Multi-factor authentication made easy

Multi-factor authentication made easy

It’s multi-factor not multi-app

Many of you will I hope have implemented multi-factor authentication (MFA) when using remote access. If you haven’t then please see my article here and then get your IT team to set it up. The majority of MFA (or two-factor) implementations will use an app on a smartphone and will ask the user to press approve or to enter a code shown on the screen (but not an SMS). Due to the widespread use of Office 365, you may be using the Microsoft Authenticator app. But if you have tried to set up MFA for cloud based applications such as Xero, WordPress, RealMe and MailChimp you will see that they ask you to use Google Authenticator. So you could end up with two authenticator apps for different web sites or services.

One app to rule them all

But you can in fact use one app. Both the Microsoft and Google Authenticator apps are based on the OTP (one time passcode) standard. So if you see a cloud service asking for Google Authenticator, you can scan the QR code with Microsoft Authenticator and it will work. I have logins for Azure, 365, MailChimp, Xero, RealMe, Buffer and two different WordPress sites set up on my Microsoft Authenticator app.

Using Microsoft sites with Google Authenticator takes a bit more work. When asked what mobile device you would want to install the app on, choose Other. You will then see the QR code that you can scan with Google Authenticator.

The future

The use of multi-factor authentication is growing, especially as on-premise software such as MYOB becomes cloud-based. And many organisations, especially government departments, are making MFA compulsory for their online services. Using  a mobile app as the second form of authentication (in addition to your password) means that you can log in even when you don’t have cellphone reception (the code the app shows you does not depend on a signal). And using one app rather than two makes it even easier.

If you’d like to understand why you should be using MFA to secure your data and operations, and the other cyber security risks you should consider and minimise,  then please get in touch.

0 comments on “Cyber Insurance – check the fine print”

Cyber Insurance – check the fine print

Cyber Insurance - check the fine print

Why should my business have an  Independent Security Review

When we provide Independent Security Reviews for clients, the first thing we do is sit down with them to understand their business, what type of information they hold, where they store it, what type of financial processes they have, and how they interact with their clients.

We use this information to perform a threat modelling exercise, where we think about how a criminal could attack the business, what effort would be required, and what the return would be.

The result is a list of threats, based on real-world data (what attacks are actually happening to other companies) and on their relevance to the client (do they have information, systems and processes that are vulnerable to this type of attack).

The Threat Model

The threat model determines where we test and probe, and where we ask further questions, both of the client and of their IT company. And we use it when we look at how ready the client is to respond to a successful attack, and whether they could limit the damage caused.

For many clients the only response plan they have in place is a cyber insurance policy.  There is more that a company should do in terms of planning for a cyber security incident, and we provide recommendations in that area.

Issues with policies

We review the cyber insurance policy against the threat model, to see if the client is really getting the protection they think they are. And we find in the majority of instances that they are not, and that their cyber insurance policy excludes a major risk that they think would be covered.

This omission included those policies that only covered malware that was specifically written for the client (unless you are Sony this is unlikely to happen), and ones that only cover online fraud if the criminal has hacked into the client’s system and made the bank transfer themselves. But in fact the  majority of online fraud happens as a result of criminals persuading staff to pay funds to the wrong bank account.

What should I do next

If you’d like to understand what your real risks are, how to minimise them, and how to limit the damage of a cyber security incident, then please get in touch.


Privacy Update – May 2018

Privacy Update - May 2018

2018 is going to be an interesting year for privacy, both in NZ and internationally. There are three main reasons.

Australia – Mandatory Reporting of Data Breaches

This came into effect on the 22 February 2018. If you have a business entity in Australia with an annual turnover of  over $3m then you will fall under the Privacy Act and the new Notifiable Data Breaches amendment. If you suffer a data breach that  “is likely to result in serious harm to any of the individuals to whom the information relates”, then you must notify the Australian Privacy Commissioner and the affected individuals as soon as practicably possible. The amendment defines a data breach, serious harm, and also qualifies what remedial steps a business could take to remove the risk to individuals, which would mean that they no longer had to notify the breach.

