Australian Security Magazine, June/July 2018


THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au June/July 2018

READY FOR TAKE OFF

Top tax tips for security employees
This is cyber – So what is cyber?
Much more to do in locking down
Hostile vehicle attacks: Smart city planning
IoT – Securing the connected world
The AV system done it!
Digital Forensics 101
Encryption Headaches
The State of the Security Union
A cyber week in London – Part 1

PLUS Techtime

$8.95 INC. GST


2018 #SecurityAwards Call for Nominations

By Anna Ho, Marketing and Communications Officer, Australian Security Industry Association Limited (ASIAL)

The vital role performed by Australia’s private security industry will be recognised later this year at a special awards ceremony in Sydney organised by ASIAL. The 2018 Australian Security Industry Awards for Excellence and Outstanding Security Performance Awards will recognise excellence in the security industry. Nominations are open to all and provide an opportunity to recognise individuals, including frontline security personnel who have gone beyond what could reasonably be expected of them in providing a level of service that exceeds clients’ expectations. Likewise, organisations and teams who have demonstrated leadership and innovation will also be recognised.

Judging of the awards will be undertaken by an independent panel of judges that includes Damian McMeekin, Managing Director of CT Intelligence & Insight; John Adams, Editor, Security Electronics and Networks Magazine; John Curtis, Director, IPP Consulting Pty Ltd; Michael Walker, Senior Manager, Security Services, Facilities Management, Reserve Bank of Australia; Rachell DeLuca, Senior Security Consultant, ARUP; and Vlado Damjanovski, CCTV Expert Specialist and MD, ViDi Labs.

Nominations open 1 July and close 31 August. Winners will be presented at a special awards ceremony to be held at Sydney’s Doltone House Hyde Park on Thursday 18 October 2018.

2018 AWARD CATEGORIES INCLUDE:
• Individual Achievement – General
• Individual Achievement – Technical
• Gender Diversity
• Indigenous Employment
• Special Security Event or Project
  – Under $500,000
  – Over $500,000
• Integrated Security Solution
  – Under $500,000
  – Over $500,000
• Product of the Year
  – Alarm
  – Access Control
  – CCTV – Camera
  – CCTV – IP System/Solution
  – Communication/Transmission System
  – Physical security (bollard, gate, barrier, lock)

AWARD CATEGORIES INCLUDE:
• Outstanding In-house Security Manager/Director
• Outstanding Contract Security Manager/Director
• Outstanding Security Team
• Outstanding Security Training Initiative
• Outstanding Security Partnership
• Outstanding Security Officer
• Outstanding Female Security Professional
• Outstanding Guarding Company
• Outstanding Security Consultant
• Outstanding Security Installer
• Outstanding Information Security Company

For more detailed information on the award nomination criteria and process visit www.asial.com.au/securityawards2018








Contents

Editor's Desk

Frontline
Top tax tips for security employees
Much more to do in support of locking down
Hostile vehicle attacks
Ready for take-off - Australia's Airport security policy review

Cyber Security
IoT - Securing the connected world
This is cyber, so what is cyber?
The AV system done it
Digital Forensics 101
Encryption headaches
The state of the security union
A Cyber week in London - Part 1
A new race - Artificial intelligence and human convergence
Moving the dial - The relationship between user and machine

TechTime - the latest news and products
Book review

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Jane Lo, Bennett Ring

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiansecuritymagazine.com.au

SUBSCRIPTIONS
www.australiansecuritymagazine.com.au/subscribe/

Copyright © 2017 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E: editor@australiansecuritymagazine.com.au

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
www.facebook.com/apsmagazine
@AustCyberSecMag
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

OUR NETWORK
www.australiancybersecuritymagazine.com.au
www.asiapacificsecuritymagazine.com
www.aseantechsec.com
www.drasticnews.com
www.chiefit.me
www.cctvbuyersguide.com

Correspondents* & Contributors
Jane Lo, Mark Chapman, John Coyne, Annu Singh, Rob Newby, Simon Pollak, Stephan Rachow
Also with Bennett Ring, Konrad Buczynski, Joseph Wentzel, Michael Warnock


Editor's Desk

“We may not know how to architect trusted institutions at scale in public space. Our institutions—their weight-bearing effectiveness for social problems of enormous complexity is being called into question now across the board.”
- Jane Holl Lute, the former deputy secretary of the U.S. Department of Homeland Security, at a separate session at the Aspen Ideas Festival 2016

Within the last number of weeks we have learnt of mass breaches of trust by public and private institutions with responsibilities of great social significance. The breadth and degree of the breaches admitted should be of deep public and political concern. The challenge here is that they are seemingly misaligned and independent of each other, but surely at a macro level they are signs of institutional fragmentation in Australia and symbolic of the ‘Trump’ era. The adage of ‘trust no-one’ rings true!

We could raise the more notable examples of trust being breached, such as Facebook and Cambridge Analytica, or cover-ups of child abuse in the Catholic Church, but instead highlight a number of recent Australian examples, namely the Commonwealth Bank of Australia (CBA), AMP Limited (AMP), Wilson Security and Victoria Police.

The CBA admitted it contravened the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 on 53,750 occasions. An agreement was subsequently reached with AUSTRAC to pay AU$700M to resolve Federal Court proceedings, the largest civil penalty in corporate Australia.

Rowena Orr, QC, senior counsel assisting the Royal Commission into misconduct in the banking, superannuation and financial services industry, has alleged that AMP breached criminal provisions for misleading ASIC. Ms Orr told the commission that AMP made a business decision in 2013, or earlier, to deliberately charge customers for services that it would not provide. Until at least November 2016, over 15,000 customers were unlawfully charged ongoing service fees while not receiving any services. AMP is alleged to have made 20 false or misleading statements to ASIC in a breach report concerning charging fees for services not provided. Both AMP’s CEO and Chair of the Board have resigned, whilst the company share price fell over 10 per cent.
Somewhat similar in nature to the AMP case, in late May 2018, Wilson Security admitted to the Australian Competition and Consumer Commission (ACCC) that it engaged in misleading or deceptive conduct and made false or misleading representations by charging customers for services that were not provided. Approximately 48,000 missed internal premise security patrols were charged to customers between July 2011 and September 2017 in Western Australia, affecting 320 customers at a cost of $740,000, in breach of Australian Consumer Law.

Then in early June 2018, Victoria Police had $4 million of road safety funding suspended after an investigation revealed officers ‘falsified’ more than 250,000 roadside breath tests over a five year period. In that period, of the 17.7 million tests conducted, more than 258,000, or 1.5 per cent of all tests, had been falsified, seemingly for police officers to reach productivity targets. Should we now question all crime statistics?

