The PRWIRE Press Releases https:// 2016-08-09T02:28:03Z The Most Common Pitfalls in PCI Compliance 2016-08-09T02:28:03Z the-most-common-pitfalls-in-pci-compliance A person trying to lead a healthy lifestyle, who eats right, exercises regularly and gets enough sleep, should expect their body to respond in a positive manner. However, just like companies who are doing their best to keep customer data safe, and hackers at bay, the person can find himself with a health issue that is not apparent at first, but if left untreated could lead to severe consequences. Since 2004, PCI Compliance has been the international standard major card companies enforce on their merchants, in an attempt to protect both themselves and the end customers. Made up of 12 main requirements, the PCI Data Security Standard (PCI DSS) is the industries ‘health check-up’ to find any missing key aspects that could affect the safety of the cardholder data. The consequences of not being PCI compliant can be catastrophic for a business, resulting in fines for the loss of private data, liability for fraud losses incurred against exploited cards, as well as the operational costs associated with replacing the accounts. Furthermore, the damage to the business’ reputation and own internal costs associated with the breach, can take years to fix. So if PCI Compliance is for the ‘greater good’, why do so many companies fail to meet compliance? One of the main themes we have discovered throughout the years of performing PCI Compliance audits for clients, is companies often treat PCI Compliance as a single event and not as an ongoing process. Businesses attempt to cram all the necessary requirements into only a couple of weeks, instead of attending to their security on a daily, weekly, monthly and quarterly, as certain PCI requirements demand. Furthermore, keeping up with updated versions of the PCI DSS is imperative as new versions often include new requirements that will need to be planned for in advance. For example the new PCI DSS V3.2 released in April 2016, now requires companies to perform Penetration Testing every 6 months, instead of the usual 12, in response to the increasing risks cardholder data environments face.   The most common technical and procedural pitfalls companies meet can be easily sorted under the PCI control objectives:   Build and maintain a secure network Companies can invest heavily in hardware and software for cyber security, however something as simple as a misconfigured firewall or weak password, could be the crack through which a cyber criminal slips through. Protect cardholder data Protecting cardholder data is the ultimate goal of PCI Compliance. However, if recent events such as the Target breach in 2014, have proved anything it is that businesses are still failing to properly encrypt customer data, both while in transit and on servers. PCI DSS requires the use of strong levels of encryption, because a complex decryption protocol or method can usually be enough to make the cardholder data useless to cyber criminals who do not have the decryption key. Also, businesses that do not have good network architecture can find PCI DSS more complicated that it needs to be. A main pitfall in this area is lack of correct encryption, but even more so the unnecessary access to cardholder data. This includes not properly segregating customer data from personal company servers via network segmentation, which not only gives hackers more access to roam, but also increases the cost of PCI Compliance as the scope will need to include everything that touches the cardholder data.   Maintain a vulnerability management program Regular patching of software is not just good practice but one of the requirements of PCI compliance, unfortunately, it is something that gets over looked due to its simplicity. Businesses should remember that if it effects the cardholder data, then it is part of the scope and needs to be patched! Implement strong access control measures Privileged user abuse is still one of the main internal and external risks to cyber security. Businesses are have bad habits when it comes to restricting access to data. As much as businesses should value and trust their employees, they shouldn’t freely give nonessential team members access, both digitally or physically. Regularly monitor and test networks As mentioned previously, regular testing such as Pen Tests and Vulnerability Assessments are both required to be done frequently and on all network elements that concern cardholder data. These tests need to be performed by either an external 3rd party, or a certified internal member who is not part of the PCI assessment (to ensure partiality). These tests require both time and resources to plan and execute, and often result in a range of identified vulnerabilities that need to be fixed before PCI Compliance. Maintain an information security policy Those who do not plan, plan to fail – companies that are not serious about their security will ultimately find themselves stuck due to poor planning for the future. Security policies are like a medical chart – they are individual to each company and require thorough planning and development by people with intimate knowledge of the company’s internal systems as well as its weaknesses.   If you find that this process sounds too complicated for your IT team to carry alone, there are many options available from PCI Compliant software (PA-DSS) to expert PCI Compliance auditors who can help you plan, test, access and gain your PCI compliance. Dangers of Ransomware – 7 Most Effective Ways to Safeguard Your Organisation 2016-08-09T02:25:11Z dangers-of-ransomware-7-most-effective-ways-to-safeguard-your-organisation This year we are seeing an unprecedented increase in ransomware attacks on businesses and organisations of all sizes, from universities, hospitals and utility companies to police stations and medical centres. A rather alarming trend, considering that according to Ponemon Institute’s 2016 State of Endpoint Report, most organisations are not prepared to deal with this threat. While ransomware is not a new concept, in fact it goes back almost 30 years, cybercriminals have used the emergence of bitcoin, increasingly sophisticated encryption, and lack of vigilance by businesses and institutions to turn ransomware into today’s cash cow.   1. What is Ransomware? Essentially, ransomware is a form of data-kidnapping malware that encrypts a victim’s data with the intention to extort payment. It is constantly evolving, with new malware families emerging nearly every week. The sheer size of possible threats, coupled with the constant development of new variants and continuous improvements made to the code and attack vectors, ensure that criminals always stay two steps ahead. This means, that in many cases, once ransomware infects a computer, the encryption is rather impossible to break, leaving the victim with two painful choices: pay the attacker for decryption of the data or face losing it. At the moment, all popular operating systems are being targeted by ransomware, including Windows, Mac OS X, Linux, and Android. Regardless of the ransomware family involved, attacks are carried out in a similar manner each time. The malware is spread via email attachments, exploit kits, infected programs and even compromised websites. These methods of infection are effective because they work on people, with 81% of respondents in a recent study agreeing that employees were the biggest threat to security, it’s not hard to see why cyber criminals choose to exploit the human factor.   