Australian Cyber Security Magazine, ISSUE 2, 2017

Page 1

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 2, 2017

Digitisation and Internet of Things

Cyber Insurance: A Buyer’s Guide

Cyber Hygiene: Tips to improve your security organisation

Threat Hunting – Pursue your adversaries

A Beginners Guide to Bug Bounty Programmes

Hacking your own company

MEMBER FOCUSED (page 8)


Security patches close vulnerabilities that can be exploited by attackers to gain access to machines and systems for multiple malicious purposes, such as stealing personal information or confidential files. Extensive research shows that unpatched software remains one of the most prevalent factors in cyber-attacks targeting organisations. So patching is more than essential!

Take the recent “WannaCry” ransomware attack. While many discuss whether their anti-virus could have stopped the attack, the plain facts are:

• This attack used a vulnerability in a component of Windows and Windows Server that Microsoft had patched two months before the attack happened.
• The exploit for that vulnerability was part of the recent, highly publicised leak of NSA tools; it was not an obscure vulnerability that no one had heard of before.
• Applying the patch would have stopped the exploit from succeeding.

Majority of attacks target well-known vulnerabilities.

The Australian Signals Directorate (ASD) lists patching applications and patching operating systems as two of its “Top 4” mitigation strategies, which ASD states would have prevented at least 85% of the targeted cyber intrusions it responds to. These Top 4 mitigation strategies have been mandatory for Australian Government organisations since April 2013.

The challenge of security patching

If we all know patching is important, why do we continue to see security incidents and data breaches associated with exploitation of well-known vulnerabilities?

77.5% of vulnerabilities in the most common applications are in the non-Microsoft apps!

The main reason is the gap between IT Security and IT Operations. Normally, those in charge of scanning for vulnerabilities (IT Security teams) are not in charge of applying patches (typically done by IT Operations); as a result, it is common that neither group understands the other’s challenges, or the gaps in the technologies each uses. Technology integration is also commonly poor, so it is very hard to build reliable processes from disparate tools. Lastly, IT Operations teams often have no performance measures tied to applying security patches, and no tools to support making the right decisions about which patches to apply first.

85% of vulnerabilities have a patch available at the time of public disclosure.

A strategic software vulnerability management solution is required to bridge the gaps in vulnerability management processes.

The solution: Software Vulnerability Manager

Software Vulnerability Manager empowers IT Security and Operations with intelligence to continuously track, identify and remediate vulnerable applications – before exploitation leads to costly breaches. It enables SecOps initiatives by providing verified intelligence from Secunia Research, timely vulnerability advisories, accurate assessment and security patches, all in a single console. This approach reduces the attack surface available to cybercriminals by accelerating identification of vulnerable applications, driving prioritisation and reducing time to mitigation. To talk further about bridging the vulnerability gaps in your organisation or improving your patch management processes, please contact us at www.flexerasoftware.com or on +61 3 9895 2000.


Hackers don’t need ZERO-DAY vulnerabilities. There are plenty of neglected unpatched vulnerabilities to target.

Reimagining the way software is Bought, Sold, Managed & Secured

www.flexerasoftware.com


Contents

Editor's Desk 5
Feedback Loop - have your say! 7
AISA National Conference 8
Cyber Hygiene 14
The ASX 100 Cyber Health 16
Building a modern sec ops centre 18
Know your enemy part 1 20
I want to be a hacker - where do I start 24
A beginners guide to bug bounty programmes 28
Hacking your own company 30
Threat hunting - pursue your adversaries 32
Surviving in the new threat environment 36
Don’t make security awareness training punishment 38
CyberSafety – the tweaking galah 42
An interview with Dhiba Daniels 44
Liberty, equality, fraternity 46
Trust - the new face of cybersecurity 50
Cyber insurance part 1 52
Cybersecurity in the promised land 56
Digitisation and the internet of things 60
Kaspersky Lab researcher creates free software tool 62

Editor: Tony Campbell
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij
Correspondents: Morry Morgan, Sarosh Bana

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiancybersecuritymagazine.com.au

SUBSCRIPTIONS
T | +61 8 6465 4732
subscriptions@australiancybersecuritymagazine.com.au

Copyright © 2017 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E | myteam@mysecuritymedia.com
www.mysecuritymedia.com

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

www.facebook.com/apsmagazine
@AustCyberSecMag
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia

Correspondents* & Contributors

Dawid Bałut, Simon Eid, Morry Morgan*, Mark Jones, Jason Magic, Guillaume Noé, Michael Trovato, Tony Campbell, Brett Williams, CF Fong, Sarosh Bana*, Dan Lohrmann, Ricki Burke, David Stafford-Gaffney, Chris Cubbage

www.australiansecuritymagazine.com.au | www.malaysiasecuritymagazine.com | www.asiapacificsecuritymagazine.com | www.drasticnews.com | www.chiefit.me | www.youtube.com/user/MySecurityAustralia | www.cctvbuyersguide.com


Editor's Desk

Since publishing Issue 1 of ACSM, it seems that cyber security has been in the headlines as many times as Donald Trump – and in some cases because of Donald Trump, but we’ll not go into that. Starting with WannaCry, it was an interesting media spectacle to see how this new flavour of ransomware could stop an entire government department in the UK (the National Health Service). When a researcher stumbled on the so-called kill switch, stopping WannaCry in its tracks, he became an anointed hero of the information age. What I am interested in, though, is that no one thought to thank all those diligent security managers and sys admins who had already patched MS17-010. Anyone who had already applied the Microsoft fix would have halted WannaCry’s devastating lateral movement capability, curtailing its virulence and reducing it to the usual noise levels we deal with every day. The real lesson the world should have learned from WannaCry was that hoping you’ll be immune from infection, without addressing the issue, isn’t good enough: you must check.

A few weeks later, the hype cycle started again, this time focusing on the worst-named malware in history. In the rush to give it a cool name, people speculated it was a new variant of an older malware called Petya. In the media’s eyes, it was WannaCry the Sequel. It used the same EternalBlue exploit that WannaCry incorporated into its payload, but also looked very like a copy of Petya. So, WannaCry the Sequel quickly became Petya. However, it wasn’t long (a matter of hours) until someone had reverse engineered WannaCry the Sequel, revealing that it wasn’t Petya after all: it was something completely different. So WannaCry the Sequel became NotPetya. Did you see what they did there? Very clever. A few days later, with more research cycles under their belt, it seemed like this attack was less about extortion; rather it was a targeted attack on Ukrainian businesses, likely originating from ‘mother’ Russia. Amongst all the FUD and hype there was plenty of expert opinion and conjecture pinning NotPetya on the Russian government, and while the Kremlin vehemently denied these allegations, it did seem likely. I think I’ll rename WannaCry the Sequel to “WannaCry 2: This Time It’s Personal”, just for fun, as it seems more APT.

NotPetya has shown that we are absolutely living in the age of cyberwarfare, and this real example of a nation state repurposing a tool from organised crime into an online weapon of mass destruction means all bets are off for our beleaguered security teams. We need to get better at cyber security, especially at the basics. Forgetting to deploy a critical Windows patch is irresponsible, and those charged with maintaining good system hygiene need to be held to account. I understand that security is about risk management, but not patching a system when the world has already seen how devastating an attack can be is worse than careless.

Anyhow, on to Issue 2. We have some great articles in store for you, with wise words from David Stafford-Gaffney on business process compromises, a deep dive into cyber insurance from Mark Luckin and a variety of technical and business wisdom from around Australia and the rest of the world. Enjoy and stay secure.

Tony Campbell Editor
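“You must check” is the operative phrase in both the editorial above and the patching piece earlier in this issue, so here is a way to do exactly that. The PowerShell below is an added example written for this page; it is not code from the magazine, from Microsoft or from any vendor. It reports whether one of the MS17-010 updates is present on the local host and whether SMBv1, the protocol EternalBlue abuses, is still enabled, and flags the host as exposed only when both conditions hold. The KB identifiers are taken from the MS17-010 bulletin: confirm them against the bulletin for your OS build, and note that on Windows 10 later cumulative updates supersede them, so Get-HotFix may not list them on a fully patched machine. The SMB cmdlets assume Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example (not from the magazine or any vendor): check a Windows host for the
# WannaCry exposure, i.e. MS17-010 missing AND SMBv1 still enabled.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later.

# Update identifiers from the MS17-010 bulletin. Confirm against the bulletin for
# your build; on Windows 10 these are superseded by later cumulative updates and
# may not appear in Get-HotFix even when the fix is present.
$Ms17010Kbs = @(
    'KB4012598',                           # Windows XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-WannaCryExposure {
    [CmdletBinding()]
    param()

    # 1. Is one of the MS17-010 updates installed?
    $matched = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    # 2. Is SMBv1 still enabled? Check the server-side protocol switch and, on client
    #    SKUs, the optional feature (server SKUs expose it as the FS-SMB1 role feature,
    #    so the feature query may return nothing there).
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [Environment]::OSVersion.Version.ToString()
        Ms17010Installed  = [bool]$matched
        MatchingKBs       = (@($matched | ForEach-Object HotFixID) -join ', ')
        Smb1ServerEnabled = $smb1Server
        Smb1FeatureState  = if ($smb1Feature) { $smb1Feature.State.ToString() } else { 'n/a' }
        # EternalBlue-style lateral movement needs both: unpatched srv.sys AND SMBv1 reachable.
        Exposed           = (-not $matched) -and $smb1Server
    }
}

function Disable-Smb1 {
    # Remediation for the SMBv1 half of the problem; the update itself comes from
    # your patch tool. Disabling SMBv1 also blocks the exploit path on hosts where
    # the KB cannot be confirmed because it has been superseded.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

Test-WannaCryExposure | Format-List
```

To check a fleet rather than one box, wrap the call in Invoke-Command against a list of hosts and collect the objects; anything with Exposed set to True goes to the top of the patch queue, and disabling SMBv1 is a reasonable interim control where the update cannot be deployed immediately.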


WRITE FOR US!

Reach out to over 10,000 industry professionals per month!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:

• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at editor@australiancybersecuritymagazine.com.au.


FEEDBACK LOOP - Have Your Say!

There are many ways that you can provide feedback to us and converse with our editorial board, but we’re establishing this regular feature in the Australian Cyber Security Magazine because conversations can change the world. It is encouraging to see that so many of you are already so vocal on some of the big issues affecting Australia, voicing your opinions on LinkedIn, blogs and at industry conferences. We will endeavour to respond to every single one of you and publish the best discussion pieces in each issue in this new standing section, entitled Feedback Loop.

To thank you for your feedback, we’ll provide a token of our appreciation for the best letter in every issue. As this is the inaugural issue we don’t have any feedback yet, so let’s cut to the chase. The prize for the best letter in issue 2 will be a complete set of social engineering guru Chris Hadnagy’s three amazing books.

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analysed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation state, and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high profile breaches at Target, RSA, Coca Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and post high-profile event attacks. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Unmasking the Social Engineer: The Human Element of Security focuses on combining the science of understanding non-verbal communications with the knowledge of how social engineers, scam artists, and con men use these skills to build feelings of trust and rapport in their targets. The author helps readers understand how to identify and detect social engineers and scammers by analysing their non-verbal behaviour. Unmasking the Social Engineer shows how attacks work, explains non-verbal communications, and demonstrates with visuals the connection of non-verbal behaviour to social engineering and scamming.

Social Engineering: The Art of Human Hacking The first book to reveal and dissect the technical aspect of many social engineering manoeuvres. From elicitation, pretexting, influence and manipulation, all aspects of social engineering are picked apart, discussed and explained using real world examples, personal experience and the science behind them to unravel the mystery of social engineering.



// SPOTLIGHT ON THE TEAM BEHIND AUSTRALIA’S LEADING INFORMATION SECURITY ASSOCIATION

NATHAN MORELLI

GARETH WILLIS

LEN KLEINMAN

MOURAD KHALIL

The annual AISA National Conference will be held on 10-12 October 2017 at the Hyatt Regency, Sydney. This year’s event theme will be Collaboration. Given the recent worldwide cyber attacks, this year’s event speakers will look to answer the following questions:

• How can all areas of industry, the public sector and academia work better together?
• How can we collaborate for greater ideas and efficiencies?
• How can we share information in a more meaningful manner?
• How can we train the workforce of tomorrow?
• How can we retain the workforce of today?

AISA is a not-for-profit organisation run for members, by members. ACSM presents part two of a spotlight feature on AISA’s branch managers, who dedicate their time and effort to ensuring AISA members have an opportunity to share ideas, network and discuss the latest advances in cyber security.

// What is your day job?

Len Kleinman: I am the Chief Cyber Security Advisor APJ for RSA Security. I serve as a spokesperson and cyber security "best practice evangelist", with a focus on cyber threats to technology systems. This could be health care, government, financial services or SCADA/ICS systems.

Nathan Morelli: By day, I manage the ICT Assurance team at the Department for Education and Child Development in South Australia. We are responsible for assisting all our sites and our corporate teams in managing ICT-related risk.

Gareth Willis: By day I work as a senior cyber security consultant. I establish and implement security programs for private and listed companies, helping them align their cyber strategy with audit and legislative requirements. I also get my hands dirty at a technical level when required. I also suspect I’m the only consultant with a Fine Arts degree, an MBA, and a large collection of technical qualifications. Breadth of education and experience seems to be a common denominator in infosec; I feel privileged to have met some truly great minds in this field.

Mourad Khalil: Principal consultant, technical risk, at KPMG.

// What are you hoping your local AISA branch will achieve this year?

Len Kleinman: I hope that the Canberra Branch will be a conduit to a network of high-calibre cyber practitioners where information sharing, collaboration and knowledge transfer will prevail and thus enhance the overall growth of cyber security as an industry for our members.

Nathan Morelli: I am hoping that our branch continues to grow and provide great professional development and networking opportunities for our local information security professionals.

Gareth Willis: We want to create a more cohesive and holistic infosec scene that accommodates stakeholders from industry, government, and the higher education sector. We currently have strong representation from these areas at our branch events so we’re doing something right.

Mourad Khalil: Steady growth, good member involvement and a great conference turn out.

// Globally, we have seen a lot of cyber security attacks of late. What do you think the industry has learned from the recent attacks?

Len Kleinman: The biggest lessons have been that all data has value, and that a compliance-driven approach to cyber security is not the cornerstone of a robust cyber security program. The quality of cyber security practitioners in your organisation is also critical.

Nathan Morelli: The industry is learning we need to maintain our focus on information security throughout our organisations. As the challenges we face grow in size and impact, so must our strategies to combat them. Continued focus on engagement with end users, focusing on the human side and collaboration across organisations are essential in managing the risks the industry faces.

Gareth Willis: The industry has learned to embrace the eighth layer of the OSI model of late, that is the human element. It's not necessarily intuitive for a technical audience to accommodate people in their risk modelling but it's essential nonetheless.

Mourad Khalil: We are part of the global community and our physical distance is not really a deterrent as most want to believe.

// Australian companies tend to be pretty quiet about cyber security challenges that they face. How do you think industry and government would benefit from more information sharing when it comes to cyber security?

Len Kleinman: Information sharing is one apparatus in enabling a cyber security program to be agile and responsive to the business needs. It is also critical that an organisation needs to be in a position to effectively utilise the information in a timely manner. Organisations also need to prepare so the information and intelligence it receives can be acted on immediately.

Nathan Morelli: There is a tremendous opportunity for Australians to be more open and collaborative within our industry. Across Adelaide, being a smaller city, we have been able to create more opportunities to collaborate and share information, which has assisted local professionals in making better decisions and managing incidents in a timely fashion. If this was happening more frequently across the country, the information security community would be better placed to manage cyber security risks.

Gareth Willis: Industry and government have some common ground here but also some distinctly separate requirements. Government should be sharing cyber security resources and information to the fullest extent because they work on a scale that accommodates high degrees of specialisation and efficiency. Industry takes a broader view of what may constitute competitive advantage, secrecy as strategy, and appropriate security frameworks.

Mourad Khalil: The more involvement we have from businesses the more we can achieve with the power of data.

// What sort of cyber security information do companies in other countries tend to share and benefit from that Australia doesn’t?

Len Kleinman: The issue here is about enabling the sharing framework and less about the actual information. There is a lot of talk about sharing and collaboration, however, there is also much resistance to the execution. We need to find a way to break down the barriers, real and perceived, to enable any information sharing to have an opportunity to be positively successful in enhancing the cyber security posture for organisations and the nation.

Nathan Morelli: Australia can learn from other countries by providing the legal and regulatory framework to allow organisations to be more comfortable with collaborating. Once this is in place, and the Cyber Threat Sharing Centres are online across Australia, I think we will start to see a more collaborative approach across Australia.

Gareth Willis: Britain’s approach with the NCSC is absolutely setting the pace where thought leadership and action converge - Dr Ian Levy is an iconoclast in the best possible way. The same can be said of the European Union and the GDPR legislation to be introduced in May next year. GDPR defends the digital rights of the individual and in the process mandates standards that strongly encourage organisations to adopt a strong security posture. This is the future.



10TH ANNUAL AISA NATIONAL CONFERENCE

This year we are not only celebrating 18 years since our inception, but we also host our 10th annual AISA National Conference. The theme of this year’s event is COLLABORATION. Join the AISA community as we bring together local and international thought leaders and industry experts. Under a single roof we will discuss how all areas of industry, the public sector and academia can improve the way we collaborate to advance cyber security in Australia. To celebrate, AISA will also be hosting the EY AISA Birthday Bash – with tickets available as part of the gold registration package or sold separately. Early bird registration is now open with limited places available, so be sure to lock in your spot at this year’s cornerstone cyber event. We look forward to seeing you in October in Sydney.

JOIN THE CONVERSATION



COLLABORATION PERTH

Perth Conference 17 November 2017

Crown Perth


AISA PERTH CONFERENCE 2017 CALL FOR PAPERS

AISA is pleased to invite current members to submit a paper for AISA Perth Conference 2017, being held at the Crown on 17 November. The theme of this year’s conference is “Collaboration: Perth”. All submissions will be reviewed equally by the AISA Perth committee and must adhere to the same criteria we apply for keynote speakers: the presentation must be vendor neutral and cannot be product focused. Please download the call for papers application form and submit your proposal to cfp@aisa.org.au. Submissions close: 1 September 2017 12:00 (AWST).

We are also seeking Expressions of Interest (EoI) for the parallel sessions detailed below.

AISA Perth Conference 2017 | WA Cybersecurity Executive Enhancement Roundtable: Collaboration and Partnering Aids Crisis Management Events
Date: 17 November 2017, 09:00 – 15:00 (AWST)
Venue: Crown (Perth), Great Eastern Highway, Burswood, Perth, WA 6000

We are seeking expressions of interest for the WA Cybersecurity Executive Enhancement Roundtable on 17 November, 09:00-15:00. Places are limited. Please email events@aisa.org.au if you are interested in attending this event, which is held in conjunction with the AISA Perth Conference 2017.

*Collaboration is a critical ingredient for securing our cyber space. The Round-table will help address the importance of collaboration and the balance between time, money and resources in facilitating decision making and improving business performance.

AISA Perth Conference 2017 | WA Child Online Safety: Current Cyber Threats to Our Children Date: 17 November 2017, 09:00 – 12:00 (AWST) Venue: Crown (Perth), Great Eastern Highway, Burswood, Perth, WA 6000 We are seeking expressions of interest for the Special Track: WA Child Online Safety on 17 November, 09:00-12:00. Places are limited. Please email events@aisa.org.au if you are interested in attending this event, that is in conjunction with the AISA Perth Conference 2017.



RSA APJ Conference – AISA Member Competition Winner

Well done to Richard Heron, Myer’s Cyber Security Manager based in Melbourne, who won a free trip to Singapore to attend the RSA APJ Conference, 26 – 28 July, 2017. Richard’s response was judged as the overwhelming best submission. Thank you to all members who submitted responses. Here is Richard’s winning submission:

When and why did you join AISA?

I joined AISA about 10 years ago. I joined for three reasons:
• To ‘give’ - to speak at AISA events and give back to the industry that has served me so well.
• To ‘receive’ - to listen and learn from the diverse membership to improve my own performance within the information security community; and
• To ‘network’ – to mix with security-minded individuals for both knowledge and friendship.

What role should AISA play or how should it contribute to the Australian cyber security landscape?

AISA is the pre-eminent Information Security body in Australia. Therefore, it makes its mark on all:
• Industries – ensure that the information / advice / conference speakers cover a wide variety of industries, not just financial services.
• Age Groups – take security to the education sector. Educate 5-21 year-olds about the perils of cyber security; and
• Government bodies – ensure that Government is doing all they can for the cause.

What are the top 5 cyber security issues that AISA should focus on in the next 12 months?

• Making more inroads into the education sector to make students aware of the potential perils of being online (bullying, phishing, identity theft etc.)
• Bringing to the membership insights from experts (please not pitches from vendors) about what we should be preparing for, i.e. Mandatory Data Breach Notification Laws
• Educating its membership about Mandatory Data Breach Notification Laws. It is not far away now and I believe that not enough organisations are aware
• If possible, an unbiased view of security products on the market. Yes, I know security is more than just products, but I’d love to see security tool evaluations from AISA security members (not vendors) so I can make a more informed decision rather than just from Gartner reports (no offence to Gartner)
• More free resources to help us all with Security Awareness within organisations. Let’s face it – phishing is probably one of the biggest threats to organisations – it’s the human who chooses to ‘click on the link’. There is just not enough done industry-wide to help us all to teach our staff not to click on links from people they don’t know.

Thanks for the opportunity
Richard Heron
Cyber Security Manager, Information Technology, Myer Limited



Cyber Hygiene Three tips to clean up your organisation’s security

By Simon Eid, Area Vice President, Splunk ANZ

Australian organisations lack the security maturity and skills needed to survive in today’s and tomorrow’s threat landscape. This is the message coming from IDC. Furthermore, cyber criminals are getting more sophisticated. Look no further than the recent WannaCry attack, which saw more than 200,000 computers across more than 150 countries locked up by the ransomware. The ability of organisations to detect and respond appropriately to this threat is directly tied to the skills and maturity of their people, processes and technology. As cybercriminals become more sophisticated, Australian organisations are being urged to sharpen their focus on fighting the cyberwar. You can’t stop a highly determined attacker from targeting your network, but with a strong focus on cyber hygiene you can make your organisation extremely difficult to penetrate. With this in mind, let’s look at three steps to clean up the security of your organisation, ensuring you are equipped to survive in tomorrow’s threat landscape.


Start at the top

The biggest risk plaguing Australian organisations is a lack of dedicated security people. It’s eye-watering to think how many companies, storing extremely high volumes of sensitive customer data, consider security a sideline for the IT department. Lydie Virollet, IT services and cybersecurity analyst at IDC Down Under, says the understanding and management of threats is a struggle that most Australian organisations face. "In some markets the lack of compelling and enforced legislation leaves the IT security team with the paradox of how to secure the environment when the C-Suite are not prepared to fund it – or, as so often happens, IT security is considered important, but not enough to staff it nor fund it sufficiently," Virollet says.

The C-suite needs to take a role in protecting your business that encourages the entire organisation to be aware of security, risks and protection. Explaining how cybersecurity impacts the bottom line of your organisation is a great way to start the conversation. Without the support and funding of the C-suite, you won’t have the resources and capabilities to keep pace with the diversity of security needs. If self-regulation is to be retained as the ’state of play’ then board members are responsible for driving clear cybersecurity objectives across their organisation. Coordinating minimum security standards and an overall cyber security strategy should be the primary remit of the Chief Information Security Officer (CISO), under board direction. Every system, data store and IT project should be reviewed and operational risk reported to the Risk Officer, CEO and board members. Transparency in the collection, analysis and reporting of this risk needs to be achieved in real time to provide accurate, operational ‘situational awareness’. It’s only with this level of maturity that cyber risk can be treated in the same way as other business risks.

Take a risk-centric approach

Securing C-suite funding for security is only the first step. Organisations must realise that outsourcing security doesn’t mean outsourcing the potential impact of a breach. When customer data is compromised, your company will cop the overall blame, not your security provider. Last August’s Census is a good example. While the Australian Bureau of Statistics (ABS) pointed the finger at the vendor for failing to adequately test technology, it reflected most poorly on the oversight of the ABS, and is now remembered as the ‘Census fail’ – not the vendor fail. This highlights the importance of taking a risk-centric approach, a key aspect of practising fundamental security hygiene. By understanding what your critical assets are, such as customer data, and conducting a risk assessment to determine the likelihood of a breach, you’ll be in a better position to identify what level of risk your security team is required to mitigate.

Act tactically, plan strategically

In the words of Ben Franklin, “By failing to prepare, you are preparing to fail.” There’s no guarantee your business will never be hacked. At the same time, there’s no point in fighting the threats of the present with tools from the past. Identifying future risks is a vital part of cyber hygiene. Threat actors today move much faster than any security person could respond with manual tools. Automation is ‘de rigueur’ for cyber criminals, and ‘Malware-as-a-Service’ and ‘DDoS-as-a-Service’ have plagued us for many years now. You need a future-proof solution which enables you to adapt your response in the heat of the action. Using adaptive response technology is one way to do just that. A connected nervous system enables organisations to centrally analyse and correlate a wide range of data across a multi-vendor environment, helping their security team to work faster and with more agility. This is especially crucial when attempting to outsmart teams of hackers.

Overall, the growth in the frequency and sophistication of threats is far outpacing traditional security technologies. It’s imperative to take the relevant steps to preserve the cyber health of your organisation. Now is the time to update your systems and ensure you’re well positioned to defend against the complex attacks of tomorrow.

About the author

Managing Splunk’s business across Australia and New Zealand, Simon is tasked with owning the sales strategy, culture, leadership and people management of the sales operation. He has more than 25 years of experience in IT sales and business management. Prior to working at Splunk, Simon held sales and management positions at a variety of enterprise technology organisations, including Dell EMC and Symantec. Simon is based in Melbourne, Australia.

Australian Cyber Security Magazine | 15


Cyber Security

The ASX 100 Cyber Health Check Report: What’s next for your board?

By Michael Trovato GAICD, CISM, CISA

The Australian Stock Exchange (ASX) and the Australian Securities and Investments Commission (ASIC), along with the “Big 4” accounting firms, have released the ASX 100 Cyber Health Check Report (the ASX Report) to establish a baseline in cyber security via a high-level “health check”. I commend the ASX and ASIC and the other participating companies for the leadership they have shown. Efforts like these are real accomplishments of cooperation and collaboration towards a common goal of a resilient ecosystem. Although the arc of progress described in the ASX Report might be tilted towards goodness, it is also clear that much more needs to be done. After reviewing it and reflecting, I would recommend:

1. Make sure the board has sufficient cyber security expertise or advisors;
2. Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal, and compliance;
3. Use the results of the ASX Report for discussion at your next board meeting;
4. Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly;
5. Include cyber security as a quarterly agenda item, or more often as needed;
6. Measure your board’s performance in this critical area; and
7. Learn from peers on other boards.

Today, I want to focus on the first item. Most importantly, expertise at a board level comes from knowing the ‘that’, ‘how’, and ‘why’ of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board, on the audit and risk committee, or as an advisor. The ASX Report made a clear effort to survey persons like this – but in some cases companies struggled to find a person to answer the questions, or they feared sharing details, as 24% of companies did not respond.

The ASX 100 Cyber Health Check Report, as a baseline


The ASX Report says that it “can act as a baseline where companies can see how they rate against their peers and can take practical steps to improve their cyber security.” I would caution against using the ASX Report as a benchmark, though, as it may reflect a perceived rather than an actual cyber security profile. Each company must do the hard work of learning where it stands; while baselines may be useful, they are a single data point or a vehicle for discussion. In the ASX Report, cyber security is often the domain of the board’s audit or risk committees (64% of respondents), allowing a subset of directors with relevant skills to focus on cyber risk. Considering the maturity of cyber security governance in Australia, this is the result I would expect, and those committees are probably the most qualified to evaluate cyber risk.

This is good, but is it good enough? The answer depends on your board’s capabilities and strategic industry focus. I recently read in The New Yorker that the ‘British philosopher Gilbert Ryle gave an influential lecture about two kinds of knowledge. A child knows that a bicycle has two wheels, that its tires are filled with air, and that you ride the contraption by pushing its pedals forward in circles. Ryle termed this kind of knowledge—the factual, propositional kind— “knowing that”. But to learn to ride a bicycle involves another realm of learning. A child learns how to ride by falling off, by balancing herself on two wheels, by going over potholes. Ryle termed this kind of knowledge—implicit, experiential, skill-based— “knowing how”.’

So, boards must know their organisation’s risk framework, risk appetite, regulatory or other stakeholder obligations, the data and systems that must be protected, strategy, and investments. But they must also learn how to apply this knowledge – thereby understanding how these factors affect strategy, financial results, risk, or compliance outcomes. The article went on to describe how the most powerful element of interaction was not knowing that or knowing how—not mastering the facts of the case, or perceiving the patterns they formed. It lay in yet a third realm of knowledge: “knowing why”. This is what boards and their risk committees must be able to do; it is critical to their success.

Boards must be able to ask “why?” They must be able to ask, “Why is this happening?” or “Why is this getting worse?” In some cases, their governance and business experience will guide these questions. But in others, deeper cyber security experience is required to ask the right questions and to critically evaluate the answers. Cyber security is a pervasive risk and an arcane, deep, and fast-moving area of knowledge that many board members lack. The 2016 Global Board Directors Survey by retained search firm Spencer Stuart indicated cyber security was a weakness in most boards.

Board and risk committee evaluations – identifying areas of board strength and weakness in skills, behaviours, meeting effectiveness, reporting, composition, and stakeholder engagement – are required for cyber security. Further, cyber security experience at board level, through its members, committees, and advisors, is required on an ongoing basis, across the entire board agenda, to build skill and knowledge.

Progress at board level may be happening more slowly than we need, and as a result, government and the courts may end up driving the process. In the US, the Cybersecurity Disclosure Act of 2017, or S.536, is being deliberated. It would mandate that companies have a cyber security expert sitting on their board or explain why it is unnecessary in their industry. Australia may not follow this direction, but we would be advised to follow it in spirit. The Australian Institute of Company Directors (AICD), ISACA, ISC2 and other professional organisations are positioned to promote this idea to boards and executives, with further support from ASIC and the ASX. Most boards today are outgunned by cyber criminals. Getting the right knowledge and experience integrated into the board will be essential to achieve the desired outcome of organisational resilience. There is still much work to be done.
About the author
Cyber security and technology risk advisor to boards, board risk committees, and executive management including CEOs, CIOs, CISOs, TSOs, and CROs. Helps key stakeholders understand the obligations and outcomes of effective cyber security. This includes solving an organisation’s greatest issues with respect to regulatory, industry, and company policy compliance, and protecting what matters most in terms of availability, loss of value, regulatory sanctions, or brand and reputation impacts, balanced with investment. Key Australian and US roles: ICG, Global Cyber Practice Leader; Cyber Risk Advisors, Managing Partner; EY Cyber Security, Lead Partner; NAB Group, GM Technology Risk and Security; KPMG, Partner Information Risk Management; Salomon Brothers, Internal Audit; MasterCard International, Principal. Graduate Australian Institute of Company Directors (GAICD); ISACA Melbourne Chapter Board Member. Certified Information Security Manager (CISM); Certified Information Systems Auditor (CISA); PCI DSS Qualified Security Assessor (QSA). MBA Accounting and Finance and BS Management Science, Computer Science, and Psychology.


Building a modern security operations centre: How to protect your organisation’s information

By Jason Legge, Head of Security Consulting, Huntsman Security

Security Information and Event Management (SIEM) technologies are not new, but there remains plenty of misinformation and misunderstanding about how to use them. Critics dismiss them as little more than log collection and storage tools that, due to their management overhead, give little in the way of return on investment (ROI). What these critics fail to acknowledge is that by rethinking how security operations centres (SOCs) operate, SIEM technologies deliver significant operational benefits and efficiencies. Do you know what it takes to deploy a SIEM and upgrade your security to enable proactive threat hunting? By integrating a SIEM into the core of your SOC and re-engineering some of the processes, you can start to improve your cyber assurance and realise a highly favourable ROI.

Let’s start with staffing; you might already have a security team looking after firewalls, antivirus products and intrusion prevention systems. That’s a lot of “security systems” to monitor, and the addition of a SIEM may just add yet another thing to do. But what if you look at the SIEM from the perspective of a consolidation technology, which merges information from all these systems into a single screen? Instead of going straight to security operations, start talking to your network, server and desktop teams, and maybe even your database team, to see which aspects of security operations would sit more naturally with them. For example, adjusting the rule-set on a firewall is not unlike changing the configuration on a router or core switch. Your network team almost certainly knows all about firewall administration already. Firewalls are simply another networking device. If you can move the operation and management of your firewalls to the networking team, you’ll have freed up time for your security operations team to focus on threat management and assurance. A second example might be to consider reallocating responsibility for your antivirus technology to your server and desktop team. That team usually manages the configuration and software build of operating systems, along with software distribution and general systems administration, so adding your antivirus technology to their portfolio makes logical sense.

These small changes are starting to free up enough time for your security team to initiate proactive threat hunting practices and develop more rigorous vulnerability assessments. Reallocating workflows and IT management activities to other technical teams can free up valuable security resources to refocus on streamlining processes and making proactive improvements; but don’t stop there. Run the next phase of modernising security operations as a project. Appoint a project manager, set the scope and identify all the requirements of a contemporary security operations centre. Now you can focus on getting the best out of your SIEM platform. The scope of your operational activities includes maintaining compliance, detecting and reporting on threats, and incident response. To achieve these deliverables, you will be collecting and analysing significant amounts of data to allow your operations team to undertake two kinds of activities:

1. Historical log analysis, used for audits and forensic investigations;
2. Real-time alerting, based on identifying threats from individual records or correlations that fire when a series of security events are detected.

Your design team should produce workflows and process documentation for all the activities the security operations team will undertake, including any incident management and compliance reporting that the organisation needs to consider. Integration of operational security processes with the rest of your service management team’s processes is essential to optimise successful security outcomes. The security team needs representation on your Change Approval Board (CAB) so that they are aware of any changes to the infrastructure or network that might impact the SIEM application directly or indirectly. Security analysts can also use the CAB approval of a database update to trigger a proactive response, for example, to run exercises with the database administrators to identify any vulnerabilities in the new system (producing specific events when identified attacks occur). If you already have an effective incident management procedure, make sure you integrate security incident management processes into it so that first-line resolver groups (service desk) know how to handle all types of incident. Equally, if you have a problem management process, extend it to include resolution of security problems. All of this becomes an extension of the SOC.

Working closely with other operations managers from diverse areas of the business is critical to make sure security obligations and requirements are coordinated and delegated appropriately. Enlist them as stakeholders and train them to understand security requirements. In doing so, you will improve general operations and streamline the processes to deliver proactive security, as well as pushing security awareness throughout the IT management team. By performing consistent and comprehensive infrastructure monitoring and having an efficient change management process, the SOC team can focus on reporting by exception, rather than simply indicating change-related activities. This shift in emphasis will take hold over a transition period as the number of incidents starts to reduce (cutting false positives). The quality of security reporting will also improve, and you’ll notice better collaboration between the SOC and the rest of your service management team. The establishment of formal processes and workflows will enable performance measurement and form the basis for continuous process improvement and ongoing refinement of your security capability.

Now that you have installed your SIEM at the heart of the security operations centre, analysts can add the specialist oversight necessary to drive the delivery of new and improved outcomes. Continual improvement of analysts’ processes and training them in threat modelling and threat hunting skills will ensure cyber-readiness across the team. Your SOC now monitors the pulse, blood pressure and temperature of your organisation, and as soon as it gets sick, your analysts will know about it. Welcome to a modern security operations centre.

About the author Jason works directly with customers, Huntsman’s channel partners and internal teams to provide solutions to cutting-edge cyber security challenges. Jason’s extensive experience in the areas of security threat analytics and incident response means he is well aware of the demands faced by analysts in quickly and accurately resolving cyber threats. Before joining Huntsman, Jason headed up the High Security Operations Centre for a UK government agency for six years. During that time, he advised business leaders, security accreditors and IT operations managers and analysts at a national level on IT and cyber defence threat mitigation strategies and SOC design and operation. Jason may be contacted at jlegge@huntsmansecurity.com Please visit the Huntsman Resources page at www.huntsmansecurity.com/resources/ for White Papers, Compliance Guides, Solution Briefs and Product Brochures.



Know Your Enemy

By David Stafford-Gaffney

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War

Let me introduce you to Steve and Joanne. They both run successful businesses and both understand the need to plan their business activities to ensure success. Steve comes into work, as he has done each day for many months, and works on planning and execution strategies for several projects. Joanne does the same.

Reconnaissance: Steve and Joanne start by gathering useful information about their target customers, allowing them to kick off advertising campaigns, which will hopefully lead to their financial success.

Weaponising: Someone in Steve’s organisation (Gary) receives an unexpected email. Good news, he has won the Nigerian Lottery without even buying a ticket – how lucky is that?

Delivery: Gary was somewhat suspicious of this lottery win. Yet, if it is legitimate, he doesn’t want to pass up getting his prize directly from the Prince of Lagos. So, Gary opens the email and quickly scans the text, then hits the power button on his computer – there is no way those hackers are fooling him. He’s way smarter than the scammers, as he knows the malware needs time to encrypt his disk. Nevertheless, he’s disappointed that the email seems like a hoax. Oh well, hopefully the Powerball on Saturday night will pay out.

Exploitation: Steve, none the wiser to Gary’s disappointing lottery failure, continues with his latest project, deciding he’ll look up a few sales targets on LinkedIn. Joanne, on the other hand, just had a hit. One of her target customers responded to her latest email advertising campaign. She steps it up a notch, putting the final building blocks into place. It’s time to close out this deal.

Malware: Being a cautious and experienced salesperson, Joanne deploys a couple of useful tools to ensure persistence and longevity with this customer. You never know when you’ll need another angle to attack this customer.

Command and Control: Joanne’s campaign is in full swing. She has engaged her new client and opened the door for all her organisational resources: technical, managerial and social teams all start assisting her mission, ensuring her success in meeting her sales targets.

Actions on objectives: Steve is plugging away, following up on leads with as many people as he can, but it’s a tough quarter and there’s a lot of competition. Joanne, on the other hand, looks like she’s up for a salesperson of the quarter award.

I know that anyone in security reading this might be expecting Steve’s files to suddenly be encrypted – we all know about WannaCry and NotPetya and it’s the first thing you think of these days. Yet in this case, while Joanne is the attacker, she (and her organisation) is not looking to cause damage, deny service or hold Steve’s files to ransom. If she wanted to, then Steve, Gary and many other workers would already know about it. Instead, Joanne is after a much bigger prize. Motivationally, both salespersons are capable, hungry for success and financially motivated – the main difference is that one does it legally and the other does not. Joanne works for a highly motivated organised criminal gang, which, just like any other company, outsources tricky technical stuff to subcontractors. The troubling aspect of this kind of attack is that it targets integrity, making subtle and hopefully unrecognisable changes to processes, manipulating their marks into following their own processes, but guided by Joanne’s hand.

For Joanne, gaining access was the first step in a longer play: the Business Process Compromise (BPC). Mature processes can be your friend and your worst enemy. Processes can be logical and/or procedural, making it important to understand how each works so that you can identify weaknesses and minimise the impact of compromise. We mature and embed our processes because they offer a standard approach to repeatable tasks and, more importantly, staff follow them without question, thus guaranteeing the outcome. It’s the rigour in following the process that provides the weakness the criminals exploit. By their nature, when someone deviates from the process, unexpected things happen. Processes can be complicated and are often unique to a specific business. The more complicated the process, the more likely it has a weakness that the criminal can exploit. The goals and motivations of the attacker may well be financial, but the process itself doesn’t have to be directly a financial one; all it needs to do is lead to the criminal’s financial gain.

One real-world example is the criminal attack on several shipping companies at the Belgian port of Antwerp. Hackers working for drug traffickers infiltrated the shipping companies’ IT systems and manipulated their processes to modify the placement of containers. This allowed the drug traffickers to more easily retrieve their shipments of drugs. Understand that there is formidable capability for hire on the dark web and criminals are playing the long game. This example was two years in the planning and execution (over 700 days), with the hackers sitting inside the victims’ networks, gathering information and planning the execution with absolute precision. Notably, it was a combination of malware delivery and the physical application of key logging devices that led to their success. So, make no mistake, this is real, and the companies that were attacked didn’t need to be massive multinationals: they just had to be operating in an environment in which someone could benefit. To read more about this case, it’s covered well on the BBC’s website: http://www.bbc.com/news/world-europe-24539417.

Recall the $82m pay day for the criminals that targeted the Bangladesh Bank and precisely exploited weaknesses in the SWIFT service? This too was a BPC. It could have been an insider, working under the influence of a compromised asset for an organised criminal syndicate, or a legitimately hired finance officer operating with malicious intent. It might have been perpetrated by an Advanced Persistent Threat (APT), compromising the network in the same way the hackers did in Antwerp. They worked for months making small changes, such as disabling a printer so that records wouldn’t print, in turn preventing officials from viewing the logs relating to fraudulent transfers. In this case, the transactions were authorised, so it wasn’t the financial process that was under fire, but the destination of the fund transfer. Fast forward to pay day and they cleared a cool $82m.

Closer to home, another example was provided by a state-based law enforcement organisation, where a BPC was delivered over the telephone. The interesting element of this attack was that malware was not required. This was an exercise in influence, targeting the human asset. The adversary, in this case, completed appropriate reconnaissance, likely via LinkedIn. They contacted the construction company and pretexted as a real customer that they knew was building with them. Posing as a legitimate customer requiring a simple update on a recent invoice, they requested two simple pieces of information, the invoice number and the amount, so they could arrange prompt payment. Pleased, the builder obliged. Predictably, they then called the customer and posed as the builder, this time armed with the invoice number and the right amount, and required one slight change to the information: they needed the victim to pay the amount into a different bank account. With such specific information, the customer was more than happy to change their details to allow payment to the builder. The result was a $3.2m payday for the adversary. These attacks generally require a lengthy engagement, arguably not $82m worth; however, to understand this more, look no further than Lockheed Martin’s Cyber Kill Chain®. It describes the process the criminals follow to plan and execute an attack.

Figure 1 - Cyber Kill Chain® - Lockheed Martin http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html


The Kill Chain covers the entire process: even the bad guys have well-developed processes to follow, because they know that if they follow the process, their likelihood of success is higher. This is where we can gain an advantage; as they attempt to launch a BPC, so too can we. If we understand how they operate, then we can seek to target our mitigation strategies at differing parts of the Kill Chain rather than focusing only on technology controls (firewalls, IPSs, etc.). The cyber threat response needs to be planned and measured; we need to understand what risks these organisations pose to ours, as this provides us with a broader understanding of how they operate. We can then apply appropriate mitigation strategies, aimed at various points in their process, rather than just at the perimeter. Once we have this understanding, it is easier to communicate what we’ve done to our customers, our staff and our executives, so that confidence in our ability to appropriately mitigate risks and increase the security posture of the organisation improves. We’ll look deeper into BPC and cyber threat mitigation strategies in Part 2 of this article in the next issue of ACSM.





I want to be a hacker: But where do I start? “Being a pen-tester does not mean being good at using tools either. It’s about being able to understand how things work, how things are configured, what mistakes people make and how to find those weaknesses by being creative. Being a pen-tester is not about launching Metasploit against the internet.” - Corelan Team

A

By Ricki Burke

and Dawid Bałut

s an information security recruiter, I’ve worked with countless numbers of professionals in this incredibly diverse industry. One question that I get asked time and time again is how do you get started in infosec? So, I decided to collaborate with a great connection of mine called Dawid Bałut, who is an experienced security professional who set up his own boutique security consultancy called, InfoSec Remedy. After working as an internal security professional – as a security engineer, moving up to principal security architect and executive board advisor – and then operating as a freelance penetration tester, Dawid gets to work with his ‘proven in battle’ colleagues, delivering outstanding penetration testing and security consultancy outcomes for customers. Both of us are often asked to proffer advice to those looking to get into penetration testing, so we decided to co-author this article on how to get started. As a recruiter, I am asked to fill positions across the full spectrum of roles in this industry, all the way from the glorious heights of CISO down to finding the next generation of security professionals. Unfortunately, I have limited capabilities in helping those looking to get into the industry. Sometimes the best I can do is provide advice,

24 | Australian Cyber Security Magazine

especially regarding one of the most sought-after roles, that of the ethical hacker or penetration tester. For those wanting to get a great job like this, it’s probably one of the easiest. Why? Because you can upskill yourself without having to rely on an employer. The problem is that there is a difference between wanting something and being able to offer it back to the employer. Yet, it’s when you can offer these as professional skills that organisations are interested, so how do you get there? Let’s look at some of the activities that people looking to get into infosec need to consider: •

There are plenty of ways to learn and develop your skills, like reading books, reading (or writing) blogs or taking online training courses, such as those from courser (https://www.coursera.org), cybrary (https://www. cybrary.it) or securitytube (http://www.securitytube.net). You can even take some of the free Computer Science lectures published by universities like MIT. You should learn what real-life software engineering is like. Get some computer code and learn about


Cyber Security

development methodologies, such as DevOPS (https:// en.wikipedia.org/wiki/DevOps). It makes sense to become an IT security generalist, then go deeper into a specific subject so that you have both the big picture and can focus in on your specialism during a security engagement. If your knowledge is too narrow, you may end up missing critical issues because you simply didn’t have the knowledge to see the whole picture. Contribute to open-source projects or volunteer to be an intern in start-ups like Peerlyst (https://www.peerlyst. com), where you are not required to produce quality content, instead you moderate existing content. Immerse yourself in the best online resources, such as OWASP (https://www.owasp.org) and PTES (http:// www.pentest-standard.org/index.php/Main_Page) , but don’t jump directly into the technical detail. Read the prefaces, descriptions of business objectives and all the guides on how to be an ethical hacker. SANS and NIST are also your friends, so sign up to their newsletters and read as many of their papers as you can. Read and get to know the CIS Benchmarks (https://www. cisecurity.org/cis-benchmarks/) and DISA STIGS (http://

iase.disa.mil/stigs/Pages/index.aspx) to learn how to harden computer systems. Knowing how a system is hardened gives you the foundation of knowledge you need to know where to look for weaknesses. Get hold of resources explaining compliance frameworks and standards, such as ISO27001, SOC2, PCI-DSS and COBIT. Also, look at the Australian government’s Protective Security Policy Framework (PSPF) and the Australian Signals Directorate’s Information Security Manual (ISM). You are not looking to become an expert auditor, but you need to know why and how organisations need to adhere to compliance frameworks. If you want to show-off your knowledge or just have fun, participate in bug bounty programmes using platforms such as Hackerone (https://www.hackerone.com) or Bugcrowd (https://www.bugcrowd.com). Learn from other bug bounty programme reports and apply the knowledge you learn from them in looking for bugs in other software. This process of looking for vulnerabilities is the same process you’ll be using as a penetration tester – gathering and applying the knowledge of people who were there before. Consider this your, “Standing on the shoulders of InfoSec giants.” Don’t ruin your reputation by reckless reports or public disclosure that puts users at risk. Check, check and check again. If you need to, collaborate with someone else that can help you confirm your work is correct. Participate in so-called capture the flag (CTF) contests to make you more creative. You’ll get to work and collaborate with great people and you’ll get exposed to new technologies that you might not have considered working with. Take the formal education route and get a degree. You need discipline to be a penetration testers and a formal degree will help you create the discipline in your life that you need to do this job well. 
However, one caution: degree qualifications are not essential to be a penetration tester. A degree is a process you go through to build your own analytical skills, not something a hiring manager will necessarily look for.

Get your OSCP (https://www.offensive-security.com). This is by far the most commonly requested certification in penetration testing. In Australia (and in the UK), CREST is also an important body to consider once you’re more experienced. It’s true that a certification cannot tell an employer exactly what level you are at in any given subject, but OSCP and CREST will certainly make you stand out from the crowd and give you more options.

Don’t shy away from publishing vulnerability research and submitting CVEs. This is one of the most important aspects of the job, and it’s important that you learn how to disclose vulnerabilities in a responsible and ethical manner. Writing articles for well-known websites can also help. Choose wisely, though, as not all websites have a good reputation. For example, submit a PDF of your work (if applicable) to Exploit-DB, Packet Storm Security and the like. If your paper is of a highly scientific nature, try http://arxiv.org.

Write your own security blog where you regularly post about your work. You can also try to get your work featured elsewhere, maybe on a collaborator’s blog, so that you gain more attention. One warning, though: refrain from spamming people with low-quality content. On your blog you can publish anything you like, but when submitting something to another site (especially a more popular one), make sure you’re providing value. Publish on your own website even if you don’t feel your research is remarkable. Even if you’ve been in the industry for just one month, there are people behind you who will appreciate your work. If you think you’re not good enough, that can be a good sign; as HD Moore’s saying goes, “if you’re not feeling like a noob, you’re not trying hard enough.”

Do you have a GitHub account? If not, get one. You can showcase your code there and share it with the world. Try developing your own security tools. Even if something has already been created, do it for the learning experience. If you have no idea what tool to write, pick an existing one and try to write the same thing yourself.

Find some mentors and get inspired by as many professionals as you can get access to. Without a mentor, you can end up drifting through your career without improving. Sticking to a single role model can be just as dangerous, though. Each mentor has different strengths and weaknesses, so be aware that a mentor who is religious about a narrow subset of skills may narrow the career options of someone who is totally different from them. Also, find someone whose career inspires you, and follow their path.

Go to conferences and interact with penetration testers and security product vendors. Some conferences offer sponsorships, such as free tickets for mature students. Don’t be afraid to ask whether vendors are hiring and find out what they’re looking for: do they want penetration testers, and if so, are they after juniors or highly credentialed experts?
Try to present your research at a security conference. At the beginning of your career, local meetups, chapter meetings of AISA (https://www.aisa.org.au) and local conferences provide an audience where you can contribute and bring value. Also, remember that if you’ve been in the field for just a few months and have just learnt how SQL injection works, you won’t get that kind of talk accepted at DEF CON (https://www.defcon.org). Submit interesting responses to conference CFPs (Calls for Papers). If you get accepted, do your best to make an interesting demo or talk. Don’t put too much information on the slides (no walls of text) and put in a lot of preparation. If you are doing a technical demonstration, rehearse it with friends, family or colleagues to make sure it works and flows. Presenting at a good conference is a great way to get noticed.

Submit an interesting response to a CFT (Call for Tools; this is not an official term!). Conferences like Black Hat are always looking for people to submit new security tools they have developed. Make sure you do a kick-ass demo for the crowd. Present in a friendly and engaging way, and be as relaxed and conversational as you can be on stage. This is your topic and this is your community: Black Hat Arsenal (https://www.blackhat.com/us-17/arsenal-overview.html) is a highly interactive event where researchers are given the opportunity to showcase their open-source tools, so the presentation style is different from corporate or vendor conferences and should be relaxed, interesting and interactive.

To be effective as a penetration tester, you need to know how to work with people. You will be working in highly motivated teams of technical experts, as well as dealing directly with very senior customers, such as CISOs and CIOs. Read a few leadership books to learn how to use empathy in your engagements. Build a solid understanding of business so that a prospective employer sees you as someone who knows that business is about money, not about having fun. Reading business books will help. Focus on the specific value that you can bring, and know your limitations. It’s better to start with a lower-paid job that allows you to put food on the table while you learn and get promoted into a more senior role: micro speed, macro patience. Finally, do what you’re passionate about and you’ll get good at it. Focus on what makes you tick, because what fires you up differs from everyone else, and you should carve out your own path.

The common denominator across each of these suggestions is that you need to demonstrate your passion rather than just talk about it. There is incredibly high demand for security professionals, and it is getting easier to find a job, but the most important advice from a recruitment perspective is to remain passionate and dedicated to the field. That passion and dedication will be obvious when you interview, and it’s that drive that will persuade a hiring manager to take a risk on you. Doing research on your own is one of the most important aspects of a career in infosec, so forget about whether OSCP is better or worse than CEH; if you are asking this question, you’re doing it wrong. Focus on learning and proving yourself, and the certifications can come with time.

About the Authors

Ricki Burke is the Director of CyberSec People, a Melbourne-based cyber security recruitment company supporting companies both locally and internationally. He is also the founder of CyberSec Career Kick Start, a series of events for those looking to get into the cyber security industry.

Dawid Bałut is the founder of Infosec Remedy, a Poland-based information security consulting company. Dawid has a strong background in penetration testing and supports organisations with a range of security services, from pentesting to security architecture, security awareness training and beyond.


Effective Application Whitelisting

Airlock Digital enables organisations to implement and maintain application whitelisting, simply and securely, even in complex enterprise environments.

Application whitelisting with Airlock is a simple, repeatable process. Until now, application whitelisting has been difficult to deploy and maintain. Airlock has been developed from the ground up by security professionals to solve real world problems with application whitelisting. Airlock incorporates proven and effective workflows, designed for ease of use, in dynamically changing environments.

Secure whitelisting. Not all application whitelisting solutions are created equal. Airlock is designed to be the most secure application whitelisting solution on the market, supporting pure hash-based whitelisting on all executable files and application libraries, regardless of file extension.

Airlock Digital is an Australian based company, with offices in Adelaide and Canberra. Airlock is designed to be fully ISM compliant. Creating and deploying whitelists with Airlock is fast, enabling organisations to become secure and compliant, sooner.

LEARN MORE Telephone: 1300 798 925 E-mail: info@airlockdigital.com Web: www.airlockdigital.com @airlockdigital

Watch a product video now or schedule a product demonstration at www.emtdist.com/aw. Airlock is proudly distributed in Australia & New Zealand by emt Distribution Pty Ltd. Partners can learn about the Airlock Digital channel program at www.emtdist.com or call (08) 8273 3030.



A beginner’s guide to bug bounty programmes

By Jason Magic, Cyber Risk Advisor, Deloitte Australia

Bug bounty programmes are a way of encouraging the security community to work together to identify and responsibly disclose security vulnerabilities located within a predefined scope. In return for the researcher’s hard work, organisations offer recognition and rewards, including monetary compensation that can sometimes run to thousands of dollars. Some people make their living as bug hunters, so I wrote this article to help anyone interested get started as a bug bounty hunter.

Firstly, you should understand that, unlike a regular security audit for an industry client, there is massive competition surrounding public bug bounty programmes. As a bug bounty hunter, you are not only up against the security of the target system, but also competing against hundreds or even thousands of other bounty hunters, a number that is continually growing. To be successful, you need to apply lateral thinking to minimise the probability of your report being marked as a duplicate. Don’t think the likes of XSS and SQLi will suffice; you need to be testing for all manner of vulnerabilities, even the highly unlikely and uncommon ones.

Selecting a Platform

I have found that any bug bounty platform that has an intermediary communication medium is best, mainly because it’s easier to contact and communicate with the target vendor. HackerOne (https://www.hackerone.com) and Bugcrowd (https://www.bugcrowd.com) are two well-known platforms that have this feature, and both are great starting points for setting up as a bounty hunter. There are also a few private programmes, such as Synack (https://www.synack.com); however, this platform should only be explored once you have gained considerable experience.

Selecting the Right Programme

Ideally, when you start out as a bounty hunter, choose a programme that has a wide scope and accepts a good selection of vulnerability classes. It’s best to select a programme with a large scope, such as *.example.com, as opposed to subdomain.example.com. The larger the in-scope attack surface and the broader the set of accepted vulnerability types, the easier it is to find vulnerabilities and get a decent payout.

It’s vital that your testing stays within the target of evaluation. The company that is paying for your services has specified the scope that they need you to test. Furthermore, they are not looking for you to exploit the vulnerability, just to prove that it’s there so that they can fix it. If you go too far and start to exploit the target, they will disqualify you from the payout and could potentially even start legal proceedings against you. For example, to verify an RCE vulnerability, use whoami to see which user the command runs as, rather than rm -rf, which is destructive. Never use vulnerability scanners. These are not appreciated in the bug bounty world, since they are noisy and will likely disqualify you from the programme.

After selecting your preferred bug bounty programme, read through all the instructions, both from the platform and from the individual programme. You should now have a general idea of what you’re permitted to look at, so it’s time to start structured testing on the defined target. Since most bug bounty programmes are web-interface focused, follow a web application security testing guide, such as OWASP (https://www.owasp.org/index.php/Main_Page), or read The Hacker’s Handbook for assistance.

Compiling the Report for Disclosure

Once you’ve found a vulnerability, it’s imperative that you provide a proof of concept and the technical details, including replication steps, so that the target company’s team can reproduce it. You not only need to explain the vulnerability, but also demonstrate the threat and its associated risk as far as you can. For example, with a non-persistent XSS, provide payloads such as document.domain rather than a generic alert(1). The document.domain payload is beneficial because it displays which domain the script is executing in, confirming that the injection isn’t sandboxed in some other origin. Furthermore, provide multiple payloads, including reflective defacement payloads to demonstrate phishing attacks, or show how you could serve cross-domain malware from their reputable domain, and so on. You need to demonstrate the danger of your finding. Be clear and concise.

Also, if you locate a vulnerability, don’t rush to report it straight away without investigating it further. One vulnerability may be escalated to a more severe one, which could land you a bigger payout, so it’s worth persisting until you discover all the issues. For example, an LFI could become an RCE; an XXE could become an SSRF; an XSS could be used to drive CSRF, and so on. In each case, this would result in a greater reward.

It may seem like common sense, but especially as a new bug bounty hunter you need to be careful not to disclose the vulnerability anywhere else. If the vendor notices this, depending on their policies, they could disqualify you from a reward and the bug bounty platform might even ban you from further participation.

Bug bounty programmes can be highly rewarding and can also be a lot of fun. However, they do require patience. Prepare to be disappointed, but be persistent. You could work on a programme for weeks without finding anything. At other times, you might get lucky with a nice payout for just a few minutes’ work.
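To show what a report-ready proof of concept looks like for the reflected XSS case above, here is an added Python example; it is not code from the article or from any bounty programme. It puts a vulnerable search handler beside its hardened form (HTML output encoding), checks whether a payload is reflected unencoded, and assembles the reproduction steps a triager needs, using alert(document.domain) rather than alert(1). The two handlers, the parameter name q and the base URL https://www.example.com/search are assumptions made for the example.

```python
"""Reflected XSS: vulnerable handler, hardened handler, and a report-ready PoC.

Added example, not code from the original article or any real programme. Both
handlers are hypothetical stand-ins for a site's search page; the base URL is
a placeholder.
"""
import html
from urllib.parse import urlencode

# alert(1) proves only that a dialog fired; alert(document.domain) shows the
# origin the script runs in, which is what a triager wants to see.
WEAK_POC = "<script>alert(1)</script>"
POC = "<script>alert(document.domain)</script>"


def vulnerable_search_page(q: str) -> str:
    """Hypothetical vulnerable page: the query is reflected into HTML unencoded."""
    return f"<html><body><h1>Results for: {q}</h1></body></html>"


def hardened_search_page(q: str) -> str:
    """Same page with contextual output encoding for an HTML text node."""
    return f"<html><body><h1>Results for: {html.escape(q, quote=True)}</h1></body></html>"


def reflects_unencoded(render, payload: str) -> bool:
    """True when the payload comes back byte-for-byte, i.e. no encoding was applied."""
    return payload in render(payload)


def build_report(base_url: str, payload: str) -> dict:
    """Assemble the reproduction material a triager needs: URL, payload, expected effect."""
    poc_url = f"{base_url}?{urlencode({'q': payload})}"
    return {
        "title": "Reflected XSS in search parameter q",
        "poc_url": poc_url,
        "payload": payload,
        "steps": [
            f"1. While logged in, open {poc_url}",
            "2. A dialog appears showing the application's own domain.",
            "3. The domain shown confirms the script runs in the application origin, not a sandbox.",
        ],
    }


if __name__ == "__main__":
    print("vulnerable reflects payload:", reflects_unencoded(vulnerable_search_page, POC))
    print("hardened reflects payload:  ", reflects_unencoded(hardened_search_page, POC))
    print(build_report("https://www.example.com/search", POC)["poc_url"])
```

The checker only asks whether the dangerous characters survive unencoded; a plain word will pass through the hardened page too, and that is fine, because the defect is the missing encoding, not the reflection itself. Running the same check against the fixed handler is also how you confirm the remediation before the programme closes the report.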
Once you have disclosed a certain number of bugs, you’re likely to be invited to private programmes, which greatly reduces the competition with other researchers and often pays very well (e.g. $500 per XSS). Bug bounty programmes are a great learning experience for security professionals and can be highly enjoyable while earning you big payouts. Not only can you make a good living as a bug bounty hunter, but it also looks great on your CV. For this reason, it’s highly recommended for any newcomer to security, since it has the potential to provide amazing career opportunities within the security community, as it has done for me. Good luck, and happy hunting.


Hacking your own company:

Before the bad guys do it for you

By CF Fong, CEO of LGMS; IDG’s CSO of The Year 2013; Cyber Security Professional of The Year 2016

For those of us who are familiar with the term ‘hacker’, we understand the general public’s perception of what a hacker could do, which usually leans to the negative. The mass media, too, often portray hackers as the executors of all evil in cyberspace. In the real world there is a group of individuals with good intentions who ‘hack’ for a good reason and purpose; we call them ‘White Hat Hackers’. Contrary to common belief, White Hat Hackers do carry out penetration testing or ethical hacking, just as malicious hackers do; however, White Hat Hackers do so with the sole objective of discovering vulnerabilities in the test target, reporting them, and providing recommendations and advice to the target owner.

Penetration Testing in Malaysia

White Hat Hacker services are nothing new in Malaysia. Major financial institutions and telecommunication operators in Malaysia have engaged trusted security firms offering White Hat Hacking services for decades. The engagement frequency is usually based on the risk appetite of the organisations themselves. With the pro-active discovery of loopholes and vulnerabilities, organisations can stay abreast of the latest cyber threats and become vigilant in combating malicious hacking attempts.

A good example is the recent ‘WannaCry’ ransomware attacks. WannaCry targets vulnerable and outdated Microsoft Windows systems to encrypt files and replicate itself to new targets. Pro-active organisations that had been conducting regular penetration testing and vulnerability assessments would have had these outdated Windows systems identified during the testing and assessment exercises. Chances are, they may already have decommissioned or patched these systems prior to the WannaCry pandemic.

What is Vulnerability Assessment?

There is still much confusion between ‘Penetration Testing’ and ‘Vulnerability Assessment’. To understand this further, we can walk through an example below.

Vulnerability assessment is conducted to understand and discover the ‘vulnerabilities’ or loopholes in an assessment target. An assessment target can range from a single computer to a network of servers and networking equipment. As the name implies, the main objective of a Vulnerability Assessment (‘VA’) is to identify vulnerabilities. A security analyst can identify common vulnerabilities by analysing the assessment target from various angles: the software the assessment target is running, its networking function and sometimes its business functionality.

From a more technical perspective, some assessment targets exhibit obvious vulnerabilities. For example, if the assessment target is an old and outdated Microsoft Windows XP system, the analyst can conclude that it is vulnerable to various SMB protocol attacks, plus any attack discovered after April 2014, when Microsoft stopped releasing patches for Windows XP. During the Vulnerability Assessment, the security analyst may also cross-check potential vulnerabilities on an assessment target by referring to a vulnerability database relevant to the target. A database commonly used for this purpose is the National Vulnerability Database (NVD), currently maintained by the National Institute of Standards and Technology (NIST).

It is also interesting to note that the Vulnerability Assessment activities mentioned above can sometimes be fully or semi-automated. There is plenty of software on the market that can be used to carry out such assessments. Nevertheless, the accuracy and relevance of the assessment results often depend on tuning by an experienced security analyst.
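To make the matching step concrete, here is an added Python example; it is not LGMS’s tooling or any real scanner. It runs a constructed asset inventory against a constructed vulnerability database: a host is flagged when its platform is past end of support (the Windows XP date referred to above) or when an installed service version is below the version in which a record says the issue was fixed, and the findings are then ordered by severity for the remediation list. The hostnames, versions and EXAMPLE-nnnn identifiers are placeholders, not real CVE entries.

```python
"""Vulnerability assessment as data matching: asset inventory x vulnerability database.

Added example, not LGMS's method or tooling. The inventory, the vulnerability
records and their identifiers (EXAMPLE-nnnn) are constructed for illustration
and are not real CVE entries; a real assessment would draw on the NVD or a
scanner feed instead, and on a proper version-comparison library.
"""
from dataclasses import dataclass
from datetime import date

# End-of-support dates the analyst knows for platforms in scope. The Windows XP
# date is the one the article refers to (Microsoft ended XP support in April 2014).
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Asset:
    host: str
    os: str
    services: dict  # service name -> installed version, e.g. {"openssh": "7.2p2"}


@dataclass
class VulnRecord:
    ident: str      # constructed identifier, not a real CVE
    service: str
    fixed_in: str   # first version that is no longer affected
    severity: str
    summary: str


@dataclass
class Finding:
    host: str
    ident: str
    severity: str
    detail: str


def parse_version(v: str) -> tuple:
    """'7.2p2' -> (7, 2, 2); '2.4.29' -> (2, 4, 29). Non-digits are dropped per chunk."""
    parts = []
    for chunk in v.replace("p", ".").split("."):
        digits = "".join(ch for ch in chunk if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(assets, vuln_db, today="2017-06-01"):
    """Flag unsupported platforms and services older than a record's fixed_in version."""
    as_of = date.fromisoformat(today)
    findings = []
    for a in assets:
        eos = END_OF_SUPPORT.get(a.os)
        if eos and as_of >= eos:
            findings.append(Finding(a.host, "END-OF-SUPPORT", "critical",
                                    f"{a.os} unsupported since {eos}: every new flaw stays unpatched"))
        for svc, ver in a.services.items():
            for rec in vuln_db:
                if rec.service == svc and parse_version(ver) < parse_version(rec.fixed_in):
                    findings.append(Finding(a.host, rec.ident, rec.severity,
                                            f"{svc} {ver} < {rec.fixed_in}: {rec.summary}"))
    return findings


def prioritise(findings):
    """Order findings for the remediation list: most severe first (stable sort)."""
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)))


# Constructed inventory and vulnerability records (placeholders, not real data).
INVENTORY = [
    Asset("hr-pc-01", "Windows XP", {}),
    Asset("web-01", "Ubuntu 16.04", {"openssh": "7.2p2", "apache": "2.4.18"}),
    Asset("web-02", "Ubuntu 16.04", {"openssh": "7.4", "apache": "2.4.29"}),
]
VULN_DB = [
    VulnRecord("EXAMPLE-0001", "openssh", "7.3", "medium", "constructed: information disclosure"),
    VulnRecord("EXAMPLE-0002", "apache", "2.4.26", "high", "constructed: request handling flaw"),
]

if __name__ == "__main__":
    for f in prioritise(assess(INVENTORY, VULN_DB)):
        print(f"{f.severity:8} {f.host:10} {f.ident:15} {f.detail}")
```

The version parser is deliberately simple (it strips letters per dotted chunk, so 7.2p2 sorts below 7.3). In practice the tuning by an experienced analyst that the article mentions is largely about exactly this point: back-ported fixes and distribution version strings that a naive comparison misreads, which is why automated output is the starting point of an assessment rather than the finding.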

What is Penetration Testing?

In essence, penetration testing can be described as an extension of Vulnerability Assessment. During the Vulnerability Assessment process, the analyst gathers vulnerability intelligence about the assessment target; this intelligence can then be exploited by the penetration tester to penetrate the assessment target. Since exploiting vulnerabilities during a penetration test may introduce varying degrees of impact to the test target, penetration testers normally have a structured test plan and a contingency plan while executing the test, and this is the clear point of differentiation between a professional penetration tester and a malicious hacker. A malicious hacker does not necessarily care about the stability of the target, whereas the penetration tester must always ensure that the test plan being executed does not compromise the confidentiality, integrity or availability of the target.

What Should I Choose: Penetration Testing or Vulnerability Assessment?

If your organisation has never performed any security assessment before, it is always easier to begin with a Vulnerability Assessment. The assessment will have the least impact on your current business operations and can be completed in a shorter period than a Penetration Test. New system and network vulnerabilities are discovered almost daily; we are only as secure as we were yesterday. Hence, Vulnerability Assessments should be conducted on a regular basis, with the frequency depending on the risk tolerance of the organisation. Once your organisation’s security controls become more mature in terms of security and vulnerability management, you should consider penetration testing to test the effectiveness of those controls. The penetration testing exercise is a yardstick for how effective your security controls and your current remediation process are.

About LGMS

LGMS started as a specialised penetration testing and security assessment firm a decade ago. Today, LGMS is the single largest vendor-neutral cyber security firm, specialising not only in penetration testing and security assessment but also in computer crime investigation and digital forensics. LGMS is also the first and only Malaysian cyber security consulting firm to hold CREST UK (Council of Registered Ethical Security Testers) certification and PCI QSA and PCI ASV accreditation, and the first company in Malaysia to obtain ISO 9001 quality certification for its professional services, including Penetration Testing and Vulnerability Assessment.


Threat Hunting: Pursue your adversaries

By Brett Williams, Sales Engineering Manager Asia Pacific & Japan, Carbon Black

Instead of sitting back passively and waiting for cyber attackers to set off alarms, organisations should be pursuing them like a cheetah hunting for its next meal. We know the attackers are out there: they are perpetually trying to break in, and many are succeeding. The challenge is to start hunting them to find the shreds of evidence they invariably leave behind.

First, an organisation needs to build a hunting team. Team members should be knowledgeable about the internals of the operating systems (OS) found on their endpoints. The OS will usually be Microsoft Windows, but also Apple Mac OS and perhaps Linux. Threat hunters need to know how these operating systems work at a detailed level, including the following:

• OS process tree structure
• Files used by the OS
• Registry used by the OS (Windows only)

Expertise at this level of detail is important because malware operates within these domains and makes subtle changes to the OS. Threat hunters need to understand what to look for and what ‘normal’ looks like, not just for packets on the network and processes in the OS but at the business application and human activity level, so that anomalies stand out. Those anomalies are the primary sign that malware is lurking on endpoints.

Making the time to threat hunt

It might be necessary to carve out time from the work schedules of existing staff for threat hunting. Depending on an organisation’s size, the time spent threat hunting may vary; in part, it depends a lot on security posture and risk tolerance. Start with two to four person-hours a week dedicated to hunting. When the results emerge, adjust as needed. It is important to see early results from hunts, to show a return on the time investment.

The chosen threat hunters need to have passion! They must think like predators and have a hunger to hunt adversaries. After that important characteristic come other, trained skills, including:

• Operating system internals: This skill is critical. Threat hunters need to understand the rules and practices of process management, file system operation and network communication in each operating system in use.
• Endpoint application behaviour: It’s important to understand how any locally used applications function on the organisation’s endpoints.
• Threat hunting tools: The team needs to understand thoroughly how to use the tools at their disposal, to maximise their effectiveness.
• Incident response procedures: They need to know what steps to take when they discover signs of intrusion, and how to preserve that evidence for potential future legal proceedings.

Put the necessary processes in place

Threat hunting needs to be a structured, long-term effort. There must be a vision for what threat hunting is about and how it works with other IT and IT security processes. This means learning several things, including:

• Endpoint baselines: Continuously hone threat hunters’ knowledge of what constitutes ‘normal’ on the endpoints, so anomalies can be recognised faster. The local context that humans have makes all the difference in detection.
• Improving hunting tools, practices and skills: Hunts must become more effective over time, and threat hunters must learn quickly from the seasoned warriors on their team.
• Improving response: Finding prey requires a response that includes containment and remediation. Mainly, this means doing these things more accurately and faster.
• Improving skills: Threat hunters need to improve their skills and knowledge, not just from threat hunting itself, but from continuing education on ethical hacking, system and network internals, and incident response.

Put the necessary tools in place

Threat hunting is a man-machine activity: it cannot be done with just people or just machines. Without threat hunting tools, there’s no hunt. Endpoints are today’s battleground, where intrusions into enterprises begin. Endpoints are where attackers make their landing in an environment. While the data that attackers seek lives on servers, access to servers starts with endpoints.

Endpoint visibility is the ability to capture, in detail, the activities going on inside every endpoint. If an organisation allows Bring Your Own Device (BYOD), it should achieve this visibility on those machines, too. Include information about every process, including its parents and children, as well as every file that is created, read, written and removed, plus network activity. This information needs to be accessible across the entire organisation, so threat hunters can quickly understand what anomalous activity is going on at any place and time. Another important aspect of endpoint visibility is known as retrospection: the ability to hunt back in time, for example to mine the data for suspicious activity that took place not just yesterday, but last week, last month or even earlier.

In addition to endpoint visibility, having access to network event data is essential. Sometimes the first sign of intrusion is the command and control (C&C) network traffic from a bot that has already compromised an endpoint. Intrusion prevention systems (IPS), web filtering, firewall logs, packet capture and NetFlow tools are good sources for this data. Threat hunters must be able to reference one or more of these tools from time to time, to better understand what’s going on in the network.

Threat intelligence feeds inform threat hunters of the new tools and techniques that attackers are using against other organisations, as well as the domains and IP ranges they may be using. Threat intel feeds are often high volume and delivered in structured formats such as Structured Threat Information Expression (STIX), OpenIOC and Cyber Observable Expression (CybOX). All of these are designed to be fed into an organisation’s security information and event management (SIEM) system, endpoint detection and response (EDR) tools or other threat management platform.

Remember that threat hunting is a man-machine activity. There is a high volume of information on threats and on activity in your environment. To capitalise on this information, the threat team needs to understand what tools they are using and where there might be opportunities to integrate them. A prime example is the fusion of endpoint data, SIEM data and threat intel feeds. By themselves, they’re useful, but when fused together they become invaluable. APIs should also be used where available, so that threat hunters can consume this data and get it into their other systems.

Know the environment

Successful threat hunters need to know as much about their environment as possible, so they can better sense what’s normal and what’s abnormal. As their hunts progress, they develop an intimate familiarity with their environment. Threat hunters spend much of their time observing and becoming more familiar with routine events in their environment. However, they also need to be familiar with the organisation’s architecture: networks, systems, tools and applications. It is key that they understand this independently of their threat hunting, because anything they observe in the environment may or may not be normal, and what they find and consider normal may include things that aren’t allowed.

Threat hunters need to know what the attackers’ goals are. Depending on the attackers and their objectives, this could be information like customer or employee data, or it could be critical assets such as public-facing web servers. They need to know all these high value targets (HVTs), and they need to understand how attackers might go about attacking them. Hunters also need to know how attackers are likely to try to break into their environments. This is part gut feel and part knowing the environment:

• Architecture: Attackers will seek out the weak spots in an organisation’s architecture and data flows that help them discover whatever valuable data they’re seeking and extract it unnoticed.
• Security posture: Attackers will target an organisation’s weak spots. They discover these through simple techniques like port scanning to find unpatched and vulnerable systems. Therefore, threat hunters need to know where those weak spots are.
• People: An organisation’s security culture is a great indicator of its vulnerability. Attackers will gauge how easy it is to lure employees into clever social engineering, phishing or spear phishing campaigns, whether they’re purely online or on-site.
• Threat intel: Understanding how attackers are targeting other organisations gives threat hunters a better idea of how attacks might target their own organisation. While they will be creative and unpredictable at times, attackers are creatures of habit, apt to use tools and techniques that have worked for them in the past. Just as organisations tend to protect themselves in similar ways, attackers are likely to attack in similar ways.
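To make the process-tree baseline, retrospection and data-fusion ideas above concrete, here is an added Python example; it is not Carbon Black’s product logic or any real EDR schema. It builds a parent/child process baseline from constructed endpoint telemetry before a cutoff, hunts a later window for lineages the baseline never recorded, matches constructed network events against a constructed indicator set standing in for a STIX/OpenIOC feed already reduced to domains, and fuses the two by host and time. The hostnames, timestamps, process names, the field layout and the domain update.example-bad.test are all constructed for the example.

```python
"""Hunting over endpoint telemetry: process-lineage baseline plus threat-intel fusion.

Added example, not Carbon Black's product logic or any real EDR schema. The
process events, network events and indicator list are constructed; the field
layout (timestamp, host, parent, child / process, destination) is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed endpoint telemetry: (timestamp, host, parent image, child image).
PROCESS_EVENTS = [
    ("2017-05-01T09:00:00", "pc-01", "explorer.exe", "winword.exe"),
    ("2017-05-01T09:05:00", "pc-01", "explorer.exe", "chrome.exe"),
    ("2017-05-02T10:00:00", "pc-02", "explorer.exe", "winword.exe"),
    ("2017-05-02T10:15:00", "pc-02", "services.exe", "svchost.exe"),
    ("2017-05-03T11:00:00", "pc-01", "explorer.exe", "winword.exe"),
    # Hunt window: a document spawning a shell is a lineage the baseline never saw.
    ("2017-05-15T14:02:00", "pc-02", "winword.exe", "powershell.exe"),
    ("2017-05-15T14:03:00", "pc-02", "explorer.exe", "chrome.exe"),
]

# Constructed network telemetry (proxy/firewall): (timestamp, host, process, destination).
NETWORK_EVENTS = [
    ("2017-05-15T14:02:30", "pc-02", "powershell.exe", "update.example-bad.test"),
    ("2017-05-15T14:03:10", "pc-02", "chrome.exe", "www.example.com"),
]

# Constructed indicator set, standing in for a STIX/OpenIOC feed already reduced to domains.
INTEL_DOMAINS = {"update.example-bad.test"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_baseline(events, before: datetime) -> Counter:
    """Count (parent, child) pairs seen before the cutoff: this is what 'normal' looks like."""
    return Counter((p, c) for ts, _, p, c in events if parse_ts(ts) < before)


def hunt_new_lineage(events, baseline, since, until):
    """Retrospection: any pair in [since, until) that the baseline never recorded."""
    hits = []
    for ts, host, parent, child in events:
        if since <= parse_ts(ts) < until and (parent, child) not in baseline:
            hits.append({"ts": ts, "host": host, "reason": f"new lineage {parent} -> {child}"})
    return hits


def hunt_intel_matches(net_events, intel, since, until):
    """Network side: connections in the window to intel-listed destinations."""
    hits = []
    for ts, host, proc, dest in net_events:
        if since <= parse_ts(ts) < until and dest in intel:
            hits.append({"ts": ts, "host": host, "reason": f"{proc} contacted intel-listed {dest}"})
    return hits


def fuse(process_hits, net_hits, window=timedelta(minutes=5)):
    """Fusion: the same host with a lineage anomaly and an intel match close in time is a lead."""
    leads = []
    for ph in process_hits:
        for nh in net_hits:
            if ph["host"] == nh["host"] and abs(parse_ts(nh["ts"]) - parse_ts(ph["ts"])) <= window:
                leads.append((ph["host"], ph["reason"], nh["reason"]))
    return leads


def run_hunt(since: str, until: str):
    """Baseline everything before `since`, then hunt the window [since, until)."""
    start, end = parse_ts(since), parse_ts(until)
    baseline = build_baseline(PROCESS_EVENTS, start)
    p_hits = hunt_new_lineage(PROCESS_EVENTS, baseline, start, end)
    n_hits = hunt_intel_matches(NETWORK_EVENTS, INTEL_DOMAINS, start, end)
    return p_hits, n_hits, fuse(p_hits, n_hits)


if __name__ == "__main__":
    p, n, leads = run_hunt("2017-05-10T00:00:00", "2017-05-20T00:00:00")
    for lead in leads:
        print("LEAD", *lead)
```

Hunting the 10 to 20 May window turns the single winword.exe to powershell.exe lineage and the intel-listed connection on the same host into one lead. Running the same hunt over 2 to 4 May with only the 1 May events as baseline flags services.exe spawning svchost.exe, a perfectly ordinary Windows lineage: that is the baseline-honing point the article makes, since a thin baseline produces benign hits and hunters have to feed confirmed-normal findings back into it.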

Threat hunters need to know their environment inside and out: how does everything work, where are the gaps and weak spots, and where are the risks? They need to think like attackers, so they can better anticipate threats and stop attacks early. Finally, threat hunting is becoming part of information security table stakes: the essential tools and practices required of all organisations. Threat hunting will soon be part of the due care for information protection expected by customers, regulators and the legal system. To learn more about threat hunting, download the guide ‘Threat Hunting for Dummies’.


Can your SIEM do this?

Unparalleled visibility to see threats anywhere with RSA NetWitness® Suite

e-Book, free download: The 7 Building Blocks of Better Threat Visibility

DOWNLOAD HERE > www.rsa.com/en-us/resources/the-7-building-blocks-of-better-threat-visibility

Surviving in the new threat environment:

Incident response and threat management

By Mark Jones, Security Practice Lead, Dimension Data

This year we again saw an increase in the number of organisations that have a formal cyber incident management plan in place. However, our research shows that most organisations still don’t have a formal cybersecurity plan, and for those that do, the likelihood is that their plans are still relatively new, untested, or limited in scope. There may be a lot of work to do, especially with breach notification requirements, but we all understand that maturity doesn’t just appear overnight. It comes out of knowledge and experience gained over time, by trial and error, research and direction.

And therein lies the challenge: the ever-changing cyber threat landscape, the proverbial moving target. While malware delivered via phishing remains a primary causal factor in most cyber incidents, it’s well known that malware changes by the minute and can be as simple as a script or as complex as a Trojan, worm, bot, rootkit, crypto-malware, or something as yet unidentified. Often, we don’t have knowledge about the malware. Is it trying to exploit a known or unknown vulnerability, or a valid organisational process or application? You also need to remember that malware is just one of the many tools in your adversary’s ever-expanding arsenal. Ask what the threat actor’s motives are.

Numerous articles and opinions outline the rapid pace of evolution of malware, with nearly all of them telling the same cautionary tale: the increasing pace of innovation and development undertaken by threat actors means legacy protections are no longer sufficient. It’s for these reasons that cyber incident management has to be fluid and, more importantly, driven by a thorough understanding of the threat.

Knowledge

The statement "knowledge is power" has never been truer. If you know something before your adversary does, you have the advantage. Knowledge is the ability to understand information: you can then make effective decisions, identify an opportunity or a risk, and exploit or mitigate it. It is about knowing where to fire a proton torpedo at the Death Star and why, or conversely why you might want to put a grate over the exhaust port of your reactor that is small enough to stop a proton torpedo.

In theory, knowledge about cyber security has never been easier to obtain; we collect, store and consume data at an exponential rate, with an estimated 2.5 quintillion bytes of data generated globally per day (that's 18 zeroes). Making sense of all that data is a constant challenge, especially when analysing it for the benefit of security infrastructure that constantly needs to adapt to new threats. So the question is how to identify the information you need, locate it and decide who should use it. And how do you use that information to identify threats such as malware, or to paint the bigger picture: the attack chain, the actors and your level of exposure? With so much data to analyse and so many moving targets, effective threat management is essential, whether it is run by an internal team or by an expert service provider. Either way, knowledge of threats allows you to plan, and the earlier you become aware of an incident the more chance you have to limit its impact and remediate.

Know your business as much as you know your foe

This may seem obvious and common sense, but it is worth reiterating: while you should always endeavour to stay ahead of the threat and identify the tools and techniques that power the attacker's trade, you can equally use your knowledge to characterise the far less elusive legitimate user and their tools. This way you can differentiate between the "known good" and the "known bad". You will by nature have more knowledge of your organisation and its business practices than an external threat actor, and this gives you the advantage. A good level of this knowledge is a prerequisite for many things in an organisation, but in cyber incident management it allows you to narrow the gap between the known good and the known bad. In effect, the tools and knowledge used to drive incident management, such as determining a sequence of events or the relationship between an access and a change, are also useful for identifying the people, processes, products and information used in an organisation. If you're fortunate, your organisation already has a process, service and information asset relationship model; if not, and you're not sure where to start, there is still plenty you can achieve.

Here's a scenario: Employee A works from location B using computer C. Part of A's role is to retrieve information D from file E and place it into application F, creating information set G. At any point you know what should happen. Even if you don't have all the pieces of the puzzle, you know, for example, that G shouldn't be retrieved by employee A, or sent to company X. Knowledge like this helps you find the weak link in your security chain and fortify it. By way of more practical, albeit simple, examples, organisations could equally:

• Determine the relationships that internal groups have with each other and with external parties as part of their business processes, such as suppliers and customers drawn from financial systems or CRMs, and automatically set security configurations specific to those domains on the email gateway and web proxies;
• Reference travel booking and HR systems to validate whether, for example, access from Boston was expected;
• Dynamically alter access based on location (in-office, local, national, international) or other location-based parameters, such as a customer site;
• Identify the applications and services traditionally used by a department, and trigger an authorisation request to a manager when a failed access request comes from a user who is likely to be legitimate.

Once you have this knowledge and can analyse it, it is imperative that you begin to leverage orchestration and automation, making your networks and services more dynamic and, by extension, more secure. We're starting to see this thinking follow through into product features, such as those that analyse user, device and application behaviour. More importantly, many products now have open APIs, allowing you to use the output of one to drive automated actions on others. So knowledge is just one piece of the solution; the other is analysing what we know to manage future threats from cyber criminals.
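The scenario and the four examples above amount to a "known good" model that access events can be scored against. The script below is an added example, not code from the article, its author or Dimension Data. It correlates a constructed stream of login, application-access and external-transfer events against constructed HR, travel-booking and department records, flagging logins from unbooked locations or unregistered devices, use of an application outside a department's normal set (the case the text routes to a manager for authorisation) and data sent to a party that is not a known supplier or customer. Every name, host, domain and date in it is an assumption made for illustration.

```python
"""Correlate access events against 'known good' business context.

Added example for this article, not code from the author or Dimension Data.
Every record below (directory, travel bookings, department profiles, events)
is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR directory: home office, registered workstation, department.
EMPLOYEES = {
    "a.smith": {"home_office": "Perth", "device": "WS-C-0142", "department": "Finance"},
    "j.doe": {"home_office": "Sydney", "device": "WS-C-0877", "department": "Marketing"},
}

# Constructed travel bookings: (user, city, first day, last day). A login from a
# booked city inside the booked window is expected and must not be flagged.
TRAVEL = [("a.smith", "Boston", date(2017, 6, 12), date(2017, 6, 16))]

# Constructed department profiles: applications the department normally uses and
# external domains (suppliers, customers) taken from its finance/CRM records.
DEPARTMENTS = {
    "Finance": {"apps": {"ERP", "FileShare-E"}, "partners": {"acme-supplies.example"}},
    "Marketing": {"apps": {"CRM", "WebCMS"}, "partners": {"print-house.example"}},
}


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    action: str          # "login", "app_access" or "send_external"
    city: str = ""       # login events only
    device: str = ""     # login events only
    target: str = ""     # application name or external domain


def location_expected(user: str, city: str, day: date) -> bool:
    """True if the city is the user's home office or a booked destination that day."""
    if city == EMPLOYEES[user]["home_office"]:
        return True
    return any(u == user and c == city and start <= day <= end
               for u, c, start, end in TRAVEL)


def assess(event: Event) -> list[str]:
    """Return every way in which an event departs from the known-good model."""
    profile = EMPLOYEES.get(event.user)
    if profile is None:
        return ["account not in HR directory"]
    dept = DEPARTMENTS[profile["department"]]
    findings = []
    if event.action == "login":
        if event.device != profile["device"]:
            findings.append(f"login from unregistered device {event.device}")
        if not location_expected(event.user, event.city, event.day):
            findings.append(f"login from {event.city} with no matching travel booking")
    elif event.action == "app_access":
        if event.target not in dept["apps"]:
            # Likely a legitimate user in the wrong application: ask the manager.
            findings.append(f"{event.target} not used by {profile['department']}; "
                            "request manager authorisation")
    elif event.action == "send_external":
        if event.target not in dept["partners"]:
            findings.append(f"data sent to {event.target}, not a known partner")
    else:
        findings.append(f"unknown action {event.action}")
    return findings


def triage(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Keep only the events with at least one finding, in arrival order."""
    return [(e, f) for e in events if (f := assess(e))]


# Constructed event stream: two expected logins (the second matches the Boston
# booking), one unbooked Boston login, a login from someone else's workstation,
# a Marketing user in the ERP, and two external transfers.
EVENTS = [
    Event(date(2017, 6, 5), "a.smith", "login", city="Perth", device="WS-C-0142"),
    Event(date(2017, 6, 13), "a.smith", "login", city="Boston", device="WS-C-0142"),
    Event(date(2017, 7, 3), "a.smith", "login", city="Boston", device="WS-C-0142"),
    Event(date(2017, 7, 3), "j.doe", "login", city="Sydney", device="WS-C-0142"),
    Event(date(2017, 7, 3), "j.doe", "app_access", target="ERP"),
    Event(date(2017, 7, 4), "a.smith", "send_external", target="acme-supplies.example"),
    Event(date(2017, 7, 4), "a.smith", "send_external", target="competitor.example"),
]

if __name__ == "__main__":
    for event, findings in triage(EVENTS):
        print(event.day, event.user, event.action, "->", "; ".join(findings))
```

Run stand-alone it reports the four anomalous events and stays silent on the expected ones, including the Boston login that falls inside the booked travel window. In practice the three dictionaries would be fed from the HR, travel and CRM systems the text mentions, and each finding would drive the orchestration step (a step-up authentication, a proxy or gateway rule change, or a ticket to the manager) rather than a print.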
The security landscape is constantly evolving, and it is only by acquiring knowledge and acting upon it that we can begin to anticipate and manage cyber threats. The future of security will not be a stand-alone department within an organisation, nor a set of products or restrictive policies. Security is a critical priority for the business, from the mailroom to the boardroom, and eventually, through increased knowledge and understanding, it will be something that just happens.

About the author
Mark leads the Security Practice for Dimension Data in Western Australia, leveraging more than ten years' experience in senior security management roles within the resources, insurance, finance and telecommunications sectors. With a career spanning over two decades, he has worked in many regions of the world, experiencing the many nuances of compliance, culture, adoption of technology and security in those geographies. He also has an extensive technical background, including development of security applications, yet considers himself an analyst foremost. His career and focus on information security is a logical application of that, but more importantly is a subject he is genuinely passionate and enthusiastic about.


Don't make security awareness training a punishment

By Dan Lohrmann, Chief Strategic and Chief Security Officer, Security Mentor

Every technology leader wants a security-aware, cyber-savvy enterprise culture. But what does that mean, and how can we get there? There is an ongoing debate regarding security awareness training techniques, engagement and overall effectiveness. Let's explore.

Creating an enterprise-wide "culture of security" is almost always listed as a top priority by experienced security and technology leaders in the public and private sectors. Back in early 2007, when I was Michigan's chief information security officer (CISO), I remember being interviewed by Bill Jackson at Government Computer News (GCN) about a long list of security topics. Here is how that interview ends:

GCN: What's the biggest challenge left?
LOHRMANN: Continuing to work on the culture, to help people understand how important security is at an individual level. ... Helping people understand the impact of their actions, I think that's the biggest challenge.

Fast-forward more than a decade and I believe transforming the security culture remains our greatest challenge as we head toward 2020. But how can we get to this elusive "culture of security" while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?

Can "Just in Time" Training Help?

One answer that I am seeing and hearing more about is "just in time" training (or just-in-time learning). According to ShiftELearning.com, there are many practical examples and benefits of just-in-time learning:

"It is walking down to the desk of a more experienced co-worker to ask for a solution when you get stuck on a project. It is looking up Wikipedia when you come across a novel concept during your browsing sessions. It is calling up mom when you want advice on a recipe. Just-in-time learning is having access to knowledge just when you need it. It is not having to wait till the public library opens or you can catch hold of a subject matter expert. The concept has its origins in the world of manufacturing. In the manufacturing industry, efforts are made to lessen inventory costs and reduce wastage by perfectly synchronizing the manufacturing and distribution of products to the exact time when these are needed."

The article goes on to list many benefits of just-in-time learning, such as how it enhances worker productivity and speeds up the learning process.

Taking the "just in time" concept further, several companies are advocating the use of these techniques for enterprise security awareness training. The general concept I am seeing is to provide very basic compliance-focused training for most people, and to enforce much more specific training for the select few who are identified as needing it most because they violate some security policy and/or do something inappropriate, such as clicking on a simulated phishing link.

For example, Bay Dynamics promotes its just-in-time security training, which offers:
• Identification of non-malicious users and repeat violators based on behaviour;
• The ability to automatically sign up non-malicious users and repeat violators for brief policy-specific training such as PII handling, phishing, and more;
• Attestation of completion and post-training behaviour is tracked and can be reported on in Security Awareness dashboards.

In this article from Dark Reading in 2016, Tom Pendergast elaborates on this trend further:

"The first time Joe Employee saves a document to an unapproved cloud storage site (for example), he gets a system-generated pop-up that directs him to company policy on the use of cloud storage. Problem solved, 70% of the time — but not always. So the next time he does it, the system provides a two-minute video on the problems with unapproved cloud usage. More improvement. But, Joe is among the 5% who still don't get it, so when he does it again the system enrolls him in a required 15-minute training course on Acceptable Use policies. Can we 'tune' UBA systems to identify these kinds of triggers? I believe we can. Pair these risk triggers with a flexible deployment of just-in-time training and you've created 'lane assistance' warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don't."

Other companies are now offering related "education triggers" or "teachable moments" that are targeted at those who violate security policy or need the training the most because they do something wrong. These approaches claim to identify and focus training on, and where necessary get rid of, the bad apples, concentrating on those in the organization who (despite being non-malicious) pose the greatest risk. Several security leaders I have spoken to were (at least initially) attracted to this approach, since it cuts down on the employee time required for security awareness training for the masses. I have heard the argument: "If I can focus on a select few troublemakers and minimize the training for 98 percent of the employees, I can save time and money."

Who can argue with the concept of learning just what you need to know at exactly the right moment?

Not So Fast: Some Problems With Just-in-Time Security Training

But other industry leaders are not in favor of this "just in time" security training approach. They say the practice is like watering down the soup at your favorite restaurant. Yes, it may produce an immediate cost saving, but is it penny wise and pound foolish in the end? They insist: with technology and threats moving so fast, don't all staff need constantly refreshed, relevant, focused security awareness training?

This blog from Info Security Magazine offers another specific contrarian argument. Kai Roer, founder and CEO of CLTRe, writes, "Blaming people for not handling poor technology correctly is — in my opinion — simply wrong."

While there are certainly some benefits to fear-based (or carrot-and-stick-based) approaches that send you off to training if you fail, others ask where the carrot is for staff in this model. Most parents understand the need for a mix of rewards and punishments, but this is all about punishments. An article from Fast Company Magazine, while not specifically about training, points out five myths about changing behavior. Here are two:

1. Myth: Crisis is a powerful impetus for change. Reality: Ninety percent of patients who've had coronary bypasses don't sustain changes in the unhealthy lifestyles that worsen their severe heart disease and greatly threaten their lives.
2. Myth: Change is motivated by fear. Reality: It's too easy for people to go into denial about the bad things that might happen to them. Compelling, positive visions of the future are a much stronger inspiration for change.

Other training experts I have spoken with say that fear can certainly help, if done in appropriate balance with rewards. They have seen the classic "carrot and stick" approach work well in security training.

One well-known CISO I spoke with (who wants to remain anonymous for this piece) is fine with just-in-time security training as a supplement. However, he has also seen examples of it being overused to penalize staff. This expert said, "They even lock staff out of some corporate networks until they complete training. They can't do their jobs. The security team is viewed as the Network Nazis who shut down system access. Not good."

My View on Just-in-Time Security Training

Back in 2014, I wrote this article on how to change the security culture in government. Of course, training is only one piece. The most important thing senior leaders must do is lead from the front. Second, all leaders must constantly communicate the vision for excellence, the process for getting there and the sense of urgency required of all. I also pointed to this fascinating research on what motivates us at work beyond carrots and sticks. If you haven't seen it before, I urge you to watch the video: https://youtu.be/u6XAPnuFjJc

Spoiler alert: for those who don't want to watch the YouTube video, the main point is that research shows what best motivates us is a sense of purpose in our work, self-direction and mastery of a subject. In other terms, we need to offer compelling content that is intriguing and teaches people what they don't already know about security in sticky ways, to change behaviours and motivate people. Content is still king, and I also believe that brief, frequent and focused content works best, with gamification or game-based learning. I have even suggested to CSO Magazine that we need to make security awareness training more about culture change, with a potential name change.

And while I do think that "just in time" security training may be able to help select organizations in a very limited context (as a supplemental approach), I have a more fundamental concern with this trend if it is front and centre. I worry that organizations that deploy this approach are making security training a penalty. In the extreme, security organizations can even send the message: "Only the 'bad' people (the policy violators, those who click on test phish or others who do something wrong) need go to security awareness training." The implied carrot becomes not having to take the security training. Over months and years, a culture could develop where security awareness training is a punishment for the select few, like being sent to detention at school or writing phrases on the chalkboard multiple times.
The message to staff: you don't want to be one of "those people" who need security awareness training. With memories of ridicule in elementary school, most staff adopt the goal of "not screwing up, or not getting caught". Beyond views of the awareness training, the security team's reputation can suffer. In this type of enterprise culture, the security team members are the bad guys, or "Dr. No", who might pull you over or get you fired. My blog followers are familiar with the seven reasons security pros fail, and what you can do about it. Bottom line: you DON'T WANT TO GO THERE!

I was one of the first security pros to say: be a security enabler, not a disabler. In a healthy security culture, all front-line staff are proactively well trained on information and physical security; they know what to do (and not do), where to report incidents, when to ask for help, whom to contact and how to work together effectively. Staff have a good relationship with the security team because the cyber pros are helpful. There is no "us vs. them" problem. The meaningful, customized security content is constantly updated in positive ways to fit the culture. Understanding risk (by all) in various scenarios is an important component of this overall security relationship. Security awareness training is a positive bridge to start meaningful conversations to enhance business projects, integrate streamlined processes and apply appropriate technology.

When pressed, one well-known security luminary friend of mine asked: "How can tech-savvy companies encourage employee mistakes to become more innovative, offer training on failing fast, and still use this approach of forcing security training mainly on those who screw up?" He went even further and commented: "The unspoken message to staff will be to hide mistakes and not report them."

Final Thoughts

I recognise that some in the security industry will disagree with me on this piece. But I hope we can agree on this: we need to be passionately building (or rebuilding) enterprise cultures that put security at the top of the priority list. We need innovative companies and government organizations that have healthy cybersecurity practices. The security teams must be enablers of positive change. I often hear staff say, "Teach me things I don't already know." No doubt fear must occasionally be part of the training menu, but it must be an appetizer and not the main course. Yes, there are bad apples in organizations that need to be disciplined or removed, but spend more time with the good apples. Just as model parents and teachers train their children by demonstrating, encouraging, motivating and challenging them in fun, positive ways, far more than by disciplining them, we must do the same to build healthy security cultures that endure. We want the staff to say "thank you!" They will, if we offer helpful security lessons that are intriguing, thoughtful and memorable. And please don't make end-user security awareness training mainly a punishment for doing something wrong.

About the Author
Dan Lohrmann is the Chief Strategic and Chief Security Officer for Security Mentor, Inc. He is a Certified C|CISO and accomplished author and public speaker, and provides strategic advice and management coaching on cybersecurity and technology infrastructure solutions. Dan is a regular contributor to Government Technology Magazine and CSO Magazine, and now ACSM is happy to have him too.


RANSOMWARE GOES INTO STEALTH MODE: 5 THINGS YOU CAN DO TO PROTECT YOURSELF

Ransomware is a very destructive variant of malware that makes critical systems and sensitive information inaccessible until a ransom is paid. The ransom is typically demanded in bitcoin, with a 72-hour window to pay before the key is deleted and the data is irreversibly lost. The impact on an organization includes temporary loss of systems and of access to sensitive information, downtime of operations, financial loss and incalculable reputational damage.

The most recent variants of ransomware have gone into stealth mode. They are fileless: the payload is kept in memory or in the kernel rather than written to disk, so it moves under the radar of traditional anti-malware software that scans the hard drive for malicious files. The destructive nature of ransomware and the impact it has had on individuals and organizations globally has prompted the Department of Homeland Security, US-CERT and the FBI to release alerts encouraging organizations to take this threat seriously before it's too late.

1. EDUCATE EMPLOYEES ABOUT YOUR IT SECURITY POLICY AND THEIR RESPONSIBILITY TO ADHERE TO IT

One in five employees will open an email containing malware. Educating employees on how to identify phishing emails that carry malware is estimated to reduce that risk to the organization by 50%. It is important to continuously measure the effectiveness of your cyber hygiene program.

2. BACK UP CRITICAL AND SENSITIVE DATA ONLINE AND OFFLINE

For organizations with a solid online and offline backup plan in place, critical and sensitive data can be restored quickly to get the organization operational again. Offline backups are vital because some ransomware spreads rapidly across the network and renders the online backup system unavailable as well. A good backup plan can vastly reduce the impact ransomware has on your organization.

3. IMPLEMENT LEAST PRIVILEGE AND APPLICATION WHITELISTING

Combining application control with least privilege reduces the possibility of an employee's machine being infected by ransomware. This is one of the most effective ways an organization can reduce the risk from ransomware and other malicious software: only trusted sources are allowed to run and the unknown is blocked. Application whitelisting also lets an organization analyze software or an executable before granting the application the privileges it needs to perform its task.

4. PRIORITIZE PASSWORD AND PRIVILEGED ACCOUNT MANAGEMENT

Companies must continuously discover, audit, manage and secure the accounts and applications that require privileged access, remove administrator rights where they are not required, and adopt multi-factor authentication to prevent user accounts from being compromised.

5. KEEP SYSTEMS PATCHED AND UP-TO-DATE

Attacks routinely use known vulnerabilities to expose a system's weaknesses. Keeping your systems' security updates current significantly reduces the risk of malicious software exploiting those vulnerabilities. The more you know about ransomware, the more likely you are to want to protect your critical data immediately. Stay up-to-date with essential cyber security information by following The Lockdown.


Cyber Safety: The Tweeting Galah

Hi Kim, can you give readers an overview of what it is you do?

Right now, I'm doing a few different things. I work as a part-time classroom teacher and digital learning coordinator at a primary school in Esperance, Western Australia. I'm also building my own business, which provides digital technologies training to parents, schools and business owners. These training sessions range from social media marketing to web design to cyber safety. Recently, I've launched two new projects: a podcast, "Learn Digital with Kim Maslin", designed to help teachers better integrate ICT into the classroom, and an illustrated children's book, The Tweeting Galah, which is all about cyber safety.

How did you arrive at this point in your career?

I've always had a passion for technology and education. I pursued these interests at university, and have done a few different jobs all within these fields. From this, I developed the experience to establish my own business, but it was squeezed in around full-time teaching. It was actually my recent move to Esperance that allowed me to drop back to part-time teaching, giving me more time to focus on the other projects and areas of interest.

Can you talk readers through your book and how it came about?

"The Tweeting Galah" is a collection of four short stories about growing up in the digital age. Australian animals – led by a very cheeky galah, Gabbo! – are the main characters, and each of them experiences a different cyber safety issue: posting inappropriate content online, cyberbullies, online predators and the effects of too much screen time. I wanted the book to be entertaining as well as educational, so apart from these quirky characters – and the incredible illustrations that John Field drew – I also included reflection questions and Zappar augmented reality components. This means families can scan pictures in the book with their smart device, using the free Zappar app, and cool stuff happens on their device screen! I had actually been working on this project on and off for about two years. The idea came to me after a brainstorm session where I was trying to find more effective ways of reaching parents and tweens to educate them about online safety. This was because I was finding that children were using more technology from a younger age, and parents were struggling to keep up. I thought a children's book could be an innovative way of reaching both the parent and child at the same time.

Obviously, there are some big issues with social media these days with teenagers. Do you have any plans to extend your book portfolio to deal with teen cyber issues?

Now there's an idea! At the moment though, my focus is on tweens – that is, 8 to 12 year olds. Although there are many serious cyber issues affecting teens, I believe that the tween years are where life-long digital habits – both good and bad – are formed. So, I'm keen to focus on this age group a little longer with my writing; however, I certainly address teen issues in my workshops and presentations.

Are you undertaking any collaboration with schools and if so, are you looking for volunteers and partners to work with?

Definitely. Although the book works great with parents and their child, I also believe it is a timely learning resource for teachers. Along with the reflection questions and learning activities, when schools purchase class sets they also receive lesson plans and teacher resource sheets. The book has been well received by a number of schools and organisations already, and I would love to collaborate with any other interested parties – whether that's to discuss them utilising the book, or to run a cyber safety workshop, or even just to have a chat about what else we could do to keep kids safe and happy online.

What advice would you offer parents and teachers with regard to kids and technology? It's clearly not feasible these days to fully monitor everything, so is education the key?

Perhaps it's the teacher in me, but that has always been my motto: education is key! There are certainly some great technologies that help with filtering and monitoring – I use a few myself in the classroom! – but at the end of the day, we can't monitor children 100% of the time online, just like we can't in the real world. The best thing we can do is equip children with the skills to handle difficult or confronting digital situations, so they can make safe choices.

About the Author
Kim Maslin is a digital technologies educator and book author. She is a part-time teacher at Our Lady Star of the Sea Catholic Primary School, teaching ICT to year 4/5 classes. In May 2017, she self-published an illustrated children's book called The Tweeting Galah, which was pitched in the style of Aesop's Fables for the purposes of cyber safety. It contains four short stories covering issues such as posting inappropriate content, cyberbullying, online predators and too much screen time. Reflection questions follow each of the stories to facilitate discussion. Learn more about The Tweeting Galah here: https://www.slideshare.net/slideshow/embed_code/key/4QiRDEKpzJznJT

Australian Cyber Security Magazine | 43


An interview with Dhiba Daniel

D

hiba Daniel is the Divisional Manager, Risk – Public Sector JLT Australia. She works as a cyber security risk profiling specialist and thought leader and has 20 years’ experience in risk management, risk culture, governance, business continuity, workplace health and safety, systems auditing, anti-money laundering and regulatory compliance. Dhiba also has several years of direct experience working with Boards and Executive management in areas such as strategic risk profiling and risk culture. This interview looks at Dhiba’s career and examines some of the issues Australian business are facing in relation to cyber insurance. ACSM: Hi Dhiba, let’s start by telling our readers a little about yourself. When I started in risk management, as a Research Officer to the Risk Management department, it was exciting to have a mobile phone, with a handset in the car and email was just being introduced into the workplace. Now, as Jardine Lloyd Thompson’s (JLT’s) Divisional Manager – Risk (VIC & TAS) as part of JLT’s national (Risk) Consulting practice, I marvel, as the ever-changing technology environment brings many new challenges and opportunities, one of them being cyber risk management. With 20 years' experience in risk management, what was it about cyber security that attracted you into this relatively emergent field? With the increasing interconnectivity and Internet of Things, as Risk Managers we need to practice what we preach and delve into emerging risks. What attracted me to the Cyber field is that it is an emerging risk. We know it will have significant impacts, however, what those impacts will be and how they will shape our lives in the future, is uncertain. I am keen to explore the opportunities and help others, such as our clients and our own organisation, to capitalise on those opportunities, whilst being aware of and managing the risks along the way. 
In what is predominantly a male dominated industry, what do you think can be done to attract more diversity into the future workforce? To attract more diversity into the future workforce I believe the following will assist:

44 | Australian Cyber Security Magazine

• •

Providing flexibility for everyone through flexible and practical work arrangements, which is significantly assisted by technology; Offering intelligent and interesting work; Creating a supportive and collaborative environment.

I believe this will enable us to take on the challenges together, which we will experience in this developing technology age, and enjoy the rewards that it will also bring. I must say I am looking forward to driverless cars as I’ll be able to catch up on some sleep every now and again.

In your opinion, what are the biggest challenges enterprises have when evaluating cyber insurance cover?

The biggest challenge, in my view, that enterprises have is their understanding of emerging cyber risk exposures and the role of insurance. Some enterprises now have the view that:
• A cyber-attack won’t happen to us, as we don’t have anything of value that others may want;
• If we don’t hold credit card information or trade online we really have no exposure;
• Cyber is an IT issue for the IT department to manage;
• We have a high level of protection with secure IT networks, which are regularly tested and built to ‘best practice’ standards, thus we don’t need cyber insurance.

There is also a poor level of understanding of what can be covered under a cyber insurance policy, and many clients still believe coverage only responds to breach of privacy and third party claims. Many don’t realise that consequential business interruption loss can be covered, or that policy triggers now extend beyond a malicious hack, to include human error and system failure. Perhaps the greatest benefit of a cyber insurance policy is the incident response service that most policies will provide, and many clients also don’t turn their minds to the practical elements and costs involved in dealing with the immediate effects of a cyber incident. Because of the above view, the broader business often does not wish to be involved in engaging in the cyber risk conversation with their insurance broker and the Risk Advisory team. Thus, it is left to the IT department to quantify the business interruption loss or other reputational or business impacts. This offers a one-dimensional view of the cyber risk exposure, which is unhelpful from a business perspective, and possibly financially detrimental from a cyber insurance coverage and placement perspective. Quantifying the loss following a cyber-attack is also challenging, as organisations, understandably so, are uncertain of what the losses may be and what risks can be transferred to insurance via a cyber insurance policy.

Is a relationship developing in Australia between security service providers and cyber insurance companies, to provide services together with clients?

Yes, most insurers who are offering cyber insurance are also offering clients access to a panel of pre-approved IT forensic service providers, public relations consultants and legal experts to assist the client with managing the immediate fallout of a cyber incident and mitigate any resulting business interruption loss. In fact, this is one of the greatest benefits to clients of purchasing cyber insurance. Some more forward thinking insurers are also working with those providers to offer pre-incident IT systems assessments to clients, to help them strengthen their information security controls and protect themselves against an attack, and to develop a formal incident response plan, to assist the client in the event of an intrusion. This will normally come at an additional cost, which can be subsidised through the premium, if the client eventually elects to purchase cover. As we begin to increase our knowledge regarding the types of attacks and losses from recent cyber-attacks such as the NotPetya ransomware attack and Wannacry virus attack, I would foresee that the relationship between security services (as well as other services such as risk profiling and training), and cyber insurance companies will continue to develop. This will enable clients to have cyber risk management solutions at the ready, to manage their cyber risk exposures in both a proactive and reactive capacity.
How do cyber insurance covers scale up from the very small to the very large, given the threat remains the same, but the likelihood of small businesses having enterprise controls is much less?

Whilst small businesses may have fewer controls or resources to deal with cyber risk exposures, there are still several insurance options to meet the needs of small and medium sized business. The method for insurers with a focus on SME risk has firstly been to focus on volume of policies to create a premium pool from which to draw on to pay claims. At present, cyber insurance can be obtained for a small business at quite a competitive premium rate, either in the form of a stand-alone policy, or through cyber-related extensions to existing policies, such as professional indemnity or management liability. With regards to policy coverage, insurers will tend to scale down the cyber insurance coverage offered, where a business of any size is found to have insufficient enterprise controls. Insurers may seek to exclude coverage arising from claims where they consider the risk unacceptably high. For example, an insurer may specifically exclude cover for losses in connection with a failure to encrypt any data or portable media devices, business secrets and professional information. They may seek to exclude cover where there is a failure to install or implement a firewall or intrusion prevention system, although this kind of requirement for system maintenance is becoming less acceptable to clients and brokers in what is rapidly becoming a very competitive market. In offering cyber insurance terms, insurers will also account for the level of excess a business is willing to self-insure, as well as charging appropriate premiums to reflect their perception of the risk.

What would be the top three security recommendations you would have for CEOs?

My top three cyber related recommendations I would have for CEOs are:

1) Acknowledge that cyber is a business risk, not just an IT risk/issue, and begin the conversation. Cyber is a new and growing area, and for many organisations it’s far too easy to take a “head in the sand” approach, and offload the responsibility for managing the risk to their IT department. It is best to deal with it by increasing your knowledge and understanding, rather than putting it off, or indeed by thinking that cyber insurance will solve all your cyber issues. When having the conversation regarding what your organisation’s cyber risk exposures may be, involve the broader business, not just the Chief Information Officer or IT department.

2) Provide cyber awareness training for your staff. This is an effective first step to increase staff awareness and knowledge regarding the threats they face, such as phishing emails, social engineering and what strategies they can take to minimise the impact on your organisation when a cyber-attack occurs.

3) Engage cyber specialists to help your organisation where needed. At JLT, we assist clients with Fraud and Cyber Awareness Training, Cyber Insurable Risk Profiling and Cyber Vulnerability and Risk Profiling assessments. These services help to identify what critical data you have and want to protect and where your key exposures are, as well as providing a mechanism to quantify any losses through forensic evaluation. Working with your insurance broker who understands your business and their risk consulting team is a good place to start, as our industry is at the forefront of managing this new and interesting emerging risk.

Australian Cyber Security Magazine | 45


Cyber Security

Liberty, equality, fraternity and cyber security

By Guillaume Noé, Cyber Security Advisor, General Manager for Pirean, Australia & New Zealand

Emmanuel Macron is the new French president. He led an astute political campaign, building and leading a movement called “En Marche!” (Forward!) all the way to political success. Macron is young; he embraces social media; his team was cyber-savvy, which served him well, with his campaign making the headlines on cyber security matters. First, Macron took a strong position on counterterrorism with regard to the responsibilities of technology providers and ISPs that do not collaborate in circumventing encryption, especially in messaging services. He vowed to launch a major legal initiative to hold such service providers accountable as accomplices of terrorist attacks. Since the election, Macron and Theresa May (prime minister of the United Kingdom) have announced a joint initiative to crack down on terrorism, including “how to tackle encrypted communications between extremists”. Macron was even reported to have successfully fought hackers during his campaign. What did his team do to thwart the hackers? Let’s look.

Interfering with Democratic Elections

Democracy, the “rule of the majority”, is the cornerstone of many societies, such as Australia, the UK, the US and France. Free, fair and lawful election processes are critical to preserving a representational democratic system and the values that such a system fosters. In France, democratic values are best referred to through the well-known republican motto of “Liberty, Equality & Fraternity”. The definition of Equality in the French Declaration of the Rights of Man and of the Citizen of 1789 included “…All citizens, being equal in its eyes, shall be equally eligible to all high offices, public positions and employments, according to their ability, and without other distinction than that of their virtues and talents.” French citizens certainly value their right to elect their government representatives, such as their president, on the above principle of Equality. Interference with election processes, whether from internal or foreign sources, is a risk to the principle of Equality, a risk to democracy and the values that citizens passionately defend in France and in many other countries.

Is Foreign Interference a New Risk?

Foreign countries interfering in democratic elections or the political process of their enemies is certainly not a new phenomenon. In fact, interference has been an issue for hundreds of years, way before the current cyber-era. For example, back in 1796 France reportedly influenced the outcome of a presidential election in the US. From 1946 to 2000, the US government is suspected of interfering with presidential elections in several countries, with as many as 81 individual interventions recorded by political scientist Dov Levin of Carnegie Mellon University.

Has Risk Management Changed?

If the risks relating to political interference have existed for such a long time, then you would assume that there have always been measures for managing these risks. However, managing risk today requires a different strategy, because cyber-attack means the threat sources are entirely different and incredibly difficult to detect and mitigate. The risks can manifest in a range of ways, including:
• Tampering with computerised transactions supporting the elections process (e.g. ballot counting and reporting);
• Impacting the operations of election campaigns, which heavily rely on data sharing and communication functions; and
• Impacting the credibility of candidates through the publication of sensitive information, whether accurate or not.

Managing the risk relating to interference requires addressing these cyber security issues. It takes expertise, effort, time, resources and planning to do so efficiently.

Macron’s Cyber Security Campaign

Early in the French presidential election campaign, Macron was reported to be a target of foreign interference because of his stance on international matters. It was also reported that other French presidential candidates, such as Le Pen or Fillon, would have been preferred by an influential foreign country. Attempts at interference, supported by cyber-attacks, were thus expected and a specific risk was identified. “We [Macron’s campaign team] have been hammered every day since December [by hackers]” (Mounir Mahjoubi, Emmanuel Macron’s campaign digital lead). Macron’s team dealt with frequent, targeted and well-crafted spear phishing attacks, according to reports. Trend Micro reported that it had discovered fake web domains associated with the Macron campaign on infrastructure they believed was used by a group named “Pawn Storm”, with the caveat that “this [attribution claim] is not a 100% confirmation, but it’s very, very, likely”. They made this discovery by monitoring the creation of rogue, lookalike websites, which hackers often use to trick victims into revealing their online passwords. Trend Micro’s report provides an example of such a phishing domain, “onedrive-en-marche.fr”, which includes a subtle variation from the real domain: the dots in the real address were replaced by hyphens. “If you speed read the URL, you can’t make the distinction,” said Mahjoubi. And when the fake sign-in page came up, it was “pixel perfect”. The intent of the spear phishing campaign was to trick Macron’s team into providing their credentials, which would be used to access team communications and documents. During the campaign, claims were made that “It’s serious, but nothing was compromised” (Mahjoubi, April 24), but Macron’s campaign was eventually hit with a leak on the eve of election day. It was referred to as MacronLeaks. On Friday 5th May, a trove of files was publicly dumped on the anonymous document sharing site, Pastebin, under the title "EMLEAKS".
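The dot-for-hyphen lookalike domain described above lends itself to a simple defensive check that a campaign or corporate security team can run over newly registered domains or proxy logs. The following Python is an added example, not code from the article, from Trend Micro or from the Macron campaign. It assumes a hypothetical allow-list of legitimate hostnames; the entry "onedrive.en-marche.fr" is inferred from the article's description that hyphens replaced the dots of the real address (an assumption), and every other hostname in the sample is constructed except the phishing domain quoted in the text.

```python
"""Flag hostnames that imitate a known-good domain by swapping dots for
hyphens (the lookalike pattern reported during the Macron campaign), or by
reusing the brand's labels as a subdomain prefix of an unrelated domain.

Added example; not code from the article. LEGIT_HOSTS and the sample
hostnames are constructed, except the phishing domain quoted in the text.
"""
from urllib.parse import urlparse

# Hypothetical allow-list of legitimate hostnames. The first entry is an
# assumption inferred from the article (hyphens replaced the real dots).
LEGIT_HOSTS = {"onedrive.en-marche.fr", "en-marche.fr"}


def host_of(url_or_host: str) -> str:
    """Extract a lower-cased hostname from either a URL or a bare hostname."""
    text = url_or_host.strip()
    parsed = urlparse(text if "://" in text else "//" + text)
    return (parsed.hostname or "").rstrip(".")


def canonical(host: str) -> str:
    """Map every label separator (dot or hyphen) to a dot, so that
    'onedrive-en-marche.fr' and 'onedrive.en-marche.fr' compare equal."""
    return host.lower().replace("-", ".")


def classify(candidate: str, legit_hosts=LEGIT_HOSTS) -> str:
    """Return 'legit', 'unknown', or a description of which legitimate host
    the candidate appears to imitate and how."""
    host = host_of(candidate)
    if host in legit_hosts:
        return "legit"
    canon = canonical(host)
    # Longest legitimate host first, so the most specific match wins.
    for good in sorted(legit_hosts, key=len, reverse=True):
        if host.endswith("." + good):
            return "legit"  # a real subdomain of an allow-listed zone
        good_canon = canonical(good)
        if canon == good_canon:
            return f"lookalike of {good} (dot/hyphen swap)"
        if canon.startswith(good_canon + "."):
            return f"lookalike of {good} (brand used as subdomain prefix)"
    return "unknown"


def triage(candidates, legit_hosts=LEGIT_HOSTS):
    """Classify a batch of observed hostnames and return only the suspicious
    ones as (hostname, verdict) pairs."""
    suspicious = []
    for candidate in candidates:
        verdict = classify(candidate, legit_hosts)
        if verdict not in ("legit", "unknown"):
            suspicious.append((host_of(candidate), verdict))
    return suspicious


if __name__ == "__main__":
    # Constructed sample of observed hostnames; only the first one is the
    # domain named in the article.
    SAMPLE = [
        "https://onedrive-en-marche.fr/login",
        "onedrive.en-marche.fr",
        "www.en-marche.fr",
        "ONEDRIVE-EN-MARCHE.FR.attacker.example",
        "mail.example.org",
    ]
    for host, verdict in triage(SAMPLE):
        print(f"{host:45} {verdict}")
```

The check is deliberately narrow: it catches separator substitution and brand-as-prefix registrations, which are cheap to detect exactly, and leaves anything else as "unknown" for a fuzzier comparison to handle. Hosts that genuinely belong to the organisation should be kept on the allow-list so that legitimate subdomains are not raised as alerts.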
Macron’s team confirmed the hack, stating it had been the “victim of a massive and co-ordinated hack … which has given rise to the diffusion on social media of various internal information”. However, the leak came too late to impact the elections. At the time of the leak, it was also unclear whether the content of the leaked documents would have warranted any tangible impact on the election process. In addition, France’s presidential electoral authority had quickly stepped in and asked the media “to avoid transmitting information from the leaked documents”, reminded them of their responsibilities given the “seriousness of the election”, and called for a “spirit of responsibility”. The call was respected. The French media abstained from publishing the documents and commenting on them so close to election day. The French mainstream newspaper Le Monde said it had seen part of the documents and that the hacking attack was “clearly aimed at disturbing the current electoral process”, and it decided not to publish the content of the documents. In the end, there was no impact on the election process, no surprise in the election result and, importantly, there is no on-going political drama related to any alleged foreign interference, unlike the situation in the USA.

How did Macron’s Team Manage Risk?

“We knew we were going to be attacked and targeted.” (Mahjoubi)

Macron’s team did not fully mitigate the risk. They were still the victim of an attack. However, they made it more difficult for the hackers and they significantly reduced the impact. They focused on the best possible defence: “reducing the risk if anyone managed to break into the system.” The key takeaways from the measures applied by Macron’s team include:

1. Identifying a risk early on, understanding it and planning accordingly to best manage it. According to Mahjoubi, the risk was “to unfocus us”;
2. Taking lessons learnt from the USA presidential elections and the alleged DNC server hack that would have impacted Hillary Clinton’s campaign. “The only way to be ready is to train the people. Because what happened during the Hillary Clinton campaign is that one man, the most powerful, [campaign chairman] John Podesta, logged on to his [fake] page.” (Mahjoubi);
3. Applying a clear focus on staff security awareness with weekly communications. “Every week we send to the team screen captures of all the phishing addresses we have found during the week.” (Mahjoubi);
4. Managing sensitive communications between campaign staff through a mix of different channels and applications (not only emails). As such, the compromise of one channel would not compromise all communications;
5. Implementing a soft “counteroffensive” decoy strategy to “flood” hackers with misleading information and keep them busy sorting things out. “You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.” (Mahjoubi).

Macron’s team’s handling of the risk was praised in the media. Mounir Mahjoubi, Emmanuel Macron’s campaign digital lead, was hailed as the 'geek' who saved Macron's campaign. It was a great example, showing that cyber security risks can be managed.

Attribution

Some media channels were quick to point the finger at one specific country, which tends to be the same for all such activities. I have been sceptical of recent attribution claims, in both this French case and in various others, because some past claims have not been fully conclusive, relying on varying degrees of circumstantial evidence referred to as a “constellation of evidence”, not underpinned by definitive proof.


In the case of the MacronLeaks, I took great interest in the position of Guillaume Poupard, the director general of the French cyber defence agency known as ANSSI. His agents were called in to deal with the aftermath of MacronLeaks. In a recent interview with the Associated Press, which referred to the USA warning to France about "Russian activity" before Macron's win, Poupard stated that "The attack was so generic and simple that it could have been practically anyone." and "To say 'Macron Leaks' was APT28 [or Russia], I'm absolutely incapable today of doing that, I have absolutely no element to say whether it is true or false." The most interesting part of his commentary referred to the warning France had received from the USA: "'We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen.' (Rogers, NSA Director)". Poupard said Rogers' comments left him perplexed: "Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn't really know how to reply either… Perhaps he went further than what he really wanted to say." You may then, like me, take attribution claims with a pinch of salt going forward. After all, the most important thing is simply to manage the cyber risk as well as we can, and that includes dealing with the vulnerabilities that are available for anybody to exploit, wherever the hackers may come from.

Forward with Democracy and Cyber Security

Congratulations to Macron and his cyber-savvy campaign team for their political success and their success in dealing with a cyber threat. This is a good story of cyber security risk management and we need more stories like this one. It may require some focus, planning and resources, but cyber risks can be managed.
Democracy and the values many of us passionately defend are certainly at risk. The risk has always existed and it now requires some cyber risk management considerations. We are adapting to it. It is not easy. Some countries have also curbed or rolled back their technology initiatives for managing election processes more efficiently (e.g. internet voting), over cyber security fears. For example, the Netherlands has decided to revert to manual ballot counting and election result processing, instead of continuing to use software for it, over security fears. France has also recently dropped its internet voting solution for citizens living abroad, which I contributed to trialling. The rollback saddened me, because I like it when technology is delivered to enable improvements. Internet voting could help in reducing abstention rates by delivering a more convenient voting option. It could help in improving democracy. However, I certainly appreciate the security risks at the same time. Going forward, we ought to further enjoy Liberty, Equality, Fraternity with better Cyber Security.


Collaboration Perth: Perth Conference, 17 November 2017, Crown Perth


Cyber Security

Trust - The New Face of Cyber Security

By Manish Bahl, Senior Director, Center for the Future of Work, Cognizant

Let’s face it — as consumers, we don’t really think too hard about data security until something goes wrong. Despite the security risks, we happily go on sharing data online, downloading apps, uploading images, following free sites, and storing valuable documents in the cloud; this is because we prefer to focus on the benefits of such actions rather than the dangers involved. There is a widespread assumption that firms will leverage our personal data to provide highly tailored experiences that make us feel special. In fact, data is one of the intangible assets that account for as much as 84% of the market value of the organizations listed on the S&P 500 index. However, this era of extreme personalization has a dark side, in that we are more vulnerable than ever to online fraud or theft and data breaches. The recent ransomware attack, WannaCry, demonstrated that cyber security threats have already surpassed organizations’ capacity. The shocking reality is that 49% of businesses fell victim to cyber-based ransom attacks in 2016, and the costs of redressing cybercrime damage are set to hit a jaw-dropping $6 trillion per annum by 2021. In today’s ever more connected world, our data footprint is getting larger and larger; everything from wearables to home appliances, smartphones, and cars can now be synced. While this is a fantastic development, it means that a single security breach on one device can infect an entire network, as multiple devices are often interconnected on a home or business network. We have already seen reports of cyber-attacks launched through connected refrigerators and malicious e-mails sent via other household appliances. Even connected toys are not safe; a Chinese toy manufacturer recently admitted that the security of 6.4 million kids had been compromised by a massive data breach. As the IoT becomes ever more defined, it will be increasingly critical to win consumers’ trust; however, such a process will also become harder. This is illustrated by the fact that in a recent survey, 57% of Asia Pacific-based consumers said they would completely turn their back on a company if they were to suffer any breach of their data. Even worse, one-third of all consumers (or their family or friends) have reported that their personal data (credit card, bank details, health information, and so on) had been stolen or compromised in the last two years. A UK-centered telecom operator revealed that 157,000 of its customers’ personal details were targeted. Since October 2015, the firm’s share price has fallen by 27%, while it has seen a 4.4% drop in its market share of new customers in its home services segment. The impact of broken trust can be highly insidious; Forbes Insights noted that 46% of the organizations it surveyed had lost face in the eyes of the public, and had their brand value tarnished, due to a data breach. While it takes many years to gain customer trust and establish brand loyalty, it can all be obliterated in just one day, especially in the age of viral social media sharing. The depressing truth is that no single industry enjoys a high level of trust. Only 43% of consumers surveyed have utmost faith in companies and almost 40% are planning to switch to a rival firm or a digital startup as a result of trust issues. The question is how can businesses turn this situation around and make trust their greatest asset? Below are three key ways in which companies can win in the digital economy.

Add Big Data and Artificial Intelligence as the New Tools of Trust

When it comes to security, too many organizations seem to adopt a reactive, rather than proactive, approach. According to our latest research, Asia-Pacific leaders trail behind their global competitors in prioritizing cyber security. Just how much is at risk in this situation? It is estimated that cyber-attacks will cost businesses as much as US$400 billion per annum through 2021. To put things in perspective, that’s more than the GDP of roughly 160 of the 196 countries in the world. Compounding the problem is the fact that our current computational infrastructure is inadequate. As more and more parts of our lives are conducted online, security threats will only become heightened. What we need is a software infrastructure that can be mathematically proven to give a greater level of security and bring the ability to identify suspicious patterns before they can do any damage (it must be remembered that there is no such thing as 100% security). AI and big data will complement each other and become the new face of consumer trust for organizations. In the same way that smartphones have become an extension of our persona, intelligent machines will grow from this new ethos of cyber security.

Cyber Security Must Become a Boardroom Topic

With so much at stake, companies can’t afford to take their foot off the pedal in matters of security. It is essential that cyber security becomes a top agenda point for boardroom discussions, so that concrete decisions can be made. Trust itself must become a boardroom issue, as it has a direct correlation with bottom-line benefits. It needs to be addressed throughout the hierarchy of the organization and every employee should feel empowered to build trust when interacting with customers. Only by making consumer trust a measurable business KPI can it become a viable asset that adds value to a firm.

Be Quick to Respond to Failures

It doesn’t matter if a company has a world-beating technology infrastructure; history shows us that it cannot definitively promise its customers that nothing bad will happen to their digital information. To win, organizations need to recognize, understand, and proactively manage potential issues as they are spotted. For instance, after a recent cyber-attack, Vodafone was quick to notify customers and financial institutions of the incident, minimizing the damage to its trust levels. As the digital economy continues to rapidly expand, there is no question that we will hear of more businesses suffering financial and image losses due to failures and abuses of security and, consequently, trust. Forget the competition; these days one of the most significant threats to companies comes from within, namely the need to win and retain consumer trust. Consumers do not just expect that businesses will put their interests ahead of everything else; they demand it. If they feel that their trust levels are taking a hit, more likely than not they will move on to another brand.
As firms rely on consumers to demonstrate the quality of their brands, a loss of trust can be perilous for both the brand and the company’s very future. To make sure that trust is maintained at every touch-point along the customer’s journey, it is vital that senior executives ensure their companies are equipped with the right leadership, culture, organizational design, operating model, skills, technology, and processes. Those companies that view trust not just as a security or technology issue, but also a brand-building opportunity, and put their consumers’ interests ahead of short-term profits, will be those that are most qualified to come out on top when trust problems disrupt their business. In the months and years to come, trust will increasingly be seen not as the end objective, but as a necessity for cyber security.



Cyber Insurance: A Buyer’s Guide – Part 1

By Mark Luckin, Associate, LLB, BLS

Internationally, cyber and privacy liability insurance has grown in popularity and market share, as insureds and insurers alike grapple with the mercurial risks associated with:
- Interconnected business;
- Human error;
- Supply chain dependency;
- A dramatic escalation of increasingly sophisticated intentional or unintentional cyber-attacks; and
- A proliferation of data privacy laws and regulations.

The Australian cyber insurance industry is quickly maturing, leaving risk managers, the C-Suite and the board faced with a plethora of options to insure their organisation’s internet-based and information technology risks. The lack of standard cyber insurance policies leads to confusion in understanding the protections a policy can offer. Let’s look at cyber insurance and demystify the terminology, products and offerings on today’s market.

Cover Basics

Cyber insurance can be used to reduce the impact of a cyber-attack or data breach. A cyber policy provides cover in the event of your organisation suffering a data breach, being hacked, employee error, losses from business interruption, fines, penalties and even civil lawsuits resulting from privacy breaches. Such policies are unique, in that most provide a (potential) promise to pay, but also the provision of a dedicated team of industry relevant professionals to assist in the event of a claim.


Good cyber insurance policies combine third party liability cover with first party costs and a service offering to assist organisations, both during and after they suffer a breach.

What is the Trigger?

The “trigger” in a cyber insurance policy is an occurrence that defines the event that leads to coverage and/or the initial response of a policy. Cyber insurance is usually triggered by a network security failure, or the theft, loss or unauthorised disclosure of third party corporate confidential or personal information. Threats come in various guises, such as malicious attacks or hacking, but often arise from simple human error. Triggers differ between insurers. However, organisations should consider a policy with a broad definition of the trigger, such as “unauthorised access”. Simplified language assists in avoiding confusion, disputes and potentially significant exclusions. Common practice is for insurers to pinpoint specific risks to be covered. Given the evolving threat landscape, organisations should seek policy wording that is as broad as possible, so that if a breach happens it does not matter where it originates. Ultimately a good cyber insurance policy will be triggered in the event of:
• An intentional or unintentional unauthorised breach of, and downtime on, a computer system, resulting from a targeted or untargeted attack, or an accidental or intentional employee action;
• External cyber security events including unauthorised breaches caused by Spear Phishing, Ransomware, Malvertising, Secondary targeting, DDoS and many others;
• An accidental or intentional breach of personal private or commercially sensitive data (such as payment details or personally identifiable information);
• Loss of physical data (i.e. paper files, USBs etc.).

Types of Cover

Promise to pay

A cyber insurance policy provides First Party Loss and Third Party Liability protection for organisations. First party losses are those which directly relate to the organisation arising from a cyber incident, including:
• Costs to investigate and manage a network intrusion or data breach crisis;
• Digital asset loss and recovery expenses;
• Business interruption costs, including:
  - Profit loss;
  - Network disruption costs;
  - Recovery costs (including potential internal work around costs).
• Cyber extortion demands;
• Reputational damage and media relations;
• Legal defence costs;
• Voluntary and mandatory privacy notification expenses.

Third party liability refers to liability owed by organisations arising out of security and/or privacy breaches. Either a security or privacy breach (a failure to keep data secure) may give rise to a third-party loss and result in civil suits and/or regulatory actions. These can result in third parties seeking damages or imposing regulatory fines on the “data owner” who is ultimately responsible for such information. These fines, penalties, civil suits and legal costs can all be insured under a cyber insurance policy. Such claims may arise even if they resulted from the actions of a subcontractor or supplier to the data owner, such as a cloud service provider, IT support company or other operational service provider. Furthermore, organisations should be mindful of coming obligations placed on them from February 2018, with the passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016. Organisations that suffer a data breach, or even a suspected breach, will be required to notify the OAIC and also notify individuals who may be affected by the breach. Costs associated with notification to individuals and the OAIC, potential fines, penalties, civil suits and media relations costs, can all be included in a cyber insurance policy.

Crisis Management Service Team

In addition to a potential promise to pay, cyber insurance policies are unique in their offering of assistance from specialised crisis management teams. Most insurers provide 24/7 access to a crisis management team including:
- Lawyers;
- IT specialists in containment, service restoration and digital forensics;
- Media relations;
- Credit monitoring specialists.
Additionally, some insurers offer the potential for organisations to include preferred third party service providers on their panel (at the discretion of the insurer).

Claim Circumstances

To ensure that breaches are effectively managed, policyholders are encouraged to use the insurer’s expert incident crisis management team in the event of a claim. The costs associated with using their services are pre-agreed between the insurer and the incident responders, meaning organisations won’t need to seek consent before incurring costs. This also reduces the risk of costs going unpaid as “unreasonable costs”. Not taking advantage of the insurer’s incident response team does not mean coverage is not afforded to an insured using their own or preferred third party provider. It does, however, come with the caveat that associated expenses must be reasonable and necessary, as determined by the insurer. Some insurers may require written consent (not to be unreasonably withheld or delayed) to be given before costs can be incurred – which can take time, something organisations don’t have during an incident. In the event of a breach this has the potential to cause unnecessary delay, amplifying potential consequences. Organisations should seek a written agreement from the insurer to make sure no unnecessary delays will occur when faced with a claim or the prospect of a claim.

What Isn’t Covered?

There are standard exclusions in policies that buyers should be aware of. Common exclusions apply to claims arising as a result of:
- Death, bodily injury, loss of or damage to tangible property;
- Previously known contributing circumstances;
- Failure or outage in, or disruption of, power, utility services, satellites, or telecommunications external services not under the direct operational control of the Insured;
- Sanctioned countries or war-related circumstances.

Australian Cyber Security Magazine | 53

Confusion can arise when organisations misunderstand what’s covered in a crime policy as opposed to a cyber policy. In general, the crime policy is best placed to deal with direct financial loss, be it from theft or fraudulent communications, which prompt an employee to send money to the wrong place, i.e. wire fraud. Cyber insurance focuses on the loss, destruction and theft of data, as well as the financial loss because of that trigger. Some cyber policies offer a cybercrime extension, which addresses theft and fraud, but this often has a narrow trigger or a small sub-limit. Cyber extortion (i.e. Ransomware) is an area where a cyber policy is written to respond, whereas crime policies often look to exclude this form of coverage.

Getting the Right Cover

As with the differences in wording offered by insurers, the way cyber risk is assessed in Australian markets also varies. Underwriters have varying appetites across different industries, with preferences for some industries and an aversion to others. This makes it important that organisations know how to present their risk exposure. Cyber and privacy related risks are not adequately presented through the completion and presentation of a standard proposal form. Most organisations are better served by involving risk managers, IT managers, general counsel and board members in the cyber insurance process. Organisations should provide not only a proposal form, but also the following to the insurer:
- An outline of implemented cyber and IT security practices;
- Evidence of staff training and knowledge of cyber risk;
- Evidence of continual review of practices, procedures and staff training;
- Results of third party penetration testing;
- Evidence of tested business continuity and data recovery plans (in the event of a cyber incident);
- Provision of agreements with third party (managed security) service providers and how these are maintained – i.e. is a third party obliged to let the client know if there is a data breach? and
- Evidence of discussions held at C-suite or board level relating to cyber security risks.
By providing this information to insurers, underwriters gain a level of comfort that the organisation has taken reasonable steps to protect itself through the implementation of security controls.

Conclusion

Cyber insurance is not designed to replace good cyber security hygiene or allow organisations to disband their security operations teams. A bespoke and tailored policy provides effective protection against the financial losses relating to recovery from a cyber incident. By now every organisation should appreciate that, irrespective of how robust and sophisticated its network security is, it remains vulnerable to cybersecurity breaches, followed by the host of negative consequences that follow such a breach. Insurance plays a critical role in addressing cybersecurity risks, as it does in all other aspects of protecting a business. Before a cybersecurity or privacy incident occurs, organisations should make the time to properly evaluate and address their risk profile. They should seek to quantify their exposure to cyber and privacy related threats and honestly document their risk tolerance, thus helping the workforce know what is reasonable and what is considered too risky. Only then can conversations with cyber insurance companies become meaningful, and only then will the gap between existing insurance coverage and what cyber insurance brings be something that can be quantified.

In the next issue, we’ll go deeper into some of the more complicated aspects of buying cyber insurance and look at the importance of ensuring a policy is bespoke and tailored to an organisation and its associated risks, the importance of a detailed underwriting submission, and enter a more detailed discussion around claims teams and third-party involvement.

About the Author

Mark Luckin heads up Lockton Companies’ Australian Cyber Practice, advising clients on the insurable nature of their associated cyber risks. His experience encompasses advising small businesses to ASX top 200 companies, across a broad range of industries. Mark has 10 years of combined legal and insurance industry experience and is a regular contributor to the cyber insurance area through both the regular publication of white papers and appearances on panels on the topic. Complementing his Bachelor of Laws and Legal Studies, Mark also advises clients on the Directors and Officers Liability, Professional Indemnity and Statutory Liability Insurance areas.


Preventing Advanced Cyber Security Threats for Enterprises

Metadefender leverages 100+ anti-malware, data sanitization, vulnerability and other security engines for the best protection against known and unknown threats.

Trusted by Over 1,000 Organizations

Organisations in industries such as nuclear, defence, government and finance trust our solutions to secure their data flow and meet strict compliance requirements.

Visit EMTDIST.COM/MD for more information.

Metadefender’s optimized multiple anti-malware engines offer IT professionals and software engineers a way to enhance security through:
- Multi-Scanning
- Data Sanitization
- Vulnerability Detection

Why Partner with EMT Distribution?
- Dedicated Local Partner
- Product Support and Training
- Sales and Marketing Support

emt Distribution is proud to distribute OPSWAT's Metadefender product line. Metadefender protects Enterprises, Government Agencies, Defence and Critical Infrastructure in open and air gap networks. Contact emt Distribution for a free trial on +61 8 8273 3030 or:

VISIT EMTDIST.COM/MD


Cybersecuring the promised land

By Sarosh Bana

The revolutionary kibbutz collectives shaped the statehood of Israel as it emerged in 1948 in a sand-strewn terrain engulfed by a hostile neighbourhood. Israel is now a vibrant and innovative start-up hub where tech companies are today becoming the building blocks of the modern Jewish state. Defending itself ‘physically’ by military means and ‘virtually’ through effective cybersecurity are central to Israel’s survival. In the last three decades, cybersecurity has become a national priority for the Israeli government, as well as for the financial and industrial sectors. Over the course of time, Israel’s cyber practitioners have gained expertise and a worldwide reputation for developing cutting-edge security solutions and defences.

This sliver of a country of 8.4 million people is widely acknowledged as the “start-up nation”, being a leading innovation hub with the highest density of start-ups and venture capitalists in the world. It has more NASDAQ-listed companies than any country save the United States and China, and more than India, France, Germany, Japan, South Korea, Singapore and Hong Kong combined. The total market capitalisation of these Israeli companies exceeds $85 billion.

Start-Up Nation Central Ltd, an independent, non-profit organisation from Tel Aviv that claims to be the authoritative source on the Israeli innovation community, says that Israel has emerged as one of the world’s leading centres for cybersecurity solutions. “With $581 million in investments in 2016, constituting 15 per cent of worldwide investments in cybersecurity firms, investors have discovered that many of the hundreds of cybersecurity firms in Israel – both mature companies and new start-ups – offer solutions to many of the cyber-threats that have overwhelmed financial institutions, online services, manufacturers, and any other organisation that relies on digital platforms,” it mentions, drawing figures from a report by tech industry database PitchBook. A quarter of the 65 Israeli cyber start-ups founded last year have already succeeded in raising funds, the report said.

Tel Aviv - Israel

Start-Up Nation explains that Israeli cybersecurity firms have unique solutions and are being used by some of the world’s largest companies to protect their data and businesses, which rely on their ability to safely carry out digital transactions. “Israeli companies are making a difference in the battle to secure the digital future,” it points out. “Securing self-driving cars, better and safer authentication, battling ransomware – all these and more are part of the Israel cyber-defence success story.”

Israel is fast becoming a centre for automotive security, with as many as seven new companies founded over the past two years to protect connected cars. The technology being developed now will provide the solutions the world will need to develop safe and secure self-driving cars, the next big leap in automotive technology.

Prime Minister Benjamin Netanyahu cites cyber technology as a growth engine for his country’s economy. The powerhouse that this technology has become is evinced from Microsoft’s $100 million takeover in early June of Boston-based Israeli cybersecurity firm Hexadite, which has a research team in Tel-Aviv, and computing giant Intel’s $15.3 billion acquisition of Israeli autonomous driving technology firm Mobileye in March — the biggest-ever acquisition of an Israeli tech company. Microsoft says that its buyout of Hexadite, a company delivering agentless, automatic incident investigation and remediation solutions, “will build on” Microsoft’s efforts in helping its Windows 10 customers detect, investigate and respond to advanced attacks on their networks with Windows Defender Advanced Threat Protection (WDATP). “With Hexadite, WDATP will include endpoint security automated remediation, while continuing the incredible growth in activations of WDATP, which now protects almost 2 million devices,” the Redmond-based tech giant indicates. “Hexadite’s technology and talent will augment our existing capabilities and enable our ability to add new tools and services to Microsoft’s robust enterprise security offerings.”

Since 2015, 363 VC (venture capital) firms have completed at least one Israel-based venture deal, according to the PitchBook Platform, with a total of 468 deals closed during that span. Capital invested through these deals increased significantly, from $1.25 billion in 2015 to almost $2.28 billion last year, with almost $720 million recorded so far this year.

The Israeli innovation ecosystem has engendered many ground-breaking advances, for instance the firewall (Check Point), voicemail (Comverse), the USB flash drive (M-Systems), VoIP (Vocaltec) and digital printing (Indigo), that Israeli companies either pioneered or were among the first to commercialise. Israeli start-ups have also driven innovation across all major technology sectors, as with Amdocs and Comverse in telecommunication applications, Verint and NICE in contact centre applications, Mercury in information technology (IT) management, Check Point in security, DSPG in semiconductors, and Mellanox in InfiniBand.

Israel-based companies offer advanced and sophisticated security solutions, including intrusion detection and prevention systems, antivirus software, firewalls, authentication and authorisation mechanisms, secure coding and safe operating systems. Currently, these companies are successfully partnering global players to provide organisational IT, telecom and mobile security, and to protect financial institutions, government agencies, homeland security facilities and safety-critical infrastructure. Security has never been more challenging as attacks become more advanced and targeted. It is estimated that data breaches can cost between $12 and $17 million per incident, costing millions in lost productivity.

Following the close of the deal, and after a period of integration, Hexadite will be fully absorbed into Microsoft as part of the Windows and Devices Group. Mobileye, on the other hand, covers a range of technology and services, including sensor fusion, mapping, front and rear-facing camera tech and, beginning in 2018, crowdsourcing data for high-definition maps, as well as driving policy intelligence underlying driving decisions. The company is working with 27 car manufacturers, including 10 production programmes with Audi, BMW and others.

Gali Bloch Liran, marketing manager of SOSA (South of Salame), a multidimensional platform for global start-up ecosystems founded by the pioneers of the Israeli innovation community, explains why Israel is so entrepreneurial: research has highlighted the early role of military R&D, which, much like in the US, helped create the nation’s tech industry. At 4.2 per cent of GDP, Israel spends more on R&D — public and private combined — than any nation in the world. The government also took more direct measures to boost the tech sector, subsidising venture capital, incubators, university R&D and technology transfer programmes in the 1990s. While less than one per cent of start-ups in the US manage to scale up and expand, four per cent of new businesses in Israel do. This success rate is largely attributed to Israel’s seamless relationship between mandatory military training and an evolving culture of independence that encourages a desire to redefine the modern marketplace.

Also, its lack of natural resources and raw materials redoubled Israel’s efforts to hone a highly-qualified labour force, scientific institutes and R&D centres. Today Israeli industry concentrates mostly on manufacturing products with high added value, by developing products based on Israel’s own scientific creativity and technological innovation. R&D is a thrust area in Israel, which also has proportionately more scientists and tech professionals than any other country. Almost 40 per cent of Israeli high-tech employees are engaged in R&D for many major global tech companies that have subsidiaries or research centres in Israel. These include Intel, Microsoft, Google, Cisco, Facebook, Applied Materials, Apple, IBM, Hewlett-Packard (HP), Oracle and Motorola. Their innovations are used the world over, as with Intel’s Pentium PC/laptop processors, Google’s ‘Google Suggest’, and most of HP’s software infrastructure.

Cyber-attacks targeting the Israeli financial sector have increased and become more sophisticated in recent years, forcing the Israeli financial and industrial sectors to invest more in cyber R&D, infrastructure and human capital. Israel’s two major banks, HaPoalim and Leumi, declared a state of emergency and blocked all overseas traffic to their respective websites when Anonymous hackers blocked and disabled their servers in April 2015. Similar attacks were perpetrated on Bank Yahav, Bank Discount and The First International Bank in December 2013, and on Bank of Jerusalem in November 2012.

The State of Israel was among the first countries to recognise the importance of defending its critical computerised systems, launching, as long ago as 1997, the country’s e-governance project called Tehila (government infrastructure for the internet age). The measure was aimed at protecting the linkages between government offices and the internet and providing secure hosting for government sites. In 2010, Netanyahu appointed a special task force, known as the National Cyber Initiative, to formulate a roadmap for placing Israel among the top five countries in cybersecurity.

The task force recommended the setting up of a National Cyber Bureau, which was approved by the Israeli cabinet in August 2011. The Bureau’s annual budget is confidential, but is nevertheless estimated at $26.5 million. Its fourfold task is to formulate national cyber policy and strategy, promote academic cyber research and develop human capital, advance international cooperation with friendly countries and organisations, and promote the local cybersecurity industry. It is charged with strengthening the national infrastructures critical to the continuation of normal life in Israel, while advancing the country’s position as a centre of information technology development. There are an estimated 16,000 cyber professionals in Israel, both business owners and hired personnel, functioning in both the defence establishment and the private sector.


Cyber Security

42% of Web Applications have Severe Vulnerabilities.

Web Application Security shouldn’t be an afterthought. Firewalls, SSL and hardened networks are next to useless against web application hacking. Sophisticated hacks are concentrating on web-based applications accessible 24/7 and connected to valuable and sensitive data. Many web applications are tailor-made and often under-scrutinised.

Legislation and Growth

With the pending start date of February 2018 for the Data Breach Notification scheme, protecting sensitive data has never been more important. Coupled with the strategy for growth through online presence, ensuring cyber resilience and security is key to continued investment.

“50% of sample targets contained Cross-site Scripting vulnerabilities and 33% had TLS and SSL vulnerabilities.”

Patching alone is not the answer, in part due to vulnerabilities arising from poor design choices or oversights made during development or deployment.

Automated Vulnerability Scanning

Automated vulnerability testing can uncover entire classes of grievous security bugs, making it more cost effective than traditional pen testing. It also provides a highly scalable, ongoing security baseline from the initial stages of development through to production.

With web application vulnerabilities increasingly posing serious security threats to organisations’ overall security posture—now is the time to prioritize web security.

Acunetix
• Most advanced and in-depth SQL Injection and Cross Site Scripting Testing
• Full HTML5 Support with Acunetix DeepScan Tech
• Mobile Web site support
• Advanced Penetration Testing Tools
• Extensive reporting including Compliance Reports for PCI DSS and ISO/IEC 27001
• Multi-user, multi-role for granular control and access
• Detects Malware disguised as plugins
• Integrates with popular WAFs and Issue Trackers

Web Application Vulnerability Report

The Acunetix Vulnerability Testing Report 2017 found 50% of sample targets contained Cross-site Scripting vulnerabilities and 33% had TLS/SSL vulnerabilities. With all the media attention over the last 5 years on SQL injection hacks, 20% of sampled targets still contained these vulnerabilities.

FOR A FREE 14 DAY TRIAL PH: +61 882733030 OR VISIT WWW.EMTDIST.COM/WVS


Digitisation and internet of things: How to make your network future-ready

By Rob Merkwitza, Managing Director, RIoT Solutions

Digitisation and Internet of Things are two buzz words of the current technological age that are often used these days in the media, boardrooms and strategy discussions within every organisation. But are they interchangeable, or is there a difference between the two notions? Digitisation by nature implies a market transition or a different approach to a market, enabling an organisation to improve an outcome in productivity, process, lowering costs, accessing an adjacent market, improving client or staff experience or leveraging information from digital assets. Internet of Things (IoT), on the other hand, is more about devices and sensors that can assist in the digitisation of an organisation, such as connecting people, data, process and things together. Each in its own right is great, but it’s not as powerful as when they are combined and applied together. For example, connecting people, data and devices all at the same time can significantly change a process. And therefore we often see the two terms used together in the same language. In short, ‘digitisation’ is about the outcome and the ‘IoT’ is an enabler to the outcome.

This is an important point as we find that organisations often see the IoT being possible through the connection of ‘widgets’ or technology in a bespoke fashion for a specific requirement or promise of an improved value. What needs to be leveraged is the existing assets such as the network, both Information Technology (IT) and Operational Technology (OT). The fact is that we are seeing more and more companies being sold on the hype that amazing digitisation outcomes will only occur when organisations dream and add new shiny devices to their networks. The temptation is there to make knee-jerk decisions on the myriad of IoT solutions and platforms. However, this can and will prove difficult when looking to scale, manage and secure additional solutions.

There is an increasing trend in the process organisations are taking whereby large consulting firms are engaged to document a digital vision of what the future might look like. This leads to an explorative exercise through a proof-of-concept project of a one-dimensional solution that may promise significant digital outcomes, such as water meters, digital lighting, smart bins, parking etc. It’s common that they will require new infrastructure or even non-standard communications that often cannot be leveraged for the next digital project as it was standalone or proprietary. This impacts overall security and the cost to maintain, due to the many thousands of new vendor devices on the network and the need to make sense of the data across disparate platforms. And unfortunately, cyber security is often an afterthought, or only becomes necessary following a major security breach rather than being a fundamental part of the architecture and initial design.

A more pragmatic approach is to focus on the IoT solution as part of a wider digitisation strategy. Logically, taking the time to ask some key questions can make the difference between a rushed project and a robust platform that can be built upon for the future.
• What digital assets do I have already that can be connected and leveraged more efficiently, and what teams do I need to start to communicate with and bring together?
• What is the applied architecture to form a foundation principle that I can leverage to integrate existing and new digital assets in a secure manner?
• What visibility tools do I have or need to fully leverage the data that will be generated and manage the assets?
• What guidance can I provide to new potential IoT vendors to connect their devices and sensors so that I have confidence in the architecture and can evaluate technologies more effectively?
• And, have I thought about these three words? Security, Security, Security.

In short, some previous approaches have been like asking many different tradesmen to turn up to a building site one day and build a house because someone thought it was a great feel-good idea. With no physical architecture or blueprint they are all confused and the only guaranteed outcome is a very poor one. The justification for this is a recent report produced by Cisco at the IoT World Forum that states that close to 75% of IoT projects are failing. Quite simply this is because the focus is on the shiny, so-called “Smart” device and there is no focus on the architecture, hence there’s a stall during the proof-of-concept phase. The other problem is the growing threat landscape these projects create, which is some 100x or more larger than the Enterprise. It’s enough to make you WannaCry!

When being sold the dream, organisations should ask IoT vendors one question: “Can I have a quote for one digital platform or smart city, please?” Most likely the outcome will be that they are not real or it’s only a piece of the puzzle. Furthermore, we firmly believe organisations should first look at their existing OT or operational assets such as SCADA or other critical networks. These systems may be old in some cases but they are the original, well invested infrastructures that quite often only require remediation and a re-design to have them ready for the brave new digitised world. Quite often major digitisation outcomes can be achieved by simply connecting and managing these assets more wisely.

The simple fact is that, for one of the first times in a long time since the adoption of the Internet, companies really do need to stop to re-architect their networks with the IoT in mind. Not because of large technology transformations, shifts or trends, but because they need to leverage and align their current and potentially future digital assets better to address a changing market driven by customer demands and competitors. So a digital agenda should be what is driving different IoT solutions, but taking a mature approach to the architecture is what will give your projects the best possible opportunity to succeed, and then it won’t matter what terminology you use in the board room – Digitisation or IoT – more importantly, a great outcome.

About the Author

Rob Merkwitza is the Managing Director of RIoT Solutions, a specialised integrator of IoT architecture and cyber security, providing the “Digital Plumbing” of Operational Technology and Information Technology infrastructures. This includes bringing together the industrial and IT networks through technical architecture, design, implementation, cyber assessment, and managed services to deliver smart and connected outcomes.

Australian Cyber Security Magazine | 61


Cover Feature

Kaspersky Lab researcher creates free software tool for collecting remote evidence after cyber-attacks

To overcome the need for investigators to travel far and wide to gather evidence from infected computers after a cyberattack, a Kaspersky Lab expert has developed a simple tool that can remotely collect vital data without risk of its contamination or loss. Named BitScout, the tool can build a swiss-army knife for the remote forensic investigation of live systems and has been made freely available for all investigators to use.

In most cyberattacks, legitimate owners of compromised systems fall victim to unidentified perpetrators. Victims usually agree to cooperate and help security researchers find the infection vector or other details about the attackers. However, it is a longstanding concern among forensic researchers that the need to travel long distances to collect crucial evidence such as malware samples from infected computers can result in expensive and delayed investigations. The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. However, the alternatives have either involved expensive tools and a knowledge of how to operate them, or the risk of contaminating or losing evidence by moving it between computers.

To solve the problem, Vitaly Kamluk, Director of Kaspersky Lab’s Global Research and Analysis Team in Asia Pacific (APAC), has created an open-source digital tool that can remotely collect key forensic materials, acquire full disk images via the network or locally attached storage, or simply remotely assist in malware incident handling. Evidence data can be viewed and analysed remotely or locally while the source data storage remains intact through reliable container-based isolation.

Kaspersky Lab experts work closely with law enforcement agencies across the world to help in the technical analysis of cyber investigations. This gives them a unique insight into the challenges LEA personnel face when fighting modern cybercrime. The cybersecurity landscape is now so complex and sophisticated that investigators need tools that can adapt and scale to the demands of the job. BitScout is a good example of this. It can be adjusted to the particular needs of an investigator, and improved and upgraded with additional features and custom software. Most importantly it comes free of charge, is based on open-source solutions and is fully transparent: instead of relying on third party tools with proprietary code, experts can use the BitScout open-source code to build their own swiss-army knife for digital forensics.

“The need to analyse security incidents as efficiently and swiftly as possible is increasingly important, as adversaries grow ever more advanced and stealthy. But speed at all costs is not the answer either – we need to ensure evidence is untainted so that investigations are trusted and results can be qualified for use in court if required. I couldn’t find a tool that allowed us to achieve all of this, freely and easily – so I decided to build one,” - Vitaly Kamluk.

The list of BitScout features includes:
- Disk image acquisition even with un-trained staff
- Training people on the go (shared view-only terminal session)
- Transferring complex pieces of data to your lab for deeper inspection
- Remote Yara or AV scanning of offline systems (essential against rootkits)
- Search and view registry keys (autoruns, services, plugged USB devices)
- Remote file carving (recovering deleted files)
- Remediation of the remote system if access is authorized by the owner
- Remote scanning of other network nodes (useful for remote incident response)

The tool is freely available at the GitHub code repository: https://github.com/vitaly-kamluk/bitscout
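Two of the features listed above, file carving of deleted files and keeping the source evidence untainted, are easier to appreciate with a concrete mechanism in hand. The following is an added example written for this page, not code from BitScout or Kaspersky Lab: it builds a small synthetic raw image in memory (constructed sample data, with helper names such as build_sample_image and carve_read_only chosen for this illustration), carves embedded PNG and JPEG files out by their header and footer signatures, validates every PNG's chunk CRCs so that stray byte matches are rejected rather than reported as recovered files, and hashes the image before and after carving to record that the acquisition was never modified.

```python
"""Signature-based file carving over a read-only disk image (added example).

Not BitScout's or Kaspersky Lab's code. The image, file contents and helper
names below are constructed for illustration; the PNG and JPEG magic numbers
are the real, well-known ones.
"""
import hashlib
import struct
import zlib

# (header, footer) signatures per file type.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),  # SOI + APP0 ... EOI
}
MAX_CARVE = 1 << 20  # stop looking for a footer 1 MiB past a header


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data and CRC-32 over type+data, as the PNG spec lays out a chunk."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Minimal valid 8-bit greyscale PNG (constructed sample, not real evidence)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 7) % 256 for x in range(width)) for _ in range(height))
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(rows)) + _png_chunk(b"IEND", b""))


def make_jpeg_stub(payload: bytes) -> bytes:
    """JPEG-shaped blob: SOI, APP0 marker, payload, EOI. Carvable, not decodable."""
    return SIGNATURES["jpg"][0] + payload + SIGNATURES["jpg"][1]


def build_sample_image() -> bytes:
    """Constructed raw image: three files scattered among zeroed 4 KiB 'sectors'."""
    sector = bytes(4096)
    return b"".join([sector, make_png(8, 4), sector * 2,
                     make_jpeg_stub(b"constructed-photo-payload"), sector,
                     make_png(3, 3), sector])


def png_is_valid(blob: bytes) -> bool:
    """Walk the chunk list and verify every CRC; rejects truncated or false matches."""
    if not blob.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return False
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return False
        if ctype == b"IEND":
            return pos + 12 + length == len(blob)  # nothing may follow IEND
        pos += 12 + length
    return False


def carve(image: bytes) -> list:
    """Return [(offset, kind, bytes)] for every validated header/footer match."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end != -1:
                blob = image[start:end + len(footer)]
                if kind != "png" or png_is_valid(blob):
                    found.append((start, kind, blob))
            start = image.find(header, start + 1)
    return sorted(found)


def carve_read_only(image: bytes) -> dict:
    """Carve and record that the source was untouched: hash before and after."""
    before = hashlib.sha256(image).hexdigest()
    items = carve(image)
    after = hashlib.sha256(image).hexdigest()
    return {"sha256_before": before, "sha256_after": after,
            "intact": before == after, "carved": items}


if __name__ == "__main__":
    result = carve_read_only(build_sample_image())
    print("image intact:", result["intact"], result["sha256_before"])
    for off, kind, blob in result["carved"]:
        digest = hashlib.sha256(blob).hexdigest()[:16]
        print(f"{kind} at offset {off:#x}, {len(blob)} bytes, sha256 {digest}...")
```

The design point worth noting is the validation step: a carver that trusts a bare header match will happily emit fragments of unrelated data as "recovered files", which is exactly the kind of tainted result the quote above warns against. Hashing the acquisition before and after any analysis, and recording both digests alongside the carved objects, is the minimal chain-of-custody habit that lets results be qualified later.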