For the interest of the Australian security sector and those of ‘us’ calling for reform to security provider legislation, take a look at Singapore’s Cybersecurity Act, passed by Parliament in early February 2018. Penetration testing and managed security operations centre ("SOC") monitoring services are licensable cybersecurity services that cannot be performed without a licence. Critical Infrastructure operators now require audits at least once every two years and risk assessments once a year. The Act also clarifies that employees who are hired to provide cybersecurity services are no longer subject to licensing requirements. In other words, licensing is only compulsory for those in the business of providing cybersecurity services, whether they are individuals or corporate entities. A company does not require a separate license if a related company already has such a license. "Related company" in the Act has the same meaning as the term in the Companies Act. A licensee must keep records for only three years. Let’s hope Australian regulators take a lesson from our northern neighbours on how to listen and respond to an industry and the needs of the Critical Infrastructure sector.
In this issue, as always, we present a broad spectrum of what the security sector represents. Jane Lo, our Singapore Correspondent, presents two important reports, from London and the effects of the GDPR, and on quantum computing. While today's small quantum computers are not a risk, the industry is moving fast – companies including IBM and Google are rapidly increasing the size of their machines. The interest is now focused on designing the next generation of cryptosystems which are immune to quantum attacks, or quantum-safe cryptographic systems, to ensure future-proof data protection.

Konrad Buczynski, of Industry Risk, provides lockdown considerations, Stephen Rachow provides vehicle mitigation and smart city planning considerations and John Coyne of ASPI provides our cover feature, with his opinion on Australia’s recent airport security changes being implemented by the Australian Government. As John proposes, it appears abundantly clear that we need another comprehensive independent review of Australia’s airport security and policing. And this needs to occur before we rush into introducing any further ad hoc aviation security measures.

We also deep dive into cyber security with consideration to robotics, application security, encryption, digital forensics and, of most concern, IoT security, from Bennett Ring and Simon Pollak. As Simon writes, “Until such time as security becomes a key differentiator when selecting operational technology, the proliferation of poorly secured OT will continue, and even once it does, their long-life cycles means that it will be many years before these devices are out of our environments.”

And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Sincerely, Chris Cubbage CPP, CISA, RSecP, GAICD Executive Editor





PODCAST HIGHLIGHT EPISODES

Episode 73 – Tech convergence - Drones, 3D printing & payloads – Nigel Brown, Autonomous Technology

Nigel Brown, Director of Autonomous Technology, provides insights into running a certified drone operation, with a particular focus on the mining and resources sector in Western Australia. As a recent client of Konica Minolta’s 3D printing technology, Nigel Brown provides discussion on the application of 3D printed parts and payloads and how the application of fast-developing 3D printer systems provides new business opportunities with developing smaller and lighter payloads.

Episode 71 – Tech-crime & international policing 2.0 – Europol's former executive director Rob Wainwright

Technology has transformed a whole range of different crimes and new avenues for terrorists to explore, including exploitation of social media platforms, as seen by the Islamic State. We are always racing against criminals to a certain extent but have great potential on the policing side. Rob Wainwright, former Executive Director at Europol, gave an earlier presentation at Cebit Australia. His presentation, ‘Data – the new oil in the network economy fighting crime and terrorism’, highlighted a different age to come. Rob termed this ‘International Policing 2.0’, along with the AI race with crime, security by design and privacy by design.

Episode 69 – Moving the dial: Measuring the relationship between the user and their activity on a machine: Interview with Jeff Paine, CEO & Founder, ResponSight

Jeff Paine, CEO and Founder of ResponSight, a three year old Australian startup that elevates enterprises away from focusing on technology alone, discusses the link between the technology and user. Statistical and telemetry based, ResponSight has a lightweight footprint in its risk analytics and risk profiling outcomes that help enterprises make decisions. Chris and Jeff talk about the three key components, the ResponSight Collector, ResponSight Aggregator and ResponSight Cloud Service, each working in conjunction. By combining large volumes of raw numerical telemetry and selected metrics, it’s possible to build activity and behaviour profiles about users and their devices, without ever knowing who that user is or what that device is. This also provides the ability to profile the organisation's risk at a point in time, and over time. The design philosophy is to not collect private or sensitive data. There isn’t a need for rich and potentially sensitive data for security.

Episode 67 – Tech & terrorists, drones & devices – insights from Australia’s leading terrorism researcher – Professor Clive Williams, ANU

Professor Clive Williams, Centre for Security and Military Law at the Australian National University, has been a staple provider of research into national security and counter terrorism for many years. Professor Williams provides current insight into terrorism activity in the Asia Pacific, including the Marawi siege in 2017 where 1,000 insurgents were killed, and provides a chilling warning which rang true about Islamic State fighters returning to their homeland and posing a threat. Bombings in Surabaya, Indonesia two weeks (13 May) after this warning proved him correct.

Episode 62 – Austcyber's knowledge priorities - interview with Mike Bareja, Program Manager National Network

In this interview, Morry Morgan speaks with Mike Bareja, Program Manager National Network at AustCyber - The Australian Cyber Security Growth Network Ltd following his presentation at CIVSEC 2018 in Melbourne. Mike outlines AustCyber’s Cyber Security Sector Competitiveness Plan and the 5 DARPA Grand Challenges or Knowledge Priorities, where resources and attention are focused on:
· Emerging prevention, detection and response technologies;
· Identity, authentication and authorisation in the cyber domain;
· Ensuring security, privacy, trust and ethical use of emerging technologies and services; and
· Approaches to deal with the increasingly ‘shared’ responsibility of cyber security.
Funding of $15M over 4 years is available for industry-led, collaborative projects that address the key issues from the Industry Knowledge Priorities.
Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 60 – The fundamentals of operating a secure cloud, Rupert Taylor-Price, CEO of Vault Systems

In this interview, Chris Cubbage talks to Rupert Taylor-Price, Founder and CEO of Vault Systems, an Australian-owned, sovereign cloud provider, for highly protected data, purpose built for the Australian government. Created to enable multiple departments to share cyber security infrastructure, Vault Systems have moved into a mainstream government cloud platform, in part by the 2014 cloud-first initiative. Since then, Vault, which was founded by Rupert, has smashed expectations, and recently secured the biggest cloud deal in the history of the Australian government.


Frontline

Top tax tips for security employees

By Mark Chapman, Director of Tax Communications at H&R Block

With the end of the financial year rapidly approaching, it won’t be long before it’s time to lodge your income tax return for 2017/18. To get the best possible tax outcome, it’s essential that you understand what you can – and what you can’t – claim against your taxes, so here’s my checklist of the deductions all workers in the security industry should be considering claiming this tax year.

Remember this list isn’t exhaustive and not all the deductions will apply to everyone. Similarly, you may be entitled to some deductions that aren’t listed here. Make sure you get professional help from a tax agent like H&R Block to ensure that you’re getting your return right!

Travel and meals

You can’t normally claim the cost of the daily commute to and from work. The only exception to that rule is if you have to carry bulky tools or equipment to and from work and there is no secure place of storage for them at your work. Travel between home and work does not become deductible just because you may be on call at inconvenient hours, or work shifts.

You can claim the cost of travelling between two different work sites for one employer or between two different employers.

If you plan to use your own car for work purposes, you can either claim a set rate of 66 cents per kilometre for all work journeys or you can claim the actual expenses incurred. If you choose the latter, you’ll need to keep receipts for all costs and also keep a logbook of all your journeys for a 12 week period.