2. 2016 – Year of the Ransomware The increased attacks on corporate entities and other institutions are actually not that surprising, considering the significantly more severe consequences of losing corporate data than consumer data, and subsequently increased likelihood of potential payout. What is surprising, is that these entities are so ill prepared. According to a recent study, 56 percent of companies surveyed said they are not ready to fend off ransomware attacks, and just 38 percent said they have a strategy to deal with destructive software. These numbers seem like a fairly accurate representation, considering the number of reported ransomware attacks every month. In February, the Hollywood Presbyterian Medical Center in Los Angeles and several police departments in the US, had to pay ransom after falling prey to ransomware attacks. In March, MedStar Health, a network of 10 hospitals in Washington D.C. and Maryland, and a hospital in Kentucky were hit with similar attacks. More recently in April, a water and electricity utility in the US State of Michigan has needed a week to recover from a ransomware attack that happened after an employee opened an email with a malicious attachment. From reading of these incidents, one may assume that the US companies are particularly negligent when it comes to cyber security compared to Australian organisations. The fact is, that unlike Australia, which is lagging behind the rest of the developed world, mandatory data security breach notification laws have been enacted in most U.S. states since 2003. “Mandatory data security breach notification laws have been enacted in most U.S. states since 20 At present, Australian organisations enjoy a measure of anonymity without being legally bound to report security breaches, something that may change if the mandatory data breach reporting legislation is passed in the near future. In truth, Australia and the Asia Pacific region make a relatively easy target for cyber criminals due to lack of awareness at all levels of security, underinvestment in security, and skill shortages. 3. How Can Companies Protect Themselves from Ransomware? While companies are discouraged to pay the ransom, depending on the criticality of the asset and effect of its loss on a business’ viability, many enterprises may not have a choice. Organisations like hospitals store vital patient data, the loss of which may result not just in financial difficulty or loss of reputation, but rather risk to patients’ lives. To successfully combat ransomware, organisations should employ a layered approach, as no single solution will be effective on its own. It is important to have sufficient controls and recovery processes in place to render a hostage situation merely an inconvenience and not a critical business threat. 1. Back up Daily back up of all critical data is the most important step as insurance against worst-case scenarios involving not only ransomware attacks and a myriad of other cyber security issues, but also natural disasters, such as floods and fires. At a minimum, two backup copies should be maintained – one to enable on-site recovery and a second copy for vaulting to a secure off-site facility 2. Whitelisting Whitelisting may also help reduce risk as it prevents malicious software and unapproved programs from running on an organisation’s network. This option may be less appropriate for users like developers, but the average office worker is protected by having access only to known safe files. 3. Anti-virus and Firewalls Maintaining up-to-date anti-virus and anti-malware capabilities, as well as appropriate firewall configurations is just good practice, especially as some malware variants tend to terminate themselves if anti-malware software is present on the compromised machine. 4. Software and Systems Patches A large percentage of attacks target vulnerable applications and operating systems, therefore keeping the operating system and software up-to-date with the latest patches is crucial. 5. Network segmentation and user permissions Network segmentation is an important step in ensuring that any infection or security breach is contained, thereby limiting the impact of ransomware on the organisation. To further lower the risk of infection, restrict user permissions for installing and running unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Doing so may prevent malware from running or limit its capability to spread through the network. 6. Education and awareness Because staff are often the cause of ransomware infections, user education could go a long way to improving a company’s resilience to ransomware. However, while it is important that staff understand the spiel on malicious attachments, suspicious links, etc., carrying out random pen tests, with a social engineering component to imitate ransomware attacks, can not only test if the employees are doing the right thing, but also motivate staff to be more vigilant in the future. 7. Email Security and macros Disabling macros and ensuring users can’t switch them back on, as well as adopting an email security gateway to effectively thwart emails that contain malicious URLs, may be an effective strategy as it cuts out the human factor, reducing the risk of that one user getting a twitchy finger and rendering the above security precautions futile. What On Earth is Managed Security Services (MSS)? – INFOGRAPHIC 2016-08-09T02:18:04Z what-on-earth-is-managed-security-services-mss-infographic When it comes to IT Security every company has options. One-off testing such as Pen Tests for identifying vulnerabilities, software and hardware for firewalls and endpoint protection. Or Managed Security Services. This outsourced service can literally take over an organisation’s whole IT security initiative, working as an extended arm of the IT team but focusing solely on protecting the business, finally giving the internal IT team the necessary time to focus on day to day duties. This infographic shows what most businesses can expect from their Managed Security Service Provider (MSSP).    