5 Tips for Successful Anti-Phishing Training for your Staff


I hear from potential clients all the time how they repeatedly get compromised by phishing-born attacks such as Ransomware. Often, they tell me they follow the age-old adage of telling their staff “Don’t click on links!” or by sending out notifications of current attacks, but they don’t really address the root of the problem – which is, lack of effective education.

So, if telling them “don’t click on links” doesn’t work, what can you do?

Here are a few of the key things you need to do to get users to become part of the solution, rather than part of the problem.

1.  Give them a reason to care – Most staff members don’t really care about the organisation they work for. They might be great at their job and take a keen interest in the company affairs – but ask them to do some awareness training in something they have no interest in and you’ll hear crickets.

There are gimmicks that can be used to get short term buy-in for the training program; but if you want a lasting effect, tie the communication back to how this problem affects their families and people they care about. When you give your staff the opportunity to become a protector of something they care about, not just your organisation, engagement becomes voluntary and much more compelling. This is when the real magic happens.

When they are asking to get a copy of the training for their kids, partners, and parents – you know you are on the right path.

2.  Treat staff with the respect they deserve – Spend enough time in IT circles and you’ll hear things like “dumb users”, “the users are stupid”, or “you can’t teach them anything”. This elitist thinking is one of the reasons IT departments in many organisations have a poor internal reputation.

It’s time we started looking at staff for who they are: specialists in their fields, which may not be IT. They would likely run rings around you and me in their area of expertise, but they just aren’t technologists. This is where you can fill in those gaps and teach them something new.

Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.


Security News and Alerts

Get updates and exclusive content from our security experts
  • This field is for validation purposes and should be left unchanged.

 

3.  Tricking is not training – Nobody likes to be tricked or conned, and your staff are no different.

Old-school phishing assessments can easily get your users offside and make those running the program feel superior because they fooled so many people. What other training techniques can you think of that take this approach and actually work?!

A proper anti-phishing program should never be about deception, it’s about providing staff the opportunity to learn and grow. In many cases it will take baby steps. You can’t teach advanced math by sending out advanced equations every month or so, you need to start with the basics and build it from there. Phishing is the same for many people, it can be extremely technical to a non-technical person. Humiliating your staff before they have even had the chance to learn from their mistakes is not the answer.

 

 

4.  Understand the audience – Users in most organisations are often non-technical people. In some cases, they are put off technical training because the past ‘old-fashioned’, dry, boring, and technical modules have left them feeling down or completely out of their depth.

We need to empathise and understand that each one of your staff members is starting off with a different level of expertise, capability and understanding of phishing and technology. A successful training program will need to cater to this and allow users to advance at their own pace.

5.  It’s not an overnight fix I’m sure by now you are seeing that phishing education is quite a tough subject for many people to become proficient at. To get a non-technical audience to understand how to detect phishing can require a fundamental change in their understanding and thinking.

Throughout training, your audience is learning new skills and techniques that they may have never used before, and as with any skill it takes time to learn it, become capable, and have it ingrained into everyday use. You need to devise a program that takes users on a journey from where they are now, right through to becoming a phishing expert. It will take training, practice and patience as there are no quick fixes, but the payout at the end will be worth it.


Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution. 

 

How to Make Sure your Phishing Awareness Initiatives Are Successful


Every organisation fosters a unique environment – the differences can be large and many.

Some have a strong culture of continuous learning, others not so much.

That being said, regardless of the structure and culture of your organisation, when it comes to phishing awareness initiatives there are key players that need to be included in your conversations to make sure you are successful in creating a security awareness culture.

In most mid-to-large organisations, the four key stakeholders that you will need to support your initiatives are:

  • Upper Management
  • Learning and Development Team
  • IT Security, and
  • Human Resources

A sure way to get on the bad side of these influential stakeholders is to loop them in at the last possible minute with something along the lines of “Oh, FYI – we’re starting a phishing awareness campaign next Monday. Thought you’d like to know!”

This is a sure-fire way to get them offside and have them push back against the initiative.

Bringing these influential parties into the conversation early and often, and arming yourself with the information they require, will help you nullify any objections.

