Last week, the United States and Canada issued a joint advisory on the threat posed by crypto-based ransomware. The advisory followed a string of high-profile incidents which had affected a number of hospitals, both in the US and in other countries.

The CERT advisory can be viewed at:

The pervasiveness of this threat demonstrates just how many organisations remain completely vulnerable to it, often with severe business impact.

While it is clear that the malware problem is massive, it has been well over a decade since we last saw any form of large-scale destructive malware. Back in 2004, I spent some time in New York City performing a consultancy for a then large financial institution in the wake of a destructive worm infection. On a Friday evening, an Internet-based worm (which I won’t name here) penetrated their internal network, spreading widely and randomly erasing hard disk sectors throughout the organisation. While it was contained, the damage was significant. Fortunately, they had the weekend to recover from backups and restore operations. Had the event occurred at another time, the business impact may have been in the billions of dollars!

Around that time, and following high-profile events like SQL Slammer and Blaster, many people, including myself, were greatly concerned about the possibility of a large-scale destructive worm outbreak and the resulting potential economic impact. Fortunately, the high-profile Internet worm trend died off, simply because there was no money to be made and significant personal risk existed for the authors of such malware. Ransomware is just another form of malware, but with a significant financial return! The fact that so many organisations are openly vulnerable to ransomware again concerns me greatly.

The CERT advisory recommends a range of fairly fundamental preventative security measures, such as adequate backups, system patching, etc. While those measures are strongly recommended, I would also highlight the importance of a robust network security architecture. Having previously worked with many customers who had been affected by those worm outbreaks, some severely, some far less so, it became very clear that those who had robust network security architectures and mature operational procedures were far less impacted.

In light of the current trend and growth of ransomware, I would additionally highlight the importance of network security. This includes the use of zoned security architectures, quality firewalls, IPS (with automatic updates), network AV and zero-day malware detection systems. While there is no silver bullet, these approaches can significantly reduce your organisation's risk profile.

I can’t see this problem going away any time soon. I predict it will get worse before it gets better.


To everyone who attended my presentation on Friday 11 March 2016 at the Novotel in Brisbane, thank you for the opportunity.

The presentation material can be downloaded from Here.

For those of you interested in the topics of cybersecurity and network security architecture, I have just posted two white papers under Knowledge Base.

Background - My primary focus these days is keeping corporate and government networks protected within a constantly changing threat landscape. While there is a lot of very good information available on many aspects of information security, I could not find much good information on network security architecture and design, and very little of it was up to date.

To help address this gap, I have written two white papers on this subject area:

  • The first covers the fundamentals of network security architecture.
  • The second moves on to discuss the changes of recent years and what they mean for security architectures in 2015 and going forward. In particular, I discuss architectural foundations and then look at 'operationalising' security, the need for a new mindset, the role of analytics and considerations for deploying 'Cyber Kill Chains'. I have attempted to capture the big issues and provide a number of technological and policy recommendations.

Please view them under 'Knowledge Base' or via these links to the PDF versions:

White Paper 1 - The Fundamentals of Network Security Design - Download Here.

White Paper 2 - New Considerations for Network Security Design - 2015 - Download Here.

There are about 80 pages of information, with more in the works. I hope it is useful and welcome feedback.

Penetration Testing versus Security Architecture Assessments


It is worth commenting on how a penetration test and a security architecture review or assessment are positioned relative to each other. Penetration testing services are available from many organisations and are generally well understood and widely utilised throughout the security community.


Firstly, penetration testing and architecture assessments are complementary, as they achieve different goals and can uncover different issues.


The primary goal of a penetration test is to find vectors to break into an organisation and gain access to key assets, in a controlled and ethical manner. At the most fundamental level, penetration tests are performed in much the same way as a malicious hacker would attempt an intrusion. They look for open attack vectors and vulnerabilities which can be exploited. The goal is to find and close them before a malicious hacker does.


Penetration tests are a practical simulated attack on the organisation. In many cases a penetration test will achieve a successful intrusion, or several, through one or more exploitable attack vectors. In these cases the reason for the successful attack can be analysed and remediated. Commonly this will mean updating an operating system or application to close an open vulnerability. Such findings may well be the result of a process problem, sometimes small (for example, a single patch was missed during a patching cycle) but sometimes more significant (for example, a broadly inadequate patching or software maintenance process).


Penetration testing services generally do not look at the underlying architecture. There are many organisations with architectural deficiencies but no open attack vector at the time of a penetration test. In these cases, the penetration test will likely not pick up a high-risk issue in the network, should one exist. Let me provide an example. Let's assume that a network has a poorly designed or outdated Internet DMZ architecture where a server, if successfully exploited and owned, would provide open access deeper into other parts of the network. Say that at the time of the penetration test that server was at recent patch levels with no known exploitable vulnerabilities. Then the penetration test would not detect any issue. At a later point in time, a critical vulnerability is announced which now leaves the previously tested server vulnerable. We now have a fully exploitable path for an attacker to gain entry deep into the network. More importantly, this is one of many situations which would not have been detected through a penetration test alone.
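The scenario above can be checked mechanically without touching a single host: model the zone-to-zone firewall policy as a graph and ask where an attacker could pivot to after fully owning a DMZ server. The following is an added example, not code from the original post or from any product it mentions; the zone names, the rule format and the two sample policies (a "just get it working" DMZ-to-internal allow-all beside a tiered alternative) are constructed for illustration. It deliberately ignores patch state, because the exposure it reports is exactly the one that exists the day a new critical vulnerability is announced.

```python
"""Zone-policy pivot analysis (added example; constructed zones and rules)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

ANY_PORT = frozenset({"any"})  # marks an "allow all ports" rule


@dataclass(frozen=True)
class Rule:
    """One permitted flow between two security zones (constructed format)."""
    src: str
    dst: str
    ports: FrozenSet[str]


def _adjacency(rules: Iterable[Rule]) -> Dict[str, List[Rule]]:
    adj: Dict[str, List[Rule]] = {}
    for rule in rules:
        adj.setdefault(rule.src, []).append(rule)
    return adj


def reachable_zones(rules: Iterable[Rule], start: str) -> Dict[str, List[Rule]]:
    """Breadth-first search over the policy graph.

    Returns, for every zone an attacker could pivot into after owning a host
    in `start`, the chain of rules that permits it. Patch levels play no part:
    this is the architectural exposure, independent of the day's CVE list.
    """
    adj = _adjacency(rules)
    paths: Dict[str, List[Rule]] = {}
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        zone, chain = queue.popleft()
        for rule in adj.get(zone, []):
            if rule.dst in seen:
                continue
            seen.add(rule.dst)
            paths[rule.dst] = chain + [rule]
            queue.append((rule.dst, chain + [rule]))
    return paths


def assess_pivot_exposure(rules: Iterable[Rule], compromised_zone: str,
                          crown_jewels: Iterable[str]) -> List[dict]:
    """Architectural findings for a fully compromised zone.

    "wide-open": a rule on some pivot path allows any port, i.e. segmentation
    exists on the diagram but not in effect.
    "crown-jewel": a high-value zone is reachable at all; the finding records
    the hop count and the flows an attacker would have to abuse.
    """
    findings: List[dict] = []
    paths = reachable_zones(rules, compromised_zone)
    wide_open = {r for chain in paths.values() for r in chain if r.ports == ANY_PORT}
    for rule in sorted(wide_open, key=lambda r: (r.src, r.dst)):
        findings.append({"type": "wide-open", "src": rule.src, "dst": rule.dst})
    for zone in crown_jewels:
        if zone in paths:
            chain = paths[zone]
            findings.append({
                "type": "crown-jewel", "zone": zone, "hops": len(chain),
                "via": [f"{r.src}->{r.dst}:{','.join(sorted(r.ports))}" for r in chain],
            })
    return findings


# Constructed sample policies; zone names are illustrative, not from the post.
WEAK_POLICY = [
    Rule("Internet", "DMZ", frozenset({"443"})),
    Rule("DMZ", "Internal", ANY_PORT),           # the "just get it working" rule
    Rule("Internal", "Data", frozenset({"1433"})),
]

HARDENED_POLICY = [
    Rule("Internet", "DMZ", frozenset({"443"})),
    Rule("DMZ", "AppTier", frozenset({"8443"})),  # DMZ may only talk to a middle tier
    Rule("AppTier", "Data", frozenset({"1433"})),
    Rule("Internal", "AppTier", frozenset({"8443"})),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} policy, DMZ host fully compromised ==")
        for finding in assess_pivot_exposure(policy, "DMZ", ["Data", "Internal"]):
            print(" ", finding)
```

Run against the weak policy, the analysis reports the DMZ-to-internal allow-all rule and a two-hop path to the data zone whether or not the DMZ server is currently patched; the hardened policy still shows a path to the data zone, but it is confined to two named ports through a middle tier, and the internal user zone is not reachable from the DMZ at all. That difference is what an architecture assessment surfaces and a point-in-time penetration test against a fully patched server does not.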


I am not trying to suggest that penetration testing is not a necessary or valuable service - it is. But the limits of what it can achieve should be well understood.


Architecture analysis, architecture reviews and assessments provide a different approach with different goals. This approach is entirely complementary to penetration testing services. An architectural analysis, as the name suggests, is designed to find architectural issues which can allow an intrusion under certain conditions, or which constitute a high-risk deployment. Today, many networks have grown organically, or have had multiple groups of personnel working on the network throughout its life. All too often new services are deployed under tight timeframes, i.e. the "just get it working" approach. As a result, sub-optimal or poor architectures get deployed and can remain in place for many years. These are often time bombs waiting to be exploited and can pose very significant business risks.


Sound security architecture involves many fundamental design principles. Dramatic changes have occurred in the security landscape over the last few years, and the use of sound security architecture principles is now more important than ever. In this day and age, circa 2015, newer architectural approaches such as Kill Chains are being recognised for their benefits, and thought-leading organisations are adopting them with solid outcomes.


I hope this brief blog post has helped position the benefits of architectural assessments in comparison to penetration testing.

I recently posted the following comments to the LinkedIn Security Architecture forum discussing the effectiveness of Security Architecture today:



I agree with the comments which have been posted so far. As pointed out, a security architecture involves quite a number of factors: security infrastructure, policy and procedure, etc. Let me make some comments on the topic of network security architecture.


Network security architecture became a significant discussion point back in the mid-to-late nineties, when Internet connectivity was becoming the norm. Firewalls were being introduced and early network security architectures focused on the Internet perimeter. Concepts such as compartmentalisation using DMZs and visibility using tools like Cisco's NetFlow were introduced. These concepts are as valid today as they were then.


The landscape has changed and security architectures need to consider this changed landscape.


Probably the number one new consideration is that the whole scene is far more complex than it was 15-20 years ago. Security managers and architects first and foremost need to understand this and ensure that adequate tools and processes exist for dealing with a far more complex environment.


Application architectures are larger, more complex and more mission-critical. Many of these environments have grown in an ad hoc manner and are far from optimal security architectures. They are not easy to change.


There are a lot more applications on the network today; some of these are legitimate, and some simply have no place in a business environment. Users wish to choose and use their own apps.


The use of SSL and TLS is widespread, making it impossible to see the traffic inside these tunnels without decryption technology.


Mobile and personal devices are often accessing critical business systems from just about anywhere.


Cloud technology is being introduced and utilised by many organisations due to the attractive cost benefits.


Attack trends have changed. Client side attacks now account for the majority of successful intrusions.


Malware sophistication has increased. More importantly, the sheer scale of nation-state-sponsored espionage has significantly increased the risk for just about every organisation with business-critical data.


This is certainly not an exhaustive list. My point is that it is critical for architects to have a firm grasp of the basics as well as of these factors in order to create effective security architectures. A good network security architecture is not a silver bullet which will save you from all attacks, but it is a critical foundation on which everything else should be based. Experience has shown me that organisations that have sound architectures in place have been in a FAR more robust position when the bad stuff happens.