Cybernetic Global Intelligence to present at IMCA alongside Microsoft 2016-02-11T07:50:44Z cybernetic-global-intelligence-to-present-at-imca-alongside-microsoft Ravin Prasad, CEO of Cybernetic Global Intelligence will be speaking at the International Marine Contractors Association in Singapore on the 21st of January 2016. Covering the topic of Cyber Security in the Maritime Industry, alongside a panel of other IT experts from companies such as Microsoft and eVantage, Mr Prasad will be focusing on the tools and services available to Maritime companies to better protect their shipping data and SCADA systems. “The Maritime industry is entering the age of cybercrime,” stated Mr Ravin Prasad, “Companies today have to protect not only their physical goods but also their critical data. Cyber criminals would love to get their hands on shipping manifests or access to critical systems like those used in sea mining, it’s just a matter of what the cyber criminals angle is”.  Cybernetic Global Intelligence specialises in IT Security services such as Managed Security Services and Penetration Testing which can be extremely beneficial to Maritime companies who need in-depth knowledge on where their security gaps are and protection against cyber threats. Managed Security Services 2016-02-11T03:12:18Z managed-security-services As global cyber attacks mount and escalate in severity, companies are trying their best to just keep their heads above water. As is becoming more and more evident however, staying ahead of the curve when it comes to protecting a business against breaches may seem like an insurmountable task. With 61 percent of surveyed Australian and New Zealand companies expecting an attack on their organisation this year, it is often not a question of “if” a company will be breached but “when” and to “what degree of damage”? While cyber criminals definitely do not make things any easier, a number of related factors often contribute to poor performance of most well-known companies when it comes to their cyber security. These factors are also the reasons why putting your company’s security into the hands of a MSSP might be the best decision you will make this year. When it comes to dealing with cyber threats, companies large and small face shortages of qualified and capable staff, limited budgets and inability to effectively thwart threats. 1. Supplement or expand necessary skills Hiring, training and retaining qualified in-house security experts can be a costly and time- consuming procedure. A recent report suggests that it takes around 6 months to fill 32 percent of open IT security positions, and more than 35 percent of organizations are unable to fill open security jobs at all. These numbers are only expected to get worse, with an expected shortage over the next few years of 2 million cyber security jobs worldwide. In addition, according to the “State of Cybersecurity: Implications for 2015” study, fewer than 25 percent ofcybersecurity applicants are qualified to perform the skills necessary for the job, and the most important qualification of hands-on experience is extremely lacking. Due to these chronic shortages many basic security tasks are deferred and overlooked, resulting in only 43 percent of Australian and NZ surveyed companies being ‘prepared’ for an attack. Even if you believe your company’s in-house security team is up to scratch, what happens when everyone goes home for the night? A MSSP can handle security tasks such as 24/7 monitoring, manage your security devices; update security policies; manage your network, application, web and email security; and much more. A well chosen MSSP can help deliver breadth and depth to your security coverage, address compliance requirements and ensure that your company’s security needs are met now and into the future.   2. Make the most of your Security Budget Implementing the right security measures and maintaining a strong security posture can be very costly. And while security budgets continue to slowly rise in an effort to meet the increasing cyber challenges, by the time most security teams feel the effects of increased funding and find the staff to fill necessary gaps, it will be too late. A recent survey of more than 1,000 security professionals surveyed indicated that 54 percentbelieve that they need to double their IT security staffing, and 24 percent believe they need four times as many security professionals to cope with everyday threats. While throwing security staff at a problem may seem like a bright idea, considering that an average salary for a qualified security expert in Australia is around $146,500, security budgets of most companies will not stretch far enough to allow it. Employing the services of a MSSP can help you eliminate the costs involved in recruitment and training of additional security experts; eliminate the need of large upfront costs associated with developing in-house security operations centre – necessary for rapid detection and response to security breaches; and allow you to take advantage of industry best practices and economies of scale.   3. Improve your Security Posture  According to Eddie Schwartz, the international vice president of ISACA, the attempt of organisations to manage cybersecurity on their own is equivalent to “a bunch of small countries trying to fight a superpower in terms of organised criminals and nation-states; there’s just no hope”. While that may seem like a bleak outlook, it has proven to be accurate over the last few years, as even the largest companies all over the world are finding it hard to tackle the hurdle presented by advanced cyber threats. By switching to a MSSP your company can forgo all the aspects of insufficient capacity that may negatively impact your security outcomes. A MSSPs advanced experience, greater specialisation and increased proficiency when it comes to providing enterprise-wide protection, can help your organisation strengthen its defences and respond to new threats as they emerge 24 hours a day, 7 days a week, 365 days a year.     Penetration Test vs Vulnerability Assessment 2016-02-04T05:12:13Z penetration-test-vs-vulnerability-assessment Conducting a vulnerability assessment of your organisation’s security posture and calling it a day is like exploring your house for possible entry points that burglars might use, getting a handyman to beef up the security by installing new locks and security screens, only to then have your new neighbours make off with the house silver and your wife’s pearls after a cup of tea. In other words, knowing vulnerabilities in your network only solves half the problem. Knowing how these vulnerabilities may be exploited by cyber criminals and how much damage they might cause gives you the complete picture and allows you to develop a truly resilient security posture. A test by any other name… The problem is that while being worlds apart, Vulnerability Assessments (VA) are frequently confused withPenetration Tests (pen tests for short). The terms are often incorrectly used interchangeably, and some security companies market vulnerability scans as pen tests, further adding to the confusion that results in wasted resources for many organisations. Knowing the difference between two of these services is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network. So what exactly is the difference between the two? Well, a vulnerability assessment is an in-depth evaluation of your information security posture which seeks to identify and quantify cyber security vulnerabilities in your organisation. This is done by using an off-the-shelf software package, such as Nessus or OpenVAS to scan an IP address or range of IP addresses for known vulnerabilities. A report is then produced by the software that lists discovered vulnerabilities and (depending on the software and options selected) will give an indication of the severity of the vulnerability and basic remediation steps. There’s more to the story. Now, a pen test is a completely different kettle of fish. It actively simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organisation. As an example, let’s say a website is vulnerable to Heartbleed. