Australian Cyber Security Magazine, ISSUE 3, 2017


THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 3, 2017

The active directory botnet

Mandatory Breach Notifications and the GDPR Effect

Cyber insurance: A buyer’s guide Part 2

Machine Learning in Cyber Security

Know your enemy : Part 2

Honeycutt Social Engineering

Interview with ANZ's Security Team

WA’s Capture the Flag Competition

- PLUS -

DIVERSITY FEATURES: Gender Minorities within STEM | Bridging the Gender Gap | Seeking diversity in Cybersecurity


Web applications and sites pose serious dangers to business

How to protect your web investment

Is your website hackable? 70% are!

With the uptake of cloud computing and the advancements in browser technology, web applications and web services have become a core component of many business processes, and therefore a lucrative target for attackers. High profile cyber-attacks regularly make the headlines, exposing citizens to financial loss and worry, and costing organisations millions. Australia has not been spared, with recent news of Medicare details being sold on the dark web and radicalised hackers defacing Australian websites. “Australia’s relative wealth and high use of technology such as social media, online banking and government services make it an attractive target for serious and organised criminal syndicates” (ACSC 2016 report).

Hacking for Profit, Fun or State

Audit Your Web Application Security

The ongoing theft of intellectual property from Australian businesses and agencies poses significant challenges to the future competitiveness of Australia’s economy. It is time for business owners and organisations of any size to be proactive in their approach to website security. The risk goes well beyond government.

Using Acunetix, you can automate vulnerability discovery from development through implementation of web sites and web applications.

Hackers concentrate their efforts on web-based applications like shopping carts, forms, login pages, etc. Accessible 24/7 from anywhere in the world, insecure web apps provide easy access to backend corporate databases and allow hackers to perform illegal activities using the compromised site. Firewalls, SSL and hardened networks are futile against web application hacking! Once a hacker gains access, escalating privileges and moving laterally throughout an organisation’s infrastructure becomes far less troublesome. In some cases the first organisation to be hacked is not necessarily the end target, as is the case with many state sponsored attacks. It is critical to make it as difficult as possible for malicious actors to breach your defences. Lacklustre coding, pressure to deliver, and oversights in design all contribute to sites and applications that may not be the most secure. Visibility is key to remediation. Using a web vulnerability scanner like Acunetix ensures vulnerabilities in websites are detected before a hacker can exploit them.

• Scan for SQLi, XSS & 3000 other vulnerabilities
• Detect DOM-based & Blind vulnerabilities
• Full HTML5 & JavaScript analysis
• Built-in Vulnerability Management
• Integrates with popular WAFs and Issue Trackers
• Extensive Compliance Reports for PCI DSS and ISO/IEC 27001
• Advanced Penetration Testing Tools
• Perimeter Server Security
• Available On Premise or Online

Acunetix is the market leader in automated web application security testing, with customers in the Government, Military, Educational, Telecommunications, Banking, Finance, and E-Commerce sectors, including many Fortune 500 companies. emt Distribution distributes Acunetix throughout ANZ with dedicated staff and has a partner base in excess of 500. If you wish to find out more about Acunetix contact emt Distribution on +61 8 8273 3030 or visit www.emtdist.com/wvs

Download your free trial here: https://www.acunetix.com/vulnerability-scanner/download


Effective Application Whitelisting

Airlock Digital enables organisations to implement and maintain application whitelisting, simply and securely, even in complex enterprise environments.

Application whitelisting with Airlock is a simple, repeatable process

Until now, application whitelisting has been difficult to deploy and maintain. Airlock has been developed from the ground up by security professionals to solve real world problems with application whitelisting. Airlock incorporates proven and effective workflows, designed for ease of use, in dynamically changing environments. Creating and deploying whitelists with Airlock is fast, enabling organisations to become secure and compliant, sooner.

Secure whitelisting

Not all application whitelisting solutions are created equal. Airlock is designed to be the most secure application whitelisting solution on the market, supporting pure hash-based whitelisting on all executable files and application libraries, regardless of file extension.

Airlock Digital is an Australian based company, with offices in Adelaide and Canberra. Airlock is designed to be fully ISM compliant.

LEARN MORE
Telephone: 1300 798 925
E-mail: info@airlockdigital.com
Web: www.airlockdigital.com
@airlockdigital

Watch a product video now or schedule a product demonstration at www.emtdist.com/aw

Airlock is proudly distributed in Australia & New Zealand by emt Distribution Pty Ltd. Partners can learn about the Airlock Digital channel program at www.emtdist.com or call (08) 8273 3030


Contents

Editor's Desk | 5
Quick Q and A with Morey Haber | 6
Feedback loop - have your say! | 10
Collaboration and skills are key issues for Australian cyber security professionals | 12
You've had a data breach - what happens next? | 18
Mandatory data breach reporting | 20
Helping Australia build a secure healthcare network | 22
Cybersecurity McCarthyism, collaboration & home brands | 28
Know your enemy Part II | 32
Cyber Insurance: A Buyer’s Guide Part II | 36
Seeking diversity in cybersecurity | 40
WA’s capture the flag competition | 42
The active directory botnet | 44
Interviewing ANZ’s Security Team | 46
I don’t like Mondays: SMBs and Information Security | 50
General data protection regulation and its relevance in Australia | 52
Machine learning in cyber security: The newest tool in the toolbox | 54
STEM and the problem of gender minorities in Cyber | 56
Failure in depth | 60
It’s the humans, stupid, or, is it the stupid humans? | 61
Cyber Security: A human right, or luxury for the few? | 62

Editor: Tony Campbell
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiancybersecuritymagazine.com.au

Copyright © 2017 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E | myteam@mysecuritymedia.com
www.mysecuritymedia.com

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
www.facebook.com/apsmagazine
@AustCyberSecMag
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors
Ty Miller, Emily Major-Goldsmith, Jackie Bayer, Wayne Tufek, Elliot Dellys, Morey Haber, Mark Luckin, Samantha Humphries, Michael LeBoydre, Guillaume Noé, Mark Honeycutt, Zoheb Ainapore, Aaron Doggett, David Stafford-Gaffney, Annu Singh, Dr Jodie Siganto, Michael Sentonas, Aiden Daly

OUR OTHER CHANNELS
www.australiansecuritymagazine.com.au
www.malaysiasecuritymagazine.com
www.asiapacificsecuritymagazine.com
www.chiefit.me
www.cctvbuyersguide.com
www.youtube.com/user/MySecurityAustralia
Additional: www.drasticnews.com


Editor's Desk

After a gruelling few months battling WannaCry, Petya and NotPetya, our cybersecurity operations teams have finally had some time to regroup and re-establish some semblance of calm. Respite couldn’t have come soon enough for most, since even the most battle-hardened ops teams were feeling the pressure, especially as it’s only a matter of time before the game changes yet again.

The media seems to think that cybersecurity is about protecting the data whizzing around our networks, and through one single lens they would be right. But there is a complexity to our world that most don’t see. We are defending against the bad guys with firewalls, anti-malware software and intrusion protection systems, but our jobs are multifaceted, requiring us to assume the role of frontline troops, captains and commanders, weapons experts, smart bomb operators and UAV pilots, intelligence operatives and the secret police, while most of the time our own managers have no idea what we do. Susan is simply the security girl who sorts stuff out. And until now, we have gritted our teeth and got on with the job.

However, security is an intractable problem in today’s business, where cybersecurity won’t prevail without due care and comprehension being paid by the business. Groan, I hear you sigh: here come the same old trite messages of “Talk to the board,” “Use language they understand,” and “Only escalate what you think they need to hear.” But the latest changes in legislation, with Mandatory Breach Notification in Australia and the General Data Protection Regulation (GDPR) in the EU, really do change the game. In fact, the pitch has changed, the goals have shifted and, let’s face it, since most of our careers have been spent being ignored, it’s about time everyone read the bloody rule book. The reality is that a breach that is ignored can now lead to massive fines, imprisonment and the ruining of lives and companies.

Even the biggest global conglomerates, which are likely to have impeccable defences, are not safe. As shown recently with Equifax, no one is safe. These massive companies that we trust with our most personal information hold, after all, an enormous juicy prize awaiting the determined and successful hacker. The US public has suffered worst over the past five years, with some of the largest hacks in history being recorded at companies such as Anthem, eBay, LinkedIn, the Office of Personnel Management and now Equifax. But we are just as exposed here in Australia. How protected are all the health systems, social services systems, financial systems and government databases that hold the personal data of Australian citizens? What about the last iPhone or Android application your mother-in-law or daughter installed – can you guarantee it’s not stripping personal data from her phone and sending it back to Russia for use in a future raid? Next year we’ll see companies redouble their efforts to improve their defences as they clamber to get ahead of the compliance engine that bursts into life in February.

This issue of ACSM contains a variety of timely and relevant articles that look at some of the big issues we are facing in Australia. We’ve got articles on data breach notification, GDPR and its relevance to Australia, cyber insurance, and an interesting look at botnets in Active Directory. We also have articles on social engineering, machine learning, and the gender and skills gap (and what to do about it), as well as interviews, opinion pieces and feedback. I hope you enjoy Issue 3, and enjoy AISA’s national conference on collaboration. Until next time, stay safe and secure.

Tony Campbell Editor


Cyber Security

Quick Q and A ....with Morey Haber, Vice President of Technology, Office of the CTO

By Tony Campbell, Editor

With more than 20 years of IT industry experience, Morey Haber joined BeyondTrust in 2012 as a part of their eEye Digital Security acquisition and currently oversees strategy for both vulnerability and privileged identity management.

With more than 20 years of IT industry experience, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees strategy for both vulnerability and privileged identity management. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and key customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.

ACSM: Hi Morey, thanks for agreeing to speak with us today. Can you give our readers an idea of what brought you into cyber security, why cyber security, and what aspects of your career to date have helped you get where you are today?

In all fairness, I stumbled into cyber security almost 20 years ago, while working in the network management space of operations. The security models for SNMP only included v1 and changing community strings was not possible on many devices. Simple discovery scans revealed that devices could have their MIBs modified and the runtime of the devices altered for malicious activity. This included changing email addresses on multifunction copiers to send copies of all copied/scanned material to an attacker. These basic attacks in the late 1990s raised my interest in cyber security and so began my journey on my current career path. In the early 2000s, a former executive of mine joined eEye Digital Security and recruited me to grow the business. At that time, we were a young start-up with only two dozen employees and very limited venture capitalist funding. There were only two commercial vendors performing vulnerability assessments and the security community barely existed. Most organisations were in denial of the potential threats and the risks. Within a few years, I assumed responsibilities for product management and business development for our network scanner and endpoint protection platform. I will state candidly that the learning curve was steep. There was very little training at the time, anti-virus was typically signature-based, and intrusion prevention solutions were just emerging on the market. Today, we take firewalls and basic threat protection for granted, before the wild west days of SQL Slammer and Code Red. In fact, many businesses at that time would not even put anti-virus on their servers due to performance issues, let alone apply security patches, in fear of something breaking. In 2012, BeyondTrust acquired eEye Digital Security. The focus from vulnerability management to privileged access management was an easy pivot. Privileged attacks are just another method for a threat actor to breach an environment and conduct similar malicious activities as the defaults used in SNMP community strings. The only curve was learning the permutations of privileged attacks and applying them to data exfiltration and lateral movement, both of which vulnerabilities and exploits have been doing for almost 20 years. Privileged access was not much different than the threat landscape I learned in the past. Therefore, after all this time, my duration of being in the security community and watching threats and technology evolve has been my greatest asset in bringing my career to prosper to date. New professionals to the security community should not only learn about modern threats, but also study past attacks and history. After all, history is what has brought us to the problems we face today and we can learn how similar problems have been mitigated in the past, and what has been proven to be most effective.

ACSM: What advice would you give to Australian businesses and governments regarding both the national and international cyber threat landscape?

There are several key recommendations all organisations should adhere to regardless of government, commercial, and even home use, to mitigate risks, regardless of the geography. These are critically important because they represent the lowest hanging fruit that threat actors are leveraging to attack our IT resources:

1. Education, Training, and Measurement

The average user may not be able to tell the difference between a regular email, phishing, or spear phishing attack. They do, however, understand that if you click on the wrong thing, you may lose all your work, infect your computer, and cause massive damage to the organisation. If you can translate the threat from an attack into terms the average user can remember, then the human element of social engineering can have some definable mitigation strategy. Most modern threats come via phishing attacks and the training needs to cover the threat, identification of phishing emails, and the hard lesson of what to click on and when not to open a file. A simple phone call can verify if the email is legitimate and we need to instruct team members how to verify the source before continuing. It is not hard to do--just like looking both ways before crossing the street--but we need to teach all users about safe computing practices. And, for most organisations, penetration testing with phishing samples is recommended to measure the success of your training initiatives.

2. Secure and Verifiable Backups

One of the worst-case scenarios for any attack is you become infected with malware that wipes the environment. That means your data is encrypted by ransomware or simply erased (wiped). So how do you recover? Secure backups. While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up, and most importantly secured, such that a malware infection or advanced persistent threat cannot compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files to a pristine state. A common mistake for organisations, however, is to attempt a restoration before a malware infestation is cleared. While some anti-virus solutions can remove the malware, best practices recommend rebuilding or re-imaging the host(s). There is always a chance the threat was more sophisticated than the endpoint security solution can detect and resolve, and that a persistent threat may be present for a future attack. A complete reload is the only way to be moderately sure that the issue has been resolved. If the infection is bad enough and found its way to a domain controller, you should strongly consider reloading the entire environment. It is the only way to be sure.

3. Secure Macros

Some of the newest ransomware and clever malware is taking cues from older viruses that leverage Microsoft Office and other application macros. This isn’t easy to resolve, because many of our spreadsheets and documents depend on macros to satisfy business and functional requirements. For example, a recent addition to the long list of ransomware, “PowerWare,” comes in typically through a phishing email and contains an infected Word attachment. The document contains a malicious macro, which then calls a PowerShell script, which carries out the payload. This email is scary because Word and PowerShell are very common and approved applications at almost every organisation. Therefore, they represent a trusted attack vector for modern threats. In newer versions of Microsoft Office, they do contain a setting to drastically reduce the possibility of this happening. The setting, ‘Disable all macros except digitally signed macros’, found within the Trust Center settings, will do just that: prevent a macro without a valid certificate authority from executing. This provides secure granularity to enable macros versus the ‘Disable all macros’ setting. Unfortunately, you may not be able to enable this setting since not all macros your business requires may be signed, or otherwise the certificate for them may be expired. Wherever possible, insist any vendor that provides software containing macros sign them and establish a process internally to sign macros, so this setting can be properly enabled for everyone.

4. Patch and Update Frequently

As if the thought of an angler phish is frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though this specific vulnerability has been patched, many organisations do not patch third party applications regularly — let alone the operating system itself (think WannaCry). Maintaining software to their most recent versions is nothing new, but we continue to see outdated--and sometimes years outdated--software in production environments. It is important to have a regular schedule to assess your environment for outdated or vulnerable software, and have a tested process to remediate any findings. These are security basics and if your organisation is not doing it well, it is an easy problem to solve and see some tangible threat reduction results. This includes keeping endpoint protection technology and local anti-virus up to date as well. Businesses still rely on this for a first line of defense when education fails and a threat has been identified (and prevented) before the infection. Basically, if it can be updated to a more secure version, it should be, and as frequently as technically and business friendly as possible.

5. Remove Administrator Rights

Most threats propagate by leveraging the user’s privileges to move laterally or infect files. If the user only has standard user rights, the only files and systems visible are the ones they may have local or via a network share. While the scope of this may be large, it can be much worse if the user has administrator privileges. Then, potentially every resource visible to an administrator is in scope and therefore the entire environment is potentially susceptible to an infection. The fact of the matter is that most threats require administrator privileges just to launch or leverage an exploit. If you reduce a user’s privilege to standard user, threats that try to install a persistent presence are generally thwarted because it does not have the privileges to install files, drivers, or even access the registry unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy for the clear majority of malware, that needs to own a system to begin infecting files and lateral resources. If this strategy is bundled with application control and least privilege technology, only a few forms of threats (like WannaCry ransomware or macro based) cannot be prevented. This proves that to successfully prevent an attack requires a blended approach from the removal of administrative rights to handling the edge cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits.

In conclusion, if you look at these closely, they are covered in the ASD Top Four and Essential Eight. The Australian Government recognizes these recommendations and their effectiveness, and has taken the additional steps to formalize the recommendations for all applicable organisations.

ACSM: What can organisations do to identify, evaluate and measure cyber risks, and put in place mechanisms to manage and minimise risks?

Organisations have a plethora of security tools at hand to identify, mitigate, evaluate, measure, and prioritize cyber security risks. Each one of these tools as a standalone solution, regardless of vendor, has valuable events and logs that individually provide breadcrumbs to measure risk. I recommend that all organisations invest in a Security Event Information Manager (SEIM). SEIMs are designed to consolidate all this information and provide correlation, analytics, and depending on the vendor, automated actions to manage the risks. If they do nothing else, they provide a central location to look for security information, versus hunting through a network and manual correlation to identify a threat.

ACSM: Where do most cyber threats affecting Australian organisations originate from?

It is a false assumption that cyber security threats are originating from one region or another. While we hear in the news about attackers from Russia, Ukraine, and North Korea, it does not mean the threats themselves “actually” originated from those countries or geographic regions. Consider the recent breakout of WannaCry. The vulnerability and accompanying exploit originated in the United States, was stolen during a security breach of the NSA, and posted illegally to the web by ShadowBrokers. The information needed to create the ransomware worm was the culmination of prior art, but ultimately distributed by a threat actor; somewhere. In short, cyber threats affecting Australian organisations can originate anywhere. While the majority may appear to be originating from one region or another, an insider threat like Edward Snowden can overshadow all of them and prove that our greatest enemies could be anywhere. Organisations should therefore not focus defenses based on region, but rather consider the Internet a hostile risk all together and raise privileged access based on context aware decisions to mitigate any regional anomalies.

ACSM: Is there a growing cyber threat posed by international terrorist organisations and organised crime and what can we do about it?

There is a growing cyber threat posed by international terrorists, hacktivists, fake news, and organised crime. Their goals, however, generally follow two models: money or anti-establishment. Just like any organised crime, money is the attractor. This could be attacks against banking infrastructure like the SWIFT network or credit card skimmers. If a criminal can easily steal money anonymously, they have an easy crime they will continue to proliferate. As for the anti-establishment, it is all about politics. Whether it materializes as fake news or hacktivism, the goal is to destabilize a government, organisation, or create conflict. While defenses for monetized crimes are the same as other cyber security threats (monitoring privileges, patching, reviewing activity, etc.), organised hacktivism is much more difficult to control without censorship. The Australian Government recently participated in a parallel effort to block websites containing stolen entertainment videos to protect the companies and revenue they generate. The same philosophy is enabled by China to block any questionable or controversial content. The problem becomes: when does civil liberty become stunted by the need to protect the establishment? This is a freedom of speech issue that will play out for many years.

ACSM: From the perspective of national critical infrastructure, how is Australia faring compared to other countries?

While I can speak to the “actual” state of the nation’s critical infrastructure, I can unequivocally state that no other nation has produced a simplified requirements document like the ASD Top 4 or Essential Eight for end user (organisation) consumption. While other governments issue standards around HIPAA, GDPR, NIST, etc., all of them require a level of expertise to read, comprehend, and ultimately implement. I would say Australia is ahead of everyone else by promoting guidelines everyone can understand and implement, that solve the clear majority of cyber security threats. It is now up to organisations to implement them and measure their success. That measurement is something this security professional does not have intimate knowledge of since its introduction in 2014.

ACSM: What can businesses do to keep abreast of the threats to Australian interests?

I would recommend that all businesses have a security professional or trusted advisor to keep them informed of the latest cybersecurity threats. Depending on the size of the business, this could be a full-time employee or trusted technology partner that helps with cyber security solutions and best practice recommendations. In addition, specialised news websites and blogs are good outlets for those who want to embark on a self-education process and stay abreast of all modern threats.
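The ‘Secure Macros’ recommendation in the interview above points at the Trust Center setting ‘Disable all macros except digitally signed macros’. The PowerShell script below, added here as an illustration and not part of the interview or of any BeyondTrust product, audits that setting across the main Office applications and can enforce it through the Group Policy registry key; the registry paths, value names and value meanings are assumptions from my own knowledge of Office, not from the page.

```powershell
# Added example (not from the interview or from BeyondTrust): audit, and with -Enforce set,
# apply the Office Trust Center macro policy the interview recommends:
# "Disable all macros except digitally signed macros".
#
# Assumptions (mine, not the page's): Office 2016/2019/365 (registry version 16.0) stores
# the per-application macro policy as the DWORD 'VBAWarnings' under
#   HKCU:\Software\Policies\Microsoft\Office\<ver>\<App>\Security   (set by Group Policy, wins)
#   HKCU:\Software\Microsoft\Office\<ver>\<App>\Security            (the user's own Trust Center choice)
# with these values:
#   1 = Enable all macros                                   (weakest)
#   2 = Disable all macros with notification               (Office default; one click re-enables)
#   3 = Disable all macros except digitally signed macros  (the interview's recommendation)
#   4 = Disable all macros without notification            (stricter still)
# Outlook uses a different value name for its macro level, so it is left out of the default list.
# Run as the user whose policy you are inspecting; -Enforce needs write access to HKCU.

[CmdletBinding()]
param(
    [string]$OfficeVersion = '16.0',
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint', 'Access'),
    [switch]$Enforce
)

$VbaWarningNames = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}
$Recommended = 3

function Get-RegistryDword {
    # Returns the DWORD value or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-MacroPolicyState {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    $policyVal = Get-RegistryDword -Path $policyKey -Name 'VBAWarnings'
    $userVal   = Get-RegistryDword -Path $userKey   -Name 'VBAWarnings'
    # The policy value overrides the user's choice; with neither present Office behaves as level 2.
    if ($null -ne $policyVal)   { $effective = $policyVal; $source = 'Policy' }
    elseif ($null -ne $userVal) { $effective = $userVal;   $source = 'User' }
    else                        { $effective = 2;          $source = 'Default' }

    # Secondary check (assumption): the policy-only DWORD 'blockcontentexecutionfrominternet' = 1
    # blocks macros in files that carry the Mark-of-the-Web, which is how phished attachments arrive.
    $motwBlock = Get-RegistryDword -Path $policyKey -Name 'blockcontentexecutionfrominternet'

    [pscustomobject]@{
        App                  = $App
        Source               = $source
        VBAWarnings          = $effective
        Setting              = $VbaWarningNames[$effective]
        SignedOnlyOrStricter = ($effective -ge $Recommended)
        InternetMacrosBlocked = ($motwBlock -eq 1)
    }
}

function Set-MacroPolicy {
    # Writes the recommended level into the policy key so the user cannot lower it in Trust Center.
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'VBAWarnings' -PropertyType DWord -Value $Recommended -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
}

$report = foreach ($app in $Apps) {
    $state = Get-MacroPolicyState -App $app
    if ($Enforce -and (-not $state.SignedOnlyOrStricter -or -not $state.InternetMacrosBlocked)) {
        Set-MacroPolicy -App $app
        $state = Get-MacroPolicyState -App $app   # re-read so the report shows the applied state
    }
    $state
}

$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled audit job flag hosts that still allow unsigned macros.
if ($report | Where-Object { -not $_.SignedOnlyOrStricter }) { exit 1 } else { exit 0 }
```

As the interview notes, level 3 only helps once the macros the business relies on are signed; run the audit without -Enforce first and compare the report against the list of signed macro sources before switching enforcement on.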


Preventing Advanced Cyber Security Threats

Metadefender leverages 100+ data sanitisation, vulnerability detection, and anti-malware engines for the best protection against known and unknown threats.

Trusted by Organisations Across Government, Critical Infrastructure, Nuclear, Military, Finance, Technology, and More

Over 1000 organisations globally rely on OPSWAT Metadefender to secure their data and meet strict compliance requirements. Metadefender’s optimized data sanitisation, vulnerability detection, and multi-scanning technologies offer IT professionals and software engineers a way to enhance their security.

Deployment options: On-Premises | Cloud
• Air-gapped networks via Metadefender Kiosk and Secure File Transfer
• Email via Metadefender Email Security
• Web via Metadefender ICAP Server
• Endpoints via Metadefender Client

Contact EMT Distribution Pty Ltd to learn more about how OPSWAT’s solutions can boost your cyber security threat mitigation strategies.

Visit www.emtdist.com/md or call +61 8 8273 3030 for further information

EMT Distribution is proud to distribute OPSWAT’s Metadefender product line. Metadefender protects enterprises, government agencies, defence, and critical infrastructure in open and air-gapped networks. Contact EMT Distribution for a free trial at +61 8 8273 3030 or visit www.emtdist.com/md.


WRITE FOR US!

Reach out to over 10,000 industry professionals per month!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:
• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging?

You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out to over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at: editor@australiancybersecuritymagazine.com.au


FEEDBACK LOOP - Have Your Say!

There are many ways that you can provide feedback to us and converse with our editorial board, but we’re establishing this regular feature in the Australian Cyber Security Magazine because conversations can change the world. It is encouraging to see that so many of you are already so vocal on some of the big issues affecting Australia, voicing your opinions on LinkedIn, blogs and at industry conferences. We will endeavour to respond to every single one of you and publish the best discussion pieces in each issue in this new standing section, entitled Feedback Loop.

To thank you for your feedback, we’ll provide a token of our appreciation for the best letter in every issue. As this is the inaugural issue we don’t have any feedback yet, so let’s cut to the chase. The prize for the best letter in issue 2 will be a complete set of social engineering guru Chris Hadnagy’s three amazing books.

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analysed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation state, and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high profile breaches at Target, RSA, Coca Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and post high-profile event attacks. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Unmasking the Social Engineer: The Human Element of Security The Human Element of Security focuses on combining the science of understanding non-verbal communications with the knowledge of how social engineers, scam artists, and con men use these skills to build feelings of trust and rapport in their targets. The author helps listeners understand how to identify and detect social engineers and scammers by analysing their non-verbal behaviour. Unmasking the Social Engineer shows how attacks work, explains nonverbal communications, and demonstrates with visuals the connection of non-verbal behaviour to social engineering and scamming.

Social Engineering: The Art of Human Hacking The first book to reveal and dissect the technical aspect of many social engineering manoeuvres. From elicitation, pretexting, influence and manipulation, all aspects of social engineering are picked apart, discussed and explained using real world examples, personal experience and the science behind them, to unravel the mystery in social engineering.



Collaboration and skills are key issues for Australian cyber security professionals

Data breaches are something no company wants to have to face; however, if the results of a recent member survey conducted by AISA are anything to go by, relatively few Australian companies have had to deal with data breaches over the last twelve months. According to the survey, conducted earlier this year, most members had experienced fewer than five breaches, although this result is moderated by 12.5 percent of members surveyed reporting that they had experienced in excess of 25 data breaches. Data breaches, and their disclosure, are vital to the cyber security industry, given that the Senate in February passed the Notifiable Data Breaches Act. This Act, which comes into effect in February 2018, mandates that any organisation accountable under the Privacy Act must notify the Australian Information Commissioner and members of the public if data has been compromised.

Collaboration

Australian information security professionals are well ahead of the game when it comes to feeling that they have the right mix of support and expertise to deal with cyber security breaches. According to the AISA member survey, 76 percent of respondents indicated they had good support. However, this is balanced by the fact that one fifth, or 21 percent, said they did not have adequate internal or external support to deal with any breach they experienced. The upcoming AISA Conference will focus on the theme of Collaboration, and the member survey clearly indicated that collaboration is a vexed issue for Australian security professionals. Respondents to the survey were evenly split on whether they had adequate collaboration between corporate departments to deal with cyber security issues. More significantly, the vast majority of those surveyed felt that collaboration between government and the private sector on cyber security issues was sorely lacking.



Australia’s standing when it comes to dealing with cyber security issues was one that divided survey respondents. Just over half felt that Australia is on par with most developed nations when it came to cyber security, while just under half were of the opinion that Australia is behind its global peers. Only one percent of respondents had the view that Australia is ahead of its global peers.

Skills and corporate positioning

This split on where Australia stands globally when it comes to cyber security issues is also a reflection of the deep pessimism that AISA members have when it comes to the contentious issue of skills. Most of the members surveyed felt Australia is sorely lacking when it comes to having the technical skills to deal with cyber security issues. Around one third of respondents indicated that in their view technical skills are inadequate in industry and government. The budget being given for training, as well as the soft skills needed to capitalise on technical skills, were also issues of significant concern to Australian cyber security professionals. Overall, what the survey found is that Australian cyber security professionals simultaneously hold contrary opinions on the state of cyber security in Australia. On one hand, many AISA members feel Australia is the match of its global peers when it comes to cyber security. Yet on the other hand, Australian professionals don’t think we have adequate skills and training to deal with cyber security. Clearly, improving skills, and better managing collaboration between industry and government, are the key issues Australia needs to address when it comes to cyber security.

Are you ready to Collaborate? Join us for this unmissable event. The AISA National Conference will be held between October 10 - 12 2017 at the Hyatt Regency, Sydney. Registration and further information are available from AISA.



10TH ANNUAL AISA NATIONAL CONFERENCE

This year we are not only celebrating 18 years since our inception, but we also host our 10th annual AISA National Conference. The theme of this year’s event is COLLABORATION. Join the AISA community as we bring together local and international thought leaders and industry experts. Under a single roof we will discuss how all areas of industry, the public sector and academia can improve the way we collaborate to advance cyber security in Australia.

COLLABORATION

National Conference, 10-12 October 2017, Hyatt Regency Sydney


CYBER SECURITY FOR WOMEN EXECUTIVE BREAKFAST INVITATION EXCLUSIVE TO COLLEAGUES

CIO, CISO & CSO TUESDAY 24 OCTOBER 2017 8:30 AM - 10:00 AM

THE BOAT HOUSE MENINDEE DRIVE, BARTON, ACT

Diversity, Opportunity, Scale

Mihoko Matsubara, Vice President & Public Sector CSO for Asia-Pacific, Palo Alto Networks

We would like to invite you to join an exclusive executive discussion featuring Mihoko Matsubara, Vice President and Public Sector Chief Security Officer (CSO) for Asia-Pacific, Palo Alto Networks. Mihoko, based in Singapore, is responsible for developing thought leadership, threat intelligence and security best practices for the cybersecurity community within the governments and academia in the region. Mihoko was formerly CSO for Palo Alto Networks in Japan and she also worked at the Japanese Ministry of Defense. Mihoko received a Fulbright Scholarship to pursue her MA in International Relations and Economics at the Johns Hopkins School of Advanced International Studies in Washington DC and was a research fellow at Pacific Forum CSIS, a Japan-US cybersecurity cooperation think-tank. In Tokyo, she worked for Hitachi Systems as a cybersecurity analyst researching cyberthreat environments and policy issues and worked at Intel K.K., Tokyo, in the role of cybersecurity policy director. She was the first Japanese speaker (2015) at the NATO International Conference on Cyber Conflict in Estonia and was most recently appointed as an Executive Committee Member of The Armed Forces Communications and Electronics Association (AFCEA) in 2017.

Discussion Focus: This will be an interactive event, so we ask that you come prepared to engage with your peers as we discuss the key issues for women across the cyber environment. Opportunities abound in cybersecurity, and women are actively being encouraged to enter and engage in the industry. However, alongside the challenges of digital disruption and a global cybercrime industry, women themselves continue to be challenged with achieving equal diversity and inclusion, role opportunities and pay scales. On behalf of Palo Alto Networks and the Australian Cyber Security Magazine, you are invited to join Mihoko Matsubara for an intimate round-table discussion around the challenges facing women in cybersecurity, including young women, mentoring programs, women’s advocacy, cross-career training and maintaining a diverse workforce. Your participation in this discussion will hopefully enable you to identify ways and exchange ideas to address these challenges and apply them at your workplace. This is a very limited seating engagement, so please register ASAP to reserve your seat.

Kindly RSVP by 17 October 2017 to rsvp@mysecuritymedia.com or 0432 743 261



EXECUTIVE BOARDROOM BREAKFAST INVITATION

EXCLUSIVE TO COLLEAGUES

CIO, CISO & CSO WEDNESDAY, 25TH OCTOBER 2017 8:30 AM - 10:30 AM

THE WESTIN HOTEL HERITAGE BOARDROOM

1 MARTIN PLACE, SYDNEY NSW 2000

Application Security: Every business is a software business

Andrew Kay, Application Security Solution Architect, Micro Focus

Overview

Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity for software-driven “digital transformation” to stay relevant and competitive in their markets. As software becomes core to Australian business across the value chain, companies are developing and updating applications faster than ever before. Exponential growth in application development represents both an opportunity and a threat. Research conducted by Forrester identified applications as the source of 84% of all data breaches. Why software? Because cyber criminals have identified software as the weakest link. The Australian Government has recently passed legislation to drive a quality approach to data security. 23 February 2018 will see the introduction of the Notifiable Data Breaches Bill, which will ‘strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches’. Micro Focus invites you to attend an exclusive briefing event to discuss the evolving threat environment and practical approaches to application security in the modern software development life cycle.

This discussion will feature Andrew Kay, Application Security Solution Architect for Micro Focus. With a development background and over 12 years of experience in Software Quality and Security Assurance, Andrew is one of Australia’s leading application security specialists and brings unique insight to the application challenge given his experiences in both DevOps and security. Andrew has designed and implemented quality and secure development lifecycles for clients, performed architecture, design and code reviews, and written coding standards and development policies. In his current role Andrew is responsible for enterprise and government client engagement, delivering and advising on security assurance programs and application security activity in the South Pacific region. This will be an interactive event, so we ask that you come prepared to engage with your peers as we discuss the constantly evolving threat landscape. This is a very limited seating engagement, so please register ASAP to reserve your seat.

Kindly RSVP by 18th October 2017 to rsvp@mysecuritymedia.com or 0432 743 261



Cover Feature Cyber Security

You’ve had a data breach … what happens next?

By Dr Jodie Siganto

You know that Australia’s data breach notification amendments to the Privacy Act 1988 (Cth) become effective on 22nd February 2018. Naturally, you are busy planning your data breach response strategy. Aren’t you? Quite a bit has been written about the legal requirements relating to identifying and notifying data breaches, yet little has been said about what’s likely to happen after you notify of a breach. For example, how will the press cover the story? What happens if the Privacy Commissioner decides to investigate? Can your executives be called before the Privacy Commissioner and might you be fined? Could you be sued? This article looks at important considerations relating to your breach response plan, based on how the Office of the Australian Information Commissioner (OAIC) has handled data breach cases so far. I’ll also introduce some of the experiences in the US, where data breach notification laws have been in place for almost 15 years.

How Might the Press Cover Your Story?

One likely consequence of a data breach notification is that the press will find out from a tip-off or from social media (assuming they are not the source of the story in the first place). Having an effective strategy to deal with the press can reduce reputational harm, with the Australian Bureau of Statistics Census failure offering an excellent example of the reputational damage that a poorly executed communications plan can cause. Most organisations have a crisis communications strategy, which includes press releases and pre-prepared statements. But have you any idea how the media will treat your corporate comms? Do you expect them to adopt your language and support the same messaging? To the contrary, research from the US suggests that the press will sensationalise the ‘data breach’ aspects of the story and downplay or ignore apologies or remediation efforts.

Last October’s Red Cross breach was a great example of how the media can sensationalise a data breach. A file of donor details was placed on a web facing server with directory listing enabled, meaning the file was both discoverable and accessible. The OAIC investigation indicates that only one individual found and downloaded the file before reporting the vulnerability (indirectly) to the Blood Service and others. There was no evidence of wider access to the file. However, media reports included headlines such as ‘1.3m records leaked’, ‘Australia’s biggest-ever data breach’, and ‘Human error exposed 550,000 donor records’, all of which implied widespread access to the information, which was not true. Your communications strategy should anticipate this type of coverage and include ways to neutralise the likely sensationalism.

What information should be given to the OAIC?

If you decide you need to notify affected individuals of a data breach, a copy of that notice must be given to the OAIC. The OAIC suggests you should provide the OAIC with additional supporting information together with the notice, to explain the circumstances of the data breach and the organisational response in further detail. This information can assist the Commissioner in deciding whether to make further inquiries or take any other action. The OAIC has also indicated that it will publish an online form to help entities lodge notification statements and provide additional supporting information. Keep an eye out for that.

What will the OAIC do with the notice?

After receiving the notice, it’s likely that someone from the OAIC will contact you to check on how you are dealing with the breach and to offer advice. Hopefully this will be a fairly brief conversation where you reassure the OAIC that the matter is under control. If the Commissioner is happy, he may take no further action. If not, the OAIC may decide to conduct a more detailed investigation.

The OAIC has the power to investigate any circumstances which might involve an interference with privacy, without needing to have first received a complaint. This is known as a Commissioner Initiated Investigation (CII). A CII may include a review and evaluation of the systems and processes that were in place to protect the information and how the organisation has managed its response to the data breach. A CII is particularly likely in the case of a high-profile breach affecting many people or involving particularly sensitive information. The OAIC undertook a more detailed CII into the Red Cross Blood Service breach in October 2016 and, more recently, has announced investigations into the Cosmetic Institute and Flight Centre data breaches.

You’d be unlucky to be investigated (and have an investigation report publicised) unless you’ve had a massive and serious breach. The OAIC records indicate they received over 100 voluntary notifications of data breaches in each of 2014/2015 and 2015/2016. Of those notifications, only two investigation reports have been published and two enforceable undertakings given (for cases not covered by an investigation report) in the relevant period. The OAIC has confirmed its preference to work with entities to encourage and facilitate voluntary compliance with the Privacy Act before taking enforcement action (such as opening a CII). It has also acknowledged that entities need time to become familiar with the new requirements. Accordingly, during the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them (rather than enforcement activities).

What happens in an OAIC investigation?

In most cases, CIIs are ‘on the papers’. This means the OAIC will send you a letter asking a whole lot of questions, to which you must reply. The questions will likely concern: how the breach occurred, the information affected, the security controls that were in place at the time to protect the information and the action taken to address the breach. That process will continue until the OAIC determines whether there’s been any interference with any of the privacy principles and is satisfied that appropriate steps have been taken to ensure that the same breach won’t happen again. It is important to respond to these requests for information in a timely and cooperative way. Previous published investigation reports acknowledge where the entity being investigated has been helpful and suggest that that kind of co-operation is likely to support a better outcome. More importantly, the OAIC has a series of formal coercive powers that can be used in investigations. These powers include the right to require individuals to appear and give evidence and to produce documents. No-one wants their CEO or one of the directors called to appear before the OAIC, so timely and full co-operation in a CII is a good strategy.

How is an investigation concluded?

Most commonly, the investigation is closed and an investigation report issued, including findings as to whether there has been any interference with privacy. Since the 2014 amendments, the Commissioner can accept enforceable undertakings by the entity to put in place agreed remediation actions, and these seem to be becoming more common. The sorts of actions included in enforceable undertakings to conclude an investigation might include:

• Engaging a qualified third party to review the organisation’s handling of personal information and implement any subsequent recommendations.
• Implementing improved information security, in accordance with an acceptable information security standard, as certified by a reputable third party.
• Implementing privacy training for staff.
• Offering to reimburse the cost of a 12-month credit monitoring alert service for any individuals whose personal information was disclosed in the incident.

Offering an enforceable undertaking may often be the most pragmatic way to finalise a CII, particularly where it is clear you’ve failed to implement appropriate security controls. It should assist in bringing a timely and mutually agreeable conclusion to the investigation. If you cannot reach an agreement with the OAIC on the outcome of the investigation, the Commissioner may make a Determination. In issuing a Determination, the OAIC has wide powers and, for example, may order that the organisation cease doing a specific activity, pay compensation, issue an apology or change the way it has been doing things.

What happens if you decide not to give notice of a data breach?

The definition of ‘eligible data breach’ sets a high trigger for notification. There may be circumstances in which you decide there is no eligible data breach, and thus no notification obligation, because it is unlikely that any individual will suffer serious harm. The OAIC can challenge that decision. The OAIC can also investigate where it becomes aware of a possible breach and there has been no notification. Again, this would be a CII, as it would not arise from a complaint being lodged by any individual, but from the OAIC forming a view that there may have been an interference with the privacy principles warranting investigation. The OAIC may couch the investigation in terms of compliance with the data notification provisions of the Act or APP 11 (the obligation to take reasonable steps to secure personal information). If you decide not to notify, you should think about the possibility of an investigation and retain records of the basis of your decision. It may also be prudent to seek legal advice, as some of the provisions in the Act are complex. It is worth remembering that legal advice may be privileged (and so not discoverable) in any subsequent legal proceedings. In the US, many internal data breach investigations are led by the in-house legal department, as part of the data breach response plan, which may extend legal professional privilege over all investigative and forensic reports.

Will my organisation be fined?

Unlike other jurisdictions (such as the UK), the OAIC cannot issue fines. An application must be made by the OAIC to the Federal Court for the imposition of a civil penalty. The OAIC can make such an application only in the case of serious or repeated interferences with the privacy principles, or the data breach notification provisions. The Federal Court will determine the amount of the civil penalty, which could be up to $1.8 million in the case of corporations. Given the Commissioner’s light touch approach to enforcement of the data breach provisions, it seems unlikely that the OAIC would seek a civil penalty for a failure to notify or for circumstances relating to a notified data breach, unless there are particularly serious circumstances, for example a failure to notify in circumstances where notification would have given a large number of affected individuals a real opportunity to mitigate the damage from the breach.

Can my organisation be sued?

There is no individual right to sue for breach of the Privacy Act (including the data breach notification obligations in the Act). There is also some doubt about the existence of a right to sue for breach of privacy under Australian common law. Although there are indications that the courts may entertain a tortious claim of breach of privacy, it would be a change to the current law, and such a claim is not the sort of ground-breaking test case an average litigant would be keen (or wealthy enough) to take on. Suits could be brought based on negligence, such as an organisation’s failure to take reasonable steps to prevent a data breach. To date, no such actions have been brought in Australia, and establishing causation and proving loss may prove difficult.


Conclusion

As part of your data breach planning, do not expect the media to be nice. Think about how the press might report the incident and be prepared to address any negative spin. Remember, your data breach will get into the press, especially once you’ve given notice, and they like to beat up a good data breach story. If you decide to notify, consider what you’re going to tell the OAIC and provide enough information to reassure them that the breach has been stopped, that you’re looking after the people affected and that the breach won’t reoccur. If it’s clear that some failure in your systems has led to the breach, think about offering an enforceable undertaking. If you are involved in an investigation, be as co-operative and helpful as possible. Remember, the Commissioner does not want to punish organisations and, in the first instance at least, will look to educate and guide them to a better understanding of their obligations. Finally, it’s unlikely that you’ll be sued or that you’ll be fined, but that is no reason for complacency. Mitigation costs and reputational damage can still hit hard – just ask Sony, Target, Anthem and the Australian Bureau of Statistics.

Disclaimer

Ringrose Siganto publications and communications constitute commentary and are for general information only. They should not be relied upon as legal advice. Formal legal advice should be sought for specific issues concerning this material. Listed authors are not admitted to practice in all Australian States and Territories.

About the author

Dr Siganto is a partner in law firm Ringrose Siganto, and a highly experienced ex in-house legal counsel. She is an information security and privacy expert and a long-time specialist in information security training. Dr Siganto has been sought out by government departments, international corporations and Australian businesses to advise them on a range of privacy and security issues, including conducting privacy compliance reviews, impact assessments and reviewing technology contracts of all types. In addition to her other work, Dr Siganto pursues research projects into cyber security issues, particularly around the human aspects of information security, and regularly talks on issues such as data breach notification, information security practice and cyber security skills.


Mandatory data breach reporting: What you need to start doing right now

By Wayne Tufek

Earlier this year, the Federal Government passed new rules on mandatory breach notification into Australian law. Commencing February 22nd, 2018, many Australian businesses and organisations will no longer be able to remain silent if there is a data breach. The rules are aimed at directing entities to become active in protecting the personal information they hold on behalf of their clients and customers, implementing effective data breach response plans and taking appropriate steps to protect individuals whose information has been lost, stolen or compromised. How can you determine if it’s something that applies to your organisation and what can you do about it? Let’s look at the new rules and how they should be interpreted.

An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf. In February of this year, the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals.

Does the Privacy Act apply to my organisation?

Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act, subject to some exceptions. The Privacy Act also covers small businesses with a turnover of $3 million or less under the following circumstances:

• Private sector health service providers. Organisations providing a health service include:
  - traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
  - complementary therapists, such as naturopaths and chiropractors
  - gyms and weight loss clinics
• Child care centres, private schools and private tertiary educational institutions.
• Businesses that sell or purchase personal information.
• Credit reporting bodies.

What are reasonable steps?

The reasonable steps entities should take to ensure the security of personal information will depend on the circumstances, including the following:

• The nature of the entity holding the personal information.
• The amount and sensitivity of the personal information held.
• The possible adverse consequences for an individual.
• The information handling practices of the entity holding the information.
• The practicability of implementing the security measure, including the time and cost involved.
• Whether a security measure is itself privacy invasive.

Reasonable steps would include:

• Performing Privacy Impact Assessments (PIAs).
• Implementing Privacy by Design principles.
• Performing information security risk assessments.
• Creating and maintaining a Privacy Policy.
• Having a comprehensive and up to date set of information security policies.
• Restricting physical and logical access to personal information on a "need-to-know" basis.
• Keeping your software up to date and current.
• Employing multi-factor authentication.
• Configuring your systems for security.
• Employing endpoint security software.
• Using security monitoring tools to detect breaches.
• Using network security tools.
• Conducting penetration testing exercises.
• Performing vulnerability assessments.
• Having a data breach response process.

'Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018.'

'Your plan should be updated and then tested to make sure that it is effective...'

What is mandatory data breach notification? Mandatory data breach notification is a legal requirement designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage. Notifying affected individuals is good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness. The mandatory data breach notification scheme being introduced will require entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach".

22 | Australian Cyber Security Magazine

When has an eligible data breach occurred?
An eligible data breach occurs when:
• there has been unauthorised access to, or disclosure of, personal information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals because of the access or disclosure; or
• personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of, the information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.
Examples of a data breach include, but are not limited to:
• loss of a computer or data storage device containing personal information;
• unauthorised access to personal information because of a hacking attack;
• employees or contractors accessing or disclosing personal information outside the bounds of their employment;
• emailing, sending or simply providing personal information to the wrong people.

What constitutes serious harm?
Serious harm, in this context, could include serious physical, psychological, emotional, economic or financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach. In assessing the level of harm, an organisation needs to consider the nature and sensitivity of the personal information, whether the information is protected by some type of security measure (e.g. encryption), who has obtained or accessed, or could obtain or access, the information, and the nature of the harm to affected individuals.

What does notification entail?
In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The notification statement must include:
• the identity and contact details of the entity;
• a description of the data breach;
• the kinds of information concerned;
• recommendations about the steps that individuals should take in response to the data breach.
Notification must occur as soon as practicable after the statement is prepared and may be made using the method the entity normally uses to communicate with the individuals. Depending on the situation, other methods of notification are permissible: for example, if an entity is unable to notify each affected individual, publishing the statement on the entity's website (if it has one) and taking reasonable steps to publicise it would be satisfactory.



What if I'm not sure whether an eligible breach has occurred?
If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach, it must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the circumstances amount to an eligible data breach, and must take all reasonable steps to ensure that the assessment is completed within 30 days after it becomes aware of the suspected breach. In practice, if you believe a data breach may have occurred you must investigate to determine whether it is reportable, and that investigation must be completed within 30 days of becoming aware.

Are there any exceptions to the requirement to notify?
Yes. Where an entity has taken remedial action to address any potential harm to individuals arising from a data breach, before any serious harm is caused to the individuals to whom the information relates, the mandatory notification obligations will not apply. The key test is whether a reasonable person would conclude, because of the actions taken, that the access, disclosure or loss of information would not be likely to result in serious harm to any of the individuals to whom the personal information relates. This exemption demonstrates the value of early detection of data breaches and of well thought out response actions: an organisation's ability to detect a breach and act quickly to reduce the potential damage to individuals whose personal information has been disclosed or lost plays an important part in mitigating the harm such an incident can cause. Other exemptions are also listed in the Act.

Are there any penalties if I don't comply?
Yes. Failure to comply with the new regulations will be deemed an interference with the privacy of an individual for the purposes of the Privacy Act. This engages the Commissioner's existing powers to investigate, make determinations and provide remedies for non-compliance with the Privacy Act, including the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interference with privacy. Serious or repeated interference with the privacy of an individual attracts a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

What should I do?
Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018. We recommend you ensure that your data breach incident response process is updated to include steps to:
• Identify whether an eligible data breach has occurred.
• Investigate any suspected security incident to determine whether it amounts to an eligible data breach that must be reported.
• Assess the risk of serious harm to affected individuals if personal information is disclosed or lost.
• Notify affected individuals and the OAIC.
• Review contracts with third parties who hold personal information on behalf of your organisation and ensure that adequate contractual provisions are in place to manage compliance with the notification regime.
Your plan should be updated and then tested to make sure that it is effective, works as intended and that everybody who is part of the plan is aware of their roles and responsibilities. The introduction of the new legislation is a good opportunity to assess and measure your compliance with the Privacy Act provisions.

About the author
Wayne Tufek is currently a Director of CyberRisk (www.cyber-risk.com.au). For over 20 years he has formulated pragmatic, business-driven strategies to establish, execute and improve cyber risk management in ASX-listed companies and some of Australia's largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC, CISM, CISA and ISO/IEC 27001 Lead Implementer qualifications. He is frequently asked to present at security conferences and events in Australia and internationally, including the ACSC Conference, RSA APJ and CeBIT.




Helping Australia build a secure healthcare network
Strategies to help protect the healthcare industry from the cyber dangers lurking in healthcare.

By Zoheb Ainapore

The healthcare industry in Australia has been fortunate enough to avoid the limelight, considering the recent spike in cybersecurity incidents affecting other industries. A few high-profile incidents from recent years come to mind globally, such as the Anthem data breach, which potentially compromised the personal information of 78.8 million individuals [1], or the more recent WannaCry ransomware attack that wreaked havoc around the world and took out over 60 National Health Service (NHS) trusts in the UK, affecting more than 200,000 victims [2]. There are over 1,330 hospitals in Australia [3], providing hospitalisation facilities to over 10.6 million patients a year. That translates to an average of more than 29,000 patients requiring inpatient care every day. In addition to the private and public healthcare facilities, critical support networks such as Medicare play an important role in ensuring that patients receive appropriate healthcare on time. Healthcare in Australia centres on public hospitals, private hospitals and medical centres. These are supported by the publicly funded Medicare scheme, operated by the Department of Human Services. The recent cuts to Medicare and the Medicare Levy Surcharge have resulted in many individuals taking out private health insurance.


A targeted cybersecurity attack on the Australian healthcare sector could have catastrophic consequences, directly affecting the care provided to thousands of patients every day and, with it, their lives. Consider the headline reported in the media in August 2017: "Inside the New York hospital hackers took down for 6 weeks" [4]. Attackers took down the computer systems of the Erie County Medical Center trauma centre in the US for six weeks, forcing staff back to pen and paper until the systems were back online. The story is fact, not fiction, and Australia is only a step away from experiencing similar consequences. The cybersecurity risks that the Australian healthcare industry faces are not much different from those faced by institutions in other industries. To protect the healthcare industry from these risks, it helps to think about the various threats from an attacker's perspective.

What assets are we protecting?
Looking at it from an attacker's point of view, some of the consequences that an attack on the healthcare system could have are:
- Data breach of personal information.
- Unauthorised access to data or systems.
- Denial of service.
- Ransomware attack.
- IoT attacks.
- Regulatory risk.

The shifting perimeter

Recent trends in technology have resulted in healthcare data moving from local storage within healthcare facilities to cloud-based systems. Additionally, the emergence of IoT devices has punched holes in hospital networks, giving devices direct internet access while bypassing perimeter security controls. Tackling these new threats requires a different mindset that takes the heightened risk into account and implements appropriate security controls. In the following sections, we tackle each of the consequences listed above by expanding on the risks they raise and providing recommendations to address them.

Unauthorised access

Attackers leverage security misconfigurations and vulnerabilities to gain unauthorised access to healthcare networks and systems. A recent security vulnerability affecting pacemaker devices manufactured by Abbott led the US Food and Drug Administration (FDA) to alert patients to a voluntary recall of 465,000 pacemakers [5], because the devices could be reprogrammed by an attacker, potentially putting patient lives at risk. Exploitation of such vulnerabilities directly affects the lives of patients using the vulnerable medical devices. Dealing with these challenges requires a two-pronged approach: healthcare systems, networks and medical devices must be securely configured and patched on a regular basis, and vulnerabilities must be continually monitored, with vulnerability assessments carried out to raise alerts when new ones are found.

Personal information breaches

Data breaches of healthcare personally identifiable information (PII) result in attackers using that information to carry out further identity theft, fraud and other targeted attacks. Such breaches result from attackers exploiting security vulnerabilities to gain access to a healthcare network, combined with a lack of appropriate security monitoring and alerting. Centralised stores of healthcare PII are being targeted, with the government Medicare service and private health insurers prime targets. It is recommended that controls be put in place to continually monitor healthcare systems and networks for vulnerabilities, and that an effective vulnerability management program be implemented to prevent unauthorised access through exploitation of vulnerabilities and security misconfigurations. Sensitive data must be encrypted appropriately, so that even if a malicious individual gains unauthorised access to healthcare PII, the encrypted data is of no use to the attacker; note that this only holds if the decryption keys are not reachable from the compromised system or application. Where unauthorised access does take place, security monitoring and alerting must be in place to notify defenders of that access, or of attempts to gain it. Canary tokens (decoy credentials, documents or hostnames that no legitimate user or process has any reason to touch) provide an effective method of detecting unauthorised access within an internal network.
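As an added illustration of the canary-token approach (this is example code written for this edit, not code from the article or from any product), the following Python scans syslog-style log lines for any reference to planted decoys: a decoy account name, a decoy export file and a decoy internal hostname. The decoy values, host names and log lines are all constructed for the example. Because nothing legitimate should ever reference a decoy, every hit is treated as a high-confidence alert, and grouping hits by source address points at the machine doing the probing.

```python
"""Canary-token detection over constructed log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical decoys planted by the defender. The values are assumptions
# for this example; a real deployment generates unique, unguessable names
# and records where each one was planted.
CANARY_ACCOUNTS = {"svc_radiology_backup"}                       # decoy credential
CANARY_FILES = {"/srv/records/exports/patients_2016_full.csv"}   # decoy document
CANARY_HOSTS = {"billing-archive-01.internal.example"}           # decoy DNS name

# Assumed syslog-like format: "<timestamp> <logging host> <program>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+): (?P<msg>.*)$")
# Client address as most daemons write it: "... from 10.20.4.17 ..."
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Alert:
    ts: str
    logging_host: str
    kind: str     # "credential", "file" or "dns"
    token: str    # which canary was touched
    source: str   # client address that touched it, or "unknown"
    message: str


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per canary reference found in the log lines."""
    alerts: List[Alert] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, host, msg = m["ts"], m["host"], m["msg"]
        src_m = SRC_RE.search(msg)
        src = src_m.group(1) if src_m else "unknown"
        # Account names are matched as whole words so that a similar real
        # name (e.g. "svc_radiology_backup2") is not mistaken for the decoy;
        # paths and hostnames are matched literally.
        for acct in CANARY_ACCOUNTS:
            if re.search(rf"\b{re.escape(acct)}\b", msg):
                alerts.append(Alert(ts, host, "credential", acct, src, msg))
        for path in CANARY_FILES:
            if path in msg:
                alerts.append(Alert(ts, host, "file", path, src, msg))
        for name in CANARY_HOSTS:
            if name in msg.lower():
                alerts.append(Alert(ts, host, "dns", name, src, msg))
    return alerts


def by_source(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group the kinds of canary touched by each source address."""
    grouped: Dict[str, List[str]] = {}
    for a in alerts:
        grouped.setdefault(a.source, []).append(a.kind)
    return grouped


# Constructed sample log lines (not real traffic). One workstation,
# 10.20.4.17, tries the decoy credential, reads the decoy export and
# resolves the decoy hostname; the remaining activity is benign.
SAMPLE_LOGS = [
    "2017-09-12T02:14:03Z ws-042 sshd: Accepted password for nurse.jlee from 10.20.4.17 port 51022",
    "2017-09-12T02:14:09Z dc-01 winlogon: Logon failure for svc_radiology_backup from 10.20.4.17 (bad password)",
    "2017-09-12T02:15:41Z fs-01 smbd: read /srv/records/exports/patients_2016_full.csv by nurse.jlee from 10.20.4.17",
    "2017-09-12T02:16:02Z dns-01 named: query billing-archive-01.internal.example IN A from 10.20.4.17",
    "2017-09-12T02:16:30Z fs-01 smbd: read /srv/records/exports/patients_2017_q3.csv by dr.ahmed from 10.20.7.3",
    "not a log line at all",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for a in hits:
        print(f"CANARY {a.kind:<10} {a.token} touched from {a.source} ({a.ts} via {a.logging_host})")
    print("by source:", by_source(hits))
```

The design point is that the rule needs no baseline or tuning: the decoys exist only to be touched, so a single hit is actionable. What makes the scheme effective in practice is planting decoys where an intruder would look (a service account listed in a directory, an export file in a records share, a hostname in an internal DNS zone) and keeping the list of planted values out of reach of the systems being monitored.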




Apart from the clinical trials and tests that medical devices undergo as part of their release into the general market, government regulations must be enacted to ensure that all such devices undergo a process of stringent security assessments.

Denial of service
Attackers can cause a denial of service to stop authorised healthcare users from using health services. Healthcare systems and networks must be designed and architected for high availability and for resilience against distributed denial of service (DDoS) attacks. Critical internet-facing healthcare services must implement appropriate DDoS protection.

Ransomware attacks
With the recent increase in ransomware attacks affecting multiple industries, it is imperative to ensure that if a ransomware attack eventuates, hospital systems are not crippled and can be quickly recovered. Ransomware typically encrypts the victim's data and holds it to ransom, offering to decrypt it only if payment is made. Appropriate security incident management processes must be in place and followed in the event of a ransomware attack. Affected devices must be segregated and disconnected from the rest of the network. Backups of all data must be kept on dedicated data stores that are not directly reachable from the client devices they protect, so that the ransomware cannot encrypt the backups as well, and restores should be tested regularly. Application whitelisting and advanced endpoint security platforms can be implemented to prevent the execution of malware and proactively detect abnormal behaviour.

IoT attacks
The threat that IoT attacks pose to the healthcare sector is three-fold. Many medical and IoT devices carry security misconfigurations and vulnerabilities and are connected to healthcare networks. First, this allows malicious individuals to gain unauthorised access to, or take over, the devices themselves. Second, attackers can use a compromised device as a pivot to gain unauthorised access to the networks it is connected to. Third, an attacker who has taken over such devices can enrol them in a larger botnet used to launch distributed denial of service (DDoS) attacks on other targets. The remediation is to ensure that IoT devices are regularly patched and securely configured, and to connect them only to a segregated network that has no route into the corporate healthcare network.

Regulatory risks
Healthcare organisations face increasing regulatory compliance obligations and possible penalties if the confidentiality of healthcare data is breached and the data was not properly secured. Healthcare organisations in the US are bound by the Health Insurance Portability and Accountability Act (HIPAA), and Australian healthcare institutions must assess the regulatory compliance requirements that affect them, such as the Australian Privacy Act 1988. It is recommended that healthcare organisations understand the regulatory and privacy requirements they need to meet, ensure that they comply with them and, where appropriate, obtain certification against the relevant standards.

Conclusion
Given the pace at which attacks are targeting the healthcare sector across the world, it is only a matter of time before attackers choose to focus their efforts on a targeted attack against Australian healthcare networks. It is important for healthcare institutions and cybersecurity organisations to work together to proactively address the risks that affect the healthcare enterprises of today.


TECHNOLOGY DISTRIBUTION

5 STEPS TO DETECT AND REDUCE THE RISK OF UNAUTHORIZED, UNAPPROVED OR MALICIOUS USE OF A COMPANY'S RESOURCES AND ASSETS

Organizations are continuously trying to secure and protect their businesses against cyber-attacks that disrupt the business, causing data loss, data poisoning, service disruption, ransomware or financial fraud. Insider threats and privilege abuse have been a major risk to governments and organizations around the world for many years. High-profile examples are numerous: Nick Leeson and the collapse of Barings Bank, Jeffrey Skilling, the former Enron President, and the more recent intelligence leaks from Bradley Manning and Edward Snowden that disclosed sensitive information damaging to the security and reputation of the United States. These are reminders of how powerful and impactful a trusted insider can become: with elevated privileges they are able to leak sensitive data undetected, including sales projections, customer data or intellectual property. In some cases, employees who have left the organization still have active credentials, often for months after walking out the door. For a disgruntled employee, it is then easy to return to cause significant financial damage or steal confidential information. Privileged accounts are some of the most sensitive accounts within an organization and are sometimes referred to as "the keys to the kingdom": they unlock access to move around a company's networks and systems and to reach confidential and sensitive data.

DON'T LET YOUR ORGANIZATION BECOME A VICTIM OF INSIDER THREATS AND PRIVILEGE ABUSE

STEP 1: Educate employees on the risks and responsibilities of Privileged Accounts

Provide cybersecurity awareness training to those who will be using, and are accountable for, privileged accounts. Your training should emphasize the critical importance of privileged account security and include IT security policies specific to your organization. Make sure you get buy-in and support from your executive team by educating them as well.

STEP 2: Proactively discover Privileged Accounts and monitor for discrepancies and changes

You need a process and automated tools to continuously identify new privileged accounts and account changes made in your network. It’s the only practical way to maintain the visibility and control necessary to protect your critical information assets.

STEP 3: Do NOT allow direct sharing of Privileged Accounts; privileged access should be assigned and delegated with expirations and with limitations on disclosure

Don’t allow privileged accounts to be directly shared. Shared credentials among IT administrators make it very easy for privileges to be abused to escalate permissions and gain further access to sensitive information. Privileged account access should be limited by time, scope of permissions, and approvals needed.

STEP 4: Monitor and record sessions for privileged account activity involving sensitive data or systems

This helps enforce proper behavior and avoid mistakes by employees and other IT users because they know their activities are being monitored. Recorded sessions are also invaluable when discovering the cause of a breach after it’s been detected.

STEP 5: Audit all activity of Privileged Accounts

Auditing of privileged accounts gives you cybersecurity metrics that provide executives, such as the Chief Information Security Officer (CISO), with vital information to make more informed business decisions. The combination of auditing and analytics can be a powerful tool for reducing the risk of your privileged accounts being abused.

sales@thycotic.com | +1-202-802-9399 | www.thycotic.com

emt Distribution is an Australian security software distributor focused on addressing the top cyber threat mitigation strategies. emt Distribution can be contacted on +61 8 8273 3030



Cybersecurity McCarthyism, collaboration & home brands

By Guillaume Noé

The US government is lashing out at Kaspersky Lab over concerns that the cybersecurity company would willingly collaborate with foreign government entities in a way that would pose a serious threat to the US. The case begs key questions about building trust in cybersecurity companies, enabling effective global collaboration and fostering further local innovation.

How well do we trust cybersecurity companies?

Our businesses and the organisations we work for are very likely to be facing cyber-attacks. The subject presents a very serious global risk. Individuals and organisations rely on a flourishing cybersecurity industry to better manage that risk with technologies and services. The Cybersecurity Ventures market research group predicts that global spending on cybersecurity products and services will exceed US$1 trillion cumulatively from 2017 to 2021. This is big business. The group also tracks a large number of cybersecurity companies and maintains a list of the 500 hottest and most innovative in the world. It is already a big list for only a part of the industry. Such companies range from large multinational corporations to small, local and specialised businesses. The cybersecurity industry is very competitive. Organisations typically subscribe to a variety of cybersecurity companies, which they select on criteria including technical and non-technical items and, importantly, trust. Trust is a big deal with cybersecurity companies. Businesses place some serious trust in the cybersecurity companies they rely upon to protect valuable information and processes. They trust the security controls they buy to be effective and efficient. They also trust that the cybersecurity companies will not take or lose their data or be any threat to their business, whether directly or indirectly through third parties, including foreign state government entities. Ponemon's 2016 Data Risk in the Third-Party Ecosystem research reveals key findings on how most organisations fail to efficiently manage data risk with third parties (including cybersecurity companies). For example:
• 49% of organisations confirm they experienced a data breach caused by one of their vendors;
• 55% rely upon the third party to notify their organisation when their data is shared with other parties;
• 58% say they are not able to determine whether vendors' safeguards and security policies are sufficient to prevent a data breach.

We may want to trust cybersecurity companies as much as we trust our banks, but it is not that easy. Cybersecurity technologies can be quite intrusive and privy to our data. They can also be hacked themselves (RSA, Hacking Team, Kaspersky, Bitdefender, LastPass, OneLogin, Cellebrite, etc.) and attract the unwanted attention of cyber-offensive government entities.

Kaspersky Lab vs US Government
Kaspersky Lab is a renowned cybersecurity company which specialises in technologies for consumers and organisations. It recently ranked fourth in a global ranking of antivirus vendors by revenue. It is the third largest vendor of consumer IT security software worldwide and the fifth largest vendor of enterprise endpoint protection. Kaspersky has about 400 million users and has the largest market share of cybersecurity software vendors in Europe. It provides services to organisations in both public and private sectors, including US and Australian federal government entities. It makes more than 85% of its revenue internationally. Kaspersky benefits from the trust of many individuals and organisations to run its software. It is also the only company listed in the Cybersecurity Ventures top 500 that originates from Russia. The US government has recently revised its position towards Kaspersky and the case has quickly turned into a media frenzy of suspicions and allegations worthy of McCarthyism. In May, the US Senate Intelligence Committee raised an "important national security issue" over suspected links between Kaspersky and the Russian government that could threaten US infrastructure. It urged the intelligence community to address potential risks posed by the company's powerful market position. The FBI was reported to be running a counterintelligence investigation into the nature of Kaspersky's relationship with the Russian government, and reportedly interviewed some Kaspersky employees working in the US in relation to the suspicion. In July, the US government removed Kaspersky products from the US General Services Administration (GSA)'s list of approved vendors for contracts that cover information technology services and digital photographic equipment. While US government entities can currently still buy Kaspersky's products, they can only do so outside of the GSA process.
Allegations were made that the company has been working closely with the FSB, a Russian intelligence agency. According to a report from Bloomberg Businessweek, Kaspersky would have developed security technologies for the FSB and assisted in cybersecurity initiatives, including sensitive "active countermeasures". Some key Kaspersky staff have also been reported to be former KGB officers. A US congressional committee reportedly raised a warning of possible "nefarious activities against the United States" and requested 22 government agencies to provide all documents and communications with Kaspersky since 2013, including any internal risk assessments and lists of any systems, contractors and sub-contractors using Kaspersky products. In September, some reports suggested the US Senate was looking to mandate a full, government-wide ban on the use of all Kaspersky products. ABC News quoted a US senator as saying, "The strong ties between Kaspersky Lab and the Kremlin are very alarming and well-documented. While much of this information is classified, there is ample publicly available information to justify Congress passing my amendment to ban the use of Kaspersky across the federal government" and "Using Kaspersky software on federal computers is a national security vulnerability and invites further Russian cyber intrusion". The FBI is also reported to be actively advising US private sector companies, in private briefings, against the use of Kaspersky software over the concern of a threat to the US. Rob Joyce, the Trump administration's cybersecurity coordinator, also advised the public not to use Kaspersky's products. Kaspersky's integrity and trustworthiness is a business-critical asset that is currently being heavily tested by the US government and scrutinised in the media. Some of its competition is also trying to exploit the situation. Bitdefender, a competitor to Kaspersky originating from Romania, recently launched an opportunistic marketing campaign built on "Restore your confidence in security solutions" and "Concerned about renewing Kaspersky? – Call here to replace Kaspersky with no increase in cost", overlaid on a picture of a Trojan horse and a help desk operator ready to take cybersecurity vendor distrust away. At the time of writing this article, no evidence of any wrongdoing by Kaspersky has been publicly produced.
The suspicions could eventually be substantiated, but the cybersecurity company could also be a victim, caught amid a geopolitical rift between the US and Russia at a time reminiscent of the Cold War. Kaspersky has publicly responded to the allegations with the intent of clearing the doubt over its trustworthiness. It has offered to disclose its products' source code to the US government as a sign of transparency. It also seems to run business as usual despite the campaign of McCarthyism against it. However questionable the approaches of the US government and Bitdefender towards Kaspersky may be, there is some merit in calling the bluff on the trust we place in all cybersecurity companies.

How to build trust in cybersecurity companies?
The basic answer to the question is to perform due diligence on the cybersecurity companies considered, as we would for any other third party, and to perform due diligence on the systems, solutions and services we consider acquiring from them, on a case-by-case basis. The suggested due diligence processes typically involve:
1. An initial risk assessment.
2. The implementation of third-party risk management security controls.
3. An ongoing governance and risk management process.
There is a range of guidance and resources available, such as ISO 27001/27002, NIST (e.g. SP 800-161), Google's Vendor Security Assessment Questionnaire (VSAQ) and many others. Organisations may conduct the risk assessment themselves or with the assistance of trusted cybersecurity advisors. Lists of government-evaluated cybersecurity vendors and products are available to make due diligence easier. For example, the Australian government publishes the Evaluated Products List (EPL), which is maintained for government agencies and is publicly available for anybody to consult. It includes cybersecurity companies and products which should be good enough to use with confidence in most private sector organisations as well. However, the EPL is far from comprehensive: it does not include all trustworthy vendors and products, and it does not replace a due diligence process. Organisations with a high level of maturity in risk management, and reputable Managed Security Services Providers, are typically well equipped with cybersecurity resources and invest in their own rigorous supplier risk assessments and product certification processes. Less resourceful organisations can struggle to conduct their own meaningful assessments. A minimum level of due diligence is still advisable, in addition to sourcing advice from trusted independent parties and procuring products and services through reputable cybersecurity providers and resellers. Most organisations would be hopeless in effectively assessing, on their own, the kind of risk allegedly in question with Kaspersky in the US. For such risks, we can only rely on the advice of the government and the collaborative input of the wider cybersecurity community.

Collaboration
What to think of foreign cybersecurity companies entertaining business relationships with their own governments or employing former intelligence and military personnel? It seems to be a problem for the US government looking at Kaspersky. What should the rest of the world then think of US cybersecurity companies, such as Symantec, FireEye/Mandiant and CrowdStrike, just to name a few? Should they be distrusted and banned in other countries, such as Australia? The precedent created by the case of Kaspersky vs the US government raises a critical issue of international trust and collaboration across the cybersecurity industry. The international collaboration of governments and cybersecurity companies has proven to be very effective in dealing with large-scale cyber-attacks. I like McAfee's slogan of "Stronger Together". Some refer to cybersecurity as a "Team Sport", which I like to see as a global collaborative team sport and not a competitive one. Constraining effective global cybersecurity collaboration, by banning cybersecurity vendors over geopolitical sensitivity, for example, will not benefit anybody. We may need to think differently about the global cybersecurity industry and how we manage a much needed effective collaboration. The following principles may help:
• Transparency, from cybersecurity companies and the government. Kaspersky's offer to share its source code with the US government is an interesting proposition. Government should also be more forthcoming with any factual risk assessment relating to technologies and avoid debatable allegations assimilated with geopolitical issues. Further uptake of open-source technologies could also be beneficial.
• Benchmarking, from independent parties and moderated open communities. Many analysts provide elements of vendor comparison (e.g. quadrants), but they fall short of addressing the core issue of trust, in my opinion. A good example would be the comparison of VPN service providers on thatoneprivacysite.net, albeit not from an independent or moderated community.
• Regulation, where further government industry regulation would be beneficial.

Home Brands

Scott Handsaker, the CEO of CyRise, an Australian cybersecurity start-up accelerator, shared in a recent roadshow his observation on the local uptake of Australian cybersecurity technologies. Australian cybersecurity start-ups would find it easier to sell their products in the US, to large and very security-demanding organisations, than at home to smaller organisations. He also suggested that unless things change, many Australian cybersecurity start-ups may be forced to head to the US or other places to grow their businesses. The Australian market would appear to be dubious towards local cybersecurity innovation. This is quite interesting and perhaps counter-intuitive, because we could expect local sensitive technologies to be trusted more than foreign ones. We have fantastic cybersecurity innovation potential down under; Bugcrowd and UpGuard are some great examples of it. We would all benefit from better cybersecurity by investing further trust and interest in home cybersecurity brands, which would in turn foster even further local innovation.

About the author

Gui is a Cyber Security Advisor who delivers business-focused Cyber Security and Technology services. He is passionate about the issues of Security & Privacy, and the process to address them in both business and personal contexts. As the General Manager for Pirean in Australia & New Zealand, Gui leads Pirean's business development in the region with Identity and Access Management technology and services. LinkedIn: https://au.linkedin.com/in/guinoe Blog: guinoe.com



Know Your Enemy PART II

By David Stafford-Gaffney

In the last issue we delved into the world of Business Process Compromises (BPCs) and demonstrated how the attacks work, based on the case of the driven, yet naive business owner, Steve, and the driven and successful attacker, Joanne. The point we made was that both seek success, both are driven and both operate businesses, and most importantly, both follow processes. This is the key, this is our light bulb moment, this is where we seek to gain the upper hand in developing defences. To recap, a BPC occurs when an attacker makes subtle, unnoticeable changes to business processes to gain an advantage. We reviewed the case of the attackers in Antwerp making subtle changes to the location of containers at a dock, in order to make the containers carrying drugs easier to access. Remember, they needed other attack vectors also in place to complete the heist, including dropping physical USB key loggers. The company being attacked wasn't massive; it just happened to offer the attackers what they needed. That attack took two years to be successful. As a result, response plans need to consider the long game too and be appropriately measured. We need to understand the risks these organisations pose to our own, as this provides a far broader understanding of how attacks work, and appropriate mitigation strategies, aimed at various points in the attack process, can be targeted at more than just the perimeter. Once you've mapped the attack surface, you then need to find an appropriate way to communicate what has been done to customers, staff and the executive board. Every stakeholder needs confidence in the business's ability to mitigate risks appropriately and improve the security posture of the organisation.

Back to the Story…

Like Steve, Joanne follows a tried and proven process known as the Cyber Kill Chain® (Lockheed Martin, http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html), introduced in Part 1. The kill chain allows us to build defence in depth into our organisation. Prevention, as a tactical objective, should have a place in your security arsenal and cyber defence plans; however, the kill chain shows us that we need more. We should ensure appropriate levels of logging and confirm detection mechanisms are deployed. Furthermore, we need to prevent attackers from going undetected within our networks, buying us time to respond. Then, if we get to the stage of responding, our response plan needs to be swift and ruthless. The trouble is, security isn't easy. It's a process, not an absolute. Some organisations have large security teams that manage infrastructure, while others rely on information risk managers to handle all their security concerns. Very few have it all and many have nothing at all, relying, at best, on the IT team to keep them safe. None of these approaches are necessarily wrong, if that is what your organisation requires. I know that sounds generic and possibly trite, but I can't tell you what you need for your organisation; at least not without understanding what you want to achieve. Security must underpin and support the objectives of your business and align to your strategy. It must be driven from the top and, while it can be delegated as a function in your organisation's structure, it must be part of every support function and service provided. You're not alone if you don't know where to start. Best practice and standards like ISO 27001 say to start with a risk assessment, yet this is not easy and requires maturity in several key business capabilities. So, another approach would be as follows:

1. Identify your critical information.
2. Review who (the actors) might be after your information.
3. Understand how it is protected.
4. Understand how you respond in the event of an incident.

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." – Sun Tzu, The Art of War

Identify your critical information

You want a documented list of information that is critical to the business. It's not always an easy process, so my advice is to ask a few questions:

1. What are my business-critical information and services?
2. Where are they located?
3. Who has access to them?

Next, engage the rest of the organisation to gain more insight into your answers, as business-critical information could reside with the HR team or the finance team, the production and manufacturing group, or with your sales team. Be prepared for incomplete answers, as this is expected, then help them get to the most complete answer they can. This is not an easy process, but make sure you document everything you uncover, as this will form an important baseline moving forward. Your focus should be on ensuring that critical information is afforded the necessary protection, based on its sensitivity.

Review who (the actors) might be after your information

We refer to this as a threat assessment, and it's important in identifying the types of people or organisations that stand to benefit from stealing or changing your information, or making it unavailable. More importantly, it helps you understand the capability of any given threat actor, which is essential in determining whether you feel the current security controls are sufficient. Start with a workshop where you identify the types of people or organisations that might attack you, then rate them in terms of their:

• Capability – technical nous, access to financing, outsourcing possibilities, etc.
• Motivation – why are they attacking you? What have they to gain?

Your (documented) threat assessment might look like Table 1 (based on a 5 x 5 threat assessment matrix). Consider all contractors you engage with, auditors, state-sponsored hackers, religiously motivated groups and, of course, students. This is just an excerpt of an example, and it's important to note that motivations may change depending on the organisation carrying out the threat assessment. Organised crime is far more motivated to manipulate container drops or electronic funds transfers than it is to manipulate the daily schedule of a fencing contractor.

Table 1: Threat assessment table

Threat                               | Capability  | Motivation  | Threat level
Organised crime                      | Formidable  | Focused     | Critical
General Hacker                       | Significant | Committed   | Severe
IT contractor                        | Significant | Interested  | Substantial
Ideological organization (political) | Limited     | Interested  | Moderate
Guests                               | Little      | Interested  | Low
Acts of God                          | Formidable  | Indifferent | Very low

Understand how it is protected

This phase of the risk assessment shifts focus to your technology solutions and how sensitive information is protected. Bring in subject matter experts (SMEs), as they know the systems better than anyone, and explain your plans. Ask them how they would attack the systems they manage, and explain why you're asking. Bring them on the journey with you, so that everyone is aware of the improvements that are needed and is helping to patch over the vulnerabilities. Explain that this is not about blame; rather, it's about taking control and establishing some sensible security principles:

People – Process – Technology

• Is access to the information or system audited or logged?
• How is access authorised? How are users authenticated?
• Are there procedures or work instructions for activities that are associated with your information systems security?
• Are daily checks completed, and is there proof?
• What technology protects business systems and sensitive information?
• Is your technology patched and free of vulnerabilities? Does it have vendor support (if it doesn't, it won't get any security patches)?

Ask lots of questions and seek evidence. Don't just ask how; ask to see what. However, don't be alarmed, as you don't want knee-jerk reactions that simply Band-Aid the issue – treat this like business strategy; it needs to be given the same energy and consideration.

Understand how you respond in the event of an incident

Ask how they know if an incident has occurred. What sort of events do they collect? What do they do when an incident occurs? Do they have a suitable response plan? Ask to see it, and ask for examples of incidents that have occurred and been investigated. Look at running sheets, evidence, forensic artefacts and knowledge-base items, and remember they may feel threatened, so help them understand the objectives of the exercise. You want to uplift the security response plan to ensure all their jobs are protected, not persecute them for being remiss. By the end of this exercise you will have a better understanding of where your crown jewels are and how they are protected. You will also know how you respond to an attack. The picture might look bleak, or it may look ok; however it looks today, it can always be improved tomorrow. Now you know what your baseline is, you can at least start planning those improvements. Based on what you have uncovered, do you think your protections are adequate? If not, you can now start raising risks that relate the loss of information confidentiality, system availability and information integrity to the controls you have in place. The IT department will likely jump at the opportunity to remediate these issues and introduce better controls, as they might even get some shiny new technology to play with. If this sounds too much for you to handle, consider engaging a security consultant to assist, since this is the process they will use. The "big four" audit companies offer high-level services that help you understand your security exposure and can be a reasonable place to start, if you have the budget. But prepare yourself for lots of failures in their audit report, and learn to love these reports rather than see them as your enemy. There are smaller firms with exceptional capabilities to provide a similar service, so cast the net wide and don't buy the brand; buy the right consultant for your business. Professionals can help establish roadmaps for implementation and work with you to increase your security posture and overall maturity, within the budget and in line with your strategic business plans. Even look to your local security community or professional meetup and ask around.

In summary, organisations face threats every day. Some know about them and stand a fighting chance, if not to prevent them, most certainly to detect them and respond in a timely manner. However, those that don't will be compromised. It's that simple! If you're still not convinced, recall we offered a number of real examples of compromises that have occurred, and in one case, they spent 2 years planning the attack, 2 YEARS! Trust me, these people are motivated and have all the time in the world to get what they need. Your job is to make their life hard, by protecting your business's life blood with controls designed to fend off the specific threats that are coming after you: threats that take the form of organised crime syndicates, lone wolf rogue hackers, experimental, curious students and script kiddies, right through to accidental and malicious insiders (staff members). And keep in mind that this is no easy task; however, we've offered some simple steps you can take to attempt to prepare your organisation, and if external advice is needed, then at least you know your business in more depth and might even save some cash, as the first questions a consultant will ask are the ones we've covered in this series. My final advice is: all organisations face threats. Yes, the types differ and the motivations to attack your specific business differ, but they're there and you'd be mad to ignore them.

About the author

David Stafford-Gaffney is an information risk and security professional with over two decades in the ICT sector, in roles ranging from hands-on technical to operational management and business development. He has established two businesses from scratch and his strong business acumen enables him to understand acutely the need to align security with business requirements. He is passionate about leadership, information security and assurance, and improving the industry. David currently works as an Information Security Manager for Datacom.



Cyber Insurance: A Buyer’s Guide Part II

By Mark Luckin

Part 1 of Cyber Insurance: A Buyer's Guide (covered in Issue 2) gave us an introduction to the basics of cyber insurance. Part 2's intention is to delve deeper into some of the more important aspects of tailoring coverage to organisations, service team offerings and submissions to underwriters. We further look into policy response and its importance with respect to the upcoming mandatory breach notification laws.

Tailoring coverage and the limit of liability to organisations' associated risks and exposures

Whilst every organisation is exposed to cyber risk, the consequences vary across industry and business size. When considering implementing a cyber insurance policy as part of an overall cyber risk management strategy, organisations need to keep in mind the fact that the policy provides both first- and third-party protection as well as business interruption loss protection. Ultimately this translates into immediate and slow-burn costs and needs to be taken into account when considering the most appropriate limit of liability. Organisations should be encouraged to consider that, beyond the immediate investigation costs, notification costs (see Mandatory Breach Notification Laws), business interruption costs, fraud costs, extortion costs and remediation costs, there is potential for consequential third-party litigation expenses, regulatory fines and penalties, customer loss and loss of revenue ("slow-burn costs"). Estimating the potential costs to an organisation of a breach by only considering immediate costs could lead to a significantly inadequate limit of liability. If this approach is taken, an organisation may find itself with no protection available for associated slow-burn costs. A proper assessment of the full potential impact of a breach/unauthorised access should be undertaken.

With respect to coverage, whilst there are emerging structures that most cyber insurance policies adhere to, there are nuances in policy wordings that, if not addressed, could have a substantial impact on an organisation should a claim or potential claim occur. Two examples are outlined below:

• The definition of a computer system may vary between insurers to include only systems under the care, custody and control of the insured, or also those systems owned by outsourced providers that store data on behalf of an organisation. This may have a significant impact should a breach of personally identifiable information (PII) occur through the third party as, under Australian law, the organisation may still be liable for the breach despite the outsourcing. Organisations outsourcing storage of PII could potentially be uninsured should the correct policy wording not be selected.

• The Business Interruption (BI) Loss definition could also substantially impact an organisation, with some insurers offering gross profit protection only, and others offering – in addition to gross profit loss – "work around" costs (work around meaning power costs etc.). A junior mining explorer, for example, may not be making any profit and, without the addition of workaround costs within their policy, could be at a significant disadvantage when faced with a BI loss. Further, a BI definition may only provide BI loss protection until an organisation's system comes back online, as opposed to an alternative insurer, who may offer BI protection until an organisation returns to making a full profit.

The above two brief scenarios demonstrate the importance of a proper review of wordings and limits of liability against industry and business size. A healthcare-based organisation, for example, may have less concern around the business interruption loss component, as in example two, but would likely want to make certain that coverage for a breach of their data is afforded to them, including as a result of a breach by a third party. A consideration of "where may the risk come from?" is essential. Organisations also need to consider the future plans of the organisation, in a general business sense and an IT sense, and plan for this when considering cover and limits.

Submissions to underwriters

Traditional insurance risk is modelled on years of data from insurers, as well as national and industry data. There are no equivalent sources for cyber risk for the required modelling. Cyber risk is an evolving risk, with an equally evolving knowledge. Therefore, given such an immature market, the better the submission to an underwriter, the better the cover and premium.

When considering insuring the cyber risk of an organisation, potential underwriters compile a mass of information on their potential clients to determine their risk exposure. The more information businesses have and share, the more effectively insurers are going to be able to price the risk and tailor the appropriate cover. Organisations can dramatically improve their breadth of cover and premium by providing:

• An outline of implemented cyber and IT security practices.
This does not just apply to the IT team. Evidence of general staff training and their knowledge of cyber risk, as well as further evidence of continual review of practices, procedures and training, can significantly influence an underwriter's view on risk. The importance of organisational culture and understanding around this risk is commonly understated. The more clearly an organisation can demonstrate an acceptance of, and a desire to mitigate, this risk, the better the outcome in obtaining coverage at a reasonable price.

• Evidence of discussions held at C-suite or board level relating to cyber security risks.
Often also understated, an underwriter will strongly value evidence of discussions around cyber risk at a C-suite level. This shows an organisational desire to understand and mitigate this risk.

• Evidence of a tested business continuity plan (BCP) or data recovery plan (DRP) (in the event of a cyber incident).
By way of example, the Office of the Australian Information Commissioner (OAIC) recently released the results of its investigation into the Red Cross data breach that occurred in 2016 (https://www.oaic.gov.au/resources/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-australian-red-cross-blood-service.pdf). Simply, the Red Cross avoided a fine from the OAIC (but not enforceable undertakings) due to their response to the data breach. Implementing and testing a BCP/DRP can potentially reduce an organisation's exposure, and therefore an underwriter's exposure. This may encourage them to reduce their premium and broaden their business interruption cover.

• Results of third-party penetration testing and external/independent party review of cyber security/privacy practices.
Engaging independent parties to review an organisation's current security procedures and practices, and then implementing suggested changes, again brings confidence to an underwriter when assessing an organisation's risk profile. Such assessments give underwriters confidence beyond a self-completed proposal form.

• Provision of agreements with third-party (managed security) service providers and how these are maintained.
This is potentially a very large area of exposure for an underwriter, especially around slow-burn costs (i.e. third-party litigation). If data storage is outsourced, underwriters will want to know whether the third party is obliged to let their client know whether there has been a data breach. Contractual evidence to show reporting obligations again can reduce data breach cost and exposure to organisations and underwriters.

Ultimately, the more relevant information an underwriter can receive from an organisation, the better they can construct a bespoke, accurately priced cyber policy that covers an organisation's specific cyber risks. Finally, with respect to submissions to underwriters, organisations should consider the cost of cyber/IT risk mitigation and the potential reduction in premium this may bring. Conducting a review of an organisation's areas of risk, strengths and weaknesses around cyber security, and implementing changes, could significantly reduce a cyber insurance policy premium and assist in broadening cover. This should be a discussion held with a specialist cyber insurance broker.

Service team offerings (third parties)

As touched upon in Part 1, a common and unique aspect of cyber insurance policies is the combination within a policy of a (potential) promise to pay, coupled with a Crisis Management Service Team offering. These service teams are structured in a "panel offering" by insurers. This comprises a selected group of lawyers, IT specialists, media relations specialists and credit monitoring specialists, designed to assist an organisation from the moment a breach, or suspected breach, occurs within an organisation. Traditionally this Service Team is accessed through a dedicated 24/7 incident response "hotline". These hotlines can be monitored by loss adjusters, internal claims teams and even lawyers, depending on the insurance provider. As with wordings, service team offerings differ between insurers. Suitability of service teams also needs to be considered alongside limits of liability and alternative wordings. As per the above point made with respect to discrepancies in wordings, organisations will want to partner with the most suited service team. This again comes down to an assessment of the most likely area of exposure/concern to an organisation, i.e. business interruption loss or privacy breach. It is easy to use a healthcare organisation as an example again, in which the main area of concern/exposure may be a privacy breach. Such a healthcare organisation may want to consider a claims team where a lawyer – as opposed to a loss adjuster – is the first claims contact, given initial discussions with a lawyer will give an organisation legal privilege should a third-party claim develop. An alternative organisation whose main concern is business interruption loss (a factory or transport organisation, for example) is likely to be more suited to a loss adjuster being the first point of contact for a claim. It is also understandable that organisations may have alignments/partnerships with third-party cyber security providers. Certain underwriters will welcome consideration in placing such a provider on their crisis management service team for specific clients.

Mandatory Breach Notification laws

Having been on the government's agenda since 2015, many within the IT, security, legal and insurance arenas have seen this as a long time coming. Under the proposed laws, organisations subject to the Privacy Act 1988 (Cth) would be required to notify the OAIC and affected individuals should a serious data breach occur. Most businesses are subject to Privacy Act obligations, specifically those with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive data. This Bill increases the consequences of an already present and growing risk faced by all organisations, and in the event of a breach the affected company will face serious cost and reputation exposures. Significant pressure to protect personal and corporate data, as well as to maintain relationships and brand reputation, will be felt by companies regardless of the Privacy Amendment. Mandatory notifications, however, amplify potential damages given:

1. Notified data breaches become instant public news. Not only will the person affected potentially disclose such a breach in forums such as social media or web pages, but breaches will be reported in the mass media and recorded in perpetuity online.
2. Dedicated privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches.
3. Contractual counterparties will know about the breach and will be concerned about whether their confidential information has been exposed.
4. A potential increased risk from affected parties, or litigation funders on behalf of affected parties, conducting class actions resulting from a breach of data.

The Ponemon Institute indicates that without mandatory breach notification laws, companies face up to an 80% chance of losing nearly a quarter of their value in a single month following a significant breach crisis. These costs are only expected to increase once the above Bill comes into effect. The application of cyber insurance as an additional layer of protection, complementing the efforts of IT departments and other information security functions, is where the greatest value lies. This is particularly effective when the cost of additional information security controls does not reduce the risk enough to make the investment in such controls practical.

Conclusion

As the threat increases, so will the demand for cyber insurance. Discussion around the risk and potential insurance requires the whole of an organisation's input and assistance from a specialised cyber insurance broker, given:

- The assessment involved in determining a suitable limit of liability.
- The intricacies and associated suitability of various wordings.
- The detail involved in submissions to underwriters.
- The risk to organisations and directors and officers.
- Preferences to Crisis Management Service Team offerings; and
- Developments in legislation and the potential impact on directors, officers and the organisation as a whole.

In the next issue, we look at specific, yet hypothetical, scenarios and how a policy may or may not respond.


Cover Feature Cyber Security

Seeking diversity in cybersecurity

By Jackie Shervington

I am new to the cybersecurity industry, having joined my old eGroup colleague, Graeme Speak, almost a year ago after watching his UWA graduation ceremony on his innovative BankVault cybersecurity solution. The technology is sound, offering remote isolation, or a "virtual machine", for secure transactions such as banking. I was attracted by its simplicity and innovative approach to a big problem: endpoint security.

In unpacking the gender issue in cybersecurity I'd like to explore a couple of personal observations and propose that they are causing the gender diversity gap. Firstly, let me clarify how big the gender issue is. The "2017 Global Information Security Workforce Study: Women in Cybersecurity" reports that the cybersecurity industry is composed of only 11 percent women globally.

To my mind, the problem is bigger than gender diversity, and relates to a lack of diversity of skills within the industry. The cybersecurity industry places too much importance on narrow technical/forensic skills. It is this bias which is directly affecting true diversity within the industry – not only for women, but for men too. I propose we need to attract a broad array of skills for a healthy ecosystem. By doing so we will help to normalise the culture and ultimately provide a more attractive career path for non-male workers, technical and non-technical. Before I continue, I am not stereotyping that women can't do tech – of course they can. I'm just saying that the focus on, and elevated importance of, "tech" skills will not bode well for the effectiveness or level of innovation within the industry.

At a recent WITWA forum, I was delighted to hear that efforts to recruit beyond "skills" have proven successful. Adrianna Skok-Muir, Principal Mining Engineer with Iluka Resources, representing Women in Mining, spoke to how they have achieved diversity in a male-dominated industry tackling similarly low female participation rates, at only 12.9%. Diversity recruitment policies have delivered successful outcomes when looking beyond "skills" and actively recruiting for "attitude and aptitude". At the same forum Diana Adorno, an Experience Designer with Thoughtworks and Global Winner of the #TechDiversity Awards 2016, shared similar positive outcomes with recruiting beyond the "tech" resume. Both speakers stressed the importance of support, mentoring and education for these strategies to mitigate "imposter syndrome".

An opportune segue to share my personal story and my cybersecurity experience. In my 30-year marketing career across banking and technology I have always straddled the fintech realm. Think of me as a "marketing geek", but I'm no techy. My background is strong and proven, and yet I often feel like an imposter in this industry. I'm grateful Graeme extended the opportunity and patience to fast-track my cybersecurity knowledge to complement my market development skills. With my appointment, I am helping to boost the statistics, bringing gender, age and skill diversity to this industry.

Perhaps it is my lack of technical cybersecurity experience which inspired me to join BankVault. I don't have the history or attachment to the old methods of perimeter protection, such as anti-virus, but I rather enjoy the paradigm shift that the concept of "remote isolation" brings to cybersecurity. I knew from my banking experience that anything that could help deliver security for online banking was a worthy pursuit. Banks can't save customers from installing malware; they acknowledge traditionally recommended anti-virus software is ineffective. Both banks and customers need a secure environment that sidesteps hackers completely to ensure safe online banking. BankVault stops bank account takeovers.

When I tell friends I work in cybersecurity they usually respond with awe and immediately assume I am a tech guru. I find this ironic, in a space where over 90% of cybercrime relates to the "human factor". The key cybersecurity challenge is to educate those who don't care about the "tech" to respect and adopt good cybersecurity hygiene. The recent WannaCry and Petya ransomware attacks offer a highly visible example; both could have been avoided by simply ensuring that you had updated software. I have heard experts scoff at the "low-level tech" of such hacking incidents. Really? Do you think the cyber criminals care? The industry needs to avoid judging cyber risks by the quality of the tech.

My observation of the industry, admittedly only over the last 12 months, is of an overly cluttered landscape of vendors and consultants seeking the silver bullet. Unfortunately, recent incidents have suggested the real solutions are quite possibly boring and simple, and may involve a shift in thinking. To achieve such a shift in response to the cybercrime problem, I propose we have to break the emphasis on technical skills. Having a cybersecurity job doesn't necessarily mean you're a coder or a forensic specialist. Cybersecurity is an end-to-end business that requires people to do marketing, sales, communication, design, and a host of other things. Rewards will come if we extend our thinking. Looking beyond the "coding bootcamps" to recruiting people from culture and organisational change, perhaps an occupational health and safety expert or a psychologist might be better suited to cybersecurity challenges within an organisation. Only when we extend the reach of skills and experience will we enjoy an industry with rich diversity. And please, let's stop calling them "soft skills".

One standout female role model within the industry is Terry Roberts, global cyber intelligence expert. Her credentials are enormous and there is nothing "soft" about her, and yet her message is not technical – it focuses on the need to shift behaviour and explore the big-picture challenges faced within the industry. The secret to helping businesses advance their cybersecurity journey will be to create new language and new ways of thinking around the problems and solutions. The SANS Institute's John Pescatore interviewed boards of directors and the feedback was "CISOs are great on 'blood in the streets,' weak on strategy to avoid it." We need diversity to help solve these communication challenges.

It is true there are emerging "training consults" that offer much-needed solutions to the human factor. A worthy pursuit; I just worry it may create a them-and-us division. Ideally the two should come together – but then again, I also wish for a world where my doctor and naturopath could work together to help solve my health issues.

As many readers of this magazine will be CIOs and CISOs, I challenge you to look beyond adding technical skills to the team in your next hire, and bravely recruit for attitude and communication skills to complement your team. There is a good chance some of them will be women. As the saying goes, "from little things big things grow". Twenty years ago, as a female executive within BankWest, I represented the minority 5% in a leadership role. It is encouraging to see banks are now leaders in gender diversity, with almost 50% in leadership roles.

Vital to change is commitment and collaboration. Leadership, starting with you, best drives commitment. Collaboration is easy via networking groups such as WIT (Women in Technology) and AWSN (Australian Women in Security Network). Personally, these groups have provided me with a welcome mat and the confidence to grow. Hopefully, I can inspire others to join this space and be a part of a community seeking to make it safer online.

About the author

Jackie is Head of Partnerships and Growth for BankVault.com, a cybersecurity FinTech company which is a 2017 finalist for the WA Innovator of the Year. She was the CEO of Bonfire, a leading search marketing business (formerly ineedhits.com), and was also Head of Customer Development at BankWest. She held national direct marketing roles at Microsoft and Westpac and was recognised by her peers, winning the 1997 Australian Young Direct Marketer award. While enjoying time in the country with her young children she co-founded a regional WA newspaper, Northern Valleys News. She has been active in the tech start-up community, having co-founded eGroup, was a mentor at Vocus Upstart and currently serves on the advisory board of a local start-up, Storekat.


WA's capture the flag competition

By Aaron Doggett

On a chilly winter's night in Perth, a handful of our local security practitioners met to discuss how we might build a cyber security challenge (capture the flag competition) for WA. Most of the attendees have worked as members of Perth's booming security community for over a decade, and have all seen first-hand how brilliant talent is often forced to leave the state due to the lack of demand for their specialist skills. The intent of the competition is to do something radical to show off our local talent and showcase to industry that they should be clambering over each other to get access to it, rather than seeing it head over east or offshore. From the outset, the team agreed on the following key outcomes:
• Bring together like-minded people with an interest in cyber security to test and develop their skills against real-world cyber security challenges;
• Showcase this talent to local industry; and
• Uplift the profile of cyber security in WA, both locally and nationally.

As a group, we also wanted to demonstrate that our organisations, who often compete for local business, can collaborate to deliver something that benefits everyone. Perth's cyber security industry is quite unique, since we have an incredibly strong sense of community and desire to collaborate, even though we often compete for work. With cyber security collaboration a key theme being promoted across Australia (it's AISA's theme for this year's conferences), the timing could not be better. The group agreed that four local security consultancies would fund WACTF:
• Hivint;
• Asterisk Information Security;
• Kinetic IT; and
• Diamond Cyber.

Host One has agreed to host the challenge environment, and more than a dozen security practitioners from a variety of backgrounds (web development, forensics, cryptographic systems design, systems administration, penetration testing, etc.) will build the challenges. It was noted that many other CTF competitions end up with challenges that are far too theoretical – these have limited practical application – so the team agreed that we'd focus on challenges that are practical, have real-world application, and demonstrate experience in a domain that reflects the current security threats and issues facing Australian organisations. We wanted these challenges to reflect the current and perceived near-term demands of our diverse industry sectors, which is why we sought input from organisations around Perth to discover the kinds of skills they wanted to see on display.

With the event structure in place, the work of building challenges began in earnest. We rapidly assimilated the challenge framework, decided on the domains, then the volunteers got to work. We settled on four key challenges in each domain, where contestants would progress through levels of increasing difficulty, with more points being awarded for solving the harder challenges. This approach will ensure that contestants who have an interest in cyber security and a dedication to solving the problems can get points on the board, whilst those with more experience would be properly tested by the harder challenges.

WACTF is open to anyone with an interest in cyber security – the only caveat is that they should not be currently working in the field. High school, TAFE and university students are the primary focus, as with other challenges of this nature around Australia, but we're opening this up to anyone working in IT (or any other business) who has an interest in security and wants to have a crack at the challenges. Not only do we want to raise the profile of cyber security, we want to encourage more people to get involved in our vast and rapidly growing field. The skills shortage shows no sign of abating, so anything that helps encourage new blood into our community, as well as educates non-industry personnel on the need for investment in cyber security, can only be a positive move.

For all our ACSM readers in WA, we'd love to get your support, either as a participant, observer or industry supporter. This is 100% a WA initiative – built and executed locally in Perth. We've spent hundreds of volunteer hours building this to date, and we anticipate hundreds more before it's complete. It's a self-funded, grass-roots initiative, built to uplift cyber security in WA, and we want you involved.

WACTF will happen on the 2nd and 3rd of December 2017 at the University of Western Australia in Perth. The event is co-located with the first BSides conference Perth has hosted. Following WACTF, an awards and industry networking evening will be held on the 6th of December in Perth's CBD. WACTF is free to enter and both individuals and teams are welcome. However, eligibility to win a prize requires that you are not currently working in a cyber security job.

Input from local industry is encouraged, be it simply to come along as an observer or attend the awards ceremony and networking event, or, if you want to sponsor the event, we really need your support. Push your budding cyber talent to get involved – it's Perth's buoyant business community that will make this a success, so come along and help us make history. For more information and to register (either as a participant or as an attendee at the awards and networking evening) head to https://capture.tf or follow @capture_tf



The active directory botnet

By Ty Miller

Botnets and command and control servers (a.k.a. C&C or C2 servers) are pervasive on the internet and are rapidly becoming a new major threat. Recent industry research from Verizon highlights how control may be unwittingly handed to an attacker. The "Verizon 2017 Data Breach Investigations Report" reveals that "phishing remains a favourite technique of attackers" and "payloads are commonly delivered via email (73%) and drive-by downloads (13%)". The report continues: "if the attachment is opened, it will drop command and control malware to establish and maintain control of the device".

A life of their own

There are many ways in which botnets and C&C servers can become independently threatening. For instance, what happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? What damage could they achieve if they bypass our network controls, or if they began communicating internally, bypassing our security zones and firewalls? It makes you wonder what would happen if modern controls such as microsegmentation were all of a sudden useless. These nightmare scenarios are well on their way to becoming a reality.

The Active Directory Botnet attack concept arises from a fundamental flaw in the way nearly every organisation implements its Active Directory (AD) solution, which leaves a gaping hole in security and in the ability to contain security breaches. Let's say that your organisation has become the victim of a spear phishing attack and a range of your internal systems across multiple WAN sites around the world have been breached. Not only this, but some of your internet-exposed systems in your DMZ and Azure cloud environment have also been breached. This sounds bad, but luckily your security team have segmented all of these systems into security zones with firewalls and network filtering to contain the breaches.

Microsoft Active Directory is used by most organisations as their central authentication and identity management solution. Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices and wireless devices throughout your organisation can connect to an Active Directory Domain Controller for authentication purposes. That shared dependency is the hole: every security zone retains a path to a Domain Controller, and the Domain Controllers replicate to each other.

Identifying compromised machines

The Active Directory Botnet Client, or "Bot", is the backdoor installed on each of the compromised machines. It updates the currently logged-in user's standard Active Directory attributes, including registering with the internal Active Directory Botnet. Standard Active Directory accounts support over 50 user attributes, such as name, IP phone, postal address and info, which can be combined to create a covert communication channel between any compromised domain machines located throughout your organisation. These standard user attributes range in size from a small number of bytes through to one megabyte, which provides sufficient bandwidth for sending commands, receiving command output, and uploading or downloading files between the infected endpoints.

The Active Directory Botnet Client injects unique command and control data entries into its corresponding AD account attributes within the target Domain Controller, which then automatically synchronises the data across every Active Directory Domain Controller throughout the organisation. At this point, any Active Directory Botnet Client within the domain can identify compromised machines via its Domain Controller and begin issuing commands to be executed on any of the infected endpoints. When one of the Bots injects a command into its Domain Controller, every infected machine polls its Domain Controller. The corresponding infected endpoint then executes the command and begins tunnelling the command output back through its own AD attributes. These attributes are then collected by the originating Active Directory Botnet Client to complete the command execution.

Being able to send commands to any internal system, regardless of its security zone or location, is a great feature for an attacker. However, the Active Directory Botnet then takes things to the next level. Instead of only sending commands to any internal system, the Active Directory Botnet has an advanced feature that makes the source and destination networks appear to be the same, with no network filtering at all. This is achieved through a "socket" feature that transparently forwards and receives any TCP network traffic, through Active Directory, to any system within any of the infected network segments. This ultimately turns your securely segmented network into a single insecure flat network, allowing exploits to be sent to all systems located on any of the infected network segments. This socket feature also has the ability to connect back to an attacker on the internet, so they can gain remote control over this powerful internal Active Directory Botnet.
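To make the channel mechanics concrete, here is an added Python simulation, written for this edit and not taken from the researchers' tooling. It frames a payload into values small enough for a single user attribute, writes them one at a time into an in-memory stand-in for a Domain Controller, and has the polling peer reassemble them. The carrier attribute and its 1024-character limit are assumptions modelled on the AD schema's `info` attribute; the fake directory's change log stands in for what Directory Service Changes auditing would record.

```python
import base64
import math

# Assumptions for the simulation: one carrier attribute, limited to 1024
# characters as the AD schema does for 'info' (rangeUpper 1024).
CARRIER_ATTR = "info"
CARRIER_LIMIT = 1024
HEADER_FMT = "{:04d}/{:04d}:"              # fixed-width frame header: index/total
HEADER_LEN = len(HEADER_FMT.format(0, 0))  # 10 characters
BODY_LEN = CARRIER_LIMIT - HEADER_LEN      # base64 text carried per frame


class FakeDirectory:
    """Stand-in for a Domain Controller: an attribute store plus a change
    log recording every write (roughly what Event ID 5136 would capture)."""

    def __init__(self):
        self.objects = {}
        self.changes = []  # (account, attribute) per write

    def write(self, account, attr, value):
        if len(value) > CARRIER_LIMIT:
            raise ValueError("value exceeds the attribute's length limit")
        self.objects.setdefault(account, {})[attr] = value
        self.changes.append((account, attr))

    def read(self, account, attr):
        return self.objects.get(account, {}).get(attr)


def frame(payload: bytes) -> list:
    """Base64-encode the payload and split it into numbered frames that each
    fit inside the carrier attribute."""
    text = base64.b64encode(payload).decode("ascii")
    total = max(1, math.ceil(len(text) / BODY_LEN))
    return [HEADER_FMT.format(i, total) + text[i * BODY_LEN:(i + 1) * BODY_LEN]
            for i in range(total)]


def parse_frame(value: str):
    """Split a stored attribute value back into (index, total, base64 body)."""
    idx, total = value[:HEADER_LEN].rstrip(":").split("/")
    return int(idx), int(total), value[HEADER_LEN:]


def transfer(directory: FakeDirectory, account: str, payload: bytes):
    """Sender writes one frame at a time into its own account's attribute;
    the peer polls the directory after each write and collects the frame.
    Returns (reassembled bytes, number of directory writes it cost)."""
    writes_before = len(directory.changes)
    received = {}
    total = 0
    for value in frame(payload):
        directory.write(account, CARRIER_ATTR, value)                   # sender's turn
        idx, total, body = parse_frame(directory.read(account, CARRIER_ATTR))
        received[idx] = body                                            # receiver's poll
    text = "".join(received[i] for i in range(total))
    return base64.b64decode(text), len(directory.changes) - writes_before


if __name__ == "__main__":
    # Constructed payload: 4 KB standing in for a command's output.
    dc = FakeDirectory()
    out, writes = transfer(dc, "CN=jsmith,OU=Staff,DC=corp,DC=example",
                           bytes(range(256)) * 16)
    print(len(out), "bytes moved in", writes, "attribute writes")
```

Roughly every kilobyte moved costs one directory write, and each write is replicated to every Domain Controller: a 4 KB command result is six writes, a small file transfer is thousands, and a forwarded TCP session keeps the counter climbing all day. Because the content is opaque base64, it is that write rate, not the attribute values, that a monitoring control has to key on.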

When your AD is on the internet

Now if you thought that was interesting, then let's get into how Azure can potentially expose your internal network. If your organisation uses Azure Active Directory, then your on-premise Domain Controllers automatically synchronise your Active Directory data outside of your organisation, to your Azure AD tenant. Not only does this extend the AD Botnet communications into your cloud environment, but it also extends the AD Botnet out to the internet. Microsoft provides an internet-accessible API, the Azure AD Graph API, that exposes the directory data synchronised from your internal Domain Controllers to the internet. This can potentially be accessed by any of your standard user accounts. This means that if you have a single password breached or guessed, then your Active Directory is on the internet. This provides a built-in channel for the AD Botnet Clients to exfiltrate data from your internal network out to the internet using native features and functions. An internet-based AD Botnet Client that can authenticate to the Graph API is then able to query the data and extract it from Active Directory out to the internet. If your organisation utilises Azure Active Directory Connect with its writeback features enabled, then your Azure AD is also able to update data within your on-premise Domain Controllers. The attacker on the internet then has a two-way communication channel with any system that has joined the internal AD Botnet within your organisation's internal network. This becomes very concerning when it is combined with the advanced socket feature. The attacker can transparently send and receive TCP traffic from the internet to any system on your infected internal network segments. This bypasses all corresponding firewalls and network filtering controls whilst providing a clear path to perform privilege escalation through exploit delivery or other techniques.

You would think that this type of activity would stand out to Windows systems administrators, with updates being made to Active Directory thousands or tens of thousands of times each day. Well, guess again. By default, Windows doesn't audit updates to standard user attributes within Active Directory (the Directory Service Changes audit subcategory that records them is not enabled out of the box), which makes this attack highly powerful and very stealthy. So, what should you do? In order to prevent the Active Directory Botnet from working, or from running within your organisation without being detected, you could consider the following security measures.

Avoiding an AD botnet attack

There are three key steps to take to avoid this type of attack.

The primary way of preventing this attack is to lock down unnecessary access for standard users to update as many of their Active Directory standard user attributes as possible. Most users don't need to be able to update their name or phone number very often, and they certainly don't need to do it thousands of times each day. Unfortunately, it is likely that there will be some attributes that you can't lock down. Not all is lost, as this is likely to slow down the communication channel significantly and may deter the attacker from using this technique.

The second, simple step is to monitor changes to Active Directory standard user attributes that are not typically changed on a regular basis. If you find a spike in updates to standard user attributes, then you most likely have an Active Directory Bot on your network. You will first need to enable auditing of changes to standard user attributes, and then set up a monitoring and alerting capability so that you are notified of the attack.

The most effective, but also most difficult, security control is to re-architect your various security zones to use separate Active Directory forests. A domain is not a security boundary in Active Directory; the forest is, and replication stops at its edge. Separate forests therefore contain the Active Directory Bots to the individual AD forest and its corresponding security zone, which means they won't be able to communicate across your entire organisation. This is far easier said than done.

The Active Directory Botnet uses techniques that are a clear violation of the way that Active Directory is designed to be used; however, due to the overwhelmingly insecure architecture of most Active Directory implementations, and the difficulty of changing Active Directory architectures, this new attack technique will be effective for many years to come.
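As an added example of the second step (not part of the article or the researchers' work), the Python below runs a spike check over constructed Directory Service Changes records shaped like the EventData fields of Event ID 5136. Those events only appear once "Audit Directory Service Changes" is enabled in the advanced audit policy and a SACL auditing Write Property is set on the container holding the accounts. The watched attribute list, the window and the threshold are assumptions to tune for your own baseline, and the sample events are fabricated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: attributes a standard user can write on their own object (the
# Personal and Web Information property sets) and so could serve as carriers.
WATCHED_ATTRS = {"info", "description", "street", "postalAddress",
                 "telephoneNumber", "ipPhone", "wWWHomePage", "url"}


def make_event(when, subject, target_dn, attr, op="%%14674"):
    """The 5136 EventData fields a SIEM would parse; %%14674 = value added."""
    return {"TimeCreated": when, "SubjectUserName": subject, "ObjectDN": target_dn,
            "AttributeLDAPDisplayName": attr, "OperationType": op}


def constructed_events():
    """Fabricated sample: routine HR edits, one self-service fix, and an
    account rewriting its own 'info' attribute every five seconds."""
    t0 = datetime(2017, 9, 4, 9, 0, 0)
    events = [
        make_event(t0, "hr.clerk", "CN=A Lee,OU=Staff,DC=corp,DC=example", "telephoneNumber"),
        make_event(t0 + timedelta(hours=1), "hr.clerk", "CN=B Ng,OU=Staff,DC=corp,DC=example", "telephoneNumber"),
        make_event(t0 + timedelta(minutes=30), "b.ng", "CN=B Ng,OU=Staff,DC=corp,DC=example", "info"),
    ]
    events += [make_event(t0 + timedelta(minutes=15, seconds=5 * i), "j.smith",
                          "CN=J Smith,OU=Staff,DC=corp,DC=example", "info")
               for i in range(60)]
    return events


def detect_attribute_spikes(events, window=timedelta(minutes=10), threshold=20):
    """Return {subject: {"peak": n, "attributes": [...], "targets": m}} for each
    subject whose writes to watched attributes reach `threshold` within any
    `window`-long span. A sliding window over time-sorted events keeps it O(n)."""
    by_subject = defaultdict(list)
    for ev in events:
        if ev["AttributeLDAPDisplayName"] in WATCHED_ATTRS:
            by_subject[ev["SubjectUserName"]].append(ev)

    alerts = {}
    for subject, evs in by_subject.items():
        evs.sort(key=lambda ev: ev["TimeCreated"])
        peak, start = 0, 0
        for end, ev in enumerate(evs):
            while ev["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[subject] = {
                "peak": peak,
                "attributes": sorted({e["AttributeLDAPDisplayName"] for e in evs}),
                "targets": len({e["ObjectDN"] for e in evs}),
            }
    return alerts


if __name__ == "__main__":
    for subject, detail in detect_attribute_spikes(constructed_events()).items():
        print(f"ALERT {subject}: {detail['peak']} writes to {detail['attributes']} "
              f"on {detail['targets']} object(s) within 10 minutes")
```

In a real deployment the same fields come from Event ID 5136 in the Security log of each Domain Controller (the DC that received the write is the one that audits it), so collect from all of them. Baseline normal self-service volumes before setting the threshold, and report the target count alongside the rate: a legitimate HR process writes to many objects slowly, whereas a Bot hammers its own account.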
About the author

Security researchers Ty Miller and Paul Kalinin from specialist security firm Threat Intelligence showcased the Active Directory Botnet attack technique at this year's Black Hat USA security conference. Ty Miller is the founder and Managing Director of Threat Intelligence and one of Australia's leading IT security researchers and presenters. He has built a specialist team to work with organisations of all sizes, launching solutions and services to navigate a new era of risk management and penetration testing. Ty is an assessor and member of the Council of Registered Ethical Security Testers - CREST (Aust) Ltd. He has presented at Black Hat USA for the past seven years and co-authored the popular and well-regarded security book "Hacking Exposed Linux, 3rd Edition".


Interviewing ANZ’s Security Team Contributors Dean Thompson, Richard Farrell, Mark Tutundjian and Erica Hardinge

I

n the lead-up to Lynwen Connick’s keynote presentation at the AISA Conference 2018, members of the ANZ Information Security team shared their views on the role of information security at ANZ. With a digital transformation underway and a keen focus on helping people and communities to thrive – cyber security has arguably never been more important to ANZ bank.

Can you give readers an overview of ANZ’s security programmes? Lynwen Connick is ANZ’s Chief Information Security Officer and the team she is responsible for plays a critical role at ANZ. The team ensures ANZ’s information security strategy evolves with the changing technology landscape, which presents both opportunities and challenges. Core functions include: • Cyber Security Operations, which provides threat intelligence, cyber analytics and ongoing operational information security management;

46 | Australian Cyber Security Magazine

Strategy, which focuses on determining the best investment and direction for information security for the bank and its customers; Governance and risk oversight for new delivery initiatives and day-to-day business operations, people and systems; Education and community outreach, which ensures staff members, customers and the community understand their role in protecting themselves in a digital world. This function coordinates ANZ’s contribution to the community through educational partnerships, collaboration and thought leadership; The Security Enablement Program that delivers continuous improvement in ANZ’s information security capability.

What advice would you offer Australian businesses and government agencies regarding the national and international cyber threat landscape? The cyber threat remains ever-present. Recent figures


Cyber Security

A connected nerve system enables organisations to centrally analyse and correlate a wide range of data across a multi-vendor environment, helping their security team to work faster and with more agility. This is especially crucial when attempting to outsmart teams of hackers. everyone's responsibility. This isn’t a job for technical experts, rather it’s about going about your daily business with a security mindset.

Do you have any tips for Australian organisations to help identify, evaluate and measure cyber risks, and put in place mechanisms to manage and minimise those risks? Cyber resilient organisations maintain good situational awareness and approach cyber security from the perspective of managing risk reduction, just as you would for any other form of risk management within an organisation. This includes: • Maintaining relevant threat intelligence – both sharing and learning from what is available; • Creating strong and, where possible, automated defence systems, with cyber analytics to determine unusual behaviours and/or patterns; and • Educating people to create human sensors across the organisation that ensure multiple layers of defence. Lynwen Connick is ANZ’s Chief Information Security Officer

show 65% of global Internet users have been victims of cybercrime through viruses, online credit card fraud and identity theft. It is important for businesses to understand cyber risks and new threats and be prepared to respond. The following three areas of advice are critical: • Cyber Resilience, covering incident response and command and control chains. Prepared and tested response plans are essential and threat sharing is critical, which is why ANZ is formally committed to the Joint Cyber Security Centres and industry collaboration. • Cyber Hygiene, which includes application whitelisting, risk management (knowing what data is important and what your risks and exposures are), patching, user access management – in short, following the advice of the Australian Signals Directorate’s (ASD) Essential Eight, or, at a minimum, their Top Four mitigation strategies. • Cyber Culture, which starts at board level and cascades down to educate everyone. The information security team must demystify security and help make it

What should businesses be worried about regarding Mandatory Data Breach Notification and GDPR legislation in the EU?

It has always been essential to protect customer information, but these legislative changes make the importance of this task more public. Particularly, as a bank, our customers trust us to keep their information and finances safe and secure. The new legislation makes it critical for all organisations to increase visibility of customers’ citizenship and the location of personally identifiable information, including when it is released or managed by third parties. It also places renewed focus on an organisation’s ability to identify data breaches, regardless of where they occur. To achieve this, a holistic approach is required to understand where data resides at all times.

Where do most cyber threats affecting Australian organisations originate from?

It is notoriously difficult to pinpoint the origin of a cyber-attack. Attackers generally try to evade detection by breaking into poorly secured computers and hijacking them to launch and route attacks worldwide. The types of attacks we see increasing across the industry, coupled with the volume of attacks and the choice of attack vectors, are as follows:
• Software patching vulnerabilities, such as the Apache Struts incident, as well as vulnerabilities in Microsoft Office;
• Web-based drive-by malware attacks, such as those targeting out-of-date applications like Adobe Flash or Acrobat, as well as general browser compromises;
• Attacks against applications exposed on the Internet to SQL injection and logic abuse;
• Email-based attacks, which are really targeting end users with ransomware or business email compromise;
• Supply chain issues, where services or tools are not always as they seem; and
• Third-party providers, as seen during the WannaCry outbreak earlier this year.

Australian Cyber Security Magazine | 47

Cyber Security

Is there a growing security threat to financial organisations from terrorists and organised crime groups, and what is being done about it?

The threat from terrorists and organised crime groups has always been a factor from a cyber perspective. ANZ continues to work with governments and other entities to share threat information. As a financial institution, we keep abreast of terrorist organisations and their methods of using banking instruments to finance activities. Similarly, we work across the organisation with teams who specialise in countering money laundering, fraud and sanctions.

How is ANZ addressing the cyber skills shortage?

Our security team continues to grow and we are actively recruiting at all levels. This includes people with extensive experience and expertise, as well as people with the right attributes that we can turn into security professionals. We provide input to several universities to help ensure courses align with growing industry requirements. Increasingly, industry recognises that the skills required to face cyber threats come from a variety of disciplines: technology, legal, change management, user experience and business management, to name just a few. We also need to invest in opportunities to increase diversity. Groups like the Australian Women in Security Network and initiatives like the Autism Spectrum Program play an important part in attracting a wide range of talent. ANZ is continuing to explore opportunities to contribute to the education sector to ensure we have meaningful and sustainable actions to help address the skills shortage.

What else can businesses do differently to tackle cyber threats?

A new approach is required to better educate people, with early literature suggesting increasing user awareness of cyber threats helps people know how to keep themselves secure. Research between Data61 and ANZ suggests it’s time to change our thinking. Specifically, early findings suggest a greater linkage with highly-visible security procedures and low perceptions of vulnerabilities, which lead to poor security practices. The research suggests an interesting relationship between self-efficacy and the sharing of stories following cyber incidents. A relationship between phishing susceptibility and the number of non-relevant emails being processed by individuals was also uncovered. We found three things are important when educating people about cyber security:
1. Firstly, make it easy and personally relevant for staff;
2. Secondly, move away from traditional awareness practices and look for real-time, experiential learning opportunities;
3. Measure its effect and share these metrics across the organisation.

What else is ANZ doing to contribute to the cyber security ecosystem?

ANZ, along with Westpac, has established an Application Security Financial Services forum, to assist and share lessons with other institutions from an application security perspective. This forum has run successfully on a quarterly basis through 2016 and 2017, with attendees from leading organisations across the region. ANZ co-founded the Security Influence & Trust industry group in 2015. This group shares good practice and drives functional uplifts in the security awareness profession. They coordinate and amplify consistent messaging across industry and government to educate the broader community. Furthermore, we are committed to sharing relevant and actionable threat intelligence in a timely manner. To this end, ANZ shares threat intelligence with threat partners, both domestically and internationally, and is committed to embracing standards such as STIX and TAXII. Sharing threat information with relevant partners heightens all our defences against cyber threats. Finally, team members from ANZ’s Information Security Domain are also active participants in a range of industry forums, both locally and internationally, that facilitate good practice in threat sharing.


CYBER SECURITY FOR WOMEN EXECUTIVE LUNCHEON INVITATION EXCLUSIVE TO COLLEAGUES

CIO, CISO & CSO FRIDAY 27 OCTOBER 2017 12:00 PM - 2:30 PM

SAKÉ RESTAURANT & BAR BONSAI ROOM

12 ARGYLE STREET, THE ROCKS, SYDNEY

Diversity, Opportunity, Scale

Mihoko Matsubara
Vice President & Public Sector CSO for Asia-Pacific, Palo Alto Networks

We would like to invite you to join an exclusive executive discussion featuring Mihoko Matsubara, Vice President and Public Sector Chief Security Officer (CSO) for Asia-Pacific, Palo Alto Networks. Mihoko, based in Singapore, is responsible for developing thought leadership, threat intelligence and security best practices for the cybersecurity community within the governments and academia in the region. Mihoko was formerly CSO for Palo Alto Networks in Japan and she also worked at the Japanese Ministry of Defense. Mihoko received a Fulbright Scholarship to pursue her MA in International Relations and Economics at the Johns Hopkins School of Advanced International Studies in Washington DC and was a research fellow at Pacific Forum CSIS, a Japan-US cybersecurity cooperation think-tank. In Tokyo, she worked for Hitachi Systems as a cybersecurity analyst researching cyberthreat environments and policy issues and worked at Intel K.K., Tokyo, in the role of cybersecurity policy director. She was the first Japanese speaker (2015) at the NATO International Conference on Cyber Conflict in Estonia and was most recently appointed as an Executive Committee Member of The Armed Forces Communications and Electronics Association (AFCEA) in 2017.

Discussion Focus: This will be an interactive event so we ask that you come prepared to engage with your peers as we discuss the key issues for women across the cyber environment. Opportunities abound in cybersecurity and roles for women are actively being encouraged to enter and engage in the industry. However, alongside the challenges of digital disruption and a global cybercrime industry, women themselves continue to be challenged with achieving equal diversity and inclusion, role opportunities and pay scales. On behalf of Palo Alto Networks and the Australian Cyber Security Magazine, you are invited to join Mihoko Matsubara for an intimate round-table discussion around the challenges facing women in cybersecurity, including young women, mentoring programs, women’s advocacy, cross-career training and maintaining a diverse workforce. Your participation in this discussion will hopefully enable you to identify ways and exchange ideas to address these challenges and apply them at your workplace. This is a very limited seating engagement so please register ASAP to reserve your seat.

Kindly RSVP by 20 October 2017 to rsvp@mysecuritymedia.com or 0432 743 261

PROUDLY ORGANISED BY




I don’t like Mondays: SMBs and Information Security

By Michael LeBoydre

If you are an SMB owner and have ten minutes to spare, I have a scenario for you to consider. Picture this. You have grown your small business over the last five years, very successfully I might add, and are now even considered medium-sized due to your success. The loyalty of some of your longest-serving staff, who have worked for you for years, makes them feel like your extended family. When you arrive at work one Monday morning you are told that your computer systems are playing up. It might be that no one can log onto their computers; or that you are receiving dozens of irate complaints from suppliers querying an email sent to them with a virus attached; or one of your finance staff, visibly upset, tells you something has gone wrong with your invoicing/payroll/accounts system; or maybe you received an email from someone who claims to have stolen your customer database and wants ten bitcoins or they’ll release it to the world. You will invariably remain calm and spend some time trying to sort out the problem, but this is bigger than you can cope with: it’s all your IT systems and you're lost. You call your IT support guy/girl (full time/part time/a friend/a friend’s son who is studying computers at university) to help. Looking around at the team, there is no real panic in the office. You even joke about computers saying no, and someone offers the '3-day weekend' musing. Everything will be fine.

Fast forward to Thursday and there are no more jokes. When your staff talk to you, they look scared. They are afraid because you look scared and in shock; this silly computer problem is much worse than anyone thought. You have lost all control of your business and your IT guy/girl has no answers. You don't even know who you should be calling. Your business is crumbling before your eyes, with the personal, professional and emotional fallout for you and your staff likely to be profound, and on your shoulders.

This is not a scenario that I have created out of thin air. Nor is it something I read about online. If you are reading this article on a Monday, somewhere in Australia there is a business owner who will be making jokes about computers, and if you are reading this on a Thursday, well, you get the point. Some businesses will survive an event like this, but many will not.

There are many conversations we can have regarding this scenario. We could discuss plans, policies and business practices that, when implemented, may prevent such attacks. We could discuss systems and hardware that, when configured correctly, may prevent such attacks, and we could discuss a response plan that would help you recover from such attacks. However, what I want to discuss here is, simply, information.

If I use the words information and security in the same sentence, many people assume I'm talking about computer stuff – and that is where the IT guy/girl comes in and the rest of you tune out. However, everything that we are, personally and professionally, exists in the digital world, and every little piece of this digital information has a dollar value to criminals. Information is like the pieces of a jigsaw puzzle: the more pieces that can be collected, the better the picture of who you are, and the greater the profit for criminals.

How much is our information worth? Your full name and date of birth can be used on any number of online loan applications and, depending on your credit history, can result in loans of up to $20,000 being made in your name. With more pieces of your personal-information puzzle, criminals will look for more profitable attacks. When they can link pieces of your personal and professional puzzles together, they will attack your business, or use your business to attack another; it's not uncommon to see hundreds of thousands and even millions lost overnight.

When you accept that information has a value, then you understand that criminals will never stop trying to convert it into currency. There will never be a magical fix or inoculation that will protect you from these attacks. Systems or procedures that work today may fail tomorrow and there is no completely 'safe state'. Many SMBs think they will not be targeted because the criminals have bigger fish to catch, but nothing could be further from the truth. SMBs are the low-hanging fruit in the information security war. Criminals don't have a morning meeting where Dr. Evil states, 'let’s go after SMBs today.' Instead they will buy pieces of our information puzzles wholesale and see who has been lazy. They will run automated tests across the globe to see who hasn't patched their systems. We are constantly being checked out: SMBs, big business, governments, mums and dads, all in the same boat. Basically, if criminals can make money from you, then you are a target.

If we are discussing the value of our information, then we must acknowledge the emotional cost of losing control. It is simply heartbreaking to speak to people who have lost everything – I mentioned earlier that the impact will be profound, and it will. If you own an SMB and are reading this on a Monday, and it’s business as usual, then take the time to consider how you could better safeguard the information you control. Consider how you would react to an incident: what would you do, who would you call and what plans would you need? As an SMB owner, you have the same responsibilities as a big corporation: you have professional, moral and legal responsibilities as to how you safeguard and manage the information that you control. Stop assuming you’re not a target and that it’s someone else’s responsibility. Take control and manage your information properly.

About the author

Michael LeBoydre worked as a Detective at the Queensland Police Cyber Crime Unit from 2014 to July 2017, investigating cyber offences, attending incident response meetings and supporting agencies affected by financial and cyber-based offences. After 12 years of service, Michael has left the QPS and joined WyldLynx, which strives to balance its clients’ information needs with security, efficiency and compliance across enterprise systems. Michael is an AISA member and co-founder of SABR (Securing Australian Business Resources), created to support information security in small to medium businesses in Australia with ideas, articles and a place to be heard.


AUSTRALIAN INFORMATION SECURITY ASSOCIATION (AISA)

EXECUTIVE ROUND TABLE CYBERSECURITY ENHANCEMENT

9:00am - 3:00pm 17 November 2017 Crown Perth



General data protection regulation and its relevance in Australia

By Samantha Humphries

Join me on a brief trip back in time, to October of 2016. A co-worker stops by my desk with a question… “Sam, what do you know about GDPR? I’ve got a customer asking about it.” Well, not a great deal at the time. Sure, I’d heard of it; I’m based in Europe, so it had started to crop up in various news articles, but if deciphering the acronym had come up in a pub quiz, I wouldn’t have been 100% sure I’d have known what the four letters stood for.

GDPR, or indeed the General Data Protection Regulation (there’s your trivia point!), is a piece of European Union (EU) legislation that was adopted back in April 2016, giving organisations just over two years to get their compliance ducks in a row. You’d be forgiven for thinking, as I’ve just mentioned the EU, that this article doesn’t apply to you in Australia. Well, stick with me for a few more sentences please, because you could be wrong, and it could be a very costly mistake.

GDPR protects the “rights and freedoms of EU citizens” – more specifically, it exists to ensure organisations treat their personal data properly. The data is the key point here – it doesn’t matter where the data is held, where your organisation has its head office, or even if you’ve done any business that involves money changing hands. If you process the personal data of EU citizens, whether they are customers, prospects, employees, or anything else, then you’re on the hook for GDPR compliance.

Personal data is anything that can directly or indirectly identify a living person. This goes beyond some of the more obvious data types such as names, online identifiers, and ID numbers; IP addresses in some cases, location data, health information, biometric data, trade union member information, political opinions, sexual orientation, genetic data, and more class as personal data.

Under GDPR, there are six principles of personal data processing that you must follow. Personal data shall be:
1) Processed lawfully, fairly and in a transparent manner.
2) Collected for specified, explicit, and legitimate purposes.
3) Adequate, relevant and limited to what is necessary.
4) Accurate and, where necessary, kept up to date.
5) Retained only for as long as is necessary.
6) Processed in an appropriate manner so as to maintain security.

This essentially means that the days of collecting and processing data because it might come in useful at some point are now over. You can only collect what you need, and you cannot hold on to it indefinitely. You must be clear about why you need the data, and what you’re going to do with it (including whether you pass it on to a third party, such as a cloud provider or payment processing organisation). Your security program needs to be up to scratch too – if you are unfortunate enough to be impacted by a data breach and it transpires you’ve just got anti-virus and a firewall, then things will not turn out well. Think: potentially massive fines, full audits, etc. Mandatory breach reporting requires you to report any breaches within 72 hours of discovery, which is not a long time in incident response terms.

EU citizens are granted a number of rights under GDPR:
1) The right to be informed.
2) The right of access.
3) The right to rectification.
4) The right to erasure.
5) The right to restrict processing.
6) The right to data portability.
7) The right to object.
8) Rights in relation to automated decision making and profiling.

Additionally, if a citizen believes that your organisation is doing something untoward with their data (e.g. selling it to third parties without their express consent), they must be able to contact you (likely through a named individual who holds the title of Data Protection Officer) to have the issue resolved. They can also escalate the issue to a Supervisory Authority, which has the power to investigate and administer fines for non-compliance. Fines for infringement are eye-watering.
The worst-case scenario is the greater of €20,000,000 (AUD 30,294,000) or 4% of your worldwide annual turnover, which is a potentially business-crippling amount of money. Supervisory Authorities can investigate an organisation at any time too, so it is vital that you understand now whether GDPR applies, as ignorance will be a galaxy away from bliss if you plan on using that as a defence. The regulation becomes enforceable on May 25th, 2018, which at the time of writing is a shave under 9 months away. So, you’ve got some time, but I wouldn’t recommend resting, because this baby is getting born, regardless.

Assembling a cross-functional GDPR project team should be your first action. Representatives from legal, privacy, risk, security, IT, HR and finance should be included, plus any departments who have anything to do with personal data, such as marketing, customer services, support, engineering, and sales. You also need to ascertain whether you need to appoint a Data Protection Officer, which can be someone senior within your organisation, or you can hire the services of a virtual DPO. If you have a board, they need to be on board (pun fully intended) now too, as their support throughout the process will be necessary. Everything you do under your GDPR compliance project needs to keep personal data front and centre at all times. Ask your organisation the following ten questions:
1) What personal data do we hold?
2) Where does the personal data reside?
3) Who has access to the data?
4) Why do we need the data?
5) Do we still need the data?
6) How is the data secured?
7) Can we erase or stop processing the data if requested?
8) Is the data accurate?
9) Was consent gained from the individuals?
10) Do we send data on to any third parties?

The answers will help you determine your journey towards GDPR compliance. There are consultants offering services to help you with gap analysis, which can be especially helpful if you have a small team. And although this sounds like a potentially huge mountain to climb, GDPR will be good for your organisation in the long run. Doing the right thing with people’s personal data is important – it’s personal to them, and they get to choose whether they share it with you. If you had to choose between dealing with an organisation that treats your data with respect and one that didn’t bother, you wouldn’t have to think overly hard. Go forth, and GDPR.

About the author

Jill of many trades, mistress of a few. Samantha has spent most of her working life entrenched in the world of cyber security. As you can imagine, she loves it. Her career has spanned many areas of the business – sales, technical support, solutions marketing, channel support, outbreak management and incident response, engineering and researcher management, product management, and more. She likes solving problems and making customers happy. She fully believes that it’s wonderful to be able to do what you love.



Cover Feature

Machine learning in cyber security: The newest tool in the toolbox

By Michael Sentonas

Machine learning, as a concept, has existed since the first computer was created, which raises the question: why has the term only recently begun to surface in the security industry? Technological and business changes have certainly contributed to the shift, with organisations far and wide exploring the potential of machine learning across a number of processes. For example, right now it’s near impossible for companies to keep up with sophisticated attack techniques using traditional prevention methods. Even the most advanced Security Operations Centres (SOCs) struggle to manage the overwhelming bouts of suspicious activity and alerts they encounter when fighting advanced threats such as malware-free intrusions. Machine learning has been hailed for its efficacy in dealing with these security challenges and has become the newest tool in the security toolbox.

Machine learning pitted against traditional cybersecurity

Machine learning is undeniably more effective than the traditional workhorses of cybersecurity: signatures and heuristics. Signatures (also called “Indicators of Compromise” or IoCs) can be as straightforward as a hash value or byte sequence that is searched for by a security or anti-virus tool. Heuristics, on the other hand, are often created by human analysts as a set of rules that, for example, describe malicious traits and create some resilience against basic modifications an attacker might attempt. On both counts, machine learning can have a transformative impact. With new malware files emerging at an average rate of more than 10 million every month, signature- or IoC-based approaches to threat detection are not viable, while human-derived heuristics struggle to scale quickly and accurately. These malware detection approaches commonly rely on data files that are hundreds of megabytes in size and need to be updated daily. This is where machine learning-based approaches step in. These approaches do not attempt to recognise individual malicious files; instead, they search for malicious file traits.
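The article contrasts exact-match signatures (a hash or byte sequence) with analyst-written heuristics over file traits. As an added illustration, not code from the article or from any vendor, the Python below runs both approaches over constructed byte strings: the hash IoC stops matching after a single padding byte changes, while a small rule set over traits still fires. The sample "files", the API names used as traits and the rule weights are all constructed for the demo.

```python
"""Hash IoC vs. trait-based heuristic rules, on constructed sample bytes."""
import hashlib
import math
from collections import Counter

# Constructed stand-ins for files (not real malware). ORIGINAL is the
# sample an analyst has already seen and fingerprinted.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"CreateRemoteThread\x00WriteProcessMemory\x00VirtualAllocEx\x00"
    + b"http://c2.example.invalid/beacon\x00"
)
# The same sample with one padding byte changed: the "basic modification"
# the article says heuristics should survive.
MODIFIED = ORIGINAL[:16] + b"\x01" + ORIGINAL[17:]
# A constructed file with none of the traits the rules look for.
BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"GetSystemTime\x00MessageBoxW\x00Hello, world\x00"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 1. Signature / IoC: exact hash of the known sample ---------------------
KNOWN_BAD_HASHES = {sha256_hex(ORIGINAL)}


def signature_match(data: bytes) -> bool:
    """Exact-match lookup: any byte change yields a different hash."""
    return sha256_hex(data) in KNOWN_BAD_HASHES


# --- 2. Heuristic: analyst-written rules describing traits -----------------
def _imports_injection_apis(data: bytes) -> bool:
    # The trio commonly seen together in process-injection code paths.
    needed = (b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx")
    return all(api in data for api in needed)


def _has_embedded_url(data: bytes) -> bool:
    return b"http://" in data or b"https://" in data


def _high_entropy(data: bytes, threshold: float = 6.0) -> bool:
    """Shannon entropy in bits/byte; packed or encrypted bodies score high."""
    if not data:
        return False
    n = len(data)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return ent >= threshold


# (name, predicate, weight); weights are constructed for the demo.
HEURISTIC_RULES = [
    ("process-injection API set", _imports_injection_apis, 3),
    ("embedded URL", _has_embedded_url, 1),
    ("high entropy", _high_entropy, 2),
]


def heuristic_score(data: bytes) -> int:
    """Sum of the weights of the rules that fire: traits, not bytes."""
    return sum(w for _, pred, w in HEURISTIC_RULES if pred(data))


def heuristic_match(data: bytes, threshold: int = 3) -> bool:
    return heuristic_score(data) >= threshold


def classify(data: bytes) -> dict:
    """Run both approaches side by side so the difference is visible."""
    return {
        "signature": signature_match(data),
        "heuristic": heuristic_match(data),
        "heuristic_score": heuristic_score(data),
    }


if __name__ == "__main__":
    samples = (("original", ORIGINAL), ("modified", MODIFIED), ("benign", BENIGN))
    for name, blob in samples:
        print(f"{name:9s} {classify(blob)}")
```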

Machine learning as the problem solver

Machine learning is the ultimate problem-solver for today’s cybersecurity professionals. If properly managed and leveraged, machine learning can be a force to be reckoned with for cyber security teams, able to analyse security-related data, including file “features” and behavioural indicators, over enormous data sets. That’s billions of events that can be used to “train” the system to detect unknown and never-before-seen attacks, based on past behaviours. If machine learning algorithms are trained with data-rich sources and augmented with behavioural analytics, they can be an extremely effective first line of defence against threats like ransomware.

That said, the value that machine learning can bring to the table largely depends on the data available to feed into it. Machine learning cannot create knowledge, it can only extract it. The scope and size of data is most critical for effective machine learning. Organisations should assess the data they have available to ensure machine learning is a viable option. For those with data readily available, cloud-based machine learning solutions have a distinct advantage, allowing large amounts of data to be analysed at the same time from across business systems. For example, Spotify (cloud) can give you better album recommendations than your local music store clerk because it has vastly more data at its disposal. Cloud-based machine learning also combines architected algorithms with the collective knowledge of crowdsourced communities, where threat intelligence is aggregated and updated instantly.

Enterprises seeking effective machine learning for endpoint protection must consider:
1. The need for massive data sets – To be effective, machine learning must have enough relevant data with which to work. It must also be able to implement sufficient rounds of training with speed and efficiency. Without these two things, machine learning can negatively impact results.
2. Value added via intelligence – Machine learning solutions should deliver more than a yes or no answer. Businesses need as much information as possible about potential threats to ensure the most effective use of IT resources. Having information about the severity of a threat helps to prioritise and act as required, preventing the mis-allocation of resources and keeping businesses safe.
3. Detecting unknown malware with fewer false positives – Machine learning does not require signatures to be updated frequently in order to be effective. Unlike traditional anti-virus tools, it can learn without needing new data sets every day. It analyses higher-level traits to decide if a file is malicious, which is a superior approach to detecting today’s targeted, unknown malware.

Finding the right machine learning tool is critical in helping organisations deal with the huge volume and variety of security threats knocking at their doors. This is thanks to the amount of data available to analyse and learn from, which means machine learning is poised to recognise advanced and unknown threats. Additionally, openness towards cloud has helped businesses to realise the potential of machine learning, allowing security data to be processed at enormous scale, without the constraints imposed by individual machines on a given network. However, it’s vital to remember that an adversary will target an organisation persistently – potentially hundreds of times a day – therefore machine learning should form part of an organisation’s overall defence strategy, as one of many tools in its toolbox for combating threats.

About the author

Mike Sentonas is Vice President, Technology Strategy at CrowdStrike. Reporting directly to the Co-Founder and CTO, Mike’s focus is on driving CrowdStrike’s APAC go-to-market efforts and overseeing the company’s growing customer and partner network. With over 20 years’ experience in cybersecurity, Mike’s most recent roles prior to joining CrowdStrike were Chief Technology and Strategy Officer, Asia Pacific at Intel Security, and Vice President and World Wide Chief Technology Officer of Security Connected at Intel Security.




STEM and the problem of gender minorities in Cyber

By Emily Major-Goldsmith

Dr Jenna Carpenter, the Dean of the School of Engineering at Campbell University and advocate for females in STEM subjects, once commented that, “If the cure for cancer is in the mind of a junior high school girl, odds are that we will never find it.” I’m not here to write about cancer or its cure, but rather the idea that, if the next breakthrough in mathematics, science, engineering or technology were inside the mind of a young female, it is less likely to be developed past its infancy. This is disheartening. Nevertheless, there is hope. Dr Carpenter is neither alone in her encouragement of women nor alone in attempting to alter the gender shift. Like much of the developed world, Australia is seeing an increase in the inclusion of senior female C-suite leaders in some of our most influential organisations, such as Cisco, Tabcorp, NAB and PwC. In common, these women are passionate supporters of women in STEM.

Gender Minorities

This leads me to thinking about the gender minority bias in STEM. According to the Oxford English Dictionary, a minority is defined as: ‘The smaller number or part, especially a number or part representing less than half of the whole’. When we discuss the topic of minorities, we often consider race, religion, even political persuasion, yet often we fail to consider the lesser known – ‘the minorities of the so to speak minorities’ - Women! Women are certainly not a minority in our world, yet when it comes to their roles in society, a gap grows between men and women and where they feel their careers lie. Women in STEM subjects is not a new topic. We, like our counterparts, have made significant advancements within society, yet our growth in these areas of study increases slowly by comparison.

I speak of minorities from experience. Though I am not a ‘stereotyped’ minority, I am a first year, female Cyber Security student. There are few of my kind and, therefore, I am a minority in the Cyber Security Industry. Approximately 5-8% of the students in my lecture halls are female. Although the mere presence of women may be seen as encouraging to those of you already in this field of knowledge, it made me – a neophyte – feel out of place, as though I may have trespassed into a world to which I do not belong. Females are not unknown in this field; however, this does not change the fact that we are few and far between. Habitually, society appears to believe that women would not typically be interested in more technical careers, careers in STEM subjects or simply IT in general. One consequence of this, I believe, is that women often get overlooked when it comes to exposure to information about, and encouragement to pursue, STEM careers. By the time a young woman ventures into the realm of her career choice, she has quite often been influenced by harmful stereotypes. Females too often get guided like sheep into a pen, into fields of work that may not represent us or our abilities, and it is only when we look outside at what is offered that we find alternative careers in traditionally male-dominated fields of work.

“The most common way people give up their power is by thinking they don’t have any.” - Alice Walker

Implicit Bias

Females, far too often, become victims of unintentional and unconscious implicit bias. Implicit bias can be projected by both men and women, since they may find it difficult to picture a female in a traditionally male career. According to Dr Carpenter, implicit bias affects attitudes, reactions and expectations of women, and thus it can become difficult for girls and women to stick with a non-traditional career choice and reach their full potential. This is certainly something that resonates with me. From personal experience (and one that is certainly not common to all), being a female in Cyber Security is daunting. I felt I had something to prove; as though I needed to compete to be the best - to beat or at least equal the competition. However, I am starting to realise this doesn’t have to be the case. The reason for my change of heart? My peers have helped me understand, from their perspective, that women entering this industry bring additional skills above and beyond the technical. Women think differently. We provide alternative interpretations and different skills. Having been exposed to the industry – both through education and through first-hand involvement – I have felt acceptance, affirmation of belonging and support from both my peer group and industry personnel. I have been gradually recognised for the contributions I bring. For example, when working together on group assignments, I’m told it’s the unique differences between the males and females that is evident. Many of my classmates are older, male and often have industry experience. They appear to have the answers. I counter this by pulling them back to reconsider our objectives and asking them to look through another lens. Often this comes in the form of reminding them that there is much more to Cyber Security than the technical, and that most often we must consider the more social, moral and human elements of the assignment. It is all well and good creating a product or a system for a customer, but being able to explain it in a manner they understand, and being aware of the business outcomes that need to be achieved rather than just the raw technical solution, is just as important.

Australian Cyber Security Magazine | 57


Cyber Security

My peers, my mentors and I are coming to understand that a balance of men and women in the workplace breeds a new dynamic, a whole new range of ideas and development.

The challenge for women

The challenge for women, despite their evident skills, is that research suggests most women choosing a non-traditional career must have two and a half times the amount of accomplishments on their resume to be equally competent to their male counterparts. I may not be a part of the Cyber Security industry yet; however, I can tell you that this concerns me in the light of my own experience of my perceived need to out-perform my male counterparts. Change needs to occur!

Making the Change…

Change is: “To accept difference – to alter one’s current course to adapt to something new”. But what exactly needs to change? Change should result in women no longer being perceived as incapable of pursuing careers in STEM equally to men. Change in industry is usually led by a desire to increase efficiency, reduce stagnation or respond to market forces.

How can we force a perception shift?

Change should involve inclusion. Male-dominated industries often fail to recognise that industry progression is not about following the norm, but rather about finding that new voice that will spearhead improvement and alter the current course. Change should result in the more widespread education of young girls about the variety of career choices available. Change generally comes from those who exist in the now; however, if we look to digital disruption we see that the most innovation is fostered by those new to a field, those who think outside the box and those who aren’t stuck in convention. So, wouldn’t a perception shift be beneficial? “Progress is impossible without change, and those who cannot change their minds cannot change anything.” - George Bernard Shaw

Change in industry for women

Through increasing acceptance of women’s capability parity, we may encourage a positive change in the industry. More women may soon find themselves in fields such as Cyber Security and other STEM subjects. Acceptance breeds encouragement, which in turn breeds progression, hopefully leading to an increased take-up of women in academia and the workplace, studying and working within STEM subjects. If women become more prevalent within STEM industries, this will drive change, instigation and development. Indeed, the next innovative breakthrough could be stored in one teenage girl’s mind; she should be given a chance and encouraged to embrace a career in STEM. Change must be borne from those in the industry, market leaders, academia, and familial and societal endorsement, encouragement and proclamation. A minority is unlikely to develop into a majority overnight, in a month or even a year, but with a change in perception, inclusion, encouragement and peer and industry support, one girl’s innovative idea will develop and take shape and spark change for both the industry and for the females destined to become part of it.

About the author

Emily Major-Goldsmith is an ex-pat and now a proud Australian citizen residing in Perth, Western Australia. A former student of Mater Dei College, she is now a first-year undergraduate student in the BSc Cyber Security at Edith Cowan University. Graduating from Mater Dei with a strong passion for the Arts but an inquisitive mind for the sciences, she is currently working her way through understanding the complexities of Information Services and Cyber Resilience subjects and is focused on the impact, position and role of women within a STEM environment.


CivSec 2018 CIVIL SECURITY CONGRESS AND EXPOSITION 1-3 MAY 2018 MELBOURNE CONVENTION AND EXHIBITION CENTRE, AUSTRALIA

SECURITY, SAFETY AND SOVEREIGNTY FOR THE INDO-ASIA-PACIFIC

Human Security

Cyber Security

Law Enforcement

Border Security

www.civsec.com.au For further information and exhibition enquiries contact the Sales Team Telephone: +61 (0)3 5282 0500 Email: expo@amda.com.au


Cyber Security

Failure in depth

About getting the job done rather than looking for excuses

By Aidan Daly

Most of us are sick to the teeth of listening to people pontificating about WannaCry/NotWannaCry/Petya etc. Vendors had a field day rushing to fill our inboxes with webinars and whitepapers. Security basics teach us Defence in Depth, the analogy of defending a castle… and we have all heard these banalities a thousand times before. So, why in the month of May, when WannaCry hit, did we see mass panic? The UK’s NHS was badly hit. The Irish health service disconnected its entire network from the outside world for three days until it had manually patched all its systems. Pictures emerged of ATMs and kiosks in train stations displaying the warning that they had been encrypted, with the usual demand for bitcoins to release control back to the owners. Both Renault and Honda had to stop production when their factories were hit, again adding fuel to the fire. As of 3 June, MalwareTech’s website showed 430,000 infected PCs and over 1,600 systems still online. As an aside, MalwareTech is the online handle of Marcus Hutchins, the clever 22-year-old researcher who found WannaCry’s inbuilt kill switch, and who has since been arrested after attending Defcon in Vegas. Eugene Kaspersky has recently blogged that the code used in WannaCry was riddled with flaws, not least the so-called “Kill Switch.” The jury is still out on the motives for including this function, with some speculating that it was an error rather than intentionally included. Kaspersky gave his own opinions at AISA’s event in Sydney in June. Questions were raised as to how this not very well written piece of code managed to infect 400,000+ PCs, take down some of the world’s largest car factories and maintain its spot in the news headlines for so long. Motives, political or otherwise, always tie back to the conspiracy theories: Russia or North Korea were behind the attack. The fact that leaked NSA hacking code was used in the payload, and that it was mooted as a wiper rather than ransomware, was indeed suspicious (especially after the targeted attacks in the follow-up that seemingly came from Russia). For sure, registering the kill switch potentially saved the day, and all the resulting WannaCry variants have been thrashed to death, so was all the panic necessary?

It’s Just Malware

In Bill Clinton’s 1992 presidential campaign, one of his aides coined the phrase, “It’s the economy, stupid!” This became the winning mantra of his campaign. After WannaCry, I feel like shouting, “It’s malware, stupid!” Yes, the geopolitical aspects interest me, but it’s just another malware outbreak to deal with. Should you do anything different to defend against WannaCry or its variants, as opposed to any other run-of-the-mill malware or ransomware, besides turning off the ancient SMBv1 services that you should have disabled years ago? As security professionals, we know that there are several basic countermeasures that consistently fail to be implemented. The ASD’s Essential 8 includes patching of applications and operating systems as well as firewall implementation and network segmenting. When was the last time anyone outside of the security team read the ASD’s recommendations? They released a hardening guide for Windows 10 back in June, with new guidance on event logging and antivirus systems published in July and August. You must question the wisdom that keeps SMBv1 still running on your network. A quick Google search shows Microsoft articles from September 2016, with advisories from US-CERT dated January 2017, all advising that SMBv1 should be disabled. So, what are you waiting for?

Patches

Microsoft released the patches that would have stopped WannaCry’s spreading two full months before the malware hit. Looking back, for all those that were crippled by its rapid proliferation, how basic an error was it not to have applied those patches by May? You were running a protocol that you don’t need on an unpatched system where fixes had been provided two months earlier. Shame on you. I understand that there may be limited situations where these protocols are required and cannot be deprecated, and yes, the NSA exploits did exist long before March’s Patch Tuesday. But if you don’t fall into this minority, then it’s time to take stock and learn from this harsh lesson.

D-Day

On that fateful day in May when the fan was doused in foul-smelling matter, how did your team learn about the spread of WannaCry? Was it when users started complaining that there was a strange message on their screens? Again, shame on you! Advice had been streaming in from mainstream news channels all night, as well as targeted advisories from all the major security vendors. Trend Micro had a full analysis of the creation of a specific file (perfc.dat) that, when placed in a specific location, acted as a vaccine for any given PC. That PC would therefore not be infected, but would still help the malware to propagate; still, it would limit your exposure. One of the biggest problems with trying to find ‘silver bullets’ like these is that by that stage you have already been significantly affected. On a day with so much noise online about global cyber-Armageddon, trying to find useful and actionable information was next to impossible.

Next time

The next time a global outbreak occurs, how fast will you react? Every vendor under the sun has launched webinars and sales pitches on how their products can help. So, there is a wealth of information available, but have you got your own team’s playbook ready on where to take direction from? If your security team had stuck to the basics of allowing only required ports and services on your segmented network, you would have suffered minimal or no harm at all. Ask how your security team assesses and implements ad-hoc antivirus signatures and DAT files. Could your team shut down access to certain portions of your network, be it certain ports or cutting off an entire segment, in an emergency? The same line of questioning applies to pushing new IPS signatures to your security appliances. Can your team do it rapidly, and do they do anything to tune these devices into providing more than just the set-and-forget security profile that many come with by default? Undoubtedly, this is where WannaCry and its high-profile variants have done our information security industry a favour. Newsworthy malware and data breaches serve to highlight the failures in people, process and technology that we all have in our businesses, so even if you were not hit by WannaCry, you can still learn from it. We might have the latest and greatest technology, providing APT defence and cyber protection with AI, big data and machine learning, but if we can’t get the basics right, the fancy and expensive security tools are of little use.
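The article’s basic countermeasure is to find out whether SMBv1 is still running and turn it off. The script below is an added example, not code from the article or from Microsoft: it audits a Windows host for SMBv1 and for inbound firewall rules that expose TCP 445, logs which clients still use SMBv1 so the “limited situations where these protocols are required” surface before anything is switched off, and only then disables it. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules (SMB1 auditing and event ID 3000 need Windows 10 / Server 2016 or later); the function names are mine, and the parsing of the audit event’s “Client Address:” text is an assumption about its wording.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit, log and then disable SMBv1.
# Cmdlets are the standard Microsoft ones; the function names are hypothetical.

function Get-Smb1Status {
    # Report whether the SMB1 server setting, the optional feature and the
    # legacy client driver (mrxsmb10) are still present on this host.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $client  = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1AuditEnabled  = $server.AuditSmb1Access      # $null on builds without auditing
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotApplicable' }
        Smb1ClientDriver  = if ($client)  { $client.Status } else { 'Absent' }
    }
}

function Get-Smb445InboundRules {
    # List enabled inbound Allow rules that open TCP 445 with their remote scope.
    # A RemoteAddress of "Any" on a flat or internet-facing profile is the
    # "ports and services you don't need" exposure the article warns about.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $addr.RemoteAddress }
        }
}

function Enable-Smb1Audit {
    # Log every SMB1 session to Microsoft-Windows-SMBServer/Audit (event 3000)
    # so legacy dependencies are visible before the protocol is removed.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 14)
    # Summarise which clients used SMB1 in the audit window. The event text is
    # parsed for "Client Address:" (assumption about the event's wording).
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Turn off the SMB1 server, then remove the optional component where it
    # exists. Supports -WhatIf; a reboot completes the feature removal.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Typical sequence: audit, enable logging, wait a fortnight, review, then disable.
Get-Smb1Status | Format-List
Get-Smb445InboundRules | Format-Table -AutoSize
# Enable-Smb1Audit
# Get-Smb1Clients -Days 14 | Format-Table -AutoSize
# Disable-Smb1 -WhatIf
```

Run the audit across a fleet (for example via Invoke-Command) and keep the Get-Smb1Clients output as the evidence for any exception you grant, so the “minority” that genuinely needs SMBv1 is documented rather than assumed.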



Cyber Security

It’s the humans, stupid, or, is it the stupid humans?

By Mark Honeycutt

I’ll admit that I don’t know a lot. In fact, I’m a bit of an outcast in the world of cybersecurity because I tend to think that most problems we face can be corrected, not by more scanners, segmentation, and sandboxes, but by spending time with the folks up in accounting on the third floor and working with them on secure practices that can keep your information systems safer. “Are you crazy?! Seriously dude, you need to go back to the 1980s!” I can hear you from all the way here in the USA, and I’m sleeping. Don’t worry, this is the flak I get from everyone I say this to, except for a few trusted colleagues who happen to like me because I agree with them. But let’s face it. The numbers don’t lie. Every… and I mean EVERY… security report I’ve read over the past five years, including Symantec’s and Verizon’s annual security reports, reveals that the clear majority of data breaches involve social engineering as the primary means of executing the attack. I know… I know. This is a hard pill for techies to swallow, but it’s a pill that needs to be shot down the back of information security’s throat right now. Let’s look at some numbers. In 2016, Verizon reports that it studied 42,068 security incidents that resulted in 1,935 breaches. 43% of the breaches were due to social engineering attacks! 66% of malware came through malicious email attachments. And I know we love to talk about the Deep State and all their high-tech hacking tools like we find in WikiLeaks dumps, but it’s official – phishing and other social engineering techniques are the number one choice they use to compromise systems.


Seriously, this is a big problem! The problem isn’t just the fact that social engineers are excellent hackers; it starts with every IT employee and Information Security Officer in the world. Until we come to grips with the fact that technology isn’t the solution that will stop the most bleeding, we’re going to continue to see high-profile breaches. I’m begging all of you to come to the table and accept the fact that people skills might be a requirement to secure your networks. I know what you want to hear. You want me to tell you that there is an AI solution coming down the pike that’ll analyze and quarantine every phishing attack. You’re dying for facial recognition and physical security implementations that’ll identify every con artist who walks into your building. You’re hoping for voice recognition that’ll pinpoint any shift in a shifty voice. Hey, I’m not saying that it’s not possible, and I’m not saying that there’s not stuff out there that’s attempting to do that; however, it’s not going to stop everything from getting through, and it’s more than likely going to hurt your workflow, because legitimate emails and people will get filtered as well, and that’s a win-win for hackers too. The psychology of defense plays to the attackers’ strengths. I have a few acquaintances who I’ve met over the years who have gone on to do some pretty impressive things with their lives in tech. The most successful of the group is the CISO at a major corporation with over 40,000 employees worldwide. I can’t fathom the amount of security breaches he must worry about with that many devices connected to their networks. But the reason I mention him is because he’s the most ardent of my critics. Or at least he WAS! My friend, let’s call him Charlie, used to turn blue in the face every time he had to re-explain how employee training and social engineering penetration testing would not appreciably impact the susceptibility to serious attacks. His solutions (and he sent me a long list of them), which you all probably understand very well, were all “techy” and software driven. I cringe every time I think of that email. Before you buy a plane ticket to the US so you can slap me, please understand that I know that controls are a necessary part of this entire endeavor; I do get it. My point, though, is that the abject disavowal of the end-user’s role in the process is defective thought. You must incorporate more education and training; once a year isn’t enough. A mandatory training video isn’t enough. A paragraph in the employee handbook isn’t enough. Back to Charlie. I said he WAS one of my worst critics; I think I’ve convinced him otherwise. He tried to corner me one day with a comment that I make all the time – “I am 100% positive that I can own the keys to the kingdom of any company or organization.” He took me to task on that, as I’m sure many of you will. I bet him $10 that if he’d give me the names of three people on his staff, I was certain I could fool one of them into clicking on a link in an email. He laughed, because I’m certain he gave me the three most security-conscious people in his office. He knew he’d win the bet. To begin with, I spent an hour or so doing some background research on my targets. I knew Charlie, and I knew that these three people worked for him in some capacity, but I didn’t know what their job titles were or what they did.
I didn’t even know if they worked in the same location as he did. Using my powerful sense of intuition (Google), I discovered that they all worked in the same office as Charlie. OK. That’s important to know. They were all long-time employees too; these were no rookies. Hmm… that’s making it more difficult. The easiest prey to feast upon are the new hires, so that’s a no-go here. Aside from their connection at work, I couldn’t find much to link them beyond their interest in security. Then… You’d think that security folks would be leerier of social media, but I suppose there’s a need to connect to the outside world that drives us to Facebook, Twitter and even LinkedIn. Unfortunately, I view that “need” as a vulnerability that I can exploit. In this case, it proved worthwhile. Two of Charlie’s employees had children that were about the same age as Charlie’s son, and one of them had a son that played on Charlie’s son’s baseball team. BINGO! After doing my due diligence and finding the name of their sons’ baseball coach, I did my techie thing and spoofed an email using the coach’s name. I knew there was a big game coming up that they’d have to travel to (I always keep digging), and I crafted an email that was even written in the coach’s voice, which I studied from his Facebook page (keep the dig going). I even found out that Shirley was bringing snacks to the game. Hot dogs anyone? So, it was an easy and convincing email. Out of arrogance or curiosity, I didn’t attempt to spoof the link. I left it in all its funky glory for this information security officer to question. But I knew that if the email was convincing enough, he’d gloss over the link and click it anyway, and he did! I didn’t even need to try the other two employees. The poor fellow thought that it was Shirley’s idea that they all stay the night in a hotel and go to a waterpark the next day with the kids, and by clicking the link he was going to the waterpark’s website to sign up for a special group rate created exclusively for the families and baseball players at this big tournament. It only took me about fifteen minutes to create a fake website where he could type in his name, the names of his wife and children, their ages, and his address. This was as far as I needed to go to prove Charlie wrong. And it did. Boom! Simple stuff. The entire process took me an hour of my time, making that the cheapest hour of work I’ve done in a long time, but it was so worth it! So, let’s recap. Had my intent been malicious, I could have easily worked myself into one of the largest tech companies in the world, through the very office of those who are supposed to protect their networks. And it was easy. What does this say? It says that even the most vigilant of us get distracted. It says that enough truths put in front of a person will create a perceived truth. It says that you don’t have to incorporate a lot of tech to circumvent a whole lot of tech. I’m here to tell you that quarterly social engineering employee training, coupled with social engineering penetration testing, is the answer. It will shrink your attack surface more than anything in the world. Why do we continue to put money and resources into solving a problem that’s only occurring 5% of the time, and yet we do nothing to plug the gaping holes that we’re told about year after year? It’s the humans, stupid. It’s not the stupid humans. They can’t do what they’re not taught to do. Make them your biggest resource and stop viewing them as the biggest vulnerability!

About the author

Mark Honeycutt is the owner of Shark Cybersecurity and is a Social Engineering expert who focuses upon employee training after Social Engineering penetration testing engagements. Making real-life lessons humorous is his goal, because humor lends itself to memory. Mark has a Master’s Degree in Rhetoric, where he studied the “Art of the Con.” During his doctoral work, he shifted his focus to Social Engineering, where he explored “Hacking Humans.” He does have a techy geek side, and he loves to study AI, algorithm engineering, and malware analysis.



Cyber Security

Cyber Security: A human right, or luxury for the few?

By Elliot Dellys

Few amongst us today could argue our lives would not be drastically affected by being denied Internet access. No more video calls to distant loved ones; no remote connectivity to the office; for those who live an almost cashless existence, a limited capacity to access their wealth; and of course, no access to reddit. Broader still, what if we consider those who are socially or politically isolated and rely on the Internet as their window to a better, brighter world? We typically think of human rights as inalienable, universal, and as entrenched – at least conceptually – as human thought itself. Notions such as freedom of expression, the right to assembly and the right to education are the foundations upon which modern democracies are founded and have not traditionally been bound to any technology. It is therefore easy to understand why, until very recently, the idea of defending Internet access with the same conviction as we would the freedom to participate in a democratic process would seem absurd. Last year the UN Human Rights Council passed a resolution declaring access to the Internet a fundamental human right, acknowledging the technology’s capacity to accelerate human progress. The Internet provides us with historically unparalleled access to our collective human knowledge, and an incredibly powerful medium to foster free expression. In the 21st century, finding a mathematical proof of the theory of time dilation takes four words, 0.58 seconds in a search engine, and an Internet connection. Finding an avenue for expressing yourself to a large audience, for good or ill, is as simple as scrolling to the comments section on a YouTube video. That our online freedoms have been recognised as fundamental human rights is not particularly shocking, but a right without the ability to exercise it freely is meaningless: my freedom of movement is of little value if my house has no door through which I can leave. So, to whom does the burden of making sure we have the capacity to exercise these rights fall? It is too simplistic to say this responsibility falls to the nation state alone. The United Nations’ Guiding Principles on Business and Human Rights state that the corporate responsibility to respect human rights applies to all enterprises, regardless of their size or sector. This is a simple enough proposition when considering a business’ obligation to protect its workers, but when, for example, a company provides both the figurative and literal gateway to the Internet, this responsibility becomes a little more abstract. If the intentional denial of Internet access functionally equates to the denial of a human right, is a company that inadvertently does the same, due to its poor cyber security posture, therefore endangering the ability of its customers to exercise their basic human rights? What about industries that facilitate these rights through e-commerce, social media or the myriad of other technologies upon which digital citizens rely? While to date the clearest examples of this behaviour have involved nation-state interference, the threats are far from unique to the government context. Beginning in January this year, the Cameroonian Government denied Internet access for 100 days to around 20% of the population, via its ownership of the country’s optic fibre backbone. For private mobile and Internet service providers, their sole reliance on this network spelled a complete denial of service to their customers. While the providers rightly attributed the Internet blackout to circumstances beyond their control, it is not difficult to envisage a near-identical scenario where such a service failure is the result of a preventable power failure, lack of infrastructure redundancy, or even poorly constructed SLAs. Beyond the financial and reputational loss determinations that underpin every corporate risk assessment, how does a company measure the ethical burden of creating a situation in which customers are denied their right to access the Internet? Moreover, even if Internet availability can be assured, to exercise our online rights freely we need access to a secure Internet. However, a secure Internet is typically far from free. Traditionally, the security industry has benefited those with the deepest pockets: after all, security controls are intended not to guarantee the protection of information assets, but rather to make a breach such a difficult and time-consuming exercise that all but the most persistent and well-funded adversaries are dissuaded. The common analogy is that an organisation with good cyber security is like a house with deadlocks and barred windows: while these protective measures can still be bypassed, your run-of-the-mill burglar is far more likely to move on to your neighbour with the rusty fly-wire door hanging off the frame. And similarly, for nation states and large businesses with billions of dollars’ worth of information assets at stake, their capacity to invest in security is unlikely to be matched by individuals or small businesses. However, the principle of maximising the cost/benefit ratio of compromise for an adversary is as relevant to individuals as it is to global corporations. Reconnaissance, zero-days, secure exfiltration, and finding a legitimate buyer for stolen cyber assets are an expensive exercise.
For criminals in 2017, it is far more lucrative to hit a thousand targets for a dollar each, using common vulnerabilities, than a single high-value target for ten thousand dollars. Of course, even some large, well-funded companies still neglect the security fundamentals, but it is undeniable that the explosive rise in ransomware and malware-as-a-service is primarily driven by the plentiful, low-hanging fruit. The unfortunate consequence is that those who can least afford to invest in security – those whose rights to Internet access are most vulnerable – are the most at risk. Ransomware is a prime example of a criminal enterprise that well and truly causes the greatest harm to the soft targets, as the ransom is proportionately so much greater for a small business or individual. As this trend shows no signs of slowing down, what can our industry do to help support the protection of online rights for the big and small alike? My proposed solution is not a technological one. Rather, we need to communicate more effectively in both our education and our collaboration, so we can remedy an environment in which companies are competing on security, which only benefits the attacker. Cyber security is perhaps one of the most esoteric fields to work in, nested within the already specialist realm of Information Technology, and drawing upon concepts (and TLAs) from the worlds of Defence and Intelligence. It is all too easy to confuse or alienate the people we should be supporting through a reliance on jargon or a lack of understanding. Robust security technologies, such as strong encryption (at rest and in transit), single sign-on services, and multi-factor authentication, are more accessible now than ever before; yet so many small businesses and individuals are still falling victim to rudimentary attacks. By emphasising education, we offer a cheap and egalitarian way of protecting online rights for those who can’t afford the latest and greatest technology. Most security incidents are due to human behaviour, resulting from phishing, social engineering, or poor removable media practice, and it is for this reason we should consider to whom we pitch our education efforts. Disassembling malware well and truly has its place, but empowering those with little to no technical understanding of the value and importance of foundational security measures, such as applying patches and not clicking links from unsolicited emails, and offering simple techniques for building strong, memorable passphrases, goes a long way towards avoiding a security plutocracy. We also need to ensure our education efforts go beyond the obligatory annual security lectures or posters with hoodie-laden teenagers swimming in glowing-green code. Achieving a secure culture is difficult, as it requires dedication and patience – you can’t simply patch your culture overnight – but informed and aware people can be the most powerful tool against compromise, for both the company and the individual. When we talk about the importance of reporting an incident, ensuring privileges are revoked, or not sharing credentials, we need to think about not just the security end-goal, but also how we make people care. Security should be tangible, relatable and personal – and if this is not the case, then the education strategy is failing. By thinking about how we frame our objectives, beyond the technologies and the bottom dollar, we can help bridge the gap between what we advocate and what people care about. While in Australia the era of brushing security incidents under the rug may be coming to an end, with mandatory data breach notification laws soon to take effect, simply being reactive to a changing security landscape isn’t enough. Many businesses still regard security as a tick-box exercise, or occasionally – and most concerning – an obstacle to them performing their core functions. If we are to ensure we are doing our utmost to make access to a secure Internet a freedom available to all, and not a privilege, we need to work together to help rewrite the security narrative, with the end user front and centre, and embrace both the rights and responsibilities of universal Internet access.


About the author

Elliot Dellys is a Senior Security Advisor for Hivint, with extensive experience delivering complex technical projects, teaching international audiences, and providing risk management and compliance advice across Government and Industry. Elliot is a firm believer that strong relationships and a collaborative culture are the keys to achieving meaningful security maturity, and enjoys writing on the more abstract applications of cyber security in the fields of politics and ethics.



Cover Feature Cyber Security

Bridging the gender gap in cybersecurity : Averting cyber apocalypse!

By Annu Singh

Cybersecurity is one of the fastest growing careers, but there is a wide talent gap. (ISC)2 suggests there will be 1.8 million job openings by 2018, an increase of 20% from 2015, while Cybersecurity Ventures predicts a shortfall that will reach 3.5 million by 2021. US News & World Report ranks careers in information security as the 5th best technology job, with salaries (in the US) averaging $88,890. However, women make up just 11% of the world’s cybersecurity workforce and just 1% in leadership roles. What is fueling this gender gap? What actions are being taken to address this? Cybersecurity Ventures predicts a doubling of costs and losses due to cybercrime, rising to $6 trillion by 2021. To fight against cyber attacks, organisations need a diverse talent pool. In this article, I will draw out some of the underlying issues, challenges and myths that have impacted gender diversity in cybersecurity and highlight some in-progress efforts to raise awareness, bridge the gender gap and build a thriving talent pool.

Factors Leading to the Gender Gap

1. Under-representation of women in STEM: The lack of women in cybersecurity can be traced back to the under-representation of women in technology and STEM in general. The National Centre for Women and Information Technology (NCWIT) says women comprised just 26% of the computing workforce in 2016. The decline in STEM participation starts as early as middle school, where many girls decide STEM courses are not for them. Initially, from the 1930s to the 1960s, computer programming was considered a job best suited to women, since they made good mathematicians. Coding was thought of as theoretical, or akin to secretarial work. However, as personal computing emerged, computer science degrees became popular. As salaries rose, more men started looking to IT as a viable career. NCWIT reports that the share of female computer science graduates fell from 37% in 1985 to 18% in 2016.

2. Lack of role models and representation in pop culture: Another factor is the limited awareness of what this field is and what it encompasses. There are no role models for women that inspire the young to strive for success in this field. In fact, most middle school girls have never heard of cybersecurity as a career option. The focus on mathematics, combined with a geeky persona, built the stereotype of what suitable cyber candidates look like: unfortunately, a young male in a hoodie. This further discourages women. As Sheryl Sandberg, author of Lean In, said in an interview, “girls don’t code because girls do not code”. While pop culture plays on the success of Bill Gates and Steve Jobs, women pioneers like Ada Lovelace, Grace Hopper, Jean Jennings (ENIAC) and Betty Snyder are lost to history. Walter Isaacson's book about the history of the digital revolution discusses how, for decades, the women who pioneered the computer revolution were often overlooked. "When they have been written out of the history, you don't have great role models" - Walter Isaacson

3. Confidence gap, or the tendency to self-exclude: An internal study by Hewlett Packard (referred to in Sheryl Sandberg’s Lean In) observed that women candidates only apply for open jobs if they think they meet 100% of the criteria. Men, on the other hand, feel confident enough to apply even if they only meet 60% of the requirements. This self-excludes women and hampers the exploration of new job roles by women candidates. Only 1% of women hold leadership roles in cybersecurity. This sends out the wrong message, that the journey to the top is rife with challenges, and adds to this budding talent seeking other fields in which to build successful careers.

4. Myth: you must be ‘technical’ to enter the cybersecurity field: Cybersecurity involves knowledge of technology, human behaviour, finance, risk, law and regulations. Cybersecurity is an interdisciplinary field with varied responsibilities like intrusion detection, secure software development, attack mitigation, policy management, risk assessment and mitigation, network monitoring and access management. Job roles are not limited to just technical skills. Candidates need deep analytical skills, the ability to converse with clients and translate technical requirements into business value (including an understanding of marketing and finance), strong communication skills, and the ability to work as a team. But the perception that you need to be highly technical to enter this field has played a major hand in discouraging women. In fact, a lot of women currently in cybersecurity are those who have switched from other disciplines and learned the responsibilities of cybersecurity on the job.

"It is important to dispel the myth that women are not interested in technology. We must document, recognise and celebrate the contribution of women in technology, past and present. Providing the right platforms that give these women visibility as leaders, speakers and subject matter experts at conferences and public events."

Developing the Talent Pool

To overcome the barriers of gender inequality, geography and access to STEM education, cybersecurity education needs to start as early as possible, targeting as diverse a range of students as possible and including hands-on experiences and training. To tackle the under-representation of females in cybersecurity, the Girl Scouts in the United States are introducing 18 individual cybersecurity badges to teach schoolchildren about programming, ethical hacking and identity theft prevention. AT&T, along with the Air Force Association, also conducts cybersecurity camps for teens, where they teach basic cybersecurity and STEM skills. In Israel, the Magshimim (accomplishers) programme develops cybersecurity skills and identifies talented high school students for recruitment by the defence department. Programmes like these not only raise awareness of potential careers in cybersecurity, but identify promising recruits for cybersecurity professions. Carnegie Mellon has developed a cybersecurity game, MySecureCyberspace Cyber-Siege, for fourth and fifth graders. The US Department of Defense has produced CyberProtect, a game focused on resource management and countermeasure decision-making. Cybersecurity storylines are increasingly featured in mainstream games such as Watch Dogs, Deus Ex, Bioshock and Fallout, which include hacking concepts.

• Industry and university collaborations: Incorporating practical learning into academic programmes would better prepare cybersecurity professionals for the real world. Various universities are collaborating with industry to develop technical security curricula for higher education that are relevant to industry. Focused degree programs in cybersecurity are now offered at graduate and undergraduate levels.

• Sponsorship from business: Several steps are being taken by businesses to help develop skills and promote talent. Symantec, IBM and Cisco have taken steps to promote and train women in cyber. Symantec partnered with NASSCOM to sponsor 1,000 scholarships for females who successfully graduate from NASSCOM's cyber security course. National hacking competitions also provide an effective channel to identify talent and develop cybersecurity skills. IBM, amongst others, has offered scholarships that cover 100% of the entry fees for women interested in attending EC-Council’s Hacker Halted conference. Programmes like this encourage women to get trained and to take up networking opportunities that help them stay abreast of the latest developments.

• In-house hiring and on-the-job training: Organisations are looking to cross-train and retrain women employees and give them opportunities, via internal hiring and in-house placement programmes, to transition into cybersecurity.

• Celebrating success: Celebrating success is vital for creating role models that garner respect. Mainstream movies like Hidden Figures celebrate the contributions and achievements of brilliant women like Katherine Johnson (Taraji P. Henson), Dorothy Vaughan (Octavia Spencer) and Mary Jackson (Janelle Monáe), who provided the brains behind one of the greatest operations in history: the launch of astronaut John Glenn (Glen Powell) into orbit. This helps create positive role models. Reshma Saujani, the founder of Girls Who Code, said, “It’s about role models. You cannot be what you cannot see.”

• It is important to dispel the myth that women are not interested in technology. We must document, recognise and celebrate the contribution of women in technology, past and present, and provide the right platforms that give these women visibility as leaders, speakers and subject matter experts at conferences and public events. We need to get away from the booth babe mentality that has plagued technology conferences for the past decade, challenging stereotypes and building positive associations of image for women who aspire to excel in this field.

• Mentoring and advocacy, men for women and women for men: This is not a journey that can be accomplished by women alone. Men and women need to ally in advocating the profession for both sexes, equally. Mentoring and speaking to raise awareness, sponsoring the right candidate and creating good role models all go a long way to help bridge the gender gap.

A continued skills shortage and lack of workforce diversity create tangible risks to organisations, and many organisations say they have already incurred losses due to the gender gap. A secure cybersecurity environment requires a robust and diverse workforce, yet there are not enough cybersecurity professionals to adequately defend computer networks. Increasing the diversity of the cybersecurity workforce will expand this talent pool and improve our chances of preventing what can only be described as the impending cyber apocalypse.

Here are a few ways to get started:

• Self-paced MOOC courses (from Coursera, Udemy, Udacity, Cyber Training 365, IBM university, CISCO Networking Academy).

• Professional certifications such as Certified Ethical Hacker and CISSP are good ways to demonstrate skills and experience.

• Join professional organisations:
a. Women in Security and Privacy (WISP)
b. Women in Cyber Security (WiCyS)
c. Executive Women Forum
d. Women in Technology (WIT)
e. Australian Women in Security Network (AWSN)

• Hands-on experience and on-the-job training, shadowing and observing in-house cybersecurity professionals, and mentoring from subject matter experts all help to boost the confidence to explore, fail, learn and implement.

• Effective incentives and talent-retention policies, with clear career progression pathways, to ensure diversity representation at all levels of management.


About the author

Annu Singh is an IT professional with a keen interest in emerging technology trends, STEM and diversity. Her work experience ranges from program and project management, quality and delivery assurance, continuous service improvement, tools and automation, RPA and Lean to high-performance team development, training and skill development.

