Blog

Awards

Privasec, a founding company of Sekuro, named 2021 AISA Awards ‘SMB Employer of the Year’

Sekuro congratulates our legacy company, Privasec, for being the overall category winner of SMB Employer of the Year at the Australian Information Security Association (AISA)’s 2021 awards.

Read More
Blog

Domain Exposure Via Qualys SSL Server Test

In this article, find out how your domain is exposed to the public after a Qualys SSL Server Test.

Read More
Cloud Security

Team Sec Con 2021: Getting Started in Cloud Security

In this event recap, catch up on the personal journey of Sekuro’s Chief Growth Officer, Shamane Tan, in how she got started in cloud security.

Read More
AustCyber2021

Sekuro Is A Platinum Sponsor At AustCyber 2021!

Catch up on the segments that Sekuro’s CEO, Chief Growth Officer, and CISO participated in at the annual Australian Cyber Week 2021 event.

Read More
Sekuro | GRCI | Cybersecurity | Business
Cybersecurity

How Important Is Cybersecurity For Domestic & International Businesses?

If you missed the GRC Institute’s panel discussion on the impact of cybersecurity on domestic and international businesses, read this article for a summary.

Read More

How to Get ISO 27001 Certification

ISO 27001 certification can be a complex process and challenging for any business not quite prepared for the audit. Organisations often fail to fully understand how the standard translates into real-world security control implementations, and what is needed to gain that all-important approval from the assessor. The most important thing to understand is that to be certified, an approved ISO 27001 assessor needs to review your information security management system and agree that you meet all the minimum requirements. You must demonstrate your organisation’s compliance against each of the in-scope controls, which must be supported by operational evidence that you are using the controls.

Preparing your Information Security Management System

Before applying for certification, you will need a compliant Information Security Management System (ISMS) that allows the auditor to cross-reference your ways of operating controls against those specified in the standard. This ISMS is your management system, which tells your staff how they should undertake security activities and records audit trails of decisions and outcomes of security processes. Once you have the ISMS integrated into your overall business management systems, certification follows across three main phases:

Engage an assessment organisation that can audit your ISMS and issue your certification if you pass the assessment. They will begin with a basic review of your ISMS documentation, looking at the overall structure and documented processes covering all relevant controls. This assessment will identify the gaps that need remediating before you invest in a real certification audit. When ready, the certification organisation …

Read More

Choosing SOC 2 vs ISO 27001

Two popular security standards commonly referenced these days are SOC 2 and ISO 27001 certification. These two standards have many shared requirements, especially in how you implement and operationalise certain controls, including the policies, processes and technical solutions you’ve used to meet their requirements (and protect your information). The reality is that as many as 96% of the requirements stated in both standards overlap. So, if this is the case, how do you decide which standard to go for, if you are beginning the process of improving your security capability without the decision being driven by an external party (such as an industry body or customer market)? Let’s look at what matters when making this selection, and the requirements that both standards demand you meet.

Scope

SOC 2 and ISO 27001 are similar in that they are both designed to portray trustworthiness in your organisation, insomuch as you are attesting to the fact that you will protect the information and systems relating to your customers. First, let’s look at the overriding principles of each standard. They both entrench the principles of securing information in terms of confidentiality, integrity and availability. The differences lie in which security controls you implement. Both ISO 27001 and SOC 2 state that organisations need only adopt a control if it applies to them, but the approach to implementation is slightly different for each. The primary difference between SOC 2 and ISO 27001 is that SOC 2 mainly focuses on you proving the security controls that …

Read More

Cyber Training and Education Makes a Real Difference

You cannot overstate the importance of training and education in terms of mitigating the risks associated with cyberattacks. However, you need to plan how the training and education program aligns with your organisation’s defined job roles, so that you get the best bang for your buck – and the greatest overall impact on your organisation’s security posture. Many people not working in cybersecurity don’t realise just how complicated it really is. Often the capabilities individuals need to deliver the requirements of their job role are misunderstood by management. Some think it’s all about just running an antivirus product or installing a firewall. Furthermore, given the vast array of certifications available in an overcrowded market – CISSP, OSCP, CISM, CISMP, CIPM, etc. – it’s difficult to even know where to start. A major issue many discover is that the CISSP, for example, requires five years of experience and is a hard exam to pass. This constraint helps reserve the certification for those who have the relevant experience to be called a security professional, but there are many ways to add value to your organisation’s security program without the CISSP credential. If you need to hire someone, first consider what that person needs to do their job and which certifications may help. This blog post looks at the world of cyber training and education and offers suggestions that will help you be successful.

The Skills Gap: Fact or Fiction?