Europe – General Data Protection Regulation

This comes into effect on the 25 May 2018. It provides protection for people residing in the EU. Businesses in NZ will fall into the scope of GDPR if they

  • have a business entity in the EU
  • provide services (paid or free) to people residing in the EU
  • market to people residing in the EU (including profiling them using web technologies)

It does not apply if someone from the EU is able to access your website – you have to be targeting your services to them. And it does not apply to EU citizens residing outside of the EU – so no need to ask your clients about their citizenship in order to comply with GDPR. Travel and tourism companies are likely to need to comply, as will Internet startups who market their services to the EU. As the law is new, it will take a while for any ambiguities to be ironed out.

New Zealand – Update to the Privacy Act

After a couple of reviews over the past two decades, our Privacy Act is finally getting an update. Submissions close on the 24 May 2018. Currently included in the draft Bill is mandatory reporting of data breaches, and it’s likely that other requirements will be strengthened to keep our laws close to the level provided by GDRP (though perhaps not as stringent). NZ currently has “adequacy” status with the EU, which means that personal information can be transferred to NZ without businesses having to take additional measures. We will want to maintain this status (only 12 countries have this).


You’ve probably seen new privacy policies being issued by a lot of organisations. They’ve taken the time to review and update their terms, prompted by GDPR. Even if you’re not doing business in Australia or Europe, its worth reviewing the personal data you collect and hold, how you are securing it, and whether your privacy policy reflects this.

If you’d like to discuss this area in more detail, please get in touch.

Protecting your reputation

Protecting your reputation

Email phishing remains a constant problem for businesses. Whilst implementing an email anti-spam/anti-virus solution can cut down on the amount of phishing emails your staff might receive, some will still slip through.

This leaves your staff as the last line of defence. They need to know how to spot phishing emails – by looking at the address it was sent from, the wording etc. Our new online training course can help with this and has a lesson dedicated to email security.

The majority of phishing emails are sent from addresses that are:

  • random (
  • throwaway (
  • have one or more letters changed (

Staff can spot these with some training – especially if the wording in the email causes suspicion.

But some emails are sent from an address that looks genuine – for example.

There are a couple of ways this can happen:

  • criminals gain access to a staff member’s email account
  • criminals spoof the email domain

These phishing emails can be very hard to spot – especially if they have been received from a trusted business partner. I’ve seen a number of phishing emails received by my clients that appear to come from suppliers. They were from people in organisations the clients trusted, and so they clicked the links. When it was discovered that they were phishing emails, it caused some concern about the security measures in place at the business partner, and whether the client’s information was safe with them.

Whilst receiving phishing emails is a constant risk, you certainly don’t want to be in the position of appearing to have sent them (or to have actually send them because an email account has been hacked). That would certainly damage your reputation.

Thankfully there are ways that you can protect both your business and your clients from these types of emails. Before I go into what you can do, I’ll quickly explain the technologies involved.

  • Two factor authentication – most people should know what this is (I’ve written about previously). Its main use is to protect remote access to email accounts, remote desktop servers and web applications. Once you enter a correct username and password, you need to enter a code from your mobile phone (or click an app)
  • Sender Policy Framework (SPF) – this lists the email servers that are authorised to send email on your behalf
  • Domain Keys Identified Mail (DKIM) – this adds a secret encrypted key to the email to prove it came from your business (or someone you have authorised – MailChimp for example)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – this tells the receiving email server what to do if an email it receives fails the SPF or DKIM checks – either report it to you (monitor mode), put it in the recipient’s junk folder (quarantine), or block it entirely (reject)

Many organisations use DMARC, DKIM and SPF to authenticate the emails they send – including BNZ, Xero , PayPal, ANZ, Westpac and IRD

Emails you receive 

  • Make sure your email server is set to check and  act on DMARC rules for the emails it receives (most email servers do this)
  • Make sure your suppliers / trusted partners have implemented two factor authentication for remote access to their email. This should form part of the security standard you ask them to agree to.
  • Make sure your suppliers / trusted partners have implemented SPF, DKIM and DMARC for the emails they send out. Once again this should form part of the  supplier security standard

Emails you send

  • Make sure you have implemented two factor authentication for remote access to your email (do this for any remote desktop servers as well). This is really becoming an essential part of IT security for a business
  • Implement SPF, DKIM and DMARC for the emails you send out. You need to make sure you have thought about all of the parties who send email on your behalf – including marketing programs, scan to email devices etc. You should set DMARC in report mode for the first month, which will allow you to see if there are any emails that would fail the checks, and why. Once you are happy that genuine email would get through, then set DMARC to reject mode

Implementing the above is not hard and significantly reduces both the risk to your business reputation and the risks from your suppliers.

