Business Security

“We need to strike the balance between security and convenience” … but do we?

Posted on 2020-04-22 by Matt Strahan in Business Security


I often hear a common phrase from people both in the security industry and those who are now faced with dealing with cyber security in their business: “We need to strike a balance between security and convenience!”

It’s a phrase that makes it feel like we’ve got a line with convenience at one end and security at the other. We have a slider on that line, and security as an exercise is really about picking the exact right point for that slider to land on. “This is a critical environment, so let’s take 20% convenience and 80% security.”

Maybe security within organisations is actually a battle between two parties: “Security” against “Convenience”. Maybe one of the solutions could be that organisations have a “Convenience” department like the security departments they currently have. Should we have a “Chief Convenience Officer” that sits alongside the CISO when reporting to the board?

Is that really how it is? A never-ending battle between security and convenience? Is there really such a trade-off between security and convenience?

Continue reading

Are you opening a security hole for your remote workers?

Posted on 2020-04-02 by Matt Strahan in Business Security


On Tuesday Shodun showed that the number of RDP servers exposed to the internet has skyrocketed, going up by 30%. Just having RDP exposed to the internet is pretty much automatically considered a vulnerability in our penetration testing, as it’s a complex protocol that has a history of vulnerabilities (most recently BlueKeep), and exploitation can lead to administrator access to the system. Given that most RDP servers have to be connected to an Active Directory domain, often administrator access is all you need to completely compromise the network and all its data.

Clearly the rise in remote working has caused some windows to be opened in organisations’ environments. While remote working doesn’t have to be a security nightmare, it can still be surprisingly easy to open holes in your security in the name of remote working.

The two main reasons for this is a lack of a strategy and technical debt.

Continue reading

Why remote working isn’t the security nightmare you think it is

Posted on 2020-03-19 by Matt Strahan in Business Security


A couple of days ago we posted up tips and advice to deal with this period of remote working. It’s a scary time not just for our health but also for our security, with organisations suddenly needing to have everyone to stay away from the office and to work from home, safe from the coronavirus.

For today, I’d like to provide a bit of reassurance: this period of remote working probably won’t present new risk to your organisation. Don’t get me wrong – there’s still a lot of risk in cyber security, but having a whole bunch more people working remotely probably isn’t going to open you up to new threats.

Continue reading

Security precautions for remote work – Quick wins

Posted on 2020-03-17 by Alexei Doudkine in Business Security


The sad truth of the world is that there are people out there who will take advantage of the COVID-19 crisis. As more organisations shut down their offices and ask employees to work from home, those that are less geared towards remote work will be targeted by threat actors.

It is my goal to give organisations pushing for remote work the basic necessities for securing their remote workforce. Rather than long-term strategies, these are things you can do or start doing this week to protect your employees and keep the organisation safe at the same time.

Continue reading

Attacking the backups

Posted on 2020-03-13 by Matt Strahan in Business Security


There are a critical systems inside any organisation where the compromise of those systems are almost automatically business threatening. When performing penetration testing we try and think about the “crown jewels” as a bit of a target – if we get access to this the risk is pretty well self evident. Most of these systems are the obvious: financial systems, domain controller, key business process systems, safety systems, and often the web presence nowadays. One such system that is not considered nearly enough is the backup system.

Let’s first look at the obvious: to properly backup data, the backup systems have to have access to that data. This means the backup systems often have the keys to the kingdom, so to speak. If the backup systems are compromised, then all of your data should be considered compromised.

Believe it or not, though, in modern IT environments the backup systems are even more important than just having access to data.

Continue reading

Should you go for bug bounties or penetration testing?

Posted on 2020-03-03 by Matt Strahan in Business Security


At school I was taught that a good piece of writing should “say what you’re going to say, say it, then say what you’ve said”. In that vein, I’m going to talk about the advantages and disadvantages of bug bounties and penetration testing but it will all come down to this:

Why not both

Penetration testing and bug bounties tend to complement each other extremely well. The disadvantages of penetration testing tend to be the advantages of bug bounties and visa versa. Let’s go through it in more detail.