Security awareness and, in particular phishing awareness, is so important in the modern workplace that we need to give it every chance to succeed. So how can you get these different groups across the line? After running phishing awareness campaigns for over 150,000 people covering almost every demographic, I have pulled together my personal cheat-sheet on tackling the hard questions with these key influencers.

 

 

 

 

 

 

 

 

 

 

 

 

Upper Management

Upper Management is by nature extremely interested in metrics, especially when it covers organisational risk and improvement over time. It is this combination of staff enrichment with hard evidence where we can appeal to Upper Management’s business goals.

I often hear that phishing is now among the top three risks discussed at a Board level, so having key on-going metrics that you can present to senior decision makers can be a door-opener to getting your project on the agenda.

When dealing with Upper Management, I recommend finding a balance between the data (such as phishing assessment results, click-through rates and training completion rates) and staff aspects. That is, while the data can spell out the situation in black and white, don’t underestimate the value senior decision makers place on a program that supports staff along the way with engaging content and a nurturing training environment.

 

Security News and Alerts

Get updates and exclusive content from our security experts
  • This field is for validation purposes and should be left unchanged.

 

Learning and Development (L&D) teams

The internal L&D team should have a better understanding of your staff learning culture than anyone else. As the L&D team are usually concerned with the training material itself, be prepared to answer questions like:

  • Does the training suit our environment and culture?
  • What are the learning outcomes, and will the learning material deliver those outcomes?

In most cases, L&D teams don’t typically have concerns over phishing simulation and assessment activities, but they are more concerned with the structure and quality of the training components.

The last thing you want to do is give the impression that you’re trying to go over the L&D team’s head. So, to bring this team along the journey, give them access to the training material as soon as possible, and provide an opportunity for them to take some ownership of the program. Blindsiding them and bringing them into the conversation late is a certain recipe for disaster.

IT Security

In many cases, IT Security teams approach phishing assessments in a certain way; that is, create a super hard phishing email and send it to as many people as possible with a goal to trick and deceive large swathes of the audience.

Fortunately, this old method is having less appeal to many stakeholders. As training and technology has improved, we have a better (and more effective) way of doing phishing assessments and awareness training using smart automation simulations that adapt to the user’s level of understanding.

IT Security teams are notoriously short of time and short-staffed, which is why you can score some easy wins by appealing to their desire to hit objectives using smart automation without compromising their outputs. From a ROI perspective, phishing campaigns are not often the best use of the IT Security’s time – this is where automation comes in. When you discuss your phishing campaign, you have the perfect opportunity to show how it’s possible to have the best of both worlds – effective phishing education and automation all at once.

Another way to win over these key decision makers is to offer access to this automation system – so that if they have a great phishing email they want to add to the campaigns, they can. Similarly, explain that if they are having a busy few months and have no time, the system should continue to run without their input. Giving IT Security the power to influence while still doing right by your staff is a great win/win.

 

 

Human Resources (HR)

HR acts as the advocate and conduit for your workforce, and as such, they are typically concerned with how users are going to be treated and how they will be made to feel during engagements. It shouldn’t come as a surprise; security teams have a history of performing phishing assessments that are far from respectful to the end user. In many cases, staff are often left feeling tricked, confused, and outright unhappy with the whole experience.

The biggest concern I see from HR is around transparency. HR often insists on telling users in advance about training and workplace changes. However, for phishing campaigns, telling staff upfront defeats the purpose of doing a phishing baseline – resulting in a warped gauge of the environmental risk and creating misleading data.

But there is an opportunity for a compromise.

If HR’s main concern is that staff are not being given a chance to be educated and warned before being tested by a simulated phishing email, there is a way to resolve this pain point. First, you can ease concerns by making sure that your simulated phishing emails look no different to the authentic phishing emails staff may receive any other day of the year – so be sure to make your simulations realistically undetectable. Second, make sure that your risk assessment baseline emails are anonymised and communicate that to HR. By removing the connections between the simulated phishing emails and your organisation, as well as anonymising the results, you can alleviate HR’s concerns and ensure users don’t feel tricked.

