
What do ASD Essential Eight changes mean for your organisation’s security


By Alex Duffy, Security Solutions Architect, emt Distribution 

The recent (25/2/19) and unexpected update to the Australian Signals Directorate’s Essential Eight Maturity Model keeps the ASD’s guidelines relevant going forward and addresses the latest weak points in IT security. What stays the same is the ASD’s practical guidance on how to stay ahead.


While these guidelines are specifically relevant to federal government organisations’ critical infrastructure, they are now being pushed indirectly to contractors and businesses who work with the federal government. Even though these guidelines may not be mandatory for private businesses, they are best practice. If they are good enough to safeguard our political, defence and economic interests as a nation, they should be appropriate to safeguard our businesses from the majority of possible cyber security attacks and incidents.


This recent update sees fewer restrictions around patching but a higher level of control on Application Whitelisting, which has now been extended to all workstations for levels 1 and 2 of the maturity model. Multi-Factor Authentication no longer permits the use of SMS, emails or voicemails for level 1 maturity, and the model specifically states a requirement for passwords to be longer than six characters at all levels.


But what does this actually mean for today’s IT professionals?


These changes reflect the changing priorities required to address today’s threat landscape. With the loosening of controls around patching, the ASD acknowledges the balancing act that security personnel must perform in certain environments. There is a clear acknowledgement of the dilemma between patching that may break functionality and maintaining a secure, strictly compliant environment. Reducing the burden on already overworked IT admins while allowing better automation removes overhead without reducing security.


The higher importance placed on Application Whitelisting definitely reflects what we see in the marketplace. With Application Whitelisting now available as a mature solution, it is reasonable to expect organisations to use it across their entire environment. Increased visibility of endpoint applications alone makes life easier for security, helpdesk and management alike, and stops more endpoint threats before they reach any part of the network.


We also see the combined focus on patch automation and the increased scope of Application Whitelisting as acknowledgement of a more distributed workforce’s security needs and of the greater difficulty of controlling remote endpoints.


The more specific wording for Multi-Factor Authentication also recognises how threat actors are now working around basic MFA, and endeavours to close those weak spots.


There are now only three maturity levels instead of the original five: Partly (level 1), Mostly (level 2) and Fully (level 3) aligned. Level 0 is no longer listed as it doesn’t meet even the most minimal criteria and level 4 is only required on an ad hoc basis depending on advice from the ASD. These changes assume that organisations will now at least begin to adhere to these standards to a degree and give a clear path to full alignment at level 3.


The biggest takeaway from this update appears to be that it is no longer reasonable for a business entity to not address the Essential Eight, especially with the removal of level 0. If a business has not yet met the criteria for level 1 then its current security measures are faulty and need immediate remediation.

We welcome this specific update because it reflects what our customers have been demanding already. emt’s focus on security solutions addresses the Essential Eight and beyond to ensure our customers’ networks are ahead of requirements using the latest technologies. We already have solutions that address the Top 4 – Airlock Digital, Flexera, Stealthbits, and Thycotic.


Read more about our solutions for Top 4 mitigations at



Flashpoint Intelligence on APAC-ANZ Cyber Activity to Guide Upcoming Risk Decisions

Author: Aaron Shraberg, Flashpoint


Geopolitical and economic tensions between the United States, China, and North Korea figure to steer risk management decisions in the Asia-Pacific region for the coming months. Organisations, such as some recently targeted financial services institutions in Australia and New Zealand, should closely monitor cyber and political activity in the area.

The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC. While most threat actors targeting organisations in the region are financially motivated, nation-state activity remains a potent threat against government and diplomatic entities, as well as financial organisations, as nations such as North Korea continue to fund operations through hacking.

Political and Economic Events to Watch

As 2019 progresses, the ongoing trade conflict between the U.S. and China could spur an uptick in cyber activity against the U.S. and its closest Five Eyes allies, further eroding the Xi-Obama agreement to cease China’s industrial espionage activity for economic gain.

Last year, a limited number of named APT outfits operating in the region were alleged to be behind high-profile compromises and thefts of data and/or funds from global financial institutions, attacks on various multinational firms via third-party providers, and campaigns against the cryptocurrency industry.

North Korea is likely to remain a stressor in the region. It is unlikely to unilaterally disarm its nuclear program, and will likely ramp up its cyberattacks against APAC, ANZ, and Western financial institutions, as well as cryptocurrency exchanges in order to finance the regime and its activities. Organisations should also monitor unresolved disputes over ownership and militarisation of parts of the South China Sea, debates over the integrity of Huawei and ZTE devices in Western networks, and other events in the region that could impact businesses in ANZ and APAC.

While some criminal organisations operating in ANZ and APAC are believed to be behind Eastern European outfits in terms of experience and capabilities, APT activity from China and North Korea is considered highly advanced. Organisations in the region should be aware of campaigns linked to criminal groups or nation-states in the area, and of some of the tactics, techniques, and procedures (TTPs) employed by these groups.

Advanced TTPs Coming out of APAC-ANZ

Some TTPs include commonplace first-stage attacks such as phishing or spear-phishing emails and watering hole attacks. These groups also have at their disposal banking Trojans, malware that seeks out and steals credentials, and ransomware, among others. Many criminal groups are proficient in activity to facilitate carding and reshipment fraud, the theft and sale of personally identifiable information, as well as more technically involved operations, including the sale of compromised RDP hosts, developing proxy and anonymization tools (to circumvent law enforcement and censorship efforts), and other tactics to carry out fraud.

Some attackers are also making use of publicly available exploits for common vulnerabilities in Apache Struts, Oracle products, Adobe Flash, Microsoft Office and others. Most of these vulnerabilities have already been publicly disclosed and patches are available, meaning that threat actors in the region are opportunistic, capitalising on lax patching efforts or under-resourced IT organisations to exploit these security flaws.

Already this year, financial institutions in Australia, Japan, and elsewhere have reported being targeted by a new spam campaign using the Hancitor dropper to infect machines with the Gozi information-stealing malware. Gozi, also known as Ursnif, packages up banking and other account credentials from an infected machine and exfiltrates them to an attacker-controlled server. Variants of the banking malware have been active since 2014 and frequently target Microsoft Office vulnerabilities to gain a foothold on unpatched machines.

Malware-based attacks aren’t the only means of profit for threat actors in the region. Late last year, several Chinese-language Deep & Dark Web forums contained posts advertising the availability of fraudulent identification cards from Australia, New Zealand, several locations in Europe, as well as North America. The fraudulent documents would allow, in some regions, the ability to travel without additional visas, vote in elections, or open bank accounts, for example. Another post also advertised processing of identifications and passports from Australia, New Zealand, Canada, France and Germany, opening the door to citizenship in some of those locations, in addition to the previously mentioned capabilities.


Enterprises in Asia-Pacific, Australia, and New Zealand will have impending risk management decisions guided in some part by the fragile geopolitical and cyber climate in the region. As the U.S., China, and North Korea tug at each other’s shirttails in cyberspace and in the political arena, businesses will continue to be targeted by criminal and state-sponsored outfits operating in APAC and ANZ. Any erosion of these diplomatic or economic relationships will trickle down to businesses in the area, and threat activity targeting countries and companies in APAC-ANZ will be influenced accordingly.


About the Author

Aaron Shraberg is Senior Analyst on the Asia-Pacific intelligence team at Flashpoint. He speaks Mandarin and specialises in analysing key trends, threat actors, and campaigns emanating from the region, with an emphasis on China. Prior to Flashpoint, Aaron held roles in foreign policy and national security research for organisations including the Institute for International Economic Policy, DGI, and Kharon. He received a bachelor’s degree in literature from the University of Kentucky and a master’s degree in Asian studies from The George Washington University.

Flashpoint empowers organisations worldwide with meaningful intelligence and information that combats threats and adversaries. Headquartered in New York, Flashpoint has offices in Melbourne, Australia and is distributed in Oceania and South East Asia by emt Distribution.

emt Distribution survey finds 85% of MSPs see growth potential in password or privileged account management as a service

EndPoint Protector overview


Protect your endpoints with Endpoint Protector by CoSoSys, a solution already used on over 30 million devices. Endpoint Protector lets you choose what gets moved on your network and to which device, backed by a complete logging and reporting suite.

The feature-rich nature of Endpoint Protector (EPP) makes it a comprehensive solution for businesses, enterprises, critical infrastructure, utilities and governments requiring strong control of portable media/devices and protection of sensitive data at rest and in transfer. Features include:

  • Content Aware DLP, which helps ensure that data leaving through exit points such as email and cloud file transfer solutions doesn’t contain confidential information
  • Device Control of removable devices on Windows, OS X and Linux platforms, with device rights, custom classes, file tracing and shadowing, device blocklists and whitelists, and alerting
  • eDiscovery, which gives visibility into sensitive data at rest and lets you apply remediation actions to help prevent data leaks
  • Mobile Device Management, which adds protection and control to mobile devices, including geofencing, tracking and logging, and mobile application management

The administration console is intuitive and easy to navigate, and configuration is quick to pick up. Implementing DLP policies is a straightforward process, yet incredibly powerful and flexible.

Speak to us today about looking through this fantastic data loss prevention solution!

Reward your hard work – Introducing Secunia Deal Registration

It’s no secret how much work goes into growing an opportunity with a customer from an idea or quick conversation, through evaluation and proof of concept, and finally to close. After the weeks or months of work that you put into the process, the last thing you want is for a competitor to come in and take it away from you. Wouldn’t it be nice to have a way to protect the hard work you have put in, and possibly also gain an extra discount margin to make the sale even more lucrative for your business?

Strangely enough, there is a way: introducing the “Secunia Deal Registration Program”.


The concept behind the program is simple in its design and yet provides a large help to your business as a partner trying to get the customer over the line. By registering an opportunity, the partner can increase the discount margin and protect the deal from being won by a competitor. The opportunity can only be registered to one partner, which leaves competing partners with a lower margin and hence helps secure the deal for you. The only requirements for the opportunity to be accepted are that it is not previously known to Secunia and that you are an approved Silver Partner. Should you be successful in registering the deal, you will also receive deal registration approval for the renewal, further protecting the investment you put in!

Deal Registration benefits include:
1. Dedicated technical support and sales support for customer meetings
2. Special pricing support
3. Installation and product configuration support
4. Training
5. MDF funds (Gold partners only)

Head over to the FAQ for more information (see below) and, as always, feel free to contact me or the team at emt for any further information.

Joining the team

Having the last name Hack, it now seems inevitable that I would end up working for a company specialising in security products, and so here I am, joining the emt team as the pre-sales engineer for the Secunia products.

My name is Adam and I have been working in IT (amongst other things) for around 6 years now, having previously dealt with ISPs and MSPs before settling into this new role. Ever since I started back in my first helpdesk job with a prominent South Australian ISP in 2007, security has been a keen interest of mine and one which I intend to continue to grow. Being able to deal directly with the software that operates in the security space is an opportunity I am looking forward to, and I intend to work closely with partners to help them grow.

With that in mind, don’t be shy to come find me on LinkedIn, shoot me an email or give me a call if you wish to discuss anything.

emt to distribute Acunetix


Today we are pleased to announce that emt Distribution will begin to exclusively distribute Acunetix products throughout Australia and New Zealand.

Used by IT security administrators, penetration testers and web developers, Acunetix Vulnerability Scanner is one of the leading tools on the market for detecting vulnerabilities. It’s an easy-to-use tool which has been continuously developed for a decade, evolving with the latest vulnerabilities and cyber threats. It’s the tool of choice for customers including the US Army, the US Air Force, Barclays Bank, American Express and more.

Automated hacks such as the recent WordPress cross-site scripting (XSS) vulnerability late last week saw many people having their public websites defaced. Acunetix Web Vulnerability Scanner can bring these types of vulnerabilities to your attention.


Acunetix Web Vulnerability Scanner is already used by major companies such as Adidas, American Express, CERN, Credit Suisse, NASA, Siemens, Skype, Sony, T-Mobile, the University of Potsdam, the U.S. Air Force and many others and is well suited to join the emt portfolio of security solutions.

The AFP Phishing email is cryptolocker

In the news over the last couple of days there have been warnings of an Australian Federal Police (AFP) branded phishing email. We received one of these emails in our office and decided to run it through our malware analysis sandbox, ThreatAnalyzer, to determine the behaviour of the sample – something that wasn’t mentioned in the news articles.


The body of the spear-phishing email.

Although Facebook comments have been mostly light-hearted puns from people who would like to unsubscribe from police infringement notices, the malware poses a significant threat.

Visiting the link within the email provides the attacker with the target’s email address, as it is embedded in the URL. This allows the attackers to identify the individuals who have visited the links, follow up on them, or re-target them in the future, since they may be more likely to click on these types of links again.
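One way for a defender to make that check mechanical during triage, as an added Python example (not code from the original article or from ThreatAnalyzer), is to pull every path segment, query value and fragment out of each URL in the email and look for an address in plain, percent-encoded, base64 or hex form. The domains and addresses below are constructed placeholders, not the campaign’s infrastructure.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Loose address pattern, good enough for triage (this is not RFC 5322 validation).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample URLs standing in for the links in a phishing email.
# The domains are placeholders, not the real campaign's infrastructure.
SAMPLE_URLS = [
    "https://afp-notice.example/verify?id=3fa9&email=alice%40example.com",  # plain, percent-encoded
    "https://afp-notice.example/n/YWxpY2VAZXhhbXBsZS5jb20=/view",           # base64 in the path
    "https://afp-notice.example/n?u=616c696365406578616d706c652e636f6d",    # hex in a query value
    "https://legit-site.example/contact",                                    # nothing embedded
]


def _decoded_variants(token):
    """Yield the token itself plus any base64/base64url/hex decoding that is printable ASCII."""
    yield token
    stripped = token.strip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.isprintable():
            yield text
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        try:
            text = bytes.fromhex(token).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return
        if text.isprintable():
            yield text


def find_embedded_emails(url):
    """Return the set of email addresses carried in the URL's path, query values or fragment."""
    parts = urlsplit(url)
    tokens = [unquote(seg) for seg in parts.path.split("/") if seg]
    tokens += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        tokens.append(unquote(parts.fragment))
    found = set()
    for token in tokens:
        for variant in _decoded_variants(token):
            found.update(addr.lower() for addr in EMAIL_RE.findall(variant))
    return found


def triage_urls(urls, recipient):
    """For each URL, list embedded addresses and whether a visit would confirm the recipient's own."""
    recipient = recipient.lower()
    report = {}
    for url in urls:
        embedded = find_embedded_emails(url)
        report[url] = {
            "embedded": sorted(embedded),
            "confirms_recipient": recipient in embedded,
        }
    return report


if __name__ == "__main__":
    for url, verdict in triage_urls(SAMPLE_URLS, "alice@example.com").items():
        flag = "TRACKS RECIPIENT" if verdict["confirms_recipient"] else "clean"
        print(f"{flag:16} {url}  {verdict['embedded']}")
```

A URL flagged as tracking the recipient is worth blocking at the mail gateway rather than merely warning about, since even a curious click confirms a live mailbox to the sender; the decoding step matters because an encoded token looks like an opaque ID to a human reader.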

Once the page loads, the victim is presented with a CAPTCHA challenge; when it is entered they download a zip file containing an executable, which is a variant of the well-known CryptoLocker virus.


The fake “AFP” website with captcha used to download the malware.

When executed by the user, the CryptoLocker virus encrypts the user’s files, communicates with a C&C server and then presents a ransom message with instructions on how to connect to the anonymous Tor network to make payment in order to recover the encrypted data.


The encrypted files shown in Explorer, and the ransom message giving recovery instructions.

Although the various news articles urge users to update their antivirus, at the time of writing only 4 of 57 AV vendors detected the sample. None of those four vendors are popular in Australia, so users running the solutions common here would have had little to no protection.

This attack is an example of how AV technology is struggling to keep up with modern malware. Preventative controls such as Application Whitelisting would have stopped this attack by not allowing the computer to execute an untrusted file. Although in this case the file was dropped as an executable, we often see similar attacks where the spear-phishing email links go directly to PDF, DOC or Flash files containing exploits for vulnerabilities, so this is also a timely reminder to stay up to date with OS and third-party patching. Both of these control types form part of the Australian Signals Directorate (ASD) Top 4 Mitigation Strategies.

Using a sandbox for dynamic analysis allows IT security administrators to quickly analyse reported phishing URLs and malware, determining the actions of the malware by executing the sample in a dedicated environment. Indicators such as DNS names, IP addresses and hashes can quickly be extracted and operationalised to prevent and identify future instances of the same attack, or other attacks from the same group.
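The extraction step, as an added Python example written for this page rather than taken from the article or from ThreatAnalyzer: it parses a constructed behaviour-report excerpt (the line format, hostnames, documentation-range IPs and empty-file hashes are all made up for the example), keeps only routable addresses, classifies hashes by length and defangs the result so it can be shared safely.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sandbox output in the style of a behaviour report. The hostnames, IPs
# (IANA documentation ranges) and hashes (of the empty file) are samples for this
# example, not indicators from the real AFP-themed campaign.
SAMPLE_REPORT = """
[process] Started: C:\\Users\\victim\\Downloads\\AFP_Notice.exe
[network] DNS query: update-svc.malicious.example -> 203.0.113.45
[network] TCP connect: 203.0.113.45:443
[network] TCP connect: 192.168.1.10:445
[network] HTTP GET http://cdn.malicious.example/gate.php?id=1
[network] DNS query: onion-gateway.malicious.example -> 198.51.100.7
[file] Dropped: C:\\Users\\victim\\AppData\\Local\\Temp\\svchost32.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[file] Dropped: C:\\Users\\victim\\AppData\\Local\\Temp\\ransom_note.html md5=d41d8cd98f00b204e9800998ecf8427e
"""

# Addresses that are never useful as network indicators: RFC 1918, loopback,
# link-local, multicast and "this network". Documentation ranges are deliberately
# NOT excluded here so the constructed sample above survives the filter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]

DNS_RE = re.compile(r"DNS query:\s*([A-Za-z0-9.-]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(sha256|sha1|md5)=([0-9a-fA-F]+)\b")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def is_routable(ip_text):
    """True for a syntactically valid IPv4 address outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_iocs(report):
    """Pull domains, routable IPv4 addresses, URLs and hashes out of report text, sorted per type."""
    iocs = {k: set() for k in ("domains", "ipv4", "urls", "md5", "sha1", "sha256")}
    for line in report.splitlines():
        for m in DNS_RE.finditer(line):
            iocs["domains"].add(m.group(1).lower().rstrip("."))
        for url in URL_RE.findall(line):
            iocs["urls"].add(url)
            host = urlsplit(url).hostname
            if host:
                iocs["domains"].add(host.lower())
        for ip in IPV4_RE.findall(line):
            if is_routable(ip):
                iocs["ipv4"].add(ip)
        for algo, digest in HASH_RE.findall(line):
            algo = algo.lower()
            if len(digest) == HASH_LEN[algo]:  # drop truncated or mislabelled digests
                iocs[algo].add(digest.lower())
    return {k: sorted(v) for k, v in iocs.items()}


def defang(indicator):
    """Neutralise an indicator for sharing: http -> hxxp and every dot wrapped in brackets."""
    if indicator.startswith("http://"):
        indicator = "hxxp://" + indicator[len("http://"):]
    elif indicator.startswith("https://"):
        indicator = "hxxps://" + indicator[len("https://"):]
    return indicator.replace(".", "[.]")


def defanged_iocs(report):
    """Same as extract_iocs, but every value is safe to paste into a ticket or email."""
    return {k: [defang(v) for v in vals] for k, vals in extract_iocs(report).items()}


if __name__ == "__main__":
    for kind, values in defanged_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

The internal-range filter is what keeps a sandbox's own SMB or DNS chatter out of the blocklist; the length check on digests guards against a report that truncates a hash in a wrapped column. Domains and IPs from the output feed proxy or DNS blocklists, and the hashes feed endpoint blocking or whitelisting exceptions.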

For more information on sandboxing, or on how to operationalise your Threat Intelligence please don’t hesitate to contact us.