Interview: Sense of Security talks red teaming, DevSecOps and 'box ticking'
Sense of Security has been putting its roots in Australian soil since 2002 and now works with some of Australia’s biggest organisations and government bodies. From SMEs to tertiary institutions, the company delivers information security and consultancy services, security advisories, education and awareness to the wider community.
The company invested in a research laboratory to conduct analysis of flaws in common commercial and open technology platforms. Its most recent discovery was a vulnerability in Emsisoft’s Anti-Malware, which allowed hackers to bypass its behaviour blocker.
We spoke to Jason Edelstein and Murray Goldschmidt to gain their unique insights into the company’s plans, red teaming, IoT security, DevSecOps and advanced security techniques.
Goldschmidt says that Australian organisations have fallen into the trap of being cybersecurity ‘box tickers’ as a result of commoditised penetration testing for risk audit purposes. Every year, businesses conduct the same test and get the same results.
“Whilst businesses fall into this lazy routine, cyber criminals are getting more sophisticated in their approach and the ways they break into networks. They are moving away from targeting systems they know go through rigorous testing, instead focusing on the master key that unlocks the door - us.”
This is why, even for no other reason, businesses should go beyond box-ticking to actually thinking about where they are susceptible to attacks – whether through social engineering, physical breaches, mobile devices or IoT.
Edelstein explains that IoT devices are particularly problematic and inconsistent because there are no specific IoT security standards.
Manufacturers are working towards different requirements, which leaves many people and devices open to attack. Add in micro devices, cloud infrastructure, applications and web services, a higher level of scrutiny is required.
“We educate and train vendors on secure software development principles, through to hardware and software penetration testing and threat profiling of the entire IoT ecosystem. This helps to determine where to spend time and money on protecting the technology and the data it processes,” Edelstein says.
Sense of Security is also passionate about the concept of ‘red teaming’. In this exercise, the company plays the role of a motivated attacker who is trying to breach a client's security systems.
“It differs to a standard penetration test in that, instead of testing a specific set of security controls, a Red Team is focused on the goal (access) rather than the method. It doesn’t matter how they breach your security, as long as they do it,” Edelstein continues.
Through this process red teams get creative with layered tools and techniques that businesses may not have planned for – including likely and unlikely attack methods.
“In our experience, there hasn’t been an organisation that has been able to defend against our teams and in some cases, we’ve simply walked in and plugged a device straight into the network with little to no resistance. In fact, people in organisations are willing to assist us with our ‘IT problem’,” adds Goldschmidt.
Edelstein warns that red team analysis is best performed occasionally as it is intrusive, intensive and broad.
“A sensible organisation can see the value in testing the defences on their facilities and systems, but a Red Team operation also allows scope to find any bias, blind-spots or presumptions in your security posture as a whole. The Sense of Security Red Team methodology employs creative thinking, an agile approach and considerable tenacity to rigorously test your security. By thinking like an attacker, or one of your competitors, the Red Team are driven to gain access and are not restricted by assumptions or preconceptions.”
Goldschmidt says that Sense of Security is committed to the Asia Pacific and Australia region and wants to help businesses, governments and other organisations avoid a cyber disaster.
“Recently, we partnered with the Department of Foreign Affairs and Trade as part of its cyber mission to enhance cyber capacity in the Indo-Pacific region and position Australia for regional trade opportunities, while managing the risks related to an increasingly interconnected world.”
The company has worked with the Department of Foreign Affairs and Trade as part of its cyber mission to enhance cyber capacity in the into-Pacific region.
“We have already started working with developing nations, in line with the host Government’s initiatives to increase and improve their digital presence and will continue to do so over the next three years,” Goldschmidt says.
Edelstein adds that Sense of Security is developing security solutions for IoT, cloud and DevOps Security Automation (DevSecOps).
“We see DevSecOps as a fast growing area in cyber security at the moment, as part of the “shift left” trend we are seeing in the market - where businesses are looking to implement security earlier in the software development stage,” he says.
Any vulnerabilities that can exist amongst applications developed through the ‘full stack’ of layers, not just the public-facing component.
“With the development flow generally following a predictable and mature path from code to production, security can be implemented and automated, as tasks are repeatable. Security tests can be set in code (just like application code) and is one of the best ways to begin realising the benefits of DevSecOps. This will address security incrementally in achievable and actionable chunks inside the core of your development pipeline,” Goldschmidt says.
The company is also focusing on incident response and managed services including training. It recently achieved ISO 27001:2013 certification.
“It is important to our business given the type of clientele we engage with and the nature of our services. Clearly, our clients want the confidence and assurance we have taken reasonable measures to protect our systems, so we can continue to deliver quality services,” Goldschmidt explains.
“You can no longer just rely on the fact you’ve ticked boxes. By experiencing a simulated cyber-attack, you reveal a wider and deeper understanding of potential adversary options, including threat actor behaviours that may never have been previously considered, such as exploiting a partner’s or contractor’s network,” he concludes.