And lastly, but most importantly – The Staff

While your staff don’t need to be consulted upfront, in many ways your staff are the most important to win over. When it’s time to let them know about the initiative (typically just before the training starts), it’s important to frame the conversation or notification in a certain way to get maximum participation and personal buy-in.

Sadly, we often see this approach used in staff training: “Company X dictates that everyone must do this mandatory training by 12pm tomorrow!”. While it is a slight exaggeration, it probably captures the sentiment best. Nobody likes being told what to do, especially when they have no interest in it.

A better approach is to show the user how phishing has become such a huge issue. Not just for them, but for their kids, their parents, and their spouses. People are far less concerned about your organisation than they are about themselves and their family.

If you can show them how they can be the protector of their own domain with training that’s practical and interesting, you’ll see a new level of engagement and better results.

Don’t forget that many staff members have a fear of technical training. This fear, justified or not, needs to be addressed upfront. So, let users know that the training with be a fun and engaging experience, and make sure your training keeps the information at an appropriate and relaxed level.

Phishing awareness training is one of the most important areas of IT security in organisations today. By having a strategy, you can get the organisation moving together in a frictionless way. With a little extra thought, you’ll improve your risk profile and your staff will actually thank you for it – not to mention proving to stakeholders that your training is a complete success.


Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution. 

 

5 things to help you prepare for the Notifiable Data Breach scheme


Following on from my last post that covered the 5 things you need to know about the Notifiable Data Breach (NDB) scheme, this post is focused on the 5 things you really must do, in order to be prepared for the Notifiable Data Breach scheme. As you will remember the NDB impacts a significant number of organisations and requires specific actions to be followed in the event of a breach. So here is a top 5:

  1. Find out whether you need to comply with the provisions of the NDB.
  2. Determine what sensitive personal information you hold, and make a determination of what the following terms mean to you and your organisation:
    a. likely to ‘occur’
    b. ‘serious harm’.
  3. Prepare a step by step process of what you need to do in the event of a breach.
  4. Educate your stakeholders.
  5. Run a practice drill.

1.  Find out whether you need to comply with the provision of the NDB Scheme

This task should be the simplest of the 5 things you need to do. A good starting point is provided in my previous blog post, but if you are in any doubt, please refer to the Office of the Australian Information Commissioners website.

If you are covered by the scheme and need to comply, and haven’t already started on your NDB compliance journey, I’d suggest you need to initiate some internal conversations. If necessary engage some external expertise.

Even if you don’t need to comply, the investment you make in preparing a breach process will not be wasted.

2.  Determine what sensitive personal information you hold

This task may actually sound a little easier than it is for a large number of organisations. Unfortunately, many organisations have a very poor understanding of their information assets, what is important to them, and what information they need in order to run their business. If sensitive information is not understood, you may be capturing, storing or processing more sensitive information than you need to.

You should also consider, where that sensitive information is stored. Long gone are the days when you could safely say that all my data is on my big file server in my data centre under lock and key. When you really look into where sensitive personal data is stored, you are likely to find that it is located on multiple servers and applications, SAN devices, laptops, iphones, USB sticks, on your backups media, on SharePoint, OneNote, DropBox, and in a myriad of other cloud and/or shadow IT environments.

The next consideration needs to be who has access to the sensitive personal information you possess. Questions to consider include: Do you outsource functions, systems or operational tasks. Are you storing data entirely within Australia, or are you working offshore and around the Globe. Do your partners know that you have an NDB obligation. What is the state of your information supply chain, and where are you exposed. In fact, the legislation does recognise that organisations can jointly hold personal information, and has made provisions to avoid duplicate obligations.

Only once you have a full appreciation of what information you hold custodial responsibility over, where it is, and who else has access to it, can you make a determination and a judgement on what is ‘likely to result in serious harm’.

As with most approaches to information security and privacy matters, a solid understanding of risk management in terms of likelihood and consequence should be leveraged to inform the conversation around the serious harm question. The implementation of the NDB scheme effectively raises the bar on expectations from a risk management perspective.

 

Security News and Alerts

Get updates and exclusive content from our security experts
  • This field is for validation purposes and should be left unchanged.