If you’d like to discuss this area in more detail, please get in touch.

Securing Credit Card Payments

Whether you are an online retailer who has taken credit card payments for years, or a business who has started to take credit card payments as a way for clients to pay their bills, there are a few important things you should consider.

Any business taking credit card payments will have signed a merchant agreement with their bank. One of the terms of that merchant agreement is that the business needs to comply with the Payment Card Industry Data Security Standards (PCIDSS). These cover the security measures required to keep credit card information secure.

Here are links to the PCI DSS pages of the major banks





Many businesses will not realise that they have this contractual obligation. Even if you use a 3rd party payment gateway, you still need to confirm that the rest of your website is secure. Criminals can compromise your website so that credit card details are stolen whilst clients believe they are being entered into the secure payment gateway.

If criminals do manage to steal the credit card details of your clients, the penalties from your bank can include:

  • Fines of up to USD 500,000
  • A mandatory review of your security (at your cost)
  • Removal of your ability to take credit card payments

And your reputation with your clients will obviously suffer. This can have a far greater impact. You may have implemented security measures in other parts of your business, but the loss of credit card data will make clients question whether you can be trusted with the rest of their information.

To avoid this outcome, businesses need to do the following:

  • Make sure your website is secure
  • Make sure that any other methods of taking credit card payments are secure (for example over the phone or in person)
  • Make sure that credit card information is stored securely (it’s best not to store it at all)
  • Complete an annual Self Assessment Questionnaire (see below) stating that you have taken steps to secure your website
  • Run vulnerability scans of the website each quarter to prove that it is is still secure

Our PCI DSS Compliance Service is a cost-effective way for you to meet your obligations and reduce the risk to your clients and your business.

We work with you and your web developer to complete the Self Assessment Questionnaire.  If there are areas where you are non-compliant we will provide recommendations to bring you up to the required standard.  And we scan your website every month to look for vulnerabilities that could be used by criminals. If the scans show issues we advise you and your web developers and provide recommendations on how to resolve them.

If you’d like to discuss this service in more detail, please get in touch.







1 comment on “What Equifax did wrong”

What Equifax did wrong

Much has been written about Equifax’s poor response to their data breach. But how did they get breached in the first place, and what would have limited the damage?

On the 6th of March 2017 Apache announced a bug in Struts, which is software used in web servers. The following day, a proof of concept was publicly released to the Internet showing how the bug could be used. Three days later (the 10th) Equifax was hacked via the Struts bug. The hackers then install code on a number of servers which they can use to transfer data out of the company.

A patch for the bug had been issued within days of its discovery. Equifax patch their vulnerable servers on the 30th of June (including the ones that had been compromised) but do not notice anything wrong.

On the 29th of July Equifax discover they have been hacked and on the 30th of July they boot the hackers out of their servers. They don’t disclose the breach until the 7th of September, with senior executives selling large quantities of shares in the intervening period (something the SEC is investigating). When they do disclose the breach, they bungle the communication and try to get affected customers to sign away their rights to sue.

But back to the time of the hack. I’m sure that if you are responsible for IT infrastructure you will know how difficult it can be to patch servers. And four days is not a lot of time to do so. What else would have helped prevent the hack, or limited the damage?

  • Security Information and Event Management (SIEM) – these types of logging and alerting solutions look for suspicious events in log files and raise alerts to the IT team that a server may have been compromised
  • File Integrity Monitoring – often integrated with SIEM solutions, this would have raised an alert if a critical system or web configuration file had been changed
  • Network monitoring – the hackers moved a large amount of data from Equifax systems to the Internet. This would have shown up, either in the firewall logs or in the server logs, if it had been monitored and if an alert had been raised
  • Asset management – some of the information the hackers took came from legacy databases that had not been decommissioned. These should have been identified and removed as part of a regular review
  • Access restrictions – the compromised web servers were sitting in a DMZ. Good access restrictions.may have reduced the ability of the hackers to  use compromised web servers to take information from internal databases
  • Honeytokens – these can be made to look like files or be implanted in databases. When a hacker opens the file or queries the database, an alert is sent to the IT team

If your organisation has data that it needs to protect, we would suggest that you start by understanding your assets (where they are, how they can be accessed) and your risks (how valuable are they to others, what would be the impact if they were stolen). With this understanding, you can use a framework such as the CIS Controls to ensure that you are putting the right measures in place and that any investment you make, whether in time or money, is creating the most reduction in risk.

