Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

The Latest

28 October 2021: The US Senate voted unanimously to pass the Secure Equipment Act, which bars Huawei and ZTE from supplying equipment to US enterprises on national security grounds. Once signed by President Joe Biden, the Federal Communications Commission (FCC) will no longer grant equipment licences to companies on its ‘Covered Equipment or Services List’. A few days earlier, the Federal Bureau of Investigation (FBI) raided PAX Technology's Jacksonville warehouse following reports alleging that malware was being transmitted through the Chinese manufacturer's point-of-sale (PoS) terminals.

Why it’s Important

As a member of Five Eyes (FVEY), an alliance of countries including Canada, New Zealand, the UK and the US, for joint cooperation in signals, military and human intelligence, Australia has previously followed the US in cutting off suspicious foreign tech companies' domestic presence due to national security concerns.

  • Australia blacklisted Huawei and ZTE in 2018 from selling 5G equipment. Both firms vehemently denied the accusations of espionage over high-speed mobile networks and described the ban as discriminatory, even after offering a no-backdoor agreement. 
  • In the same year, the Australian Defence Department banned the messaging and payment app WeChat for failing to meet its standards for use on Defence networks and mobile devices, though not explicitly because of security and privacy issues.
  • In late October 2021, PoS terminals from PAX were detected sending anomalous network traffic, prompting formal requests to replace the equipment on security grounds. 

The fundamental issue here is supply chain security - the ability of nation state actors to inject spyware (or other malware) into equipment that is broadly used globally. Even where the security risks are not validated, the potential remains. It must also be noted that in the recent past, allies of Australia have engaged in such activities.

With the current geopolitics on global telecommunications being influenced by the US, sweeping impacts on the global supply chain and reduced competition in the market are likely.  

IBRS expects this technology supply spat will expand into areas outside of telecommunications, such as industrial control systems and PoS. Any widely deployed technology that can be used to impact or monitor aspects of a national economy is a likely target.

Who’s impacted

  • Telecommunications procurement

What’s Next?

Organisations considering foreign-manufactured technology products and services should look more closely at the implications of selecting such equipment or platforms. While there is still no public evidence substantiating the allegations against specific state actors, senior leaders must take the security concerns seriously and decide what risks they are willing to accept when selecting any vendor.

In addition to the security risks, there are also reputational risks, and risks associated with having to replace key solutions, such as is the case with the PAX PoS hardware.

Related IBRS Advisory

  1. Choosing Huawei could be risky - but not why you think
  2. Are you FRUSTRATED with procurement? Why procurement often goes off the rails

Conclusion: A zero trust posture is critical as the global workforce has transitioned to remote work at scale brought about by COVID-19. The need to evolve from perimeter-based cyber security measures emphasises the crucial role of least privilege in Cloud environment access and micro-segmentation in digital networks.

The slow adoption of zero trust among enterprises is in part due to the difficulty in implementing key technologies and the associated security skills and practices. It is also because security teams do not engage with the C-suite to explain and sell the importance of zero trust for the modern workplace.

In this paper, IBRS provides a high-level overview of zero trust aimed at educating executive stakeholders to the needs, benefits and challenges. Ensuring senior business stakeholders understand the drivers for zero trust is essential, as the model is more than just technology – it demands a change in the mindset of how to approach cyber risk.

Read more ...

Conclusion: There are many frameworks available that can guide an organisation’s efforts to enhance its security capability. However, most are abstract and carry very little practical detail. Thus it can be difficult to establish how to implement the aims of a framework. This is a challenge to any organisation working towards minimising risk.

The Center for Internet Security (CIS) has been evolving the CIS controls for a decade or more. They are formulated in a way that makes them a superb tactical approach to cyber security. They do not subvert the available frameworks. Rather, they supplement most frameworks by filling in the details of what to do and how to do it.

Any organisation would do well to use the CIS controls as a measure of their current security stance.

Read more ...

Conclusion:

As cyber security breaches are now an almost daily occurrence for organisations, a serious breach is a question of when rather than if. Dealing with a security breach not only impacts the organisation’s operations but, more importantly, poses a threat to its image and credibility.

Responses to breaches often focus on recovering business operations, systems, and data, while the response to impacted stakeholders takes a lower priority. However, it is this response that is at the core of protecting the organisation’s brand.

Read more ...

Conclusion:

As organisations flesh out their detection and response strategies, one new area of applicability of this technology deserves serious consideration: identity detection and response (IDR). Most current detection capabilities cluster around the malicious actor’s activity across the infrastructure, such as lateral movement using networks, system compromise using fileless malware, and even social engineering users to act on the attacker’s behalf.

Yet identity is the holy grail sought out by malicious actors in almost every penetration of a system. It is central to every IT environment. Organisations should examine IDR and assess the visibility it may bring to their detection systems.

Read more ...

The Latest

16 August 2021: VMware and AWS announced that VMware Cloud had been independently assessed by an Information Security Registered Assessors Program (IRAP) assessor against the Information Security Manual (ISM) PROTECTED controls.

Why it’s Important

IBRS has noted that VMware Cloud is becoming increasingly popular as a management platform for hybrid Cloud. Its main attraction is that it offers a smooth ‘lift-and-shift’ of on-premises vSphere environments to a hyperscale Cloud over time, with different aspects of the data centre ecosystem running in the Cloud and/or on-prem. The VMCloud approach is particularly attractive for heavily regulated organisations and agencies, since it runs on dedicated, bare-metal Amazon Elastic Compute Cloud (EC2) infrastructure. 

With the VMCloud service assessed, public sector customers have the opportunity to accelerate their Cloud migration, moving more of the load from on-prem environments to Cloud, while retaining operational consistency with their on-prem data centre.

While VMware Cloud achieving IRAP assessment at PROTECTED is very much welcome, there is also the risk that IRAP is treated more as a ‘check-box’ in a security policy than as a foundation on which to build robust security practices. Many Cloud breaches are not the result of zero day exploits or vendor misconfigurations (despite recent issues with Azure) but of weak configuration management by the customer. This is exacerbated by the ongoing skills shortage in Cloud engineers, plus the even more critical shortage of cyber security professionals.

VMware Cloud provides common approaches to managing the Cloud environment, but it is only as good as the attention to detail given to the configuration of the environment. Tools such as GorillaStack can assist, but operational security is ultimately a matter of practice.

Who’s impacted

  • CISO
  • Cloud teams

What’s Next?

When considering Cloud management tools, security certifications and IRAP assessments are a sign that the vendor has best practices in place, but are not a panacea for mitigating risk. Treat them accordingly. 

Related IBRS Advisory

  1. Cloud Security Considerations – Lessons from the Frontline
  2. PROTECTED Cloud: Cyber considerations
  3. The value proposition for PROTECTED Cloud
  4. Why Cloud Certified People Are in Hot Demand
  5. VENDORiQ: Microsoft Cloud Database Security Flaw - A Nightmare or a Wake-up Call?

IBRSiQ is a database of Client inquiries and is designed to get you talking to our advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Conclusion:

Cyber security incidents are increasing in frequency and severity. Organisations, governments, executives, and boards are now actively monitoring and probing the progress of cyber security initiatives. At the same time, there are legislative and industry-wide pressures to achieve predetermined levels of compliance. Cyber security frameworks (CSF) provide a system of standards to achieve and demonstrate cyber security maturity. However, the task of selecting an appropriate CSF is now more complex due to the number of frameworks currently flooding the market.

Read more ...

The Latest

27 August 2021: Security flaw hunters at Wiz were able to obtain the primary keys that control access to other customers’ Azure Cosmos DB accounts, and demonstrated that it was possible to read and write those customers’ databases.  

Why it’s Important

This flaw is especially worrying, because all Cloud vendors and many independent security advisors, including IBRS, have been advocating that Cloud security is generally of a far higher standard than that achieved by most in-house data centre teams. IBRS stands by this claim. But this does not mean Cloud vendors will not make security mistakes. And when they do, they will impact large numbers of organisations.

There is no evidence that this security flaw - likely an operational oversight - has been exploited. Once it was identified by Wiz (on 9 August) and flagged with Microsoft (on 12 August), the exposure was quickly closed. Unfortunately, the primary keys in question are long-lived credentials that Microsoft cannot rotate on customers' behalf. Therefore, Microsoft emailed affected customers (on 26 August) requesting they create new keys, in case the previous keys had fallen into the hands of bad actors. It is estimated that 3,300 customers have been impacted. 

To mitigate this issue, Microsoft advises Cosmos DB customers to regenerate their Cosmos DB primary keys immediately.

Even though there is no evidence the flaw was exploited, organisations should assume the worst. It is well publicised that state actors hoard such flaws for intelligence gathering. In this case, paranoia may be justified.

More importantly, the situation highlights the need for a multi-layered approach to security in the Cloud. Relying on a single control, here an account key, to secure an essential asset leaves organisations exposed to these hyperscale security flaws.  

For example, in this situation, organisations with behavioural or usage-pattern analytics monitoring the database would likely have been alerted should a bad actor start to access it, and remedial action would have been triggered. Furthermore, data from such monitoring could be used to determine the likelihood that the flaw had been exploited, something few Azure Cosmos DB customers can confirm at the moment. 
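The following is an added example of the kind of baseline-and-alert logic described above; it is not IBRS, Wiz or Microsoft code. It builds a behavioural baseline from a week of Cosmos DB style data-plane request logs, then flags requests in the exposure window that come from sources never seen before, use the account master key (the credential type the flaw exposed), perform operations never seen in the baseline, or exceed the baseline volume. The field names (ts, ip, auth, op, db, coll, status) are an assumed simplification of the Cosmos DB DataPlaneRequests diagnostic schema, the trusted network range is assumed, and all log lines are constructed using RFC 5737 documentation addresses.

```python
"""Behavioural baseline over Cosmos DB style data-plane request logs (added example)."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network


def _line(ts, ip, auth, op, status=200):
    # Helper used only to build the constructed sample log lines below.
    # Field names are an ASSUMED simplification of the DataPlaneRequests diagnostics table.
    return json.dumps({"ts": ts, "ip": ip, "auth": auth, "op": op,
                       "db": "orders", "coll": "invoices", "status": status})


# Constructed "normal" week: application servers in 203.0.113.0/24 using the account key.
BASELINE_LINES = [
    _line("2021-08-02T09:01:00Z", "203.0.113.10", "PrimaryMasterKey", "Query"),
    _line("2021-08-02T09:02:00Z", "203.0.113.11", "PrimaryMasterKey", "Create", 201),
    _line("2021-08-03T10:15:00Z", "203.0.113.10", "PrimaryMasterKey", "Read"),
    _line("2021-08-04T11:30:00Z", "203.0.113.11", "PrimaryMasterKey", "Query"),
    _line("2021-08-05T12:45:00Z", "203.0.113.10", "PrimaryMasterKey", "Upsert"),
    _line("2021-08-06T13:00:00Z", "203.0.113.12", "PrimaryMasterKey", "Query"),
]

# Constructed exposure window: a new app server inside the trusted range (benign), a bulk
# ReadFeed with the master key from an address never seen before, and an Azure AD principal
# from a third, unknown address.
WINDOW_LINES = [
    _line("2021-08-12T02:00:00Z", "203.0.113.10", "PrimaryMasterKey", "Query"),
    _line("2021-08-12T02:05:00Z", "203.0.113.13", "PrimaryMasterKey", "Query"),
    _line("2021-08-20T04:00:00Z", "192.0.2.5", "AadToken", "Read"),
] + [
    _line(f"2021-08-15T03:{i:02d}:00Z", "198.51.100.77", "PrimaryMasterKey", "ReadFeed")
    for i in range(10)
]

TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # ASSUMED application egress range
BULK_FACTOR = 3  # an IP exceeding 3x the busiest baseline IP is flagged as bulk access


def parse(lines):
    return [json.loads(line) for line in lines]


def build_baseline(records):
    """Summarise what 'normal' looks like: sources, operations and peak per-source volume."""
    per_ip = Counter(r["ip"] for r in records)
    return {"ips": set(per_ip), "ops": {r["op"] for r in records},
            "per_ip_max": max(per_ip.values(), default=0)}


def is_trusted(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def detect(records, baseline, trusted=TRUSTED_NETWORKS):
    """Return one alert per suspicious record, with a severity and the reasons for it."""
    alerts = []
    for r in records:
        reasons = []
        if r["ip"] not in baseline["ips"] and not is_trusted(r["ip"], trusted):
            reasons.append("source never seen and outside trusted ranges")
        if r["op"] not in baseline["ops"]:
            reasons.append(f"operation {r['op']} never seen in baseline")
        if not reasons:
            continue
        # A leaked account key is exactly what the flaw exposed, so master-key auth from an
        # unknown source (or combined with an unseen operation) is treated as critical.
        uses_master_key = r["auth"].endswith("MasterKey")
        severity = "critical" if (uses_master_key or len(reasons) > 1) else "high"
        if uses_master_key:
            reasons.append("authenticated with account master key")
        alerts.append({"ts": r["ts"], "ip": r["ip"], "severity": severity, "reasons": reasons})
    return alerts


def summarise(records, baseline, trusted=TRUSTED_NETWORKS, bulk_factor=BULK_FACTOR):
    """Aggregate alerts per source IP and flag bulk access relative to the baseline peak."""
    counts = Counter(r["ip"] for r in records)
    summary = {}
    for a in detect(records, baseline, trusted):
        entry = summary.setdefault(a["ip"], {
            "requests": counts[a["ip"]], "severity": "high",
            "bulk": counts[a["ip"]] > bulk_factor * baseline["per_ip_max"]})
        if a["severity"] == "critical":
            entry["severity"] = "critical"
    return summary


def assess(summary):
    """Answer the question few customers could: is there evidence the key was used?"""
    critical = sorted(ip for ip, e in summary.items() if e["severity"] == "critical")
    return {"critical_sources": critical, "assume_compromised": bool(critical),
            "recommendation": "rotate keys and hunt" if critical else "rotate keys as a precaution"}


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LINES))
    summary = summarise(parse(WINDOW_LINES), base)
    print(json.dumps(summary, indent=2))
    print(assess(summary))
```

The baseline deliberately records sources, operation types and peak volume rather than only request counts: a stolen master key used from the attacker's own infrastructure looks unremarkable on volume alone until it is compared with where and how the application normally talks to the database. In a real deployment the baseline would be built from the diagnostic export (Log Analytics or storage) and the trusted ranges from the account's firewall or private endpoint configuration.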

Another example is encryption: encryption services should be used extensively. Assume data assets will leak and repositories (including databases) will be breached, and base encryption strategies on the sensitivity of the data. 

A migration to the Cloud can often improve the security stance of an organisation, but only if security is treated as a multifaceted, ‘trust nothing’ (zero trust) philosophy.

Who’s impacted

  • CISO and security teams
  • Cloud architects
  • Cloud migration teams

What’s Next?

  • If you run Azure Cosmos DB in production, or have instances in development environments, immediately regenerate the primary keys for these databases.
  • Review your Cloud solution designs - including ‘lift and shift’ of legacy systems - to identify where single points of security failure could occur. Consider remediation using layered security services, balancing the effort against business risk and information sensitivity. 

Related IBRS Advisory

  1. Cloud Security Considerations – Lessons from the Frontline
  2. CyberArk launches AI-powered service to remove excessive Cloud permissions
  3. New generation IT service management tools Part 2: Multi-Cloud management

Conclusion:

The rapid adoption of Cloud services and the increasing and well publicised cyber security compromises have added to the security concerns within many organisations. The Australian Cyber Security Centre (ACSC) has recently published a set of Cloud computing security considerations whereby organisations are able to undertake a high level self-assessment of their cyber risks as they transition to Cloud services. IBRS has recently hosted a roundtable with senior ICT and security professionals to highlight some hands-on lessons for managing cyber security in a Cloud environment.

Read more ...

Conclusion:

There is no denying that the incidence and severity of ransomware cyber attacks, both real and fake, are on the rise. Whether the attacks are State-based or purely criminal in nature, organisations need to address their ability to both defend against such attacks and respond appropriately when they occur. The impact of a successful breach can have a high cost in the areas of productivity, reputation and the potential for financial losses. A good defensive posture against cyber attacks will make your organisation a harder nut to crack for the attackers.

Read more ...

Conclusion:

Traditional development practices have been supplanted by the DevOps movement over the past decade. The next evolution is the movement towards DevSecOps where security is integrated across the development lifecycle.

DevSecOps is not just a matter of buying the latest tooling and running the developers through some training. It requires commitment, not just from the technology group as a whole but from the business leaders themselves.

It is as transformative a project for an organisation as a move from on-premises to Cloud. Poorly managed or even unplanned DevSecOps can have a negative impact on the development capabilities within an organisation.

Read more ...

The Latest

26 May 2021: Talend, a big data, analytics and integration vendor, has received ISO 27001:2013 and 27701:2019 certifications. According to Talend, it is the only big data/integration vendor with this level of certification.  

Why it’s Important

IBRS has observed that even the most security focused organisations often overlook their big data integration and ETL (extract, transform, load) pipelines when assessing business risk. For example, when Microsoft launched its PROTECTED Azure services in Canberra, many of the Azure analytics capabilities, such as its machine learning services, were excluded from the platform.

The data being ingested into data lakes, be they on-premises or in the Cloud, will include private information on clients, staff or citizens, and possibly sensitive financial data. But more significantly, taken as an aggregate, this information contains patterns and insights that cyber criminals and state actors may leverage for further attacks. Data that is valuable to an organisation when analysed at scale is just as valuable to criminals.

Who’s impacted

  • Business analytics architecture specialists
  • CISO 
  • Security teams

What’s Next?

Start by reviewing the sensitivity of information moving to the data analytics platform. Such information should be reviewed against the organisation's existing data governance and data classification framework.

Next, review the process of how sensitive information is ingested, manipulated, stored and accessed within the organisation’s analytics platform. Be sure to pay attention to ETL processes: both the technologies and processes involved. 

Finally, review the third-party (vendor) supply chain for all platforms and services involved in data analytics.

Related IBRS Advisory

  1. How does your organisation manage cyber supply chain risk?
  2. IBRSiQ: Risk assessment services and the dark web
  3. VENDORiQ: SolarWinds Incident

Read more ...

The Latest

11 May 2021: Jamf is a market leader in Apple iOS device management, with a strong presence in education. It has announced its intention to acquire the zero-trust end-point security vendor Wandera. 

Why it’s Important

Vendors in the device management market have two options for continued growth: add new services and grow horizontally within their market (as VMware has), or specialise in increasingly niche areas. Jamf has remained firmly entrenched in providing Apple device management, so it is a niche (though important) player in device management. Its acquisition of Wandera, hot on the heels of its purchase of Mondada, will broaden its base and help cement its position against the broader players. 

Who’s impacted

  • End user computing/digital workspace teams
  • Security teams

What’s Next?

Globally, the move to working from home saw an uplift in Apple products being connected to enterprise (work) environments. Citing IDC, Jamf reports the penetration of macOS in 2019 was around 17%, increasing to 23% during 2020. In addition, globally 49% of smartphones connecting to work environments remain iOS, though this is slightly lower in Australia, where Android gained a small share in a tight market last year. 

The challenge with supporting a mixed device ecosystem (Windows, Android, macOS, iOS, Chrome) is now more than just securing the end-point; it is securing the entire information ecosystem. VPNs in particular proved difficult to scale and adapt to a myriad of end points. Patching reliably and managing software also becomes significantly more difficult due to differing rates of change, patch cycles and tools needed. 

Jamf’s acquisition of Wandera will not eliminate these challenges completely, but will at least simplify the Apple slice of the situation. 

Related IBRS Advisory

  1. Requirements Check-List for Mobile Device Management Solutions
  2. Embracing security evolution with zero trust networking

Conclusion

Even well-articulated and documented cyber incident response plans can go astray when a cyber incident actually happens. Experience shows the best plans can fail spectacularly. In this special report, IBRS interviews two Australian experts from startups in the field of cyber incident response, and uncovers better practices for keeping your incident response plans real.

Read more ...

Conclusion

Many security incidents are having major impacts on organisations. In too many cases these are left to the information technology teams to handle.

Yet the group most responsible for an organisation’s continued survival and growth is the chief officer (CxO) group. Incident response therefore ultimately resides with this group. In order to develop the ability to handle a major attack on an organisation, it is imperative that the CxO group also become familiar with responding to cyber security events.

This can be done by running tabletop exercises that then become the basis for building more detailed plans around communications, crisis management, and the organisation’s preparedness.

Read more ...

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is on the increase and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces the recovery time from a cyber incident, but it also contributes to lowering the premium for cyber insurance. It is akin to fitting window locks to a house, which lowers insurance premiums in certain circumstances.

Google’s security posture, threat assessment services and incident management services are sufficient to both reduce the frequency of security incidents and lessen their impact. Insurance actuaries see the benefit in such services and have determined there are savings to be made from the lower risk and risk mitigation profiles. 

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

  1. Improving Your Organisation’s Cyber Resilience
  2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
  3. How Does Your Organisation Manage Cyber Supply Chain Risk?
  4. Why You Need a Security Operations Centre

Conclusion:

While some bots may be benign, many are engaged in unscrupulous behaviour, such as stealing valuable commercial data or attempting to obtain access illegitimately. At best, bots are a drain on an organisation's resources, increasing demand on infrastructure and pushing up costs. In the worst case, they represent a significant cyber threat.

IBRS interviewed experts in the field of bot defence: Craig Templeton, CISO and GM Tech Platforms with REA Group and Sam Crowther, developer of the Kasada bot defence platform.

Read more ...

The Latest

9 March 2021: The Australian Defence Department has inked a deal with Fujitsu, Leidos and KBR to overhaul its ageing network and end-user computing environment in a program of work thought to be worth around AU$200 million.

Why it’s Important

Fujitsu is not the first vendor that comes to mind when thinking about end-user computing overhauls. However, in the world of highly secure workplaces, vendors such as Fujitsu and Unisys have unique offerings and experience. Even if not using these vendors’ capabilities, the critical components of the security architecture are worth noting by organisations that need to protect information assets with an increasingly mobile or distributed workforce. 

Who’s impacted

  • End-user computing / digital workspace architects
  • Security teams

What’s Next?

With remote working no longer a choice, but a business continuity issue, organisations need to rethink traditional approaches to securing information assets and people when planning for the next upgrade of end-user computing. Identity management, contextual access control and encryption of information assets are three essential pillars of a modern, secure digital workspace. Building upon these pillars, organisations can look towards zero trust approaches and adopt emerging new techniques for detecting issues and protecting the organisation, such as embodied in products for user, entity and behavioural analytics (UEBA).

Related IBRS Advisory

  1. Architecting identity and access management
  2. Embracing security evolution with zero trust networking
  3. Trends for 2021-2026: No new normal and preparing for the fourth-wave of ICT

Conclusion:

Allowing employees to use personal devices for work purposes comes with a unique security challenge. How can the organisation keep track of so many endpoints and make sure that each one is secure? Organisations need to examine their mobile device management (MDM) capabilities in order to protect the organisation from security breaches as a result of insecure mobile devices.

Read more ...

Conclusion:

As is common in security, a buzzword becomes a product segment which is then flooded with new entrants or even old players with new offerings. A classic case is the detection and response segment. Initially, it was one approach – endpoint detection and response. But as vendors entered the segment they were driven to find differentiation points to stand out from the crowd.

What was a simple segment became one with many new acronyms, new problem definitions and of course a plethora of products. To help understand the basic differentiation of products in this segment this advisory provides a direct and simple definition for each main sector along with points to note about how to select any specific product in the segment.

Read more ...

Conclusion:

The recent SolarWinds security compromise provides a timely reminder that a cyber security compromise from third parties is a clear and present threat. Virtually all organisations utilise third party vendors to provide services, software solutions and to store data. For these reasons, it is essential that all organisations have a third party risk assessment and compliance program as part of a broader cyber security strategy. Given that organisations utilise a multitude of vendors it is impractical to adopt a one-size-fits-all approach to third party risk management. This article provides a pragmatic approach to mitigating this risk.

Read more ...

Conclusion: Cyber attacks are a clear and present threat. Some organisations now have varying degrees of detection, monitoring and response capability in place, while other organisations still rely on their major incident response process to identify and manage cyber security incidents. In these organisations, cyber security operational responsibility is still embedded in traditional ICT operations. Such a siloed approach is suboptimal and presents risks in the effective management of cyber security risk. CIOs and other cyber security professionals should ensure that they have implemented a SOC capability that is appropriate to their organisation.

Read more ...

Conclusion: Credential theft is still one of the prime means of attacking systems. Dictionaries of passwords are readily available (many with millions of passwords). These allow attackers to perform credential stuffing attacks – often successfully.

Eliminating passwords has been difficult in the past. However, the consensus amongst vendors of both software and hardware is to bring to market methods of achieving authentication without passwords. The ubiquity of mobile devices with touch or facial authentication is one prime element.

This is a necessary evolution of authentication.

Read more ...

The Latest

14 December 2020: FireEye announced it had been breached. An extremely comprehensive overview is available from FireEye. This blog post includes timelines, technical recommendations, and IoCs (indicators of compromise). 

FireEye, a company that exists to track and thwart advanced and persistent adversaries, was itself compromised by an advanced and persistent adversary. FireEye was compromised through a product from SolarWinds. 

What now?

There are four main areas worth exploring. 

1) Check your SolarWinds instance(s) 

The FireEye blog post includes instructions for what to look for. Good asset management will be useful in this verification process. One CISO noted they found an unmaintained SolarWinds instance in one of their OT environments. 

A core lesson that many security executives drew from the MobileIron vulnerability (CVE-2020-15505) was that anything an organisation has that is internet facing needs to consistently receive critical patches quickly, even out of cycle. 

This requires not only a process to identify critical patches, but for that process to actually be executed. Citrix, VPNs, staff home routers (see FF no.02), and now MDMs have all been leveraged this year for compromise. Everything is up for grabs, so logically, anything internet facing needs to be aggressively maintained. This relates to patching but also to asset management. 

Further, it's an opportunity to review privilege. Just because a product can do something, doesn't mean it should. Does SolarWinds really need to talk to the Internet? There are technical controls like host firewalls and properly profiled application allow-listing that will significantly frustrate an adversary in this scenario. It’s a great example where a zero trust architecture would make a big difference.

2) Organised crime 

The ACSC has noted that once a vulnerability is disclosed, threat actors can develop an exploit within 48 hours. We've seen this timeline achieved this year, with both F5 and MobileIron vulnerabilities. Now that the advanced and persistent actor has been ejected from FireEye (and hopefully from SolarWinds) it could be a matter of time before organised crime tries to exploit unpatched SolarWinds instances. 

FireEye will recover, and have an even better story to tell. At this early stage it seems that FireEye was the last target compromised by this adversary, and probably compromised for the shortest duration before the adversary was detected and ejected. It sounds like FireEye was targeted as a source for further intel on government agencies.  

I've got no evidence for this, but I wouldn't be surprised if FireEye was the last, trophy, "let's see if we can do this" target. 

3) Supply chain

The critical point about FireEye being breached is that it confirms what industry has been saying for years - "it's not if, it's when". What matters after bang (or 'right of bang') is how the organisation responds, and FireEye is giving a master class on how to respond. But FireEye is only able to do this on the back of years of refining their art. 

However, going left of bang will encourage technology and security executives to look at their supply chain. What other products have access to systems, data and privileges that would be a nightmare if you did not have sole occupancy?

What other software has pervasive access like SolarWinds? What protocols are my service providers following when they use tools like SolarWinds on my environment? We cannot boil the ocean but, as Kevin Mandia said at a CISO Lens gathering in 2016, "protect most what matters most". 

4) Cyber insurance

I've not heard anyone talking about cyber insurance regarding this whole hostile campaign. It seems inevitable that public attribution will end up pointing to a particular nation. If this is the case, many insurers will likely point to exclusion clauses that release them from costs incurred through nation-state activity.

If you have cyber insurance, it may be worth getting a written position from your insurer on whether you could have claimed under your policy had your organisation been compromised in this campaign.

The Latest

10 Nov 2020: CyberArk launches an AI-based Cloud entitlements manager. The solution applies the principles of ‘least privilege’ and ‘zero trust’ to reduce the risk of poorly configured access privileges on the major hyperscale Cloud platforms. CyberArk uses AI to infer the context and intent of each entitlement, from which it derives a risk assessment, recommends appropriate actions and can automate remediation.

Why it’s Important

Poorly configured privileges on Cloud services, storage services in particular, are a major cause of data breaches. This is a significant risk for every organisation that uses Cloud resources. Reviewing and maintaining privileges over resources is problematic even with high levels of automation, because automation only affects the entities it knows about and can only handle well-defined use cases.
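As an added illustration of the kind of check such a tool automates (this is example code written for this note, not CyberArk's product or any IBRS tooling), the script below audits two constructed AWS-S3-style bucket policies: a weak one that grants the world `s3:*`, and a hardened one scoped to a single role with a Deny for non-TLS requests. The account ID, role names, bucket name and the `KNOWN_PRINCIPALS` inventory are made-up assumptions. It also flags principals missing from that inventory, which is exactly the limit described above: an automated review can only reason about identities it has been told exist.

```python
"""Audit bucket policies for over-broad grants (added example; constructed data)."""

# Constructed inventory of identities the organisation knows about (assumption).
KNOWN_PRINCIPALS = {
    "arn:aws:iam::111122223333:role/reporting-app",
    "arn:aws:iam::111122223333:role/backup-job",
}

# Actions that hand over control of the bucket itself; flagged for any principal.
HIGH_RISK_ACTIONS = {"s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:DeleteBucket"}

BUCKET = "arn:aws:s3:::customer-exports"  # constructed bucket name

# Weak policy: anonymous principal, every S3 action, no conditions.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET, f"{BUCKET}/*"],
    }],
}

# Hardened policy: one known role, read-only actions, and a Deny for plain HTTP.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportingReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting-app"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, f"{BUCKET}/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, f"{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ('*' or {'AWS': ...}) into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def _enforces_tls(policy):
    """True if some Deny statement rejects requests made without TLS."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and cond.get("aws:SecureTransport") == "false":
            return True
    return False


def audit_policy(policy):
    """Return human-readable findings; an empty list means no issues found."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        principals = _principals(stmt)
        if "*" in principals and not stmt.get("Condition"):
            findings.append(f"{sid}: anonymous (public) access with no Condition")
        for p in principals:
            if p != "*" and p not in KNOWN_PRINCIPALS:
                findings.append(f"{sid}: principal not in identity inventory: {p}")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*") or action in HIGH_RISK_ACTIONS:
                findings.append(f"{sid}: broad or high-risk action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: applies to every resource (Resource: *)")
    if not _enforces_tls(policy):
        findings.append("policy: no Deny statement rejecting non-TLS requests")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

Running it reports three findings for the weak policy and none for the hardened one. A policy that grants a role absent from `KNOWN_PRINCIPALS` is reported as an inventory gap rather than silently accepted, which is the behaviour to look for when evaluating any entitlement-management product: it should surface what it cannot classify, not just remediate what it already understands.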

Who’s Impacted

  • CISO
  • Cloud Teams

What’s Next?

The use of Machine Learning algorithms to interrogate Cloud services and identify and remediate risks is a welcome addition to Cloud security management. While the efficacy of the CyberArk solution is not yet known, IBRS anticipates that this approach will be beneficial and at least provide an additional ‘check’ over sprawling Cloud environments.

The Latest

To cater for organisations that must keep data in-country, VMware has opened a Sydney-based point of presence (PoP) for Carbon Black Cloud in the AWS Sydney data centre. Carbon Black Cloud is an endpoint security platform that applies behaviour-based analysis to device activity.

Why it’s Important

The market for endpoint security based on behavioural analytics is growing quickly, but it relies on hyperscale Cloud or Cloud-like resources. The paradox is that the risk-averse organisations that would benefit most from this type of endpoint protection are reluctant to let as-a-Service solutions hosted offshore receive sensitive information about their staff's activities. By opening a Sydney-based PoP for Carbon Black Cloud, VMware removes a policy barrier to this type of endpoint security.

Who’s Impacted

  • Desktop / digital workplace leads
  • CISO / security teams

What’s Next?

Carbon Black Cloud is one of a growing list of endpoint security offerings that leverage Cloud computing and AI. This market will grow rapidly as remote and hybrid working become a permanent part of the economy, and rightly so. In principle, IBRS does not see that data geolocation (keeping data domestically) significantly improves an organisation's security stance, though it may satisfy regulatory compliance. Latency, especially for high-volume services, is also a consideration.

In practice, many organisations still need to address legacy policy on information management, so the trend towards vendors setting up local data processing operations will continue.

Related IBRS Advisory

  1. Embracing security evolution with zero trust networking
  2. What is the security agenda for 2019?
  3. When it comes to security, when is enough... enough?

The Latest

10 Nov 2020: Microsoft has announced the general availability of its Data Loss Prevention (DLP) services. They are being rolled out to Office 365 customers with E3 and E5 licensing (see licensing details below). Microsoft also introduced additional DLP features, including:

  • Sensitivity labels for DLP policies
  • Dashboard within Microsoft 365 compliance center to manage DLP alerts 
  • New conditions and exceptions for mail flow rules

Why it’s Important

The rapid introduction of collaboration tools has opened new vectors for data leakage. This was a particular worry of participants in IBRS's recent Teams Governance Peer Roundtable, with 67% of executives reporting data leakage concerns. The common approach to reducing data leakage from products such as Teams is to block sharing and collaboration with external parties. While this does limit data leakage, it also eliminates one of the key benefits of new collaboration tools: the ability to create borderless work environments.
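To show what a content-aware rule buys over blanket blocking of external sharing, here is an added example (written for this note; it is not Microsoft's DLP engine and uses none of its APIs). It scans constructed Teams-style messages for two sensitive information types, an Australian Tax File Number validated with its weighted check digit and a payment card number validated with Luhn, and then decides allow, warn or block depending on whether any recipient sits outside the assumed tenant domain `example.com.au`. The messages, addresses and tenant domain are all constructed.

```python
"""Content-aware leakage check for chat messages (added example; constructed data)."""
import re
from dataclasses import dataclass

TENANT_DOMAIN = "example.com.au"  # assumed tenant domain; anything else is external

# Candidate patterns; every hit is validated before it counts, which is what
# keeps a rule like this from blocking every nine-digit number in a chat.
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class Message:
    sender: str
    recipients: list
    text: str


def tfn_valid(digits):
    """Australian TFN check: weighted digit sum must be divisible by 11."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    if len(digits) != 9:
        return False
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_sensitive(text):
    """Return the labels of validated sensitive information types in text."""
    found = []
    for m in TFN_RE.finditer(text):
        if tfn_valid(re.sub(r"\D", "", m.group())):
            found.append("AU_TFN")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            found.append("CREDIT_CARD")
    return found


def is_external(address):
    """External means any address not in the tenant's own domain."""
    return not address.lower().endswith("@" + TENANT_DOMAIN)


def evaluate(msg):
    """Decide what a DLP rule would do: allow, warn the sender, or block."""
    if not find_sensitive(msg.text):
        return "allow"
    if any(is_external(r) for r in msg.recipients):
        return "block"   # sensitive content leaving the tenant
    return "warn"        # internal: educate, do not obstruct


# Constructed sample chat, standing in for Teams messages with a guest present.
SAMPLE_MESSAGES = [
    Message("ana@example.com.au", ["ben@example.com.au"], "My TFN is 123 456 782"),
    Message("ana@example.com.au", ["guest@partner.example"], "TFN 123 456 782 for the form"),
    Message("ana@example.com.au", ["guest@partner.example"], "ref 123 456 789, not a TFN"),
    Message("ana@example.com.au", ["guest@partner.example"], "card 4111 1111 1111 1111"),
    Message("ana@example.com.au", ["guest@partner.example"], "meeting moved to 10:30"),
]


def run_sample():
    """Evaluate the constructed messages; returns the list of decisions."""
    return [evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, decision in zip(SAMPLE_MESSAGES, run_sample()):
        print(f"{decision:5} -> {m.recipients[0]}: {m.text}")
```

The point of the validation step is precision: the third message carries a nine-digit number that fails the TFN check digit, so it passes to the guest untouched, while the real TFN and the card number are stopped only when an external recipient is present. That is the distinction between a rule that lets guest access stay enabled and a policy that simply switches it off.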

What’s covered

E3 licensing provides DLP for Exchange Online, SharePoint Online and OneDrive. However, organisations will need E5 licensing to access DLP for Teams chat and for devices/endpoints.

Who’s Impacted

Organisations with Office 365 or Microsoft 365 investments. 

  • Desktop / digital workplace lead
  • Office 365 deployment leads / administrators
  • Information management teams
  • CISO

What’s Next?

Microsoft’s general release of DLP, under existing E3 and E5 licensing levels, is a potent step towards addressing collaboration’s woes. While Microsoft’s DLP is not as feature-laden as dedicated competing offerings, it requires no additional budget. In effect, Microsoft is pushing DLP down into the broader market, to organisations that may not previously have considered such solutions. Along with Microsoft Information Protection (MIP), Microsoft DLP should be investigated as a priority feature for Office 365 deployments, especially where Microsoft Teams is deployed with guest access enabled. Policies should be run in test mode first so that false positives are tuned before blocking is switched on.

Conclusion: Security breaches by insiders, whether deliberate or accidental, are on the increase and their consequences can be just as catastrophic as other types of security incidents. Organisations are typically reluctant to disclose insider security breaches and as a result, these breaches receive relatively little media attention. The insider threat may therefore be perceived as being of secondary importance in an organisation’s cyber security program. However, given the consequences, organisations need to ensure that this risk is given sufficient executive attention and resourcing.

Read more ...

Conclusion: Passwords will continue to be part of the landscape for the foreseeable future. Organisations, driven by the concepts of defence in depth, must implement techniques that enhance the security of the authentication process. Both products and processes can be enabled or added to help secure the creation, use and storage of passwords.

Each of the techniques described can be used on its own to strengthen security, and some or all of them can be combined to build it further. Most carry little cost beyond deployment and perhaps training, but their cumulative impact on the robustness of the authentication process is significant.

Read more ...

Conclusion: Cyber incidents and the protection of information have now taken enterprise and national significance. 

Organisations will need to learn to operate securely in a zero trust world. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk into a strategic enterprise risk. For most organisations the risk of compromise is increasing with the acceleration of digital transformation and the adoption of Cloud services, analytics and IoT. The threat landscape is further compounded by increased regulatory and compliance requirements.

A cyber compromise is almost inevitable and organisations are now focusing on improving the resilience of their organisation to a cyber incident. Many organisations now have cyber resilience programs in place which not only protect and defend their key information assets but are also well placed to respond should a cyber incident occur. Our cyber strategy, roadmap and implementation advisory are designed to assist on your cyber resilience journey.

Read more ...

Conclusion: People are and will be using passwords for the foreseeable future despite the numerous efforts underway to dispense with them. Managing them and particularly resetting them are ongoing costs for organisations.

Passwords are also a significant contributor to breaches. They are captured by phishing or other credential-harvesting efforts, leaked in a data breach, or simply too easy to guess.

Yet there are excellent guidelines in existence to assist people to minimise the possibility of passwords being cracked or guessed. Some involve implementing good policies, and most involve making it easier for users to create, remember and use passwords.

Read more ...

Conclusion: Identity and access management is a crucial component of an organisation’s security posture. At its most basic, it is how an organisation determines whether an individual can access resources or not. In today’s world, it is also becoming the basis of how applications first identify then communicate with each other.

Assurance of identity is the cornerstone of managing access to information. An organisation must be confident in that assurance. One method of bolstering the strength of that assurance could be the deployment of multi-factor authentication – at a minimum to privileged users, but ideally to all users of the services and applications whether those users are staff or not.

As organisations move from office-bound networks to distributed workforces combined with Cloud-based Software-as-a-Service (SaaS) applications, identity will evolve to be almost the sole element used to assess and grant access. Identity is certainly a central element of zero trust environments.

Read more ...

Background: The federal government has finally unveiled its cyber security strategy. Australia’s Cyber Security Strategy 2020, released on 6 August, will see $1.67 billion invested over the next decade in a number of already-known initiatives aimed at enhancing Australia's cyber security. IBRS provides its key takeaways from the strategy.

Most of the funding for the Strategy 2020 comes from the $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package announced earlier in the year. Much of the detail of the Strategy will be contained in legislation to be put before parliament.

Read more ...

Conclusion: Ransomware attacks are becoming increasingly common, and Australian organisations have experienced several high-profile incidents in 2020. While the preferred option is to recover from backups, organisations may find that this is not feasible, either because of the scale of the compromise or because the backups themselves are compromised. While the decision to pay a ransom is complex and poses significant risks, it should be explored in parallel with recovery from backup.

Read more ...

Philip Nesci, IBRS adviser and former CIO, has warned that agencies will need to get their information management sorted out to capitalise on the new rules.

‘‘Agencies need to identify their high-value data sets and where they are located.’’ 

Full Story.

Conclusion: Australian financial organisations have been bombarding their suppliers and partners with requests to complete security assessments. If servicing or dealing with financial organisations is part of the operational model for the organisation, this has probably already happened or is about to happen.

Those financial bodies are being driven by Prudential Standard CPS 234 Information Security, issued by the Australian Prudential Regulation Authority (APRA). CPS 234 lays out how an APRA-regulated entity must manage its information security, with particular emphasis on extending that management to third parties that support or supply the entity.

These assessments can be tedious and can expose gaps in the organisation's cyber security maturity. On the other hand, they bring a clear high-level focus on areas that all organisations should either be covering or working towards covering. This makes CPS 234 a valuable reference for senior executives building a cyber security program.

Read more ...

Conclusion: In the current COVID-19-driven environment, video conference calls have become the stuff of life. They are used for school, family, leisure and even work. Daily participant numbers have jumped from tens of millions to more than 300 million worldwide. As is normal in technology, there are a plethora of options to choose from.

One of those, Zoom, made the news repeatedly over April and May, initially because of its popularity and then because security flaws were being discovered. With the flaws seemingly serious, commentators recommended that organisations abandon Zoom, and many did, given the amount of coverage the flaws received.

But the product was and is popular. It is one of the easiest video conferencing products to use; it works well and is simple to deploy. A valid question to ask is whether Zoom is safe to use for business purposes. Taking a realistic view of the flaws, combined with the efforts Zoom has made to correct some of them, leads to the conclusion that Zoom is safe for general business usage.

Read more ...