Security 101 with Aura Information Security


Co-written by Yana Brewster

 

Our partner, Aura Information Security, is an advisory consultancy that provides numerous cyber security services, including Penetration Testing, Security Assurance and Defensive Security Services. They support governments, corporates and medium-sized businesses worldwide.

Earlier this year, they hosted a ‘Security 101’ bootcamp presented by their Security team: Phil Dobson, Alastair Miller, Lachlan Davidson, and Joanna Mañez. The team educated students on the responsibilities, career possibilities and perks of a career in security. The bootcamp also provided a hands-on experience where students attempted the hacking challenge, Capture the Flag. Capture the Flag is an activity where a digital product with vulnerabilities is provided, and the task is to find vulnerabilities and retrieve the data stored in them.

Why intern at Aura?

Aura Information Security has been one of Summer of Tech's partnering companies for the past six years and has taken on interns ever since. One of their interns, Julia Shan, reflects on her internship experience at Aura last summer.

Julia Shan is studying for a Bachelor of Engineering (Hons), majoring in Computer Systems Engineering. Julia joined Aura as an Information Security Intern. She spoke about her experiences regarding the internship hunt, competition and expectations coming into the internship. 

"Last summer, I interned at Aura as an Information Security Intern in Wellington. Coming into the internship, I had little experience with pen testing and security. The team at Aura was super friendly and awesome. It was honestly just a great place to kick start your career in Security Consulting. Aura has an excellent support system in place to encourage learning. I had lots of time to spend by myself to upskill in pen testing. Asking seniors for help was also a great way to gain new insights on approaching and tackling certain problems. I also gained valuable experience in how to write vulnerability reports."

 

What would an ideal candidate look like?

Phil Dobson, the Acting Executive General Manager, also spoke of qualities that Aura looks for in potential interns. 

"We don't expect people to enter this internship knowing much about security. A person with the right attitude, enthusiasm for this space and passion for this sort of stuff usually stands out the most from the crowd."

 

What does the Aura Advisory team do?

The Aura Advisory team has a wide range of skills, and manages a wide assortment of security projects. This encourages people to grow into new areas and try their hand at something different.

  • Security Gap Analysis - To help a client get started on their cyber security journey, the Aura security team will first carry out a gap analysis of the organisation. Once complete, a client will receive an assessment rating the effectiveness of 12 key areas of their current security posture, the maturity of these areas and a roadmap to improve.

  • Organisation Security Assessment - With a full Organisation Security Assessment, Aura reviews the whole organisation using internationally recognised frameworks such as NIST CSF and ISO 27001, or Aura's own 31 domain assessment process.

    Aura provides a strategic document that outlines where a client’s security maturities are today and where they should be, using a multi-year roadmap to become a cyber-mature organisation.

  • Threat Modelling and Assessment - Aura works with SMEs and stakeholders to understand the key assets, harm scales, risk matrix, threat actors, threats, vulnerabilities and risks an organisation faces, and to apply a rating against those risks.

    Aura will also see if existing controls will mitigate any of these risks and suggest additional controls to reduce the level of risk.

  • Virtual Chief Information Security Officer (vCISO) - Our vCISO team comprises industry experts who can provide a business with complete oversight of a company’s security fabric and guidance to ensure they keep pace with changes in technology and the ever-changing threat landscape.

    Many organisations cannot justify dedicated staff in this role, so why not leverage the skills, experience and expertise of a specialist company such as Aura?

  • Audits - Aura audits organisations against their chosen or mandated framework to determine their compliance.

  • Governance and Policy - Aura can help companies adopt an information security governance structure that effectively enforces security policies and measures and optimises operational security environments — ensuring good visibility and protection from new cyber threats and a plan that caters for business growth.

  • Privacy Impact Assessment (PIA) - Aura will assess the impact on the privacy of any new system or application that deals with Personally Identifiable Information (PII). All the necessary controls are in place to comply with NZ or international laws.

  • Technical Control Audit (TCA) - Aura will review the technical controls a company has in place and advise if they are built and configured to best practices. Aura will recommend ways to remediate some of the issues found.

  • Controls Validation Assessment (CVA) - When a business is unsure of how effective their current controls are, Aura can undertake a CVA that will assess the effectiveness of security controls. They'll help businesses understand how the controls mitigate their risks. They will also offer advice on how to deal with ineffective controls.

  • Third-Party Assessments - Aura will assist in the creation of Third-Party Management policies and questionnaires if they don't exist and then help manage the process of assessing key Third Parties for their level of risk for an organisation.

  • Incident Response (IR) Planning - Aura will assist in the creation of incident response playbooks. They run workshops with the relevant stakeholders and SMEs to talk about how the organisation will deal with the incident, who will do what and what communications will take place. Aura provides a playbook ready to be used should an incident materialise.

  • Business Continuity (BC) and Disaster Response (DR) Planning - Aura will run workshops with SMEs and stakeholders to understand key business assets and processes to create BC and DR plans for them.

  • Cloud Configuration Review - Aura will also review the configuration of systems in the Cloud and of the Cloud service itself. They'll produce a report detailing any risks based on missing or incorrect configuration.

  • Security Architecture Reviews - Aura reviews an organisation's security architecture and recommends improvements based on international best practices and experience.

  • Design Review - Aura will assess a documented design for security risks it may impose on the organisation and make recommendations on how those risks can be mitigated.

  • Application/SaaS Review - Aura will assess the application or SaaS an organisation uses, highlight any risks it may create, and make recommendations on how risks can be mitigated.

  • Secure by Design (SbD) - Aura will conduct workshops with a company’s security personnel and developers to help the organisation move towards a functioning DevSecOps model.

  • Executive Training - Good security requires a top-down approach. Aura runs executive workshops for a wide range of corporates and government organisations. These can be tailored to a business's individual needs and cover various topics, from making cyber security a boardroom issue to fostering a cyber-aware culture.

  • Employee Training - Regarding business security, staff are the first line of defence. But do they have the education and training they need to make a real difference to an organisation's security posture?

In an interconnected world, it's no longer viable for a business to assume that staff will refrain from interacting with the world outside of the organisation's security systems; it's almost impossible to monitor. The rise of smartphones and BYOD means it is easier for people to work on the go and access anything, anytime, from anywhere ... including sensitive work files and data.

 

What does the Aura Penetration Testing Team do?

The Penetration Testing team helps to provide network security assessments by conducting regular penetration tests to help identify vulnerabilities in a network or applications before attackers can exploit them.

 

The services Aura helps to provide include:

  • Network Boundary Security Testing

  • Internal Network Review & Wi-Fi

  • Remote Access Testing

  • Application Security Testing

  • Mobile Security Testing.

It was great to understand more about the world of information security and the roles and responsibilities of people that work in this field. A big thank you to the Aura Information Security team for bringing this bootcamp to Summer of Tech students this year. Check out the Aura Careers page for more.