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is actually being penetrated, just like a hacker would do. During a pen test, a pen tester may use the output of a vulnerability scan to exploit a discovered vulnerability in order to determine the possible amount of damage to an organisation if this weakness is compromised by a real attack. Alternatively, depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. Penetration tests can be carried out on IP address ranges, individual applications, or even as little information as a company name. The level of access you give an attacker depends on what you are trying to test. So what SHOULD you be doing? The bottom line is that penetration tests alone will only give you a snapshot of your security program’s effectiveness. Similarly, when performed on their own, vulnerability assessments and employed scans may produce a number of false positives and discover only those vulnerabilities that the security community, hackers and software vendors are already familiar with. In a rapidly evolving threatscape, those vulnerabilities that are unknown to the public at large will not be identified by these scans. This is where a good pen tester, with out-of-the box thinking comes in. Most organisations should start with a vulnerability assessment, act on its results to the best of their abilities and then have a penetration test performed. Utilising vulnerability assessments and penetration testing together provides enterprises with a more comprehensive security evaluation than any single test alone. Using the combined approach gives an organisation a more detailed view of the threats facing its applications and networks, enabling the business to better protect its systems and data from malicious attacks. What to know more on how a Penetration Test or Vulnerability Assessment can help your company’s cyber security?Get In Touch today for a chat with one of our security experts and we’ll help you find the right solution. Cyber Security Trends 2016 – Infographic 2015-12-04T05:26:17Z cyber-security-trends-2016-infographic-1 As 2015 comes to a close, it’s time to look to the future of cyber security in the new year. We have gathered together the puzzle pieces and mapped out what we believe the cyber threatscape will look like in 2016. Get ready for more successful extortion schemes and new gen device failures. Will our predictions be right? Only time will tell!     Cyber insurance – a band-aid for a bullet hole? The devil is in the details. 2015-12-04T05:17:39Z cyber-insurance-a-band-aid-for-a-bullet-hole-the-devil-is-in-the-details Security breaches do not make for pleasant conversation topics, especially if your company has had to deal with one firsthand. Sadly, it often takes a breach to wholly comprehend the severity of the problem, and it comes as no surprise that sixty percent of small businesses close their doors within half a year of being victimised by cybercrime. In response to the string of high-profile hacks and data breaches over the last couple of years, many companies have been in a rush to purchase cyber insurance to protect themselves from losses suffered due to data breaches and the costs of managing the ensuing crisis.   A useful tool in your toolbox While not the answer to every problem, the right policy does have the potential to help with a myriad of costs associated with a breach. These can include forensics to analyse the incident and its origins, notifying the potentially harmed parties in accordance to state and federal law, legal costs, ongoing monitoring of credit charges for affected parties, fines for being in breach of regulations, rebuilding compromised security systems, and public relations to manage the brand’s reputation.   Buyer, beware of the fine print While insurance may help mitigate some of the costs associated with a data breach, complexity of the policies and numerous fine-print exclusions can leave your business without the protection you think you’re paying for. Because cyber insurance is still a relatively new product, it lacks uniformity between policies. This means that different terms are often used for the same insurance products, and assuming a product is covered by a certain policy can lead to disaster. Often, policies are so precisely worded that a business wanting to make a claim has limited grounds to do so. For example, if a computer system is defined as a computer system owned by the organisation, the organisation may not be covered for employee-owned devices that might be the cause of the breach. Failing to read the fine print is not a mistake isolated to businesses without a legal team on standby.  Back in 2011, after Sony’s earlier data breach, the company failed to receive reimbursement from Zurich American for the $171 million worth of damages caused by that breach, because the breach was caused by third-party hackers, and, apparently, its policy only covered actions taken by Sony. The 2013 Target data breach cost the company $252 million in expenses, only $90 million of which was covered by the company’s cyber policy. That left Target responsible for $162 million—more than 64 percent of the cost.   Understand and customise your policy Current cyber insurance offerings vary widely with different coverage caveats, exemptions and limitations. There are also limitations on the amount of coverage. The amount of cyber insurance that a company can purchase will vary depending on a company’s financials, industry, operations, and risk exposures. There also may be sub-limits for different categories (such as forensics and notification breach costs, regulatory fines and penalties). In choosing a cyber risk insurance policy, several factors must be considered. Most importantly, companies must understand what types of damages a policy actually covers. Cyber risk insurance policies can cover an assortment of services, tools and remediation techniques relating to data breaches and cybercrime. Companies need to review their cyber risk policies carefully to ensure protection in each of these areas. Furthermore, while these may be the chief costs that companies associate with data breaches, they should consider other, morespecific forms of cyber risk insurance that may be necessary to cover additional damages resulting from cybercrime.   