2022 Australian Women in Security Awards

ISD Cyber is very excited to share that we have received multiple nominations in the 2022 Australian Women in Security Awards.

“Best Place to Work for Women in Security”

ISD Cyber has been nominated as the “Best Place to Work for Women in Security”. This award recognises organisations that foster a supportive and empowering environment for women in the workplace where all employees are treated equally.

As an intentionally diverse organisation, with over 50% of our team identifying as women, we are delighted to be nominated for an award that recognises our desire to create an inclusive workplace.

We are also very excited to have four of our talented consultants nominated across two award categories.

“Australia’s Most Outstanding Woman in IT Security”

Patricia is a Senior Consultant in our advisory department. She has been an integral part of our team for almost two years. She is a vibrant individual who lights up any room; she has provided support to everyone across the company while leading with her skills across a range of areas.

“The One to Watch in IT Security”

Sapna has quickly gained momentum in her career and is now a Senior Consultant working within our technical team. She is a great inspiration to those around her, our architecture connoisseur and certainly one to watch!

Laura and Anita have both joined us from another industry and have developed a passion for the diversity and complexity that is “Cyber Security”. They have hit the ground running, with the naturally ingrained skillsets that will make them a force to be reckoned with.

You can find more information about the awards and a full list of nominations on their website: https://womeninsecurityawards.com.au/

Best of luck, team!

Three Steps to Building Cyber Resiliency

This blog covers how you may improve your “Ability to Anticipate” cyber security risk events, thereby building a proactive cyber resiliency program for your organisation.

The aim of this blog is to not only educate, but to trigger questions that will empower you to challenge your current approach to cyber security.

Step 1 – How are you vulnerable to attack?

Do you understand how your organisation may be exposed to cyber security risks? How are you vulnerable?

These are unique and are likely to be down to company characteristics such as:

  • The industry that you are in
  • Your customer base
  • The type of software that you rely upon
  • The number of legacy systems still in use
  • Dependency on data accuracy
  • Dependency on the world-wide web.

Do a quick evaluation and highlight the potential areas of your business that may be exposed.

Step 2 – Threat Profiling/Cause Analysis

Based on your unique situation, (i.e., industry, business activities and location) which threats are most likely to occur?

Do you have a clear indication of what may expose your vulnerabilities? i.e., what series of events may occur that lead to a risk occurrence?

By understanding what may cause a risk to occur you will be in a far better position to be able to identify key risk indicators (KRIs) and anticipate its occurrence.

Step 3 – Developing Intelligence

Effective KRIs should be:

  • Measurable (e.g., quantifiable in a number, count, percentage)
  • Predictable (to provide early warning signals)
  • Comparable (enable trends to be tracked over time)
  • Informational (to help measure the status of a risk and control).

KRIs can be both leading and lagging:

  • Leading KRIs are measures that can help to forecast future occurrences. 
  • Lagging KRIs are metrics based on historical measures.

Don’t forget to set thresholds for your KRIs: at what point do you want to act to prevent a risk occurrence?

What alerts or processes are readily available or can be put into place to act as your cyber security KRIs?

These KRIs will vary depending on the tools and resources you have available as well as your budget. They may also be a mix of automated system alerts through to physical spot checks (such as penetration tests). 

Keep an eye on the news, technical papers and surveys that indicate a change in the threat landscape. These are examples of Leading KRIs. For example:

  • Is there an increased exposure to fire, flood or storm events that may impact your essential services (electricity/aircon/fuel)? From a cyber security perspective, these may be triggers that impact IT system availability.
  • Is your industry being targeted? i.e., are we seeing increased cyber-attacks on a sector?
  • Are the technical solutions you rely upon being targeted or ageing?
  • Have there been any realised risks within other organisations? What happened (cause)? How did they respond? How did it impact them? Could it happen to you?
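The following is an added example, not part of the original blog, showing how the Step 3 ideas can be made concrete: a KRI is measurable, is comparable over time (a trend), and has a threshold at which you act. It derives one KRI (failed logins per month) from constructed authentication log lines, takes the others (unpatched internet-facing systems, phishing simulation click rate, confirmed incidents) as constructed monthly series, and labels each as leading or lagging. All names, thresholds and sample values are assumptions chosen for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean

# Constructed authentication log lines (not real data): ISO timestamp, result, user, source.
SAMPLE_AUTH_LOG = """\
2022-01-04T08:12:01Z LOGIN_FAILED user=alice src=10.0.0.5
2022-01-19T22:40:17Z LOGIN_OK user=bob src=10.0.0.9
2022-02-02T03:15:44Z LOGIN_FAILED user=admin src=203.0.113.7
2022-02-02T03:15:51Z LOGIN_FAILED user=admin src=203.0.113.7
2022-02-11T09:01:00Z LOGIN_OK user=alice src=10.0.0.5
2022-03-07T01:22:09Z LOGIN_FAILED user=root src=198.51.100.3
2022-03-07T01:22:15Z LOGIN_FAILED user=root src=198.51.100.3
2022-03-07T01:22:21Z LOGIN_FAILED user=root src=198.51.100.3
2022-03-08T01:30:02Z LOGIN_FAILED user=backup src=198.51.100.3
2022-03-21T14:05:33Z LOGIN_OK user=bob src=10.0.0.9
"""

LOG_RE = re.compile(r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ (?P<result>LOGIN_\w+) ")


def failed_logins_per_month(log_text):
    """Turn raw log lines into a measurable monthly series (oldest first) of failed logins."""
    counts = Counter()
    months = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        months.add(m["month"])
        if m["result"] == "LOGIN_FAILED":
            counts[m["month"]] += 1
    return [counts[month] for month in sorted(months)]


@dataclass(frozen=True)
class KRI:
    name: str
    kind: str         # "leading" (forecasts future occurrences) or "lagging" (historical)
    threshold: float  # value at or above which the KRI is breached and action is due


# Constructed monthly series, oldest first (assumed values for illustration only).
SAMPLE_SERIES = {
    "unpatched_internet_facing_pct": [4.0, 6.5, 9.0, 12.5],
    "phishing_click_rate_pct": [11.0, 9.5, 8.0, 7.5],
    "confirmed_incidents_count": [1, 0, 2, 3],
}

KRIS = [
    KRI("unpatched_internet_facing_pct", "leading", 10.0),
    KRI("phishing_click_rate_pct", "leading", 10.0),
    KRI("failed_logins_count", "leading", 5),   # rising failures can precede a compromise
    KRI("confirmed_incidents_count", "lagging", 3),
]


def trend(series):
    """Compare the latest value with the mean of earlier values: 'rising', 'falling' or 'stable'."""
    if len(series) < 2:
        return "stable"
    baseline = mean(series[:-1])
    latest = series[-1]
    if latest > baseline * 1.1:
        return "rising"
    if latest < baseline * 0.9:
        return "falling"
    return "stable"


def evaluate(kri, series):
    """Score one KRI against its threshold, using the trend as the early-warning signal."""
    latest = series[-1]
    direction = trend(series)
    if latest >= kri.threshold:
        status = "breach"    # threshold reached: act now
    elif latest >= 0.8 * kri.threshold or direction == "rising":
        status = "warning"   # approaching the threshold, or heading towards it
    else:
        status = "ok"
    return {"name": kri.name, "kind": kri.kind, "latest": latest,
            "threshold": kri.threshold, "trend": direction, "status": status}


def evaluate_all(kris=KRIS, observed=None):
    """Evaluate every KRI; by default uses the constructed series plus the log-derived one."""
    if observed is None:
        observed = {**SAMPLE_SERIES,
                    "failed_logins_count": failed_logins_per_month(SAMPLE_AUTH_LOG)}
    return [evaluate(k, observed[k.name]) for k in kris]


def breached(results):
    """Names of KRIs whose threshold has been reached."""
    return [r["name"] for r in results if r["status"] == "breach"]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['name']:<32} {r['kind']:<8} latest={r['latest']:<6} "
              f"threshold={r['threshold']:<5} trend={r['trend']:<8} {r['status']}")
```

The "warning" status is where the leading value of a KRI comes from: the failed-login series has not reached its threshold, but it is rising month on month, so the report flags it before the threshold is crossed. The lagging incident count, by contrast, only tells you what has already happened.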

How ISD Cyber can help

If you’re unsure where to start, we can help you to define your cyber security risks and KRIs.

ISD Cyber provides tailored solutions that will help you to build a Strategic approach to cyber security and help you to Optimise existing capabilities, and Remediate gaps in control effectiveness and efficiency.

Contact us today at enquiries@ISDCyber.com.

Risk Management: A Tool for Resilience in a Hybrid World

In 2020 businesses surged into online workspaces as we battled the rise of COVID-19. The shift to remote work enabled business continuity across the globe; however, it soon opened up gaps and exposed many companies to social engineering attacks while they and their staff were adjusting to the change. One such example was Twitter.

In 2020 Twitter experienced a social engineering attack where a large number of high-profile accounts were accessed, and a bitcoin scam was posted by these accounts. Forty-five accounts including those of Elon Musk, Bill Gates and Kanye West were used in the scam.

To gain access to Twitter’s system, the attackers pretended to be members of the IT team and called remote workers claiming there was a VPN issue. The VPN Twitter used for staff working from home had consistently experienced issues that required IT support, so the pretext was believable. The employees were directed to an identical phishing site, where the attackers were able to see and use the staff credentials to log in to the real site. As they were logging in at the same time as the employee, the multi-factor authentication notifications were approved by the employees. Through this, the attackers were able to access numerous Twitter accounts, from which they asked followers to purchase Bitcoin through the shared link.

Twitter users purchased over US$118,000 in bitcoin through the links. The team of attackers were also able to download personal data from many of the compromised accounts. The bitcoin could not be tracked, so the transactions could not be reversed, resulting in losses to the affected users.

Twitter shares dropped 3.8% following the attack and they temporarily blocked verified accounts for two hours whilst they investigated the event.

Twitter only became aware of the unauthorised access when it was clear that multiple high-profile accounts were posting the Bitcoin scam. Following the event, they made improvements to their security, including hiring a CISO, improving multi-factor authentication, conducting cyber awareness training, and implementing additional information security controls.

The exploitation Twitter experienced is a fantastic reminder that cyber events don’t just come from malware or advanced hacking techniques; this was a relatively simple social engineering attack exploiting the confusion created by a change in business operations.

Twitter, and many more companies like them, made very quick changes to business operations and had to do so with little risk evaluation [we may assume] of how a risk event may play out or be amplified by that change.

A lesson to us all: the continuity strategies and tools within our incident response plans should emphasise the importance of risk assessments, even a quick checkbox asking whether decision [x] will increase the likelihood of or exposure to [y], or whether this decision will introduce new risks to our environment.

Risk management is at the heart of business continuity and is a vital tool to support resiliency. We need to react quickly to survive, but we must always keep a finger on the pulse in terms of risk, so we do not continue to suffer one event after another, or worse still suffer many at the same time!

We cannot foresee every possible event before it occurs, but a little pre-planning that provides the tools to enhance rapid decision making is invaluable.

How ISD Cyber can help

ISD Cyber assists many organisations in developing business continuity strategies to enhance their existing systems and planning.

We can work with you to refine your plans, enhance team capability and understanding of their roles and responsibilities through training and we can facilitate exercises to challenge the assumptions within your plans and strategies.

Contact us today on enquiries@isdcyber.com for further information about risk management and what it means to your business.

Business Resilience: Taking the Positives from COVID-19

We have to admit, March 2020 was pretty intimidating! It [Covid] impacted all of us in many ways. Businesses took a while to respond while we figured out the full extent of the risk to our daily interactions on a personal and business level. Many didn’t consider pandemics within their planning, unless they were in sectors such as Health or had a global presence, but even then the scenarios that played out couldn’t be foreseen.

That aside, many of us ‘simply’ had to make a decision. Many were very quick to respond in a positive way regardless of whether there were plans or not. We embraced working from home, procured new assets, and some even changed their business model to accommodate the new mandates, some of which have been permanent changes for the better!

We evolved to thinking far more about our staff and customer engagement models. Organisations closely examined the customer buying experience, focusing on touchpoints and physical interaction with the organisation. This meant rethinking shop and facility access, enhancement of digital channels, social distancing measures, updating customer experience communication, and a redefined brand strategy.

These are things that, in the past, would have taken months if not years to come to fruition, and yet we found ourselves able to almost turn on a dime and facilitate change, without all the red tape! That has to be a win.

This is the essence of resiliency: having the ability to anticipate, respond to and recover from a business disruptive event, and adapting to survive, to maintain the integrity of the business and continue to provide goods and services.

There’s always a fallout from reacting so quickly. We see that a lot in managing IT incidents: sometimes you just have to get hands-on to get systems functioning again, and then facilitate retrospective risk assessments to manage any new gaps or vulnerabilities exposed by the rapid change.

With change comes risk. Do you know what new risks you introduced in responding to your Covid strategies that you may not have thought about yet? How have you changed existing risks? Remember, these can be both positive and negative impacts on the business.

If you haven’t yet reviewed your risk register in light of business change, you’ll get a lot from the exercise.

About the Author

Yvonne Sears MSc, LLM, CIPM, CISM, PICIP, MBCI  

Yvonne has over 22 years’ experience in information security and privacy in the UK and Australia. She is uniquely qualified, having both a Master’s in Information Security and Computer Crime and a Master’s in Information Law (covering Data Protection, Freedom of Information and Copyright Law).

She has worked on several trailblazing projects leading the way on data sharing and privacy issues in sensitive and complex areas, and has worked for a wide variety of public and private sector organisations worldwide.

She has contributed at industry events as a speaker and has contributed to several publications including ISACA’s Privacy book: “Implementing a Privacy Protection Program” (2017) and “Women in the Security Profession” (2016). 

Embracing Risk Management

Organisations essentially exist to produce a product or deliver a service along with a strategy or a set of goals to support that product or service.

Risk management is an organisational discipline that, when combined with strategic planning, ensures risks that negatively impact the organisation’s ability to achieve its goals are identified, analysed and responded to in an appropriate way. Some questions to test how well your organisation has embraced it:

  • Do senior leaders in your organisation seek out risk management insights to improve performance (not just manage the risk of non-compliance)?
  • Is robust and realistic scenario analysis a primary technique in your risk identification approach? Tip: If you are not using the COBIT 5 risk scenarios, consider looking at them and try to incorporate them into your risk identification process.
  • Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation, and operations, along with steps to proactively manage them?
  • When conducting an RCSA (Risk and Control Self Assessment), is the interviewee or survey participant asked about their concerns (that might not be part of the RCSA)?
  • Does the organisation align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Tip: Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk!
  • Does the organisation actively refine control objectives and the associated controls to make them simpler to save time and cost in design, implementation, use and monitoring?

Risk management is an ongoing organisational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realised risk (incident) or near miss event. Risk and control self-assessments are but one tool in the risk management tool kit. Make sure your RCSAs are robust enough to add value to the risk management process.


Business Continuity Management (BCM): Privacy by Design

Bridging the gap between this year’s Privacy Awareness Week, “Trust and Transparency”, and Business Continuity Awareness Week, “Building Resilience in the Hybrid World” (next week), this blog considers how the two disciplines overlap.

To ensure ongoing compliance with the Privacy Act (the Act) while in the throes of a business disruptive event, your business continuity strategies must consider the protection of personal data ‘by design’, so that the organisation can maintain the confidentiality, integrity and availability of such data and demonstrate that ‘appropriate’ security controls have been applied.

Over and above the Notifiable Data Breach event management and communications, Continuity Strategies should consider how to:

  • Prevent loss or damage to personal data
  • Maintain true and accurate records during and after an event
  • Ensure access continues for those who ‘need to know’
  • Comply with the principles of the Act where manual processing is a workaround strategy for lost / unavailable technology: How do you prevent loss of confidentiality/integrity/availability of manual records during the event?
  • Maintain access to personal data
  • Evaluate the impact on individuals if products / services are not available when required
  • Consider how a business disruptive event may impact individuals
  • Keep individuals informed as to when services can resume
  • Manage a data breach during a business disruptive event: What are the constraints / issues / concerns in meeting the reporting requirements?

Additional processes to consider may include:

  • How you manage the Employee Call Tree
  • Physical relocation (of people and assets) including how you manage increased sharing of data across various platforms, or even removing assets from one office location to another / WFH
  • Maintaining data integrity and confidentiality within your workarounds e.g., when moving to manual processing
  • Resumption and recovery of services after an event, e.g., do you retain the manual forms? If so, how, where and for how long? If not, how do you dispose of them?

ISD Cyber can help you build and maintain appropriate business continuity and privacy strategies, ensuring that you do not compromise the trust of your staff and clients during your most vulnerable times.

Trust and Transparency

Good privacy management enhances trust in your brand in the eyes of your customers. It can help you stand head and shoulders above the competition if you respect the rights of the individuals you serve by simply respecting their needs and expectations for privacy. This year’s theme for Privacy Awareness Week (PAW), Privacy: The Foundation of Trust, reminds us that privacy is a right, and we should always be able to trust those who hold our personal information.

To build trust, you need to become transparent about the information you collect and have a clearly defined purpose for which it is needed. Not only does that ensure you only collect the absolute minimum needed to provide a product or service, you are also demonstrating respect for that individual by not taking more than is necessary. This also limits the harm to an individual if you are unlucky enough to suffer a data breach.

Regulations worldwide are changing for the better and giving ownership of personal data back to the individuals. They have a right to question how much you need, how long you keep it and who you give it to. Also, in light of some very significant data breaches that have caused harm to individuals, the onus is back on businesses to be open and transparent during a data breach so that individuals can be prepared and take the necessary action to prevent further harm.

We built our services in a way that enables organisations to become better at being “open and transparent”, to build “trust” and to help businesses of all sizes build appropriate strategies to prevent and respond efficiently to a data breach.

Nobody likes to spend money on compliance, so don’t think of it as compliance. Ask yourself: if my information were breached and I could have a heads-up, would I want to know? Of course, the answer is yes.

Start caring about the information you are merely the custodian of, because your customers trust you to do the right thing.

About the Author

Yvonne Sears MSc, LLM, CIPM, CISM, PCIP, MBCI 

Yvonne’s experience quantifies her as having one of the most credible voices in Privacy anywhere in the world. The multi-discipline qualifications, certifications and experience held by Yvonne are overwhelmingly impressive and you would be hard pushed to find anyone as qualified across the globe. 

Yvonne is a veteran of the Information Security, Risk/Governance and Business Continuity industries. Her passion is Privacy and Business Resilience, and she has spent the last 22 years working in Government, Corporate and Private industry across the globe, including the UK and Australia.

For recognition of her years of service, she has been awarded as an AISA Fellow and IAPP Fellow of Information Privacy. 

Yvonne has been a major contributor on several trailblazing privacy projects, some ongoing, in Australia and in the UK. The outcomes from these projects have proven to be globally significant and have paved the way on data sharing and privacy issues in sensitive and complex areas.

Privacy and Your Digital Footprint

Your digital footprint is an accumulation of all your online activity: publishing, commenting, sharing, browsing the internet, online shopping, sending emails, etc. Think of it like a physical footprint, an impression left in the sand or a track from walking through a puddle. It’s the same online.

The collection of this publicly available information is known as open-source intelligence (OSINT) gathering, and it’s paramount that businesses and their employees are aware of how this information can be used by social engineers and hackers.

OSINT techniques can be used to guess passwords and answer security questions to gain access to accounts and sensitive data. Whatever information you make available, think about whether it’s used in a password. Is your university public on your LinkedIn page? Is the university and graduation year a password? Is your degree the answer to a security question?

LinkedIn company pages and employee lists can be utilised for username enumeration with the aim of gaining a foothold into company networks or systems. It can be possible for social engineers to scout social media pages and feed the information through automated scripts to generate a list of potential passwords and link them to collected usernames.

With the advancement of machine learning, it can also be used to help break the veil of anonymity online. A disgruntled staff member may be slandering a company online using an anonymous/throwaway account. As more of an investigative tool, machine learning can be used to scan chunks of text for idiosyncrasies and writing style and compare them to legitimate accounts.

Nowadays, it’s rare to find someone with zero social media presence, since social media and the Internet have become such an integral part of our day-to-day lives. Remember, the next time you post a picture online, consider whether that information, and other hidden information, can be collected and used to gain access to your personal information.

Cleaning it Up

Unsubscribe from mailing lists: check what unnecessary email you’re receiving and unsubscribe if it comes from a mailing list; this reduces the number of places holding your address and the threats that come with unwanted subscriptions.

On social media: change your habits. Do you post images of your holiday while on your holiday? This tells criminals you’re not at home. Think about your posts: are you okay with anyone seeing any of your content?

Clear caches/cookies: cookies save your website activity for the next visit, so it’s important to clean them up every so often.

Adjust your privacy settings: this limits who can and can’t see your posts and activities on websites. Make sure to change them on all your social media platforms.

Curate your online presence: go back through your old accounts and delete whatever you no longer use. Is there an online store you haven’t bought from in years? Log back in and deactivate your account.

For further information, or if you have any questions about your privacy, contact ISD Cyber at enquiries@ISDCyber.com.

Welcome to Privacy Awareness Week (PAW)

Privacy Awareness Week (PAW) is a government initiative through the Office of the Australian Information Commissioner (OAIC), designed to support the public in keeping personal information safe. This can affect individuals, organisations and Governments alike.

This year’s theme, “Privacy: The Foundation of Trust”, reminds us that we have a right to keep our personal information secure and should have confidence that the information we share is kept secure by those who store it. The world is advancing technologically at a rapid rate, and much of our personal information is stored within organisations, devices, online services and cloud storage. How do we make sure this data stays safe, and why does it need to be?

PAW is about ensuring that everyone has the knowledge to be able to make safe decisions with their personal information.  

Reducing the opportunity for breaches of information privacy is imperative for businesses as we advance in the digital sphere.

An organisation’s privacy conduct can considerably affect the reputation of a company. Ensuring personal information is safe and secure will create trust with the greater public and make the business more dependable in their eyes. Breaches of information can reduce the trust an individual places in an organisation.

As we focus on information privacy over the course of the week, we will discuss good privacy practices, how and why you should manage your digital footprint, data breach notifications and we will introduce the latest about Australia’s privacy reforms.

For further information: Privacy Awareness Week – Home (oaic.gov.au)

International Women’s Day 2022: Break the Bias

“I don’t want to break the bias; I want to bulldoze it.”

On March 16th 2022, the team at ISD Cyber had the opportunity to attend the International Women’s Day breakfast. Hosted by Business Chicks, the event recognises and paves the way for the world to abolish the biases, discrimination and stereotypes women around the world face every day. It was an opportunity to hear and understand how women from all walks of life have experienced what it is like to be downtrodden. To feel powerless. To feel out of place.  

Listening to three keynote speakers, Khadija Gbla, Teela Reid and Kemi Nekvapil, about their experiences growing up and facing discrimination against their race, ability or gender, provided not only a sense of perspective, but a feeling of empowerment.  

We all took something different away from the event: living more powerfully; how a strong desire and determination to succeed can change a mindset entirely; knowing the power we already possess; and recognising that it’s everyone’s responsibility to pave the way to a world of equality and #breakthebias.