THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Issue #1 2019
Educating the security professional
Going beyond the SD-WAN hype in Asia
The weak link in your supply chain
Asia blockchain week 2018
High speed & subterranean transportation
Data challenges in digital forensics
Pakistan: Data protection requirements
India: The online matrimonial mayhem
ADVANCED PERSISTENT THREATS: APT10 & STRATEGIC OBJECTIVES FOR CHINA
$8.95 INC. GST
The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.
My Security Media rapidly expanded into the Asia Pacific Region with its sister publication – the Asia Pacific Security Magazine. It is published bi-monthly. It is available online to read by all, and upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.
Contents

Editor's Desk
Educating the security professional
The security professional’s best friend: Artificial Intelligence
The weak link in your supply chain
High speed & subterranean transportation
Data challenges in digital forensics
Cyber risk assessment for critical infrastructures
Connecting mission-critical push-to-talk
Crime | Security | Risk | Protection
Going beyond the SD-WAN hype in Asia: The early evangelists
Cyber Combat
Data protection requirements are need of an hour
Asia blockchain week 2018
India: The online matrimonial mayhem
Bitcoin 10 years on …
Report review - Parliamentary inquiry established to determine whether there is adequate preparation for the protection of crowded places in Western Australia

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Jane Lo, Sarosh Bana
Correspondents* & Contributors: Jane Lo*, Dipesh Ranjan, Zafar Ullah, Sarosh Bana*, David Stafford-Gaffney, Stephen Rachow, Roderick Hodgson. Also with Lizzie Damiano, Lionel Snell.

MARKETING AND ADVERTISING promoteme@mysecuritymedia.com
Copyright © 2019 - My Security Media Pty Ltd GPO box 930 SYDNEY N.S.W 200, AUSTRALIA E: promoteme@mysecuritymedia.com
All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
Editor's Desk
"The Indo-Pacific region has become the epicentre of intensifying great power competition...that's primarily China and the United States moving around.” - Nick Warner, director-general, Australian Office of National Intelligence (ONI)
Professor Graham Allison of Harvard University, author of Destined for War, studied human history over the last 500 years and found 16 cases of the Thucydides trap, where a rising power threatens to displace a ruling power. Twelve of those cases led to war. As China rises to threaten the rule of the USA, it is widely acknowledged we are indeed within a new Thucydides trap. Unless we come to terms with the need to circumvent a deteriorating cycle, the world’s two super powers are heading towards a major conflict, with a historical 75 per cent likelihood of war.

Professor Hu Bo of Peking University told BBC Radio 4 on April 4, “The harder the US push, the greater the China threat will be. The US should be more patient and calm when facing China’s rising. The US should avoid overstating China’s capabilities or judging China’s intentions just on the basis of China’s capabilities. If the US is overreacting based on its own logics and own experience, I think there is a real possibility of self-fulfilling prophecy.”

In our podcast discussion with Dr Malcolm Davis of the Australian Strategic Policy Institute, Malcolm explains, “you have a growing assertive confident China that is directly challenging U.S. strategic primacy across the Indo-Pacific region and is seeking to assert itself in and generate a new hegemonic power in Asia and from the Chinese perspective what they're doing is seeking to restore China to its rightful place as the Middle Kingdom in Asia.”

“We are most definitely in a period of strategic competition between the established superpower the United States and the rising superpower China. There's talk of the Thucydides trap whereby you have that rising power challenging the established power leading to warfare and conflict. And I think it's quite appropriate to talk about us being in a pre-war phase.”

On April 6, Australia’s ONI Director General Nick Warner confirmed to ABC’s Radio National, “Australia is facing some of the most challenging strategic circumstances that it has for decades. The world is more complex and arguably more dangerous than it was.”

Both the USA and China have already drawn seemingly immovable lines in the sand. And taking away Taiwan’s democratic independence appears most likely to be the line crossed. According to Paul Dibb, Australian National University, “There can be no doubt that China is developing the military means to attack Taiwan decisively. The US assessment is that the People’s Liberation Army is capable of increasingly sophisticated military actions against Taiwan and is overcoming its historical inability to project power across the Taiwan Strait, which is the natural geographic advantage of the island’s defence. Beijing’s options include a maritime blockade, an intense air and missile campaign to degrade Taiwan’s defences, and an outright amphibious invasion to seize and occupy key targets or the entire island.”

Dr Malcolm Davis refers to us being in Phase Zero, “shaping operations where you can do that at the strategic level through political warfare through influence operations through cyber activities and so forth. I think you're seeing all of those things happening at the moment across the Indo-Pacific region. There's focus obviously on South China Sea but they're also doing it here in Australia in terms of Chinese influence operations against our media against our academic sector against business and even politics itself. So, we are in that pre-war phase leading into the possibility of a major power conflict occurring in the next 10 years. And we need to be ready for that.”

In this issue, we cover the broad spectrum of the security domain, from educating the security professional through to how Artificial Intelligence is now the security professional’s best friend. David Stafford-Gaffney provides details on APT10, among the most motivated and capable criminal groups seeking to gain economic advantage for China through the exploitation of stolen intellectual property, and on how the group, driven by the strategic objectives of China, seeks to replicate services and products on the market to improve China’s economic position.

In Australia there are several high cost mass transportation plans being considered, such as: Melbourne underground trains ($50 billion), Brisbane Cross River Rail ($5.4 billion), and high-speed rail between Melbourne and Brisbane ($110 billion). Stephen Rachow, currently undertaking a Master of Security Management at Edith Cowan University, looks at technology advancements implementing high speed and subterranean mass transportation services for high volume people movement. With this in mind, I provide a critical and sceptical Report Review following Western Australia’s Parliamentary inquiry established to determine whether there is adequate preparation for the protection of crowded places in that state.

Jane Lo, our Singapore Correspondent, provides reports on a number of significant technology events, including BlockChain Week 2018, Cyber risk assessment for critical infrastructures and Data challenges in digital forensics, and we have reports from India, Pakistan and covering the Asia region.

And on that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.
Sincerely, Chris Cubbage CPP, CISA, RSecP,
PODCAST HIGHLIGHT EPISODES
Episode 147 – Pre-War Phase, Warfare & Cyber: Amongst Space, Air, Land, Sea, Time & Perception. Interview with Dr. Malcolm Davis, ASPI. Whilst in Canberra for the #CyberTaipan National Finals pilot program, we visited the Australian Strategic Policy Institute (ASPI) and met with Dr. Malcolm Davis, Senior Analyst, to discuss defence, cyber, space, China, USA, drone swarms and warfare tactics in this pre-war phase.
Episode 146 – High-Performance Computing (HPC) and why it matters for Australia: Pawsey Supercomputing Centre Jane Lo, Singapore Correspondent interviews Mark Stickells, Executive Director, Pawsey Supercomputing Centre, based in Perth, Western Australia. Why HPC or Supercomputing – high performance computers that perform at highest operational rate - matters to Australia’s vision for 2030 to be a top tier innovation nation, and the history behind Pawsey, HPC projects, partnerships across the world, and talent development at the centre.
Episode 145 – #GameOn with #OzCyberinUSA2019 - Interview with Michelle Price, CEO, AustCyber in San Francisco for #RSA2019 In San Francisco for the joint AustCyber and Austrade “Australian Cyber Security Mission to the USA”, MySecurity Media's Director Dave Matrai interviews Michelle Price, AustCyber CEO and discusses Australia’s position on the global cyber security stage. The discussion includes how the Australian cyber security industry has changed over the past 3 years and why Australia is an attractive destination for investment into Australian cyber security innovation. Singtel Innov8 and NUS Enterprise to deliver the ICE71 Inspire and ICE71 Accelerate programmes.
Episode 144 – #CyberTaipan joins an International program delivering a critical skills pipeline with #CyberPatriot #CyberCenturian #CyberArabia This interview with Michelle Price, Chief Executive Officer of AustCyber and Diane Miller, Director, Global Cyber Education & Workforce Initiatives for Northrop Grumman provides insight into the CyberTaipan Finals Competition held in Canberra on 16 March 2019 and the program's link to the USA, UK and Saudi Arabia.
Episode 141 – Insights to Illumio Adaptive Security Platform & Micro-Segmentation Interview with Andrew Kay, Systems Engineer with Illumio. The Illumio Adaptive Security Platform® (ASP) secures the inside of any data centre and cloud – running any form of compute – with micro-segmentation enabled by application dependency and vulnerability maps. Illumio ASP delivers micro-segmentation that is enabled by combining vulnerability data with real-time traffic visibility. This combination enables organisations to understand how their applications work, see where they are most vulnerable, and use that visibility to create and enforce microsegmentation policies.
Episode 138 – Cyber Breach Communication Playbook - In-depth interview with author Peter Coroneos This interview starts with a book review but dives into Peter's long and fascinating journey, starting as the CEO of the Internet Industry Association in 1997 and through to his observations of today's contemporary cyber environment and potential for the next cyber crisis - including an existential threat with an apparent escalating Cyber War between the major powers of USA and China. Peter is the CEO of Icon Cyber and the APAC Regional Head for CyAn CyberSecurity Advisors Network.
Episode 139 – Probable not Provable Privacy for Census Data vulnerable to attack - Chief Scientist Optus Macquarie University Cyber Security Hub Interview with Professor Dali Kaafar, Chief Scientist at Optus Macquarie University Cyber Security Hub and Professor at the Faculty of Science and Engineering at Macquarie University. Professor Kaafar and Macquarie University Lecturer Hassan Jameel Asghar, released a paper mid February, titled, ‘Averaging Attacks on Bounded Perturbation Algorithms’ that identifies and demonstrates a vulnerability of the Perturbation Algorithm used by the Australian Bureau of Statistics for its online tool, TableBuilder, that enables querying the Australian Census Data.
Episode 140 – DevOps and the journey to DevSecOps with #OzCyberinUSA2019 - Interview with Paul McCarty of SecureStack Recorded in San Francisco at the RSA Conference and part of #OzCyberinUSA2019, MySecurity Media's Dave Matrai interviews Paul McCarty of SecureStack. This is a great story about an American that’s come to Australia, become an Aussie and is on a mission to take his company back to America! Already working with a number of government clients, Paul discusses his insights into DevOps and the journey he is undertaking as part of CyRise.
Educating the security professional: Headlining graduates into the security profession By Lizzie Damiano Edith Cowan University
16 | Asia Pacific Security Magazine
M
ention the word “security” to most people and the image that usually jumps to mind is the stereotypical image of active security –a security guard, perhaps doing his rounds of the building he is protecting, or CCTV cameras or other physical equipment providing tangible security. However, security as a profession is much more than just the hardware or tangible systems that secure the assets those systems are designed to protect; indeed, for security to be considered a profession, its practices must be based on a consensual body of knowledge and educational standards, with defined concepts that form this structured body of knowledge. Security knowledge is structured and the interrelationships and interdependencies within its knowledge base is what allows for the achievement of regularity and consistency in its results. The need for security professionals to base their work upon such understanding and applied use of theoretical knowledge to methods of protection allows for a degree of prediction in their work, which in turn enhances their outputs. It is this knowledge of security theories and analysis that is the driving force behind the development of the security professional. Today, the security professional is required to operate on an abstract service level, one which involves the practice of diagnosing specific concerns,
developing a holistic protection strategy on a diverse range of projects/buildings, and designing and project managing the commissioning of complex engineered physical protection systems. Such complex tasks require an understanding of advanced technologies, analysis techniques, and communication skills to achieve their protection objectives in today’s world. Therefore, for quality work to be undertaken competently by a professional, educated, and experienced workforce, there must be individuals positioned accordingly within relevant organisations; individuals who are at the leading edge of both applied and theoretical security knowledge and who hold the ability to easily and readily transfer this esoteric knowledge. Where does an organization look for such employees that they can leverage off ? The answer is simple – graduates. Graduates come packaged with all of these required attributes, offering your organization their ready access to the codified knowledge required to base their work on, an understanding of advanced technologies and analysis techniques, and excellent communication skills. Overall, graduates are well placed to enhance your organization’s security posture through their broad, wellstructured educational basis of which they have been trained and developed in the most up to date technologies, theories,
Education
“Perth Airport and Edith Cowan University’s Security Science faculty have developed a partnership via the Work Integrated Learning program. This partnership not only benefits Perth Airport, but also ECU and most importantly, the students themselves. For the first time in the aviation security sector, this program encapsulates the critical pillars with an airport and educational institution delivering world best practice in security outcomes with educating, developing and training the future leaders of our industry.” –Tony Sewell, General Manager Security & Emergency, Perth Airport as the current profile of the security profession undergoes significant change, transitioning into a dedicated profession. Why Educate Security Professionals?
and best practice application of the knowledge domain of ‘security’. This means that they will excel in the modern security landscape in the long term, acting as force multipliers and catapulting your organisation to the forefront of the rapidly changing security profession. Security has the reputation, by professionals and laymen alike, as a ‘learnt skill’. That is, the security professional begins at entry level within the organization and learns the skills and knowledge required for implementing holistic security outcomes for clients on the job as they go. However, this idea of security being a ‘learnt skill’ is a shortfall to those organizations operating with such an outlook and is effectively hampering the industry’s ability to mature from an occupation into a profession. Such security practice at the professional level is not just a matter of common sense or extended practice; rather, it involves a complex body of knowledge incorporating specialized technical knowledge relevant to the design and maintenance of physical protection systems as well as knowledge directed towards engineering variables which are designed and applied within the system to systematically receive and defeat a dedicated adversary, all the while knowing how to manipulate the environment. It is this very core knowledge that graduates offer organizations, headlining the next level of maturity for the security industry
As the need for security has increased in the last 10 or so years around the world, dedicated teaching courses are now offered by universities, teaching security and engineering related knowledge. These courses specifically impart the necessary and complex underlying body of knowledge required for the security professional to operate at their best, in turn allowing those who undertake such study as educated security professionals to raise the standard of their hiring organization to a higher level. One of the most well-respected degrees offered within Australia is the Bachelor of Counter-terrorism, Security, and Intelligence through Edith Cowan University (ECU). This prestigious degree brings together the key aspects of security theories and knowledge required for the successful application by security professionals in their practices. The core elements of the theories underpinning security are studied in the foundation year, with specialised security units taught in the following years. These units are focused on building not just the knowledge of the student, but on encouraging the application through real-life assignments and task work. ECU’s reputation for offering industry recognised courses and job-ready graduates is well-known, and graduates from the Counter-terrorism, Security, and Intelligence degree are no exception. This course is taught by lifelong professionals with extensive experience in the areas of their teaching, meaning that ECU Security graduates are handed the skills and knowledge they can immediately begin applying to real-world problems. Instantly, this boosts the output of the organization choosing to recruit graduates, as these graduates emerge from the degree being up to date with the latest changes in the security domain. By far, the biggest value of having graduates enter the security profession is
Asia Pacific Security Magazine | 17
Education
the comprehensive knowledge, superior communication skills, and exceptional problem solving skills they bring with them, which in turn enhances the benchmark of their hiring organization. In particular, ECU’s Security degree is designed with the incorporation of a Work-Integrated Learning (WIL) placement that selected students can undertake in their final semester. This WIL placement allows students to apply their knowledge from the course in a real-world environment as they are given real problems requiring innovative solutions; for example, recently several students from ECU’s Security degree completed a 3-month placement with the operational security team at Perth Airport. The benefits of graduates having completed a placement like this prior to entering the security industry means that they have quality, real-world projects ‘under their belt’ and are even better equipped to enhance the status and operations of your organization through their transferable and ready access to a codified body of knowledge and well-developed research skills. “Perth Airport and Edith Cowan University’s Security Science faculty have developed a partnership via the Work Integrated Learning program. This partnership not only benefits Perth Airport, but also ECU and most importantly, the students themselves. For the first time in the aviation security sector, this program encapsulates the critical pillars with an airport and educational institution delivering world best practice in security outcomes with educating, developing and training the future leaders of our industry.” –Tony Sewell, General Manager Security & Emergency, Perth Airport One student who completed her WIL placement earlier this year at Perth Airport was tasked with solving a complex security problem that required the separating of certain areas of the airfield and working out how a radar solution could be utilised. 
In so doing, she undertook complex background research and, using the theoretical knowledge and skills gained through ECU’s security degree, produced a comprehensive assessment report. The end product of her work was not simply shelved and forgotten about – both the operational security team and the outside security consultancy contracted to work on the larger project, to which her work was relevant, ended up using her assessment and background research to guide their work on the project.
The Value Graduates Will Add
In many cases, those who have simply ‘learnt on the job’ often don’t understand or see the need for applying the theories and methodologies behind security risk management and collating all this information in a usable and readable manner. While these types of employees can still do their job and generate measures accordant with their expected outputs, graduates bring the added bonus of having the theoretical underpinnings necessary for them to think holistically about the problem and engineer an appropriate security solution based on sound theory and best practice. The result is a more thorough process, which in turn yields higher quality results. Graduates, particularly those who undertake placements as part of their degree, don’t just bring better flexibility or a better way of thinking about security or better problem
solving skills with them – graduates have transferable skills and will offer your organization their own, unmatched, personal drive. Fresh out of a demanding degree, they are enthusiastic and offer an innovative perspective in conceptualising modern-day solutions required of the security profession. Graduates new to the security profession come with their own unique degree of objectivity, one that has not been moulded by organisational biases that inherently will be present in those who have previously worked in the security industry. Industries targeting graduates who have successfully completed a placement prior to graduation are those organizations that will reap the richest benefits, as they will intrinsically be expanding their organization’s knowledge base through hiring individuals who can excel in the modern security landscape. In today’s world, the security professional is one who must match the demands of the fast-changing security industry while producing solutions that are aesthetically pleasing to the consumer. The security industry today is fast maturing into a profession, leaving behind its previous standing as simply an occupation. There is a fundamental need for organizations today to be embedding graduates into their organizational hierarchy, as graduates are able to implement security solutions based on sound theory and best practice that is defendable in argument. Failure of security organizations to reach out and seek such graduates will cause the security industry to remain an occupation, rather than evolve into what should be realized as a profession.
The security industry is not just about throwing physical safeguards in protective rings around buildings or assets; the security industry and, indeed, the security professional, should encapsulate the knowledge and theoretical processes underpinning the application of security in order to produce the highest quality outcomes while simultaneously cultivating an advancement of the security profession’s benchmark, moving the industry further from an occupation in pursuit of becoming a profession. Graduates offer your organization excellent leadership ability, superior communication and problem-solving skills, and most importantly, the required codified knowledge that can be immediately transferred into the security domain. The wise security organizations will be those who target Security graduates, affirming this maturity of the industry.
Frontline
The security professional’s best friend: Artificial Intelligence
By Lionel Snell, Editor, NetEvents
There used to be a simple formula for a security debate: hit them with a round-up of the year’s worst horror stories – the latest hacks, viruses and how much they cost business – then introduce the latest most sophisticated technology solutions, designed to put all that into the past. The recent NetEvents EMEA Press Spotlight Round Table discussion – The Security Professional’s Best Friend: Artificial Intelligence – added greater intelligence to the mix. It was a combination of Artificial Intelligence (AI) and human intelligence – in the form of greater realism, more recognition of the limits to what is possible. Ovum Principal Analyst, Rik Turner, discussed the challenges, the changes and the tech responses. In the 1990s, he explained, everyone was talking about prevention: “preventing the bad guys getting in, preventing malware from penetrating their networks. Their infrastructure could be safe. They could prevent all of those bad things from happening.” Instead, over the last two decades, we have moved towards a new stance. The vast majority of vendors and practitioners now admit that the best we can do at the moment is to detect and mitigate: “detect once someone’s in, move to mitigate as quickly as possible, potentially do some damage limitation, do some quarantining so they can’t run amok within your infrastructure, and then subsequently to remediate, clean them up, get them out, and start again. Until
the next breach”. That, he suggested, is really a defeat for the cyber-security industry. “It reminds me a little bit of the people defending the city of Constantinople when it was still capital of the Byzantine Empire… gradually the siege made it through the first outer walls, and drove them into the inner walls, until eventually they breached the whole thing. Notice that we use the term breach. We’ve adopted it from the world of siege warfare.” What else has changed? The amount of malware being successfully stopped by anti-virus signatures continues to fall. In 2014 Symantec, in The Wall Street Journal, was talking about 45% success: “I now think it’s between 20 and 30%, not much more, across the industry”. Then of course there is the rise of criminal gangs, hacktivists and state-sponsored malware actors with unlimited resources to play with – not to mention the availability of off-the-shelf hacking kits on the Dark Web. What’s more: “The Cloud: that makes it so much easier to go out, rent a few processors from Amazon, test-drive your new exploit before you’ve even launched it, and make sure it works.” Finally, it is not just the volume of revealed vulnerabilities, it is the sheer velocity of their exploitation: “People in security always talk about the needle in the haystack. It’s a horrible cliché, but it’s true. [Actually, later in the discussion someone amended this to “it’s more like finding a needle in a needlestack”]. In this vulnerability space there’s this
vast number of vulnerabilities [over 15,000 last year] being published but, by the same token, how do you know which ones are actually going to be exploited? …Why waste your time worrying about all the others when there are only 1.9% being exploited?... Also the speed at which the ones going to be exploited are exploited is ever-greater. So you’ve got less time to decide which ones you need to focus on.” Turning from prevent to detect and mitigate, he outlined current approaches. First, sandboxing: “You’d rolled a big box in, put it on your network. Anything that looked vaguely dodgy that you could not actually guarantee was malware, you could put it in there, carry out a controlled explosion, and check whether or not it actually was malicious. It was very fashionable for a while, they sold a hell of a lot. Then, the malware guys started writing malware that knew it was in a sandbox, and played dead, effectively, or played good, however you want to put it, so that it was released out into the wilds…” ‘Knowing it is in a sandbox’ sounds like a great example of artificial intelligence – but in the wrong hands. His example of AI learning in the right hands is User and Entity Behavioural Analysis (UEBA), a system that looks at everything done on the network by each user or system and learns what is “normal” behaviour. It can then flag a warning about any out-of-the-ordinary behaviour: “It might be your email server suddenly starts to download the entire
payroll database. That’s an entity acting a bit dodgy”. Another information-based response is called “threat intelligence”. It starts with a ton of data and then intelligently narrows it down. He gave the example of a bank branch wanting details of every bank robber alive today, then filtering out those that are currently in prison, and then reducing the field further by singling out those living conveniently close to the branch. Both these information-based approaches are best served by AI machine learning that sorts through loads of data looking for recognisable patterns – just the sort of data-crunching that becomes incredibly tedious for an intelligent human. Add to that the pressures already mentioned – volume and velocity of vulnerabilities – and this is the sort of process ideally suited to automated AI. AI’s immediate value is that it narrows down the search within a mine of data: like a magnifying glass focused on the most likely area for finding that needle in the needlestack. But can it extrapolate that analysis into useable predictions? “The promise of artificial intelligence down the road is that it might actually get us to some data science where we can start making some realistic predictions about what is the most likely attack on you, what is the most likely vulnerability to be used against you, and those kinds of things. Now, I’m not suggesting for a moment that that’s where we are today, but that’s what people are talking about, and what they are suggesting is possible”. Possible, but is it imminent, or even likely? Jan Guldentops, BA Test Labs’ Director, with some twenty years’ hands-on security experience on “both sides of the wall”, said: “Artificial Intelligence is the next bullshit term… It’s IoT, it’s cloud, it’s something that broad that we understand it, but we don’t really know what it’s about? We’ve been doing machine learning in the security industry for 15 years.
Your anti-spam is based on machine learning… The second thing we have to remember is, it’s a tool. It is not magic… we’re 20 years, 30 years away from real artificial intelligence.” Roark Pollock, Ziften’s Marketing SVP, agreed that AI techniques have long played a major part in cybersecurity, but the difference is that the heavy number crunching – the level that once required supercomputers to identify attack signatures – can now take place at the edge. “I can now run artificial intelligence models or machine learning models on those end-points without bringing that device to its knees. I can run machine learning as a security tool on your endpoint, your Apple, your servers, your cloud virtual machines, and it only takes up less than 1% of the device. It doesn’t kill the device from a processing standpoint.” He pointed out that there was no question that signature-based detection worked; it was just that it was a slow process to identify and broadcast these signatures. Meanwhile, other
protection was needed to cover that gap. Another sensitive area where AI had a role was around the big increase in fileless attacks, which do not hang around in storage waiting to be discovered, but go straight to memory, without any user action. Secrutiny Founder and CEO, Simon Crumplin said “the reality is, not all threats are risks to organisations. What surprises me about our industry is, we spend so much time talking about malware… But actually, to materially breach an organisation, malware’s just the start, and we spend all our time and focus around this - I call it threat propaganda.” His subsequent argument reminded me of the story of the two blistered barefoot sages trying to solve the world’s problems: the one suggested killing all the cows in the world so that the land surface could be covered with leather, making it more comfortable for walking. The second sage said he’d rather kill just one cow to make leather sandals for their feet. Crumplin suggested that, for all the talk about better technology: “to determine their risk and their risk appetite with the business is the primary thing organisations have got to do and understand. They can then make investments that are meaningful to mitigate just those risks.” A more extreme version of this novel approach came later from the floor: “What we’ve seen over the last three years is a number of research studies highlighting the fact that security breaches, security vulnerabilities, database theft, credential threat, credit card loss, has zero impact on the bottom line of companies, has zero impact on share price.... No one cares about IT security because it has no impact on the business at all. In fact, companies who suffer major breaches, and get substantial amounts of press coverage because of it, actually grow as a result of that business”. 
This was clearly an overstatement because, as Guldentops and Pollock pointed out, the loss of trust and reputation is bad damage that is not so easy to quantify and dismiss. But it did make a very interesting point. It marked the sort of radical re-thinking that is most needed when technology reaches an impasse or crisis point. Is it not time we forgot about leathering the globe and took a closer look at our feet? Jan Guldentops suggested another important role for technology. Whereas people sometimes cry out for more security specialists, what is really needed is more automation: “We need to automate simple things, like configuration management. Like log analysis. Let’s not call it AI yet.” This was made more urgent by the pressures for compliance, as with GDPR where: “First of all, you need to report a data leak within 72 hours. Of my customers, maybe 15% is capable of doing that.” Later commenting: “Code compliance is a perfect area for machine learning and natural language processing”. Pollock took up the latest scary figures for the number of security alerts, saying that this was partly a consequence of the shift from prevention to detection: “One of the reasons we have so many alerts these days is, we’ve got a lot better at identifying issues after they happen… moving from prevention to detection and response. If we’re finding things that are going on, we’re finding more alerts.” The audience Q&A that followed began with a reminder that, in the search for new solutions, we should not forget the traditional perimeter solutions that are still doing a good
job. Machine learning is being vaunted all over the place, but there are only so many attack paths actually being used: “there are only so many low-hanging fruits, and criminal hackers are into minimax – having maximum result with minimum effort.” So every old perimeter hurdle still plays some part in deterring them. Otherwise, let’s end with another radical observation from Guldentops that truly reflected what we had heard in this session: “One of the big evolutions between the ‘90s and now is that the security industry has become more modest. In the ‘90s, you could have someone on stage arrogantly saying they had the solution for everything…” The full transcript of this session is available now as well as a short video discussion.
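The per-entity baseline behind UEBA, as described in the article, shown here as an added example (not code from the panellists or from any product). Entity names, resources, byte counts and the alert threshold are all constructed for illustration, and the volume check uses a median/MAD robust z-score, which is one common choice and an assumption of this sketch.

```python
"""Per-entity behavioural baseline, in the spirit of the UEBA description above.

Added illustration: every entity name, resource, byte count and threshold
here is constructed for the example and comes from no real product or log.
"""
from collections import defaultdict
from statistics import median

MB = 1024 * 1024


def constructed_baseline():
    """Fourteen days of constructed 'normal' telemetry: (day, entity, resource, bytes)."""
    events = []
    for day in range(1, 15):
        wobble = (day * 37) % 40  # deterministic day-to-day variation, 0..39
        events.append((day, "mail01", "mailstore", (180 + wobble) * MB))
        events.append((day, "mail01", "directory", 5 * MB))
        events.append((day, "hr-app01", "payroll-db", (30 + wobble // 2) * MB))
    return events


# Constructed day under test: the mail server pulls about 5 GB from the payroll database.
TEST_DAY = [
    (15, "mail01", "mailstore", 200 * MB),
    (15, "mail01", "payroll-db", 5000 * MB),
    (15, "hr-app01", "payroll-db", 45 * MB),
]


class EntityProfile:
    """What one entity normally does: which resources it touches, how much it moves."""

    def __init__(self):
        self.resources = set()
        self.daily_bytes = []


def learn(events):
    """Build one profile per entity from the learning window."""
    profiles = defaultdict(EntityProfile)
    per_day = defaultdict(int)
    for day, entity, resource, nbytes in events:
        profiles[entity].resources.add(resource)
        per_day[(entity, day)] += nbytes
    for (entity, _day), total in per_day.items():
        profiles[entity].daily_bytes.append(total)
    return dict(profiles)


def robust_z(value, history):
    """Distance from the entity's median daily volume, in MAD-based units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 scales MAD to a standard deviation; fall back if history is flat.
    scale = 1.4826 * mad or max(med * 0.05, 1)
    return (value - med) / scale


def evaluate(profiles, day_events, z_threshold=6.0):
    """Compare one day of activity with each entity's own baseline."""
    totals = defaultdict(int)
    touched = defaultdict(set)
    for _day, entity, resource, nbytes in day_events:
        totals[entity] += nbytes
        touched[entity].add(resource)
    alerts = []
    for entity in sorted(totals):
        profile = profiles.get(entity)
        if profile is None:
            alerts.append((entity, "no-baseline", "entity never seen during learning"))
            continue
        # A resource is only "new" relative to this entity: payroll-db is
        # routine for hr-app01 and out of character for mail01.
        for resource in sorted(touched[entity] - profile.resources):
            alerts.append((entity, "new-resource", resource))
        z = robust_z(totals[entity], profile.daily_bytes)
        if z > z_threshold:
            alerts.append((entity, "volume-spike", f"robust z = {z:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(learn(constructed_baseline()), TEST_DAY):
        print(alert)
```

The same payroll database access that raises two alerts for the mail server raises none for the HR application, which is the practical difference between a per-entity baseline and a static rule on the resource.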
National
The weak link in your supply chain
By David Stafford-Gaffney
A successful business usually has unique elements that differentiate it from its competitors. It could be a unique product formula, or perhaps a unique way of servicing an untapped market. Most of these modern products or services are accompanied by marketing collateral, often describing their wares as Impressive, Powerful, and Advanced. Behind these businesses are founders with unique attributes that set them apart from the rest. They believed in something so much they were unfaltering in their conviction to be successful. The motivation to achieve their goals was so focused that they ultimately succeeded. The kinds of words people use to describe these entrepreneurs are Passionate, Driven, and Persistent. Every successful business understands the value of knowledge, and the SWOT model used to describe positive and negative, internal and external impacts on the business is cognizant of that value. Each and every business owner at some point has assessed their company’s Strengths, Weaknesses, Opportunities and Threats. Unfortunately, though, most businesses don’t always look at all the threats their organisations might
face. Well, not the way cybersecurity people do, and that’s where this story leaves the comfort of uplifting motivation, glorification of hard work and tenacity, heading south to the land of cyberattacks, cybercrime and online extortion. Advanced Persistent Threats (APTs) are among the most motivated and capable criminal groups around. They’re often supported by their governments, typically have organisational structures in place and are well funded. Their motivations range from espionage and financial gain to political disruption and influence. APTs are often given names and numbers, typically because there is a wealth of information about them and there are so many of them that researchers need to be able to differentiate them. APT10 is one that has made recent headlines. They follow the same principles as above: their people are passionate and driven, immensely focused, and conduct sustained campaigns with razor-sharp precision and a ruthlessness for attaining their own objectives. Their differentiator, however, is that they like to use your suppliers to gain access to your networks and information. Specifically, they seek to gain economic advantage for China through the exploitation of stolen Intellectual Property. The same property,
you’ve dedicated part of your life to creating, the same intellectual property that your entire business trades off. The compromise of a service provider or supplier of any kind, be it hardware, software or services, is known as supply chain compromise. APT10 is not the first fairly publicised example either. Huawei have made headlines before for their alleged supply chain compromise of hardware through the use of chips containing backdoors. This is a hotly contested topic and, regardless of the outcome, it emphasizes the risks that are associated with your supply chain and how seriously organisations and governments treat the threat to the supply chain. In a PwC report, APT10 is attributed with:
• Continued campaigns against Managed Service Providers (MSPs) since 2016 and possibly as early as 2014
• As part of a 2016 intensification of capability and scale, APT10 introduced new bespoke tools (malware and other attack methods)
• Through the compromise of MSPs, both MSP and customer data has been exfiltrated and moved around the world
• APT10 is very likely to be well staffed with strong logistics support, increasing over time since 2014 with a larger than normal increase in 2016
• APT10 is suspected to include many teams to support the operations, including malware development, target research and analysis, infrastructure operations management and more.
APT10 has many alleged objectives and economic advantage is definitely one of them. Most likely driven by the strategic objectives of China, they seek to replicate services and products on the market today to improve China’s economic position. So what does that mean for their targets, you and your businesses? It means your Intellectual Property (IP) is in their sights and ultimately the viability of your business once a Chinese manufactured replica hits the market is at risk. Pleasingly the ISO standard (and others) offer guidance for the management of suppliers. The creation of a Supplier Security Policy is a good place to start and the following 11 step plan should help you create it:
1. Document your providers and the services and products they supply your organisation, remembering that this may not be just IT. Consider financial services, auditors, any business that has access to your information.
2. List them in order of the amount and type of information they have access to and document it. Amount might be number of records or even more qualitative than that, and you might rate them from most information to least information. Type might be: website files, financial information, IT systems, medical files, etc.

Now think about what you might expect from them from a security perspective. This is regardless of what may or may not be in any agreements you currently have with them. Consider the following:

3. They should be reviewing and revoking access to your information when people leave their organisation.
4. You may consider requiring that they use multifactor authentication when accessing systems and information within your organisation. This means they need a username and password as well as another mechanism to confirm their access. It might be a token on their phone or a fob they have or an SMS code they get sent.
5. When they have an incident that impacts one of the people that has access to your organisation’s information, you should be informed.
6. You may require that they are certified against a security standard such as ISO27001 or ask to see their security related policies. Not necessarily a copy of them but at least sight them.
7. You may require them to practice effective risk management and ask to sight their documentation and/or risk register.
8. As part of monthly meetings you may wish to discuss risk management and work through relevant risks either party has raised.
9. State appropriate methods for sharing information with you. What type of information is not acceptable to send via email?
10. You may decide to have them report monthly on some or all items within this policy.
11. You may state the right to audit them against their compliance to this policy.

Threats to your business are not always overt and clear. This article highlights the risk that is present in your suppliers. Take some time out to work on the business and think about the suppliers you engage. Pick up a copy of the signed terms of business or contractual artefact and re-read it with this new information in mind. What access do they have to your network? How do they get in? Do they review who in their teams have access? If one of the people that has access to your network is involved in a phishing scam, do you expect them to let you know? The point is the threat is real, it is happening and arguably, it is no longer a risk, it is now an issue!
Time to act and find the weak link in your supply chain.
High speed & subterranean transportation: Technology advancements for the future
By Stephen Rachow
Global population growth and continual technology disruption mean densely populated cities are implementing high speed and subterranean mass transportation services for high volume people movement. A shift away from traditional ground surface transportation brings its own vulnerabilities, requiring review and implementation of counter-terrorism, security, and safety measures. Capitalising on disruptive technology advancements allows exploitation of science from many industries into the security context to mitigate risks associated with these new transportation forms. Consistent with Sun Tzu’s philosophy, mitigation measures need to be implemented strategically in a sophisticated fashion so that they do not expose or create other areas of weakness. Sun Tzu stated, “Should an enemy strengthen his vanguard, he will weaken his rear, should he strengthen his rear, he will weaken his vanguard, should he strengthen his left, he will weaken his right, should he strengthen his right, he will weaken his left, if he sends reinforcements everywhere, he will everywhere be weak.” Displacement of crime or displacement of targets in terrorism driven offences is a real issue, and while catastrophic risk contexts such as terrorism drive the initial implementation, we see the focus shift towards combating serious organised crime as well. Accordant with societal risk management and Garcia’s maturity model of security technology, advanced security commences at defined high-risk facilities (airports, government critical infrastructure sites), but as it matures and costs reduce, derivatives are used across lower risk contexts (places of mass gatherings [PMGs] such as stadiums or transportation hubs). This means that in accordance with security principles, utilising advanced security technology will enable strengthening through exploiting the capabilities of automation in systems at the concentrated higher and lower risk points without weakening resources from other security areas.
Advances in Security Technologies
Robotics, software-based intelligence, sensing and recognition devices, and self-learning systems are founded on the concept of automation and are change drivers providing the platform for significant digital transformation over the next 30 years. Predictions such as ambient computing, ambient intelligence, and transhumanism bring with them augmentation extortion and corruption, increasing vulnerabilities for both cyber and physical security systems. Harnessing technology advancements by fusing various automation security systems enhances threat detection to align with developing superpowers and their associated threats.
Australian Transportation Vulnerabilities
Within Australia, several high cost mass transportation plans are being considered, such as: Melbourne underground trains ($50 billion), Brisbane Cross River Rail ($5.4 billion), and high speed rail between Melbourne and Brisbane ($110 billion). The high speed and subterranean nature cultivates new vulnerabilities including opportunities to: inflict harm or death to mass numbers of people in enclosed underground and less escapable PMGs situations; cause significant public fear and anxiety with symbolic statements that resonate terrorist objectives; affect more damage to critical infrastructure from the consequences of attacking vehicles running at high speed; and, jeopardise the economy from significant monetary losses against the high costs associated with building and managing this type of transportation if a successful terrorism attack should occur. In addition, there exists the vulnerability of exploitation by organised crime for economic reasons, which where possible, should be countered.
Threats to High Speed & Subterranean Transportation
By nature, these transport systems are open to the public, very accessible and vulnerable to attack.
As such, a significant threat is the ability for motivated offenders to carry explosives, weapons, drugs or alcohol in a concealed manner in baggage or under clothing without being detected into
restricted areas (rail corridor, driver cabins, and critical infrastructure locations) and unrestricted crowded areas (stations, platforms, trains, buses, and ferries). These vulnerabilities and threats are heightened by the lack of regulated security screening within transportation hubs compared to regulated security measures in airports. Consistent with Australia’s Strategy for Protecting Crowded Places from Terrorism (ANZCTC), in non-regulated environments emerging technologies can be embraced to achieve high detection probabilities for less cost than regulated screening points. This strategy may include Thermal Imaging technologies coupled with traditional CCTV and anomaly recognition software, such as Commodity WiFi, and Biometric Recognition, that all align with the principle of ‘implementing cost effective open environment protective security’. Implementation of these technologies has many advantages with successful outcomes published in research literature, capitalising on automation principles to counter present and future developing threats.
Thermal Imaging
CCTV for human and object detection and tracking in PMGs, even with automated algorithms to translate raw data into specific structured information with only minimal manpower required, still has significant downfalls with camouflage tactics, poor quality video resolution, and high false alarms with susceptibility to environmental weather and lighting conditions. Thermal Imaging when fused with CCTV provides more accurate offender and contraband object identification measures to build on the concept of CCTV but minimises nuisance alarms or misdetections which undermine security systems. Analysing a change from stable infrared waves to interfered thermal waves (produced by humans or objects) through algorithms and intelligent analysis allows accurate detection, identification, and alarm triggering of an offender or contraband substance compared to other environmental noise or disturbances.
Essentially, fusing the fields of view of these two systems provides excellent technology for more accurate threat detection in crowded unregulated transportation environments and automation features minimise possible human errors of a manual system.
Commodity WiFi & Biometric Recognition
Commodity WiFi involves using off-the-shelf commercial devices as an overt or covert sensing technology to differentiate stationary and moving objects in an environment through absorption, reflection and refraction characteristics of signal propagation. Essentially channel state changes can automatically differentiate material and object properties to identify concealed or line-of-sight metals and liquids (weapons or explosives). Accuracy, feasibility, and the significant advantage of detection without disrupting people movement in largely complex environments, is an effective means of contraband detection in PMGs. However, one major limitation is the inability to differentiate types of liquids and therefore volume restrictions must be used as part of intelligent analysis. Nevertheless, alarm notification to
suitable guardians within stations and on vehicles would be highly responsive. This technology can be linked to support an access control policy for entry control through automated verification. A fused input system would not only control unauthorised access based on biometric recognition, but rule programming to deny access to persons who have been detected as carrying contraband substances (both authorised and unauthorised) would counter limitations of a sole biometric system that can be easily overcome with, for example, latex fingerprints or Trojan horses that override the system.
Future Considerations
Significant vulnerabilities in the high speed and subterranean context, for example, multiple entry points to enclosed locations with ample opportunities and motivations for offenders, mean the ability to screen people and baggage and detect contraband substances prior to underground station access, entry onto high speed rail, or intrusion to unauthorised areas should be of significant importance. While CT scanners have been recently endorsed in Australian airports as a successful method of detecting body packing or baggage concealment of contrabands, logistical implementation within high speed and subterranean transportation that has significantly more people and less physical space is less feasible at this time. Therefore, government project development for new transportation systems must plan for implementation of emerging security technologies in the design phase of future developments. Similarly, new security technologies should also be considered for implementation at existing transportation hubs. Endorsement of advanced technology has already been seen by the TSA in the US with implementation of security screening technology, known as ‘Stand Off Explosive Detection Technology’ in New York and Los Angeles.
With significant threats, developing vulnerabilities, and unskilled offenders targeting easily accessible crowded locations with low tech weapons, it is recommended that governments and organisations not only embrace advanced security technologies as part of policy and project management for these new transportation forms, but pursue the fusing of multiple technologies to achieve superior security and safety outcomes in detection, surveillance and control of threat items in mass transportation services. About the Author Stephen Rachow BCrim (CCJ) is the Security Analysis Team Leader at Queensland Rail and is currently undertaking a Master of Security Management at Edith Cowan University under Dr Michael Coole. Stephen has an extensive military background and security experience with a keen interest in intelligence-led counter-terrorism and security intelligence analysis for enabling organisational resilience.
Cyber Security
Data challenges in digital forensics

In 2013, in what the prosecution described as “the largest, most prolific cyberattacks ... against IT systems in Singapore”, as many as 19 government websites were taken down, servers of a town council website were illegally accessed, media blogs, server containing confidential data belonging to 650 of Standard Chartered Bank’s clients was compromised. The hacker “The Messiah” was caught and sentenced to nearly five years in jail, after pleading guilty to 39 charges under the Computer Misuse Act. This Act, together with the recent Cybersecurity bill and Personal Data Protection Act, adds a further dimension to Singapore’s data privacy, cybersecurity and cybercrime legal framework, reflecting the increasingly digital era we live in.
Jane Lo, APSM Correspondent

The High Technology Crime Investigation Association (HTCIA) Singapore Chapter 2nd Annual Conference, hosted by Deloitte (29th November 2018) in the heart of Singapore’s Commercial Business District, was timely and informative on recent regulations and bills passed in Singapore and globally:

• the EU General Data Protection Regulation (GDPR), which came into force in May 2018, with new measures such as mandatory breach reporting.
• Singapore’s Cybersecurity Act 2018, which came into force on 31 August 2018, in which the relevant CII owners are subject to statutory duties to comply with codes and directions, and report incidents to the Commissioner of CyberSecurity.
• amendments to Singapore’s Computer Misuse and Cybersecurity Act in 2017, such as making it an offense to trade in, for example, hacked credit card information, or to deal in tools such as malware and port scanners for hacking use.

Enforcement was also a topic of focus. While information sharing and training to keep up with technological changes and the latest criminal tactics are necessary, digital forensics also plays an important part.

Digital forensics is not straightforward in this Internet-of-Things era, where the rapid pace of innovation means a relentless proliferation of devices. Aside from ensuring a robust chain of “digital asset and data” custody to avoid allegations of evidence tampering (as with physical evidence), the extraction of this evidence is notoriously challenging.

Terry Loo (VP Sales, APAC, Cellebrite) at the Counter Terror Asia Conference (CTAC) 2018 (Marina Bay Sands, 4th-5th December 2018) pointed out that for most cases, the initial problem to overcome is gaining access to the device and its data.

Coping with variety is inevitable. Each new feature, hardware, operating system and application requires the development of new tools and techniques. Additionally, as case evidence typically resides on several devices, the ability to integrate data from these heterogeneous sources for analysis is crucial.
Digital data intelligence gathering also means processing unstructured and contextual information, corroborating consistencies, correlating identities / locations / timings, and frequently also recovering deleted data. The process is performed on multi-platforms, multimedia, and multi-channels, including social media. In fact, the growing use of social media as a channel for groups to recruit new members and to intimidate opponents is exemplified by the live-streaming of the perpetrator of the 2015 Paris attacks.

Clearly, intelligence gathered helps in counter-surveillance to thwart the Terrorist Planning Cycle. Moses Remero, speaking on “Counter-Surveillance against Hostile Surveillance in Soft Target Businesses”, explained this as “the measures taken, mostly by intelligence agencies, police, or military units, to conduct surveillance operations … to observe, follow, and collect evidence for an arrest, litigation or so on.”

Terry also pointed to the Manchester terror attack in 2017, in which “hundreds of devices were seized, and data extracted and triaged, which helped to prevent immediate simultaneous attacks, and identify sleeper cells involved while leaving others untouched for monitoring.”

With voluminous data, automating the organization of digital data for meaningful cross-referencing and triaging, instead of the time-consuming manual search process, is critical for effective and timely action.

“Machine learning algorithms can automatically detect and pinpoint images that contain similar items such as faces, objects, symbols and themes. Immediate identification of only the relevant media items saves investigative cycles. Expanded language search capabilities including enhanced Arabic OCR (Optical Character Recognition) and key-word search that immediately identify text and image artifacts that contain Arabic textual elements significantly reduces time spent on manual searches,” said Terry.

As digital data plays an increasingly important role in investigations and operations, the challenge of storing the voluminous digital evidence cannot be underestimated. As more look to Cloud, governance becomes an important aspect of the operations.

“Many customers believe that once they signed up with a Cloud Service Provider (CSP), the responsibility of the data and applications; incident response and forensic investigation lies with CSP. But almost all CSPs set a clear line of their responsibilities in their contracts, so it is important for customers to work with their CSPs to define the boundaries of respective parties and the areas of joint responsibilities and develop an incident response approach with clear understanding and communications,” stressed Felix Lum (HTCIA Singapore Chapter, President).

Today’s forensics data easily ranges from several gigabytes on a single device to multiples of petabytes across digital services. With higher speeds of connectivity enabling more communication and transmission of digital data, the storage practicalities and governance are undoubtedly a next challenge for law enforcement agents to tackle.
Cyber risk assessment for critical infrastructures
Jane Lo, APSM Correspondent

Critical infrastructures are “luxurious targets”, said Ido Yitzhaki (VP Business Development, ODI Ltd) at the second edition of Asia ICS Cyber Security Conference 2018, held at Resorts World Sentosa, 19th-21st Nov 2018.

When the Black Energy malware struck the Prykarpattya Oblenergo power plant in Western Ukraine, reports indicated a spear phishing campaign was the initial point of compromise. 3 years later in Oct 2018, Ukraine critical infrastructures were attacked again, this time by Grey Energy malware. While an evolved and more sophisticated variant, the malware relied on the decades-old social engineering technique to gain access to the network – phishing. Stuxnet, which hit the Iranian Nuclear Power plant in 2010, was delivered via a USB thumb drive into computer systems in the facility.

These episodes highlight that despite “air-gapping” – a physical separation of the network controlling the critical infrastructure (commonly referred to as operational technology) from the corporate infrastructure (or corporate information technology) – cyber attacks on critical infrastructures are still on-going. These case studies illustrate two main reasons for the occurrences:

• heavy reliance on mobile devices for data exchange (legitimate or otherwise) – including USB thumb sticks – which facilitates the malware infiltration, or
• infiltration via insider threat through the inadvertent clicking on malicious emails (or phishing), which opens up initial entry points for attacks to gain remote access, conduct more reconnaissance and, in many cases, gain understanding of network architectural designs and activities and personnel credentials.

Increasing awareness of phishing campaigns, instituting a mobile device security policy, or encrypting emails to preserve confidentiality are some standard first lines of defence against cyber attacks.

What about Penetration Testing?

The air-gap design prompts many to argue whether penetration testing, typically focused on internet-connected networks, is useful for a network that is not connected to the “outside” world.

Operational technology is typically multi-vendor and non-homogenous and, as in any corporate network, legacy equipment adds to the complexities of integration. Inherent shortcomings that are forgotten, unnoticed or simply disregarded become back-doors for malicious actors to gain unauthorized access and become real vulnerabilities in these architecture perimeters. Penetration testing, therefore, is an additional line of defence against cyber attacks on the critical infrastructure.

David Ong (Attila Cybertech, CEO; “OT systems: To pen-test or not to pen-test?”), referring to the “Penetration Testing of Industrial Control Systems” by Sandia National Laboratories (2005, David P. Duggan, Michael Berg, John Dillinger, Jason Stamp), stressed “performing network penetration testing on operational systems should be taken with a clear understanding of the testing actions”.

These systems control physical processes and can cause real world consequences beyond waste and equipment damage: health and safety risks. Some are time-sensitive – such as those powering air traffic control compared to a local train network; some depend on specific external environmental factors for safe operations – such as requiring water at a certain pressure
or temperature. A clear understanding of the possible consequences of actions, whether spurious or otherwise, activated during penetration testing should be formed prior to conducting the testing. For example, identification of networks, hosts and nodes in the Corporate IT environment typically involves a Ping Sweep, but scanning may overload the system in the OT environment, where legacy equipment is constrained by limited bandwidth.

For the operational network, the first step is not necessarily different than for a corporate network: identify the assets, the threats to these assets, the vulnerabilities and the potential impacts. The assessment is conducted at a regular frequency to reflect changes (e.g. additional vulnerabilities uncovered by the penetration test).

Cyber Risk Impact Assessment

Yosi Shavit (Department of Cyber Defense, Ministry of Environmental Protection, Israel) presented a detailed Risk Assessment approach in his talk “ICS Cyber Security Methodology & Regulation”.

The standard risk assessment is derived from probability and impact measurements of an event occurring. In the context of the “ICS Cyber Security Methodology & Regulation”, probability is derived through a series of questions.

“For example, HMI (Human machine interface) stations technical support that comprises only employees has the least exposure, whereas constantly changing external suppliers has the highest exposure; an asset linked to the Internet, yet having no defense mechanisms, is highly exposed to cyber-attacks, while an asset isolated in a secured room is less exposed; an asset with orderly full updates and security patches is less exposed than one that is partially updated with no regular schedule”.
Impact measurements in the operational technology environment include considering “atmospheric conditions (wind direction and intensity), location (Including height above sea level), container (shape and dimensions of the container of hazardous material) and spreading algorithm (Gaussian dispersion, Heavy Gas dispersion)”, he added.

These critical infrastructure “SRP” (Safety, Reliability, Productivity) impacts are linked to the classic information system security triad “CIA” (Confidentiality, Integrity, Availability) in a Cyber Risk Assessment. He further explained:

• Confidentiality (what is the level of damage caused to the plant following data leakage from an asset?)
• Integrity (what is the level of damage of a cyber attack, causing disruption of processes related to hazardous materials, such as uncontrolled change of temperature or pressure?)
• Availability (what is the level of damage to the plant caused by a long-term system shutdown?)
A significant impact could include a scenario where there is a clear and present health and safety danger; a low impact could be where the damage requires minimal time and resources to recover from. Financial consideration is typically an additional factor in the impact assessment. A further interesting deviation from a standard risk assessment is a scaling of the impact by a factor of 3, to reflect the higher consideration attached to human life where attacks to critical infrastructure are concerned.

Delegates at the Asia ICS Cyber Security Conference 2018, held at Resorts World Sentosa, 19th-21st Nov 2018. Photo Credit: Asia ICS Cyber Security Conference 2018

Dan Ehrenreich and Chris Cubbage at the Asia ICS Cyber Security Conference 2018, held at Resorts World Sentosa, 19th-21st Nov 2018.

While performing the impact assessment helps the organisation identify the assets to be protected, the protection level, and the protection gaps (such as running automatic updating of all systems for identifying and preventing malicious code), it is well recognised amongst professionals that there is no 100% security.

So …. most importantly, test the Recovery Plans!

Recovering from cyber events (or incident response) is a necessary aspect of a security framework, and best practices include regular testing of recovery plans to enhance understanding of the infrastructure, tools as well as the communication protocols.

“Exercise Cyber Star” carried out by The Cyber Security Agency of Singapore (CSA) last year is one example. For the first time, all 11 agencies and owners under the Critical Information Infrastructure (CII) sectors in Singapore were tested on their incident management and remediation plans in response to simulated cybersecurity incidents like a malware infection or a DDoS.
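The risk assessment described in this article, worked through as an added example (not code from the talk or from the magazine): exposure questions give a probability score, the CIA questions give an impact score, and impact is multiplied by 3 where life is at risk. The 1 to 3 scales, the middle answers, the averaging, the treatment of unanswered questions as worst case, the reading of the factor of 3 as applying to health-and-safety scenarios, and the sample assets are all assumptions.

```python
from dataclasses import dataclass

# Every number and answer label below is an assumption made for this example:
# the article names the factors but publishes no scoring scheme.
LIFE_SAFETY_FACTOR = 3  # the factor of 3 the article attaches to human life

# Exposure questions, scored 1 (least exposed) to 3 (most exposed).
# The end points of each scale follow the article's quoted examples;
# the middle answers are hypothetical.
EXPOSURE_QUESTIONS = {
    "support": {"employees_only": 1, "fixed_supplier": 2, "changing_suppliers": 3},
    "connectivity": {"isolated_secured_room": 1, "internal_network": 2,
                     "internet_no_defence": 3},
    "patching": {"full_scheduled": 1, "partial_unscheduled": 3},
}
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    answers: dict              # question -> answer label; missing = not yet assessed
    impact: dict               # CIA dimension -> damage level 1 (low) .. 3 (significant)
    life_safety: bool = False  # True when a scenario endangers health and safety


def probability(asset):
    """Mean exposure score; an unanswered question counts as worst case."""
    scores = []
    for question, scale in EXPOSURE_QUESTIONS.items():
        answer = asset.answers.get(question)
        if answer is None:
            scores.append(max(scale.values()))  # unknown exposure is not low exposure
        elif answer in scale:
            scores.append(scale[answer])
        else:
            raise ValueError(f"{asset.name}: unknown answer {answer!r} for {question}")
    return sum(scores) / len(scores)


def impact(asset):
    """Worst of the three CIA damage levels, scaled where life is at risk."""
    for dim in CIA:
        if asset.impact.get(dim) not in (1, 2, 3):
            raise ValueError(f"{asset.name}: {dim} impact must be 1, 2 or 3")
    worst = max(asset.impact[dim] for dim in CIA)
    return worst * LIFE_SAFETY_FACTOR if asset.life_safety else worst


def risk(asset):
    """Risk as probability times impact, rounded for reporting."""
    return round(probability(asset) * impact(asset), 2)


def rank(assets):
    """Assets ordered from highest to lowest risk, as (name, score) pairs."""
    return sorted(((a.name, risk(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample assets, not taken from the article.
ASSETS = [
    Asset("HMI station",
          {"support": "changing_suppliers", "connectivity": "internal_network",
           "patching": "partial_unscheduled"},
          {"confidentiality": 1, "integrity": 3, "availability": 2},
          life_safety=True),
    Asset("Chemical dosing PLC",
          {"support": "employees_only", "connectivity": "isolated_secured_room",
           "patching": "full_scheduled"},
          {"confidentiality": 1, "integrity": 3, "availability": 3},
          life_safety=True),
    Asset("Historian server",
          {"support": "fixed_supplier", "connectivity": "internet_no_defence"},
          {"confidentiality": 2, "integrity": 1, "availability": 2}),
]

if __name__ == "__main__":
    for name, score in rank(ASSETS):
        print(f"{score:6.2f}  {name}")
```

With these sample values the isolated, fully patched dosing PLC still ranks above the Internet-facing historian, because the life-safety factor outweighs the difference in exposure.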
Connecting mission-critical push-to-talk with enterprise grade apps

When lives depend on co-ordinated action, there is a requirement for standards that interconnect Push-To-Talk with enterprise-grade communication apps.
By Roderick Hodgson, Director, Secure Chorus

First responders in medical services, police forces, border security, fire service, civil aviation, disaster relief, armed forces and other emergency services have a requirement to communicate efficiently and securely not only with each other, but with other stakeholders such as government officials. Until recently, connecting enterprise-grade communication apps to first responders using Mission-Critical Push-to-Talk (PTT) communication has not been technically possible, but innovation resulting from Secure Chorus’ interoperability standards can enable such communication.

Historically, emergency services have relied on dedicated radio systems to provide these mission-critical communication services. The ‘Project 25’ standard was adopted in North America, while Terrestrial Trunked Radio (TETRA) has become widely used in 114 countries across Europe, the Middle East, Africa, Asia Pacific, the Caribbean and South America.
The TETRA standard was designed to be entirely separate from commercial mobile infrastructure. When it was first standardised in 1995, the first 3G infrastructure had not yet been introduced to the consumer market. Since the development of TETRA, however, commercial mobile infrastructure has undergone a complete transformation, with the universal take up of 4G. Commercial mobile operators are now rapidly migrating to IP-based systems and are preparing for the roll-out of the next-generation consumer mobile technology, 5G. This investment in commercial mobile infrastructure is bringing increased performance and additional features to the user market.

Originally developed for voice communication, TETRA remains reliable for that type of communication. But it has limited capacity for handling the vast demands for data bandwidth created by the media-rich communications that have become essential in emergency response environments. Also, agencies adopting TETRA often find themselves “locked-in” to a single supplier, limiting their ability to upgrade to different technologies. This also places limits on their ability to communicate with colleagues in neighbouring countries or agencies.

While features have been added to improve TETRA (such as the “TETRA Enhanced Data Service”), and to build interoperability gateways between systems (such as the “TETRA Inter-System Interface”), these have seen limited uptake to date. Many countries are evaluating the use of commercial mobile infrastructure to provide the necessary bandwidth and are delivering much-needed additional capabilities. Consideration is being given to augmenting or replacing TETRA with an interoperable standard that leverages public mobile telephony infrastructure – the Mission-Critical family of standards, developed by the 3rd Generation Partnership Project (3GPP).

The term “Mission-Critical Push-to-Talk” (MCPTT) refers to Push-to-Talk solutions that can support the requirements of emergency services applications. To meet this requirement, 3GPP has developed a set of standards that has been extended to include “Mission-Critical Data” and “Mission-Critical Video”. As well as providing mobile telephony infrastructure with extra capabilities, many countries are considering it as an opportunity to set worldwide standards to drive interoperability between emergency services agencies and other important stakeholders.

However, it is important to note that the increased use of commercial mobile infrastructure also presents a problem, in that it exposes emergency services communications to a number of possible attack vectors, including:

• Users disclosing sensitive information to potential attackers without confirmation of the identity of the person they are speaking with.
• Attackers gaining privileged network access within an organisation, allowing them to retrieve multimedia data exchanged on a network.
• An attacker compromising elements of the public mobile telephony infrastructure or using a fake base station in close physical proximity to its target, and so gaining access to all data and call content, as well as metadata for all users on that base station.
• Attackers offering public telephony networks low-cost wholesale data routing, and so potentially having access to all data routed over their network.

As a result of these threats, it is essential to ensure that data is protected end-to-end, and that data recipients can be confident that the content has come from a genuine source. To address this, 3GPP has defined the “Security of Mission-Critical Service”, mandating the open cryptography standard MIKEY-SAKKE to be used for encrypting data and providing cryptographic keys.

MIKEY-SAKKE is a cryptography standard with a unique key management approach – Identity-Based Public Key Cryptography (IDPKC). Techniques pioneered in the MIKEY-SAKKE protocol were designed to minimise the traffic overhead needed to exchange keys and to establish a secure data transfer or voice call between users, while largely removing the need for a public key infrastructure. Beyond its efficiency, it also has the advantage of helping to minimise infrastructure cost.

2012 saw the UK Government’s National Technical Authority for Information and Assurance (CESG) – now the National Cyber Security Centre (NCSC) – define MIKEY-SAKKE as a protocol to answer the security requirements
of the UK government for a cryptographic method for validating an identity, for government communications. This protocol was based upon an existing standard for elliptic curve signatures, the Elliptic Curve Digital Signature Algorithm (ECDSA), and an identity-based cryptographic protocol developed by two Japanese researchers, Ryuichi Sakai and Masao Kasahara. This gave rise to MIKEY-SAKKE, which was made an open standard by the Internet Engineering Task Force (IETF), a standards organisation that develops and promotes voluntary Internet standards.

MIKEY-SAKKE is configured so that each user is attached to a Key Management Server (KMS). This server distributes key information to the users it manages on a regular (typically monthly) basis. The existence of the KMS means that organisations have control over their own security system, without giving access to their data to unauthorised third parties. A further advantage is that the KMS can be managed entirely by an organisation’s own IT team. It can also be kept offline for maximal security.

Ultimately, due to the properties of MIKEY-SAKKE, organisations can retain full control over their security system, and only those explicitly authorised by an organisation can access that organisation’s data. This is especially important in cross-border mission-critical scenarios where a diverse set of stakeholders from different countries and organisations may need to be involved in the emergency response plans in case of hurricanes, floods, wildfires, oil spills, chemical spills, acts of terrorism, and others, threatening the lives and health of the public.

While the standards developed by 3GPP ensure interoperability between users of Mission-Critical Push-to-Talk (MCPTT) systems, in certain scenarios emergency services organisations may also need to communicate securely with other stakeholders that may not be users of typical emergency services equipment on a day-to-day basis.

Generally, such stakeholders may favour enterprise-grade mobile applications that answer their day-to-day communication requirements. While commonly available secure communication mobile applications may offer a degree of security, these solutions are typically not able to communicate with users of MCPTT, leading to operational inefficiency or the use of insecure communications.

One of the solutions for users not using MCPTT on a day-to-day basis is to adopt Secure Chorus compliant products. These are enterprise-grade communication apps that provide the benefits of MIKEY-SAKKE and its unique key management approach. Because all Secure Chorus compliant products contain MIKEY-SAKKE, there is now a much lower bar to developing interoperability standards to connect MCPTT with enterprise-grade communication apps.

About the Author

Roderick Hodgson is a technologist and innovation strategist with oversight of all technology aspects of Secure Chorus, including technical management, setting technical strategy and representing the technology externally. Throughout his career he has defined, developed and delivered disruptive products in video streaming, telecoms, cybersecurity, IoT and Big Data for many organisations.
Crime | Security | Risk | Protection
ISIO – The International Security Industry Organization is on a mission to bridge criminology, security and risk with investigation to uncover new crime and discover evolving copycat crime.

Organized Crime (O.C) is far more active than organized terror (billions in USD$ of reasons). To consider the methodology of organized crime we use the analogy of a highly intelligent creature that uses cognitive skills, namely the octopus. Its brain may control all, but the tentacles make their own decisions of where and why to move. Suckers are tiny cups connected to the tentacles, doing constructive tasks and gathering information, sensing the terrain and providing feedback to the tentacles and the brain. Some may believe that they are connected to or captured by organized crime; however, they have no idea of how large and versatile the beast truly is. Where there is more than one person doing the deed, then organized crime is in session.

The biggest nightmare of any practitioner is not knowing what is truly happening in their region of interest, as not all crime is reported for numerous reasons, e.g., blackmail, extortion and bullying, which are some of the methods used by organized crime. The majority of criminologists, security and risk practitioners, whose job it is to know, have no idea of which gangs are in their country, city, neighbourhoods or region of interest. Furthermore, they are unaware that they or their staff are partners, supporters or victims of O.C.

There are issues that point the practitioner to O.C in their region of interest, e.g., theft of goods besides company ‘service’ time, taking or paying bribes, using migrant labour, etc, which may be part of O.C. Considering the octopus, this may be occurring in distinct or all departments. The people-on-the-ground must know where, how and why to look. Practitioners could be misled by others and provide inside information to a person that they think they can trust.

The practitioner must read the situation and the people involved.

• Is there a person-of-interest that you are concerned about?
• Are they working in concert with others, either voluntarily or under duress?

It may be difficult for some to have a deeper look in their region of interest as it may be emotionally expensive. E.g., who truly wants to know if their business partner(s) are authentic and not betraying them to O.C? These are difficult issues, but practitioners must know, as lives could hang in the balance, assets could be lost, or damaging issues could arise, such as reputational damage, which presents a whole different experience of extreme despair.

Security success depends on the level of situational awareness of the decision-makers on the ground and reaction speed.

ISIO works in conjunction with HIM [Human Investigation Management] using New Generation on Organized Crime Virtual and Workshops in person.

ISIO www.intsi.org
HIM www.human-investigation-management.com
Going beyond the SD-WAN hype in Asia: The early evangelists
By Dipesh Ranjan, APAC Head, NetFoundry

Businesses in Asia Pacific (APAC) are actively considering increasing their investments in networking technologies based on the cloud. A study by technology analyst firm IDC claimed that worldwide SD-WAN infrastructure and services revenues will grow at a compound annual growth rate (CAGR) of 69.6%, to reach $8.05bn in 2021. That is an impressive figure.

IDC says that in Southeast Asia, almost 56% of organisations have already deployed, or are planning to deploy, SD-WAN. Almost 30% of those surveyed singled out the policy-based control and WAN optimisation capabilities of SD-WAN as top drivers for implementing the technology. IDC Asia-Pacific says that most WAN traffic today – to and from branch and remote sites – is destined for the cloud on either hosted applications or public cloud.

It’s not surprising, since the old-fashioned WAN was designed to start at branch level and end at the datacenter and was never designed to support the sheer complexity of cloud-driven traffic. IDC pointed out in their survey that organisations which are still using traditional networks are facing major challenges on performance and operational difficulties.

The network node has to support vast numbers of new applications and massively growing business units as organisations expand, diversify and respond to new problems and workloads such as the Internet of Things (IoT).

However, most APAC CIOs and CTOs feel that SD-WAN has been overhyped and that it’s not yet solving top networking issues such as deploying applications to the cloud, hybrid cloud set-ups and Industrial IoT devices in a way that is on demand and gremlin-free.

While the IaaS market has been growing due to its ability to provision resources quickly, the network as we know it is losing out. NetFoundry addresses this problem by helping enterprises to deploy zero-trust application specific networks across multi-cloud and multi-edge environments. NetFoundry has been able to move beyond the traditional SD-WAN formula and has innovated a cloud-native platform which gives clients not only the ability to instantly connect fully software-only application-based networks in cloud and IoT ecosystems but also to achieve 3 to 5 times higher performance on their underlay network. For example, NetFoundry can provision Internet with 5 layers of security
built in to keep enterprises safe from DDoS attacks while connecting them to any provider, such as AWS or Azure, from anywhere, anytime, using any underlay internet provider.

Many organisations still have a naïve belief in their traditional technology, and either the fear of failure or lack of imagination drives them away from adoption of software-defined network technology. Early evangelists are few and far between, but they are reaping the benefits of the new networking paradigm and will shape the future of APAC networking in the same way that it transformed the cloudscape over the last decade.

Dave Ulmer, Head of Digital, MD Pictures, the leading Indonesian movie production company, said: “As one of the largest film production companies in ASIA, MD pictures was looking for an agile yet powerful solution to migrate our applications and large data files to AWS. NetFoundry has enabled us to do this quickly and securely without the need for cumbersome VPNs or expensive direct connect / MPLS circuits. This new type of cloud-native, high-performance, instant networking has increased our internal productivity, accelerated time to market and enabled us to compete as a modern digital enterprise.”

Due to a massive increase in destructive hacking incidents aimed at various government sites, almost two-thirds of decision makers have planned to make reducing their exposure to the risk of cyber-attacks their main focus over the next 12 months. NetFoundry’s ability to protect data in motion using a zero-trust approach has helped protect enterprises across APAC.
Disposal of Legacy Circuit WAN Networking Cloud-based applications and virtualization have shifted networking needs away from devices and boxes and toward native application-based networking solutions. In a this faster, more agile world - leveraging an application-specific network (ASN) can replace the need for private circuits, proprietary hardware, and old-fashioned telco solutions. All it requires is an Internet connection. ASNs remove the infrastructure and push the perimeter out towards the application, individual device, branch office, and/or user endpoints no matter what or where they are. This simplifies connectivity at scale while enabling granular, zero-trust security that meets and exceeds even the most stringent compliance standards. Chakit Abi Saab, Chief Technology Officer (CTO), OSM Maritime Group that brings over two decades of experience in the Maritime Industry sums up well the need for simplicity of connection and security: “The level of efficiency OSM Maritime Group will gain from working with an innovative organization like NetFoundry cannot be understated. In today’s business, all industries have one commonality, and it is critical to give everyone in the organization the ability to access all applications when they
need it, whenever they need it, no matter where in the world they are, and to have this access securely is no longer optional but a must. For that reason, we have decided to work with NetFoundry as a global partner.”
Praveen Sengar, Head of IT & Business Operations at Dimension Data APAC, one of the largest global systems integrators and part of Japanese conglomerate NTT group, said: “One of the major challenges when you drive digital transformation is to build cloud centric environment where application migration within hybrid cloud usage need to be managed with ongoing operation and connectivity. High performance & reliability of cloud network with security and compliance is an additional pain when apps are cloud native and need application specific access. NetFoundry was like a light in the tunnel where we found agile cloud native secured networking which will allow us to migrate on premise to cloud in minutes and also build application specific connectivity for our external vendors who need access to work on our projects in real time and on a short term basis. Managing many of these vendors within a single pane of glass with a multiple app based network on the NetFoundry platform will make our life so easier for our next wave of transformation.”
A recent Futuriom survey of IT managers regarding their view on applications networking trends revealed the need for a new kind of application-specific networking (ASN) that includes integrated security and cloud connectivity. These ASNs, or AppWANs, would be able to connect and secure cloud applications without the need for specific hardware configurations of VPN servers. Futuriom surveyed 200 IT managers in application development, networking, security and DevOps to find out what they view as these primary challenges and how they might be solved. The research findings reveal that enterprise users don’t see SD-WANs as a solution for all networking security challenges.
For example, SD-WANs may be appropriate for branch connectivity, but they don’t always support applications beyond the network, including IoT devices. A large number of IT managers surveyed did not see SD-WAN as an IoT solution, with 43.5% of users agreeing with the statement that SD-WAN is not an ideal solution for networking Industrial IoT devices. Based on the results of the Futuriom survey, it’s clear that IT managers are looking for a more flexible and secure software-based networking solution for the cloud. ASNs are likely to serve the future need to connect distributed applications in SaaS, IaaS, and PaaS environments, whether in single-cloud, hybrid-cloud, or multi-cloud environments. Smart businesses in Asia Pacific, without a doubt, seem to be catching on to this fast and embracing the benefits of fast, secure and compliant networks more than other parts of the world. Watch this space!
Cyber Security
Cyber Combat
Welcome to Ixia Cyber Combat – where corporate cyber defenders across financial, technology, government, and educational sectors test their mettle by attacking enemy networks and defending their own servers under real-world cyber-attack scenarios in a safe simulated environment.
By Jane Lo, APSM Correspondent
Over the 12-hour event, teams attack enemy servers, expose vulnerabilities and discover Cyblocks (units of Blockchain created by Ixia specifically for the event), while defending their own “fortress” from the other teams. Combining the ideas of video gaming and cybersecurity hackathons, Cyber Combat is a highly charged competition, where points are accumulated in defending protected resources (Blue Team) and breaching enemy defenses (Red Team).
Red team players use network infiltration and data exfiltration techniques such as:
• Discovering, enumerating, and infiltrating Windows and Linux servers defended by a Fortinet NGFW
• Exfiltrating and cracking salted, hashed passwords stored in databases
• Searching penetrated machines for valuable data hidden via steganography
• Combing through metadata for breadcrumbs of valuable information
• Writing custom scripts to unlock data
Blue team players defend their assets in response to the many scenarios crafted by Ixia’s Threat Intelligence, by:
• Monitoring SIEM and NGFW logs for ongoing attacks
• Modifying configurations to thwart attackers
• Examining network traffic, and correlating events to discover and stop coordinated attacks
The ability of Red and Blue players within the same team to collaborate under some scenarios also contributes to points accumulated.
Held at the School of Arts on 22nd Nov 2018, the second edition of the Cyber Combat - 2018 Cyber Combat Finals Singapore - saw 20 two-person winning teams from Hong Kong, Thailand, Japan and Singapore and fresh warriors showcase their skills fighting real-world cyber-attack scenarios in a final standoff. Supported by Ixia, KPMG and Fortinet, the event brought together Ixia BreakingPoint on Ixia PerfectStorm, Ixia ThreatARMOR, Fortinet Next-Generation Firewall (NGFW), Quali Orchestration, and Splunk Security Information Event Management (SIEM).
“This unique format of event gives an opportunity for the best cyber security experts to compete against peers in the industry in a safe yet challenging environment. The event is intense, lasting 12 hours, and requires skill and endurance”, said Naveen V. Bhat (Managing Director of Ixia, a Keysight Business for the Asia Pacific region). Echoing Mr Bhat’s views, Ragul Balaji of the winning team T0X1C V4P0R said Cyber Combat “accurately simulated the challenges of performing both audits as well as defence at scale”, providing a “gruelling experience battling it out with the best in our region”.
One of the challenges of the cyber security skills gap is the development of hands-on experience, including the need for security practitioners “to know the enemy, their techniques, and their view of the IT world”. With a realistic production-like multi-vendor environment, Cyber Combat is a practical way to develop and enhance these skills. “This event is a way for players to test their security skills and also prepare for potential cyber incidents as a team”, said Eddie Toh, Head of Forensic Technology Asia Pacific, KPMG.
Data protection requirements are the need of the hour
By Zafar Ullah
Pakistan is not immune to data security breaches, and it is pertinent to note that Pakistan has featured recently in international news stories reporting a major data breach involving almost all Pakistani banks. Conflicting reports have emerged in the media on the extent of the data breach, primarily owing to inconsistent statements by authorities, which further adds to the embarrassment. It was reported by Reuters that “The skimming took details of nearly 20,000 debit and credit cards from 22 Pakistani banks, according to the Pakistan Computer Emergency Response Team (PakCERT), a monitoring group.”
Additionally, if we only skim media reports for the year 2018, local media reported around mid-year about a data breach at the National Database and Registration Authority (NADRA), Pakistan, an independent and autonomous agency that regulates government databases and statistically manages the sensitive registration database of all the national citizens of Pakistan. As per the report by samaa.tv, “Punjab’s IT board had access to NADRA records. The board had set up mobile phone apps and gave them access to the records. Hackers got hold of this data and made quite some money out of it.”
Lastly, there were some data security reports by https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity involving Pakistan:
“April 2018: Security researchers report that an Indian hacking group had been targeting government agencies and research institutions in China and Pakistan since 2013.”
“May 2018: Security researchers reveal that the Pakistani military used Facebook Messenger to distribute spyware to targets in the Middle East, Afghanistan, and India in an attempt to compromise government officials, medical professionals, and others.”
The cyber impact of all these breaches is not exactly clear, but it does indicate that Pakistan is as vulnerable to cyber security data breaches as any other entity in the world, yet
we are way behind in establishing necessary data protection measures. Pakistan has no data breach reporting requirement, as per the latest report by DLA Piper: “Data security breaches or losses do not have to be reported or notified to anybody or individual.” https://www.dlapiperdataprotection.com/index.html?c2=&c=PK&t=breach-notification
Many countries across the globe have introduced mandatory data breach reporting requirements, including the famous GDPR in Europe, which mandates all public / private entities to report data breaches; these entities are also strongly encouraged to take necessary data protection measures to safeguard the data of their customers or else face heavy regulatory scrutiny. It is important to note that the introduction of these requirements has not only increased visibility into data breaches and their causes but is also enabling governments, businesses and individuals to better protect their personal data in the cyber world. Unfortunately, in Pakistan there is until now no reliable public source of truth to identify all data breaches except the few that catch the eye of the media. It is very likely that a number of the data breaches suffered by businesses and individuals in the country are never identified, as there is neither a requirement nor a means to report such incidents. The problem is amplified for Pakistanis when you look at data breaches for the year 2018 alone involving big companies with global operations like Uber, Careem and Marriott, where their personal data is compromised in major brands’ data breaches, putting them at risk of identity fraud. Pakistan and all stakeholders need to come forward and introduce the necessary data protection requirements in the country, along with Cyber First-Aid facilities.
About the Author
Zafar Ullah is an information technology professional based in Sydney, Australia with working and life experiences in Gulf countries and law enforcement in Pakistan. Zafar enjoys writing on technology and social affairs.
Blockchain
Asia blockchain week 2018
By Jane Lo, APSM Correspondent
The first lawsuit involving crypto in Singapore was filed by UK registered business B2C2 against Singapore registered Bitcoin exchange operator Quoine, relating to Bitcoin/Ethereum trades transacted on 19th April 2017. The trade involved B2C2 paying 309.2518 Ethereum to Quoine, in return for 3,092.517116 Bitcoins. This was an inflated level at ~250 times the average market price that day. Despite the abnormal level, the order was filled, and the Bitcoins were credited to B2C2’s account. But the credit was reversed the next day by Quoine, asserting it was "mostly trades with huge mark-up over fair global market price". B2C2 sued, claiming that the proceeds were "misappropriated" from the account without authorisation. Today’s valuation of this dispute is more than double the US$3.78 million on trade date - not an insignificant factor in the litigation. Valuation collapses also triggered lawsuits. Two examples were LongFin, whose investors sued after disclosures of
material control weaknesses caused an 80% price plunge, and Bitconnect, whose investors were guaranteed monthly returns of up to 40% only to see their holdings plunge a month later. Lawsuits were also lodged by disgruntled investors over misleading statements. Paragon’s $70 million fund raising to address logistic challenges in the cannabis industry was charged by investors as “simply a method for Defendants to raise capital in order to purchase real estate investments”. Tezos, which raised a high-profile sum of $232 million, was sued by investors citing violations of securities law, when attempted embezzlement allegations surfaced. Criminal lawsuits were also pursued by prosecutors. The most infamous was Mt Gox, which alleged in February 2014 that almost 750,000 of its customers' Bitcoins were hacked. The incident led to its collapse and the arrest of its CEO. There were also disputes settled through “forks” [1] without involving the courtrooms. Examples included the Bitcoin Cash 2017 split from the main Bitcoin chain to settle a dispute to speed up transaction processing; the
Ethereum Classic 2016 split following a hack – to accept the hack occurred and “do nothing” to preserve chain immutability, or to pretend the hack did not occur by reverting the chain to the pre-hack status. Differing regulations across jurisdictions also complicated these disputes. We hear the latest developments at the Asia BlockChain Week 2018 (BlockChain Asia at MBS – A Year After, How Chinese Crypto Ban Affected Asian Cryptoeconomics, and Future of Token Economy at SUSS (Singapore University of Social Sciences), 30th Nov 2018).
What are current regulatory developments in Singapore with respect to the crypto world?
Last year, at Money 20/20 Asia March 2018, Ravi Menon, Managing Director of Monetary Authority of Singapore (MAS), emphasized that while “MAS has to-date chosen not to regulate crypto tokens directly … the key risks MAS is monitoring in the crypto world are in the areas of financial stability, money laundering, investor protection, and market functioning”. More recently, MAS provided in its Nov 2018 “Guide to Digital Offerings” that: “If you wish to offer digital tokens in Singapore or operate a platform involving digital tokens in Singapore, you are encouraged to seek professional advice from qualified legal practitioners … When applying the law to your case, you and your legal advisers should look beyond labels and examine the features and characteristics of each token.” One such labelling referred to by industry professionals is a “utility token”, versus a “security token”. Utility tokens represent the right to use a product, service, or a specific function in the ecosystem of the organisation. Security tokens represent holdings of equity or debt in the organisation. Specifically, MAS clarified “where the crypto tokens represent ownership or a security interest over an issuer’s assets or any property, or a debt owed by the issuer, they may be regarded as securities under the Securities and Futures Act”. (The Singapore regulator is not alone in this view. In July 2017, the US Securities and Exchange Commission (SEC)’s report noted “that tokens offered and sold by a "virtual" organization known as "The DAO" [2] were securities and therefore subject to the federal securities laws”).
How would securities regulations apply to the crypto world?
Under Singapore’s Securities and Futures Act (SFA), all offers of securities are prima facie subject to the prospectus requirements. In addition, SFA also sets out conditions for events relating to the offering, such as book-building, road shows and research reports. Today’s ICO (Initial Coin Offering), if subject to SFA, may continue the current practice of publishing a “white paper” online, but would likely need to file a prospectus to enable the targeted investors to have a “full and proper understanding of the applicant's business, financial conditions, prospects, and risks” (Singapore Exchange Rule Book).
SFA also requires immediate public announcements where there is material information relating to the company’s activities that might be price-sensitive. For the crypto world, the practice of splitting a crypto currency into two (“fork”) to settle what could be “a significant dispute or disputes with sub-contractors, customers or suppliers, or with any parties” would likely require announcements on prescribed channels. These disclosures enable informed decision-making.
How would investors further benefit from securities regulations?
At SUSS’s “Future of Token Economy”, Professor David Lee suggested “going back to the spirit of the law”, or in other words, understanding what securities regulations aim to achieve. SFA evolved over the decades from the first (1973) Securities Industry Act. Significant events, such as the 1986 Pan-Electric scandal which led to an unprecedented 3-day closure of the Singapore and Kuala Lumpur stock markets, shaped this regulation. MAS objectives of Financial Sector Oversight, such as transparent and fair-dealing intermediaries and offerors, also play a role in shaping the regulatory landscape, including enforcement actions for insider trading and market manipulation offenses. In the crypto world, recent regulatory actions into Bitcoin price manipulation, or contentious liquidation proceedings following a cryptocurrency exchange collapse clearly support the need for a framework that builds confidence and protects crypto investors. Certainly, crypto investors would benefit from the principles underpinning the existing securities regulations.
What are some immediate concerns?
In the case of B2C2 versus Quoine, the defendant argued that the trades were void because of a “unilateral mistake” at common law. In his decision to order a full trial, the Singapore International Commercial Court (SICC) judge noted that: “The doctrine of unilateral mistake is well developed in circumstances where the error is a human error and the knowledge or lack of it is directly ascertainable from the humans involved. Where computers are concerned, the law is less well developed.” In this case, a "technical glitch" occurred, Quoine said. Changes to passwords and cryptographic keys were not updated completely, causing errors in the systems that reflect the true market prices. The judge added: “When can the workings of a computer or computer programme constitute actual knowledge on the part of the programmer or operator of the computer?”
For some, this case highlighted the complexity of dealing with the legal issues of mistake, “force majeure”, “misrepresentations” in the new world, suggesting the need for “new laws for modern technologies”. Others cited the case of Chwee Kin Keong v Digilandmall where the complainants argued for the contract to be fulfilled despite a mistake made on the price published on the website. The court found the contract void, which supported a view that new communication methods do not imply a need to create new principles.
What are some challenges when applying “old world rules in the new world”?
One is adopting a consistent understanding when we use certain technological terms. For example, when we speak of “smart contracts” [3], is the contract “smart” for coding the entirety of a natural language contract, or for digitising only the payment instruction? Is a technological term that includes the word “contract” automatically a legally binding contract as a matter of law, as speakers questioned at SUSS’s “Future of Token Economy”? Legal enforceability is also a challenge, arising from the decentralised nature of smart contracts. “There may be no obvious defendant, or enforcement of a court judgement or arbitration awarded in response of a transaction using particular distributed ledger technologies”, according to the R3 and Norton Rose Fulbright White Paper “Can smart contracts be legally binding contracts”.
China – a case study
Many crypto enthusiasts perceive regulations as barriers to innovations. The relationship between regulation and innovation is multi-faceted and complex, but arguably, rigid regulations do hamper innovation whereas flexible approaches stimulate innovation. The Chinese landscape demonstrates China’s way of finding the right balance. At the BlockAsia 2018 show, speakers pointed out that inevitable tensions between the crypto world and the government naturally arise from the characteristics of cryptocurrency – pseudo-anonymity and decentralisation - which are anathema to the Chinese communist doctrine. Chinese capital controls which restrict yuan conversion into foreign currencies to US$50,000 (per person per year) meant that crypto currency conversion would likely be subject to limits, if not outright bans. In fact, as far back as December 2013, the People’s Bank of China (PBoC) issued a “Notice on Preventing Financial Risk of Bitcoin”, prohibiting all crypto-related operations for banks. Then, in Sept 2017, Chinese regulatory authorities declared ICO illegal, and halted Chinese Bitcoin exchange operations. The ban spread to foreign crypto-related platforms in 2018, with access to offshore crypto exchanges and ICO websites blocked. When crypto related activities transitioned to Chinese blockchain news outlets in August 2018, the government promptly banned cryptocurrency-related commercial activities and events, and communication channels that spread the ‘crypto word’. But the Chinese government is careful to distinguish between these actions and investments in Blockchain which underpins cryptocurrencies. In December 2016, blockchain technology development was added into the 13th Five-Year Plan 2016–2020. In June 2018, China’s largest TV broadcaster CCTV highlighted “the value of blockchain is 10 times that of the Internet” in an hour-long video. In early 2019, China’s oldest technology publication Beijing Sci-Tech Report (BSTR) accepted Bitcoin for subscriptions “to promote the blockchain technology through practical actions”.
The subsidies (tax deductions and cheap electricity supplies) for mining activities – the cryptographic verification of Blockchain ledger – remain in force.
Regulations, as a powerful enabler of Blockchain innovations beyond cryptocurrencies disputes
A powerful example of regulations affecting innovation incentives is the “information superhighway” that saw large-scale deployment of devices and applications enabled by high speed internet connectivity. These developments were supported by deliberate regulatory distinctions between information services (wireless broadband) and telecommunication services (legacy telephony) which opened doors to capital flows into broadband. Blockchain holds promise for innovative applications on its decentralised, immutable, distributed infrastructure. Examples are: document management in shipping finance to eliminate duplicated invoices and double collateralization; authentication to track genuine certificates and credentials; ownership management, of which cryptocurrency is one use case. Blockchain, together with Artificial Intelligence, Data Science, Quantum Computing and more, is frequently referred to as one of today’s Industry 4.0 innovations. Regulations that influence the adoption of Blockchain applications across sectors, rather than a focus on the means of payment (cryptocurrencies), can exert a profound impact on the level and direction of this new wave of digital transformation.
In the meantime, self-regulation in the crypto world
Recognising that the industry’s growth could be constrained if investors conclude that trading platforms have a “buyer beware” approach to oversight, the crypto industry formed the Virtual Commodity Association (VCA), with its inaugural meeting in September 2018. John Roth (Chief Compliance and Ethics Officer, Bittrex) said: “The blockchain industry must focus on protecting its customers and operating in a responsible manner to significantly increase adoption globally. By working with the VCA, we can advance our shared goals of improving transparency, accountability and security across all virtual currency trading platforms.”
Bitcoin 10 years on …
By Jane Lo, APSM Correspondent
On January 3rd 2019, it would have been 10 years since Satoshi Nakamoto created the genesis block with the first block reward of 50 bitcoins. Impressive statistics point to the steady and at times dramatic (witness the explosive growth in 2017 when Bitcoin hit the all-time high of $20,000) growth of the network in the last decade: 17 million bitcoins in circulation, 30 million wallet users, 200+ thousand transactions daily, 42 tera hashes generated per second. What also gets many excited is the potential of the Blockchain technology underpinning bitcoin. Malikkhan Kotadia (Co-founder & CEO, Finnovation Labs, Singapore Head, International Business, Singapore Blockchain Industry Association - ACCESS) gave a refreshing take on Blockchain at the 4th ASEAN EXEC-IT 2018 (15th – 16th Nov 2018, Hotel Fort Canning). Our understanding of Blockchain is not unlike that of a group of blind men who, having never come across an elephant before, each arrive at an understanding of the animal only by feeling one part of it, according to Malik. “Our understanding of Blockchain is also limited to what we hear, and so each of us may not have the same understanding,” he added. “One basic Blockchain fact is that it is a means of transfer of value, which does not change though ownership may change.” Handing a $50 Singapore note to a participant, he noted his net worth was down as much as the increase to the recipient; the situation was reversed when the note was re-exchanged. “Many aspects of Blockchain are in fact not new - cryptography, ledgers of record - but it’s how these elements come about that make it exciting,” he said. These elements enable Blockchain’s characteristics: identity, provenance and single source of truth, which found many use cases, including cross-border remittances, with the
potential to become as common as cross border messaging. In fact, just as today’s essentials such as email were not foreseen in the 1990s, tomorrow’s Blockchain use cases could well surpass our imagination. One potential scenario is applying Blockchain to disrupt corruption. “At the session, ‘When Machines Fight Machines: Cyber Battles & the New Frontier of Artificial Intelligence’ by Mishaal Ismeer (Director of Sales, South Asia and Southeast Asia, Darktrace), the inevitable question of how cryptocurrencies like Bitcoin have an impact on cyber security arose. Darktrace has observed an abrupt increase of cryptocurrency-related attacks due to the ease of maintaining anonymity and the attackers’ ability to monetize cryptocurrencies”. Indeed, “return on investment”, Malikkhan also stressed, is critical - Blockchain, whilst exciting, should be clearly demonstrated to add value in addressing an issue. Other challenges that he pointed out included: environmental impact (massive and unviable energy requirement), scalability and costs (10-15 mins to validate a transaction), governance, regulations and public policy (what are the dispute mechanisms? Who regulates and controls a Fork?). But perhaps the biggest quest of all, 10 years on, is uncovering the identity of the pseudonymous creator of Bitcoin, Satoshi Nakamoto. Enthusiasts have proposed candidates, ranging from Japanese mathematicians to Irish graduate students, cryptographers, computer scientists or a group of people. This quest remains part romance, part challenge and perhaps part desire to reach a conclusive and ultimate answer to the question: was Satoshi Nakamoto chasing an elusive dream for bitcoin when he envisioned it as “an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party?”
The online matrimonial mayhem
By Sarosh Bana, APSM Correspondent
India is among those countries most vulnerable to cyberattacks, the RSA Quarterly Fraud Report putting it alongside Canada, the United States and Brazil as the top four target countries for phishing and malware-based attacks worldwide. Among the myriad ways in which cyber fraudsters have been assailing India is by targeting young women, divorcees and even widows who are keen on marriage or remarriage. These scamsters have been exploiting women who are obliged to marry at an early enough age so as not to be frowned upon by the relatively conservative milieus of Indian society. Often, the families select suitors for these young women in what is commonly known as “arranged marriages” and these to-be husbands are usually from similar religious, caste, social and economic backgrounds. In tradition-bound communities, these concerns usually override all considerations of compatibility in married life. Also targeted are the parents of girls who are in quest of well-placed businessmen or professionals from the software or finance industries. The tricksters exploit social networking sites such as Facebook through fake profiles on matrimonial websites by posing as prospective suitors having the coveted credentials, namely, senior positions in these industries, preferably in
the US, which come with impressive salaries. Many of these cheats may be operating from some country overseas or even from some part of India. Police investigations reveal that many Nigerian men who often overstay their visa periods in India have also muscled into this area of online hoax and honed it into a lucrative business. These web gangs are now resorting less to phishing emails about lotteries and charity as fewer people are falling for them, and diversifying into duping prospective brides as well as deceiving people on questionable investment schemes or on claims of representing multinational companies. The fraudsters register themselves with fake profiles on popular matrimonial websites on which women wishing to marry or remarry are also registered. They identify their targets and enter into correspondence with them to build up their trust and eventually propose marriage. They then express an eagerness to travel to India to meet the woman and her family, informing them that they will be putting up at a luxury hotel during their stay. However, they soon fabricate a story that they were detained by the Customs at the airport and ask for money to be wired to them to buy their way out of the problem. Often, the waiting women fall for such alibis and pay up unhesitatingly only to never hear from the conmen again. There are also any number of instances where men
Regional
An estimated 10-12 million weddings take place in the country each year, considering that India has one of the youngest populations in the world where the median age is around 29 years.
looking to marry or remarry have been cheated by fraudsters posing as women. One case involved a 40-year-old widow from Mumbai who desired to marry a second time and was similarly contacted by the one she was awaiting. The man telephoned to tell her that he had landed at the Delhi airport en route from London to Mumbai, but was detained by Customs officials for not declaring the vast amount of currency and expensive gifts he was carrying. A woman then came on the line posing as a Customs official and told her she would need to furnish the bail amount of Rs74,00,000 (about Aus $142,300) if she wanted her acquaintance released. The luckless woman revealed her credit card details as instructed and never heard from the man thereafter. Another woman from the southern Indian city of Visakhapatnam was similarly duped of Rs40,00,000 (about Aus $77,000). After gaining the trust of their victims following initial correspondence, online criminals with fake profiles then share telephone numbers, email addresses and other personal information. Shortly, they start demanding money on various pretexts, such as for Customs clearance of costly gifts, conversion charges for foreign currency, or government clearance for jewellery or inherited wealth. All the money demanded is sought as online transfer and the victims
often go through the process without informing anyone that they were communicating with these people. In most circumstances, the victims do not carry out any background checks on those who contact them online. Police say that at times some women have even sold off their properties to arrange for the payments required by the fraudsters. There are cyber cells set up in various police stations across the country that aggrieved netizens can approach with their complaints, but the police authorities concede that investigating these cases and identifying the culprits is not easy. With many of the conmen operating from other countries and constantly changing their identities to cover their tracks, recovery of money from them is also difficult, if not impossible. Pointing out that many victims hesitate to lodge complaints because they find their predicament embarrassing, the police have been urging them to come forward and lodge complaints and to ensure that they meet the “suitors” in person so that they do not fall prey to them. India has a flourishing wedding market that has become famous for its flamboyance and extravaganza staged across multiple venues, including luxury liners and European castles and palaces, and across several days. Like the glitzy Bollywood film industry, the spectacular Indian weddings have been drawing attention across the globe, to the extent that foreigners are willing to make hefty payments to secure invitations to some of them. Such fascination has engendered what is now called “wedding tourism” where people from various countries are paying the organisers of these Bollywood-style events as much as Rs10,000 to Rs30,000, depending on the status of the hosts and the number of days of attendance. Some of history’s most extravagant weddings have been performed by Indians, such as the double wedding of now-jailed industrialist Subrata Roy’s two sons in the northern Indian city of Lucknow in 2004 that cost a stupendous Rs552 crore (Aus $107 million).
The cuisine comprised 110 dishes from across the world. Costing a shade less at Rs500 crore (Aus $96 million) was the engagement of global steelmaker Lakshmi Mittal’s niece that was held at the Palace of Versailles and the marriage held at Le Bristol Hotel in Paris with performances by Kylie Minogue and Indian film stars. An estimated 10-12 million weddings take place in the country each year, considering that India has one of the youngest populations in the world where the median age is around 29 years. A report describes India’s wedding business as a “recession-proof industry” that is worth around $40-50 billion in size.
REPORT REVIEW | by CHRIS CUBBAGE
WA POLICE FORCE RETICENT, UNACCOUNTABLE AND INADEQUATE: REPORT
40th Parliament, Community Development and Justice Standing Committee, Report 5
NO TIME FOR COMPLACENCY: Final report for the inquiry into the protection of crowded places in Western Australia from terrorist attacks. Presented by Mr P.A. Katsambanis, MLA, March 2019
Review by Chris Cubbage, Executive Editor
WA Police Force declined to assist the Review, are unaccountable for millions in spending and are not adequately regulating the security industry. Is public safety at risk? This report is the outcome of a Parliamentary inquiry established to determine whether there is adequate preparation for the protection of crowded places in Western Australia (WA). It was motivated, in part, by the release of Australia’s strategy for protecting crowded places from terrorism (the Strategy) in August 2017.
Background
In March 2018, just 12 months away from the Christchurch massacre in New Zealand, in WA a Community Development and Justice Standing Committee was seeking submissions as part of its inquiry into the protection of crowded places in WA from terrorist acts. In particular, the Committee set out to consider the flow of information between agencies and other relevant stakeholders and the WA Parliament’s role in overseeing counter-terrorism arrangements to ensure that it can properly evaluate the:
1. state-based emergency management framework;
2. implementation of mitigation and protective security measures;
3. relationships between state government departments and agencies and owners and operators of crowded places;
4. capability of the Western Australia Police Force to respond to a terrorist attack on a crowded place; and
5. security licensing, registration, and assurance processes in Western Australia.
In making a submission, it was quite apparent that the terms of reference were too broad. As the inquiry progressed, “the complexity of protecting crowded places quickly became apparent.” One may argue the Committee had limited experience or insight not to realise this at the outset given the scope it set for itself. Not surprisingly, the Committee chose not to consider in detail the other three elements of the PPRR
(prevention, preparedness, response and recovery) model and likely targets of terrorism and indeed, crowded places such as the airport or domains in maritime, transport or health were also not examined extensively. Yet despite this, in October 2018, the Committee released an initial report identifying 30 matters they felt required further consideration. This report proclaims the inquiry and outcomes “will not reduce the complexity of both counter-terrorism and the protection of crowded places in WA.” In other words? It will achieve little and tells us much we didn’t already know. However, there is one striking takeaway from the inquiry worthy of note. The WA Police Force isn’t performing, isn’t accountable and isn’t prepared to assist when asked to.
WA Police Force reticent to share information
Throughout the inquiry, the Committee struggled to access information and documentation it considered important to fully inform itself about the preparedness of the Western Australia Police Force and Western Australia more generally. The report noted, “It is impossible to determine whether the millions of dollars of government funds directed to WA Police counterterrorism capabilities has actually increased the state’s counter-terrorism preparedness.” “There is a lack of independent oversight in relation to the state’s preparedness for a terrorist attack. The Counter Terrorism and Emergency Response Command of the Western Australia Police Force received over $49 million in 2017–18 and there is currently no third party scrutiny to ensure the people of Western Australia that this money was used effectively, efficiently, and ultimately increased the state’s counter-terrorism preparedness.” “The apparent reticence of WA Police to engage meaningfully with this inquiry was particularly evident when contrasted to some UK police services’ purported responses to recent, independent reviews. The reticence of WA Police to cooperate with the inquiry also differed from the ‘dare to share’ approach to information-sharing that Victoria Police Deputy Commissioner Shane Patton told us he employed.” “The requirement to seek approval from the ANZCTC—a creature of the Council of Australian Governments (COAG) and therefore outside the authority of the WA Parliament—reduces the effectiveness of the traditional vehicles for scrutiny.” “Unlike Victoria or New South Wales, WA does not appear to have developed an up-to-date, publicly available state strategy or coordinated suite of policy documents elucidating the various counter-terrorism
roles of government and non government entities. WA has also not developed a protective security advisory capability to support owners and operators to enhance the resilience of their crowded places.”
WA Police Force lacks independent oversight and accountability to auditing and governance
“There is an assurance gap, however, in relation to owners and operators of crowded places that are neither the recipients of public funding nor covered by specific regulatory regimes.” Auditor General Caroline Spencer said she preferred for this emergency management assurance role to be legislatively defined and accompanied by appropriate funding to reflect the expansion of her role. She explained the estimated cost of an initial scoping audit of the emergency management sector is $500,000, or just over 8.3 per cent of the total Auditor General 2008 audit budget. Considering the average amount spent on a performance audit is $300,000, the estimated cost of the initial audit is significant. Expecting the OAG to fulfil a permanent assurance role without additional resources risks inadequate consideration of other, equally important, topics. As an example where oversight and auditing is required, the Committee determined that “despite monitoring an industry with over 30,000 active security licences, WA Police issued no infringements in relation to the Security and Related Activities (Control) Act 1996 (WA) between July 2017 and May 2018. While WA Police aims to audit 275 licence holders per year, only 100 people (or 0.003% of the industry), were audited between July 2017 and May 2018. WA Police noted that sometimes the audit target is not reached due to ‘other policing priorities’. In the 2016–17 financial year, WA Police issued only five infringements, one summons, and 86 cautions in relation to the Security and Related Activities (Control) Act 1996. The Queensland Office of Fair Trading has a similar number of active security licences as WA but issued a far greater number of infringements—55 infringement notices and 74 warnings—in the same period.
WA Police said there was no reason why it could not also release de-identified compliance information, and pointed out that similar information relating to pawnbrokers and second-hand dealers was already published in the WA Police Force Annual Report. Yet the reason they don’t make this information available is most likely because they’re not actually regulating the industry effectively and one may argue, not at all. Another area in which WA Police were subjected to criticism was the State CCTV Strategy. Subject to complaints when it was first received (including formal complaints by this author), the Committee stated, “Because of evidence we received early in the inquiry, we raised questions about the effectiveness of the State CCTV Strategy. Some respondents identified specific issues with the CCTV strategy and sharing of data. Concerns were raised, for example, about the cost and technical
difficulties associated with creating and managing a central security information system from which WA Police can monitor CCTV data from multiple cameras.” “SAIWA (Security Agents Institute of WA) said the system may also prove costly for donors of CCTV data as they may have to obtain legal advice, upgrade their equipment to a different standard in order to add their CCTV cameras to any ‘joined-up approach’, and spend money on ongoing maintenance. Further, one local government told us of its reluctance to join the State CCTV Register because of ongoing questions about the governance measures and security of shared data.”
Terrorism is a silo risk – Holistic & Risk Based Approach is needed.
“In the course of the inquiry, it became evident that whether or not an attack on a crowded place was terrorism was largely irrelevant from a protective security perspective.” “One document, the State Hazard Plan: Terrorist act, represents the totality of strategic counterterrorism arrangements in WA and embodies an outdated approach to counter-terrorism. This means WA’s counterterrorism preparedness is also largely unscrutinised as terrorist acts are managed under the state emergency management framework along with 26 other hazards identified as posing a risk to WA.” “With neither an up-to-date state strategy nor policy framework to guide counter terrorism efforts in WA, some of the stakeholder groups identified in the Strategy have contested the exact nature and extent of their roles and responsibilities. Some sought to minimise their responsibility for achieving this goal. The strategy is not linked to any legislation or policy framework within WA and is therefore not mandatory.” “Terrorist use of drones is one example of an emerging threat where there are legislative impediments on police use of drones for incident response and other purposes. There is clearly a need for legislative reform. It is inevitable that legislators will have to respond.” “We found there was a clear expectation amongst owners, operators and the public that authorities such as WA Police would take the lead in protecting crowded places.
WA Police appeared reluctant to step into this space, however, distancing itself from any overarching responsibility for implementing the Strategy and stressing that it was not the role of WA Police to provide protective advice to private industry.” “WA Police and DPC had different positions about whether WA Police was responsible for implementing the Strategy: while DPC said WA Police is the ‘lead agency for implementing the Strategy in Western Australia’, WA Police said the CPAG is ‘responsible for the implementation of the National Strategy’.” “Implementing proportional security and mitigation measures can be costly and—importantly—reduce the profit generated. As one inquiry participant pointed out: Any costs for additional protective security measures have no value in terms of marketability of the venue/event. In fact, these protective security measures are wherever possible concealed so that attendees are not
consciously aware of the existence of a threat being mitigated.” “The Strategy does not set out a mechanism by which owners and operators can be compelled to fulfil their responsibility to protect their crowded place. This may become a problem should owners or operators weigh the quantifiable costs of implementing security measures against the less well-defined costs arising from non-implementation (i.e. reputational, asset damage, public safety) and decide not to invest in its security. Their preference was instead for the risk-based approach currently advanced by the Strategy.” “As the Queensland Police Service said: identifying a minimum standard of protection would result in the general adoption of that standard. Without a risk-based approach, owners/operators would likely to be either under-protected or would be required to implement unreasonable measures.” “Those indicating support for a prescribed minimum standard tended to be the owners and operators of crowded places who felt they did not have the skills or knowledge to either implement adequate protective security measures or identify consultants who could do it on their behalf.” The Committee reported, “We believe the debate around security standards reinforces the need for owners and operators to be able to identify and engage qualified, experienced and skilled security consultants who will ensure risk assessments (and any subsequent implementation of recommendations) are appropriate and commensurate with the circumstances This standard is a process-based standard of preparation. We can surmise, therefore, that those inquiry participants who preferred a risk-based approach to protective security would support this use of AS/NZS ISO 31000:2009.”
Thanks for the Report – but frankly no change will happen
Whilst the Australian Government rams knee-jerk, politically motivated legislation like the Criminal Code Amendment (Unlawful Showing of Abhorrent Violent Material) Bill 2019 through parliament without ‘any’ oversight and informed consideration, actual calls for legislative reform by Parliamentary committees like these are ignored. The national security system which has the ‘intention’ of protecting Australians is in large parts broken, largely unaccountable, overly complex and politically manipulated. There is little that will change this and if a major terrorist attack is successful on Australian soil, the system is inherently designed to allow the blame game to cycle through again.
This committee focused on preparedness. What should have been the first part is prevention. Australia has prevented a number of terrorist incidents through good intelligence and operational policing, but for the protection of crowded places the focus should be on how CPTED and a risk-based approach are best applied, the legislative frameworks needed to deal with emerging threats (drones, robotics etc.) and how police can be supported by a robust and appropriately regulated security industry.