NotPetya – what to do

NotPetya - what to do

To call NotPetya ransomware is a bit of a misnomer. It is malware dressed up to look like ransomware. The aim does not seem to be monetary (as the payment methods were so poorly implemented and have now been blocked), but instead it has been designed to cause widespread disruption and destruction. It first hit machines in Ukraine via a compromised update for an accounting package, and spread from there.

It looks for a certain file before launching (to see if the machine has already been infected) which means that a vaccine can be created to guard against it (click the link for details). You may also want to get your IT team / partner to block the execution of perfc.dat, perfc.dll and psexec.exe (which the virus uses to jump from machine to machine within a network).

The usual advice still applies – make sure that Windows machines (servers and workstations) have the latest patches (especially MS17-10 which was released in March), make sure your firewalls are correctly configured (including personal firewalls on laptops) and make sure you have backups of servers and critical workstations.

This virus showed a major jump forward in sophistication. Not only did it use NSA exploits (as did WannaCry) but it also incorporated password stealing functionality  (Mimikatz) usually employed by hackers who are after corporate information. This  enabled it to use those passwords to infect patched machines as long as they were on the same network.

Organisations are going to have to invest more time in ensuring that their IT systems are secure, including strengthening the security of accounts, workstations and servers.

This isn’t the only NSA exploit that was stolen, and the inclusion of more sophisticated hacking tools in the virus shows an escalation in the methods that virus writers are employing.  Patching helps, but it’s not the complete answer.

Avoiding data breach mistakes

Many data breaches are inadvertent, caused by staff emailing a document to the wrong person. This can lead to embarrassing phone calls, and in the worst cases reputational damage and loss of revenue.

Clearly naming documents helps to prevent this. If a document contains confidential or personal information, its name should show that  – either by including the client name (so it isn’t sent to the wrong client) or the words confidential, internal or private. This provides a visual clue to the person sending the email before they click Send.

Anyone who has tried to recall a message using Outlook will know that it does not work, and can often highlight your mistake to the recipient, ensuring that they will open  the attachment. For increased security, and the possibility of stopping the document being read by the recipient and sent to others, a file sharing service should be used. This allows you to send a link to the document, rather than an attachment. If you realise you have made a mistake, you can stop the link from working, and prevent access to the document.

There are a number of file sharing services which store your files in New Zealand or overseas. If you are using a document management system, it may offer a file sharing module. There are a few important things to consider before choosing a file sharing service, including the security of the service itself. Please get in touch if you’d like some assistance in this area.


A pragmatic approach to cyber security

Most businesses will have heard about cyber security attacks, or may have experienced attacks themselves. They may also be aware of new attacks that are taregting their industry. But the issues for many businesses is knowing what action to take to reduce their risk of attack. There are numerous standards including NIST and ISO27001, but they take time to understand and implement, do not easily translate into actions that businesses can take, and can be too unwieldy for smaller businesses.

We like to take a more pragmatic approach to reducing cyber security risks for clients, by using the Critical Security Controls from the Centre for Internet Security (CIS Controls). These are a concise, prioritised set of recommendations that are based on combating real attacks that have hit businesses. There are twenty controls, each of which contain a number of recommendations. Implementing the controls significantly reduces the risk of a cyber attack.

