The Latest

31 May 2022: The South Australian (SA) government is launching a bug bounty program through the Department of Premier and Cabinet (DPC) to encourage cyber security researchers to discover weaknesses in the organisation’s technology. The DPC revealed that 234 of the SA government’s environments have not undergone pentesting in the past three years. In 2021 the SA government allotted a AU$20 million budget for its cyber defence program to establish cyber security operations centres (CSOC). No exact amount was mentioned for the financial compensation of researchers who successfully discover vulnerabilities.

In 2019, New South Wales created the state’s first bug bounty program through the Service NSW digital driver’s licence. The U.S. Department of Homeland Security (DHS), on the other hand, launched a similar program last year, which rewards participants with the highest bounties based on the severity of the bugs.

Why it’s Important

Crowdsourcing ethical hackers to discover cyber vulnerabilities is a necessary way for organisations to validate whether weaknesses exist within their applications. Both public and private organisations benefit from improved remediation time, because more vulnerabilities are detected before they can be used in a data breach. In addition, such a program gives access to top talent more cost-effectively than maintaining an in-house team that is paid under contract whether or not it finds any issues.

While websites often undergo vulnerability testing as part of routine maintenance and security practice, a bug bounty program also has to weed out amateur hackers who simply run free online tools against a site to flag security flaws or misconfigurations. Some of these tools include SSL Labs by Qualys, Security Headers by Probely, and CookieServe by CookieYes. The reports they produce are of little to no value and only add to the workload of the organisations that have to review and verify the findings.

A well-managed bug bounty program, on the other hand, can provide excellent feedback on the security of a site. It harnesses the expertise of many researchers and encourages responsible disclosure. For example, the bug bounty vendor Bugcrowd now offers a posse of testers as an option for pentesting a website.

In addition, a bug bounty program can be used to test how well the in-house security team, and the tools it already uses, detect flaws on the organisation’s websites.

However, IBRS also underscores the limitations of such a program. For instance, when an organisation doesn’t have a transparent and clear scope for testing, participants may go beyond ethical frameworks, or breach regulatory compliance standards.

In addition, when many vulnerabilities are discovered, the cost of the financial incentives rises. This can include payouts for security issues that were reported earlier but not immediately remediated.

Finally, not even a bug bounty program will stop malicious hackers from researching, testing and taking advantage of flaws to attack a site. However, encouraging ethical hackers to discover vulnerabilities first is essential, so organisations can get ahead of outsiders who would exploit such weaknesses.

Who’s impacted

  • CEO
  • Cyber security teams
  • CIO

What’s Next?

  • Ensure that the website hosts a security.txt file. It tells researchers who to contact about security issues and links to any vulnerability disclosure or bug bounty programs in place. The format is now standardised as RFC 9116, issued by the Internet Engineering Task Force (IETF) to guide vulnerability disclosure.
  • Establish a closed bug bounty that is open only to named researchers. This caps the financial incentives paid out for successful discoveries, and the organisation can later open the program to a wider audience. At the same time, tightly define what is in and out of scope. Manage this progressively, since researchers quickly become frustrated when the coverage of the program is not transparent.
  • Do not rely on bug bounty programs, which surface individual vulnerabilities, as a long-term security strategy. Instead, examine the full attack surface rather than relying only on incremental improvements.

Related IBRS Advisory

  1. Advancing cyber security capabilities requires continual maturation
  2. The difference between fraud and cybercrime

The Latest

24 May 2022: ActiveCampaign has acquired the email delivery service Postmark and the email authentication service DMARC Digests to improve its sales and marketing communications features. With the integration of Postmark, ActiveCampaign users can send transactional emails through a drag-and-drop tool that engages more non-technical users. With the DMARC Digests feature, users can easily identify the sources that send unauthenticated emails resulting in DMARC failures.

Why it’s Important

Email marketing tools are evolving rapidly, with platform features that support greater usability. In addition, allowing recipients to reply to transactional emails, as Postmark’s feature does, can help improve recipients’ engagement with the organisation.

As with other Cloud analytics vendors, IBRS expects more mergers and acquisitions among customer experience automation firms. It projects that more no-code features will be integrated to streamline the email building process. This will help marketers and non-developer teams create, maintain and analyse their marketing campaigns while simplifying their workflows.

However, these drivers also mean that more email automation is on the way. In turn, this means more scrutiny of email quality, trust and delivery.

