Why code review is core to your enterprise’s health, productivity, and competitive advantage

There are few things more core to the modern business than coding. KPMG predicts that going forward 80 per cent of new revenue growth will come from digital opportunities, and embracing DevOps will sit at the centre of that activity.

For DevOps to be successful, however, the team needs to work securely and according to agile best practice. For that reason, code review needs to be baked into everything that they do.

What is code review?
Code review generally occurs at the start and end of any coding activity, and involves members of the development team taking sections of code that they didn’t write themselves and checking them against a number of criteria, which can include (but isn’t limited to):

  • Are there logic errors in the code?
  • Are all the requirements of the code implemented in full?
  • Are there any security vulnerabilities, or malicious code?
  • Does the code fit with existing style guidelines?

Traditionally this has been a manual process, and it can be time-consuming. However, there are now tools that bring automation to the code review process. A DevOps team that is particularly concerned about security, for example, might use automated tools to help check its open source dependencies, container images, and infrastructure-as-code configuration.
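As an added example (not Protectera's code and not tied to any particular product), the script below shows what an automated security check in a code review gate looks like for the three artefact types just mentioned: a dependency manifest, a container image definition and an infrastructure-as-code file. The sample artefacts, package names and resource names are constructed for the demonstration; the rules are simple pattern checks, not a replacement for a vulnerability database or a full linter.

```python
"""Added example: a tiny automated code-review gate for three artefact types."""
import re

# Constructed sample artefacts (hypothetical, not from any real project).
REQUIREMENTS = """\
requests==2.31.0
flask>=2.0
pyyaml
cryptography==41.0.7
"""

DOCKERFILE = """\
FROM python:latest
RUN pip install -r requirements.txt
ENV API_KEY=sk_live_EXAMPLEONLY0000
COPY . /app
CMD ["python", "app.py"]
"""

TERRAFORM = """\
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}
"""

def check_requirements(text):
    """Flag dependencies not pinned to an exact version: an unpinned package
    lets a newly published (possibly malicious) release reach production
    without anyone reviewing it."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not re.match(r"^[A-Za-z0-9_.\-\[\]]+==\S+$", line):
            findings.append(f"requirements: '{line}' is not pinned with ==")
    return findings

def check_dockerfile(text):
    """Flag a floating base-image tag, a secret baked into the image, and a
    missing USER instruction (the container would run as root)."""
    findings = []
    has_user = False
    for line in text.splitlines():
        m = re.match(r"^FROM\s+(\S+)", line)
        if m:
            image = m.group(1)
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(f"dockerfile: '{line}' uses a floating tag; pin a version or digest")
        # Heuristic: ENV/ARG names containing KEY/SECRET/TOKEN/PASSWORD.
        if re.match(r"^(ENV|ARG)\s+\w*(KEY|SECRET|TOKEN|PASSWORD)\w*\s*=", line, re.I):
            findings.append(f"dockerfile: '{line.split('=')[0]}=...' bakes a secret into the image")
        if line.startswith("USER "):
            has_user = True
    if not has_user:
        findings.append("dockerfile: no USER instruction; container will run as root")
    return findings

def check_terraform(text):
    """Flag world-open ingress rules and public bucket ACLs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(r'cidr_blocks\s*=\s*\[.*"0\.0\.0\.0/0"', line):
            findings.append(f"terraform line {n}: ingress open to 0.0.0.0/0")
        if re.search(r'acl\s*=\s*"public-read', line):
            findings.append(f"terraform line {n}: public bucket ACL")
    return findings

def review(requirements, dockerfile, terraform):
    """Run every check; a non-empty result means the change should not merge."""
    return (check_requirements(requirements)
            + check_dockerfile(dockerfile)
            + check_terraform(terraform))

if __name__ == "__main__":
    for finding in review(REQUIREMENTS, DOCKERFILE, TERRAFORM):
        print(finding)
```

Run on the constructed inputs it reports seven findings: two unpinned packages, a floating base image, a baked-in secret, a missing USER, an SSH port open to the world and a public bucket. In a real pipeline the same functions would run over the files touched by a pull request, with the list of findings posted back to the review.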

The benefits of code review

  • Modern development is about being iterative and agile, and making code reviews a formalised part of the process before and after a coding project is a good way of ensuring that projects remain on track and compliant at every stage of development.
  • Code review also allows DevOps to embrace open source. Open source comes with a host of benefits of its own – it offers pre-built solutions to problems and allows the DevOps team to focus on customisation and competitive differentiation. However, open source can also introduce vulnerabilities into the environment if they are not caught, and can therefore be seen as high risk. Any organisation that seeks to leverage open source will need to have a robust code review process in place.
  • There are soft benefits to code review too. For example, code review can be an excellent way of getting a new developer or engineer up to speed on the application environment quickly. Reviewing existing code first allows the newcomer to become accustomed to the environment before they try to add to it.
  • Code review can also prevent delays to projects. Say a developer suddenly needs to take some time off. Rather than needing to wait for the developer to return to pick up their work, a colleague who has been through the code review process will already understand that developer’s work and will be able to step in.
  • Finally, the earlier issues are found in code, the cheaper they are to address. If there is a security vulnerability in a piece of code, for example, detecting it right at the start of the project is going to make it cheaper and easier to address than discovering it later, in testing, when there are already multiple integrations, APIs and capabilities to untangle.

With the right tools and a formalised process, a code review before and after the application development process is the most efficient and agile way to deliver well-founded, risk-free software back to the enterprise. Most importantly, however, it’s also the most secure way to undertake ongoing and iterative software development, and to keep a tight lock on the code so that vulnerabilities aren’t introduced into the environment and then left unnoticed until it’s too late.

Speak to Protectera to discuss the right tools and best practices to build a code review strategy


In the era of multi-cloud Information Technology, zero trust security is the only solution

As IT environments have evolved, so too have the security requirements. The traditional, perimeter-based approach to security is no longer adequate at a time where organisations are leveraging multi-cloud environments, pushing computing to the edge, and embracing remote work.

Zero trust security emerged as a solution to the evolving use of IT. Zero trust security assumes that nothing, whether it is inside or outside of the network, can be trusted, and that ongoing verification is needed for authentication.

It is one of those rare technologies where there is universal consensus on its value. The vast majority of executives – 83 per cent – agree that, to safely protect modern work environments, zero trust is strategically necessary.

Unfortunately, companies across APAC are struggling with the implementation of zero trust. When poorly implemented, zero trust security can result in inefficiencies across the workplace. In a worst-case scenario it drives shadow IT, as users look for alternatives outside the managed environment, exposing that data and those work processes to a high level of risk.

Looking at zero trust strategically
To implement zero trust IT in a way that maintains the user experience, the CISO and CIO need to approach implementation with three specific strategies in mind.

  • Firstly, they need to understand the impact that zero trust security will have on legacy systems. With many applications it won’t be possible to simply drop zero trust solutions over the top, and so, before adopting zero trust, there should be a full audit of the environment to avoid surprise incompatibilities.
  • Secondly, the IT team needs to understand how users are interacting with the applications and IT environments, to ensure that, once the user has demonstrated the legitimacy of their login and interactions, the security subsequently gets out of the way. Zero trust security is only going to be embraced by the organisation if it doesn’t inhibit productivity.
  • Finally, the CISO and CIO need to understand that zero trust security is iterative – the IT security team should take an agile approach to rollouts, where they are constantly monitoring the network and traffic to build insights into how to improve the security over time.

These considerations can be addressed through a five-step process:

  • Define the protected surface – As above, audit the environment to understand the critical data, applications, assets and services, so the full scope of what needs to be protected can be defined.
  • Map the transaction flows – Understanding how the specific resources in your environment interact will allow you to build tight controls into the security system and optimise the performance of it.
  • Determine the right technology mix that will cover the full surface area – In most cases, zero trust security involves a combination of technologies and systems.
  • Build the policies, keeping the users in mind – This is the stage where you determine the balance between security and the user experience.
  • Monitor and maintain networks – As mentioned, it’s important to understand that zero trust is not set-and-forget, but rather iterative and agile. It’s also likely that you’ll need to undertake a change management program, so that the rest of the employees (and, potentially, customers and clients) understand this new approach to security. However, given that zero trust security ultimately allows for more flexible ways of working – for example, it will allow employees to work from home indefinitely – it is one of those times that the IT team will be seen as delivering meaningful value and opportunity to the business.
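To make the five steps concrete, here is an added example (not Protectera's code, and not a description of any product) of a minimal zero-trust policy evaluator: the protected surface is declared explicitly, the permitted transaction flows are mapped, every request is verified against identity, device and flow policy regardless of where it originates, and each decision is logged so the policy can be tuned over time. The resources, roles, users and sample requests are all constructed for the demonstration.

```python
"""Added example: a minimal zero-trust policy evaluator following the five steps."""
from dataclasses import dataclass

# Step 1: define the protected surface (constructed resources and sensitivities).
PROTECTED_SURFACE = {
    "payroll-db": {"sensitivity": "high"},
    "hr-portal": {"sensitivity": "high"},
    "wiki": {"sensitivity": "low"},
}

# Step 2: map the transaction flows: which role may do what to which resource.
ALLOWED_FLOWS = {
    ("finance", "payroll-db", "read"),
    ("finance", "payroll-db", "write"),
    ("hr", "hr-portal", "read"),
    ("hr", "hr-portal", "write"),
    ("staff", "wiki", "read"),
}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    network: str  # "office" or "remote": recorded for monitoring, never used for trust

@dataclass
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG = []

def evaluate(req: Request) -> Decision:
    """Steps 3 and 4: verify every request explicitly, and keep users in mind.
    A low-sensitivity resource accepts a compliant device without a fresh MFA
    check so that security gets out of the way; high-sensitivity resources
    require both. Network location never grants trust on its own."""
    if req.resource not in PROTECTED_SURFACE:
        decision = Decision(False, "unknown resource: default deny")
    elif (req.role, req.resource, req.action) not in ALLOWED_FLOWS:
        decision = Decision(False, "no mapped flow for role/resource/action")
    elif not req.device_compliant:
        decision = Decision(False, "device not compliant")
    elif PROTECTED_SURFACE[req.resource]["sensitivity"] == "high" and not req.mfa_verified:
        decision = Decision(False, "MFA required for high-sensitivity resource")
    else:
        decision = Decision(True, "verified")
    # Step 5: monitor. Every decision is recorded, allowed or not.
    AUDIT_LOG.append((req.user, req.network, req.resource, req.action,
                      decision.allowed, decision.reason))
    return decision

def denial_summary() -> dict:
    """Count denials by reason: the signal used to refine policies iteratively
    (e.g. many 'no mapped flow' denials for one role means a flow was missed)."""
    summary = {}
    for _, _, _, _, allowed, reason in AUDIT_LOG:
        if not allowed:
            summary[reason] = summary.get(reason, 0) + 1
    return summary

if __name__ == "__main__":
    # Same user, same resource: being in the office does not replace MFA.
    print(evaluate(Request("alice", "finance", "payroll-db", "read", True, True, "remote")))
    print(evaluate(Request("alice", "finance", "payroll-db", "read", False, True, "office")))
    print(denial_summary())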

For more information on how Protectera can help you develop and execute on a zero trust security strategy, contact us today.


Most organisations suffer data leak via email – the case for email encryption has never been stronger

We’re sending more email than ever. Research shows that 85 per cent of employees are emailing more now that working remotely has become standard. Unfortunately, it’s also proving to be one of the most insecure forms of communication that we have, with 83 per cent of organisations having suffered data breaches via email in the last 12 months.

Part of the problem is that many business leaders only look at half the challenge with email security. Most leaders are certainly concerned about the security of email, but only on the receiving side of things. The risks of malware delivered by email and of phishing attacks are well documented, and most businesses, of all sizes, have an active strategy to protect against these threats. Guarding against data loss from the email being sent, however, is less common than it should be, and yet, for businesses in many sectors, it’s essential.

When you need email encryption
The convenience and prevalence of public Wi-Fi, combined with our mobile working habits, is of particular concern. Research out of the US suggests that people are more than willing to connect to public Wi-Fi hotspots, and email is one of the go-to applications once on there. Even when working from home offices, however, the environment isn’t properly secured: off-the-shelf routers are not as secure as the office IT environment. If your organisation is bound by compliance regulations such as GDPR, HIPAA or SOX, or must follow a security standard such as PCI DSS, then operating without email encryption is playing with fire.

There is a three-pronged approach that you should be taking to email encryption:

  • You should encrypt the connection with your email provider. Doing this prevents unauthorised users on the network from intercepting and capturing your login credentials, and/or email messages as they pass through the provider’s servers.
  • The emails themselves should be encrypted. Should a cyber criminal somehow intercept the email, if it’s properly encrypted it’s going to be unreadable and therefore useless to them.
  • Finally, should the cyber criminal gain access to your email password, there should be encryption on stored emails, to again render them useless. Email is one of the major sources of data leaks following a lost laptop or phone, and this third step will assist in protecting against that.

It is best policy to encrypt all emails. Sometimes, a business or individual will only encrypt material that they believe contains sensitive information, but that acts as a beacon to cyber criminals, highlighting the emails that they should be focused on.

What is email encryption?

Email encryption traditionally takes one of two approaches – transport encryption with TLS, or end-to-end encryption, for which there are several options, including the PGP and S/MIME protocols. With the right tools, none of this is difficult to implement. The standards and best practices for email encryption are well known and established, and there are some excellent tools available that can make email encryption policies easy to deploy.
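The first prong above, encrypting the connection to the email provider, is where configuration mistakes most often silently undo the protection: a client that encrypts the session but does not verify who it is talking to can be intercepted by anyone on the same public Wi-Fi. The following added example (not Protectera's code, and not a description of any product) uses only Python's standard library to build a TLS context that verifies the provider's certificate and hostname and refuses anything older than TLS 1.2, alongside the permissive configuration it replaces and a check that tells the two apart. The host, port and credentials passed to send_via_submission() are placeholders; nothing connects to a network unless you call it.

```python
"""Added example: hardened vs permissive TLS settings for SMTP submission."""
import smtplib
import ssl
from email.message import EmailMessage

def hardened_tls_context() -> ssl.SSLContext:
    """Certificate and hostname verification on; TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def permissive_tls_context() -> ssl.SSLContext:
    """The weak configuration often pasted in to 'fix' certificate errors.
    It still encrypts the bytes, but any on-path device can impersonate the
    provider and read the session, which defeats the point of encrypting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_findings(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context is unfit for talking to a mail provider."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings

def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def send_via_submission(msg: EmailMessage, host: str, username: str,
                        password: str, port: int = 587) -> None:
    """Upgrade the submission session with STARTTLS, then authenticate over
    the encrypted channel so credentials never cross the network in the clear.
    Note this protects the hop to the provider only; the message body is still
    readable by the provider unless it is also encrypted end to end (PGP/S/MIME)."""
    ctx = hardened_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)   # raises ssl.SSLError if verification fails
        smtp.ehlo()
        smtp.login(username, password)
        smtp.send_message(msg)

if __name__ == "__main__":
    print("hardened:", context_findings(hardened_tls_context()))
    print("permissive:", context_findings(permissive_tls_context()))
```

A practical use of context_findings() is in a configuration review: run it against the TLS context your mail integration actually constructs, and treat any finding as a blocker. The placeholder host "smtp.example.com" style values should be replaced with your provider's submission endpoint when the send function is used for real.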

A good rule of thumb is that if there is even a remote possibility of risk with email data loss, then encryption needs to be in place. It’s one thing to protect the organisation from inbound malware and encourage a culture of cyber vigilance within the organisation. Without email encryption in place, those efforts could be for naught, because all it would take is a single lost laptop or ill-advised public Wi-Fi login to expose the organisation’s sensitive data and correspondence to hackers.

For more information on email encryption and protecting your organisation’s most critical communications platform, contact the experts at Protectera. We have the tools and platforms that can deliver a secure email environment to organisations of all sizes.


Good Cyber Security Starts At Home – Here are some of the key strategic considerations

If you were to imagine that cybercrime was a nation, it would be the third largest economy, after the United States and China. It costs businesses $6 trillion annually, and it affects businesses of all sizes and scales, from the largest shipping companies in the world right down to the smallest of businesses.

In fact, nearly half of all cyber attacks target small businesses, who often assume that they don’t have enough prominence, nor assets, to be worth the effort. The flipside to that coin, as far as the cyber criminals are concerned, is that smaller businesses are easier to target, and doing so becomes a “run-rate” business for them.

The other thing that cyber criminals count on, which is disproportionately represented within smaller and mid-sized businesses, is that not only is the IT environment less secure, but the employees are also easier to target. Research from IBM shows that human error is a contributing factor in 95 per cent of all cyber security breaches. In other words, the best cyber security defence – and one that’s accessible to businesses of all sizes – is simply training staff to be better aware of the cyber security risks out there.

On Developing a Culture of Cyber Security
Successfully driving a culture of cyber security within the enterprise cannot be a passive process. The business leaders need to develop an active and ongoing awareness within the organisation, and at every level. This is one of those areas where the entire IT environment is only as strong as its weakest link.

Some of the key strategic considerations include:

  • Have absolute clarity around IT security policies and processes: you should be actively explaining to your people why strong passwords and two-factor authentication are important, and why they shouldn’t be using the likes of Dropbox to share files. Not only will understanding why these policies are in place prevent frustration towards “overbearing” IT security, but it will also help the users understand the risks of circumventing them.
  • Regularly test employees: Rather than simply provide employees with resources on what to look out for with cyber threats, you should also regularly test them. A number of software solutions provide for simulations of common cyber attacks, and will provide feedback on where the risks are within the organisation. This allows you to create a targeted approach towards cyber security awareness.
  • Pay particular attention to BYOD: Most enterprises – especially smaller companies – do allow some form of BYOD, whether that be just the mobile phone, or the entire laptop. Be sure that you’re able to apply the same policies to these devices – including patch management and remote use policies – and that the employees are comfortable with this.

Finally, it’s important to have a solution in case human error does lead to a successful cyber attack. Having an effective backup solution means keeping the backup off-site, separated from the network, and regularly checked. That way, if malware should infect the network, it can be addressed simply by taking the network offline and running the restore. However, this also needs to be properly managed, as a staggering 37 per cent of backups fail when needed.


The Five types of Business Email Compromise (BEC) scams according to the FBI

Business Email Compromise (BEC) is a growing problem targeting organizations of all sizes across the world. It is a type of cybercrime scam in which the attacker targets a business to defraud the company. According to the Internet Crime Complaint Center (IC3), BEC causes the most financial damage with $1.8 billion in confirmed losses in 2020.

The Federal Bureau of Investigation lists the following five types of BEC scams:

  • Attorney Impersonation
    In this case the attacker impersonates a lawyer or legal representative. Such requests may be made by email or phone, and often at the end of the day. Lower-level employees are usually targeted as they may not have the knowledge to question the authenticity of the email.
  • CEO Fraud
    Here the attacker poses as the CEO or a senior executive and sends an email to employees in the finance department asking them to transfer funds into an account controlled by them.
  • Data Theft
    This attack targets employees in the HR department in an attempt to obtain personal information about individuals within the company such as senior executives. This information can then be used for future attacks.
  • Account Compromise
    In this case an employee’s email account is hacked and is used to request payments to vendors. These payments are then sent to bank accounts controlled by the attackers.
  • False Invoice Scam
    Attackers target companies with foreign suppliers with this tactic. The attacker pretends to be the supplier and requests that payment be transferred into an account owned by the fraudsters.

Being aware of the types of BEC attacks is an important step towards preventing them.


Understanding what Penetration Testing is, when it is required and its benefits

What is Penetration Testing?

Penetration Testing is a type of security testing used to find flaws in the system. This is done in order to take appropriate security measures to protect the data and maintain functionality. A security risk is normally an accidental error that occurs while developing and implementing the software. This can include configuration errors, design errors, and software bugs, etc.

When should Penetration Testing be done?

Pen testing should be performed regularly to keep a system secure. In addition, it should be performed whenever:

  • New network infrastructure is added
  • The office is relocated
  • A new end-user program or policy is set up
  • The system is updated or new software is installed
  • A security system discovers a new threat

How does it help?

Pen testing offers the following benefits:

  • Financial Damage Protection – A single security breach can cause millions of dollars of damage. Pen testing can prevent the organisation from suffering the same.
  • Customer Protection – A breach of customer data can damage the reputation of the company and also lead to financial damages. Pen testing helps ensure customer data remains intact.
  • Enhancement of the Management System – It provides qualitative and quantitative evidence of the current security posture for management. In addition, it categorises the vulnerabilities found by severity, so that executives can manage the security system by allocating security resources accordingly.
  • Avoiding Fines– Pen testing supports compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR).

For complete peace of mind, use Protectera’s skilled penetration testers to perform an in-depth security assessment of your systems or applications. Reach us at contact@protectera.com.au


Security Awareness is key to Cybersecurity behaviour change – What it is and its benefits

Nowadays all our business activities are online. We work, communicate, and interact online, and our reliance on cyber security has increased accordingly. The increased use of the internet and mobile usage gives cybercriminals even more opportunities to exploit our vulnerabilities.

What Is Cyber Security Awareness?
The weakest link in any organization’s digital security system is human beings. People make mistakes, forget things, or fall for fraudulent practices. That’s where cyber security awareness comes in. This involves educating employees on the different cyber security risks and threats. Employees must learn the best practices and procedures for keeping networks and data secure. By making employees aware of the scope of the threats and what’s at stake if security fails, cyber security specialists can shore up this potential vulnerability.

What Are the Benefits of Cyber Security Awareness Training?

  • A well-trained staff poses less of a risk to the overall security of an organization’s network.
  • There is a reduction in financial losses due to cyber-crime. Therefore, a company that allocates funds for cyber security awareness training for employees will experience a return on that investment.
  • If all employees get training in cyber security practices, there will be less likelihood of lapses in protection should someone leave the company. The chances that a security breach will occur because a critical employee wasn’t at work that day gets drastically reduced.
  • A company with security-aware personnel will have a better reputation with consumers. A business that is repeatedly subject to security breaches will lose customers as a result of negative publicity.

Our partner KnowBe4 is the world’s largest integrated platform for security awareness training combined with simulated phishing attacks. They were named a leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2020 Report. For more information get in touch with us at contact@protectera.com.au


The rise of Artificial Intelligence and its impact on Cybersecurity products and services

We live in an increasingly digitised world. The security and safety of our data have become paramount. With so much at risk of cyberattacks, we need technology that can keep up with the growing threat landscape.

This is where Artificial Intelligence (AI) comes into the picture. AI can help in the following areas:

  • Enhanced Threat Detection
    AI powered by sophisticated algorithms can detect malware and recognize patterns. It can detect even the subtlest behaviour of malware and ransomware attacks before they enter the system.
  • Improved Threat Hunting
    Applying automation to threat hunting enables faster response time and improved recommendations on response. This enables organizations to move from a reactive response to a more proactive one.
  • Detecting Phishing
    AI uses data analysis and machine learning to examine the content and context. It understands typical user behaviour and can identify potential threats and anomalies in emails.
  • Secure Authentication
    Whenever a user wants to log in to their account, AI can help secure the authentication. It employs tools like facial recognition, fingerprint scanners and CAPTCHA for identification. By using the information collected by these features it can detect whether a login attempt is genuine or not.

Our partner SentinelOne provides best-in-class automated real-time breach detection, prevention, and remediation. It was named as a Leader in Gartner’s 2021 Magic Quadrant for Endpoint Protection Platforms.

To bring the power of AI to your organization’s Cybersecurity arsenal contact Protectera today.


The best ways to protect your organisation against Business Email Compromise scams

How to protect against BEC attacks
In the last post, we discussed the different types of BEC scams. Now we will see ways to protect against them.

  • Being aware of common BEC attack scenarios
    Awareness of the types of BEC scams is the first step in building a defence against them. By knowing what to look out for, your workforce will not fall for such scams.
  • Cybersecurity Training
    Adequate cybersecurity training will help employees understand the risks and implications of these attacks and how to respond to them. Since BEC exploits human vulnerabilities, an effective training program should emphasize the role grooming plays in such attacks. Proper guidance in the use of IT controls can empower employees in making the best security decisions.
  • Using strong passwords and multi-factor authentication
    Businesses should have a policy requiring strong passwords and frequent changing of passwords. Multi-factor authentication can be implemented through an authentication app. Employees should understand and implement best practices for passwords.
  • Implementing a Multi-layered defence
    An effective BEC defence secures all channels that attackers exploit. These include corporate email, personal webmail, business partners’ email, cloud apps, your web domain, the web and users’ own behaviour. Also, robust email security, domain authentication, account protection, content inspection and user awareness must work together in a holistic fashion.
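The content inspection and domain authentication layers described in the last point can be illustrated with a small detection routine. This is an added example (not Protectera's or Proofpoint's code, and not a description of any product) that looks for the tells common to the CEO fraud, false-invoice and account-compromise scenarios from the earlier post on BEC types: an executive's display name on a message from outside the company, a Reply-To pointing somewhere other than the sender, a lookalike sender domain, a missing DMARC pass and urgent payment language. The company domain, executive names, sample messages and the threshold are all constructed for the demonstration.

```python
"""Added example: BEC indicator checks over constructed email messages."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                    # constructed
EXECUTIVES = {"Jane Doe", "John Roe"}             # constructed display names
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|bank details|urgent|asap)\b", re.I)

def lookalike(domain: str, legit: str) -> bool:
    """True if domain is one edit (substitution, insertion or deletion) away
    from the legitimate domain, e.g. examp1e.com vs example.com."""
    if domain == legit or abs(len(domain) - len(legit)) > 1:
        return False
    if len(domain) == len(legit):
        return sum(a != b for a, b in zip(domain, legit)) == 1
    longer, shorter = (domain, legit) if len(domain) > len(legit) else (legit, domain)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def bec_indicators(raw: str) -> list:
    """Return the list of BEC tells present in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    indicators = []
    if name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        indicators.append("executive display name on external sender")
    if lookalike(from_domain, COMPANY_DOMAIN):
        indicators.append(f"lookalike sender domain {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("reply-to domain differs from sender domain")
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        indicators.append("no DMARC pass")
    if PAYMENT_WORDS.search(msg.get_payload()):
        indicators.append("payment or urgency language")
    return indicators

def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Illustrative threshold: two or more tells routes the message for review."""
    return len(bec_indicators(raw)) >= threshold

# Constructed sample messages (all names and domains made up).
CEO_FRAUD = """\
From: Jane Doe <jane.doe@webmail.example.net>
To: accounts@example.com
Reply-To: Jane Doe <ceo.office@accounts.example.org>
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail.example.net; dmarc=none

Are you at your desk? I need an urgent wire transfer to a new supplier before close of business.
"""

FALSE_INVOICE = """\
From: Supplier Billing <billing@examp1e.com>
To: accounts@example.com
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=examp1e.com

Please note our bank details have changed. Settle the attached invoice to the new account.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: all-staff@example.com
Subject: Town hall on Thursday
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com

Reminder that the town hall is at 10am Thursday in the main meeting room.
"""

if __name__ == "__main__":
    for label, sample in (("ceo fraud", CEO_FRAUD), ("false invoice", FALSE_INVOICE), ("legit", LEGIT)):
        print(label, is_suspicious(sample), bec_indicators(sample))
```

Note that the false-invoice sample passes DMARC: the attacker controls the lookalike domain and can authenticate it correctly, which is why domain authentication alone is not enough and the lookalike and content checks have to work alongside it, as the post says.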

Our partner Proofpoint provides you with an end-to-end, integrated solution to combat business email compromise (BEC). You can reach us at contact@protectera.com.au


Endpoint Security and its increasing importance in the age of remote work

What is it?
Gartner defines an endpoint protection platform (EPP) as a solution used to “prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.” Endpoint security is all about defending endpoints from malicious activity.

What is an endpoint?
Any physical device that can be connected to a network is an endpoint. Some examples are desktops, laptops, mobile phones, tablets, Internet of Things (IoT) devices, servers, point-of-sale (POS) systems, switches, digital printers, cameras, appliances, smart watches, health trackers and navigation systems.

Why have an Endpoint Security Strategy?
With the pandemic leading to a shift to remote work, the number of endpoints is only increasing. And every endpoint can be an entry point for a cyberattack. This makes it vital to have an endpoint security strategy in place.

Endpoint Protection Approaches
An endpoint protection solution offers a centralized management console from which administrators can connect to their enterprise network. With this they can monitor, protect, investigate and respond to incidents. The following are the approaches that can be taken:

  • On-premise – This is the traditional approach. It relies on a locally hosted data centre from which security is delivered. The data centre acts as the hub for the management console, which reaches out to the endpoints through an agent to provide security. This approach is not very efficient, since administrators can only manage endpoints within their perimeter.
  • Hybrid – The limitations of the on-premise approach have led some vendors to take a hybrid approach. They do this by taking a legacy architecture design and retrofitting it for the cloud, thus gaining some cloud capabilities.
  • Cloud-native– This solution is built in and for the cloud. The centralized management console lives in the cloud and connects to devices remotely through an agent on the endpoint. The agent can provide security for the endpoint even in the event of no internet connectivity. By leveraging cloud controls and policies this approach maximizes security performance.

To build your Endpoint security strategy, get in touch with us at contact@protectera.com.au