If you are required to stay away from home overnight because of your job – for instance, you are hired to provide security at an event staged interstate – you can claim a deduction for the costs of travel, accommodation and incidental costs.

You can claim overtime meal expenses as long as you receive a genuine overtime meal allowance from your employer and you aren’t reimbursed by your employer.

Work-related clothing

You can claim a deduction for buying and laundering any clothing that you’re required to wear as a uniform to work. Unfortunately, you can't claim a deduction for the cost of purchasing or cleaning a plain uniform (such as a pair of black pants and a white shirt) or other items of conventional clothing you wear to work, even if your employer tells you to wear them and even if the clothing is oversized and used to conceal protective vests or weapons.

If you work outdoors, you can claim the cost of sun protection gear such as sunglasses, hats and sunscreen.

You can claim a deduction for any items of clothing you wear to protect yourself from the risk of illness or injury in your job.

Work-related training

You can claim expenses for university or TAFE fees to the extent that the course relates to your current employment and you’re not being reimbursed. You can also claim associated costs such as text books, travel to the educational institution and stationery. You can't claim a deduction for a pre-vocational course such as training to become a licensed security officer.

Guard dogs

If you are required by your employer to provide your own guard dog, you can claim a deduction for any associated costs such as food and vet bills. It should go without saying that the dog needs to be suitable for the task and should not be the family pet! The actual cost of the dog itself, as well as any training expenses, can be depreciated over the expected life of the animal.

Other deductions

They may not be as significant in dollar terms as some of the items listed above, but make sure you claim the following:
• Any work-related subscriptions or membership fees
• Magazines, journals, books, apps or websites which are related to your work
• The cost of using your personal mobile phone for work-related purposes
• Equipment hire

You can’t claim the cost of obtaining a security license, but you can claim any costs associated with renewing this license.

Gym memberships

Your job might require you to be in peak physical health but sadly that doesn’t mean that you can claim the costs of gym membership or other fitness costs. The ATO takes a hard line on gym memberships, saying that they are only claimable where the person claiming them needs to have a level of fitness well above normal. Professional sportspeople and some defence force members (such as members of the SAS) are quoted by the ATO as an example of who can make a claim. Security employees sadly don’t qualify.

Remember to keep records!

Even if you’ve incurred any of the above expenses, the golden rule is that you can’t make a claim unless you can prove you spent the money (and also that you weren’t reimbursed by your employer). So, make sure you keep all relevant receipts, invoices, bank statements and credit card statements. If you’re not sure if you can make a claim, keep the receipt anyway and discuss it with your tax agent.


Frontline

Much more to do in support of locking down By Konrad Buczynski Industryrisk.com.au

12 | Australian Security Magazine

P

lanning for a truly ‘effective’ lockdown security regime can be a complex and challenging issue, especially within Australian workplaces, where building design has not historically been predicated upon security factors. Perhaps because of this, and despite the heightened threat of terrorism within the community, many organisations have done little in preparation for a serious incident, such as one involving an active shooter. The reasons for this may vary widely; limitations caused by infrastructure, and a requirement for a high degree of public access are two key factors that can hamper planning. Gaining explicit management support to practice realistic drills may also be difficult, and adequate resourcing may not be available to address the most critical needs. However, even those that have implemented good lockdown arrangements would invariably agree that there is no solution that approaches anywhere close to perfect. Even when infrastructure and funding prove favourable and forthcoming, the nuances of any given scenario would invariably expose vulnerabilities in established processes and systems. A disgruntled insider also has the potential to render any capability that is effective, largely redundant, as various recent events have shown. Those that have seen an example of what might be regarded as a best-practice lockdown regime are in the minority. Indeed, many businesses are still in the early

process of considering how to adjust their ‘AS 3745-2010 Planning for emergencies in facilities’ style plans to account for such a regime in a procedural sense. This is exacerbated by volunteer-staffed Emergency Control Organisations (ECOs), the potential for key person/coordinator absence, and an unwillingness for management to address the nature of the threat directly with staff. The ANZCTC ‘Active Armed Offender Guidelines for Crowded Places’ [1] offer a helpful, albeit limited ‘Escape, Hide, Tell’ approach to personal protection, and other international jurisdictions also offer approaches based loosely on the ‘run, hide, fight’ concept. Much expertise will have gone into developing this simplistic approach, and it carries a lot of merit; a simple message is key in a confused situation. The onus must then fall to those that operate facilities to take this to the next logical degree, rather than assuming an ‘everyone for themselves’ doctrine, should the worst occur. People should be entitled to expect to have places/routes to escape to/through, or have been instructed on locations to hide, prior to such an event occurring. It is after all a reasonably foreseeable, if not a frequently realised, security risk. The absence of advanced planning may be somewhat explained by dismissiveness within segments of the Australian community for the potential for an active shooter incident to occur (due to the lack of a significant history of such events here). It can thus be a difficult task to directly engage and


Frontline

In Australia, and despite touching on

correlate with specific details about lockdown arrangements. More can be done.

the subject in security officer training

Lockdown considerations

curriculums, such training within the

Each context/site and organisation is different, but there are a range of principles and considerations that can be factored into planning. Some of the key ones include: • Some organisations risk an impasse in trying to design an ideal solution – anything that can be done to improve the ability to save lives should be embraced. • What are the most likely scenarios (i.e. how could they play out) that you are planning for, and have these been subjected to a risk assessment? • Strongly consider dividing areas into zones, with safehavens clearly identified (and hardened), and lockdown protocols defined for those spaces. • Communications arrangements should be tested and assured. Consideration should be given to protocols and the need to communicate internally (among the ECO and to the wider employee/visitor base), and externally to Emergency Services, while not placing individuals in unnecessary danger. That is to say, the utility of mimic EWIS panels in the foyer will be next to useless in an active shooter situation. • CCTV and its potential use in tracking an armed attacker and informing stakeholders accordingly. • Modifying/designing infrastructure to support emergency planning, including access controls. • Where one has been engaged, is it best to appoint a contracted guard force to the ECO role to ensure that wardens are always onsite? Or is it inappropriate to ‘outsource’ this function? • More broadly, what role does the ECO play, and are expectations of its individual, and collective abilities realistic? • Designated safe-havens should be adequately resourced – a lockdown may last for an extended period. • If the opportunity exists, engage with local Police to familiarise them with your facility. • Specialist and general employee awareness training is critical in underpinning all aspects of a lockdown regime. 
It should be tailored to account for workplace variables, and make clear the roles and responsibilities, and convey very clearly recourses available in different situations. This includes expectations of those taking shelter.

