
Getting the basics of cyber security right

By Telstra News March 30, 2021

Artificial intelligence. Blockchain. Zero-day detection. The cyber security marketplace contains a litany of buzzwords that can make an already complex subject even more confusing. But like so many other fields, before you can make any progress in cyber security you first need to get the fundamentals right.

The fundamentals are often called the ‘basics’, but this doesn’t mean they’re easy. In fact, even some of the world’s big technology companies struggle with what can be thought of as cyber security 101.

The Australian Government has created a straightforward guide to the cyber security essentials, and how to implement them, to help you protect your business against online threats.

What is the Essential Eight?

The government’s cyber security experts have identified eight essential mitigation strategies designed to help limit your organisation’s exposure to the vast majority of cyber threats.

These eight strategies are a subset of the Australian Cyber Security Centre’s 37 Strategies to Mitigate Cyber Security Incidents and form a strong baseline of protection.

The Essential Eight is broadly aimed at:

  • Helping prevent attacks
  • Limiting the extent of cyber attacks, and
  • Recovering data and systems availability.

Helping prevent attacks

The first step to protecting against an attack is to prevent it from occurring in the first place. The vulnerability of your systems and users can be reduced by implementing the first four steps in the Essential Eight:

  1. Application control. This is one of the most effective steps in helping to ensure the security of systems. While application control is primarily designed to prevent the execution and spread of malicious code, it can also help prevent the installation or use of unapproved applications, which can bring harm to the security of your systems and data.
  2. Patching applications, or applying updates, is a critical process to help ensure the security of all your IT equipment. Patches often fix known vulnerabilities or flaws which might provide an entry point for anticipated threats to be released into systems and software. You should aim to always use the latest version of applications where possible, and to patch applications with “extreme risk” vulnerabilities within 48 hours.
  3. Configure Microsoft Office Macro settings. Macros, a staple in IT systems, automate regular tasks to save time. However, some macros can pose a security risk. A person with malicious intent can introduce a destructive macro in a file to spread a virus on your computer or into your network. You should block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
  4. User application hardening. With the rapidly shifting technology landscape, a regular clean out of old tools or applications is important to ensure your security posture isn’t being weakened by vulnerabilities in systems (like unpatched software) or processes (like default, weak, or reused passwords). You should especially consider configuring web browsers to block Flash as well as ads and Java, and disabling unneeded features in Office, web browsers, and PDF viewers; these are popular ways for hackers to push malicious code onto your systems.

Limiting the extent of cyber attacks

Breaches are inevitable but they need not be destructive. The next three steps in the Essential Eight will help limit the damage:

  1. Restrict admin privileges. Hackers actively seek admin accounts to give them greater access to data and systems, which means the fewer admin accounts you have, the better. Don’t let anyone be the administrator of their machine unless they have a legitimate business need. Set privileges in accordance with the user’s duties and role; someone who mainly works in email and the web doesn’t need to be an admin. Regularly revalidate the need for these privileges.
  2. Use multi-factor authentication. Multi-factor authentication is a powerful tool in your cyber arsenal. This defense makes it much harder for a hacker to break into your network, and limits their ability to move around should they be able to gain initial access. Aim to have multi-factor authentication on as many systems as possible, especially for VPNs and other remote access tools.
  3. Patch operating systems. Patching appears twice in the Essential Eight because vulnerabilities in systems and software are regularly used to hack into organisations. Again, you should always aim to use the latest version of operating systems – specifically avoid using unsupported versions – and patch “extreme risk” vulnerabilities in computers and network devices within 48 hours.

Recovering data and systems availability

Have you ever lost a camera or a phone and therefore the photos that were stored only on that device? The same pain is felt when ransomware attacks encrypt a business’ critical data, rendering it inaccessible.

It is often only when something goes wrong that business owners think about their backups. Backing up important data should be an ongoing exercise.

  1. Daily backups: To ensure information can be accessed following a cyber security incident or outage, back up new or changed data, software and configuration settings daily, and retain it for at least three months. Aim to follow the 3-2-1 backup rule: store your production data and two backup copies on two different mediums (like a cloud service and an offline disk drive), with one of these copies stored offsite (not connected to your network) to ensure you can recover in the event your network is taken offline.
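
The backup rule above can be turned into a check over a backup inventory. The following is an added example, not part of the original article or ACSC guidance; the field names, the sample inventories and the reading of "three months" as 90 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    medium: str              # e.g. "disk", "cloud", "usb-disk"
    offsite: bool            # held away from the primary site
    network_connected: bool  # reachable from the production network
    newest: datetime         # most recent restore point on this copy
    oldest: datetime         # oldest restore point on this copy
    production: bool = False

def check_backups(copies, now, max_age=timedelta(hours=24),
                  min_retention=timedelta(days=90)):  # 90 days: assumed "three months"
    """Return findings against the rule above; an empty list means it passes."""
    backups = [c for c in copies if not c.production]
    findings = []
    if len(backups) < 2:
        findings.append("fewer than two backup copies besides production")
    if len({c.medium for c in copies}) < 2:  # counted across all three copies
        findings.append("all copies sit on one medium")
    # An offsite copy that stays mounted can be encrypted along with production.
    if not any(c.offsite and not c.network_connected for c in backups):
        findings.append("no backup copy is both offsite and disconnected")
    if not any(now - c.newest <= max_age for c in backups):
        findings.append("newest backup is more than a day old")
    if not any(now - c.oldest >= min_retention for c in backups):
        findings.append("no backup holds three months of history")
    return findings

# Constructed sample inventories (not real systems).
NOW = datetime(2021, 3, 30, 9, 0)
PROD = BackupCopy("file-server", "disk", False, True, NOW, NOW, production=True)
NAS = BackupCopy("nas", "disk", False, True,
                 NOW - timedelta(hours=2), NOW - timedelta(days=120))
WEAK = [PROD, NAS,
        BackupCopy("cloud-sync", "cloud", True, True,   # offsite but always mounted
                   NOW - timedelta(hours=3), NOW - timedelta(days=30))]
FIXED = [PROD, NAS,
         BackupCopy("rotated-usb", "usb-disk", True, False,
                    NOW - timedelta(hours=20), NOW - timedelta(days=100))]

if __name__ == "__main__":
    print("weak: ", check_backups(WEAK, NOW))
    print("fixed:", check_backups(FIXED, NOW))
```

The weak inventory has three copies on two mediums and still fails, because its only offsite copy is permanently connected to the network.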

Where and how to start with the Essential Eight

It’s easy to get a little overwhelmed with all the tools and services promising to protect you online.

Master the fundamentals with a trusted security partner. Telstra’s security experts can help assess the maturity of your systems, and help you implement the Essential Eight in the most relevant way for you.

Telstra strongly encourages all businesses to read and consider how the Essential Eight could be implemented within their organisation. More details can be found at the Australian Cyber Security Centre website.


Australian businesses warned about Microsoft Exchange hacks

By Allie Coyne March 12, 2021

Australian businesses are being warned to “urgently” apply patches to their Microsoft Exchange servers to help protect against hackers who are actively exploiting four critical vulnerabilities in a spate of attacks around the globe.

Reports have placed the number of victim organisations between at least 30,000 and 60,000 so far.

The Australian Cyber Security Centre today said it had identified “extensive targeting” and “compromises” of Australian organisations with vulnerable Exchange servers.

Last week Microsoft released patches for four zero-day vulnerabilities in on-premise Exchange that it said were being actively exploited in “limited targeted attacks”. Exchange is a popular email, calendar and collaboration platform widely used by the smallest to largest organisations globally.

A “large number” of Australian Exchange customers are yet to apply the patches, the ACSC said. It urged these organisations to update their systems immediately.

What you can do to protect yourself

“Hackers are using the flaws as a series of steps in an “attack chain” that ultimately allows them to gain total remote control over a target system,” Microsoft said. “This could allow them to do anything from deploy malware to steal data or add in backdoors.”

The vulnerabilities are already being used to infect organisations with a new strain of ransomware, known as DearCry. Like other forms of ransomware, DearCry encrypts files to make them inaccessible and demands a payment from the victim to regain access.

One security expert said it appeared vulnerable Exchange servers in Australia as well as the US and Canada were some of the first victims of DearCry.

Hackers have also been spotted uploading web shells – a piece of code that allows persistent, remote access to a system – to vulnerable Exchange servers to allow them to keep accessing the system even after the patches have been applied.

Organisations that have unpatched Exchange servers exposed directly to the internet are the most vulnerable.

Hafnium group responsible: Microsoft

Microsoft said it had identified a group called Hafnium using the vulnerabilities to compromise organisations across the globe.

The company described Hafnium, a state-sponsored hacker group from China, as “highly skilled and sophisticated”. The group has been known to target everything from researchers and defense contractors to not-for-profits.

However, other malicious groups are now also making use of the vulnerabilities in what has been referred to as a global cyber security crisis; Microsoft said in an update that “multiple malicious actors beyond Hafnium” had been spotted targeting unpatched Exchange servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) has similarly warned of hackers scanning the internet for vulnerable Exchange servers.

Microsoft has urged Exchange users to apply the security patches immediately.

However, security experts have noted that many updated servers could have already been compromised or backdoored; applying the patches now only protects against the vulnerabilities being used again.

“If the web shell was placed there before a device was patched, and then the patch was applied, the file would still exist and it could still be used. Patching only prohibits the initial vulnerability being used again,” Sophos senior director of managed threat response Mat Gangwer told the SMH.

“The nature of this latest attack was to infect as many devices as possible before organisations caught up with the patch. We have observed this impacting organisations in many different regions. There is no reason to believe that Australia was impacted any less than other countries.”

Interim mitigation options are available for those who are unable to patch immediately, and Microsoft has published a list of indicators of compromise organisations can use to check their systems for malicious activity. The ACSC said it was monitoring the situation and could provide assistance as required.
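
Because a patch does not remove files that were planted before it was applied, a patched server still needs its web-served directories compared against a known-good state. The following is an added example, not from the original article, Microsoft or the ACSC; the manifest format, directory layout, file names and dates are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def sweep(web_root, manifest, patched_at):
    """Compare a web-served directory with a known-good manifest.

    manifest maps relative path -> SHA-256 of the file as shipped.
    Returns (relative path, reason, predates_patch) for each file that is
    unknown or altered. predates_patch is True when the file's mtime is
    earlier than the patch time, i.e. the file was left in place by patching.
    mtime can be forged, so treat it as a hint; the manifest is the real test.
    """
    root = Path(web_root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            reason = "not in manifest"
        elif sha256(path) != manifest[rel]:
            reason = "content changed"
        else:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        findings.append((rel, reason, mtime < patched_at))
    return findings

def demo():
    """Constructed sample: one shipped page, one file dropped before the patch."""
    patched_at = datetime(2021, 3, 12, tzinfo=timezone.utc)
    dropped_at = datetime(2021, 3, 5, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.aspx").write_text("<%-- shipped page --%>")
        manifest = {"login.aspx": sha256(root / "login.aspx")}
        extra = root / "static" / "help.aspx"
        extra.parent.mkdir()
        extra.write_text("<%-- placeholder for an unexpected file --%>")
        os.utime(extra, (dropped_at, dropped_at))
        return sweep(root, manifest, patched_at)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```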


How to stay safe shopping online this festive season

By Jen Stockwell December 17, 2020

This year, we’ve been stuck inside – and on our phones and computers – more than ever. More than a million Aussie households shopped online between March and September this year for the first time ever. If that’s you, we have some advice to help keep you safe.

Australia Post predicts this trend is here to stay too, and it’s easy to see why. Shopping online lets you browse and choose what you need from the comfort of your lounge, and in the past few years Black Friday and Cyber Monday have become record-breaking online shopping events in Australia.

There’s another side to this, though: scams. According to Scamwatch, Australians have lost over $7 million to online shopping scams so far this year – up by 42 percent. Scamwatch also says that scammers are typically out in force over Christmas, as families rush to get through their festive season shopping and bargain hunters trawl through all the digital Boxing Day sales.

Last year it was shoes, smartphones and tickets to concerts and events that were most likely to be listed online by scammers looking to make an illegitimate buck. This year, concert tickets aren’t likely to be as popular, but you should be more cautious than ever about making sure your online purchases are legitimate. As is usual on the internet, a little bit of caution can save you a lot of heartache.

One of the most popular methods of scamming you out of your hard-earned dollars while you’re online shopping is for a scammer to set up fake online stores. Scammers often set up fake websites that look convincingly real, or use social media platforms to host storefronts that may look like a genuine retailer’s. Often they have popular items at prices that may seem too good to be true. The big difference is that when you pay, you won’t see anything arrive in the post like you were expecting.

Another popular scam to watch out for is on classifieds websites, where scammers create fake seller profiles and list popular items at attractive prices. If you’re shopping for items on a classifieds site, a seller might suggest they’re travelling and a friend or agent will complete the sale for you once you’ve paid. There’s a reason that ‘buyer beware’ is a popular saying…

Here are some common-sense tips to help you stay a bit safer while shopping online:

  • If you’re shopping at an online store with its own website, do some research before you click ‘buy’ to check if it’s reputable. Look for independent reviews of the retailer. Are there clear contact details? Make sure you have trust in who you’re buying from, and where possible try to stick to reputable platforms (like eBay and Amazon) that will guarantee your purchase.
  • Shop with a credit card or VISA debit card from a reputable bank, or use a payment processor like PayPal, and check your statements regularly for any fraudulent or unexpected payments outside of your shopping. Always shop with a payment method that allows for disputes to be raised if necessary. And keep track of your purchases!
  • Be alert to phishing attacks: scammers are highly active this time of year. Treat every email or message with caution, especially if it’s asking you to do something or if the offer sounds too good to be true.

And if you’re browsing the classifieds for a second-hand bargain:

  • If possible, picking up the item that you’re buying in person is always preferable. It means you can inspect what you’re buying to ensure it is real and in the condition you expect, and you can agree with the seller to pay in cash or with an instant transfer. You want to avoid paying for the item before you have access to it.
  • When you’re communicating with a potential seller, ask for some proof that they have the item you’re looking to buy – like a new photo of the item. One of our favourites is taking a photo of the item on a recent newspaper with the day’s date. Digital timestamps on photos are also useful for this, especially if there’s no newspaper handy.
  • Carefully consider how much personal information you share when you shop online. Only complete the bare minimum mandatory fields needed to complete your order as any information you enter during sign up could be exposed if that website gets hacked.
  • And, of course, there’s one other piece of advice we’ll never shut up about: always use a strong and unique password, and turn on multi-factor authentication wherever you can. That way, if someone manages to guess your password, they won’t be able to get into your account.

Happy shopping!


Scam me if you can: former-fraudster Frank Abagnale on how to fix cyber security

By Luke Hopewell October 23, 2020

It’s a question that plagues the technological age: how can we stop scammers and bad actors from stealing cash from innocent people? Frank Abagnale – former conman turned cyber expert – spoke at our Vantage Remixed conference this week on how we can all be more secure, and how we can ultimately fix the problem of scams.

Australians lose tens of millions a year to scammers online. Whether through confidence schemes, investment schemes or even romance scams, hundreds of thousands of us have been duped into parting with our money to the criminal hordes.

And it’s not just Aussies losing funds to the less-than-legitimate online. Millions of others around the world have been duped out of cash for decades due to scams. One such scammer and con-artist is Frank W. Abagnale.

Yes, that Frank Abagnale.

Abagnale is the subject of Steven Spielberg’s 2002 blockbuster film Catch Me If You Can. Starring Tom Hanks and Leonardo DiCaprio, the film tells the story of Frank W. Abagnale as an adolescent, where he became a confidence man and scam artist who defrauded millions and led the FBI on a global chase.

After his arrest and subsequent conviction, Abagnale started working with the FBI to teach scams awareness. These days he’s a world-renowned cyber security specialist and the author of Scam Me If You Can, his most recent book.

Abagnale said that not a soul on Earth is immune from being scammed, and new scams are being invented to dupe us every single day.

“The whole social engineering aspect of it of scamming hasn’t changed in 40 years. Scammers, conmen and criminals all stay the same, but the methods have changed significantly,” Frank Abagnale tells Adam Spencer at Vantage Remixed.

“In writing my book it dawned on me that these scams are scams that are 50 years old. It’s just the methods have changed. The criminal mind has not changed much at all. There is no foolproof system, and if you think there is you haven’t taken into account the creativity of fools. We can make it so difficult for a criminal, we have the technology, but if you don’t use it, it’s worthless. If you don’t use it, you’re becoming a victim!”

Abagnale added that the best way to protect people from scams is to educate them on the methods scammers use to infiltrate our lives. That way, we can all know what to look for when scammers come calling.

Passwords: flawed from the start

Abagnale added, however, that we need more than just education to protect us from scammers. Passwords – those tricky combinations we all have to remember to access our online gear – have been broken from the start, he said.

“We have to do away with passwords. They’re invented for treehouses,” Abagnale said at Vantage Remixed.

His solution? Do away with passwords altogether and instead rely on identifying us by our smart devices and apps whenever we make contact with a secure system.

“[Passwords] were invented in 1964 and today that’s 72 years on and we’re still using them. We have developed technology to eliminate passwords and identify you by your device. You might walk up to an ATM with your iPhone and open the bank’s app and it identifies you from your device. If I call the bank’s call centre, they recognise my device and I’ll open the app to verify.

“There will be no security questions and they won’t know the answers, I’ll be recognised by my device. That technology is called Trusona, funded by Microsoft. We’re slowly now in Japan and Europe getting away from passwords, and I predict as Gartner does that in the coming years we’ll see passwords go away, and that will put a huge dent in cybercrime.”