Print Post Approved PP100003227
THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2016
Contents
Editor's Desk
Industry Insights
Quick Q @ A Tony Patterson
Corporate Security
Deception detection uncovered: Truth seeking through interrogation
Prevention is still better than cure
Insider threat can be eliminated with a proactive approach
7 ugly truths about compliance
Frontline
The safe city and its need for interoperability
Malaysia: Security and risk environment
FORTINET FEATURE
Cyber Security
How will Australia keep up
The non-IT expert’s guide to surviving a cyberattack
How has information technology become the latest security threat?
Fighting technology with technology
Creating a culture of security to defend against social engineering attacks
Are security vendors leaving your business at risk
Digital Identity
Verizon data breach
Locating a new weapon for Australia’s data detectives
TechTime - the latest news and products
Editor's book review
Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Asia Pacific Region Correspondents: Tony Campbell, Prince Lazar
Correspondents* & Contributors: Sophie Zadeh, David Stafford, Simon Hill, Christopher Hadnagy, John Lord, Jaqueline M. Hummel, Greg Singh, Per Björkdahl, Tony Campbell*, Prince Lazzar*, Kim Maslin, Keith Suter, Lex Drennan
Marketing and advertising: T | +61 8 6361 1786, promoteme@australiansecuritymagazine.com.au
Subscriptions: T | +61 8 6361 1786, subscriptions@mysecurity.com.au
Copyright © 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
Editor's Desk
“If the process of life is about moving toward increased complexity and organization, a sort of sublime unfolding of greater and greater self-organizing systems, then we’re actually doing pretty well.” - Jason Silva
There is much to be aghast about when looking at the world in the context of security related events and incidents. But for the security industry and those with vocations within and around the security domain, the market outlook for the coming five to ten years remains very promising, in particular in terms of reliability of market demand. The challenge for security providers will remain to constantly improve and adapt to meet a progressive demand, with always a need for far greater efficacy than is current.
For example, with private security manpower standards remaining low across Australia, primarily due to an inept industry unable to influence change to poor State regulation, there is a period of disruption fast approaching. State and Federal Governments have little appetite other than to place the onus of responsibility and delivery of social order almost solely on police agencies. Despite setting new records in drug seizures and arrests, Police in turn are increasingly suffering budget limitations and an overwhelming social demand, and officers themselves are suffering post-traumatic stress disorders and suicidal behaviour, nationally.
Without any meaningful structural industry reform, the solution will increasingly come from the application of technology by police, to improve monitoring, tracking, response and containment capabilities, and anything else which will improve officer safety and increase the likelihood of offender apprehension. Therefore, technologies with monitoring, surveillance and forensic capabilities will remain in high demand.
Having watched the rapid deployment of unmanned aerial vehicles (UAVs) since 2008 and learning the strategic, tactical and operational capabilities and limitations that aerial drones bring, with some of the final limitations almost fully ironed out, it is now the security robot’s turn. Yet this time without the impasse of regulations restricting their use. Across all market verticals, the rise of the security robot will be a new challenge with the obvious ‘pros and cons’ for governments and security providers seeking greater detection, monitoring, awareness and analytical tools to assist security intelligence and law enforcement.
Behind this driving demand is a rapidly evolving technology industry, and security robot technology will disrupt the security sector more and faster than ever before, in a manner not seen since the advent of the first CCTV camera. Alongside security robot deployments there will be innovation needed in new training and simulation methods, including Virtual Reality training, use of gaming controls for tactical robots and general robotic operations for civil security. It will be the next five years where we will be identifying and closing the gaps in matching technology capabilities to operational security requirements.
With this prediction in mind, the coming couple of months will be a fascinating period, which gets underway in earnest in the first week of September with my visit to the Commercial UAV Asia Conference in Singapore and then launching our new Malaysia Security Magazine at IFSEC South East Asia in Kuala Lumpur. A week later I will head to Silicon Valley for the NetEvents Internet of Things and Cloud Innovation Summit. Then soon after the AISA National conference in Sydney we will be in Macau for the Canalys Channels Forum. Along the way we will provide market insights, updates and analysis. Stay tuned via @apsmagazine @ChiefITme @drasticnews
As our cover feature emphasises, we provide insight into the Malaysian security industry and we will be seeking more of a presence in Asia. Continuing our security review series on South East Asian nations, Malaysia has diverse ethnicity, race and language and faces dynamic security issues and challenges. This calls for maintaining a secure environment in the country, whilst providing opportunities for economic development and better stability.
The global economy and financial markets appear relatively stable, and that stability may well last a while longer; however, it has been described as “a deceptive, treacherous stability”, as risks are lurking and building in the background. I refer to my book review of James Brown’s Quarterly Essay ‘Firing Line: Australia’s Path to War’. We are in an unprecedented time with ever more elevated asset prices relative to historical norms, mounting private and public debt, diminishing returns to monetary policy and the rise of populism. And these are just those risks we are able to identify. All of this, and the uncomfortable but uncanny presence of radical uncertainty, such as the likes of Donald Trump, leads to a simple conclusion in a security context, ‘expect the unexpected’.
And on that note, as always, we provide some thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor
Quick Q&A with Tom Patterson
Unisys’s Tom Patterson discusses his career as well as his latest work with Unisys
Tom Patterson is Unisys’s Chief Trust Officer and Vice President of their Global Security business. He brings more than 30 years of leading-edge security experience, expertise, and innovation to Unisys, helping commercial and public sector clients tackle some of their most complex security challenges. Like many of today’s leaders in the cyber security industry, Patterson started his career working for the U.S. Government before venturing into the private sector where he’s since worked as a CSO (MCC), big-four partner (Deloitte), chief eCommerce strategist (IBM), and a founder of a tech start-up, backed by the Carlyle Group. Tom has also lectured on security at the Wharton School and Cal Poly, frequently giving keynotes at corporate and government events on security matters. The common thread to Tom’s diverse security career is building trust.
With his TOP SECRET government clearance, Tom also works on a pro bono basis with Congress, Federal law enforcement and the intelligence and counterintelligence communities, and has contributed to Presidential Executive Orders.
Nowadays, Patterson leads Global Security Solutions at Unisys, where he has helped defend many of the world’s biggest businesses, leading both technical teams in threat intelligence and threat response, as well as consulting at the strategic board/executive level, where appropriate governance is necessary to help the business address the threats of hacking, data-loss and cybercrime. Patterson’s primary focus within Unisys is to help the company bring better products to market, since he firmly believes that, “security will either make or break technology.” Patterson is regarded by many as a cyber security leader, and is regularly invited to consult with C-level executives.
When asked what primary issue he sees in the market, Patterson said, “It’s really hard for companies to know who to trust, since the industry is full of vendors selling the next must-have security products.” Patterson says that his outlook has always been to act in his customers’ best interests, becoming a trusted advisor so that executives can be assured he’s working in their best interests and helping ensure their strategic security direction is cogent and based on real risk reduction. Importantly, investment decisions need to be made on more than mere “vendor brochure-ware”, so transparency and advocacy are the two pillars of his organisation’s approach and ethos, which Patterson believes are critical in helping them become the trusted
advisor that executives need. The latest evolution in technology, where everything-as-a-service has shifted focus to the cloud has truly excited Patterson. Unisys has worked closely with Microsoft to help add Unisys Stealth (cloud)™ to the Microsoft Azure platform. Stealth layers additional security countermeasures into the Microsoft Azure cloud platform, helping to unify security management for anyone that wants to shift their line of business solutions into the cloud. Patterson said, “As enterprises shift from data centres to the cloud, security and efficiency are the keys to success. Unisys is pleased to add interoperability with Azure to our Stealth offerings, giving enterprises unparalleled security, greater controls, and lower costs with increased operational efficiency when working with Azure.” Unisys’s Stealth technology actually provides security to both data and applications within Azure, using a clever identity-driven encryption service to deliver its so-called “microsegmentation”. This is a new approach to network security architecture, allowing the division of physical networks into thousands of logical micro-segments. The philosophy is that even if attackers manage to take over one micro-segment within the enterprise, they would not be able to move across to other networks. This effectively takes the old network segmentation principle that security architects have been using for decades to a whole new level, where segments are as small as
single endpoints. In addition, enterprises can extend infrastructure they manage in their own data centres to Azure using the XDC (extended data centre) capability of Stealth. This automates the shifting of secure workloads from local data centres into Azure, which offers a real cost saving to service providers. Patterson is confident that Stealth can remove many of the roadblocks that are in the way of enterprises making the transition to cloud. It allows organisations to extend protection from their data centres to Azure on demand, providing end-to-end encryption from local workstations, servers or virtual machines to virtual machines in Azure. The underlying encryption technology Stealth is built upon means that unprotected Azure VMs are undetectable to unauthorised users.
Corporate Security
Deception detection uncovered: Truth seeking through interrogation
PART I
By Sophie Zadeh, Body Language Specialist
For years, researchers have been searching for the ‘Pinocchio’s nose’ of deception. As of today, it doesn’t exist; there is no single cue indicative of deception. There is no machine, no technology nor person that can detect deception with 100% accuracy. Any claims that suggest otherwise are, in themselves, untrue. The best that we can do is identify anomalies and patterns in behaviour, physiology and voice, differentiated from baseline and emotional baseline behaviours. We then use these as potential red flags which may, or may not, be indicative of deception. How these red flags are addressed through questioning techniques and behaviour (of the investigator), is key to seeking the truth. With this approach, we can dramatically improve our rate of success during interrogation.
As a Body Language Specialist, I want to focus on the body language component of deception detection. Which behaviours should we be looking for, as indicators to dig deeper, and what should we do with our own body to create an environment conducive to seeking the truth? We will explore these concepts over two articles.
There are some nonverbal cues that can increase when people are not telling the truth: nose touching, increased blink rate, self soothing, etc. However, these are not ‘lying cues’ in their own right, because we also do these when we are telling the truth. Generally, behaviours like these increase with, and are indicative of, stress. They are associated with lying because lying increases cognitive load significantly, therefore causing stress. Our brain does not like it when we lie, and our body reacts with behaviours and responses that can be either voluntary or involuntary. Most people under interrogation will be feeling stressed.
Where most people go wrong is assuming deception as soon as they see nonverbal cues that they believe to be indicative of lying, such as those mentioned above. Perhaps the biggest myths I hear when talking to people about body language are that you can tell someone is lying based on their eye direction or amount of eye contact. These are not true; let’s bust those myths right now!
Most people’s ability to detect deception is 54% accuracy, little more than a toss of a coin. This includes law enforcement professionals, so unless you’ve been trained properly and practiced the skills, your accuracy, most likely, will be around this mark. Research also shows that as soon as we start to dabble in the area, following inaccurate knowledge or beliefs, our ability to detect deception lowers even further. That’s a significantly high number of false accusations, which could potentially result in innocent people being convicted. Unless you’re prepared to learn properly and practice these skills, I recommend avoiding dabbling in the area. On the bright side, those that are trained properly can get to the truth 90% of the time.
Since deception detection is too complex an area to cover in just one article, and given the fact that I don’t want you to dabble, instead, let me aim to pique your interest in the subject and look at it from a different perspective. Let’s start by reframing deception detection and instead look at it as identifying red flags. Think of these red flags, not as indicators of deception, but as indicators of areas in which you may need to dig deeper.
Red Flags: Indicators to Dig Deeper
When decoding body language, we typically look out for clusters of nonverbal cues and use the cluster as a red flag. In this article, I’m going to highlight a few nonverbal cues that can independently signal a red flag, due to their meaning. Remember, these are red flags and not ‘lying cues’. This will give you just enough to walk away with, so that you can start practicing to observe them in others.
One Sided Shoulder Shrug
The one sided shoulder shrug is a clear signal that the speaker is not confident in their own words. The shrug takes place as the words are being spoken, or at the end of the sentence.
On the other hand, a full shoulder shrug (both shoulders) indicates the speaker is confident in their words. For example, saying, “I don’t know”, with a one sided shoulder shrug, means there’s more to it and the speaker is potentially withholding information. Saying the same line with a full shoulder shrug, indicates the speaker really doesn’t know. It can be either subtle or pronounced. Remember, do not take this as a lying cue per se, it’s simply an indicator of lack of confidence in their spoken words. For example: Imagine asking a suspect what time they left a venue and they respond with, “1 a.m.” and a one sided shoulder shrug. This doesn’t necessarily mean they are telling a deliberate lie, it may mean they aren’t sure if it was actually 1 a.m. Digging deeper at that point, could be a case of looking for evidence (e.g. CCTV footage) or asking further questions (e.g. “Is it possible that you left earlier?”).
Eyelid Flutter
The eyelid flutter is involuntary and signals discomfort or dislike. It can be triggered by stress, and is usually seen when somebody says something that we strongly disagree with, in people struggling with thoughts or in finding the right words. We see this in people that stutter, which makes sense in terms of its meaning of struggling to find the right words.
“When people are troubled, frustrated, or having silent temper tantrums, their eyelids close or flutter rapidly (Navarro & Schafer, 2001; Knapp & Hall, 1997)” — Advanced Interviewing Techniques: Proven Strategies for Law Enforcement, Military and Security Personnel. John R. Schafer & Joe Navarro
Tongue Jut
We slightly jut out our tongue when we feel like we’ve got away with something, we’ve just been caught or we’ve made a mistake. Sometimes we do this to deliberately signal to others. For example, if we publicly drop something, but then catch it before impact, we may signal to others that we got away with it by means of a tongue jut. In this case, the tongue jut may be accompanied by an eyebrow raise punctuator (to draw attention to the face/gesture; a nonverbal exclamation mark). The observer would clearly see the tongue jut out between the teeth, with lips drawn slightly back. The tongue may remain out for a second or two. Try doing this and you should feel the emotion behind it.
However, when we conceal a tongue jut, it would be very subtle. There would be no eyebrow punctuator, the teeth wouldn’t be visible, the lips would be closed and the tongue would quickly jut out and retract. This subtle cue can easily be confused with lip licking. Lip licking is a self soothing, or pacifying, behaviour in which we try to bring comfort to ourselves by licking our lips. Like with other self soothing gestures, lip licking increases with stress.
These cues may or may not be present during deception.
They do not signal deception specifically, and should never be taken to assume or accuse a person of lying. When observed, these nonverbal cues signal their meanings, alerting us to a potential issue. This gives us the opportunity to seek more evidence or circle back (at the time, or later) with more questions. It’s the ability to spot the cues in context (to know where to investigate further), combined with good questioning techniques, that will be most effective in deception detection. In the next issue of Australian Security Magazine, we will explore the second component, crucial to uncovering the truth: The Role of Your Body in Eliciting Truth.
Prevention is still better than cure
There is still a defeatist attitude resonating through the industry when it comes to security; however, Greg Singh, Lead Technical Engineer for the APAC region at Cylance, argues that security tools should put the focus back on Prevention, rather than Response. After all, isn’t that what the customer expects?
By Greg Singh
Dr Jackie Craig, Chief of Cyber and Electronic Warfare at the Australian Department of Defence, spoke at the recent Australian Cyber Security Centre (ACSC) conference in Canberra. Classifying cyber security as a science, Dr Craig went on to say, “If we had a big science approach to cyber security we could ... begin to educate people more deeply about the types of risks that they're taking if they don't have proper virus checkers.” It all sounded so promising until she mentioned virus checkers.
We were hoping that the speakers from the FBI’s Cyber division might come up with something more radical when they said: “Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and then really strategic [intelligence]”. The point being made was that “all the best tools” are still no match for good old human intelligence. I might have agreed to some extent, were it not for the fact that the example given of “all the best tools” was IDS (intrusion detection systems). That, for me, summed up everything that is wrong with cyber-defence today: the emphasis on detection and response, instead of on prevention.
Surely, when a company is forking out thousands for cyber security, they are assuming that they are paying to prevent cyber-attacks? And yet there was very little mention of prevention at this year’s ACSC conference. For example, we heard from Latha Maripuri of News Corp, the global information and publishing enterprise in charge of leading brands such as The Wall Street Journal, whose presentation focussed on the attacker only; it was all about how to structure a security program to address modern day threats. So much for Big Science and Threat Intelligence – it sounded more like a reactive response to try and Protect Company Assets after the burglar has escaped!
The fact that antivirus has failed is no secret. In May 2014, Symantec itself declared antivirus “dead”. Traditional signature-based AV simply cannot keep pace with hackers who can rejig their malware with a few cosmetic touches to make it unrecognisable. As a consequence, anti-virus industry giants have been desperately buying up new technologies to patch up their reputations.
So what solutions are being proposed at the ACSC conference? The key words seemed to be “detect” and “respond”. In other words: having given up hope of being able to recognise malware in advance, the focus is now on detecting that something is suspicious and then using detonation or sandbox techniques to see how it behaves before letting it loose in the network. So a first line of defence is the traditional antivirus search for recognised malware signatures, then a virtual machine is started up with the target operating system (so typically a virtual PC) and the suspicious code is copied into that “sandbox” to see what it does given enough time (typically about 5 minutes). A report is prepared and the VM is shut down and cleaned up. So we should now know if the incoming code is dangerous.
Sandboxing is a powerful way to detect malware, but costly in terms of time and resources. How far do you go in virtualising the potential target? Should you not replicate the entire corporate network to test for a highly sophisticated attack? And five minutes is an eternity by today’s operating standards. What’s more, recent members of the Upatre malware tribe are using the Windows API GetTickCount and will not activate unless the host has been running for more than 12 minutes. In other words, it recognises a sandbox VM and refuses to play in it.
Artificial Intelligence is Golden
The ACSC Conference was a disappointment, as no company seemed to offer a truly radical alternative to “detect and respond”. In the past, Antivirus has positioned itself as the solution, but clearly this is not enough; what is needed is a Next Generation Anti-Virus that can identify specific attacks and speed the response to them once they are detected. For example, instead of scanning vast databases of hashes, signatures and approved applications, CylancePROTECT makes real-time decisions by comparing against optimally trained statistical models that only need to be updated every few months.
Looking for recognized malware signatures fails because cyber criminals simply alter the outer signatures – it is quick and cheap to simply recycle existing, proven malware by giving it a facelift. Instead, NGAV recognition looks deep into the coding structure using sophisticated Big Data learning algorithms – and so a successful attacker would have to spend considerable time and money developing whole new coding structures – only to have the new attack promptly analyzed and registered in the NGAV system. This is not how cybercrime chooses to operate, because it relies on quick results with minimal investment before the authorities have a chance to catch up.
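The uptime gate described above (a sample that reads GetTickCount and stays idle on a host younger than 12 minutes) can be screened for in sandbox reports, so that a "clean" verdict from a freshly booted VM is not taken at face value. This is an added example, not code from the article or from any vendor; the trace format, sample names, function names and the short list of "activity" calls are constructed assumptions.

```python
# Added example: triage sandbox detonation traces for the uptime gate the
# article describes. Trace format, sample names and values are constructed.

UPTIME_GATE_MS = 12 * 60 * 1000          # 12 minutes, the figure quoted for Upatre
UPTIME_APIS = {"GetTickCount", "GetTickCount64"}
# Calls treated as "the sample did something observable" (illustrative subset).
ACTIVITY_APIS = {"CreateFileW", "WriteFile", "RegSetValueExW",
                 "CreateProcessW", "InternetOpenUrlW", "connect"}


def triage_detonation(trace):
    """Classify one run. trace is a list of {"t": seconds, "api": name, "ret": value}."""
    uptime_reads = [e for e in trace if e["api"] in UPTIME_APIS]
    if not uptime_reads:
        return "no-uptime-check"

    first_read_t = min(e["t"] for e in uptime_reads)
    lowest_uptime = min(e["ret"] for e in uptime_reads)   # milliseconds since boot
    acted = any(e["api"] in ACTIVITY_APIS and e["t"] >= first_read_t
                for e in trace)

    if acted:
        return "active"                # behaviour was observed; the report is usable
    if lowest_uptime < UPTIME_GATE_MS:
        # The sample saw a freshly booted host and then did nothing: the clean
        # report says more about the VM's age than about the sample.
        return "possible-uptime-gate"
    return "dormant-other"             # silent even on an aged host; look elsewhere


def needs_aged_rerun(reports):
    """Sample ids whose clean result should be re-tested on a VM that already
    reports more than UPTIME_GATE_MS of uptime."""
    return sorted(sid for sid, trace in reports.items()
                  if triage_detonation(trace) == "possible-uptime-gate")


# Constructed detonation traces (not real sandbox output).
REPORTS = {
    "sample-a": [                      # reads uptime on a 95-second-old VM, then exits
        {"t": 0.4, "api": "GetTickCount", "ret": 95_000},
        {"t": 0.5, "api": "Sleep", "ret": None},
        {"t": 30.5, "api": "GetTickCount", "ret": 125_000},
        {"t": 30.6, "api": "ExitProcess", "ret": None},
    ],
    "sample-b": [                      # reads uptime but carries on regardless
        {"t": 0.3, "api": "GetTickCount", "ret": 95_000},
        {"t": 1.2, "api": "CreateFileW", "ret": 1},
        {"t": 2.0, "api": "connect", "ret": 0},
    ],
    "sample-c": [                      # never asks about uptime
        {"t": 0.2, "api": "CreateFileW", "ret": 1},
        {"t": 0.9, "api": "RegSetValueExW", "ret": 0},
    ],
    "sample-d": [                      # silent on a one-hour-old VM
        {"t": 0.2, "api": "GetTickCount64", "ret": 3_600_000},
        {"t": 0.3, "api": "Sleep", "ret": None},
        {"t": 20.0, "api": "ExitProcess", "ret": None},
    ],
}

if __name__ == "__main__":
    for sid, trace in REPORTS.items():
        print(sid, triage_detonation(trace))
    print("re-run on aged VM:", needs_aged_rerun(REPORTS))
```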
But if the latest sandboxing solutions are already time and resource intensive, surely adding Big Data mining and artificial intelligence to the mix will bring the average corporate system grinding to a halt? Not so, because all of this heavy lifting takes place in the cloud, not in the client’s own system. The local software only has to analyze code in real time against a far smaller set of characteristics rather than an ever-expanding database of dubious signatures. The software for this approach occupies only 30 megabytes and typically uses less than 1% CPU making it practically invisible to the user, as well as being very easy to deploy and administer.
Analogies should always be treated with caution, but try this. In 2003, a group of the world’s most dedicated scientists announced the completion of a 20-year project to map the entire human genome with 99.9% accuracy. Their work has led to many of the scientific breakthroughs we benefit from today. Effectively NGAV is unlocking the DNA of malware and applying artificial intelligence techniques, machine learning and algorithmic science to dissect the malware to almost a molecular level, before it is allowed to enter the network.
Government gets serious
The Australian Government’s recent announcement reconfirmed the level of commitment to cyber security. Instead of the old “keep it under the carpet” policy of not confirming inbound attacks and intrusions nor the measures used to mitigate or neutralise them, a new “the gloves are off” approach has been announced by Prime Minister Malcolm Turnbull. At the launch of the government’s new $230 million Cyber Security Strategy in Sydney he publicly announced that “offensive capability” is now a real live option.
There is a lot of good and timely material in the strategy as published, but there is still too much evidence of that detect and respond mind set – witness the report’s heading “Detect, Deter and Respond”. The first four essential mitigation strategies are strongly focused on responses to recognised dangers, while the discredited signature based anti-virus approach has actually been moved up from position 25 (in 2012) to position 22 in 2014 in “effectiveness ranking”.
This was perhaps the best takeaway from the ACSC conference this year, but it fell short in one respect. Let’s make Prevention once more our top priority – because ultimately that is what the IT user really expects from the industry.
Insider threat can be eliminated with a proactive approach The media would lead us to believe that the greatest threats faced in today’s digital business world are that of ransomware and ID theft. While they may be right, there is an equally damaging malady lurking right under our noses that is often overlooked – insider threat. This article identifies what insider threats are and looks at some of the mitigation strategies we can use to address it.
J By Tony Campbell ASM Correspondent
12 | Australian Security Magazine
ust over ten years ago, I attended a conference in London run by the UK’s equivalent of the Australian Signals Directorate (ASD), GCHQ. The theme of the day focused on insider threats with myriad presentations explaining how UK industry and government agencies should be preparing to detect, defend and respond to this kind of insidious menace. As each of the speakers took to the podium, we were taken through a journey of fear, betrayal, espionage and human vulnerability that showed the audience just how real and pervasive this issue is. Indeed, for some businesses and government agencies handling particularly sensitive information, the threat from rogue insiders can
become existential if not adequately addressed. As I said, this conference was over ten years ago, but the world has changed incredibly over the last decade, with new threats becoming chic and newsworthy, while these kinds of attacker have dropped off the radar of public opinion. Starting with the 2013 Target attack, hackers made off with almost 40 million credit card and debit card accounts from Target’s systems. This was the first major media event of the new world, where large-scale data breaches made news – especially because of their far reaching impact on society. Since then we’ve seen dozens of big brands in the news, such as Sony, Home Depot, Talk Talk (in the UK), with David Jones
and Kmart also being hit here in Australia. We’ve also seen another peculiar trend emerge from the backrooms of security research companies, where new vulnerabilities are marketed with a sexy name, well-designed websites and sensationalist commentary to make them newsworthy. If the security team is not focusing on these two areas, then they aren’t doing their job right, while all the other threats fall by the wayside. But this approach is wrong. Managing security outcomes aligned with this kind of media sensationalism will only serve to protect one aspect of your castle, so you’ll have all your troops at the front gate, not realising your tunnels are unprotected and your streets are full of spies.
The Internal Malady
Security is a process and needs to be tackled in a methodical and sequential manner, where you start with a threat assessment, then conduct a full audit of your assets, classifying the assets against a scheme of labelling that allows you to a) determine the impact of loss of confidentiality, integrity or availability, and hence b) the risk to the organisation of this impact being realised. Your threat assessment will undoubtedly categorise a variety of threat actors, along with their attributes, such as likelihood of them attacking you, as well as their means, motive and intent. One such group is this insider threat actor category, which can be further decomposed into the following subgroups:
• Current employee with standard system access rights
• Current employee with elevated system access rights
• Current subcontractor or partner with standard system access rights
• Current subcontractor or partner with elevated system access rights
When you then consider the three elements of means, motive and intent, you start to build a fairly comprehensive picture of what could happen if any of these threat actors were present in your business and had the associated rights to access information assets.
Who are these Insiders?
Reports of external actors recruiting members of staff to act against their own organisation are common, originating from foreign governments, competitors and organised criminal gangs, all with something to gain. In 2011, the results of a survey conducted by the U.S. Secret Service, the CERT Insider Threat Centre, CSO Magazine and Deloitte showed that the most common crimes perpetrated by malicious insiders were:
• Unauthorised access to or use of corporate information
• Unintentional exposure of private or sensitive data
• Viruses, worms, or other malicious code
• Theft of intellectual property (IP)
History has shown us that few insider threats are acts of impulsive opportunity. Mostly, the crime is premeditated and the motive has come from a change of circumstance – unless it’s part of a longer strategy by an external actor, where the employee is a ‘plant’ and has been untrustworthy from the beginning. The majority of actions an insider will take are keenly planned, and they will attempt to cover their tracks as they go. Furthermore, no matter what the external influence is, something will have affected the internal threat actor to make them act: mounting up a gambling debt, an extra-marital affair or being addicted to illicit drugs. Once an external threat actor has leverage over a member of your staff, then they can be coerced into attacking you. The vulnerabilities that affect insiders are wide and varied. In some cases, it may simply be because they have become disillusioned with the company or the policy of your government. Edward Snowden, for example, has publicly stated that he no longer believed in the U.S. government or trusted the motives behind their national security programs. He felt that their actions and leaders needed to be held to account under public scrutiny, which led to the massively damaging leak of highly sensitive data. It could be that your rogue insider wants to exact revenge on his boss, or the whole organisation, believing they have been overlooked for promotion or discriminated against. The other category of malicious insiders are those driven by personal or financial gain, who are looking for something that the organisation cannot or won’t give them, especially where they have a personal vulnerability, such as gambling debts or a drug habit. The point is, there is no typical profile for what an insider might look like or act like, which is the primary reason they are such a difficult threat to detect and a complicated one to deal with.
Innocent Mistakes
The one area of major concern that you can deal with relatively easily is that of innocent mistakes. If you have not trained staff on how they should behave and ensured they all know what they are doing, how they should act, and how they should interact with your systems, then there is little you can do if they do something wrong. A comprehensive security awareness program, with training, exercises, and regular communications campaigns, will ensure your security messages get heard. Review your induction program to make sure staff know what to do on the very first day of their employment, so that there can be no doubt of what is acceptable and what isn’t.
Detecting Insider Threat
Audit trails are useful when you know you need to follow an investigation into what someone has been up to. However, how do you get the notification about what that person has been doing that raises suspicion in the first place? Firstly, audit trails need to be full of rich information that shows exactly what people have accessed, when they accessed it and for what purpose. If you have enough raw log information, you can pivot this data into an investigation tool and hunt down the evidence of a crime. It’s also possible to install a technical system that can analyse what’s considered baseline normal behaviour of staff, which will result in anomalies being flagged to the security team. You can employ tools that detect and intercept incidents, such as the legacy category of Security Information and Event Management (SIEM) systems, most often found in a SOC. However, if you really want to catch insider threats early and respond in as efficient a manner as possible, you need to be proactive. Look for a system that can provide an early warning of which users might turn bad, as well as one that can influence user behaviour before they do cause a breach, intentionally or by mistake. These kinds of systems are known as Insider Threat Management systems and if you are in the market for one you’ll need to make sure it covers all aspects of the threat management lifecycle:
Education. Make sure the product provides the ability to educate staff in real time on what’s permitted and what’s not. Informing users whenever they do something that contravenes policy or could put the organisation at risk is a proven way of influencing and changing behaviour. You can use this to educate the careless, but well-meaning people in your organisation, while reducing the likelihood of someone taking advantage of unintentional mistakes.
Deterrence. Deterrence is the process of informing the users when they are operating out of policy, which also serves to deter people with bad intentions as they see that the security team is constantly monitoring their actions.
Prevention. Some tools are capable of intercepting and preventing incidents originating from insiders, while real-time education and deterrence can reduce the number of actual incidents that have to be managed by up to 50%.
Investigation. Some tools provide a visual record of user sessions, offering incredibly useful insight into what a user has done, so investigations are resolved faster, which helps reduce the overall risk to the business.
You’ll need to make sure your selection covers each of these stages, since they are all equally important. There must be a focus on real time education, such as informing the users whenever they do something which contravenes policy or could put the organisation at risk. By doing this, you educate the “good” people and reduce the likelihood of someone taking advantage of unintentional mistakes. This process can also serve to deter people with bad intentions, as they see that the security team is constantly monitoring their actions.
Recommendation
One company of note that is a market leader in this space is ObserveIT. Their technology is specialised in this area and is dedicated to identifying and eliminating insider threats. The product collects a plethora of user related indicators, from anywhere within the enterprise, including application metrics. The product has a dashboard that analysts can use to expose these kinds of insider threats, enabling security teams to coordinate responses to the business before the business is impacted.
Corporate Security
7 Ugly truths about compliance: A primer for new chief compliance officers
By Jaqueline M. Hummel, Managing Director, Hardin Compliance Consulting, LLC
Many compliance officers live in hope that if they ramp up their persuasive skills, engage employees with spectacular training presentations, and provide succinct and prompt advice, they will receive the respect and recognition that they deserve. Unfortunately, despite all best efforts, compliance officers will struggle to be heard. For those that have just received the dubious honor of Chief Compliance Officer, here are seven ugly truths you should understand on day one.
1. No one reads the compliance manual. Despite all the hard work compliance officers put into the regulatory compliance manual, no one reads it. That may be an overstatement, but, for the most part, employees remain blissfully unaware that the manual contains policies and procedures for many daily activities, until the Chief Compliance Officer discovers an issue, or a regulator points out a specific passage during an exam. My advice is to consider engaging employees in the drafting and revision of the compliance manual. Set up a meeting with each area within the firm to go over the sections of the manual that apply to that area. Revise the procedures based on input received, and require supervisors to review and approve them. Supervisors then have accountability for those procedures. Another approach is to read the manual to the employees by providing frequent training. Having short, focused training presentations can be very effective. (Free food is also a big draw.) Consider tailoring training to specific areas of the firm,
and work with the supervisor to set the agenda and the best date and time for the presentation. Schedule training during periods when the attendees are generally less busy. Request input from the supervisor to ensure you cover topics that he or she identifies as problem areas, even if they may not necessarily be compliance related. Show your willingness to help advance firm-wide goals, as well as your own. Development of a good compliance program is a process; it takes time for everyone to understand their roles. By presenting yourself as a resource and taking the time to discuss the goals of the program, you will get more buy-in. This process can take years, so be patient.
2. Compliance officers don’t get any respect. Being challenged on your opinions or advice is a fact of life for most compliance officers. Executives, CISOs and Risk Managers require data and facts to support a recommended course of action. Unlike financial services professionals, compliance officers don’t tend to have a track record or a way of comparing services to an existing industry benchmark. To make matters worse, the regulatory rules are vague and advice from regulators is not always clear. Advice from experts may not be specific enough to deal with your firm’s situation. Consequently, compliance officers (and consultants) have to earn respect on a daily basis. This can be accomplished not only through knowledge and experience, but by providing concise and useful advice. Knowledge and experience are meaningless if you can’t deliver your message in a way that
your client understands. My advice is to be prepared. In areas where you know you are going to get push back, read the underlying rule. Consult your firm’s policy and procedure. Read any materials from the regulators relating to the issue. Look through the materials from the last industry conference you attended. Search the internet for articles written by law firms and other industry experts. Call your contacts at other firms to see how they deal with similar issues. Even if you have dealt with similar issues time and again, it is still helpful to refresh your memory and to see if there are any new interpretations. There may not always be time to do the legwork, and even if you can, there may not be a clear answer. These are the times when you must go with your gut – provide your initial thoughts on how a regulator might view the situation and a recommended course of action. But be prepared to back it up. For high risk issues where there is no clear path, call in an expert. There are two benefits to this approach: first, you will find out whether the advocate of a particular action is serious enough to spend some money for advice from a knowledgeable law firm or consultant, and second, you will have proof for regulators that you acted reasonably under the circumstances by consulting an expert. At best, the expert will back up your opinion, or at worst, you will learn the options available. It also helps to keep up with regulatory issues on a daily basis. Subscribe to blogs, law firm newsletters, SEC updates and read the news. There are many free sources of information to help compliance professionals keep abreast of regulatory developments.
Knowing your stuff adds to your credibility. Once you are ready to give your advice, boil it down to its essence, with specific action items and recommendations. Those seeking your advice generally do not want to read the regulations or understand all the legal and regulatory fine points. They want to know what they need to do to solve the problem. Giving constructive, actionable advice demonstrates that you can help the firm reach its goals.
3. No one reads past the first three lines of your email. This is a corollary to item 2 above, but is important enough to require further discussion. Many compliance officers love details and have difficulty boiling messages down to their essentials. But people get bombarded by emails, so it’s important to be clear and concise. When a response is required, say that upfront. I recommend using all caps in the subject line: RESPONSE REQUIRED BY JUNE 30, 2016. And then flag these emails with a reminder for yourself, and a reminder for the recipients, to follow up by the deadline. In the body of the email, make sure you get to the point within the first sentence or two. Resist the temptation to provide a detailed explanation. Readers often suffer from email fatigue and seeing more than a screen of text may cause them to hit the “delete” button. If you are responding to a question, the answer should be in the first line of the email. If you need approval or feedback, tell the reader that you need their input on the issue to go forward. Bullet points are also useful to make points without overwhelming the reader with text. You can always attach a detailed explanation to the email; just do not expect that the attachment will be read.
4. If it’s not important to the boss, it’s not important to the employee. This is a hard lesson. When firm management says compliance is important but takes no action to support this statement, the compliance officer’s job is much more difficult. If management is unwilling to put its money where its mouth is where compliance is concerned, the compliance officer’s only leverage is the threat of potential repercussions in the event of a regulatory exam or potential lawsuit. For example, if compliance training is mandatory, but the executives do not attend, they send the message that it is not important.
On the other hand, if the Chief Executive Officer says that failure to complete required compliance paperwork in a timely manner will result in a reduction in an employee’s bonus, employees will be knocking down the Chief Compliance Officer’s door in an effort to meet the deadline. Getting management to buy in to compliance initiatives is a topic that requires more space than I can devote here. It’s good for business because it can help limit liability and preserve a firm’s good reputation. By way of an obvious example, if the Australian Bureau of Statistics (ABS) were to adopt a number of compliance frameworks that can be used to show the general public they are putting all the required security systems in place to protect census data, that assurance would allay some of the fears we are reading about in the media. Perhaps a more chilling example is Volkswagen’s recent scandal. In September 2015, the Environmental Protection Agency (EPA) found that VW diesel cars being sold in the United States had software installed that detected when the cars were undergoing emissions testing, and adjusted the car’s performance to improve the results. Ultimately, Volkswagen admitted to cheating emissions tests in the United States. Since then, the firm’s stock price has plunged, the CEO was forced to resign, the EPA plans to impose fines, and car owners and shareholders are lining up to sue. Although all the facts are not in, it’s entirely plausible
that VW’s management approved the installation of the cheating software. And even if management was not aware of the details, the firm fostered an environment that encouraged cheating to boost sales. This is a worst case scenario and it demonstrates how management’s failure to support and encourage ethical behavior can lead to much more significant financial woes than disappointing sales.
5. You don’t know what you don’t know. Even the most experienced compliance officers can fall into the trap of making assumptions about a firm’s operations and processes. The truth usually comes out as a result of a trading error, client complaint, or, in the worst case scenario, regulatory action. There will always be unpleasant surprises like these in the life of a compliance officer. The best way to deal with them is to keep an open mind, and be willing to dig down through the smallest details to understand a process. This means developing standard operating procedures for all areas of the firm, and understanding the root cause of failures. Although it’s not the compliance officer’s job to write all the standard operating procedures for the firm, you can review and test these procedures to see if they are sufficiently detailed and robust. The compliance officer can also listen and observe. Have the employee responsible walk you through the process step by step, and ask questions. Watching the process from start to finish, or even performing the task yourself, may help you learn what you don’t know. It’s also a good idea to leave your desk and walk around the office regularly. Attend other departmental meetings and listen. Build relationships with people from all levels of the organisation. By making yourself available and visible, people will bring their concerns to you.
6. If it’s not documented, it didn’t happen. This is a lesson learned from numerous compliance examinations.
Although an investment adviser might do the right thing, if there is no documentation to show that it was done, for all practical purposes, it did not happen. Most advisers maintain a set of auditable records, but until Australia adopts compliance, even in the area of mandatory breach reporting, records will largely be down to local discretion and may not even serve the purposes of a compliance assessment, should one occur. The government will expect advisers to maintain a variety of records that will be evidenced at various stages of a compliance examination. Here are a few examples of records that are not collected by default, but should be considered:
• A current inventory of the firm’s compliance risks that forms the basis for its policies and procedures.
• The names and location of all service providers and the services they perform, for both affiliated and unaffiliated providers.
• Information about the due diligence process to initially evaluate and monitor thereafter the work provided and how potential conflicts and information flow issues are addressed.
• Documentation of employee access controls (i.e. electronic key card entry, locks, security cameras and guards) to physical locations containing customer information (i.e. buildings, computer facilities and storage record facilities).
• Information about the oversight process the adviser uses for any remote offices and/or independent advisory contractors, and any policies and procedures with respect to such oversight.
Compliance officers should look for pre-existing compliance audit reports along with findings relating to the latest hot topics, which can identify what regulators will expect to see.
7. It’s easy to say no, hard to say yes. Most compliance officers are aware of this truth – this is a lesson for the rest of the firm. Saying no is easy; it requires no additional work or thought on the part of the compliance officer and eliminates risk. To say yes, a compliance officer has to think, research and provide options, which takes time and effort. If you always say no, however, firm employees will stop coming to you for advice and guidance. You will not be consulted when new products are being developed, new marketing efforts are proposed, new types of clients are being sought, and new technologies are being explored. If the compliance officer is not aware of what the firm is doing, then he or she is not going to be effective. My advice is to take advantage of ‘teachable’ moments. For example, take the situation where your marketing team asks if they can use back-tested performance for a client presentation. If they expect an answer immediately, you’ll almost certainly have to say no. However, if they are willing to wait a day or two while you come up with a way to get the same message across, using extensive additional disclosure or a slightly different approach, the results will then show the marketing team how a collaborative approach works for everyone. The goal is two-fold: getting firm employees to consult you early in the process and demonstrating your willingness to find solutions to meet their goals.
Coming to terms with these ugly truths is not easy. But if you accept them and manage your expectations accordingly, you will decrease your stress level and be more effective in your job.
Frontline
The safe city and its need for interoperability
by Per Björkdahl, ONVIF Steering Committee Chair
Most people today who live in cities, particularly large ones, have become accustomed to a relatively high level of general and public surveillance, whether it is the police patrolling the streets, cameras in shopping malls or intelligent security solutions deployed in public transportation systems. Many feel that as long as these systems benefit them as citizens and keep them safe, general surveillance can be accepted and people feel safer as a result. It has become part of the fabric of 21st century life for many. Many of us value individual safety, especially in cities. Physical security systems are capable of delivering exactly that to citizens, though the management and operation of these systems can be challenging at times. Cities today often use video management systems or other platforms to view camera footage, protect citizens and property, analyze incidents, evaluate security and to help them determine appropriate responses to events such as natural disasters, disruptions to transportation and other municipal services, and other threats to public safety. They may also use intrusion, access control, building automation and fire detection systems in their management of a city’s security, in conjunction with video surveillance. Cities implementing this connected security approach have been dubbed ‘safe cities.’ Most safe cities share a common infrastructure and operate using sensors and/or cameras over a shared municipal network. Using these sensors and the data
from many different devices synthesized through one interface, government officials and law enforcement are afforded a total, holistic view of a city’s security.
Integrating the Many Parts of a Safe City
The integration of all of these systems enables a municipality to manage its security comprehensively and from a single point of view from the command center. If, for example, there is a leak in a water main, the city’s command center can quickly review video footage from a camera positioned at the leak’s physical location, check access control data to see why and how the gate to the water main is open and determine who was the last employee to enter the restricted area. At the same time, the command center can use cameras on the street to monitor street flooding and assess damage to surrounding areas. There are operational challenges that accompany the many systems that are included in a safe city deployment. Interoperability continues to present one of the greatest challenges, particularly with video management systems, video recording devices and cameras. The most common scenario is that municipalities have several different management systems for city operations that were created by different manufacturers, each with proprietary interfaces for integration. In order to connect its different systems together, cities
often end up employing a “build once and maintain forever” approach, in which the continuing cost for integration of the city’s systems becomes prohibitively expensive. In a world where technology and features change quickly, the ‘build once and maintain forever’ scenario is not practical or attractive, as it severely limits an end user’s ability to try new technology and/or different vendors’ products and requires a substantial financial commitment to those specific manufacturers and proprietary interfaces. Another approach that some end users and integrators take is to deploy products from a single manufacturer in order to facilitate systemwide integration. However, this approach can also have an undesirable result: it stifles an end user’s ability to add new products from other vendors and locks an end user into a long-term commitment with the manufacturer.
Enter Standards
This is where the need for robust and well-defined standards comes into play, particularly for video surveillance, which is most commonly at the heart of safe city deployments. Standards, such as those from ONVIF, an industry alliance that offers standardized interface specifications for video security systems and physical access control systems, provide the common link between disparate components of these systems. Designed specifically to overcome the challenges in multi-vendor environments, ONVIF’s common interface facilitates communication between technologies from different manufacturers and fosters an interoperable system environment where system components can be used interchangeably, as long as the devices conform to the ONVIF specification.
Since 2008, when ONVIF was founded, the organization has published a number of specifications and profiles for effective integration of devices and clients in the physical security industry. For Video Security systems, ONVIF has released Profile S for Video streaming and Profile G for storage and playback. Currently, Profile Q for easy deployment is in its release candidate state, scheduled for final release in July this year.
In a safe city scenario, much of the recorded video from video security systems is used to conduct post-event forensic investigations, where operators analyze a specific incident or series of incidents and determine suitable actions, which often requires coordination with local, county, state and sometimes federal law enforcement officials. Video clips are exported to provide authorities identification of suspects or for evidentiary purposes during prosecution.
The challenge in a multi-vendor environment is that authorities often receive exported video material in a multitude of formats with a multitude of players for playback. Here, a standardized approach for both file format and associated players, which ONVIF’s specification provides, increases the efficiency of the process and also adds the potential of including meta data in exported materials and reports, which determines the exact time and location of the recorded incident. ONVIF has also released an export file format specification that outlines a defined format for effective export of recorded material and forensics. These specifications together make it possible not only to integrate devices in multi-vendor video security system deployments in safe city environments but offer an effective common export file format that can streamline a post-event investigation where authorities are trying to react as fast as possible to apprehend suspects or to defuse an ongoing situation.
Other standards organizations outside the physical security industry have identified the need for standards in effective Safe City deployments, such as the International Electrotechnical Commission (IEC) and Institute of Electrical and Electronics Engineers (IEEE). IEC has initiated a Systems Evaluation Group - Smart Cities, SEG 1, a group that will evaluate relevant works and propose a standardization roadmap for smart cities, a term often used synonymously with safe cities. The group will also provide a mapping of closely related activities in cooperation with the International Organization for Standardization (ISO) and other organizations, going forward.
ONVIF has been working with the IEC on standards for the physical security industry for several years. In 2013, the IEC included an ONVIF specification in its IEC 62676 standard for Video Surveillance Systems, the first international standard for video surveillance systems to be established. The ONVIF specification for video, which defines video transmission protocols for communication between network video clients and video transmitter devices, is based on Web Services and is referenced in IEC 62676 Part 2-3.
This year, IEC will include an additional ONVIF specification in an IEC standard, this time with ONVIF’s specification for Electronic Access Control, in the IEC 60839-11 System and components requirements standard for Alarm and Electronic Security Systems, based on Web Services. The specification includes minimum functionality, performance and testing methods for electronic access control systems and components used for physical access. The inclusion of ONVIF’s specification in the two standards mentioned above indicates a steady continuity in the use of standards in the industry.
ONVIF Members’ Safe City Solutions
Several ONVIF members are using ONVIF’s specifications in the large-scale deployment of video surveillance systems. Two of these, Meyertech and Huawei, have used ONVIF prominently in safe city deployments in large cities.
In 2014, ONVIF member company Meyertech helped the city of York, U.K., to deploy a safe city solution for the city’s public spaces and transportation system. Using a Meyertech video management software and information management software, the city was able to integrate IP cameras with the many legacy systems for its York Travel and Control Centre command center. The city’s control room monitors more than 150 cameras from different manufacturers in the city and city representatives say the new system has had an immediate impact on crime rates. The integration of legacy and new IP cameras with the new VMS, which interfaced with the information management software, was made possible through ONVIF’s video specification.
Another ONVIF member, Huawei, is considered a leader in smart city solutions. Huawei has deployed smart city solutions in Nairobi, Kenya, and in China in the cities of Nanjing and Shanghai. Huawei’s video management system was used in the Shanghai project as part of the Chinese Ministry of Public Security’s safe cities construction initiative. One of the key challenges of the project was to integrate old and new technology. Huawei’s VMS used ONVIF to integrate the cameras from manufacturers Dahua, Haikang, AXIS, SONY and other brands.
A Multi-discipline Physical Security Standard?
At present, physical security’s role in safe cities is primarily through video surveillance, a key part of safe city deployments. Physical security is also playing a substantive role in the Internet of Things’ evolution. ONVIF’s vision is that all physical security systems will eventually have the same interfaces for interoperability, and is dedicated to facilitating the work of its members in developing a multi-discipline standard. Such an all-encompassing interface would provide a comprehensive approach to interoperability that would satisfy the core elements of video surveillance, access control and other essential operations of a safe city command center.
Because safe city deployments and the Internet of Things concept operate on the same principles of connecting disparate systems and devices together, a multi-discipline physical security standard would no doubt also play a role in the further development of the Internet of Things. Many of those in the technology industry at large see standards as an important component in both safe cities and the IoT. The IEEE (the Institute of Electrical and Electronics Engineers) is already working on IoT standards for technology-based industries and some even predict that we may see global IoT standards in place by the end of this year. If an IoT standard is developed, this will likely have an influence on safe city deployments.
As standards and industries collaborate even further than they already have and establish minimum interoperability standards together, the need for a multi-discipline physical security standard may present itself. A day will come when it makes the most sense to do so, rather than creating proprietary multi-discipline systems. We’re not at that point yet, as an industry, but a multi-discipline physical security standard is certainly somewhere on the proverbial horizon.
Asia Pacific Region
SECURITY AND RISK ENVIRONMENT
By Prince Lazzar, ASM correspondent
To understand the security spectrum of Malaysia, it is worthwhile to run through the Malaysian geo-political situation and location, and the character of the South East Asia region, in which Malaysia shares boundaries with a few other countries. Malaysia’s location makes it less susceptible to earthquakes and tsunamis than other countries in Southeast Asia. Within the Southeast Asia region, Malaysia is a highly open economy due to its maritime location, historically porous borders, geographic proximity to major trade and traffic routes, smaller population combined with relative affluence, shared ethnic heritages with the neighbouring countries inside and outside of Southeast Asia, government policy to encourage ties with the Islamic world, and globally oriented economic outlook. Malaysia offers lower costs in labour and land. Migrant workers are attracted to Malaysia because of the country’s relative affluence compared with its Southeast Asian neighbours (excluding Singapore and Brunei) and other countries in Asia. Foreign migrant workers are introduced
both legally and illegally in sectors such as farming, food processing, mining, construction and house-keeping, and the promotion of the tourism industry also requires a large pool of low-skilled labour. Opportunities for transnational crime have coincided with Malaysia’s growing migrant population and increased trade, which can be attributed to globalisation. Malaysia’s geographic location has exposed the country to long-distance commerce and migration, which has led to the many transnational issues Malaysia faces today, like drug smuggling and illegal workers. The porous nature of both borders and the corruption at official crossing points are both identified as causes of Malaysia’s ineffective immigration management. Human trafficking is subsumed under the illegal workers category, leading the government to focus on visa violations of the trafficked victims, terrorism and maritime piracy.
In sustaining the growth trajectory, Malaysia has become increasingly dependent on data and information systems across verticals, like healthcare, critical infrastructure, defence, finance and technology, which are all potential targets for financially motivated cyber criminals and politically motivated actors like nation-states. The proliferation of wi-fi connected tablets for sales service personnel and in-store customer wi-fi access are adding to the complexity of the security challenges for major retailers in Malaysia today. The retail industry is fast becoming a major target for cyber criminals. Hence, for retailers with stores throughout Malaysia, secure network connectivity linking all sites to the head office is critical to business operating processes.
Malaysia is considered to have moderate crime levels, although the country has seen a spurt in crime rates in the last few years, including several reported assaults and robberies, sometimes involving weapons; overall, the security situation in Malaysia is still considered moderate. Other types of non-violent criminal activity include credit card fraud and automobile theft. Among its security concerns, crime, kidnapping, piracy, terrorism, human trafficking, financial fraud and money laundering are the country’s priorities. Financial and organised crime is present in Malaysia, but has a limited direct impact on foreign businesses. The threat of cybercrime is growing, however, and companies must ensure they have sufficient cyber protection.
The security challenges faced by Malaysia predominantly emanate from territorial complexity and intricacies. Undefined or unclear land and maritime boundaries have given rise to contestation and overlapping claims, which has manifested itself in some territorial disputes and intrusions. To counter this, the country has formed a defence pact, the Five Power Defence Arrangements (FPDA), established in 1971, committing Australia, Malaysia, New Zealand, Singapore and the United Kingdom to consult on a response to any armed attack or threat against Malaysia or Singapore. The FPDA has also recently expanded its focus to address non-conventional security threats facing the region, including terrorism and maritime security.
The Territory and Territorial Seas of the Philippines, Indonesia, and Malaysia constitute a single geopolitical space. Long-standing ties facilitate commerce and social relations among the populations of the region, but they are also
conducive to transnational dissident, terrorist and criminal activity. Vast areas lie outside government control, and ethnonational, ideological and religious conflicts exacerbate the void in governance. Kidnapping has become a serious issue in maritime piracy, which is most prevalent in East Malaysia, particularly in the islands off Eastern Sabah due to its proximity to the Sulu archipelago in the Southern Philippines. The tri-border area (TBA) between the Philippines, Malaysia and Indonesia is a key hub of terrorist and related criminal activity in Southeast Asia, a well-known transit zone for weapons and explosives, and a principal logistical corridor for local and transnational terrorist groups.
Terrorism has increasingly become a big threat in Malaysia of late and it remains a potent risk due to the Islamic-influenced groups operating in the region and in the Middle East. While previous terrorist organisations were disparate organisations fighting for separate causes, the regional terrorists may join together to fight for a common cause across national boundaries and will possess capabilities to target masses using easily acquired advanced technology weapons or equipment. The insurgency in Southern Thailand by Muslim Thai rebels, who are active along the Thai border, has further increased the threat of terrorist attacks in this region.
International terrorists have been suspected of operating out of Malaysia for some time, and the growth of Muslim extremism has spurred the development of home-grown terrorist groups; dozens of disparate fundamentalist groups/cells are believed to be operating in the country. The terror threat to Malaysia, however, doesn’t stem from a particular IS terror outfit, but from the presence of regional terror groups like Abu Sayyaf, the Moro National Liberation Front and many insurgent (terrorist) organisations which have always posed a threat to Malaysia’s northern state of Sabah, and now, with their given allegiance to IS, the threat has become more potent.
With the increased terrorism threat, Malaysia has taken a strong stance on terrorism; however, the counterterrorism posture is still driven by domestic political considerations. Malaysian authorities have arrested several individuals for activities linked to IS. They have also been very proactive, especially in terms of monitoring flight manifests, preventing people from travelling to and from Syria and Iraq and monitoring social media. While Malaysia’s counter-terrorism capabilities are relatively strong, the risk of political violence remains high due to tensions between ethnic groups. Over the last five years, Malaysia has experienced an increased number of demonstrations over political divisions, racial/religious tensions and international developments. The country has recently implemented security legislation introducing indefinite detention without trial, which has the potential to foster discontent and trigger violent protest.
Another growing aspect of security is the threat posed to the tourism industry in Malaysia. With the rise of tourism and Malaysia being known as one of the top tourist destinations in the region, it receives a high number of tourist arrivals, which has raised safety and security issues, with crime, terrorism, food safety, health issues and natural disasters as the main concerns.
The security industry in Malaysia, especially the guarding sector, with around 24,000 registered private security guards, is saddled with the problem of employing incompetent, unqualified and unfit guards. There is a need for a comprehensive review of the security industry in the form of a proper security framework and regulations. If Private Security Companies (PSC) can be regulated and they co-ordinate well with the government institutions, they can be a source of tremendous information and can help the police track down criminals and assist in larger law and order maintenance.
Public and private sector organisations are investing in several areas to ensure that their economic rise does not slow because of infrastructure disruptions brought upon by cyber sabotage or terrorism, or lost revenue because of intellectual property theft. There is an increasing emphasis on security awareness, training and certifications, and academic institutions are also focussing on specialised training and certification courses specific to security and safety. Security-based job programs, such as internships, are in place between the academic institutions, government organisations and the private sector, which is a positive boost to security. This manifests in strong information sharing between public and private sector organisations and a general openness amongst organisations, even competitive organisations, when it comes to combating cyber-attacks.
Going with the economic growth in the last few years in Malaysia, from securing the physical borders and assets to endpoint and data security, there is a good trend in a holistic approach to security. Security in Malaysia has been seeking an approach from the perspective of: what can be done, what technology/solutions are available and how they can be employed for end-to-end controls, which is a healthy sign towards security. When vetting solutions, security consistently makes it into the top three on the list of must-have requirements.
The total Malaysian safety and security sector is estimated at US$2 billion and is expected to grow. Private consumption of safety and security equipment has also risen over the last decade, mainly due to the increased rate of urbanisation, a growing middle class owning assets which they wish to protect and a lack of faith in the local law enforcement (Source: Global Safety & Security guide, US COMMERCIAL SERVICE). The revenue in the “security” segment in Malaysia amounts to USD 1.1 million in 2016 and the revenue is expected to show an annual growth rate (CAGR 2016-2020) of 46.94%, resulting in a market volume of USD 5.3 million in 2020 (Source: Statista market research portal).
Public consumption is mostly government-initiated purchases for the maintenance of law and public order, which is a long and tedious process. Private consumption is usually driven by purchases of new homes, cars and other assets that the common consumer wishes to protect. Until recently, most consumers based their selection process purely on price. In the last five years, there has been a significant change in the attitude and mind-set of consumers, whereby quality and reliability also play a major role in selecting the type and brand of security products to invest in. There is demand for technologies to keep users updated on the status of their security system. These usually include remote access via smart phones through the internet, and instant notifications via SMS and/or monitoring companies. New solutions like intelligent video surveillance and cloud security devices are also gaining popularity, especially among the more affluent segments of the market. US companies presently dominate the Malaysian market for both the public and private market segments.
However, Chinese and German companies are fast gaining footholds in the market, especially for point-of-entry equipment, and in the private consumer market Taiwanese and Chinese companies are eroding US market share with newer and price-competitive surveillance and prevention systems. Some of the leading global security companies operating in Malaysia, which help to provide the latest security technology, are Pelco, MOBOTIX, Sony, Avigilon, Bosch, HID Global, Panasonic, Samsung, Arecont Vision, AxxonSoft, CLIQ - ASSA ABLOY, Hikvision, Seagate, Suprema, Surveon Technology, Videotec, VIVOTEK, Chubbs and ADT.
Malaysia, with its diverse ethnicity, race and language, faces dynamic security issues and challenges. This calls for maintaining a secure environment in the country, providing opportunities for economic development and better stability.
Cyber Security
Building a national security fabric: The Fortinet approach
By Gary Gardiner, Director of Engineering & Services, ANZ at Fortinet
‘If we don’t hang together, we’ll surely hang separately.’ Benjamin Franklin’s (the face on the American $100 dollar note) quote is as valid today as it was 240 years ago. Building a strong national response to network security has to be a coordinated, nation-wide effort. Otherwise Australian organisations are sitting ducks.
Right now Australia’s national security landscape is comprised of thousands and thousands of discrete, individual networks that, in effect, operate in a network security vacuum. There is no significant nationwide policy to share expertise, identified threats, work-arounds or even to alert organisations of the latest malware infections. We have thousands of organisations each duplicating efforts, playing catch-up and, unfortunately, leaving the doors and windows open for cyber criminals.
Technology in-place
It doesn’t have to be this way. The technology is in place to share network security information in near real time. The challenge is that, for far too long, organisations have viewed their network security policies and practices as their own intellectual property. And fair enough. Businesses have invested significant resources into developing security policies, buying, leasing or subscribing to cloud-based security infrastructure and training up their IT staff. But they haven’t been able to take advantage of the efforts of their peer organisations that are doing exactly the same thing.
There shouldn’t be competition around network security. There has to be cooperation. Of course many organisations see their network security as a competitive edge,
especially in the managed security services market. We’re not advocating a wholesale ‘open source’ security policy. What we are promoting is the real-time sharing of threat intelligence across all sectors. We’re not asking how an organisation identified a fast-moving ‘zero-day threat’ – that is and should be proprietary. All we’re saying is that once that threat is detected and analysed to create mitigation procedures, there should be a mechanism to release this information to the public.
Extending the reach
Fortinet, amongst other leading security vendors, has these capabilities already in place. Right now these capabilities are available to our client base as part of our Advanced Threat Protection (ATP) and FortiSandbox solutions and we are extending these capabilities to the endpoint, access layer, applications, the cloud and even into IoT-enabled devices. What we really want to do is expand this process so that any malware that we detect and the mitigation procedures that we develop are pushed out to the wider community.
While we would like to see a wider adoption of Fortinet equipment in the marketplace, we fully understand that there are other players on the market and that many organisations have invested heavily in their security solutions. Indeed this is the whole idea behind a national security fabric. Our clients could benefit immensely if they were alerted to malware picked up by a competing vendor’s security solution. There is a time and place for competition. But there is an equally compelling rationale for cooperation, especially if it results in
the rapid dissemination of mitigation procedures for zero-day threats.
Supporting a national Cyber Security Strategy
Fortinet isn’t alone in advocating such an approach. Australia’s recently released Cyber Security Policy advocates strong cyber defences with a specific goal of ‘establishing a layered approach for sharing near realtime public-private threat information through joint cyber threat sharing centres, initially piloted in a capital city and an online cyber threat sharing portal.’
The need is clear. The tools are in place. The benefits are manifest. What it will take is coordination. Fortinet is in initial communications with various government agencies to extend reach of ATP, FortiSandbox and the hundreds of researchers at our international FortiGuard Labs to a wider audience. We call on other security vendors and private industry to join us to work together on these initiatives. Our combined resources can and will overwhelm the resources that the bad actors can employ. It’s a strategy that we must adopt. Otherwise we will always be in react mode instead of leading the charge.
About the author
Gary Gardiner, Fortinet’s senior security executive in ANZ, is a seasoned network security professional with hands-on and management experience in every aspect of security across many different vendors, solutions and verticals. As a technologist, he understands the challenges and solutions. As a ‘C-level’ executive, he also is acutely aware of the drivers and challenges facing Australian organisations.
Working together towards a Cyber Smart Nation
By Allan Mouawad, Fortinet Network Security Academy Project Manager
There is no shortage of hackers, cyber criminals and rogue operators. And why not? The hours are short, there are no dress codes nor long commutes and the pay is great. Legitimate network security specialists, on the other hand, are in short supply. Indeed, finding people who understand simply the basics of network security is a tough ask for many Australian businesses. And once a business trains up their security staff they are lured away for more pay to a company with deeper pockets. No wonder network security is one of the key concerns of CIOs across the country.
This lack of network security specialists and practitioners is made abundantly clear in the recently announced Australian Cyber Security Strategy. It states that “the information security field is expected to see a worldwide deficit of 1.5 million professionals by 2020,” and calls for “programs for all people at all levels in the workforce to improve their cyber security skills and knowledge starting with those in executive level positions.”
Introducing the Fortinet Network Security Academy
Fortinet takes these concerns seriously. Over the years Fortinet has offered a wide range of training and certification programs in Australasia for Fortinet staff, Partners and clients. But as the requirement for more security-aware staff in government, industry and education has grown exponentially, Fortinet has recognised the need to expand training and education offerings to a much wider audience.
As a result, Fortinet is introducing its industry-recognised training and certification program, called the Fortinet Network Security Academy (FNSA), into Australasia. Working in tandem with TAFEs, tertiary institutions and private training facilities, the FNSA is designed to give students a firm understanding of the dynamics at play in network security, training in developing and deploying network security policies and hands-on knowledge of techniques to enforce network policies in the workplace.
Work in progress
Right now Fortinet is in discussions with a number of learning institutions to roll out the FNSA across the region. “We have developed a curriculum that has proven successful overseas,” says Jon McGettigan, Senior Director Australia, NZ & South Pacific Islands at Fortinet, “and have a number of highly experienced and qualified trainers who have the technology transfer skills to fast track the program once it gets started. What we need now are educational partners.”
Ideally the FNSA curriculum would be incorporated in already existing STEM (science, technology, engineering and mathematics) programs but that is in the future. “We can roll out our FNSA course work almost immediately,” says McGettigan. “We offer short courses, workshops, more advanced course work and certifications either at a learning institution, business or conference venue. There will be no shortage of prospective students. We are looking for educational partners who can take our initial material and build on it for their particular stakeholders.”
An added advantage of the FNSA is that students who complete the program will have a globally recognised certification. “The training is fully certified,” notes McGettigan, “so that graduates will be able to advance their careers. This particular aspect is a powerful incentive for people to take advantage of the FNSA offerings.”
Fast track deployment
Fortinet is in a position to fast track deployment. Most of the development work is done and Fortinet has a team of ‘train the trainer’ experts on staff. “It will not require a huge build up,” concludes McGettigan. “There is a pent up need for this type of network security training. But it does take a certain commitment on the part of educational institutions. We are a hardware vendor, not a training organisation. We have developed the programme. But now we need partners to roll out FNSA as far and as wide as possible. If we are to build a ‘Cyber Smart Nation’ we need to move quickly.”
Both Fortinet and Australian Security Magazine are actively soliciting feedback and partnerships with TAFEs, tertiary institutions and private security and training firms. If your organisation wants to be part of the solution, please contact Fortinet on anztraining@fortinet.com. We look forward to hearing from you.
About the writer
Allan Mouawad is Fortinet’s senior technology transfer specialist in Australasia and is spearheading the Fortinet Network Security Academy initiative. With more than a decade of hands-on experience on a wide variety of security-related systems and the holder of many advanced industry certifications, Allan is focussed on technology transfer and building a broad base of cyber security awareness across the region.
By Tony Campbell, ASM Correspondent
The UK’s National Crime Agency (NCA) has recently published its Cyber Crime Assessment 2016 [1], highlighting the enormous number of cyber-attacks targeting the UK. Unsurprisingly, the report says, “A cyber attack that poses an existential threat to one or more major UK businesses is a realistic possibility.” Over the past twelve months, over 2.46 million incidents were reported, including 700,000 cases of fraud, all originating from just a few hundred criminal gangs. The volume of attacks endangering UK businesses is staggering – and we’ve certainly not seen statistics like this in Australia. So, does this mean the threat we face here at home is a lot less?
If we look at the threat actors, it’s the same selection of Russian, Chinese, European and American cyber criminals who are perpetrating the majority of the world’s cybercrime. These organised criminal gangs are the most successful and well-funded cybercrime operations on the planet, all of which are threatening Australian businesses just as much as they would threaten any other nation.
Nevertheless, it’s our government’s response to the threat that I find the most interesting. The NCA says the UK government will spend £1.9bn (approx. $3.5bn AUD) over the next five years to help bolster the nation’s cyber-defences. Prime Minister Turnbull has pledged $33 million AUD in the recent launch of Australia’s Cyber
Security Strategy to address the problem here at home. That’s less than 1% of the UK’s budget to fight exactly the same threat. Furthermore, the majority of the Australian budget will be used to swell the ranks within government departments, such as ASD, as well as to move the ACSC into new accommodation, so the investment left to improve our nation’s defences and create a “Cyber Secure Nation” is somewhat unimpressive.
The existential threat referenced by the NCA is also mentioned in the ACSC’s Cyber Security Survey [2] (albeit a year old). The ACSC recognises that, “the cyber threat facing Australia is undeniable and unrelenting.” In the period covered by the ACSC’s survey (2014-2015) CERT Australia was called in to deal with 11,733 cyber security incidents affecting Australian businesses, of which 218 were related to attacks on national critical infrastructure and government systems. Compared to the 2.46 million incidents in the UK this seems like a much smaller problem, but we know that under-reporting is a massive issue everywhere, so these numbers need to be considered as a mere fraction of the real attacks. The threat is real and persistent.
The NCA says that under-reporting of cyber-related incidents is prohibiting them from understanding the full extent of cybercrime in the UK. This has a knock-on effect
of hampering law enforcement agencies in being prepared to counter the threat, since there is still not enough information on the operating models the cyber criminals use. Unlike Australia, the UK has had mandatory data breach notification laws in place for many years, so it’s little wonder that under-reporting is even more of an issue here. We know that here in Australia under-reporting is a massive problem, which is why the ACORN website [3] was set up by the AFP as a national policing initiative of all states and territories to allow anyone to securely report instances of cybercrime. With the statistics gathered through ACORN, the government can then decide just how real the problem is, and hopefully invest enough money to start allowing our law enforcement agencies to tackle some of these big, international issues.
Who are the bad guys?
Russia is home to some of the most successful organised cybercrime groups. Some reports suggest their aptitude for cybercrime stems from the cold war, with ex-KGB spies now commercialising their tradecraft for black market profit. The so-called Russian Business Network (RBN) has shown incredible resilience to international law enforcement attempts to take it offline. Journalist Brian Krebs’s account of the RBN in his book, Spam Nation [4], is an eye-opening account of just how corrupt Russia is and shows just how Russian cybercrime groups continue to profit. If you want to know more about Russian cybercriminals, read Krebs’s book.
A variety of very capable cybercrime organisations also operate out of Africa. Ghana and Nigeria are the two biggest hacking exporters, with Ghana being extremely advanced in terms of its technical capability. Nigeria, on the other hand, is not as technologically advanced as Ghana, but is certainly rife with cybercriminals looking to target Western countries.
The so-called Nigerian 419 scams have been in the press many times before, but the term originates from the Nigerian criminal code, which reads, “any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.” For more details on the extent of Nigerian scams, take a look here [4].

The last aspect of cybercrime worth looking at, from the perspective of the threat actors, is the state-sponsored attacks originating from China. Unlike the previously mentioned Russian and African cybercrime gangs, much of the hacking undertaken from China has a state-based economic intent, with links to both industrial and international espionage. In 2015, for example, it is believed by the Federal Bureau of Investigation that the Chinese government was behind the massive attack on the US Office of Personnel Management. This attack saw the
perpetrators make off with over 21.5 million U.S. government workers’ records, including 5.6 million fingerprint records. The Government Standard Form 86, the form used for government clearance applications, was the basis of what was stolen. Each record comprised a complete historical record of the employee’s life: friends, family, run-ins with the law, sexual preferences, history of drug or alcohol abuse, medical conditions, as well as copies of every kind of identification document the employee owned. This is a true treasure trove of information, both for cybercriminals, from the perspective of ID theft, and from the perspective of international espionage. Clearance details for staff with up to and including access to TOP SECRET information were taken. This problem will affect the U.S. government for the next 30 years, until all those people have retired and can no longer pose a threat to national security.

Fighting Back at Cybercrime

In the 2015 Strategic Defence and Security Review, the UK Government made building cyber defences a Tier 1 priority, doubling the investment from previous years. This included building a National Cyber Security Centre to perform a similar function to that of the ACSC, along with myriad support for businesses, including two new innovation centres to support talent and drive growth. The Australian Cyber Security Strategy also shows that Australia is raising the bar in an attempt to fend off this global scourge, albeit with limited funding. However, is there more that can be done?

The reality is that individuals and corporations need to assume that their systems have already been compromised. Only then will industry and government’s focus be on protecting the national infrastructure we all rely on. There is no easy way to combat cybercrime and it’s as much about educating individuals as it is about putting in technical controls, such as firewalls, IPSs and content checkers.
People are usually the weakest link in the chain, so unless we educate people not to click on the links they receive from the Russian spammers or the Chinese spies, we’ll always be acting on the defensive. Adopt a security framework and make sure it’s been operationalised rather than just documenting a lot of processes that are ignored until audit time comes around. ISO 27001 is a good place to start, since it’s an international standard and one that’s well respected and widely adopted. But don’t stop there – you need to make sure that your staff are living and breathing security in their everyday activities. It just takes one slip of attention, one double click while running on autopilot after lunch, for your whole organisation to be compromised, so regular, immersive training and awareness programmes are needed, with cyber drills showing staff what can go wrong and just how easy it is for them to be the weak point in the company.
Website References links
1) www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016
2) www.acsc.gov.au/publications/ACSC_CERT_Cyber_Security_Survey_2015.pdf
3) www.acorn.gov.au
4) http://krebsonsecurity.com/tag/russian-business-network
4) www.geektime.com/2014/07/21/millions-of-victims-lost-12-7b-last-year-falling-for-nigerian-scams
The non-IT expert’s guide to surviving a cyberattack
By Lex Drennan

Cyber-crime is one of the fastest growing industries in the world. In the last year, it is estimated that cybercrime costs business over $400 billion, including reputational damage, costs to remediate breaches and interruption to normal business operations. There is no doubt that the real figures are higher due to under-reporting, and the cost is projected to reach a staggering $2 trillion by 2019.

The risks arising from cyber-crime are clearly top-of-mind for the C-suite and those concerns are only likely to increase as the cyber-crime industry grows increasingly sophisticated. This rising level of concern reflects awareness that cyber-crime is no longer “just an IT issue”. The mode of business interruption may be through information technology, but the impacts are organisation-wide and have the potential to destroy businesses.

The most common types of cyber-attacks fall into the categories of ransomware, data theft and malicious interruption. Whilst the technical details of these attack modes are relevant at the operational level, in the boardroom it is necessary to understand the type of attack mode as it has significant bearing on your response options and the management strategy you implement. The following scenario will call on the skills of all the executive team to address it – whether you consider yourself an IT expert or not.

This is the nightmare scenario – compromised systems, breach of privacy, harm to customers and significant reputational damage. Nonetheless, an executive team can take immediate and critical steps to minimise the extent of this breach.
1) Establish Management Control

With a sudden-onset critical incident, employees and customers will naturally look to the business’ leaders to see who is in charge. There is often a grace period where customers and the general public will sympathise with a business as the victim of an attack. However, this grace period does not last long. The absence of clear, strong leadership by the executive team can be taken as a sign of incompetence, rapidly turning a potentially sympathetic audience into a hostile one.

For organisations that have pre-defined Crisis Management Plans, this is the time to implement them. Often businesses take a ‘wait and see’ approach to activating these plans, fearing that they may be crying wolf. However, any time lost at the commencement of managing a crisis cannot be regained, and will immediately place the business on the back foot. It is essential that the management team rapidly assemble to assess how serious the incident is, its potential for escalation and, most importantly, to communicate these actions to staff and customers.

2) Address the Technical Issues

Whether or not you understand the technical aspects of a cyber attack, you cannot back away from building a strategy to address it. If your business is large enough to have in-house IT staff, call on them. They may not be cyber-crime experts but asking questions is the best and only way to
establish the perimeters of what you know and what you don’t. From there, you need to determine if you will call in outside help. Many businesses specialise in providing cyber-attack support in addition to the advice available to businesses from the Australian Government’s Cyber Emergency Response Team (CERT). Regardless of the choice to in-source or seek out-sourced expertise, your next priorities are to:

• Confirm the validity of the data leak - Knowledge is power. If the data is valid, this will shape a very different management response strategy to false claims of data theft. The process of validating the data may take some hours so rapid commencement is vital.
• Identify and block the breach - This process may take days to many months to complete. It is methodical, detailed and painstaking. This ongoing exposure will pose a continued challenge to the business and the management team as it seeks to reassure staff and customers that the issue is under control.

3) Assess the Extent of Business Interruption

Again, knowledge is power. To build an appropriate response strategy, you need to understand what parts of the business have been affected. In part this is a question about what data has been leaked. It is also a question of what other parts of your business’ IT systems have been affected. Anticipate that clearly establishing what has been impacted and what has not may take some time. The picture will become progressively more clear over a period of hours, and potentially days. In the meantime, it is necessary to plan and act on the basis of what you do know.

This is where ensuring you have the right people in the room to assist decision making is essential. Whilst the incident may impact IT systems, this has the potential to cripple a business. It is important to consult with operational teams to truly understand the impacts of system outages on productivity.
The business may be able to continue working almost as usual, suffering only productivity reductions due to delays and inconvenience. Or, if critical systems such as CRMs, billing or logistics are compromised, it may be necessary to revert to paper-based workarounds supported by extensive customer outreach. Understanding the criticality of individual systems and developing workaround options will enable your business to continue to function whilst the technical aspects of the incident are resolved.

4) Communicate Early and Often

Communicating all of this complex and continually evolving information to staff and customers is a difficult challenge. In a rapidly moving media environment, poorly managed or ineffective communication can allow a media firestorm to evolve, leaving the business with two major issues to manage – the cyber attack and the media firestorm.

Following a breach resulting in the release of personal data, a business has very few communication options available to it. As Symantec noted in their 2016 Internet Security Threat Report, “Transparency is critical to security”. Efforts to hide the extent of the hack, to shift blame or deny
responsibility will only compound the difficult circumstances faced by the business. Once you have confirmed the data leak is real, your response strategy needs to focus on minimising further harm to customers. This should be supported by your communications strategy.

You can expect that every communication channel available to the public, from Twitter to snail mail, will receive a major spike in activity. One of the biggest mistakes businesses make is failing to anticipate this deluge, not preparing key messages for rapid response and consequently responding slowly, inaccurately or not at all. Although the situation will change rapidly, and at the outset the business may face many unknowns, it is important to lead the communication process rather than reacting to mounting customer anger.

Given all the uncertainties, your communications must be regularly updated. Further, as the incident runs into days, then weeks and months, your communication strategy must evolve to reflect the organisation’s changing objectives. In the immediate term, communications should focus on sharing known information and dispelling rumours. In the short term you should focus on communicating the extent of damage and reassuring customers that you have a clear strategy in place to address the issue. Over the medium to longer-term, your focus will shift to rebuilding your brand and customer confidence.

Honesty, and communications centred firmly in your organisation’s values, is the only path that will allow a business to survive a cyber-attack and salvage its reputation. A major hack will cause disruption to normal operations for weeks to months and will occupy a disproportionate amount of the executive team’s time.
However, beneath all the noise, the business must continue to operate, serving its customers and sustaining its revenue and market share. Strong leadership, regular communication and clearly articulated values provide the basis for an effective management strategy. With a clear understanding of the nature of the attack, its current and future potential impacts, an executive team can successfully lead a business through a cyber-attack.

About the Author

Lex Drennan, B. Bus Mgmt, M. Public Admin.

Lex is a Senior Specialist in risk consulting for CGU, one of Australia’s largest insurers. She has an extensive background in crisis and emergency management, planning and training, complemented by experience in operational response to events spanning bomb threats, natural disasters to counterterrorism operations. In her spare time, she is also an Adjunct Research Fellow at Griffith University where she researches disaster resilience, adaptation and government policy.
How has information technology become the latest security threat?
By Keith Suter, Global Directions

Every day there are security stories which involve information technology (IT). This article provides three explanations for how we have been taken by surprise by the IT revolution: the IT revolution is a “black swan event”, the IT developers were too optimistic and too trusting, and government is being overwhelmed by the IT revolution. The bottom line is that humankind is still on a steep learning curve as it copes with the new IT era.

Information Technology as a “Black Swan” Event

“Black Swan” events are high impact/low probability. They are very difficult to predict because of their rarity. The phrase originated with US financial expert Nassim Nicholas Taleb who lived through a financial crisis. His book is called The Black Swan: The Impact of the Highly Improbable. Europeans thought that all swans were white and then they reached Western Australia and found black swans. “Black swan” events challenge the dominant paradigms of their day. People get taken by surprise because they extrapolate from current conditions rather than “think about the unthinkable”.

Three big technological inventions are Black Swan events: computers, Internet and lasers. They were all unplanned,
unpredicted and unappreciated initially upon their discovery. Gordon Moore (a founder of Intel) predicted on April 19 1965 that the power of computers would double every 18 months to two years and the price of computers would halve every 18 months to two years. This is the most profound prediction to haunt us this century. The prediction was clear but few could believe the mathematics. People were unwilling to “think about the unthinkable” – the implications of such drastically increasing IT power.

The Internet was not designed for all the purposes for which we are now using it. No one predicted how it would come to dominate our lives. No one evidently thought about how vulnerable it could be to people with malicious motives; there are too many points of vulnerability.

Meanwhile, older senior people at the top of organizations and companies may have been out of touch with all the IT developments. For example, newspapers carried stories of how IT was changing society but newspaper board members were slow to ask “what will all this mean for the newspaper business model?” Consequently, the old newspaper business is broken and there are no new clear business models. Additionally, IT personnel may have had
difficulty in explaining IT matters in plain language, and so there was a communications problem: the experts who could see the coming changes could not communicate the gravity of the situation. Therefore society has been caught by surprise.
IT Developers Were Too Optimistic
IT developers forgot that there is always a hidden cost for convenience. The Internet was designed to survive a surprise Soviet nuclear attack. The developers were permitted to use a version of it to communicate rapidly between university campuses. Evidently no one thought about the risk of millions of people (including fellow Americans) having malicious motives. The initial development community was small and people knew each other – but it soon expanded and malicious people could become anonymous. (The first major Internet worm was made by Robert Morris – the “Morris worm” – in 1988; after serving time in prison he is now an honoured member of the US IT profession).

Although the Internet was developed via US Government money (ARPANET: Advanced Research Projects Agency Network), the US Government did not subject it to US regulation at the time (ARPANET ceased to exist in 1990 when the Internet began as a public network). Perhaps in retrospect, the US Government should have insisted on a more controlling role (certainly China does so within its borders). No one is in charge of the Internet and so who is overall responsible for IT security?

Meanwhile, some of the crimes that get committed are based on exploiting a person’s sense of greed (such as the Nigerian scams informing the recipient that a distant relative has left them money in a Lagos bank account). Perhaps they are naïve in hoping to get money for nothing.

Employers thought it would be a good idea to have a BYOD policy (“Bring Your Own Device”); it saved money for the employer, and it was “staff friendly”. But it can make the company’s IT system vulnerable to cyber-attack. It was well-meaning but perhaps naïve.
IT Challenges for Government

Government is on a steep learning curve. First, many governments are under siege from different categories of cyber-attack: (i) hostile governments, (ii) criminal groups, (iii) politically-motivated “hacktivists”, (iv) “script kiddies” (younger people who want to see what they can get away with), and (v) terrorist groups. Each group has its own motivations.

Second, the technique of nuclear Mutual Assured Destruction (MAD) does not work with groups which have a suicidal apocalyptic mindset. For example, if there were a destruction of the civilian communications network handling financial transactions, Islamic State would not be too worried if it could take the rest of us with them.

Third, there is a wide range of “soft” targets: transport infrastructure, water and sanitation, fuel supplies, distribution centres, computer-controlled ground stations, mass deletion of government data, hacking hospital IT systems to murder
patients on life support systems (“hacked to death”), carjacking. This is a new era of conflict because the targets are no longer military ones.

Fourth, the full extent of the problems may be obscured because some financial institutions may prefer to keep quiet rather than admit to having problems. This means that there is not necessarily as much learning from experience as one would like (people need to share information on their problems as a way of creating a “learning society”).

The Bigger Picture for Government

Governments are too concerned with immediate, short-term issues and so get taken by surprise. The issues raised in this article, for example, were not raised in the recent general election. Perhaps politicians may lack the knowledge base with which to consider technological issues (much the same could be said about company directors, who will agree in minutes to spend thousands of dollars on an IT project, while arguing for a long time over the location of a bicycle shed).

Therefore: how do governments make sure that the staff are not part of the problem, such as on BYOD? There is a need for new ways of conducting security checks: for example, security problems may arise from idealistic staff becoming disenchanted when they learn about how operations are being carried out (such as Daniel Ellsberg and the Pentagon Papers, Bradley/Chelsea Manning, Edward Snowden). IT has made government more vulnerable to “leaks”.

Meanwhile, the complexity of IT developments and the slow response by government give the impression that government is out of touch with events: “reputational risk”. Citizens seek reassurance that government is somehow in control but the threat is now possibly faceless and borderless; potentially disruptive IT knowledge itself knows no boundaries and so may be acquired by anyone.

Another challenge is how to make the most of “surveillance capitalism”. This is the growth of the technological monitoring industry.
It has already had an impact on reducing some crime because criminals now fear they will not get away with their crimes (every lamp post is a set of eyes looking over the street). Certainty of punishment rather than length of sentence is a key factor in deterring crime. There is still far more that can be done in this area but it is a positive development.

To conclude, IT represents a new frontier for security considerations. The IT industry is making great progress and transforming many areas of our lives. We have to make sure that the security industry keeps up with all the changes and is willing to think about the unthinkable.
Fighting technology with technology: protecting children from cyber bullies
By Kim Maslin

Technology has altered the way we live. This goes for both positive interactions with technology, such as keeping in touch with family overseas, as well as the negative aspects, such as cyber bullying, cyber stalking and cyber terrorism. Cyber bullying is no different to traditional bullying, aside from it leveraging technology. Cyber bullies use technologies such as email, text messages and social networking sites to hurt their victims, prowling the common platforms used by teenagers, including Facebook, Instagram, SnapChat and Skype.

But how do we adapt our anti-bullying strategies to deal with cyber bullying, given its innate ability to invade not just our children’s school lives, but also their home life? The answer is that we all have a role to play in combating cyber bullying. Leading the way are our schools.

Australian schools have already developed a number of measures to help combat cyber bullying, minimising the impact on our children. These measures include formulating policies that outline how the school will deal with cyber bullies; educating the student cohort about the impact of cyber bullying; responding to cyber bullying complaints; and providing support through counselors and pastoral care programmes for those who have been victimised.

Technical measures have also been introduced in the form of content filtering and monitoring. These approaches draw upon digital technologies to filter out communications that may be deemed inappropriate, as well as monitoring the websites students visit and their behaviours while on school networks. This enables schools to collect evidence of cyber bullying incidents and hold those responsible to account. School ICT departments play a critical role in managing these filtering and monitoring systems, ensuring they stay one step ahead of today’s technically savvy teens.
This approach goes a long way in minimising the number of cyber bullying incidents reported in schools, but it also aligns with the bigger vision the Australian Federal Government outlined in Australia’s Cyber Security Strategy (https://cybersecuritystrategy.dpmc.gov.au). Underpinning the success of this strategy is the development of a ‘cyber smart nation’ – a country complete with highly-skilled cyber security professionals, as well as a nation of citizens who understand the threats from cyberspace.

While information security professionals are undoubtedly required to address a broad range of cyber threats – from terrorism to financial scams – protection of our children must remain a high priority. Research has found that one in five Australian children from the age of 12 to 17 have been victims of cyber bullying over the past year. Furthermore, the adverse effect of cyber bullying on our children’s mental health has been shown to be profound, ranging from self-esteem issues all the way through to suicide, so it’s vital that we keep it front and centre in people’s minds as we develop these national plans.

As a community, we need to maintain the momentum that is building to tackle cyber bullying. Schools need to continue monitoring and educating our children, while parents need to wake up to these threats (and their indicators) at home. In order to keep up with the ever-changing digital landscape, Australia needs to invest in the future of anti-bullying technologies and professionals. We hope the government hears our call and invests in the future of Australia, which lies in the hands of the children of the digital age.

About the author

Kim Maslin is an entrepreneur, educator, cybersafety expert, social media enthusiast and founder of 3103 Communications. She is most importantly a ‘digital native’, who has grown up with the Internet and has been around social media for the better part of her life. Her expertise in communications, experience as a Technologies Teacher and Digital Learning Integrator and her passion to empower the community with digital literacy skills are the forces
Creating a culture of security to defend against social engineering attacks
By Christopher Hadnagy

The Fifth Annual Benchmark study on Privacy and Security of Healthcare Data by Ponemon Institute (https://www2.idexpertscorp.com/fifth-annualponemon-study-on-privacy-security-incidents-of-healthcaredata) has recently revealed what others have long perceived: There has been a shift in the root cause of data breaches from accidental to intentional. While 90% of healthcare organisations represented in the study had experienced a data breach, for the first time, criminal attacks are the number one cause of these breaches.

Criminal attacks are highly targeted. When it comes down to it, attackers will stop at nothing to break into an organisation. They will use whatever means necessary to infiltrate, especially if those means are low risk. It’s far easier for attackers to bypass technical controls and exploit human nature to breach an organisation than to compromise a network surrounded by technical controls. Unfortunately, there is plenty of overlap between the proactive criminal and the unsuspecting employee that really adds fuel to the fire.

Despite the balance of breaches shifting to criminal activity, organisations are beginning to recognise the importance of starting with employees first. According to Ponemon’s study, the data backs this up, as healthcare organisations rank employee negligence as a top concern when it comes to the exposure of patient data. Employee negligence goes far beyond the occasional lost or stolen laptop. What about when an employee accidentally discloses confidential data? A whopping 70% of Ponemon survey respondents admitted that careless or negligent employees are responsible for the most concerning security incidents impacting their organisation, but what can be done to help? Also, in Australia, the Australian Signals Directorate has openly acknowledged that Social Engineering tops the list of threats to Australian businesses, so it’s a true concern and one that doesn’t have an easy answer.
To add to the complication, organisations are gradually increasing their budgets and resources to protect their data; however, not enough investment is being made in human capital to address the evolving threat landscape. It’s time for organisations to start investing in a culture of security that makes employees the first line of defense. Ask yourself, do your employees know what a phishing email is? Is there a process in place for the verification of a caller’s identity? Do you have a process in place to report security incidents? If you’re unsure of the answers to one or more of these questions, odds are you are not engaging in a culture of security.
What does a culture of security look like?

A culture of security begins with active testing and training of employees for security awareness. Employees who know they are being actively tested have heightened awareness for security initiatives and are more apt to shut down an attempt to exfiltrate information or breach confidential client data. Buy-in for the culture of security should start at the top of the organisation and build down: this makes it the responsibility of each and every employee to contribute to this culture of security.

Exposure, exposure, exposure! Not only should organisations implement continuous training initiatives, but they should also work to publicly reward employees who successfully respond to or report security incidents. Try publishing regular blog posts, try sending out organisation-wide emails, post your messaging on the corporate bulletin board, try handing out gift cards as prizes for staff who demonstrate they understand the security needs of your business and publicly recognise those who embrace it and live these values. A bit of positive reinforcement goes a long way.

About the author

Christopher Hadnagy is the founder and CEO of Social-Engineer, LLC. Chris possesses over 16 years’ experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. Chris established the world’s first social engineering penetration testing framework at www.social-engineer.org, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world.
Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals.
Are security vendors leaving your business at risk?
By Tony Campbell, ASM Correspondent

An issue that I’ve been mulling over for some time relates to the fundamental nature of customer security engagements, especially concerning product vendors and their place as trusted advisors. This issue led me to a couple of conclusions. Firstly, there is a mismatch between what’s best for the client and what’s best for the vendor. And secondly, the security threat environment is so badly defined that vendors could be peddling "snake oil" and customers would still buy their products if it took away their fear.

Today’s security industry is almost entirely product focused and driven by fear-mongering. I’ve even seen some of the big consultancies pitching up at client sites with software products dealt as the cure for what ails them. Every week, another new security vendor hits the news, riding on the back of the venture capitalists' love affair with our industry. And with each new product comes a new story of data mining, artificial intelligence and predictive analytics, which is more and more baffling for the poor old customer who needs to make a risk-balanced investment decision to address their
risks. In part, I blame the media. Since the Target attack back in 2013, news channels have focused on sensationalising big data breaches, the cyber heists undertaken by criminals looking to sell personal information on the black market. What the media has successfully managed to do is play right into the hands of the security product vendors, who are more than happy to sell software that can detect and defend against these kinds of remote attack. However, how many organisations, before having a discussion with AntiThreatWare Inc. have undertaken an actual threat assessment? Consider this. Cyber criminals are not the only category of threat actors that want to attack your business. Moreover, threat actors have a variety of different means, motives and intentions, so you need to understand all of those factors to assess the risk accurately. For example, if you run a medical scanning business, your patient data will be at risk from cyber criminals, that’s a given. But you will also be under attack from foreign nation states who might want the patient data for espionage purposes, who will very likely use different
techniques to hack you than the simple malware drops used by the cyber criminals. What if your patients include celebrities? Now you might be attacked by journalists, so you need to be on the lookout for that threat group, again acting with an entirely different set of means, motive and intent. Further to these threats, you must always consider the potential of threats originating from inside your network boundary – this can come from employees, contractors, partners, customers, and even the casual staff who empty the recycling bins once a week. Security breaches attributed to insiders can be from two perspectives: unintentional and intentional. No single security product will address all your risk. Instead, you’ll hear a lot about cyber criminals attacking you through malware drops, using phishing campaigns to deliver their malware to your users' desktops. But this vendor won’t tell you that their technology can do nothing to support you if the attacker is a rogue administrator recruited by your competitor to steal your company's IPR. Even if you have a comprehensive threat assessment, are you now able to determine where you are most at risk? Do you have data classification or at least some means of determining the value of your data? Are the emails in your corporate Exchange server all of the same classification and, if not, do you therefore treat that data with the security requirements of the most sensitive email it contains, or do you consider the entire Exchange service database entirely benign and without value? Are there even any rules over what can and should be sent using the corporate email system, and what if legitimate users with unfettered access email corporate documents out to a third party? Would you know, or even know to care?
If asked the question you might say, “But they know not to do that,” but I ask you this. Are you confident that no user has ever accidentally hit reply all to an email that included third party recipients outside the business, unintentionally sending an attachment meant for only corporate eyes? Even if you have the very best approach to classifying and valuing data (which frankly is one area of security management that most businesses are shockingly bad at), without a full and accurate threat assessment it’s impossible (and I mean impossible) to determine risk. Without a full understanding of the information risks you are attempting to mitigate using new technology, how can you ever hope to measure the benefits of your investment when you can't measure the risk reduction? Businesses need to pause and reflect on what security is and what it means to them. If you think about the word itself, security is simply a state of being where it’s all good unless you have information to the contrary. If you are blatantly ignoring the threats, then, of course, when you are breached is when you'll start to care. Once you become aware of the problem, this is when you can choose to hire an expert
who knows how to navigate the security industry, someone who knows what security is and can manage expectations effectively. If you can’t afford to hire someone directly, it's time to call in a consultant. But you need to make sure the consultant isn't just another product junkie, out to push the latest and greatest cyber security gadgetry. If they immediately jump into pitching products before they've looked at your business and assessed your architecture, frankly, ditch them and look elsewhere. There is certainly a place for security technology in our enterprises, but it's time to start letting the security requirements lead the architecture, and it's this level of planning that will lead the design. At this stage, we can make considered, sensible technology investment decisions based on them meeting real business requirements and we can build test cases to prove they work. It's time to stop vendors leading the market and start basing security decisions on strategic thinking, a true understanding of threats, vulnerabilities and risk, and an architecture-driven approach that drives real security value into the enterprise.
Digital Identity How the DTO will improve access to online government services for millions of Australians
By John Lord, Managing Director, GBG

The Australian Digital Transformation Office (DTO) has recently published a Request for Information to understand the capabilities of local and international businesses to assist them in the design and implementation of a digital identity assurance (IDA) solution. Now is certainly the right time for the DTO to address this, as similar programs have been deployed abroad – especially recently in the UK with the ground-breaking GOV.UK Verify program. As the Australian Government looks to grow and improve online services, and as the cyber fraud landscape evolves, it is vital that the DTO addresses the digital identity verification challenge. The challenge consists of successfully verifying millions of genuine Australian citizens and residents’ identities whilst rejecting fraudsters and keeping the identification process quick and easy for the user.

The number of online government services is growing, and Australians increasingly expect that these services should be easy to access. In a world where consumers are familiar with everyday online banking and streamlined e-retail experiences, establishing a trusted government digital identification process that is easy, quick and secure for the user has never been more important.
What’s the DTO’s plan?

Rachel Dixon, Head of Identity for the DTO, recently explained that managing ‘digital identities’ means the ability for the government to trust that citizens who are logging in online or via their mobile to online government services are who they say they are. Additionally, citizens have to trust that the Government will deal with them in a fair and secure way. The aim is to provide some way for citizens to assert their existence online, with some degree of trust in both directions.

The DTO is currently in the early stages of the discovery process, and is evaluating the pros and cons of several identification models. It is in the process of building an ‘Alpha product’ to verify the identity of citizens to a level that is sufficient for them to access government services. The project also involves developing a Trusted Digital Identity Framework (TDIF). The DTO will be working with both public and private sector stakeholders to develop a broader framework for trusted digital identities, better enabling them and other agencies and governments to work together.

The challenges

The ultimate objective for the Australian Government is to encourage citizens to manage more federal – and potentially state – related requests and processes online, to increase efficiencies and reduce costs. This is likely to have a win-win impact for both the Government and citizens, but to achieve this goal, the DTO should address two important issues:
1) Build trust in a climate of increased cyber threats

Cyberattacks and data leaks are spreading in Australia, as described by many recent studies including the ACSC’s last Cyber Threat Report. As we are using multiple devices to log on to our favourite websites and apps, the potential for breaches of valuable information has widened. The growing number of financial transactions we conduct online also incentivises hackers to try and gain access to our personal data. For citizens to use online services, you need to ensure that those services are trusted. This means guaranteeing security won’t be breached, and that your users’ personal data will be safe. As soon as sensitive data or money is involved, an extra layer of security is needed, and an extra layer of trust needs to be built. This is where using trusted third party digital identity providers can be highly valuable, meaning there is no central Government-owned database containing all its citizens’ information. If the DTO wants to provide a trusted identification process, they need to partner with the right organisations. Security can be ensured through an identity assurance solution that can verify an individual is who they say they are by referencing on demand multiple datasets from a number of accredited sources. In the UK, the GOV.UK Verify program has benefited from a competitive model, drawing from private sector knowledge and expertise in order to drive innovation in the development and provision of the service.

2) Make the identification process quick and simple, through a single best-in-class platform

The Australian Government already offers a wide range of online platforms, each of which enables citizens to access specific services: MyGov, Medicare, and the Tax Office. This is a great first step.
But if the Australian Government wants to encourage citizens to process more of their requests online, they need to make it easier for them, and follow a model that enables citizens to login once to a platform that redirects them to all online services whether it is related to tax issues, requests to their local councils, or managing their Medicare profile. The DTO is currently studying the relevance of a federal model. The decision they will make will impact how they need to think about their digital identity approach. Having one common platform with a choice of trusted third party identification providers would give citizens a choice in who verifies them. For now, the DTO needs to evaluate the impact of moving the three above services into one.
Taking the right approach, using the right technology

You can find many identification solutions on the market today, from Single-Sign-On (SSO) to manual verification of official identification papers such as Passports or Drivers’ Licences. Each of these solutions has pros and cons, and can be proved efficient in specific contexts, but none of them are highly secure. In order to offer a trusted identification assurance service to Australian citizens, the Government needs to partner with organisations able to swiftly and reliably verify individuals, and provide them unique login credentials that guarantee they are who they say they are without having to go through the identification process again and again. The Government also needs partners able to quickly detect if an identity has been previously compromised, to prevent any loss for both parties – the Government and the citizen. This is a highly complex process. Certified IDA providers use multiple verification techniques that need a high level of expertise. For example, this can include triangulating sources of identity data and verifying somebody is who they say they are through a multitude of checks, including address and financial history, personal knowledge, and document validation. Two-factor verification is an element of this – in other words being asked for something you know as well as proving something you own. For example, you know your username and password, but you need to own a mobile phone to which a security code is sent.

Biometrics: the new IDA technology…or is it?

When I talk to public and private organisations looking to strengthen their digital identification processes, I often come across decision-makers considering biometric technologies. Many organisations providing online services are indeed looking into biometrics as a possible alternative solution to the conventional ‘password login’ for authentication.
Biometric technology undoubtedly has an important role to play in improving service delivery and user experience, with the dual benefit of removing friction for the user and helping to reduce fraud. However is it a technology that the Government should be looking into? Yes, but when it comes to biometric verification – which can include fingerprints, voice and facial recognition – the present consumer technologies available at scale on the market are not robust enough to stand alone and ensure the level of online security vital to verifying identity in the modern age. It must be combined with other proven verification techniques to be truly successful. Regardless of the technology mix that comprises the new digital identification model, this is certainly an exciting opportunity for the DTO to transform how Australian citizens experience online government services.
Verizon data breach

The 2016 Verizon data breach indicator report (DBIR) was released recently, described by Verizon as “… bigger than ever, examining over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors including security service providers, law enforcement and government agencies, this year’s report offers unparalleled insight into the cybersecurity threats you face.”

By David Stafford

The report revealed that we continue to leave our information systems exposed for many months (even years in some cases), subscribing to the age old belief that the bad guys won’t be targeting us. Really? Surely, we don’t all subscribe to that belief? Not all attacks are targeted. In fact, a large number are simply opportunistic. And who can blame them, especially with the gold mines of valuable information just sitting out there on the Internet, ready for the taking. With a new data breach in the headlines every other week, one thing is certain: we cannot afford to leave our systems unpatched. Of all the mitigating controls used to reduce the risk of a breach, keeping systems and applications patched up to date is one of the best. It’s not necessarily the easiest; however, it is the most cost-effective. Despite this, it’s clear that we still don’t patch our environments properly, leaving most businesses exposed to some extent or another. You need to consider your entire environment. Where are all your systems? What versions are you running? Where are they located? What applications might also be exposed and require patching? All this being said, there will be
systems that depend on running outdated, legacy software where the replacement cost is high, so they possibly need to be handled differently. Nevertheless, ignoring these issues will lead to a financial headache, and at some point you will be offering a sincere apology to your customers when their data appears on Pastebin. In some cases, you can use network segmentation to reduce the risk, so doing nothing is not the answer.

Before we look at the motivation behind attacks, one further statistic caught my eye. There is a dramatic upward trend of breaches affecting this type of asset, one that can’t be patched and somewhat unfortunately has a mind of its own. The human! Phishing campaigns yield incredible results for attackers; however, there are simple controls that can help reduce the risk. The most cost-effective and arguably simplest control is procedural in nature. A well-developed Security Awareness training and education programme will go a long way to building a security aware culture within the workplace. This will result in a reduced likelihood of phishing campaigns being successful. Credential theft will reduce as staff use more complex passwords as good practice – arising from their heightened awareness.

Figure 1 - Extract from the Verizon 2016 Data Breach Investigations Report

“The U.S. Federal Bureau of Investigation received 2,453 complaints about ransomware cyberattacks in 2015, which the FBI says cost the victims more than $24 million dollars in ransom. Who knows how many people quietly paid and didn’t tell anyone, because of shame, perhaps, or lack of knowledge about who to tell?”

Now to the why? The main motivator is consistent: financial gain, with espionage a fair way down in second place. However, you shouldn’t take this at face value. Banks are not the only targets for financially-motivated, unscrupulous attackers or sophisticated criminal syndicates. User information, even without bank details, has a price on the black market. Recently, LinkedIn had their dirty laundry aired for the second time, with media reporting that the stolen data, email addresses and hashed passwords, were for sale on the black market.

Let’s not forget another element of the Verizon report. Incidents and breaches are specifically referenced as, “Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.” And “Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.” One thing this report implies is that breaches aren’t likely to decrease, so we have to expect a breach sometime soon. This is why a well-reviewed and drilled Security Incident Response plan is essential. Initially, a breach begins as an incident, where strategies such as patching and security awareness will assist as a preventative measure.

You need to fully understand your environments. Gathering a list of all your operating systems and software applications is critical. Request confirmation of patching cycles from resolver teams, as well as a patching plan for applications from developers. But don’t stop there. Get them in writing and ask to see compliance reports from testing tools. Dust off your Security Incident Response plan and review it. Have someone else review it, someone that is not in your immediate team, ensuring it makes sense and can be followed. Furthermore, run a drill. Utilise standardised incident management plans and adapt them to the Confidentiality, Integrity and Availability (CIA) needs of your systems. Lastly, consider sharing the risk report with all of the stakeholders (as well as the executive) as a means to better understand the harsh reality of what could be in store for the business. These activities will go a long way to improving your security posture and reducing the likelihood of your organisation’s data ending up on the black market, or being splashed across the front page of your local newspaper.

The Verizon report, in all its glory, should be in every Information Security Manager’s toolkit. You can access it at www.verizonenterprise.com/verizon-insights-lab/dbir/2016/. There is undoubtedly a lot of information to consume within this report, information that will likely leave you shaking your head at some of the bad practices your teams may be undertaking. However, and let’s be clear about this, this report is brutally honest, which is something we should all be striving for.
Locating a new weapon for Australia’s data detectives
By Simon Hill, Regional National Security Lead for Esri Australia and Esri South Asia

In an era of big data, where every officer and vehicle is a sensor, how do you make sure you integrate, analyse, and disseminate this information swiftly and efficiently? How do you transform your data into actionable intelligence that radically improves decision-making at all levels? Given everything law enforcement manages has a location, analysing from this geographic starting point provides a basis for anyone – crime analysts, investigators, commanders, and patrol officers – to visualise data in a way that helps them identify, predict and ultimately reduce crime. Location-based analytics, also known as location intelligence, provides the platform for understanding the patterns, links and correlations of crimes, criminals and victims through the universal language of maps.

Identifying crime hot spots

Heat maps are produced by mapping crime over a period of time, using colour keys to highlight hot and cold spots. Viewing the information spatially in this way exposes underlying criminal movements and patterns in the data, particularly when it is analysed even further. For example, by setting date parameters, users can limit the heat map to a specific time period, type of stolen goods, or whether violence was used. They can then overlay further information, such as active warrants or prison releases, to identify suspects based on past criminal behaviour or location. Other layers provide insights into the dynamics of specific cities and suburbs, including events and locations that draw crime such as festivals, businesses and buildings. Ultimately law enforcers can focus their attention on specific areas to make sure police are present in the right place at the right time. The result is more effective and efficient policing
and higher levels of service via more efficient allocation of resources. When this capability is pushed out across a department or station beyond specialist analysts, every member of the force becomes empowered by location-based analytics. So officers can access current crime analysis and suspect information while in the field or during an investigation; while command staff can use location-based analytics to understand trends, make critical decisions when crime spikes, and collaborate with other law enforcement agencies to allocate resources.

Transformation of a crime capital

Once the second deadliest nation in western Europe, Scotland provides a compelling case study into how location-based analytics can aid in cutting crime rates dramatically. Not too long ago, Scots were remarkably three times more likely to be murdered than their English neighbours. Scotland was declared the most violent country in the developed world by the United Nations as more than 2,000 people were subject to an aggravated attack each week. In Glasgow, Scotland’s most violent city, the local Strathclyde Police set up a Violence Reduction Unit to address violent crime by using location intelligence to prioritise the strategic, focused use of resources. Part of the solution involved collecting data from external sources, such as hospitals, fire departments, schools and social services organisations. They mapped this with other data related to factors known to impact violent crime – including poverty, housing, unemployment and environment. Hidden trends and patterns in criminal behaviour in the city were revealed, enabling the unit to understand where crimes were happening and why. Armed with this powerful insight, law
enforcers could make predictions about where crimes were likely to occur, so that they could discard their previous ‘needle in a haystack’ approach and better target resources to prevent them. For example, the team mapped knife-crime alongside ‘pathways’ to crime, using transport and vandalism data from bus companies to visualise previously unidentified links between the two. Consequently, the VRU was able to advise local police forces on where to establish the best locations and times for stop-and-search operations. VRU’s use of location-based analytics to both understand and predict crime led to a 39 percent fall in all crime – not merely violent crime – in the Glasgow city centre. Statistics from 2015 show homicide rates in Scotland are now at their lowest levels since records began in the 1970s. The Glasgow case study offers valuable lessons for Australia’s law enforcers on how location-based analytics can be used to develop crime-related forecasts and inform policy development.

Information collaboration and integration

Given our often sparsely located police forces and stations, the collaborative capabilities of location-based analytics would allow you to integrate and share data effectively. This becomes even more apparent considering that keeping our communities safe requires partnerships between a range of agencies, not just state and federal police, but also intelligence agencies and defence forces. National security, for example, is a multi-department, multi-agency mission. Critical to this approach is an ‘all-source intelligence fusion’, where agencies use and contribute common data to each other.
Benefits include greater economies of scale and increased efficiencies, and improved sharing of intelligence data. This leads to more efficient allocation of resources and ultimately reduced crime rates. Location-based analytics can effectively deliver this level of connectivity and sharing of static and dynamic data across agencies and organisations by bringing all this data into one common map-based picture.
Dismantling silos

Similarly, location-based analytics can successfully integrate internal information silos. With unprecedented amounts of data being collected internally, the ability to share and analyse this information has never been more crucial. The advent of body and dash cameras, and technologies such as digital number plate recognition, means every individual police officer is now a sensor, collecting and streaming immense amounts of data. The fact that much of this data is hived in silos without an easily accessible linking element only increases administrative burden and, more importantly, impacts analysts’ ability to produce real-time, valuable insights to be actioned. In short, information is prevented from getting to those who need it.

This was a problem faced by Canada’s Vancouver Police Department (VPD), which struggled with having large amounts of mission-critical data stored in disparate, internal management, analysis and project systems. Apart from the resultant widespread duplication of efforts and data redundancy, these silos also hindered police investigators. Critical elements of investigations were scattered over multiple jurisdictions and could not be easily shared. Often, by the time data was located and consolidated, it was out of date and no longer useful. VPD used location-based analytics to bring this data together and, via a user-friendly geo-dashboard, provided accessibility across the department. This provided crime analysts with instant access to offender information and datasets to identify suspects, predatory behaviour, resource inefficiencies and response times. This meant they were able to focus on conducting analysis at a much deeper level, instead of spending significant amounts of time completing non-analytical tasks. The system was also relied on heavily to plan for the 2010 Vancouver Winter Olympics, where it was used to monitor street closures and deploy police, among other tasks.
The good news for the region’s law enforcers is this innovative ‘smart policing’ approach to location analytics can ensure forces are agile, responsive and intelligence-led, and able to meet the demands of the 21st-century law enforcement environment effectively. To learn more about how location analytics solutions are being used by some of the region’s – and the world’s – leading law enforcement agencies to solve and prevent crime, visit: www.esriaustralia.com.au/law-enforcement.

About the Author

Simon Hill is the Regional Industry Lead for National Security, providing leadership and industry expertise to teams across Australia, Singapore, Malaysia, Indonesia, Brunei, Bangladesh and Timor-Leste. With almost 25 years’ experience working within the defence and public safety sectors, Simon is passionate about partnering with national security agencies to help them leverage the power of geography and spatial analytics to defend borders and increase security for their respective nations.
No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.
Go to www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Don’t miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)
PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155
FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059
Email subscriptions@mysecurity.com.au
GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.
DCS-960L Wide Eye HD 180˚ Panoramic Camera
To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au
Latest News and Products
TechTime - latest news and products
Axis introduces the industry’s first IP cameras with i-CS lens
“The new i-CS lens technology is based on an open protocol standard allowing the lens and camera to communicate. The release of the i-CS lens will truly help drive the industry forward,” said Fredrik Nilsson, VP, Americas, Axis Communications. “Additionally, the release of the new indoor AXIS Q1615 Mk II and the outdoor AXIS Q1615-E Mk II shows that we’re taking a step toward the future of the industry.”
Thanks to several motors inside the i-CS lens, zoom, focus and iris opening can be remotely adjusted. Furthermore, the exchange of information between the i-CS lens and the camera enables easier formatting of Electronic Image Stabilization (EIS) and Barrel Distortion Correction (BDC), which reduces the time needed for setup.
Both of the new fixed cameras can provide HDTV 1080p video at frame rates of up to 50/60 fps or HDTV 720p video at frame rates of up to 100/120 fps. This allows for detailed video capture of fast moving objects, which can be of great importance in industrial applications, especially when monitoring a production line. Details of parts and packages can be monitored easily and precisely, enabling full control of the production process.
AXIS Q1615-E Mk II features Axis’ Zipstream technology, which significantly reduces bandwidth and storage requirements, while maintaining video quality. Both cameras also support Wide Dynamic Range (WDR) – Forensic Capture as well as Axis’ Lightfinder technology to ensure qualitative images in complex scenes.
The indoor AXIS Q1615 Mk II and the outdoor AXIS Q1615-E Mk II are planned to be available in Q3 2016 through Axis’ standard distribution channels at the suggested retail prices of $999 for AXIS Q1615 Mk II and $1299 for AXIS Q1615-E Mk II.
D-Link launches 180˚ wireless AC wide eye camera
D-Link ANZ has released the DCS-960L Wide Eye HD 180˚ Panoramic Camera. Joining a growing range of mydlink-enabled cameras, the Wide Eye HD 180˚ Panoramic Camera can be easily and securely accessed, remotely viewed and managed via a smartphone, tablet or PC. Accessed through the free mydlink app or the mydlink online portal, users do not incur ongoing subscription charges or require special software. For ease of use, the included 16GB microSD card means users can record video locally onto the camera, without incurring monthly fees. It can be set to start recording either by an event trigger, schedule or continuous record.
Features
• 180 Degree Field of View – Widest angle lens on a fixed consumer camera, ideal for large rooms and areas with multiple entry points
• HD 720p Quality Video – Rich detail and crisp image quality for monitoring your home
• Unique De-Warping Technology – Maximises video quality with less distortion
• Wireless AC – Latest dual-band Wi-Fi technology for better bandwidth and improved range
• Motion and Sound Detection – Push alerts notify you of detected motion or sound
• Local Recording – 16GB MicroSD card for local recording
• Night Vision – See up to five metres in complete darkness with built-in IR LEDs
The DCS-960L is available now at an RRP of AUD $349.95
Information presented in TechTime is provided by the relevant advertiser and does not necessarily represent the views of My Security Media
New major release of MxManagementCenter 1.2
MxManagementCenter (MxMC) is a MOBOTIX application for PC/MAC systems with the focus on a unique and intuitive user experience, providing the highest cost savings and flexibility in the market. Following the MOBOTIX software concept, MxMC is 100% included in the MOBOTIX portfolio, requiring no extra software, license or update costs. MxMC can be used in projects independent of the number of cameras or the mix of products incl. doorstation, MxDisplay, accessories, storage devices, etc.
All MOBOTIX products in the network will be automatically detected and can be configured easily and intuitively with the brand-new graphical user interface, without any web browser. So, it is possible to set up a complete system of cameras, home automation and alarm devices in the shortest time without extra software and license fees. The configuration management of MxMC in particular will help to reduce installation, configuration and maintenance costs dramatically.
Unlimited number of cameras, touchscreen-optimized operation, camera groups with representation in Grid and Graphic views, Grid views with a focus window and controls, quick display of particular cameras in the focus window by “drag and drop” from the camera bar. Graphic views with freely definable icons, “soft buttons” used to execute any URL and live windows, quick switching between Grid and Graphic views, optical and audible alarming of new events, quick switching to the Playback view to allow playback of events and continuous recordings. Instant Player allows for quick viewing of the latest events during live video monitoring operation, a special Research view for easy viewing of a large number of events, easy use of multiple monitors by double-clicking on the live image, grid or event image, camera sequencer, door station functions (intercom, open door, turn light on/off, etc.), data export, subsequent distortion correction of hemispheric camera images – in live images and in recordings.
Security by Design at 200 George Street
200 George Street, Sydney is Mirvac’s latest Premium grade office tower. Designed by award-winning architects Francis-Jones Morehen Thorp, 200 George Street is set to be one of Australia’s most environmentally advanced and sustainable buildings with a 6 Star Green Star. Part of the requirement for the building was for an integrated access control system, lift destination control system and turnstile solution to limit building access to only authorised occupants and visitors whilst speeding up pedestrian movement into and up through the building. The caveat was that the turnstile design had to blend in with the overall building design.
Based on the EasyGate HG, the design was customised so the pedestals were clad in the same stone as the concierge desks and the metal work was finished in black to ensure the speedgates complemented the overall design concept for the building’s striking lobby.
Centurion EasyGate uses glass barriers of up to 1800mm in height, in conjunction with state-of-the-art optical technology to provide a high throughput security gate. The bidirectional glass barriers are designed to work in a ‘normally closed’ mode and swing open after a valid card has been presented to allow the authorised user to pass. The barriers are designed to close quickly behind the authorised person to deter tailgaters whilst the IR sensors monitor the lane to detect unauthorised entry and ensure the safety of users.
The final solution incorporated a Schindler PORT access and lift destination control system integrated with Centurion EasyGate speedgates so when staff enter the building they scan their card at the turnstile, which in turn directs them to the next available lift going to their specific floor whilst verifying they can access the building at that specific time.
Cyber TechTime - latest news and products
Hellenic launches PayBand using Gemalto’s water-resistant contactless EMV payment wristbands
Gemalto has supplied Hellenic Bank with its Optelio contactless EMV Payment wristbands. These water-resistant NFC wristbands, which are marketed as PayBand to Cyprus consumers, will ensure that Hellenic Bank customers no longer have to worry about carrying cash or cards, even when they head to the beach or pool this summer. The solution features an embedded Visa applet and links seamlessly to the user’s Hellenic Bank debit or credit card account. Fast and secure cashless transactions are therefore possible across Cyprus, which was recently named in Visa’s ‘Top 8’ for contactless terminal penetration in Europe. Well over 50% of the country’s POS terminals are contactless-compatible, and one in five cashless transactions is already completed using this time-saving technology.
Juniper networks introduces cloud-enabled branch to deliver on-demand cloud services
Juniper Networks has announced Juniper Networks Cloud-Enabled Branch, a transformative solution that will allow enterprises and managed service providers alike to seamlessly create and automate delivery of branch office networking services on-demand. As part of Juniper Networks Unite, an agile enterprise cloud architecture, the new solution suite helps companies accelerate deployment of real-time services and applications, including SD-WAN functionality, across branch locations incorporating network automation, zero touch provisioning and an open platform. The suite includes security capabilities to proactively identify and intelligently respond to threats and enforce policies across all branch locations.
Information presented in Cyber TechTime is provided by the relevant advertiser and does not necessarily represent the views of My Security Media
Ixia expands cloudlens support for private clouds
Combining the power of Ixia’s virtual tap, packet and application flow filtering, SSL decryption, and rich Netflow metadata generation, Ixia’s CloudLens platform provides service providers and enterprises with unprecedented insight into physical, virtualised, and hybrid environments. CloudLens enables security monitoring, performance analytics, and troubleshooting in a seamless, integrated solution.
In addition to OpenStack KVM, VMware ESXi and NSX, the CloudLens platform now supports Microsoft Hyper-V and VMware vNetwork Standard Switch (vSS). As a result, customers can easily manage a virtualised computing environment, while reducing IT costs.
“Ixia works hand in hand with our customers to understand their unique challenges when initiating or managing their cloud deployments,” said Christophe Olivier, Senior Product Manager at Ixia. “It’s this close collaboration that enables us to develop visibility and virtualisation solutions that eliminate these challenges, and enable customers to fully benefit from the advantages offered by the cloud.”
A platform consisting of existing Ixia solutions and planned products that will integrate network visibility, CloudLens enables customers to easily and quickly deploy a highly scalable traffic monitoring system spanning private, public, and hybrid cloud deployments. CloudLens currently includes Ixia’s Virtualization Tap™ solution to access private cloud East/West traffic, as well as the company’s Vision™ series of Network Packet Brokers with the Application and Threat Intelligence Processor™ (ATIP™) for actionable insight into network activities and the ability to visualise and analyse user, device, and application behaviours.
Norton ships new app to stop hackers from stealing private information over unsecured wi-fi
The newly released Norton Wi-Fi Risk Report reveals that the online habits of consumers give hackers unimpeded access to sensitive data like banking information or social media passwords.
“What turns people into easy targets is confusion about the security of public Wi-Fi networks. Norton found that only 34 percent of Australian consumers are able to distinguish between a secure and an unsecure Wi-Fi network,” said Mark Gorrie, Director, Norton Business Unit, Pacific region, Symantec.
“Most people assume that all Wi-Fi networks available in public places like airports, hotels and cafes have security built-in. That’s not the case. When consumers log onto an unsecure network, hackers are able to steal information as it travels across the web, sell it on the dark web for profit or even use the information to drain consumer bank accounts,” Gorrie added.
Even popular apps found on Android devices lack security – in Australia, 14 percent of Android apps transmit sensitive information without encryption, leaving their data unprotected. To combat this, Norton Wi-Fi Privacy uses sophisticated encryption technology and scrambles consumer information to help protect their information and identity online.
The Norton Wi-Fi Privacy app is available on Android and iOS platforms for purchase in the iTunes and Google Play app stores. A yearly subscription service includes protection for one mobile device and 24/7 in-app support. PC, Mac and multi-device availability coming soon. For more information: www.norton.com
Quarterly Essay – Firing Line: Australia’s Path to War by James Brown www.quarterlyessay.com
In early July I was fortunate to attend Perth’s new public library at the invitation of the Perth USAsia Centre and United States Studies Centre for a public discussion featuring James Brown, a former Australian Army officer, presenting his piece Firing Line: Australia’s Path to War. James has appropriately, I think, progressed to be at the forefront of national security discussion and conveniently, has the casual ear of our Prime Minister, being Malcolm Turnbull’s son-in-law. Published in the journal, Quarterly Essay (Boffin Books), James has generated a necessary and much needed consideration of the circumstances of war, how it relates to Australia and most critically, how war relates to Australians today.
“In Australia’s bright and blessed circumstances today, we rarely think of war: it is something we go to, not something that comes to us. It seems we often shrink from talking about war in any detailed way, as if to speak of evil might set us on an inevitable path towards it. And in the few moments when we publicly discuss or politically deliberate on new wars, our involvement in Iraq seems to set the template for our imagining of what war should or should not be. That’s problematic, because warfare is rapidly evolving and remains a possibility – particularly within our region.”
“‘The conflict began,’ reads a small plaque beneath interviews with atomic survivors, ‘when the tensions between Japan and China of 1931 boiled over in 1937.’ It is a salient reminder that the seeds of war are usually sown long before any crisis, and that the signs of war may be apparent years in advance.”
As Australia and the greater Western world are effectively already in a global war against Jihad, the rumblings of another ‘Great War’ between nations are readily observable.
It would seem only a spark is needed to fuel the churning unending conflicts, a spark that will connect and combine the existing complex and interconnecting conflicts in the Middle East, Eastern Europe, North Africa, Korean Peninsula and the South China Sea. James takes a sobering assessment of the Iraq War and how Australia chose to be involved in this war and these select excerpts help explain why these choices will be upon us again.
“It is thirteen years now since that international wound was opened. At best it was a tragic mistake, taking thousands of military and civilian lives and disrupting entire nations. At worst, a deliberate and evil calculation, fuelling and fostering conflicts still claiming hundreds of thousands of lives right now.”
“The build-up of the Australian Defence Force is well underway; the government has backed up its judgement that war could be a possibility within the next two decades with many billions of dollars. But Australians have barely begun to think through the consequences of all this, nor thought seriously about the circumstances that might bring our nation to the point of conflict. There is some intriguing North American political science literature that analyses the rise and fall of policy regimes and examines how they correlate with, and help determine, the cycles of (presidential) politics. We can discern something roughly similar when we reflect upon the patterns of twentieth-century Australia. The horrors of World War II created a sense of generational responsibility in governments and citizens alike that not only led to an economic boom, helped along by public investment in education and infrastructure, but also caused the only recorded period in human history where economic inequality was noticeably reduced. We live in very different times. The victory of neoliberalism has allowed for an all-consuming belief that economies are best left to run by themselves. We have witnessed a hollowing out of public investment and a subsequent and related decline in public trust in government and institutions.”
As a practitioner and security industry commentator, who tries to remain abreast of much of the human conflict and clashes that occur, be it in the social and civil domain, or at a national and regional scope, it remains apparent that humans will always create conflict and ultimately will always go to war at some point within each generation. As was pointed out on the evening by James, many Australians “live in a bubble” when it comes to the world’s woes. This work by James is therefore a necessary read by all Australians, to be introduced to high school students if need be, and I trust has formed the basis of much further discussion yet to be had, as indeed, Australia continues on the path to war.
Have you recently published a security related book? Or have you just read a new, great security book? Please email us at editor@australiansecuritymagazine.com.au
Drones Robotics Automation Security Technology Information Communications
www.drasticnews.com
Like us on Facebook! www.facebook.com/drasticnews
Protection from the core to the edge and beyond
Today’s threats attack your network from all angles:
• DDoS (distributed denial of service) at the gateway
• Ransomware sneaking through via your wi-fi access points
• Viruses via socially engineered email
• Zero-day threats coming at you via BYOD (bring your own device) and IoT (internet of things) enabled devices.
It’s simply not possible to protect your data, applications, users and network with a heterogeneous security approach. Today’s fast moving threats require a single, unified, centrally-managed security fabric that ties everything together under a comprehensive secure access architecture. Welcome to the world of Fortinet.
Comprehensive Solution Set
Fortinet’s solution portfolio, consisting of scalable and powerful next-generation firewalls, secure access points, analysis and management consoles, client-side security, advanced threat protection, automated real-time security updates round the clock and more, is built around the world’s only secure operating system, FortiOS 5.4. And powering all of these devices is the FortiASIC CP9 Content Processor which provides the largest number of connections per second in the industry and deep content inspection with low latency. With Fortinet, you get world-class security combined with lightning-like speeds.
Nationwide Partner Network
Security doesn’t just happen. Fortinet’s nationwide network of fully-accredited and highly-experienced Partners are with you at every step of your security quest. Starting with the complimentary CTAP (Cyber Threat Assessment Program), Partners can quickly audit your security profile and identify where any potential vulnerabilities might exist and recommend cost-effective strategies to harden your defences. And once you have upgraded your security profile, Fortinet’s Security Subscription Service ensures that your defences are always up-to-date.
AT A GLANCE
• World-class security solution set & technology
• Nationwide Partner sales and support
• Real-time, automated 24x7 security updates
• Regular enhancements, updates and innovation
• Cost-effective, comprehensive and manageable
FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 600 anz_marketing@fortinet.com
www.fortinet.com
Continual Improvement
The bad guys don’t sleep. And neither does Fortinet. Driven by the 200-plus staff at the global constellation of FortiGuard Labs, Fortinet is constantly upgrading, improving and enhancing. New products, which can be quickly integrated into your security landscape, are released almost every month. Fortinet is extending their intellectual property. Their recent acquisition of AccelOps in June will result in FortiSIEM which will in turn provide deeper transparency across the network. And their policy of soliciting third-party competitive evaluations means that Fortinet is confident that their products can stand up to the most stringent scrutiny.
Getting Started
Fortinet’s Australian team and Partner network is ready, willing and able to help you secure your network. It all starts with a call. Our contact details are listed. Talk to us. It’s a call you have to make.
FORTINET SECURITY FABRIC PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS