Hiring – Penetration Tester Roles

LOCATION: Sydney and Melbourne

VISA: Must currently have permission to work full time in Australia
NB: All successful applicants will need to successfully pass criminal history and background checks

SALARY: Dependent upon successful applicant (plus over 6 weeks leave per year).

JOB DESCRIPTION:
Securus Global is currently looking for an experienced web application penetration tester to join our team – based in either Sydney or Melbourne. This is a challenging and varied role with predominantly project-based, hands-on engagements that include, but are not limited to:

  • Web application penetration testing
  • Network vulnerability assessment
  • Application source code review
  • Application reverse engineering


New PCI DSS requirements will come into effect on June 30

The Payment Card Industry Data Security Standard (PCI DSS) is a requirement set down by several of the world’s leading payment card providers for any retailer who processes debit or credit card information.

However, the scope of PCI DSS compliance, and the fact that individual requirements vary depending on the size of a company, can often make it confusing for businesses to understand.

And it may soon become even harder to internally evaluate PCI DSS compliance with new updates coming into effect on June 30.

Retailers will now be required to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities”, according to the security standards council – something which was previously only considered a best practice.

This means that businesses will not only have to be aware of and understand vulnerabilities, they must also be able to rank those vulnerabilities based on the relative risk to their systems.

The importance of having a secure system for managing payment card information has been highlighted in the media lately, with news breaking earlier this week (June 26) that the US Federal Trade Commission has filed a lawsuit against Wyndham Worldwide, accusing the hotel group of not properly securing customer information leading up to the theft of 600,000 payment card accounts.

Rumours emerge of Facebook smartphone project

The smartphone industry is set to become more competitive than ever, with reports emerging that social media giant Facebook is planning to enter the market.

Less than a month after its disappointing initial public offering – which saw a 16.5 per cent decline in stock prices over the first week of trading – the New York Times has released a report speculating that Mark Zuckerberg’s company is hiring former Apple engineers with hopes to design a Facebook smartphone.

Facebook is reportedly optimistic that the phone will be released next year, which will mean further competition for the popular Apple iPhone and Samsung Galaxy products.

With so many smartphones now available, more consumers are likely to begin experimenting with new forms of mobile payment technology.

Forward thinking businesses will need to examine the mobile payment options they offer, while at the same time making sure online retail services are secure and private.

The Payment Card Industry Data Security Standard (PCI DSS) is a required certification for all retailers dealing with credit and debit card transactions and seeks to assure that consumer information is correctly managed.

The PCI Security Standards Council participated in a congressional subcommittee hearing on mobile payment acceptance security in March, where it announced plans to introduce new guidelines for mobile security requirements and encryption technology.

Reaction to the Facebook smartphone has been mixed, with some experts speculating that the company does not have the industry knowledge to correctly design a competitive product.

Others have indicated that the move may be a necessary step in the continued expansion of Zuckerberg’s empire.

Facebook is yet to confirm or deny the reports, instead directing reporters to a statement made last year to technology website AllThingsD, where it claimed to be “working across the entire mobile industry; with operators, hardware manufacturers, OS providers, and application developers.”

Social media monitoring gains popularity as form of vulnerability management

Employees may need to begin taking more care over what they upload to Facebook, with 60 per cent of Australian businesses expected to be formally monitoring online social media by 2015, according to a recent study by Gartner.

However, the Gartner report was quick to note that corporations will need to be wary of the legal and moral pitfalls involved in keeping tabs on employees.

“Surveillance of individuals … can both mitigate and create risk, which must be managed,” said Andrew Walls, research vice-president of Gartner.

The study comes after news reports accused several businesses in the USA of requesting that job applicants submit their Facebook login details as part of the interview process.

Several colleges have also been accused of monitoring the social media activities of potential students.

In a note published on March 24, Facebook’s chief privacy officer, Erin Egan, made it clear that the social networking site does not approve of this practice.

“As a user, you shouldn’t be forced to share your private information and communications just to get a job,” said Egan.

Facebook recently upgraded its Statement of Rights and Responsibilities, making it a violation for individuals or organisations to share or solicit a Facebook password. Egan suggested legal action could be taken against any persons or corporations found to be deliberately violating user privacy.

However, many firms now offer legal forms of social media monitoring, while security organisations are also exploring the format as a way to investigate potential external threats to businesses.

Social media activity can pose a major threat to business security if employees do not understand their obligations under company protocol. Sensitive information which seems harmless at first could result in confidential company details being visible to outsiders.