Continue reading

The Five Whys and security vulnerabilities

Posted on 2020-02-20 by Matt Strahan in Business Security


When reading about the Toyota Production System and the Lean Methodology, a remarkably simple technique was talked about called the “Five Whys”. It was used by Toyota to solve the underlying problems, not just the symptoms. The technique was made popular by books such as The Lean Startup.

When there is a production failure, outage, or problem, the “Five Whys” facilitator will bring all the relevant people into a room and ask “why” again and again to try and pull the thread of the full sequence of events that led to the issue. The Wikipedia page for Five Whys gives this example:

  • Why? – The battery is dead. (First why)
  • Why? – The alternator is not functioning. (Second why)
  • Why? – The alternator belt has broken. (Third why)
  • Why? – The alternator belt was well beyond its useful service life and not replaced. (Fourth why)
  • Why? – The vehicle was not maintained according to the recommended service schedule. (Fifth why, a root cause)

When reading about this technique, I began thinking about security vulnerabilities. How often do we talk about patching the vulnerability without thinking enough about what caused the vulnerability in the first place? And I’m not just saying “we didn’t do the patch”, I’m saying the underlying processes that people don’t even realise are there that made us end up here.

Continue reading

6 things to look for when choosing your penetration test company

Posted on 2020-01-29 by Alexei Doudkine in Business Security


Nothing grinds my gears more than seeing companies flog cheap, crappy scans as penetration tests. It insults penetration testers like myself, but worse than that, it exploits the unsuspecting clients that genuinely want to improve their security.

When a company realises that they need a penetration test, this task is usually delegated to one person who is almost never a penetration tester themselves. They may have had some experience in the past with selecting a company to perform penetration testing and the outcomes may or may not have been satisfactory. A lot of uncertainty in that last sentence, isn’t there?

The fact of the matter is, penetration testing can be a bit of a mystery and it can be extremely hard to know if the one you chose will be good or not. It’s like when you go to the mechanic to service your car. You drive your car in, leave it for a day, pick it up and drive it out. The car feels exactly the same. Did the mechanic do anything, or did you just pay for some very expensive parking?

Continue reading

The easiest way to test your detection and response capability

Posted on 2020-01-21 by Matt Strahan in Business Security


Every year there’s a guy who comes out and tests my smoke alarm. The smoke alarm guy visually inspects the alarm, runs the internal test, and then uses a small device that, in my head, I ignorantly name “the smoke gun” to trigger the alarm. It’s a simple process that makes sure that the alarm still works.

Watching him work, I thought it curious how so many organisations check their smoke alarms this way but have probably never actually tested whether their security systems are working or not. Probably most organisations don’t even know specifically what their security systems will detect and probably don’t have the capability or know how of testing their security system themselves. I’m going to go a bit further and show my cynicism here: Probably most organisations don’t actually know what happens when their security system alerts, don’t know what the alert looks like, and wouldn’t know what the alert would mean. It’d be like someone wandering through their home looking at the box on the roof and saying “that’s an alarm. I don’t know what it sounds like. When it goes off something is wrong – but I don’t know what it could be!”

Continue reading

I make toasters

Posted on 2019-12-23 by Matt Strahan in Business Security


In the beginnings of my career in security, I spent a long time on the technical side as a penetration tester. I was a hacker, tasked with breaking into their websites and networks, trying to test their security. Although sometimes that job can be like banging your head against a brick wall, when you get in there is definitely a rush that comes with it. When something you try works, there’s a feeling of exhilaration and victory.

I knew why I was doing it. It was fun, and I was getting paid for it. I lived for that thrill of getting in.

Being focused on what I was trying to do, I wasn’t really looking to see why the customer was getting me to do it. Why were they getting me to hack their organisation?

Continue reading