Although cybersecurity insurance can appear attractive, it is important that businesses understand it cannot feasibly serve as a replacement for threat mitigation. The majority of cyber threats are avoided by reaching a baseline standard of security maturity. The investment required to achieve this baseline is generally less than a few years of premiums and the deductible for just one incident.
Injection vulnerabilities are the most common result of mixing user input with system control. An injection vulnerability can have catastrophic results for a system, potentially leading to a full database dump, and laying the groundwork for a remote shell. In layman's terms, this means an attacker controls the entire system and has access to all data.
The information security framework for the Australian Government is driven by two main documents: the Protective Security Policy Framework (PSPF) owned by the Attorney-General’s Department, and the Information Security Manual (ISM) owned by the Australian Signals Directorate (ASD). Note that the PSPF is actually a set of documents, rather than a single volume like the ISM.
This weekend's Formula 1 Grand Prix has an unlikely parallel to the cyber security industry. You see, Formula 1 is a precisely engineered environment, where suspension load is modelled across the 300 or so corners of the calendar and components designed to only experience 40% of their rated strength.
In Part 2, the importance of a well-maintained and well-structured hardware and software inventory and the benefits of vulnerability management was explained. The next step in the process of getting on top of security basics is gaining control of the environment. This step should be easier and more efficient if the earlier steps of creating a comprehensive inventory were completed.
As high-profile breaches produce increasing public attention, effective information security is more important than ever. Cyber incidents have a potential impact comparable to natural disasters. It is increasingly insufficient for organisations to achieve the bare minimum required for regulatory compliance – real protection is necessary.
Every information security framework and “best practice” guide to cyber security states that you need “management buy-in”, but why is it important and what does it look like?
What Brush Turkeys Have Taught Me About Information Security
It is that time of year again when a male brush turkey has made my backyard his home, tearing apart vegetation to make his nesting mound. While this is a source of frustration, on the positive side, it has given me new ways to think about information security.
As information security has become more important across organisations, so has the role of an information security leader within organisations. As an information security leader in an organisation, several questions recur and are faced daily:
In part 1, the importance of knowing your system was discussed, in this article, the importance of properly managing and auditing these assets will be discussed. Proper management of ICT assets from an information security perspective involves knowing what properties of the assets are expected, being able to respond to new vulnerabilities quickly and knowing when unauthorised assets are present on your network.
There is no one size fits all when it comes to cyber security – you cannot uncover your potential risks purely through comparison to another business. That’s where risk profiles come in.
Topics: Risk Assessment
Passwords are obviously required to keep your online accounts and data safe, but how strong is your password? The idea of a strong password can be hard to quantify and most places require your passwords to meet some requirements. It's common to see "Your password must contain characters from three of the following categories" to be able to set your password. These requirements are in place to raise the entropy of a password and make it much harder for an attacker to guess your password.
Cyber security is a comprehensive multi-faceted approach to identifying, understanding, and then mitigating risks to information systems.
Topics: Risk Assessment
A big part of my job is conducting security audits or assessments of clients. In one assessment, I asked a client for some documentation, in this case a system design document, as is usual practice. I was told “We don’t do documentation just for audits”. Further discussion revealed that the client’s culture was one where documentation was considered unnecessary for many activities, including activities directly related to security. Needless to say, I found many issues with their information security posture.
Multi-factor, or two-factor, authentication (MFA, 2FA) has seen increasing adoption and public awareness. What is it? What benefits does it provide? Is it really worth all that hassle? And how can I justify the time spent implementing and maintaining a MFA solution?
Even the catchy name is not particularly innovative (Heartbleed has to take that prize over others such as BEAST and POODLE).
A common theme amongst many engagements and discussions are “we are having issues maintaining control over our environment what products can solve this problem for us”. Questions like this are tackling the problem by jumping to a solution without identifying the cause and they can usually be addressed without buying a new security product.
As organisations continue to adopt advancements in information technology and work towards an interconnected world, malicious attackers have not fallen short. The cyber threat landscape has never been more intense, and cyber security has never been more important.