Cautious businesses should consider improving security measures to prevent such privacy breaches. Vulnerability management assessments provide a high-level risk evaluation to companies and can identify possible pitfalls in security.

While social media tracking services can be beneficial to employers for their ability to recognise and prevent employees from engaging in illegal or immoral activities, care must be taken to avoid the legal landmines involved.

Gartner has asserted that any social network monitoring performed must be purely in the interest of investigating company policy violations. What is concerning, says Gartner, is the potential for employers to use confidential Facebook information to discriminate against employees based on religion or sexual orientation.

“The problem lies in the ability of surveillance tools and methods to produce large volumes of irrelevant information,” said Mr Walls.

“This personal information can be exposed accidentally or become the target of voyeuristic behavior by security staff.”

Announcement – New Partnerships

Securus Global is pleased to announce that we have entered into relationships with the following respected security product providers.

  • Rapid 7 (Vulnerability Assessment and Management)
  • Imperva SecureSphere Data Security Suite (Web Application Firewall)
  • Whitehat Web Application Security (Web Application Automated Scanning Services).

We recognise that our clients will decide at some stage to purchase such products and services, but the value proposition we present as opposed to just a product sales company is that our focus is security, and not a desire to sell you something that is not going to provide value for you. Our clients who are buying these services from Securus Global buy them from us and not from product resellers because they know Securus Global gives them the facts about the limitations of tools, while also assisting our clients in developing better solutions around tools. Nothing is just ‘plug and play.’ Working with us means you’ll get the value from your investment.

These join:

  • QualysGuard Vulnerability and Policy Compliance
  • Tripwire Configuration Audit and Control
  • Immunity Silica and CANVAS exploitation tools
  • CardRecon Credit Card Scanning

Please email us at info@securusglobal.com or call Sydney on 02 92830255 or Melbourne on 03 9620 9209 if you require any information on any of these products.

More information on all of these products is also on our website: http://www.securusglobal.com/products/

Tips for maintaining PCI compliance – ZDNET Article

Recently, at our April Breakfast Briefs in Sydney and Melbourne, Steven Surdich, one of Securus Global’s resident PCI DSS experts and QSAs, gave an address on the importance and trials of maintaining PCI DSS compliance all year round, rather than treating it as a point-in-time exercise when an audit is due.

There are many pragmatic strategies and processes that can be employed, and they need not be difficult or complex if implemented as part of business-as-usual processes rather than as special PCI compliance activities.

Here is a little of what ZDNet had to say:

Too many companies are neglecting to keep up to date with the standards required for accepting electronic payments, even though compliance is easily achieved by following three simple rules, and is not a once-per-year obligation, according to Securus Global senior security consultant Steven Surdich.

Although many companies appear to be having difficulty in doing so, Surdich said it is simple if they follow the three basic rules: controlling changes to the cardholder environment; maintaining oversight of their activities; and simplifying compliance processes.

To read full article: http://www.zdnet.com.au/tips-for-maintaining-pci-compliance-339336453.htm?noredir=1

For more info on PCI Compliance visit the SG Website:

Small Vulnerabilities, Big Business Risk – ZDNET Article

At our February Breakfast Briefs in Sydney and Melbourne, two of our penetration testers and researchers presented to a select crowd on the importance of not overlooking the small vulnerabilities. When undertaking vulnerability assessments and penetration tests, these small, seemingly inconsequential vulnerabilities are often downgraded or accepted, and left to be exploited by hackers who are highly adept at finding, collecting and holding onto such vulnerabilities for future reference, to be used together to compromise an organisation.

Here is a little of an article on the presentation from ZDNET.

At Securus Global’s February security briefing, a pair of security researchers demonstrated how businesses accepting small security risks may be leaving the door open to hackers who have realised that chaining small vulnerabilities together represents an easy way to destroy companies.

The researchers stated that organisations tended to look at each vulnerability separately from other vulnerabilities, when the real issue was how these could be used in conjunction with each other to become potentially more dangerous. They then went on to demonstrate how a number of organisations they had previously worked with had fallen into the trap of considering threats to their business in isolation.

To read more: http://www.zdnet.com.au/are-small-vulnerabilities-the-real-enemy-339332377.htm

Securus Global’s Consulting Services

Welcome to the SG Blog

Welcome to the SG Blog, where the Management, Technical and Compliance Teams will be sharing their thoughts and opinions.

We hope that you enjoy their contributions and foster discussion with your own contributions.

Drazen Drazic
Managing Director