Who’s impacted

  • CMO
  • Sales and marketing teams

What’s Next?

Organisations should look at how their digital marketing can improve customer engagement. No-code/low-code platforms help cut down the time to build campaigns and also create better analysis of marketing initiatives. However, they must not only leverage new technologies and integrations that optimise each customer’s touchpoint, but also consider compliance regulations, customer analytics and engagement to accelerate return on investment (ROI) in lead conversion.

Related IBRS Advisory

  1. Reduce Email Overload to See a New World Order
  2. Measuring Marketing return on investment

The Latest

12 April 2022: Research by risk consulting firm Kroll revealed a 356 per cent surge in common vulnerabilities and exposures (CVEs) or zero-day vulnerabilities (also known as freshly announced threats) in the last three months of 2021 compared to the previous quarter. By December, an increase in new ransomware variants detected in ManageEngine, ProxyShell, VMware and SonicWall pushed CVE logs to an all-time high.

Kroll’s industry survey revealed that while phishing remained the most popular initial access infection vector, at 39 per cent in the fourth quarter, exploitation of CVEs rose from 6 per cent to 27 per cent in the same period.

Source: Q4 2021 Threat Landscape: Software Exploits Abound

Why it’s Important

Ransomware incidents continue to impact Australian organisations, which are considered prime targets due to (a) their capacity to pay and (b) the relatively immature (by global standards) cyber-defence and cyber-response capabilities of a large number of mid-sized enterprises. Because of their weak defence postures, many of these organisations struggle to close common vulnerabilities, let alone zero-day exploits, quickly enough to avoid intrusions.

Organisations need to address their ability to defend against such attacks and to respond appropriately so as to limit the impact of breaches. More effort is required across industries, rather than just within individual businesses, to contain the likelihood of attacks impacting productivity, reputation and financial resources. This will support the sharing of intelligence and the growth of cyber-defence nationally.

Who’s impacted

  • CMO
  • Development team leads
  • Business analysts

What’s Next?

  • Cyber-defence can no longer be left to a 'best effort' basis by ICT groups. Organisations that lack a dedicated cyber security specialist must seek out specialist services, peer groups and forums, and actively adopt better practices from these groups.
  • Evaluate the status of your enterprise’s ransomware defence and look into the strengths and weaknesses of your current security posture.
  • Create a dedicated team that will develop a roadmap to improve the organisation’s stance against ransomware.

Related IBRS Advisory

  1. The Security Impact of Remote Working: Find the Gaps in (Zero) Trust
  2. Use Security Principles to Guide Security Strategy
  3. Reducing the Risk of a Successful Ransomware Attack

The Latest

12 April 2022: Low-code enterprise software developer OutSystems announced Integration Builder’s (IB) support for Generic PostgreSQL version 13, Aurora PostgreSQL version 12, as well as non-relational database MongoDB. Prior to the announcement, OutSystems only supported a limited number of platforms including MySQL, Oracle, Azure SQL and SQL Server. With more connection options for infrastructure servers, users can now better develop applications where data resides in Cloud-based, high-capacity, elastic databases.

Why it’s Important

As low-code plays an increasing role in application delivery, the adoption of open-source databases will become increasingly common for several reasons. First, it opens up low-code applications to existing solutions, and allows existing applications built on these databases to be extended by low-code developers. Second, it has the potential to reduce the overall cost of a low-code architecture. Finally, the inclusion of elastic databases allows low-code to be used for massive-scale data applications.

Therefore, organisations considering a new low-code platform with connected services from different sources should look into how the vendor caters to the evolving hyperscale Cloud computing market to support the scalability and high-performance needs of clients. As previously noted by IBRS, the most successful vendors will be those that require minimal changes to enterprises' existing SQL Server application code, and that offer fast migration and easy switching to other tools post-migration.

Who’s impacted

  • CTO
  • Development team leads
  • Business analysts
  • Low-code centre of excellence

What’s Next?

Review the low-code spectrum to determine which types of low-code capabilities your organisation needs in the near and mid term, and which are most likely to be needed in the longer term. In addition, assess the risks associated with adopting a new operating model and platform before investing in any low-code platform.


Related IBRS Advisory

  1. Considerations for Selecting Modern Low-Code Platforms
  2. VENDORiQ: AWS Babelfish Brings PostgreSQL to its Hyperscale Database