Blog
Privasec, a founding company of Sekuro, named 2021 AISA Awards ‘SMB Employer of the Year’
Sekuro congratulates our legacy company, Privasec, for being the overall category winner of SMB Employer of the Year at the Australian Information Security Association (AISA)’s 2021 awards.
Domain Exposure Via Qualys SSL Server Test
In this article, find out how your domain is exposed to the public after a Qualys SSL Server Test?
Team Sec Con 2021: Getting Started in Cloud Security
In this event recap, catch up on the personal journey of Sekuro’s Chief Growth Officer, Shamane Tan, in how she got started in cloud security.
Sekuro Is A Platinum Sponsor At AustCyber 2021!
Catch up on the segments Sekuro’s CEO, Chief Growth Officer, and CISO have participated in the annual event Australian Cyber Week 2021.
How Important Is Cybersecurity For Domestic & International Businesses?
If you missed the GRC Institute’s panel discussion on the impact of cybersecurity on domestic and international businesses, read this article for a summary.
How to Get ISO 27001 Certification
ISO 27001 certification can be a complex process and challenging for any business not quite prepared for the audit. Organisations often fail to fully understand how the standard translates into real-world security control implementations, and what is needed to gain that all important approval from the assessor. The most important thing to understand is that to be certified, an approved ISO 27001 assessor needs to review your information security management system and agree that you meet all the minimum requirements. You must demonstrate your organisation’s compliance against each of the in-scope controls, which must be supported by operational evidence that you are using the controls. Preparing your Information Security Management System Before applying for certification, you will need a compliant Information Security Management System (ISMS) that allows the auditor to cross-reference your ways of operating controls against those specified in the standard. This ISMS is your management system, which tells your staff how they should undertake security activities and records audit trails of decisions and outcomes of security processes. Once you have the ISMS integrated into your overall business management systems, certification follows across three main phases: Engage an assessment organisation that can audit your ISMS and issue your certification …
Choosing SOC 2 vs ISO 27001
Two popular security standards commonly referenced these days are SOC 2 and ISO 27001 certification. These two standards have many shared requirements, especially in how you implement and operationalise certain controls, including policies, processes and the technical solutions you’ve used to meet their requirements (and protect your information). The reality is that as many as 96% of the requirements stated in both standards overlap. So, if this is the case, how do you decide which standard to go for, if you are beginning the process of improving your security capability without the decision being driven by an external party (such as an industry body or customer market)? Let’s look at what matters when making this selection, and the requirements that both standards demand you meet. Scope SOC 2 and ISO 27001 are similar in that they are both designed to portray trustworthiness in your organisation insomuch that you are attesting to the fact that you will protect the information and systems relating to your customers. First, let’s look at the overriding principles of each standard. They both entrench the principles of securing information in terms of confidentiality, integrity and availability. The differences lie in which security controls you implement. Both …
Cyber Training and Education Makes a Real Difference
You cannot overstate the importance of training and education in terms of mitigating the risks associated with cyberattacks. However, you need to plan how the training and education program aligns with your organisation’s defined job roles, so that you get the best bang for your buck – and overall impact on your organisation’s security posture. Many people not working in cybersecurity don’t realise just how complicated it really is. Often the capabilities individuals need to deliver the requirements of their job role are misunderstood by management. Some think it’s all about just running an antivirus product or installing a firewall. Furthermore, given the vast array of certifications available in an overcrowded market – CISSP, OSCP, CISM, CISMP, CIPM, etc. – it’s difficult to even know where to start. A major issue many discover is that the CISSP, for example, requires five years of experience and is a hard exam to pass. This constraint helps keep the certification for those who have the relevant experience to be called a security professional, but there are many ways to add value to your organisation’s security program without the CISSP credential. If you need to hire someone, first consider what that person needs to …
SOC 2 Explained
I’ve heard SOC 2 mentioned in various cybersecurity contexts, but I have no idea what it is. Does it have anything to do with security operations? Much of the confusion about SOC 2 is because there is another acronym used in the world of cybersecurity – SOC – that refers to a security operations centre. The reality is that SOC 2 is more like ISO 27001, as it’s a security standard you use for running your business and can be externally certified so you can demonstrate to your customers, partners, or regulators you have a well-implemented security program. What does SOC stand for? SOC stands for System and Organisation Controls and was designed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is the reporting standard used to describe how an organisation designs and operates its controls. The controls are described in the framework most commonly known as the Trust Services Criteria (TSC). The service organisation evaluates the suitability of the design and operating effectiveness of the controls stated in the description to provide reasonable assurance that its service commitments and system requirements were achieved based on the TSC relevant to the trust services category or categories included …
What is Credential Stuffing?
