I don't know what I don't know.

In Information Technology our businesses are often very project driven: “We need a new endpoint solution”, “We need to look at life-cycling our wireless”, “Our company needs a risk management platform”. In cyber security, this approach often leads to our clients ‘not knowing what they don’t know’. What they mean by this is that they rarely get the opportunity to take a step back and look at their cyber security in a holistic way (the people, processes and technology that make up security for them), and map themselves against common security frameworks to learn where they’re strong and where they may need to improve.


To help our clients better equip themselves to respond to this issue, we’ve released version 2.0 of the Cythera Security Platform, the cornerstone of which is a cyber security health assessment.


The cyber security health assessment can be self-run, or run by a Cythera team member alongside your IT team. The health assessment is administered in a question and answer format; the results drive a risk rating and map your strengths and weaknesses against the NIST security framework, as well as the ASD Essential 8. This allows IT teams to understand where they are performing well, and which areas of their security people, processes or technology they may need to focus on.


The assessment, which is free to use, can be run at regular intervals or once a year to compare against previous assessments and ensure you’re improving in your areas of focus. After the assessment is run, you can access our business toolkit, which provides recommended solutions in the areas you want to drill down on, including the full suite of Cythera’s Protection Platform and associated offerings, allowing you to move towards an improved security posture across your business.

Our updated Security Platform also gives you access to ready-to-edit cyber policy templates and checklists, and allows you to easily enable phishing simulations and cyber awareness training for staff; items that are often lacking from Australian businesses’ security programs.

Access your own cyber security health assessment, get started today for FREE at https://aware.cythera.com.au/free/

The Financial Impact Of Breaches

Part 2 : Landmark White Breach

The risk to your business in a cyber attack isn’t limited to remediation activities or solely to brand damage. It’s now often linked to a loss of trust with trading partners (with knock-on revenue impacts), a breakdown of corporate culture which can lead to staff attrition, and a real likelihood that your business will become insolvent. In Part 1 of this article, I gave the example of a real Australian business, Landmark White. Today Landmark White are battling through the impacts of multiple IT data breaches within their property valuation business in late 2018 and 2019.

Common Drivers To a Bad Outcome

The biggest drivers we see in organisations that lead to cyber related incidents and IT data breaches are:

  1. A lack of cyber awareness across the organisation

  2. Insufficient proactive security posture management

  3. Limited security visibility within an organisation

  4. Poorly deployed, or not fit for task protection technologies

  5. A culture of “it won’t happen to us”

  • Cyber Awareness

We’ve all heard the horror stories of social engineering or phishing emails that compromise the least IT-literate members of your staff and leverage them to launch attacks against businesses. But cyber security is everyone’s responsibility, much in the same way physical security is the responsibility of all staff in a building. An active and ongoing cyber awareness program is critical in businesses of all shapes and sizes; it needs to be reinforced by (and from) the leadership in the organisation as a high priority, and it is something everyone should be measured against.

  • Security Posture Management

Are you scanning your environment daily for vulnerabilities, and are you on top of your patching and maintenance of applications, services and infrastructure? This is a crucial function within your business that isn’t limited to penetration testing (though that is important) but is about total lifecycle management and hygiene for all components in your IT stack, including third party providers if you use them.

Use frameworks like the ASD Essential 8 as a starting point to guide risk management activities, but don’t be afraid to cherry pick the best of NIST or CIS to get something that is right-sized for your business too. These frameworks should be seen as starting points, not as shopping lists for compliance and risk needs that fit every business.

  • Security Visibility

Many organisations collect logs and run a series of disparate systems to gain insights into their business’s IT function. In our time we have seen a litany of SIEM solutions gathering dust in a corner, delivering no insight to the business, let alone preventing an attack. The traditional SOC / SIEM approach is rapidly being overtaken by an integrated Managed Detection and Response (MDR) approach that couples SOC-as-a-Service and SIEM functionality with User and Entity Behaviour Analytics (UEBA), threat hunting and incident response capabilities as a turnkey outcome.

Can your organisation justify 24x7 “eyes on glass” to monitor your security environment and provide you the visibility that you need to detect threats in near real time? It’s often a collaborative approach with a managed service provider partner that makes the most financial sense for organisations.

  • Inappropriate Protection Controls

I can’t tell you how many customers we still see that run legacy AV technologies and stateful inspection firewalls and think that they are protected from cyber threats. What worked well in 2001 isn’t fit for purpose today. Many attacks sail on through email or are enabled through legacy technologies like DNS; a dedicated attacker will use any and all tricks in their inventory to get past your defences.

Building a layered security approach with next generation technologies that interoperate nicely together is critical. Technologies like deep learning are providing unique mechanisms to block signatureless malware, and solutions like Endpoint Detection & Response (EDR) are helping detect and stop attacks in their tracks through global-scale intelligence sharing and endpoint-integrated protection stacks. Cloud Access Security Broker (CASB) solutions give you visibility and the ability to enforce cloud data policy no matter where you store your data or manage your workloads. Look long and hard at your IT stack, leverage what is available today, and don’t be afraid to turn off what you used yesterday.

  • A culture change

If you think a cyber attack won’t happen to you, you may be right, but I’d wager it will only be a matter of time (if it hasn’t happened already).  Our job isn’t to scare people into taking this stuff seriously, it is about helping prepare and protect our customers for the inevitable.

If you think you’re ready to start looking hard at your business and its readiness for a cyber attack, please reach out to us at Cythera. We love helping our customers protect themselves and their customers and we have solutions that fit businesses of all sizes.  From our monthly subscription bundles, our professional services, to our turnkey Managed Detection & Response platform, we have a wide range of offerings to fit your business needs. 

Let’s help you get started today.

The Financial Impact Of Breaches

Part 1: An Australian Example

Often, when we are presenting the state of the cyber security landscape and the risks that unprepared customers expose themselves and their businesses to, we get a real sense that customers nod but don’t really appreciate the gravity of the reality. Seeing statistics on a page and bridging that to a scenario they can wrap their heads around and relate to their own business is hard. Too regularly we see a customer being impacted themselves before they realise the magnitude of the danger that a cyber attack brings to their business and their staff.

To help bring home an actual example of a cyber attack on an Australian business that has suffered significant brand damage, broken trust with upstream providers and customers, and created a demonstrable financial impact, you don’t have to look much further than Landmark White.


Landmark White

By now, many of you should be aware of the difficulties facing Landmark White (LMW), one of Australia’s leading independent property valuation organisations. These difficulties have built over the past year, precipitated by a breach leaking customer valuation records that left about 37,500 unique valuation records and 1680 supporting documents sitting openly on the Dark Web in early 2019.

Despite being contacted anonymously through live chat and through the corporate Twitter account, LMW were slow to respond to initial notifications of the breach, with their Twitter channel unmanned over the Christmas holiday period. After a further email notification from the Australian Cyber Security Centre regarding a vulnerability in an exposed programming interface on their platforms, LMW claim to have closed the vulnerability by January 23rd.

After this breach and subsequent notification of same, LMW stopped trading on the ASX in February 2019. As a result of the incident and the publicity that it received, LMW was “suspended from receiving work from a significant number of clients which is impacting our revenues, profitability and cashflows," company secretary and CFO John Wise wrote in a letter to the ASX.

A second breach involved a posting to Scribd that “mostly comprised PDF valuation documents and other operationally related commercial documents”. LMW believe this incident was an act of corporate sabotage, potentially generated internally. It was followed a fortnight later by an exodus of staff from the Sydney franchise business. Heading into a trading halt again following this second breach, LMW’s market capitalisation more than halved, from $39 million at the close of 2018 to $15.3 million when shares were suspended in June 2019.

There has been much speculation that LMW directors are seeking an exit for the business, with leaked emails from the acting Chief Executive Tim Rabbitt stating they “have to consider alternative options for the business including the potential sale of the whole or parts of the business”.

This is an absolutely horrific scenario and I’m sure there are many people within LMW today who would love to be able to roll back the tape and make some different decisions on how they prepared their business and their cyber security approach.

In part 2 of this article, I will spend some time discussing the biggest drivers we see related to cyber security incidents and outline some suggestions on how you might position your business to best defend itself from the potential of a cyber attack.


EvilClippy and the rise of Office based malware.


Last month a cross-platform assistant for creating malicious MS Office documents, named EvilClippy, was released.

It allows an attacker to hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools.

Attackers can now hide malicious code from anti-virus and macro analysis tools by leveraging undocumented features in the way macros are stored within an Office file.

Macros are stored in Compound File Binary Format (CFBF) and EvilClippy uses a technique known as VBA Stomping to replace the compiled version of the macros with something malicious.

According to the creators of the tool, it allows attackers to bypass all anti-virus solutions; it’s worth noting, however, that Deep Instinct’s VBA and Office deep learning models, available since November last year, prevent all threats produced using EvilClippy without requiring an update or cloud lookup. Anti-virus vendors cannot detect threats created with this tool statically and must update detection hash by hash (reactively) as samples are submitted by customers.
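VBA stomping, the technique the page names, works on the module streams inside the VBA project: each macro module is stored as compiled p-code (the PerformanceCache) followed, at the module’s TextOffset, by the MS-OVBA-compressed source text. Office executes the p-code when the file was saved by the same VBA version, so a stomped file keeps malicious p-code and swaps the source for something harmless, which is what source-only scanners then see. The Python below is an added example, not EvilClippy or Outflank code: it implements the MS-OVBA decompression and flags a module that carries p-code but no source code, the pattern stomping leaves behind. It assumes the module stream and its TextOffset have already been extracted from the CFBF container (for instance with oletools’ olevba); all streams here are constructed, and the 64 zero bytes standing in for p-code are a placeholder.

```python
"""Static check for the VBA stomping pattern in an Office module stream (added example)."""
import math


def decompress_vba_source(data: bytes) -> bytes:
    """Decode an MS-OVBA (section 2.4.1) compressed container into the source bytes."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % (pos - 2))
        chunk_size = (header & 0x0FFF) + 3            # counts the 2 header bytes
        chunk_end = pos + chunk_size - 2
        chunk_start = len(out)
        if not header & 0x8000:                      # uncompressed chunk: 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):                     # each flag bit governs one token
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):           # 0 = literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # 1 = copy token; the offset/length bit split depends on how much
                # of the current chunk has been produced so far (spec 2.4.1.3.19.4)
                produced = len(out) - chunk_start
                if produced == 0:
                    raise ValueError("copy token before any literal")
                bit_count = max(4, math.ceil(math.log2(produced)))
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = ((token & ~length_mask & 0xFFFF) >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):              # copy may overlap its own output
                    out.append(out[src + i])
    return bytes(out)


def compress_literals(source: bytes) -> bytes:
    """Build a valid MS-OVBA container from literal tokens only (constructed test input).

    Real compressors also emit copy tokens; literal-only chunks are limited to
    about 3640 source bytes before they overflow the 4096-byte chunk limit.
    """
    if not source:
        return b"\x01"
    if len(source) > 3640:
        raise ValueError("literal-only chunk would exceed the chunk size limit")
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)                            # flag byte: next eight tokens are literals
        body += source[i:i + 8]
    header = 0xB000 | (len(body) + 2 - 3)            # compressed flag, signature 0b011, size
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def check_module_stream(module_stream: bytes, text_offset: int) -> dict:
    """Split a module stream at TextOffset and flag the 'p-code but no source' pattern.

    Heuristic only: the definitive check is to decompile the p-code (e.g. with
    pcodedmp) and diff it against the decompressed source.
    """
    pcode = module_stream[:text_offset]
    source = decompress_vba_source(module_stream[text_offset:])
    code_lines = [ln for ln in source.splitlines()
                  if ln.strip() and not ln.startswith(b"Attribute ")]
    return {"pcode_bytes": len(pcode), "source": source,
            "suspicious": len(pcode) > 0 and not code_lines}


if __name__ == "__main__":
    fake_pcode = b"\x00" * 64                        # placeholder, not real p-code
    honest = b'Attribute VB_Name = "Module1"\r\nSub Run()\r\nMsgBox "hi"\r\nEnd Sub\r\n'
    stomped = b'Attribute VB_Name = "Module1"\r\n'   # source stripped down to attributes
    for label, src in (("honest", honest), ("stomped", stomped)):
        verdict = check_module_stream(fake_pcode + compress_literals(src), len(fake_pcode))
        print(label, "suspicious =", verdict["suspicious"])
```

The heuristic is deliberately conservative: a module with only `Attribute` lines is what a stomped file presents to source-based scanners, while a genuine empty module has no meaningful PerformanceCache to begin with.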

Certainly the name of the tool is a tongue-in-cheek play on the name of the old Office 97 assistant, Clippy, which proved universally unpopular with most users.

A full write up and download of the tool itself can be found on Outflank and GitHub.

Recent In the Wild Office/macros threats

Below is a list of hashes we have prevented at customer sites related to malicious Office documents.

These include threats created using EvilClippy, and Word and Excel droppers used in a number of campaigns, including Emotet, Fareit, Lazarus, LockerGoga and Alcaul.

All were again prevented statically with Deep Instinct’s November 2018 model.

Shift from Web based vulnerabilities to Office vulnerabilities

This data published by researchers from Kaspersky illustrates the pivot from browser-based attacks to Office document attacks, which is an interesting trend.


FlawedAmmyy Remote Access Trojan being dropped by Excel macros – Microsoft Security advise ‘disable macros’

This last week we are seeing another successful campaign that uses Excel macros and digitally signed files to deliver a remote access trojan. Microsoft’s security team’s only advice remains to ‘disable macros’.

Cythera’s managed Protection Bundles are designed from the ground up to help your business meet emerging threats such as these, and provide you with ongoing outcome based security.

Learnings From The Trenches : Cyber Security Tips For Australian Businesses

We help a lot of Australian businesses out with security incidents, as well as recovering from hacks and breaches. Many of them can be attributed back to human error or poor security hygiene. I thought I would share some of my top tips to help you avoid a costly hack, or brand damaging breach.

Patch Patch Patch

This is an easy one. Operating system vendors don’t just release patches for new features; they’re also patching security vulnerabilities regularly. Keep desktops and laptops up to date and enable automatic updates wherever possible. Apply the same thinking to critical applications such as Microsoft Office (vulnerabilities in Microsoft Office have risen 121 percent over the last 6 years) to keep ahead of problems.

Enable Two Factor

Many successful cyber security incidents start with an account being stolen or ‘phished’. One way to help stop these attacks being escalated is to have a second factor of authentication beyond just your username and password. This means that even if an account is stolen, the attacker still has to get past the second factor, which may be a token or an application that runs on a user’s smartphone. Two factor can be enabled selectively, for example only when a user is outside your corporate network. Some 2FA vendors to consider are Authy https://authy.com/ and Okta https://www.okta.com/ .
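To show what the smartphone-app style of second factor actually checks, here is an added example that is not code from Authy, Okta or any vendor on this page: a standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP, with a verifier that tolerates one time step of clock drift and refuses to accept a code twice. The replay check matters in exactly the phishing scenario the page describes: a one-time code that a user typed into a fake login page is useless to the attacker once the real login has consumed it, and is only valid for a window of a minute or so either way. The base32 secret used in the demo is the RFC test key, not a real enrolment.

```python
"""TOTP second factor: generate, verify with a drift window, reject replay (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the matched counter, or None if the code is wrong or already used.

    Accepts +/- `window` steps of clock drift.  Any counter not newer than
    `last_counter` is skipped, so a code harvested by a phishing page cannot be
    replayed after the legitimate user has logged in with it.  The caller must
    persist the returned counter per user.
    """
    base = int(now) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as (usually unpadded) base32."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890"), used here only as a demo value
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    first = verify_totp(secret, code, now)
    replay = verify_totp(secret, code, now + 5, last_counter=first)
    print("code", code, "accepted at counter", first, "replay accepted:", replay is not None)
```

Two practical notes: the server's clock, not the client's, defines `now`, and the window should stay at one step either side; widening it to paper over drift only lengthens the time a phished code remains usable.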

Bake security into your culture and people

Cyber security is not just about technology and processes; it’s also about your people and the way they go about their day-to-day business. As a successful cyber attack can shut down your business or irrevocably damage your brand, it’s key that management and executives set a good example, as this attitude then flows throughout the organisation. Ongoing cyber awareness training to make staff more conscious of potentially malicious behaviour will improve the cyber hygiene of your business, with more mature organisations now also including cyber security training in staff onboarding.

Be Proactive

Accounts that are stolen or included in breaches often end up being sold on the dark web for use in other attacks. There are resources available for you to check if key staff accounts have been included in previous breaches. https://haveibeenpwned.com/ allows you to search for staff email accounts, and any that are discovered should have their passwords reset and two factor authentication enabled.

Have a plan

There’s a common theme with many of the companies we assist with security incidents: they didn’t plan for one. They often have a health and safety plan, and even a terrorism plan! This doesn’t need to be War and Peace; it can be a single pager on roles and responsibilities, as well as who to contact, including any cyber security partners you work with to assist in responding to incidents. If you have any regulatory bodies or government agencies you liaise with, make sure to include any reporting that may need to take place here. The Office of the Australian Information Commissioner has a good guide on data breach plans. Make sure you’re also familiar with the Notifiable Data Breaches scheme.

Engage a security partner

There’s lots of talk about the increasing skills shortage in cyber security. And let’s face it, cyber security is probably not part of your core business, so you’re constantly going to be playing catch up with a rapidly changing landscape. By partnering with a cyber security specialist you’re also subscribing to the ongoing skills and herd intelligence to help you plan and protect your business and brand from being the next headline. Just make sure they’re a specialist and not someone who’s also trying to sell you phone systems and printers.

Australia’s emerging enterprises are facing the same security risks and suffering the same incidents as the big end of town, but with much less capability to respond and protect themselves in a rapidly changing space. By baking security into your business’s DNA, and partnering with strategic cyber security specialists, you’re setting yourself up for success.

How to securely remove MPLS from your network.

Businesses with multiple locations have been stringently handcuffed to costly, complex private networks such as MPLS for years. It’s been an unavoidable cost and it’s compounded if you operate in isolated areas throughout Australia.

Even though MPLS is costly, it’s been extremely effective at securely transporting data around the world for decades. MPLS acts like a private toll road which ensures your information can travel securely from point A to B without crossing paths with anyone else’s information. On the downside, even though it’s a private road, MPLS can still get congested and there are speed limits in place to stop you going too fast. Businesses can increase the speed limit and add more lanes to the tollway, but this simply pushes up the price.

Regardless, MPLS is fast becoming obsolete. Many businesses are now utilising cloud applications like Office 365, Salesforce and thousands of other cloud-delivered applications which can be accessed from any location using an internet connection. This has enabled employers to offer flexible working arrangements, because employees can now access these applications from home or remote locations without an MPLS connection.

There are security risks with this approach, as attackers can get between users and the applications they use over unprotected internet connections with a well targeted attack. This is one of the reasons why businesses have been unwilling to completely remove MPLS or private networks when utilising cloud applications.

Another reason is that the internet can’t provide guarantees around speed or availability. In other words, businesses are hesitant to push all corporate traffic, including voice and video, solely over an unmanaged internet connection.

So where does this leave us?

Well, some businesses run a combination of networks including MPLS and internet. Certain applications are delivered over the internet using VPN overlays, and others still use MPLS. This approach works, but it’s obviously tricky, especially when managing a sprawling application set and a conga line of security devices spanning data centres operated by your business and third parties. Businesses also need to establish separate security policies for each of the networks they operate.

Cythera has a different approach which allows businesses to completely remove MPLS. It’s called Secure Network Fabric and utilises technology from Cato Networks. Secure Network Fabric utilises intelligent SD-WAN controllers and a carrier-grade backhaul network, with points of presence across Australia and extending around the world, to securely route application traffic. All you need is an internet connection. Secure Network Fabric includes a fully integrated, cloud-delivered security stack including Next Generation Firewall (NGFW), Intrusion Prevention System (IPS) and detailed reporting to monitor performance and user behaviour. Secure Network Fabric is also optimised for voice and video and includes support for desktop and mobile users.

The Cythera Secure Network Fabric removes the need for expensive, complicated MPLS networks whilst delivering enterprise-grade, unified security controls and granular network visibility.

To find out more, visit https://www.cythera.com.au/secure-network-fabric


The changing face of IT security buying

Buying IT security can be a complicated process.

Today, there are literally thousands of security vendors who all claim to have the latest and most secure product on the planet to help defend your business from cyber attack. But which ones do you pick?

Businesses must work with technology partners, vendors and industry peers to make the best security technology decisions, but this takes time, money and plenty of people from all areas of your business. To compound this problem, businesses are confronted with countless industry terms, buzzwords and acronyms that make decision making even more complicated. Do you need a SIEM, EDR, MDR, EPP, NGAV, CASB, SOC, DLP or maybe even UBA? What’s more, security solutions can often be in search of a problem which may not exist in your business, but because of slick, fear-based selling tactics businesses can make poor security technology investments which don’t solve their most critical problems.

Businesses also face confusing information from technology partners and vendors who can claim they work in unison with other technology vendors under consideration. However, when you scratch the surface they don’t work in unison or can’t easily be integrated into a single cohesive solution.

Finally, businesses are now regularly seeking consumption-based procurement options for security technology. Options include per user pricing, monthly payment plans and annuity-based cloud licensing which avoids infrastructure obsolescence. Many of these options have been available for years with other IT solutions but for some reason security has lagged. As such, businesses are stuck with large, up-front capital investments which are infrastructure heavy and may struggle to defend against new and emerging threats for the duration of the designated investment period.

To help address these problems, the team from Cythera developed the Cythera Security Platform - Protection Bundles. The bundles utilise a combination of class-leading managed security technology to defend against common and advanced security threats. The bundles are cloud delivered, easy to set up and billed on a monthly basis, per user.  No longer do businesses need to complete complex, time consuming market assessments, technology testing and procurement processes. Cythera has already scoured the market for the best security technology, rigorously tested it in a production environment and developed an easy-to-consume, subscription based commercial model with low upfront costs.

Cythera has developed a platform which helps businesses save time, money and important resources while improving their security posture for the life of the subscription service.

For more information or pricing visit https://www.cythera.com.au/protection-bundles

Compromised business partners : How hackers catch you asleep at the wheel.

This week, while on-boarding a new customer, before we could even start we needed to help them recover from a compromise they had suffered before coming to us.

A user had suffered a phishing attack and had their Office365 email credentials stolen. Email phishing is the act of sending emails purporting to be an entity (such as Google) or an individual (such as your CEO), often using a crafted email with graphics and text from legitimate emails included to fool users into entering login information or opening an attachment. The attacker can then use the stolen credentials to gain access to your organisation, or use malware the user clicks on to gain a control channel into your environment.

In this case, the malicious actor had utilised a common method to compromise a business: they had taken control of the email account of a trusted business partner, and had then sent our client an email with a Dropbox link purporting to contain a legitimate-looking business proposal.

This method is highly successful because when we receive an email from a known or trusted user, we tend to bypass our usual scepticism and control when it comes to clicking links or opening files. In this case, our client actually replied to the email and asked if it was legitimate. He got a reply: ‘Yes it is, I need you to respond to it urgently’. As the business partner’s email had been compromised, the hacker could reply themselves in an attempt to validate the email. The client then opened the file, which prompted him to log in to Office365 to access the file, and his credentials were then stolen.

So how can we better protect ourselves from these sorts of problems? Email filtering won’t always help here, as the email is actually coming from a seemingly legitimate user. But secure DNS and web filtering (such as what we deliver with the DNSProtect and WebProtect portions of our protect platform) would have helped prevent the user from entering their details into a phishing site by blocking the phishing page from displaying in the client’s browser. Not reusing passwords across accounts is another good practice to limit your exposure to any compromise should it take place. Additionally, if the Dropbox link had instead contained malware, ransomware or a remote access tool (commonly called a RAT by security operators), an endpoint protection agent such as MalwareProtect and EndpointProtect would keep you safe.
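The DNS-layer control described above works at name resolution time: when the browser asks for the phishing host, a policy-enforcing resolver answers with a sinkhole address instead of the real one, so the page never renders no matter who sent the link. The Python below is an added example, not Cythera’s DNSProtect or WebProtect, showing the resolver-side decision: names are normalised (case, trailing dot, IDNA) and walked from the most specific label up to the TLD, with an allowlist entry beating a blocklist entry at the same or a higher level so that one abused subdomain of a shared host can be blocked without taking out the whole domain. The blocklist, allowlist and query log lines are constructed; the hostnames ending in .example and .test are reserved names, not real sites.

```python
"""Resolver policy filter that sinkholes known phishing hosts (added example)."""
from typing import Iterable, List, Optional, Tuple

SINKHOLE = "0.0.0.0"
BLOCKLIST = {"phish-portal.example", "evil.example"}       # constructed threat-intel feed
ALLOWLIST = {"static.evil.example"}                        # constructed exception


def normalise(qname: str) -> str:
    """Lower-case, drop the trailing dot and IDNA-encode so unicode lookalikes compare as ASCII."""
    name = qname.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:                                   # malformed label: keep the raw form
        return name


def policy(qname: str, blocklist=BLOCKLIST, allowlist=ALLOWLIST) -> Tuple[str, Optional[str]]:
    """Return ("sinkhole" | "allow", matched rule) for a query name.

    Walks from the full name up to the TLD, so a blocklist entry for a domain
    also covers every host beneath it; at each level the allowlist is checked
    first, so the most specific matching rule decides.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in allowlist:
            return ("allow", suffix)
        if suffix in blocklist:
            return ("sinkhole", suffix)
    return ("allow", None)


def resolve(qname: str, upstream_answer: str) -> str:
    """What the client receives: the sinkhole for blocked names, otherwise the upstream answer."""
    verdict, _ = policy(qname)
    return SINKHOLE if verdict == "sinkhole" else upstream_answer


def filter_log(lines: Iterable[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Replay constructed 'timestamp client qname' query lines and record each verdict."""
    results = []
    for line in lines:
        _ts, client, qname = line.split()
        verdict, rule = policy(qname)
        results.append((client, normalise(qname), verdict, rule))
    return results


# Constructed query log; 10.0.0.21 mirrors the client in the incident above.
SAMPLE_LOG = [
    "2019-06-03T09:14:02 10.0.0.21 www.dropbox.com.",
    "2019-06-03T09:14:05 10.0.0.21 LOGIN.Phish-Portal.Example.",
    "2019-06-03T09:15:10 10.0.0.33 cdn.static.evil.example.",
    "2019-06-03T09:15:12 10.0.0.33 mail.evil.example.",
]

if __name__ == "__main__":
    for client, name, verdict, rule in filter_log(SAMPLE_LOG):
        print(f"{client:<10} {name:<30} {verdict:<9} rule={rule}")
```

The sinkhole verdicts are also the detection signal: a single client resolving a blocked host seconds after a Dropbox lookup is the trace an analyst wants to see in the SIEM, which is why the filter records the matched rule and not just the answer.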