Types of cover Data breach and privacy management coverage covers costs associated with managing and recovering from data breaches, including investigation, data subject notification, credit monitoring, and associated legal fees. Extortion liability coverage covers damages incurred from extortion. This could be used in the case of Distributed Denial of Service (DDoS) attacks which demand ransoms, for example. Network security liability covers costs associated with denial of service and third-party data theft. Business Interruption This covers the loss of revenue due to network downtime because of a security breach. Multimedia liability coverage covers defacement of websites, media, and intellectual property rights. Insurance providers also offer cyber risk products that insure against the loss of revenue due to data breaches orcybercrimes. Known as digital business income coverage, this product protects against income that is lost orunrealised because of security breaches, website failures or cybercrimes that inhibit or prevent a company from doing business digitally or online.  Companies should consider whether digital business income coverage is a good fit for their business, as standard cyber risk policies may not include it. A company should not assume that lost revenue is included in a business interruption policy or even a basic cyber risk insurance policy. Discovering a lack of coverage in this area after a costly breach or cybercrime can be fatal to a company.   As more companies store information online in ‘the cloud’, and engage third party vendors to manage such data, insurance issues arise when that data is lost or stolen. Knowing whether a policy has sub-limits for specific risks, such as cloud-based data breaches, is an integral part of obtaining adequate protection from cyber risk.   Purchase adequate protection Some industries have far higher risk profiles than others. At the very top of the tree are businesses that collect confidential information on clients, such as those in the banking, finance and health fields. However, any business that sells products to clients or charges them for services, and does so by collecting credit card and bank details, is at risk. It is therefore the responsibility of individual companies to understand their existing protection, assess their risks and work with their insurance providers to tailor a policy for their specific business needs. By doing so, a company increases the likelihood that it has adequate coverage, and that it is not paying for unnecessary, insufficient or redundant policies.   Have a good plan in place for when things go wrong Look at all of your company’s preventative measures as well as its pre-planned response strategies to a hack or breach. If a thorough, organisation-wide breach response plan is in place then this is a good demonstration to the insurer that a lower premium is justified. Make sure the disaster recovery plan is up-to-date and tested. It plan should take account of the business-criticality of the data and should be part of the general business continuity plan. Backups, archives, redundant databases, offsite storage – even printed reports that can be used to reconstruct information – should all have a place in this plan.   Implement a strong cybersecurity framework The key thing to understand is that cyber insurance doesn’t eliminate the need to invest in cybersecurity. Like a home fire insurance policy or car insurance policy, a cyber insurance policy is not meant as a substitute for making cybersecurity investments and observing good cybersecurity practices. In fact, if the necessary investments and practices are not made, the organization may not even be eligible to obtain cyber- insurance. To get insurance protection you need to have good demonstrable, documented and maintained security practices in place, such as ISO 27001 certification, as well as additional requirements (ISO 9001, ITIL, dedicated skilled security staff etc). If you do not have those security measures in place, or the measures you have do not meet the requirements set out by the insurance company, your costs to gain insurance will increase or you will not be offered insurance at all. In addition, any negligence on your part in protecting your data will mean that that the policies will fail to pay out and leave you stranded.   Conclusion The bottom line is that a thorough understanding of your organisation’s current levels of protection is vital to setting a suitable premium. The key is to read the small print, truly understand your coverage and what types of losses may not be insurable, as well as ensuring that the coverage spans most common breach areas. The final and maybe perhaps most important thing to remember for any business is that no matter how comprehensive your policy is, it will not protect your organisation against damage to its brand and reputation, customer loyalty or public confidence. Pride goes before the fall – Australian companies getting caught with their pants down. 2015-11-24T07:09:17Z pride-goes-before-the-fall-australian-companies-getting-caught-with-their-pants-down While the attacks on the US companies such as Sony, Target and Ashley Madison are old news, our own ‘home grown’ cyber incidents are growing by leaps and bounds, most recent of which, involving David Jones, Kmart Australia and Australian Farmers Direct, prove that cyber threats are a global phenomenon and even the big players aren’t safe. Over the past 12 months, the number of cyber security incidents detected in Australia has increased by 109 percent, with an average of two incidents per second. However, with companies taking on average 256 days to even detect that the breach has occurred, these rather chilling statistics only reflect a fraction of the problem.  The number of cyber security incidents detected in Australia has increased by 109 percent over the last 12 months. Last month, three of Australia’s biggest retailers reported security breaches in which hackers made off with customers’ personal details in the form of names, addresses and contact details. While David Jones, Kmart Australia and Aussie Farmers Direct may be congratulating themselves on the fact that no credit card details were stolen, the information obtained by cyber criminals will fetch a pretty penny on the dark web, helping to keep the lucrative practices ofphishing and identity theft alive and thriving. However, these retailers may yet feel the pinch once their customers feel the repercussions of these breaches and begin to point litigation fingers at the companies for failing to keep their personal information safe. What’s more, lack of consumer trust may see deterioration of customer loyalty and loss of sales, further hurting the bottom line.   