August 2014 Newsletter

August 11, 2014

Table of Contents:
• A CIO’s Approach to Developing a Security Framework 101
• Penetration Testing Applications
• Practical Security: Browser Security Settings
• Upcoming Events
• Achieving Comprehensive PCI DSS 3.0 Compliance
• The SG Community


A CIO’s Approach to Developing a Security Framework 101

One of the questions we are most often asked by CIOs and other senior business managers with regard to information security and IT risk management is where to begin. Do you focus on purchasing security tools first, on developing policies and standards, or on getting an audit done and working from its results?

From our experience, while all of the above can assist in some way, developing a framework about how you will think about your security position is the number one priority before you make a major investment in tools, your staff’s time or the costs of hiring consultants. You may find that a lot of the costs you estimated originally may not be needed.

Your initial priorities should be looking at what you have in place today, looking at your processes and procedures around how your business operates and just tuning those with a security focus in mind. Ingraining security consideration into most aspects of your IT operations does not need to be a costly exercise.

Our Strategic Security Management Framework in this post looks at why companies can be/are insecure and suggests simple ways to guide your strategy to start positioning you to becoming an organisation that looks at security from a holistic view. As you’ll see, all else flows from there:

It’s not really that complex, is it?

With many of our clients, after a 2-3 hour workshop (at no cost), we find a radical change in their security posture within a short time frame once we have introduced a new way of thinking into their environment about security.

For more information:

Penetration Testing Applications

Everyone is “penetration testing” these days but is penetration testing really the key to rolling out a secure application?

Many people would say it is and while we agree it’s certainly an important component of the SDLC, it’s definitely not the “key”.

There are many ways to look at it, but analysing the results of the penetration testing Securus Global does for its clients, you have to wonder whether the way security is treated within the SDLC is failing, and further, what the additional production costs are as a result – from simple post-penetration-test remediation right through to major rewrites where the issues have reached the operational core of the application.

Over 95% of the applications/systems we test for the first time have major to critical vulnerabilities in them. (Plus a plethora of “lesser” vulnerabilities, but important and risky in their own right). That is a lot of applications being “completed” that are inherently insecure. (Aside: how many companies roll out applications that are not penetration tested?)

Surely the answer must lie, to one degree or another, in earlier phases of the SDLC. What do you think?

Related Article by Securus Global:

Practical Security: Browser Security Settings

This latest blog post from our CTO, Norman Yue, aims to provide some “quick wins” for an organisation, a security team, or even just an interested user, to help improve their online security.

He explains some strategies that people can realistically put into place immediately, detailing what they are and how they impact both security and usability.

From deleting cookies on logout to not saving form data, alongside advice on click-to-play plugins, this article provides some great practical tips that everyone can implement.

Read more:

Upcoming Events

Michael Gianarakis, our Practice Manager, will be presenting at YOW! CONNECTED 2014 – Australia Developer Conference, in Melbourne, September 2014.

Michael specialises in mobile application security research. His work has assisted developers and organisations across most industry sectors to secure their new and emerging mobile applications and platforms. Michael has presented his research at numerous industry events including OWASP and Ruxcon in Australia.

This talk will provide attendees with practical advice for securing iOS applications against the vulnerabilities that are most prevalent on the iOS platform.

The presentation will draw from the security assessments and code reviews he has performed for clients ranging from large financial institutions and government organisations to small development houses.

More information:

Achieving Comprehensive PCI DSS 3.0 Compliance

It’s not news that any entity that processes, transmits or stores account data, or can impact the security of cardholder data environment, is required to be compliant to PCI DSS 3.0. However, the business benefits of the security framework — a more secure network, protection of corporate brand and reputation, reduced risk of successful data breaches and network attacks — can easily be overshadowed.

Tripwire (a long-time partner of Securus) combines the power of configuration control and deep file integrity monitoring (FIM) with comprehensive log and security information event management capabilities to help deliver continuous and unmatched PCI DSS compliance. This white paper serves as a useful guide for security personnel who want to learn how Tripwire® Enterprise, Tripwire Log Center® and Tripwire IP360™ could assist in meeting PCI DSS requirements. Qualified Security Assessors (QSAs) might find this document useful as well, as it highlights the areas of the PCI DSS requirements that can be verified and met by those solutions.

Download whitepaper:

The SG Community

Below is a selection of our most popular articles from our Company Blog this year… If you haven’t already, check ’em out!

Case Study: Security Pitfalls of a Shared Portal

Issues at Board Level Security:

Beating RFID Security:

Breaking lcg_value():

How I got Root with Sudo:

Dumping Windows Credentials:

Securus Global Community

Connect, follow or like us on social media to stay up to date with everything SG related: LinkedIn / Twitter / Facebook.

Also be sure to check out our tech team’s blog and the other industry news that we publish regularly on our website here:
p: +61 2 9283 0255

About Securus Global
Securus Global helps businesses of all sizes and across all industry sectors. When clients work with us once, we’re generally there with them for the long haul – becoming their security partner of choice.
To find out more about what we can assist you with, please email or call on (02) 9283 0255. For a description of some of our services, please visit our website:
