The “Essential 8” – Securing your business

Organisations continue to be at risk from cybersecurity incidents – with each incident potentially costing millions of dollars.

This risk – and cost – is only likely to increase as the social engineering and technical elements of cyber-attacks become more sophisticated. To help organisations respond effectively to these threats, the Australian Cyber Security Centre and the Australian Signals Directorate have developed the “Essential 8” baseline mitigation strategies. According to the ACSC, these strategies can be customised according to each organisation’s risk profile and the cyber threats they are most concerned about.

The “Essential 8” incorporates four mitigation strategies to prevent the delivery and execution of malware. We’ve summarised these here:

  • Application whitelisting: By “whitelisting” approved applications, organisations can stop unapproved or malicious programs from executing.
  • Patch applications: Patching computers with “extreme risk” application vulnerabilities within 48 hours – and using the latest version of applications – can reduce the risk of malicious code executing.
  • Configure Microsoft Office macro settings: Blocking macros from the internet – and applying strict rules to approved macros – reduces the risk of delivery and execution of malicious code.
  • Apply user application hardening: Blocking certain applications and disabling unneeded features in others can remove popular methods of delivering and executing malicious code.

The “Essential 8” also features three strategies to limit the extent of cyber security incidents. These are summarised below:

  • Restrict administrative privileges: Only give users operating system and application administrator rights if their role warrants it. Handing out the “keys to the kingdom” increases the risk to systems and information.
  • Patch operating systems: Patch computers with “extreme risk” operating system vulnerabilities within 48 hours, and use the latest version of these systems, to avoid being compromised.
  • Multi-factor authentication: Apply multi-factor authentication for remote access, and for all users when they perform a privileged action or access an important data repository – providing a bigger obstacle for adversaries that want to infiltrate systems or information.

Finally, the “Essential 8” incorporates – as a mitigation strategy to recover data and system availability – backing up important new or changed data, software and configuration settings daily and keeping the backups for three months. This will help an organisation recover from a cyber security incident.

Your organisation should strongly consider applying the “Essential 8” as the foundation of a mature, robust cybersecurity strategy. If you would like to learn more, please contact us at info@firstwave.com.au.


Don’t Get Caught Out By a Software License Audit

A common pain point that some organizations have expressed to us is the inability to prepare for, or counter, software license audits. Organizations that go through these audits share two major concerns: they lack information about what is on their network, and they do not have enough information to challenge a software vendor when presented with a bill.

Knowing what software is installed on your devices is not only good practice for managing your network, but also good practice for managing your budget. Many vendors take an aggressive stance on license audits. An example of a bill for one extra license over a contract length of 6 years is shown below:

List License: USD 47,500
List Support: USD 10,450
Standard Discount: 10%
Net License: USD 42,750
Net Support: USD 9,405
Back support (6 years): 6 x 9,405 = USD 56,430
Total fees: 42,750 + 9,405 + 56,430 = USD 108,585

Exceeding your entitlement by a single unit and receiving a bill that high should act as a clear deterrent, and should motivate organizations to ensure they are maintaining their license levels.

The best way to stay ahead of these surprises is to have extensive information about your network and to be able to monitor the software licenses your organization is entitled to. Open-AudIT can do this with very little input and at a very manageable cost, especially compared to the figures mentioned above. Once devices are discovered using Open-AudIT they can be audited; if licensing levels are configured, reports can then be generated daily, weekly or monthly on software levels, giving you genuine insight into your position. This mitigates the surprises that can occur when three years pass between license audits.

Above is a demonstration of what the result can look like; this process can of course be scheduled so that a monthly report is generated. The process to configure this and get ahead of license audits is outlined in this wiki article. If you would like more information about how to configure these features, would like to see a demo of this in action, or want to discuss how to optimize your network, contact us and we will be happy to help.


Ensure GDPR compliance or risk severe penalties

Several countries and jurisdictions are increasing the protection afforded to personal information. The European Union’s General Data Protection Regulation (GDPR) is one of the most comprehensive measures worldwide to rebalance the data relationship between individuals and businesses.