workplace context is very rare, and does not necessarily correlate with specific details about lockdown arrangements. More can be done. educate workers on the subject. This is not the case in some other countries. In Israel, as an obvious example, and “…because of nearly universal military training and the prevalence of firearms, many if not most terrorist attacks are stopped by civilians [2].” This is sadly assumed to reflect Israeli culture in the current day world, one which is underpinned by a shared history of violent acts by extremists within its communities. Even here in Australia, people within the Jewish community are instructed to be cognisant of potential threats consequent to their faith, and global businesses are strongly advised on how to mitigate against the risk of such a violent act. The US also does the same through its Overseas Security Advisory Council (OSAC) [3]. Frustratingly, few organisations in Australia appear to address the way in which an ECO could/should respond, when the opportunity to exercise a degree of command and control does exist. If an unfolding incident is detected early for example, in a separate part of an occupied space/ precinct, should the default initial option for ECO members be to escape/hide/tell, or would they be expected to direct/ assist others to escape via routes that they are intimately familiar with through their training? While the latter may occur in reality in the event of an incident, it is rare to find it documented well. Having said this, even when such arrangements have been defined, things cannot be expected to go smoothly. In the US for example, and following a State District Court’s opinion, a company employing two (unarmed) security guards stationed at the entrance to a client site was fined more than $USD46.5M [4] after the guards failed to alert staff to the presence of an active shooter. 
After more than several minutes of “…panic and confusion”, both guards called 911, but failed to notify those within the plant via a designated alert system. Three employees were subsequently killed, and one seriously wounded, before police arrived and took the offender into custody. Clearly one of the lessons in this is the need for realistic drills, to ensure that those charged with carrying out specific functions during serious incidents are programmed do so without pause. It also goes to staff selection. In Australia, and despite touching on the subject in security officer training curriculums, such training within the workplace context is very rare, and does not necessarily

It is not the intent of this article to suggest that a good lockdown regime is simple to achieve. Indeed, some of the issues identified cannot truly be overcome in many organisations/locations, leaving a degree of residual risk that should be carefully monitored. Should the risk exceed tolerances, strong consideration should be given to closing access to a site until the level of threat has eased. The very least that organisations can do is to understand what is available to them right now. Explicitly making sure that all employees are aware of the Government’s advice on Escape/Hide/Tell would be a very good start. Considering and communicating options on places to run, hide and who to tell would be just as beneficial.



Frontline

Hostile vehicle attacks

Smart city planning for Transparent Security

By Stephen Rachow

Terrorism in the 1970s was dominated by airline hijackings, the 1980s fell victim to suicide bombings, the 1990s and 2000s involved an abundance of improvised explosive devices, and now vehicular terrorism to ram down pedestrians in public places is at the forefront. Notable in the last 10 years is the global rise of hostile vehicle attacks (HVAs) in western countries. For such attacks, resources are plentiful and target choice random. The use of readily available vehicles disguises an otherwise obvious weapon choice at places of mass gatherings (PMGs) in densely populated cities. Low cost technological advancements also enable low-skilled coordinated simultaneous attacks on exposed targets that city planning and design have left poorly protected.

The recent horrifying attacks in 2017 on La Rambla in Barcelona and Westminster Bridge in London, as well as the 2016 Bastille Day promenade attack in France and the Christmas market place ramming in Berlin, highlight the current nature of terrorism which now focuses on converting common vehicles into readily available weapons for inflicting harm to pedestrians in PMGs. Collectively these attacks, albeit only a few of many others, have killed over 100 innocent civilians and injured over 700 more.

Common to HVAs is the perpetrator’s motivation. Individuals driven by ideological or religious beliefs, particularly those subscribing to Al-Qaeda and ISIS extremism, will use common vehicles as weapons against pedestrian targets for mass terrorism. Car ramming incidents in Melbourne and Heidelberg in 2017 also highlight that even mentally disturbed persons are using vehicles as hostile weapons. The aim, regardless of the motivation, is to cause mass injuries, death and destruction.

From a theoretical standpoint, the success of HVAs accords with the traditional security risk triangle. That is, motivation plus vehicular capability plus environmental opportunity enables a perpetrator to carry out an attack of this nature. The low-tech, low-skill requirement makes vehicular violence significantly easier to execute than other forms of terrorism and the propagation of intent through the internet has assisted recruitment of perpetrators to follow such motivators on a global level.

An analysis of historical events supports the view that PMGs, during high volume periods, represent the highest likelihood targets, with innocent civilians the most likely to be in danger rather than VIPs, government officials, military targets or critical infrastructure. As such, we can foresee HVAs typically occurring at parades, festivals, concerts, international sporting events, protests, and crowded city streets. The societal outrage in communities caused by successful target execution further amplifies a perpetrator’s satisfaction and intrinsic motivation. Current limitations and in some cases the complete absence of integrated security barrier designs to protect pedestrian and physical asset zones further enable threat groups, increasing their likelihood of success and reinforcing their intrinsic rewards.

Current security measures are not enough

There have been over 40 HVAs worldwide since the year 2000, predominately terrorism driven against innocent civilians, which has given rise to cities introducing ‘add-on’ measures to mitigate attacks. However, a significant aesthetic limitation is the lack of transparency with temporary add-on measures without a systematic permanent plan. Incorporation of counter-terrorism measures such as hardened metal pedestrian barriers that line footpaths or solid metal bollards for road closures around buildings creates an environment that is unappealing to the community and lacks social acceptance. As such, these security-explicit barriers have been condemned as ‘militarising’ places and spaces, and the subsequent demise of iconography of a city and its buildings has led to increased fear and impeded civil liberties. A disproportionate sense of fear towards hostile vehicles compared to other types of risks means cities have become spatially and socially restructured with perceived negative effects. Three cities in the USA have closed or severely restricted publicly accessible space by 17% and, even though this may have been done with gardens or ponds, it has contributed to the ‘fortification’ of urban space. Research by Wolfendale proposes that “…current counterterrorism practices pose a greater threat to individual physical security and well-being than non-state terrorism. We should fear counterterrorism more than we fear terrorism…”

Safeguarding our future with Transparent Security and smart city designs

Integrating the theoretical security framework of target hardening, surveillance and rule setting with physical zone demarcation into the notion of Transparent Security addresses the current limitations of fortified counterterrorism measures. Traditionally, physical security in the context of mitigating HVAs involves omnipresent physical measures to safeguard people, prevent unauthorised and unwanted access to physical space areas, and protect assets from sabotage and damage.
Transparent Security, on the other hand, still involves safeguarding assets with these principles in mind, but in a way that protection measures are invisible by blending robust barriers into the natural surroundings through a comprehensive security plan. Specifically, this achieves physical security robustness without causing undue attention and alarm. Smart city design is the overarching concept that aims to protect targets in danger by future planning cities to be safe, secure, environmentally friendly, green, and efficient in a manner that can be maintained. Future smart city design must include Transparent Security, implemented in an adequately sophisticated manner both to appeal to the community and, importantly, to mitigate threats, noting that the nature of risks associated with HVAs means mitigation is the goal rather than elimination. Invisible measures through landscaping and urban design, and stealthy security features such as street furniture, water features and public art, are CPTED principles: aesthetic methods which allow for social acceptance and reduce individual and community fear, while reducing the risk of HVAs as much as security-explicit barriers. Supplementing this is the effect of dissuading a motivated offender: while Transparent Security may be invisible to the casual eye, hostile reconnaissance would easily identify the transparent barriers, reducing the likelihood of a successful attack.

