cyber news and updates
In this newsletter, we cover:
- Recent dotSec certification achievements and training news.
- Read about a recent dotSec GRC project that focused on ISO/IEC 27001:2022 preparation.
- Meet Gautham, Head of Governance, Risk and Compliance (GRC) at dotSec and learn more about dotSec’s GRC services.
Cyber security expertise through training
The dotSec ethos is to ‘provide a good working environment for smart people to achieve great outcomes’. dotSec provides significant opportunities and funding for ongoing staff training including study during work hours and funding full certification fees. This investment enables staff development and the delivery of cyber security expertise and services that are informed by up-to-date knowledge.
To that end, three of dotSec’s staff were awarded new certifications in June and July:
- Geoff Wilson: OffSec Certified Professional (OSCP)
- Prabal Sahoo (Head of Managed Services): PECB Certified ISO/IEC 27001 Lead Auditor
- Joshua Allen: Splunk Enterprise Security Certified Administrator
In addition, dotSec has been doing its part to help the Cyber Security community to learn new skills. In the spirit of this year’s AusCERT conference theme ‘Pay It Forward’, dotSec gave away training prizes including:
- 1st Prize: an All Access Membership to TCM Security
- 2nd Prize: a VIP Training Pass to Hack the Box
- 3rd Prize: a Practitioner Certification Exam for PortSwigger
dotSec also helped out one of the CrikeyCon IX attendees by covering the cost of their OSCP exam.
dotSec has also sponsored CrikeyCon IX (as a platinum sponsor for the 2nd year running), helping to support this exciting local event, which always provides a valuable forum for knowledge sharing, newcomer experience and friendly competition.
GRC case study
National Software Development Company: ISO/IEC 27001:2022 Certification Preparation
CLIENT:
Our client is a national software development company that undertakes software design, development, deployment, integration and maintenance projects for commercial and government customers. In these roles, our client is granted access to sensitive information and systems owned by its customers, and those customers are keen to ensure that their information and system assets remain secure.
BUSINESS CHALLENGE:
Our client needed to become compliant with ISO/IEC 27001:2022 for two main reasons: firstly, to meet compliance requirements that were increasingly appearing as a key requirement in new project tender documents; and secondly, to demonstrate to interested parties (e.g. customers, business and supply chain partners, senior management, insurers) that information assets are actively being protected.
SOLUTION:
dotSec designed and implemented a project consisting of two phases: firstly, a gap analysis of the company’s current state in relation to the mandatory requirements for ISO/IEC 27001:2022 certification; and secondly, following the gap analysis, preparation for ISO/IEC 27001:2022 certification.
During the project, we completed the following tasks:
- A risk assessment in order to decide upon policies and controls.
- Assistance with creation of required ISMS process, policy and procedure documentation.
- Assistance with operation of the ISMS for a period of time to collect evidence that the ISMS was operating effectively and efficiently, and that the process of continual improvement had been well understood and executed.
- An internal audit of the ISMS.
RESULTS:
The project was a success and our client was issued with a certificate of compliance by an independent, external auditor. Our client now has a considerable market advantage in negotiating contracts with new clients and business partners since the certification provides confidence to interested parties that our client’s information assets are being actively and effectively protected.
The dotSec GRC team works with organisations to identify and address security gaps, using compliance frameworks to ensure completeness and security maturity, and reduce overheads and risk.
Contact the dotSec GRC team to talk about the steps that can be taken to improve organisational GRC.
Meet Gautham
Head of Governance, Risk and Compliance
Gautham, Head of Governance, Risk and Compliance (GRC) at dotSec, is a PCI DSS Qualified Security Assessor (QSA), an ISO/IEC 27001:2022 Lead Implementer and an ISO/IEC 27001:2022 Lead Auditor.
Gautham also holds several related cyber security certifications including CISA, CISM, CRISC and CDPSE, and a Master of Information Technology (Computer Networks and Information Security).
Gautham has extensive cyber security knowledge and works closely with our clients to deliver dotSec’s Governance, Risk and Compliance (GRC) services, including:
- Security Maturity Assessment
- ISO/IEC 27001:2022 Certification Preparation
- PCI DSS Level 1 QSA Assistance and Assessment
- Table Top Exercises
- CIS Essential Controls, NIST CSF and ASD/ACSC Essential Eight
Cyber security expertise - It's a real thing!
dotSec staff are highly trained and hold a wide range of certifications and degrees, including:
- ISO/IEC 27001:2022 Lead Implementer
- ISO/IEC 27001:2022 Lead Auditor
- Payment Card Industries Security Standards Council (PCI SSC) Qualified Security Assessor (QSA)
- Splunk Enterprise Security Administrator, Cybersecurity Defence Analyst and Enterprise Administrator
- OffSec Certified Professional (OSCP)
- Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified Data Privacy Solutions Engineer (CDPSE)
- Various university degrees including BSc, MSc (computer science, computer networks, security, and electrical engineering), and PhD (computer science, distributed computing, mathematics and physics, and human-computer interaction)
Contact the dotSec team and find out more about how dotSec’s passion for training and skills enhancement can help you with your cyber security risk management.