Lame names for Cybercriminals

Sometimes I think my cybersecurity colleagues believe they are living in a spy novel. I mean, we are all guilty of trying to make our day jobs sound more interesting or trying to make them sound more ‘sexy’, but this industry in particular takes the cake. Even the name “cybersecurity” is like “oooh, I work in a William Gibson novel!” Though we can’t fault someone trying to make their job sound better than “security guard at an online shopping mall”.

Are the latest cyber attacks just fuelling the new buzz on security?

Stop, drop, and roll, is everything on fire?

Now that the media hysteria has abated on the topic of DDoS, it seems timely for us to provide some commentary on this long-standing topic from the perspective of security professionals.

The recent Distributed Denial of Service (DDoS) attacks on NZX, Stuff, RNZ, and many more have had the media bombarding us with updates and semi-new information aimed at keeping us, the general public, informed. Articles on RNZ, Stuff, and NZHerald provide similar information on the attack.

There is no denying that the threat of sophisticated cyber-attacks is real, and while raising awareness about what is currently happening is a good thing, doing so without care may not be helpful.


The security that dare not speak its name

There is a debate at work about what to call what we do. Actually, it’s not really a debate, more sort of a code of silence, or an agreement not to mention the subject in polite company lest it offend. When the subject comes up there is a sort of shuffling of feet, nervous laughter, “ahem”s and a subject quickly changed. But in Axenic’s spirit of transparency let’s get this out in the open: is what we do information security or cybersecurity? Certain people (I’m not naming names but they have numbered among our more beardy team members) have had such strong views that even using the word “cyber” at work is like a red rag to a bull. Actually, while I’m being honest, I have to admit that even though I am amongst the least hirsute of our team, I had strong leanings that way.


The top 5 ways to get the most out of your next security audit

Over the past few years, I’ve led and been involved in many security audits on both sides of the table, which has helped me develop some insights worth sharing. Sometimes these auditing engagements are seen as something to just get through; however, there were a few organisations which really made the most of the exercise and applied the impartial information learned to gain a more accurate understanding of their real risk exposure. After all, that is the primary reason for performing these assurance activities, isn’t it? To ensure the implementation of the most relevant controls, for managing the highest rated risks, occurs within resourcing and budgetary constraints.

So, how can you ensure your organisation gets the most out of its next security audit? Here are my top 5 recommendations:

Rogue Azure Apps

We’ve been seeing a bit of a buzz in the technical security press about a new method of phishing that bypasses many key security controls. Using a rogue Azure app, the attacker tricks the user into granting the app permissions to access their Office 365 email account and all of the information associated with it. Patrick Gray at Risky Business has been writing and talking up a storm on this one, and we believe that he is right to do so. In fact, we thought this was interesting and scary enough to let you know so you can understand what’s going on and maybe do something to prevent it.