Standards

Noting these design principles within a smart city concept, particular standards by both the Australian federal and state governments have been published to guide the implementation of Transparent Security. Creating standoff space between vehicles and pedestrians or buildings where every metre counts; traffic management planning for exclusion, restriction, inclusion, and temporary barriers; vehicle access control; traffic calming; and vehicle security barriers including security-explicit, street furniture, landscaping and nature for both passive and active barriers, are all examples of measures outlined in the standards. For future implementation, smart cities should plan the design of Transparent Security based on a considered threat analysis and published guidelines which, for example, standardise: a certain distance between vehicles and pedestrians, the use of road/street design to reduce the possible velocity of hostile vehicles by enforcing angled or ‘inturn’ impacts into buildings rather than head-on impacts, and the use of inclines and speedbumps up to buildings or near pedestrian access zones for vehicle deflections. In essence, the technical specification of barriers can be achieved to meet the threat, but in an aesthetically blended manner.

Remaining future concerns

Despite published standards and evidence for Transparent Security amongst security professionals, policy for mandatory requirements is lacking. The Australian Government imposes mandatory requirements and policy under the Physical Security Policy Framework; however, the Transparent Security elements in building and site design are yet to be developed. In contrast, the US General Services Administration formalises a multidisciplinary approach requiring building designers or architects to be employed to work with government security objectives in existing or planned building site developments for optimisation of public spaces. Nonetheless, some Australian jurisdictions require CPTED evaluations as part of new planning applications, and therefore an extension to include transparent physical security is not beyond consideration. The critical importance of Transparent Security to mitigate HVAs in public spaces means that Transparent Security needs to fit into this policy framework as a mandatory requirement transnationally. Within a smart city framework, architects, local government planning committees, and built environment developers should be required to conform to policy that specifically uses the published standards and guidelines on the implementation of robust transparent barriers for best practice security management.

About the Author

Stephen Rachow BCrim (CCJ) is currently undertaking a Master of Security Management at Edith Cowan University under Dr Michael Coole. Stephen has extensive military experience with a keen interest in CPTED, specifically physical security for counter-terrorism and crime prevention management.



Cover Feature - Frontline

‘Ready for take-off’: Australia’s need for a comprehensive airport security and policing review

By John Coyne, ASPI.org.au

For seventeen years, Australian governments only needed to mention ‘terrorism’ and ‘airports’ in the same sentence to get public support for new security measures. With each new disrupted terror plot, or tragedy, consecutive governments would announce new security measures, and of course additional resources, with little or no opposition. It is unsurprising then that today, we have not so much a well-designed security framework protecting our airports, as a legacy of layered new and old measures. With the Western Sydney Airport set to open in 2026, the time is right for a rethink of what the next generation of airport security ought to look like. And if we move fast enough, there might be time to build this system from the ground up in Western Sydney.

The last time Australia substantially reviewed its airport security was in 2005, when Northern Ireland’s former Security Minister Sir John Wheeler completed ‘An Independent Review of Airport Security and Policing for the Government of Australia’. At the time Wheeler found that ‘Experience around the world has demonstrated that airport policing and security is a specialist field requiring dedicated and trained officers, integrated systems, appropriate technology, and real partnerships between federal and state agencies and relevant private sector personnel.’ Wheeler was right, and arguably these principles are still axioms for those responsible for airport security today. Although, I would argue that he left out one key adjective: ‘holistically managed’.

At the time of the review, Wheeler caveated his assessments with the observation that ‘there is no ongoing mechanism to draw together and assess regularly the threat of crime and criminality at major airports’. Without the benefits of this kind of reporting, nor the ability to divine the future, he could never have anticipated the domestic and international incidents that have occurred at airports over the following 13 years. Deadly bikie brawls as seen in 2009 in Sydney, heightened terror threats, meat mincer bomb plots and mass casualty attacks at airports illustrate the changed scope of threats and risks faced at airports.

To be fair, the Government did respond to the Wheeler review with policy and new money. Command and control was drastically improved with the appointment of airport police commanders. Engagement between security providers, airport operators and airlines was also radically enhanced, due to the efforts of all involved. There were more, and better trained, police at all of Australia’s major airports. However, like many policy initiatives, the funding for the project eventually terminated. With time, staff numbers and policy focus waned. In 2005, Wheeler astutely recognised the dual importance of new technology and system integration.



However, some 13 years later, smart gates, new explosive detection capabilities, biometrics and closed-circuit television are not emerging technologies. Government has taken what were emerging technologies in 2005 and deployed them to great effect at our airports. However, in the absence of a substantive independent review, questions remain over whether they have been fully integrated into airport security. The ad hoc nature of security developments at airports hardly brings confidence that this kind of integration is occurring.

In the years that have passed since the initial response to the Wheeler review, there have been targeted ad hoc efforts to increase security at Australia’s international and domestic airports. For the most part these have been aimed at addressing particular vulnerabilities or mitigating specific threats, often in response to terror attacks or plots. The public had in the past appeared one part buoyed by announcements and security presence, and one part disturbed by the inconvenience such measures caused to the traveling public. Regardless, there was a trust that the measures were necessary for safety.

Last month the Turnbull government announced, with little warning, a proposal to provide police at Australia’s domestic airports with new powers to demand identification from travellers. The announcement was part of a broader range of budget measures on aviation security, ranging from the use of body scanners and the deployment of additional Australian Federal Police officers at airports to upgrades to inbound air cargo technology and extra funding to support regional airports to upgrade security. Prime Minister Turnbull argued that ‘dangerous times’ demanded these changes.

Something seems to have changed in the public mood towards security because Turnbull’s announcement was not met with support, nor the admiration that he probably desired. Instead, the coalition announcement was faced with widespread criticism for the measures. There’s plenty of empirical evidence that public trust in governments globally has been in steep decline since the end of the Cold War. And after numerous leaks and whistle-blowers, the public is more cautious than ever about its support of new powers for police, security and intelligence agencies. For sure, any announcement of new measures supported by ‘trust us’-like arguments will be met by scepticism. The days of ad hoc and incremental changes to airport security without detailed explanations for the public are passing by.

With all this in mind, it appears abundantly clear that we need another comprehensive independent review of Australia’s airport security and policing. And this needs to occur before we rush into introducing any further ad hoc aviation security measures. This review needs to avoid the temptation of bringing in another international expert to tell us what we need to do. Instead, it should bring together a small review team comprised of well-respected public and private sector security thought leaders, with representatives from the airport, airline and security industries. The terms of reference for this review need to focus on building an airport security system that is comprised of integrated systems that collectively provide the capability to mitigate risks, but just as importantly support the facilitation of smooth travel. It will also need to consider how to make these arrangements more agile than ever to keep pace with the rapidly changing threat environment we face.



Frontline

IoT – Securing the connected world

By Bennett Ring, ASM Correspondent

With the recent news of a Las Vegas casino’s database being hacked via a connected aquarium thermometer, as reported by Business Insider, it’s becoming ever more apparent that Internet Of Things (IoT) devices are increasingly being used as soft spots to attack networks. Raising the awareness of IoT security was one of two key themes at this week’s IoT – Securing the Connected World event, held at Telstra’s Melbourne Gurrowa Innovation Lab.