 

3. Prepare step by step process of what you need to do in the event of a breach

After you have undertaken an information asset inventory and understood what sensitive personal information you have, where it is and who has access to it, you need to prepare for a breach by developing a breach response framework. The framework should include:

  • A process that provides:
    • Identification, investigation, validation and containment rules
    • Clear authority to initiate an investigation and declare a breach
    • High-level resolution guidelines and plans
    • Permitted timeframes for each phase of the breach
    • Communications protocols internally including a clear RACI model
    • Key contacts both within your organisation and with specialist external parties to assist with investigation and resolution where required
    • Plugs in to your work health and safety policy to help manage fatigue
  • Notification protocol for individuals affected. There are proforma’s available and these can be leveraged rather than invented. The information provided that relates to the breach should include:

    • the date, or date range, of the unauthorised access or disclosure
    • the date the data breach was detected
    • the circumstances and or known causes of the data breach
    • who has obtained or is likely to have obtained access to the information
    • the steps undertaken to contain or remediate the breach
  • Options for notifying individuals include:

    • Notify all individuals impacted
    • Notify only individuals who are at likely risk of serious harm
    • Publish your notification, and publicise it to bring it to the attention of individuals at likely risk of serious harm
  • Notification protocol for the OAIC. Again, proforma’s exist that can be used. Items required to be provided in the notification to the OAIC include:
    • Contact details for your organisation
    • A description of the data breach
    • The kind of information involved in data breach
    • The steps you recommend for impacted individuals in response to the breach

4. Educate your stakeholders

Without appropriate education and guidance, responsibility for everything during a breach may fall on you – the reader of this blog! Each stakeholder must know their roles and responsibilities and must be able to operate autonomously and as part of a team when it comes to managing a breach. An internal education activity is definitely something that you should undertake as a priority after your preparation activities. But don’t forget step 5. Knowledge helps, but nothing makes that knowledge stick like having stepped through the protocol at least once.

5. Running a practice drill

As the old saying goes, practice makes perfect. Running a breach practice drill doesn’t have to be onerous or take massive amounts of time to prepare. Although the more you plan and the more often you can practice, the better off you will be. As a first step, prepare some meaningful scenarios, book a meeting with relevant stakeholders, establish some ground rules and run through your established breach process for each of the practice scenarios. Appoint a note taker who will observe and record variations to the process flow. Initially, stick to the process that you have designed, but annotate any issues. Then roll those lessons learned into a second iteration of your NDB process.

Then keep practicing. Perhaps utilise your regular business continuity and disaster recovery drills as a vehicle to test your NDB processes.

The 5 things you need to know about the Notifiable Data Breach scheme


Mandatory Data Breach Disclosure and the Notifiable Data Breach (NDB) scheme are both really hot topics at the moment. There is a number of experts from the legal, cyber security and business community all providing their advice, many providing guidance in forensic detail on what should be done to prepare an organisation for this change.

I’m not planning to cover NDB in detail, the aim of this blog post is to quickly and succinctly outline the 5 most important things you need to know about NDB scheme within Australia.

Essentially, the why, what, when, who, and which of NDB. I’ll follow with a number of additional posts designed to provide practical guidance for organiations on this topic.

Why NDB?

With the prevalence and increased impact of data breaches on the news and in our lives, there is a greater need than ever for a consistent treatment mechanism. The absence of any industry consensus on data breach notification meant that it was only a matter of time before the Government put in place a scheme to protect the interests of consumers, and individuals.

After extensive industry and professional consultation, the Notifiable Data Breaches (NDB) scheme was passed under Part IIIC of the Privacy Act 1988 (Privacy Act).

What is the NDB?

The Notifiable Data Breaches (NDB) scheme establishes a framework governing how data breaches are assessed and responded to, and the obligations of organisations in reporting breaches.

Specifically, the NDB introduces obligations for organisations who experience a data breach that exposes personal information and meets the criteria specified as likely to cause ‘serious harm’. More on what constitutes ‘serious harm’ in a moment.

Any breach notification must include recommendations for impacted individuals on the steps that they should take as a result of the breach.

The NDB also specifies that the Australian Information Commissioner must be notified of eligible data breaches.


