Blog

Basic security for humans in 4 Fridays

Posted on 2022-03-09 by Alexei Doudkine in Tools of the Trade


This post is going to be a little different. Instead of talking about the industry or business security, I’m going to share my guide on how to set up your own basic personal security. It is intended to be followed by non-technical people in 4 Fridays. My goal is to get as many people on this basic programme as I can, so I do ask you to share it with your friends and family. And, if you are a bit more tech-savvy, please help them along the way. 🙂


How to Share Social Media Credentials Securely

Posted on 2022-03-01 by Jessica Williams in Tools of the trade


Social media has become the platform that companies all over the world use to communicate with their customers, clients, critics, and investors. An attacker who gains access to an organisation’s social media accounts is able to send any message that they wish, posing as the organisation. Sending the wrong message on social media can cause a backlash and bad publicity, and in rare cases can even be illegal, as Elon Musk found out in 2018 when he was sued by the SEC over one of his tweets.


What questions should a board ask about cyber security reports?

Posted on 2022-02-07 by Matt Strahan in Business Security


Cyber security is now one of the top-of-mind topics for boards in Australia. Security assessment reports, including technical reports such as those from penetration testing, are being placed in board papers. Although cyber security skills are becoming more commonly represented on boards, it is still the case that boards are called on to interpret and act on the results of cyber security assessments without really understanding the practicalities that underlie them.

What makes it even more difficult for board members is that the regulation and standards around cyber security reports aren’t as mature as for financial reports. While there’s a lot the cyber security assessment report might say, there’s also information that you might not be able to get until you ask the right questions.

While this is not a comprehensive list of questions you might want to ask, I’ve put together some questions that might uncover some of the gotchas and catches you might not expect when reading a cyber security assessment report.


State of Volkis - what do we do well and what should we improve?

Posted on 2022-02-04 by Matt Strahan in Volkis News


A few weeks ago we had an internal strategy session with everyone at Volkis. In this session we only discussed four questions:

  • What does Volkis do well?
  • What can we improve?
  • What are pain points that could be taken away?
  • What does Volkis stand for?

Usually when companies do this they keep it close, especially the “what can we improve” section. Transparency, though, ended up being something that everyone liked and wanted us to keep doing. In this spirit, everything we talked about in that session has been uploaded to our handbook as The State of Volkis.


PEN-300 Course Review

Posted on 2021-05-21 by Alexei Doudkine in Certifications


It’s done! I just completed my OSEP exam and submitted the report. In true Offensive Security style, the course was challenging but very doable given enough motivation. But was it worth it? Did PEN-300, one of Offensive Security’s new replacement courses for the outdated and retired Cracking the Perimeter course, live up to expectations? If you’re thinking about taking the course, read on as I go into the good parts and bad parts of the course.


What to do to prepare for a penetration test

Posted on 2021-03-31 by Matt Strahan in Business Security


You’re spending a lot of money on getting your systems tested, with expensive consultants spending days, weeks, or even months making sure your systems are secure. You want to get the most for your money, right? You can make the test more effective just by properly preparing.

In general, the more you put into something the more you’ll get out. Penetration testing is no exception. With five steps you can properly prepare for testing, make the test run smoother, and get a better result.


Cease and desist from calling our products insecure

Posted on 2021-03-03 by Matt Strahan in Business Security


Earlier today Xerox reportedly threatened the Airbus Security Lab researcher Raphaël Rigo with legal action to prevent him from presenting at the Infiltrate security conference. Although obviously we haven’t seen the presentation, the summary said that he was going to talk about vulnerabilities in Xerox printers and give tips on how to secure them.

Is this going to prevent vulnerabilities from being exploited in the wild, or are the organisations who have Xerox printers now just less secure because they won’t know the steps they might need to take to protect themselves?


Our competitor has worse security, so we're doing well, aren't we?

Posted on 2021-02-23 by Matt Strahan in Business Security


In business you have a day-to-day competition that feels very “survival of the fittest”. Your competitors come up constantly in meetings. You note their movements and announcements and try and match their moves. Companies don’t exist in a bubble, they exist in a constantly moving industry and competitive landscape.

It’s no wonder then that when we talk about risks for a business after performing penetration testing or testing their compliance against ISO27001 or NIST we’re asked “how does this compare to the industry we’re in?” This is a valid question, don’t get me wrong, but I sometimes wonder, what difference does it make?


The Volkis independence policy

Posted on 2021-02-16 by Matt Strahan in Industry


When setting up Volkis, we wanted to set up a team the way we perceive that it should be set up: with quality, skill, effectiveness, ethics, and transparency. We didn’t only look at the security industry for inspiration, though. Instead of just looking in, we looked around at other industries as well. Cyber security is barely a child, only having really been around for a few decades. Other industries have centuries if not millennia on us.

We looked over at finance and found that what their auditors do is in essence similar to what we do, but their processes and standards have a maturity that we don’t have. After all, cyber security isn’t known for being mature in processes, standards, personality…

Let’s take a look at one standard in the finance industry but practically unheard of in cyber security: the independence policy.


Our first anniversary

Posted on 2021-02-09 by Matt Strahan in Volkis News


Today marks the one-year anniversary of our official launch!

We’re thrilled with what we’ve been able to achieve over the past year. It’s extremely humbling to receive so much support from friends, family and colleagues; we couldn’t have done it without you. Thank you! 🍻