The first guest speaker at the two-hour event, which saw over 100 guests attend from both the Cyber Risk in Melbourne and Cybersecurity Melbourne meetup groups, was Matt Tett, MD at Enex TestLab. Mr Tett is also part of the Internet of Things Alliance Australia, where he chairs Work Stream 5, a group of over 120 volunteer members representing 65 organisations across Australia dedicated to developing an IoT framework. The group has already published a strategic plan with a top-line view of securing these devices, which is available for download and has been shared with many overseas partners, including IoT security groups in Germany, China and Hong Kong.

Over the course of his presentation, Mr Tett outlined several key areas where the group is focusing its efforts. First and foremost is to identify, reconcile, publish and promote IoT security guidelines and standards. With over 450 existing IoT platforms, many of which lack even the most basic security, this initially seemed to be an impossible mission. According to Mr Tett though, things weren’t quite as bad once a member of the group examined the issue. “One of our volunteers took the initiative and what started as an exercise to define a sample IoT security architecture rapidly evolved into an amazing overall IoT framework which is applicable to all areas of IoT and has now been adopted by most, if not all, of the other Work Streams at IoTAA”. Part of this work is to develop an IoT product security certification program, where an independent body can test devices before giving them the “trust mark” of approval, showing they’re secure enough for their needs.

Given the lack of awareness around IoT security, it’s not surprising that another mandate of the group is to educate suppliers about the need for secure devices. Mr Tett explains that, “… until security is a key factor in information systems, not just IoT, the same thing will keep happening time and again. Deliver first, secure later is still a prevalent culture because those procuring such systems do not ask the tough questions about security”. Part of the issue is that many so-called smart devices don’t have updatable firmware, as a result of using low-cost items. “While the consumer may save a few dollars by procuring a (cheaper) product, the actual cost to them in terms of compromise and information loss may be significant, not to mention potential for reputational damage”. Ensuring IoT devices are secure is just the first step though, with the Work Stream also developing guidelines for the actions and notifications that need to take place when a breach is detected.

The second half of the evening was dedicated to drone security. Key speaker Mike Monnik is a Senior Consultant at PrivasecRED and director of DroneSec, and his passion for drone technology is obvious, being an avid drone-user himself. “I absolutely love flying my own drones and hope that stricter regulations do not stifle innovation or remove the ability for commercial or hobbyist flyers to enjoy this technology”. Given that drones as we currently know them are basically flying computers, Mr Monnik explained why it’s important that these devices be held to the same strict security regimes as other devices, especially given their ability to penetrate once-secure areas. “Drones are unlike planes or cars where the operator is within the vehicle, ownership is clear and fines enforce regulation. Operators are disconnected from drones and penalties are harder to enforce – and (easier to) bypass.”

Some of the key areas Mr Monnik identified as upcoming security threats involving drones include their use in counter-surveillance of police and military operations, citing the recent use of a US$3 million Patriot missile to take down a small consumer drone being used to observe US armed forces during an overseas military operation. Many drones can now also be equipped with Wi-Fi sniffing devices, allowing operators to remotely access networks that are behind secure perimeters or in skyscrapers. While some drones already have GPS-based geofencing, stopping them from flying into certain restricted areas, this can easily be bypassed by hacking the drone’s firmware. To combat this, Mr Monnik thinks it may be necessary to install dedicated anti-drone infrastructure. “I don’t believe geofencing is a sufficient defense mechanism when reliant on the manufacturers, and so dedicated anti-drone infrastructure does become more appealing. It’s also advantageous in that it’s protecting a specific site.” Australian company DroneShield is one such manufacturer of these devices, which recently received Airport Environment Certification ensuring that its anti-drone technology does not interfere with aircraft or ground control avionics.

Another security threat concerning drone use is that of a user’s camera feed or drone controls being hijacked by a third party. Highlighting just how easy it is to take over a drone, 200 people at recent events including PlatypusCon, GoGirlGo4IT at Deakin University and SecTalks managed to do so in under two hours. Yet introducing heavy encryption between the user and the drone can result in increased latency and higher processing requirements, both of which lead to a less than optimal user experience. Mr Monnik hopes that work in this field might lead to, “…innovation in encryption standards that require being robust while providing speedy communication.” Overall, Mr Monnik believes that drone users with enhanced security needs should have security embedded into the drone program, be it via encrypting the drone’s storage devices, customising the operating system in Wi-Fi based systems, as well as other methods that require a specialist to focus on the issue.

With cybersecurity still lacking in many traditional computer-based networks, it seems there is an entirely new field of security yet to be tackled. It’s heartening to see Australian groups are already forming to take this realm head-on, with the end goal of a safer, secure cyber-ecosystem. With smart-devices, autonomous vehicles, and armed drones becoming ever more popular, the need is greater than ever.



Cyber Security

This is cyber! so… what is cyber?

By Rob Newby

I had a call from a younger security industry peer. We chatted about governance, risk and controls for a while. After 10 minutes or so he said: “it sounds to me like you’re from more of an InfoSec background rather than a cybersecurity one.”

InfoSec vs. Cyber

There was a time when I would have asked him to define “cyber-” as opposed to “info-”, but experience tells me that this usually draws people into embarrassed ramblings or strident declarations that I feel duty bound to chase down rabbit holes – and apparently nobody likes a smart arse. The language does reveal something of the modern approach to security however – the view is that Cyber is dynamic: real-time analysis of threats and attacks. InfoSec is boring: collection of asset information, impact analysis, setting of rules and management of risk.

I get it, I really do. I was a CLAS consultant for 5 years until the scheme closed in 2014, and it was used by the majority as an excuse to sit and write reams of paperwork. I always challenged that approach and spent more time turning it into pictures than was probably strictly necessary. That worked for me and it helped to explain risk at a time when it was sorely misunderstood. In those days (when all of this was fields) it was a requirement of government accounts that this work was done. A Senior Information Risk Officer at the Home Office would sign off my papers, accepting any residual risk I had decided was still in place after many months of design, assessment and redesign – all this AFTER an assessment against ISO27001 and a ListX certification for our working environment. Yes, this took years, but this was in the design, and operation was going to be monitored as per GPG13 (remember that, CLAS fans?!).

How Cyber has changed the world! We hear it everywhere. Even President Trump knows about The Cyber, it’s frightening what his 10-year-old son can do with a computer. If only he knew. But has it really changed?

The Cybersecurity Framework

And so, to the real point of this post. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was re-released at version 1.1 today to very little fanfare. An hour-long webcast accompanied this release and I watched it live, avidly awaiting some deeper insights into the framework. It sounded like the release of an academic paper, written and produced by extremely clever people in lab environments with external corporate and public-sector feedback guiding their complex and frankly ingenious thought processes. At the development end, it excited me, they are at last looking at integration with Corporate Governance and Enterprise Risk Management, but the presentation itself was quite dry and complex sounding.