Over the past decade, much has been written on the global cyber security skills shortage. …

Read More

SOC 2 Explained

I’ve heard SOC 2 mentioned in various cybersecurity contexts, but I have no idea what it is. Does it have anything to do with security operations? Much of the confusion about SOC 2 is because there is another acronym used in the world of cybersecurity – SOC – that refers to a security operations centre. The reality is that SOC 2 is more like ISO 27001, as it’s a security standard you use for running your business and can be externally certified, so you can demonstrate to your customers, partners, or regulators that you have a well-implemented security program.

What does SOC stand for?

SOC stands for System and Organisation Controls and was designed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is the reporting standard used to describe how an organisation designs and operates its controls. The controls are described in the framework most commonly known as the Trust Services Criteria (TSC). The service organisation evaluates the suitability of the design and operating effectiveness of the controls stated in the description to provide reasonable assurance that its service commitments and system requirements were achieved based on the TSC relevant to the trust services category or categories included within the scope of the examination. Firstly, SOC 1® is an audit report describing controls related to the protection of financial statements and reports. Secondly, SOC 2® is an audit report related to controls on security, availability, processing integrity, confidentiality and privacy. There are two types of SOC 2® reports …

Read More

What is Credential Stuffing?

Credential stuffing is one of the most used attacks adversaries rely upon to establish a beachhead in their victim’s networks. Attackers gather usernames and passwords from multiple breaches, merging them into a unified list to use against their victims. It’s a well-known fact that employees frequently reuse their passwords, with an average of 13 times reported by LastPass in The 3rd Annual Global Password Security Report. Attackers can either grab public breaches or buy lists of stolen credentials on the dark web and merge them using the technique above. In many cases they will have multiple passwords for a single user, and can then target all the main sites they want to breach using those same credentials. With many services delivered these days as software as a service (SaaS) capability directly from the vendor over the Internet, credential stuffing is fast becoming one of the most common methods used to compromise a user. The root cause is the use of passwords: because users have so many to remember, they often reuse what they believe to be strong passwords across many sites. There are ways to address credential stuffing, and to reduce the likelihood of an attack being successful, using a combination of technology controls and education. Single sign-on (SSO), for example, is a method architects can use to introduce solutions where users have fewer passwords to remember. If every application in your business is integrated into an SSO solution, then users can use one password to sign on, and that …

Read More

CORIE: A Game Changing Financial Services Security Framework

A new security framework, developed by the Council of Financial Regulators (CFR), that focuses on cyber resilience and maturity assessments is hitting the financial services world very soon. This approach, known as the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework, is in early pilot stages, but is set to take the world by storm when it settles into what’s considered normal operations. CORIE builds on the proactive nature of Red Team Attack Simulation and provides financial services organisations with a step-change methodology for baselining and improving their cyber defences. At its heart, CORIE builds on the well-understood discipline of adversary simulation and creates a solution fit for the rigorous testing needed by financial services organisations now and into the future. Here’s what we think you need to know:

- It’s a far better way of using Red Teaming – think like the criminal.
- We focus on how to prevent the worst-case scenario – it’s objective led.
- It helps better answer management’s hardest question – could this happen to us?
- The techniques an attacker will use to target you define the testing approach – Threat Intelligence provides leverage to the defender.
- Bespoke attack simulations are used to mimic the attacker tradecraft – understanding the motives and capability of the enemy is key.

Where has the CORIE Framework come from?

The CORIE framework has been created and launched by APRA/RBA. It will soon be mandatory for Financial Institutions (FI) to use. Its aim is to focus efforts on how far a realistic attacker can go towards impacting your business operations and cause a …

Read More

Bypassing 2FA is Possible

Most of us know that multifactor authentication (MFA) is a useful tool for managing and securing passwords, and many web services integrate it into their login processes for both business and personal use. There is no doubt that a properly implemented MFA solution will help mitigate brute force attacks and credential stuffing, but MFA also has a few issues you need to consider so you are not lulled into a false sense of security. In this blog we’ll demonstrate how MFA can be bypassed, especially if users are not paying attention during the login process. Before explaining how to execute this attack, I want to explain a little bit about how it works. Basically, to gain access to 2FA-enabled accounts we don’t just need the credentials, as this wouldn’t be enough to log in. Instead, we need to get the session cookie. For those who don’t know what a cookie is, it’s a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser, keeping a user logged in, for example; it remembers stateful information for the stateless HTTP protocol (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies). If we were able to get it, we could import the cookie into our browser and get access to the account. There are many tools out there that we could use, but on this occasion, I’ve chosen Evilginx …

Read More