the internal network, they will be sent back to the proxy (step 2 reversed), with the proxy then tunneling them to the specific system (step 4).


The benefit of this flow is that the user doesn’t require separate authentication credentials for each individual cloud application and network system. Their privileges can remain consistent across a range of systems. This makes remote working much more straightforward for employees.

Importantly, from a security perspective, there are two main benefits of this Zero-Trust model:

  1. Privileges on all systems, be they in the cloud or on the network, can be centrally determined and managed by your security team;
  2. None of the systems on the internal network will allow access to anyone who has not been sent directly from the proxy. In other words, lateral movement between systems will be restricted. In the event an attacker gains access to one system on the internal network, they will not be able to move to other systems to cause even more damage.



Applying a Zero-Trust Model

At its heart, the Zero-Trust model mandates that no user, device or application, should have trust by default, even within the perimeter.

This is a paradigm shift for security thinking.

Unlike a traditional validation model, in which a user was validated once upon entering the perimeter, Zero-Trust recognises that this is no longer adequate. Apart from the fact that a user’s credentials may have been compromised, it also didn’t allow for differentiating the specific privileges a user or a device could have on specific systems within the network. Furthermore, it didn’t allow for easy alignment with cloud-based systems.

Rather than treating things inside the network as ‘safe’ and giving them additional privileges, with Zero-Trust there are three core pillars:

  1. Identifying users more rigorously using Multi-Factor Authentication, rather than simply relying on a username and a password.
  2. Identifying the devices being used to access systems and checking whether they are trusted (i.e. approved corporate or personal devices).
  3. Conducting these checks at the individual application level, rather than at the network perimeter.

Importantly, if a user or device has access to one application on the network, and then wishes to move laterally to another application on the network, they would need to be re-validated. By restricting lateral movement between systems in this way, you can be confident that any breach will be contained and the damage will be limited.

The Zero-Trust model also allows you to grant specific privileges to specific users and specific devices before conducting specific actions. For example, a particular user or device may be granted ‘read-only’ privileges on one system, but higher level ‘write’ privileges on another system.

The model also gives organisations greater visibility and control over their cloud-based applications.
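The proxy and single sign-on flow (steps 1 to 4 above) and the three pillars and per-system privileges described in this section, modelled as a small policy engine. This is an added illustration, not Shearwater's code or any product's API; the users, devices, applications, privilege table and the shared signing key are constructed placeholders. Internal systems accept only requests carrying a proxy-signed assertion for themselves, which is what blocks lateral movement.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical shared secret between the proxy and internal systems (constructed placeholder).
PROXY_KEY = b"constructed-demo-proxy-key"

# Central policy: privileges per user, per application, managed in one place
# rather than on each system (first security benefit listed above).
POLICY: Dict[str, Dict[str, str]] = {
    "crm":     {"alice": "write", "bob": "read"},   # cloud application
    "finance": {"alice": "read"},                   # internal network system
    "hr":      {"bob": "write"},                    # internal network system
}
CLOUD_APPS = {"crm"}
INTERNAL_APPS = {"finance", "hr"}
TRUSTED_DEVICES = {"laptop-001", "laptop-002"}      # approved corporate / BYOD devices


@dataclass
class AccessRequest:
    user: str
    device: str
    mfa_verified: bool
    app: str
    action: str  # "read" or "write"


def sso_gateway(req: AccessRequest) -> Tuple[Optional[dict], str]:
    """Step 2: validate the user (MFA), the device, and the privilege on this specific app."""
    if not req.mfa_verified:
        return None, "mfa required"
    if req.device not in TRUSTED_DEVICES:
        return None, "untrusted device"
    level = POLICY.get(req.app, {}).get(req.user)
    if level is None:
        return None, "no privilege on this application"
    if req.action == "write" and level != "write":
        return None, "read-only privilege"
    assertion = {"user": req.user, "device": req.device, "app": req.app,
                 "privilege": level, "exp": int(time.time()) + 60}
    return assertion, "ok"


def sign(assertion: dict) -> str:
    """The proxy signs the assertion so an internal system can tell it came from the proxy."""
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(PROXY_KEY, payload, hashlib.sha256).hexdigest()


def proxy(req: AccessRequest) -> dict:
    """Step 1: every access starts at the proxy; it is authenticated, then routed."""
    assertion, reason = sso_gateway(req)
    if assertion is None:
        return {"allowed": False, "route": None, "reason": reason}
    if req.app in CLOUD_APPS:
        # Step 3: cloud applications are reached directly, never via the internal network.
        return {"allowed": True, "route": "cloud", "reason": "ok"}
    # Step 4: the proxy tunnels the user to one named internal system with a signed assertion.
    return {"allowed": True, "route": "internal", "reason": "ok",
            "assertion": assertion, "signature": sign(assertion)}


def internal_system_accepts(app: str, assertion: Optional[dict], signature: Optional[str]) -> bool:
    """An internal system serves only requests carrying a valid proxy assertion for itself.

    A connection arriving without one (for example from a compromised host on the same
    network) is refused, and an assertion issued for 'finance' is useless against 'hr':
    moving laterally means going back through the proxy and being re-validated."""
    if assertion is None or signature is None:
        return False
    if not hmac.compare_digest(sign(assertion), signature):
        return False  # forged or tampered assertion
    if assertion["app"] != app or assertion["exp"] < int(time.time()):
        return False  # wrong system, or stale
    return True


if __name__ == "__main__":
    fin = proxy(AccessRequest("alice", "laptop-001", True, "finance", "read"))
    print("finance accepts proxied request:", internal_system_accepts("finance", fin["assertion"], fin["signature"]))
    print("hr accepts the same assertion:", internal_system_accepts("hr", fin["assertion"], fin["signature"]))
```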


What are the 5 Essential Elements of Zero-Trust?

These are the 5 Essential Elements to consider when establishing a Zero-Trust model:

1) Networks

The Zero-Trust principle shifts the focus from reducing attack surfaces to protecting the surfaces you have. Segmentation is critical. Once you identify your most valuable assets, applying microsegments around them helps create a series of barriers to block unauthorised lateral movement. This ensures that a user cannot move laterally between various segments, limiting the damage in the event the perimeter is breached.


2) Applications

Applications, whether on your network or in the cloud, should have access rights and privileges that can be controlled by your security team. These should be managed according to the specific needs of individual users and/or devices. Don’t assume that once a user is on the network, they should have lateral access to all applications. Applications, particularly those in the cloud, are attractive targets to attackers. You need to ensure you have full visibility and control over who is accessing them and what they can do once they have access.


3) Data

Zero-Trust is all about protecting your valuable data. As data is increasingly shared between users, devices and applications across your network and on the cloud, it can be more vulnerable to breaches. Zero-Trust helps you ensure that data is segmented and access, particularly to highly-valuable data, is restricted by both user and device.


4) People

Usernames and passwords don’t offer sufficient protection anymore, as evidenced by the volume of breaches that occur with these credentials. It is essential that stronger methods, such as Multi-Factor Authentication, be implemented to strengthen identity verification. The single sign-on gateway and MFA are integral to the Zero-Trust model.


5) Devices

Don’t just validate users. You should also be validating devices. Every device connected to your network can be compromised. This is particularly the case as BYOD has become common practice. In the event a device is compromised, Zero-Trust ensures it cannot be used to gain access to your network and move laterally between applications. This gives your security team more time to identify and block unauthorised breaches.  


How Shearwater Can Help

Speak to Shearwater for expert advice on how you can implement a Zero-Trust security model for your organisation.

At times of heightened concern surrounding cyber-intrusions and data breaches, you need to ensure you have the right systems and policies in place to safeguard your most valuable assets.

Our team of experts understand the risks and the methodologies you need to keep one step ahead of the attackers.

Call us today for a no-obligation consultation.


The New Normal: 4 Ways to Reduce Attack Surfaces


The last two months have seen an unprecedented change in the way Australians work.

And while it appears that the economy will begin to re-open in the near future, we should be mindful of the fact that working patterns are likely to change permanently, even once we see the back of COVID-19.

Many organisations are now seriously contemplating a ‘NEW NORMAL’.

On the other side of this pandemic, we are likely to see many organisations adopt far more flexible working arrangements. These will allow workers to balance their time between home and office in ways that are mutually suitable.

There are a range of benefits to such flexibility. It allows staff to enjoy a better work-life balance. Reducing the number of commutes each week ensures people have more time to devote to recreational activities, including spending quality time with family and friends. A better-rested workforce will likely pay significant dividends in terms of increased productivity.

Furthermore, with large percentages of their staff working remotely each day, organisations will need less office space – providing significant real estate savings.

However, there is still a question mark over how this ‘NEW NORMAL’ will affect the security and integrity of an organisation’s systems and data.

We know the sudden shift to remote work over the last two months saw many organisations adopt ‘quick-fixes’ that fell short of providing adequate long-term security. These may have included accessing or transmitting data without the use of a VPN, or allowing staff to work on their own devices without adequate BYOD policies in place. Staff may have been using less secure home wi-fi routers or communicating with colleagues via unencrypted teleconferencing platforms.

As remote work becomes a permanent feature of the economic landscape, now is the time for organisations to be thinking of ways in which they can embed more rigorous, long-term, cyber security policies, rules and procedures.

Attack Surfaces: Knowing Your Exposure

Thanks to enforced lockdowns, our adoption of information and communications technologies has been accelerated in an unprecedented way.

We have all had to rapidly change the way we work and communicate, from large enterprises to small and medium sized businesses. Even government departments and agencies have dramatically changed their practices to accommodate working from home.

Whilst the new technologies provide much greater levels of flexibility than ever before, they also significantly increase our ‘attack surface’.

An attack surface is defined as the total sum of vulnerabilities that can be exploited to carry out a security attack. In order to secure an organisation’s network, IT administrators should seek to reduce the number and size of attack surfaces. 

The first step to reducing your attack surface is knowing the extent to which you’re exposed. Whilst someone living remotely, without access to the internet, would have no attack surface, most Australians use internet connectivity in more ways than ever before. The result is an expanded attack surface. Any steps that reduce your attack surface make it harder for attackers to breach your systems.


4 Measures to Reduce Attack Surfaces

1. Audit Your Assets and Map Attack Pathways

Start with a comprehensive audit. It is one of the best strategies you can implement for reducing your attack surface. You’ll be surprised how many misconfigurations you’ll detect and the volume of outdated software you have installed across your network.

These are some of the questions an audit should seek to answer:

  • What assets do we have, whether located on-premises or in the cloud?
  • Which assets are business-critical, which assets are somewhat beneficial to the business and which assets are redundant?
  • What vulnerabilities can be identified in the business-critical systems?
  • How are the assets interconnected and what could be done to segment different assets?
  • What potential pathways exist for an attacker to reach the business-critical assets?

Answering these questions will put you on the right path to substantially reducing your attack surface.


2. Remove Redundant Software

Over the years, all kinds of software can find their way onto your servers’ operating systems, not to mention a wide range of software that may be installed on individual computers within your network. You should only retain those applications that are absolutely necessary for your team to carry out their work.

Anything else should be disabled or simply uninstalled.

Periodic cleaning of your servers and computers should include removing any unnecessary applications. Reducing redundant software and applications will reduce potential entry points for attackers.

This is particularly important as we regularly see attackers gain entry to networks by exploiting vulnerabilities that have been known for some time. Often, organisations will have software on their systems that they’ve neglected to patch or update because they are not being used. This may provide a perfect opportunity for an attacker to gain entry. 

Follow our 8-Step Guide to Patch Management to ensure you keep all software up to date.


3. Scan Network Ports

A firewall between your network and the internet helps determine what data is allowed into your environment, and what is kept out. When configuring your firewall settings, you need to decide what should be allowed in. By opening specific ports, you can specify the different types of data that should be allowed into your network.

Unfortunately, all too often ports are left open. Attackers know this and are regularly scanning for open ports. The last thing you want is your network accepting whatever an attacker sends your way.

That’s why reducing your attack surface should include closing unnecessary ports, both inbound and outbound.

You should scan for open ports on a regular basis, preferably fortnightly. Any open ports that you suspect may not be necessary should be closed as a precaution. When it comes to ports, it’s preferable to be slightly over cautious. If closing a port causes some inconvenience to people in your organisation, because they cannot access certain types of data, you can always re-open it.

Using host-based firewalls (often linked to your anti-virus) can also be an effective way to implement a firewall policy on devices that are being used from home. This ensures that threats can still be prevented and detected even though the device is no longer within the office.
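A way to make the fortnightly port review repeatable, as an added example rather than Shearwater's own tooling: parse the listening sockets a host reports (the sample below is constructed in the shape of `ss -ltnp` output, not captured from a real system) and compare them against an approved baseline, which here assumes a web server that should expose only SSH and HTTP(S). Sockets bound to loopback are reported separately because they are not reachable from the network.

```python
import re
from typing import Dict, List, Set

# Assumed baseline for this host: only SSH and HTTP(S) should be reachable.
APPROVED_PORTS: Set[int] = {22, 80, 443}

# Constructed sample in the shape of `ss -ltnp` output; not captured from a real system.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1203,fd=6))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1203,fd=7))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*          users:(("Xvnc",pid=2011,fd=9))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output: str) -> List[Dict]:
    """Turn `ss -ltnp` lines into records; a loopback-bound socket is not network-reachable."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or anything that is not a listening socket
        proc = PROC_RE.search(m.group("proc"))
        listeners.append({
            "port": int(m.group("port")),
            "addr": m.group("addr"),
            "exposed": m.group("addr") not in LOOPBACK,
            "process": proc.group(1) if proc else "unknown",
            "pid": int(proc.group(2)) if proc else None,
        })
    return listeners


def audit_ports(listeners: List[Dict], approved: Set[int]) -> Dict[str, List]:
    """Split listeners into approved, loopback-only, and exposed-but-unapproved (the ones to close)."""
    approved_seen: Set[int] = set()
    loopback_only: Set[int] = set()
    unexpected = set()
    for l in listeners:
        if not l["exposed"]:
            loopback_only.add(l["port"])
        elif l["port"] in approved:
            approved_seen.add(l["port"])
        else:
            unexpected.add((l["port"], l["process"], l["pid"]))
    return {
        "approved": sorted(approved_seen),
        "loopback_only": sorted(loopback_only),
        "unexpected": sorted(unexpected),
    }


if __name__ == "__main__":
    report = audit_ports(parse_listeners(SAMPLE_SS_OUTPUT), APPROVED_PORTS)
    for port, proc, pid in report["unexpected"]:
        print(f"REVIEW: port {port} exposed by {proc} (pid {pid}) is not in the approved baseline")
```

On a real host, feed the output of `ss -ltnp` (run with sufficient privilege to see process names) into `parse_listeners` and keep the baseline under version control so each fortnightly review is a diff, not a fresh judgement call.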


4. Segment your Network and Adopt Microsegmentation

You’re always told not to keep all your eggs in one basket. Likewise, you shouldn’t keep all your assets in one network.

By segmenting your network, you can significantly reduce your attack surface. Segmentation helps prevent attackers moving laterally if they breach your perimeter. Such a strategy can enable you to focus your efforts and resources on securing the most important assets within your network.

When considering segmentation, it’s important to consider not only North-South data flows, between the server and a client, whereby traffic flows into and out of the data centre, but also East-West flows between applications. With increased use of containers and microservices, we are seeing far more data flowing East-West.

Understanding how data flows between your microservices or applications can help you implement microsegmentation strategies that will further limit attack surfaces.



How Shearwater Can Help

The ‘NEW NORMAL’ is changing the way we work. It has the potential to offer significant benefits to organisations and staff. However, it also comes with the risk of greater exposure to cyber-attacks.

By reducing your attack surface, you can substantially reduce the risk. Speak with our security experts to learn how you can maintain your organisation’s security posture for the long-term.



FAQ: Consumer Data Rights (CDR)

With regular reports of data breaches, information security and privacy protection are increasingly important concerns for many Australian consumers.

Implementing rigorous data protection measures can be a good corporate differentiator – setting your business apart from the competition by giving your customers the confidence their confidential personal and financial information is secure.

Another important driver incentivising Australian businesses to implement stricter information security controls is the new Consumer Data Rights initiative.

Over coming years, the Government will roll out Consumer Data Rights across a number of Australian industries. Whilst this offers businesses exciting new opportunities to attract more customers, it also comes with additional obligations regarding data protection and privacy.

In order to make the most of Consumer Data Rights, it’s important to understand how this new initiative can affect your business and what steps you can begin taking to prepare for its implementation.


1. What are Consumer Data Rights?

‘Data is the new oil’.

That was the catchphrase first coined by UK mathematician Clive Humby in 2006. Like oil, data needs to be mined and refined so it can be useful to us. However, the analogy has its limits. Unlike oil, data is not a finite resource. The same data can be used in many different ways, revealing many different insights. Arguably, the more data is used, the more valuable it becomes.

Consumers are increasingly aware of data’s value. Seemingly endless reams of information are collected every day about consumers and their behaviour patterns. Many consumers now believe they should have some rights over the data collected on them.

Until now, consumers faced an uphill struggle finding out specifically what information is being collected, let alone gaining access to it or controlling its use.

That’s all about to change with a new government initiative: Consumer Data Rights, or CDR. 

Under CDR, consumers will have the right to access certain types of information businesses collect on them. They will be able to direct a business to transfer that data to an accredited, trusted third party of their choice.

If, upon receiving the data, the third party is able to offer the consumer a superior product or service, the consumer will be able to switch brands quickly and easily.

So, not only will CDR empower consumers by giving them greater control over their data, it will also encourage greater competition in a range of industries.


2. What industries are affected?

CDR will start off in the financial sector.

Banking customers are notoriously ‘sticky’ and tend not to switch financial institutions regularly. That inertia hampers competition in the sector. The government is committed to an initiative called ‘Open Banking’ which has CDR at its heart. The aim is to make it easier for consumers to ‘shop-around’ for the best financial products such as mortgage or credit card rates.

Once CDR is implemented within the financial sector, the government plans to extend it to other industries, starting with energy and telecommunications.

Further sectors will follow over time.


3. What are the principles underpinning CDR?

CDR will be implemented according to four key principles:

Principle 1

CDR should be consumer focussed. It should be for the consumer, be about the consumer, and be seen from the consumer’s perspective.

Principle 2

CDR should encourage competition. It should seek to increase competition for products and services available to consumers so that consumers can make better choices.

Principle 3

CDR should create opportunities. It should provide a framework from which new ideas and business can emerge and grow, establishing a vibrant and creative data sector that supports better services enhanced by personalised data.

Principle 4

CDR should be efficient and fair. It should be implemented with security and privacy in mind without being more complex or costly than needed.


4. What are some of the considerations informing the implementation of CDR?

Information security and privacy considerations are core features of the CDR initiative.

With consumer data being transferred to multiple parties via API, it is essential controls are in place to prevent breaches, leakage or unauthorised use of the data.

Among the data protection considerations are:

  • Measures to ensure businesses only transfer data to accredited third parties at the direction of the consumer;
  • Measures to ensure consumers control how their information is used by those third parties;
  • Obligations surrounding the deletion or de-identification of data by third parties once the data has been used in accordance with the consumer’s wishes;
  • Rigorous data transfer and storage standards;
  • Extension of provisions within the Privacy Act 1988 to other organisations currently not covered, such as organisations with less than $3 million revenue per annum;
  • Avenues for consumers to seek meaningful remedies for breaches, including external dispute resolution and direct rights of action.


5. How can businesses participate in CDR?

There are a range of security implications when transferring sensitive and potentially highly valuable consumer data between organisations via API. That’s why businesses will be required to meet a rigorous set of information security and privacy standards in order to participate in the CDR initiative. These are necessary to ensure consumer data is not compromised.

The Australian Competition and Consumer Commission (ACCC) has responsibility for overseeing the initiative and accrediting those organisations that meet the cybersecurity standards. Accreditation is necessary in order to participate in the initiative.

CDR will also impose obligations on businesses to provide access to data on the goods and services they have on offer. This will enable comparison websites to gain up-to-date information so consumers can make more informed choices.

In some cases, achieving ACCC accreditation will be possible if the organisation already meets other similar information security and privacy standards. For example, an Authorised Deposit-Taking Institution (ADI) will already meet many standards that align with the ACCC rules, so accreditation to CDR shouldn’t encounter any hurdles.

However, if any breaches of the ACCC rules occur, an organisation’s accreditation may be suspended and they will not be able to access any further consumer data.


6. What are the technical requirements for CDR participation?

Many businesses stand to benefit significantly from the adoption of CDR.

However, it comes with onerous requirements that must be adhered to.

At a minimum, you need to ensure your organisation meets the necessary technical standards. These have been formulated through four work streams:

  1. API standards enable consistent transfer methods that meet acceptable levels of safety, convenience and efficiency and include specifications for data description and recording.
  2. Information security standards consist of techniques to protect users of the system, networks, devices, software, processes, information in storage, applications, services and systems.
  3. Consumer experience standards provide best practice language and user experience (UX) design patterns to request consumer consent and guide authentication and authorisation flows.
  4. Engineering standards focus on demonstrating the API Standards through the delivery of usable software artefacts that assist ecosystem participants demonstrate conformance with the standards and rules for CDR.

In cases where data holders or data recipients breach the CDR rules, there are a range of possible penalties, ranging from infringement notices, civil penalties, compensation orders, enforceable undertakings and potentially de-accreditation.


7. When will CDR start?

Whilst the CDR start-date has been pushed back pending resolution of some details, the Government is now committed to begin launching the initiative for the finance sector by July 2020.

Initially, the Big Four Banks will begin complying with the initiative, with other financial institutions to follow 12 months later.

CDR rules for the energy and telecommunications sectors are still under development.


8. What’s the first step to get ready for CDR?

Whilst the rules surrounding CDR are yet to be fully finalised, it’s clear that privacy protection is going to be a central feature.

The Privacy Act 1988 established a range of privacy standards for organisations with revenues in excess of $3 million per annum. However, under CDR, we know that aspects of the Privacy Act will also be extended to financial organisations with lower revenues. The same may also be true for smaller organisations in other sectors.

The Australian Privacy Principles (APPs) form part of the Privacy Act. These apply to organisations holding consumer data and are designed to ensure that Personally Identifiable Information (PII) and other sensitive data assets are handled responsibly.

The APPs require organisations to maintain sufficiently robust controls to prevent unauthorised access, disclosure or use of information.

In addition to the APPs, CDR will also see the creation of Privacy Safeguards. The Privacy Safeguards are likely to be more onerous than the APPs as they apply to both individual data and organisational data, which is harder to de-identify.

The Privacy Safeguards will come into effect once a consumer makes a data transfer request. They will outline how transfers via API are to be conducted and how the third party receiving the data needs to handle it.

Making sure your organisation is compliant with the Australian Privacy Principles is a good first step to preparing for CDR so you’ll be able to take advantage of the benefits it offers once it is rolled out across different sectors of the economy.


How Shearwater can help you?

For further information about complying with the Australian Privacy Principles, contact Shearwater. We have extensive experience assisting organisations of all sizes to ensure they have the systems and policies in place to protect their information assets.

Know Everything About Password Security? It’s Time for a Rethink

As organisations continue to struggle with the issue of password security, many of the old assumptions are being re-examined.

If you make one cybersecurity-related resolution this New Year, commit to re-thinking your organisation’s password controls by considering some of the latest advice.

Passwords are the front line in your battle against cyber-attacks. Hackers rely on a variety of tactics to dupe people into revealing their passwords. So, it’s critical you have the right systems and policies in place.

Here are 6 TIPS to ensure your organisation’s passwords remain secure:


1. The Longer the Better

As a general rule, the longer the password, the more secure it is.

Therefore, it is best to advise your staff to opt for a passphrase rather than simply a password.

According to Australian Government guidelines, passphrases should be made up of at least four words and be longer than 13 characters. Making the passphrase meaningful will make it easier to remember. It’s important that passphrases are memorable, so people are not forced to write them down or store them somewhere insecure.

Furthermore, different passphrases should be used when accessing different systems or applications. Reusing the same passphrase for multiple purposes makes people vulnerable, because if the passphrase is compromised once, attackers can try it against every other system or application the person uses.

2. Complexity Isn’t Always Better

Many organisations require passphrases to contain a combination of upper-case letters, lower-case letters, numbers and other symbols. The thinking behind these requirements is that the more complex a passphrase is, the harder it is to crack.

However, according to the most recent advice from NIST (America’s National Institute of Standards and Technology, in its Special Publication 800-63B), overly complex passphrases are not always better for password security.

NIST argues there is limited benefit in requiring overly complex passphrases. Analysis of breached password lists turns up many passwords that satisfy complex composition rules; complexity did not save them. Mandating overly complex passphrases may be counterproductive by encouraging risky behaviour, such as writing a passphrase on a post-it note and sticking it on the computer monitor. NIST instead recommends screening new passwords against lists of commonly used and previously breached passwords, and rejecting any that match.

3. Don’t Change too Regularly

The latest advice from both the Australian Government and NIST is to avoid rules that require password changes every 30, 60 or 90 days.

This requirement may lead people to come up with insecure passphrases as they struggle to think of new ones so regularly. Rather, NIST’s current advice is to come up with a strong passphrase that can be easily committed to memory and kept in use for longer periods of time. NIST recommends passphrases should be changed if there is any suggestion of compromise.
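The three tips above translate directly into an acceptance check. The following is an added example, not Shearwater’s code or tooling: it enforces the length threshold from the article, imposes no composition rule and no maximum age, and screens candidates against breached-password data using the k-anonymity split that the Have I Been Pwned range API uses (only the first five hex characters of the SHA-1 leave the host). The breach corpus, the sample passphrases and the account name are constructed for the example; a production check would consult a real corpus or API.

```python
"""Added example, not Shearwater's code: a passphrase-acceptance check built on
the advice above (length over complexity, screen against breached lists, no
forced expiry). Thresholds follow the article; the breached-password corpus
and the sample inputs are constructed for the example."""
import hashlib
from dataclasses import dataclass
from typing import Tuple

MIN_LENGTH = 14   # article: longer than 13 characters
MIN_WORDS = 4     # article: at least four words (advisory, not enforced)


def sha1_parts(candidate: str) -> Tuple[str, str]:
    """k-anonymity split as used by the Have I Been Pwned 'range' API: only the
    first five hex characters of SHA-1(candidate) leave the host; the remaining
    35 are matched locally against the returned range."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for a breach corpus: the same 'SUFFIX:COUNT' lines the
# range API returns, built here from known-bad strings so the example runs offline.
KNOWN_BAD = {"P@ssw0rd123456": 1200, "correct horse battery staple": 8500, "Summer2019!": 40}
RANGE_RESPONSE = "\n".join(f"{sha1_parts(p)[1]}:{n}" for p, n in KNOWN_BAD.items())


def seen_in_breach(candidate: str, range_response: str) -> int:
    """Breach count for candidate (0 if absent), matched on the local SHA-1 suffix."""
    _, suffix = sha1_parts(candidate)
    for line in range_response.splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix.strip() == suffix:
            return int(count)
    return 0


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_passphrase(candidate: str, username: str = "",
                     range_response: str = RANGE_RESPONSE) -> Verdict:
    candidate = candidate.strip()  # trim, but keep internal spaces: they are part of the secret
    if len(candidate) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        return Verdict(False, "contains the account name")
    hits = seen_in_breach(candidate, range_response)
    if hits:
        return Verdict(False, f"appears in breached-password data ({hits} times)")
    # Deliberately no upper/lower/digit/symbol rule and no maximum age: length plus
    # breach screening replace composition rules, and a change is forced only on
    # suspected compromise, not on a calendar.
    if len(candidate.split()) < MIN_WORDS:
        return Verdict(True, "accepted; suggest a four-word passphrase for memorability")
    return Verdict(True, "accepted")


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "P@ssw0rd123456", "kettle orbit wandering lantern"):
        print(f"{sample!r}: {check_passphrase(sample)}")
```

Note that a 14-character password full of symbols is rejected here because it is in the breach data, while a plain four-word passphrase passes: that is the point of tips 1 and 2 in code.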



4. Implement Multi-Factor Authentication

Wherever possible, require multi-factor authentication (MFA).

By requiring users to present something they know (such as a passphrase) alongside something they have (such as a phone running an authenticator app that generates one-time passwords, or OTPs), you make unauthorised access much harder: a phished passphrase alone is no longer enough.

NIST’s guidelines (SP 800-63B) treat codes delivered by SMS as a ‘restricted’ authenticator and advise organisations to move away from them. This is to counter attacks in which a hacker convinces a mobile phone operator to redirect the victim’s number, and with it their text messages, to a device the attacker controls (a so-called SIM-swap or port-out attack).

It is preferable to use time-based OTPs (TOTP) generated by an MFA app such as Google Authenticator, which never transit the phone network.

5. Use a Password Manager

Installing a ‘password manager’ on your computer or mobile device is a useful way to generate and store a unique, random password for each system and application, without having to memorise them all.

Just be aware that there have been cases in the past when ‘password managers’ have been compromised.

It is not recommended to store your most important passphrases, such as your email or online banking passphrases, in a ‘password manager’.

6. Implement Password Training for Staff

The Australian Government offers the following advice when it comes to password security: 

  • Don’t share your passwords with anyone;
  • Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem;
  • Don’t provide your password to a website you have accessed by following a link in an email—it may be a phishing trap;
  • Be cautious about using password-protected services on a public computer or over a public Wi-Fi hotspot;
  • If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.


Ensuring your staff are trained in password security best-practice needs to be an ongoing priority.

With Shearwater’s Phriendly Phishing and Keep Secure modules, your staff will receive ongoing training in how to identify phishing emails and the strategies they need to stay safe online.


Gamification: Making cybersecurity awareness and professional development engaging

The cybersecurity threat landscape is constantly evolving. New attack vectors emerge weekly. This necessitates the adoption of strategies to engage and upskill teams on an ongoing basis.

Whether it’s raising general awareness about cybersecurity among your staff, or specific professional development training for your IT and development teams, there are many ways you can incorporate gamification to enhance your organisation’s cybersecurity posture.


Gamification to Raise General Awareness

It’s easy for staff to slump into a rut of boredom and complacency.

Getting your staff motivated to regularly learn new skills is a significant challenge in many organisations. This is particularly true when it comes to cybersecurity awareness training.

All too often non-technical staff see cybersecurity as ‘someone else’s problem’. There is an assumption the IT department will handle the issue.

Such attitudes are not only wrong, they can be dangerous for your organisation. With human error now one of the leading causes of cyber breaches, getting everyone on board when it comes to your organisation’s cybersecurity posture is essential.

A concerted effort is required to drive awareness among staff across the entire organisation. Building a security awareness culture, with specific emphasis on stopping phishing emails, is now a major priority for many organisations.

As a leading cybersecurity service provider, Shearwater is committed to helping organisations achieve a cyber-aware culture. Our recent webinar outlined the 3 Pillars that form the basis of cultural change within an organisation. If you haven’t yet had the opportunity to watch it, you should. It is filled with important strategies you can implement within your organisation.

One of the core pillars highlights the importance of engaging staff by winning hearts and minds.

Gamification can be a powerful tool to achieve this.

By incorporating game mechanics and game thinking as a component of training, gamification seeks to engage learners in interesting and fun ways. It encourages problem solving and motivates staff by introducing elements of competition and reward.



Shearwater’s Phriendly Phishing is a leading Australian training program that uses gamification elements to help organisations teach staff about email security.

Phishing email awareness is critically important. Attackers increasingly seek to exploit human error in order to infect your organisation’s IT infrastructure with malware, or to carry out Business Email Compromise (BEC) attacks.

Phriendly Phishing succeeds in educating staff because it injects fun and excitement into its training modules.

The training begins by imparting basic phishing knowledge. Then, through a series of fun learning modules that combine interactive elements of gamification, staff analyse a variety of phishing emails. This highly interactive course is scenario-based and aims to enhance the phishing detection skill of learners.

According to Damian Grace, founder of Phriendly Phishing, “Gamification is an important training methodology because it significantly boosts learner engagement. By implementing gamification, we can ensure learners achieve ‘wins’. This increases the effectiveness of the learning processes as studies show learners are motivated when they have a sense of achievement. By incorporating innovative and interactive gaming elements, learners acquire new skills and retain that knowledge for the long term.”


Gamification in Professional Development

Gamification is also a useful tool in professional development strategies.

With your IT and application development teams requiring ongoing training opportunities, gamification can be an ideal way to enable them to up-skill.



Application developers focus on developing great applications. However, all too often they either don’t take into consideration security issues, or they try to bolt-on security measures at the end of the development pipeline, just before going live.

It’s essential to find ways to up-skill developers, so they have the necessary cybersecurity awareness to adopt a ‘shift-left’ approach and begin implementing security measures from the beginning of the development lifecycle.

That’s one of the main reasons we host the annual Shearwater Hackathon.

Hackathons are a good example of gamification: developers compete in a fun and engaging setting while honing their security skills. A security hackathon is usually run as a Capture-the-Flag (CTF) challenge, in which participants uncover and exploit vulnerabilities in a deliberately vulnerable, simulated web application.

The recent Shearwater Hackathon attracted over 150 participants, many from leading Australian companies. Participating in a winnable competition, in which staff can earn recognition and prizes, is a great professional development strategy.

According to Shearwater’s Chief Strategy Officer, Shannon Lane, the best type of education is ‘learning by doing’. Hackathons encourage participants to “look at applications as an adversary would – underlining the significance good security controls have in the launch of products and services” said Mr Lane.



Training application developers about the importance of writing secure code is now on the radar for many organisations. It’s increasingly understood the first step to developing a secure application is writing high quality code. Shearwater is often called on to provide Secure Development Training as part of an organisation’s professional development initiatives for its application developers.

A useful benchmark when developing any web or mobile application is the OWASP Top Ten (and its Mobile counterpart), a list of the most critical application security risks. It outlines some of the attack vectors most regularly used against applications.

So, OWASP’s decision to begin incorporating gamification as a strategy to raise awareness among developers about security is welcome news.

The new poker-like card game is designed to be an easy-to-learn introduction to the risk concepts of the OWASP Top Ten. It aims to teach developers best-practice security measures in an environment that conveys a sense of realism and excitement.

It pits black hats against white hats to see who can be the first to hack their opponent’s website.

Whilst this new game is still in development by OWASP, it’s further evidence that gamification is beginning to be incorporated into a wide range of cybersecurity professional development programs.



Even when a nation isn’t at war, the armed forces don’t stop training. Ongoing drills and exercises during peace time are essential to ensure the military is combat-ready whenever an attack occurs.

The same should be the case when it comes to your IT and SOC teams.

Through cyber-attack simulation games, you can ensure your organisation is ready to handle a wide range of real-life attack vectors.

Like hackathons, attack simulations are a form of gamification. They pit teams against each other in a competition to develop an incident response plan for a realistic cyber-attack.

Reports indicate that as many as 76% of Australian organisations do not have a formal cybersecurity incident response plan. Addressing this requires IT and SOC departments to have professional development training so they understand what elements comprise an incident response plan. This is where attack simulation games can be extremely useful for your organisation. They identify gaps within your organisational capacity to handle a cybersecurity breach.

Shearwater scholarship recipient, Margueritte Saboungi, recently participated in her first cyber-attack simulation game. Known as CyBCA, the exercise recreated a real-world incident in which an attacker had disabled all connections to a bank’s ATM network. Armed with some basic facts, such as the network configuration layout which detailed how the ATMs linked back to the bank’s servers, Saboungi and her team had just a few hours to develop a comprehensive incident response plan.

Incorporating gamification in the professional development of your IT and SOC teams will enhance your organisation’s security posture, test your ability to prevent attacks, and teach ways to handle breaches when they occur.


How Shearwater can help you?

In a variety of different ways, gamification is increasingly prevalent in strategies to motivate staff to become more cyber aware and in efforts to enhance cybersecurity skills through professional development.

Shearwater specialises in a wide range of cybersecurity training services. Some, like our phishing awareness modules, already combine elements of gamification. Others, like our secure development training, can be combined with novel gamification elements to have a big impact on your staff.

Speak with Shearwater today to learn about training options for your organisation. 

What is security documentation?

So, you have been told by an auditor that your security policies and other security documentation are out of date or non-existent.

“Okay, so let’s draft a two-page policy and tick that box”.

Such glib responses are all too common. This is definitely not an appropriate way to address your organisation’s risk-profile and enhance your security posture.

At the other extreme, some organisations become mired in the process. I’ve witnessed organisations take over 12 months, with multiple iterations, trying to develop security policies. There is a fear that comprehensive security policies will be too restrictive and crippling, even when taking into account the organisation’s specific requirements.

So, what exactly does security documentation consist of and what value does it add?

Some obvious documents include Agency Security Policies and Acceptable Use Policies. However, the spectrum of security documentation is far broader and can include standards, plans, policies, operational documentation and registers, and system specific documentation and registers.

Security documentation should be more than just rule-setting. Whilst it does help define the expectations of how people work, importantly it should also provide direction on how to get things done in a secure, consistent, and efficient manner.

The entire IT landscape, in particular the connected cyber world in which we all live, is changing rapidly. Developing, maintaining and actively using updated security documentation helps ensure staff are working securely. The right documentation is also a necessary precursor to ensure systems and information are appropriately secured. Documentation also keeps staff up to date with changes, itself a form of on the job training.

In today’s complex world, it is almost impossible to write concise, user-friendly policies and standards that meet every business need. It is therefore important that security documentation is drafted to meet most users’ needs for most of their daily activities. Exception handling processes should be available to ensure special circumstances are considered in a controlled and risk-based manner. Staff are more satisfied when most of their work can be undertaken seamlessly, so that whenever they have special requirements, those can be considered rather than just being told “no”.

Some documentation, such as incident response plans and in-depth procedures, may not be used frequently, however are equally important. When key subject matter experts are unavailable, or when things go wrong, there is usually still a focus on getting the job done quickly. Without the guidance of well thought out documentation, things can and do go wrong. In the rush to get things done, for example when restoring system availability after a cyber incident, it can be easy to lose forensic evidence, thereby hindering the ability to understand how the system was compromised. This means protective measures to stop future incidents cannot be put in place and it may be difficult to determine the full impact, such as knowing if sensitive information was stolen.


How Shearwater can help you?

When it comes to developing comprehensive security policies and documentation for your organisation, you need to get the balance right.

You need to ensure your policies have sufficient breadth and depth so they make a positive contribution to enhancing your organisation’s security. At the same time, they shouldn’t be so cumbersome that they hinder your operational performance.

With Shearwater’s security consultants, your organisation can be confident of getting the balance right. Our team of experts will analyse your business practices and assess your circumstances using a risk-based approach. We will work with you to ensure the security policies and documentation are appropriate and achieve the right outcomes for your organisation.

Contact us today on 1800 283 613 to discuss your needs with one of our consultants.


Business Email Compromise – Advisory

Business Email Compromise (BEC) attacks are increasingly prevalent. While there are several varieties of BEC attacks, the majority manifest themselves as follows:

A phishing email is sent to an intended target. The target is prompted to enter their credentials on a website, after which the attacker gains access to their mailbox. 

Typically, a forwarding rule is created to send emails to an external mailbox, RSS feed, or a different subfolder.

This flow of emails is monitored. When an invoice email is seen, the attacker may attempt to hijack the conversation. Precisely how this is done depends on the account they have compromised and whether the organisation is receiving a payment or needs to make a payment.  Often there will be a request to change payment details, resulting in money being paid into the attacker’s account. 


What can your organisation do to prevent a BEC attack?

  1. Have a good process for changing any payment details that does not involve emails, or information contained in an email.
  2. Enable Multi-Factor Authentication (MFA) on Office 365. Should credentials be compromised, the attacker’s sign-in triggers an MFA prompt on the legitimate user’s device at a time when they are not expecting it, and the attacker is denied access unless that prompt is approved. Train staff to reject unexpected prompts and to report them.

Recently, it was discovered that accessing a mailbox was possible in some instances, despite MFA being enabled. Following an investigation and subsequent testing, it was found that Office 365 mailboxes could be accessed using protocols other than the one your Outlook client uses.

This was the case when the IMAP and POP3 protocols were used to access Office 365 mailboxes.

When either of these protocols is used with Basic Authentication (the legacy scheme in which the client simply presents a username and password), only the standard UserID and password are required to access the mailbox. There is no prompt for MFA, because Basic Authentication has no step at which a second factor can be requested.

So although a UserID and password still stand between an attacker and the mailbox, a phished password is all that is needed: accessing email through IMAP or POP3 with Basic Authentication sidesteps the MFA enabled on the account.

Whilst Microsoft does encourage tenants to disable legacy authentication methods and protocols when enabling MFA, at the time of writing it was not the default, and many organisations still had these protocols available on all mailboxes. (Microsoft has since been switching Basic Authentication off in Exchange Online, but check the state of your own tenant rather than assuming it.)

So, in addition to switching on logging, enabling MFA and having good processes when dealing with payment changes, it is also preferable to switch off IMAP and POP3 on all user accounts in Office 365, or to block Basic Authentication across the tenant.(1)

However, before doing so, there are a few things you need to keep in mind:

  • You may have service accounts that access particular mailboxes using IMAP or POP3 as part of a business process. Record these and scope an exception to those mailboxes only.
  • Older Android phones may access Office 365 using IMAP or POP3.
  • Third-party mail applications on iOS (other than Apple Mail and Outlook) may use IMAP or POP3.
  • Integrations between cloud services that use email may rely on one of these two protocols to read the mailbox.

In other words, take care when disabling IMAP or POP3. However, doing so will help protect your organisation from a BEC attack that uses this particular approach. 


(1) You can do this per mailbox in the Exchange admin center (reachable from office.com), or with the Exchange Online PowerShell cmdlet Set-CASMailbox and its -PopEnabled and -ImapEnabled parameters. Blocking Basic Authentication with an Exchange Online authentication policy closes the same gap for all legacy protocols at once.
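The checks above can be scripted against exports from your tenant. The following is an added example, not part of Shearwater’s advisory and not Microsoft tooling: it reviews constructed records shaped like the output of Exchange Online’s Get-CASMailbox and Get-InboxRule cmdlets (the field names used here are an assumption) and reports mailboxes still reachable over POP3/IMAP without a documented exception, and inbox rules that forward or redirect mail outside the organisation or hide money-related mail in a folder such as RSS Feeds. The domain, addresses and rules are all constructed.

```python
"""Added example, not from Shearwater's advisory: review of the two BEC
exposures above, mailboxes still reachable over POP3/IMAP and inbox rules that
siphon mail away. Records are constructed and shaped like Exchange Online
Get-CASMailbox / Get-InboxRule output (field names are an assumption); nothing
here touches a live tenant."""
from typing import Dict, Iterable, List, Set

ORG_DOMAINS: Set[str] = {"example.com.au"}                        # constructed accepted domains
SERVICE_ACCOUNT_EXCEPTIONS: Set[str] = {"scanner@example.com.au"}  # documented business need
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
MONEY_WORDS = {"invoice", "payment", "remittance", "bank details"}

# Constructed Get-CASMailbox-style records
MAILBOXES = [
    {"PrimarySmtpAddress": "alice@example.com.au", "PopEnabled": False, "ImapEnabled": False},
    {"PrimarySmtpAddress": "bob@example.com.au", "PopEnabled": True, "ImapEnabled": True},
    {"PrimarySmtpAddress": "scanner@example.com.au", "PopEnabled": False, "ImapEnabled": True},
]

# Constructed Get-InboxRule-style records
INBOX_RULES = [
    {"MailboxOwnerId": "alice@example.com.au", "Name": "Invoices to AP", "Enabled": True,
     "ForwardTo": ["ap@example.com.au"], "RedirectTo": [], "MoveToFolder": ""},
    {"MailboxOwnerId": "bob@example.com.au", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["billing.dept@mail-relay.example"], "MoveToFolder": ""},
    {"MailboxOwnerId": "bob@example.com.au", "Name": "cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["invoice", "payment"]},
]


def is_external(address: str, org_domains: Set[str] = ORG_DOMAINS) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def legacy_protocol_findings(mailboxes: Iterable[dict],
                             exceptions: Set[str] = SERVICE_ACCOUNT_EXCEPTIONS) -> List[str]:
    """POP3/IMAP still enabled without a recorded exception. Over Basic
    Authentication these protocols complete with password alone, so MFA never
    sees the sign-in."""
    findings = []
    for mb in mailboxes:
        addr = mb["PrimarySmtpAddress"].lower()
        enabled = [p for p in ("PopEnabled", "ImapEnabled") if mb.get(p)]
        if enabled and addr not in exceptions:
            findings.append(f"{addr}: {' and '.join(enabled)}; disable or record an exception")
    return findings


def inbox_rule_findings(rules: Iterable[dict], org_domains: Set[str] = ORG_DOMAINS) -> List[str]:
    """Rules matching the BEC pattern: external forward/redirect, or money-themed
    mail quietly moved into a folder the user never looks at."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        owner, name = r["MailboxOwnerId"].lower(), r["Name"]
        targets = [t for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
                   for t in (r.get(key) or [])]
        external = [t for t in targets if is_external(t, org_domains)]
        if external:
            findings.append(f"{owner}: rule '{name}' sends mail to external {external}")
        folder = (r.get("MoveToFolder") or "").strip().lower()
        words = {w.lower() for w in (r.get("SubjectContainsWords") or [])}
        if folder and (folder in HIDING_FOLDERS or words & MONEY_WORDS):
            findings.append(f"{owner}: rule '{name}' moves matching mail into '{r['MoveToFolder']}'")
    return findings


def run_review(mailboxes=MAILBOXES, rules=INBOX_RULES) -> Dict[str, List[str]]:
    return {"legacy_protocols": legacy_protocol_findings(mailboxes),
            "inbox_rules": inbox_rule_findings(rules)}


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section)
        for item in items or ["(none)"]:
            print("  -", item)
```

To run it against a real tenant, replace the two constructed lists with the cmdlet output converted to dictionaries (for instance via ConvertTo-Json). The exception list is the part to keep honest: every entry on it is a mailbox an attacker can reach with a password alone, so it should name the business process that needs it and be reviewed whenever that process changes.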


Phishing Awareness Training & Simulation Program 

Phriendly Phishing is a scalable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. It benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

Gone Phishing

Shearwater spearheads innovation to improve email security

It’s the bane of every IT department’s existence:
How to weed out dangerous emails without also blocking legitimate ones.


False Positive: An email that’s been wrongly identified as dangerous, when in fact it is safe.
False Negative: An email that’s been wrongly identified as safe, when in fact it is dangerous.

IT teams face a near impossible balancing act. They need to keep the organisation’s infrastructure and systems safe. But at the same time, they also need to ensure operations are not impeded by over-zealous security measures.


Staking your security on reputation alone is risky business.

Typically, an organisation’s IT department relies on reputation-based intelligence to decide whether an email should be treated as high-risk: dynamic databases of IP addresses from which phishing emails have been sent in the past, so that any email originating from those sources is flagged and weeded out.

Certainly, this strategy is preferable to no strategy. However, it is far from foolproof.

An IP address that is sending phishing email but has not yet been reported won’t be blocked. Likewise, if a trusted IP address or mail server is compromised by attackers who then send phishing emails through it, those messages may pass your security filters with potentially devastating consequences.

That’s where staff training steps in. It’s the people within an organisation that represent the last line of defence. Organisations rely on people having the skills to identify potentially dangerous email, and to notify their IT department about it.

Naturally, errors occur. People often mistake phishing emails for legitimate correspondence. Once a dangerous link or attachment has been clicked, the damage has been done.


Shearwater’s commitment to email security is long-standing.

Shearwater’s Phriendly Phishing awareness product leads the way in giving people the skills they need to identify and report malicious email. With ongoing training modules that get progressively more advanced, people within an organisation become significantly more adept at stopping phishing emails in their tracks.

However, with hackers adopting increasingly sophisticated tactics, those of us developing defensive strategies are also constantly striving for improvement.


Using data to drive new insights.

Working with organisations across multiple industries, both in Australia and globally, Shearwater has accumulated extensive datasets. With this data identifying the origins of dangerous emails, as well as the destinations of any links they contain, it is a treasure-trove of potentially useful information that can be used in the fight against phishing.

When Lachlan Gabb, a Shearwater security analyst and Bachelor of IT (Network Security) student at TAFE NSW, suggested an innovative approach, his initiative was encouraged as potentially offering organisations a new defensive weapon.


Mapping the world of email phishing.

As part of his final-year capstone project, Lachlan wanted to deep-dive into Shearwater’s datasets, with the intention of identifying patterns of behaviour used by those sending phishing emails.

The first step was anonymising the data. Due to the confidential nature of many of the emails, only data specifically relevant to Lachlan’s project was extracted and internally processed on dedicated, secure systems.

Using data visualisation methods, Lachlan successfully mapped many thousands of phishing emails, showing clear trends in terms of origin and destination. He was able to generate interactive animations showing both sender and receiver locations, as well as any link locations contained in the emails.


Interestingly, Lachlan was able to visually demonstrate that source countries for phishing emails are not usually the same as link destination countries. While email source countries are often those with less robust cybersecurity governance and controls, the links contained in those emails often direct to countries not known for malicious activities and with reputations for more sophisticated law-enforcement.
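The extraction step behind this kind of analysis, as an added example that is not Lachlan’s or Shearwater’s code: for each message it takes the originating IP from the Received header written by your own gateway (anything below that line was supplied by the sender and can be forged), pulls link hosts from the body, and tallies origin country against link-destination country. The two sample messages, the gateway name and the IP/host-to-country table are constructed; a real pipeline would use a GeoIP database and run, as the article describes, on anonymised data.

```python
"""Added example, not Shearwater's or Lachlan Gabb's code: origin country versus
link-destination country for a set of phishing emails. Messages, gateway name
and the country table below are constructed stand-ins (no GeoIP, no network)."""
import email
import re
from collections import Counter
from email import policy
from typing import List, Optional

GATEWAY = "mx.example.com.au"  # constructed: the first MTA we control

# Constructed stand-in for GeoIP / DNS resolution.
COUNTRY_OF = {
    "203.0.113.7": "Country A",
    "198.51.100.40": "Country B",
    "invoice-portal.example": "Country C",
    "secure-login-verify.example": "Country C",
}

SAMPLES = [
    # Constructed message 1: two hops; the sender handed it to our gateway from 203.0.113.7
    b"Received: from mx.example.com.au (mx.example.com.au [192.0.2.10])\r\n"
    b"\tby mail.example.com.au with ESMTP; Mon, 1 Jul 2019 09:00:00 +1000\r\n"
    b"Received: from unknown (HELO mail) ([203.0.113.7])\r\n"
    b"\tby mx.example.com.au with SMTP; Mon, 1 Jul 2019 08:59:58 +1000\r\n"
    b"From: Accounts <accounts@supplier.example>\r\n"
    b"To: alice@example.com.au\r\n"
    b"Subject: Invoice 4471\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<p>Please review <a href=\"https://invoice-portal.example/v/4471\">your invoice</a></p>\r\n",
    # Constructed message 2: one hop, plain text
    b"Received: from mailer (mailer [198.51.100.40])\r\n"
    b"\tby mx.example.com.au with SMTP; Tue, 2 Jul 2019 10:00:00 +1000\r\n"
    b"From: IT Support <it@example.com.au>\r\n"
    b"To: bob@example.com.au\r\n"
    b"Subject: Password expiry\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Verify now: http://secure-login-verify.example/reset?u=bob\r\n",
]

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def origin_ip(msg, gateway: str) -> Optional[str]:
    """IP in the 'from' clause of the Received line that *our* gateway wrote.
    Received headers are prepended hop by hop, so the first match scanning from
    the top is the one our gateway added; lines below it came from the sender."""
    pattern = re.compile(
        r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+" + re.escape(gateway) + r"\b",
        re.IGNORECASE | re.DOTALL,
    )
    for hop in msg.get_all("Received", []):
        m = pattern.search(str(hop))
        if m:
            return m.group(1)
    return None


def link_hosts(msg) -> List[str]:
    """Hostnames of http(s) links in the preferred body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return [h.lower() for h in URL_HOST_RE.findall(text)]


def origin_vs_link(raw_messages, gateway: str = GATEWAY, country_of=COUNTRY_OF) -> Counter:
    """Tally (origin country, link country) pairs; 'unknown' when a lookup fails."""
    pairs: Counter = Counter()
    for raw in raw_messages:
        msg = parse(raw)
        src = country_of.get(origin_ip(msg, gateway) or "", "unknown")
        for host in link_hosts(msg):
            pairs[(src, country_of.get(host, "unknown"))] += 1
    return pairs


if __name__ == "__main__":
    for (src, dst), n in sorted(origin_vs_link(SAMPLES).items()):
        print(f"{src:>10} -> {dst:<10} {n}")
```

The tally is what a map or Sankey-style visualisation would be drawn from. Anchoring on the gateway’s own Received line matters: taking the bottom-most header instead would let a sender pick its apparent origin country by adding a fake hop.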


The ongoing fight to stop phishing.

Work continues to implement the findings of Lachlan’s data analysis into Shearwater’s email security platforms, so organisations can benefit from its insights. With the focus of Lachlan’s research thus far mainly centred on English-speaking countries, the next stage is to expand the analysis to include other countries, providing an even more comprehensive understanding into the patterns of behaviour used by those engaging in email phishing.



How Shearwater can help you?

If your organisation isn’t yet taking the threat posed by phishing email seriously, it’s time you started.

The costs associated with ransomware and malware can be crippling.

Yet there are steps you can take to help safeguard your organisation.

With Shearwater actively engaged in research to continuously drive improvements in email security, SPEAK TO US TODAY to learn how you can benefit from our research and expertise.