If you are new to CSF, I will explain it in a little more detail. Conceptually, it is a way of describing all the security processes required to achieve information security within a business environment, whether that be as consultancy, within an IT department (if it’s still 1995 where you are), within a programme or as part of a fully functioning security department within an enterprise business. I have used it in all the above situations and (so far) with very good results.

Notice I didn’t say “Cybersecurity within a business” above, even though NIST, those bastions of all things technological and standard (nationally), do. That’s because nothing has really changed except the colour of my hair. Consider the NIST CSF “Core” – Identify, Protect, Detect, Respond, Recover. Identify is just a bunch of risk management processes, the things we did as CLAS consultants all those years ago. Protect is what architects and engineers did and still do all day every day. Detect and Respond was covered largely by GPG13, and Recover is the oft-neglected area of BC/DR that no-one really thought about until it was already too late.

Of course, the emphasis has changed since 2009, of course it has, it’s nearly 10 years later, Kim Jong-un walked into South Korea today, the President is called Trump and the UK is leaving Europe. There are some good changes as well though:

• we can detect attacks and breaches much more effectively, it’s no longer all logs and rules.
• we respond better through experience, we have playbooks from people who have the scars.
• we’ve learnt that our BC/DR is an important part of overall resilience.

This is Cyber, apparently. I can forgive my young colleague for thinking Cyber is all about SecOps and InfoSec is all about GRC, because the majority of the focus has been on improvements to detection and response in the last 10 years. Interestingly we are now hearing a new buzzword: “threat-led”. Back in 2009, we looked at threat actors and their threat levels as the first step in risk assessment, the very definition of “threat led”. Whether we are talking about “InfoSec” or “Cyber”, the processes are the same. CSF recognises and realises that for us, but this is a double-edged sword.
Using the Framework

I picked up CSF reluctantly a couple of years ago thinking it was “just another framework”, but I have come to both respect and appreciate it. It is robust, flexible and measured, and who wouldn’t want that in their Cyber environment? I have worked in security for the last 20 years, give or take. I have some very old and very wise friends who have likewise grown up with IT, security, InfoSec and latterly “The Cyber”. I am fortunate to count CISOs in US and UK stock exchange listed companies as close personal friends. I have recently started discussing CSF with them in more detail (for my own benefit), and almost to a man they have, at least initially, been confused. On the flip side, I have also worked with project managers who are new to security, with limited exposure to controls, governance or risk management, and they have found it an immediate and almost unlimited source of information to talk intelligently and comprehensively about information security. Is this a reflection of the modernity of Cyber? No. Is it a reflection of my inability to communicate effectively? Possibly.

What it certainly is related to is the way we have previously spoken about InfoSec – whether that is “old-fashioned” or not. But if we are inadvertently making it difficult for professionals to understand, what is needed is a simple view of CSF: what it isn’t, what it is, and most importantly, how to use it in its simplest form. Clarifying the Framework, What it isn’t CSF is a double-edged sword. Say “Framework” to any information security professional and they will think of risk management frameworks, or control frameworks. CSF is neither. If you assume that CSF is to be used for risk management, you will quickly become confused as there is no way of quantifying risk with it. Likewise, say “NIST” to many security professionals and they will think of NIST Special Publication 800-53 – a complex and technical control set (so much so that I have only ever used it to write architectural patterns for specific systems where I already knew all the variables. Using it in enterprise environments is frankly rather difficult.) If you assume it is a control set, you will be searching for the detail and wondering how it can ever be measured. What it is As previously mentioned, the CSF Core is a set of security processes. It describes them to different levels of detail: 1. Functions: as described above, Identify, Protect, Detect, Respond and Recover. 2. Categories: there are 23 of these in v1.1, they break the Functions into lower level processes from Asset Management through to Recovery Communication (media handling and the like). 3. Sub-categories: 108 lower level processes which begin to sound like controls described in business language. There are 2 other parts of CSF, the Implementation Tiers and the Profiles. In simple terms, the Implementation Tiers are the basis of a maturity assessment, and the Profiles are a way of prioritising the gaps found in such an assessment. For me, these are nothing ground-breaking, although very structured and useful. 
The real value of CSF is the Core as described above.

How to use it in its simplest form

As a consultant I am often dropped into new environments, or even just listening to people talk about their environments without any reference point. With no corporate history it can be hard to judge maturity or know anything about the culture, governance and risk management environments that will drive how security is implemented. To get a very quick picture of how well a security environment is working, do a quick check of the 5 Functions:

1. How well can you identify risk?
2. How well are you protected?
3. What are you detecting?
4. How do you respond?
5. Could you recover?


I won’t write out all of the questions required to go to the next level – you can pick up a copy of the CSF Core yourself. You will get to a point where you will know you aren’t doing the things it asks for. If not, and you ARE doing everything it asks for, you can start to apply the Implementation Tiers – increasing the level of risk management across the board so that you are moving towards a fully adaptive environment. There will then come a point where it is not cost effective to increase your level of risk management; hopefully that comes at a point where you are happy with the level of control you have.

In 100% of the cases where I have used this so far, “Detect” and “Respond” have been the places needing the most investment and focus. “Protect” – the traditional resting place for CIA controls and InfoSec tools – remains relatively strong and “Identify” seems about half done; governance is still weak in general, and risk management is not yet properly linked to the business. All of this is “generally speaking” and from a UK-centric standpoint.

“Threat-led”

A colleague of mine, an experienced CISO, stated that a true threat-led approach is down to objective testing over theoretical modelling. He said that at the most basic level, a Red Team exercise using the current tools and techniques of prevalent threat actors working against a particular industry sector is much more objective than a paper-based threat model, and it brings things to life for non-InfoSec professionals in an impactful way.

I jumped to an answer based on personal experience: the framework is only an architecture and it needs testing in operation, so the Red Teams are effectively testers of the CSF process architecture. On closer analysis I found that my statement that “threat-led” is part of risk assessments is borne out by CSF: the “Identify” Function has a Category within it for Risk Assessment (see Table 1 below).
Within that the first Subcategory (ID.RA-1) states that “Asset vulnerabilities are identified and documented”. It gives several Informative References, including NIST SP800-53r4 control CA-8, which contains the control enhancement for Red Teams. So, there are 2 models of where Red Teams sit and it’s worth spending some time to examine which approach is “more correct”:

- Red Teams as a testing function for a set of security processes, or
- Red Teams as a control?

For those of you who have just asked the question “what’s the difference?”, there is an interesting endpoint to this that I want to explore in more detail.

As per my reactive answer, the cybersecurity Framework, like many/most frameworks doesn’t have a very obvious

Table 1 - Extract from CSF

Function: IDENTIFY (ID)

Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Subcategory: ID.RA-1: Asset vulnerabilities are identified and documented

Informative References: NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

feedback loop. It’s a point-in-time setup that leaves you to operate at your own pace. It needs a risk management methodology to prioritise, fix, then operate. To put it in slightly different language, process gaps need putting into a programme then testing before moving into BAU, just like controls. However, the power of processes over controls is that processes are easy to visualise and communicate, whereas controls are point solutions to points of risk.

Why do we have controls?

