Business Security

Attack Surface Management - The importance of knowing what you have

Posted on 2022-05-18 by Volkis in Business Security


Here’s the problem: technology is evolving rapidly, cloud adoption is at an all time high, development is faster than ever, infrastructure has become more dynamic, and security is struggling to keep up! The first step to regaining control: knowing what you have.

Let’s talk about it!

Continue reading

How to Get the Most Out of Your Penetration Test 🤷

Posted on 2022-04-05 by Volkis in Business Security


Our experience performing thousands of penetration tests has given us an in-depth understanding of common issues when engaging a consultant to complete a penetration test. We like to see our customers get the most possible value out of their penetration tests. Much of the responsibility lies with the penetration test provider, but cooperation and communication from our customers is also a key factor in the value that is provided.

In this article, we will be outlining some ways in which you, as an organisation receiving a penetration test, can get the most value for the money you are spending.

Continue reading

What questions should a board ask about cyber security reports?

Posted on 2022-02-07 by Matt Strahan in Business Security


Cyber security is now one of the top-of-mind topics for boards in Australia. Security assessment reports including technical reports such as from penetration testing are being placed in board papers. Although cyber security skills are becoming more commonly represented in boards, it is still the case that boards are called to interpret and act on the results of cyber security assessments without really understanding the practicalities that can underly it all.

What makes it even more difficult for board members is that the regulation and standards around cyber security reports aren’t as mature as for financial reports. While there’s a lot the cyber security assessment report might say, there’s also information that you might not be able to get until you ask the right questions.

While this is not a comprehensive list of questions you might want to ask, I’ve put together some questions that might uncover some of the gotchyas and catches you might not expect when reading a cyber security assessment report.

Continue reading

What to do to prepare for a penetration test

Posted on 2021-03-31 by Matt Strahan in Business Security


You’re spending a lot of money on getting your systems tested, with expensive consultants spending days, weeks, or even months making sure your systems are secure. You want to get the most for your money, right? You can make the test more effective just by properly preparing.

In general, the more you put into something the more you’ll get out. Penetration testing is no exception. With five steps you can properly prepare for testing, make the test run smoother, and get a better result.

Continue reading

Cease and desist from calling our products insecure

Posted on 2021-03-03 by Matt Strahan in Business Security


Earlier today Xerox reportedly threatened the Airbus Security Lab researcher Raphaël Rigo with legal action to prevent him from presenting at the Infiltrate security conference. Although obviously we haven’t seen the presentation, the summary said that he was going to talk about vulnerabilities in Xerox printers and give tips on how to secure them.

Is this going to prevent vulnerabilities from being exploited in the wild, or are the organisations who have Xerox printers now just less secure because they won’t know the steps they might need to take to protect themselves?

Continue reading

Our competitor has worse security, so we're doing well aren't we?

Posted on 2021-02-23 by Matt Strahan in Business Security


In business you have a day-to-day competition that feels very “survival of the fittest”. Your competitors come up constantly in meetings. You note their movements and announcements and try and match their moves. Companies don’t exist in a bubble, they exist in a constantly moving industry and competitive landscape.

It’s no wonder then that when we talk about risks for a business after performing penetration testing or testing their compliance against ISO27001 or NIST we’re asked “how does this compare to the industry we’re in?” This is a valid question, don’t get me wrong, but I sometimes wonder, what difference does it make?

Continue reading

Security and availability in healthcare

Posted on 2020-10-08 by Matt Strahan in Business Security


Imagine you’re laying on a hospital bed in an emergency room. The doctors and nurses are rushing around in seemingly organised chaos. You hear beeping and shouting as they investigate and prepare. Imagine the fear you feel, the uncertainty of this life or death situation. Imagine, then, you hear a voice of a doctor: “Damn I can’t remember my password!”

When considering security in healthcare it sometimes feels like you’re going into an entirely different domain. One of the biggest mistakes in cyber security is to treat every organisation the same way, a one size fits all approach. Healthcare has such a different set of rules and requirements to most businesses that it’s hard to even slightly entertain that illusion.

When asked about security in healthcare, most people’s minds go to the security of their patient data. They think about their privacy, about those sensitive answers they give the doctor. When you think about mental health practices, patient records can be as personal as your diary, and the exposure of those records would be violating. Is that the worst case when it comes to healthcare cyber security though?

Continue reading

Building vulnerability disclosure terms

Posted on 2020-09-21 by Matt Strahan in Business Security


We have now released new vulnerability disclosure terms for Volkis. You can look at them here. They were based off the excellent disclose.io templates pushed by Bugcrowd among others. I’d like to take a bit of time to talk about why vulnerability disclosure terms are important and why each and every company, no matter how large or small, should have them.

Continue reading

How could Twitter have stopped the attack? (Part 2)

Posted on 2020-07-22 by Matt Strahan in Business Security , Social Engineering


Last week Twitter had a successful social engineering attack that pushed through a Bitcoin scam. The scam netted about $120k for the scammers, but for Twitter it caused huge damage to their brand with the news of this attack going around the world.

Although we don’t have any hidden information about the Twitter hack that’s not already public, I thought it would be fun to look at the kinds of security controls that would help stop this kind of attack.

Yesterday we looked at all the multi-X controls. Today we’ll be looking at other strategies that can help mitigate the compromise.

Continue reading

How could Twitter have stopped the attack? (Part 1)

Posted on 2020-07-21 by Matt Strahan in Business Security , Social Engineering


Last week Twitter had a successful social engineering attack that pushed through a Bitcoin scam. The scam netted about $120k for the scammers, but for Twitter it caused huge damage to their brand with the news of this attack going around the world.

Even with the greatest of anti-phishing and anti-malware security stack, social engineering attacks are extremely difficult to stop. In our social engineering exercises we may call a 5% response rate to a social engineering attack a good result, but for many organisations just having one response is a catastrophic scenario.

Many guides when they talk about social engineering talk about user training and “users being the weakest link”. While security awareness is important, the social engineers are smart. It’s almost impossible to tell the difference between what is real and what isn’t. Why are we blaming users when they’re being put in an impossible situation?

Continue reading