
Interview: Sense of Security talks red teaming, DevSecOps and 'box ticking'

24 Oct 2017

Sense of Security has been putting its roots in Australian soil since 2002 and now works with some of Australia’s biggest organisations and government bodies. From SMEs to tertiary institutions, the company delivers information security and consultancy services, security advisories, education and awareness to the wider community.

The company invested in a research laboratory to conduct analysis of flaws in common commercial and open technology platforms. Its most recent discovery was a vulnerability in Emsisoft’s Anti-Malware, which allowed hackers to bypass its behaviour blocker.

We spoke to Jason Edelstein and Murray Goldschmidt to gain their unique insights into the company’s plans, red teaming, IoT security, DevSecOps and advanced security techniques.

Goldschmidt says that Australian organisations have fallen into the trap of being cybersecurity ‘box tickers’ as a result of commoditised penetration testing for risk audit purposes. Every year, businesses conduct the same test and get the same results.

“Whilst businesses fall into this lazy routine, cyber criminals are getting more sophisticated in their approach and the ways they break into networks. They are moving away from targeting systems they know go through rigorous testing, instead focusing on the master key that unlocks the door - us.”

This is why, if for no other reason, businesses should go beyond box-ticking and actually think about where they are susceptible to attack – whether through social engineering, physical breaches, mobile devices or IoT.

Edelstein explains that IoT devices are particularly problematic and inconsistent because there are no specific IoT security standards.

Manufacturers are working towards different requirements, which leaves many people and devices open to attack. Add in micro devices, cloud infrastructure, applications and web services, and a higher level of scrutiny is required.

“We educate and train vendors on secure software development principles, through to hardware and software penetration testing and threat profiling of the entire IoT ecosystem. This helps to determine where to spend time and money on protecting the technology and the data it processes,” Edelstein says.

Sense of Security is also passionate about the concept of ‘red teaming’. In this exercise, the company plays the role of a motivated attacker who is trying to breach a client's security systems.

“It differs from a standard penetration test in that, instead of testing a specific set of security controls, a Red Team is focused on the goal (access) rather than the method. It doesn’t matter how they breach your security, as long as they do it,” Edelstein continues.

Through this process, red teams get creative with layered tools and techniques that businesses may not have planned for – including both likely and unlikely attack methods.

“In our experience, there hasn’t been an organisation that has been able to defend against our teams and in some cases, we’ve simply walked in and plugged a device straight into the network with little to no resistance. In fact, people in organisations are willing to assist us with our ‘IT problem’,” adds Goldschmidt.

Edelstein warns that red team analysis is best performed occasionally as it is intrusive, intensive and broad.

“A sensible organisation can see the value in testing the defences on their facilities and systems, but a Red Team operation also allows scope to find any bias, blind-spots or presumptions in your security posture as a whole. The Sense of Security Red Team methodology employs creative thinking, an agile approach and considerable tenacity to rigorously test your security. By thinking like an attacker, or one of your competitors, the Red Team are driven to gain access and are not restricted by assumptions or preconceptions.”

Goldschmidt says that Sense of Security is committed to the Asia Pacific and Australia region and wants to help businesses, governments and other organisations avoid a cyber disaster.

“Recently, we partnered with the Department of Foreign Affairs and Trade as part of its cyber mission to enhance cyber capacity in the Indo-Pacific region and position Australia for regional trade opportunities, while managing the risks related to an increasingly interconnected world.”

The company has worked with the Department of Foreign Affairs and Trade as part of its cyber mission to enhance cyber capacity in the Indo-Pacific region.

“We have already started working with developing nations, in line with the host Government’s initiatives to increase and improve their digital presence and will continue to do so over the next three years,” Goldschmidt says.

Edelstein adds that Sense of Security is developing security solutions for IoT, cloud and DevOps Security Automation (DevSecOps).

“We see DevSecOps as a fast growing area in cyber security at the moment, as part of the “shift left” trend we are seeing in the market - where businesses are looking to implement security earlier in the software development stage,” he says.

Vulnerabilities can exist anywhere in the ‘full stack’ of layers through which applications are developed, not just in the public-facing component.

“With the development flow generally following a predictable and mature path from code to production, security can be implemented and automated, as tasks are repeatable. Security tests can be set in code (just like application code), and this is one of the best ways to begin realising the benefits of DevSecOps. This will address security incrementally in achievable and actionable chunks inside the core of your development pipeline,” Goldschmidt says.
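To make the "security tests in code" idea concrete, here is an added example (not Sense of Security's tooling and not from the original article) of a small pipeline gate written in Python. It runs two kinds of checks that are typical of an early, automated DevSecOps stage: it inspects the HTTP response headers a deployed service returns for a baseline of hardening headers, and it scans an application configuration for settings that must never reach production (debug mode, disabled TLS verification, hard-coded credentials). The header set, the minimum HSTS age and the configuration keys are assumptions chosen for illustration, and the sample headers and configs are constructed, not captured from any real system.

```python
"""Security-as-code gate for a CI step (added example, not from the article).

Each check returns a list of findings; the gate fails the build when any
finding exists, so the security test lives next to the application tests.
"""
import re
from typing import Dict, List, Optional

# Baseline hardening headers expected on a public-facing response
# (assumed policy; a real pipeline would load this from the repo).
REQUIRED_HEADERS: Dict[str, Optional[re.Pattern]] = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "content-security-policy": None,  # presence is enough for this check
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
}
MIN_HSTS_SECONDS = 15552000  # 180 days (assumed minimum)

# Settings that must never be present with these values in production
# (assumed key names, labelled hypothetical).
INSECURE_SETTINGS = {
    "DEBUG": ("true", "debug mode enabled in production config"),
    "TLS_VERIFY": ("false", "TLS certificate verification disabled"),
    "SESSION_COOKIE_SECURE": ("false", "session cookie not marked Secure"),
}


def check_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak hardening headers."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name, pattern in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
            continue
        if pattern is None:
            continue
        match = pattern.search(value)
        if not match:
            findings.append(f"unexpected value for {name}: {value!r}")
        elif name == "strict-transport-security" and int(match.group(1)) < MIN_HSTS_SECONDS:
            findings.append(f"hsts max-age too short: {match.group(1)}")
    # A version number in Server is an information leak worth flagging.
    if "server" in lower and re.search(r"\d", lower["server"]):
        findings.append(f"server header leaks version: {lower['server']!r}")
    return findings


def check_config(config: Dict[str, str]) -> List[str]:
    """Return findings for insecure or credential-bearing config values."""
    findings: List[str] = []
    for key, (bad_value, message) in INSECURE_SETTINGS.items():
        if str(config.get(key, "")).strip().lower() == bad_value:
            findings.append(message)
    for key, value in config.items():
        # Credentials should be injected (e.g. "${DB_PASSWORD}"), never literal.
        if re.search(r"(secret|password|token)", key, re.I) and value and not value.startswith("${"):
            findings.append(f"hard-coded credential in config key {key}")
    return findings


def pipeline_gate(headers: Dict[str, str], config: Dict[str, str]) -> Dict[str, object]:
    """Combine the checks; 'passed' is False if anything was found."""
    findings = check_response_headers(headers) + check_config(config)
    return {"passed": not findings, "findings": findings}


# Constructed sample inputs (not captured from any real service).
SAMPLE_HEADERS_BAD = {
    "Server": "nginx/1.18.0",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=3600",
}
SAMPLE_HEADERS_GOOD = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
SAMPLE_CONFIG_BAD = {"DEBUG": "True", "TLS_VERIFY": "false", "DB_PASSWORD": "hunter2"}
SAMPLE_CONFIG_GOOD = {
    "DEBUG": "false",
    "TLS_VERIFY": "true",
    "SESSION_COOKIE_SECURE": "true",
    "DB_PASSWORD": "${DB_PASSWORD}",
}

if __name__ == "__main__":
    for label, hdrs, cfg in (("bad", SAMPLE_HEADERS_BAD, SAMPLE_CONFIG_BAD),
                             ("good", SAMPLE_HEADERS_GOOD, SAMPLE_CONFIG_GOOD)):
        result = pipeline_gate(hdrs, cfg)
        print(label, "passed" if result["passed"] else "FAILED")
        for finding in result["findings"]:
            print("  -", finding)
```

In a pipeline the `headers` dict would come from a request against the freshly deployed staging environment and `config` from the rendered production configuration; exiting non-zero when `passed` is false turns the check into a gate that blocks the release, which is the "shift left" step the quote describes.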

The company is also focusing on incident response and managed services including training. It recently achieved ISO 27001:2013 certification.

“It is important to our business given the type of clientele we engage with and the nature of our services. Clearly, our clients want the confidence and assurance we have taken reasonable measures to protect our systems, so we can continue to deliver quality services,” Goldschmidt explains.

“You can no longer just rely on the fact you’ve ticked boxes. By experiencing a simulated cyber-attack, you reveal a wider and deeper understanding of potential adversary options, including threat actor behaviours that may never have been previously considered, such as exploiting a partner’s or contractor’s network,” he concludes.