Credential stuffing is one of the most used attacks adversaries rely upon to establish a beachhead in their victim’s networks. Attackers gather usernames and passwords from multiple breaches, merging them into a unified list to use against their victims. It’s a well-known fact that employees frequently reuse their passwords, with an average of 13 times reported by LastPass in their The 3rd Annual Global Password Security Report. Attackers can either grab public breaches or buy lists of stolen credentials on the dark web and merge them using the technique above. In many cases they will have multiple passwords for a single user, then they can target all the main sites they want to breach, using those same credentials. With many services delivered these days as software as a service (SaaS) capability directly from the vendor over the Internet, credential stuffing is fast becoming one of the most common methods used to compromise a user. The root cause is the use of passwords and especially since users have so many to remember, they often reuse what they believe to be strong passwords across many sites. There are ways to address credential stuffing, and to reduce the likelihood of an attack being successful, using a …
CORIE: A Game Changing Financial Services Security Framework
A new security framework, developed by the Council of Financial Regulators (CFR), that focuses on cyber resilience and maturity assessments is hitting the financial services world very soon. This approach, known as the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework, is in early pilot stages, but is set to take the world by storm when it settles into what’s considered normal operations. CORIE builds on the proactive nature of Red Team Attack Simulation and provides financial services organisations with a step-change methodology for baselining and improving their cyber defences. At its heart, CORIE builds on the well understood discipline of adversary simulation and creates a solution fit for the rigorous testing needed by financial services organisations now and into the future. Here’s what we think you need to know: It’s a whole better way of using Red Teaming – think like the criminal. We focus on how to prevent the worst-case scenario – it’s objective led. It helps better answer management’s hardest question – could this happen to us? The techniques an attacker will use to target you define the testing approach – Threat Intelligence provides leverage to the defender. Bespoke attack simulations are used to mimic the attacker tradecraft – understanding the motives and capability of the enemy is key. …
Bypassing 2FA is Possible
Most of us know that multifactor authentication (MFA) is a useful tool for managing and securing passwords, and many web services integrate it into their logging in processes for both business and personal use. There is no doubt that a properly implemented MFA solution will help mitigate against brute force attacks, and credential stuffing, but MFA also has a few issues you need to consider so you are not lulled into a false sense of security. In this blog we’ll demonstrate how MFA can be bypassed, especially if users are not paying attention during the logging in process. Before explaining how to execute this attack, I want to explain a little bit about how it works. Basically, to gain access to 2FA-enabled accounts we don’t just need the credentials, as this wouldn’t be enough to log-in. Instead, we need to get the session cookie. For those who don’t know what a cookie is, it’s a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a …
Privasec, a founding company of Sekuro, named 2021 AISA Awards ‘SMB Employer of the Year’
Sekuro congratulates our legacy company, Privasec, for being the overall category winner of SMB Employer of the Year at the Australian Information Security Association (AISA)’s 2021 awards.
Domain Exposure Via Qualys SSL Server Test
In this article, find out how your domain is exposed to the public after a Qualys SSL Server Test?
Team Sec Con 2021: Getting Started in Cloud Security
In this event recap, catch up on the personal journey of Sekuro’s Chief Growth Officer, Shamane Tan, in how she got started in cloud security.
Sekuro Is A Platinum Sponsor At AustCyber 2021!
Catch up on the segments Sekuro’s CEO, Chief Growth Officer, and CISO have participated in the annual event Australian Cyber Week 2021.