Keeping Up With Security. One of the biggest problems remains to be, that regardless of the clear dangers and expensive repercussions, comprehensive cyber security is still viewed by many today as a luxury that often misses out on the necessary budgeting allocations required to keep these businesses from becoming the latest victims of cyber criminals. As evident, even the largest of companies are guilty of making this mistake. Many companies choose to perform cursory testing on an annual basis as a way of ticking the appropriate box and lulling themselves into a false sense of security. While the unsuspecting business continues to function, cyber criminals have a whole year in which to plant malicious software on company computers and reap the rewards, often in the form of stolen intellectual property or client credit card details and personal information.   Companies should review their options. To discover and correct vulnerabilities that may be exploited within company systems, regular and comprehensive testing and assessment must be performed. However, while a penetration test may identify your vulnerabilities and provide guidance on correcting them today, it will not stop a your employees from downloading those malicious zip files, or prevent any number of creative exploits that may be employed against your business tomorrow. Keeping abreast of the rising number of threats and keeping your system secure requires constant, 24/7 vigilance. That level of security just can’t be achieved when your security team goes home at 5 pm. Companies now have the option of outsourcing their extensive cyber security needs to managed security service providers who are able to provide an all-encompassing security solution, including the monitoring of the company’s networks and systems every second of every day. For any serious business, information security cannot be an afterthought or something piled into the ‘later’ basket. It needs a strategic and thorough approach, because your company’s survival may very well depend on it. Cybernetic Global Intelligence has been chosen as an accredited supplier to the NSW Government. 2015-11-08T09:13:54Z cybernetic-global-intelligence-has-been-chosen-as-an-accredited-supplier-to-the-nsw-government Cybernetic Global Intelligence, a leading supplier of cyber security solutions, has been appointed as an accredited supplier to the NSW Government under the ICT Services Scheme. The ICT scheme offers NSW Government agencies and other eligible customers a panel of exemplary suppliers who have already undergone a rigorous evaluation and identified as leading suppliers of ICT solutions. Companies on the panel undergo comprehensive assessments before being chosen as a qualified supplier. This is due to the high value and risk profiles of the services government agencies need to source. “We are exceptionally proud to have been accepted into the ICT Services scheme. It proves to us once more that we are on the right path as a company”, said Ravin Prasad, Cybernetic’s CEO. “Our participation in the scheme will give agencies a broader range of options when it comes to securing their most vital information. We look forward to building closer ties with the NSW government as we aid it to eliminate cyber threats and to create more resilient institutions.” The scheme aligns with the NSW Government ICT Strategy 2012, which provides a comprehensive approach to identifying, sourcing and procuring ICT goods and services, to ensure the government harness new, innovative and effective approaches.   For more information on how Cybernetic Global Intelligence can help you secure your organisation, contact us on 1300 292 376 or contact@cybernetic-gi.com.   About Cybernetic Global Intelligence. Cybernetic Global Intelligence is a global IT Security firm that helps companies protect their data and minimize their vulnerability to cyber threats through a range of services such as Security Audits, Penetration Testing, Managed Security Services, Web Application Security, and many more.  Located in the heart of Brisbane's CBD, the company has a global presence with clients spanning the Asian-Pacific region, Europe, USA, Middle East, and of course Australia and New Zealand.  Things That Go Bump In Your Computer – Infographic 2015-11-05T08:47:42Z things-that-go-bump-in-your-computer-infographic Common critters of all codes and sizes can be found lurking in the dark corners of unsecure applications and computers. Cybernetic has created a list of the most common digital nasties that give ghosts and ghouls a run for their money.    Mobile Security – Are you doing it right? 2015-11-05T08:45:12Z mobile-security-are-you-doing-it-right Unfortunately, when consumers (and many companies) think cyber security, they don’t think past their own computer systems and networks. But what of mobile security? Mobile phones have become so integral to our daily lives, that their loss means gigabytes of personal emails, contact details, and banking details are up for grabs. This data makes mobile devices a gold mine for hackers who need this information not only for their own personal gain, but to then on-sell these details to other cyber criminals. Companies that already face a tough time securing their own systems, must now also learn to recognise and defend against these threats which will now target their employee via ‘new’ channels.   Bring Your Own Hacker Device (B.Y.OD). The trend of BYOD has many potential benefits, such as lowered technology supply costs and increased collaboration, however it also introduces many security risks. For example, apps for everything from running accounting software to managing websites are now commonly used, however the App markets for both Android and iOS have become a virtual minefield.   Duck, duck, malware. According to Symantec, 17% of Android apps are malware in disguise, and a further 36% were classified as ‘grayware’, which can track user behaviour. While consumers may not be fazed by these numbers, companies that support BYOD are putting their businesses at risk, as any emails, phone calls or documents sent over corrupted personal mobile devices can ultimately end up in the hands of cyber criminals. iOS devices are also not impenetrable. The recent malware attack on iOS, resulting in more than 250,000 accounts being hijacked, has shown that users are often their own enemy when they sacrifice security for convenience. So what can users and company do to create a safer environment for the data stored on mobile devices?   