Business Security

Securing the laptops that schools give to children

Posted on 2024-05-27 by Matt Strahan in Business Security


This week Alexei and I will be presenting at the AISNSW ICT Management and Leadership Conference. Alexei is giving workshops on physical security and on moving from on-prem Active Directory to cloud-based Microsoft 365. I’ll be presenting on the Essential 8 for schools: why they might use it and what it’s trying to protect.

A while ago I talked about how healthcare has extremely specific security requirements and limitations around how it can approach security. Really, though, every industry faces its own unique challenges. Schools have the rather unique requirement of having to provision and secure devices that are going to be used by children. Imagine asking a primary school child, for example, to get out their phone and type in a multi-factor authentication code to get access to their learning platform. “Locking down” these systems must be approached in a very different way to how it is done in enterprises.

In this post I’ll be giving my opinion on it. There’s no “right way” to secure the laptops of school kids and even amongst individual schools they may have to have different approaches for different year groups, but hopefully I can give out some ideas.

Continue reading

What do you really need to authenticate?

Posted on 2024-04-30 by Matt Strahan in Business Security


I was working on a penetration test for a gym company a while ago and found a vulnerability. When looking at the profile I found you could change the number in the URL and view other profiles. “Unfortunately” you couldn’t change the other user’s password, but wait! There’s a forgotten password function and I’m able to change the user’s email address! How about I just change the email address, submit the forgotten password page, and then…great I’ve got access to the account!

For the pentesters who are reading this, this is not a particularly interesting story. It’s just the exploitation of a stock standard IDOR vulnerability using a pretty well known technique. The report would recommend requiring the user’s current password to change the email address and, of course, fixing the IDOR.

But for some reason this story was rolling around in my head not long ago and it made me think. For this company the email address ended up being just another way to authenticate. In terms of authentication it was equivalent to having the username and password. In other words, you could access the account with either a username and password or access to the email.

We all kind of know this when we think it through, but did the company treat email this way? Did they treat access to email as a method of authentication in the same way as a password?
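The chain described above, as an added example that is not code from the original post or from the gym company’s application: a minimal in-memory model of the profile and forgotten-password flow. The vulnerable mode trusts the numeric id in the URL and asks for nothing else when the email is changed; the hardened mode adds the two controls the report would ask for, authorising the edit against the session user (fixing the IDOR) and requiring the current password before the email address, which is itself an authenticator, can be changed. The user ids, addresses, passwords and the `AccountService` class are all constructed for the example.

```python
# Added example, not from the original post. Models the IDOR -> change email
# -> forgotten password -> account takeover chain, with a hardened variant.
# All users, emails and passwords below are constructed sample data, and
# passwords are kept in plaintext only to keep the model short.
import secrets


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        # user_id -> record; ids are what the app exposes in profile URLs
        self.users = {
            1: {"email": "victim@example.com", "password": "correct horse"},
            2: {"email": "attacker@example.net", "password": "hunter2"},
        }
        self.reset_tokens = {}   # reset token -> user_id
        self.outbox = []         # (to_address, token) emails that would be sent

    def login(self, user_id, password):
        return self.users[user_id]["password"] == password

    def change_email(self, session_user, target_id, new_email, current_password=None):
        """Handles 'PUT /profile/<target_id>'; target_id comes from the URL."""
        if self.hardened:
            # Fix for the IDOR: the record being edited must be the session user's own
            if target_id != session_user:
                raise PermissionError("not your profile")
            # Email is an authenticator, so re-authenticate before changing it
            if not self.login(session_user, current_password):
                raise PermissionError("current password required to change email")
        # The vulnerable version trusts the id in the URL and asks nothing else
        self.users[target_id]["email"] = new_email

    def forgot_password(self, email):
        """Sends a reset token to the address on file, whoever controls it."""
        for uid, rec in self.users.items():
            if rec["email"] == email:
                token = secrets.token_urlsafe(16)
                self.reset_tokens[token] = uid
                self.outbox.append((email, token))

    def reset_password(self, token, new_password):
        uid = self.reset_tokens.pop(token)
        self.users[uid]["password"] = new_password


def attacker_takes_over_victim(hardened: bool) -> bool:
    """Replays the chain from the post; True means the attacker can log in as user 1."""
    svc = AccountService(hardened)
    attacker, victim = 2, 1
    # A second mailbox the attacker controls, distinct from their own account's address
    attacker_mailbox = "takeover@example.net"
    try:
        # Step 1: logged in as user 2, edit /profile/1 instead of /profile/2
        svc.change_email(session_user=attacker, target_id=victim,
                         new_email=attacker_mailbox, current_password="hunter2")
    except PermissionError:
        return False
    # Step 2: request a reset for the address now on the victim's record
    svc.forgot_password(attacker_mailbox)
    # Step 3: the token lands in the attacker's mailbox, not the victim's
    to_addr, token = svc.outbox[-1]
    if to_addr != attacker_mailbox:
        return False
    svc.reset_password(token, "pwned")
    # Step 4: log in as the victim with the password the attacker just set
    return svc.login(victim, "pwned")


if __name__ == "__main__":
    print("vulnerable app taken over:", attacker_takes_over_victim(hardened=False))
    print("hardened app taken over:  ", attacker_takes_over_victim(hardened=True))
```

Note that the password check alone would not have been enough: it verifies the session user’s password, which the attacker knows, so without the ownership check the attacker would still be editing the victim’s record. Both controls are needed, which is why the report asks for both.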

Continue reading

The three questions boards should ask to manage cyber risk

Posted on 2022-11-25 by Matt Strahan in Business Security


If you were a company director and you could ask three questions to judge the cyber security of the organisation, what would they be?

Continue reading

Attack Surface Management - The importance of knowing what you have

Posted on 2022-05-18 by Volkis in Business Security


Here’s the problem: technology is evolving rapidly, cloud adoption is at an all-time high, development is faster than ever, infrastructure has become more dynamic, and security is struggling to keep up! The first step to regaining control: knowing what you have.

Let’s talk about it!

Continue reading

How to Get the Most Out of Your Penetration Test 🤷

Posted on 2022-04-05 by Volkis in Business Security


Our experience performing thousands of penetration tests has given us an in-depth understanding of common issues when engaging a consultant to complete a penetration test. We like to see our customers get the most possible value out of their penetration tests. Much of the responsibility lies with the penetration test provider, but cooperation and communication from our customers is also a key factor in the value that is provided.

In this article, we will be outlining some ways in which you, as an organisation receiving a penetration test, can get the most value for the money you are spending.

Continue reading

What questions should a board ask about cyber security reports?

Posted on 2022-02-07 by Matt Strahan in Business Security


Cyber security is now one of the top-of-mind topics for boards in Australia. Security assessment reports, including technical reports such as those from penetration testing, are being placed in board papers. Although cyber security skills are becoming more commonly represented on boards, it is still the case that boards are called to interpret and act on the results of cyber security assessments without really understanding the practicalities that can underlie it all.

What makes it even more difficult for board members is that the regulation and standards around cyber security reports aren’t as mature as for financial reports. While there’s a lot the cyber security assessment report might say, there’s also information that you might not be able to get until you ask the right questions.

While this is not a comprehensive list of questions you might want to ask, I’ve put together some questions that might uncover some of the gotchas and catches you might not expect when reading a cyber security assessment report.

Continue reading

What to do to prepare for a penetration test

Posted on 2021-03-31 by Matt Strahan in Business Security


You’re spending a lot of money on getting your systems tested, with expensive consultants spending days, weeks, or even months making sure your systems are secure. You want to get the most for your money, right? You can make the test more effective just by properly preparing.

In general, the more you put into something the more you’ll get out. Penetration testing is no exception. With five steps you can properly prepare for testing, make the test run smoother, and get a better result.

Continue reading

Cease and desist from calling our products insecure

Posted on 2021-03-03 by Matt Strahan in Business Security


Earlier today Xerox reportedly threatened the Airbus Security Lab researcher Raphaël Rigo with legal action to prevent him from presenting at the Infiltrate security conference. Although obviously we haven’t seen the presentation, the summary said that he was going to talk about vulnerabilities in Xerox printers and give tips on how to secure them.

Is this going to prevent vulnerabilities from being exploited in the wild, or are the organisations who have Xerox printers now just less secure because they won’t know the steps they might need to take to protect themselves?

Continue reading

Our competitor has worse security, so we're doing well aren't we?

Posted on 2021-02-23 by Matt Strahan in Business Security


In business you have a day-to-day competition that feels very “survival of the fittest”. Your competitors come up constantly in meetings. You note their movements and announcements and try to match their moves. Companies don’t exist in a bubble; they exist in a constantly moving industry and competitive landscape.

It’s no wonder then that when we talk about risks for a business after performing penetration testing or testing their compliance against ISO 27001 or NIST we’re asked “how does this compare to the industry we’re in?” This is a valid question, don’t get me wrong, but I sometimes wonder, what difference does it make?

Continue reading

Security and availability in healthcare

Posted on 2020-10-08 by Matt Strahan in Business Security


Imagine you’re lying on a hospital bed in an emergency room. The doctors and nurses are rushing around in seemingly organised chaos. You hear beeping and shouting as they investigate and prepare. Imagine the fear you feel, the uncertainty of this life or death situation. Imagine, then, you hear the voice of a doctor: “Damn, I can’t remember my password!”

When considering security in healthcare it sometimes feels like you’re going into an entirely different domain. One of the biggest mistakes in cyber security is to treat every organisation the same way, a one-size-fits-all approach. Healthcare has such a different set of rules and requirements to most businesses that it’s hard to even slightly entertain that illusion.

When asked about security in healthcare, most people’s minds go to the security of their patient data. They think about their privacy, about those sensitive answers they give the doctor. When you think about mental health practices, patient records can be as personal as your diary, and the exposure of those records would be violating. Is that the worst case when it comes to healthcare cyber security though?

Continue reading