How Important Is Cybersecurity For Domestic & International Businesses?
If you missed the GRC Institute’s panel discussion on the impact of cybersecurity on domestic and international businesses, read this article for a summary.
How to Get ISO 27001 Certification
ISO 27001 certification can be a complex process and challenging for any business not quite prepared for the audit. Organisations often fail to fully understand how the standard translates into real-world security control implementations, and what is needed to gain that all important approval from the assessor. The most important thing to understand is that to be certified, an approved ISO 27001 assessor needs to review your information security management system and agree that you meet all the minimum requirements. You must demonstrate your organisation’s compliance against each of the in-scope controls, which must be supported by operational evidence that you are using the controls. Preparing your Information Security Management System Before applying for certification, you will need a compliant Information Security Management System (ISMS) that allows the auditor to cross-reference your ways of operating controls against those specified in the standard. This ISMS is your management system, which tells your staff how they should undertake security activities and records audit trails of decisions and outcomes of security processes. Once you have the ISMS integrated into your overall business management systems, certification follows across three main phases: Engage an assessment organisation that can audit your ISMS and issue your certification if you pass the assessment. They will begin with a basic review of your ISMS documentation, looking at the overall structure and documented processes covering all relevant controls. This assessment will identify the gaps that need remediating before you invest in a real certification audit. When ready, the certification organisation …
Choosing SOC 2 vs ISO 27001
Two popular security standards commonly referenced these days are SOC 2 and ISO 27001 certification. These two standards have many shared requirements, especially in how you implement and operationalise certain controls, including policies, processes and the technical solutions you’ve used to meet their requirements (and protect your information). The reality is that as many as 96% of the requirements stated in both standards overlap. So, if this is the case, how do you decide which standard to go for, if you are beginning the process of improving your security capability without the decision being driven by an external party (such as an industry body or customer market)? Let’s look at what matters when making this selection, and the requirements that both standards demand you meet. Scope SOC 2 and ISO 27001 are similar in that they are both designed to portray trustworthiness in your organisation insomuch that you are attesting to the fact that you will protect the information and systems relating to your customers. First, let’s look at the overriding principles of each standard. They both entrench the principles of securing information in terms of confidentiality, integrity and availability. The differences lie in which security controls you implement. Both ISO 27001 and SOC 2 state that organisations need only adopt a control if it applies to them, but the approach to implementation is slightly different for each. The primary difference between SOC 2 and ISO 27001 is that SOC 2 mainly focuses on you proving the security controls that …
Cyber Training and Education Makes a Real Difference
You cannot overstate the importance of training and education in terms of mitigating the risks associated with cyberattacks. However, you need to plan how the training and education program aligns with your organisation’s defined job roles, so that you get the best bang for your buck – and overall impact on your organisation’s security posture. Many people not working in cybersecurity don’t realise just how complicated it really is. Often the capabilities individuals need to deliver the requirements of their job role are misunderstood by management. Some think it’s all about just running an antivirus product or installing a firewall. Furthermore, given the vast array of certifications available in an overcrowded market – CISSP, OSCP, CISM, CISMP, CIPM, etc. – it’s difficult to even know where to start. A major issue many discover is that the CISSP, for example, requires five years of experience and is a hard exam to pass. This constraint helps keep the certification for those who have the relevant experience to be called a security professional, but there are many ways to add value to your organisation’s security program without the CISSP credential. If you need to hire someone, first consider what that person needs to do their job and which certifications may help. This blog post looks at the world of cyber training and education and offers suggestions that will help you be successful. The Skills Gap: Fact or Fiction? Over the past decade, much has been written on the global cyber security skills shortage. …
SOC 2 Explained
I’ve heard SOC 2 mentioned in various cybersecurity contexts, but I have no idea what it is. Does it have anything to do with security operations? Much of the confusion about SOC 2 is because there is another acronym used in the world of cybersecurity – SOC – that refers to a security operations centre. The reality is that SOC 2 is more like ISO 27001, as it’s a security standard you use for running your business and can be externally certified so you can demonstrate to your customers, partners, or regulators you have a well-implemented security program. What does SOC stand for? SOC stands for System and Organisation Controls and was designed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is the reporting standard used to describe how an organisation designs and operates its controls. The controls are described in the framework most commonly known as the Trust Services Criteria (TSC). The service organisation evaluates the suitability of the design and operating effectiveness of the controls stated in the description to provide reasonable assurance that its service commitments and system requirements were achieved based on the TSC relevant to the trust services category or categories included within the scope of the examination. Firstly, SOC 1® is an audit report describing controls related to the protection of financial statements and reports. Secondly, SOC 2® is an audit report related to controls on security, availability, processing integrity, confidentiality and privacy. There are two types of SOC 2® reports …
What is Credential Stuffing?