The first five controls can be summarised as follows:

  1. Inventory authorised and unauthorised devices. Make sure you know the servers, PCs, mobiles, switches, routers etc. that are part of your system. This includes virtual servers in public/private clouds. Understanding that devices are present will enable you to pick up unauthorised devices, and old devices that have been forgotten and are now unpatched and insecure.
  2. Inventory authorised and unauthorised software. Make sure you know the software that should be running on your servers, PCs etc. This also includes authorised and unauthorised SaaS applications. Understanding the software that should be running will enable you to implement application whitelisting, which will significantly reduce the risk of malware (including ransomware) being able to run on your system.
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. This includes ensuring that there is a standard and secure way of implementing servers and workstations, that administration of servers and devices are secured, that laptops and mobiles are encrypted, and that Group Policy is consistently applying secure settings on servers and workstations. Failing to do this can lead to workstations installed without anti-virus and servers that allow unlimited login attempts by criminals.
  4. Continuous Vulnerability Assessment and Remediation. This includes making sure that all servers, workstations, databases, applications and websites are patched on a regular basis (using automation if possible) and implementing regular vulnerability scans. Unpatched systems are the cause of over 40% of successful cyber attacks.
  5. Controlled Use of Administrative Privileges. This includes changing default passwords on devices such as firewalls and routers, ensuring that administrative permissions are limited to only those people who need them, that two factor authentication is used for adminstrator logons, and that failed login attempts and the creation of new administrators are investigated. Many broadband routers are installed with the default password unchanged. These can easily be discovered  and compromised using IoT search engines such as Shodan. A compromised router can redirect you to fake websites which steal credentials.

Whilst the first five controls are regarded as essential (and mirror the Strategies to Mitigate Cyber Security Incidents developed by the Australian Signals Directorate) we look at all twenty controls when performing an independent security review for a client. We consider the business assets (information, databases, processes) and likely ways that they would be attacked (ransomware, fraud).  Our clients get a clear idea of their areas of risk, and prioritised recommendations on measures they can take that will have the greatest impact in reducing those risks.

Lessons from the iPhone hack

In August 2016 a serious vulnerability was discovered for the iPhone. A patch was released, and you should install it today by going to Settings, General, Software Update. If your version is 9.3.5 or later you have the patch.

The hack (named Trident) that targeted the vulnerability does not appear to be widely used. It was part of a targeted attack against a human rights activist and was designed to load government level espionage software (named Pegasus) that would have tracked the user’s location, given access to the camera and microphone, and allowed the copying of emails, text messages, contacts and other information.

Whilst this is thought to be a state-sanctioned attack (the UAE is suspected), it has raised concerns that iOS, which was thought to be very secure, is vulnerable.These concerns need to be tempered as:

  • The hack and the malware it was designed to load are very expensive to purchase (possibly a million USD or more) – the average cybercriminal is not going to spend that amount in order to grab information that might lead to a payoff when there are cheaper methods available
  • The vulnerability was patched very quickly – Apple was alerted on the 15th of August, and a patch was released 11 days later on the 26th

Aside from installing the patch, there are a few other things you can do to protect yourself whilst using your iPhone and iPad:

  • Don’t click on links in unsolicited emails or text messages – if you are unsure just delete them
  • Be careful about the websites you browse to. If the web address looks suspicious, it probably is

These good habits should also be applied to the emails your receive and websites you browse to from your computer.

In addition, you should:

  • Set a pin code – it is this that encrypts the contents of your iPhone/iPad
  • Use two-factor authentication – this notifies you when a change has been requested to your Apple account and asks you to confirm it. If you are running iOS 9 you can find this under Settings > iCloud > tap your Apple ID, Tap Password & Security, Tap Turn on Two-Factor Authentication. For earlier versions, it’s called two-step verification, and you’ll need to go to your Apple ID account page ( ) to turn it on

If you have colleagues or family with Android phones they need to make sure that they have antivirus loaded, and have updated their phones to the latest patch. Because of the lower level of security around Android apps (17% of them are malware), many Android phones have been hacked. This enables criminals to obtain copies of emails, text messages and other information.

In regard to anti-virus for iOS, it really depends on how cautious you want to be. There are anti-virus products available, but the locked-down nature of iOS means that they can’t really do much scanning . However, the ones that include a check for malicious websites are worth considering, especially if you are in a corporate environment that requires a high level of security.

If you’d like to learn more about how to secure your firm against cybercriminals, using both technology and training, then please get in touch.

And if you’re interested in the details of the attack against Ahmed Mansoor then Citizen Labs, who discovered the vulnerability, has full details at this link