ANSWER: Secure all the things! Put a PIN in it! Most devices these days have the technical capability to support PINs and even biometric readers to scan fingerprints. Use them! Users who fail to employ these mechanisms are increasing the risk of stolen phones being easily accessed. Say goodbye to those banking details you saved in ‘Notes’! Already using a pin? Great! Make sure it’s not 1234 or 0000 as these are the most frequently used and the easiest to guess. So get creative. There’s an app for that! You have security software for your PC, now get it on your phone. There are hundreds of security apps on the market, take your pick from the bigshots like Norton, or try out Avira Antivirus Security which will scan your apps for malware, help keep you off unsecure sites and can help find your lost phone or tablet. Let’s Get Down to Business Companies that either dish out devices to staff as a perk or for ‘business purposes only’ will also need to be a bit more savvy with their security. Email policy for mobiles This is a must for every company, no matter the size. It is the backbone of how your employees engage with the emails they receive, guidelines on who they can and can’t open emails from at work, as well as the specifics on the type of attachments they can download. If you didn’t know already: Attachments like PDFs, Docs, (or heaven forbid) Zips, are common carriers of malware and other malicious code that is activated when you read the document.Find out more here. BYOD policy If your company already allows BYODs or is flirting with the idea make sure you do a pros and cons of the situation to determine that it is right for your company. From there you should start to build a policy covering everything from making sure every device has security software, to in-depth training for staff on how to identify cyber threats to ensure they stop the attack before it can occur, etc. Ernest & Young have created a great whitepaper on “Insights on governance, risk and compliance” for BYOD which is a great starting point. SMEs Make Easy Pickings 2015-11-05T08:42:59Z smes-make-easy-pickings The news today is littered with various cyber security incidents that are growing in frequency and the resulting damage seems to be escalating as businesses struggle against the onslaughts of cyber attacks. However, the cases in the media represent only a fraction of the true scale of the problem. The fact is that most cases involving cyber attacks or security breaches never get reported. Whether this is because companies prefer to keep from publicising security breaches to avoid reputational damage, regulatory investigations or lawsuits, or because these cases are just not as juicy as those involving their larger, global counterparts. Whatever the reason, this lack of media attention and understated statistics do a disservice to the general public by downplaying the current impact of cyber threats on Australia’s SMEs, and serve to lull companies and consumers into a false sense of security. Alarmingly, a large number of small and medium companies globally are labouring under a dangerous misconception that cyber crime only involves large companies and global players, and therefore cyber security is necessary only for banks and multinational corporations. These SMEs feel secure behind their imagined shroud of insignificance and modest business proportions even as cyber threats against small businesses soar. In addition to facing much of the same cyber risks as large corporations, SMEs are also often used as a means of access to their larger partners and suppliers. According to this year’s Internet Security Threat Report, 60 percent of all targeted attacks last year involved small and medium-sized organisations. Moreover, Ponemon Institute’s Cost of Data Breach Study revealed that in 2014 the average cost of attack for a small company with less than 100 employees was a massive US$3.5 million. What some may fail to realise, is that small and medium companies are often more vulnerable to attack than larger corporations.  The reasons are numerous, but most come down to lack of resources invested in security,  less mature or sophisticated security processes and technologies in place, and failure to adopt basic best practices or implement essential employee awareness and training programs. And in some cases, SMEs are not only potentially under-invested in cyber security, they may not even be aware of the gravity of the threat. The unpleasant fact is that a large number of successful attacks have not yet been discovered, and some cyber-security firms estimate that as many as 71 percent of breaches go undetected. Many executives assume that information security is an IT issue, not a distinct function with a separate governance structure that requires a separate budget that allows for appropriate resources.  As a result, numerous SMEs fail to appoint a data security specialist, or that specialist is forced to wear too many hats and is simply unable to keep up with the latest malicious code and software patches. Small and medium companies must realise that cyber security is a business issue and must be considered as part of the firm’s overall strategy. SMEs should consider: 1.       Partnering with a trusted firm to provide relevant advice related to their security infrastructure, including technical testing such as security audits and penetration testing to determine where the firm’s weaknesses lie and improve organisational readiness 2.       Monitor networks for unusually high traffic volume 3.       Work with their financial institution to implement multi-factor authentication and dual controls for financial transactions 4.       Educate employees regarding good security habits including stronger administrative passwords, policies regarding email attachments, etc. To improve their security posture, small and medium companies might also consider outsourcing elements of their cyber security programs to employ managed security services. Using sophisticated technologies and processes to detect security incidents, this solution can provide a comprehensive data security solution in a cost-effective manner.   Security Software Is Not Enough 2015-11-05T08:42:00Z security-software-is-not-enough Anti-virus software was created in a time when dinosaurs roamed the earth. Okay, maybe not that long ago. But the devices we depend on daily to help run our lives and businesses have greatly evolved from their bulky, slow, and monochrome ancestors. So have the threats that they now face every day, multiple times a day, and even when you’ve gone home for the evening. What does it actually do? Anti-virus software was originally designed to protect computers from one thing: viruses. However, as technology leaped forward so did the threats. These include; Trojan horses, worms, bots, rootkits, adware, spyware, spam, malware, and every scary variant in between. The name remained, even if its job got harder. A lot harder. According to Symantec, more than 57.6 million new pieces of malware were created in June alone. Quick History Lesson Computer viruses first emerged in the mid-1980’s during the first large wave of personal computer innovation. The viruses started off basic and quickly became more malicious as programmers began to manipulate the code. Developers saw the emerging threat and responded with anti-virus software (cue John McAfee and Eugene Kaspersky). However, internet connectivity was still not common and viruses were mainly