Credential stuffing is one of the most used attacks adversaries rely upon to establish a beachhead in their victim’s networks. Attackers gather usernames and passwords from multiple breaches, merging them into a unified list to use against their victims. It’s a well-known fact that employees frequently reuse their passwords, with an average of 13 times reported by LastPass in their The 3rd Annual Global Password Security Report. Attackers can either grab public breaches or buy lists of stolen credentials on the dark web and merge them using the technique above. In many cases they will have multiple passwords for a single user, then they can target all the main sites they want to breach, using those same credentials. With many services delivered these days as software as a service (SaaS) capability directly from the vendor over the Internet, credential stuffing is fast becoming one of the most common methods used to compromise a user. The root cause is the use of passwords and especially since users have so many to remember, they often reuse what they believe to be strong passwords across many sites. There are ways to address credential stuffing, and to reduce the likelihood of an attack being successful, using a combination of technology controls and education. Single sign-on (SSO) for example is a method architects can use to introduce solutions where users have less passwords to remember. If every application in your business is integrated into an SSO solution, then users can use one password to sign on, and that …
CORIE: A Game Changing Financial Services Security Framework
A new security framework, developed by the Council of Financial Regulators (CFR), that focuses on cyber resilience and maturity assessments is hitting the financial services world very soon. This approach, known as the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework, is in early pilot stages, but is set to take the world by storm when it settles into what’s considered normal operations. CORIE builds on the proactive nature of Red Team Attack Simulation and provides financial services organisations with a step-change methodology for baselining and improving their cyber defences. At its heart, CORIE builds on the well understood discipline of adversary simulation and creates a solution fit for the rigorous testing needed by financial services organisations now and into the future. Here’s what we think you need to know: It’s a whole better way of using Red Teaming – think like the criminal. We focus on how to prevent the worst-case scenario – it’s objective led. It helps better answer management’s hardest question – could this happen to us? The techniques an attacker will use to target you define the testing approach – Threat Intelligence provides leverage to the defender. Bespoke attack simulations are used to mimic the attacker tradecraft – understanding the motives and capability of the enemy is key. Where has the CORIE Framework come from? The CORIE framework has been created and launched by APRA/RBA. It will soon be mandatory for Financial Institutions (FI) to use. Its aim is to focus efforts on how far a realistic attacker can go towards impacting your business operations and cause a …
Bypassing 2FA is Possible
Most of us know that multifactor authentication (MFA) is a useful tool for managing and securing passwords, and many web services integrate it into their logging in processes for both business and personal use. There is no doubt that a properly implemented MFA solution will help mitigate against brute force attacks, and credential stuffing, but MFA also has a few issues you need to consider so you are not lulled into a false sense of security. In this blog we’ll demonstrate how MFA can be bypassed, especially if users are not paying attention during the logging in process. Before explaining how to execute this attack, I want to explain a little bit about how it works. Basically, to gain access to 2FA-enabled accounts we don’t just need the credentials, as this wouldn’t be enough to log-in. Instead, we need to get the session cookie. For those who don’t know what a cookie is, it’s a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example, it remembers stateful information for the stateless HTTP protocol (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies). If we were able to get it, we could import the cookie into our browser and get access to the account. There are many tools out there that we could use, but on this occasion, I’ve chosen Evilginx …