Asia Pacific Security Magazine, Sept/Oct 2017


THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Sept/Oct 2017

India regains its privacy

Catwalk to tech-talk Kan Tang, Distinguished Technologist, CTO HPE

Infrastructure Resilience Terrorism & the built environment

Navigating the IT landscape of the future

Functional safety in times of rising cyber criminality

Cyber threats to consumers

Building a modern security operations centre

Philippines Connect & Cybersecurity

CYBER FRAUD THREATS TO CONSUMERS

$8.95 INC. GST

PLUS Regional event reviews | Interpol World 2017 Cyber week in Singapore | Philippines Connect and Cyber security


ASIS International Australia Conference 2017

Conference program and registration: www.asisvictoria.org.au/events. Join conference leaders and innovators as they address real issues in security. Avoid disappointment | Register NOW

CivSec 2018 - Civil Security Congress and Exposition, 1-3 May 2018, Melbourne Convention and Exhibition Centre, Australia

Security, safety and sovereignty for the Indo-Asia-Pacific: Human Security | Cyber Security | Law Enforcement | Border Security

www.civsec.com.au - For further information and exhibition enquiries contact the Sales Team. Telephone: +61 (0)3 5282 0500. Email: expo@amda.com.au


Contents

Page 6 - India regains its privacy
Page 12 - A safe and secure Australia
Page 18 - Functional safety in times of rising cyber criminality
Page 30 - Cyber security of assets in the interconnected era
Page 34 - INTERPOL WORLD 2017

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Sarosh Bana, Jane Lo

MARKETING AND ADVERTISING: T | +61 8 6465 4732, promoteme@mysecuritymedia.com

SUBSCRIPTIONS: asiapacificsecuritymagazine.com

Copyright © 2017 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732. E: editor@asiapacificsecuritymagazine.com. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US: www.facebook.com/apsmagazine | www.twitter.com/apsmagazine | www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about | www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

OUR NETWORK: www.australiancybersecuritymagazine.com.au | www.australiansecuritymagazine.com.au | www.malaysiasecuritymagazine.com | www.drasticnews.com | www.chiefit.me | www.youtube.com/user/MySecurityAustralia | www.cctvbuyersguide.com

Correspondents* & Contributors: David Halfpenny, Kevin Riley, Jason Legge, Jane Lo*, Michael Travato, Sarosh Bana*, Dr Alexander Horch. Additional: Matthew Oyston, Kan Tang


Editor's Desk

"We express our deep concern at the test of a “thermonuclear explosive device for an intercontinental ballistic missile” announced by the DPRK on September 3… We cannot but regret the fact the DPRK leadership is creating grave threats to peace and security on the Korean Peninsula and the whole region by its actions" - Statement of the Ministry of Foreign Affairs of the Russian Federation, 3 September, 2017

In firing what is believed to be a Hwasong-12 intermediate-range ballistic missile (IRBM) over the northern islands of Japan, and then detonating a thermonuclear device, causing a seismic reading of M6.3, North Korea is clearly intent on continuing its provocation against military exercises by the US, South Korea and Japan. South Korea has announced deployment of additional THAAD launchers across the country and has shifted military posture to allow for an immediate switch to offensive operations in the event of North Korean hostilities. Australia’s Prime Minister acknowledged “Right now the risk of war on the Korean peninsula is greater than it has been in more than 60 years”.

Alongside this tectonic threat of nuclear war, the Asia Pacific region is showing increasing signs of destabilisation, with significant conflict in the Philippines and Myanmar and border tensions arising between India and China. Monsoon flooding in India, Bangladesh and Nepal also killed over 1,200 people, though it was largely silenced in Western media by Hurricane Harvey, which killed over 50.

The Australian Criminal Intelligence Commission released an unclassified report, Organised Crime in Australia 2017, which (again) verified an unrelenting and increasingly transnational organised crime profile in Australia. The report confirmed that physical geographic boundaries no longer contain criminal networks. The report also concluded: “the two key enabling technologies currently used to facilitate serious and organised crime are virtual currencies and encryption. Virtual currencies, such as bitcoin, are increasingly being used by serious and organised crime groups as they are a form of currency that can be sold anonymously online, without reliance on a central bank or financial institution to facilitate transactions. Darknet marketplaces such as Silk Road 3.0 and Valhalla Marketplace are used to facilitate the sale and trafficking of illicit drugs, firearms, precursor chemicals and child exploitation materials. Australia’s use of darknet marketplaces is expected to grow, given the increasing popularity of online trading and the perceived anonymity such marketplaces provide. Increased availability and ongoing advancement of technology will continue to provide criminals with a diverse range of resources to conduct criminal activity and impede law enforcement investigations.”

In addition, the Second Quarter 2017 State of the Internet / Security Report released by Akamai Technologies shows that distributed denial of service (DDoS) and web application attacks are on the rise once again. Contributing to this rise was the PBot DDoS malware, which re-emerged as the foundation for the strongest DDoS attacks. In the case of PBot, malicious actors used decades-old PHP code to generate the largest DDoS attack observed by Akamai in the second quarter. Attackers were able to create a mini-DDoS botnet capable of launching a 75 gigabits per second (Gbps) DDoS attack. Interestingly, the PBot botnet comprised a relatively small 400 nodes, yet was still able to generate a significant level of attack traffic.

Also of interest, the release of a consultation paper exploring development of an unmanned systems industry strategy highlighted the need in Australia for a corresponding national plan for the rapidly growing sector, according to the Association of Australian Certified UAV Operators (ACUO). Indeed, one may consider that this type of strategy could form the framework to be adopted on a more regional scale. ACUO President, Mr Joe Urli, said “the absence of an explicit national policy framework, direction or strategy for this sector is a significant policy shortfall on the part of all Australian governments and the steps now being taken by Queensland need to be matched at Commonwealth level and in all states. A national strategy would provide a meaningful basis for policy coordination and unmanned systems industry growth.”

In this issue, we cover India’s recent privacy ruling, building infrastructure resilience against terrorism, and the functional safety of production processes in times of rising cyber criminality. We examine cyber threats to consumers, as ransomware attacks increasingly become “preferred” to credit card fraud schemes because of their ease of execution and simplicity of monetisation combined with low risk of attribution. We also have a special and timely interview with Kan Tang, Worldwide Technologist with HPE Software Services, whose role is responsible for the strategy of DevOps in HPE Software Services, now part of Micro Focus. And on that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and, most importantly, engage.

Yours sincerely,
Chris Cubbage CPP, RSecP, GAICD
Executive Editor


Cyber Security

India regains its privacy

By Sarosh Bana, APSM Correspondent

In a sharp rebuke to the Indian government, a nine-judge Constitutional bench of the country’s Supreme Court unanimously ruled that privacy is a fundamental right as it is intrinsic to the right to life and personal liberty guaranteed in Article 21 of the Constitution. By this path-breaking verdict, the apex court bolstered efforts by citizens to legally counter the right-wing Bharatiya Janata Party (BJP)-led government’s moves to mine personal data for putting a mass surveillance system in place, and its rules on personal and public behaviour, speech and expression, and also on individual dietary habits.

Consumption of beef from cows has been curbed by a nationwide ban on their slaughter, with the state of Maharashtra, of which Mumbai is the capital city, also empowering the police to enter homes in search of cow beef. There are no similar curbs on buffalo beef, but the measure has evoked vigilantism where those even suspected of transporting cow beef or having it at home have been thrashed and occasionally lynched. Most such instances have involved buffalo beef.

Vigilantes also intimidate and manhandle those behind posts on social media that they deem critical of the government and its policies. The government too has countered some critics with the severe charges of sedition and of waging war against the state. Much to the consternation of the public, government representatives have at times lauded the vigilantes and have also blamed rape victims, urging sensitivity in attire or in the timings they venture outdoors.

The government lost its argument in the Supreme Court that privacy is a common law right, and not a fundamental right. In its ruling on the sheaf of public interest petitions before it, the highest court overturned past verdicts of its own eight-judge and six-judge benches delivered in 1954 and 1961 that had held that privacy was not protected under the Constitution.

Heeding the argument that the mandated 12-digit unique identification (UID) number called aadhaar has the potential to be a tool of continuous mass surveillance, the court maintained that though information may exist in silos, it has the potential to profile every individual if interlinks are established. It deemed it easy for such personal data to be routed to state surveillance mechanisms through “state and non-state entities” holding that data. A separate litigation against aadhaar is being heard by a five-judge constitutional bench.

Aadhaar is mandated for filing Income Tax returns, and for applying for a permanent account number (PAN), housing subsidy, even death certificates and for booking train tickets. It is also compulsory for opening bank accounts, verifying cellphone numbers, and for a range of services, even supplementary meals at crèches, and for children with disabilities.

The petitioners contended that aadhaar enrolment, which was previously voluntary and then made compulsory and which requires biometric profiling through iris scan and fingerprinting, treats citizens as suspects and seeks their identification rather than their identity. They cite this world’s largest biometrics-based identity programme as one linking sufficient data to facilitate profiling as it can track one’s spending habits, contacts and assets, even trips overseas, apart from other intrusive information. The government had argued that if citizens can be compelled to give blood samples for testing alcohol levels while driving or in criminal cases, they should be ready to surrender their iris and fingerprint scans too. But in its 547-page judgment, the Supreme Court held aadhaar to be a clear violation of its interim order of a year ago that it is voluntary.

Aadhaar is a biometric-based authenticator and a single proof of identity and domicile, but banks, financial institutions and telecom companies can also use it as a customer verification mode and maintain profiles. It is, however, distinct from the U.S.’s nine-digit social security number (SSN) launched in 1936 to ensure benefits and track individual earnings in the social security system. The Internal Revenue Service used it from 1961 to identify taxpayers, just like aadhaar today, prompting the Carter administration in 1977 to halt its use as a national identity document. Neither does the Social Security Administration (SSA) collect fingerprints of SSN applicants, calling this approach undesirable as it was associated in the public mind with criminal activity. The SSA website mentions that an SSN is required to secure a job, collect social security benefits and access some other government services.

Laws and conventions across the world uphold the fundamental right to privacy. The Fourth Amendment of the U.S. Constitution protects that right, while the European Union (EU)’s Data Protection Directive of 1995 protects and regulates the free movement of personal data. The EU is also framing new rules next year for providing citizens lawful control over their personal data. Australia enacted its Privacy Act in 1988 to govern the handling of personal information.

The aadhaar regulation was introduced by the Narendra Modi government in March 2016, though the Prime Minister had vigorously contested it ever since it was first mooted in 2010 by the previous Congress-led government. While Modi had then maintained that the UID programme violated one’s “constitutional right to privacy”, he changed his stance once he became Prime Minister and in a concerted drive, his government has hitherto enrolled 1.12 billion aadhaar holders of the overall population of 1.33 billion.

The BJP-led government came to power on a pledge of “minimum government, maximum governance”. The party had pointed out that India had for decades had “extraordinarily large” governments while ironically the quality of governance had been poor. It had asserted that its leader, Modi, firmly believed that the government's role should be limited to that of a facilitator. However, while the Prime Minister had nominated a Council of 46 Ministers when his government took office in May 2014, he subsequently raised its strength to 61.


Cyber Security

Infrastructure Resilience: Terrorism and the built environment

By Matthew Oyston, Principal, Australia Pacific, Control Risks

The increasing global terrorism threat presents new challenges and concerns for governments, the private sector and communities alike. There are risk-based measures that the public and private sectors should be adopting – particularly in Australia – to address the increased threat environment.

Australia and the rising threat of terrorism

There is no doubt the global terrorist threat has been rising over the past few years. The heat from this threat is being felt more intensely in Europe than in other Western countries; however, Australia is far from immune. We are witnessing a new phase in the Western Islamist extremist terrorism threat. With successful attacks, attempts and foiled plots across the Western world reaching an all-time high in 2016 and the percentage of home-grown terrorist incidents increasing substantially from the early noughties by over three-fold, the threat to the West is a very real concern and one that is continuing to gain momentum.

Figure 1: New phase in Western Islamist extremist terrorism threat (Control Risks, August 2017)

Foreign fighters, returnees and home-grown terrorists

Islamic State’s (IS) so-called “caliphate” in the Middle East has been shrinking for some time; however, we have seen an increase in the number of terrorist attacks as IS continues to transmit its online propaganda calling for more attacks against Western countries. As the coalition reclaims this land, there are concerns regarding the impact these returning fighters will have on the security of the respective countries they seek to settle in. There is no doubt the Australian intelligence services are doing an excellent job of monitoring Australian nationals or dual nationals attempting to return to Australia from conflict zones. However, containing the returning fighters will not remove the threat, as the majority of terrorists that have carried out attacks are resoundingly home-grown.

Figure 2: Recent estimates of European foreign fighters and returnees (Control Risks)

Global increase in unsophisticated attacks

The common modus operandi for the new phase of terrorist attacks has been the unsophisticated attack method of using a vehicle to “mow down” random pedestrians in addition to the use of edged weapons as a secondary attack. The global increase in frequency of these types of low-tech and improvised attacks has also been echoed in Australia, where the use of edged weapons has been prevalent. Australia is equal fourth in terms of the frequency of such attacks during the period 2014 to 2016, behind France, Germany and the USA but ahead of the UK and Belgium, according to Control Risks data. In some instances, terrorists have targeted government facilities and personnel, as seen in Australia with the murder of a Police employee at Parramatta Police headquarters in October 2015, the knife attack against two Victorian Police officers in September 2014 and the foiled attack in 2009 against the military barracks at Holsworthy, Western Sydney. However, the vast majority of the more recent, high profile attacks, as seen in Barcelona, Paris, Nice, Germany and London, have occurred in public, iconic, crowded places (transport, public space, religious, commercial, other) that are deemed softer targets in comparison to restricted government facilities (e.g. government, police, military).

Figure 3: Low-tech and improvised attacks increasing in frequency. Knife and vehicle attacks, total by country, 2014-17 (France, USA, Germany, Australia, UK, Belgium, Spain, Canada, Finland, Sweden; series: Knife, Vehicle). Control Risks, August 2017

Mitigation measures and infrastructure resilience

For Australia to mitigate this increasing terror threat, proactive and reactive measures must be considered. Proactive measures target the source of the issues, including implementing de-radicalisation programmes and increased intelligence sharing domestically and with our international partners, while reactive measures include emergency management training of security personnel and staff, and exercising business continuity plans.

Even with the most vigorous, proactive approach to managing risks, “disruptions” will inevitably occur, and the ability for a development and the built environment to handle these disruptions will be reflected by the level of “infrastructure resilience”. A resilient piece of infrastructure has the capacity and capability to effectively respond to and recover from potentially disruptive factors and events. Infrastructure resilience starts at the feasibility stage of a development. A security risk assessment should be conducted at this stage to identify the key threats, assets to be protected and potential vulnerabilities. This results in a set of identified risks, followed by the creation of a risk treatment plan to reduce the risks to an acceptable level. This risk tolerance level will vary depending on many factors, such as the type of development, stakeholders involved and overall project objectives. If this risk assessment process is not performed at the early phases of a development, then the project is in danger of not integrating key security measures and designing out security vulnerabilities. The mind-set shift is from a “bolt on” to a “built in” perspective. Rather than cobbling together a security solution after the fact (“bolt on”), incorporating a risk assessment process during the embryonic phase of the project allows for a comprehensive security solution to be incorporated within the development design (“built in”).

Figure 4: Islamist extremist terrorist incidents by target category, 2014-17 (Control Risks)

The advantages of adopting such an approach are clear:

Operational: improve levels of security and safety for all users; provide greater synergy between security and the facilities’ aesthetics; more effective and efficient response and recovery.
Reputational: able to attract security-sensitive investors, tenants, visitors and guests; enhance the overall brand.
Financial: reduce insurance premiums; minimise loss and events; reduce expenditure on security operations.

In Australia, there are long-standing prescribed security requirements that government facilities, including critical national infrastructure, must meet as part of the planning process. However, equivalent prescriptive security requirements are not required for private developments. This is of particular concern given the high percentage of attacks on non-government buildings and public places globally.

Protecting crowded places

The Australia-New Zealand Counter-Terrorism Committee (ANZCTC) has recently released a strategy paper – Australia’s Strategy for Protecting Crowded Places from Terrorism. The objective of this Strategy is to protect the lives of people working in, using, and visiting crowded places by making these places more resilient. The paper defines “crowded places” as stadiums, shopping centres, pedestrian malls and major events. It provides guidance around how the private and public sectors can partner to better protect crowded places, underpinned by a new framework termed the ‘Crowded Places Partnership’. The paper also identifies the responsibilities local, state, territory and federal governments bear, from planning approvals, preparing and responding to attacks, intelligence and a range of other aspects. In addition, there is a clear onus of responsibility for owners and operators of crowded places to provide a safe environment.

"Owners and operators of crowded places have the primary responsibility for protecting their sites, including a duty of care to take steps to protect people that work, use or visit their site from a range of foreseeable threats, including the threat of terrorist attack."

This onus includes conducting risk and/or vulnerability assessments, followed by implementing appropriate risk mitigation measures that are monitored and audited on an ongoing basis. Implications for not abiding by this process include personal liability in the event of a breach of obligation by the owner or operator of a site.

Risk-based approach for all developments

Despite this strategy's application being limited to crowded places, a risk-based approach should be applied to all private developments for maximum protection. A robust example of this approach being applied is in Abu Dhabi. The Abu Dhabi Urban Planning Council has produced a Safety & Security Planning Manual with its key purpose being to ensure safety and security are embedded in public and private development proposals. As part of every planning submission, whether public or private, developers or owners must submit a safety and security plan (SSP). This SSP mandates the production of a security risk assessment, which includes a risk treatment plan detailing what mitigation strategies the development is going to incorporate. There is a simple decision support tool (DST) for developers to complete to identify the security category of the project – either low or high priority – with high priority requiring assistance from a security consultant. The SSP also has a strong focus on crowded places and uses eight core principles to mitigate not only terrorism threats but also criminal threats. This approach has been successful in Abu Dhabi, providing government and developers with clear guidance in relation to the security parameters required for every planning submission. This provides certainty of approach and clarity of methodology.

Using the ANZCTC strategy paper as a starting point, Australia should consider applying a risk-based approach similar to the example detailed above to all private developments. This approach should incorporate a DST to clearly identify high priority projects that require a formal risk assessment and, depending on the scale and complexity of the project, the engagement of a security consultant as recommended in the ANZCTC strategy paper for crowded places.

The approach and methodology put forward in the ANZCTC crowded places document provides an excellent foundation for infrastructure resilience. However, until this level of rigour is applied at the planning stage to all new or refurbishment projects, Australia will not be raising its level of collective resilience across the built environment.

www.controlrisks.com


National Security

A safe and secure Australia?

Australians may never have been more insecure By Chris Cubbage Executive Editor

There is a deep divide and disparity between the Australian political message of ‘we will protect you and will keep Australia safe’ and the operational message from police and emergency services of “don’t count on us being there in your greatest time of need – we may not be coming as quickly as you may think.”

On July 18, Prime Minister Turnbull announced: “the Government will establish an Office of National Intelligence, headed by a Director-General, and transform the Australian Signals Directorate into a statutory agency within the Defence portfolio. The Government will also establish a Home Affairs portfolio of immigration, border protection and domestic security and law enforcement agencies. The new Home Affairs portfolio will be similar to the Home Office of the United Kingdom: a central department providing strategic planning, coordination and other support to a ‘federation’ of independent security and law enforcement agencies, including the Australian Security Intelligence Organisation, the Australian Federal Police, the Australian Border Force and the Australian Criminal Intelligence Commission.” This is claimed as the most significant reform of Australia’s national intelligence and domestic security arrangements in more than 40 years. The Prime Minister said, “These reforms are driven by serious threats to Australia’s security and the Government’s determination to keep Australians safe and secure.”

The basis and timing of the reform was the central theme of the Independent Intelligence Review Report 2017, which states, “to provide a pathway to take those areas of individual agency excellence to an even higher level of collective performance through strengthening integration across Australia’s national intelligence enterprise. The aim is to turn highly capable agencies into a world-class intelligence community. The theme of establishing strong, enterprise-level management of the national intelligence community to complement the strengths of individual agencies runs through our recommendations.”

The report continues, “Our national intelligence community is facing imposing challenges that, in our view, will intensify over the coming decade. Some of these challenges derive from new forms of rivalry and competition among states, the threat posed by extremism with global reach, particularly Islamist terrorism, and the implications of accelerating technological change for Australia’s national security outlook. Other challenges reflect the changing nature of twenty-first century intelligence, and especially the new frontiers of data-rich intelligence and the risks to comparative technical advantages.” “Australia’s future security environment will demand greater levels of collaboration across traditional dividing lines and more cross-over points … progress towards this objective will require changes to the co-ordinating structures of our intelligence community, new funding mechanisms to address capability gaps, the streamlining of some current legislative arrangements, and measures to further strengthen the state of trust between the intelligence agencies and the Australian community of which they are part.”

The report also recommends Government transform the Australian Cyber Security Centre (ACSC) to become, “the credible and authoritative voice on cyber security in Australia. The ACSC should aim to pre-empt or respond at speed to incidents and bring a new level of inclusiveness and co-operation with the private sector. It should also drive the development of a nation that is resilient against cyber threats.” The report recommends, “The governance of the ACSC be provided by the current Cyber Security Board chaired by the Secretary of PM&C with its membership increased to include the Director General of the Office of National Intelligence and CEO-level representatives of critical national infrastructure sectors such as telecommunications, health care, financial institutions, other services, energy, water and ports. Private sector members of the Board should undergo appropriate security clearances to allow frank discussions about the ACSC’s capabilities.” This latter recommendation should stand out for its intent of inclusiveness. But it does not account for the cost of, or reimbursement to, these private organisations for the provision of CEO-level representatives. Who is to benefit from whom, and are the costs to be shared?

Global Security PLuS Alliance

A day following the Prime Minister’s reform announcement, the Global Security PLuS Alliance was launched in Sydney. The culmination of research activities between the University of New South Wales, Arizona State University and King’s College London, the morning’s PLuS launch symposium aptly captured the very serious, but more importantly, the very broad nature of the current global security landscape. Presented with a sufficient tinge of Australian context, for the Australian lay-person the threat landscape is not a pretty picture. Amongst the complex natural world, which encapsulates many inherent risks, Australians appear to me complacent, uneducated, ill-prepared and with a growing sense of bigotry and racism, grabbing hold of rising global nationalism and Islamophobia, all occurring within a changing climate where water resources are being depleted and sea levels are rising. Australians, and humans in general, continue to be intent on adding additional layers of complexity and creating wilful threats against this backdrop. Rarely are these all captured in a morning’s session, as they were at the PLuS Alliance Global Security symposium.


Is nuanced debate obsolete?

The Australian Strategic Policy Institute’s Jacinta Carroll commenced with a paper titled ‘Tweeting with Nuance’ and noted, as many are aware, that “information and knowledge is more accessible and avoidable than ever before”. The enduring challenge in counterterrorism is that government and the communities they serve achieve a balance between privacy and security. It has become the populist versus leftist debate. This is unpalatable and unhelpful to a broader and more nuanced debate. The political debate and public consultation is a matter of conceding to opposite positions, rather than achieving a balanced, informed and transparent outcome. With divisiveness, terrorist propaganda becomes a more serious threat facing the country.

In Australia, a terror attack is considered ‘probable’, with five successful attacks and twelve (currently alleged to be thirteen) plots intercepted, including cases of a 15-year-old Sydney girl sending money to help facilitate the Islamic State and the arrest in Canberra of a man providing highly technical assistance to the Islamic State. Over 100 Australians have become jihadists, with 40 having returned home and 70 killed in combat. There are 200 active investigations underway.

As Jacinta Carroll highlighted, “the largely overlapping and over tractable issues can quickly accelerate and suddenly appear overwhelming, as if we are trying to achieve world peace. There is no simple cause and effect. Radicalisation is a process, yet, it is a single narrative and is self-reinforcing. Though it is not a simple process. It involves ongoing nurturing and management. This is what terrorism is all about, propaganda.” When established, Islamic State created a formal information headquarters as one of its first steps. Yes. This included ‘men sitting around tables and brainstorming on white boards.’ They then drafted and pushed this propaganda out online and continue to support the message by using bloggers in different languages and cultures. They create a product suited to the target market, targeting all Muslims, all migrants and anyone prepared to listen and engage. The ideology is based on an image of a war being waged against the West and in support of an oppressed ideology. Jacinta confirms, “We need to be aware of how terrorist groups use information. We need to understand the propagandists are trying to control the narrative. They don’t have to tell the truth and they don’t have to be accountable. This is the reality of the divide between propaganda and populism.”

An example? The debate which occurred around end-to-end encryption: an extremely important and topical issue. The leading news story and the standard debate was that the Australian Government is seeking a backdoor, whilst there remained a lack of nuanced understanding. The issue is not an open and shut case, with many complexities, rule of law and jurisdictions to consider before getting to the technical elements. Many of these issues simply weren’t discussed or sufficiently canvassed. There remain serious issues to deal with, and global security issues are always complex and too much for commentary to fit into a 140-character tweet. Twitter posts are not effectively dealing with the issue and only drive populist rhetoric.

Research of 112 cases of convicted terrorists in the USA found that of the supporters of Islamic State, 83 per cent were American citizens. Thirty per cent of those charged in the last three years were converts to Islam and not originally from the Muslim community. Theirs was not a religious conversion; they were people converted by the link to the extremist ideology, who succumbed to the propaganda. Jacinta concluded, “Whilst we should be celebrating complexity, it is incumbent on security professionals and researchers to engage and help to understand the essence of these serious issues and articulate how they should be understood and interpreted.”

Jacinta Carroll, Australian Strategic Policy Institute

Dr. Luca Vigano, Professor in Computer Science

Intertwining human and technical factors in cybersecurity

Dr. Luca Vigano, Professor in Computer Science (Software Modelling and Applied Logic) at King's College London, gave a highly engaging presentation with a focus on formal methods for the human dimension of cybersecurity. By applying mathematics over the last 40 years, the world has been experiencing a digital revolution. The contrasts of technology are self-evident.
It has led to cyber-hijackers possibly being able to gain access to and control of a plane, but also to a worthwhile technical capability should authorities want to take control of a plane that has been hijacked. The same grapple with technology is occurring with drones, with the controlling capability demonstrated by Department 13. When considering the disparity between developers and users, Dr. Luca Vigano refers to the human aspects of cybersecurity, referring to Shakespeare’s only use of the word ‘security’, in Macbeth, Act 3, Scene 5, where the term actually implies ‘over-confidence’. The inherent human reaction to ‘security’ has been observed and studied before. Users are like water, seeking out the path of least resistance. References include Nietzsche’s Turkish fatalism, which is the attitude of resignation in the face of some future event or events which are thought to be inevitable; thereby adherence to security requirements is seen as irrelevant and unnecessary. At the other end of the spectrum is Freud’s fiction of omnipotence, defined as the ‘infantile concept of reality’, in which one expects all of one's wishes to be instantly gratified. This translates to those who will bypass or disregard security requirements in favour of convenience.

Dr. Vigano highlighted that the cybersecurity threat is real for everyone, be it the Heartbleed bug, WannaCry or, as recently, the Australian Medicare data breach. The solution is either to unplug and power down computers, or to continue working on creating formal validation methods that are traceable, provable and transferable. Heartbleed, for example, remains a serious vulnerability in OpenSSL, the most popular open source cryptographic library and TLS (Transport Layer Security) implementation used to encrypt traffic on the Internet. It allows the stealing of information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

There are validation tools available. The AVANTSSAR project (Automated Validation of Trust and Security of Service-oriented Architectures) developed a validation platform and ASLan++, the first formal language for specifying trust and security properties of services, their associated policies, and their composition into service architectures, at both the communication and application level. This allows automated techniques to reason about services, their dynamic composition, and their associated security policies into secure service architectures. Migrating project results to industry and standardisation organisations will speed up the development of new network and service infrastructures, enhance their security and robustness, and increase public acceptance of emerging IT systems and applications based on them. Other validation tools include ProVerif, a tool for automatically analysing the security of cryptographic protocols; support is provided for symmetric and asymmetric encryption, digital signatures, hash functions, bit commitment and non-interactive zero-knowledge proofs. The Tamarin prover is a security protocol verification tool that supports both falsification and unbounded verification in the symbolic model.
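The Heartbleed defect described above comes down to a single missing length check in the implementation, a layer below the protocol logic that symbolic verifiers such as ProVerif and Tamarin reason about: the TLS heartbeat protocol is sound, the code that parsed it was not. The C program below is an added example written for this page; it is not OpenSSL's code and not part of the presentation. It models a simplified heartbeat record (the layout is assumed, modelled on the TLS heartbeat extension: a type byte, a two-byte big-endian payload length, the payload, then padding) and places the "before" handler, which trusts the peer's declared payload length, beside the "after" handler that validates it against the bytes actually received. The memory image, the record and the "SECRET" bytes standing in for adjacent process memory are all constructed inside the block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (layout assumed for this example; not OpenSSL code):
 *   byte 0: message type (1 = request); bytes 1-2: declared payload length,
 *   big-endian; then the payload, then at least 16 bytes of padding. */
#define HB_TYPE_REQUEST 1
#define HB_HDR_LEN      3
#define HB_PAD_LEN      16

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* "Before": echoes as many bytes as the peer DECLARED. rec_len (bytes actually
 * received) is never consulted, so an over-declared record makes memcpy read
 * past the record into whatever memory follows it. Returns bytes echoed. */
size_t heartbeat_echo_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug: never validated */
    uint16_t declared = read_be16(rec + 1);
    if ((size_t)declared > out_cap)                 /* guards only the destination */
        return 0;
    memcpy(out, rec + HB_HDR_LEN, declared);
    return declared;
}

/* "After": header + declared payload + padding must fit inside the record
 * actually received; anything else is silently discarded (returns 0). */
size_t heartbeat_echo_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN || rec[0] != HB_TYPE_REQUEST)
        return 0;
    uint16_t declared = read_be16(rec + 1);
    if ((size_t)HB_HDR_LEN + declared + HB_PAD_LEN > rec_len)  /* the missing check */
        return 0;
    if ((size_t)declared > out_cap)
        return 0;
    memcpy(out, rec + HB_HDR_LEN, declared);
    return declared;
}

/* ---- constructed scenario: no real traffic, no real secrets ---- */
#define REC_LEN   5    /* bytes the peer really sent: 3-byte header + "hi" */
#define IMAGE_LEN 64   /* that record plus the memory that happens to follow it */

/* Memory image: a 5-byte record claiming a 40-byte payload, followed by
 * constructed bytes standing in for adjacent process memory. */
static void build_image(uint8_t image[IMAGE_LEN])
{
    memset(image, 'X', IMAGE_LEN);
    image[0] = HB_TYPE_REQUEST;
    image[1] = 0x00; image[2] = 0x28;              /* declared length = 40 */
    image[3] = 'h';  image[4] = 'i';               /* the only payload sent */
    memcpy(image + REC_LEN, "SECRET", 6);          /* constructed stand-in */
}

/* Bytes the unchecked handler echoed beyond the 2-byte payload the peer sent,
 * provided the constructed "SECRET" bytes are among them; 0 otherwise. */
size_t unchecked_overread_bytes(void)
{
    uint8_t image[IMAGE_LEN], out[256];
    build_image(image);
    size_t n = heartbeat_echo_unchecked(image, REC_LEN, out, sizeof out);
    if (n < 8 || memcmp(out + 2, "SECRET", 6) != 0)
        return 0;
    return n - (REC_LEN - HB_HDR_LEN);
}

/* Reply length of the checked handler for the same over-declared record. */
size_t checked_overdeclared_reply_len(void)
{
    uint8_t image[IMAGE_LEN], out[256];
    build_image(image);
    return heartbeat_echo_checked(image, REC_LEN, out, sizeof out);
}

/* Reply length of the checked handler for a well-formed record carrying "hi". */
size_t checked_valid_reply_len(void)
{
    uint8_t rec[HB_HDR_LEN + 2 + HB_PAD_LEN] = {0}, out[256];
    rec[0] = HB_TYPE_REQUEST;
    rec[1] = 0x00; rec[2] = 0x02;
    rec[3] = 'h';  rec[4] = 'i';
    return heartbeat_echo_checked(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("unchecked: %zu bytes of adjacent memory echoed\n", unchecked_overread_bytes());
    printf("checked: over-declared -> %zu bytes, well-formed -> %zu bytes\n",
           checked_overdeclared_reply_len(), checked_valid_reply_len());
    return 0;
}
```

The checked handler follows the shape of the OpenSSL 1.0.1g fix, which discards any heartbeat whose declared payload plus padding would not fit in the record received instead of trusting the length field; the general lesson is that every length carried inside a message is attacker-controlled input and must be bounded by the number of bytes that actually arrived before it is used to index memory.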
Maude-NPA is an analysis tool for cryptographic protocols that takes into account many of the algebraic properties of cryptosystems that are not included in other tools. These include cancellation of encryption and decryption, Abelian groups (including exclusive-or), exponentiation, and homomorphic encryption. As Cyber Physical Systems grow exponentially with the Internet of Things, made up of sensors, actuators, controls, cryptography and humans, the components require differential equations, not just logical models. Security is interdisciplinary and there must be a joining of forces to achieve it. With socio-technical systems, users may perceive security as a burden and thus choose to ignore it or to bypass it.

Anti-Terror Law Creep

George Williams, Dean of Law for the University of New South Wales, highlighted that prior to September 11, 2001, Australia did not have ‘any’ terrorism-related laws. But the country has since developed a body of law in response to ‘The War on Terror’. At the time, these laws were seemingly intended to be short-term, transient and not to be with us for a long time. Yet, after 15 years of war, it hasn’t worked out that way. Having been introduced as a series of measures that is far from transient, these laws have now taken


on a feeling of permanence. What was exceptional is now becoming normal. In reality, these laws have become a long-term change in how we are governed and have significantly reshaped Australia with a broad range of policy and legal outcomes. Law is often ill-calibrated and ineffective when used to combat terrorism. This is despite a relatively lower threat prior to 2011, previously measured as low, medium and high, with Medium then formally defined as simply ‘a medium risk’. Australia went from having no anti-terror laws to now having sixty-six separate statutes dealing with anti-terrorism activities. Between 2001 and 2007, forty-eight anti-terror laws were passed, an average of one every 6.5 weeks, amounting to hundreds of pages. Never has Australia gone through such a sustained period of hyper-legislation. The cycle has been: a successful attack provokes a political reaction and a new law. Some of these laws were entered into Parliament and passed on the same day, often with full bipartisan support and expedited measures. There has been limited opportunity to scrutinise, and for legal engagement on, laws that are extraordinary in scope. Now, politicians have run out of sensible things to do, and without a clear criminal definition of terrorism, this empowers authorities to pick and choose how and to whom the powers of these laws apply. Some of the laws allow ASIO and the AFP to arrest someone without charge who is not even a suspect. They can be forced to read a ‘script on arrest’ to advise family members that they are okay but cannot disclose where they are or why they have gone away. Other laws have allowed all Australians’ metadata to be captured, and recently the Australian military has been empowered to assist police in terrorism operations. These are extraordinarily broad legal powers and go as far as stripping citizenship, mandatory metadata retention and jailing journalists for 10 years.

It is largely accepted that the community demands action and politicians are responding with ‘vote for me and we will keep you safe’; yet consider Alexander Hamilton, who in 1787 said: “Safety from external danger is the most powerful director of national conduct. Even the ardent love of liberty will, after a time, give way to its dictates. The violent destruction of life and property incident to war, the continual effort and alarm attendant on a state of continual danger, will compel nations the most attached to liberty to resort for repose and security to institutions which have a tendency to destroy their civil and political rights. To be more safe, they at length become willing to run the risk of being less free.” Without a national bill of rights, Australia has not been limited in the extent of how far Government can go, and there are no obvious legal limits to how far these laws can continue to go. Some 60 per cent of Australians believe that they have a bill of rights and many even believe they can claim the 5th Amendment, an indication that Australians watch too much American television. The anti-terror laws are also creating rifts and division in the community and are potentially fuelling terrorist recruitment and the alienation of young men by inferring that they are not welcome. The law is the front line, with $13 million spent on Countering Violent Extremism (CVE) and community-building strategies compared to the billions of dollars spent on coercive counter-strategies. We can focus too much on the law, and often the law is ineffective as a deterrent to terrorism; we need to be more holistic and nuanced. The question should be asked whether our own strategies are fuelling more terrorism.

The Independent Intelligence Review Report 2017 determined that the warrant thresholds across the various Acts, in particular the ASIO Act, Intelligence Services Act and the Telecommunications Interception Act (TIA), each employ slightly different tests. The Parliamentary Joint Committee on Intelligence and Security has recommended the TIA, which it considered to be “so complex as to be opaque in a number of areas”, be comprehensively reviewed. There are twenty different thresholds that can cause uncertainty for agencies in the performance of their responsibilities. Furthermore, frameworks to protect the disclosure of sensitive capabilities in legal proceedings are coming under pressure due to the increasing use of evidence derived from such capabilities. The review recommended a comprehensive review of the legal framework under which Australia’s intelligence agencies operate. Such a detailed and comprehensive review and re-evaluation of the legislative framework would help to harmonise and modernise the legislation that establishes and confers powers on Australia’s intelligence agencies and the major independent oversight bodies. Such a review would be a significant, complex and lengthy undertaking requiring thorough and in-depth examination, analysis and assessment of the current legislative framework and the interaction between various component Acts (6.9 – 6.11).

Professor Raina MacIntyre, Head of School and Professor of Infectious Diseases Epidemiology

Associate Professor Brian Gerber

Professor Anthony Burke, UNSW Canberra


Conflict, Ethics & Security Governance

Professor Anthony Burke, UNSW Canberra, presented on Violent Conflict, Ethics & Security Governance. With global manifestations and global causation, such as the links between the Syrian war and climate change, there is a need for understanding of the processes that overwhelm the national security approach. There is a distinct need for a global security perspective: how global ethics, law and institutional action and capacity play key roles, as well as influences, and how the collective security system of the 20th century has failed us. Indeed, we are even less prepared for the 21st century. Professor Burke outlined three key principles: global security responsibility, future security responsibility and the categorical imperative of security. To secure nation states, the world must be secured as well. Yet we do not have a long-term horizon in public policy.

DURC - Dual Use Research of Concern

Professor Raina MacIntyre, Head of School and Professor of Infectious Diseases Epidemiology, presented on the ‘threat’ and ‘risk’ of infectious diseases and Dual Use Research of Concern (DURC). DURC is research that can benefit humankind but can also result in harm to humankind. Research areas within science and technology include biology, computing and artificial intelligence (AI). DURC has been controversial since 2011, when scientists sought to publish methods for engineering an avian influenza virus to make it contagious to humans. Harm from infectious diseases research can generally occur by two mechanisms: a laboratory accident or a deliberate release. The risk of an unnatural pandemic is far greater than a natural one. There is often concern raised over terrorists becoming biologists, yet there should be more concern over a biologist becoming a terrorist. Today, there are Do-it-Yourself (DIY) labs that can create new threat vectors, there are insect-sized drones, and biology is at or near the stage where specific bio-hazards can be created for specific people and delivered in a covert or subverted manner. The creation of precision medicine will enable precision harm. The Dark Web could also begin to be used as a nuanced way of looking for what is being sold and who may be seeking to buy. The market is global and therefore unable to be contained with a localised strategy. Despite this, agencies who are essential first responders continue to work in vertical systems. The silo approach is no longer appropriate or suitable.

Climate Change, Natural Disasters and Conflict

Associate Professor Brian Gerber presented on natural disasters and conflict, with consideration of natural disasters as a causative factor in violent conflict. With limited scale and duration of incidents, these natural events often do not give rise to social unrest. The populations affected do not treat these events as a governance failure, and anti-social behaviour (ASB) does not tend to occur. Only limited cases of unrest have occurred, and those had specific antecedent conditions that gave rise to conflict. However, the disruption can tend to weaken critical institutions where there is resource scarcity, and disruption creates a strategic opportunity for those seeking to challenge or replace a governing regime. There is limited empirical assessment, with Nel and Righarts (2008, ISQ) finding an increase in risk and Omelicheva (2011, Intl Interactions) finding that disasters do have a small effect in a narrow range of settings, but with a less robust relationship, and are likely to occur more so where prior instability existed. There can be acute disruption and chronic disruption. Acute disruption can be temporally and spatially discrete, whereas chronic disruption can have problem tractability issues and be temporally and spatially diffuse, a less tractable set of circumstances. Global climate change is therefore likely to be a chronic disruption and therefore a catalyst for an increase in natural hazards, and represents a catalyst for civil unrest and violent conflicts, with international and national systems unprepared. A 2015 US Department of Defense assessment found that climate change can lead to intra- and interstate migration and other adverse effects on security. Extreme weather events create substantial demands on response resources for disaster relief, rising sea levels create risk to ports and navigation systems, and decreases in Arctic ice create new shipping lanes. The Arab Spring and Climate Change (2013) was linked by the Centre for American Progress. Their report from The Centre for Climate & Security made direct linkages between changing climate and the social unrest in Syria, Egypt’s food shortage due to a drought in China (hazard globalisation) and an immigration crisis in Europe with water scarcity in the Middle East and North Africa, with further projected vulnerability foreseen. Climate change is therefore likely to be a catalyst for food shortages, water scarcity, and dislocating populations with a climate change diaspora.

Conclusion

It is therefore important to see how these global security changes are being managed by Australian defence, security intelligence, emergency, health and law enforcement agencies. The time to be collaborating was yesterday, and it must include collaboration with state police counterparts and local governments. In turn, Australians must be asking how the national and state public fabric overlays the private cyber-physical security sector. The author submitted that we should start with a Green Paper, discussing how all this should fit together, or providing the road map for the 'collaboration' so often called for and talked about, but so often missing or seen as too difficult. Concerns that 'politics' continues to drive the 'security' agenda indicate that it is largely outside of the strategic and operational control of these agencies. A complex and interdependent public safety domain is one of the greatest importance and worthy of continued, robust discussion and full transparency. A nuanced approach is the best way forward – and well worth tweeting about!




Women in Security

Catwalk to tech-talk Insights with Kan Tang, Distinguished Technologist and Worldwide Chief Technologist for DevOps, HPE Software Services

Kan Tang CTO, HPE Software Services WW DevOps

By Kan Tang CTO HPE Software Services, WW DevOps & Chris Cubbage Executive Editor

18 | Asia Pacific Security Magazine

I

I am the kind of person who loves to learn, but when I have learned something I want to move on to the next challenge. I commenced my technology career in coding, as an Application Developer, and moved on to become an Application Architect, then Solution Architect. This allowed me to be increasingly exposed to IT operations. With a desire to balance my knowledge between Dev and Ops, I moved to a project with Sabre Airline Solutions, one of the world’s largest airline suppliers, and worked on the operational side of their business. This involved configuring network interfaces, IP addresses, network security, firewalls, load balancers, Disaster Recovery, proxy servers and so on, which provided a greater sense of what operations are about.

It has been a benefit to start out as a Coder and Application Developer. In DevOps, if you want to maintain some credibility, you still need to be somewhat hands on. You have to get your hands dirty, otherwise you’re just talk. I worked on a lot of heavy duty Java applications early on, including with American Airlines, General Motors, Adobe, Disney, FedEx Office, Delta Dental, Shell and US National Veterans Healthcare, each in a different industry.

In my early career, I spent most of my time in technology, but I realised that a lot of inefficiencies are actually in the processes. When I was at FedEx Office, I was involved with Agile software development and took the role of Master of Scrum Master for their Agile transformation. I learnt a lot of the ‘good and bad’ of software development, testing and operations, as well as people and team dynamics. It is a challenge to keep the team focused, innovative and working together, with different personalities and the hierarchy of the organisation, including working with the senior level executives.

I then worked for Disney, as a Lead Chief Technologist, and assisted in the build of a $1 billion system, called Disney NextGen Experience (NGE) using Magic Band, with a focus on designing for the Media group. The system was architecturally challenging, with multiple programs, and we used HPE Fortify for the code scanning. The Magic Band is effectively the key to the kingdom and can be used for all transactions, be it to access your hotel room, make purchases, as well as set up the allowance for your kids. For the Media Group, we were designing how to use the band to link to guests’ media, which include photos, videos and eBooks. As you tour Disney and have a photograph/video taken, you can access it immediately from your mobile apps, or within the minute can walk into a view station, see your media, as well as do editing including rotations, black and white, cropping and adding Disney Characters to your photos.

When we evaluated these use cases, we asked: what are the security risks surrounding this? At the beginning, being the Media group, some asked: what has this got to do with security? However, the architecture leadership team determined that these media are the company’s most important Intellectual Property that can be stolen or manipulated. Or, by an attack such as a SQL injection attack, you can manipulate the resolution. The images were able to be displayed in low, medium and high resolutions, with the high-resolution images requiring to be purchased. We would only allow the low-resolution for guests to choose their preferred images. But by SQL injection or with a privacy violation, with this level of access you could allow free downloads or downloads of other guests’ images. This type of unauthorised access could be used for all kinds of nefarious things. So, the DevOps team ensured they were conducting code scans and checking the code for these types of vulnerabilities. Identifying and accepting these types of ‘user’ behaviour risks was a cultural change for the team to appreciate the wider risks involved.

This is where HPE Fortify allows architectural teams to build, test and verify the code, often multiple times, to truly force the team to meet security requirements, as part of the build process and throughout the pipeline. The automation captures code vulnerabilities earlier and makes sure the fixes are made before verification. We have successfully launched Disney NGE with an enormous impact on the guest experience. When the NGE launched, millions of Disney guests enjoyed online editing of their photos and kept their precious memories with Disney characters that they customized to their own photos.

Industry has not put enough focus on Application security. Gartner Maverick Research found that 84 per cent of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1. This is confirmed by Forrester’s recent research, which also determined that security pros should be alarmed at the growth in breaches
through web apps, which rose from 7 percent in 2015 to 40 percent in 2016. Another area that is often lacking is identifying the security non-functional requirements of new applications. In a security context, culturally, people are often not attuned. They may be a developer who is in a different mindset: they have enough to do and focus on, so can’t be thinking about the broader security context that the application relates to. Security is also often seen as ‘the police’ who are there to stop innovation or creativity, and so don’t get invited early in the DevOps process, as they are viewed as not being needed, yet. It is a cultural aspect of the industry to exclude security. From a skill set perspective, there are a lot of developers who understand functional requirements; they understand non-functional requirements from performance and scalability aspects, but a lot of them ‘don’t know what they don’t know’, and that is they don’t understand the Application security part. I see it is very weak in the industry and it is a huge opportunity to really understand the non-functional security requirements that need to be captured at the beginning of DevOps projects.

Figure: Our Solution: HPE Enterprise DevOps Operating Model

Diversity and Mentoring

I’ve now been with HPE for 17 years and have worked mainly in the services role, often with a client for two years, working on their projects from beginning to end, and then moving on to the next account. Now I’m in a worldwide role in the DevOps space and find I’m not as project focused, travelling extensively for the face-to-face contacts. Still, nothing can replace the face-to-face relationships. I’ve found that the higher you go, the fewer females there are, so I’m one of very few females in the CTO role. I’m very blessed to have a leadership group which supports my development, including the opportunity to attend the
Harvard Business School Leadership Programme. This is where I learned about strategy. Working with Harvard Professors, there were two key things I learned. First, what strategy is: three basic elements, Objective = End goals; Scope = Domain; Competitive Advantage = Means. These three areas you have to get very clear, so you have a full understanding of the state of play. The second thing I learned is to have passion for customers. This involves thinking on behalf of customers, having their long-term goals and perspective in mind, and also responding to customers quickly. This doesn’t have to be providing an immediate answer, but acknowledging their question and keeping them informed as you undertake to provide it to them.

I am involved with mentoring, including mentoring many women in IT. I mentor not just HPE personnel but also external women in IT across the world, and this is both formal and informal. Mentorship is a bi-directional relationship. People often say: find a mentor so you can excel. I always believe when you excel, you will find a mentor, because people like to invest in people with future potential. In my early career, I decided to follow people with integrity, competency and energy regardless of their level or title. That was the best decision I have ever made in my career. Those people I called mentors made me who I am today.

I had a very unusual career change. Many years ago, while I was at College, I did five years of professional modelling, and so I wrote a paper on LinkedIn, ‘My Journey from a Fashion Model to a Chief Technologist’, to provide insight and my personal experience for those who transition into technology from other careers. I am very fortunate to be mentored by many senior leaders and this helps me get guidance on my own career aspirations. One valuable lesson I learned from my mentors is the bigger the challenges, the bigger the opportunity, the bigger the learning. As long as I’m learning, I will always welcome the next challenge. As it happens, as at September 1, 2017, HPE Software will formally transition to be Micro Focus. I’m looking forward to this business challenge and the opportunities the transition brings.

Kan Tang, CTO, HPE Software Services WW DevOps

As a DevOps CTO of Software Services, Kan is responsible for the strategy of DevOps in HPE Software Services through a deep understanding of customers’ challenges and business requirements, the market, the industry trend, competitive landscape, HPE & HPE Software strategy and software services portfolios. She contributes to thought leadership via internal and external presentations, webinars, blogs, and social media. She actively participates and represents HPE in HPE-sponsored and industry events. She has won many awards such as the “Distinguished SE” Award, GM CIO Supplier Award, Global Diversity Pacesetter Award Nominee, Outstanding Contribution to Disney NGE Award, One PS Award worldwide winner, Debut of the Year worldwide winner, world-wide Leadership Star Award, Innovators at Heart and many Client Service Awards. She also won several innovation awards at HP TechCon. She was invited as a guest speaker at the Korean CIO Forum for DevOps in 2016 and Keynote Speaker on Secure DevOps at the Australia Government Summit in 2017. She graduated with a Bachelor of Engineering degree in Electrical Engineering, and a Master of Science degree in Computer Science from Rensselaer Polytechnic Institute, NY, US. She recently graduated from the Harvard Business Leadership Program. She was a musician and a track & field athlete. She is interested in IoT, 3D printing, Forensic Science, Media & Entertainment and psychology. She enjoys reading, writing, teaching, sports and activities to support women in technology.
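The SQL injection risk described in the interview above, the resolution tier being the only thing standing between a guest and a paid or someone else's image, is easy to reproduce in a few lines. The following is an added example written for this page, not Disney's code and not anything HPE Fortify produces: a sqlite3 model with an invented `media`/`purchases` schema and constructed sample rows, showing the string-spliced lookup beside a version that allow-lists the tier, binds parameters and checks purchases server-side. Treating the medium tier as paid is an assumption of the example.

```python
"""Constructed example: guest media lookup before and after SQL injection defences.

Schema, table and column names are assumptions made for this example; the
data below is constructed, not real guest media.
"""
import sqlite3

SCHEMA = """
CREATE TABLE media (
    id INTEGER PRIMARY KEY,
    guest_id TEXT NOT NULL,
    resolution TEXT NOT NULL,
    url TEXT NOT NULL
);
CREATE TABLE purchases (guest_id TEXT NOT NULL, media_id INTEGER NOT NULL);
"""

# Constructed sample data: two guests, each with a low-res and a high-res copy.
ROWS = [
    (1, "guest-A", "low", "/media/a-low.jpg"),
    (2, "guest-A", "high", "/media/a-high.jpg"),
    (3, "guest-B", "low", "/media/b-low.jpg"),
    (4, "guest-B", "high", "/media/b-high.jpg"),
]

FREE_TIERS = {"low"}
PAID_TIERS = {"medium", "high"}   # assumption: medium is paid, like high


def make_db():
    """In-memory database with the constructed rows; guest-A has bought photo 2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO media VALUES (?, ?, ?, ?)", ROWS)
    conn.execute("INSERT INTO purchases VALUES ('guest-A', 2)")
    return conn


def fetch_media_vulnerable(conn, guest_id, resolution):
    """'Before' version: request values spliced into the SQL text.

    The tier rule lives only in the WHERE clause, so whoever controls the
    `resolution` (or `guest_id`) string can rewrite the clause and receive
    every row, including other guests' high-resolution files.
    """
    sql = (f"SELECT url FROM media WHERE guest_id = '{guest_id}' "
           f"AND resolution = '{resolution}'")
    return [row[0] for row in conn.execute(sql)]


def fetch_media_hardened(conn, guest_id, resolution):
    """'After' version: allow-listed tier, bound parameters, server-side purchase check."""
    if resolution not in FREE_TIERS | PAID_TIERS:
        raise ValueError("unknown resolution tier")
    rows = conn.execute(
        "SELECT id, url FROM media WHERE guest_id = ? AND resolution = ?",
        (guest_id, resolution),
    ).fetchall()
    if resolution in FREE_TIERS:
        return [url for _, url in rows]
    # Paid tiers: only items this guest holds a purchase record for are returned,
    # decided from the database rather than from anything in the request.
    bought = {mid for (mid,) in conn.execute(
        "SELECT media_id FROM purchases WHERE guest_id = ?", (guest_id,))}
    return [url for mid, url in rows if mid in bought]


if __name__ == "__main__":
    db = make_db()
    print("guest-A low:", fetch_media_hardened(db, "guest-A", "low"))
    print("guest-B high (unpurchased):", fetch_media_hardened(db, "guest-B", "high"))
```

A code scanner flags the first function because request data reaches the query text; the second is what the scanner is steering the team towards, and note that parameter binding alone would not have been enough, since the "only low resolution is free" rule also has to be enforced in code rather than inferred from the URL the client asked for.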




Cyber Security

Functional safety in times of rising cyber criminality

Every production process has inherent risks. Cyber criminality is now one of these risks. To achieve the greatest possible degree of safety and security in production processes, it is extremely important for enterprises in the process industry to implement effective separation of their process control and safety systems, as required by standards for functional safety and cyber security. After all, a lot is at stake: the safety of employees, assets of the company and the environment.

By Dr Alexander Horch, head of the R&D and Product Management business area at HIMA Paul Hildebrandt GmbH.

Asia is the manufacturing factory of the world. Plus, because of all the incoming investment and the establishment of high value manufacturing operations by MNCs, the advent of the Industrial Internet of Things in Asia is gaining ground. More businesses in the industrial sectors are leveraging the technology of digitalization for their manufacturing processes. Indeed, as manufacturing and trading volumes rise, cross border digital data transfer is increasing. There is no doubt that technology brings progress, but on the other hand there are also serious security concerns arising from the fact that, as Asia becomes more connected digitally, it is becoming more open to cyber-attack. However, Asia is under-performing in the area of cyber security as compared to North America and Europe. A recent study found that most breaches never became public and that discovery time on average is 520 days, against a global average of 146 days. Industry analysts believe that the reasons for this trend are low awareness of cyber security, a lack of regulations and enforcement, and, even where a security framework is in place, companies implementing security measures haphazardly rather than taking a holistic view. Thus, Asia is fast becoming the ideal environment for cyber criminals.

Criminals will and have targeted high-value assets like plants and factories using more sophisticated and innovative ransomware. On top of locking up data, demanding a ransom, and threatening to release sensitive information, criminals have also developed an additional capability to find more lucrative and vulnerable individual targets in companies to enhance the chance of victims paying up. Recently, big companies like Hitachi, Nissan, Renault and Honda were targeted by cyber criminals. Honda was forced to stop production at its Sayama plant near Tokyo after finding the WannaCry ransomware in its computer network. The virus had infected networks across Japan and China, despite efforts to secure the systems. Nissan and Renault also stopped production at plants in Japan and India because of WannaCry. WannaCry had infected companies that were using aging technology and outdated software. Therefore, as the manufacturing industry in Asia embarks on a journey towards digital transformation, the management staff must be aware of the risks the region faces and take the appropriate action to build robust and secure networks and systems.

Rising risk of cyber attacks

At least since the attack by the Stuxnet virus on an industrial controller in 2010, we know that industrial systems are also vulnerable and are attractive targets for cyber attacks. In the last five to 10 years, the risk of cyber attacks on industrial systems has risen significantly due to increasing digitalization. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety. System operators must be aware of these risks and actively address them. This can be done by means of various systems and measures to increase cyber security. Unlike functional safety systems, which are mainly intended to protect people, these systems and measures protect technical information systems against intentional or unintentional manipulation and attacks intended to disrupt production processes or steal industrial secrets. Due to the conditions mentioned above, safety and security have become closely meshed topics. Cyber security plays a key role, particularly for safety-oriented systems such as those in the process industry, because it forms the last line of defense against a potential catastrophe.

To better understand the interaction of safety and security, it is helpful to clarify several terms. There are numerous definitions of safety. However, a general definition is that safety is the absence of danger. This means that a condition is safe when there are no prevailing hazards. It is frequently not possible to eliminate all possible risks, especially in complex systems, so people in the industry often say that safety means the absence of unacceptable risks. Reducing risks to an acceptable level is the task of functional safety. This means that the safety of an application depends on the function of a corresponding technical system, such as a safety controller. If this system fulfills its protective function, the application is regarded as functionally safe. This can be clarified by the following example: If oil is flowing out of a pipeline and endangering people in the vicinity, that is a safety issue. If a system cannot prevent icing in a pipeline, even though that is exactly its task, and a critical situation subsequently arises, that is a functional safety issue. Functional safety systems protect people, facilities and the environment. For example, they start up or shut down systems when hazardous situations arise suddenly and people do not respond or are not able to respond, or when other safety precautions are not adequate. Functional safety systems are intended to prevent accidents and avoid costly or undesirable downtime of equipment or systems.

Separate safety layers reduce risks

Enterprises in the process industry are becoming increasingly aware of the importance of relevant standards for the safety and profitability of their systems. The IEC 61511 standard for functional safety clearly defines the best way to reduce the risk of incidents and downtime. It prescribes separate safety layers for control and monitoring, prevention and containment, as well as emergency measures (see Figure 1). Each of these three layers provides specific functions for risk reduction, and collectively they mitigate the hazards arising from the entire production process. IEC 61511 also prescribes independence, diversity and physical separation for each protection level. To fulfill these requirements, the functions of the different layers must be sufficiently independent of each other. It is not sufficient to use different I/O modules for the different layers, because automation systems are also dependent on functions in I/O bus systems, CPUs and software. To be regarded as autonomous protection layers in accordance with IEC 61511, safety systems and process control systems must be based on different platforms, development foundations and philosophies. In concrete terms, this means that the system architecture must fundamentally be designed so that no component can be used simultaneously at both the process control level and the safety level.

Standards define the framework

Compliance with important international standards is necessary in the design, operation and specification of safety controllers. The first of these is IEC 61508, the basic standard for safety systems, which applies to all safety-oriented systems (electrical, electronic and programmable electronic devices) in all industry sectors. The previously mentioned IEC 61511 standard, which is derived from the basic standard, is the fundamental standard for the process industry and defines the applicable criteria for the selection of safety function components. The IEC 62443 series of standards for IT security in networks and systems, which effectively forms the standard for cyber security, must also be considered. Among other things, it specifies a management system for IT security, separate protection layers with mutually independent operating and protection facilities, and measures to ensure IT security over the full life cycle of a system. It also requires separate zones for the enterprise network, control room, safety instrumented system (SIS) and basic process control system (BPCS), each of which must be protected by a firewall to prevent unauthorized access (see Figure 2).

Cyber security by design

Safety and security are closely related aspects of process systems, which must be considered separately and as a whole.
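The zone model from the standards paragraph above (enterprise network, control room, SIS and BPCS, each behind its own firewall, with the DMZ of Figure 2 in front of the enterprise side) and the IEC 61511 rule that no component may serve both the control level and the safety level can both be expressed as checks that run over an inventory. The following is an added example written for this page, not HIMA's code and not text from either standard: the zone layout and the permitted conduits are assumptions chosen for the example, and the flow records are constructed, not real firewall logs.

```python
"""Constructed example: auditing network flows and component inventories against
an assumed IEC 62443-style zone model and the IEC 61511 separation rule.

Zone names, the conduit table and the sample records are assumptions made for
this example; a real site would take them from its own zone-and-conduit design.
"""
from dataclasses import dataclass

# Assumed layout: enterprise <-> dmz <-> control_room <-> {bpcs, sis}.
ZONES = {"enterprise", "dmz", "control_room", "bpcs", "sis"}

# Permitted conduits as (source zone, destination zone). Anything not listed is
# denied by the firewall between the two zones. Note there is no entry that lets
# the enterprise network or the BPCS reach the SIS directly.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("dmz", "control_room"), ("control_room", "dmz"),
    ("control_room", "bpcs"), ("bpcs", "control_room"),
    ("control_room", "sis"), ("sis", "control_room"),
}


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_zone: str
    dst_host: str
    dst_zone: str
    dst_port: int


def check_flow(flow):
    """Return None if the flow crosses a permitted conduit, else the reason it fails."""
    for zone in (flow.src_zone, flow.dst_zone):
        if zone not in ZONES:
            return f"unknown zone {zone!r}"
    if flow.src_zone == flow.dst_zone:
        return None  # intra-zone traffic is outside the zone-boundary check
    if (flow.src_zone, flow.dst_zone) not in ALLOWED_CONDUITS:
        return f"no conduit {flow.src_zone} -> {flow.dst_zone}"
    return None


def parse_flow(line):
    """Parse one constructed record of the form 'src src_zone dst dst_zone port'."""
    src, src_zone, dst, dst_zone, port = line.split()
    return Flow(src, src_zone, dst, dst_zone, int(port))


def audit(lines):
    """Return (record, reason) for every flow that violates the zone model."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


def shared_components(bpcs_components, sis_components):
    """IEC 61511 independence check from the article: any platform, I/O bus, CPU
    type or software package present in both inventories breaks the separation."""
    return sorted(set(bpcs_components) & set(sis_components))


# Constructed sample records (not real logs).
SAMPLE_FLOWS = [
    "hist01 dmz scada01 control_room 102",          # historian to control room: allowed
    "eng01 control_room safety01 sis 502",           # engineering station to SIS: allowed
    "plc01 bpcs safety01 sis 502",                   # BPCS straight to SIS: violation
    "laptop7 enterprise scada01 control_room 3389",  # enterprise skipping the DMZ: violation
    "laptop7 enterprise hist01 dmz 443",             # enterprise to DMZ: allowed
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {record}  ({reason})")
    print("shared:", shared_components(["cpu-x", "bus-y", "lib-z"], ["cpu-q", "lib-z"]))
```

Run against exported firewall or flow records, the two findings this produces are exactly the ones the article warns about: a BPCS component talking to the safety system, and an enterprise host reaching the control room without passing the DMZ. The inventory check is the cheap way to catch a shared CPU family or software library before it undermines the "different platforms" requirement.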


Standardized hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system. However, the complexity of the software architecture makes it difficult or impossible to analytically assess the risks which could arise from a system update. For instance, updates to the process control system could affect the functions of a safety system integrated into the control system. To avoid critical errors with unforeseeable consequences in safety-relevant processes as a result of control system updates, the process control system must be technologically separate from the safety system. This is the only way to ensure that control system updates do not impair functional safety. For effective cyber security, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cyber security in mind, right from the start. This applies equally to the firmware and the application software.

Effective protection against cyber attacks

A proprietary operating system specifically designed for safety-oriented applications runs on HIMA’s autonomous safety controllers. It includes all functions of a safety PLC and excludes all other functions. It is therefore immune to typical attacks on IT systems. The operating systems of the controllers are tested for resistance to cyber attacks during the development process. In HIMA’s controllers, the CPU and the communication processor are separate, ensuring high operational security even in the event of an attack on the communication processor. The controllers allow several physically separate networks to be operated on a single communication processor or processor module. This effectively prevents direct access to an automation network from a connected development workstation. In addition, unused interfaces can be individually disabled. Furthermore, the SILworX® configuration, programming and diagnostic tool runs in a Windows environment and works in a manner as independent as possible from Windows functions. This concept enables secure operation without interference from other programs or updates. It provides maximum protection against operator errors and creates a set of proven data components for programming the safety PLC. Nevertheless, SILworX allows automatic import of configuration data from outside systems into the proven data set via interfaces. In addition, the programming tool supports two-level user management. This allows user permissions to be set individually, providing optimal protection for both the application and the safety system. For example, in the event of a password change, there is no need for a new update or recertification of the system.

Cyber security is essential for functional safety

A noteworthy common feature of the process industry standard and the cyber security standard is that both require separation of the safety system (SIS) and the basic process control system (BPCS). Along with being a basic prerequisite for the effective protection of process systems, this independence of safety systems is a good idea from practical and economic perspectives, for example because the SIS and BPCS have very different life cycles and rates of change. System operators are thus free to choose “best-of-breed” solutions from different manufacturers. Integration of comprehensive operational and maintenance data is necessary to enable cost-effective operation of safety systems. Despite the required independence, HIMA systems can easily be integrated into all leading process control systems (Independent Open Integration). In this connection, HIMA looks after PLC-SIS integration and enables the desired functionality. Integration is implemented using high-performance, manufacturer-independent communication standards. In summary, we can say that systems which are independent of the process technology and which, thanks to the principles of Independent Open Integration, can easily be integrated into process control systems despite physical separation, offer the highest degree of safety and security in safety-critical applications. Practical experience shows that they are the best way to increase the operational reliability and availability of process systems, and thereby to improve the profitability of production processes.

Figure 1: Both the safety standard and the cyber security standard require separate safety layers.

Figure 2: Along with separation of the safety logic and automation logic, the cyber security standard requires safety zones (DMZ),




Cyber Security

Cyber threats to consumers: From credit card to ransomware

The half-day Ransomware seminar at the RSA Singapore 2017 conference dived into the latest waves of attacks in cyber space. Through innovative research, case studies and panels, the seminar discussed and offered insights into the technical, policy, compliance and economic aspects of the issue and the underground economy: its motivation, actors and organisations, and impacts on the wider economy.

By Jane Lo Singapore Correspondent


Ransomware

When WannaCry struck computer systems of private and public organisations across 150 countries in May, notably the NHS (National Health Service in the UK), several competing attribution theories were put forward with no consensus view: How similar to previous attacks was the use of the DoublePulsar backdoor, the EternalBlue exploit, and the SMB (Server Message Block) vulnerability for propagation? Was there consistent evidence linking the threat actors and their motivations to a sophisticated financially motivated group, or to a national or state-affiliated actor conducting a disruptive operation? Some pointed out that the low number of Bitcoin wallets could be attributed to either an unsophisticated actor, or a state-sponsored actor conducting a trial run. The initial infection vector remained unknown. IBM X-Force scanned over one billion emails passing through its honeypots and found no evidence suggesting that spam/phishing was the first stage of attack and functioned as the delivery mechanism of the ransomware. Over time, new information will come to light and support or discredit the theories of who was behind the WannaCry campaign. The recent arrest of the alleged NotPetya perpetrator operating from his Ukraine home illustrated how, in some cases, the plausible identities of the attackers may not even form part of the widely discussed theories.

Credit Card Fraud

At the Ransomware seminar, the speakers agreed that Ransomware is a simpler and more effective means of monetizing an illegitimate activity, compared to, say, Credit Card fraud. To execute the latter scheme, there are complications, including the need to gather credit card credentials (Security Code, PIN), search for “droppers, runners, or shoppers” to convert to legal tender currency or real-economy goods and services, and third parties to create counterfeit cards with the stolen details. These activities form the chain of a Credit Card Fraud cycle that involves the Harvesters, Distributors and Monetisers. As with Ransomware, the chain of events is triggered with the introduction of malware through vulnerability exploitation and/or Phishing, Key-Logging, or even via an Insider. Other attack vectors included ATM skimming, where a device is attached to the machine capturing User IDs, or public Wi-Fi sniffing to capture credentials in transit. Attacking the Point-of-Sale terminal, the primary processing device for card-based payment systems, directly is also a widely implemented attack vector. As with Ransomware, there are online fee-based lectures available for potential operators of these schemes, and even Social Engineering courses on manipulation techniques to elicit credentials from card owners.

On the other hand, attribution, a means to put a face to the crime to discourage others, seemed to be more “successful”, based on public disclosures of arrests and prosecutions of Credit Card fraud. In the US, through seizure of his laptop, which was found to contain more than 1.7 million stolen credit card numbers and evidence linking to servers, email accounts and financial transactions involved in the scheme (which caused financial institutions more than USD 169 million in losses), a cyber-criminal was convicted of PoS hacking and malware installation. In the case of the UK’s Operation Dulse, through infiltration and evidence linking the anonymous cyber identity to the defendant, law enforcement was able to serve a fully comprehensive summary prompting the defendant to change his plea to guilty. Other than Harvesters and Distributors, Monetisers have not escaped prosecution. In an example of a case in Singapore, “shoppers” were arrested and subsequently prosecuted when staff’s suspicions were roused by multiple failed processings of the (counterfeit) credit cards.

Nevertheless, these law enforcement processes – infiltration, evidence collection and examination, disclosure of materials for a fair trial process, the obligation on the investigator to pursue all reasonable lines of enquiry – are time consuming, and crimes may not be investigated due to resource constraints. There is no certainty either that, in the event of a successful prosecution, the sentence would be a strong enough deterrent. Australia’s Operation Carpo placed a novice cybercriminal who failed to cover his tracks under surveillance within days, and charged him – though a $2000 fine and a one-year jail sentence could arguably be seen as light.

Ransomware attacks are “preferred” to Credit Card Fraud schemes because of their ease of execution and simplicity of monetization, combined with low risks of attribution. Regardless, Credit Card Fraud is not slowing down. This could be because consumers have grown to expect that fraud will happen, whereas the attitude towards Ransomware is “if” it will happen at all. Aamir Lakhani, Senior Security Strategist at Fortinet/FortiGuard, speaking at the RSA Conference 2017 on “Everything of Nothing: Understanding Cyber-Crime Organisations”, pointed out, “Fraud is built into the cost of the card services; Card Companies and most consumers expect fraud; and Credit Card Fraud was never taken seriously”.

What are Card Brands doing?

At the timely MasterCard Global Risk Leadership Conference held at Sentosa Singapore in July, shortly after the RSA Conference, Mr. Ajay Bhalla, President, Global Enterprise Risk & Security, pointed to recent anti-fraud technologies such as EMV, Tokenisation and Biometric Authentication. EMV payment cards have a built-in mechanism to ensure they can’t be copied. They produce unique one-off codes that enable the issuer to determine that a transaction is genuine and has not been modified – hence they significantly reduce counterfeit fraud. EMV cards can be used with PIN and biometrics to tackle lost and stolen fraud too. EMV technology has been adopted all over the world as a move towards a more secure, global payments environment. For example, Bangko Sentral ng Pilipinas extended their deadline, which was originally set to 1st of January, 2017, to June 2018 for issuing EMV compliant cards to all clients. In 2016, MasterCard reported a 54 percent decrease in counterfeit fraud costs among its EMV-ready merchants in the U.S. from April 2015 to April 2016; conversely, they saw a 77 percent increase in counterfeit card fraud costs year-over-year among large U.S. merchants who had not yet moved to EMV or were early in the process of doing so. Mr. Bhalla also highlighted areas of maintaining awareness for Small-Medium-Enterprises, who are attractive targets for online and offline fraudsters: keeping current on the latest anti-fraud measures such as 3D Secure, making security as important as user experience, and training on fraud methods such as social engineering and phishing.

Eugene Aseev, Head of Singapore R&D Centre, Acronis, in his “Ransomware Of Tomorrow: How To Be Ready For Future Threats” talk. Photo Credit: RSA Conference Asia 2017

Aamir Lakhani, Senior Security Strategist at Fortinet/FortiGuard, speaking at the RSA Conference 2017 on “Everything of Nothing: Understanding Cyber-Crime Organisations”. Photo Credit: Fortinet

Mr. Ajay Bhalla, President, Global Enterprise Risk & Security, at the MasterCard Global Risk Leadership Conference, Sentosa Singapore, July ’17, with the moderator [left], Paul Trueman, Senior Vice President, Product Advancement, Enterprise Risk and Security. Photo Credit: MasterCard Global Risk Leadership Conference Singapore 2017
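The "unique one-off codes" that let an issuer tell a genuine EMV transaction from a copied one come down to a secret that stays on the chip, a per-transaction counter, and a cryptogram the issuer can recompute. The following is an added example written for this page, not MasterCard's code and not an implementation of the EMV specifications: it is a deliberately simplified model in which HMAC-SHA256 stands in for the card's cryptogram and the issuer holds the card key directly (real EMV derives per-card keys from an issuer master key and uses block-cipher based ARQCs). The card number, key and amounts are constructed test values.

```python
"""Constructed example: why a chip card's dynamic cryptogram defeats copied card data.

Simplified model for this page only; the key-sharing, the HMAC construction and
the message layout are assumptions, not the EMV standard's cryptogram.
"""
import hashlib
import hmac


def _message(pan, amount, unpredictable_number, atc):
    # Transaction fields bound into the cryptogram: the terminal's random
    # "unpredictable number" and the card's counter make each value one-off.
    return f"{pan}|{amount}|{unpredictable_number}|{atc}".encode()


class ChipCard:
    """Holds the card key; in a real chip the key never leaves the secure element."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter, increments per use

    def cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        tag = hmac.new(self._key, _message(self.pan, amount, unpredictable_number,
                                            self.atc), hashlib.sha256).hexdigest()
        return self.atc, tag


class Issuer:
    """Verifies cryptograms and remembers the last counter seen per card."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, card):
        # Assumption of this model: the issuer stores the same key the card holds.
        self._keys[card.pan] = card._key
        self._last_atc[card.pan] = 0

    def authorise(self, pan, amount, unpredictable_number, atc, cryptogram):
        key = self._keys.get(pan)
        if key is None:
            return "declined: unknown card"
        if atc <= self._last_atc[pan]:
            return "declined: replayed or stale counter"
        expected = hmac.new(key, _message(pan, amount, unpredictable_number, atc),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram mismatch"
        self._last_atc[pan] = atc
        return "approved"


def run_scenarios():
    """Walk through the cases the article contrasts; returns the outcome per case."""
    key = b"constructed-card-key-not-a-real-one"
    card = ChipCard("TESTPAN0000000000", key)  # constructed test PAN
    issuer = Issuer()
    issuer.enrol(card)
    out = {}
    atc, tag = card.cryptogram(1999, "7f3a91c2")
    out["genuine"] = issuer.authorise(card.pan, 1999, "7f3a91c2", atc, tag)
    # Capturing and resending the same authorisation fails on the counter.
    out["replay"] = issuer.authorise(card.pan, 1999, "7f3a91c2", atc, tag)
    # Changing the amount after the card signed it fails on the cryptogram.
    atc2, tag2 = card.cryptogram(2500, "0c44e8b1")
    out["tampered_amount"] = issuer.authorise(card.pan, 9999, "0c44e8b1", atc2, tag2)
    # Copied card data (PAN, counter) without the chip key cannot produce a valid tag.
    out["cloned_stripe"] = issuer.authorise(card.pan, 500, "1a2b3c4d", atc2 + 1, "00" * 32)
    return out


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case:16} {result}")
```

The contrast with a magnetic stripe is the point: stripe data is a static copy of everything the issuer checks, whereas here the merchant and the network only ever see the PAN, the counter and a tag that is useless for the next transaction, and the issuer's counter check also closes the replay case that a signature alone would leave open.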

What should consumers do?

Mr. Lakhani suggested for Credit Card Fraud victims:
• Do not ignore the situation
• Work with law enforcement
• Report to your employer’s IT department, e.g. phishing emails
• Practice basic Cyber Hygiene, e.g. changing passwords regularly, and beware of social engineering tactics
• Use VPNs
• Do not use open wireless

Eugene Aseev, Head of Singapore R&D Centre, Acronis, in his “Ransomware Of Tomorrow: How To Be Ready For Future Threats” talk, presented a milestone approach to backing up in case of a Ransomware (or Wiperware) attack:
• Next week [following his presentation] you should: back up all your devices (just in case you have not done this yet)
• In the first three months following this presentation you should: configure 3-2-1 backup (3 copies of your data, 2 different media, 1 copy off-site), and choose and install a comprehensive anti-malware solution
• Within six months you should: implement all ransomware prevention practices at home and at the workplace


Mr Chester Wisniewski, Principal Research Scientist, Sophos, concluded at his “A Glimpse Behind the Curtain: A Look into Crimeware-as-a-Service”. Photo Credit: RSA Conference Asia 2017

We are all targets

These publicly reported cyber attacks to deliver Ransomware or perpetuate Credit Card Fraud demonstrate that no one is too small – “commodification makes us all targets”, Mr Chester Wisniewski, Principal Research Scientist, Sophos, concluded at his “A Glimpse Behind the Curtain: A Look into Crimeware-as-a-Service” talk. Tactics will become more advanced, and there is no question we will see more massive attacks with higher profile impacts to sensitive personal, financial or health data held by governments, businesses and individuals. For sure, these attacks cause reputational and financial damage, as in the case of Credit Card Fraud. But let’s not forget there are also human impacts. Consider data breaches at a hospital where health data are withheld or deliberately altered, as in the case of WannaCry. These attacks grabbed headlines and became focal points of the public’s attention for weeks. While organisations further strengthen their security posture to protect and defend against these increasingly sophisticated tactics, consumers will undoubtedly become more savvy and cautious when opening email messages, visiting websites and downloading files.



Cyber security of assets in the interconnected era

By Jane Lo, Singapore Correspondent

Held at the Singapore Marina Bay Sands Convention Centre, the Smart Facilities Management Solutions (20th-21st July 2017), the International Association of Privacy Professionals (IAPP) Asia Privacy Forum (24th-25th July), and the RSA Conference Asia Pacific & Japan (26th-28th July) shone the spotlight on the pivotal role of cyber security in technology-driven conversations today.

From the world of Formula One ® racing to facilities operations and events management in the hospitality industry, at the heart of discussions centering around the digital revolution is the question: how do we safeguard assets in a world underpinned by digital revolution, where data is increasingly viewed as an important asset, as a new commodity, as well as a currency?

Cyber security of data

Data analytics plays an extremely critical role in monitoring and optimizing the performance of Formula One ® cars. At the RSA Conference, Formula One ® and Indy-Car Series Champion Jacques Villeneuve and Formula One ® Senior Executive Mark Gallagher took delegates through the development of racing technology (from a sardine tin can with pop-rivets to today’s heavily instrumented connected cars with hundreds of sensors on each car) and the importance of data-driven performance, risk management, safety and security on the racetrack in the adrenaline-fueled, high-octane world of F1. Vital statistics such as tire pressure, fuel burn efficiency, wind force, GPS location, and engine and brake temperature are captured in real time and analysed in a continuous feedback loop to the team’s crew, data analysts and engineers on-site and back at headquarters. Performing at the highest level of competition, where a difference of a fraction of a second could win or lose the team a podium finish, the technological ability to measure and react to such metrics, culled from the chassis, the tires and throughout the engine, to maximise the car’s performance is crucial to the team’s winning strategy. Alongside the simulations and modelling, as sophisticated as aerospace industry technology, that predict the car’s performance and safety, the gigabytes of data tracked and monitored during practice runs and on race day are an important source of competitive advantage. This was seen through an example of cyber industrial espionage in which a staff member who was leaving for a competing team deliberately copied statistical data with the intention of leveraging the analytics to the advantage of his new employer. He was subsequently disciplined and barred for life from the industry, highlighting that managing the risk of data leakage is not an element to be overlooked.

WannaCry and ransomware

Beyond the fascinating world of F1, manufacturing, logistics, and a host of other industries around the globe are not immune to the dangers of data breaches and leakages. Victims of the WannaCry and NotPetya campaigns of the last few months, who saw their data either held to ransom or completely wiped, learned painful lessons. In many cases of data breaches (as the F1 example above illustrates), humans are the weakest link. User training and awareness, to minimize opportunities for threat actors to launch or reuse tactics such as phishing attacks, is one step towards plugging this aspect of the security weakness. User behavioural heuristics, beyond monitoring for anomalous login patterns, for example, could also be adopted to test the effectiveness of user training. Another lesson is the necessity of well thought-out preparation plans - such as having established a digital wallet with an adequate store of bitcoins for (potential) ransom payment. Others include rigorous discipline in applying patches, escalation procedures, recovery plans, and well-tested and workable backups. Whilst backups could help restore and preserve the integrity of the organisation’s data, and therefore potentially remove the need to pay a ransom, the theft of valuable data leading to loss of intellectual capital is a risk that needs to be proactively identified and managed. WannaCry reportedly affected more than 150 countries, hitting critical infrastructure and hospitals in the UK. Within the region, according to the Singapore Computer Emergency Response Team (SingCERT) of the Cyber Security Agency of Singapore (CSA), “about 500 Singapore IPs could have been affected” by the ransomware attacks.

“Global in Perspective - Regional in Focus”

In his keynote “Australian Cyber-Engagement: Global in Perspective, Regional in Focus” at the RSA Conference, Dr. Tobias Feakin, Australian Ambassador for Cyber Affairs, noted that the “Indo-Pacific is particularly vulnerable to CyberCrime”.
According to some studies, the region is “losing 33% more revenue to cybercrime than Europe; 27% of ransomware targets are in the region, more than any other; Indo-Pacific Cyber incidences growing 35% annually”. “Cyber Affairs is about maximizing prosperity and an opportunity for the region, with data flows generating greater impact on GDP growth than Trade In Goods – but it is dependent on a free, open and secure internet,” he added. Indeed, converting the benefits of digitalization into economic growth and development works only when cyber space is safe and secure. As technology allows organizations (public and private) to make use of data on an unprecedented scale in order to pursue their activities, implementing security measures for an organisation’s own data – to minimize data breaches that would in turn surrender its competitive advantage – must be a key element of a cyber security framework. This includes ensuring privacy safeguards for the customer data the organisation collects, which in the event of a breach could damage both the organisation’s reputation and society’s confidence in the use of the Internet. To build trust and reputation, governments have been drafting data protection and privacy rules and guidelines. Much of the attention recently has been on the General Data Protection Regulation (GDPR), passed by the European Parliament and coming into force in May 2018. Specific rules in the region include the APEC Cross Border Privacy Rules (CBPR), Singapore’s Personal Data Protection Act 2012 (PDPA), and the Philippines’ Data Privacy Act of 2012 (Republic Act No. 10173).

Data protection and privacy acts in the region

There are more similarities than differences between these rules. For example, whilst the detailed requirements may differ, Singapore’s PDPA and the GDPR both tackle the challenges of principles around consent, access, rights of the data subject (such as erasure and portability), breach reporting, and cross-border transfer. At the IAPP (International Association of Privacy Professionals) Asia Privacy Forum 2017, on the “APEC CBPR System: Growth and Opportunities” panel, Raymund Liboro, Chairman and Commissioner of the Philippines National Privacy Commission, highlighted the Data Privacy Act, complemented by Republic Act No. 10175, the “Cybercrime Prevention Act of 2012”, which are directed towards enforcing a culture of treating the security of data seriously. These form a vital foundation for data protection as the Philippines embarks on revolutionizing its digital infrastructure. As with the GDPR, the Philippines’ approach addresses financial and criminal penalties, and the accountability of data controllers and processors (though the details vary). Commissioner Liboro pointed out that, with more than 50% of data security breaches originating from internal users, whether negligent or malicious, the Data Protection Officer (DPO) has an important role to play in facilitating the organisation’s compliance with the Acts. This includes regular and relevant user awareness and compliance training for the organization, to instill a sustainable, resilient mindset towards data protection and privacy. To the question – and this is not unique to the Philippines – will the DPO be held financially and criminally liable in the event of a breach? “It is everyone’s responsibility”, stressed Commissioner Liboro. He underscored the importance of data protection in the Internet age – with so many services online, and the majority of the Philippines’ citizenry participating in social media, users also have responsibilities to educate themselves about the potential impacts of loss and/or alteration of their personal information, whether accidental or unlawful. These questions and dialogues reinforce views across the public and private sectors that data is gaining recognition as a key asset in today’s digital world. With the advent of the Internet of Things (IoT), as data is increasingly gathered from “physical” objects (i.e. F1 cars, CCTV, printers, mobile phones) to perform value-add analytics and gain a competitive edge, the challenge for security professionals is to rethink the environment that accesses, stores, processes, and transmits data.

Formula One ® and Indy-Car Series Champion Jacques Villeneuve and Formula One ® Senior Executive Mark Gallagher share the importance of data-driven performance, risk management, and security on the racetrack.

The APEC CBPR System: Growth and Opportunities panel (from left to right): Andrew Flavin, Policy Advisor, International Trade Administration, U.S. Department of Commerce; Josh Harris, Director, International Regulatory Affairs, TRUSTe; Raymund Liboro, Chairman and Commissioner of the Philippines National Privacy Commission; Daisuke Nagasaki, Deputy Director, International Affairs Office, Commerce and Information Policy, Ministry of Economy, Trade and Industry of Japan; Huey Tan, APAC Senior Privacy Counsel, Asia, Apple

Dr. Tobias Feakin: “We live in the most excitingly interconnected era in human history. Instantaneous communications, transactions and access to information keep our economies growing, infrastructure working, governments enabled and social flourishing”. Centering around six themes: digital trade, cybercrime, cybersecurity, international security, internet governance, human rights and technology for development, Australia’s international cyber-engagement recognizes that cyber-affairs have shifted from being technical, niche issues to a key strategic foreign policy issue.

Mr Leonard Sng CPP, FCiiSCM, Regional Vice President, ASEAN ASIS International (Singapore Chapter), presenting on the topic of physical and cyber security convergence at the SMART Facilities Management Solutions Exhibition 2017.

A rethink of “assets” in today’s interconnected era


Viewing security through two lenses – the cyber lens and the physical lens – is necessary in today’s digital world. At the SMART Facilities Management Solutions Exhibition, Mr Leonard Sng, Regional Vice President, ASEAN ASIS International (Singapore Chapter), presenting on the topic of physical and cyber security convergence, stressed the need for a rethink of Facilities Management as the “Manager of Assets”. That is, the term “assets” is not limited to the obvious physical objects such as the static infrastructure assets of the building (doors, windows, gates), but rather is a holistic system including people, computer centres, IoT devices, air-conditioning units, computer-controlled generators and pumps, and third-party dependencies. To effectively address the security concerns across these groupings, Mr Sng emphasized that cross-departmental communication is vital. “For example, we see this with The Shangri-La Makati and the lamination of its glass facade.” While a focal point of each guestroom is the floor-to-ceiling glass windows, this feature also presented twin challenges to the Security team and the Engineering team: the former with minimizing bomb-blast impact, and the latter with reducing the air-conditioning costs of a 28-storey 5-star hotel. The approach both teams arrived at solved both challenges: a lamination layer on the glass not only reduced the “greenhouse” effect, contributing to lower air-conditioning costs, it also minimized the threat posed by an explosion or bomb blast shattering the glass into sharp fragments and creating potentially lethal situations.

… and a rethink of the security perimeter …

Conversations at these events leave no doubt that data is increasingly considered an asset in its own right which demands appropriate cyber security treatment. At the same time, as the attack surface continuously expands with the exponential growth of assets being added to the internet, it is also necessary for security professionals to continuously re-evaluate and redraw the “security perimeter” of the organization they need to protect and defend.






INTERPOL World 2017

World Economic Forum’s Cybercrime Dialogue

In the company of Jurgen Stock, Secretary General, INTERPOL; Cheri McGuire, CISO, Standard Chartered Bank; Stanislav Kuznetsov, Deputy Chairman of the Executive Board, Sberbank; and William Maheu, Senior Director, Qualcomm Cyber Security Solutions. Moderated by the World Economic Forum’s Dr Jean-Luc Vez, Head of Public Security Policy and Security Affairs.

What measures are you taking around resilience and information sharing?

It is just one aspect. We need to create resilience for mutual aid and collective response. People, process and technology are all critical components and go out to the broader ecosystem. People involve skills, culture, awareness and beyond just employees to customers, clients and vendors. Process involves legal mechanisms for sharing information, privacy and Secrecy Acts. Technology is more of information sharing systems, data forensic systems and public private partnerships. - Cheri McGuire, CISO Standard Chartered Bank


We are target number 1 for hackers and are subjected to thousands of attacks against our systems and yet we have to remain secure. We have a model of threat and build our protection system against that threat. This involves the protection of our core systems from a special operations centre and the KPI (key performance indicator) is zero successful attacks. The second core focus is protection of our clients. We see fraud and anti-social media methods which involves contacting clients and tricking them to handing over credentials. We use such things as AI and machine learning in protecting clients. The third point is building a Security Operations Centre (SOC) with IBM support and using AI cognitive models, beta testing and Watson AI system and we are having very, very good results. Trust is also very important and also responsibility. We have to have reliable products and know more about the current and emerging cybercrimes. - Stanislav Kuznetsov, Deputy Chairman of the Executive Board, Sberbank

Security is everyone’s responsibility. If we do the architecture correctly and connected devices become sensors for alarms, rather than vulnerabilities, with hardware based security this will be tremendously powerful. It is incumbent on security professionals to demand an end to end hardware and multi factor authenticated ecosystem. - William Maheu, Senior Director, Qualcomm Cyber Security Solutions

Crime fighting involves prevention and investigation. There is nothing new, but the level of threat is expanding at exponential growth and this also provides unprecedented tools. Much of this cybercrime is not being reported to police and we need the information to prevent and investigate. We expect 85-95 per cent is not being reported to police. We need to encourage the reporting to police. The professionalism in the darknet and underground economy is growing. Anonymisation and encryption is a massive challenge for us and our law makers. Freedom and security is a very important discussion but for law enforcement, it is a problem that we haven't had to have in the past. The nexus between cybercrime and terrorism is still something that needs to be in our focus. Police can be successful in fighting cybercrime and using regional and international platforms like INTERPOL but we need to ensure the crimes are reported, evidence preserved and investigation supported. We can be tremendously successful. No nation can fight cybercrime in isolation. We need a global approach and this is what INTERPOL is about. We have a new user alert system. We are tracking global information sharing trends and alert platforms are used for releasing intelligence reports. We are also capacity building and training police to become cybercrime fighters and in cooperation with the private sector. We provide a global platform for cooperation with the private sector for information sharing and coordinated response, as well as in researching new solutions. From the recent ransomware attacks, there is a message to do more to protect systems and much of the damage was preventable, had systems been kept current and updated. We need trust, as well as rules to guide our cooperation. INTERPOL provides a global system to join together global systems to fight and coordinate cybercrime efforts. - Jurgen Stock, Secretary General, INTERPOL

Is the public sector doing enough?

It varies. Global capability, platforms and reach is critical for capability building and to raise the bar globally, nationally, regionally and locally for development of people, policies and architectures. Unless there is a deterrence we will see a continued explosion of criminals in cyber. - Cheri McGuire, CISO Standard Chartered Bank

The bad guys have unlimited funds, unlimited resources and will spend those to break whatever we put in place. - William Maheu, Senior Director, Qualcomm Cyber Security Solutions

Law enforcement should be able to investigate in cyber, as it does in physical. We need the tools to investigate but we also need the crimes to be reported. Law makers need to understand there are limits to our cyber capabilities around encryption. Law enforcement needs to educate the victims in the private sector as to what police will do when seeking evidence. We have to overcome the silo mentality. - Jurgen Stock, Secretary General, INTERPOL

We need to educate many people to achieve a new level of cyber security culture - this includes new legal foundations including a UN convention. - Stanislav Kuznetsov, Deputy Chairman of the Executive Board, Sberbank

Banks have come together under the cyber security alliance to build cases before handing to police. We have many restrictive laws on sharing information but it can be done. - Cheri McGuire, CISO Standard Chartered Bank

Is law enforcement ready to share?

We can be self-critical and sharing information should not carry legal or litigation risks. We are also building through the United Nations a legal platform to share information and global conventions are important. This continues to be a work in progress. It is not just law enforcement but also the judiciary. We can take some risks but we still have to act within and be on a solid legal basis. - Jurgen Stock, Secretary General, INTERPOL

How can AI facilitate information sharing?

We start with what we can share and let that knowledge base grow and neural learning is going to be an amazing development. If we can prevent the ‘bad guys’ from being successful and making it so difficult for them to achieve their goals, that will be the real success. The power in the smart phone today is more than that which put man on the moon. It’s not just the bits and the bytes but it’s the processing power. We should be working to have the system identify attacks as soon as they occur and can automatically stop or attack back, as well as report and share. Then it will be a powerful, secure system. - William Maheu, Senior Director, Qualcomm Cyber Security Solutions

Moderator interview

The World Economic Forum’s Dr Jean-Luc Vez, Head of Public Security Policy and Security Affairs, spoke with the Australian Security Magazine about end-to-end encryption and the state of cybercrime worldwide: “The ICT industry wants to go ahead fast but is facing competition, and the fact is that criminals are using the same technology. The discussion around encryption will remain a major hurdle in the fight against cybercrime. As a lawyer, I understand the conflicting interests of the right to privacy and the effective protection of citizens from cybercrime. The World Economic Forum does not have a position on encryption. We are a facilitator and a global platform. I do believe, however, that we need to find the right balance between privacy on one side and the fight against crime on the other side, and it needs to be rapidly addressed. There are states worldwide who are not interested in the protection of people’s privacy. The diversity of the legal systems worldwide won’t facilitate the search for a global, implementable solution. Brad Smith, President of Microsoft, presented the concept of a Cyber Geneva Convention and Cyber Accord in San Francisco at the RSA Conference in February. I think this is a very good idea and probably a very good trigger for enhancing the awareness of the world community. Action is needed. The question is how to implement such a convention? It seems like one half of the world believes such a convention is necessary while the other half is convinced it is not and that existing regulations are enough. The idea for the creation of an international cyber agency is also a good idea, like the IAEA (International Atomic Energy Agency) with the difference that, in cyber, you need to call out the offenders more directly. Would INTERPOL take on that role? The International Committee of the Red Cross is an example of not naming and shaming countries and institutions, but they are still taking action in visiting prisoners. I think there are elements from this initiative that are very good, such as more information sharing between governments and the private sector, and I am convinced that this is the key to success.”




Policing of the future in global cities

As the programme shifted from cybersecurity to Future Cities on the second day of INTERPOL World 2017, Anselm Lopez of Singapore’s Ministry of Home Affairs proposed in his opening address: “There have been more new cities built in the last 10 years than in the last century.” Jamie Wylly of Microsoft outlined that “if cities become smarter they should also become safer. Microsoft has the concept of a city as a sensor but nothing remains more important than police on the street.” Koh Hong-Eng, Global Chief Public Safety Expert for Huawei Technologies, countered this, saying, “you have to be a safe city before you can be a smart city,” and highlighted the key issues involved with developing ‘future cities’. These include the silos still operating within systems and agencies. Another issue is that ‘cyber’ gives new capabilities to all, so anyone can start a taxi service as an Uber driver, or anyone can become a hotel operator with Airbnb, and likewise, anyone can become a terrorist or hacker. The next issue is the police budget and the need for collaboration – law enforcement needs to find ways to do more with less, and this includes new collaboration concepts such as collaborative policing, collaborative surveillance and collaborative communities. “The ‘bad guys’ are evolving and they know what ‘we’ (police) are doing. ISIL is developing its own platform for communication and using blockchain technology. For communication, one of the world’s largest organised crime groups, the Italian Mafia ‘Ndrangheta’, is creating its own language. With 60,000 members and revenues of over US$4 billion, groups like these don’t need to call for tenders like police and government agencies do,” said Koh Hong-Eng. Michael Hersham, CEO of the International Centre for Sport Security, outlined the three key societal pillars – government, private sector and civil society – and said that each has a responsibility to reach out and build a better form of trust between them. Michael said, “Civil society must trust the police, as success will always rest on this level of trust.”

Law enforcement ‘Darknet’ case studies

A cyber investigation is not too different from a physical investigation. An objective and tenacious approach, along with collaboration, is critically important. For police, it is not just about detection, it is about securing a criminal conviction. With Darknet markets allowing people to remain anonymous, illicit drugs remain the most dominant commodity being traded. One of the most commonly traded drugs is MDMA (methylenedioxymethamphetamine), which can be easily posted in high volumes using different types of parcels, predominantly coffee and protein related products. In response, the Dutch National Police (DNP) started a separate Darknet unit, specifically in response to trades in MDMA. Nils Andersen-Roed, Head of the Darkweb Team for the DNP, presented Darknet investigation case studies, Operations #Lancashire and #Nyack. The Lancashire case study highlighted a range of identification methods used that ultimately led to the arrest of a 55 year old man. Identification came with the interception of 100 parcels and 7,600 messages on Silk Road. Analysis and assessment of the messages found mentions of the offender’s personal description, city of origin and his partner’s first name. With this skerrick of information, police were able to track down the offender, who was convicted of trafficking and sentenced to six years imprisonment. Operation Zyack involved a 25 year old man who was consistently sending packages from the same post office. Police were surprised to learn the post office did not have a CCTV system. However, there were other CCTV systems operating near the post office and, with patience, the cameras were able to be used to systematically track the suspect to his car, including fortunate footage capturing the vehicle registration number…the young man happened to be using his own car. Anish Prasad, of the Central Bureau of Investigation (CBI) India, presented Operation Fire Cracker, which involved an ‘email hacking as a service’ criminal enterprise operated out of India and Romania. The group had developed an active database of 1,900 email accounts, which had been compromised and were accessible. The group had compromised 6,600 emails over a three year period. The group’s IP address pointed to Pune, one of India’s most populous cities and the second largest city in the state of Maharashtra. The IP address was then tracked to an address and a young man was ultimately arrested and charged under the Information Technology Act of India, but Mr. Prasad also highlighted there was a money laundering aspect to the case.

Robotics on show

Officially launched in late 2015, the patented I-Man Facility Sprinter (or “IFS”) is essentially a mobile command and control centre equipped with advanced monitoring and wireless communication equipment, managed by a team of 3 Intelligent-Man (I-Man). Wirelessly connected to a cluster of buildings, the IFS provides security surveillance to these buildings and responds immediately to any security incidents. The drone and robot deployment is currently engaged in a project which unfortunately remains confidential until October 2017.

Oneberry robot

The Oneberry RoboGuard™ made its debut at INTERPOL World 2017. Oneberry Technologies, a security and surveillance technology provider in Singapore, developed this solution to address the security manpower shortage in Singapore as well as to increase productivity and raise the level of security of its clients. These robots, which are powered by fuel cell technology, are able to operate autonomously for up to a month without any downtime. They can be deployed to conduct surveillance checks and monitor large remote areas, freeing existing security personnel from foot-patrol duties and allowing them to perform higher value skilled tasks. Security information gathered by the RoboGuard™ can be sent via triggered alerts to a command centre that can also take over control of the robot remotely if required. With the new Public Order Act announced in March 2017 by the Ministry of Home Affairs, entailing tighter security rules for large-scale events and commercial buildings in Singapore, the Oneberry RoboGuard™ could be an additional security measure that promotes productivity for property owners. They can be deployed in commercial or industrial buildings for 24-hour surveillance and inspections, to complement security officers on the ground. These security robots are integrated with robust high resolution IP cameras from MOBOTIX that have inbuilt video analytics and activity sensors, and will proactively send alerts to patrolling officers, or to a central command centre, in the event of an alert or emergency. One command centre staff member can operate up to ten robots, which is more productive than having ten static security officers on site. Also, a key highlight of the RoboGuard™ is its unique power source - direct methanol fuel cell technology from SFC Energy, which provides reliable, green and autonomous power that lasts up to one month without any maintenance, requiring just a simple 10-second hot swap of the methanol cartridge when it is depleted. “There are a lot of solutions and technologies in the market, but without power, the solution is useless. Having to change batteries every few hours or to get a robot to change “shifts” to recharge is unproductive and less effective than a security officer on a 12-hour shift. A reliable and autonomous power source is key to deploying any solution, especially for surveillance where having downtime is critical.” said Ken Pereira, CEO of Oneberry Technologies. Oneberry asserts it is currently in discussions with several partners in industrial and commercial sectors to deploy this solution, and aims to roll out 20 RoboGuards™ by the fourth quarter of 2017 via a flexible leasing model. The company hopes to encourage more companies to adopt such innovative solutions to increase productivity in the security industry.

Asia Pacific Security Magazine | 39


Cyber Security

Philippines connect and cyber security The newly-formed Department of Information and Communications Technology (DICT) of the Philippines has been directed to craft a National Broadband Plan (NBP) to further improve the connectivity in the Philippines, with proposed plans for better internet connections and free WiFi. Co-organised by DICT and CommunicAsia 2017, the half-day Philippines Connect seminar on 24th May 2017 at the Singapore Marina Bay Sands Convention Centre addressed the upcoming opportunities and changes for the nation. We sat down with Mr Monchito B. Ibrahim (Undersecretary, DICT, Operations and Management), and Mr Allan Salim Cabanlong (Assistant Secretary, DICT, Cybersecurity and Enabling Technologies) to understand the Cyber Security considerations of these initiatives to achieve the country’s sustainable development goals through information and communication technologies (ICTs).

By Jane Lo, Singapore Correspondent

Opening Philippines Connect at CommunicAsia 2017, Antonio A. Morales, Ambassador of the Philippines to Singapore, invited Singapore businesses to partner with the Philippines in pursuing innovative, job-generating and inclusive growth, before an audience of technology and information-system executives, professionals and start-ups. “The continued positive economic performance of the Philippines has renewed the sense of vigor among industries, with emphasis on ensuring ease of doing business and allowing for efficient delivery of government services backed by technological innovations. It is with this commitment that the Duterte administration has directed DICT to develop the National Broadband Plan (NBP), which will serve as a blueprint to accelerate the deployment of fiber optic cables and wireless technologies, and improve the internet speed in the country,” he said. Studies cited in the NBP draft, approved by President Rodrigo Duterte in early March, show that the Philippines ranked 110 out of 187 countries for active fixed broadband subscriptions, and 89 out of 179 for active mobile subscriptions. Additional statistics on digital, social and mobile usage further support the call to action to make connectivity available and affordable, which has the benefit of stimulating economic activity. As part of the NBP, the Philippine Government aims to increase broadband take-up and usage through measures such as promoting the use and production of local content and applications, and introducing conditional fiscal incentives for broadband users. What the NBP envisions, said His Excellency Ambassador Antonio Morales, is “a resilient, comfortable and vibrant life for all, enabled by open, pervasive, inclusive, affordable and trusted broadband internet access.” However, converting the benefits of digitalisation into economic growth and development works only when cyberspace is safe and secure. The Philippines' Republic Act No. 10175 [“An Act Defining CyberCrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties Therefor and For Other Purposes”] states:



Cyber security is an active part of the conversation in the development of the National Broadband Plan (NBP).

“The State recognizes the vital role of information and communications industries such as content production, telecommunications, broadcasting, electronic commerce, and data processing, in the nation’s overall social and economic development. The State also recognizes the importance of providing an environment conducive to the development, acceleration, and rational application and exploitation of information and communications technology (ICT) to attain free, easy, and intelligible access to exchange and/or delivery of information; and the need to protect and safeguard the integrity of computer, computer and communications systems, networks, and databases, and the confidentiality, integrity, and availability of information and data stored therein, from all forms of misuse, abuse, and illegal access by making punishable under the law such conduct or conducts.”

Mr Monchito Ibrahim, speaking at Philippines Connect on the government’s ICT initiatives to gear up as a digital nation, noted that the IT sector is the second largest contributor to the Philippine economy. The NBP will further strengthen the IT sector as the platform enabler of the state’s e-government plan for a single digitised network carrying its online services for citizens, businesses and government. To support the NBP, Mr Ibrahim also highlighted key Acts passed by the Senate and House of the Philippine Congress: Republic Act No. 10175, the “Cybercrime Prevention Act of 2012” (quoted above), and Republic Act No. 10173, the “Data Privacy Act of 2012”, together with accompanying initiatives, including the establishment of the National Cybersecurity Plan and the National Privacy Commission. It is now imperative to operationalise these plans and raise awareness of the importance of digital security. Specifically, given the high levels of engagement on social media (there are approximately 48 million active social media users in the Philippines, 41 million of whom access social media via mobile), he stressed the importance of users understanding the privacy implications of sharing personal data on social media, and the challenge users face in filtering fake news from facts. Cyber incidents are also occurring more frequently, the most recent being the WannaCry ransomware that infected networks and computers in more than 150 countries in May. With the appropriate physical, legal and regulatory infrastructure and policy in place, and awareness-raising events, he said, users can be made to feel safe and confident in cyberspace, which further encourages digital adoption in the country. One such awareness-raising event is the National ICT (Information and Communication Technology) Month in June 2017.
In recognising that technology has “the power to foster inclusivity, enable security and efficiency, as well as strengthen connections between individuals, communities, and sectors”, the theme for this year’s ICT Month is “ICT for a Better and Safe Philippines.” It was also timely that the National Cybersecurity Plan (NCSP) 2022 was finalised just recently.

National Cybersecurity Plan (NCSP) 2022

Drafted last December, the final version of the National Cybersecurity Plan 2022 was officially launched on 2 May 2017. It incorporates the strategies, programmes and imperatives that the government needs to create a cyber-safe Philippines, said Mr Allan Cabanlong. The four key strategic imperatives of the NCSP 2022 are “Protection of Critical Infostructure (CII)”, “Protection of Government Networks”, “Protection of Business and Supply Chains” and “Protection of Individuals”, to enable the Philippines to become a cyber-resilient nation.

To strengthen the cybersecurity of the private and public sectors, DICT will establish a National Computer Emergency Response Team (NCERT), which will serve as the focal agency for computer emergency response. NCERT will work with Government CERTs (GCERTs), Military CERTs, Sectoral CERTs and partner international CERTs. This will centralise the collection of actionable intelligence, enable early-warning systems and digital analytics, and coordinate incident response.

Increase the Pool of Cybersecurity Experts

NCSP 2022 also sets out programmes to build the cyber skillset within the educational, public and private sectors, and international collaborations to exchange knowledge with regional bodies (for example, the Cybersecurity Working Group of the ASEAN Defence Ministers) and international agencies (for example, Interpol, Europol and the US FBI), through:
• Establishment of cyber training facilities and certification programmes
• Promotion of a national cybersecurity R&D programme to attract and cultivate cyber experts
• Training to develop cybersecurity specialists
• Promotion of communities of practice

In particular, within the educational sector, DICT looks to integrate cybersecurity into the academic curricula at senior high school, undergraduate and graduate levels. For example, foundational work with one of the universities in Pampanga on the first offering of a Master in Cybersecurity, covering cybersecurity, risk management, forensics and incident response, has already begun. To successfully incorporate cybersecurity into schools, DICT will implement a Training of Trainers (ToT) project and partner with the George C. Marshall Centre (GCMC), a centre for security studies, so that trainers acquire the skills needed to teach cybersecurity and deliver on this objective. In the public sector, the CICC is “mandated to do capacity building and to support law enforcers in combating cybercrime.” DICT is also offering training programmes to law enforcement officers. Mr Cabanlong stressed that it is imperative to equip law enforcers, lawyers and judges with technical investigation skills, such as network forensics and digital analytics, so that they better understand cyber-related cases and can facilitate their resolution.

Photo: Ms Emmy Lou Versoza-Delfin (Program Manager, ICT Industry Development, Department of Information and Communications Technology, Republic of the Philippines) introducing the panel at Philippines Connect 2017, co-organised by CommunicAsia 2017 and DICT. Joining the Ambassador were Mr Monchito B. Ibrahim, Undersecretary, DICT, and representatives from the Philippine Government trade and investment centre, the IT-BPM (Information Technology – Business Process Management) industry and the telecommunications giant PLDT. From left: Mr Jonathan de Luzuriaga, President, Philippine Software Industry Association and Board Trustee, IT and Business Process Association of the Philippines, on “Philippine IT-BPM Industry Roadmap 2022”; Mr Glenn Peñaranda, Philippine Trade & Investment Centre – Singapore, on “Doing Business in the Philippines”; Mr Monchito B. Ibrahim, Undersecretary, DICT, on “Philippine Government ICT Initiatives”; His Excellency Ambassador Antonio A. Morales, Ambassador of the Philippines to Singapore, Opening Address; Mr James L. Melon, Country Manager, Singapore, PLDT Enterprise, on “PLDT Singapore”.

Looking ahead

As the Philippines accelerates its broadband connectivity plans and prepares its users for the new challenges posed by the evolving digital ecosystem, there is also an awareness of the need to prevent another catastrophic incident like the 2016 Commission on Elections (Comelec) breach, in which millions of voter biometric profiles were harvested. That attack, which occurred right before national elections, was one of the largest ever against a single country.



Looking ahead, as cyber attacks become increasingly transnational, with an attack originating in a different part of the world having cross-jurisdictional impacts (the Philippines’ well-regarded business outsourcing sector, which hosts data of global organisations including financial institutions, is one example), NCSP 2022 and the NBP clearly demonstrate serious efforts by the Philippine Government to protect the country’s internet use, its citizens and its businesses from cyber attacks.

Photo: Mr Monchito B. Ibrahim, Undersecretary, Department of Information and Communications Technology, speaking at Philippines Connect on “Philippine Government ICT Initiatives”. Photo credit: CommunicAsia 2017


Photo: Mr Allan Cabanlong, Assistant Secretary, DICT, and Executive Director, Cybercrime Investigation and Coordinating Center (CICC), unveiling the National Cybersecurity Plan 2022. Photo credit: DICT, CICC



Cyber Security Cover Story

Navigating the IT landscape of the future: The cultural shift your business needs

By Dr David Halfpenny, Course Coordinator – Bachelor of IT (Network Security), TAFE NSW

The future IT landscape is scary for the businesses of today, but it is certainly not insurmountable. Naturally, as the value of data to people and organisations grows, ransomware attacks, data theft and extortion will continue to rise. But the threats are not only perpetrated through stealthy backdoor tactics; according to Verizon’s latest Data Breach Investigations Report (DBIR), the vast majority (82 per cent) come straight through the front door via internal staff and contractors. Unfortunately, for the most part, organisations are not equipped to deal with the threat that employees pose to the ongoing viability of the business, particularly from a talent perspective. The disruption achieved by the underworld of cyber-attacks has been significant over the past five years, and it is not likely to slow down any time soon. While we are quickly finding advanced methods of protection and defence against these attacks, businesses are generally not equipping themselves adequately to implement them. Big companies such as banks that understand the value of their data have moved quickly to do what is expected of them to protect it. The problem stems from businesses that are not big enough or experienced enough to handle their own security, and do not have the capital to invest in having it managed as a service. It lies in both a lack of technical investment and, perhaps more importantly, a failure to address the vulnerabilities exposed by the people in the business.

The BIG threat

One of the most common (and perhaps most dangerous) preconceptions is that businesses attract most cyber-attacks from the outside. This couldn’t be further from the truth. The biggest threat is, and always will be, people. No matter how good your security infrastructure, processes and procedures are, employees will always provide the easiest attack vectors. While the technical solutions to the problem are certainly not simple, they can be implemented without too much disruption. Equipping a company with a healthy culture and standards around cyber security, however, is a challenge that many conclude is too complicated to do anything about. The issue with this is that technical solutions can only go so far to protect your company if you have malicious, or more likely negligent or ignorant, employees with access to business data. Just about every workplace now has a dedicated program of occupational health and safety, but very few have similar schemes for creating a healthy cyber security culture. Interestingly, the concepts of physical safety and well-being are very similar to the concepts of cyber security. They all begin with creating a culture that sees and understands the threats, and propagates a natural predisposition to take appropriate action. The government’s recent budget demonstrates a renewed commitment to protecting existing infrastructure and investing in training for the cyber security experts of the future, but this practice needs to become a regular cultural fixture within organisations.

Combatting threats, starting with culture

So, you want to create a healthy culture around cyber risk practices? Culture can’t be cultivated overnight. It’s a shift that starts with a conversation, education and eventually changed attitudes in the workplace. There have been numerous and much-needed calls lately for Australia to increase its investment in cyber security training. The cyber security industry is seeing enormous growth and has begun to reach the limit of its talent supply. Many cyber security students are offered work before they have even graduated from their degrees, alongside regular requests for internship and graduate placement arrangements from companies. Organisations from many different industries are learning the benefits of using “blank slate” specialists whose cyber security training allows them to hit the ground running. Despite this, the reality is that the majority of organisations do not have the resources to invest in “blank slate” candidates, and a cultural shift should not be siloed within the IT department. If employees are the greatest risk to business data, they need to be treated as such: as simultaneously the most valuable and, either knowingly or unknowingly, the most high-risk resource. Change across the board requires this investment to be directed toward training and upskilling employees throughout the entire business. Even base-level training can help employees identify and respond appropriately to cyber risk, which helps enormously to keep inadvertent risk exposure to a minimum. It is also important to note that security is, and will continue to be, an area of IT that is unlikely to be outsourced to another country. This is why it is so vital that businesses and government work together to develop our own local talent and safeguard the future. The more educated your employees are, the more this necessary cultural change will begin to take place. Ultimately, this cultural shift needs to become a standard and integrated part of working life; leaders need to be instigating these conversations around cyber threats and security. Normalising the cyber security discussion in the workplace, investing in education and training, and implementing regular workplace practices that make it an integrated daily business precaution are all important elements of this changing business focus. Like earthquakes and floods, far too many businesses seem to think cyber-attacks are something they can’t do anything about. The advancing technologies of today are a testament to the fact that this is not the case. However, businesses can’t leave it entirely up to technology to protect them. For many organisations, it is now not only important but necessary to invest in upskilling staff to protect the organisation. While the completion of a degree is a step in the right direction for developing cyber security experts, the biggest threat to an organisation is, and always has been, its people, which is why upskilling staff in cyber security activities is vital for the businesses of the future.

No matter how good the security infrastructure, processes and procedures, an organisation’s people will always provide the easiest attack vector. It’s time businesses equipped themselves with the skills to navigate the IT landscape of the future.

About the Author
Dr David Halfpenny is the course coordinator for the Bachelor of IT (Network Security) degree program at TAFE NSW. He has over 20 years of higher education teaching and IT experience. With his team of highly talented teachers, his program is producing graduates that are being snapped up by the security industry.

In its first year of operation, Data61’s Year in Review reports making significant strides in support of the Government’s Cyber Security Strategy, with more than 70 cyber security research initiatives active across the network of universities, research institutions and government sectors.




The ASX 100 Cyber health check report What’s next for your board?

By Michael Trovato GAICD, CISM, CISA

The Australian Securities Exchange (ASX) and the Australian Securities and Investments Commission (ASIC), along with the “Big 4” accounting firms, have released the ASX 100 Cyber Health Check Report (the ASX Report) to establish a baseline in cyber security via a high-level “health check”. I commend the ASX, ASIC and the other participating companies for the leadership they have shown. Efforts like these are real accomplishments of cooperation and collaboration towards the common goal of a resilient ecosystem. Although the arc of progress described in the ASX Report might be tilted towards goodness, it is also clear that much more needs to be done. After reviewing it and reflecting, I would recommend:

1. Make sure the board has sufficient cyber security expertise or advisors;
2. Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal and compliance;
3. Use the results of the ASX Report for discussion at your next board meeting;
4. Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly;
5. Include cyber security as a quarterly agenda item, or more often as needed;
6. Measure your board’s performance in this critical area; and
7. Learn from peers on other boards.

Today, I want to focus on the first item. Most importantly, expertise at board level comes from knowing the “that”, “how” and “why” of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board or the audit and risk committee, or as an advisor. The ASX Report made a clear effort to survey such people, but in some cases companies struggled to find a person to answer the questions, or feared sharing details: 24% of companies did not respond.

The ASX 100 Cyber Health Check Report as a baseline

The ASX Report says that it “can act as a baseline where companies can see how they rate against their peers and can take practical steps to improve their cyber security.” I would



caution against using the ASX Report as a benchmark, though, as it may reflect a perceived rather than an actual cyber security profile. Each company must do the hard work of learning where it stands; baselines may be useful, but they are a single data point or a vehicle for discussion. In the ASX Report, cyber security is most often the domain of the board’s audit or risk committee (64% of respondents), allowing a subset of directors with relevant skills to focus on cyber risk. Considering the maturity of cyber security governance in Australia, this is the result I would expect, and those committees are probably the most qualified to evaluate cyber risk. This is good, but is it good enough? The answer depends on your board’s capabilities and strategic industry focus.

I recently read in The New Yorker that the ‘British philosopher Gilbert Ryle gave an influential lecture about two kinds of knowledge. A child knows that a bicycle has two wheels, that its tires are filled with air, and that you ride the contraption by pushing its pedals forward in circles. Ryle termed this kind of knowledge—the factual, propositional kind—“knowing that”. But to learn to ride a bicycle involves another realm of learning. A child learns how to ride by falling off, by balancing herself on two wheels, by going over potholes. Ryle termed this kind of knowledge—implicit, experiential, skill-based—“knowing how”.’ So, boards must know their organisation’s risk framework, risk appetite, regulatory and other stakeholder obligations, the data and systems that must be protected, strategy and investments. But they must also learn how to apply this knowledge, thereby understanding how these things affect strategy, financial results, risk and compliance outcomes. The article went on to describe how the most powerful element of interaction was not knowing that or knowing how, not mastering the facts of the case or perceiving the patterns they formed. It lay in a third realm of knowledge: “knowing why”. This is what boards and their risk committees must be able to do; it is critical to their success.

Boards must be able to ask “why?” They must be able to ask, “Why is this happening?” or “Why is this getting worse?” In some cases, their governance and business experience will guide these questions. In others, deeper cyber security experience is required to ask the right questions and critically evaluate the answers. Cyber security is a pervasive risk and an arcane, deep and fast-moving area of knowledge, one that many board members lack. The 2016 Global Board Directors Survey by

retained search firm Spencer Stuart indicated that cyber security was a weakness on most boards. Board and risk committee evaluations, identifying areas of board strength and weakness in skills, behaviours, meeting effectiveness, reporting, composition and stakeholder engagement, are required for cyber security. Further, cyber security experience at board level, through its members, committees and advisors, is required on an ongoing basis and across the entire board agenda to build skill and knowledge. Progress at board level may be happening more slowly than we need, and as a result government and the courts may end up driving the process. In the US, the Cybersecurity Disclosure Act of 2017 (S.536) is being deliberated. It would require companies to have a cyber security expert on their board, or to explain why that is unnecessary in their industry. Australia may not follow this direction, but we would be well advised to follow it in spirit. The Australian Institute of Company Directors (AICD), ISACA, (ISC)² and other professional organisations are positioned to promote this idea to boards and executives, with further support from ASIC and the ASX. Most boards today are outgunned by cyber criminals. Getting the right knowledge and experience integrated into the board will be essential to achieve the desired outcome of organisational resilience. There is still much work to be done.

About the author
Cyber security and technology risk advisor to boards, board risk committees and executive management including CEOs, CIOs, CISOs, TSOs and CROs. Helps key stakeholders understand the obligations and outcomes of effective cyber security. This includes solving an organisation’s greatest issues with respect to regulatory, industry and company policy compliance, and protecting what matters most in terms of availability, loss of value, regulatory sanctions, or brand and reputation impacts, balanced with investment.

Key Australian and US roles: ICG, Global Cyber Practice Leader; Cyber Risk Advisors, Managing Partner; EY Cyber Security, Lead Partner; NAB Group, GM Technology Risk and Security; KPMG, Partner Information Risk Management; Salomon Brothers, Internal Audit; MasterCard International, Principal. Graduate, Australian Institute of Company Directors (GAICD); ISACA Melbourne Chapter Board Member. Certified Information Security Manager (CISM); Certified Information Systems Auditor (CISA); PCI DSS Qualified Security Assessor (QSA). MBA Accounting and Finance and BS Management Science, Computer Science and Psychology.




Building a modern security operations centre How to protect your organisation’s information

By Jason Legge, Head of Security Consulting, Huntsman Security

Security Information and Event Management (SIEM) technologies are not new, but there remains plenty of misinformation and misunderstanding about how to use them. Critics dismiss them as little more than log collection and storage tools that, because of their management overhead, give little return on investment (ROI). What these critics fail to acknowledge is that, by rethinking how security operations centres (SOCs) operate, SIEM technologies deliver significant operational benefits and efficiencies. Do you know what it takes to deploy a SIEM and upgrade your security to enable proactive threat hunting? By integrating a SIEM into the core of your SOC and re-engineering some of the processes around it, you can start to improve your cyber assurance and realise a highly favourable ROI.

Let’s start with staffing. You might already have a security team looking after firewalls, antivirus products and intrusion prevention systems. That is a lot of “security systems” to monitor, and the addition of a SIEM may seem like yet another thing to do. But what if you look at the SIEM as a consolidation technology, one that merges information from all these systems into a single screen? Instead of going straight to security operations, start talking to your network, server and desktop teams, and maybe even your database team, to see which aspects of security operations would sit more naturally with them. For example, adjusting the rule-set on a firewall is not unlike changing the configuration of a router or core switch. Your network team almost certainly knows all about firewall administration already; firewalls are simply another networking device. If you can move the operation and management of your firewalls to the networking team, you will have freed up time for your security operations team to focus on threat management and assurance. A second example is to consider reallocating responsibility for your antivirus technology to your server and desktop team. That team usually manages the configuration and software build of operating systems, along with software distribution and general systems administration, so adding antivirus to their portfolio makes logical sense. These small changes start to free up enough time for your security team to initiate



proactive threat hunting and develop more rigorous vulnerability assessments. Reallocating workflows and IT management activities to other technical teams can free up valuable security resources to refocus on streamlining processes and making proactive improvements; but don’t stop there. Run the next phase of modernising security operations as a project. Appoint a project manager, set the scope and identify all the requirements of a contemporary security operations centre. Now you can focus on getting the best out of your SIEM platform. The scope of your operational activities includes maintaining compliance, detecting and reporting on threats, and incident response. To achieve these deliverables you will be collecting and analysing significant amounts of data, which allows your operations team to undertake two kinds of activity:

1. Historical log analysis, used for audits and forensic investigations;
2. Real-time alerting, based on identifying threats from individual records, or from correlation rules that fire when a particular sequence of security events is detected.

Your design team should produce workflows and process documentation for all the activities the security operations team will undertake, including any incident management and compliance reporting the organisation needs to consider. Integrating operational security processes with the rest of your service management team’s processes is essential to optimise security outcomes. The security team needs representation on your Change Approval Board (CAB) so that it is aware of any changes to the infrastructure or network that might affect the SIEM, directly or indirectly. Security analysts can also use the CAB approval of a database update to trigger a proactive response, for example by running exercises with the database administrators to identify vulnerabilities in the new system and confirm that known attacks produce the expected events in the SIEM.
If you already have an effective incident management procedure, make sure you integrate security incident management processes into it so that first-line resolver groups (service desk) know how to handle all types of incident. Equally, if you have a problem management process, extend it to include resolution of security problems. All of this becomes an extension of the SOC. Working closely with other operations managers from diverse areas of the business is critical to make sure security obligations and requirements are coordinated and delegated appropriately. Enlist them as stakeholders and train them to understand security requirements. In doing so, you will improve general operations and streamline the processes to deliver proactive security, as well as pushing security awareness throughout the IT management team.

By performing consistent and comprehensive infrastructure monitoring and having an efficient change management process, the SOC team can focus on reporting by exception, rather than simply indicating change-related activities. This shift in emphasis will take hold over a transition period as the number of incidents starts to reduce (cutting false positives). The quality of security reporting will also improve, and you’ll notice better collaboration between the SOC and the rest of your service management team. The establishment of formal processes and workflows will enable performance measurement and form the basis for continuous process improvement and ongoing refinement of your security capability.

Now that you have installed your SIEM at the heart of the security operations centre, analysts can add the specialist oversight necessary to drive the delivery of new and improved outcomes. Continual improvement of analysts’ processes and training them in threat modelling and threat hunting skills will ensure cyber-readiness across the team. Your SOC now monitors the pulse, blood pressure and temperature of your organisation, and as soon as it gets sick, your analysts will know about it. Welcome to a modern security operations centre.

About the author

Jason works directly with customers, Huntsman’s channel partners and internal teams to provide solutions to cutting-edge cyber security challenges. Jason’s extensive experience in the areas of security threat analytics and incident response means he is well aware of the demands faced by analysts in quickly and accurately resolving cyber threats. Before joining Huntsman, Jason headed up the High Security Operations Centre for a UK government agency for six years. During that time, he advised business leaders, security accreditors and IT operations managers and analysts at a national level on IT and cyber defence threat mitigation strategies and SOC design and operation. Jason may be contacted at jlegge@huntsmansecurity.com

Please visit the Huntsman Resources page at www.huntsmansecurity.com/resources/ for White Papers, Compliance Guides, Solution Briefs and Product Brochures.

Asia Pacific Security Magazine | 49


TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Latest News and Products

Codelocks continues its wave of innovation with two new affordable mechanical locks

Leading lock manufacturer Codelocks Asia Pacific has introduced two new additions to its range of easy-to-install locks, with the announcement of the CL50 and the CL160. The new locks follow a raft of product releases, as Codelocks continues to invest heavily in research and development. The CL50 and the CL160 are affordable mechanical push button locks that provide a comprehensive range of functions for light duty entry control. The CL50 is a light duty mechanical push-button lock with tubular latch. The CL160 is the latest addition to the CL100 product line up with a range of additional benefits.

Compact CL50

A highly flexible addition to the Codelocks portfolio, the mini mechanical lock is a latch bolt with ‘anti-shim’ plunge and is well suited to low traffic uses. The small size of the lock makes it very versatile, suiting a wide range of applications. There is a 10-button keypad – nine buttons for code selection, offering over 500 possible combinations, plus a ‘C’ button used to reset the chamber. There are three choices of latch size and a ‘hold open’ function allowing free entry when required without operating the code. The lock is ideal for internal applications that require a smaller footprint. Other key features include:

• Easy action internal lever
• Thumb turn handle
• Suits right or left hand hung doors
• Limited lifetime warranty
• Retrofit

CL160

The CL160 follows on from the CL155. The mechanical lock provides two different coding methods – QuickCode and EasyCode. The first allows for simple on-the-door code changes and is ideally suited for applications where regular code changes are required. The second requires the lock to be removed, providing robust management control. The lock has a 12-button keypad. Ten buttons are used for code selection, with over 1,000 possible combinations; the ‘C’ button is used to reset the chamber and the ‘A’ button can be used to change the code. The lock is easy to install and can even be retrofitted to the existing lock prep holes from the CL155 and similar locks. Other key features include:

• Simple convenient control
• On door code change
• Suits right or left hand hung doors
• Suitable for internal and external applications
• Limited lifetime warranty

“Following their success in our UK and US markets, we are delighted to welcome both the CL160 and the CL50 to our portfolio,” said Mark Samuelson, General Manager for the Asia Pacific region. “The diversity of the locks provides both home owners and businesses with a full range of options to suit all purposes and budgets, and further demonstrates Codelocks’ commitment to servicing the needs of the access control market.”

For more information on the new CL50 and CL160 visit:
CL50 - www.codelocks.com.au/cl50/cl50mortice-latch.html
CL160 - www.codelocks.com.au/cl50/cl50mortice-latch.html

About Codelocks Asia Pacific

Codelocks Asia Pacific designs and manufactures a wide range of innovative, standalone keyless door, locker and cabinet locks for organisations that need to control access within their buildings. The product range includes stylish push-button mechanical locks, digital electronic and wireless ‘smart’ locks that are easy to manage and can be operated using a keypad, card and smartphone. Convenience is at the heart of all of Codelocks’ products. Our user-friendly approach enables building and facilities managers to have complete control over who is entering and exiting. The locks are cost-effective, easy to fit and programme, can be retrofitted and do not require complex wiring or external power. We offer full access to expert technical advice and customer support. For more information, visit www.codelocks.com.au

Information presented in TechTime is provided by the relevant advertiser and does not necessarily reflect the views of My Security Media



Senstar introduces the Flare real-time locating system at the Security Exhibition and Conference

Senstar has introduced the Flare Real-Time Locating System to the Australian market at the Security Exhibition and Conference. Flare instantly identifies and locates personal duress alarms at the touch of a button. Designed for reliability in institutional and industrial environments, Flare uses patented, proven, cost-effective technology to help keep staff safe.

“The technology behind Flare has been in continuous use in high-threat environments for over 20 years,” said Product Manager Todd Brisebois. “Senstar has used this experience to design the architecture and feature set required for a mission critical real-time locating system while offering one of the industry’s lowest Total Cost of Ownership.”

In the event of danger, the user activates a Personal Protection Device (PPD) on his or her belt. The PPD emits an RF signal that is detected by a network of sensor units concealed throughout the facility. Flare immediately locates indoor emergency alarms to within 6 m (20 ft) and displays the location, status, and identity of the PPD on a map-based display in the control room. Pull-pin and man-down (tilt activated) options are also available, and the system can be optimized for outdoor use. Flare operates in protected frequency bands that use dedicated spectrum, avoiding the potential for interference. Key features of the Flare Real-Time Locating System include low sensor unit density, scalable architecture, IP connectivity, and ruggedized components. Flare is also easy to install and maintain, and requires minimal user training.

Visit Senstar at booth L29 at the Security Exhibition and Conference from July 26-28 to learn more about Flare and to check out our perimeter intrusion detection products including the FlexZone ranging fence-mounted intrusion detection sensor and the FlexZone Wireless Gate Sensor, and the OmniTrax ranging buried cable intrusion detection sensor, as well as the Tungsten cyber security appliance for the edge of a network. Also at the Senstar booth is Aimetis, a Senstar company, which combines the most scalable and easy to use video management systems with integrated analytics and centralized management in the cloud. Learn about Symphony, the new benchmark for intelligent video management software.

About Senstar Corporation

Senstar has been manufacturing, selling, and supporting the world’s largest portfolio of perimeter intrusion detection sensor technologies for over 35 years. Senstar is also a leading provider of personal duress solutions. Senstar products can be found around the world in more than 80 countries, in tens of thousands of sites including commercial, borders, ports, military and government, transportation, oil and gas, correctional, and other critical sites. www.senstar.com | www.YouTube.com SenstarCorp Twitter: @SenstarCorp

Updated NIST Guidance for Bluetooth Security

NIST’s Information Technology Laboratory has published Special Publication (SP) 800-121 Revision 2, Guide to Bluetooth Security, to provide an updated overview of Bluetooth wireless technology and to discuss related security concerns. The publication will help guide Bluetooth implementers, such as systems engineers and architects who design and apply Bluetooth wireless technologies, and will also help those who oversee and review use and security of Bluetooth within their organizations. This article provides an overview of Bluetooth wireless technology and highlights key information from Special Publication (SP) 800-121 Revision 2 about Bluetooth’s security features, its vulnerabilities, and ways to address these vulnerabilities and make this technology more secure.

Overview of Bluetooth Wireless Technology

Bluetooth is a technology for short-range radio frequency communication that is used primarily to establish wireless personal area networks (WPANs). Bluetooth has been integrated into many types of business and consumer devices, including cell phones, laptops, automobiles, printers, keyboards, mice, headsets, and, more recently, medical devices, and personal devices (such as smart watches, home appliances, and fitness monitors). Thanks to Bluetooth technology, a wide variety of devices can be connected to the Internet. Devices that are connected to the Internet – whether through Bluetooth technology or another technology – form what is called the Internet of Things.

Bluetooth is a low-cost, low-power technology that provides a mechanism for creating small wireless networks on an ad hoc basis, known as piconets. A piconet consists of two or more Bluetooth devices in close physical proximity that operate on the same channel using the same frequency hopping sequence. An example of a piconet is a connection between a cell phone and a headset using Bluetooth wireless technology.



Cisco 2017 midyear cybersecurity report predicts new 'Destruction of Service' attacks

The Cisco 2017 Midyear Cybersecurity Report (MCR) uncovers the rapid evolution of threats and the increasing magnitude of attacks, and forecasts potential “destruction of service” (DeOS) attacks. These could eliminate organizations’ backups and safety nets, required to restore systems and data after an attack. Also, with the advent of the Internet of Things (IoT), key industries are bringing more operations online, increasing attack surfaces and the potential scale and impact of these threats.

Recent cyber incidents such as WannaCry and Nyetya show the rapid spread and wide impact of attacks that look like traditional ransomware, but are much more destructive. These events foreshadow what Cisco is calling destruction of service attacks, which can be far more damaging, leaving businesses with no way to recover. The Internet of Things continues to offer new opportunities for cybercriminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact. Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the Internet itself.

Measuring effectiveness of security practices in the face of these attacks is critical. Cisco tracks progress in reducing “time to detection” (TTD), the window of time between a compromise and the detection of a threat. Faster time to detection is critical to constrain attackers’ operational space and minimize damage from intrusions. Since November 2015, Cisco decreased its median time-to-detection (TTD) from just over 39 hours to about 3.5 hours for the period from November 2016 to May 2017. This figure is based on opt-in telemetry gathered from Cisco security products deployed worldwide.

Threat landscape: What’s hot and what’s not

Cisco security researchers watched the evolution of malware during the first half of 2017 and identified shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques. Specifically, Cisco saw that adversaries increasingly require victims to activate threats by clicking on links or opening files. They are developing fileless malware that lives in memory and is harder to detect or investigate, as it is wiped out when a device restarts. Finally, adversaries are relying on anonymized and decentralized infrastructure, such as a Tor proxy service, to obscure command and control activities.

While Cisco has seen a striking decline in exploit kits, other traditional attacks are seeing a resurgence:

• Spam volumes are significantly increasing, as adversaries turn to other tried-and-true methods, like email, to distribute malware and generate revenue. Cisco threat researchers anticipate that the volume of spam with malicious attachments will continue to rise while the exploit kit landscape remains in flux.
• Spyware and adware, often dismissed by security professionals as more nuisance than harm, are forms of malware that persist and bring risks to the enterprise. Cisco research sampled 300 companies over a four-month period and found that three prevalent spyware families infected 20 percent of the sample. In a corporate environment, spyware can steal user and company information, weaken the security posture of devices and increase malware infections.
• Evolutions in ransomware, such as the growth of Ransomware-as-a-Service, make it easier for criminals, regardless of skill set, to carry out these attacks. Ransomware has been grabbing headlines and reportedly brought in more than $1 billion in 2016, but this may be misdirecting some organizations, who face an even greater, underreported threat. Business email compromise (BEC), a social engineering attack in which an email is designed to trick organizations into transferring money to attackers, is becoming highly lucrative. Between October 2013 and December 2016, $5.3 billion was stolen via BEC, according to the Internet Crime Complaint Center.

Unique industries face common challenges

As criminals continue to increase the sophistication and intensity of attacks, businesses across industries are challenged to keep up with even foundational cybersecurity requirements. As Information Technology and Operational Technology converge in the Internet of Things, organizations struggle with visibility and complexity. As part of its Security Capabilities Benchmark Study, Cisco surveyed close to 3,000 security leaders across 13 countries and found that across industries, security teams are increasingly overwhelmed by the volume of attacks. This leads many to become more reactive in their protection efforts.

• No more than two-thirds of organizations are investigating security alerts. In certain industries (such as healthcare and transportation), this number is closer to 50 percent.
• Even in the most responsive industries (such as finance and healthcare), businesses are mitigating less than 50 percent of attacks they know are legitimate.
• Breaches are a wake-up call. Across most industries, breaches drove at least modest security improvements in at least 90 percent of organizations. Some industries (such as transportation) are less responsive, falling just above 80 percent.

Important findings per industry include:

• Public Sector – Of threats investigated, 32 percent are identified as legitimate threats, but only 47 percent of those legitimate threats are eventually remediated.
• Retail – Thirty-two percent said they’d lost revenue due to attacks in the past year, with about one-fourth losing customers or business opportunities.
• Manufacturing – Forty percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardized information security policy practices such as ISO 27001 or NIST 800-53.
• Utilities – Security professionals said targeted attacks (42 percent) and advanced persistent threats, or APTs (40 percent), were the most critical security risks to their organizations.
• Healthcare – Thirty-seven percent of the healthcare organizations said that targeted attacks are high-security risks.

Cisco’s Advice for Organizations

To combat today’s increasingly sophisticated attackers, organizations must take a proactive stance in their protection efforts. Cisco Security advises:

• Keeping infrastructure and applications up to date, so that attackers can’t exploit publicly known weaknesses.
• Battle complexity through an integrated defense. Limit siloed investments.
• Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints.
• Establish clear metrics. Use them to validate and improve security practices.
• Examine employee security training with role-based training versus one-size-fits-all.
• Balance defense with an active response. Don’t “set and forget” security controls or processes.

For the 2017 MCR, a diverse group of 10 security technology partners were invited to share data from which to jointly draw threat landscape conclusions. Partners that contributed to the report include Anomali, Flashpoint, Lumeta, Qualys, Radware, Rapid7, RSA, SAINT Corporation, ThreatConnect and TrapX. Cisco’s security technology partner ecosystem is a key component of the company’s vision to bring security that is simple, open and automated to customers.

About the Report

The Cisco 2017 Midyear Cybersecurity Report examines the latest threat intelligence gathered by Cisco Collective Security Intelligence. The report provides data-driven industry insights and cybersecurity trends from the first half of the year, along with actionable recommendations to improve security posture. It is based on data from a vast footprint, amounting to a daily ingest of over 40 billion points of telemetry. Cisco researchers translate intelligence into real-time protections for our products and service offerings that are immediately delivered globally to Cisco customers. For more information, visit www.codelocks.com.au

Ten top defence-tech startups selected for Techstars Adelaide

Techstars Adelaide, the first Techstars accelerator in Asia-Pacific, has announced the official launch of its 13-week intensive program in which 10 startups from different parts of the world will gain access to high profile mentors, the Techstars global network, a newly renovated work space in the Adelaide CBD and a cash investment of up to US$120,000 in their respective companies. After reviewing applications from 49 different countries, Techstars Adelaide selected the Top 10 to take part in its accelerator program with founders hailing from Australia, India, Israel, Italy, New Zealand and the US. The selected teams work on a very wide range of defence and security related technologies including big data and analytics, sensors, unmanned aerial systems, rocket propulsion, cyber and physical security, and performance improvement. Out of the 10 finalists, six startups are from Australia, with companies from Melbourne, Brisbane and Adelaide joining the program.

Startup | Location
1. Additive Rocket Corporation | San Diego, USA
2. CRON Systems | New Delhi, India
3. Daitum | Adelaide, Australia
4. Dotterel Technologies | Auckland, New Zealand
5. IR Sensors | Adelaide, Australia
6. Iridium Dynamics | Brisbane, Australia
7. MySky Technologies | Adelaide, Australia
8. NIMIS CyberSecurity | Melbourne, Australia
9. RadioMaze Inc. | Cupertino, USA
10. Teamgage | Adelaide, Australia

“The selection process was not an easy one due to the large volume of very strong applications. We were hugely impressed by the depth of innovation coming from the defence and related sectors. We were particularly excited to see that so many of the applications that really stood out from the crowd were from our home base of Australia,” said Gold. “From drones to data analytics, from virtual borders to rocket science – we’ve assembled a group of the most exciting technology startups working in and around defence today. By bringing these teams together and linking them with startup experts and industry specialists we will help them rapidly scale up their businesses.”

Over the course of the program, the companies will relocate to Techstars Adelaide’s new bespoke workspace on the city’s North Terrace and receive hands-on mentorship from Techstars mentors. They will also receive guidance and support from the corporate partners and global defense sector leaders Boeing, Codan Defence Electronics, SAAB Australia and Thales. All participants will benefit from lifetime access to Techstars resources, connections to investors and the Techstars global network of over 5,000 entrepreneurs, alumni and mentors as well as over US$1 million worth of perks all aimed to provide the companies with all the resources they need to achieve their goals.

David Cohen, Founder and Co-CEO of Techstars commented, “It was a promising experience to launch our first accelerator program in Asia Pacific in a relatively niche sector. The calibre of the applications we received is a true testament of the immense potential both within the region, but also of startups targeting the global defence sector. “We are excited to have such a great class of founders apply to join the Techstars Adelaide program, and look forward to seeing where these startups can go. To date, our program has helped companies raise an average US$3.5 million in venture capital once they’ve completed the program, and we look forward to offering the same opportunities to our Top 10 companies for our first program in APAC,” added Cohen.

The South Australian Government welcomes the Techstars Adelaide accelerator program to its home. Acting Innovation Minister Susan Close said, “Techstars helps entrepreneurs to succeed and today’s announcement further strengthens South Australia’s reputation as the epicentre for smart, new companies to make their start. “The State Government congratulates the first round of participants announced today for Techstars’ Asia Pacific program. “With a focus on commercialising innovative technologies in the defence and security sectors, these start-ups will work closely with global companies such as Boeing, SAAB and Codan who have existing operations in South Australia.”

For more information about Techstars Adelaide, please visit www.techstars.com/programs/adelaide-program/

Australian businesses are resilient yet need to improve breach prevention mindset

Palo Alto Networks has released a new cybersecurity report that reveals Australian organisations are generally resilient when it comes to their cybersecurity posture and habits, despite the general belief that the local IT security professionals are finding it difficult to combat growing threats and savvier cybercriminals. The report, entitled ‘The State of Cybersecurity in Asia-Pacific’, also confirmed that the battle against cybercriminals is far from won as Australian organisations appear to have a misplaced sense of confidence when it comes to cybersecurity. While Australian organisations are experiencing some success in mitigating cyberthreats, it remains an ongoing problem. Data breaches are still costly, with 36 per cent of respondents losing at least AU$130,000 (US$100,000) due to incidents in the 2015-16 financial year. Worryingly, that number rose to 40 per cent in the 2016-17 financial year.

Other key findings in Australia revealed:

• Australian organisations are complacent: According to the report, 34 per cent of Australian businesses have a low average adoption rate for advanced security measures, yet almost three-quarters (74 per cent) of respondents said they were confident in their security measures. In addition, 59 per cent of respondents said they believe their organisation is not a target for cyberthreats, despite growing anecdotal evidence that no company is safe regardless of size or industry.
• There is a lack of awareness of the seriousness of cyberthreats: Just 70 per cent of Australian respondents agreed that cybercrime has become increasingly sophisticated in the last three years, compared with 86 per cent of respondents in China.
• Australian organisations aren’t spending enough on cybersecurity: Only 50 per cent of Australian organisations reported an increase in cyber spend, which was lower than all other markets surveyed. And, while 60 per cent of Australian respondents allocate between 5 and 15 per cent of their IT budget to cybersecurity, just over half (55 per cent) of respondents agreed it is easy to convince management to invest in cybersecurity solutions and technology. Furthermore, 36 per cent of Australian companies cite a lack of budget as the main barrier to keeping up with evolving cybersecurity solutions.
• Focus should shift to prevention: Clinging to outdated security approaches can put businesses at an even greater disadvantage. Instead, organisations should shift their focus away from mitigation and towards breach prevention. Better threat intelligence sharing can help achieve this. By sharing information about threats in time for organisations to protect themselves, businesses can collectively save time and money, and avoid complacency. There may be some work to do to achieve this: Almost half (46 per cent) of Australian respondents said that, in their organisation, detecting and responding to cyberthreats is more important than prevention. Australia is heading in the right direction when it comes to a breach prevention mindset, but organisations need to implement the right systems and measures to stay ahead.
• A framework is required: Most IT decision-makers agreed that reporting breaches to regulators should be mandatory. There needs to be a framework around the types of information shared so that businesses feel comfortable sharing cyberthreat information with each other. This is the only way Australian organisations will be able to implement a cybersecurity posture oriented around prevention rather than the far more expensive cure.
• Cybersecurity awareness and policies are crucial: Just 56 per cent of Australian respondents agreed that all employees/departments in their organisation understood safe cybersecurity practices. Interestingly, not one of the government respondents in Australia said they review their policy and/or standard operating procedure for cybersecurity more than once per year. This is in stark contrast to the financial industry, in which 56 per cent of respondents review policies and standard operating procedures more often than once a year. At the same time, 44 per cent of respondents in Australia said employees in their organisation don’t check with the IT department before introducing new devices or installing software on company devices. Companies must develop, communicate and, importantly, enforce clear security policies to prevent vulnerabilities as much as possible. Educating employees about safe cyber practices is just as important as putting the right security measures in place.

‘These survey results highlight that every organisation is a potential target for cybercriminals. If businesses don’t put the right measures in place, they may be exposed to financial losses and reputational damage after just one successful breach. Failure to take a strong preventative mindset, which includes implementing advanced, next-generation security measures and policies, puts these organisations at risk.’ – Sean Duca, vice president and regional chief security officer for Asia-Pacific, Palo Alto Networks

Management Buy-In Is Key

Good cybersecurity practices, like any cultural behaviour, must be modelled from the top down in an organisation. It’s vital for senior leaders to understand the cyber risk the business faces, as well as their own roles in combatting that risk. IT and security teams can make this visceral and relevant for senior leaders by defining clear business metrics for cybersecurity. This could include involving them in readiness exercises to test cybersecurity processes so they can understand and become engaged in the issues and risks. It’s also important to emphasise how new regulations, such as the Privacy Act in Australia and the General Data Protection Regulation in Europe, will affect the business. Cybersecurity is not a set-and-forget exercise: It is an ongoing battle that requires constant vigilance and regular technology updates.

Learn More

‘The State of Cybersecurity in Asia-Pacific’ report features analysis, practical strategies and tips that can be implemented to help companies in Asia-Pacific keep up with rapidly evolving cybersecurity technologies.

About Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com


ASIA TELECOMS INNOVATION SUMMIT & AWARDS
A Review & Celebration of Global Telecommunications Projects
19 September 2017, Swissotel Merchant Court, Singapore

The Asia Telecoms Innovation Summit and Awards celebrate and recognise the industry’s most innovative & successful project partnerships between operators and vendors over the last 12 months and showcase the very best projects from every corner of the industry.

AWARDS CATEGORIES:
• Infrastructure Innovation
• Consumer Service Innovation
• Software & Applications Innovation
• Wholesale Service Innovation
• Enterprise Service Innovation

SUBMIT YOUR ENTRY NOW!


www.gtbsummits.com | gtbevents@euromoneyplc.com | +44 (0)20 7779 7227

