Cyber Security News & Current Events

Security Fundamentals - Part 3: Controlling Admin Privileges

Posted by Tim on 14/12/2018 12:22:00 PM

In Part 2, the importance of a well-maintained and well-structured hardware and software inventory and the benefits of vulnerability management was explained. The next step in the process of getting on top of security basics is gaining control of the environment. This step should be easier and more efficient if the earlier steps of creating a comprehensive inventory were completed.

Read More

Topics: Fundamentals, Insider, Authentication

A Security Conscious Cohort - Part 1: Defining a New Norm

Posted by Nat on 13/12/2018 12:41:00 PM

As high-profile breaches produce increasing public attention, effective information security is more important than ever. Cyber incidents have a potential impact comparable to natural disasters. It is increasingly insufficient for organisations to achieve the bare minimum required for regulatory compliance – real protection is necessary.

Read More

Topics: Fundamentals

Management Buy-In - Part 1: Why You Need It

Posted by Nigel on 10/12/2018 11:02:00 AM

Every information security framework and “best practice” guide to cyber security states that you need “management buy-in”, but why is it important and what does it look like?

Read More

Topics: Fundamentals, Governance

Christmas Turkeys and Cyber Security Aren't That Dissimilar

Posted by Nigel on 03/12/2018 12:56:00 PM
What Brush Turkeys Have Taught Me About Information Security

It is that time of year again when a male brush turkey has made my backyard his home, tearing apart vegetation to make his nesting mound. While this is a source of frustration, on the positive side, it has given me new ways to think about information security.

Read More

Topics: Risk Assessment, Red Teaming, Governance, Insider

Hiding in plain sight: Preventing data exfiltration via DNS tunnelling

Posted by Eddie on 29/11/2018 3:02:00 PM

As information security has become more important across organisations, so has the role of an information security leader within organisations. As an information security leader in an organisation, several questions recur and are faced daily:

Read More

Topics: Insider, Pentesting, Red Teaming, Phishing

Security Fundamentals - Part 2: Managing Hardware and Software Assets

Posted by Tim on 26/11/2018 3:54:00 PM

 

In part 1, the importance of knowing your system was discussed, in this article, the importance of properly managing and auditing these assets will be discussed. Proper management of ICT assets from an information security perspective involves knowing what properties of the assets are expected, being able to respond to new vulnerabilities quickly and knowing when unauthorised assets are present on your network.

Read More

Topics: Fundamentals

Are you aware of your risk profile?

Posted by Security Centric on 22/11/2018 8:11:09 PM

There is no one size fits all when it comes to cyber security – you cannot uncover your potential risks purely through comparison to another business. That’s where risk profiles come in.

Read More

Topics: Risk Assessment

Bits of Entropy - The Importance of Complex Passwords

Posted by Kristian on 22/11/2018 11:42:00 AM

Passwords are obviously required to keep your online accounts and data safe, but how strong is your password? The idea of a strong password can be hard to quantify and most places require your passwords to meet some requirements. It's common to see "Your password must contain characters from three of the following categories" to be able to set your password. These requirements are in place to raise the entropy of a password and make it much harder for an attacker to guess your password.

 

Read More

Topics: Authentication, Fundamentals

Are you giving cyber security the attention it deserves?

Posted by Security Centric on 17/10/2018 7:30:00 AM

Cyber security is a comprehensive multi-faceted approach to identifying, understanding, and then mitigating risks to information systems.

Read More

Topics: Risk Assessment

In Europe for GDPR – Impressions Comparing it to Lessons from Australia’s Privacy Act NDB

Posted by Sash on 25/05/2018 2:58:00 PM

I have been in Europe for a couple of weeks now working on some longer-term strategic initiatives for Security Centric. My work brought me into a larger number of organisations than I normally would in my usual consulting life, and a consistent hot topic was GDPR. This is hardly surprising considering the gradual tidal wave of privacy policy update emails we have all be subjected to, as organisations align their compliance programs ahead of the deadline which comes into effect in a few hours across the EU.

Read More

Documentation Provides Security Value

Posted by Nigel on 15/02/2018 5:45:00 PM

A big part of my job is conducting security audits or assessments of clients. In one assessment, I asked a client for some documentation, in this case a system design document, as is usual practice. I was told “We don’t do documentation just for audits”. Further discussion revealed that the client’s culture was one where documentation was considered unnecessary for many activities, including activities directly related to security. Needless to say, I found many issues with their information security posture.

Read More

Topics: Governance

Why multi-factor authentication is worthwhile

Posted by Nat on 19/09/2017 11:15:00 AM

Multi-factor, or two-factor, authentication (MFA, 2FA) has seen increasing adoption and public awareness. What is it? What benefits does it provide? Is it really worth all that hassle? And how can I justify the time spent implementing and maintaining a MFA solution?

Read More

Topics: Authentication, Phishing

WannaCry: Nothing New Here Apart from a Catchy Name

Posted by Sash on 17/05/2017 1:17:00 PM

Even the catchy name is not particularly innovative (Heartbleed has to take that prize over others such as BEAST and POODLE).

Read More

Security Fundamentals - Part 1: Do this before buying the next security product

Posted by Tim on 24/11/2016 8:50:00 AM

A common theme amongst many engagements and discussions are “we are having issues maintaining control over our environment what products can solve this problem for us”. Questions like this are tackling the problem by jumping to a solution without identifying the cause and they can usually be addressed without buying a new security product.

Read More

Topics: Fundamentals

Top 5 Risks a Penetration Test Might Uncover

Posted by Eddie on 05/02/2016 1:59:00 PM

As organisations continue to adopt advancements in information technology and work towards an interconnected world, malicious attackers have not fallen short. The cyber threat landscape has never been more intense, and cyber security has never been more important.

Read More

Topics: Pentesting, Red Teaming, Risk Assessment

What does the eBay hack and Jeremy Clarkson have in common?

Posted by Security Centric on 26/05/2015 9:40:00 AM

The recent compromise and subsequent theft of personal information from eBay has reinforced one aspect of any mature information security approach – adequate application of defence in depth.

Read More

Security Centric joins PCI QSA program, but for different reasons

Posted by Sash on 14/05/2015 2:05:00 PM

QSA organisations and individual assessors usually complete the final phase of a PCI DSS compliance program – that is, a final audit. Whilst Security Centric is a QSA organisation, only a small proportion of engagements are to perform the final compliance audit.

Read More

Complete Heartbleed Protection in Under 36 Hours From Discovery

Posted by Sash on 14/04/2014 4:20:00 PM

Much has been written about the OpenSSL Heartbleed vulnerability, which affects the TLS heartbeat mechanism used by some versions of the OpenSSL library. Numerous open source and commercial products use affected versions of OpenSSL for their implementation of PKI, including enterprise hardware and software products.

Read More

Finally, an actionable blog

The purpose of this blog is to make available the real-world lessons, experience, observations and mistakes that are part of the daily life of a group of cyber security professionals.

Read about:

  • What mistakes organisations are making (anonymously of course!)
  • What effective actions are available to quickly and economically achieve effective protection (without buying new kit)
  • Trends we're seeing, via our incident response and forensic investigation capabilities
  • And sometimes, just frustrations about what is wrong with cyber :|

Subscribe:

Recent Posts