Our staff security awareness articles provide insights and advice on how to successfully implement security awareness initiatives in your organisation.

Now, more than ever, securing your data is about improving the awareness and astuteness of your staff regarding phishing and other similar scams. This can be a challenge because, let’s face it, behavioural change and human factors are not usually the IT department’s greatest strength.

Phishing attacks cost time, reputation and money – and the opportunities to penetrate your organisation increase with size.

Plugging a Plugin


As a relative newcomer to the world of Penetration Testing, I never expected to discover an unknown vulnerability this early in my career.

In some respects, I have Melbourne’s COVID-19 lockdown to thank for this achievement.

Whilst conducting routine testing on a client’s web application, I could sense something wasn’t quite right. There seemed to be a problem that went beyond the vulnerabilities I tend to encounter when testing the access levels of an unauthenticated visitor to an application.

It wasn’t exactly obvious what the problem was. Uncovering it would require more digging.  Ironically, it’s thanks to the lockdowns that I had the time to delve deeper and discover the source of the problem.

 

A Passion for Penetration Testing

As a teenager, I was fascinated with computers. My dad was an IT professional for many years and instilled in me an interest in technology from a young age. He would often recount exciting stories about the hackers in the Penetration Testing team at his work.

When it came time for me to enrol in university, I knew I’d be studying IT, but had no idea what specialisation to select. I opted for a generalist Bachelor of Information Technology to get exposure to a range of different focus areas.

By final year, I’d discovered a passion for Penetration Testing. I researched ‘Heartbleed,’ the critical OpenSSL bug discovered in 2014, for my dissertation and conducted ethical hacking against the university’s Wi-Fi network for my final project.

Upon graduating in 2015, my prospects for working as a Penetration Tester were limited because I had minimal practical experience, no OSCP certification and had never even participated in a hackathon or Capture-the-Flag. I knew I had to work on developing my skills, so I began devoting every spare minute to ethical hacking.

Even after Shearwater gave me the opportunity to join their team as a junior Penetration Tester, I continued spending any spare time continually learning and honing my skills. My curiosity and drive have always led me to go a bit further and dig a bit deeper in the quest to discover hidden vulnerabilities.

 

On the Hunt

My sense that there was a deeper problem with the web application I was testing compelled me to interrogate it further. With little else to do during lockdown, I spent countless after-hours investigating, looking for any sign of a gap in the application’s security.

Like many web applications, this one made extensive use of a range of plugins. A plugin is a piece of ready-made software that performs a particular function. When building a website, many developers will make use of plugins as they can be quicker and easier solutions than building every piece of functionality from scratch.

But not all plugins are built to the same standard. Many are developed securely, but others are not. It’s vital to test the security of all plugins thoroughly before incorporating them into a web application.

In this case, the client had incorporated Umbraco Forms 7.4.1. This particular plugin formed part of their Contact Us page, allowing visitors to upload and send documents to the site’s admins. Normally such plugins should only allow visitors to upload and send certain types of files that are likely to be safe, such as PDFs or JPEGs.

Unknown to both the client and the plugin’s developers, Umbraco Forms 7.4.1 allowed unrestricted file uploads. Nothing prevented a malicious actor from uploading and sending dangerous files, such as malware, to the client.

When an admin user clicked and downloaded a file sent through the plugin, it would execute within their local desktop environment. Due to the lack of any restrictions on the types of files that could be sent, a file could include phishing attempts or malicious executable files, paving the way to steal administrator user credentials and potentially allowing a full system takeover.

Such a gaping vulnerability would represent an unacceptable level of risk for any web application owner.

With the web application leaving the client dangerously exposed, they were immediately notified and provided guidance on remediation efforts to keep them secure. Steps were also taken to notify Umbraco so a patch could be developed to fix the vulnerability.
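To make the remediation guidance concrete, here is an added example (not code from Umbraco or from the original post) showing an accept-anything upload handler of the kind the article describes next to a hardened validator that allows only the PDF and JPEG types the article names, checks the file’s leading bytes against its claimed type, rejects double extensions, and never uses the visitor-supplied name as a path. The allowlist, size limit and naming scheme are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Allowlist of the "likely to be safe" types the article names, with the leading
# bytes (magic numbers) a genuine file of that type begins with. Constructed for
# this example; a real deployment tunes the list to what the form must accept.
ALLOWED_TYPES = {
    ".pdf": [b"%PDF-"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed size limit for a contact-form attachment
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def accept_any_upload(filename: str, data: bytes) -> UploadDecision:
    """Weak form: whatever the visitor sends is kept under the name they chose."""
    return UploadDecision(True, "no checks performed", filename)


def validate_upload(filename: str, data: bytes) -> UploadDecision:
    """Hardened form: size limit, allowlisted extension, matching magic bytes, sanitised name."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "empty or oversized file")
    # Keep only the base name; any path component supplied by the client is discarded.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return UploadDecision(False, "no file extension")
    stem, ext = base.rsplit(".", 1)
    ext = "." + ext.lower()
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension {ext} is not allowed")
    # Names like report.exe.pdf are rejected outright rather than trusting the last extension.
    if "." in stem:
        return UploadDecision(False, "multiple extensions are not allowed")
    # The declared type must match what the bytes actually are (a renamed executable fails here).
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match the declared type")
    if not SAFE_STEM.match(stem):
        return UploadDecision(False, "unsafe characters in file name")
    # The server, not the visitor, decides the stored name; the original name is never a path.
    return UploadDecision(True, "ok", f"upload_{stem.lower()}{ext}")
```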

With potentially many thousands of web applications around the world using the Umbraco Forms 7.4.1 plugin, this discovery allows admins to be aware of their exposure and increase their security.

Discovering my very first unknown vulnerability has been an exciting and rewarding experience. It motivates me to always go the extra mile in the hunt for other unknown vulnerabilities.


 

 

 

Protecting your Business from DoS Attacks


With the Australian Cyber Security Centre (ACSC) recently warning of a spate of potentially devastating Denial of Service (DoS) attacks, it’s essential to put into place measures to protect your organisation.

This stark advice follows a series of ransom threats made against Australian businesses. Typically, victims are threatened with a devastating DoS attack against their web server or network unless they pay attackers a cryptocurrency ransom.

Put simply, a DoS attack is an attempt to severely slow down, or crash, your business’s web server or network. It can result in your website and web applications being inaccessible to customers and staff.

A DoS attack can literally bring your entire business to a grinding halt, causing significant financial and reputational damage.

Due to the level of computing power required, a DoS attack often involves using a network of compromised computer systems in different locations that target a victim’s systems with bots simultaneously. This is known as a Distributed Denial of Service (DDoS) attack. As these computers are all based in different locations, they can be very hard to defend against.

Whilst preventing all DoS attacks may not be possible, there are a number of practical steps you can take to strengthen your business’s preparedness. But firstly, it’s important to understand exactly what’s happening when you’re being subjected to a network-based DoS attack.

 

Large-Scale DoS Attacks

There are a number of DoS attack methodologies; the most common are attempts to flood your business’s web server or network with enormous volumes of data. Your systems only have a certain amount of bandwidth or capacity. When overwhelmed in this way, they either become sluggish or cease functioning altogether.

Launching large-scale attacks like these requires substantial computing resources. As businesses begin developing more sophisticated defence measures, attackers are resorting to more targeted and sophisticated methodologies that require less computing firepower.

 

Targeted DoS Attacks

When visitors access your business’s website, data passes from the web server to the visitor’s computer along a series of physical cables, via a range of routers and networks. Nowadays, we are seeing sophisticated attackers undertaking extensive reconnaissance to identify the weakest link in that chain of infrastructure.

Once an attacker identifies the weakest link, such as a particular router, they look for ways to flood that specific component, knocking it out. By focusing the DoS attack on the weakest component in the chain of infrastructure, attackers can disrupt your system’s data flows without the need for huge amounts of computing firepower.

Interestingly, recent surveys indicate that whilst there’s a significant increase in the frequency of DoS attacks (up 16% from 2018 to 2019), these tend to be smaller in scale (between 100 and 200 Gbps). Larger-scale DoS attacks (over 200 Gbps) seem to be on the decline.

As DoS attacks become more targeted and use less firepower, it’s more important than ever to be vigilant with monitoring your network for any sign of anomalies so you can respond as quickly as possible.

 

Be Prepared

DoS attacks can be notoriously challenging to prevent, which is why protecting your organisation needs to be an ongoing process. There are a range of activities your organisation can take to improve resilience.

You should maintain close visibility over your systems and traffic flows. This will allow you to quickly identify abnormalities, such as unusually large volumes of data. You should seek to verify incoming data by undertaking IP address filtering against blocklists of known-bad sources (negative databases), so you can identify and block risky traffic sources. Engaging a third-party security provider for pattern detection and IP filtering can ensure you achieve an appropriate level of preparedness.

Another way to reduce risky data inflows is with the use of CAPTCHA challenges on web forms. These can help you ensure that incoming data is being sent by humans and will help limit bot attacks.

When planning DoS mitigation strategies, it’s important to consider ways to become more decentralised. In the event of an attack on one of your systems, your other systems will remain live. For example, ensuring you have redundant network resources will allow you to load balance and handle increased network traffic if one of your servers is attacked.

To protect your website, you may consider solutions such as Content Delivery Networks (CDNs) which allow you to create a non-dynamic cached version of your site. By having the cached version hosted on different servers, preferably in different locations around the world, your website will still be accessible even if your origin server is under attack.

Importantly, take care to avoid disclosing your origin server’s IP address, so attackers aren’t able to bypass the CDN. You should also use firewalls to ensure that only the CDN can access the origin server.
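To show what the three controls above look like in practice, here is an added example (not from the original article) that triages constructed access-log lines: a sliding-window request count flags sources sending unusually large volumes, a constructed blocklist stands in for the negative database, and a constructed CDN range is the only source the origin-server firewall rule admits. The log lines, window, threshold and address ranges are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample of access-log lines in the form "<unix_time> <client_ip> <path>",
# in time order. 198.51.100.7 sends a burst, 203.0.113.10 is an ordinary visitor and
# 192.0.2.99 sits in a blocklisted range.
SAMPLE_LOG = [
    "1700000000 203.0.113.10 /",
    "1700000001 198.51.100.7 /search?q=a",
    "1700000001 198.51.100.7 /search?q=b",
    "1700000001 198.51.100.7 /search?q=c",
    "1700000002 198.51.100.7 /search?q=d",
    "1700000002 198.51.100.7 /search?q=e",
    "1700000002 192.0.2.99 /",
    "1700000003 198.51.100.7 /search?q=f",
    "1700000003 198.51.100.7 /search?q=g",
    "1700000003 203.0.113.10 /contact",
    "1700000004 198.51.100.7 /search?q=h",
    "1700000004 198.51.100.7 /search?q=i",
    "1700000005 198.51.100.7 /search?q=j",
    "1700000005 198.51.100.7 /search?q=k",
    "1700000009 203.0.113.10 /contact",
]

# "Negative database" of known-bad sources and the CDN's published ranges; both constructed.
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]
CDN_RANGES = [ipaddress.ip_network("203.0.113.128/25")]


def parse_line(line):
    ts, ip, path = line.split(" ", 2)
    return int(ts), ipaddress.ip_address(ip), path


def in_any(ip, networks):
    return any(ip in net for net in networks)


def find_floods(lines, window_seconds=5, threshold=10):
    """Return the source IPs that exceed `threshold` requests inside any `window_seconds` span.

    Lines must be in time order; each source keeps only the timestamps still inside the window.
    """
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        ts, ip, _ = parse_line(line)
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - window_seconds:
            window.popleft()
        if len(window) > threshold:
            flagged.add(ip)
    return flagged


def triage(lines, window_seconds=5, threshold=10):
    """Classify every source in the log as blocklisted, flooding or normal."""
    floods = find_floods(lines, window_seconds, threshold)
    verdict = {}
    for line in lines:
        _, ip, _ = parse_line(line)
        if in_any(ip, BLOCKLIST):
            verdict[str(ip)] = "blocklisted"   # drop before it consumes capacity
        elif ip in floods:
            verdict[str(ip)] = "flood"         # candidate for rate limiting or a CAPTCHA
        else:
            verdict[str(ip)] = "normal"
    return verdict


def origin_allows(client_ip: str) -> bool:
    """Origin-server firewall rule: only the CDN's ranges may reach the origin directly."""
    return in_any(ipaddress.ip_address(client_ip), CDN_RANGES)
```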


Additionally, you should consider carefully which systems are business-critical, such as email systems. These should be partitioned from highly vulnerable systems, such as your web server, and hosted on separate infrastructure.

Furthermore, if you’re not yet using cloud-based hosting, then it is definitely worth considering as a way to withstand DoS attacks. Major cloud providers have teams of people monitoring traffic flows and will be able to rapidly notify you of any anomalies. They also have far higher bandwidth capacity, meaning they are able to cope with far higher volumes of incoming data.

 

How can Shearwater help you?

With DoS attacks occurring more frequently, and the methodologies constantly evolving, it’s essential every business develops strong resilience.

Our Penetration Testing specialists can secure your applications against a range of potential weaknesses and provide expert guidance on strengthening your overall application layer.

With our Managed Security Services team of experts monitoring your network for abnormalities, with the capacity to respond rapidly, you will achieve peace of mind that your organisation is ready to confront any DoS attacks.

Contact Shearwater Solutions for a no-obligation discussion with our security experts and discover the many ways we can help your organisation strengthen its ability to withstand a DoS attack.

Why Your Organisation Needs to Implement: MULTI FACTOR AUTHENTICATION (MFA)


Most of us rely on the humble password to access a myriad of systems including email, online banking, social media accounts and streaming services like Netflix.

With the simple combination of a username and password, we can easily access huge amounts of important data from wherever we happen to be located. There’s no doubt that passwords have brought immeasurable levels of convenience to our daily lives.

What’s more, passwords are an essential component in modern workplaces. Staff have ready access to a whole range of systems and data, enabling far greater levels of workplace efficiency than ever before.

But what happens when passwords are compromised? How can an organisation ensure that the individual accessing a particular system is indeed authorised to do so?

It’s more important than ever that organisations implement Multi Factor Authentication (MFA) as a way to verify that the individual logging in with a password is actually the right person, rather than an attacker using compromised login credentials.

What is Multi Factor Authentication?

The Australian Cyber Security Centre defines MFA as:

‘A method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier’.

Put simply, when logging into any system, at a minimum you would need to prove your identity with a password and AT LEAST one additional verification method. If you only need to provide a password and one other form of verification, this is known as 2 Factor Authentication (2FA).

For example:

  • Password + One-Time PIN = 2FA
  • Password + One-Time PIN + fingerprint = MFA

Ideally, different verification methods should include a combination of:

  1. something the individual knows (e.g. password or PIN)
  2. something the individual has (e.g. a physical token or smartcard)
  3. something the individual is (e.g. a fingerprint or iris scan).

 

Why use Multi Factor Authentication?

With password breaches on the rise, it’s more important than ever to implement MFA within your organisation. The problem with relying solely on passwords is that people often use the same password to access a wide range of systems. If the password is breached once, an attacker can use it to access a whole set of other systems.

The other challenge faced by many organisations is that they may have multiple points of authentication, whereby authenticating on one system, such as an email account, grants access to other systems.

That’s why it is essential to make sure whoever is logging into your corporate systems is legitimately authorised to do so.

Another important benefit of MFA is that it can alert people within your organisation that an unauthorised individual is trying to log in to your systems. For example, if SMS notifications are one verification method within your MFA set-up and a staff member unexpectedly starts receiving SMS messages with PIN codes, this can be brought to the attention of the security team. They can then investigate who might be trying to breach your systems illegitimately and stop them.

 

How to implement Multi Factor Authentication?

There are a range of technical solutions you can turn to when implementing MFA in your organisation.

However, one of the biggest challenges you’re likely to face, is building awareness and support for this security initiative among the people in your organisation.

Like any change, it takes time to bring people around. It’s essential you have the support of senior management across the organisation. Bring together the IT team, HR, Communications department and others. Their backing will help ensure the introduction of MFA succeeds.

You need to begin with a careful consideration of what assets you’re seeking to protect, determine an appropriate level of MFA, and factor in the impact this will have on staff. The more layers of security you implement, the more problems you’re likely to experience with staff who cannot access the essential systems they need to do their work. So you need to carefully balance your security needs with staff capabilities.

There may be some assets that require greater levels of security, whilst others do not contain sensitive corporate data. The former may require additional layers of security, whilst the latter may need fewer layers. These are all things you need to carefully consider before embarking on the implementation of MFA in your organisation.

The more you explain to staff the rationale behind the implementation of MFA, and how it is designed to protect the organisation’s systems and data, the more likely it is that staff will support the initiative, rather than seeing it as a nuisance. This needs to be combined with comprehensive training that makes it clear what staff will need to do, how they will need to do it, and where they can get assistance if required.

You should also consider using Single Sign-On (SSO) technology. SSO allows your staff to sign in once to a system using MFA and then access a range of other systems without having to authenticate every time. When they initially log in using multiple verification methods, the device is then trusted, so there is no need to repeatedly undergo the MFA process.

This can significantly reduce the complexity faced by staff, and will help make MFA implementation easier.

 

What are the different Multi Factor Authentication verification methods?

 

♦ U2F Security Keys

Universal 2nd Factor, or U2F, requires a user to authenticate using a physical security key.

It guarantees that the person accessing a system is also in possession of a physical security key, helping ensure that attackers with compromised passwords are not able to log in.

It is essential that U2F security keys are not stored with the computer. They should be stored separately, so in the event that an attacker has physical access to a computer, they will not be able to login to systems which have U2F authentication enabled.

Common U2F security keys include:

Tokens: When authenticating, the user needs to either click a button on a token or insert the token into the computer (e.g. via a USB port). Once activated in this way, the user will be able to successfully login to the system.

Proximity Cards: When authenticating, the user needs to tap a contactless card on a Near Field Communication reader. Once tapped, the user will be able to successfully login to the system.

 


♦ Physical One-Time PIN

This authentication method makes use of a physical token that displays a limited-time PIN on a screen. The PIN displayed on the token usually changes every 60 seconds and can only be used to log in to a system once.

The time on both the physical token and the authentication service are synchronised, allowing the authentication service to know what one-time PIN should be used.

It guarantees that the person accessing a system is also in possession of the physical token, helping ensure that attackers with compromised passwords are not able to log in.

It is essential that tokens are not stored with the computer. They should be stored separately, so in the event that an attacker has physical access to a computer, they will not be able to login to systems which have one-time PIN authentication enabled.

 


♦ Biometrics

Attackers may gain access to your password. However, requiring a fingerprint or iris scan to authenticate makes it much harder to breach your defences.

Many systems now incorporate biometrics as part of the authentication process.

Whilst biometrics certainly offer greater protection, they are not foolproof. Typically, biometric readers convert the biometric data into hashed form. If attackers can reverse the hashed data, they could potentially gain access to your systems.

Biometrics can form one layer of security in a multi-layered authentication process.

 


♦ Smartcards

This method can be implemented to authenticate a user by ensuring the person logging in has possession of a particular physical smartcard.

To be authenticated, the user will need to login to the smartcard’s portal and either tap the smartcard on a reader, if it is contactless, or insert the smartcard into a reading device. This unlocks the smartcard, thereby enabling the user to be authenticated on the systems they need to access.

Unlike a basic proximity card, a smartcard is embedded with a chip containing user data. Smartcards can exchange data with readers and other systems. Smartcards offer greater security than a basic proximity card, as even if the card is stolen, an attacker would need to firstly know how to unlock the card before being able to use it.

 


♦ Mobile Apps

Mobile apps can form an important part of your MFA process.

The user first needs to download the app to a mobile device. They then either scan a QR code or provide a phone number / email address to receive a PIN that is used to register with the mobile app. Once registered, the app will be linked to the system(s) on which the user will need to authenticate.

Each time the user needs to login to a system, they will receive a unique one-time passcode from the mobile app. They use the one-time passcode to authenticate on the system.

Whilst this method does offer significant security benefits, it should be noted that if the mobile device has been compromised, the passcodes generated by the mobile app may be accessible by attackers.

 


♦ SMS, Email or Voice Messages

One of the most common authentication methods is the one-time password.

When enrolling on a system, the user will need to provide a phone number or email address. Each time the user subsequently logs into the system, they will be delivered a unique one-time password via SMS, email or as a voice message.

This password is then used to login to the system.

This form of authentication is beneficial because it is easy to use for many people. However, it also poses the problem that a compromised device may allow others to access the one-time passwords.

 


♦ Software Certificates

Whilst most MFA processes focus on authenticating the user, another path is to authenticate a device.

Software installed on a device has certificates stored in the device’s registry. When a user seeks to access a system from a particular device, the system can verify the software certificates on that device. This helps ensure the system is not being accessed by a hacker from a different device.

The challenge with this system is that it relies on the software and the type of operating system on the device.

 

 

How Shearwater Can Help

When your organisation needs to implement a Multi Factor Authentication solution, contact Shearwater Solutions. Our security team will provide you expert guidance on implementing the right strategy for your organisation, ensuring that appropriate layers of security are in place to protect your data and systems.

Stay Protected from Sophisticated Cyber-Attacks


When the Prime Minister fronted the media on 19 June and announced that Australia is facing sustained sophisticated cyber-attacks, it was a timely reminder that all organisations need to take cyber-security seriously.

According to the Australian Cyber Security Centre, the main attack vector involves ‘copy-paste’ attacks.

Such attacks are relatively simple. Unlike a zero-day, where the attacker discovers a previously unknown vulnerability, copy-paste attacks make use of known open-source exploits. These are all available in the public domain. Put simply, attackers are copying malicious code, then pasting it into the code of internet-facing infrastructure in order to compromise credentials and gain access.

The Australian Cyber Security Centre (ACSC) is warning that attackers are primarily exploiting remote code execution and deserialisation vulnerabilities. It appears Telerik UI, Microsoft IIS, SharePoint and Citrix systems are bearing the brunt of most of the attacks.

Whilst copy-paste attacks are relatively simple, the challenge for attackers comes in knowing exactly which malicious code to paste into which target system. Attackers also need to find ways to bypass an organisation’s detection system and how to conduct the exploit from outside a secure environment.

The fact that attackers are rapidly overcoming these challenges on a regular basis, points to their level of sophistication.

The good news is that because copy-paste attacks make use of known vulnerabilities, organisations can take precautions to avoid becoming victims. The ACSC recommends organisations focus on patching and implementing Multi-Factor Authentication (MFA) as the best ways to stay secure.   

PATCHING

Few cyber security activities are as important as regular patching. 

With most attackers exploiting known vulnerabilities, some of which have had fixes available for many years, there’s simply no excuse to neglect keeping your systems updated. 

My approach to patching is pretty straightforward – JUST DO IT!

This means that organisations should apply patches aggressively. Aggressive patching involves running regular updates on an ad-hoc basis. In most cases it is preferable to ensure patches are rolled out in a timely manner whenever an update is released, rather than waiting and running large batches of patches according to a cyclical timetable.  

The latter approach may lead to various difficulties. Managing the roll-out of a large number of patches at one time can be more challenging than regularly implementing one or two updates. 

It’s also important that when vendors prompt you to run automatic updates, you do actually run them.  

Interestingly, it seems fixes for the copy-paste vulnerabilities currently being exploited may require manually applying updates to computers rather than running fixes using network-wide tools. So, this is something to bear in mind that could make keeping up to date with patches more time-consuming.  


 

 

MULTI-FACTOR AUTHENTICATION (MFA)

Relying solely on passwords to protect your digital assets is a risky strategy as attackers have well-developed strategies for compromising login credentials. That’s why I strongly urge all our clients to implement Multi-Factor Authentication (MFA) on all their systems as a top priority.

There are a range of ways you can implement MFA including one-time passwords, SMS verification codes, hardware tokens or biometrics. Different MFA options offer different levels of security, but they all offer a significant improvement over the basic login and password.

Increasingly, organisations are making use of Two-Factor Authentication (2FA), which makes use of a password and one other verification method. Whilst this is definitely superior to password-only security, MFA offers even greater protection.

With MFA, you would be using a password as well as a minimum of two additional verification methods.

For example, you would use a password, as well as an SMS verification code and a fingerprint. Even if a hacker had compromised your password and had access to your mobile device to get the SMS code, replicating your fingerprint would be all but impossible. That’s not to say that biometric verification systems cannot be compromised, but the more layers of security you implement, the harder it is for attackers to gain access to your systems. 

Whichever MFA strategy you adopt, it’s important to understand that they do not replace passwords. They offer additional layers of protection, making it considerably harder for attackers to breach your systems. This is particularly the case with so many staff working remotely. The extension of the corporate environment to your employee’s homes makes them more vulnerable. MFA is one of the most effective ways you can take back control.

You can use the services of a number of MFA providers, many of whom offer Single Sign-On (SSO) facilities. With SSO, once a staff member successfully logs in to a device using MFA, that device becomes trusted. The staff member can then access a range of other systems from the same device without having to go through the MFA login process every time.

How Shearwater Can Help

Contact Shearwater for advice and assistance when it comes to patching strategies or implementing MFA in your organisation. Once you have the right strategies implemented, your organisation will be well placed to prevent the types of attacks identified by the Prime Minister on 19 June. Whilst the attackers are sophisticated in their approach, it is definitely possible to make their lives more difficult and help ensure you’re better protected.

 

 

Zero-Trust: A New Security Paradigm


How times have changed.

Not long ago, security teams had things easy.

Their primary task was straight-forward: Securing the perimeter of the corporate environment.

Of course, in the days before BYOD and remote working, the corporate environment primarily consisted of an internal network of on-premises systems.

Once the internal network’s perimeter was secured, it was job done. Security teams could simply sit back and monitor everything going in or out. This was known as the ‘castle and moat’ approach to security.

However, all that began to change with the advent of BYOD and remote working, a trend that’s grown exponentially since COVID-19.

Security teams can no longer rest on the assumption that everything inside the security perimeter can be trusted.

With organisations now enabling employees to access systems and data in a variety of ways, irrespective of location, the corporate network has been expanded in ways unforeseen just a few years ago.

Valuable data is continuously being transferred between a range of systems including SaaS applications, IaaS applications, on-premises and cloud-based data centres, as well as a plethora of devices that are supplied by the company or by individual employees.

All this opens up a range of opportunities for cyber-criminals to breach your systems and compromise your data.

With more entry points than ever before, attackers have a multitude of opportunities to gain entry to your systems. They may collect huge amounts of highly valuable data before your security team can identify and stop them.

Zero-Trust is a new security paradigm that aims to boost your security in this new environment.

 

How does Zero-Trust work?

Traditionally, a remote user, such as an employee, would gain access to the internal network via a VPN. When connecting to the VPN, the user would need to authenticate themselves, either with a username and password, or preferably via multi-factor authentication.


Once the user had been authenticated by the VPN, they would be granted access to the internal network’s systems. However, there would be no subsequent authentications on a user seeking to move laterally between various systems within the network.

In effect, if an attacker managed to get authenticated at the VPN stage, they could have free rein to access all the corporate systems. This could pave the way for an attacker to cause untold damage.

Furthermore, this traditional model only regulated access to the internal network but did not regulate accessibility to cloud-based applications, which many organisations now regularly use to store valuable data.

However, adopting a Zero-Trust model offers significant security enhancements.

When a user wishes to access any system, be it on the internal network or the cloud, they will firstly go through a proxy (step 1), which then sends them to the single sign-on gateway to be authenticated (step 2).

If the user is wishing to access a cloud-based application, they will be sent directly to the cloud, without passing through the internal network (step 3).

If the user wishes to access a system on the internal network, they will be sent back to the proxy (step 2 reversed), with the proxy then tunneling them to the specific system (step 4).


The benefit of this flow is that the user doesn’t require separate authentication credentials for each individual cloud application and network system. Their privileges can remain consistent across a range of systems. This makes remote working much more straight-forward for employees.

Importantly, from a security perspective, there are two main benefits of this Zero-Trust model:

  1. Privileges on all systems, be they in the cloud or on the network, can be centrally determined and managed by your security team;
  2. None of the systems on the internal network will allow access to anyone who has not been sent directly from the proxy. In other words, lateral movement between systems will be restricted. In the event an attacker gains access to one system on the internal network, they will not be able to move to other systems to cause even more damage.

 

 

Applying a Zero-Trust Model

At its heart, the Zero-Trust model mandates that no user, device or application, should have trust by default, even within the perimeter.

This is a paradigm shift for security thinking.

Unlike a traditional model, in which a user was validated once upon entering the perimeter, Zero-Trust treats that single check as inadequate. The user’s credentials may have been compromised after the check; a single perimeter check cannot differentiate the privileges a particular user or device should have on each system within the network; and it does not extend naturally to cloud-based systems.

Rather than treating things inside the network as ‘safe’ and giving them additional privileges, with Zero-Trust there are three core pillars:

  1. Identifying users more rigorously using Multi-Factor Authentication, rather than simply relying on a username and a password.
  2. Identifying the devices being used to access systems and checking whether they are trusted (i.e. approved corporate or personal devices).
  3. Conducting these checks at the individual application level, rather than at the network perimeter.

Importantly, if a user or device has access to one application on the network, and then wishes to move laterally to another application on the network, they would need to be re-validated. By restricting lateral movement between systems in this way, you can be confident that any breach will be contained and the damage will be limited.

The Zero-Trust model also allows you to grant specific privileges to specific users and specific devices before conducting specific actions. For example, a particular user or device may be granted ‘read-only’ privileges on one system, but higher level ‘write’ privileges on another system.

The model also gives organisations greater visibility and control over their cloud-based applications.
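The three pillars and the per-application privileges described above can be expressed as a single authorisation check that runs on every request. The following is an added example, not Shearwater’s code: the policy table, device inventory, application names and the constructed requests are assumptions for this illustration. Each decision is made afresh for the application being asked for, so reaching one system grants nothing on the next, and a connection that did not come through the proxy is refused outright.

```python
"""Per-request zero-trust authorisation check.

Added example, not Shearwater's code. The policy table, device inventory and
requests are constructed; the names (Session, authorize, POLICY) are assumptions
for this illustration. Each request is decided on its own, so access to one
application grants nothing on another.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool   # pillar 1: MFA completed at the SSO gateway
    device_id: str
    via_proxy: bool      # request arrived through the access proxy (step 4 in the flow)


# Pillar 2: constructed device inventory. Only enrolled devices are trusted.
TRUSTED_DEVICES = {
    "lt-0142": "corporate",
    "ph-9001": "personal-approved",
}

# Centrally managed privileges: (user, application) -> allowed actions.
# Alice is read-only on the HR portal but may write to git, as in the article.
POLICY = {
    ("alice", "hr-portal"): {"read"},
    ("alice", "git"): {"read", "write"},
    ("bob", "hr-portal"): {"read", "write"},
}

# Applications that approved personal (BYOD) devices may not reach at all.
CORPORATE_ONLY_APPS = {"hr-portal"}


def authorize(session: Session, app: str, action: str) -> tuple:
    """Pillar 3: evaluate user, device and privilege for this application.

    Returns (allowed, reason). Nothing is cached between applications, so a user
    who has reached one system is re-validated before touching the next.
    """
    if not session.via_proxy:
        return False, "direct connection bypassing the proxy is refused"
    if not session.mfa_verified:
        return False, "MFA not completed at the SSO gateway"
    device_class = TRUSTED_DEVICES.get(session.device_id)
    if device_class is None:
        return False, f"device {session.device_id} is not enrolled"
    if app in CORPORATE_ONLY_APPS and device_class != "corporate":
        return False, f"{app} requires a corporate device"
    if action not in POLICY.get((session.user, app), set()):
        return False, f"{session.user} is not permitted to {action} on {app}"
    return True, "ok"


if __name__ == "__main__":
    alice = Session("alice", True, "lt-0142", True)
    for app, action in [("git", "write"), ("hr-portal", "write"), ("hr-portal", "read")]:
        print(app, action, authorize(alice, app, action))
```

The order of the checks matters: the proxy and MFA checks fail closed before any policy lookup, so an unenrolled or unauthenticated device never learns which applications exist.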

 

What are the 5 Essential Elements of Zero-Trust?

These are the 5 Essential Elements that require considering when establishing a Zero-Trust model:

1) Networks

The Zero-Trust principle shifts the emphasis from shrinking the attack surface to defining and defending a ‘protect surface’ around your most valuable assets. Segmentation is critical. Once you identify those assets, applying microsegments around them creates a series of barriers that block unauthorised lateral movement, so a user in one segment cannot move into another, limiting the damage in the event the perimeter is breached.

 

2) Applications

Applications, whether on your network or in the cloud, should have access rights and privileges that can be controlled by your security team. These should be managed according to the specific needs of individual users and/or devices. Don’t assume that once a user is on the network, they should have lateral access to all applications. Applications, particularly those in the cloud, are attractive targets to attackers. You need to ensure you have full visibility and control over who is accessing them and what they can do once they have access.

 

3) Data

Zero-Trust is all about protecting your valuable data. As data is increasingly shared between users, devices and applications across your network and on the cloud, it can be more vulnerable to breaches. Zero-Trust helps you ensure that data is segmented and access, particularly to highly-valuable data, is restricted by both user and device.

 

4) People

Usernames and passwords don’t offer sufficient protection anymore, as evidenced by the volume of breaches that occur with these credentials. It is essential that stronger methods, such as Multi-Factor Authentication, be implemented to strengthen identity verification. The single-sign on gateway and MFA are integral to the Zero-Trust model.  

 

5) Devices

Don’t just validate users. You should also be validating devices. Every device connected to your network can be compromised. This is particularly the case as BYOD has become common practice. In the event a device is compromised, Zero-Trust ensures it cannot be used to gain access to your network and move laterally between applications. This gives your security team more time to identify and block unauthorised breaches.  

 

How Shearwater Can Help

Speak to Shearwater for expert advice on how you can implement a Zero-Trust security model for your organisation.

At times of heightened concern surrounding cyber-intrusions and data breaches, you need to ensure you have the right systems and policies in place to safeguard your most valuable assets.

Our team of experts understand the risks and the methodologies you need to keep one step ahead of the attackers.

Call us today for a no-obligation consultation.

 

The New Normal: 4 Ways to Reduce Attack Surfaces

 

The last two months have seen an unprecedented change in the way Australians work.

And while it appears that the economy will begin to re-open in the near future, we should be mindful of the fact that working patterns are likely to change permanently, even once we see the back of COVID-19.

Many organisations are now seriously contemplating a ‘NEW NORMAL’.

On the other side of this pandemic, we are likely to see many organisations adopt far more flexible working arrangements. These will allow workers to balance their time between home and office in ways that are mutually suitable.

There are a range of benefits to such flexibility. It allows staff to enjoy a better work-life balance. Reducing the number of commutes each week ensures people have more time to devote to recreational activities, including spending quality time with family and friends. A better-rested workforce will likely pay significant dividends in terms of increased productivity.

Furthermore, with large percentages of their staff working remotely each day, organisations will need less office space – providing significant real estate savings.

However, there is still a question mark over how this ‘NEW NORMAL’ will affect the security and integrity of an organisation’s systems and data.

We know the sudden shift to remote work over the last two months saw many organisations adopt ‘quick-fixes’ that fell short of providing adequate long-term security. These may have included accessing or transmitting data without the use of a VPN, or allowing staff to work on their own devices without adequate BYOD policies in place. Staff may have been using less secure home wi-fi routers or communicating with colleagues via unencrypted teleconferencing platforms.

As remote work becomes a permanent feature of the economic landscape, now is the time for organisations to be thinking of ways in which they can embed more rigorous, long-term, cyber security policies, rules and procedures.

Attack Surfaces: Knowing Your Exposure

Thanks to enforced lockdowns, our adoption of information and communications technologies has been accelerated in an unprecedented way.

We have all had to rapidly change the way we work and communicate, from large enterprises to small and medium sized businesses. Even government departments and agencies have dramatically changed their practices to accommodate working from home.

Whilst the new technologies provide much greater levels of flexibility than ever before, they also significantly increase our ‘attack surface’.

An attack surface is the sum of the points at which an attacker can interact with your systems: exposed services and ports, applications, accounts, devices and the people who use them, together with any vulnerabilities in them. To secure an organisation’s network, IT administrators should seek to reduce the number and size of these entry points.

The first step to reducing your attack surface is knowing the extent to which you’re exposed. A system with no network connectivity has a negligible remote attack surface, but most Australians now use internet connectivity in more ways than ever before, and the result is an expanded attack surface. Any step that reduces it makes it harder for attackers to breach your systems.

 

4 Measures to Reduce Attack Surfaces

1. Audit Your Assets and Map Attack Pathways

Start with a comprehensive audit. It is one of the best strategies you can implement for reducing your attack surface. You’ll be surprised how many misconfigurations you’ll detect and the volume of outdated software you have installed across your network.

These are some of the questions an audit should seek to answer:

  • What assets do we have, whether located on-premises or in the cloud?
  • Which assets are business-critical, which assets are somewhat beneficial to the business and which assets are redundant?
  • What vulnerabilities can be identified in the business-critical systems?
  • How are the assets interconnected and what could be done to segment different assets?
  • What potential pathways exist for an attacker to reach the business-critical assets?

Answering these questions will put you on the right path to substantially reducing your attack surface.

 

2. Remove Redundant Software

Over the years, all kinds of software can find their way onto your servers’ operating systems, not to mention a wide range of software that may be installed on individual computers within your network. You should only retain those applications that are absolutely necessary for your team to carry out their work.

Anything else should be disabled or simply uninstalled.

Periodic cleaning of your servers and computers should include removing any unnecessary applications. Reducing redundant software and applications will reduce potential entry points for attackers.

This is particularly important as we regularly see attackers gain entry to networks by exploiting vulnerabilities that have been known for some time. Often, organisations will have software on their systems that they’ve neglected to patch or update because they are not being used. This may provide a perfect opportunity for an attacker to gain entry. 

Follow our 8-Step Guide to Patch Management to ensure you keep all software up to date.

 

3. Scan Network Ports

A firewall between your network and the internet determines which traffic is allowed into your environment and which is kept out. When configuring it, you decide what should be allowed in: each port you open permits a particular service, and the traffic it carries, to be reached from outside.

Unfortunately, all too often ports are left open. Attackers know this and are regularly scanning for open ports. The last thing you want is your network accepting whatever an attacker sends your way.

That’s why reducing your attack surface should include closing unnecessary ports, both inbound and outbound.

You should scan for open ports on a regular basis, preferably fortnightly. Any open ports that you suspect may not be necessary should be closed as a precaution. When it comes to ports, it’s preferable to be slightly over cautious. If closing a port causes some inconvenience to people in your organisation, because they cannot access certain types of data, you can always re-open it.
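A fortnightly scan is only useful if someone compares it with what is supposed to be open. The following is an added example, not Shearwater’s code, of that comparison: it parses nmap’s grepable (`-oG`) output and reports any open port that is not in an approved baseline, plus any approved port that has gone missing. The baseline, host addresses and the scan text are constructed for the illustration; in practice the text comes from `nmap -oG scan.gnmap -p- <hosts>`.

```python
"""Compare an nmap scan against the approved-ports baseline.

Added example, not Shearwater's code. The baseline and the grepable scan
output below are constructed; for a real review run
`nmap -oG scan.gnmap -p- <hosts>` and feed the file to parse_gnmap().
"""
import re

# Constructed baseline: host -> {(port, proto)} that are meant to be reachable.
BASELINE = {
    "10.0.0.5": {(22, "tcp"), (443, "tcp")},
    "10.0.0.9": {(443, "tcp")},
}

# Constructed `nmap -oG` output. 10.0.0.9 unexpectedly exposes SMB and RDP.
SCAN = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/closed/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)\n"
    "# Nmap done (constructed sample)\n"
)

# One port entry looks like: 3389/open/tcp//ms-wbt-server///
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: {(port, proto): service}} for every port reported open."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                result.setdefault(host, {})[(int(port), proto)] = service
    return result


def unexpected_ports(scan, baseline):
    """Open ports with no entry in the baseline; a host absent from the baseline
    has every open port flagged."""
    findings = {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = {p: svc for p, svc in ports.items() if p not in allowed}
        if extra:
            findings[host] = extra
    return findings


def missing_ports(scan, baseline):
    """Baseline ports not seen open: a service is down or the scan was blocked."""
    return {host: sorted(expected - set(scan.get(host, {})))
            for host, expected in baseline.items()
            if expected - set(scan.get(host, {}))}


if __name__ == "__main__":
    open_ports = parse_gnmap(SCAN)
    for host, extra in unexpected_ports(open_ports, BASELINE).items():
        for (port, proto), svc in sorted(extra.items()):
            print(f"{host}: {port}/{proto} ({svc}) is open but not approved")
```

Treating an unknown host as “everything unexpected” is deliberate: a machine that appears in the scan but not in the baseline is itself a finding from the asset audit, not just a port problem.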

Using host-based firewalls (often linked to your anti-virus) can also be an effective way to implement a firewall policy on devices that are being used from home. This ensures that just because the device is no longer within the office, threats can still be prevented and detected remotely. 

 

4. Segment your Network and Adopt Microsegmentation

You’re always told not to keep all your eggs in one basket. Likewise, you shouldn’t keep all your assets in one network.

By segmenting your network, you can significantly reduce your attack surface. Segmentation helps prevent attackers moving laterally if they breach your perimeter. Such a strategy can enable you to focus your efforts and resources on securing the most important assets within your network.

When considering segmentation, it’s important not only to consider North-South data flows, between the server and a client, whereby traffic flows into and out of the data centre. With increased use of containers and microservices, we are seeing far more data flowing East-West, or between applications.

Understanding how data flows between your microservices or applications can help you implement microsegmentation strategies that will further limit attack surfaces.
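The audit questions in measure 1 (what assets exist, which are critical, how they are interconnected, and what pathways an attacker has to them) and the segmentation decision in measure 4 are really one exercise over the same data. The following is an added example, not Shearwater’s code: it models the inventory as a directed reachability graph, finds the shortest attack path from the internet to each critical asset, and then re-runs the same search after a microsegmentation policy is applied to show which pathways it removes. The asset names, edges and criticality flags are constructed; in a real engagement they come from the audit and from firewall or VPC rule exports.

```python
"""Map attack pathways across an asset inventory and test a segmentation change.

Added example, not Shearwater's code. The inventory, reachability edges and
criticality flags are constructed; in practice they come from the audit and
from firewall/VPC rule exports. A directed edge A -> B means "an attacker
who controls A can open connections to B".
"""
from collections import deque

# Constructed inventory: asset -> attributes from the audit.
ASSETS = {
    "internet": {"critical": False},
    "vpn-gw":   {"critical": False},
    "web-01":   {"critical": False},
    "jump-01":  {"critical": False},
    "file-srv": {"critical": True},
    "db-01":    {"critical": True},
}

# Constructed reachability before segmentation: a flat network in which anything
# behind the VPN gateway, and the DMZ web server, can reach the critical assets.
FLAT_EDGES = {
    "internet": ["vpn-gw", "web-01"],
    "vpn-gw":   ["jump-01", "file-srv", "db-01"],
    "web-01":   ["db-01", "file-srv"],
    "jump-01":  ["file-srv", "db-01"],
    "file-srv": [],
    "db-01":    [],
}

# Segmentation policy: the only permitted flows after microsegmentation.
# The jump host becomes the single path into the critical segment.
ALLOWED_FLOWS = {
    ("internet", "vpn-gw"),
    ("internet", "web-01"),
    ("vpn-gw", "jump-01"),
    ("jump-01", "file-srv"),
    ("jump-01", "db-01"),
}


def critical_assets(assets):
    return sorted(name for name, attrs in assets.items() if attrs["critical"])


def attack_paths(edges, start, targets):
    """Breadth-first search from `start`; shortest path to each reachable target."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for target in targets:
        if target in parent:
            path, cur = [], target
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            paths[target] = path[::-1]
    return paths


def apply_segmentation(edges, allowed_flows):
    """Drop every edge the segmentation policy does not explicitly allow."""
    return {src: [dst for dst in dsts if (src, dst) in allowed_flows]
            for src, dsts in edges.items()}


def exposure_report(edges, assets):
    """Hops from the internet to each critical asset (None if unreachable)."""
    paths = attack_paths(edges, "internet", critical_assets(assets))
    return {name: (len(paths[name]) - 1 if name in paths else None)
            for name in critical_assets(assets)}


if __name__ == "__main__":
    print("before:", exposure_report(FLAT_EDGES, ASSETS))
    print("after: ", exposure_report(apply_segmentation(FLAT_EDGES, ALLOWED_FLOWS), ASSETS))
```

Before segmentation both critical assets sit two hops from the internet, reachable straight from the VPN gateway or the web server; afterwards every path is forced through the jump host, which is where device checks and logging can be concentrated. Running the same search over east-west edges between services gives the microsegmentation view the paragraph above describes.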

 

 

How Shearwater Can Help

The ‘NEW NORMAL’ is changing the way we work. It has the potential to offer significant benefits to organisations and staff. However, it also comes with the risk of greater exposure to cyber-attacks.

By reducing your attack surface, you can substantially reduce the risk. Speak with our security experts to learn how you can maintain your organisation’s security posture for the long-term.

 

 

FAQ: Consumer Data Rights (CDR)


With regular reports of data breaches, information security and privacy protection are increasingly important concerns for many Australian consumers.

Implementing rigorous data protection measures can be a good corporate differentiator – setting your business apart from the competition by giving your customers the confidence their confidential personal and financial information is secure.

Another important driver incentivising Australian businesses to implement stricter information security controls is the new Consumer Data Rights initiative.

Over coming years, the Government will roll out Consumer Data Rights across a number of Australian industries. Whilst this offers businesses exciting new opportunities to attract more customers, it also comes with additional obligations regarding data protection and privacy.

In order to make the most of Consumer Data Rights, it’s important to understand how this new initiative can affect your business and what steps you can begin taking to prepare for its implementation.

 

1. What are Consumer Data Rights?

‘Data is the new oil’.

That was the catchphrase first coined by UK mathematician Clive Humby in 2006. Like oil, data needs to be mined and refined so it can be useful to us. However, the analogy has its limits. Unlike oil, data is not a finite resource. The same data can be used in many different ways, revealing many different insights. Arguably, the more data is used, the more valuable it becomes.

Consumers are increasingly aware of data’s value. Seemingly endless reams of information are collected every day about consumers and their behaviour patterns. Many consumers now believe they should have some rights over the data collected on them.

Until now, consumers faced an uphill struggle finding out specifically what information is being collected, let alone gaining access to it or controlling its use.

That’s all about to change with a new government initiative: Consumer Data Rights, or CDR. 

Under CDR, consumers will have the right to access certain types of information businesses collect on them. They will be able to direct a business to transfer that data to an accredited, trusted third party of their choice.

If, upon receiving the data, the third party is able to offer the consumer a superior product or service, the consumer will be able to switch brands quickly and easily.

So, not only will CDR empower consumers by giving them greater control over their data, it will also encourage greater competition in a range of industries.

 

2. What industries are affected?

CDR will start off in the financial sector.

Banking customers are notoriously ‘sticky’ and tend not to switch financial institutions regularly. That inertia hampers competition in the sector. The government is committed to an initiative called ‘Open Banking’ which has CDR at its heart. The aim is to make it easier for consumers to ‘shop-around’ for the best financial products such as mortgage or credit card rates.

Once CDR is implemented within the financial sector, the government plans to extend it to other industries, starting with energy and telecommunications.

Further sectors will follow over time.

 

3. What are the principles underpinning CDR?

CDR will be implemented according to four key principles:

Principle 1

CDR should be consumer focussed. It should be for the consumer, be about the consumer, and be seen from the consumer’s perspective.

Principle 2

CDR should encourage competition. It should seek to increase competition for products and services available to consumers so that consumers can make better choices.

Principle 3

CDR should create opportunities. It should provide a framework from which new ideas and business can emerge and grow, establishing a vibrant and creative data sector that supports better services enhanced by personalised data.

Principle 4

CDR should be efficient and fair. It should be implemented with security and privacy in mind without being more complex or costly than needed.

 

4. What are some of the considerations informing the implementation of CDR?

Information security and privacy considerations are core features of the CDR initiative.

With consumer data being transferred to multiple parties via API, it is essential controls are in place to prevent breaches, leakage or unauthorised use of the data.

Among the data protection considerations are:

  • Measures to ensure businesses only transfer data to accredited third parties at the direction of the consumer;
  • Measures to ensure consumers control how their information is used by those third parties;
  • Obligations surrounding the deletion or de-identification of data by third parties once the data has been used in accordance with the consumer’s wishes;
  • Rigorous data transfer and storage standards;
  • Extension of provisions within the Privacy Act 1988 to other organisations currently not covered, such as organisations with less than $3 million revenue per annum;
  • Avenues for consumers to seek meaningful remedies for breaches, including external dispute resolution and direct rights of action.

 

5. How can businesses participate in CDR?

There are a range of security implications when transferring sensitive and potentially highly valuable consumer data between organisations via API. That’s why businesses will be required to meet a rigorous set of information security and privacy standards in order to participate in the CDR initiative. These are necessary to ensure consumer data is not compromised.

The Australian Competition and Consumer Commission (ACCC) has responsibility for overseeing the initiative and accrediting those organisations that meet the cybersecurity standards. Accreditation is necessary in order to participate in the initiative.

CDR will also impose obligations on businesses to provide access to data on the goods and services they have on offer. This will enable comparison websites to gain up-to-date information so consumers can make more informed choices.

In some cases, achieving ACCC accreditation will be possible if the organisation already meets other similar information security and privacy standards. For example, an Authorised Deposit-Taking Institution (ADI) will already meet many standards that align with the ACCC rules, so accreditation to CDR shouldn’t encounter any hurdles.

However, if any breaches of the ACCC rules occur, an organisation’s accreditation may be suspended and they will not be able to access any further consumer data.

 

6. What are the technical requirements for CDR participation?

Many businesses stand to benefit significantly from the adoption of CDR.

However, it comes with onerous requirements that must be adhered to.

At a minimum, you need to ensure your organisation meets the necessary technical standards. These have been formulated through four work streams:

  1. API standards enable consistent transfer methods that meet acceptable levels of safety, convenience and efficiency and include specifications for data description and recording.
  2. Information security standards consist of techniques to protect users of the system, networks, devices, software, processes, information in storage, applications, services and systems.
  3. Consumer experience standards provide best practice language and user experience (UX) design patterns to request consumer consent and guide authentication and authorisation flows.
  4. Engineering standards focus on demonstrating the API Standards through the delivery of usable software artefacts that assist ecosystem participants demonstrate conformance with the standards and rules for CDR.

In cases where data holders or data recipients breach the CDR rules, there are a range of possible penalties, ranging from infringement notices, civil penalties, compensation orders, enforceable undertakings and potentially de-accreditation.

 

7. When will CDR start?

Whilst the CDR start-date has been pushed back pending resolution of some details, the Government is now committed to begin launching the initiative for the finance sector by July 2020.

Initially, the Big Four Banks will begin complying with the initiative, with other financial institutions to follow 12 months later.

CDR rules for the energy and telecommunications sectors are still under development.

 

8. What’s the first step to get ready for CDR?

Whilst the rules surrounding CDR are yet to be fully finalised, it’s clear that privacy protection is going to be a central feature.

The Privacy Act 1988 established a range of privacy standards for organisations with revenues in excess of $3 million per annum. However, under CDR, we know that aspects of the Privacy Act will also be extended to financial organisations with lower revenues. The same may also be true for smaller organisations in other sectors.

The Australian Privacy Principles (APPs) form part of the Privacy Act. These apply to organisations holding consumer data and are designed to ensure that Personally Identifiable Information (PII) and other sensitive data assets are handled responsibly.

The APPs require organisations to maintain sufficiently robust controls to prevent unauthorised access, disclosure or use of information.

In addition to the APPs, CDR will also see the creation of Privacy Safeguards. The Privacy Safeguards are likely to be more onerous than the APPs as they apply to both individual data and organisational data, which is harder to de-identify.

The Privacy Safeguards will come into effect once a consumer makes a data transfer request. They will outline how transfers via API are to be conducted and how the third party receiving the data needs to handle it.

Making sure your organisation is compliant with the Australian Privacy Principles is a good first step to preparing for CDR so you’ll be able to take advantage of the benefits it offers once it is rolled out across different sectors of the economy.

 

How Shearwater can help you?

For further information about complying with the Australian Privacy Principles, Contact Shearwater. We have extensive experience assisting organisations of all sizes ensure they have the systems and policies in place to protect your information assets.

Know Everything About Password Security? It’s Time for a Rethink


As organisations continue to struggle with the issue of password security, many of the old assumptions are being re-examined.

If you make one cybersecurity-related resolution this New Year, commit to re-thinking your organisation’s password controls by considering some of the latest advice.

Passwords are the front line in your battle against cyber-attacks. Hackers rely on a variety of tactics to dupe people into revealing their passwords. So, it’s critical you have the right systems and policies in place.

Here are 6 TIPS to ensure your organisation’s passwords remain secure:

 

1. The Longer the Better

As a general rule, the longer the password, the more secure it is.

Therefore, it is best to advise your staff to opt for a passphrase rather than simply a password.

According to Australian Government guidelines, passphrases should be made up of at least four words and be at least 14 characters long. Making the passphrase meaningful will make it easier to remember. It’s important passphrases are memorable so people are not driven to write them down or store them elsewhere.

Furthermore, different passphrases should be used when accessing different systems or applications. Using the same passphrase for multiple purposes makes people vulnerable, as if the passphrase is compromised once, attackers may gain access to other systems or applications.

2. Complexity Isn’t Always Better

Many organisations require passphrases contain a combination of upper-case letters, lower-case letters, numbers and other symbols. The thinking behind these requirements is that the more complex a passphrase is, the harder it is to hack.

However, according to the most recent advice from NIST (America’s National Institute of Standards and Technology), overly complex passphrases are not always better for password security. 

NIST argues there is limited benefit in requiring overly complex passphrases. It has analysed breached password lists and found many examples containing complex combinations of characters. Mandating overly complex passphrases may be counterproductive by encouraging risky behaviour, such as writing down passphrases on a post-it note and sticking it on the computer monitor.

3. Don’t Change too Regularly

The latest advice from both the Australian Government and NIST is to avoid rules that require password changes every 30, 60 or 90 days.

This requirement may lead people to come up with insecure passphrases as they struggle to think of new ones so regularly. Rather, NIST’s current advice is to come up with a strong passphrase that can be easily committed to memory and kept in use for longer periods of time. NIST recommends passphrases should be changed if there is any suggestion of compromise.
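Tips 1 to 3 translate into a short acceptance check: require length and word count, impose no composition rules, and instead reject values that already appear in a breached-password list (which is also what NIST SP 800-63B recommends). The following is an added example, not Shearwater’s or NIST’s code; the breached list is a constructed stand-in for a real corpus, stored as SHA-1 digests in the same form the Have I Been Pwned range API uses, and the candidate passphrases are made up.

```python
"""Passphrase acceptance check following the article's guidance.

Added example, not Shearwater's or NIST's code. Rules implemented: minimum
length and word count, no composition requirements, and rejection of known
breached values (recommended by NIST SP 800-63B). The breached list and the
candidate inputs are constructed.
"""
import hashlib
import re
from typing import List

MIN_LENGTH = 14   # Australian Government guidance: at least 14 characters
MIN_WORDS = 4     # ...made up of at least four words

# Constructed stand-in for a breached-password corpus. Stored as upper-case
# SHA-1 hex digests, the form used by the Have I Been Pwned range API, so the
# plaintexts never have to be kept alongside the application.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("P@ssw0rd!2019", "correct horse battery staple", "Summer2020!!")
}


def is_breached(passphrase: str) -> bool:
    """True if the passphrase's SHA-1 appears in the breached corpus."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_passphrase(passphrase: str) -> List[str]:
    """Return the reasons a passphrase is rejected; an empty list means accepted.

    There is deliberately no upper/lower/digit/symbol rule: a complex-looking
    value that sits in a breach corpus ("P@ssw0rd!2019") is still rejected, and
    a plain four-word phrase that does not is accepted.
    """
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(re.findall(r"\S+", passphrase)) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    if is_breached(passphrase):
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!2019", "correct horse battery staple",
                      "violet kettle marches quietly"):
        print(repr(candidate), "->", check_passphrase(candidate) or "accepted")
```

Note that the check runs at enrolment and on a suspected compromise, not on a calendar: there is no expiry field because, as above, scheduled rotation is no longer advised.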

 


4. Implement Multi-Factor Authentication

Wherever possible, require multi-factor authentication (MFA).

By requiring users to input something they know (such as a passphrase), alongside something they have (such as a one-time password or OTP), you’ll ensure unauthenticated access becomes much harder.

NIST advises against delivering one-time codes by SMS: its guidance classifies SMS and voice delivery as a ‘restricted’ authenticator, because an attacker who persuades a mobile phone operator to redirect the victim’s number (a port-out or SIM-swap attack) receives the codes instead of the victim.

It is preferable to use time-based OTPs (TOTP) generated by an MFA app such as Google Authenticator, which are derived on the device itself and never transit the phone network.

5. Use a Password Manager

Installing a ‘password manager’ on your computer or mobile device can be a useful way to generate large numbers of passwords for use on multiple systems and applications, without having to memorise them all.

Just be aware that there have been cases in the past when ‘password managers’ have been compromised.

It is not recommended to store your most important passphrases, such as your email or online banking passphrases, in a ‘password manager’.

6. Implement Password Training for Staff

The Australian Government offers the following advice when it comes to password security: 

  • Don’t share your passwords with anyone;
  • Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem;
  • Don’t provide your password to a website you have accessed by following a link in an email—it may be a phishing trap;
  • Be cautious about using password-protected services on a public computer or over a public Wi-Fi hotspot;
  • If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.

 

Ensuring your staff are trained in password security best-practice needs to be an ongoing priority.

With Shearwater’s Phriendly Phishing and Keep Secure modules, your staff will receive ongoing training in how to identify phishing emails and the strategies they need to stay safe online.

 

Gamification: Making cybersecurity awareness and professional development engaging


The cybersecurity threat landscape is constantly evolving. New attack vectors emerge weekly. This necessitates the adoption of strategies to engage and upskill teams on an ongoing basis.

Whether it’s raising general awareness about cybersecurity among your staff, or specific professional development training for your IT and development teams, there are many ways you can incorporate gamification to enhance your organisation’s cybersecurity posture.

 

Gamification to Raise General Awareness

It’s easy for staff to slump into a rut of boredom and complacency.

Getting your staff motivated to regularly learn new skills is a significant challenge in many organisations. This is particularly true when it comes to cybersecurity awareness training.

All too often non-technical staff see cybersecurity as ‘someone else’s problem’. There is an assumption the IT department will handle the issue.

Such attitudes are not only wrong, they can be dangerous for your organisation. With human error now one of the leading causes of cyber breaches, getting everyone on board when it comes to your organisation’s cybersecurity posture is essential.

A concerted effort is required to drive awareness among staff across the entire organisation. Building a security awareness culture, with specific emphasis on stopping phishing emails, is now a major priority for many organisations.

As a leading cybersecurity service provider, Shearwater is committed to helping organisations achieve a cyber-aware culture. Our recent webinar outlined the 3 Pillars that form the basis of cultural change within an organisation. If you haven’t yet had the opportunity to watch it, you should. It is filled with important strategies you can implement within your organisation.

One of the core pillars highlights the importance of engaging staff by winning hearts and minds.

Gamification can be a powerful tool to achieve this.

By incorporating game mechanics and game thinking as a component of training, gamification seeks to engage learners in interesting and fun ways. It encourages problem solving and motivates staff by introducing elements of competition and reward.

 

PHISHING AWARENESS

Shearwater’s Phriendly Phishing is a leading Australian training program that uses gamification elements to help organisations teach staff about email security.

Phishing email awareness is critically important. Attackers increasingly seek to exploit human error in order to infect your organisation’s IT infrastructure with malware, or to carry out Business Email Compromise (BEC) attacks.

Phriendly Phishing succeeds in educating staff because it injects fun and excitement into its training modules.

The training begins by imparting basic phishing knowledge. Then, through a series of fun learning modules that combine interactive elements of gamification, staff analyse a variety of phishing emails. This highly interactive course is scenario-based and aims to enhance the phishing detection skill of learners.

According to Damian Grace, founder of Phriendly Phishing, “Gamification is an important training methodology because it significantly boosts learner engagement. By implementing gamification, we can ensure learners achieve ‘wins’. This increases the effectiveness of the learning processes as studies show learners are motivated when they have a sense of achievement. By incorporating innovative and interactive gaming elements, learners acquire new skills and retain that knowledge for the long term.”

 

Gamification in Professional Development

Gamification is also a useful tool in professional development strategies.

With your IT and application development teams requiring ongoing training opportunities, gamification can be an ideal way to enable them to up-skill.

 

HACKATHONS

Application developers focus on developing great applications. However, all too often they either don’t take security issues into consideration, or they try to bolt on security measures at the end of the development pipeline, just before going live.

It’s essential to find ways to up-skill developers, so they have the necessary cybersecurity awareness to adopt a ‘shift-left’ approach and begin implementing security measures from the beginning of the development lifecycle.

That’s one of the main reasons we host the annual Shearwater Hackathon.

Hackathons are a great example of gamification, because they allow developers to participate in a fun and engaging competition whilst honing their security awareness skills. Often run as Capture-the-Flag challenges, a hackathon typically involves uncovering and exploiting vulnerabilities in a simulated web application.

The recent Shearwater Hackathon attracted over 150 participants, many from leading Australian companies. Participating in a winnable competition, in which staff can earn recognition and prizes, is a great professional development strategy.

According to Shearwater’s Chief Strategy Officer, Shannon Lane, the best type of education is ‘learning by doing’. Hackathons encourage participants to “look at applications as an adversary would – underlining the significance good security controls have in the launch of products and services” said Mr Lane.

 

CODE TRAINING

Training application developers about the importance of writing secure code is now on the radar for many organisations. It’s increasingly understood the first step to developing a secure application is writing high quality code. Shearwater is often called on to provide Secure Development Training as part of an organisation’s professional development initiatives for its application developers.

A useful benchmark when developing any web or mobile application is the OWASP list of common vulnerabilities, which outlines some of the attack vectors most regularly used by hackers.

So, OWASP’s decision to begin incorporating gamification as a strategy to raise awareness among developers about security is welcome news.

The new poker-like card game is designed to be an easy-to-learn introduction to the risk concepts of the OWASP Top Ten. It is designed to teach developers best-practice security measures in an environment that conveys a sense of realism and excitement.

It pits black hats against white hats to see who can be the first to hack their opponent’s website.

Whilst this new game is still in development by OWASP, it’s further evidence that gamification is beginning to be incorporated into a wide range of cybersecurity professional development programs.

 

ATTACK SIMULATIONS

Even when a nation isn’t at war, the armed forces don’t stop training. Ongoing drills and exercises during peacetime are essential to ensure the military is combat-ready whenever an attack occurs.

The same should be the case when it comes to your IT and SOC teams.

Through cyber-attack simulation games, you can ensure your organisation is ready to handle a wide range of real-life attack vectors.

Like hackathons, attack simulations are a form of gamification. They pit teams against each other in a competition to develop an incident response plan for a realistic cyber-attack.

Reports indicate that as many as 76% of Australian organisations do not have a formal cybersecurity incident response plan. Addressing this requires IT and SOC departments to have professional development training so they understand what elements comprise an incident response plan. This is where attack simulation games can be extremely useful for your organisation: they identify gaps in your organisation’s capacity to handle a cybersecurity breach.

Shearwater scholarship recipient Margueritte Saboungi recently participated in her first cyber-attack simulation game. Known as CyBCA, the exercise recreated a real-world incident in which an attacker had disabled all connections to a bank’s ATM network. Armed with some basic facts, such as the network configuration layout detailing how the ATMs linked back to the bank’s servers, Saboungi and her team had just a few hours to develop a comprehensive incident response plan.

Incorporating gamification in the professional development of your IT and SOC teams will enhance your organisation’s security posture, test your ability to prevent attacks, and teach ways to handle breaches when they occur.

 

How can Shearwater help you?

In a variety of different ways, gamification is increasingly prevalent in strategies to motivate staff to become more cyber aware and in efforts to enhance cybersecurity skills through professional development.

Shearwater specialises in a wide range of cybersecurity training services. Some, like our phishing awareness modules, already combine elements of gamification. Others, like our secure development training, can be combined with novel gamification elements to have a big impact on your staff.

Speak with Shearwater today to learn about training options for your organisation.