Australian Security Magazine, Apr/May 2017

Page 1

Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au April/May 2017

RSA Conference 2017 Editor's Review - PART 2

Children of war

Cyber Insurance – Time to start the conversation

Terrorism funding laws

Crisis Management Focus - Communication - User Driven Planning

Digital War against the Islamic State

Modernising your Security Strategy

Drone Terrorism Technology – Facial Recognition & Video Analytics

$8.95 INC. GST


Contents

Editor's Desk, p. 2

Cover Feature
We must do more in the digital war against Islamic State, p. 5
Children of war - Rise of a nation of young Jihadists, p. 6
Drone terrorism - The ascent of evil, p. 8
Is the criminal law on terrorism financing too tough?, p. 12
National Artificial Intelligence in the financial services, p. 14
Fortinet - A guide to security for today's cloud environment, p. 18

CCTV Feature Series
The capability: Facial recognition privacy and regulating new technology, p. 20
Digital video analytics, p. 22

Women in Security
Uniquely placed to lead mission critical information systems, p. 25

Journey to customers - HPE secure data's innovation application & solution, p. 26
RSA Conference Review Part 2, p. 30

Crisis Management Focus
Crisis communication - Reputation management when a crisis hits, p. 37
User driven planning methodology for crisis management, p. 40

Corporate Security
Modernising your security strategy, p. 42
How to see the cyber and disappear completely, p. 44

Cyber Security
Your mum and IoT security, p. 46
Cyber insurance: is it time to start the conversation, p. 48

Editor's book review, p. 50

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Jane Lo, Tony Campbell, Morry Morgan

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiansecuritymagazine.com.au

SUBSCRIPTIONS
T | +61 8 6465 4732
subscriptions@mysecurity.com.au

Copyright © 2015 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US: www.facebook.com/apsmagazine www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

OUR NETWORK: Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors: Anoosh Mushtaq, Jane Lo*, Dr Monique Mann, Eddie Idik, Tony Caputo, Lex Drennan, Morry Morgan*, Tony Campbell*, Meena Wahi, Nicolas Mayencourt, Peter Tran, Ron Bartsch

www.youtube.com/user/MySecurityAustralia | www.asiapacificsecuritymagazine.com | www.malaysiasecuritymagazine.com | www.drasticnews.com | www.chiefit.me | www.cctvbuyersguide.com

2 | Australian Security Magazine


Editor's Desk

Less than 24 hours following a suspected suicide bomber in St Petersburg, with 14 dead and dozens injured, and still less than a week following the London Westminster vehicle attack, killing 5 and injuring 50, Islamic State issued a public call to arms via a frequent ISIS Twitter disseminator, urging attacks on Australia, the US and Europe. Twitter suspended the account after the post was made at 3am on April 4.

Having spent the last several editions examining technology and cybersecurity risk, in this edition we refocus on terrorism, the challenge of counter-terrorism and the on-going, daily tragedy emanating from the war’s epicentre, now in its sixth year. On April 3, there were reports of the worst chemical attacks yet. This is not to say technology and cybersecurity are not relevant. Indeed, terrorism, cybersecurity and technology risk are becoming inextricably entwined. The fast-emerging cyber-attack vectors are undoubtedly going to merge with the complexity and scale technology offers to terrorists and trans-national organised crime. Add this to the challenge of funding today’s mitigation strategies, applied for tomorrow’s digital world and supported by a lacklustre and slowly responding legislative framework. There is a job ahead of us!

Peter Tran, Senior Director of RSA Security’s Worldwide Advanced Cyber Defence Practice, confirms that while cloud, mobile and the Internet of Things (IoT) present undeniable efficiencies and opportunities in the business world, the reality is that they also add a multitude of cybersecurity complexity and potential exposure. Peter writes, “In 2016, over 260 billion apps were downloaded over the Internet across approximately 7.5 billion mobile devices communicating in an interdependent web with cloud based platforms and services. This is referred to as the Internet’s “Third Platform”. The explosion in the number of devices, identities, and shared systems isn’t just transforming business but is changing critical cyber security requirements directly related to the sheer scale, speed and complexity by which organisations, both public and private, are migrating legacy systems to the “Third Platform”. While modern organisations are capitalising on cloud, mobile and IoT, they are also expanding their attack surface— and with it, new “hacker hot spots” are left in the wake of IT technology expansion, which leaves a fertile ground for nation state hackers and cyber criminals to exploit.”

Anooshe Mushtaq provides confronting insight into Syria’s children at war – our next generation of jihadists – and adds, “WhatsApp and Telegram are the mobile messaging applications currently favoured by jihadists because of their security features. Telegram offers the ability to destroy messages with a timer feature, and protects messages from hacker attacks. WhatsApp provides end-to-end encryption and the assurance that calls are secure. In general, embracing mobile messaging applications with encryption capability is an intelligent shift in IS operations that regularly makes it difficult for counter terrorism agencies to detect the group’s movements. This presents IS with a covert way to orchestrate terror attacks.”

“The idea 10 years ago this would have happened to Syria would have been beyond any sort of human understanding." - Paul Kelly, The Australian editor-at-large, ABC’s Q&A program, 3 April 2017

We need to start thinking a decade from now and, with tech-savvy yet traumatised jihadists entering a modern digital world, the risk landscape will be a challenge we need to start planning and preparing for, today.

Alongside the cyber realm remain connected physical technologies. The UK and Australia are building drone registration systems yet, as Ron Bartsch contributes, “it is far from clear how registration would mitigate an act of terrorism, as it is more of a system for tracking law-abiding citizens’ drones. Up until now it was expensive and required skill to be able to fly an aircraft—which acted as a form of regulation in itself. Now, you can fly these things relatively easily. In the UK, the House of Lords has called upon the EU to introduce a compulsory registration system for the devices, but the plans have stalled. Creating a greater awareness in the broader community of the extent to which drones may be used by terrorists (and other criminals) including publicising the dangers—without hysterics—may be a good start. Also, manufacturers and distributors of drones and training establishments throughout the world should be more vigilant of the possible use of drones for terrorist activities. By way of parallel, many governments have passed legislation requiring retailers of chlorine (for swimming pools) and household fertilizers to report certain sales or suspicious transactions. International arrangements regulating the export of drone technology could be refined and strengthened with terrorist activities in mind, with special attention on drones equipped with technologies that can evade radar or have high-performance capabilities.”

In addressing mitigation approaches, we also include articles on terrorism financing, biometrics and video analytics. Stephen Dametto, Detective Superintendent and founder of Australia’s Counter Terrorism Financing Investigations Unit, contributes, “the sheer complexity and fluidity of contemporary global financial processes, coupled with small amounts of money, which can facilitate terrorist acts, means that the stated purpose of the funding cannot and should not be an overriding factor on the illegality of the transfer of funds.”

Dr Monique Mann from the Faculty of Law at the Queensland University of Technology contributes on Australia’s national facial recognition system - the National Facial Biometrics Matching Capability, or simply ‘The Capability’ - which will use existing identification documents, such as licences and passports, to extract and share biometric information between state, territory and national government databases. Alongside this facial recognition capability, Tony Caputo provides insight into Hitachi’s Video Analytics, which applies machine learning and recreates three-dimensional space from a two-dimensional video image and then adds the 4th dimension (time) for improved performance. As Tony Caputo found, you can also calibrate the length of the 3D learning phase and each scene with multiple illumination states – day, night, afternoon – which also improves its performance and accuracy. As Tony proposes, “It really does add more intelligence to cameras and I've tried it on many different types from a generic low-end bullet camera to the popular Axis cameras (including the panoramic), to the top of the line Thermal camera. I was apprehensive at first, but I’m excited…that my dream of the analytics killer app for Smart City has finally become a reality.”

Let us hope these ‘killer Apps’ stay only in the vernacular, as a descriptor, and not as a causation of a mass casualty event – technology and terrorism will be a powerful and dangerous combination – and as Syria shows, human suffering and mass murder is not of our past but the reality of the present – and it will be with us in the new digital world. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Chris Cubbage, Executive Editor



Cover Feature

We must do more in the digital war against Islamic State

By Anoosh Mushtaq, Chair and founder of The Raqīb Taskforce.

Cyberspace is now officially a war zone, and Islamic State (IS) has the capability to dominate the virtual front line. Abu Bakr al-Baghdadi, the leader of IS, has it all figured out. His slick social media campaign has put the terrorist group out in front in this critical future battleground. Now, IS can have a devastating impact worldwide, regardless of the physical territory they capture or hold. Rather than relying on territorial gains on the ground, IS can covertly and successfully operate in cyberspace – recruiting members and inspiring lone-wolf attacks as they go.

Compared to other terrorist organisations, IS boasts a uniquely sustained success with its digital strategies. Al-Baghdadi recognises that social media is a valuable and powerful way to disseminate messages quickly. The use of social media by terrorist organisations is not a new phenomenon: AQAP and al-Shabaab have maintained Twitter accounts since 2010. However, under al-Baghdadi’s leadership, IS has become distinctly effective at the ‘social media blitz’ – using techniques to spread messages rapidly to an audience that is beyond their immediate reach.

Since many IS Twitter accounts have reportedly been shut down, IS has been forced to look elsewhere to maintain a powerful online presence for propaganda and recruitment. This is why encrypted applications have become hugely important to the group. It was reported in January 2016 that IS built their own Android messaging application called Alrawi to ensure that communications within the group stay secure. However, reporting from multiple sources as recently as December 2016 suggests that Alrawi isn’t actually used. Instead, WhatsApp and Telegram are the mobile messaging applications currently favoured by jihadists because of their security features. Telegram offers the ability to destroy messages with a timer feature, and protects messages from hacker attacks. WhatsApp provides end-to-end encryption and the assurance that calls are secure. In general, embracing mobile messaging applications with encryption capability is an intelligent shift in IS operations that regularly makes it difficult for counter terrorism agencies to detect the group’s movements. This presents IS with a covert way to orchestrate terror attacks. French jihadist Rachid Kassim, who is behind several terror plots in Europe, used his now-defunct Telegram channel Sabre de Lumière (Sword of Light) to call for the assassination of journalists, political figures and religious scholars, as well as lone-wolf attacks in European countries. His call didn’t go unanswered: he’s been linked via Telegram to jihadists who have either plotted or carried out these kinds of atrocities in Europe.

According to Prime Minister Malcolm Turnbull, our cyber operations against IS ‘are making a difference to the military battle’, but it’s unclear as to whether we have sufficient plans to counter IS’s digital strategies – including their use of social media and encrypted mobile messaging applications. Online operations do have security flaws, but we can’t rely on always being able to exploit these flaws in order to gain new intelligence. IS is already well aware that their communication mediums have security implications, and to counter this, they strategically use Qur’anic verses and Arabic coded language when they communicate. This makes it difficult for westerners and non-Muslims to know what they are really saying, which gives them the upper hand – especially in the planning of terror attacks.

For the sake of our national security, we need to be able to proactively decode IS messages. Who better to do that than educated Australian Muslims? It would be beneficial for us to recruit and train people in the areas of cybersecurity and social intelligence whose technical skillset is complemented by a rich, lifelong understanding of Islam. These people would operate in the ‘back end’, interpreting the coded messages spread in cyberspace by IS, using their own fluency in Arabic and the Islamic faith. In a sense, we could fight fire with fire and adopt a recruitment strategy similar to that of IS. The terrorist group is known to target educated, multilingual young people – even from Oxford and Cambridge colleges – who are not yet known to security organisations. These recruits, who often specialise in cybersecurity or engineering, allow IS to enhance their technical capabilities and expand their sphere of influence.

A more overt approach to countering IS’s digital strategies would complement our covert one. We need well-informed Australian Muslims to become more active across social media, debunking the myths spread by groups like IS. Jihadists cherry-pick verses from the Qur’an to inspire support and justify their cause, and often these verses are rooted in the descriptions of historical battles that aren’t relevant to current times. Cyberspace has no doubt complicated the war scene, and IS has turned it to their advantage. Empowering Australian Muslims by giving them an important role in the fight against radical Islamic terrorism would make us a more informed, more unified force in this new digital war.

Children of war: The rise of a nation of young Jihadists

By Anoosh Mushtaq
Anooshe Mushtaq is Chair and founder of The Raqīb Taskforce. She is a Canberra-based advisor on Counter Terrorism & Countering Violent Extremism.

Thousands of Syrian children affected by trauma, unwanted by the international community, and courted by Islamic extremists may be cornered into jihadism. According to the NGO Save the Children at least a quarter of a million Syrian children are living ‘under brutal siege’. Their homes ‘have effectively been turned into open-air prisons’ where they endure ‘enormous suffering and injustice’. What’s in store for these children who’ll grow to shape the Syria of the future? Right now, evidence suggests that they’re on a path to long-term psychological issues – and radicalisation.

To date, the civil war has claimed at least 200,000 lives and displaced approximately 8 million inside Syria. Close to 650,000 people are living in areas under regime besiegement, completely cut off from humanitarian access. 12 million Syrians inside the country are in need of humanitarian assistance (Abboud, S, 2016). The numbers are staggering. The conflict has created 4 million refugees and yet, as the violence and desperation worsen, many among the international community tighten their borders and reject the desperate appeals for refugee status, out of fear of exposing their states to Islamic extremism. Jordan accepted Syrian refugees, but after a suicide car attack that killed Jordanian soldiers in June 2016, the country restricted all access to refugees – even to the UN and other aid agencies that would deliver food, water and medical care.

Save the Children’s recent report details how Syrian children are faring in the conflict. They’re becoming more aggressive, withdrawn, depressed, and isolated and are losing hope for their future. Malnourished, they’ve resorted to eating animal feed and leaves, which has led to an increase in juvenile petty crimes. Military groups have recruited children with the promise of receiving one meal a day. Traditional social structures have disappeared with the physical breakdown of family units. There’s an increase in child marriage in an effort to reduce the burden on families of feeding and housing all their children. Devastating reports describe parents being killed in search of food and medicine, leaving orphans as young as two years old, crying and distraught, wandering the dangerous streets lined with snipers. According to UNICEF, the children of Syria will represent a ‘lost generation’, since they’ve had little to no education for at least five years. Schools have become the targets of shelling and many education workers have fled or been killed. This has effectively collapsed the education system in most parts of Syria and forced approximately 40% of children out of school.

We may hope that it can’t get any worse, but in reality, it will. Children are the most vulnerable to the aftershock of war. They’re more likely to show long-term effects than adults when exposed to unrelenting, sustained violence. They can be susceptible to relapse if exposed to subsequent stress later in life. In studies of states that have been exposed to war, it’s clear that, later in life, survivors are likely to have PTSD and a propensity to violence. Their mental health issues include: psychosomatic symptoms; disturbed play; behavioural and emotional issues; sleep problems and nightmares; and anxiety. In many cases, children have been used as suicide bombers or brainwashed into becoming child soldiers – all forms of abuse that shape their futures.

Since the end of the civil war in 1992, El Salvador has faced a growing problem of youth street gangs. It’s argued that the country’s current high level of violence and crime is mainly caused by civil war-related poverty, social exclusion, access to illicit guns, organised crime, weak institutions, and corruption. A 2002 study of internally displaced children from the war in Bosnia showed that 94% had features of PTSD. Further to this, over 90% of the children interviewed expressed the fear of dying in the conflict, and over 80% felt that they could not cope with daily demands and that life was not worth living. There’s evidence that the Taliban and Northern Alliance soldiers are products of traumatic and violent childhoods – children of war. Their narrow and radical views of the world have been formed by a mix of ignorance, isolation and extreme exposure to violence.

Today, Syrian children suffer this same mix, which makes them susceptible to the recruitment efforts of Islamic extremists. A sense of belonging to the international community could prevent radicalisation, but surely Syrian children won’t forget the international community’s response to their plight: rejection. It’s likely that they’ll seek revenge rather than acceptance in the future. We can still help these children to heal and to build resilience against the manipulation of Islamic extremists. At the very least, we must provide clear opportunities and compassion to those fleeing the Syrian conflict. If we don’t work to end inhumane religious and political wars, we’ll experience the uncontrollable rise of terrorism. When we ask what’s in store for the children of Syria, we’re asking what’s in store for all of us in the years to come.

Australian Security Magazine | 7


Cover Feature

By Ron Bartsch

I

f 900g of weapons-grade anthrax were dropped from a drone at a height of 100m just upwind of a large city of 1.5 million people, all inhabitants would become infected. Even with the most aggressive medical measures that can realistically be taken during an epidemic, a study estimates that approximately 123,000 people would die—40 times more fatalities than from the 2001 World Trade Centre attack. Chilling Scenarios The chilling scenario above was one that was put forward more than a decade ago by Eugene Miasnikov in his report “Threat of Terrorism Using Unmanned Aerial Vehicles” (2005). If drones in the hands of terrorists back in 2005 caused a plausible threat, imagine the threat that exists today. As science and technological innovation continues to rampage we often lose sight of how much the world has changed—and in this instance, the extent to which terrorists

8 | Australian Security Magazine

will go to in order to achieve their objectives. With this is mind, consider the following modern-day scenario. A terrorist organisation parks a small removals van in a crowded street of a major city under the flight path of a nearby international airport. The van’s canopy has an open top but the sides are high and its payload of half a dozen high-performance quadcopter drones are obscured from the view of passers-by. To each drone is attached an explosive device—not dissimilar to those worn by suicide terrorists. The day and time chosen have been well planned to coincide with the runway being used for take-off. The targeted aircraft—an Airbus A380—is departing with a full payload of passengers and fuel, possibly in excess of 500 passengers and over 250 tonnes of fuel. The aircraft lifts off and the drones are launched remotely and rapidly ascend. With the aid of the high-resolution cameras on-board, the controllers are able to direct the drones into the path of the A380’s four enormous engines. The situation described above is not inconceivable.


Cover Feature

If 900g of weapons-grade anthrax were dropped from a drone at a height of 100m just upwind of a large city of 1.5 million people, all inhabitants would become infected.

Hoping that such a deplorable act upon humanity would never eventuate is no deterrent to the minds of terrorists seeking to inflict maximum carnage and media attention. What is the scope of the drone terrorist threat? Outside areas of civil unrest and war zones, there are increasing instances of home-grown drone terrorism. In 2012 the USA came under threat when a graduate student from Massachusetts plotted to strap plastic explosives to small drones and fly them into the Pentagon, the White House and the US Capitol building. In Japan it has been reported that a drone carrying a bottle of radioactive sand from Fukushima landed at the office of the Japanese Prime Minister in April 2015. In the UK the Metropolitan Police has recorded over 30 suspicious drone flying incidents around London between 2015 and 2016. Unidentified drones have also been flown over various landmarks in France, including the US Embassy

and the Eiffel Tower. In 2016 at the Euro Cup qualifying match between Albania and Serbia the game was abandoned after a drone carrying a pro-Albanian banner was seen flying over the pitch. The incident caused brawls to break out between players, team officials and fans. An alarming report, “The Hostile Use of Drones� (Abbott et al., 2016) was released in the UK in 2016 and warns that terrorists wanting to cause chaos, such as attacking nuclear power stations, have the potential to convert drones that are currently commercially available into flying armed missiles. The report suggests that the technology of remote control warfare is impossible to control. A UK government counterterrorism adviser, Detective Chief Inspector Colin Smith, has warned that terrorists could use commercially available drones to attack passenger planes. The security expert warned that small quadcopter drones could easily be used by terrorists for attacks and propaganda purposes. Terrorists could fly drones into an engine or load them >>

Australian Security Magazine | 9


Cover Feature

...over 500,000 drones were registered in the first few months of October 2015. It has also been suggested that drone controllers should be subjected, at a minimum, to the same background check standards as persons granted unescorted access to security restricted areas of airports

with explosives to try to bring down a commercial airliner. Smith poses the question: “Are drone mitigation strategies going to be like the concrete bollards in front of airport terminals—something we can expect once the horse has bolted?” Recently in the US, the Department of Homeland Security issued a terror alert warning that drones could be used by terrorists to attack commercial aircraft after three drones were spotted in a single weekend in late 2015 flying above JFK International Airport. The sighting of the first drone was reported by the crew of a JetBlue flight arriving from Haiti. Just 2.5 hours later a Delta pilot, arriving at JFK from Orlando, reported a drone at approximately 1,400 ft. and only 100 ft. below the aircraft. The third report was from a Shuttle America flight arriving from Richmond, Virginia. And all this in the space of just two days. Combating the threat Aviation is generally regarded as the most strictly and extensively regulated industry. It is therefore logical to conclude that the solution for controlling this new form of aircraft will be found in passing relevant laws and regulations. However, attempting to legislate against random acts of stupidity is difficult, particularly in the fast-moving world of technology. Also, “don’t be an idiot” lacks legal clarity. Jonathan Rupprecht, a Florida-based lawyer specializing in unmanned aircraft, divides stupid drone owners into two groups, the “how high can it fly” group and the “I will fly it wherever I want” group. Obviously the latter grouping may also include acts of terrorism. It is the freedom and agility by which aeronautical activities can readily transcend previously restrictive

10 | Australian Security Magazine

geographic and political boundaries that truly differentiates flying from all other modes of transport. To harness this freedom for the betterment of all, aviation regulation provides the requisite authority, responsibility and sanctions. The regulation of aerial activities is as fundamental and rudimentary to the aviation industry as civil order is to modern society. In no other field of human endeavour or branch of law does there exist such a vital yet symbiotic relationship. International harmonization of aviation standards have been achieved through treaties. The Chicago Convention of 1944 is by far the most prolifically ratified international treaty. More than 190sovereign states have ratified this convention and in so doing have agreed, under international air law, to be bound by the technical and operational standards developed by ICAO. Compulsory registration of drones As drones become more common, many governments are considering a number of options to restrict their use. Registration of drones, as with cars, airplanes or even guns, is now being introduced all over the world with the FAA leading the way, and over 500,000 drones were registered in the first few months of October 2015. It has also been suggested that drone controllers should be subjected, at a minimum, to the same background check standards as persons granted unescorted access to security restricted areas of airports as is required under ICAO Annex 17. The UK and Australia are also building similar registration systems to follow suit. It’s far from clear how registration would mitigate an act of terrorism, as it is more of a system for tracking law-abiding citizen’s drones. David Dunn (2016), Professor of International Politics at Birmingham University, believes that any licensing system is unlikely to deter terrorists: Law abiding citizens are likely to register, but it would be very difficult to stop terrorists and other criminals from purchasing drones abroad and then using them here. 
Up until now it was expensive and required skill to be able to fly an aircraft—which acted as a form a regulation in itself. Now, you can fly these things relatively easily over people’s heads.


Cover Feature

In the UK the House of Lords has called upon the EU to introduce a compulsory registration system for the devices, but the plans have stalled. Drone owners currently don’t have to register their devices in the UK, but operators need permission from the British CAA to fly them for commercial purposes or over long distances. Currently in the UK, anyone can own and operate a drone for non-commercial purposes that weighs less than 20kg (3st 2lb). Mitigating the drone terrorist threat? As we have seen above, it is obvious that legislative restrictions alone on the use of drones would in most instances prove to be futile when it comes to acts of dronerelated terrorism. There has been very little indication that governments are prepared to prohibit the importation or manufacture of drones or even of limiting the payload capacity of commercial drones that are sold. Further complicating this issue is the fact that, in many instances, drones are purchased online. Creating a greater awareness in the broader community of the extent to which drones may be used by terrorists (and other criminals) including publicizing the dangers—without hysterics—may be a good start. Also, manufacturers and distributors of drones and training establishments throughout the world should be more vigilant of the possible use of drones for terrorist activities. By way of parallel, many governments have passed legislation requiring retailers of chlorine (for swimming pools) and household fertilizers to report certain sales or suspicious transactions. International arrangements regulating the export of drone technology could be refined and strengthened with terrorist activities in mind, with special attention on drones equipped with technologies that can evade radar or have high-performance capabilities. While the rapid advancement of drone technological development has created the problem it may also provide the solution. 
By far the most effective method of protecting targets from drone attacks may be with the installation (or possibly mandating) of geo-fencing or g-gate technology software. Pre-programming geo-fencing areas would mean that drones would be automatically shut down if they tried to enter certain sites. NASA is also currently working on a tracking system, but a working prototype is not expected until 2019. Drone manufacturers could be required to install the GPS coordinates of government-mandated no-fly zones and have drones automatically shut down if they approach such a space. DJI, the world’s largest commercial drone-maker, is one of the leaders in geo-fencing technology. With drone sales in excess of US$1 billion in 2015, it recently released its geo-fencing software to restrict drones from flying near aerodromes and other restricted areas on a worldwide basis. The drones will no longer be able to fly near wildfires, prisons, power plants, professional sporting events or areas the US president is visiting. It is proposed that all DJI drones will have the software installed by default. In practice, this means that drones will not be able to enter into, take off or land in restricted areas. The software will automatically update with new information on restrictions, meaning drones will be able to respond to changing environments such as areas of natural disasters or one-off sporting events.

Other technological defences against the hostile use of drones are the installation of security alert systems that trigger when drones appear in no-fly zones. One American company—DroneShield—has been awarded contracts to protect certain locations from possible terrorist attacks, including the Boston Marathon. It is likely that this technology will be increasingly utilized in security-sensitive sites and restricted areas. In the UK the Remote Control Project, run by the Oxford Research Group, has called on the British government to fund the development of military-style lasers to shoot drones down and the creation of jamming and early-warning systems to be used by police. But such devices would require amendment of UK laws over the use of such jammers. Laser technology to destroy drones has in many instances failed to live up to expectations, either struggling to stay fully powered for long periods or being disrupted by dust and fog. However, in the US, Boeing has unveiled its new laser-powered anti-drone technology. The Compact Laser Weapons System is a portable, tripod-mounted device armed with a high-powered laser that can destroy a quadcopter drone in a matter of seconds. The system is relatively inexpensive to operate and features an unlimited magazine, which means that many drones can be destroyed. However, this system will not be available for a few more years.

About the Author - Ron Bartsch

Ron is CEO of Innovating Australia and currently a presiding member with the Commonwealth Administrative Appeals Tribunal (AAT), having held this position on a part-time basis since his appointment in 2013. Ron is also a Senior Visiting Fellow at the Australian National University and the University of New South Wales and lectures in Business Law and Technology and International Air Law. Ron was admitted as a barrister in 1993 and then took up a senior management position with the Australian Civil Aviation Safety Authority, and later was appointed as Head of Safety and Regulatory Compliance for Qantas Airways Limited, a position he held until 2009.
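The geo-fencing behaviour described above (an automatic stop inside a no-fly zone, and a reaction when a drone approaches one) comes down to a position check against a list of zones. The following Python is an added example written for this article, not DJI's, NASA's or any manufacturer's code; the aerodrome and stadium coordinates are constructed values, not any published no-fly list.

```python
"""Added illustration of a GPS geofence check for drone no-fly zones.

This is not DJI's, NASA's or any manufacturer's code. It models two zone shapes:
a circle (centre plus radius, e.g. around an aerodrome) and a polygon (e.g. a
stadium footprint). All coordinates below are constructed sample values.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple, Union

EARTH_RADIUS_M = 6_371_000.0          # mean Earth radius, metres
LatLon = Tuple[float, float]          # (latitude, longitude), decimal degrees


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


@dataclass
class CircleZone:
    name: str
    centre: LatLon
    radius_m: float

    def boundary_distance_m(self, p: LatLon) -> float:
        """Negative inside the zone, positive outside."""
        return haversine_m(self.centre, p) - self.radius_m


@dataclass
class PolygonZone:
    name: str
    vertices: List[LatLon]   # ring; the last vertex need not repeat the first

    def contains(self, p: LatLon) -> bool:
        """Ray-casting point-in-polygon; lat/lon treated as planar, fine for small areas."""
        lat, lon = p
        inside = False
        n = len(self.vertices)
        for i in range(n):
            lat_i, lon_i = self.vertices[i]
            lat_j, lon_j = self.vertices[(i + 1) % n]
            if (lon_i > lon) != (lon_j > lon):            # edge straddles the ray from p
                lat_x = lat_i + (lon - lon_i) * (lat_j - lat_i) / (lon_j - lon_i)
                if lat < lat_x:
                    inside = not inside
        return inside


Zone = Union[CircleZone, PolygonZone]


def geofence_status(position: LatLon, zones: List[Zone],
                    approach_buffer_m: float = 500.0) -> Tuple[str, str]:
    """Decide what the flight controller should do at `position`.

    Returns ("blocked", zone) when inside a zone (no take-off, landing or entry),
    ("warning", zone) when within approach_buffer_m of a circular zone's edge,
    and ("ok", "") otherwise.
    """
    worst = ("ok", "")
    for zone in zones:
        if isinstance(zone, CircleZone):
            d = zone.boundary_distance_m(position)
            if d <= 0:
                return ("blocked", zone.name)
            if d <= approach_buffer_m and worst[0] == "ok":
                worst = ("warning", zone.name)
        elif zone.contains(position):
            return ("blocked", zone.name)
    return worst


# Constructed no-fly zones (hypothetical coordinates, not a real published list).
NO_FLY_ZONES: List[Zone] = [
    CircleZone("aerodrome", centre=(-31.9000, 115.9000), radius_m=5_000.0),
    PolygonZone("stadium", vertices=[(-31.948, 115.848), (-31.948, 115.852),
                                     (-31.952, 115.852), (-31.952, 115.848)]),
]

if __name__ == "__main__":
    for pos in [(-31.9000, 115.9000), (-31.9000, 115.9560),
                (-31.9500, 115.8500), (-31.7000, 115.5000)]:
        print(pos, geofence_status(pos, NO_FLY_ZONES))
```

The circular zone carries an approach buffer so a controller can warn before the hard stop; polygon zones only report inside or outside here. A shipping implementation would also need a signed, regularly updated zone database and an altitude check, both of which this sketch omits.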

Australian Security Magazine | 11



Is the criminal law on terrorism financing too tough?

By Stephen Dametto, Detective Superintendent, AFP, founder of Australia’s Counter Terrorism Financing Investigations Unit and UNSW Researcher in law.


The global community must maintain a tough legislative stance to contain the influence of terrorists who use their contributions to humanitarian activities to win over the hearts and minds of local communities. The Independent Reviewer of Terrorism Legislation in the UK, David Anderson QC, in his fourth report on terrorism financing legislation, highlighted the negative impact that counter-terrorism financing legislation is having on overseas aid. He drew attention to the constraints placed by the counter-terrorism laws of various western countries on the activities of NGOs and contributors who seek to provide aid to territories which are under the de facto control of proscribed terrorist groups or in which such groups are active on the ground. He highlighted a real risk of a ‘chilling effect’ on UK NGOs’ activities overseas at a time when their efforts are possibly more critical than ever before. Anderson is not the only one with these views; in fact a great number of States and humanitarian organisations have expressed similar concerns. Such laws are perceived as overly harsh and have the effect that people – concerned about doing the wrong thing – stop giving money to legitimate charities. Also, as the penalties attached to such laws are seen as excessive, they can lead to grievance and alienation in the community, hindering cooperation with Police and intelligence agencies and potentially assisting recruitment to the terrorist cause. The argument follows that tough laws effectively criminalise legitimate humanitarian action by neutral and independent actors (like, for example, the International Committee of the Red Cross), potentially impeding their work and aggravating human suffering in war.

Further, not all the activities of organisations regarded as terrorist organisations are related to the commission of terrorist activities. An example is when the Tamil Tigers controlled the northern part of Sri Lanka and, in reality, the only means of making humanitarian donations to people within this region was to funnel the money through them. The Tamil Tigers not only engaged in terrorist acts against the Sri Lankan government, but also operated a de facto government, including the provision of civilian services, within this region. The question is then - how do we balance and manage the seemingly competing interests of the need for humanitarian aid and stopping funds going to terrorist organisations? One solution often proposed is to have an exemption in the law for providing or collecting funds for a terrorist organisation where the purpose is to spend the funds on humanitarian activities. Similar laws exist in New Zealand, and Australian law already has a statutory exemption for the offence of ‘association’ with proscribed organisations where “the association is only for the purpose of providing aid of a humanitarian nature”. The rationale is that an offence that punishes an organisation or a person providing funding to a ‘terrorist organisation’ - regardless of how the funds are used - represents a disproportionate response to the threat of terrorism. Instead, the focus should be upon fund transfers that are related to preparing for, assisting with, or the commission of a terrorist act (and not simply to any financial involvement with a terrorist organisation). Should a similar exemption exist in providing funds?

Firstly, the sheer scale and catastrophic harm to life and property, together with the intent to terrorise the population, to challenge the sovereignty of the state and, in some cases, to secure specific political ends, place terrorist atrocities beyond the scope of even the most serious offences. Therefore there is a greater imperative for prevention, as the risk of prosecuting and punishing the completed offence comes too late. Secondly, it is very difficult to draw a distinction between funds provided for bombs and funds hopefully provided for hospitals or orphanages. The often opaque organisational structure of terrorist organisations substantially inhibits certainty in ascertaining the real and ultimate destination of funds. There is a real risk that exempting funding for humanitarian work of terrorist groups could cloak more sinister use of those funds. As the Independent National Security Legislation Monitor in Australia, Bret Walker SC, stated in his 2013 report on terrorism financing laws, it should properly be an offence to fund hospitals and orphanages run by terrorist organisations, despite how counter-intuitive this appears to be. Humanitarian activities conducted by terrorist organisations are also a pivotal component of their “hearts and minds” campaign which, any political campaigner will tell you, is key to recruiting new members and gaining support in communities. The sheer complexity and fluidity of contemporary global financial processes, coupled with the small amounts of money which can facilitate terrorist acts, means that the stated purpose of the funding cannot and should not be an overriding factor in the illegality of the transfer of funds. Instead, the answer lies in the proscription process – that is, where an organisation is described as a terrorist organisation under Australian law. Once an organisation is proscribed, any funds to that organisation, regardless of the reason or how they are spent, are illegal and punished by criminal sanction. This is where the consideration must be given and the emphasis placed. If it emerges at trial that the funds were in fact used for humanitarian purposes, then this should influence the penalty received – but not the guilt of the party itself. Law makers and legislators must be guided by the big picture issue – terrorism is more dangerous and detrimental than any other offence, prevention is the key, and therefore it must be treated and acted on differently.



National

Artificial Intelligence in the financial services

By Jane Lo, Singapore Correspondent

When the United Kingdom cast its decisive vote on 23rd June 2016 to leave the European Union, a membership it had held for more than 40 years, the British pound slumped to a 31-year low as the final polling results sent shockwaves during the Asian trading hours. The losses extended to the European and US trading sessions as panicking investors fled to safe haven assets, and stunned traders caught short by the unexpected outcome rushed to cover their positions. On that day, the pound plummeted more than 10% to $1.33, from $1.50. While the financial markets absorbed the news and braced for further turmoil over the following days and weeks, no one was quite prepared for the “flash crash” that happened 3 months later, on 7th October, when the currency plunged within a few minutes from $1.26 to $1.15 – marking a fresh 31-year low. The blame swiftly shifted to “algorithm trading programs” for triggering market orders that contributed to the massive pressure on the pound as political uncertainties mounted.

Algorithm-driven robot traders

Algorithm-driven robot traders, a form of “Artificial Intelligence (AI)”, mimic real-life trading using logic, if-then rules and decision trees to behave in ways that resemble an expert trader. Initially developed to improve trading efficiency by minimizing the manual tracking of financial markets and laborious execution of orders (and arguably, also to eliminate trader emotional volatility), these robo-trading algorithms have evolved. From simple sell-buy triggers to devising trading strategies built on high-speed cross-asset correlations and other complex mathematical calculations, they have acquired the potential to create systemically contagious impacts, as trades from one algorithm could trigger signals of others (as we see in this Brexit example). The coding of financial market data tracking and profitable trade structuring is not new; what’s changed is that these algorithms fully harness the vast computation power available today to rapidly identify micro arbitrage opportunities across assets, markets and time zones, and construct profitable trading strategies within a fraction of a second.

Processing power, and lots of data

“Artificial intelligence” encompasses a vast range of technologies, ranging from problem-solving programs that copy human logical thinking processes (as in the case of algorithm-driven robot traders), to “machine learning” that improves these programs over time (“with experience”) using mathematical optimization techniques, to “deep learning” (or deep neural networks, as formally referred to in academic research), which is composed of multi-layered neural networks that self-train with vast amounts of data. In the fields of speech and image recognition, for example, Amazon’s Alexa, Apple’s Siri, Microsoft’s Cortana, and the many voice-responsive features of Google are enabled by the vast computation power as well as volumes of image, video, audio and text file data available on the Internet.

There is no question that it is in the machine-vs-human game of chess where this impressive processing power has taken our appreciation of the potential of AI to the next level. Deep Blue (IBM’s supercomputer) beat Garry Kasparov, the then world chess champion, in a six-game match in 1997, by using sheer processing power and massive data storage capability. Moving beyond merely programming how human experts think with if-then rules and decision trees, Google’s AlphaGo (an application of two layers of deep learning nets – DeepMind combined with reinforcement learning) played against Mr Lee Se-dol last year in the ancient Chinese game of Go. AlphaGo beat Mr Lee, perhaps the best player of the game, in four of the five games. These advances in AI are made possible by the increased computational power referred to as Moore’s Law and graphics processing units (GPUs) – initially built by Nvidia for 3D visual experiences in gaming – which enable 20 to 50 times the efficiency of traditional central processing units (CPUs). Google’s tensor processing units (TPUs), and Intel’s acquisition of Nervana Systems and Movidius, two startups that tailor-make technology for deep-learning computations, point to how seriously technology giants are viewing the potential in this market.
Sheer processing power combined with the availability of reams of data is accelerating AI applications across industries. Besides robo-trading, we are seeing innovations in the areas of robo-advising, fraud detection and market behavioral analytics in the financial services.

Artificial Intelligence in the Financial Services

Robo-Advisors offer digital investment advisory services based on algorithms. By collecting the details of investors’ investment objectives, preferences, style and risk profile, the robo-advisers learn what investors are interested in and deliver customised advice by aggregating relevant research reports and market updates to suggest financial asset allocations. In addition to these data analytics approaches, robo-advising technologies such as Chatbots (robots that converse with humans) or Sentiment Analysis (the “irrational and qualitative” aspect of investment analytics, based on non-balance-sheet components such as views sourced from Tweets or other social media), which improve the customer experience with natural language processing and unstructured data analytics algorithms, have also been widely deployed. This robo-human interaction technology is in the initial phases of innovation. Robo-advisors are yet to understand subtleties in a conversation: “I am worried about my parents’ health”, which may prompt a human advisor to review the risk profile and investment horizon of the customer, may not necessarily trigger the same response in a robo-advisor. A robo-advisor may also be limited in its information gathering ability: it may not ask about money held outside of its service, which could give a distorted picture of a customer’s financial health. These examples show that whilst there is still some way to go before a robo-advisor can fully function as a fiduciary in the traditional sense, the volume and speed of the data being processed across several sources to deliver timely advice mean that innovations in these technologies will continue. Certainly, for those contemplating using robo-advisers, less biased advice combined with a wider selection of potential investments at a fraction of the cost of traditional service is an attractive proposition.

Fraud Detection - AI machine learning techniques are also used to help in fighting cyber attacks, through automatic scanning for, detection of and response to network vulnerabilities. Similarly, by applying AI to volumes of data to spot suspicious financial transactions amongst millions of normal ones, AI could ease the burden on investigators in combatting money laundering, financial fraud and sanctions violations. With increasing regulatory scrutiny in these areas, financial institutions have adopted over-cautious attitudes, setting thresholds of traditional rules-based anti-fraud systems at levels that raise an alert on practically everything, resulting in an unsustainable increase in false positives. Not only do legitimate customers face unnecessary probes, investigators also consume excessive time clearing these false positives. Adding to this workload is the manual building of the customer profile when swamped with structured and unstructured data about the subject and their social and commercial networks from in-house and other public and commercial sources. By replicating the way an investigator manages a case, AI automatically flags unusual/suspicious activity by mining data from a customer’s and peer group transaction history and thousands of “signature fraud patterns”. At the same time AI also learns new patterns or goes into a corrective loop to ignore the ‘false positives’. For investigators facing the tedious job of manual data collation and rules updates in the legacy threshold systems, AI not only reduces the burden but also completes these tasks much more quickly.

Market Behavioral Analytics - In the fast-paced, high-pressure world of trading, where it is not uncommon for millions of transactions to change hands across the global markets of FX, futures or commodities, most would rank Nick Leeson and the collapse of Barings Bank, the United Kingdom's oldest merchant bank, in 1995 as one of the most publicized cases of unauthorized trading. Trading in the futures markets on the Singapore International Monetary Exchange (SIMEX), Leeson was regularly using Barings' error account (accounts used to correct mistakes made in trading) numbered 88888 to hide his trading losses, a practice that remained undetected for at least 2 years. The unravelling was triggered by his attempts to offset losses when the 17 January 1995 Kobe earthquake struck, sending the Asian markets and his trading positions into a tailspin. His new trades exacerbated the original losses, the total of which eventually reached £827 million (US$1.4 billion), resulting in Barings declaring insolvency on 26 February 1995. Recent cases of unauthorized trading include Jérôme Kerviel, a French trader convicted in the 2008 Société Générale €4.9 billion trading loss scandal. As a trader at the bank's Delta One desk, he created offsetting faked hedge trades to cover his losses. Three years later in 2011, in what was another incident of unauthorised trading loss, Kweku Adoboli, as a Global Synthetic Equities desk trader at UBS, also practiced entering false information into the bank's computers to hide the risky trades he was making, which eventually cost the bank $2 billion.

At the heart of rogue trading (or other types of fraud) are human incentives: those who want to profit for personal gain or who enjoy the thrill of excessive and unsanctioned risk taking, and those who are afraid to own up to losses. These incentives are reasons why flagging rogue trading is a challenge in-house using traditional methods. Bank employees do not reveal problems early because they are not incentivized to: they might get fired or lose their bonuses. Employers are not incentivized to be completely open with regulators because of adverse effects on their business.
Algorithms and data-driven analysis by external teams of former traders, compliance staff, intelligence officials and psychologists to a certain extent solve this incentive problem: systems alert to suspicious activity in an employee-agnostic way, supported by an external investigative team that is independent, with minimal conflicts of interest.

A Re-evaluation of Artificial Intelligence’s potential?

Early this year, in a widely hailed new milestone for AI, Libratus, built by Carnegie Mellon University Professor of Computer Science Tuomas Sandholm and his PhD student Noam Brown, won $1.5 million in chips after beating four of the world’s best poker players in an extraordinary 20-day tournament. Training a machine with incomplete, hidden and misleading information to win is significantly more challenging than constructing layers of neural nets to beat humans at chess. Unlike chess, where players see the entire board, poker players do not see each other’s hands. From performing probability calculations to manipulating table image, poker is a game where the outcome is tied to players’ actions based on psychology and game theory. The ability to interpret an imperfect set of information and “bluff” is key to a winning hand – and building this ability into artificial intelligence had proven to be elusive. Libratus does this by self-learning: armed with massive computing power, it plays trillions of hands to refine its approach to arrive at a winning strategy. Critically, Libratus does this overnight and repeatedly over the 20 days without needing to “take a break”, whereas the poker pros face a very real physical challenge: they need to eat and sleep.

The success of Libratus is special. It challenges our preconceptions about the limitations of AI, and takes us to previously unexplored possibilities: there is potential for applications from negotiating trade deals to devising cyber security defense strategies to setting national budgets – areas that we think of as strategic work with imperfect information. But AI successes such as this have also raised concerns. Aside from data protection issues in Fraud Detection (will my personal investment data be anonymized for peer group profiling?), or threats of surveillance in Market Behavioral Analytics (will the storing of my phone and electronic conversations be done in such a way that it meets legal requirements?), it is hard to escape our nagging suspicions that AI will soon replace us. The news that the world’s largest hedge fund, Bridgewater Associates, which manages $160 billion, is extending AI beyond financial trading to build “a piece of software to automate the day-to-day management of the firm, including hiring, firing and other strategic decision-making” adds to the fears and insecurities felt by many of us. Arguably, the examples provided here – Algo trading, Robo-Advisors, Fraud Detection, Market Behavioral Analytics – do not eliminate the human touch; AI merely collates data and draws out key information to allow for more efficient human decision making.

An Accenture survey of 1,770 managers across 14 countries concludes similarly: “AI will ultimately prove to be cheaper, more efficient” and so will “free us from the drudgery of administrative tasks”, to allow us “to focus on things only humans can do.” However, some, including the Futurist Ray Kurzweil, disagree and believe that what we think of as strategic work or even creative work can be substantially overtaken by AI. Perhaps the real question is not if, but when: are we decades in planning for the arrival of full AI systems without human guidance? Is it a quantum leap from today’s AI systems to performing strategic decision making? What research breakthroughs are required to make these feasible? The evolutionary path is unlikely to be a linear one, and the complexities of human activities mean that some are easier to automate than others. But the rapid innovation of AI technologies means that we should not dismiss the likelihood out of hand. While the debate rages on, we can plan to adapt to AI’s transformational impact in our future lives. For the time being though, we still hold some cards in our hands: there is no question that AI still needs our direction to set its objectives, programming, algorithms, codes and ultimately, to turn it on.
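To make the Fraud Detection contrast earlier in this article concrete (a fixed threshold that alerts on practically everything, versus scoring each transaction against the customer's own and peer-group history, with a corrective loop so that flagged items do not pollute the profile), here is an added Python example. It is constructed for this article and is not any bank's or vendor's system; the transactions, customer names and "ok"/"fraud" labels are made up, and the labels are used only to score the two detectors afterwards, never by the detectors themselves.

```python
"""Added illustration: static threshold rule versus a customer/peer-group profile.

This is constructed example code, not any vendor's fraud engine. The transactions
and their "ok"/"fraud" labels are made up for evaluation; neither detector reads
the label, it is only used to score them afterwards.
"""
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Txn = Tuple[str, str, str, float, str]   # (txn_id, customer, segment, amount, constructed label)

# Constructed transaction stream, in arrival order.
TRANSACTIONS: List[Txn] = [
    ("t01", "alice", "retail",   42.0, "ok"),
    ("t02", "alice", "retail",   55.0, "ok"),
    ("t03", "alice", "retail",   61.0, "ok"),
    ("t04", "alice", "retail",   47.0, "ok"),
    ("t05", "alice", "retail",   52.0, "ok"),
    ("t06", "alice", "retail", 2900.0, "fraud"),   # spike, but below any "big amount" rule
    ("t07", "bobco", "business", 8200.0, "ok"),
    ("t08", "bobco", "business", 9100.0, "ok"),
    ("t09", "bobco", "business", 11800.0, "ok"),
    ("t10", "bobco", "business", 8900.0, "ok"),
    ("t11", "bobco", "business", 10400.0, "ok"),
    ("t12", "bobco", "business", 12100.0, "ok"),    # routine payroll-sized payments
    ("t13", "carol", "retail",   70.0, "ok"),
    ("t14", "carol", "retail",   85.0, "ok"),
    ("t15", "carol", "retail",   65.0, "ok"),
    ("t16", "carol", "retail",   80.0, "ok"),
    ("t17", "carol", "retail",   75.0, "ok"),
    ("t18", "carol", "retail", 6000.0, "fraud"),
    ("t19", "dave",  "retail",   80.0, "ok"),
    ("t20", "dave",  "retail", 4000.0, "fraud"),    # new customer: only peers to compare with
]

STATIC_THRESHOLD = 5000.0   # the "alert on practically everything" legacy rule
MIN_OWN_HISTORY = 3         # below this, borrow the peer group's history
Z_THRESHOLD = 3.0


def static_rule_flags(txns: List[Txn], threshold: float = STATIC_THRESHOLD) -> Set[str]:
    """Legacy rule: flag any amount above a fixed threshold, whoever the customer is."""
    return {txn_id for txn_id, _c, _s, amount, _l in txns if amount > threshold}


def _zscore(amount: float, baseline: List[float]) -> float:
    mu = mean(baseline)
    # Floor the spread so that one or two history points cannot produce absurd z-scores.
    sigma = max(pstdev(baseline), 0.25 * mu, 1.0)
    return (amount - mu) / sigma


def profile_flags(txns: List[Txn]) -> Set[str]:
    """Profile detector: score each transaction against the customer's own accepted
    history, or against same-segment peers while that history is still thin."""
    own_history: Dict[str, List[float]] = {}
    peer_history: Dict[str, Dict[str, List[float]]] = {}   # segment -> customer -> amounts
    flagged: Set[str] = set()
    for txn_id, customer, segment, amount, _label in txns:   # stream order matters
        own = own_history.setdefault(customer, [])
        if len(own) >= MIN_OWN_HISTORY:
            baseline = list(own)
        else:
            peers = [a for c, amts in peer_history.get(segment, {}).items()
                     if c != customer for a in amts]
            baseline = own + peers
        if baseline and _zscore(amount, baseline) > Z_THRESHOLD:
            flagged.add(txn_id)
            continue            # corrective loop: a flagged amount never becomes "normal"
        own.append(amount)
        peer_history.setdefault(segment, {}).setdefault(customer, []).append(amount)
    return flagged


def evaluate(txns: List[Txn], flags: Set[str]) -> Dict[str, int]:
    """Score a detector against the constructed labels."""
    fraud = {t[0] for t in txns if t[4] == "fraud"}
    return {"caught": len(flags & fraud),
            "false_positives": len(flags - fraud),
            "missed_fraud": len(fraud - flags)}


if __name__ == "__main__":
    for name, detector in (("static rule", static_rule_flags), ("profile", profile_flags)):
        flags = detector(TRANSACTIONS)
        print(name, sorted(flags), evaluate(TRANSACTIONS, flags))
```

The first transaction of a customer in an empty segment is accepted unscored (a cold start); a production system would fall back to a static rule there, and would use far richer features than the amount alone. The numbers make the article's point: the static rule produces six false positives on the routine business payments and misses two frauds that are small in absolute terms, while the profile detector catches all three without a false positive.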


INVITATION

Cyber Security

EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR

5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre

MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com

2015: 7,807 Visitors & Delegates
2017: 300 Exhibitors

MySecurity Media will manage all logistics, such as flight/hotel bookings, for the visiting delegation.

Some of the main topics:

• IoT, cybersecurity, big data analytics
• Biometrics
• Genetic & synthetic biology
• Safe cities
• Robotics
• Unmanned/artificial intelligence
• Face recognition
• Forensics

PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE: Email: interpol_world2017@mysecuritymedia.com

Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators. Visitor profiles: www.interpol-world.com/visiting

“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” - Ian Readhead, National Police Chiefs’ Council, UK

Express interest in joining us at this exclusive event: interpol_world2017@mysecuritymedia.com


18 | Australian Security Magazine


Cyber Security

Australian Security Magazine | 19


CCTV Feature

The Capability: Facial recognition, privacy and regulating new technology

By Dr Monique Mann

In late 2015 the Commonwealth government announced that a national facial recognition system - the National Facial Biometrics Matching Capability, or simply ‘The Capability’ - would be implemented. This system will use existing identification documents, such as licences and passports, to extract and share biometric information between state, territory and national government databases. As is often the case in relation to technological developments, regulation and the legal system have lagged behind. Given limitations in Australia’s privacy framework, such as an absence of a constitutional bill of rights or a privacy tort, there are limited privacy protections in relation to biometric information, and those that do exist are subject to carve outs and law enforcement exemptions.

Automated Facial Recognition Technology

AFRT systems digitise, store and compare facial templates that measure the relative position of facial features. These processes extend privacy considerations beyond the capture of photographs as they enable automated sorting, database storage, information sharing and integration. AFRT can be used to conduct one-to-one matching to verify identity, or one-to-many searching of databases to identify unknown persons. It identifies individuals and provides a gateway to the large and ever expanding databases held by government, law enforcement and security agencies. Further, photographs (and therefore facial templates) from data rich environments such as social media can be mined and integrated into big data used for law enforcement and security purposes. AFRT can be conducted from a distance and can be integrated with existing surveillance systems such as CCTV (known as ‘Smart CCTV’), enabling tracking through public places. There have been recent moves by Australian councils to trial a Smart CCTV system known as ‘iOmniscient’, including in a Toowoomba library.

The Capability

The Capability will initially involve the sharing of facial templates between agencies including the Department of Foreign Affairs and Trade, the Department of Immigration and Border Protection, and the Australian Federal Police, with access expanding to other agencies in time. For example, the Digital Transformation Agency is considering the possibility of The Capability forming the foundation of the new Trusted Digital Identity Framework, which will become the basis of identity verification for all interactions with Commonwealth Government systems and services. However, individuals who consented to providing a photograph to obtain a passport did not consent to their facial templates being extracted from that image to be used for law enforcement, security, intelligence or other purposes. This is an example of function creep, where information collected for one purpose is used for secondary purposes for which consent was neither sought nor obtained. The Capability is being established in a manner that does not require expanded police powers or the introduction of specific legislation. Interagency agreements will facilitate information sharing. This means it is being introduced through administrative processes outside of a legislative framework, and without the increased scrutiny that such a framework entails. Concerning aspects of The Capability relate to integration with CCTV and other surveillance systems (municipal, state and federal government), the number of images that will be captured, and how this data will be used.

Privacy Impacts and Protections

The main privacy concerns associated with AFRT relate to how information is obtained, retained, shared between agencies, and how it is used. AFRT presents additional privacy risks as it can be used to locate and track individuals through widely implemented surveillance systems, and can be used to connect information across databases. Under the Privacy Act 1988 (Cth), sensitive information includes biometric information and templates. Sensitive information must only be collected with the consent of the individual concerned, unless the entity is an enforcement body and there is a reasonable belief that the information is necessary to the entity’s functions. Entities cannot use or disclose information collected for a particular purpose for a secondary purpose without the consent of the individual, unless the information is reasonably necessary for one or more enforcement related activities. These exemptions are significant, as enforcement agencies or agencies with an enforcement function do not need consent, a warrant, or a court order to collect and retain photographs, to process this information to create facial templates, and to disclose or share this information with other agencies. Privacy rights in relation to the retention of biometric information have been upheld in the European Union under Article 8 of the European Convention on Human Rights. A series of high profile cases have reaffirmed that the retention of biometric information or photographs of individuals who had not been convicted of a criminal offence violates the right to private life. In Australia, there is no comparable precedent, no privacy tort and no constitutional protection of human rights. Therefore, in Australia, there are limited privacy protections relative to other comparable Western democracies.
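The one-to-one and one-to-many modes described above differ in how many comparisons a single decision rests on, which is why the testing of identification accuracy mentioned later in this article matters. The following Python is an added example, not the code of The Capability or of any AFRT product; the templates are constructed six-value vectors standing in for real feature measurements, and no real person's biometrics are involved.

```python
"""Added illustration of 1:1 verification versus 1:N identification on facial templates.

Not the code of The Capability or any real AFRT product. Templates here are toy
vectors of normalised landmark distances (constructed values); a real system uses
learned embeddings, but the matching logic and the scale effect are the same.
"""
from math import sqrt
from typing import Dict, List, Optional, Tuple

Template = List[float]

# Constructed gallery: name -> template. No real person's biometrics are involved.
GALLERY: Dict[str, Template] = {
    "alice": [0.42, 0.31, 0.55, 0.27, 0.63, 0.38],
    "bob":   [0.40, 0.35, 0.50, 0.30, 0.60, 0.41],
    "carol": [0.47, 0.28, 0.58, 0.25, 0.66, 0.35],
}
PROBE_ALICE: Template = [0.43, 0.30, 0.56, 0.27, 0.62, 0.39]    # constructed: alice, a second capture
PROBE_UNKNOWN: Template = [0.50, 0.40, 0.45, 0.35, 0.55, 0.45]  # constructed: not enrolled

MATCH_DISTANCE = 0.05   # decision threshold; lower is stricter


def template_distance(a: Template, b: Template) -> float:
    """Euclidean distance between two templates (smaller means more alike)."""
    if len(a) != len(b):
        raise ValueError("templates must have the same dimension")
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(probe: Template, enrolled: Template, threshold: float = MATCH_DISTANCE) -> bool:
    """1:1 matching: does the probe belong to the claimed identity? One comparison."""
    return template_distance(probe, enrolled) <= threshold


def identify(probe: Template, gallery: Dict[str, Template],
             threshold: float = MATCH_DISTANCE) -> Optional[Tuple[str, float]]:
    """1:N searching: who in the gallery is this? One comparison per enrolled record."""
    name, tmpl = min(gallery.items(), key=lambda item: template_distance(probe, item[1]))
    d = template_distance(probe, tmpl)
    return (name, round(d, 4)) if d <= threshold else None


def false_match_probability(fmr_per_comparison: float, gallery_size: int) -> float:
    """Chance that a 1:N search against gallery_size strangers returns at least one
    false match, assuming independent comparisons each with the given false match rate."""
    return 1.0 - (1.0 - fmr_per_comparison) ** gallery_size


if __name__ == "__main__":
    print("verify as alice:", verify(PROBE_ALICE, GALLERY["alice"]),
          "verify as bob:", verify(PROBE_ALICE, GALLERY["bob"]))
    print("identify alice probe:", identify(PROBE_ALICE, GALLERY))
    print("identify unknown probe:", identify(PROBE_UNKNOWN, GALLERY))
    for n in (1, 1_000, 1_000_000):
        print("gallery size", n, "-> P(at least one false match) =",
              round(false_match_probability(0.001, n), 4))
```

Verification answers "is this the claimed person" with a single comparison, so its false match rate is the per-comparison rate. Identification compares against every enrolled record, and false_match_probability shows that with a per-comparison false match rate of 0.001 a gallery of 10,000 strangers almost certainly yields at least one false candidate; that property is what makes untested accuracy at database scale a concern.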

application of surveillance and counter-terrorism powers. In Germany, the Hamburg Commissioner for Data Protection and Freedom of Information challenged Facebook’s automatic photo tagging, requesting Facebook deactivate the feature, suspend the creation of biometric templates and delete all stored biometric information collected without prior active consent. In response, Facebook deleted the facial templates that had been collected and suspended creating new templates for European Union citizens. The US Government Accountability Office conducted an inquiry into the Federal Bureau of Investigation’s (FBI) use of AFRT, finding that the FBI failed to update or release Privacy Impact Assessments, complete audits or conduct testing of identification accuracy, meaning that innocent people could become entangled in FBI investigations. In Australia, the Office of the Australian Information Commissioner (OAIC) is responsible for providing advice, reviewing complaints, conducting investigations and monitoring compliance in relation to the federal Privacy Act 1988 (Cth). However, the OAIC does not have a specific function or officer to oversee the collection, retention and use of biometric information. This means that in Australia no biometric-specific oversight mechanism currently exists. A pattern of hostility towards the OAIC, for example attempts to abolish, and reduce funding to the OAIC, has compounded the regulatory gaps in matters of privacy in Australia. The complex nature of biometric information, coupled with the way it is used by law enforcement and security agencies, and continuing developments in this field, indicate the OAIC may need additional resources and specialisation in biometrics.

"A series of high profile cases have reaffirmed that the retention of biometric information or photographs of individuals who had not been convicted of a criminal offence violates the right to private life"

Conclusion

Regulation and Oversight of New Technology

Considerable developments in the use of AFRT have occurred and urgent policy consideration is required to address legislative and regulatory shortcomings. The expansion of information collection and sharing by law enforcement and security agencies has not been matched with an expansion in oversight. There are broader implications for existing and emerging surveillance technologies. Ongoing developments in technology mean databases will continue to expand and information sharing will become more efficient. A re-evaluation of privacy protections in response to new technology is required, as are additional oversight mechanisms.

The expansion of data collection and information sharing by law enforcement and security agencies has not been matched with an expansion in oversight. Effective oversight of biometrics requires technical knowledge, resources, and the power to advocate for individual rights against strong claims to protect the community from crime and terrorism. Internationally, independent statutory commissioners have demonstrated an ability to limit the scope of AFRT and respond to concerns related to consent, retention and use of biometric information. The UK has created a Commissioner for the Retention and Use of Biometric Material to regulate the collection, retention and use of biometric information, provide protection from disproportionate enforcement action, and limit the

About the Author

Dr Monique Mann is a Lecturer at the School of Justice, Faculty of Law at the Queensland University of Technology (QUT). She is a member of the Crime and Justice Research Centre and the Intellectual Property and Innovation Law Research Program at QUT. Dr Mann is also a member of the Board of Directors of the Australian Privacy Foundation. This article has been adapted from UNSW Law Journal Vol 40(1) Adv – the original article and full references are available here: http://unswlawjournal.unsw.edu.au/sites/default/files/04-mannsmith-advance-access-final.pdf Dr Mann acknowledges the contribution of Dr Marcus Smith who contributed to the original research on which this adapted article is based.

Australian Security Magazine | 21


CCTV Feature

Digital video analytics: Test results

By Tony Caputo

Before we discuss digital video analytics I need to explain, as painlessly as possible, why the following examples have inspired me to write this. You see, I’ve been working with digital imagery and video since the 1990s and I’ve come to understand that the image presented on your screen is made up of digital pixels. In the digital world of absolute mathematical equations, pixels are not measured in dots of Cyan, Magenta, Yellow and Black, like the offset printing process, but rather in bits and bytes. A digital pixel represents visual colour. There are 8 bits (1 byte) per pixel in a black and white image and 24 bits for a colour image (1 byte each for Red, Green and Blue). So, each pixel contains 256 shades of gray (for black and white) or 256 shades of Red and 256 shades of Green and 256 shades of Blue, or 16,777,215 colours for a colour image. If you’re wondering what happened to the Black in the transition from CMYK in print to the RGB of pixels, mix Red, Green and Blue paint together, and see what you get – black. The richness of the blacks is also defined by brightness and contrast in the digital world. This is why your 1080p television looks so much sharper and more colourful than that old CRT television, because the digital image has more pixels to pick up more detail and colour variables. However, more pixel depth doesn’t make a smarter camera, only a better-quality image. Now that you understand how the IP camera image

processor captures visual images in the analogue world, the next step is motion. Digital motion pictures are achieved the same traditional way Thomas Edison achieved motion back in 1901, with frames per second. The rapid succession of multiple snapshots of the field of view captures the colour changes at a rate per second, providing the illusion of movement on screen. The real magic of digital video is the compression and decompression (codec) algorithms. These codecs analyse motion within the multiple frames and dissect them into blocks, categorizing them into special frames and data for transmission. This is a necessity for the transmission of digital video because transmitting full 1080p frames per second (MJPEG) requires about 31 Mbps bandwidth (yes, thirty-one megabits per second), versus the H.264 codec, which can transmit the same quality imagery using only 2.5 Mbps. Further details on codecs aren’t necessary for this post; the point is only that codecs do not care what is moving within the digital image when they encapsulate that movement within their macroblocks. Their only function is to shrink the video stream for transmission and take up less storage space when recording. Digital pixels identify colour. Multiple frames create the illusion of motion. Codecs just shrink it for transmission and storage. The fact of the matter is, IP cameras are not very smart. They do not know what they are “seeing.” They do not know what is moving; they just capture, replicate and transmit. They don’t know the difference between blowing snow and a person walking across the scene. This is why video analytics systems have failed in the past: because software only cares about the pixels, you’re limited in trying to understand what is actually being “seen.” Traditionally, analytical software is limited to the data received from these IP cameras, and so it analyses pixels (colour) and motion (FPS) and, once calibrated, begins to understand a difference between something that’s 10 pixels and 50 pixels in size, calculates the time between frames and determines that the 10 pixels may be a person walking and the 50 pixels is a car speeding, if it’s calibrated as such. The moment the lighting changes (which changes the colour), or that person opens a giant umbrella, or that car slows down, it needs to be able to categorize shapes in order to remember that, “wait, that’s still a car.” So, you see, when I was assigned the task of testing and creating demonstration samples for Hitachi Video Analytics (HVA) Suite, I was quite apprehensive in accepting the project. I envisioned hours of frustration ahead of me because IP cameras and software are not that smart. I wanted the killer app (analytics) to be that smart. I envisioned re-purposing the tens of thousands of underutilized security IP cameras into Smart City sensors. HVA not only surprised me, it impressed me. One of the first examples I created is below. When I realized HVA Object Detector could be calibrated to ignore moving objects, I remembered a use case from a decade ago that involved sending a real-time alert if there was a stalled vehicle or person at a railroad crossing. I recalled it took a freight train over a mile to stop and cost millions of dollars a day for delays, let alone the liability. HVA Object Detector ignored all movement, including any cars crossing the tracks, and sent an alert when the person fell on the tracks.
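The argument above, that a pixel-and-motion analyser cannot tell blowing snow from a person until it is calibrated on the size of what changed, and that a bare sensitivity knob also fires on shadows and lighting shifts, as an added illustration (my own toy code, not Hitachi's or the author's): a frame-difference detector run over constructed greyscale frames, with a minimum blob size for intruders and a whole-frame change bound for lighting changes. The frame size, thresholds and sample frames are assumptions.

```python
from collections import deque

W, H = 40, 24  # constructed frame size in pixels (assumption)


def make_frame(brightness=100, snow=(), person=None):
    """Constructed 8-bit greyscale frame: a flat background plus optional
    single-pixel bright 'snowflakes' and a dark rectangular 'person'
    given as (x, y, width, height)."""
    frame = [[brightness] * W for _ in range(H)]
    for x, y in snow:
        frame[y][x] = 250
    if person:
        x0, y0, w, h = person
        for y in range(y0, y0 + h):
            for x in range(x0, x0 + w):
                frame[y][x] = 20
    return frame


def changed_mask(prev, cur, threshold=40):
    """True where a pixel's intensity moved more than `threshold`
    between frames: all a plain pixel analyser can see."""
    return [[abs(cur[y][x] - prev[y][x]) > threshold for x in range(W)]
            for y in range(H)]


def blob_sizes(mask):
    """Sizes of 4-connected regions of changed pixels (flood fill)."""
    seen = [[False] * W for _ in range(H)]
    sizes = []
    for sy in range(H):
        for sx in range(W):
            if not mask[sy][sx] or seen[sy][sx]:
                continue
            seen[sy][sx] = True
            size, queue = 0, deque([(sx, sy)])
            while queue:
                x, y = queue.popleft()
                size += 1
                for nx, ny in ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)):
                    if 0 <= nx < W and 0 <= ny < H and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((nx, ny))
            sizes.append(size)
    return sizes


def naive_alert(prev, cur):
    """The 'sensitivity knob only' detector the article describes:
    any changed pixel at all raises an alert, so snow and rain fire it."""
    return any(any(row) for row in changed_mask(prev, cur))


def classify(prev, cur, min_blob=12, max_changed_fraction=0.5):
    """Calibrated verdict: 'quiet', 'noise', 'intruder' or 'scene_change'.

    - scattered pixels (snow, sensor noise) form blobs below min_blob -> noise
    - a coherent region of at least min_blob pixels -> intruder
    - most of the frame changing at once (shadow, dusk, IR switch) -> scene_change
    Thresholds are assumptions; a real system calibrates them per scene."""
    mask = changed_mask(prev, cur)
    changed = sum(sum(row) for row in mask)
    if changed == 0:
        return "quiet"
    if changed / (W * H) > max_changed_fraction:
        return "scene_change"
    return "intruder" if max(blob_sizes(mask)) >= min_blob else "noise"


def run_demo():
    """Constructed scenes: snowfall only, snowfall plus a person, dusk."""
    background = make_frame()
    flakes = [(3, 2), (17, 9), (30, 14), (8, 20), (35, 5)]
    snow = make_frame(snow=flakes)
    person = make_frame(snow=flakes[:2], person=(10, 5, 4, 9))
    dusk = make_frame(brightness=30)
    return {
        "snow_naive": naive_alert(background, snow),
        "snow_calibrated": classify(background, snow),
        "person_calibrated": classify(background, person),
        "lighting_naive": naive_alert(background, dusk),
        "lighting_calibrated": classify(background, dusk),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The naive detector alerts on every scene; the calibrated one only alerts on the 4x9-pixel person blob and reports the dusk frame as a scene change rather than an intrusion.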
HVA Intrusion Detector includes a built-in filter for weather conditions. I inadvertently performed a test comparison between the analytics built into a camera and HVA by tapping into a video stream from a backyard camera which I had configured with its built-in analytics. The only method of calibration and configuration for the built-in analytics was adjusting its sensitivity. Although all the false positives from animals made me realize what a jungle the neighbourhood was (squirrels, cats, raccoons, possums), I eventually disabled the built-in analytics, as I was sick of getting email alerts with snapshots of rain and snow. After a while, continually reducing its sensitivity means it doesn’t alert you to anything but the huge afternoon shadows that cause dramatic changes in pixel colour. Absentmindedly, I did notice that I didn’t receive any false positives from the HVA Intrusion Detector, ingesting another RTSP stream from the same camera. That’s when I decided to create the example below: a simple area protection configuration, taken during snowfall. HVA ignores the snow, and the squirrel running around, and only alerts me when the person walks into the frame. HVA knows what snow is. The intelligence behind the snow, rain, haze and fog filter that’s built into HVA Intrusion Detector is also available in the HVA Video Enhancer module. Impressed, I decided to give it an even bigger challenge. How about a Chicago-style snowstorm? Analyse this! To the left is the actual footage, crazy windblown snow creating white-out conditions. It gets to the point at the end of the clip that there’s so much snow, it tricks the camera back to colour mode, thinking it was daylight. The clip to the right is the sample video processed through HVA Video Enhancer, which now can be ingested into other video analytic modules for better accuracy and performance. HVA really does know what snow is.

The HVA Intrusion Detector sample clip below is configured for Perimeter Intrusion. A person must walk from the green zone into the red zone in order to be recognized as an intruder. Even though I configured the zones to be the same size, HVA’s ability to recreate a three-dimensional space from the two-dimensional image means it understands perspective, so it recognizes that the figure attempting to enter the facility is 1.8 meters tall, and an intruder at each door.

A unique and very effective module is the HVA Privacy Protector, which makes it possible to protect the privacy of individuals and still allow for video monitoring for safety and security. I configured the HVA Privacy Protector example below with a couple of layers. First, I wanted the ATM to always be pixelated, to protect PINs, and the vehicles on the street, to protect license plates. Although HVA Privacy Protector is engineered for static fixed camera views, notice how the persons-of-interest are still fully pixelated even when standing still? This stream is now available for input into other systems and/or analytics, such as Intrusion Detector or Object Detector, while still protecting the privacy of individuals. The secured archived footage can only be seen by authorized personnel with the correct security clearance. You can even add a second layer of security using a Smart Card and transaction authentication number (TAN) for protection.

I created over a hundred test samples for all the HVA modules (listed at the end). HVA is impressive because each module has its own analytical engine, engineered to do that specific function. It’s not one pixel analyser and movement calculator that was built upon to do something more than its core capability. HVA also recreates three-dimensional space from a two-dimensional video image and then adds the 4th dimension (time) for improved performance. You can also calibrate the length of its 3D learning phase and each scene with multiple illumination states – day, night, afternoon – which also improves its performance and accuracy. It really does add more intelligence to cameras and I've tried it on many different types, from a generic low-end bullet camera to the popular Axis cameras (including the panoramic), to the top of the line thermal camera. I could go on with other samples, but you get the idea. I was apprehensive at first, but I’m excited to have been a part of this new technology release, and the thought that my dream of the analytics killer app for Smart City has finally become a reality.

The Hitachi Video Analytics Suite:

- Activity Visualizer
- Camera Health Monitor
- Face Collector
- Intrusion Detector
- License Plate Recognizer
- Object Detector
- Parking Space Analyzer
- People Counter
- People Counter 3D
- Privacy Protector
- Queue Detector
- Traffic Analyzer
- Vehicle Counter
- Video Enhancer


Women in Security

Uniquely placed to lead mission critical information systems With Christine Zeitz Managing Director of Leidos Australia

ASM: How did you get into the security industry?

I’ve been working in the defence and security arena for most of my career, spanning 25+ years. I landed a graduate role at BAE Systems, and while I didn’t target the defence and security sector, I have become committed to the mission of defence and security and couldn’t imagine leaving the sector.

ASM: How did your current position come about?

I joined Lockheed Martin (LM) in August 2015, where I managed LM's Information Systems and Global Solutions (IS&GS) business in Australia and Asia Pacific, then the business merged with Leidos in August 2016 and I was appointed the Australian Managing Director.

ASM: What are some of the key challenges you think the industry is faced with and what difference do women in leadership roles make to meeting these challenges?

There are daily reports and accounts around the security threat our country and our allies face. Security is the priority of the new US president and our Prime Minister has launched his new cyber policy. The current and most immediate threat we face is the security of our businesses and government. The security business is people driven. Without the right skilled people who have experience in areas like analytics and computer sciences we can’t operate. Resourcing this skill base is the key challenge. To counter the threat, we need to build the right skills and knowledge in the security sector. To this end, we need to access the whole talent pipeline, which includes both men and women. We are missing a large talent pool by not attracting women into this industry; we can't afford to do this. At Leidos, we have equal representation of women and men on my executive team. Through this leadership I look forward to improving the representation through the rest of our company. I am very supportive of the many focussed initiatives across our sector to improve the representation of women in our industry including women in security forums, STEM training activities and mentoring programs.

ASM: Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected?

There is a greater need to collaborate with our allied countries. We also need comprehensive tools to collaborate within the many agencies that exist in Australia to really make a difference. Regarding women in our industry the statistics are slightly better for government than industry. Frankly, the defence and security industry needs to do better. Defence industry employs around 15% - 20% females. In leadership roles, there are even fewer women – sadly, of the top twenty defence companies in Australia, I don’t believe I share a female peer in an MD/CEO role.

ASM: Is there anything else of importance to note about your current position/company?

It is a really exciting time to be working in the Leidos Australia business. We have nearly 1,000 highly skilled people based in Australia, primarily in Canberra and Melbourne. This number continues to grow, as does our footprint across the country. We work on a wide variety of projects for Defence and the Australian Taxation Office (ATO) and have a culture of working hard and delivering critical outcomes on complex projects for our customers. Leidos Australia is uniquely placed to support clients' mission critical information and data analysis systems, as our heritage gives us a deep understanding of the outcomes required. We understand the role of major platforms in the collection of data, how to securely transmit large volumes of data, how to analyse the data and most importantly how to represent the data in a meaningful way to multiple audiences. This enables clients to make better decisions and improve processes based upon large volumes of data. The security of the data is critical to Government and commercial organisations alike. At the moment, we have over 100 vacancies based in Melbourne and Canberra so our business is in serious growth mode. What excites me is that we are building an enduring capability in Australia to deliver a long-term profitable business to our shareholders, while meeting the current — and future — challenges of our customers.

ASM: What are your previous notable positions?

Prior to joining Lockheed Martin, I was President of BAE System’s North East Asia region in Japan where I carried responsibility for government, customer and industry relationships for the region with annual orders of $US600M per annum. Before that, I was part of BAE System’s management board and held senior positions in logistics, strategy, business development, commercial, procurement, government relations and communications. I also held the role of Director of Defence Logistics in Australia (2010-2013) at BAE Systems and was responsible for P&L of $A200m per annum, 1,500 staff, and 1 million hours of maintenance per annum across 26 sites. Earlier in my career with BAE Systems I held a number of senior procurement and commercial positions responsible for the negotiation, execution and administration of commercial agreements in a number of countries, including Israel, USA, Canada, Kuwait, UK and Indonesia.

ASM: Are you an active mentor or being mentored and how important has a mentoring framework been to you?

I strongly believe in the value of mentoring and actively do so. What is equally important is to become more of a ‘sponsor’ than a mentor. This means that you don’t just provide counsel, but you take an active part in supporting people by providing real career opportunities (where possible) and actively promoting them through your own networks.

ASM: What do you do when you're not working?

I am a bit of a football tragic so you can find me watching my favourite team - Port Adelaide. I also love the outdoors and sport. Spending quality time with my husband and two children is also very important to me.


Journey to customers:

HPE SECURE DATA’S INNOVATION, APPLICATION & SOLUTION

Insights interview with Tammy Schuring, Vice President of Sales, Hewlett Packard Enterprise

By Chris Cubbage, Executive Editor

When discussing the focus for data security at Hewlett Packard Enterprise (‘HPE’), it becomes apparent that the worldwide news and headlines of cyber-attacks over recent years remain a prime motivator for treating the risk of a data breach. Based in Silicon Valley, Tammy Schuring, Vice President of Sales for HPE Security – Data Security, came into the role in 2015, having dedicated over a decade to growing a loyal customer base. Tammy continues to evangelise a fundamental security approach: protect ‘the data’. Tammy was in Australia meeting with customers to provide her own insights into the capability of monetising data—be it personally identifiable information, healthcare, financial or similar sensitive information. Tammy asserts, “unfortunately, companies the world-over are faced everyday with the daunting realisation that it’s not a matter of ‘if ’ they are breached, it’s a matter, ‘are’ they being breached now, have they ‘already’ been breached or are they ‘about’ to be breached. It’s a change in mindset. Whether it’s an insider threat, or a cybercrime organisation that’s patiently looking for a way to get in or that is already syphoning off data. It’s stepping out and saying at the outset: it’s not a matter of whether we can keep them out, we need to start seeing through the lens of it’s already happening.”

INOCULATING SENSITIVE DATA

HPE is attacking the data protection problem right at the heart of a much-needed solution. Tammy explains, “What we do at Data Security inside HPE is inoculate sensitive data, so when it’s in the wrong hands, it cannot be used against the customer, be it a company or person. The ability to take sensitive data that the cyber criminals can use, to create money, be it a fraudulent tax return, or credit information, and protect it yet have the data retain its format and its logic inside the company, is huge. This way, if the protected data gets stolen, it cannot be monetised. It cannot be used somewhere else – it’s not actually the real data.” Typically, when encryption or tokenisation is applied, it transforms the data into an unusable, very long string—be it a 256-bit or 128-bit string; and applications cannot function with de-identified data. HPE SecureData has enhanced the cryptography in such a way that when the data is de-identified, what comes out the other side retains the expected format. It retains the logic that a random set of numbers or letters would otherwise not present; for example, HPE SecureData output will still pass a checksum in the case of PAN (primary account number) data. “The other key element,” Tammy highlights, “is it can also retain data relationships, with what in technology is called ‘referential integrity’. By preserving the referential integrity—your relationship to your address, phone number, your credit card data, your account number, your health data—all of those relationships are preserved, even when we are encrypting or tokenising those elements. Metadata can also be preserved, and that’s an aspect of its logic. The ability to retain as much of the principles of the data. Companies can start to operate on the de-identified data and you will find companies typically have 50 and up to 120 data types that are viewed to be sensitive data.” “We’re taking the threat surface and drastically reducing it.” As an analogy, Tammy commonly likes to use, “it is gold versus fool’s gold – we are figuratively transforming the gold into fool’s gold. It looks like gold, it acts like gold. The data ‘shimmers’ throughout the system; but when the bad guys steal it, they spend a lot of money and time trying to monetise it and they simply can’t—because it’s not real data, but it absolutely looks like data.”

Tammy Schuring - Vice President of Sales for HPE Security – Data Security

ABILITY TO DECIDE ON SECURITY

HPE SecureData has built a loyal customer base across a wide range of industries, with the standards-based technologies of HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST). HPE FPE is an encryption technology that preserves the original data format in the encrypted state, as well as context value, relationships and meaning, enabling business process and secure analytics. HPE SST provides advanced data security without token databases. HPE SST improves speed, scalability, security, and manageability over conventional and first-generation tokenization solutions. These technologies protect the data, and the protection is carried with the data itself – wherever it goes – in-motion, at-rest, and while in-use. Tammy described how customers have the ability to decide, from a rules perspective, how they want the de-identified data to appear once it has been encrypted or decrypted. She said, “One of the things customers can do is called ‘obviously protected’. They can choose to transform it, perhaps as an example, add letters and visually see that this is in fact not the real data, so there are ways to decide, for a particular attribute of the use case or by-product of the system.”

PSEUDONYMIZATION MEETS GDPR

There are a number of regulations that companies must comply with, such as PCI DSS (Payment Card Industry Data Security Standard) through to the emerging regulation of GDPR (General Data Protection Regulation), and a wide range beyond that. Tammy notes, “At the end of the day, interestingly, regulations and audit compliance may be only pointers in the right direction. Just ask any compliant company that has still experienced a data security breach.” Tammy assured, saying, “If anybody believes that compliance equals security, just go read the news any day of the week. Customers are able to leverage our solution to greatly reduce their compliance scope and save personnel hours, and that’s not even the best part of the story.” “The best part of the story,” Tammy says, “is where they end up at the other side. It is truly addressing the risk. The risk that even if you were compliant, and have reduced the compliance footprint, like we do with PCI so dramatically, and you still suffer a breach. If that data is stolen, that data itself cannot be monetised. The ability to leverage the format preserving encryption and format preserving tokenisation, that we bring to the market, enables them to protect the data at capture and keep it protected throughout its lifecycle. There’s no longer a need to decrypt it to determine where it goes next. It ends up staying in its protected state.”
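The format-preserving and referential-integrity properties described above, as an added illustration in standard-library Python (my own sketch, not HPE's FPE or SST algorithm): a keyed, deterministic pseudonymisation of a card number that keeps the 16-digit format and a valid Luhn check digit, keeps joins between two systems working on tokens alone, and offers the "obviously protected" letter variant. The key, the records and the test card numbers are constructed; an HMAC-derived token like this is one-way (a stateless token), not reversible encryption.

```python
import hashlib
import hmac

# Constructed demo key: in a real deployment this lives in a key manager.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check, as applied to a full PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these land on the doubled positions once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def pseudonymise_pan(pan: str, key: bytes, obvious: bool = False) -> str:
    """Deterministic, keyed token for a PAN with the same length and format.

    Digits are taken from HMAC-SHA256(key, pan), so the same PAN always maps
    to the same token (referential integrity) and a different key gives an
    unrelated token. The last digit is a Luhn check digit so format validators
    still accept it. This is a one-way stateless token, not reversible FPE.
    With obvious=True the first two characters become letters so a human can
    see at a glance that the value is protected (it will then fail Luhn).
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("PAN must be a string of digits")
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    # One digit per MAC byte; b % 10 is slightly biased, acceptable for an
    # illustration but not for a production token generator.
    body = "".join(str(b % 10) for b in mac[: len(digits) - 1])
    token = body + luhn_check_digit(body)
    if obvious:
        letters = "".join(chr(ord("A") + b % 26) for b in mac[-2:])
        token = letters + token[2:]
    return token


# Constructed records from two systems that must still join on the card.
# The card numbers are public test numbers, not real accounts.
TRANSACTIONS = [
    ("4111 1111 1111 1111", 42.50),
    ("4111 1111 1111 1111", 9.99),
    ("5500 0000 0000 0004", 120.00),
]
CUSTOMERS = {"4111 1111 1111 1111": "alice", "5500 0000 0000 0004": "bob"}


def spend_per_customer(key: bytes) -> dict:
    """Join transactions to customers using only tokens on both sides,
    i.e. the real PAN never has to be present in the analytics system."""
    token_to_name = {pseudonymise_pan(p, key): n for p, n in CUSTOMERS.items()}
    totals: dict = {}
    for pan, amount in TRANSACTIONS:
        name = token_to_name[pseudonymise_pan(pan, key)]
        totals[name] = round(totals.get(name, 0.0) + amount, 2)
    return totals


if __name__ == "__main__":
    for pan, _ in TRANSACTIONS:
        tok = pseudonymise_pan(pan, DEMO_KEY)
        print(pan, "->", tok, "luhn ok:", luhn_valid(tok))
    print(spend_per_customer(DEMO_KEY))
```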

GDPR will greatly impact how companies deal with data, going beyond just fines and protecting personal information, opening avenues to a world of lawsuits and empowering the individual to take action. Up to four percent of a company’s annual turnover (Article 83, GDPR) is potentially at risk, so the stakes are tremendously high. Tammy explained, “There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the ‘get out of jail free’ card.” Tammy said, “If you are taking this personally identifiable information as defined by GDPR, and you’re leveraging a data protection solution such as HPE SecureData, you’re keeping all the benefits of the data but you’re leveraging pseudonymization. Such that, should something happen to the data, and it is lost or stolen, the data is useless to the attackers, and is therefore a non-event and that is the ideal scenario.”

BIG DATA INNOVATIONS

One of the big innovations is around data itself. Tammy notes, “If you go back just a few years, the amount of data that we could consume and do real-time analytics on pales in comparison to what we can do today. There is so much value in being able to take not only the data a company has, but bringing in data from other sources. Working with some of the car manufacturers and their belief there should never be a recall on a car again, because these cars are so instrumented and with so much data coming out of them, they should get ahead of any problem that would come up. But it wasn’t until ‘big data’ that they could see the patterns light up in real time, in order to determine where they needed to make adjustments. Once they figured out with these innovations in technology, there was a major inhibitor standing in their way – and that was security.” “The proposition was there, but how could you take so much sensitive data about just one person? Their personally identifiable information, the vehicle’s identification number or VIN, where they’re going, GPS data, how fast they’re driving, you name it. How many times are they hitting the brakes, and to put that essentially into a huge soup pot that’s based on Hadoop, innately probably the most insecure platform on the planet right now. The risk was too high.” “What we’ve been able to do with the SecureData

28 | Australian Security Magazine

technology is apply it into the world of big data analytics. For example, with the car manufacturers, that ability to protect the data in a way that the format is preserved, the logic is preserved, and most importantly the relationships. It is not important to know all the individual pieces of information and details. What is important is ability to detect the patterns. There is so much data there, the problem really isn’t an ability to associate with one particular person, but the ability to see those patterns.” WAVES STARTING TO HIT: ACCESS TO THE CLOUD & INTERNET OF THINGS Tammy highlights, “One of the key aspects that is shining a light on this technology’s evolution is access to the cloud. The ability to embrace public cloud can save companies a tremendous amount of money by giving them access to things that they didn’t have access to before.” Referring to a large car brand as a customer, Tammy said, “they discovered they can save 40 per cent, per application, per year, if they moved their .NET applications to Microsoft Azure. This value proposition is potentially tens of millions, if not hundreds of millions of dollars in some cases, over a five-year period. When this was realised in one of the business units, the CEO was naturally very excited with such an innovative, costsaving measure. Before proceeding, Security asked one simple question—is there any sensitive data, including PAN data, involved? The answer was, ‘yes’. Yet before objecting to the project, someone on the CISO’s team had recalled our ability to secure the data and preserve the format. Without creating a bigger processing footprint in putting this data into the cloud, in these .NET applications, the concerns the customer had around the data were addressed. The applications did not have to change their data model. 
With the data format and data relationship integrity staying intact, there was no need for any rule changes.” “We match the elasticity model in the underlying platform,” Tammy continued, “so most of our customers decide they want this data-centric protection model across their entire organisation. They don’t want to have to decide if it will only be in the Hadoop environment, or only in their mainframe, or .NET, or J2EE ( Java Platform Enterprise Edition) applications, or open system applications. What we do is match to the acuity model of that environment. Such as in Hadoop, that is a node-based environment and we can sell our product based on the node count; for a smaller organisation with 10-20 nodes, through to some of the largest customers in the world, with tens of thousands of nodes, we have a model that can be adapted for all.” IoT is an exciting paradigm and the wave is just starting to hit. However, Tammy asserts, “there is so much data and this can be used very maliciously. Be it a driverless car or a medical device, should someone manipulate that, the impact is no longer how much data can I monetise, the impact is on people’s lives.” The HPE SecureData technology comes packaged as either an API (Application Programming Interface) or an SDK (software development kit). HPE has a mobile SDK which allows companies to build right into their mobile applications. The capture of data and format preserving
encryption paradigm, as we’re all out on the go, entering various information into our devices, right at capture, can be protected. Tammy explained, “It’s not sitting in memory in clear text. The vulnerability aspect of what these mobile devices bring is addressed. We’re seeing with IoT, the power, scale, innovation, is exponentially improving, not in years now but in months. What could be done a year ago, pales in comparison to what will be done a year from now. The ability to build in this encryption, right at capture from inside these IoT devices, is there in many cases, or on the verge of being there.” “When you look at the difference in the innovation, in regards to encrypting and keeping the format the same, versus bloating it into a 256-bit string, that impact is minimal. We’ve been deployed with two of the biggest card brands in the world, with every single card transaction related to them. The ability to be in every single transaction means it has to meet requirements in performance and scale. SecureData has the ability to take any production data, like transaction information, be it per second information, latency information, and then turn it around and apply it in the world’s top financial institutions, healthcare and retailers. We can show that at scale, so the customer’s requirements are often so much lower than we’re already being applied to.” “One of the key elements of what powers a lot of what HPE SecureData does and why this is being adopted so broadly now, is that the technology has format preserving encryption, now a mode of AES (Advanced Encryption Standard). We have received our NIST (National Institute of Standards and Technology) certification as FFX1, and our FPE technology provides accelerated encryption performance up to 170 per cent in conservative scenarios. Building on today’s proven high-speed FPE technology, while aligning to the high-volume needs of next generation Big Data, cloud, and IoT scenarios. 
With the power of what this algorithm can do in terms of enhancing the encryption footprint, the US Federal Government fast-tracked it to make it a standard and now, as we’re finalising our FIPS 140-2 and Common Criteria, this opens up many areas. Where it was already being leveraged before that certification, it is now able to be used by government entities and other entities who set the bar and this standard is a requirement.”

CAPTIVATING AUSTRALIA

“Australia is a very interesting market,” Tammy observes, “we started investing here about seven years ago and have a lot of interest. One of the main discussions back then was PCI (payment card industry) and companies wanting to get to compliance – there wasn’t the view that there was the same kind of risk as there was in other parts of the world.”

“Paradigms like big data, cloud, mobility and with data so transient now, the Australian market is much more exposed, and a light has been shone on it. Big data is probably the biggest driver now, and regulations like GDPR are right behind it, as well as the drive to public cloud.”

The Australian market has a tremendous need, Tammy notes, “I spent time with the Government and large financial services, telecommunications, retailers, sports betting—and I was shocked. I was last in Australia, literally at the time when the Census breach was happening, and seeing the way that sensitive information is being used in this country. I found having been an evangelist of this approach across the globe, it has really surprised me how often a national ID, or a credit card number or an account number is used as a primary key and mode of identification. There is a lot of ground to cover here.”

Tammy concludes, “I think the Census example, of showing how systems can fundamentally break down, showed when the confidence of the citizens in those systems evaporates. So, having returned to Australia this year, there is such a desire now to protect the information and it’s no longer about meeting a particular regulation as the driver, be it PCI or GDPR – it’s really about the overarching sense of confidence and protection of brand.”
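The format-preserving property described above, illustrated with an added example that is not HPE SecureData's code and not the NIST FF1 mode: it uses a generic Feistel network with HMAC-SHA256 as the round function so it runs on the Python standard library alone. The PAN layout that leaves the first six and last four digits in clear, the demo key and the two small tables are constructed assumptions.

```python
"""Illustrative format-preserving encryption (FPE) over decimal strings.

Added example; not HPE SecureData or NIST FF1 code. A Feistel network with
HMAC-SHA256 (stdlib) as the round function shows what FPE preserves: the
ciphertext has the same length and character set as the plaintext, so it
fits existing columns without a data-model change, and because the cipher
is deterministic under one key, equal inputs map to equal outputs, so joins
and pattern analysis across protected tables still line up.
"""
import hashlib
import hmac
from collections import Counter

ROUNDS = 10  # same round count as FF1; the round function itself differs


def _prf(key: bytes, tweak: bytes, round_no: int, half: str, m: int) -> int:
    """Pseudorandom integer in [0, 10**m) from key, tweak, round and the other half."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** m


def _split(digits: str):
    """Validate a digit string and split it into left (u) and right (v) halves."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u, digits[:u], digits[u:]


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to another digit string of identical length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # alternate half sizes so odd lengths work
        c = (int(a) + _prf(key, tweak, i, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt_digits by running the rounds backwards."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        prev_a = (int(b) - _prf(key, tweak, i, a, m)) % 10 ** m
        a, b = str(prev_a).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt a 16-digit PAN, keeping the BIN (first 6) and last 4 in clear.

    Assumed deployment layout (not taken from the article): only the middle
    six digits are encrypted, so BIN routing and last-4 display keep working.
    The visible digits are bound in as a tweak. Luhn validity is not preserved.
    """
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    tweak = (pan[:6] + pan[12:]).encode("ascii")
    return pan[:6] + fpe_encrypt_digits(key, pan[6:12], tweak) + pan[12:]


def joined_counts(key: bytes, orders, chargebacks) -> dict:
    """Protect both tables, then count chargebacks per protected PAN that also
    appears in orders: the join is done on ciphertext alone."""
    protected_orders = {protect_pan(key, pan) for pan in orders}
    counts = Counter(protect_pan(key, pan) for pan in chargebacks)
    return {tok: n for tok, n in counts.items() if tok in protected_orders}


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"  # constructed, not a real key
    pan = "4111111111111111"                   # constructed test PAN
    tok = protect_pan(key, pan)
    tweak = (pan[:6] + pan[12:]).encode("ascii")
    assert len(tok) == 16 and tok[:6] == pan[:6] and tok[-4:] == pan[-4:]
    assert fpe_decrypt_digits(key, tok[6:12], tweak) == pan[6:12]
    print(pan, "->", tok)
```

Only the six encrypted digits change, the length and character set do not, and the same PAN in both tables maps to the same token so the chargeback join still works; the result is not expected to pass a Luhn check, which is one reason real deployments use a vetted FF1 implementation.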

Australian Security Magazine | 29


RSA CONFERENCE 2017 FEATURE REVIEW

THE BIGGEST ‘MUST GO’ CYBERSECURITY SHOW ON EARTH - PART 2 Editor’s RSA Conference 2017 Review

// ARTIFICIAL INTELLIGENCE PROTECTING THE ACTIVE DIRECTORY

Interview with Javelin founders Guy Franco and Roi Abutbul, CEO

At RSAC 2017 Javelin announced the release of AD Protect™, an AI-based platform designed to stop the use of stolen and misused directory credentials to move laterally into an organisation. Thwarting attackers at the point of compromise, it contains the breach to just one machine. The AI autonomously projects to the attacker a false set of organisational resources, including the Active Directory, that look and act real, yet get the attacker nowhere. The result is Javelin’s automated incident response (IR) and breach containment that improves attack
compromise detection and directory credential theft or misuse, while assisting efforts to investigate and contain any further attack.

The story behind Javelin arcs back to three young men meeting in the Israeli Air Force and Intelligence Corps. Guy and Roi, along with co-founder Almog Ohayon, started out in 2014 and after $2 million in seed funding, in early February 2017, they announced a $5 million Series-A Financing Round to fuel further development and growth. Based in Tel Aviv, the company is now also situated in Palo Alto, CA and Austin, TX.

As Guy explained, “the industry is focused on protecting networks, computers, devices and applications, but at the end of the day the key element being targeted is the Active Directory (AD) – it is used in 9 of every 10 companies around the world and remains mostly unprotected. All the campaigns APT attacks are based on is achieving AD manipulation – the attacker’s aim is to be stealthy, leave no evidence and achieve a high gain and mostly, a financial gain.”

After almost two and a half years working just on the technology with a dedicated ADP (Automatic Data Processing) design team, the company launched in the second half of 2016 and hired former Cylance Executive, Greg Fitzgerald to drive the message that all the attacks and all the threats are focused on the AD – the heart of the organisation. Javelin reports seeing immediate traction with customers, with one customer, despite having a $50 million security budget, discovering they still had limited protection of the AD. Javelin can support 20,000 devices and then scale out to 500,000 end points. The learning phase is rapid, within minutes, acquiring 200 devices at a time – so a large enterprise network can be acquired within an hour or two.

Roi stated, “the greatest thing we have accomplished is we have created an autonomous IR mechanism and the only one specifically designed to work in a domain environment. That domain environment has its own rules and we have built that from scratch – once we find an infection on one computer and deployed inside a domain, the AI establishes the elements of the infection and will automatically look across the network for those elements,
called automatic IRN counting. The challenge is to decide what type of attack it is, is it a single murder or a serial killer.”

The breach is contained at the point of the breach. It is a combination of resources using AI to connect the dots. It then establishes the actual process and looks out for the same malicious behaviour so a decision can be made to either kill it, or deal with it forensically. This pattern recognition algorithm is continually fed and creates automatic patterns based on the environment and data sets that are deployed in that environment. The company has 5 patents based on this approach, with one specifically an AI patent on how it creates the virtual environment. As part of the hunting and cross reference to other computers, it looks to where the malicious processes came from and what method was used for compromise, such as whether it is local or part of a bigger effort. This allows a forensic report to be formulated.

Javelin is not an EDR solution, Roi explained, “we don’t reduce the noise, we just pinpoint for only this type of (AD) attack.” With Javelin, the attacker will not get valid credentials or organisational topology. Without this, the attacker cannot move beyond the endpoint nor do so undetected. Javelin protects the entire organisation from the point of attacker entry without unnecessarily adding to the infrastructure nor altering the AD itself.

// EXPERT ROUNDTABLE: CREDENTIALS THEFT

Kowsik Guruswamy, Chief Technology Officer, Menlo Security
Scott Scheferman, Director of Consulting, Cylance
Roi Abutbul, Chief Executive Officer, Javelin Networks
Stefan Lager, Vice President of Services, SecureLink

Credentials are a lot more than logins and passwords. If you have a directory service like Active Directory, for example, they can be the keys to the kingdom of every asset on that network. If you are an end user, you may have access to a small number of resources. If you are a senior manager, you might have access to more. If you're an administrator, you could have access to everything. In a special roundtable discussion organised by NetEvents in San Francisco, we discussed credentials, phishing and cybersecurity risk. This is an edited extract of that discussion:

Kowsik Guruswamy: I think it really depends on whose credentials are being phished. If somebody sends me an email from my favourite bank saying my account has been compromised and I happen to fall for it, enter in my user name, password, somebody is going to get my bank account. So they can do wire transfers et cetera. This is on a personal basis. If I'm the CFO or the controller for some organisation and that same thing happens to my corporate credentials, now all of a sudden it's a whole different ball game. Now they've got the company's bank account. Again, it goes back to things like Salesforce, from a Salesforce admin. I may not be a C level executive in a company, but if I'm Salesforce admin and I'm getting phished, then all of a sudden my entire company, all of the pipeline, all of the revenue information is now in somebody's hands. So it really depends on who is getting phished and what sort of information that they possess that could be very, very valuable.

Scott Scheferman: Maybe from a slightly different lens as well, so when we're doing consulting, a lot of what we do when we're doing response and compromise assessments is address this credential problem. Other than execution, credentials are the other choke point common to every single breach. So the thing about credentials is that an attacker would prefer to just have legitimate credentials as opposed to leave behind malware that might get detected. So once they get to the credential part of that kill chain, they're off and running and they're able to use whitelisted tools and other types of normal authentication to Salesforce, whatever it might be, and there is no more malware so they can evade your detection systems.

RoundTable - Javelin, Cylance & Menlo - Roi Abutbul, Scott Scheferman, Guy Franco & Stefan Lager

Stefan Lager: I think we can never be 100 per cent to protect against this kind of threat. I think limit the damage you can get if a credential is stolen and also making sure you can detect and respond to that as quickly as possible I think is really key. So the way we look at it is from kind of a matrix where you have people, you have processes, technologies and you have protection, detection, response. You need to have a good mix of capabilities within all these different areas.

Kowsik Guruswamy: In the case of phishing and credential theft specifically. There was no malware or anything involved and it was not state sponsored. None of that stuff. There was a website, it looked like your bank and you typed in your password. It was very simple. I think that goes back to what phishing is all about. As my friend and colleague here says, it used to be about stupidity. We used to tell users that hey, you need to be trained and all of that. It's really become about sophistication. Every one of us I'm sure has fallen for it. I'm not a private investigator, but if I googled your name and there was something on your blog about a hit and run that you saw
and I sent you an email about an insurance quote for hit and run, the chances are you're going to take a little bit longer to read it and I got your attention. So, it's really about personalising that information, knowing some context around whether this person is going to read it or not. So personally, I just delete all my emails that I get from people that I don't know. But every email that I take more than five seconds to read, I treasure them because they've got me. They've got my attention. Spear phishing is just a concept. It's really about contextualising the data that is being presented, so you fall for it.

Scott Scheferman: So, much like you're saying, so a lot of what we were calling breaches or compromises are actually starting outside of the organisation altogether. So if somebody does a massive database dump and they grab the whole database, user names and passwords for a common social media site or something else, those passwords are then very readily available, email addresses and passwords. Well, so many of our users, as you all know, probably somebody here at this table, has reused a password for their personal life as they do, right. Not all organisations are using two-factor authentication for all of their external phishing applications. You put those two facts together and what you realise is that there is a massive market for the stealing and reselling of credentials so that you don't have to use any malware. You can opportunistically target a certain vertical that you're looking to target as an actual attacker. Attacker not being a hacker, but an attacker being an organisation that's interested in a certain vertical. Why not just buy the credentials for that vertical as opposed to try to touch your victim? You never want to touch the victim if you don't have to.
Much like spear phishing, just put in your user name and password and you barely touch the organisation at all and they've done all the work for you.

Kowsik Guruswamy: At Menlo I think the underpinning technology behind Menlo is what we call isolation. The concept of isolation is very, very simple. If you look at the overall risk from the web, it's active content, Flash, JavaScript, all of that stuff. That's the risky part. If you go back 20 years in the old Netscape days when the Internet was filled with five web pages that were all static there was about this much risk, zero. There was no problem. Fast-forward 20 years you've got this interactivity and CDNs and ad networks and all of that, everybody rushing to inject interactive content into the web browser, that's a risk. So the concept behind isolation is very simple. Let's stop playing this game of trying to figure out is this website good or bad and just execute all of this stuff away from the user just up there somewhere in the cloud. But do it in such a way that the end user has no idea that we're doing that and keep the native user experience. That's the underpinning model behind isolation and that's what Menlo does. Specific to phishing, if you look at how phishing links come to the user and what it does, it falls into three buckets. First is what we call the known bad. Everybody knows it is a phishing site, it's on some list, Google has it, other feeds have it, everybody knows it is
a phishing site. You do the obvious thing, you block it. The next one is what we call the known good. Like amazon.com is not a phishing site. Yes, there might be some ads that give you malware, but it's not a phishing site for sure. So there is a known good. Then the grey area. If you look at the grey area, we're doing the same thing that we've been doing for the last 20 years to phishing which is trying to figure out if it is a phishing site or not. So what Menlo does is we gave up on that
idea. It's not working. It's very difficult. Instead what we do is when people click on the link we end up isolating them and we have certain workflows which basically combines the training aspects of it and it also puts the website into a protective shell. It's a read only mode. People can't type anything. So the combination of that effectively means when you're about to enter the password into your bank account, you've got to pause. Also there is some training that's built into the workflow that tells the user, hey you're about to enter the password into a bank looking site, are
you sure. So that really helps eliminate phishing, in our opinion.

Scott Scheferman: I love the pause part of that description because I think in security, any time you're looking at this kill chain we've been talking about, it's important to pause before each one of these things. In your case it's before the user clicks. In Cylance's case, the best way to describe it would be we have tried to solve the problem in those 100 milliseconds prior to an executable executing and allow the AI to predict whether or not that file should run or not within those 100 millisecond pause, if you will. So in the space it takes you to blink your eye, we would look at seven files. We can look at seven files and convict them to be able to run or not. It's a very interesting thing because what we're using is predictive AI. What that looks like is if you think about it, if you take something like Shamoon 2 that's just been out recently, and this is just one at the top of my mind because that's recently been going around LinkedIn and things. If you look at Shamoon 2, Wave 2 that just came out in the Palo Alto report 42 which they did an excellent exposé on what that threat actor is and motivations, the TTPs, the IOCs, all these buzzwords of intelligence, we were actually able to prevent that pre-execution 430 days before Palo Alto's report. This is nothing about Palo Alto. I mean all credit to Palo Alto. I came from a long line of working on intelligence and reports and exposés as an intelligence liaison for these kind of packaged intelligence products. If you look at Sauron, for example, and you take the 15 hashes in the Remsec Sauron report from Symantec last summer during DefCon August of 2016, we were 18 months in front of that discovery that the rest of the human race made on August of 2016. We would have fully prevented that executable from ever being able to run.
So when we say prevention, we're literally talking days, weeks, months or sometimes years in front of when the threat actors, in some case like ZCryptor before they even compiled their first binary, we've predicted that binary and are able to block it. So that's what our pause is. The other aspect of what Cylance does extremely well is when we do our services, we do our compromise assessments. We leverage that same machine learning as well as machine learning that's focused on the credential aspects of this problem space. So I'm looking at user account profiles and applying machine learning to that problem to instantly discover accounts that are probably compromised based
on statistical confidence. So we have about 86 per cent efficacy that we have baked into our compromise assessments where we hit the big red button and out pops all the accounts that we know that we know, mathematically we know that we know in the pure sense of those words that these accounts have been compromised. For us, that allows us to move very, very quickly, or allows the organisation to pivot to containment and the rest of this back half of this kill chain and all the rest that goes with doing instant response. On the product side, it's predictive prevention via AI and that's a really big exercise. We're in the top 100 customers of Amazon where we're crunching these millions of files. For each file we're breaking them up into 2.7 million features that we're looking at. So it's not just 30 features or 200 features that malware analysts understand and the rest of the whole industry, but actually features that the human race doesn't even have words for. So the machines are telling us about features and absences of features and combinations of features that we know to indicate this malicious software and we're able to, because of the confidence we have, make an autonomous decision and put that 100 millisecond pause before execution to say no you can't run. I think risk is relative, but actually in some ways if the Board is driving the organisation to understand its risk and quantify it, it's a very lengthy exercise. The ironic part is if you plug your researchers into solving the problem before you worry about quantifying your risk, you actually shift the risk curve way to the left and
you actually are reducing your risk before you can even qualify it. So we have to approach this with a degree of wisdom. It's very difficult to go into a mission like a satellite programme, or what is the risk to the war fighter or to a theatre of battle or something if we get malware on our system or somebody enters an email? Quantifying that risk actually takes the NSA and some of their brightest minds and 30 years of intelligence if you actually want a value for risk. Nobody is armed with that intelligence. So let's move quickly, let's address areas that we know we're weak in - active directory, user
behaviour, browser exposure and malware. You mention confidence. To me that's a much more valuable word than risk. Confidence is the ability for an organisation in my mind to say look, I know that I know that I'm compromised or not or that I've been compromised in the past or not. Even that binary question I think is a quintessential question for us. What we try to do when we do compromise assessments, we're leveraging the AI is to provide a degree of confidence so that we know that we know you are or are not compromised. We're seeing a massive shift in money
from doing penetration testing in traditional services, shifting over to doing annual, biannual or quarterly compromise assessments because the value is much more to the Board than hiring a small team for a small period of time because you're able to tell the Board I know I'm not compromised and oh, by the way, or I am compromised and I've been able to learn how the bad guys got in that were targeting the organisation. Instead of hiring pen testers hypothetically to protect you, hire the entire Internet that has targeted you the last two years and learn from that. That's how we get to the place we are today where we understand there are some asymmetrical ways that we as vendors and the three of us here for sure, the AI aspect that you mentioned that's well beyond Cylance, we're sitting in the middle of this revolution. Those are the ways that we can solve these problems with confidence. Confidence ends up being a mathematical definition. It's a mathematical term. We actually have a degree of confidence index.

Roi Abutbul: I want to add to your comments that if you look at it, the CISOs today are swamped. The security teams are overloaded with, as you said, data and a lot of work that they need to do at the end of the day. But from the other equation, if you look at the effort that attackers need to invest in order to penetrate, in order to bring down an organisation, is exactly that asymmetric problem. Their investment in order to bring down an organisation is low and our investment as defending the organisation from literally being breached is high. That's the main problem
in this industry. Also, the CISOs today, on top of that, are over swamped and they actually don't know. They are understaffed and with limited budgets. If you look at here at RSA, if you go inside under the expo of North and South, most of the vendors are saying the same. It is very hard for them even to distinguish exactly what they are doing. It's very difficult.

/// MENLO SECURITY UNCOVERS NEW SPEAR PHISHING CAMPAIGN

Leveraging multiple scripts to customize attacks on US enterprises

Menlo Security, a pioneer of cloud-based isolation security technology, announced that its cybersecurity researchers recently uncovered a sophisticated spear phishing attack at a well-known enterprise that went undetected by existing security solutions. A close examination of the recent spear phishing event by Menlo Security researchers revealed the following details:

• The attackers performed various checks on the password entered by the victim and their IP address to determine whether it was a true compromise versus somebody who had figured out the attack.
• The attackers supported various email providers. This was determined by the fact that they served custom pages based on the email domain. For example, a victim whose email address was john.doe@gmail.com would be served a page that looked like a Gmail login page.
• The attackers exfiltrated the victim’s personally identifiable information (PII) to an attacker controlled account.
• The attacker relied heavily on several key scripts to execute the phishing campaign, and to obtain the victim’s IP address in addition to the victim’s country and city.

“Credential theft via increasingly sophisticated spear phishing attacks is dangerous to the enterprise,” said Poornima DeBolle, Chief Product Officer and co-founder of Menlo Security. “Existing email security products will have a difficult time detecting these attacks using the usual good versus bad methods. Once an attacker obtains an employee’s credentials, they have the keys to your kingdom.”

The spear phishing vulnerabilities stem from legacy email security solutions, including sandbox-based anti-phishing products, being largely based on reputation; that is, whether an email link is known to be “good” or “bad.” A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis. In the case of spear phishing attacks, which target specific individuals within an organisation, the email link is usually unique, as is the target user, hence there is no third-party reputation data available, nor is there enough data to analyze internally to make an accurate determination. If the determination is incorrect, users are sent directly to a web site where credentials can be stolen or malware can be downloaded to the user’s device.
For more details on the anatomy of the spear phishing attack, please visit: www.menlosecurity.com/research-brief-2017

The FULL RSA Part 1 and 2 Conference Review available at www.australiansecuritymagazine.com.au



Crisis Management Focus

CRISIS COMMUNICATION: Reputation Management when a crisis hits

By Eddie Idik

All too often, leaders within companies, organisations and governments involved in a crisis have had to learn the hard way that major disruptions, or events that once seemed unthinkable, can become a reality. Whether it be death caused by an accident within the workplace, share prices declining due to a failed takeover, a major environmental catastrophe such as an oil spill, or toxic food and medicines leading to boycotts and community outrage, the attention quickly falls on the organisation responsible and other perceived ‘guilty parties’.

Thanks to the internet and social media, information about a situation or a crisis in Sydney can reach Dubai, London or Moscow within minutes. In many cases, details will often be grossly exaggerated by the media before any official comment can be made. Stakeholders, familiar with past events such as the Tylenol Affair (1982), BP Deepwater Horizon (2010), Volkswagen Emissions Scandal (2015) and more recently, the Dreamworld Ride Accident (2016), will not only be demanding explanations but closely watching how the organisation manages its response. A “No Comment” approach or burying your head in the sand just doesn’t cut it anymore.

What is Crisis Communication?

I define it as “a proactive response to protect the reputation of an organisation during a crisis by maintaining a level of media control”. It also includes the collection and dissemination of information in a timely manner to address the crisis situation.

Many organisations fail to address the communication issues related to crisis response – leadership teams often don’t understand that in the absence of internal and external communications, stakeholders don’t receive the necessary information to know what’s happening, resulting in confusion and anger. Operational responses break down and the financial impact to the bottom line becomes more severe. Internal crisis communication is vital to mitigate the stress of the event on employees, and also to inform them as to how they can be ambassadors or assets for the organisation during this crucial time.

When my clients ask me “what is the best approach to crisis communication?”, it’s simple – preparation! Anticipating crisis scenarios, assembling the crisis communications team and on-going training is the key.

Crisis Communication Principles - Preparation, Speed and Consistency

Preparation (Pre-crisis)

Be proactive. Always assume the worst case scenario. Do not assume that nothing will go wrong. Why? Because when an organisation plans for the worst-case scenario, they take all potential issues into account. It is better to think about the possible responses now, rather than under pressure during an actual crisis.

Have a plan

A Crisis Communications Plan is an essential tool in dealing with a crisis or disaster event. Regardless of the sector in which they operate, every organisation needs an up-to-date plan. At every stage of a crisis, from the moment it breaks to the post-crisis evaluation, the company’s image, reputation and good name are at risk. The Crisis Communication Plan needs to address the objectives of:
• communicating the right message;
• at the right time;
• to the right people.

Selecting the Crisis Communications Team

The team members within this small group need to be agile, alert, reachable and have absolute authority when a crisis unfolds. This team will usually be led by a senior executive such as the CEO, owner or ultimate stakeholder, and include the company’s legal representative, two official spokespersons (in case back up is required if one is unavailable), the lead in-house communications manager and/or an external public relations agency to support in-house communications where additional expertise is required. In my experience, having legal representatives as members of the crisis committee (remember, these are the key decision makers during a crisis) can potentially lead to disagreements when strategy and messaging are involved. Legal representatives that are included last minute may adopt a low-risk approach and push for a “no comment at this stage” response, which can bring an organisation’s reputation crashing down, especially when media and the public are hungry for information. I recommend having legal representatives involved as a proactive measure at the planning stage, rather than as a reactive response, to ensure a clear, structured and timely response during a crisis.

Communiations Manager

Crisis Committee CEO, COO, CFO, FM Legal Advisor External PR Team

Spokespeople

Figure 1: Crisis Communications Team

38 | Australian Security Magazine

Crisis Management Team Roles and Responsibilities

Each team member will have a specific function in a crisis. The ‘Voice’ – Spokespeople Spokespeople alone do not decide what is communicated to the media. They convey what information has been agreed on by the Crisis Committee. They are the ‘Voice’ of the organisation and must be professional, well presented, and comfortable standing and presenting in front of a camera and dealing with the press. Media training helps to build this confidence and is essential for anyone representing the organisation. CEOs commonly assume this responsibility, but let’s face it, they are not always the right person to be fronting the cameras. If this is the case, then best leave the task to the nominated spokespeople. The ‘Head’ – Crisis Committee The Crisis Committee is led by the CEO, and is also known as the ‘Head’. The committee, generally comprising 3-5 members as discussed earlier, is responsible for ensuring a majority vote is received for all decisions made relating to the crisis. This will avoid delay in taking required actions. Depending on the crisis, the committee may also need to include subject matter experts with specialised knowledge to inform decisions. The ‘Doer’ – Communications Manager In the event of a crisis, it’s important to have one person at the centre of all communications to ensure timely and consistent messaging reaches all audiences. This is the role of the Communications Manager, who is responsible for: • activating the Crisis Committee (the Head); • developing close media/press contacts who can be notified directly when required; • having access to the company website to update company information for the public; • communicating the decisions of the Crisis Committee to the Spokespeople (the Voice); • preparing ‘holding statements’ for the Spokespeople; • approving communications messages before they go live; • reporting developments back to the Crisis Committee as they happen. 
The ‘Doer’ is also responsible for pre-preparing media messages and contacts and having this information, as well as standard company collateral, available at all times. This will ensure operational readiness – an understanding of possible crisis scenarios, what the organisation’s response will be in advance of an event occurring, and to whom it will be directed. It’s important to remember that during a crisis, time is of the essence and the Communications Manager does not want to be developing or recreating materials from scratch. Consider having high-resolution images of the company, spokespeople, company products/media documents and stakeholder information already uploaded to an accessible location, such as a cloud server, in case of a power failure. This ensures all relevant crisis information and media contacts are retrievable via any browser or device in any location.


Crisis Management Focus

A crisis may be perceived as a ‘oneoff’ incident which the public trusts the company will resolve quickly and effectively, however it is still important to be proactive in communications as soon as possible.

Relief • Express relief by demonstrating some of the company’s safeguards. • Provide information on any positive outcomes regularly (e.g, “all persons have been evacuated from the building without injury”) Reassurance • Provide reassurance that all possible steps are being taken to right the wrong. • Communicate the actions the company is taking to prevent the event from occurring again. • Keep the public and media informed on a regular basis (usually every hour in the initial stages of the crisis).

When Crisis Hits!

Analysis (Post Crisis)

In most cases, by the time an organisation first learns of a crisis, they are already on the back foot and in a reactive position. The goal is to gain control as early as possible. In this world of always-on social media, news will spread globally whether it’s with information provided by the company, or with information the media has ‘assumed’ or obtained from uninformed sources. By being prepared, organisations can be in control of this. Be proactive, utilise holding statements and address the media without delay. Holding statements are short messages prepared in advance; designed to be used immediately after a crisis hits. They are ideal for filling in the media ‘vacuum’, and give the Crisis Committee more time to prepare their full response. A company’s reputation can be an advantage at this time. A good reputation not only supports business growth, it can help deflect or minimise negative events when they occur. A crisis may be perceived as a ‘one-off ’ incident which the public trusts the company will resolve quickly and effectively, however it is still important to be proactive in communications as soon as possible. An example of a basic but effective holding statement is:

After the dust has settled and the media approach is no longer ‘in your face’, it is important for the Crisis Committee to sit down and evaluate their communications approach: what did they do well; what have they learnt; and what will they do better next time? Answering these questions will improve the Crisis Communications Plan and help the organisation to be better prepared in the event of a future crisis. I recommend documenting this round table debrief and filing it along with communications documents such as media logs and holding statements for use at future training sessions. And I can’t stress enough the importance of spokesperson/ media training in benefiting a company’s reputation in times of crisis – an organisation’s public face throughout a crisis must be calm, confident and trusted by both the media and community. In conclusion, it is one thing to anticipate a crisis event; however, it is another to be prepared when the event unfolds. I hope that organisations are getting the message these days that the need for crisis preparation, whether it be crisis communications, disaster response or business continuity, has significantly increased over the past decade. In today’s ever-changing environment of high speed communications through digital and social media platforms, organisations cannot afford to just have a plan in place. The question they must ask themselves is, “are we really ready to act on it?!”

“At 9:30am this morning, we were informed of a power failure to our network. No injuries have been reported at this time. The cause is under investigation and we expect to have more information within the next couple of hours. For updates, please visit our website (web address) or contact our communications department (contact details).” Remember: Human life must always come first. Ensure this message is evident across all communication channels – press conferences, media releases, radio, website and social media.

About the Author Eddie has a background in the development of security, emergency / crisis management frameworks and specialises in the convention, exhibition and live event sectors in Australia.

Concern, Relief and Reassurance All communications should convey “Concern, Relief and Reassurance”. Concern • First, ensure messaging demonstrates concern and consideration as to what has happened. • Be honest and open that a crisis has occurred. • Communicate that the organisation is doing everything in its power to find out exactly what has caused the event.



Crisis Management Focus

User driven planning methodology for crisis management

By Lex Drennan

Any consultant or practitioner who has been in the crisis management game for some time will know that exercising is a vital part of organisational preparedness for a crisis. Similarly, conducting post-incident reviews is an essential part of learning and improving an organisation’s capability. However, organisations have shown a remarkable inability to learn from experience when it comes to crisis management. There is a significant body of research and experience that points to this limited ability. This issue is so prominent now that post-crisis and post-exercise reviews discuss lessons identified, rather than lessons learned. In this article, I explore the idea that the failure of organisations to learn from experience arises from the planning methodology employed rather than from an inherent inability to learn from experience. With this idea in mind, an alternative approach to crisis management planning, driven by the user experience, is proposed.

A Failure to Learn

A significant body of research and practice has evolved about how to create learning organisations that learn from their experience managing crises. The underlying assumption of this approach is that the problem lies in the organisation’s ability to learn. Whilst this may be true, it may not reflect the whole story. What if part of this repetition of error lies in the crisis management practices asked of an organisation? What if asking organisations to learn these lessons is akin to asking a left-handed person to write right-handed? Whilst it may be possible, it does not come naturally or easily and requires an extensive investment of time and training to master.

The Problem with the Traditional Approach

The traditional approach to crisis management planning tends to be top-down and ‘expert’-driven. Plans and frameworks are developed, generally in isolation or with small scale consultation, and superimposed upon the organisation and the crisis management system participants. These expert-driven plans dictate what ‘should’ be, in accordance with prevailing best practice. A significant amount of time and energy is then invested into training people and adapting the organisation to the documented system. However, there is often little understanding of or engagement with existing organisational crisis management practice, culture and behaviour. The saying “a failure to plan is planning to fail” is almost axiomatic in the crisis management industry. This sentiment is often, potentially unwittingly, taken to mean that the absence of a documented plan means no crisis management capability exists. The organisation without a documented plan is, in essence, treated as a blank canvas on which ‘the plan’ can be readily superimposed. In practice, this necessitates ongoing training for organisations to learn and maintain their understanding of this expert-driven plan. Sustaining a crisis management training and exercising program is often challenging, and can rarely be conducted with the frequency necessary to ensure deep capability is built and maintained. This training liability is generally exposed during exercises and/or real incidents when plans are not followed or even referred to. Post incident reports and debriefs then take on a wearying familiarity as the same lessons are identified time and again.

Approaching the Problem Differently

The standard approach to building crisis management capability is to document the system, then practise increasingly complex elements of the system. This generally progresses through training individuals, training teams, to exercising one team then multiple teams simultaneously. This approach could be reversed by taking a ‘user-driven’ approach which makes two assumptions:
i. The organisation knows itself and its business best; and
ii. The organisation’s instinctive crisis management process is already embedded in its DNA.

User-driven planning (UDP) is a facilitated ‘bottom-up’ planning approach that captures the ‘as-is’ in the organisation’s response to a major business interruption. This approach turns the traditional planning methodology on its head. In UDP, the planning process commences by conducting a crisis management exercise without training or preparing participants. This allows the observation and documentation of the ‘as-is’, raw organisational approach to crisis management. The observed process is then shaped by best practice planning principles in an approach that seeks to mould the instinctive response to enhance effectiveness rather than dictate an entirely new system. The benefits of this approach are that it leverages day-to-day organisational practice, lessens the training liability required to maintain organisational capability, increases the utility of crisis management plans and provides a crisis management framework that is instinctively understood by users.

Inside the User Driven Planning Methodology

Uncovering the User Experience

The first part of the UDP process is to conduct an exploratory exercise to enable the observation and documentation of the ‘as-is’ organisational approach to crisis management. UDP begins by uncovering the untrained, reflex reaction of an organisation to managing a crisis. In the UDP process, planning commences with a full scenario-based exercise. This simulation is, ideally, as close to ‘real life’ as budgets and organisational appetite will allow. The exercise is ‘cold’ in the sense that pre-warning is limited, reducing the opportunity for people to prepare or, as is frequently the case, be busily engaged elsewhere. Exercise control assumes two functions during the exploratory exercise – exercise coordination and detailed observation. This extends beyond the normal duties of exercise control to observing participant activity. In an exploratory exercise, it is essential for Exercise Control to document all activities, management pathways and decision points. These pathways will be retrospectively mapped and explored by participants as part of the exercise debriefing process.

Capturing the User Experience

The second step in the UDP process is to engage exercise participants in mapping their response process, decision pathways and decision logic. This is conducted as part of the exercise debrief and also includes a forum for participants to identify which elements of the raw process should be sustained and which parts were not effective. Gaps in capability can also be identified at this stage. At the conclusion of the exploratory exercise, the traditional post-exercise debrief becomes a planning forum for participants. The process of identifying learnings and brainstorming improvements can be directly captured and written into plans. These ideas generate a structure and approach that has meaning to participants and addresses issues they have experienced first-hand. This debrief also provides participants with the opportunity to identify capability gaps and collaboratively generate a capability development program that is meaningful and supported. In this context the Post-Exercise Report documents the instinctive crisis management process within the organisation, and participant observations on how this process can be improved.

Refine the Plans and Framework through User Application

In this step, the observations and mapping conducted during the exploratory exercise and debrief are translated into the crisis management framework and plan/s. This activity involves refining the ‘as-is’ process to produce a plan that is consistent with organisational instinct and reflective of good practice. Documentation is then reviewed through an iteration of the user-driven planning process, with participants applying the draft plans to a desktop exercise scenario. The Post Exercise Report forms the basis for developing the crisis management framework, plans and training and capability development program. The actual documentation of the framework and plans then involves the careful application of planning principles to shift the organisation towards good practice that builds on and reflects its existing, instinctive processes. To ensure the UDP process remains consistent with its guiding principles, it is important that draft plans are subject to review and input by users. Commonly this is done by circulating documents for mark-up and feedback. However, this approach lacks the immediacy of applying the plans to a scenario. Consequently, the refinement step of the UDP calls for user revision of plans through a desktop exercise. Participants are then able to meaningfully determine the utility of the plans and the ease of application, and identify areas for improvement.

User Driven Training & Capability Development

Throughout the process of the exploratory exercise, debriefing, then the review exercise, participants will have numerous opportunities to identify where the organisation needs to build capability. This feedback should form the basis of a capability development and maintenance program that reflects participant understanding of their needs. Making these activities short, regular and targeted moves the program away from repetitive training of the plan to building the complex skill sets necessary to effectively manage an incident.

Conclusion

User Driven Planning puts the crisis management practitioner in the position of chronicler and observer. The focus of planning becomes subtly adapting the embedded crisis management DNA towards better practice rather than dictating best practice. This approach fundamentally relies on the premise that under stress, people and organisations revert to doing what they know by instinct. Identifying that instinctive process, making it explicit and harnessing it forms the basis of User Driven Planning.

About the Author

Lex Drennan is an industry leader in crisis management and business continuity. She has held senior roles in the public and private sector, with broad experience across mining, oil and gas, natural hazards management, critical infrastructure protection and business continuity management in financial services. Lex is an Adjunct Industry Fellow within the Griffith Climate Change Response Program at Griffith University, researching in the field of disaster resilience.



Corporate Security

Modernising your security strategy

By Peter Tran, General Manager and Senior Director of RSA Security’s Worldwide Advanced Cyber Defence Practice, RSA

While cloud, mobile and the Internet of Things (IoT) present undeniable efficiencies and opportunities in the business world, the reality is that they also add a multitude of cybersecurity complexity and potential exposure. In 2016, over 260 billion apps were downloaded over the Internet across approximately 7.5 billion mobile devices communicating in an interdependent web with cloud based platforms and services. This is referred to as the Internet’s “Third Platform” and is where innovating your information security strategy is imperative. Many organisations are finding the increased efficiency gained from new technologies is paramount to remaining competitive in today’s “Third Platform”, as these technologies are foundational to many critical key business and operational innovations. The number of devices, identities, and cross-functional systems across hybrid cloud, on-premise, public/private infrastructures, mobile platforms and shared business IT services is skyrocketing. To date, there are over 22 billion connected IoT devices on the World Wide Web with a projected growth to over 50 billion by 2020. This is predominately driven by an increased adoption of cloud collaboration infrastructures, mobile workforce, sales and operations teams as well as an expanding number of global trusted partner networks and privileged external/third party users. The explosion in the number of devices, identities, and shared systems isn’t just transforming business but is changing critical cyber security requirements directly related to the sheer scale, speed and complexity by which organisations, both public and private, are migrating legacy systems to the “Third Platform”. While modern organisations are capitalising on cloud, mobile and IoT, they are also expanding their attack surface— and with it, new “hacker hot spots” are left in the wake of IT technology expansion, which leaves a fertile ground for nation state hackers and cyber criminals to exploit.

The worldwide cybersecurity spend for 2016 topped US$74 billion according to research analyst firm IDC, with projected spend to reach over US$102 billion by 2020. Despite this level of spending, we have seen over 2,000 data breaches, 700 million personal records stolen with an average financial loss of US$3.5M per incident. That said, the most shocking statistic is that on average, organisations were aware they had been hacked less than 30 percent of the time. Another way to look at it is that with today’s aging security capabilities, hackers have a 70 percent chance of breaching an organisation’s network undetected. It’s a reality check now, and time is not on our side, for organisations to face the hard facts. Traditional security measures no longer stack up against the advanced cyber risk that organisations face today. They are ineffective because they are built around the belief that attacks can be prevented based on conventional perimeter-based designs. The rapid transformation to the “Third Platform” coupled with new attack techniques and tactics is driving a call to action for strategies to be put in place to manage attacks based on business context and operational risk, or “business driven security”. Traditional security strategy has typically been an afterthought, focused almost exclusively on protecting technology and systems that have already been put in place within legacy on-premise infrastructures. Business initiatives were, and in many instances still are, developed without considering the cyber risk exposure associated with them. In fact, many organisations have not even gone through the exercise to determine what their cyber risks are. Simply put, the right hand doesn’t know what the left hand is doing. The widening gap between business context and cyber risks is where breach exposure exists.

The gaps in traditional security strategies become wider with the proliferation of cloud, mobile and IoT, as well as a surge in third party workforces within organisations, all adding to business complexity and risk. If businesses want to modernise their security operations, technology investments alone are insufficient. Security innovation and transformation begins with a balanced strategy between IT architecture, infrastructure, technology, process, automation, data analytics, effective workforce management, compliance and governance. Cloud technologies provide enterprises with on-demand anytime/anywhere access to key applications, services and platforms. However, what many organisations fail to realise is that all the convenience provided by the cloud is in fact at the heart of the problem: better, faster, cheaper but NOT necessarily secure. Decisions about cloud systems are often made by siloed and federated departments while bypassing formal approval channels and without the knowledge of IT - a practice that is called working in the shadows or “Shadow IT”. It’s easy for malicious insiders and other attackers to take advantage of Shadow IT. Cloud systems often interact with other business and operations systems and/or are used to store the organisation’s valuable data about engineering/development, partners, prospects and customers. In this way, attackers can easily compromise cloud systems in order to steal proprietary and/or confidential information completely undetected. The best way to control cloud technologies is to gain complete visibility into the cloud infrastructure and services being used and implement appropriate controls. Although this is easier said than done, it is a sound security strategy that drives continuous monitoring and early detection across the cloud and to the end points.

Additionally, “Bring Your Own Device” (BYOD) has now become common practice for most organisations, allowing employees to work remotely and/or have access to the organisation’s information from their personal devices. Does this further compound the problem? Absolutely! The combination of mobile or potentially rogue devices and an Internet connection is enough to breed mass scale mobile security risks. Users may rely on a device and/or connection that is not owned, provisioned, managed, or controlled by the organisation. If businesses provide mobile devices to employees or have a BYOD policy in place, then it’s critical to closely monitor activity for all devices accessing organisational data. Modern organisations are aware of the risks involved and as such, they have control over which business data can be accessed by and saved to mobile devices. More importantly, continuous monitoring and early detection through user behavioural analytics (UBA) in the context of business risk should be a top priority within an adaptable security strategy.

In only three years there will be over 50 billion connected devices and sensors worldwide. How prepared are organisations to integrate and cope with the influx of business-enabled, internet-enabled devices? Many of these devices and sensors send continuous streams of unstructured information about business and operational activities across the Internet where that information is harvested for insights. As such, IoT is often referred to as the “Next Industrial Revolution” – with the promise of dramatically increasing the production and efficiency of manufacturing, healthcare, banking, workforce productivity and more. This is the promise of “connected and enhanced living”, and business driven security will be a force enabler in managing “Third Platform” risks of intrusion, data disruption and destruction. As security strategy shifts from perimeter defence to managing a dynamic, business driven security environment, a stronger partnership between business leaders and their security experts is essential. Business leaders want to know what the business impact is or would be of a security breach. Security experts focus on the technological details and implications of a security breach. This gap in understanding stands in the way of being able to answer THE critical question when an incident does occur… HOW BAD IS IT TO THE BUSINESS? The goal of a modern organisation’s security strategy is to create harmony between the security strategy, IT environment, and business and operational priorities. As such, modern organisations are moving rapidly toward a business-driven security strategy—developed in collaboration with the broader IT team, operational and business leaders—that prioritises security efforts by connecting security risk to the business and operational risk. Fully understanding the security risk in the context of impact to business and operations is key. With a business-driven security strategy, organisations can connect security risk to business risk that is contextual and specific to the growing organisation.

About the Author

Peter Tran is an Advanced Cyber-defense Technology, Security Operations Practitioner and Executive Leader with over 18 years of demonstrated field experience focused on developing, implementing and growing cutting edge cyber-counterthreat, exploitation solutions and operations to address new innovations, applications and applied information security defence methods. As the GM & Senior Director for RSA’s Worldwide Advanced Cyber Defence (ACD) Practice, Peter is responsible for global cyber defence strategy, breach readiness, security operations design/implementation, intelligence and proactive computer network defence solutions and services. Prior to RSA, Peter led Raytheon’s commercial cyber professional services and solutions business as well as its Enterprise Security Operations and Cyber Threat Programs for SOC/CERT, intelligence, APT threat analysis, technical operations, exploitation analysis and adversarial attack methodologies research/tools development. He possesses over 18 years of combined government, commercial and research experience in the field of computer network forensics, exploitation analysis and operations.



Corporate Security

How to see the cyber and disappear completely

“After 20 years of research, we have condensed our hacking experience into two innovative products: a cyber radar system that visualizes, measures and controls the whole cyber-physical space, and a moving target security solution that makes data traffic and networks invisible to the outside world.”

By Nicolas Mayencourt, CEO of Dreamlab Technologies Group

Technology to the core

Over the last 20 years, I have attacked and penetrated my clients’ networks and infrastructures. When I started my business as a professional hacker in the late 90s, the topic was a marginal one, followed only by a small, peculiar but very skilled community. We literally penetrated our customers’ infrastructures to the core – to the bits and bytes. During these years, IT developed into being the most central element of modern societies, from running banks, telecoms or governments to our very own pocket smart phones. Nothing works without it – we are completely dependent. “Cyber” has become “physical”. It is part of the world we live in: houses, doors, cars, planes, trains ... But the technology used to transfer data over networks is still the same, with all its weaknesses and vulnerabilities. It was envisioned forty years ago in a research project within trusted peers. With the effect that, as Verizon states in its 2016 Data Breach Investigations Report, “no locale, industry or organisation is bulletproof when it comes to the compromise of data”.

Insecure by design

This technology has been developed to reliably transfer data. It has not been designed to be secure, private, or confidential. Therefore, cyber-crime has become a very profitable business, reporting an average cost of AUD 5.2 million per data breach in 2015. Politics are influenced by state sponsored cyber-activities. While there are still very serious allegations regarding the US Presidential elections last year, a decision was made by Dutch authorities to roll back electronic voting for the March 2017 government elections. Media reported that there were concerns about Russian interference with those systems. And without being fully aware of it, we are already critically exposed to the danger of remote killings by cyber terrorists, as allegedly disclosed by WikiLeaks in their latest dump of CIA papers.

Time for a change in cyber defense

For 20 years, I fought cybercrime. I discovered malicious attacks and tricky frauds, web-based criminal organisations, disguised terrorists. While studying their methods and “business models”, I began to ask questions: “What if we could change the concept of our networks fundamentally? What would it need to prevent attacks and crime once and for good?” One possible reaction (and not the worst) is: back to manual / pre-IT methods (i.e. counting votes by hand in the Netherlands). Disappear from cyber-physical space by not using it anymore. But this means surrender. Another one is the common practice of bug fixes, patches, hardening. But this is no active defense, just a reaction and always one step behind the aggressor, as proved by the continuous stream of data breaches in all kinds of sectors. I gathered my team of the best hackers worldwide and step by step we developed better ideas. And we elaborated the reactions into solutions: make the cyber-physical space fully visible and / or disappear completely.

“See the cyber-physical space”

We developed “cyobs”, a cyber radar system that makes all vulnerabilities and dependencies of your own cyber-physical space fully visible, measurable, and thus controllable. Only what is known can be protected. cyobs serves as a command information system that makes it possible to manage information security over wide expanses and to the edge of it. At Government level, cyobs helps armed forces and security services to protect points of access and territories against cyber threats and cyberwarfare.

“Hide the cyber-physical space”

To protect your own cyberspace, the only thing you need to do is: make it invisible. Because you cannot attack what you cannot see. You cannot destroy what you cannot find. You cannot steal what you cannot catch. Instead of preventing intrusion into a static network, the network becomes a proactive, dynamic system of moving targets. This is what our innovation, _cyel equilibrium, is all about. Users are no longer directly visible to the outside world. All data traffic is encrypted. Any intruder moving laterally will inherently be spotted. Moving target security writes the new rules of cybersecurity. It re-establishes full control to the network owner. _equilibrium is delivered as an easy overlay network, a software defined network, that is retrofit compatible, leveraging existing networks as a transport, but building atop them the dynamic flow control and inspection, the stochastic network obfuscation with random topology mutations and cryptography to ensure that you are not just protecting the message, but the messenger too.

About the Author

Nicolas Mayencourt has 20 years of professional experience in Information Technology. He is a Cyber Defense specialist of the 1st generation. As a member of the board of ISECOM he defined today’s security standards. Dreamlab Group is an internationally operating think tank, lab, and network, focused on cutting-edge security. Part of the Group are cyobs, the world’s first Cyber-Radar System, _cyel, the moving target security pioneer, and Kolab, the world’s only secure communication and groupware. Furthermore, Dreamlab developed tools for advanced cyber forensics. For over 20 years, Dreamlab has been securing its customers’ data and infrastructures, and fighting cybercrime – worldwide.

Australian Security Magazine | 45


Cyber Security

Your mum & IoT security

By Morry Morgan, IoT & Technology Correspondent

On October 21, 2016 the USA suffered one of the largest cyber attacks of its kind. But this wasn't the Russians. The culprits were much more terrifying. Thanks to the boom in Internet of Things (IoT) devices and poorly configured innate security features, the culprits were ordinary and naïve mums and dads spread across 164 countries. To be more precise, it was their 500,000-plus unsecured routers, digital video recorders (DVRs), security cameras, and even refrigerators that caused the outage, turned into ‘zombies’ by a botnet called Mirai. These mundane appliances, albeit with Internet connectivity, were one minute keeping vegetables fresh or recording an episode of Game of Thrones, and the next sending lookup requests with a combined volume of 1,100 gigabits per second, all to a single IP address.

Had the victim been a lone website, as was the case on December 31, 2015 when the BBC was hit by a Distributed Denial of Service (DDoS) attack from ‘New World Hacking’, only a small number of users would have been inconvenienced. But the Mirai botnet was more strategic. It attacked the Domain Name Service (DNS) provider Dyn, based in New Hampshire, and in doing so made the websites of Amazon.com, AirBnB, Netflix, and over 70 other significant companies invisible for six hours. The IoT had successfully been used for evil, at a cost to companies of roughly $110 million in potential lost revenue.

Mirai represents a new type of threat for the interconnected world. By its very nature, IoT creates the conditions for rapid proliferation of botnets that often have, as was the case for Mirai, scanning programs that automatically search the Internet for unsecured devices. They then infect, replicate and then hibernate, until a command is given to awaken and unleash cyber chaos. Worse still, IoT DDoS attacks originate from thousands or even hundreds of thousands of devices worldwide, whose owners are completely ignorant that they are accomplices in a crime. And even if they did know, many IoT devices have no simple patch, update, or virus scanning functionality, meaning the IoT device will be part of the problem until it is replaced. That could be years or decades. In the meantime, the exponential growth of IoT devices is estimated to reach 20 billion by 2020.

One solution lies with the regulation of manufacturers. Frank Zeichner, the CEO of IoT Alliance Australia (IoTAA), says that modems in Australia that are “behaving badly” are visible to Internet Service Providers (ISPs) and that these ISPs are responsible for sharing this information with the Australian Communications and Media Authority (ACMA). But while vulnerabilities are being reported, “currently in Australia they are not being acted upon. There are no teeth in responding to this threat.” Zeichner believes that it's just as important to get information out to consumers regarding the vulnerability of their routers, cameras and IoT-enabled white goods. But he adds that this education will take time and investment. “If Harvey Norman sales people don't know about the vulnerabilities, then their customers aren't likely to know either.”

This is made more challenging by the eagerness of many manufacturers to release ‘smart’ products without a complete understanding of the repercussions of lax security. Evidence of this is last week's warning that an IoT dishwasher, produced by German white goods giant Miele, was ‘prone to a directory traversal attack’. These types of attacks let hackers access directories and data, such as sensitive configuration files, and potentially hijack the machine and infect it with malware or a botnet like Mirai. In a worst-case scenario, the Miele dishwasher would still give you spotless plates, but could simultaneously crash your favourite shopping website.

Zeichner hopes that the ACMA can encourage IoT manufacturers to follow a code of conduct on security, with a kind of ‘Heart Foundation Tick of Approval’ for those abiding by the rules. Failing that, he believes that “badly behaved manufacturers should be made public and suffer the consequences to their reputation.” And he hopes that as the IoTAA grows, from its membership of 140 companies and 450 individuals, as well as observers from both State and Federal governments, its recommendations become full-blown legislation.

At which point, the second solution becomes available: legal action. In the United States, where IoT regulation is slightly ahead of Australia, the Federal Trade Commission (FTC) has filed a complaint against the Taiwan-based computer networking equipment manufacturer D-Link Corporation and its US subsidiary. The claim, submitted in January, states that the company “failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras.” This is despite the company stating on its website that the hardware was “easy to secure” and had “advanced network security.” This was clearly not the case; D-Link was a favourite target of the Mirai botnet. Further, the company's inadequacies in security have been documented as far back as 2009. The hardware-hacking site Hackaday.com has its own section on D-Link, with step-by-step guides on how they've hacked the company's many routers over the years.

The FTC's action is a warning shot across the bow of the IoT industry, although it will be a while before the outcome is known. In the meantime, the agency is also trying to be part of the solution by launching the ‘IoT Home Inspector Challenge’, a kind of ‘bug bounty’ for freelancers, with a grand prize of US$25,000 for the best tool that helps “protect consumers from security vulnerabilities caused by out-of-date software”. The FTC hopes to employ the collective skillset of the IT community, a model used by the likes of Facebook, Google, and the original ‘bug bounty’ pioneer, Netscape. Some companies have also profited from this outsourcing trend, developing a solid business model of rallying ready-for-hire ‘white hat’ hackers. HackerOne, one such bug bounty coordinator, has over 100,000 registered freelancers and boasts that 75% of companies that sign up to the service receive a bug report in less than 24 hours. That efficiency will be necessary with the exponential growth of IoT products, combined with the ignorance and too often callous behaviour of manufacturers.

Of course, there is one other possible solution to ensuring IoT security, although Zeichner is quick to add that the consequences could be damaging to the entire industry. “Cyber-security insurance in the United States currently sits at about 3%, and there's an indication that this will grow. And since insurance companies don't like paying up, they will look to sue the culprits of the security breach.” Their targets are not necessarily going to be the hacker, or the manufacturers who have skimped on security. It's also possible that they will ignore the distributors and wholesalers, who have ‘aided and abetted’ in distributing susceptible IoT devices. The most terrifying scenario is that these insurance companies, in their goal to recoup losses, could target those harbouring the infected routers, DVRs or Miele dishwashers. They could be coming for your mum and dad.
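The Miele warning above concerns a directory traversal bug: a device's web interface joins a client-supplied path onto its document root and opens the result without checking that the result still lies inside that root, so a request containing “..” segments reaches configuration files it was never meant to serve. The Python below is an added illustration of the containment check a device web UI should perform; it is written for this article and is not code from Miele, from the Mirai analyses or from the magazine, and the served directory `/srv/iot-webui` and the request strings are constructed sample values.

```python
import os


class TraversalError(ValueError):
    """Raised when a client-supplied path would escape the served directory."""


def resolve_safely(base_dir: str, requested: str) -> str:
    """Map a relative path from an HTTP request onto base_dir, refusing any
    request that resolves outside it. Returns the absolute filesystem path.

    The defect this guards against is the 'directory traversal' pattern:
    concatenating base_dir and the request string and opening the result,
    so that '../../etc/passwd' walks out of the document root.
    """
    # A NUL byte can truncate the path inside C-based file APIs, so reject it
    # before any normalisation happens.
    if "\x00" in requested:
        raise TraversalError("NUL byte in requested path")
    # Clients may only name files relative to the served directory.
    if os.path.isabs(requested):
        raise TraversalError(f"absolute path not allowed: {requested!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses '.' and '..' segments and follows symlinks, so the
    # containment test below sees the path's true destination rather than
    # the text the client sent.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling directory such
    # as /srv/iot-webui2 is not mistaken for being inside /srv/iot-webui
    # (a plain string startswith() check would get that wrong).
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows: never inside
        inside = False
    if not inside:
        raise TraversalError(f"path escapes served directory: {requested!r}")
    return candidate


def is_safe(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_safely for quick checks."""
    try:
        resolve_safely(base_dir, requested)
    except TraversalError:
        return False
    return True


def classify_requests(base_dir: str, requests):
    """Return {request: 'serve' | 'reject'} for a batch of request paths."""
    return {r: ("serve" if is_safe(base_dir, r) else "reject") for r in requests}


# Constructed sample requests of the kind a device web UI might receive.
SAMPLE_REQUESTS = [
    "index.html",                 # ordinary file under the root
    "static/../index.html",       # '..' that stays inside the root
    "../../etc/passwd",           # classic traversal out of the root
    "static/../../etc/shadow",    # traversal hidden behind a valid prefix
    "/etc/passwd",                # absolute path
    "conf\x00.png",               # NUL-byte truncation attempt
]

if __name__ == "__main__":
    for req, verdict in classify_requests("/srv/iot-webui", SAMPLE_REQUESTS).items():
        print(f"{verdict:7s} {req!r}")
```

The check must run on the decoded path, after the HTTP layer has percent-decoded the request, otherwise an encoded `%2e%2e/` slips past it; and because the candidate path is resolved with `realpath` before the comparison, a symlink planted under the document root cannot be used to point the server outside it either.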




Cyber Insurance: Is it time to start the conversation?

By Meera Wahi

Businesses are investing in security to manage cyber risk. They wish to safeguard the digital boundaries of their enterprises to prevent external agents from finding a way through their cyber defences. External agents, on the other hand, are continuously trying to access the digital networks, assets and transactions of businesses for malicious gain. Such attempts, classified as cyber incidents, are unauthorised, uninvited, unlawful and frequently successful.

Businesses embrace digital technologies for their increased efficiency over dated alternatives, as well as to provide greater value propositions for customers. However, despite these benefits, acceptance of the risks and liabilities that come with operating in the digital world is necessary, and is only taking place now. In this process, general security measures are implemented, usually starting with firewalls, anti-virus software, cloud and email security, data encryption, and cloud storage. Additionally, there are NIST framework and compliance, PCI compliance, penetration testing, patch management practices, regular password management, and staff training. The approaches above lend themselves to operational resilience and, in conjunction with implementation of business continuity planning and incident response, the enterprise believes it has fulfilled the criteria of fiduciary responsibility and self-sustainability.

Privacy

With the digital world comes customer data, big data and analytics. In implementing digital strategies to target and understand these data subsets, businesses continue to collect large amounts of third-party data from multiple sources. The gain is insight into customer behaviour, and behavioural data to help corporations serve consumers more effectively. Data comes with obligations to protect the privacy of personal data and consumer identity, as well as the privacy of digital storage, sharing and/or disclosure of data. If said obligations are not met, businesses can be held liable for privacy breaches, with the consequence of regulatory fines.

Risk Management

Having summarised current concerns of operating in the digital world, let us visit cyber risk. Cyber risk, like others, must be measured and managed. Risk can be managed through elimination, mitigation, transfer, or acceptance. How are businesses managing cyber risk? Due to increased investment, cyber security controls are becoming more sophisticated. However, cybercrime and other cyber incidents are increasing as well. Cyber risk cannot be eliminated entirely, yet ongoing investment in security is necessary. However, investment is justifiable only until incremental security expenses no longer produce equal mitigation of risk, at which point returns diminish. Risk transfer is possible through outsourcing data, yet general law does not allow outsourcing of liability for, or ownership of, data. Furthermore, risk transfer is also possible through insurance. Insurers accept risk on behalf of the insured, for a premium and certain pre-defined conditions. If an event occurs that causes loss to the insured, then a claim can be made to the insurer.

In my conversations with security consultants and vendors, I commonly heard, “insurance works against what security vendors or consultants do. If they do their job well, then their clients would never need insurance.” So when is the right time to speak about insurance? The process of risk management starts with a business listing all cyber risks as part of a risk register, which rates and defines risks according to their impact and probability. Each risk then corresponds with a specific strategy, aimed at providing proper solutions, whether that be elimination, mitigation, acceptance or transfer. The conversation at this stage concerns implementing security controls and relates to elimination and mitigation of cyber risk, as well as to risk transfer through insurance. A risk strategy must explore all options available and must be driven by ROI principles. Cyber risk brings financial, compliance, reputational and operational risk. A straightforward investment in security may miss the impact of such risks. Businesses, after having compiled a risk register, must then draw up an insurance register for all risks. This register must be paired with a specific insurance policy for every risk scenario that the business feels is appropriate. Thus, a conversation on insurance cannot be ignored in any cyber risk management situation, as it is an intrinsic part of the total strategy. An insurance broker is as much a part of cyber risk consulting as a security vendor or consultant.

Coverage & Benefits

Insurances for business are covers for indemnity or liability. A business may wish to offset costs where damage or loss has occurred on which the business needs to spend money. Costs associated with restoring a business to full operation are covered by indemnity insurance. Liability cover is provided for incidents where a business may be in breach of legislation and may incur legal action, payouts or regulatory fines. Businesses in their operating environment must abide by legislation. Cyber insurance is insurance for indemnity and liability expenses related to cyber incidents. It also pays for crisis response expenses, such as forensic testing, public relations and mandatory notification expenses. With the passing of a mandatory disclosure bill in parliament, crisis response became a necessity of cyber insurance and a must-have for businesses covered by the Privacy Act. Cyber insurance comes with an expert panel of legal, forensic, IT and PR experts. They are made available to the business within twenty-four hours of an incident report. All expenses related to the claim are borne by the insurer, and any out-of-pocket expense can be claimed. Insurance saves a business time, money and expensive payouts in managing a data breach. A business, depending on its size and risk profile, can get one million dollars in coverage for ten thousand dollars, delivering a high return on investment.

Conclusion

Recognising that cyber risk has to be managed through all components of a risk management strategy would lead to robust discussion on cyber resilience. Businesses must include all available options whilst continuously investing in security.

About the Author

Meena Wahi is the Director of Cyber Data-Risk Managers, a specialist insurance broker for cyber insurance, data breach, intellectual property and reputational loss insurance. Meena has been engaging with stakeholders in the evolving cyber risk space since 2011. She has an MBA from Monash University.



EDITOR'S BOOK REVIEW

BOMB SAFETY AND SECURITY: A Manager's Guide. How to prepare for and respond to: Bombings, Bomb Threats, Unattended Items and Post Blast. Available at www.asrc.com.au/publications/books/bomb-safety-andsecurity-the-managers-guide/

As a police officer between 1990 and 2005, it is ominously easy for me to draw on my own recollection of bombing incidents, be it the 1986 car bomb outside Police Headquarters in Russell Street, Melbourne, killing a policewoman; the 1994 NCA bombing in Adelaide that killed a WA colleague, Detective Sergeant Geoffrey Bowen; or the 2001 car bomb in Perth killing former WA CIB chief Don Hancock and his friend Lou Lewis. Any bombing attack will be framed around a motive, access to the materials, knowledge and understanding of those materials, and the opportunity to execute a plan. These essential elements of a successful bombing are critical to understand the moment a bomb threat is received or should a bomb incident suddenly occur.

Don Williams CPP has a passion and wide industry recognition in this field and sets out to share this understanding and appreciation of the fundamentals of bomb safety and security. This text provides the necessary insight and structured information to develop an important knowledge base when applying bomb security management principles and knowing how to plan, prepare and respond. Whether it's in the form of a bomb threat or post an explosion, "experience and statistical analysis show that bombings are still the preferred weapons of terrorists as well as being a common tool for criminals." Therefore, this book is an important contribution “designed for government and corporate managers whose primary consideration is how to protect life and the organisation while minimising unnecessary disruption.”

The fundamentals for managing bomb incidents are:
• An understanding of bombs, their effects and why they are used;
• An understanding of the different types of bomb incidents;
• The application of basic security practices to prevent bomb incidents, as far as is possible;
• Consideration of the factors related to bomb incidents in relation to the organisation;
• Application of the principles for determining if a hazard may exist and for selecting the most appropriate response;
• Drafting, implementing, practicing and on-going reviewing of a Bomb Incident Management Plan; and
• Integration of Risk Management, Emergency Management, Business Continuity/Resilience, Human Resources, training and other management disciplines to provide sound bomb incident management capability.

Chapter 4 deals with preparing for and responding to bomb threats with the best practice approach of appointing a Threat Evaluation Team, including one for each site, to draw on different areas of knowledge; however, the final decision should still rest with a single person in their role as threat coordinator. The five phases of threat evaluation are known as the 5 R's: receipt, record, report, review, respond. Importantly, the threat evaluation time calculation is discussed, as is responding to unattended items and hazardous mail, including white powder incidents, through to search techniques. Modelling blast effects and blast calculations are discussed in Chapter 13, which might have been expanded with computer modelling examples. Threats from social media channels and response using social media receive somewhat limited discussion. Despite these points, this is indeed an important and needed guide to have on the bookshelf or within reach of any manager with security, emergency or facility management responsibilities. The chapter checklists and the list of fifteen bomb incident examples also provide a degree of immediate application and enhanced readiness should an incident occur. If you don't have a bomb response plan, or aren't even aware of the relevant text to have at your fingertips, here's your opportunity: have it on the shelf! Well done Don!

Chris Cubbage CPP, RSecP, Executive Editor

Have you recently published a security related book? Or have you just read a new, great security book? Please email us at editor@australiansecuritymagazine.com.au