Security News and Alerts

Get updates and exclusive content from our security experts
  • This field is for validation purposes and should be left unchanged.

When does NDB come into effect?

The NDB comes into effect on the 22nd of February 2018.

Who does the NDB impact?

Unless you live entirely off the grid and share no personal information, ultimately, the NDB affects us all.

Whilst not an exhaustive list, with some exceptions, a good summary of the organisations that are impacted by the NDB include:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • Credit reporting bodies
  • Credit providers:
    • banks, building societies, credit unions, finance companies
    • retailers who issue credit card
    • organisations where payment is deferred for at least 7 days – telco’s, energy and water utilities
    • organisations that provide credit for hiring, leasing or renting goods
  • Health service providers
  • TFN recipients, which likely impacts State Government entities if they use TFN’s

An important thing to note is NDB applies to overseas organisations that have been incorporated or formed in Australia.

Which breaches are covered by the NDB?

In broad terms a data breach is defined as either: unauthorised access; unauthorised disclosure; or loss of personal information. The type of personal information covered includes:

  • An individual’s health information or other ‘sensitive’ information
  • information used as a precursor to identity fraud (Medicare card, driver licence, and passport details)
  • financial information
  • a combination of types of personal information.

As with all legislation, the devil is in the detail. This information does not seek to be exhaustive, and the usual legal disclaimers around seeking professional legal advice do apply.

The Office of the Australian Information Commissioner (OIAC) states:

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

What does all this mean? The terms ‘likely’ and ‘serious harm’ are key.

  • ‘Likely to occur’ means more probable than not/possible
  • ‘Serious harm’ may include serious physical, psychological, emotional, financial, or reputational harm to an individual

These terms are subjective and require some assessment against the so called ‘reasonable person’ test. Harm can include: loss of business or employment opportunity, damage to a person’s reputation, relationships; humiliation; identity theft; significant financial loss; threats to physical safety; and workplace or social bullying or marginalisation. The circumstances of the breach is also an important factor.

The stated exceptions are interesting, because if an organisation acts quickly to remediate a data breach, and as a result of their quick response the impact of the data breach reduces the breach to something less than what is termed serious harm, then there is no requirement to notify any individuals or the Commissioner.

Hopefully you have found this blog useful to set the scene for NDB. I’ll be following up with an additional series of posts on how to prepare for NDB, what is important during a breach and how your organisation can be prepared.

Ten things you should know about ISO/IEC 27001


By Shannon Lane

1.    What it ISO 27001

ISO 27001 is an international standard for information security management.

2.    Why is ISO 27001 important to me?

Information is the lifeblood of most contemporary organisations’. It provides intelligence, commercial advantage and future plans that drive success. Most Organisation store these highly prized information assets  electronically. Therefore, protection of these assets from either deliberate or accidental loss, compromise or destruction is increasingly important. ISO 27001 is a risk-based compliance framework designed to help organisations effectively manage information security.

3.    Why are international standards like ISO 27001 important?

Many Industries and many Governments have adopted ISO 27001 as the de facto standard for information security management practices. ISO is particularly popular at the State Government level within Australia where it is often mandated, and in industries such as ICT and data centre hosting.International Standards provide significant benefits overall to the domestic and global economy.

For Consumers
Proof of conformity to International Standards helps reassure consumers that products, systems and organisations are safe, reliable and good for the environment.

For Business
International Standards can be a strategic tool to help businesses tackle challenges and compete on a global stage.
Adoption can: open up new markets, improve competitiveness through greater customer satisfaction, reduce costs, streamline systems and processes, and increase productivity.

For Society
Standards improve safety, quality and environmental outcomes as well as encouraging international trade.

4.    Why is ISO 27001 important?

Having an international standard for information security allows a common framework for managing security across business and across borders. With an ever more connected world, the security of information is increasing in importance.

Data and information needs to be safe, secure, and accessible. The security of information is important for personal privacy, confidentiality of financial and health information and the smooth functioning of systems and supply chains that we rely on in today’s interconnected world.

ISO 27001 provides the framework for you to effectively manage risk, select security controls and most importantly, a process to achieve, maintain and prove compliance with the standard.
Adoption of ISO 27001 provides real credibility that you understand security and take security seriously.

