- Attack Vectors and Defence in Depth: Part 2 - Defensive Strategies
Mar 26, 2020
Part 1 of the Attack Vectors and Defence in Depth series explored ways to define the sequence in which cyber-attacks may be conducted. This part of the series will explore how the attack sequence can be used to gain foresight into defensive strategies.
Security concerns should be addressed in a logical, straightforward, and effective manner. Armed with the attack sequence in Part 1, an analyst may aim to detect and prevent attacks, or mitigate damage in the event of a breach. Each step of the sequence directs what response may be appropriate, beginning with prevention techniques and ending with containment options.
Just as there are several attack methodologies, there are many ways to counteract an attack. For example, the MITRE ATT&CK Framework details the following goals for defenders to achieve when facing a cyber adversary:
1. Redirect - Involves deterring an adversary or adversarial activity from specified targets.
2. Obviate - Ensuring that the adversary’s attempts are ineffective.
3. Impede - Making it more challenging for an adversary to achieve their goal.
4. Detect - Identifying indicators or characteristics of adversarial activity.
5. Limit - Reduce the effectiveness of adversarial activities.
6. Expose - Developing threat intelligence on an adversary to better prepare defences.
The Australian Signals Directorate (ASD) has also developed a list of mitigation strategies to assist organisations in lessening the chances and impact of cyber security incidents. Among these strategies is the implementation of the Essential Eight maturity model, an eight-step mitigation strategy developed as a baseline for enterprise network defence:
1. Application Whitelisting
2. Patch Applications
3. Configure Microsoft Office macro settings
4. User Application Hardening
5. Restrict Administrative Privileges
6. Patch Operating Systems
7. Multi-Factor Authentication
8. Daily Backups
Implementing an information security framework (such as the Australian Government Information Security Manual (ISM)) is essential for all organisations. The security principles around which all effective security frameworks are built are a lens through which every organisation must inspect its security risks and appropriate controls. For example, the Australian Government’s ISM organises its security principles around four key activities: Govern, Protect, Detect, and Respond.
Such frameworks provide security principles that enable a company to identify security risks within the context of the organisation and implement security controls accordingly. Alcorn Group can assess your processes, policies and systems to give you a perspective on your current security readiness.
Part 3 continues the Attack Vectors & Defence in Depth series by exploring actions which can be taken during each stage of compromise.
- Attack Vectors and Defence in Depth: Part 1 - The Attack Sequence
Mar 5, 2020
In the current age of information, both public and private companies are challenged by cyber criminals. The fast-paced and rapidly changing cyber security environment has resulted in a need to define the best methods for detecting and defending against attackers. This four-part blog series will outline the structure of cyber-attack vectors and will identify defensive actions that can be taken to decrease the likelihood of the vector being attacked.
The Attack Sequence
Two common attacks across the business landscape are those that involve a compromise of an email account, and those that are a succession of privilege escalation where the attacker establishes a foothold in one system, then can pivot to another. By defining the progression of an attack sequence, it is possible to understand the methods used by cyber criminals to detect and defend at each level, preventing any further progression.
For example, according to the Australian Cyber Security Centre (ACSC), identity theft was noted as the number one cybercrime to affect Australians between July and September of 2019. Identity theft is one result of credentials or personal information being compromised and sold on various dark web black markets. A common attack method to gain these credentials en masse involves targeting email, typically using the following sequence:
1. Network Reconnaissance – Here, the attack sequence begins again, with the attacker attempting to find and use valid credentials on the linked network.
2. Initial Foothold – Includes gaining access to the system and activities taken to ensure that access is repeatable.
3. Execute Intent – By this stage an attacker has a firm presence within the network and can exfiltrate data, or move laterally through the network to other linked networks.
4. Ensure Persistence – This is done by installing malicious software on the target network which allows for the attacker to establish a command and control channel to remotely send commands or instructions, and receive information.
Each of these steps can be either detected, prevented, or mitigated with appropriate actions and pre-emptive measures. These methods are discussed further in Part 2 of this blog series, which will explore defensive strategies used to prevent further compromise. This includes defensive strategies from the MITRE Corporation, a not-for-profit organisation that conducts research and development in cyber security, as well as details on the Australian Signals Directorate’s Essential Eight.
- How We Identify Your Applications’ Weak Spots
Feb 26, 2020
Web applications have become a necessity of business in a digital world, used for both externally facing applications to reach and assist customers through corporate websites, and internally for different business use cases, such as HR platforms. Protecting these assets is crucial to operating a modern and secure business. With the very real increase in data breaches impacting Australian organisations, business leaders are left worried and are asking the question, “Are we next?”. Expert security advice for your organisation can bring peace of mind that the good guys are finding vulnerabilities, before the bad ones. To prepare yourself for your next Web Application Penetration Test, detailed below is an overview on Alcorn Group’s testing methodology, as well as some of the most common risks found during testing.
Before testing begins, Alcorn Group’s consultants engage with stakeholders to gain a deeper understanding of the application and the business context in which it’s used. You can expect questions such as:
- What’s the intended business use of the application?
- Is there a particular scenario you are most concerned about? For example, someone accessing personally identifiable information. Or, defacement of the site?
- What kind of functionality does the application have?
These sorts of questions raised during the scoping phase allow consultants to focus their time on investigating vulnerabilities that relate to what matters to your business. Alcorn Group understands that companies often do not have the budget to spend on an exhaustive penetration test (although it is recommended for conclusive results). Our consultants will take the time to understand what is relevant to the business use case, and what you aim to achieve out of the testing.
After the scoping and kick-off phases, Alcorn Group gets to work investigating and analysing your application. Using a variety of tools and following our unique testing methodology, Alcorn Group’s consultants will test for the OWASP Top Ten Web Application Security Risks and ASVS (Application Security Verification Standard) vulnerabilities. Some of the more common risks we uncover are:
- Weak Access Controls: A key component of web applications is ensuring that the right people can access the correct information and controls, dependent on their role within the organisation. Alcorn Group often uncovers vulnerabilities that allow attackers to access confidential information or administrative functionality, as well as cases where regular users can access higher-privileged information or functions.
- Incorrect Session Management: Web applications make use of unique session ID tokens in order to differentiate between users performing actions within the application. A large number of applications tested by Alcorn Group are discovered to have insufficient session management. These vulnerabilities often lead to information leakage, and in some cases, can be escalated to account takeovers.
- Denial of Service: There are a variety of vulnerabilities that allow for malicious attackers to affect the availability of your web application, stopping everyone, including clients and staff, from being able to use it.
- Data Injection: These are vulnerabilities which leverage data validation issues on the application server, and could be used to target other applications or users. Alcorn Group aims to ensure that all data submitted to the application is appropriately validated and there are no opportunities to inject data to achieve attacks such as SQL injection or cross-site scripting.
Once Alcorn Group has finished the testing phase of the engagement, findings are collected, and our expert technical writing team develops a clear and concise report. This report is tailored to a variety of audiences, both technical and non-technical so that findings can be understood in a variety of contexts.
Testing your business’ web application is essential for gaining a deeper understanding of its security posture and empowering your organisation and its individuals to make decisions to improve your security posture. Alcorn Group’s process of assessing vulnerabilities and presenting recommendations leaves businesses with greater control and foresight in their security. To ensure that a web application remains secure in an ever-evolving threat landscape, penetration testing should be treated as an on-going process. This means that if you’ve not had a web application penetration test in over a year, it’s about time you have your applications looked at again.
- Building Better Security Habits At Home - Part 2
Feb 3, 2020
This is part two of our two-part series dedicated to educating users on techniques for developing better security habits at home. Part One included tips on: how to keep a secure connection; safe internet usage in a public setting; and, practicing safe browsing. This second part details: being vigilant with your email inbox; being aware of shady scammer behaviour; and, how to protect yourself with security software.
1. Be Vigilant with Your Inbox
- Don’t open emails that you’re not expecting, or those that are coming from senders you don’t recognise.
- Scan email attachments with your security software before opening them. Attachments can contain malware or links to download malware.
- If an email looks like it may come from somewhere familiar (for example eBay, LinkedIn, Facebook), avoid clicking on links within the email unless you were expecting the email. Instead, visit the site through the browser. Phishing emails often look exactly like credible emails, yet links in phishing emails may lead to sites that are trying to steal your details.
- Don’t reply to or forward chain emails.
- Only give your email address to people and organisations you are confident can be trusted.
- Consider using a separate email address for social networking, online shopping and banking.
2. Be Aware of Shady Behaviour
Scepticism is a valuable tool when it comes to security. Malicious actors may try to convince you to perform actions that will lead to compromise. This is called ‘social engineering’.
- Cold calls from ‘technical support’ or the ATO are common examples of social engineering scams that have been active in Australia for a few years. If you receive unexpected phone calls asking you to make changes to your computer or provide personal information, don’t follow the instructions, instead, hang up straight away.
- When browsing online, you may see pop-ups that tell you that you have a virus. Sometimes there will be flashing lights, or even an alarm. These popups can look important and may even cover your entire screen. Don’t click on them, close the webpage instead. If you can’t close the webpage, close the browser.
3. Install Security Software
It may seem like an expense that you could do without, but security software is recommended for every computer system, including your home computer. A good security system will include: a firewall, malware and spyware detection and protection, and some offer parental controls which are great if you have children at home. Finding an all-in-one package is highly recommended, as running more than one security system can cause issues due to the way security systems work. If more than one security system is active on your computer, they may detect each other as malware.
Update and Run It Regularly
Setting your security software to update regularly is important. New forms of malware are being discovered on a regular basis. Keeping your software up to date ensures that it will recognise more recent malware types. Some security software is available on a yearly subscription. If your software expires, it may continue to work, but it will most likely not get updated any more. That means it will only keep protecting you against older types of malware. A once-a-week security scan is ideal, but it’s not enough to simply set your security system to run at a certain time. You need to ensure your computer is turned on at the scheduled time so that it can run uninterrupted. If your scan is set for 3am but you turn off your computer at night, the scan will not run and your computer will not be protected.
Keep Other Software Updated
Where the option is available, turn on automatic updates for all software. This includes your computer’s operating system and any other devices in your home, such as game consoles. Updates to software often fix bugs and security flaws. These are the same bugs and security flaws that malicious actors use to break into your home network. Making certain that your devices have up-to-date patches improves security.
The Australian Government has produced some excellent resources about protecting yourself online. We highly recommend visiting their online safety site and browsing their library. If you believe you have been the victim of cybercrime, the Australian Government has an online reporting network. This site also has further information about how you can protect yourself against various types of cybercrime.
- Building Better Security Habits at Home - Part 1
Jan 28, 2020
At work, the IT support team almost certainly helps you stay secure, but how easy is it to replicate these security practices at home? We’ve created a two-part blog series that covers some simple steps you can take to be more secure outside of work.
1. Keep Your Connection Secure
- Set complex passwords on your computer and your Wi-Fi service. Ensure that the connection uses WPA2, which is the best practice standard for encrypting traffic on Wi-Fi networks.
- Don’t forget that your mobile devices need to be protected also. Use a complex password or PIN to unlock your devices.
- Always change the password to your modem and Wi-Fi when you set it up the first time so that the default settings are not used.
- Don’t store a list of passwords in a text document on your computer, or on paper near your computer. See our blog post Secure Password Storage for information on how to store your passwords.
2. Safe Internet Usage in a Public Setting
- Public Wi-Fi should always be used with caution and the knowledge that someone may have access to what you are seeing and doing while on a publicly accessible network. Using a VPN service can help protect your internet traffic from prying eyes.
- Mobile devices can often be used to create their own Wi-Fi networks, also known as hotspotting. This is a safer alternative to using public Wi-Fi for connecting to the internet.
- When using a public computer, avoid visiting sites that require you to login or provide personal and/or sensitive information. Public computers could contain malicious software, such as a keylogger, that can capture what you type on a keyboard.
3. Practice Safe Browsing
- Use an ‘adblocker’ to block adverts from appearing while you’re browsing. A current trend is ‘malvertising’ where online advertising is being used to spread malware.
- Disable content which uses Java and Flash as these can also contain malware.
- Configure your privacy settings on your browser and social media sites to expose as little private information as possible.
- Block pop-ups within browser windows. This is usually found within the settings. If popups appear on your screen, don’t click within the window to close it. Even if it has a button that says ‘No’ or ‘Close Ad’, click on the ‘X’ in the title bar, just as you would to close a computer program.
- If your browser asks you to save a password, don’t accept. Passwords can potentially get stored on cloud servers that are not secure, meaning that if these servers are compromised, an attacker may also gain access to these passwords.
- Using anti-virus software to scan your downloads before opening them adds an additional layer of security.
- Always check hyperlinks to make sure you’re not being redirected to an unsafe site. Fake sites often look very similar to legitimate sites.
- When making online payments, check that the website is secured (the URL will start with https rather than http) and only make online payments through secure payment methods.
The time you spend ingraining these security principles within your daily habits is well worth the effort. By practising these safe browsing habits, you can keep your data more secure. Hold tight for the next instalment of Building Better Security Habits at Home where we touch on other behavioural and system changes that can be made to help keep good security habits in focus day-to-day.
- Public Safety Business Agency are Hiring
Jan 23, 2020
In the interest of public welfare and the continuing improvement of Australian cyber security assets, Alcorn Group would like to take the opportunity to freely promote an available role in a highly valued and strategic Queensland (QLD) Government organisation.
A call has gone out, as advertised through the smartjobs.qld.gov website, that it is now in the closing days before a new Director of Cyber Security will be accepted into the ranks of the Public Safety Business Agency (PSBA). This role provides the opportunity to create an ongoing innovative culture that recognises the future needs of QLD and its people, while improving and creating systems that maintain or improve public safety, especially in IT. Public Safety Business Agency (PSBA) is an organisation where you can engage with colleagues, and serve the public with pride as you support those who keep our community safe and secure. This is maintained while building, evolving and preserving a prominent and extremely well regarded QLD workplace.
Public Safety Business Agency’s Work Impacts Everyone
PSBA are a QLD government agency established in 2014 to provide a wide variety of services to QLD’s public safety portfolio. These agencies include, although are not limited to, the QLD Police Service, Fire and Emergency Services, Ambulance Services, and Corrective Services.
What Do They Do?
PSBA’s main obligations are to deliver professional ICT, financial, procurement, asset management and human resources services. In-person and web-based services provide ICT goals with the aim to “… connect everything, everyone, everywhere for a safe and secure Queensland …”. They achieve this by not only liaising with the public safety agencies, but also business and community members. PSBA has a very large stable of IT experts who further engage with other public safety bodies in their support of local communities. In their role to provide asset management and procurement they have attained such a high level of quality that they had nominations in the Premier’s Awards for Excellence.
It’s worth mentioning the PSBA’s efforts in human relations, as part of workforce planning, and also regarding adaptive abilities for workplace culture and initiatives. PSBA is a White Ribbon accredited workplace and they act to enable everyone to participate in “… challenging attitudes and behaviours that underpin violence, and work towards building respectful, safe and inclusive cultures.”
- Testing Methodologies: Attacking Off-the-Shelf Solutions
Jan 16, 2020
Many engagements, which start out as a typical application penetration test, quickly present themselves as interesting opportunities to do some more in-depth research into the underlying product and its processes. It is often the case that the application under assessment will be an off-the-shelf solution from a vendor, or an open-source project, that is further configured by the client to suit their business requirements. The time invested diving into underlying products and processes adds value to clients as the testing performed is more in-depth and tailored. Over time this builds up a repertoire of consultant knowledge on these systems, which are often deployed in multiple corporate environments.
Identifying the application’s underlying software and architecture allows testers to determine the availability of source code, or the ability to deploy our own ‘testing’ instance of the solution. This allows testers to pull apart and observe some of the technological nuances which may not be easily observable with ‘unauthenticated’ or ‘low privileged’ access that many engagements begin with. This is one element which is typically not available when testing a custom built or closed-source application in a black box assessment.
Where to search for research targets
The following list describes a few places you can easily find target applications to conduct additional research:
- Open-source code repositories, e.g. Github/Gitlab.
- Cloud hosted implementations, for ‘one-click’ deployments, e.g. AWS Lightsail for WordPress.
- Vendor released solutions available on cloud hosting platforms, e.g. prebuilt AMIs available in the AWS marketplace.
- Vendor released demo appliances and evaluation instances. Note: you may need to be mindful of any licensing or customer agreement terms before conducting any testing against these.
In other instances, you might be able to easily replicate some of the design solution elements in play, such as deploying an instance of the Azure APIM platform and spinning up a demo application. This affords the opportunity to explore the functionality available within a solution and map out potential avenues for attack.
Benefits of additional research
As a tester, there is great benefit in configuring a test instance of the solution yourself, as working through the build may also reveal areas where solution design choices must be made. It can also give you some insight into the assumptions or compromises a development team might make in order to configure the solution to their needs.
In the best case, if you have access to the open-source code which is running the underlying technology of your target application, you can do a full code review of the platform. This allows you the opportunity to identify any bugs present that may not be so easy to identify from a black box testing perspective. It also gives you the opportunity to run static and dynamic code analysis tools over the codebase. This helps leverage the power of automation in order to help steer your efforts towards areas of interest where a more manual investigation is required.
One thing to note is that while it is great to be able to deploy your own copy of the solution and get a glimpse into the way the underlying technology works, you still need to be mindful that your actual target application is likely to be configured differently to an out-of-the-box solution. Additional plugins or custom features may have been added by the client’s development team in order to meet a business case. Some elements of security that are not present within the base framework may be added by the client to mitigate any inherent risks present. Overall, performing some research and testing of off-the-shelf solutions and open-source projects is a great way to learn more about these products and identify points of interest within them, while providing direction as to where more focused investigation is needed.
- Australian Cyber Security: A Year in Review
Jan 9, 2020
2019 was an eventful year in the Australian cyber security landscape. The security industry saw an increase in government and private industry collaborations, with the 2020 security strategy announced. There were also a large number of alarming security breaches and incidents spanning industries and government agencies, which emphasised the importance of investing in cyber security.
New standards were introduced for APRA-regulated industries with the introduction of Prudential Standard CPS 234 on the 1st of July. This new standard aims to provide stricter reporting requirements around security incidents, consistent information security framework maintenance, and overall, assist with bolstering security resilience.
According to a report by Trend Micro, a 77 percent surge in ransomware attacks was reported during the first half of 2019, with researchers identifying WannaCry as the most common type of ransomware. According to new security research conducted by Datto, Australia and New Zealand’s small-to-medium sized enterprises now hold the highest rate of reported ransomware attacks globally. 91 percent of subject matter experts have reported an attack in the last two years compared to a global average of 85 percent. The Victorian healthcare industry was severely disrupted by ransomware attacks with major regional hospitals and medical centres being hit and surgeries delayed as a consequence.
Some shocking data breaches occurred during 2019, with millions of people in Australia having their information leaked publicly through a variety of data breaches. Some notable breaches include the ‘Collection #1’ breach, featuring 772 million records from multiple, different sources. Others included breaches from the Australian National University, payID, My Health Record, Puma, Canva and Symantec, just to name a few. Between April 1st and June 30th alone there were 245 notifications of breaches under the notifiable data breach scheme, with 62% being malicious or criminal attacks. A significant portion, 34%, was also attributed to human error.
The most common industries reporting breaches are:
- Health Service Providers
- Legal, accounting and management services
The majority of the most commonly reported malware has been evolutions of old malware or exploits of old vulnerabilities. As a response to the dramatic shifts and exponential changes in Australia’s security landscape, the Australian Government reached out to private industry and government agencies for input in the new strategy. The full report is now available.
A lack of information sharing and collaboration in Australia’s private cyber security industry has been a well-known problem for a while now. Cyber criminals are consistently working together and sharing knowledge to conduct their criminal activity; it only makes sense that the good guys work together too. With the announcement of Cyber CX, Australia’s top industry leaders have joined forces under one company to ensure Australian organisations are supported by industry experts to protect themselves against cyber criminals.
Moving further into 2020, Alcorn Group’s subject matter experts expect to see:
- Data breaches caused by publicly storing information or poor password management will decline as more cloud and service providers implement security technology, processes and procedure.
- Ransomware will continue to escalate as one of the most common cyber security threats to organisations. Ransomware attacks will most likely mature and become more agonising for the victims as they move away from targeting specific workstations and immediately encrypting. Ransomware attacks may become more sophisticated with compromises occurring on a network, then the attacker pivoting to take over domain admin accounts and then systematically placing ransomware on the affected hosts. Targeting of backups and backup locations for Ransomware attacks will also increase, making it harder to ensure that attackers can be removed from the network.
- More IoT vulnerabilities will be found and exploited. Ongoing concerns and discussions around IoT are expected to escalate with the increase in internet-connected devices in home and business use cases.
- More businesses will turn to potentially insecure automation and industrial control systems as they look for smarter devices to provide data and metrics.
- An increase in attacks targeting Managed Service Providers (MSPs), with attackers then targeting the MSPs’ customers.
- Happy Holidays from Alcorn Group
Dec 23, 2019
As the year winds down, Alcorn Group takes some time out to celebrate and reflect on 2019.
Keeping up the annual tradition of thieving Santa, we all had a blast opening and swapping gifts amongst ourselves. Some gifts were reluctantly pried out of fingers, and others were gleefully obtained! The amount of strategy involved in this game was certainly surprising. We also celebrated with good food and drinks, and even greater company at our end of year function.
2019 has been an eventful year for Alcorn Group. Many new members joined our team, Alcorn Group expanded down into Sydney, featured in the CRN fast 50 and was welcomed into the new Cyber CX partnership. We’re all looking forward to an even bigger year in 2020!
Our team enjoyed many research opportunities this year including experimenting with ATM functionality and exploitation on Alcorn Group owned ATM machines. A password cracking station was also built by our fantastic team.
Alcorn Group would like to thank all of our wonderful clients this year for their continued trust in us.
Happy Holidays from Alcorn Group! Hope you all have a cyber safe and relaxing festive season. See you all in the New Year.
- Data Validation and Sanitisation
Dec 10, 2019
An important component of any application or website that facilitates data exchange between the interface and the user, is trust. Whenever an online application or website allows a user to submit information, there is always the potential that the information submitted could be malicious, corrupt, or otherwise make the application or website behave unexpectedly. Conversely, when an end user consumes data from an online application or website, this too comes with its own associated risks. In order to limit the exposure in both these cases, correct data validation and sanitisation ensures that the data being received by the application can be trusted.
Data validation checks that the information entered into an input field matches what the field is expected to contain. For example, birthdates are DD-MM-YYYY and should only contain numbers. Data sanitisation ensures that this input data does not contain code of any form. Validating and sanitising user input is carried out to ensure that any data entering an information system can be trusted. Without sufficient steps, devices and networks can be left open to attacks, such as Cross-Site Scripting (XSS) and SQL injection.
How is validation and sanitisation performed?
To prevent the injection of unwanted data, fields that require users’ input must accept or reject the input based upon a defined set of rules. A variety of tools and techniques can be used to accomplish this, dependent on the systems and programs in use. This can include defining and enforcing a rigid, expected format for all input fields. For example, all dates must be in DD-MM-YYYY format and only numbers that match the expected range (i.e. 01-12 for months of the year) can be used.
To ensure the security of networks and devices it is imperative that they only accept the input they are designed to receive. Failure to do so can result in anything from applications freezing or crashing, to network compromise or worse. While data validation and sanitisation should not be used as the only form of defence, it is a key method to reduce the impact and severity of attacks. These preventative measures help reduce the vulnerability of systems, and the risk of compromise.
For more information and advice about input validation and sanitisation and its impact on your applications, please get in touch and we’ll be glad to assist.
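The rules described above (a rigid DD-MM-YYYY format with months restricted to 01-12, plus rejection of anything that looks like code) carried through in working form, as an added example that is not code from the post or from Alcorn Group. The name-field rule and the `process_form` helper are assumptions made for the example.

```python
import html
import re
from datetime import date
from typing import Optional, Tuple

# Allowlist pattern for the post's example field: exactly DD-MM-YYYY, digits only.
DATE_PATTERN = re.compile(r"(\d{2})-(\d{2})-(\d{4})")
# Allowlist for a free-text name field (hypothetical rule chosen for this example).
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' \-]{0,63}")


def validate_birthdate(raw: str) -> Optional[date]:
    """Accept a birthdate only if it has the expected shape AND is a real, past calendar date.

    Returns the parsed date, or None when the input must be rejected.
    """
    match = DATE_PATTERN.fullmatch(raw)
    if match is None:
        return None  # wrong shape: letters, markup, extra characters or other separators
    day, month, year = (int(g) for g in match.groups())
    if not 1 <= month <= 12:
        return None  # outside the 01-12 range the post describes
    try:
        parsed = date(year, month, day)  # rejects 31-02-1990, 00-01-1990 and similar
    except ValueError:
        return None
    if parsed > date.today():
        return None  # a birthdate in the future is not plausible
    return parsed


def validate_name(raw: str) -> Optional[str]:
    """Allowlist validation: anything outside the permitted characters is rejected outright."""
    candidate = raw.strip()
    return candidate if NAME_PATTERN.fullmatch(candidate) else None


def sanitise_for_html(value: str) -> str:
    """Output-side step: encode so stored text can never be interpreted as markup when rendered."""
    return html.escape(value, quote=True)


def process_form(fields: dict) -> Tuple[dict, dict]:
    """Run every known field through its rule; unknown fields are silently dropped.

    Returns (clean_values, errors). Nothing reaches clean_values without passing validation.
    """
    rules = {"name": validate_name, "birthdate": validate_birthdate}
    clean, errors = {}, {}
    for field, check in rules.items():
        value = check(str(fields.get(field, "")))
        if value is None:
            errors[field] = "rejected: does not match the expected format"
        else:
            clean[field] = value
    return clean, errors


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one carrying markup in both fields.
    for submission in (
        {"name": "Ada Lovelace", "birthdate": "10-12-1815"},
        {"name": "<script>alert(1)</script>", "birthdate": "15-08-1990<script>"},
    ):
        clean, errors = process_form(submission)
        print({k: sanitise_for_html(str(v)) for k, v in clean.items()}, errors)
```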
- Secure Password Storage
Dec 2, 2019
Creating passwords can sometimes be an agonising task. However, once you have successfully created a strong, complex and unique password, you may need to think about how you are going to store your passwords.
Before talking about secure password storage, we have to first define what insecure password storage is. Generally, the more people who have access to a password, the less secure it is. If anyone beyond the one or two people who should have access can access it, then it is not secure.
What if it is stored in a text file on your computer, or on a piece of paper in your top drawer?
Hackers don’t limit themselves to passwords they find on the Internet or those they crack using tools. Instead, the hacker may not be a faceless stranger living hundreds of kilometres away, it could be someone with access to your computer systems, a colleague in your office, a curious friend, a family member in your home, or a burglar. A text file on your computer may be accessible by someone with physical or remote access to your computer. It is not secure. A piece of paper in your top drawer is accessible to anyone who opens that drawer. It is not secure.
So, what is secure?
There are numerous password managers available, such as KeePass or LastPass. This type of software can be configured to create secure passwords for you, store them in a central repository, and encrypt them so that only a master password, or a hardware authentication device such as a YubiKey, can unlock them. So long as your master password is complex and unique enough, your passwords will generally be more secure.
Offline password managers, such as KeePass, are more secure, but convenience suffers as there is no synchronisation across devices.
Online password managers, such as LastPass, offer greater convenience but have risks associated with using them as the encrypted password data is stored in, and accessible from, multiple locations.
Many password management systems can also be configured to require multi-factor authentication, which can involve the use of a token in conjunction with the master password, to provide an extra layer of security. Using a password management system means that you don’t have to remember passwords for a large number of sites, nor do you have to spend time thinking of new and unique passwords for sites you may not frequent often.
Storing passwords securely is often an afterthought in people’s busy lives. However, with some initial preparation, it can become an easy habit which ensures a more secure first line of defence for your information and accounts.
If you have any questions about secure password storage, or want to know more about setting up a password manager, please reach out to us.
- Alcorn Group Ranked 17th Amongst Australia’s Fastest Growing IT Companies for 2019
Nov 26, 2019
Thursday last week, representatives from Alcorn Group attended the 2019 CRN Fast50 award ceremony in Sydney. The annual award from CRN, now in its 11th year, recognises the top 50 Australian companies with the quickest growth in the Australian IT channel, ranked by year-on-year revenue growth. Alcorn Group’s Peter Menerey and Jessica Williams were in attendance, along with other representatives from some of Australia’s most up-and-coming companies in IT.
CRN is a premium IT business publication which aims to educate, as well as inform on the latest news, emerging trends and products. With sponsorship from a variety of companies including Microsoft, Telstra and Hewlett Packard, CRN undertook a four-month evaluation period, August to November, to evaluate this year’s entrants. Through hard work, a dedication to customer satisfaction, and diligence, Alcorn Group has more than doubled its growth in the last year. Alcorn Group is proud to have been awarded 17th place on its debut at the CRN Fast50 and in turn wishes to recognise the many partners and companies that have made our growth possible.
- Air-gapped networks: Pros, cons, and jumping the air-gap.
Nov 12, 2019
What is Air-Gapping?
Similar to the medical term ‘quarantine’, an air-gapped computer or network is physically separated from other computers or networks. To explain further, an air-gapped computer is not physically or digitally (no Wi-Fi) connected to the Internet, nor to any external device. Air-gapping assumes that every other network or device is a threat in an effort to provide a heightened level of security. For data to move across the air-gap, it needs to be physically transferred using an alternative data storage medium, such as a USB drive. Air-gapped networks are closed systems, with input and output under strict controls.
Air-gapping can be setup in a variety of businesses and government agencies at a reasonably low cost, in terms of infrastructure. So long as the network remains unconnected, it is further protected from malicious actors working externally to the infrastructure. Most frequently, air-gapping is used in environments that deal with classified or highly sensitive information, such as military or government systems, financial systems like stock exchanges, life-critical systems, and industrial control systems.
What’s the catch?
The most obvious downside is that maintaining the air-gapped data can be labour intensive. Manual data transfer may lower productivity, which has a flow-on effect of becoming more expensive to run. Due to the lack of direct connectivity to the Internet, the system won’t automatically receive software updates, including security patches, antivirus updates, and so on, which leaves systems with vulnerabilities that can be leveraged by malicious actors. The installation of updates requires manual data transfer, which has its own risks as discussed in the next section.
In an air-gapped network, no remote connection from the outside world should be available. This can slow down recovery if a fault is affecting operations and an engineer or developer is required to attend to the system as soon as possible. Instead of being able to remotely access the network, they are required to be on-site, affecting recovery times for incidents outside business hours. Once a remote connection program is allowed into a network, it is no longer considered air-gapped and is now potentially accessible to external malicious actors.
Jumping the Air-Gap
The biggest threat to any system is the people who have access to it. Insider threats, such as disgruntled staff members, may seek to disrupt or steal the data that exists within the protected system. However, gaining physical access doesn’t mean the threat has to be in the same room. Instead, sometimes they are able to use the behaviour of other people to gain access to the air-gapped network.
In 2010, the malicious computer worm ‘Stuxnet’ was targeted at air-gapped Iranian nuclear facilities through infected USBs. This malware was specifically crafted to take advantage of a string of zero-day vulnerabilities to infect systems, propagate itself, and look for the system it was designed to target. This was the first in a string of similar malware types (such as ‘Flame’, ‘Duqu’, and more recently, ‘Brutal Kangaroo’), which are crafted to infect every USB plugged into the compromised computer with the expectation that, eventually, one of them would be connected to the air-gapped network.
Once the target system has been infected, data exfiltration methods can extend to properties that are native to the machine, including light and sound (i.e. LEDs and hard drives using Morse code), which can be monitored from a distance. None of this means that air-gapping has lost relevance.
While there are cons to running an air-gapped environment and there are demonstrated ways in which to jump the gap, systems disconnected from the greater world of the Internet remain one of the most secure ways to protect data. Due to the complexity of bypassing the air-gap and exfiltrating data, air-gapping a network is still a valid way for a company to establish a strong layer of defence for sensitive systems or data.
- Samuel Sentongo, Alcorn Group’s NSW Technical Area Manager
Nov 6, 2019
The expansion of the Information Security (InfoSec) industry in recent years has brought with it an increase in demand for skilled and experienced security professionals to provide expert consulting. To address this demand, Alcorn Group, a CyberCX Company, has expanded its presence in Sydney with Samuel Sentongo (pictured), the NSW Technical Area Manager. He is Alcorn Group’s eyes and ears on the ground in NSW, running the daily operations, including onsite testing, rapid response and consulting with our clients in Sydney, as well as working in Business Development. Samuel enjoys the challenge of solving the unique problems that exist in the InfoSec industry, with a penchant for mobile application testing, especially in new and developing areas.
In order to get to know him better, we sat down with Samuel and asked him some questions about his previous experience, the InfoSec industry, and what drives him. Read his responses below: “I have answered candidly, these are my thoughts and my truth.”
Where does your passion for the InfoSec industry stem from and how did you get into the industry?
There was no one light bulb moment that did it for me. My first exposure to the InfoSec industry was through the movie Hackers. I fell in love with the notion of the “genius hacker” but soon found out that there is more to it than that. What is not shown are the hours put in, in the pursuit of ‘genius’. My life took a detour through a Bachelor of Engineering because, at that time, there was no degree for InfoSec, and my parents, who had raised a family of engineers, thought IT was inferior (Thanks Samuel Sentongo Sr). During my time at Multimedia University, I met two lecturers who worked part-time in InfoSec. They encouraged me, brought training to the university at their own cost, and mentored me. I can’t stress the importance of mentors enough in this industry. For my industrial placement internship, I went for an InfoSec job, even though I had only two subjects related to IT in my degree.
My sister told me, “if you have a one in a thousand chance of getting a job, apply 1000 times”, so that’s what I did. I applied to every InfoSec company on earth (I have the proof!). I applied to all of them, whether they had vacancies or not. (I did get some interesting responses which I am saving for my autobiography 😊.) In the end, two people took a chance on me (Sarah Oquist and Saurabh Sarawat) and the rest is history.
What skills are you bringing to the Alcorn Group team? Any unique approaches that you like to take to solve the problems that the industry faces?
Nothing unique here, just plain old fashioned hard work, grit, willingness to learn, a “leave my ego at the door” attitude, admit when I am wrong, perseverance, and getting things done, is what it is all about at the end of the day. I am not a ‘Rockstar hacker’ and I don’t intend to be one.
While the IT industry has a non-typical workplace culture, I am incredibly keen and invested in helping improve the diversity of the people in the industry. I have skin in the game, not just for people of different race or social origin, but also future generations. Women were the first en masse coders, and in Bletchley Park (do your Googles) women constituted 75% of the workforce which was responsible for Britain’s WW2 cryptanalysis effort including breaking the ENIGMA machine.
Where do you see yourself making the biggest impacts for AG, and the industry as a whole?
Alcorn Group has given me the opportunity to be myself, grow the business and set the tone for how things are done in NSW through autonomy, mastery of my skillsets, and purpose. In terms of the industry, I honestly do not know, time will be the judge.
If I focus on my craft, apply myself, be the best version of me I can, and uplift the people/network around me, then I can be a positive influence. If I can speak and live my truth, then, I will kindle ideas, and light the fires that will make the biggest impact. We always have to question the world around us and challenge thoughts, to grow both as a person, and as a business.
I want to help Alcorn Group to nurture crazy ideas that actually work and make breakthroughs in the industry. Whether a product that is new on the market (insert buzzword here), or a new way of doing business, and adding value for the customer. Alcorn Group aspires to be a place of innovation, coming up with ideas and breakthroughs, while commercialising them at the same time. Alcorn Group has the aspirations to be the employer of choice. This can be done by growing the pipeline of talent and being the ambassador for a place where difference of opinion, and diversity of thought is celebrated, not just tolerated.
What are your passions outside of the office?
Outside of the office, I spend most of my time in the gym or going out with friends. I like to try something new every quarter: last time it was acting and improv, before that rowing, but now I am signing up for Spanish classes, as well as getting back into swimming with the change in the weather. Doing things that scare me is the name of the game and you can only grow once you are outside of your comfort zone. The next new thing I want to practice is meditation and mindfulness.
Having a dedicated Sydney team allows Alcorn Group to have greater onsite utilisation and reduces response time for onsite requests. With his attitude and grit, towards learning and working, not only is Samuel successfully chasing his dream, he is also constantly proving he is a valuable asset to clients, to team members, and to Alcorn Group. By providing a unique and tailored service to clients, Alcorn Group is able to help NSW government departments and companies alike, improve their security maturity and position.
Oct 27, 2019
Deepfakes are video and/or audio that have been altered to misrepresent reality, most often by using the face of a famous person doing or saying something that they did not. While having roots in the very late 20th century, it is only recently that the sophistication of deepfakes has progressed to photorealistic levels. It was not until a 2017 report in Vice magazine that the wider mainstream media picked up on the phenomenon.
In the very short amount of time since that initial report, the machine learning technology deepfakes employ has moved at breakneck speed. Algorithmic face-swaps which, in 2017, required hundreds of images and many days of processing have recently been accomplished with a single image and within seconds.
Samsung’s research department has recently developed a new technique where, in place of training the algorithm to fix one face onto another using a collection of expressions from one individual, the new algorithm uses facial structures that are shared by the majority of people to puppeteer a new face. In this fashion, the Samsung researchers have been able to animate pictures and paintings, such as the Mona Lisa.
Attempts to have a machine give an audibly realistic reading from text have been the goal of many. Numerous companies, across industries, are invested in this research, including tech giants, game companies and navigational software providers. Producing realistic audio clips capable of ‘bringing the dead to life’, or taking existing samples of real people and having them ‘read’ text, has been around since the start of the century and has only become more believable and more accurate.
Even with technology bounding ahead, low-tech techniques such as slowed-down video or splicing audio snippets, labelled as ‘cheapfake’ or even ‘dumbfake’, which are easy to make with real content being ‘doctored’, can still be found entering the media.
The danger deepfakes pose as a disinformation tool is a major concern to many and has yet to be addressed from a legislative standpoint. Deepfakes have become a pervasive, international sensation, but platform moderation and legislation have failed to keep up, instead relying on the interpretation of existing codes such as those present for identity theft, cyberstalking and revenge videos.
Now that the technology has moved along, the cost and ease of producing a deepfake video is trivial. The cost of recognising deepfake videos, on the other hand, grows with the increasing difficulty involved to identify them. Since humans are quite poor at being able to recognise forgeries, it becomes more imperative that digital solutions be developed. These programs can utilise a range of techniques, although what works in one instance may not work on the next. One of the most promising tools looks at the target’s mouth. While various parts of the film may or may not be faked, the mouth is nearly always altered, to fit the audio, and ‘tells’ may be more obvious. Unfortunately, this tool remains far from accurate and requires further development before it can be used with accuracy.
Into the future
While laws may come into place that target deepfakes specifically, they are more likely to fall under the umbrella of current legislation. It could be expected that with the technology to create deepfakes getting ever cheaper, more realistic and harder to detect by consumers, that media industries will embrace the techniques. ‘Hiring’ separate faces, voices and movement actors that fit a role more fully than that capable by a single individual will be too hard to pass up, especially if it works out to be increasingly lucrative. The higher the proliferation of deepfakes, the more cybersecurity measures, such as detection tools and algorithms, will need to be brought to bear on the issue. At this point in time there are limited technologies available, although that is unlikely to remain the case for long if an initiative from Facebook and Microsoft called the Deepfake Detection Challenge bears fruit.
- Drupal Applications and Web Crawlers
Oct 22, 2019
Many companies that are looking to establish a digital presence create a website which customers can access and interact with to learn more about the business. However, externally accessible IT assets have the potential of presenting security risks to these organisations. In order to better assist organisations’ understanding of potential security risks, Alcorn Group have recently conducted research into the detection of application fingerprinting for a common application framework, Drupal.
Drupal is an open source Content Management System (CMS) designed to support the development of web applications stored on remote servers, which deliver content through a browser interface. Many companies use Drupal to create customised web applications for user account creation and management, as well as content delivery. Drupal is the 4th most popular open source CMS in Australia and has over 9000 customers. Overall, it is known for its stability and security; however, like many other Content Management Systems, there are several known vulnerabilities within versions of the CMS which can be exploited.
How Attackers May Exploit Drupal
Attackers often employ automated tools to crawl the internet for sites which meet certain conditions that can be exploited. By further fingerprinting vulnerable web applications, an attacker can determine which known exploits can be used. Depending on the content within the application and its functionality, web applications can expose user information, company documentation, staff information, or other personally identifiable information.
Why is Logging and Monitoring Important?
The source of an attack can be quite difficult, or near impossible to determine if no logging occurs. A lack of logging and monitoring also contributes to attacks being unnoticed for extended periods of time. Consequently, an attacker’s presence may persist during this time, with access to the information available within the application, such as user data. Additionally, there are liability risks associated with companies who fail to effectively control and mitigate these risks. To combat this, it is possible to use logging and monitoring tools to capture all requests made to an application. However, this often creates large files filled with information that may or may not be useful in identifying malicious behaviour.
What Can be Done?
Due to the difficulties associated with manually logging and monitoring all traffic requesting responses from a single web application, it is important to use a centralised system to ensure nothing is missed. A centralised logging server gathers logs in a single location for further assessment, while also helping to prevent logs from being altered should the originating system be compromised. Centralised logging typically improves the overall security posture of an organisation, as it not only assists with identifying network activity, but allows ‘normal’ traffic to be identified. This in turn aids in identifying any abnormalities when they occur. Additionally, centralised logging increases the integrity of data logged by ensuring a complete history of logs exists, which is a crucial part of a mature Incident Response process.
How to Detect
The use of centralised logging ensures a convenient single location where logs for numerous devices can be monitored and assessed. For example, the Elastic Stack, or ELK Stack, is a combination of three open source projects which take log data from any source and allow the user to search, visualise, and analyse the data in real time. By monitoring the incoming request data using Elastic Stack, an organisation can find unusual activity on their network, diagnose errors, and recover from attacks.
Overall, centralised logging to an external logging system, combined with after-hours alerting and monitoring, ensures that a robust and complete log history can be captured and maintained. A follow up blog post will dive into the research conducted by Alcorn Group in identifying Drupal scans using the ELK Stack.
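One way the centralised request logs described above can be put to work, as an added example that is not from the post and is not Alcorn Group’s own research: it parses constructed combined-format access-log lines (addresses, paths and user agents are invented for the example) and flags a client that requests many distinct, mostly non-existent paths within a short window, the trace an automated fingerprinting crawler leaves behind. The thresholds are assumptions to be tuned against a site’s own ‘normal’ traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size, referrer, agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one ordinary visitor and one client probing for files that do not exist.
# Addresses, paths and user agents are invented for this example.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2019:02:14:01 +1000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11)"',
    '203.0.113.7 - - [22/Oct/2019:02:14:09 +1000] "GET /about HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (X11)"',
    '203.0.113.7 - - [22/Oct/2019:02:14:20 +1000] "GET /contact HTTP/1.1" 404 312 "-" "Mozilla/5.0 (X11)"',
    '198.51.100.9 - - [22/Oct/2019:02:14:03 +1000] "GET / HTTP/1.1" 200 5123 "-" "scan-bot/1.0"',
] + [
    f'198.51.100.9 - - [22/Oct/2019:02:14:{3 + i:02d} +1000] "GET /probe-{i}.txt HTTP/1.1" '
    f'404 312 "-" "scan-bot/1.0"'
    for i in range(1, 10)
]


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped, not fatal."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%d/%b/%Y:%H:%M:%S %z")
    record["status"] = int(record["status"])
    return record


def find_fingerprint_scans(lines, window_seconds=60, min_requests=8,
                           min_not_found_ratio=0.5, min_distinct_paths=6):
    """Flag clients whose requests inside a sliding time window look like automated probing.

    Heuristic (assumed thresholds): within `window_seconds`, at least `min_requests` requests,
    at least `min_distinct_paths` different paths, and at least `min_not_found_ratio` of them
    answered 404. Ordinary visitors follow links that exist; scanners guess paths that do not.
    Returns {client_ip: details} describing the last qualifying window seen per client.
    """
    by_client = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record is not None:
            by_client[record["ip"]].append(record)

    alerts = {}
    for ip, records in by_client.items():
        records.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(records)):
            # Advance the window start until the window fits inside window_seconds.
            while (records[end]["ts"] - records[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = records[start:end + 1]
            if len(window) < min_requests:
                continue
            not_found = sum(1 for r in window if r["status"] == 404)
            distinct_paths = {r["path"] for r in window}
            if (not_found / len(window) >= min_not_found_ratio
                    and len(distinct_paths) >= min_distinct_paths):
                alerts[ip] = {
                    "requests": len(window),
                    "not_found": not_found,
                    "distinct_paths": len(distinct_paths),
                    "user_agent": window[-1]["ua"],
                    "first_seen": window[0]["ts"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for client, details in find_fingerprint_scans(SAMPLE_LOG).items():
        print(f"possible fingerprinting scan from {client}: {details}")
```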
- Data Protection and Privacy at the FACCI 2019 Schneider Electric National Innovation Business Forum
Oct 21, 2019
Held across five cities, the FACCI 2019 Schneider Electric Business Forum brought together thought leaders from French and Australian companies to discuss their unique perspectives on problems faced within their organisations. Topics included sustainability, Artificial Intelligence, digitalisation, business ethics, diversity, data breaches, and litigation risk.
Alcorn Group CEO, Wade Alcorn took part in the Data Protection & Privacy panel which explored the importance of resilience, governance, training, awareness, and ethics within the space. A central theme of this panel discussed how organisations can build and maintain consumer trust in how their data is protected and shared, as well as ensuring transparency, should a data breach occur.
If you’d like to know more about data privacy laws and how recent changes may impact your business, please call 1300 368 806.
- Alcorn Group Joins CyberCX - Australia's Greatest Force in Cyber Security
Oct 17, 2019
Alcorn Group is excited to announce the launch of CyberCX, bringing together Australia’s best cyber security skills and people. We are excited to be a part of the foundation of this new group, and about the extended range of customers and projects we will now be working to enhance our skills and service offerings.
CyberCX will be led by one of Australia’s most experienced technology industry executives, John Paitaridis, and former National Cyber Security Adviser, Alastair MacGibbon, who will play a critical role in CyberCX as Chief Strategy Officer. Offering the most comprehensive cyber capability in Australia, CyberCX will provide a full range of cyber security services: consulting and advisory; risk and compliance; security assurance; integration and engineering; training and education; incident response and digital forensics; and managed security services. Please reach out if you would like to learn more, or discuss this opportunity further at [email protected].
- It Also Runs Doom
Oct 15, 2019
While conducting research into ATM functionality and exploitation, Alcorn Group staff have confirmed that Doom (1993) can indeed run on the machine.
Since the release of the original source code by publisher id Software in 1997, the legendary first-person shooter Doom has been ported to a myriad of devices by fans, including a Kodak digital camera, an LED billboard, a Siglent SSA 3021X Spectrum Analyser, and so on. While some devices can natively run the code, porting Doom often involves exploiting device firmware. This regularly serves as an incentive for research into device exploitation, and similarly provides a benchmark for further research within Alcorn Group into ATM vulnerabilities.
- OWASP Training Workshop Opportunities
Oct 11, 2019
Hey there Brisbane!
If you have ever wondered how security professionals hack into your web applications, then this workshop is ideal for you. The techniques covered in this workshop can be immediately implemented to increase the security of your organisation. This one-day training is an instructor-led workshop aimed to improve your ability to find vulnerabilities in web applications and web services. The workshop covers the process of hacking a web application, from the initial mapping and analysis, probing for common vulnerabilities to exploitation techniques.
You won’t need vast security knowledge, just a basic technical background and a readiness to learn. Ideally, you should have a basic knowledge of networking and how web applications work. An understanding of one or more languages and frameworks such as PHP, JSP, ASP, and ASP.NET is an advantage.
Sound like something you’d be interested in? Have a bit of free time on the 30th of Oct? Would you like to convince your boss to give you some time away from the office? Send us an email at [email protected] or call on 07 3556 9297 for more information.
- Consequences of Improper Data Destruction
Oct 2, 2019
What is Data Destruction?
It is the intentional, permanent and irrevocable removal of data. Specifically, digital data stored on memory storage devices, which include data storage, mobile devices, and Internet of Things (IoT) devices. If the data is not properly cleansed then personal and/or confidential information such as photos, company documents, emails, invoices, and passwords can be recovered.
Why is it Necessary?
Data management and destruction decisions occur throughout the information life cycle. Data destruction is a fundamental part of a holistic and mature approach to governing information, and paramount in preventing sensitive data from being accessed by unauthorised persons. Although data has a high value in most businesses, it also has an ongoing maintenance cost and may be subject to policies that necessitate destruction. Studies conducted within the field of media and data recovery demonstrate how easily data can be retrieved, even after efforts have been made to cleanse the storage device. While some cases of unwanted recovery of data occur when a device is lost, a larger number of instances can be attributed to the improper disposal of data due to inadequate cleansing.
Improper Data Destruction
With a multitude of brands and devices offering data destruction services to the end user, it is unsurprising that users may make misinformed decisions on the disposal of data. Two of the most popular and misunderstood options, which do not result in data erasure, are formatting and factory reset. These methods are primarily used for preparing new devices for use; however, they always leave recoverable files, as only metadata (which points to the location of data) is removed. Information left behind after attempted destruction is known as data remanence, which can cause unintentional leaks of sensitive information. There are many common ways to recover data, such as simply restoring a file from the recycle bin, or using programs to identify files that can be ‘found’ through signature-based analysis, which recognises common file formats. Data on magnetic media can also be retrieved if it is overwritten only once, by direct observation with an electron microscope.
Proper Data Destruction
There are three common methods of data destruction that are more permanent:
Data Erasure - The process of overwriting data to reduce the likelihood of its retrieval from a storage device. There are physical methods for magnetic media, such as degaussing (applying strong magnetic fields to disrupt stored data) and heating (bringing the disk above the Curie point, where it becomes non-magnetic). Data erasure can also be achieved using software, which writes random, empty, or patterned data in order to destroy any evidence of the original data.
Cryptographic Erasure - Where strong full-disk encryption (FDE) has been used to guard the contents of a storage device, this method erases the key material which could be used to decrypt the data. Once the key material is securely erased, the data stored on the encrypted volume is no longer able to be read.
Physical Destruction - The process of physically shredding hard drives, smartphones, printers, laptops and other storage media into tiny pieces, making it extremely difficult, if not impossible to re-assemble.
It is worth considering the value of information stored on personal and professional devices over their operating life. Choosing an appropriate disposal method to protect that data should be part of the documented life cycle of these devices. At an organisational level, appropriate policies on data storage, encryption, retention and destruction should be implemented. This can aid in mitigating the high costs associated with data breaches such as loss of customer trust, breach of regulation, financial loss, and other preventable occurrences.
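The two claims made earlier, that formatting removes only the metadata pointing at the data and that software data erasure works by overwriting the blocks themselves, illustrated with an added example that is not from the post: a toy block device with a separate allocation table, a signature-based carver that looks for the genuine PDF header, and an overwrite pass. The disk layout and the document are constructed for the example.

```python
import os

BLOCK_SIZE = 64   # bytes per block; small so the whole "disk" is easy to inspect
BLOCK_COUNT = 32

# Constructed document for the example; "%PDF-" is the genuine PDF file signature.
SAMPLE_DOCUMENT = b"%PDF-1.4 constructed test invoice: total AUD 1,234.00 " * 2
PDF_SIGNATURE = b"%PDF-"


class SimulatedDisk:
    """Toy block device: data blocks plus a separate allocation table playing the file-system metadata."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.table = {}                       # filename -> (block indices, length)
        self.free = list(range(BLOCK_COUNT))  # contiguous allocation, lowest free block first

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        indices = [self.free.pop(0) for _ in range(needed)]
        for n, idx in enumerate(indices):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.blocks[idx * BLOCK_SIZE:idx * BLOCK_SIZE + len(chunk)] = chunk
        self.table[name] = (indices, len(data))

    def read_file(self, name):
        indices, length = self.table[name]
        raw = b"".join(bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) for i in indices)
        return raw[:length]

    def quick_format(self):
        """What 'format' and 'factory reset' typically do: forget the table, leave the blocks alone."""
        self.table = {}
        self.free = list(range(BLOCK_COUNT))

    def overwrite_erase(self, passes=3):
        """Software data erasure: overwrite every block with random and patterned data, then format."""
        for n in range(passes):
            fill = os.urandom(len(self.blocks)) if n % 2 == 0 else bytes(len(self.blocks))
            self.blocks[:] = fill
        self.quick_format()


def carve(disk, signature, max_blocks=4):
    """Signature-based recovery: ignore the table and scan every block start for a known header.

    Assumes files were stored contiguously and stops at the first never-written (all-zero) block.
    """
    recovered = []
    for idx in range(BLOCK_COUNT):
        start = idx * BLOCK_SIZE
        if disk.blocks[start:start + len(signature)] != signature:
            continue
        data = bytearray()
        for j in range(idx, min(idx + max_blocks, BLOCK_COUNT)):
            block = disk.blocks[j * BLOCK_SIZE:(j + 1) * BLOCK_SIZE]
            if j != idx and not any(block):
                break
            data += block
        recovered.append(bytes(data).rstrip(b"\x00"))
    return recovered


def demonstrate():
    """Return (recoverable_after_format, recoverable_after_erase) for the sample document."""
    disk = SimulatedDisk()
    disk.write_file("invoice.pdf", SAMPLE_DOCUMENT)
    disk.quick_format()                                            # gone from the directory listing...
    after_format = SAMPLE_DOCUMENT in carve(disk, PDF_SIGNATURE)   # ...but carving finds it intact
    disk.overwrite_erase()
    after_erase = SAMPLE_DOCUMENT in carve(disk, PDF_SIGNATURE)    # nothing left to carve
    return after_format, after_erase


if __name__ == "__main__":
    print("recoverable after quick format: %s, after overwrite erase: %s" % demonstrate())
```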
Alcorn Group has experience in a range of governance, risk and compliance services including conducting reviews of data management policies to aid in mitigating these risks.
- Threat Intelligence Service with Alcorn Group
Sep 18, 2019
Here at Alcorn Group, we pride ourselves on consistently delivering high-quality products to all our clientele. Threat intelligence can prepare, prevent and identify threats which look to take advantage of any organisation. This is accomplished by keeping organisations informed and up-to-date on new and existing threats, which in turn reduces overall threat activity, lowers risk, and capitalises on security expenditure.
What is Threat Intelligence?
Cyber threat intelligence is evidence-based knowledge, inclusive of details of the circumstances, known malicious processes, general symptoms, and action-oriented advice about existing or emerging threats to assets. The key areas of information collection require exploration and analysis through rigorous and structured techniques; this gives the consumer vast quantities of information which promotes accurate and relevant intelligence.
Why You Need Threat Intelligence
A threat intelligence service delivers an improved defensive posture, helps to protect against zero day threats, lowers risk, reduces reaction times and gets the most out of security expenditures. With Alcorn Group’s considerable human resources focused on these crucial concerns, our clients can realise increased savings in financial and human capital while having enhanced security measures in place.
What is Threat Intelligence Used for?
Threat intelligence gives context around security issues that helps with informed decision making. Knowledge gained through threat intelligence is used to prevent, discover, and navigate incidents of data loss or network compromise. The information can also be scrutinised to supply further context for threat analysis (i.e. who is attacking and why), data investigation (identifying issues) and uncovering malicious activity on networks. In the event that malicious activity on a network is discovered, expertise can be focused to bolster security incident response capabilities.
What Does a Threat Intelligence Service Provide?
Good data governance involves having a security profile, which is a set of rights and restrictions associated with particular users. The profile determines the actions such as viewing, creating and modifying that a user can perform. An Intelligence service assists in enforcing the security profile of an organisation, identifying deviations in the profile and contributes to:
- Providing additional context and relevance to threats, which can assist in attribution.
- Allowing for informed decision-making during, and after, security incidents.
- Enabling a proactive operational security capability.
- Augmenting detection of sophisticated vulnerabilities within the organisation.
- Empowering organisations to develop a proactive security posture and assisting in developing overall risk management policies.
How is a Threat Intelligence Service Conducted?
The service will look at the internal and external aspects that are relevant to the client using, among other tools, cyber threat diagnostics. To build a profile of the client, internal intelligence is employed to highlight areas of focus and provide specific information into the external monitoring component. Internal threat intelligence is appropriate for detecting insider threats such as rogue employees.
External sources of intelligence that Alcorn Group uses include:
- Publicly available threat feeds (paid and free services).
- Closed threat feeds from partner organisations, including other security providers.
- Information gathered by Alcorn Group consultants using:
  - OSINT (open source intelligence)
  - SOCMINT (social media intelligence)
  - HUMINT (human intelligence)
If you would like to know more about the threat intelligence services offered by Alcorn Group and how they can help your business, please call 1300 368 806.
- Multi-Factor Authentication for Beginners
Sep 5, 2019
Multi-factor authentication (MFA) refers to using two or more independent credentials to prove the identity of a user. It decreases the likelihood of accounts being stolen as it increases the difficulty of authentication. Many applications and accounts use protections based upon the following three stages:
- Identification – how a user is identified, typically through a username.
- Authentication – how a user proves their identity, typically through something they know, something they own, or something they are.
- Authorisation – the set of activities that the user is allowed to perform.
Multi-factor authentication focuses on increasing the strength of the authentication stage, which can be verified by the following factors: Something the user knows, something the user owns, or something the user is.
Something the User Knows
This may be a password or a PIN that the user remembers. It can also be the answer to a ‘secret’ question, such as, “What is your father’s middle name?”
Something the User Owns
This may be a mobile phone number, a swipe card or fob, a bank card, a USB key generator, or a token generator.
Something the User is
This is usually something that is biometric in nature, such as a fingerprint, retinal image, or voice.
So Why Use Multi-factor Authentication?
Combining two different factors of authentication increases the assurance of a legitimate user’s request for access as they have to declare multiple unique identifiers. This makes it harder for an attacker to authenticate as a legitimate user as they must have access to more information and/or items owned by the user.
In May this year, Google posted statistics (read here) based on multi-factor authentication, where they found “On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
An article posted by Alex Weinert (read here), the Group Program Manager for Identity Security and Protection at Microsoft, puts forward that “… your account is more than 99.9% less likely to be compromised if you use MFA.” In the article, Alex encourages everyone to go turn on MFA, stating that once an attacker gains access to your password, “…the attacker must try logging in with the compromised password, and at that point MFA is your safeguard”.
Alcorn Group recommends that administrative actions should always pass through at least one multi-factor authentication process. At a minimum, multi-factor authentication should be implemented as part of remote access to Internet accessible systems.
- Women in Security 2019 Conference & Awards
Aug 21, 2019
“Making it about their work, not their gender”
CSO and the Australian Women in Security Network (AWSN) have partnered together to recognise and honour the accomplishments of talented and influential women within the security industry. The Women in Security 2019 Conference & Awards, held in early September, gives these women the spotlight to share their contributions, accomplishments, and motivations within the industry.
Amongst the candidates is one of Alcorn Group’s staff members, Jessica Williams. Jessica has been nominated for three awards: ‘Best Student Security Leader’, ‘Best Volunteer’, and ‘The One To Watch’. While studying computer science at Queensland University of Technology (QUT), Jessica has been actively engaging within the information security industry. Jessica leads the AWSN Cadets Brisbane Chapter and is a committee member for QUT White Hats. She presented at the Australian Information Security Association’s (AISA) Brisbane branch event this week. Here, she spoke about the challenges involved in bridging the gap between being a student and becoming a security professional.
The 2019 Women in Security awards provide a much-needed opportunity to celebrate women who have made, or continue to make, an impact in the security industry.
- Learning, Research, and Development at BlackHat Conference
Aug 7, 2019
A handful of Alcorn Group’s consultants are currently attending the annual BlackHat Conference held in Las Vegas. BlackHat provides industry professionals and enthusiasts alike with invaluable insight into current and future technologies. Our team are actively engaging with technical training featuring the latest research and development within the Information Security field.
One of Alcorn Group’s key drivers is to provide opportunities for training, research, and development of our team members, building upon existing knowledge and developing skills for the future. This investment in our team allows for flexible career growth and added value to our clients.
BlackHat features renowned speakers from across the Information Security industry presenting in a vendor-neutral environment and covering many topics. These include offensive security, remote attacks, malware, enterprise environment security, attacking and defending cloud environments, and more. The training sessions which accompany these talks provide hands-on opportunities to develop practical skills within relevant and upcoming fields of Information Security.
In addition to refining the set of skills required to simulate malicious attackers in real-world scenarios, this conference provides our team with an opportunity to develop further insight into the various issues currently faced by companies worldwide.
- How Alcorn Group Cracks Passwords
Jul 24, 2019
In recent years, there has been an increase in data breaches affecting upwards of hundreds of millions of users each time a company is compromised, some of which have been due to weak passwords. You may be inclined to believe that a sophisticated and experienced hacker is responsible for these events. However, with the appropriate hardware being utilised, password ‘crackers’ can run automatically, tasked with revealing passwords.
Alcorn Group’s Password Hash Cracker
Here at Alcorn Group, we have built a computer system specifically for performing brute-force attacks and cracking password hashes. The system is utilised by our security consultants to attempt to crack any hashes accessed during engagements. More commonly, it is used on Red Team engagements when the consultant can access and retrieve user hashes from Active Directory. The components utilised for this system build are listed below, consisting of off-the-shelf hardware:
- Intel i5 CPU
- 32GB RAM
- Gigabyte H110-D3A (Bitcoin Mining) Motherboard
- Corsair AX1600i Power supply (running at capacity)
- 4 x Gigabyte GeForce RTX 2080TI’s
- 1 x Asus Geforce GTX 1080
- 1 x Asus GTX 960
- 6 x PCI-E USB3.0 Risers
- Hydra III 8 GPU Case
As a result of the enormous computational power this system offers, it is capable of running through every possible 8-character long NT LAN Manager (NTLM) password hash within five and a half hours, as demonstrated below:
However, by adding only one additional character to the password (9-characters) it took approximately 100 times longer to crack, a total of 21 days and 13 hours:
These statistics show just how important length is when choosing a password. Each additional character multiplies the number of candidates by the size of the character set, so the time needed to exhaust the keyspace grows exponentially with length.
How Can You Secure Your Password?
While password security and complexity requirements can be written into the code of the application, the responsibility of maintaining a secure password falls to every individual user. To limit the chances that your passwords will be cracked, the National Institute of Standards and Technology (NIST) offers the following guidelines for password complexity:
- An eight-character minimum and 64-character maximum length
- The ability to use all special characters but no special requirement to use them
- Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
- Restrict context specific passwords (e.g. the name of the site, etc.)
- Restrict commonly used passwords (e.g. P@ssw0rd, etc.)
- Restrict passwords obtained from previous breach corpora
For additional protection, it is also highly recommended that the following are taken into consideration:
- Avoid context-specific words. For example, if you work as a Corrections Officer, avoid using the word ‘Officer’.
- Avoid words found in a dictionary. Common words from dictionaries are frequently tried first.
- Use passwords in conjunction with Multi-Factor Authentication (MFA), biometrics, or single sign-on (SSO) systems.
- Avoid reusing passwords across different services to reduce the chance of compromise on multiple accounts.
- Consider using passphrases instead of passwords. A passphrase is made up of multiple words which form a memorable phrase that is not easily guessed, and is an easy way to increase length.
Good password hygiene is the key to ensuring that your systems are secured. The more complex and difficult to guess your password is, the safer it is from malicious attackers and their tools. One method of ensuring this is to utilise a password management tool. Password management tools are easily available and are a quick and safer method for keeping all your passwords in one secure place. By combining a strong, long passphrase to gain access to the tool, local encryption of passwords, and a built-in password generator that can generate strong, unique and long passwords for you automatically, your passwords will become far safer without the need to memorise all of them.
What is a Password Hash?
Successful password cracking depends heavily on the robustness of an application’s password security mechanisms. Storing passwords securely is essential when developing new infrastructure or applications and helps protect against data breaches; however, it is often overlooked. Hashing passwords is a common approach to achieving this extra layer of security.
A hash is a one-way function that generates a representation of data (in this case, a password) by mapping input of any size to a fixed-length output. For example, when a user signs up for an account, the chosen password is stored as the generated hash, rather than the actual characters that the user typed. When the user attempts to log in with their password, the entered password is passed through the same hash function and then compared to what is stored in the application’s database. If the two hashes are the same, the user is granted access to the application. This method offers an alternative to storing passwords in plain text, adding extra work for a malicious attacker if the stored values were ever retrieved during a data breach.
What is a Brute Force Attack?
Hashing a password is not enough protection to stop a malicious attacker, as brute-force attacks can be conducted with an appropriate degree of computational power. Brute-force attacks can be used to crack passwords by running a program that calculates each and every possible password combination, hashing it before comparing it to the hashed password that is being cracked. Once the two hashes have been matched, the password is known, or cracked.
What is Salting?
To assist in combating password cracking, hashes can be ‘Salted’. Salting is an additional layer of protection where a unique value is added to a password before it is hashed, creating a different hash value. Hash functions are designed in such a way that the slightest change to the input (the password to be hashed) drastically affects the output. Therefore, salting a password prior to hashing it complicates the password cracking process. The malicious attacker would require the unique salt value for that particular password in addition to the password hash to retrieve the password.
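As an added example (not Alcorn Group's code or cracking rig) tying together the 8- versus 9-character figures above and the salting discussion: the first part works through the keyspace arithmetic assuming a 95-character printable-ASCII set, and the second shows a salted, slow hash beside an unsalted fast one. The sample passwords, the 600,000-iteration work factor and the use of SHA-256 as a stand-in for NTLM's MD4 are all assumptions made for the example.

```python
"""Added example, not Alcorn Group's code: keyspace arithmetic behind the
8- vs 9-character NTLM figures, and salted slow hashing beside an unsalted
fast hash. All constants and sample passwords below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Part 1: how much harder one extra character makes exhaustive search.
PRINTABLE_ASCII = 95      # assumption: candidates drawn from all printable ASCII
EIGHT_CHAR_HOURS = 5.5    # figure from the post: full 8-char NTLM space in 5.5 h


def keyspace(length: int, charset_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def growth_factor(shorter: int, longer: int, charset_size: int = PRINTABLE_ASCII) -> int:
    """How many times larger the keyspace becomes going from `shorter` to `longer`."""
    return keyspace(longer, charset_size) // keyspace(shorter, charset_size)


def implied_hash_rate(hours: float, length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Hashes per second a rig must sustain to exhaust `length` chars in `hours`."""
    return keyspace(length, charset_size) / (hours * 3600.0)


def hours_to_exhaust(length: int, rate: float, charset_size: int = PRINTABLE_ASCII) -> float:
    """Worst-case hours to try every `length`-character candidate at `rate` H/s.
    From the post's 5.5 h for 8 chars this gives roughly 21.8 days for 9 chars,
    close to the 21 days 13 hours the post reports."""
    return keyspace(length, charset_size) / rate / 3600.0


# Part 2: unsalted fast hash (lookup-table friendly) vs salted slow hash.
PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP figure for PBKDF2-HMAC-SHA256


def fast_unsalted(password: str) -> str:
    """Stand-in for a fast, unsalted hash. NTLM is MD4 over UTF-16LE; SHA-256 is
    used here only so the example runs without OpenSSL's legacy provider."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(common_passwords: List[str]) -> Dict[str, str]:
    """Precompute hash -> password once; reusable against any unsalted store."""
    return {fast_unsalted(p): p for p in common_passwords}


def lookup(target_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Constant-time-per-entry table hit: no hashing needed at lookup time."""
    return table.get(target_hash)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt + PBKDF2; returns (salt, digest) to be stored together."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    rate = implied_hash_rate(EIGHT_CHAR_HOURS, 8)
    print(f"9-char space is {growth_factor(8, 9)}x the 8-char space")
    print(f"implied rate {rate:.3g} H/s -> 9 chars in {hours_to_exhaust(9, rate) / 24:.1f} days")

    # Constructed sample: a user whose password appears in a common-password list.
    common = ["password", "P@ssw0rd", "Summer2019", "letmein"]  # constructed list
    table = build_lookup_table(common)
    print("unsalted store, table hit:", lookup(fast_unsalted("Summer2019"), table))
    salt_a, digest_a = hash_password("Summer2019")
    salt_b, digest_b = hash_password("Summer2019")
    print("same password, two salts, same digest?", digest_a == digest_b)
    print("verify with stored salt:", verify_password("Summer2019", salt_a, digest_a))
```

One caveat worth keeping in mind: the salt is stored beside the hash and is not a secret; its protection comes from making a precomputed table useless and forcing each account to be attacked separately, while the slow hash makes each of those attempts expensive.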
Alcorn Group is committed to continual investment in password security. We will continue to utilise hardware such as our password hash cracker during engagements in order to crack simple passwords, educating our clients on the importance of password security.
- Red Teaming Stories: How Secure is Your Swipe Card?
Jul 17, 2019
Entering your office building in the morning is generally an effortless task. Business operations continue throughout the day uninterrupted, knowing that the premises are secured by multiple layers of authorisation required for entry. These systems ensure that only select personnel may enter, with that trust typically represented by an access card, fob, or token associated with the individual. These small items grant the user what is highly sought after by any malicious attacker - privileged access.
These devices typically use Radio Frequency Identification (RFID), a form of contactless authentication which can permit or deny physical access to specific locations. RFID readers are usually located on the outside of a building, on a doorway, or within an elevator, and are widely used within offices as well as government buildings. To work correctly, an RFID reader has an antenna coiled inside of it, sending out radio signals searching for cards or devices that enter within its range. Once inside this range, the RFID device is energised and responds with the device’s credentials, including a unique identifier. The reader then sends this information electronically to a command station, which approves or denies the user.
While other security measures are normally paired with this system (such as physical security, manually gated access, security cameras, or elevator restrictions to user access levels), the overall security of the organisation is only as strong as its weakest point. Malicious attackers will continuously look for holes within the overall security of an organisation. Focus is placed on elements in isolation, particularly on identifying any overlooked element, no matter how small. For example, an entry point with swipe card access but no additional security monitoring provides an opportunity to perform reconnaissance on the RFID system, as well as any additional requirements needed for entry.
Through observing door traffic, an attacker may identify a target who has access to an entry point of interest and make attempts to clone their card. This is not always a straightforward process and often requires multiple attempts. Due to the low first-time success rate, an attacker may have to loiter outside of the building and make attempts to clone multiple people’s cards. This increases the likelihood that physical security management and staff are able to thwart these cloning attempts as they are trained in identifying people who do not belong, or who are exhibiting abnormal behaviour. However, if an attacker is successful in cloning a card, they have gained privileged access.
Powered by a concealable battery, the card cloning device can capture and decode data, running a wireless access point for a secondary device to connect to. This secondary device attaches to a commercial card reader, allowing data to be written to a blank card. Once the device is turned on, it can pick up any RFID card within its range of approximately 0-40cm, depending on the strength of the signal. This makes card cloning difficult to detect, as physical proximity is standard in crowded places such as public transport, organised seating, and elevators. In addition, many people store their building passes in accessible areas, such as around their necks or on their hips, allowing for cloning to occur inconspicuously.
Alcorn Group’s Red Team methodology involves consultants simulating a malicious attacker, sometimes using this specific method to gain unauthorised access to the target organisation’s physical premises. One of our senior consultants has created a ‘weaponised’ RFID card reader, which allows RFID-enabled tokens to be wirelessly cloned in the field. This gadget, like others of its kind, can be used by security testing teams to assess a facility’s exposure to these sorts of attacks.
Multiple layers of physical security controls as well as security awareness training are key to ensuring your organisation can effectively prevent unauthorised physical access. In support of all employees remaining vigilant to security control weaknesses, all employees should be aware of the physical and environmental controls protecting their company’s premises. This should include awareness training on tailgating, as well as vetting visitors and always having them escorted around the premises. It is important to layer security measures across all entry points of a premises by pairing active security cameras with all swipe access entry points. In addition, where active security patrols are adopted, these should follow a hard-to-predict patrol schedule. Additional training for physical security management and staff should involve awareness of this type of threat, as well as knowledge of the procedures to follow when incidents of this nature are reported to them. RFID blocking card holders are also a useful tool to deter malicious attackers from swiping valid credentials.
- How Alcorn Group Guarantees High-Quality Technical Deliverables Every Time
Jul 9, 2019
Here at Alcorn Group, we pride ourselves on consistently delivering high-quality products to all our clientele. This success can be attributed to the incorporation of a strict Quality Assurance regime. This ensures that every client engagement has deliverables that are technically sound, visually appealing and digestible by the client. At the forefront of this Quality Assurance process is our dedicated Technical Writing team.
Our Technical Writing team form a key component of the quality management process. They employ a high level of detail, organisational skills, understanding of business processes, and exceptional information-gathering skills to develop documentation that facilitates practical improvements for each client.
This specialist team reviews each deliverable at multiple stages of the Quality Assurance lifecycle to ensure they can be easily read by stakeholders, without stripping out any valuable technical information. In addition to making sure that the technical documentation is easily digestible by a technical and non-technical audience, the team also ensures that the document is visually appealing, with a distinct Alcorn Group brand feel. This meticulous care and attention to detail guarantees that each client receives a product that accurately reflects the service Alcorn Group provides.
Alcorn Group currently has three specialist writers, who are degree qualified with a combined 15 years of experience working within the Information Technology industry. This level of knowledge and understanding allows them to collaborate effectively with the security consultants. The team is adept at compiling and translating highly researched, advanced technical concepts and can articulate these clearly, accurately and comprehensively into actionable reports for our clients. Our professional writers ensure that all documents provide our clientele with the confidence and knowledge that what they are receiving is trusted, accurate, and understandable, while being written to be comprehended by all areas of the client’s business.
- Alcorn Group Expands Presence in NSW
Jul 2, 2019
The expansion of the Information Security industry in recent years has brought with it an increase in demand for skilled and experienced security professionals to provide expert consulting. To address this demand, Alcorn Group is expanding its presence within NSW, with additional staff being added to our Sydney team. Having a dedicated Sydney team allows Alcorn Group to have greater onsite utilisation and reduces response time for onsite requests. By providing a unique and tailored service to clients, Alcorn Group is able to help NSW government departments and companies alike improve their security maturity and position.
Alcorn Group’s Head of Business Development, Reece Stewart (pictured), has been based in Sydney since 2016. Having worked in the InfoSec industry since 2014, Reece brought with him a diverse set of experiences while previously working in recruitment and sales roles and was also a Brisbane branch committee member for AISA. A man of many talents, Reece manages Alcorn Group’s sales and marketing strategies, while identifying the service needs of clients, and influencing our response to the industry’s needs. He is also a key account manager for our clients across several industries, including government, financial services and critical infrastructure.
Reece is passionate about giving back to the InfoSec community and fostering great communication and collaboration. He enjoys the challenge of problem solving for the unique solutions that the InfoSec industry requires, as well as ensuring that Alcorn Group’s communication suits multiple audiences so that our clients can have the best security outcomes. Reece is proud of his work and believes that there is no company with a better approach to security consulting within Australia than Alcorn Group.
In addition to his role at Alcorn Group, Reece has helped co-ordinate the OWASP Sydney meetups. These meetups facilitate a discussion on the value of aligning to an open source standard for security while bringing the local InfoSec community together. Reece is passionate about ensuring that industry-renowned specialists can share their InfoSec experiences and knowledge to both technical enthusiasts, and non-technical persons at these meetups.
- AG ATM Acquisition to Lead to New Research Opportunities
Jun 27, 2019
Alcorn Group have recently invested in purchasing two decommissioned ATMs, the likes of which you’ve likely seen before, whether it be in your local convenience store or at the servo down the road. Our commitment to deliver cyber resilience in an increasingly turbulent security landscape involves research into potential exploits in avenues that are often overlooked.
ATM security plays a significant role in our daily security, where compromise can greatly damage organisational reputation and consumer trust. Our internal team of consultants will use their extensive practical experience to research and test for weaknesses in these systems. All vulnerabilities and remediations discovered will undergo strict internal analysis.
These “trade secrets” will assist Alcorn Group to deliver a greater insight in identifying critical attack surfaces often overlooked by traditional penetration testing. Watch this space to see how our research can help identify potential exploits that haven’t been investigated.
- Notorious Ransomware GandCrab Retired After Decryptor Released
Jun 26, 2019
The notorious ransomware GandCrab has finally been retired by its developers after a decryptor became publicly available. Like most ransomware, it has targeted organisations and individuals indiscriminately. While it has undergone many iterations since its release into ‘the wild’, the primary function has remained the same - encrypt victims’ files and exfiltrate sensitive information, offering a key to decrypt these files for an exorbitant fee, payable through a cryptocurrency of indiscernible origin (Dash, in this instance).
GandCrab followed a Ransomware as a Service (RaaS) model, in which it was sold to affiliates who shared 60% of the revenue and could also access victim information, including IP addresses, domain information, operating system details and so on. Over five core versions of this malware were distributed via various malware campaigns, spam emails, exploit kits and fake torrenting sites. Each version aimed to defeat the decryption solutions released for infected files. This included basic encryption methods in its first iteration, leading to a later version which leveraged a method of DLL/EXE execution (Invoke-ReflectivePEInjection) within the victim’s PowerShell process, without writing to disk. Characteristically similar to other ransomware, obfuscated scripts were presented to the victim to be downloaded, which then decoded a URL pointing to the download of GandCrab, unbeknownst to the user.
Since its creation and release, according to the GandCrab developers, this ransomware campaign has earned over $2 billion in revenue from roughly 50,000 devices within the last two months. The alleged success of this ransomware can be attributed to the developers’ persistence in meeting mitigating patches with newer, more effective versions of the malware, sometimes distributed within hours of a fix. This back-and-forth between patching and malware updates finally ceased after the GandCrab developers officially halted the malware at version 5.2, boasting a “well-deserved retirement” in response to the release of Bitdefender’s decryptor.
Alcorn Group has observed this variant of ransomware, amongst others, through various Incident Response (IR) engagements. Ransomware is exceptionally damaging to individuals and organisations alike, posing a multitude of significant business risks when new strains are identified due to the lengths attackers go to in ensuring a ransom is paid.
Ransomware operators can never be trusted, no matter what lengths criminals go to in convincing their victims that their files will be restored after payment. Even if a ransom is paid, it is likely that sensitive data stored in a compromised system has already been exfiltrated. Newer, more sophisticated and damaging strains of ransomware can surface suddenly, as demonstrated within GandCrab’s lifecycle.
If you, or your organisation, has encountered GandCrab, please refer to Bitdefender’s decryptor. Contact us for more information on how ransomware can affect your organisation, and what to do in the event of malware infection.
- Whisky Live 2019
Jun 20, 2019
This past Saturday, some of the Alcorn Group team enjoyed an evening indulging in a few of the finer things in life – Whisky and curry being at the top of that list!
Having also attended the event last year, we found that there was an enhanced focus on the variety of whiskies available, and less focus on craft gins and rums. Amongst some great conversations with our clients, classics such as Macallan and Glenfiddich were sampled, with Writer’s Tears being a standout drop.
It was a great evening had by all. Just one of many social outings Alcorn Group enjoys as a team.
- Red Teaming Stories: Is That Really a Conference Call?
Jun 18, 2019
Conducting a successful red team exercise often involves building a level of trust with the target organisation. This trust will allow the consultant to exploit weaknesses in people and immature business processes to gain access to systems, infrastructure or physical locations. Some activities used to build trust with an organisation may involve weeks of preparation through reconnaissance. This preparation builds confidence for the consultant during the physical attack stage of the exercise, for example confidently tailgating into a building or facility, as the consultant has in-depth knowledge of the target environment prior to arriving.
Alcorn Group have a proven track record of delivering quality red team engagements through our client base. Our methodology covers several techniques used during these engagements to ensure success and quality for our clients. An example of such techniques to build this trust is using fake conference calls. Often physical access can be quite tedious (especially for smaller locations), where finding a vacant desk or room can be troublesome due to foot traffic. Alcorn Group frequently use phones to avoid conversation and gain access to a meeting room.
To take this a step further, Alcorn Group consultants have developed a service to streamline this process and add some flexibility. It can be used by anyone on an active engagement where physical assets are in scope. The service provides auto-answering ‘conference’ type calling capability, which will auto-play background noise, like that of a conference call. The consultants can then put this on speaker in a meeting room while they proceed to target the conference equipment and any other devices in the room.
Should a staff member walk in on the consultant attending the ‘conference’ call, they can inform the simulated call that they need to wrap up and can continue the call later. This adds to the story and allows the consultant to discreetly leave and re-establish somewhere else. This technique can also be used to challenge people who may accuse you of being in the wrong location, using the conference call as context as to why you are there.
This is just one of the many techniques the consultants at Alcorn Group use, amongst their repertoire of knowledge and experience, to ensure that they deliver a successful and quality Red Team Engagement.
- Let Loose on the Lanes, Alcorn Group Bowl Up a Storm
Jun 13, 2019
On Wednesday, the team at Alcorn Group had a great evening of catching up outside the office and enjoying some friendly banter.
The team got into the competitive spirit, taking to the Bowling Alley to settle some scores. Some were bowling fiercely, some bringing out a few tricks and curving the ball, while others were more consistently measured. Everyone had a great time and is looking forward to next month’s team event.
- Information Security and Resilience in Australia’s Critical Infrastructure
Jun 11, 2019
As you wake up in the morning, you finally convince yourself to leave the warmth and comfort of your bed, only because there is an equally warm shower waiting for you. You proceed with your daily routine, brewing yourself a hot coffee and walking to catch the bus into work. No thought goes into these conveniences provided to you and the critical infrastructure that facilitates them.
Food, water, health, communications, transportation and banking all have one thing in common - they all represent parts of Australia’s critical infrastructure. Critical infrastructure has become the backbone of a functioning society worldwide, not just within our homes. It underpins our Australian society and economy and is integral to the prosperity of the nation.
Now, take a moment to imagine if a cyber attack was to occur on just one of these critical infrastructure facilities. There would be no running water for your shower, no electricity to brew your morning coffee, or perhaps no bus to take you to work. National security risks to critical infrastructure are becoming increasingly complex and have continued to evolve over recent years. Rapid technological changes are taking place all the time, such as the introduction of Internet of Things (IoT) devices or more specific to critical infrastructure, Operational Technology (OT) devices. These devices introduce a growing number of threats to critical infrastructure systems and facilities as they become cyber connected.
Within Australia, the Critical Infrastructure Centre coordinates the management of the national security risks that face Australia’s critical infrastructure. The centre works with state and territory regulators to help identify and mitigate risks, primarily focusing on sabotage, espionage and coercion in the telecommunications, electricity, gas, water and ports sectors.
In addition, the Security of Critical Infrastructure Act 2018 assists in the management of these national security risks posed by foreign involvement in Australia’s critical infrastructure within the electricity, gas, water and ports sectors. The Act aligns with the government-business partnership approach, that underpins Australia’s Critical Infrastructure Resilience Strategy. It ensures that the Government has all the information necessary to conduct national security risk assessments, by introducing three measures:
- An asset register to provide the Government visibility of who owns and controls these assets, enabling better targeting of our risk assessments.
- The ability to obtain more detailed information from owners and operators of assets in certain circumstances to support the work of the Centre.
- The ability to intervene and issue directions in cases where there are significant national security concerns that cannot be addressed through other means.
Here at Alcorn Group, we have extensive and proven experience in providing various types of security assessments on facilities and infrastructure alike. As highlighted in one of our previous articles (which you can read about here), Alcorn Group has accumulated experience in conducting successful red team engagements on utility facilities which provide critical infrastructure to the local community. Alcorn Group also has the ability and skills required to conduct various types of infrastructure security assessments to assess the resilience of IoT and OT devices used in relation to critical infrastructure.
Whether it is through providing a thorough Red Team engagement, or by conducting an infrastructure security assessment, Alcorn Group is committed to accurately identifying risks and providing tailored remediation steps to assist in the protection of many government critical infrastructure facilities.
Get in touch with the Alcorn Group team to discuss how we have assisted organisations with the development of their cyber security resilience in the past, and how your organisation can benefit from these strategies.
- read more
- Alcorn Group to Present at Trusted Information Sharing Network Event
Jun 5, 2019
The Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience is holding a Water Quality Risk and Resilience Workshop to discuss the risk landscape that Australian Water utility companies are facing. The workshop will gather members of the Water Services Sector Group (WSSG) alongside members of the Water Services Association of Australia’s (WSAA) Water Quality Health Group in order to facilitate a thoughtful discussion and the sharing of ideas.
As a result of our in-depth experience in conducting Red Team Engagements for clients within this industry, Alcorn Group has been invited to speak at this workshop about risk mitigation and improving Cyber Security resilience. Amongst other things, we will be discussing common vulnerabilities found across engagements with clients within the industry, as well as a roadmap of steps that can be taken to minimise the attack surfaces available to adversaries.
We look forward to creating actionable discussions around steps that can be taken to mitigate risks, identify threats, and improve the security posture of these businesses.
- read more
- Red Teaming: Do you really know your organisation's security posture?
Jun 4, 2019
When you think of criminals, images of shady figures in balaclavas and baseball caps brandishing weapons usually come to mind. Certainly not the vaguely familiar, well-dressed person that you kindly held the door open for as you entered the office this morning.
In fact, recalling what this person looked like stirs unremarkable images, not out of the ordinary for a typical contractor who would visit the office on occasion. The last thing that comes to mind when recalling this figure is “Criminal infiltrating the organisation to steal confidential information”, when it’s more likely they just work in an area of the business you are not familiar with from time-to-time.
Alcorn Group recently bypassed the physical security of a company who provides critical infrastructure in a test to assess the effectiveness of the organisation’s security controls. For this client, the Red Team Engagement involved physical infiltration of a utility facility, which ultimately resulted in Alcorn Group gaining internal corporate network access. Later this week, Alcorn Group will be presenting to the client about this engagement, while working with them further to develop improvements to their Cyber Security posture and resilience, including awareness for the importance of physical security controls in relation to Cyber Security.
Typically, a Red Team Engagement combines social engineering, physical entry and digital exploitation, but it can also involve other techniques depending on the target and the resources available. Red Team Engagements are essential for organisations that want to understand exactly where their security posture stands and what unknown business risks they carry, while providing broader education and engaged awareness across all areas of the business.
Through a multi-layered approach, Alcorn Group’s Red Team Engagements assist clients with gaining visibility of Cyber Security risks that have the potential to impact their organisation, with a focus on exposing vulnerabilities and risks that would be posed by different, real-world Cyber attackers who would try to infiltrate the network. Alcorn Group has accumulated extensive experience in delivering Red Team Engagements to Government organisations and facilities around critical infrastructure assets, including companies within the banking and financial sectors.
Get in touch with the Alcorn Group team to discuss how Red Team Engagements can help further develop your organisation’s Cyber Security resilience, and to identify any potentially impacting risks.
- read more
- CPS 234 Protects the Financial Services Industry (and you)
May 29, 2019
Information security is a constantly evolving and dynamically changing landscape of threat and risk. Organisations that manage significant amounts of Personally Identifiable Information (PII) and personal financial information are a particularly attractive target. Unfortunately, APRA-regulated organisations of all sizes have historically found it challenging to gain traction with information security initiatives, resulting in broad risk to the financial services industry and its stakeholders (e.g. fund customers and members). To help address this, APRA released draft Prudential Standard CPS 234 Information Security (CPS 234) in March 2018. The standard seeks to ensure that APRA-regulated entities have sufficient information security capability to remain resilient against security incidents (e.g. data breaches). The final version was released in November 2018 and, following industry consultation, comes into effect on 1 July 2019.
CPS 234 applies to all APRA-regulated entities, equally and regardless of the organisation's size and capability. APRA-regulated entities include:
- banks, building societies and credit unions
- life and general insurance and reinsurance companies
- private health insurers
- friendly societies and superannuation funds (excluding self-managed funds).
When considering compliance with CPS 234, an APRA-regulated entity must address nine distinct information security areas. These areas are as follows:
- Roles and responsibilities – defining the board's and individuals' responsibilities for information security
- Information security capability - Measuring and validating on an ongoing basis that the organisation can maintain information security
- Policy framework – Implementing and maintaining foundational organisation policy elements such as risk management, acceptable use, human resource security, change management etc.
- Information asset identification and classification – classifying all information based on criticality and sensitivity
- Implementation of controls – implementing the technical, managerial and operational controls necessary to achieve and maintain the security of information including those managed by third parties. Examples of controls are encryption, backup solution, security awareness training, documented procedures and guidelines etc.
- Incident management – defining and implementing a framework for managing and responding to security incidents when they occur, so that incidents are contained and eradicated and the impacted assets are recovered
- Testing control effectiveness – implementing a systematic approach to making sure the implemented controls are suitable and fit for purpose commensurate with the threat landscape, the type of information to be protected, the consequences of an incident and the regularity of change
- Internal audit – establish or extend an internal audit program to provide information security assurance to the board
- APRA notification – a defined requirement for APRA to be notified no later than 72 hours after the entity becomes aware of a reportable information security incident. CPS 234 also requires that APRA be notified no later than 10 business days after the entity becomes aware of a material security control weakness that cannot be resolved in a timely manner.
In defining these requirements, CPS 234 varies from being highly prescriptive, to largely subjective in what it requires. As a result, some organisations may find it challenging to assess compliance. Where this is the case Alcorn Group recommends:
- Understand the organisation's core business goals and establish information security objectives that align with and support them
- Have the board recognise and take responsibility for information security, and then define the individual roles within the organisation needed to achieve these objectives
- Identify the critical and important information, and the facilities that process it
- Have the board support initiatives to protect the security of critical information assets
- Establish information security Key Performance Indicators (KPIs) and measure the current state. The board is then able to set KPI targets to influence information security and define the leadership requirements for success.
For further guidance on achieving compliance with CPS 234, APRA has released a draft Prudential Practice Guide CPG 234, with the final version expected before the CPS 234 effective date (1 July 2019).
- read more
- Personal Internet of Things Device Security
May 20, 2019
Door locks, coffee machines, security cameras, dryers, alarm clocks, and thermostats. At first glance it is difficult to discern what commonality these devices share from an end customer’s point of view. In previous years, some of these devices would not have shared a lot in common at all. However, now, almost all industries are selling devices connected to the Internet that are automating processes within the home and workplace. With the flood of devices coming onto the market, it is important to understand how devices can have an impact on the security posture of individuals purchasing these products.
Due to the large number of manufacturers rushing to connect their devices to the Internet, security features on IoT devices are highly variable. While there are steps being taken to standardise IoT frameworks, the high variability of security across devices at present makes it difficult for consumers to determine their security posture. As a result, organisations and people alike can be caught out owning, and potentially relying on, a device that is vulnerable to manipulation.
For example, a wi-fi connected printer increases the attack surface of a home network: it is reachable by anyone within wireless range, and by anyone on the Internet if the router exposes it. Printers are often vulnerable due to insufficient authentication or authorisation. They may display personally identifiable information publicly, or they may run outdated, insecure software. If proper controls are not in place, the printer can become a foothold from which an attacker deploys malicious software or pivots to attack the rest of the network.
A number of strategies can be employed to harden the security posture of IoT devices within the home. The following is by no means an exhaustive list, but it does provide a high-level overview of how one can protect their IoT devices in the home:
Embrace Network Segmentation and Segregation
Network segmentation involves splitting your network into a number of sub-networks (for example, a separate wireless network or VLAN for IoT devices), which impedes lateral movement through the network. Network segregation involves placing rules on which devices are allowed to communicate with each other. If IoT devices have only limited access to the other portions of a network, an attacker who compromises one of them has far less ability to leverage that foothold against the rest.
Change Default Passwords
Where authentication is available on IoT devices, altering the default password should be made a priority. Default passwords may lack the complexity required to be secure, and in some cases, may be widely publicised on the Internet. Choose new passwords that are long and strong, and unique from all other passwords.
It’s important to make certain that connected systems are also protected with secure and unique passwords. This means that if one device gets compromised, there is a greater amount of difficulty in reaching other systems on the network. See our article ‘Creating Secure Passwords’ for more information about how to create a strong and memorable password.
Change Default Usernames
Where the default username can be changed, it's a good idea to change it. This makes it harder for attackers to identify the account with the most privileges.
Set User Privileges
User accounts should be set to the least amount of privilege required. Additionally, user accounts should use the highest privacy settings and enable multi-factor authentication where available.
Enable Account Lockouts
If there is functionality to lock user accounts out after a certain number of tries, this should be enabled. This can hinder attackers who attempt to use brute-force attacks against passwords.
Enable Automatic Updates
Patching is the most effective way to protect a device from known software vulnerabilities, for as long as the vendor continues to support the device. It is good practice to configure IoT software to receive automatic updates where possible, so that vulnerabilities are addressed in a timely manner.
Limit Administrative Capabilities
Disable or remove any unnecessary functions that an IoT device provides (remote management, UPnP, cloud relays, debug or telnet services and the like). This limits the ability of attackers to leverage weaknesses that may be present in those unused functions.
Encrypt Your Transmissions
If your system has the security options to encrypt transmission, it is good practice to set encryption to an accepted standard, such as AES-256, and enable HTTPS where it’s available.
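The ‘Enable Account Lockouts’ step above is the one control in this list that is implemented in logic rather than configuration, so here is an added example of how a device's login handler might apply it. This is illustrative code written for this article, not firmware from any vendor or code from Alcorn Group. Passwords are stored as PBKDF2 hashes from the standard library; the failure threshold, counting window and lockout durations are assumptions chosen for the demonstration, and the credentials and guesses in the simulation are constructed.

```python
"""Account lockout with a failure window and escalating lockout duration.

Added example (not Alcorn Group code): a minimal 'Enable Account Lockouts'
control for a device login handler, exercised with a constructed sequence of
login attempts. Thresholds and timings below are illustrative assumptions.
"""
import hashlib
import hmac
import os
from collections import deque

FAILURE_THRESHOLD = 5      # failures inside WINDOW that trigger a lockout (assumed)
WINDOW = 15 * 60           # seconds over which failures are counted (assumed)
BASE_LOCKOUT = 60          # first lockout lasts one minute... (assumed)
MAX_LOCKOUT = 60 * 60      # ...doubling per further lockout, capped at an hour (assumed)
ITERATIONS = 50_000        # PBKDF2 work factor


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storing a password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginGuard:
    """Tracks failed logins per username and locks the account when the
    threshold is exceeded; every further lockout lasts twice as long."""

    def __init__(self):
        self._users = {}         # username -> (salt, digest)
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> time the lockout expires
        self._lockouts = {}      # username -> number of lockouts so far

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'locked', 'denied' or 'granted' for a login attempt at time `now`."""
        if now < self._locked_until.get(username, 0):
            return "locked"                       # refuse without even checking the password
        record = self._users.get(username)
        # Always compute a hash so an unknown username costs the same time as a bad password.
        salt, digest = record if record else hash_password("", b"\x00" * 16)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if record is not None and hmac.compare_digest(candidate, digest):
            self._failures.pop(username, None)    # success resets the failure window
            return "granted"
        failures = self._failures.setdefault(username, deque())
        failures.append(now)
        while failures and now - failures[0] > WINDOW:
            failures.popleft()                    # forget failures older than the window
        if len(failures) >= FAILURE_THRESHOLD:
            n = self._lockouts.get(username, 0)
            self._locked_until[username] = now + min(BASE_LOCKOUT * 2 ** n, MAX_LOCKOUT)
            self._lockouts[username] = n + 1
            failures.clear()
            return "locked"
        return "denied"


def simulate_brute_force() -> list:
    """Constructed scenario: five wrong guesses lock 'admin', the correct
    password is refused while locked, and accepted once the lockout expires."""
    guard = LoginGuard()
    guard.add_user("admin", "correct horse battery staple")   # constructed credential
    results, t = [], 0.0
    for guess in ["admin", "password", "12345", "default", "admin123", "letmein"]:
        results.append(guard.attempt("admin", guess, t))
        t += 1
    results.append(guard.attempt("admin", "correct horse battery staple", t))
    results.append(guard.attempt("admin", "correct horse battery staple", t + BASE_LOCKOUT))
    return results


if __name__ == "__main__":
    print(simulate_brute_force())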
For further guidance on IoT security, OWASP has a comprehensive breakdown from a number of perspectives. See https://www.owasp.org/index.php/IoT_Security_Guidance for more information. The IoT Alliance Australia (IoTAA) also has an IoT security guideline, which provides guidance of where security and privacy in IoT devices currently stands. It can be found here: https://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Security-Guideline-V1.2.pdf
While the above strategies can be employed to increase the security of IoT devices in the home, mitigating vulnerabilities becomes considerably harder for IoT devices in industries such as health care or logistics, where devices offer fewer consumer-facing options and less support (insulin pumps and pacemakers, for example). For the people who depend on these devices, it is imperative that a thorough risk analysis is completed and that support and maintenance of the devices is ongoing.
The practice of security of IoT devices is still developing as the industry itself matures. The first wave of devices have come to market in a “fail fast, fix later” mindset, and it is imperative that moving forward, a more security conscious approach is taken.
- read more
- Release of OAIC Notifiable Data Breaches Scheme 12-month Insights Report
May 14, 2019
The Office of the Australian Information Commissioner (OAIC) has released its first full-year insights report on notifiable data breaches reported between April 2018 and March 2019. Key results highlight that of the 964 eligible breach notifications reported:
- 580 (or 60%) were attributed to malicious or criminal attacks.
- Of those 580, 394 (or 68%) were cyber incidents resulting from common threats such as phishing, malware, ransomware, brute force attacks, compromised or stolen credentials and other forms of hacking.
- The remaining 186 (or 32%) of those 580 were the result of theft of paperwork or a data storage device, social engineering or impersonation, or an act of a rogue employee or insider threat.
These annualised results continue to support our previous article published back in July 2018. It remains relevant for organisations to better protect the personal information they hold, through establishing a regular program of security assessment and testing. Identifying and remediating vulnerable targets before they are compromised will always be a key defence against data breaches.
Alcorn Group specialises in performing vulnerability assessments and penetration testing, which combined with our other services such as red teaming, threat risk assessments, and incident planning and response, can provide a broad and effective means to assist with mitigating the risk of data breaches. Please contact us to discuss how we can best address your organisation’s needs.
- read more
- Transport Encryption Recommendations
May 7, 2019
Transport Layer Security (TLS), the successor protocol to Secure Sockets Layer (SSL), is the standard technology for establishing an encrypted link between two systems, such as a web server and a browser, to prevent third parties from reading or modifying the information transferred, including personal details. The encryption algorithms used in TLS/SSL scramble data in transit, making it very difficult to read while it is being sent.
Of all the findings Alcorn Group raises, weak TLS/SSL configuration is one of the most frequent. Using insecure protocols or weak cryptography undermines the intent of the security measures in place and leaves data accessible to prying eyes.
In this blog post, we are shining a light on our preferred practices.
There are currently six protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2 and TLS v1.3. Published in August 2018 (RFC 8446), the latest version, TLS v1.3, has a redesigned handshake that both speeds up communication and protects against downgrade attacks. However, since its release, researchers have demonstrated a downgrade attack on TLS v1.3 that relies on RSA key exchange still being enabled for the older protocol versions a server also accepts.
Although that vulnerability is known, at the time of writing TLS v1.3 is the best protocol to use, as it significantly reduces the attack surface compared to previous versions. Crucially, it also removes obsolete features still present in TLS v1.2, including SHA-1, RC4, DES, 3DES, AES-CBC, MD5, arbitrary Diffie-Hellman groups and EXPORT-strength ciphers. Cipher suites are defined differently from previous versions and no longer specify the certificate type or the key exchange mechanism. Because of its recency, it is not yet supported by all browsers.
TLS v1.2 and TLS v1.3 support Authenticated Encryption with Associated Data (AEAD) cipher suites, which provide simultaneous assurance of the confidentiality, integrity and authenticity of the data. When deploying servers, TLS v1.3 should therefore be the preferred protocol, with TLS v1.2 the next preference. There may be a valid business case for retaining TLS v1.0 and TLS v1.1 to support older browsers, but this sacrifices security for compatibility. SSL v2 and SSL v3 must be disabled outright: both are deprecated, have well-known weaknesses and are vulnerable to Person-in-the-Middle (PitM) attacks.
Where it is necessary to keep TLS v1.0 or TLS v1.1 enabled, support TLS_FALLBACK_SCSV (RFC 7507). This signalling cipher suite lets a server reject a connection in which the client has fallen back to a lower protocol version than the server supports, which prevents a PitM attacker from forcing the downgrade. In any case, explicitly specify every protocol version your application is willing to accept rather than relying on library defaults.
Certificates should always be obtained from a reputable Certificate Authority (CA). When making the purchasing decision, research how the CA has responded to public breaches and how many it has had, and check which services it offers. A CA should support both Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP) so that clients can check revocation status.
Your certificate must be valid for the hostname it is served on. Modern clients match the hostname against the certificate's Subject Alternative Name (SAN) entries, not only the Common Name (CN); if neither matches, users cannot verify the authenticity and identity of the web server and are trained to click through warnings. A mismatched certificate defeats the purpose of TLS: an attacker could then mount a Person-in-the-Middle attack against the host without changing the user experience.
Of particular note are the cryptographic algorithms your certificate employs. A certificate's signature combines two algorithms that work hand in hand: the hash algorithm, which summarises the certificate contents, and the signature algorithm with its key.
Ensure your certificates are signed with SHA-256 or stronger (SHA-1 and MD5 signatures are rejected by current browsers) using an RSA key of at least 2048 bits or an ECDSA key of at least 256 bits. For the session itself, symmetric keys should be at least 128 bits (for example AES-128-GCM), and the key exchange should use Diffie-Hellman parameters of at least 2048 bits or an elliptic curve of at least 256 bits.
Bigger is better when it comes to key length and security. However, larger keys cost more CPU time for every handshake, so go beyond these minimums deliberately rather than by default.
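To make the recommendations above concrete, here is an added example (written for this article, not Alcorn Group code or the output of any tool it uses) that builds a permissive TLS client context beside a hardened one using Python's standard ssl module, then audits each against the points discussed: minimum protocol version, AEAD-only cipher suites with forward secrecy, and certificate and hostname verification. It assumes Python 3.7 or later linked against OpenSSL 1.1.1 or later (required for TLS v1.3 and the minimum_version attribute); the same settings apply to a server context created with PROTOCOL_TLS_SERVER.

```python
"""Build and audit TLS settings with Python's ssl module.

Added example (not Alcorn Group code). Assumes Python 3.7+ on OpenSSL 1.1.1+.
The cipher names in OBSOLETE_MARKERS follow OpenSSL's naming convention.
"""
import ssl

# Substrings that identify primitives TLS v1.3 removed, as they appear in
# OpenSSL cipher suite names (e.g. "ECDHE-RSA-DES-CBC3-SHA", "RC4-MD5").
OBSOLETE_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "ADH", "AECDH")


def permissive_context() -> ssl.SSLContext:
    """Legacy-style settings: lowest protocol the library still builds, the
    library's default cipher list (which includes CBC suites), no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Settings matching the recommendations: TLS v1.2 as the floor so that
    TLS v1.3 is negotiated where available, AEAD-only suites with ephemeral
    (forward-secret) ECDH key exchange, certificate and hostname checks on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for the TLS v1.2 suites; TLS v1.3 suites are fixed
    # by the library and are all AEAD, so they are unaffected by this call.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()            # trust the platform CA store
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context; an empty list means it meets the recommendations."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLS v1.2 or later")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in OBSOLETE_MARKERS):
            findings.append(f"obsolete cipher suite enabled: {name}")
        elif not suite["aead"]:
            findings.append(f"non-AEAD (CBC/HMAC) cipher suite enabled: {name}")
        elif not name.startswith(("TLS_", "ECDHE-", "DHE-")):
            # TLS v1.3 suites (TLS_*) always use ephemeral key exchange; for
            # TLS v1.2 only (EC)DHE suites give forward secrecy.
            findings.append(f"cipher suite without forward secrecy enabled: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(f"{label}:")
        for finding in audit_context(ctx) or ["no findings"]:
            print("  -", finding)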
Further reading can be found here:
- read more
- New Requirements for Government Agencies under NSW Cyber Security Policy
Apr 29, 2019
In February 2019, the NSW Government issued its new Cyber Security Policy, a key part of its overarching Cyber Security Strategy released in September 2018. The policy establishes a set of mandatory cyber security requirements, ensuring an integrated approach to preventing and responding to cyber security threats.
The policy came into effect on 1 February 2019, requiring all NSW Public Service Agencies to comply with the new requirements. Adoption of the policy, while not mandatory, is also recommended for State Owned Corporations, local councils and universities.
To meet the new requirements, agencies will be required to:
- Ensure cyber security planning and governance is implemented, which includes:
- Establishing clear roles and responsibilities, oversight and plans for cyber security.
- Conducting cyber security risk assessments.
- Establish a cyber security culture across the organisation, incorporating such aspects as:
- Regular education of employees, contractors and outsourced ICT service providers.
- Embedding cyber security risk management into decision making.
- Manage cyber security risks to protect and secure information and systems, which includes:
- Implementing an Information or Cyber Security Management System and supporting controls, compliant with recognised industry standards.
- Implementing and reporting maturity against the ACSC Essential 8 cyber security incident mitigation strategies.
- Identifying and classifying information and systems, and based on their relative importance, implementing commensurate controls.
- Improve resilience and incident management capabilities, through:
- Maintaining and testing annually, a cyber security incident response plan that integrates with the government’s response plan.
- Implementing adequate incident identification and response tools and processes.
- Reporting cyber security incidents in accordance with requirements.
- Report and attest annually on policy compliance, including reporting on high and extreme residual risks and “crown jewels” (the agency’s most valuable or vital systems and information).
Full details of all new requirements and the overarching strategy can be found in the respective documents linked above. As a CREST certified organisation, Alcorn Group is well positioned to assist government agencies with meeting the new requirements. Our independent assessment services can provide an initial baseline of your organisation’s cyber security posture and actionable recommendations to achieve and demonstrate ongoing compliance. Examples of services directly supporting policy compliance include:
- ACSC Essential 8 maturity assessments
- Threat and risk assessments
- ISMS development and assessments
- Cyber security controls testing (e.g. system penetration testing, red teaming, etc.)
- Cyber security incident management (planning, testing and response)
Alcorn Group will work with your organisation to tailor a program that meets your needs.
- read more
- Alcorn Group Celebrate the Holidays in Style
Dec 13, 2018
It’s that time of year again when we get to acknowledge the greatest Red Teamer of them all – Santa Claus!
With the countdown on until Christmas Day, the Alcorn Group team came together at Dutch Courage Officers’ Mess in Fortitude Valley. But it wasn’t brandy we offered up for the man in the red suit this year – Dutch Courage is known for its fine selection of over 130 gins.
We celebrated the season and fine company with good food and drinks, on into the night.
Alcorn Group would like to wish one and all a safe and happy holidays.
- read more
- Technical Writer Speaks at Conference
Nov 15, 2018
Kristine Sihto, technical writer for Alcorn Group, took part in the ‘Write The Docs Australia’ conference in Melbourne this month.
Kristine is a valued member of our quality assurance process, whose role ensures that the written content provided to our clients is both consistent and understandable. Her passion for the written word is evident in her day-to-day interactions with staff. Her topic at Write the Docs – The Art of Consistency: Creating an inhouse style guide – reflects the heart of what she does for Alcorn Group on a daily basis.
We took a few moments to interview Kristine on her role here at Alcorn Group:
A.G.: What does a typical day look like for you?
Kristine: When I get to work, I immediately look for any quality reviews that need to be performed. This involves checking every report for consistent and appropriate language, correct grammar and spelling, and consistent formatting. Once the urgent work is all out of the way, I can then get down to preparing policy and procedure documentation, reviewing marketing, and occasionally writing blog posts.
A.G.: Why did you join Alcorn Group?
Kristine: Alcorn Group was, for me, a huge step in the direction of my lifelong goals. A position working with words has always been my idea of a perfect job, whether that be editing or writing, and in this role, I get to do both every day. I’m also working in a field that I’m passionate about, which is a definite drawcard.
A.G.: What is the thing you like most about your job?
Kristine: This role stretches me in ways I previously couldn’t have envisioned. Information security is an amazing field, and I get to learn things that I would never have considered while working in other industries.
A.G.: What are your biggest professional challenges?
Kristine: I’ve come from a background unconnected to InfoSec or IT, so it’s been a very steep learning curve. Also, while the consultants can collaborate with each other on their technical needs, I have to find my own professional growth strategies and seek out professional networks that support the type of work I do, in addition to the professional networks that support information security.
A.G.: What is your biggest achievement to date – personal or professional?
Kristine: 2018 has been huge for me. I published a book of poetry that I’ve been working on since I was a teen. I’ve spoken at BrisSEC, and now I’ve presented at the Write The Docs conference in Melbourne.
A.G.: What advice would you give to recent new entrants to information security?
Kristine: Find professional organisations to build your network and support your growth. Making connections outside of your organisation means that you have access to a range of professionals who may have the information you need, or know someone to refer you to.
- read more
- Release of final version of APRA Prudential Standard CPS 234 on Information Security
Nov 13, 2018
APRA has released the final version of Prudential Standard CPS 234 on Information Security. This follows a period of industry consultation and responses to submissions on the draft standard released in March 2018.
In response to submissions received, APRA has confirmed:
- The new standard will come into effect from 1 July 2019. A transition period for third party arrangements has been allowed whereby requirements will apply from the earlier of the next contract renewal date or 1 July 2020.
- All information assets of regulated entities must be classified in terms of both criticality and sensitivity. This requirement is irrespective of whether information assets are managed by the regulated entity or a third or related party.
- Regardless of whether a third party is in a direct or indirect (downstream) relationship with a regulated entity, and whether the information assets under management form part of a material business activity outsourcing, information assets must be managed in accordance with the new standard.
- Regulated entities must notify APRA within 72 hours of becoming aware of an information security incident. Notifiable incidents are those with either an actual or potential material effect, or those requiring notification to other regulators either in Australia or other jurisdictions.
- Regulated entities must notify APRA within 10 days of becoming aware of a material information security control weakness that is not expected to be remediated in a timely manner.
APRA has also provided further clarification on other requirements in the standard relating to:
- Board information security responsibilities
- Information asset life-cycle
- Annual review and testing of information security response plans
- Nature and frequency of control effectiveness testing commensurate with materiality and frequency of information asset changes
- Reliance on testing of control effectiveness over information assets managed by third or related parties
- The role of internal audit for information assets managed by third or related parties
To assist regulated entities with implementing the requirements of the new standard, APRA will be updating Prudential Practice Guide CPG 234 in the first half of 2019. In preparation, and as recommended in our previous article, regulated entities should assess their current information security control environment, identify any gaps, and develop and execute action plans to address any shortfalls. With its broad scope of security services, Alcorn Group can assist organisations with performing these assessments, as well as provide ongoing support for meeting the new requirements beyond the effective date.
- read more
- Halloween comes to Alcorn Group
Oct 30, 2018
Ghosts and goblins and things that go bump in the night! This October 31, webs, spiders, skulls and cauldrons adorned the office, and Alcorn Group staff members got into the spirit of the season by dressing up.
We all know that showing up to the party in the same dress as someone else is a social faux pas of the highest order. While Dale and Callum managed to narrowly avoid the issue with their similar (but different) Apple costumes, imagine the embarrassment when Isaac and Kate both showed up to the office in their matching Sailor Moon outfits!
Extra props to the Sydney office who put effort into their costume despite being so far from the rest of the crew!
A popular vote from staff members decided that Isaac would gain the prize for best dressed, but who do you think wore it better?
- read more
- CiscPwn: Hiding the intruder in plain sight.
Sep 27, 2018
Innovation is at the heart of hacking. The hacker’s mindset needs to consider how common items may be manipulated to provide any advantage, whether that’s looking at online presence or finding ways to physically infiltrate an organisation.
Introducing Josh R. - Operations Manager at Alcorn Group, hacker, and innovator, whose customised modification to Cisco phone hardware is assisting our consultants in the field. We call it CiscPwn.
A.G.: What are we looking at, what is this phone device and what can it do?
Josh: We often use devices “implanted” at client networks in order to maintain access. This is a functional computer with hacking tools ready for us to connect remotely and run attacks. We custom made this for a job; the basic build was done in under a day. Since then we’ve added improvements. Typically we’ll build a device for a specific job if needed, then add new features and improvements when we think of them.
A.G.: Why did you choose a phone for the basis of this hardware?
Josh: Lots of spare room, and it fits in at most meeting rooms or desks without raising too many eyebrows. The phone is fully functional, but because it would need to be configured for the PBX at the target, we typically hang the phone on the loading screen so it looks like it’s frozen.
A.G.: Was it difficult to place the device on the site?
Josh: Very easy! When the device looks like it fits in, then it’s normally a matter of plugging it in. We snuck it into a network and used it to maintain remote access. It was very successful.
A.G.: You recently gave a presentation about this device, tell us about that.
Josh: I gave a presentation on Red Team techniques, how to get in the mindset of an attacker. Which for us often comes down to low risk and high success rates. These devices are low risk because they’re difficult to trace, and once we have one implanted there’s a good chance we’ll be able to compromise the network.
A.G.: Are there changes you’d like to make for the next version?
Josh: We have a few improvements to detect tampering and more… but let’s not give it all away.
A.G.: Will Alcorn Group be doing more hardware like this one?
Josh: We have a number of other purpose-built devices already, and whenever we see the need or have an opportunity we add to the list. We can make custom gear for an engagement for sure.
A.G.: What advice do you have for businesses on protecting themselves from hardware like this one?
Josh: Port security and a good asset management policy are key. Asset management and an easy way to identify legitimate items is incredibly important.
A.G.: If someone finds a suspicious piece of hardware like this one on their business premises, who should they contact?
Josh: Ahh, well, roll incident response. …(Have) a good IR plan.
Incident response is a vital piece of the puzzle when safeguarding your systems against intruders. Alcorn Group offer a range of incident response services to fill your needs, ranging from assistance in preparing your IR strategies, determining which areas of your business may require extra attention, or helping you recover in the aftermath of an incident.
Call our consultants today on 1300 368 806.
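Josh's advice on port security and asset management can be turned into a simple check. The Python below is an added example, not part of the interview and not Alcorn Group's tooling: it parses a constructed switch MAC address table in the common "VLAN / MAC / Type / Port" layout, compares it with a constructed asset inventory (MAC, description, expected access port) and reports addresses that are not in the inventory, assets that have moved to another port, and ports that have learned more addresses than expected. All MAC addresses, port names and inventory entries are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed asset inventory: MAC -> (description, expected access port).
# A real inventory would come from the organisation's asset register or NAC system.
INVENTORY = {
    "0011.2233.4455": ("Meeting room 2 IP phone", "Gi1/0/7"),
    "0011.2233.4466": ("Reception desktop", "Gi1/0/3"),
    "0011.2233.4477": ("Printer, level 1", "Gi1/0/12"),
}

# Constructed sample of a switch's learned MAC table. The address 00de.adbe.ef01
# on Gi1/0/7, next to the legitimate phone, stands in for a planted device.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    00de.adbe.ef01    DYNAMIC     Gi1/0/7
  10    0011.2233.4466    DYNAMIC     Gi1/0/3
  10    0011.2233.4477    DYNAMIC     Gi1/0/9
"""

# One learned entry: VLAN, dotted-hex MAC, learning type, port.
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    port: str
    mac: str
    reason: str


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples, skipping headers and rulers."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((int(vlan), mac.lower(), kind.upper(), port))
    return entries


def audit(entries, inventory, max_macs_per_port=1):
    """Flag unknown MACs, assets on unexpected ports, and over-subscribed ports."""
    findings = []
    by_port = {}
    for _vlan, mac, _kind, port in entries:
        by_port.setdefault(port, []).append(mac)
        known = inventory.get(mac)
        if known is None:
            findings.append(Finding(port, mac, "MAC not in asset inventory"))
        elif known[1] != port:
            findings.append(
                Finding(port, mac, f"asset '{known[0]}' expected on {known[1]}")
            )
    for port, macs in by_port.items():
        if len(macs) > max_macs_per_port:
            findings.append(
                Finding(
                    port,
                    ",".join(sorted(macs)),
                    f"{len(macs)} MACs learned on one port (limit {max_macs_per_port})",
                )
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mac_table(MAC_TABLE), INVENTORY):
        print(f"{finding.port:<10} {finding.mac:<32} {finding.reason}")
```

On the constructed table the check reports the unknown address on Gi1/0/7, the printer that has turned up on Gi1/0/9 instead of Gi1/0/12, and Gi1/0/7 learning two addresses. The `max_macs_per_port` parameter matters in practice: a desk port with an IP phone and a PC daisy-chained behind it legitimately shows two addresses, so such ports should be audited with a limit of 2 rather than raising alerts on every phone. The switch-side equivalent of the last check is a port-security maximum on each access port, and 802.1X keeps an unregistered device from getting beyond the port at all, but neither replaces an inventory that says which device is supposed to be where.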
- read more
- Alcorn Group named as a finalist in AISA Awards 2018
Sep 25, 2018
Alcorn Group is proud to be named a finalist for the AISA Awards 2018 in the Cyber Security SMB Employer of the Year category.
The Australian Information Security Association (AISA) has been running its annual awards program since 2012 to recognise and promote excellence, innovation, and professionalism within Information Security by individuals, projects, and organisations.
This category honours organisations with fewer than 1000 employees who have helped engage the general community and other businesses to promote and improve cyber security capabilities and maturity in the sector.
Voting closes at midnight on Thursday 27 September 2018, and winners will be announced at the Australian Cyber Conference on 10 October 2018.
- read more
- Alcorn Group at Barefoot Bowls
Sep 12, 2018
The Alcorn Group team took to the green at the Merthyr Bowls club this week.
Finger-food was provided for the hungry crew, which all agreed was quite tasty (including the magpie who came to snack while we were playing). Then, breaking into four groups across two lanes, we faced off against each other to see who was the best at rolling balls in a curved line to deliberately miss the things we were aiming at. Which of us could have foreseen that the balls would roll so far, or so askew?
The competition was fierce, with light-hearted heckling to be heard throughout the match. Strategy became key, and at some points players would engage in the meta-game, rolling their ball into blocking positions for the adjoining game, thereby disrupting potential future combatants.
Reece’s Rockin’ Rollers proved strong against Harvey’s Hackers, but Dook’s Divas took the day, finishing off against Kleidon’s Klassics. A great day was had by all.
- read more
- Effective Security for Smaller Organisations
Sep 5, 2018
The need for effective security is not just limited to large organisations. Smaller organisations equally need to consider the importance of the information they hold, and the impact to their business and customers if this information fell into the wrong hands or was no longer available.
While there are many best practice standards available to guide good security implementation, their relevance and ability to be applied in smaller organisations may not be clear. This can make it difficult for smaller organisations to determine the scope and extent of security controls that they can practically implement, and whether they have the internal capability to do so.
As highlighted in a recent podcast interview with AEMO’s Chief Security Officer, Tim Daly, standards like the NIST Cybersecurity Framework are available for organisations of all sizes to use. The interview also highlighted partnering with a service provider for assistance where internal expertise may not be available.
How can the NIST framework help? While comprehensive and detailed in nature, the framework still offers a good model for smaller organisations to adopt, being based around a lifecycle approach to cybersecurity-related risk. It aims to guide organisations to:
- Identify the information and services that are important to the organisation
- Protect those important assets through proactively identifying and implementing appropriate security measures at a level appropriate for the organisation
- Detect malicious or unauthorised activities that could put the organisation’s information and services at risk
- Respond to those activities effectively to minimise any impacts
- Recover any impacted information or services in a planned, timely and effective manner.
Still not sure where to start and what to do? Alcorn Group can work with your organisation to perform a NIST capability and gap assessment to help determine your organisation’s current security posture. We can also provide recommendations on appropriate cybersecurity measures to address any gaps and guide you on their implementation. These activities together will help your organisation achieve the first two stages of the NIST framework – “Identify” and “Protect”.
Do you need a trusted partner to perform those ongoing security functions that your organisation does not have the internal capability to deliver? Alcorn Group can tailor a managed security service to fit your organisation’s needs. From effectively planning for and responding to cybersecurity incidents, through to assisting with returning impacted services to normal operations, our managed security service solutions will help your organisation achieve the final three phases of the NIST framework – “Detect”, “Respond” and “Recover”.
- read more
- Regulatory Requirement for Aviation Security Identification Card (ASIC) Issuing Bodies
Sep 4, 2018
The Aviation Transport Security Regulations 2005 require issuers of ASICs (“Issuing Bodies” or “IBs”) to establish and implement a program of procedures to ensure they perform functions and exercise powers in an appropriately secure manner. Recent regulatory oversight has highlighted the need to ensure these procedures adequately address how electronic information about ASICs and ASIC applications is handled and stored.
Alcorn Group suggest that IBs ensure that their systems that contain or host ASIC information meet the ACSC Essential Eight and OWASP Top 10 requirements. Alcorn Group also suggest that IBs audit their procedures annually to ensure ongoing compliance. As a CREST certified organisation, Alcorn Group can assist IBs by independently assessing their systems’ compliance through:
- conducting assessments against the ACSC “Essential Eight” mitigation strategies
- performing OWASP “Top 10” assessments and penetration tests of web applications
- assessing and testing other procedures in the IB’s ASIC program.
Alcorn Group can work with IBs to develop an annual independent assessment and testing program that meets the IB’s regulatory obligations, with engagements scheduled throughout the year, and as part of a multi-year program if desired.
- read more
- Third Party Security Assessments Now Offered by Alcorn Group
Aug 20, 2018
Due to demand from our clients and the recent release of APRA Draft CPS 234 we are very pleased to announce that we now offer Third Party Security Assessments to meet the needs of your business. See below for more information about TPAs or contact us.
To assist in meeting corporate, customer and regulatory obligations, Alcorn Group can conduct third-party security assessments on behalf of your organisation. These assessments are in questionnaire format and are aligned to recognised industry standards for information security.
Alcorn Group will work with you to conduct the assessments of your nominated third party service providers via your organisation’s nominated contact. Third-party responses will be assessed based on information and evidence provided. Assessment results will be reported back to your organisation with areas of concern highlighted for further consideration and remediation tracking.
Our approach ensures a consistent and reliable means of gaining visibility over third-party information security controls while freeing up your internal resources to focus on other important activities. Packaged with our other security services, this service will assist in providing greater independent assurance over your organisation’s security posture and management of third-party risk.
- read more
- Release of OAIC Notifiable Data Breaches Quarterly Report (April - June 2018)
Jul 31, 2018
The Office of the Australian Information Commissioner (OAIC) has released its first full quarterly report of statistics on notifiable data breaches reported during the April to June 2018 period. Key results highlight that of the 242 breach notifications reported:
- 142 (or 59%) were attributed to malicious or criminal attacks, of which 97 were cyber incidents.
- Of the 97 cyber incidents reported, the majority were attributed to compromised credentials resulting from phishing, brute-force attacks, or by unknown methods.
Organisations can better protect the personal information they hold through establishing a regular program of security assessment and testing to identify and remediate vulnerable targets before they are compromised. Alcorn Group specialises in performing vulnerability assessments and penetration testing, which combined with our other services such as red teaming and threat and risk assessments, can provide a broad and effective means to assist with mitigating the risk of data breaches.
- read more
- Alcorn Group Sponsors Appsecday 2018
Jul 24, 2018
“AppSec Day is Australia’s only conference dedicated entirely to application security. Aimed at providing a welcoming environment for developers, testers, devops engineers and security professionals alike. To improve their application security knowledge, skills and to network with other like minded professionals. With a day filled with talks, hands on workshops and panel sessions to learn all things application security.”
Appsec Day is a fantastic event where you can immerse yourself in great talks, network with other security-minded professionals and attend hands-on workshops all in the same great location - RMIT University in Melbourne.
Join us on October 19th 2018
- read more
- Draft APRA Prudential Standard CPS 234 on Information Security
Jul 17, 2018
In response to the increasing frequency, sophistication and impact of information security attacks, in March 2018, APRA released draft Prudential Standard CPS 234 on Information Security. The proposed standard will require regulated entities to ensure they have effective security controls in place to protect against and respond to such attacks.
Australian regulated entities impacted by the proposed new standard are banks, building societies, credit unions, life and general insurance and reinsurance companies, private health insurers, friendly societies and superannuation funds (excluding self-managed funds). The standard broadly covers the following areas that regulated entities will need to address:
- Information security roles and responsibilities
- Information security capability and policy framework
- Information assets and controls, including incident management
- Controls testing and internal audit
- APRA notifications
The consultation period closed in June 2018, and it is expected that the final version of the standard will be released in late 2018. The proposed effective date for the new standard is 1 July 2019.
In preparation, regulated entities will need to assess their current information security control environment, identify any gaps, and develop and execute action plans to address any shortfalls. With its broad scope of security services, Alcorn Group can assist organisations with performing these assessments, as well as provide ongoing support for meeting the new requirements beyond the proposed effective date.
- read more
- Creating Secure Passwords
Jul 6, 2018
With the enormous number of passwords we require in our day to day lives, it’s no wonder that people reuse them across multiple sites, or use the minimum complexity they can get away with. How does anyone store that many complex passwords in their head all at once?
A good password is hard to guess but easy to remember. It has uppercase letters and lowercase letters, numbers, special characters, and it is long. It doesn’t include any personal information.
This scares a lot of people, but it doesn’t have to look like this:
On the other hand, it shouldn’t look like this:
Instead, there is another method of creating a good password, called a passphrase. It has uppercase letters and lowercase letters, numbers, special characters, and it is long.
It looks something like this:
The phone sits next to 3 keys. It is on the desk!
Not all password fields will allow spaces; this can be alleviated by using a different character instead of a space.
For example, if I replace the space with the letter z:
A passphrase gains complexity with each element that is included in it, but it remains easy for a human brain to recall. It’s also easier to input without errors than the original complex password shown.
But the program says my password is too long!
Sentences are wonderful things. They vary in length. If the program or website that you’re constructing a password for doesn’t allow a lengthy password, choose a shorter one. Shorter sentences can be memorable, while still having complexity. It’s preferable to aim for the upper margins of what’s allowed, rather than the lower margins. If the program allows for a password of 4-14 characters, choose 14 characters rather than 4, such as in this example:
So why can’t I use this great password everywhere?
It’s important to avoid reusing passwords. Not every organisation will safely store your password, and if you’ve reused passwords and one site gets breached, this can then mean that other sites you use are also affected.
Are there bad passphrases?
Not all passphrases are good to use as passwords. Book or song titles, song lyrics, or commonly known quotes may be present in password dictionaries. However, creating a unique sentence about the things around you will ensure that you’re not treading the same territory that hackers have already covered.
Meanwhile, you can check if your account has been breached by searching at https://haveibeenpwned.com/. This handy service will allow you to see what the breach was, when your account was breached, whether your details were pasted anywhere, and the source of the breach.
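The claims above, that a passphrase gains complexity with each element, that replacing spaces keeps the password usable, and that lyrics and quotes belong to territory attackers have already covered, can be put into numbers. The Python below is an added example, not code from the original article: it estimates the entropy of the article's own passphrase two ways, first as an attacker guessing character by character (which flatters any long string) and then as an attacker guessing whole words from a vocabulary whose size (2000) is an assumption, and it checks a candidate against a constructed stand-in for a phrase dictionary. The short comparison password "P@ssw0rd!" is a constructed example of the "complex but short" style, and nothing here reproduces the article's missing images.

```python
import math
import re
import string

# The article's example passphrase.
PHRASE = "The phone sits next to 3 keys. It is on the desk!"

# Constructed stand-in for the lyrics, titles and quotes found in real
# password dictionaries. A real list would hold millions of entries.
KNOWN_PHRASES = [
    "let it be",
    "to be or not to be",
    "may the force be with you",
]


def charset_size(password):
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    if " " in password:
        size += 1
    return size


def brute_force_bits(password):
    """Bits of work for an attacker guessing character by character.

    This is an upper bound: it treats every position as independent, which
    is false for English words, so it overstates the strength of sentences.
    """
    return len(password) * math.log2(charset_size(password))


def word_guess_bits(phrase, vocabulary=2000):
    """Bits of work for an attacker guessing whole words.

    `vocabulary` is an assumed size of the word list the attacker tries;
    this is the more honest estimate for a sentence made of common words.
    """
    return len(phrase.split()) * math.log2(vocabulary)


def replace_spaces(phrase, filler="z"):
    """The article's workaround for fields that reject spaces."""
    return phrase.replace(" ", filler)


def _normalise(text):
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", text.lower()).split())


def is_known_phrase(phrase, known=KNOWN_PHRASES):
    """True if the phrase, ignoring case and punctuation, is in the dictionary."""
    return _normalise(phrase) in {_normalise(k) for k in known}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", PHRASE, replace_spaces(PHRASE)):
        print(f"{candidate!r}: chars={len(candidate)} "
              f"brute-force={brute_force_bits(candidate):.0f} bits "
              f"word-guess={word_guess_bits(candidate):.0f} bits "
              f"known={is_known_phrase(candidate)}")
```

The two estimates tell the article's story: the 49-character sentence scores over 300 bits against a character-by-character guesser but only about 130 bits against an attacker who guesses words from a 2000-word vocabulary, and that lower figure is still far beyond the 59 bits of the 9-character "P@ssw0rd!". Replacing the spaces with a letter removes one character class but leaves the length, and therefore the strength, essentially unchanged. The dictionary check is why the "unique sentence about the things around you" advice matters: a quote scores well on both entropy estimates and is still one of the first things a cracker tries.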
- read more
- Alcorn Group at Whisky Live 2018
Jun 29, 2018
It’s that time of year again - the time to taste some fantastic whiskies at Whisky Live.
With a range of fine spirits on offer, as well as plenty of distiller histories being told it was a tasty and informative evening.
- read more
- Alcorn Group and the Room of Many Escapes
Jun 27, 2018
- read more
- Hacking Windows Domains
Sep 29, 2016
Sydney’s newest go-to security industry conference, PlatypusCon, took place on Sat 24th September. Targeted at infosec enthusiasts of all capabilities and experience, this year’s event took on a fresh approach to conferencing - holding interactive workshops instead of talks, whereby attendees could try their hands at breaking and entering, capturing flags, hacking drones and fuzzing!
Alcorn Group’s managing consultant Lukasz Gogolkiewicz had the pleasure of demonstrating to his 50-strong audience the art of hacking Windows domains. Lukasz’s workshop took attendees on a journey of network service enumeration to identify vulnerabilities, and if possible, establish a foothold on the network. From there, it was a flag capturing mission for points via privilege escalation techniques, domain controller attacks such as password extraction and exploiting misconfigurations in service permissions.
The workshop was received well by the attendees and the opportunity for Alcorn Group to share some of the more intimate techniques behind Windows hacking was appreciated. Keep an eye out on our twitter feed and website for more information on upcoming workshops and training sessions on hacking Windows domains and web applications.
- read more
- Oceania CACS Conference
Aug 27, 2016
This year’s Oceania CACS conference is being held on the Gold Coast from September 11 -13. Run by ISACA, this is the premier event in our region for IS Governance, IS Security and IS Assurance professionals.
Alcorn Group’s founder and managing director Wade Alcorn will be presenting on Monday September 12 at 11:00am with Mayus Nath, Director of QLD Audit Office. With the theme of this year’s conference being ‘Governance, Empower, Protect’, Mayus and Wade will present to the audience their thoughts on empowering the use of new technologies by understanding attacks on Critical Infrastructure with Advanced Persistent Threats (APTs).
With information technology becoming more and more pervasive, not only in enterprises but also in social and public settings, organisations need to embrace new technologies, including the Internet of Things, in order to enter the market and be competitive. However, until recently, protection has been focussed on information systems. Wade and Mayus will discuss how organisations nowadays need to take a broader view, incorporating multiple technologies when designing and implementing security. They’ll also take a closer look at why browsers are involved in so many advanced persistent threats (APTs). Attendees will learn more about how web browsers within organisations provide opportunities for attackers.
The program of speakers for this year’s conference should ensure informative and insightful sessions for all attendees. For more information on the 2016 Oceania CACS click here
If you would like more information on Alcorn Group’s contribution to this year’s event or have any general inquiries please contact us here.
- read more
- Future of Work Security Panel
Aug 18, 2016
This week Alcorn Group’s founder and managing director Wade Alcorn had the pleasure of joining a panel of security experts in a discussion on the importance of security in collaborative cloud environments at the inaugural Redeye Future of Work (FoW) conference.
The FoW 2016 program was packed with informative sessions and keynotes from some of the Technology industry’s greatest contributors including Brisbane City’s Chief Digital Officer Cat Matson and Snowy Hydro CIO John McGagh.
An excellent opportunity for business owners and enterprise leaders to learn more about innovative technologies, successful business transformation, big data, insights and creating value was provided and it was a great pleasure for Alcorn Group to be part of the mix providing input from an information security standpoint. If you’d like more information regarding what security insights and considerations your organisation should be discussing don’t hesitate to contact Alcorn Group here.
- read more
- Alcorn Group on 'The Weekly'
May 18, 2016
Our managing director Wade Alcorn featured on Charlie Pickering’s The Weekly last week. A tongue in cheek look at “big data” had Charlie disagreeing with Wade’s assessment of most privacy data T&Cs. As Wade noted “…you practically need a legal degree to understand them”, to which Charlie quipped that he HAS a legal degree and still can’t understand them! We here at Alcorn Group are big fans of “The Weekly” and were quite chuffed to feature!!
You are no longer able to watch the segment here.
- read more
- ACSC & Blockchain Security
May 11, 2016
Our Managing Director will be presenting in Canberra at the Australian Cyber Security Centre Conference this week on all things Blockchain. Wade will delve into Bitcoin, Ripple, Ethereum and the implications of Blockchain for business and for law enforcement. Blockchain technology may be set to change the course of how the world does business - but who can honestly say they understand it? In this [presentation](http://acsc2016.com.au/program/?IntCatId=27&IntContId=7741#bitcoin), Wade will take the audience on an entertaining journey of discovery to build an understanding of this technology - what it is, who is using it, and why it may well be the biggest influence on humanity since the internet.
- read more
- Blockchain as a Service
Mar 5, 2016
Microsoft and ConsenSys partnered back in October 2015 to offer Ethereum Blockchain as a Service (EBaaS) on Microsoft Azure so Enterprise clients and developers could have a single click cloud based blockchain developer environment. The initial offering contained two tools that allow for the development of SmartContract based applications:
• Ether.Camp - An integrated developer environment
• BlockApps - a private, semi-private Ethereum blockchain environment.
Everyone, particularly Financial Services, is interested in Blockchain technology. While a platform like Bitcoin has many great uses specifically as a Cryptocurrency, Ethereum provides the flexibility and extensibility many customers are looking for.
In Financial Services, Blockchain is a major disruptor to some of their core businesses, and FinTech companies are driving innovation in this space. Ethereum is open and flexible, and can be customised to meet customer needs, allowing them to innovate and provide new services and distributed applications, or Đapps.
Ethereum enables SmartContracts and Distributed Applications (ĐApps) to be built, potentially cutting out the middleman in many industry scenarios streamlining processes like settlement. But that is just scratching the surface of what can be done when you mix the cryptographic security and reliability of the Blockchain with a Turing complete programming language included in Ethereum.
“Ethereum Blockchain as a Service” allows for financial services customers and partners to play, learn, and fail at a low cost in a ready-made dev/test/production environment. It will allow them to create private, public and consortium based Blockchain environments using industry leading frameworks, distributing their Blockchain products with Azure’s distributed (private) platform.
- read more
- Wade Alcorn delivers keynote at BrisSEC Aisa
Mar 2, 2016
Our Managing Director, Wade Alcorn, will be delivering a keynote Presentation at BrisSec on March 11th, 2016. Taking the perspective of an adversarial APT team, Wade will take you on a journey of the thought process behind hacking a browser to exploit your organisation.
It promises to be an entertaining ride!
- read more
- ASX and the Blockchain
Feb 6, 2016
The Australian Stock Exchange (ASX) has announced that it has selected US-based firm Digital Asset Holdings to develop solutions for the Australian market utilising Distributed Ledger Technology. This may be able to significantly simplify and speed-up post-trade processing. For ASX clients this could reduce back-office administration and compliance costs, while investors could experience significantly faster settlement of equity transactions – potentially in near real-time.
Adoption of Distributed Ledger Technology has the potential to stimulate greater innovation by ASX and third parties to develop new services for intermediaries, end-investors and listed companies. This would create a more competitive marketplace across a broad range of services.
- read more
- Australian Government Cyber Security Review
Jan 27, 2016
Here at Alcorn Group we are eagerly awaiting the release of the 2016 Australian Government Cyber Security Review. The issue of cyber security is one of national importance and affects every Australian citizen, and certainly every Australian business. Some estimates put the direct cost of cyber-crime to Australia at more than $1 billion a year, and this seems to be on the conservative side.
There are some great initiatives already, including the Australian Information Security Association (AISA) and CREST Australia. The Cyber Security Review will be a clear direction from the federal government and provide much-needed clarity. The announcement of funding through to 2019-20 to establish an industry-led Cyber Security Centre highlights the government’s efforts to prioritise the area of cybersecurity, and to move towards working more closely with industry, businesses and researchers.
It will be interesting to see how this Security Review evolves and as a wholly Australian owned cyber security company, we are keen to see engagement with Australian industry at a real level. We would like to see initiatives particularly around addressing the skills shortage within the industry that we see at the moment. Our managing director has long been banging on this drum and has been involved in several initiatives to lead Australia’s up-skilling in this area. How government can support Australian businesses to improve their resilience and understanding of cyber threats will also be an area of particular interest. We stay tuned!
- read more
- Alcorn Group presents at Infrastructure Saturday
Nov 22, 2015
Our Managing Director Wade Alcorn presented to a keen bunch of professionals at Brisbane’s “Infrastructure Saturday” on November 21st. Interest certainly seems to be growing around Bitcoin, Ripple, the Blockchain and Ethereum. There were lots of interesting questions and stimulating discussion. Thanks to Just People’s Adam Broadbent. Of course, a big thanks to Alan Burchill and his team for hosting the day too.
- read more
- Bitcoin User Group session was a huge success
Nov 6, 2015
Our MD Wade Alcorn had the pleasure of presenting to the Brisbane Cloud User Group on 5th November. Wade discussed Bitcoin, Banking with Ripple, The Blockchain, and the brave new frontier of Ethereum. Big thanks to Just People’s Adam Broadbent and Brisbane Cloud Group for facilitating the evening https://bnehyperv.wordpress.com.
If you missed the session, why not come along to Wade’s next presentation which will be at “Infrastructure Saturday” in Brisbane on November 21st: http://www.infrastructuresaturday.org
- read more
- Cracking the Mac Security Myth
Oct 6, 2015
Wade Alcorn is among a few security bods having a discussion in this insightful article on crn.com.au. Always interesting to explore the assumptions and myths around security and branding that are out there. As Wade states in the article: “The bad guys go where the money is”, so will we be seeing more and more attacks on Macs in the future?
More details here: Cracking the Mac security myth - CRN
- read more
- Security and Artificial Intelligence
Sep 4, 2015
Wade Alcorn recently had the pleasure of presenting to some security folk at an Australian Information Security Association (AISA) Adelaide event. Wade spoke about a topic of increasing interest within the media, and within the security world: security, artificial intelligence and big ideas.
Wade gave an entertaining and thought provoking talk on both the potential and real security implications of AI. We at Alcorn Group say - watch this space. This isn’t the last you have heard from security and artificial intelligence!
More details here: AISA National
- read more
- XSS Virus a Decade On
Aug 31, 2015
- read more
- Leak of Personal Details of Defence Employees
Aug 13, 2015
Alcorn Group’s Managing Director speaks to the ABC’s Brendan Trembath on the AM current affairs program about what’s believed to be the personal phone numbers, email addresses and computer passwords of US and Australian defence employees that have been published online.
Full story here: Article
- read more
- Cybersecurity: The New Due Diligence
Jul 2, 2015
We came across this report recently and really liked the main gist. When considering a merger or acquisition with any new company, cybersecurity is fast becoming no longer an afterthought, but a very important part of due diligence. Alcorn Group is highly skilled in providing visibility into the risks and threats any company may face.
Full story here: Article
- read more
- AusCERT Pre-Conference Presentation
Jun 1, 2015
- Internet of Hackable Things
May 24, 2015
Check out this Sydney Morning Herald article exploring a few different cyber topics that are capturing the media’s attention at the moment. Wade Alcorn was interviewed for the article, particularly around the hot off the press 2015 ACC Report into Organised Crime.
Full story here: Internet of hackable things: wired world wide open to new age of cyber crime
- Telstra's Pacnet Breach
May 21, 2015
We had a chat to Bloomberg’s David Fickling about the recent brouhaha with Telstra’s Pacnet. There’s always a spike in the interest about the who? and how? after these kinds of high profile attacks.
Another timely reminder for all businesses that your cyber security is really a prime concern for your shareholders - Telstra’s shares dropped 9 cents when this incident was announced.
Full story here: Hackers Exposed Government Data in Breach of Telstra’s Pacnet
- The Australian Crime Commission 2015 Organised Crime Report
May 20, 2015
If you have a spare half hour, make yourself a coffee and have a read through the 2015 ACC Report on Organised Crime in Australia. It makes for an interesting, if not daunting, read. The main things we took away from the report, from our perspective:
- Cybercrime ain’t going away any time soon and is becoming an increasingly significant factor in many aspects of organised crime.
- The report extrapolates that the cost of cybercrime to Australians this year will be over $936 million.
And this is based only on ACORN self-reporting by small to medium businesses, so the report acknowledges this is likely to be an underestimation. We would agree with that - many businesses avoid self-reporting, and we all know that cybercrime certainly targets large businesses and government agencies as well, sometimes with devastating impacts. So let’s face it – we are looking at a conservative estimate of over 1 billion dollars this year.
- Cyber Attacks on Australian Businesses Rose 20pc Last Year
Apr 24, 2015
Wade Alcorn chats to ABC’s “The Business” about cyber threats to Australian businesses. “…finance has been facing cyber threats for quite a long time now - it’s one of the most strongly positioned industries in Australia…” You can see the full story here: ABC News Story - Cyber attacks on Australian businesses rose 20pc last year
- Presentation at ACSC Conference: Security of Browsers - Why are APTs successful?
Apr 23, 2015
At the Australian Cyber Security Centre Conference, Wade Alcorn presented an entertaining and insightful take on APTs and web browser security in Australia today.
The presentation description was: “Why are browsers involved in many APTs? In this presentation you will learn how the web browsers in your organisation provide an opportunity for an attacker. You will explore and understand how they provide a great return on investment for your adversaries. You know them, you love them, but how far can you trust them?”
Standing room only!
More details here: ACSC Speaker Details
- Alcorn Group Leads AISA Web Hacking Workshop
Mar 27, 2015
- Crypto App Uses Single-byte XOR
Mar 10, 2015
- How Much Do We Value Our Privacy?
Mar 9, 2015
Managing Director Wade Alcorn featured in an interesting Lateline story around privacy and personal data. Check out the social experiment in the café - what happens when people start acting like apps? Are we so ready to give away our personal data when it is face to face?
More details here: ABC Interview