The consequences for Australian businesses – of any size – that have an establishment in the European Union, offer goods and services in the European Union or monitor the behaviour of individuals in the European Union are potentially profound.

Under the GDPR data protection requirements – which came into effect on 25 May this year – businesses must meet obligations covering accountability and governance; consent; mandatory data breach notification; expanded rights for individuals; privacy notices; data control and processing; and overseas transfers of personal data.

For example, as a brief from the Office of the Australian Information Commissioner points out, ‘data controllers’ – typically businesses or organisations that decide why and how data should be processed – must advise supervisory authorities within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a high risk to individuals’ rights and freedoms).

If a data breach is likely to result in a high risk to the rights and freedoms of ‘natural persons’, the data controller needs to notify the individual without undue delay – unless exceptions to this notification requirement apply.

Affected businesses also need to be aware the GDPR gives individuals the right to require data controllers to delete their data in some circumstances – including when the information is no longer necessary for the purpose it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.

The penalties for non-compliance are severe – many contraventions can attract fines of up to €20 million or 4% of annual worldwide turnover. For organisations that do business in the European Union and have not fully accounted for GDPR, the message is clear: review data management and control practices against GDPR requirements and, where required, take remedial action as quickly as possible. Talk to Neil or the FirstWave team today on +61 2 9409 7000 to discuss your GDPR requirements.


Opmantek LATAM: Meet Our Team

Opmantek is very proud to have a presence in LATAM, with offices in Mexico that serve the market directly.
Meet our team.


Getting on The Front Foot Is Simple With Open-AudIT

Before implementing Open-AudIT in his organisation, software and hardware audits were a loathed activity for Neil and his IT team. The company was growing fast and undergoing a lot of mergers and acquisitions (M&A) – great for the bottom line but a nightmare for the IT team, who were responsible for keeping track of the hardware and software assets owned by the business.

Every year the team would break out the Excel spreadsheets that held the asset register to review the age, warranty status, software licenses and versions for all of the devices in the company. Every year there were gaps, anomalies and errors in record keeping that required manual rectification, diverting resources away from customer and product support until the audit was complete. This often resulted in unexpected licensing costs where usage of software had been under-budgeted in the organisation.

Auditors were the enemy – until Neil stumbled upon a recommendation for a great tool that would discover and audit everything on a corporate network, turning auditing visits from an interrogation of records into an exploration of data.

Neil got started on the free version and soon discovered that there were some substantial benefits to having a real-time asset register like Open-AudIT, especially when the team transitioned away from fire-fighting and started becoming more proactive.

He found that he was able to better support his help desk team, who could now quickly identify any device and its hardware and software components through customisable dashboards, aiding in quicker resolution of IT issues.

His security team were also impressed: security-relevant changes such as file permission changes and unexpected new files were summarised in a scheduled report, helping the team to mitigate risks in a time-bound manner.

The increased visibility into hardware and software allowed the IT department to save money on their software licenses, because they could see at a glance where they were oversubscribed for a product and could negotiate better contracts as the demand for software in the growing company increased.

Auditors were also impressed to see that software assets that were being licensed and hosted from cloud servers like Amazon and Azure were also viewable and reportable from within the application, giving a complete view of the full extent of software assets deployed across the business.

If you would like to understand more about how to work with your auditors to increase performance and reduce costs within your IT team, get in touch with one of our engineers today. We offer 30 days of free support to anyone trialling Open-AudIT Professional or Enterprise.


Gain Control Over Your Cloud Instances.

An industry partner told me recently about a horror story that could happen to anyone operating in a hybrid network environment. One of their former employees had an EC2 instance they had spun up for testing purposes, paying the initial fees with Amazon credits, as most of us would have done. This staff member then left the company without telling anyone about the instance. Fast forward two years, and a substantial bill arrived at the company.

There are many advantages to creating a hybrid network environment, but stories like this are commonplace when they shouldn’t be. The root of the problem above was poor business asset visibility: the company didn’t know about assets it was responsible for, and that creates vulnerabilities, whether security or financial. Turning this liability into an asset can be a simple, cost-effective project for teams of any size.

If you would like to try these features in your test environment, just register here!