5.    What are the elements of ISO 27001?

ISO 27001 is made up of a number of short clauses, and a much longer annexe listing 14 security domains and 114 controls. The most important of the short clauses relate to:

  • The organisational context and stakeholders
  • Information security leadership and high-level support
  • Planning of an Information Security Management System (ISMS), including risk assessment; risk treatment
  • Supporting an ISMS
  • Making an ISMS operational
  • Reviewing the system’s performance
  • Adopting an approach for corrective actions

Based on the risk profile of the organisation, controls may be selected to manage identified risks. Within the Annex, the 114 listed controls are broken down into 14 key domains which are listed below:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

6.    How does it work? – What is a Risk-Based Approach to Compliance?

Unlike other security standards, for example, the Payment Card Industry – Data Security Standard (PCI-DSS) and Sarbanes-Oxley (SOX), which are highly prescriptive and control driven, ISO takes a risk-based approach to security compliance. In other words, there are no defined set of security controls that must be implemented regardless of the type of business operation, as is the case with PCI-DSS. Controls are selected based on their ability to mitigate risks to the organisation

ISO 27001 is concerned with the process of continual improvement and a demonstrated commitment to managing information security based on risks to the organisation’s information assets.
A risk-based approach to managing information security ensures that security risks are appropriately prioritised, cost effectively managed as well as ensuring that only those controls that are necessary to manage these risks are implemented. It is a comply or explain approach. Based on your organisations’ risk, you can comply with the controls that help manage risk, or simply explain why they aren’t relevant and why you don’t need them. There is no compliance for the sake of compliance with ISO.

7.    Where should I start?

Before starting out on the path to certification, it may be worthwhile understanding if certification is required, or if compliance will suffice. For many organisations, certification is not a requirement.

For those industries where certification is a requirement, the path to achieving certification should not be treated as a one-off project. Firms that successfully maintain certification over multiple years, treat information security as a critical business process and invest time, resources and effort into ongoing compliance. Certification is the logical consequence of compliance, and should be relatively easy if a solid compliance regime is established and maintained.

For most organisations, the logical place to start is to conduct a gap analysis against the requirements of ISO 27001.

8.    The Audit Process

External certification can only be conducted by an Accredited Certification Body (CB). In Australia, Shearwater recommends certification services from reputable CB’s only, such as BSI and SAI Global.

The initial audit process is undertaken in two stages:

  • Stage 1 – A Documentation Review that focuses on a desktop review of available ISMS documentation and processes. Sufficient evidence of a functioning ISMS is required in order to progress to the Stage 2 audit.
  • Stage 2 – Focuses on evaluating the implementation and effectiveness of the management system. The audit will assess evidence and will typically require the ISMS to have been running for a period of at least three months.

The certification cycle also requires regular external surveillance audits to be performed and evidence that the management system is being actively maintained. Surveillance audits for ISO 27001 are typically performed every six months, however, mature systems in low-risk industries can be extended to an annual audit cycle in consultation with the certification body. ISMS re-certification occurs every 3 years.

9.    Who wrote ISO 27001? – History

ISO (International Organization for Standardization) is the world’s largest developer of voluntary International Standards. Many Countries have their own national standards governing everything from railway gauges, electrical power point specifications, building materials, personal protective equipment and children’s toys, to name just a few. When a standard reaches maturity and has widespread application in more than one jurisdiction, ISO forms a working group and works towards publishing an International Standard.
The original forerunner of ISO 27001 was written by the UK Government’s Department of Trade and Industry (DTI), and then published by the British Standards Institute (BSI) as BS 7799 in 1995.

10.    Tips, trick and pitfall avoidance

Before Certification
Don’t underestimate the number of stakeholders you will need to consult. In large organisations, stakeholder management can be a large undertaking and key requirement for a successful compliance activity.

Partner with experienced information security providers who know the implication of advice, in particular with respect to the selection of information security controls. Many controls sound like a good idea, but the implementation can be much more challenging.
Start with an understanding of risks and development of a management system before jumping into controls and technology. Investing time up front to understand your risk posture will pay long-term benefits.