spread via infected floppy disks, which limited the scope of computers you could infect as well as the number of viruses. Once the internet because more popular, viruses quickly began pouring into the digital space and antivirus software became a must for anyone with connected devices. Software doesn’t know…what it doesn’t know. The problem with anti-virus software is that it is very good at picking up the generic viruses and malware that would impact a PCs performance, and less reliable at picking up new and unique threats. The problem lies in the way antivirus software operates. For the large part, the software relies upon signatures to identify malware and viruses. The program will scan the code and match it against its database, if there is a match then the program marks it as a threat. All cyber criminals need to do is write a new virus or piece of malware and run it against these programs. As long as the program doesn’t identify it as a threat, they know they have a ‘golden goose’. Unfortunately, cyber criminals are very good at creating new threats. According to Checkpoint, there was a 71% increase in new malware in 2014 and around 106 downloads of unknown malware occurred every hour. Another major security concern is Zero-day vulnerabilities. These exploits are often launched via malicious codes on websites that infect a user’s browser when they visit a specific URL or open malicious attachments in the form of PDFs or ZIPs, all going undetected by the anti-virus software. These vulnerabilities are given the name ‘zero-day’ or ‘zero-hour’ because developers have that long to find a solution before criminals start to exploit them. In its Internet Security Treat Report for 2015, Symantec reported that, on average, it took 295 days for vendors to create patches for the top 5 zero-day attacks, which means users were vulnerable regardless of their anti-virus software. Prevention is better than cure – Security Measures You Can Take So how do you protect your system? Two Words – Layered Security. Having only one type of defence is like locking your front door while the window remains open. Here are several steps you can take to add layers to your protection. 1. Update Your Software Regularly updating both your anti-virus software and overall day-to-day business software will allow you to have the latest patches to vulnerabilities and updates in regards to new threats. Set your anti-virus to auto-update, to never forgo an update. Also, never update software via links on emails, alternatively do so directly for the vendors’ website to avoid Trojanized software. 2. Personal firewall. A reputable firewall such as Bitdefender Total Security, on each personal system, will help prevent the spread of an infection in case a corporate firewall has been breached. This can help minimise damage to systems, loss of information and keep operations running. 3. Email Spam Filtering Investing in an email filter such as SPAMFighter, for your company’s emails is a good first step to preventing tempting phishing emails and spam. Furthermore, setup an email policy regarding opening executable attachments such as PDFs, ZIPs, etc. 4. Be Safe on the Web Many anti-virus programs offer online protection such as URL scanning which works in the browser to automatically scanning the web page before you enter. This will help keep you away from sites that may haveharmful code or suspicious activity. You can also use Free Plugins such as Web Of Trust (WOT) for Chrome, Safari, and Firefox, which also checks the reputation and safety of a website based on user experience. This adds a human factor to the equation, allowing users to protect each other and find threats that the software hasn’t picked up. 5. Think Professionally Due to the expertise of cyber criminals, it often takes individuals with equally matching skills to successfully stop their attacks. A good option for companies who are looking to better manage their cybersecurity risk is investing in services conducted by Cyber Security providers. These companies often offer professional services such as Managed Security Services conducted by IT Security experts. Managed Security Services are an all-included suite of services, such as 24x7x365 Live Network Monitoring, Managed Malware and Firewall protection, Email Filtering, Managed Patches, and Updates, to name a few. The Live Network monitoring also provides peace of mind because malware or other threats such as any suspicious activity or spikes in the system are automatically picked up and eliminated. Utilizing the services of such companies takes the pressure of internal IT staff who are already taxed with daily operations and who may not have the expertise or manpower to successfully fight off persistent cybercriminals. Don’t Be Complacent A good anti-virus and firewall are definitely something every company should invest in as a basic layer of security. However, they by no means guarantee a company’s safety. In the words of the anti-virus giant Symantec itself: “Antivirus software alone is not enough” (Symantec, 2013).   PRESS RELEASE: Cybernetic Global Intelligence becomes Supplier of Choice for Queensland Government. 2015-08-05T02:23:52Z press-release-cybernetic-global-intelligence-becomes-supplier-of-choice-for-queensland-government Cybernetic Global Intelligence, a Cyber Security solutions provided, were GITC approved earlier this week. This accreditation is the result of a rigorous approval process, where Cybernetic demonstrated the high quality of their IT security services. GITC is Queensland’s leading accreditation for companies who provide services to government departments and agencies. Businesses who do not possess this accreditation are seriously hindered, as government buyers require suppliers to have GITC accreditation, otherwise they fail to abide by the State Purchasing Policy through Information Standard 13 and are not protected by the provisions of the GITC. The GITC approval came just days after Cybernetic was awarded a QAssure accreditation. The Cybernetic’s CEO, Ravin Prasad commented: “This is another great achievement for us! It strengthens our credibility as a leading iT Security provider and opens more doors, especially into government works. It also reassures our current clients that we are actively pursuing higher quality and better services to make sure they are always getting the best value and protection. Mr Prasad also reflected on why the company is prospering, saying that Cybernetic’s focus on client safety has been the key. “Their safety is our priority and the reason we created this company in the first place: to give companies peace of mind when it comes to their cyber security. They have the right to work and conduct business in a safe digital environment.” Cybernetic Global Intelligence in located in Brisbane’s CBD, and has entered its 6th year of operations. For more information go to www.cybernetic-gi.com For all media enquiries please contact Polina Kants (+61 437 271 588)