CyberCX Security Report | December 2020
There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
New rules for financial sector
The Australian Prudential Regulation Authority (APRA) is launching a new effort to consolidate and strengthen the cyber resilience of the financial sector.
Whilst Australia’s financial sector has a strong track record in securing critical systems and data, APRA believes the institutions it regulates, including banks, insurers and superannuation funds, together with their third-party suppliers, can do more to embed that resilience.
The introduction of APRA’s cyber security standard, CPS 234, has significantly contributed to the sector’s strong approach to cyber risk management. However, the regulator believes some boards may still lack visibility or sufficient understanding of cyber risk. Furthermore, some organisations’ internal teams may lack the necessary specialist skills.
To address these concerns, APRA has unveiled its Cyber Security Strategy for 2020 to 2024, under which it will take a more formal approach to verifying that CPS 234 is fully implemented, and may hold boards accountable where it is not. Part of this approach is APRA requesting independent cyber security reviews across all the industries it regulates: from 2021, boards will be required to engage an external auditor to review CPS 234 compliance and report the findings to both the board and APRA.
If boards are unwilling or unable to make the required cyber security enhancements in a timely manner, the regulator will consider using formal enforcement action.
Importantly, the new strategy takes a broader approach by recognising the critical role third-party suppliers and providers play in the industry’s integrity. The financial system’s cyber resilience is only as strong as “the weakest link in the chain,” according to APRA Executive Board Member, Geoff Summerhayes.
For comprehensive CPS 234 consulting services that help ensure your financial organisation is fully compliant, contact CyberCX. Our team of CPS 234 specialists will guide you through all the requirements so you can demonstrate alignment with this important cyber security standard.
Don’t neglect physical security
Wi-Fi is essential to most workplaces. Securing the wireless network helps organisations protect customer and commercial information, personal data and business assets.
Wireless network penetration testing is an important security activity many organisations undertake to ensure their Wi-Fi systems are protected. However, just as important in any risk management framework is the physical security of the premises.
Comprehensive physical security controls help prevent interception (“man-in-the-middle”) attacks in which a rogue access point or wireless sniffing device is brought onto the premises and used to capture the traffic of staff and visitors who legitimately connect to the organisation’s Wi-Fi network.
CyberCX’s Security Testing and Assurance team regularly conducts physical environment penetration testing. By undertaking this activity, organisations can implement measures that help strengthen their physical security by preventing unauthorised entry, which in turn helps mitigate the risk of Wi-Fi monitoring.
Our team will analyse access points and recommend remediations to ensure only authorised individuals are able to access your premises. Contact CyberCX to learn how your organisation can incorporate physical environment penetration testing within your overall risk management approach.
Securing your search engine ranking
Websites are critical business assets, and many organisations invest years in improving their search engine rankings to drive traffic to them. The security of the platform a site runs on therefore matters, and for a large share of sites that platform is the WordPress content management system (CMS).
Activities such as web application penetration testing and secure code review help protect WordPress sites from a range of risks.
In a recent case, the code of a WordPress site was modified so that its traffic was redirected to a server hosting fake e-commerce sites. As a consequence, the site’s strong search engine ranking was undermined, and business opportunities were lost.
It is thought such tactics may be used to extract a ransom in exchange for restoring the site’s search ranking.
For any organisation running its website on WordPress, strong authentication controls are essential. Every account with access to the WordPress administration console (wp-admin) should use a strong passphrase and, preferably, multi-factor authentication (MFA).
You can further strengthen the site by conducting regular web application penetration testing and secure code reviews. These activities should form part of a broader risk management approach and help you close the weaknesses through which attackers breach a site or insert malicious code.
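The following is an added example (not code from the original article, from CyberCX, or from WordPress) of one practical check for the kind of tampering described above: a file-integrity baseline of the site’s document root, with a follow-up scan of any changed PHP, JavaScript or HTML file for the markers that injected redirect code usually carries. The site tree, its file contents and the “injected” lines are all constructed for the demo; the paths, the regex patterns and the demo() helper are assumptions, not anything from the page.

```python
"""Baseline-and-compare file-integrity check for a WordPress document root.

Added example, not code from the original page or from WordPress itself. It
records a SHA-256 hash of every file under the site root, compares a later
snapshot against that baseline to list modified, added and removed files, and
then scans the changed PHP/JS/HTML files for markers commonly seen in injected
redirect code. demo() builds a small, constructed site tree in a temporary
directory, so the script runs offline with no real WordPress install.
"""
import hashlib
import os
import re
import tempfile

# Assumed markers. Legitimate themes can match some of these, so a hit means
# "review this file", not "this file is malicious".
REDIRECT_MARKERS = [
    re.compile(r'header\s*\(\s*["\']Location:', re.I),       # PHP server-side redirect
    re.compile(r'window\.location(?:\.href)?\s*=', re.I),    # JS client-side redirect
    re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I),  # obfuscated loader
    re.compile(r'<meta[^>]+http-equiv=["\']refresh', re.I),  # HTML meta refresh
]
SCANNED_SUFFIXES = ('.php', '.js', '.html', '.htm')


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of modified, added and removed paths."""
    return {
        'modified': sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        'added': sorted(p for p in current if p not in baseline),
        'removed': sorted(p for p in baseline if p not in current),
    }


def find_redirect_markers(text):
    """Return the patterns (as strings) that match the given file contents."""
    return [m.pattern for m in REDIRECT_MARKERS if m.search(text)]


def audit(root, baseline):
    """Compare the live tree to the baseline and triage the changed web files."""
    diff = compare_manifests(baseline, build_manifest(root))
    suspicious = {}
    for rel in diff['modified'] + diff['added']:
        if rel.lower().endswith(SCANNED_SUFFIXES):
            with open(os.path.join(root, rel), encoding='utf-8', errors='replace') as fh:
                hits = find_redirect_markers(fh.read())
            if hits:
                suspicious[rel] = hits
    return diff, suspicious


def _write(root, rel, text, mode='w'):
    """Helper for the constructed demo tree: write (or append to) a file under root."""
    full = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode, encoding='utf-8') as fh:
        fh.write(text)


def demo():
    """Constructed site: take a baseline, tamper with it, then audit."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, 'index.php', "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n")
        _write(root, 'wp-config.php', "<?php\ndefine('DB_NAME', 'wordpress');\n")
        _write(root, 'wp-includes/functions.php', "<?php\nfunction wp_example() { return 1; }\n")
        baseline = build_manifest(root)

        # Simulated compromise: a redirect appended to index.php and a dropped loader.
        _write(root, 'index.php', '<?php header("Location: https://shop.example.invalid/"); exit; ?>\n', mode='a')
        _write(root, 'wp-content/uploads/.cache.php', "<?php eval(base64_decode('aGVsbG8='));\n")
        return audit(root, baseline)


if __name__ == '__main__':
    changes, flagged = demo()
    print('changes:', changes)
    print('flagged:', flagged)
```

Take the baseline immediately after a clean install or update and store it off the web server, then run the audit on a schedule. WordPress core files can also be compared against the checksums of the official release, but themes, plugins and uploads can only be checked against your own baseline, which is why the audit reports every change rather than only changes to core.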
Speak to the CyberCX team to learn how our approach to application security can help your organisation protect this critical asset.
API security for AWS users
Even as cyber defences become more sophisticated, individuals with high-level privileges to specific systems need to be cautious that their publicly available information is not putting them at risk.
Intelligence-gathering on individuals can take many forms. A recent report revealed that more than twenty Amazon Web Services (AWS) APIs can be abused to reveal the names of IAM users and roles in an organisation’s account, and with them the identities of specific individuals.
All an attacker needs is the organisation’s 12-digit AWS account ID, which is often publicly available. The technique abuses the way AWS validates resource-based policies: in their own account the attacker writes a policy (for example on an S3 bucket) that grants access to a guessed principal in the target account, such as arn:aws:iam::123456789012:role/Admin. AWS rejects the policy if that principal does not exist and accepts it if it does, so names can be confirmed one guess at a time, and because the API calls are made in the attacker’s account, nothing appears in the target’s CloudTrail logs.
Once the users and roles in the account are mapped, any misconfigured role can be identified and exploited, or the person behind a named user can be targeted with spear phishing.
The affected services include Amazon Simple Storage Service (S3), AWS Key Management Service (KMS) and Amazon Simple Queue Service (SQS).
To limit this exposure, sound Identity and Access Management (IDAM) practice is essential. Give consideration to:
1. Removing inactive IAM users and roles, so there are fewer principals to discover.
2. Adding a random string to user and role names to make them harder to guess.
3. Requiring strong authentication, including MFA, before new users are given access.
4. Logging and monitoring all authentication activity in the account.
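As an added example (not from the original article, CyberCX or AWS) of recommendations 1 and 3 above, the script below reads an IAM credential report and reports users with no console or access-key activity in the last 90 days, together with console users who have no MFA. The report layout and its N/A, no_information and not_supported sentinels are the ones AWS documents; the users, dates and account ID in SAMPLE_REPORT are constructed, and the AS_OF date, the 90-day threshold and the demo() helper are assumptions.

```python
"""Flag stale and weakly authenticated IAM users from an AWS credential report.

Added example, not from the original page or from AWS. It parses the CSV that
`aws iam get-credential-report` returns (base64-encoded in its Content field),
using the documented column names and sentinel values, then reports users whose
last console or access-key activity is older than a threshold and console users
without MFA. SAMPLE_REPORT is a constructed report with fictitious users and a
fictitious account ID. The credential report covers IAM users only; apply the
same idle test to roles using the RoleLastUsed data from `aws iam get-role`.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2018-01-10T09:00:00+00:00,not_supported,2020-11-20T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-03-01T09:00:00+00:00,true,2020-12-01T08:15:00+00:00,2020-09-01T09:00:00+00:00,2020-12-01T09:00:00+00:00,true,true,2020-09-01T09:00:00+00:00,2020-12-02T11:40:00+00:00,ap-southeast-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob-contractor,arn:aws:iam::123456789012:user/bob-contractor,2019-06-15T09:00:00+00:00,true,2020-05-02T13:00:00+00:00,2019-06-15T09:00:00+00:00,2019-09-13T09:00:00+00:00,false,true,2019-06-15T09:00:00+00:00,2020-04-30T07:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-02-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference date so the demo is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2020, 12, 15, tzinfo=timezone.utc)
SENTINELS = {'N/A', 'no_information', 'not_supported', ''}
ACTIVITY_COLUMNS = ('password_last_used', 'access_key_1_last_used_date', 'access_key_2_last_used_date')


def parse_ts(value):
    """Return an aware datetime, or None for the report's sentinel values."""
    if value in SENTINELS:
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent console login or access-key use, or None if never seen."""
    stamps = [parse_ts(row[col]) for col in ACTIVITY_COLUMNS]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def audit_credential_report(report_csv, as_of, max_idle_days=90):
    """Return users idle longer than max_idle_days and console users lacking MFA."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = {'inactive': [], 'no_mfa': []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row['user']
        if row['password_enabled'] == 'true' and row['mfa_active'] == 'false':
            findings['no_mfa'].append(name)
        if name == '<root_account>':
            continue  # root cannot be removed; it is covered by the MFA check only
        seen = last_activity(row)
        # A user that has never signed in is judged by how long ago it was created.
        idle_since = seen if seen is not None else parse_ts(row['user_creation_time'])
        if idle_since is not None and idle_since < cutoff:
            findings['inactive'].append(name)
    return findings


def demo():
    """Run the audit over the constructed report at the fixed reference date."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == '__main__':
    for category, users in demo().items():
        print(f'{category}: {", ".join(users) or "none"}')
```

In production, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report` and base64-decode the Content field before passing it in. Treat a hit as a prompt to confirm with the owner before deleting: a break-glass user may legitimately show no activity for months, and the right fix for it is MFA and monitoring rather than removal.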
Furthermore, web services penetration testing can help mitigate the risks to APIs in your environment. Speak to CyberCX to learn how both IDAM and web services penetration testing can form part of your risk management approach and strengthen your cyber resilience.