During Certification

Avoid anybody who guarantees certification within 1 month. They can’t! Certification Bodies require at least 3 months of evidence at the stage 2 Audit to make a recommendation for certification to the Accreditation Body.

Certification Bodies are prevented under another ISO standard (19011) and scheme rules from performing certification and consulting/advisory services due to conflict of interest issues. Some get around this by offering extended pre-assessments of gap analysis. Whilst these may appear cheap, there are limits to the amount of actionable recommendations that can be provided.

After Certification
You will be entitled to display an ISO 27001 certification mark. The certification mark is tangible proof that you take care of information, are committed to protecting data entrusted to you, and are fulfilling your commercial, contractual and legal responsibilities with respect to information security. A great idea would be to promote this certification on your marketing collateral and website as a source of differentiation from your competitors.

ASD Essential 8 Summary


So you have mastered the ASD Top 4? What do you need to tame the Essential 8? 

In this ASD Essential 8 Summary, we will answer:

  • What has stayed the same?
  • What has changed?
  • What that means?
  • What do I need to do to achieve this baseline standard?
  • When do I need to complete it by?

 

What has stayed the same?

The key thing that has remained constant from the ASD Top 4 to the Essential 8, is the pragmatic, good advice provided by ASD. The focus is still on making systems and information secure, in order to safeguard organisational reputations and save time and money. However, unlike a great number of global compliance regimes such as SOX, JSOX, PCI, SSAE, etc, the Essential 8:

  • Helps organisations manage risks that are relevant to their specific context
  • Provides prioritised steps to address relevant threats
  • Represents a baseline for organisations to achieve

The risk-based approach and the prioritised controls are world class and equate to a cost effective and intelligent use of security budgets.

The evolution of the Top 4 to the Essential 8 quite firmly underlines the core message that good security is a process and not a project. Organisations that have conducted a ‘Top 4 project’ and not implemented an ongoing security process, may in fact have missed the point. The Essential 8 is ASD’s reminder to keep improving.

What has changed?

There is one large change and a number of smaller changes. The large change shifts focus from the Top 4 being Strategies to Mitigate Targeted Cyber Intrusions, to being an essential 8 Strategies to Mitigate Cyber Security Incidents. Top 4 was designed to keep the malicious out. Essential 8 recognises that whilst a lot can be done to keep people out, the reality is that you need to plan and design for when eventually they do get in.

The smaller changes add 4 more controls and shift the initial Top 4 around. You now have two columns:

Prevent Malware from running
Keep ‘em Out
Limit the extent of incidents and recover data
Plan for when they get in and respond
Application Whitelisting (Top 4 original) Restrict administrative privileges (Top 4 original)
Patch Application (Top 4 original) Patch Operating Systems (Top 4 original)
Disable untrusted Microsoft Office macros (New) Multi-factor authentication (New)
User application hardening (New) Daily backup of important data (New)

What this means?

The ASD has reinforced that good security is a journey that never ends. In other words, you should expect the Essential 8 to continually change over time. ASD’s subliminal challenge is to think about what will provide you with the best returns for your effort and investment across both prevention and response. ASD wants organisations and security leaders to answer 4 searching questions:

  1. Do I know what my mission critical assets are and what needs protecting?
  2. Who are my adversaries, or who do I need to guard against?
  3. What is the gap between my current security controls and those outlined in the Essential 8? In other words, what other strategies do I need to implement based on my risks?

If your security posture is risk based, pragmatic and process rather than project driven, adding a few more tasks or re-ordering a few initiatives within your work programme should be straight forward.

When do I need to have done it?

With respect, you are asking the wrong question! The goal of establishing a layered defence to protect against and respond to threats does not have an end date. But if you want to know where to start, Shearwater are the experts who can help you avoid wastage of time, effort and money. Engaging our expert team of advisors will allow you to plan at the strategic level whilst executing at the tactical.

If you don’t know where or how to start with the Essential 8, Shearwater can assist. For expert help, please contact us.

