Presentation Slides now Available

Securus Global has a strong team recognised locally and abroad as specialists in their fields and respected by their peers. Our staff are regularly sought after to present and provide their opinion as experts to industry, media, education and our clients.

If you would like to view the latest presentation slides, which are now available on our website, please see below:

  • Industry Security Briefing – ‘SDL What’ – War stories and tips for securing your SDLC. Presentation Slides.
  • AISA Brisbane Conference – Social Engineering Risks and Tactics. Presentation Slides.
  • Industry Security Briefing – ‘PCI DSS Staying Compliant – Lessons From The Field’. Presentation Slides.

AFP issues young people with warnings for cybercrime activities

Cybercrime is no longer solely the domain of professional criminals. Today, many teenagers and young adults have access to complex technological equipment which can be exploited for criminal purposes.

That is why constant vigilance through penetration testing or ethical hacking assessment is so important in ensuring that businesses keep private information safe and secure at all times.

Yesterday (June 26), the Australian Federal Police (AFP) released information on an operation that saw six young people issued with warning notices for suspicion of cybercriminal activities.

Earlier this month officers attended residences in Brisbane, Sydney and Perth in order to educate both the suspects and their guardians on the risk of such behaviour.

“Activities such as hacking, creating or propagating malicious viruses or participating in DDoS attacks are not harmless fun,” said the national manager of high tech crime operations Neil Gaughan.

“They can result in serious long-term consequences, such as criminal convictions and perhaps jail time.”

However Mr Gaughan added that no arrests had been made, and that the operation was purely intended as a deterrence measure to help educate the community while preventing any further illicit behaviour from taking place.

“These activities are just part of the on-going commitment by law enforcement to deter cyber criminals,” Mr Gaughan added.

Serious cases of cybercrime being perpetrated by young people are becoming more common in the media. Earlier this month, Essex police indicted a 19-year-old man on suspicion of violating the Computer Misuse Act and the Criminal Law Act 1977.

Ryan Cleary was accused of developing and maintaining a large botnet which was used to conduct DDoS attacks as part of the LulzSec hacking group.

According to the AFP, hacking and other computer related cybercrime offences can carry a maximum penalty of up to ten years in prison.

The AFP encourages Australians to use the internet and other technology safely in order to ensure they stay safe from cybercrime.

PCI DSS best way to prevent hacking incidents

Federal agents in the US have confirmed a massive sting operation aimed at hackers and cybercriminals has led to the arrest of 24 individuals.

“Clever computer criminals operating behind the supposed veil of the Internet are still subject to the long arm of the law,” said Manhattan US attorney Preet Bharara.

The investigation stretched over two years and involved FBI agents going undercover on internet forums to pose as fellow hackers. All the men arrested were aged between 18 and 25 and could face up to 40 years in prison.

While the news is a positive breakthrough in preventing future cybercrime, businesses should not rest on their laurels when it comes to ensuring the security of user data.

The men arrested were found to be exchanging stolen credit card details, as well as trading information on the best way to access secure databases.

Payment Card Industry Data Security Standard (PCI DSS) compliance remains the best way to ensure your company is meeting its responsibilities when it comes to handling debit and credit card information.

US authorities in New York have reported that the investigation prevented upwards of US$205 million in possible losses.

Almost half of the 24 men were arrested in the US, while the rest came from a range of countries including Australia, Reuters are reporting.

Importance of PCI DSS compliance highlighted in Wyndham lawsuit

The US Federal Trade Commission (FTC) has filed a lawsuit against Wyndham Worldwide, accusing the hospitality company of failing to adhere to suitable security protocols – failures which led to the theft of 619,000 payment card accounts.

“Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorised access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years,” reads the lawsuit, which was filed June 26 (local time) in Arizona.

“Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”

The news is further evidence of the importance of Payment Card Industry Data Security Standard (PCI DSS) compliance, and for businesses to ensure that they are taking the measures necessary to protect user data.

The FTC claims that Wyndham Worldwide’s security practices led to unnecessary exposure of customer details to unauthorised access and theft.

Payment card information stored on Wyndham databases was kept in clear, readable text, while account passwords were overly simplistic and easy to guess, according to the FTC.

Hackers first gained access to the Wyndham computer network in April 2008 after compromising an administrator account by using a brute force attack.

They then installed memory-scraping malware on the server, allowing them to steal payment card information from over 500,000 hotel guests.

The FTC goes on to say that even after this incident, Wyndham Worldwide failed to integrate proper security measures.

Hackers were then able to gain access to private information in May 2009, and again towards the end of that year, stealing the details of a further 119,000 credit cards.

Wyndham Worldwide has denied the charges and has claimed to have made significant security improvements since the incidents.

“We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company,” reads a statement from Wyndham released to online security website CNET.

“In a time when cyberattacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide.”

New PCI DSS requirements will come into effect on June 30

The Payment Card Industry Data Security Standard (PCI DSS) is a requirement set down by several of the world’s leading payment card providers for any retailer who processes debit or credit card information.

However the scope of PCI DSS compliance, and the fact that individual requirements vary depending on the size of a company, can often make it confusing for businesses to understand.

And it may soon become even harder to internally evaluate PCI DSS compliance with new updates coming into effect on June 30.

Retailers will now be required to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities”, according to the security standards council – something which was previously only considered a best practice.

This means that businesses will not only have to be aware of and understand vulnerabilities, they must also be able to rank those vulnerabilities based on the relative risk to their systems.
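One way to implement such a ranking process, as an added example that is not from this page or from the PCI Security Standards Council: it starts from the NVD CVSS v2 severity bands and escalates the rank for systems inside the cardholder data environment or facing the internet. The escalation rule, the rank names and the sample findings are assumptions constructed for illustration.

```python
"""Assign a risk rank to newly discovered vulnerabilities (added example).

Assumed scheme: start from the NVD CVSS v2 severity bands, then raise the
rank one step for each exposure factor (system in the cardholder data
environment, system reachable from the internet). PCI DSS requires a
documented, consistently applied process; it does not prescribe this one.
"""
from dataclasses import dataclass

RANKS = ["low", "medium", "high", "critical"]  # assumed ordering, lowest first


@dataclass
class Vulnerability:
    vuln_id: str           # identifier from the scanner or advisory
    cvss_base: float       # CVSS v2 base score, 0.0 to 10.0
    in_cde: bool           # host stores, processes or transmits card data
    internet_facing: bool  # host reachable from untrusted networks


def base_rank(cvss_base: float) -> str:
    """Map a CVSS v2 base score to the NVD severity band."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "high"
    if cvss_base >= 4.0:
        return "medium"
    return "low"


def risk_rank(v: Vulnerability) -> str:
    """Combine the severity band with exposure to give the final rank."""
    idx = RANKS.index(base_rank(v.cvss_base))
    # Assumed escalation: each exposure factor bumps the rank one step,
    # capped at the top of the scale.
    idx += int(v.in_cde) + int(v.internet_facing)
    return RANKS[min(idx, len(RANKS) - 1)]


def rank_queue(vulns):
    """Return (vuln_id, rank) pairs, highest risk first, ties broken by CVSS."""
    ordered = sorted(vulns,
                     key=lambda v: (RANKS.index(risk_rank(v)), v.cvss_base),
                     reverse=True)
    return [(v.vuln_id, risk_rank(v)) for v in ordered]


# Constructed sample findings; the identifiers are placeholders, not real advisories.
SAMPLE = [
    Vulnerability("VULN-A", 9.3, in_cde=True, internet_facing=True),
    Vulnerability("VULN-B", 5.0, in_cde=True, internet_facing=False),
    Vulnerability("VULN-C", 2.1, in_cde=False, internet_facing=False),
    Vulnerability("VULN-D", 7.5, in_cde=False, internet_facing=False),
]

if __name__ == "__main__":
    for vuln_id, rank in rank_queue(SAMPLE):
        print(f"{vuln_id}: {rank}")
```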

The importance of having a secure system for managing payment card information has been highlighted in the media lately, with news breaking earlier this week (June 26) that the US Federal Trade Commission has filed a lawsuit against Wyndham Worldwide, accusing the hotel group of not properly securing customer information leading up to the theft of 600,000 payment card accounts.

State of Information: Annual Report – Are you publishing one?

Updated from Beast or Buddha (August, 2010).

As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check off what you are actually doing now, versus what the original role description stated the role would/should be?

I know, talking with many people out there, that this is one of their biggest issues in their role today – either the role not being as it was promoted/advertised and/or you not having the support to perform the role you were hired to do.

It’s made cynics of so many people in our industry and in a weird way, has also kept people, albeit unhappy, in organisations longer, given the fact that there’s a belief that wherever security people go, it will be much of the same… so at least, “better the devil you know”. Many in our industry have a continual battle trying to do their job and fighting every step of the way for even small gains. It’s always been like this.

Google data shows value of penetration testing and regular security audits

Alongside penetration testing and regular security audits, ensuring safe online browsing practices can be one of the best ways to ensure your business remains protected from external threats.

A new blog post published June 19, from Google principal software engineer Niels Provos, has confirmed just how many malicious websites are out there and posing a danger to internet users.

“We protect 600 million users through built-in protection for Chrome, Firefox, and Safari, where we show several million warnings every day to Internet users,” writes Provos.

“We find about 9,500 new malicious websites every day. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing.”

The new information has been released to commemorate the five year anniversary of Google’s Safe Browsing effort, which is an initiative aimed at ensuring users remain safe while using the internet.

Malicious websites are often used as a way of spreading information-stealing malware software, which can allow cybercriminals to externally access private information, disrupt computer operations or track user activity online.

Google suggests that users who want to protect themselves from online threats pay attention to any official warning messages that pop up.

Furthermore, by selecting the check box that appears on the red warning page, people can assist Google by submitting information on potentially dangerous or unscrupulous websites.

Businesses concerned about the danger of online malware and viruses spreading onto company servers will want to ensure they are running up to date anti-virus software and regularly reviewing vulnerability management reports.

“The threat landscape changes rapidly. Our adversaries are highly motivated by making money from unsuspecting victims, and at great cost to everyone involved,” writes Provos.

However Google has moved to reassure people that it will continue to invest in safe browsing and maintaining internet security in order to deal with evolving cybercrime technology.

Businesses must ensure PCI DSS compliance in age of online retail shopping

As technology evolves, consumers are being provided with more tools than ever before with which to meet their shopping needs.

While this offers an exciting new frontier for innovative retailers, it is worth considering the importance of consumer safety and Payment Card Industry Data Security Standard (PCI DSS) compliance during this time.

The IBM Center for Applied Insights has just released a new study into the modern world of digital retail, titled The Value of a Smarter Shopping Experience, and the results are an indication of just how enormous the potential for online business success is.

"To win in today’s increasingly competitive marketplace, it is imperative for retailers to understand how consumers engage with their brand across all possible points of interaction," reads the document.

"No longer is a one-size-fits-all approach good enough, as today’s smarter consumers demand that retailers meet their unique needs and timeframes."

According to the International Telecommunications Union (ITU), there are now 5.9 billion mobile-cellular subscriptions worldwide – that's global penetration of 87 per cent.

Furthermore, the ITU states that one-third of the 1.8 billion households worldwide now have internet access.

In order to fully capitalise on this market, IBM suggests that retailers deliver an engaging, timely and consistently aware online shopping experience for users.

However it is important to note that any business which accepts credit or debit card payments, whether it be online or in a traditional bricks and mortar environment, needs to ensure that it is up to date with PCI DSS compliance.

This standard guarantees that retailers are fulfilling their obligations when it comes to protecting customer information, in order to ensure any potential for cybercrime or information theft is minimised.

IBM asserts that five key competencies are required for retailers to realise the rewards of investment in a smarter shopping experience – integrated information, prescriptive insight, precision marketing, relevant experience and continuous dialogue.

Web Application Security Tester Role(s)

TITLE: Security Consultant

LOCATION: Melbourne, Australia

RELOCATION/VISA: Need to have a relevant visa. All Securus Global successful applicants undergo a police/background check

SALARY: Dependent upon successful applicant (plus over 6 weeks annual leave per year).

JOB DESCRIPTION:

Securus Global is currently looking for expressions of interest from web application security experts to join our team – based in Melbourne. This is a challenging and varied role with predominantly project-based, hands-on engagements that include:

– Web application penetration testing
– Web Application source code analysis
– Researching new vulnerability types and technologies

KEY REQUIREMENTS:

The following are the key mandatory skill and experience requirements for the role. Only serious applicants who can fulfil these selection criteria should apply:

– A passion for Information Security (you actively follow and/or participate in the industry)
– Good coding skills with knowledge of either python or ruby
– Knowledge of common web application programming languages (e.g. ASP, ASPX, PHP, etc.)
– Excellent communication skills (oral and written)
– Self motivated and an ability to meet deadlines
– An ability to work unsupervised and in a team environment
– High personal standards and expectations of quality and high results
– High personal ethical standards for confidentiality and integrity
– Permanent Australian residency or longer term work visa.
 
Securus Global is a small, dynamic organisation that requires each and every person to step up to the plate. We have a strong reputation for excellence in delivery and expect quality in all we do. You will not be able to get lost in the crowd here and you will have opportunities for growth that are only limited by yourself.

Send your application in text file format to: jobs at securusglobal dot com

Increasing popularity of BYOD a security risk, study confirms

Handheld devices such as tablet computers and smartphones are revolutionising the way modern offices do business. However these gadgets can bring with them a variety of risks for anyone who fails to ensure the security of their company.

Network security company Fortinet has released the results of a recent survey into the popularity of these new forms of technology and the growing population of Bring Your Own Device (BYOD) users.

The firm surveyed 3,872 university graduates from 15 different countries – all in their 20s and in full time employment – who owned their own smartphone, tablet or laptop computer.

It found that while 42 per cent of respondents understood the increased risk of data loss and exposure to security threats that comes with BYOD, 36 per cent admitted that they would still take the chance of bringing such devices into work even if corporate policy forbade them to do so.

Furthermore, 30 per cent of those surveyed admitted that they would be willing to use non-approved applications in the workplace.

“The survey clearly reveals the great challenge faced by organisations to reconcile security and BYOD,” said Fortinet’s international vice-president of international sales and support Patrice Perche.

“Within such an environment, organisations must regain control of their IT infrastructure by strongly securing both inbound and outbound access to the corporate network.”

If you are concerned about the risk that BYOD brings to your workplace, it may be worthwhile to consider a Due Diligence Assessment in order to fully assess any threats and compliance gaps in your system.

Due Diligence Assessments provide you with the means to evaluate whether your business is fully protected against the latest security risks, and equip you with the information necessary to ensure that you remain protected in the future.

Microsoft recently announced that it would be entering the tablet market with the release of the Surface, a move that is sure to bolster the popularity of BYOD even further.