MS15-034 – HTTP.sys Advisory


By Mark Hofman, Terry Darling, and Simon Treadaway


1- Background on Microsoft Security Bulletin MS15-034 (CVE CVE-2015-1635)

Microsoft earlier this week released a patch for both servers and workstations, MS15-034. This patch addresses an issue in the file http.sys. The http.sys file is used by the operating system to accept and process HTTP and HTTPS requests. At the time of release the information provided by Microsoft was that remote code exploitation may have been possible. Since its release on Tuesday Proof Of Concept (PoC) code has been published on the Internet. The initial versions would only check for a particular response from the server. However these have now morphed into simple requests that will cause a Denial of Service (DoS) and cause the Windows system to blue screen.

The vulnerability may result in a complete takeover or disruption of systems and services through a successful DoS attack. Microsoft states it has not received any information to indicate that this vulnerability has yet been publicly used in attacks, however since its release PoC code has emerged, and multiple threat intelligence honeypots are detecting scans for this vulnerability utilising the strings that result in a DoS.

Mass scale exploitation of Internet-facing web-servers having the vulnerability is expected.

As exploitation does not require authentication or an indicator of compromise the most effective response is to implement remediation measures as soon as reasonably possible.


2- How does it work

The vulnerability is in the main component of the Windows HTTP protocol stack known as http.sys and is caused when http.sys improperly parses what Microsoft describes as “specially crafted HTTP requests”. The specially crafted packet is a header request sent to the server with a RANGE parameter and some values.

 

GET / HTTP/1.1 Host: MS15034 Range: bytes=0-18446744073709551615

 

Successful exploitation of the vulnerability could allow an attacker to remotely execute arbitrary code in the context of the IIS account being used (the default IIS user account is SYSTEM) and to thereby gain full remote access to the affected Windows system. It is however more likely that the DoS version of the code will be used to disrupt services.

Further technical details can be found at:


3- Who is affected

Any Microsoft server or workstation that accepts HTTP/HTTPS traffic is likely to be affected by this issue. Whilst most of the information available focuses on IIS, as this is the main application that utilises this particular file, it is not the only product running in Windows environment that will be vulnerable.

Microsoft states the following versions of their operating system is vulnerable:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation option)
  • Windows Server 2012 R2 (Server Core installation option)


4- How can you identify if you are vulnerable

The mainstream testing tools such as Nessus, Nexpose and nmap have updated scripts and signatures to perform checks.

The simplest method to test if your machine is vulnerable is to perform the following check from either a linux system or windows system (that has curl):

$ curl -v [ipaddress]/ -H “Host: test” -H “Range: bytes=0-18446744073709551615”


if the response includes “Requested Header Range Not Satisfiable” the server is likely vulnerable.

 

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML
4.01//EN””http://www.w3.org/TR/html4/strict.dtd”>
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV=”Content-Type” Content=”text/html; charset=us-ascii”></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>


Some PowerShell alternatives are available but testing suggests these scripts may not be reliable.


5- How can you remediate

To fix the issue the only approach at this time is to patch and apply the fix released earlier this week (i.e. MS15-034). Priorities:

  1. Internet facing Microsoft web servers should receive first priority, especially those utilising IIS as the web server.
  2. As a second priority any remaining internet facing Windows systems should be patched.
  3. Internal servers utilising IIS
  4. Remaining internal servers
  5. Workstations (unless these are running IIS in which case they should be treated as a level 3 priority)

Alternate options:

  • Disable IIS caching (IIS 7 upwards) – This will prevent the attack from being successful however will have significant impact on the performance of the server and is not a first choice.
  • Intrusion Prevention Signatures – The main Intrusion Detection vendors as well as those with Next Generation firewalls will already have signatures for this attack. Please be aware that effectiveness depends on the signature.
    • The more effective signatures will target the RANGE request as that means it will identify and drop all requests. It is not a parameter that is regularly passed in a normal application.

Given the criticality of the vulnerability Shearwater’s recommendation is to patch in accordance with the priorities outlined above.


6- How can we help

If required there are several ways in which we can assist. These include:

  • Identifying vulnerable services
  • Prioritising patch deployment
  • Assisting with risk management

Shearwater is dedicated to its customers’ security, and are always happy to provide advice. If any assistance is required please contact us via email to: seh@shearwater.com.au or via phone on: 1300 228 872