This has been an almost continual conversation amongst friends and colleagues in the industry recently. Often in relation to risk management, but more recently, also in terms of compliance and even governance – why are we making it so hard for ourselves? Wouldn’t it be easier to have one control that says, “do it” and the testing methodology that said: “did you do it?” (this is the printable version of this control. My friend and colleague, Nathan Varney, first postulated this as “JFDI”).

When you choose a control set, what is it that you are doing? I had difficulty articulating this, so asked my long-suffering wife to listen to my explanation and help me simplify. Now, she is a smart lady, but has no background in IT, let alone security, and a degree in theology. It took me a few attempts, but I settled on a description based in risk:

“You have controls to address the risks. You put a baseline level of controls in place, to address a known level of risk and measure anything above that. If there is any residual risk not treated by the baseline controls, you either increase the level of control, add more or accept the risk.”

“Ugh,” she said, eating an apple and looking at her iPhone. I have come to realise that this means the information is being processed, not that I am being ignored. Assembly complete, I went on to describe my hypothesis, and the crux of my dilemma, as relates to CSF processes.
“If you look at security as a set of processes rather than a set of risks, you can treat gaps by continual red and blue teaming (I had explained these previously). If you look at security as a set of controls, you have to check each one of them for correct implementation, before you look at risk, which makes it a really slow process.” “I love that you challenge and stimulate me with your intellectual pursuits, as well as including me in your life’s work”, she didn’t say this, I imagined it again. It strikes me now that not only is controls-based compliance and risk management a slow process but reporting on it is probably out of date as soon as it’s produced. Cyber is fast-moving, boards need to be able to make decisions based on it quickly, to address issues. Traditional risk management processes are slow, as described above, CSF gives us something which can accelerate it. “So, why do you need controls at all?” I asked. This has been a source of continual debate with colleagues recently. What’s their use, there has to be a better way, etc. I can see that architects might want a standard view, but there are ways around this – they can keep dynamic patterns in their own database. I can see that engineers might want a reference, but the architects can drive this with designers, if anything it keeps the technical control loop more active – a step towards



DevSecOps at Enterprise level? Raising her eyes from her phone for a moment and putting it down on the sofa in a way which indicated I had interrupted some important reading, she delivered the killer line: “What about the people who don’t understand it? It’s quite complicated to understand all the processes and that’s a very specific set of skills for red and blue teams. It’s going to be prohibitively expensive to run that against all your IT. If you have controls in place, there’s a point at which it won’t get any worse.” This is the important point about controls and this method of looking at risk: controls are there as a backstop, think of them as the ground troops. Risk management is your sniper, and should be quick and agile like one. At the moment we are using teams of snipers in hand to hand combat. We end up trying to understand why it’s so expensive and we’re not getting the results we want. This is not agile or cost effective. One of the things CSF will not do, is tell you whether you are compliant, and as someone who is comfortable in a “Cyber” environment that’s why I like it. It will tell you that you are performing all the right tasks, but not whether they are correctly implemented. You have to rely on professionalism, which I think is a good thing. The larger an organisation, however, the more detail is required to support that professionalism – a layer underneath CSF to define the requirements, to meet the processes, maintains a baseline of understanding. It is important to note that these are technical controls though, not business controls. I strongly believe that this is all a control set should be used for – to inform the technical implementers, not to drive them into ever decreasing circles of compliance hell. The business should be using business language for agile risk management, not technical language. 
Time and again I have seen this poorly implemented, and we end up with hundreds or even thousands of technical controls, mapped against hundreds of risks, and ending up with no signal remaining in the noise. Then people say that risk management doesn’t work, and return to reporting on controls, because it makes more sense. And we wonder why IT environments aren’t maturing, or worse, are being breached. It can be a soul-destroying process to prove compliance to a control set, and ultimately it doesn’t give you any additional security, just a tick in the box. Ask Sony. Ask TalkTalk.

Integrating Cyber and Risk Management

Anyone who has practiced risk management with the technical risk management methodologies: IRAM2, IS1/2 or NIST’s own RMF, will know how complex things can get very quickly. The problem is, the more vulnerabilities and threats, the more risks you see, so the more controls you need, and the more these calculations multiply, up into an unmanageable mess. Prioritising any of it needs a spreadsheet or database and at that point you know you’ve lost the interest of the majority, let alone the board.

If you assume your probability of being breached is 1, i.e. a certainty, and set about fixing every process as well as you can, the only risk calculation you need to do is when to stop spending money, a cost/benefit analysis to set your departmental budget for the year. This is far more useful

to any board, than a visualisation of missing controls or a statement of technical compliance, based on ticking boxes.

The logical endpoint for this is risk, as the lack of a function or process. Instead of multiplying controls and threats and risks, you could choose how detailed your endpoint is when you start. The gap analysis required to show these risks is quick and layered with CSF. If you know a process exists, then move on to the next. This is impractical to do at the functions layer – but looking at the categories gives a quick idea of where you might have issues, for more detail move down to the sub-categories.

Risk Reporting

Reporting on that risk is simplified with CSF too. The functions are blocks that most people within the business can understand. If your board is not ready to hear the full set of functions, start with the all-encompassing top level of “cyber incident” as your risk. Any board will understand they are at risk of a cyber incident, even if they have their heads in the sand. I chair a local Scout committee, and even at this size of operation, they are very aware of this (although this is possibly because their Chairman is a security consultant).

Certainly, as a CISO moving into a new business or consultant on a new client engagement, asking 23 questions relating to these processes for the scope you are responsible for maintaining, can give you valuable insight into where you need to focus efforts for deeper diving. The classic 6 days, 6 weeks, 6 months detail that new CISOs are expected to give back fits nicely with CSF’s view of the world. In 6 days you can comfortably report back on the 23 categories and indicate where you are going to focus. You can do this in terms of the functions or the categories themselves.
In 6 weeks you can dig deeper into the detail of the sub-categories and give a more granular view, prioritising the areas that need the most attention, leaving you free to mobilise a programme of work around the findings and start work on your Target Operating Model (TOM).

Integrating Cyber and Governance

Even if controls are incredibly strong, weak governance will kill a compliance process, and make risk hard to manage. If governance is good, controls can be terrible and “control” will still be OK. If hierarchy follows processes and everyone owns the right part of the process, the implication is that we could give up on controls. When people don’t understand them, like my wife hypothesised, the governance in place would cater for that, educate them and improve the whole organisation.

What is CSF if not a ready-made TOM? The level of detail roughly mimics the responsibility levels you would find in an organisational structure. Under the CISO in a global enterprise, the functions would typically have a Director responsible - Director of GRC (Identify), Director of Technical Security (Protect), Director of Security Operations (Detect & Respond), Director of Business Continuity (Recover). Then at category level you will typically find heads of department (Head of Risk, Head of Governance, etc.) and finally at the subcategory level you will find management


roles – tasks that need carrying out. I said previously that subcategories sound like business controls. In fact, all of the processes within CSF could in fact be called controls, and the people aligned to them are the owners that set the governance structure. The controls are ultimately operated by staff who can use the chosen control set to maintain compliance. This gives a really neat view of governance without it getting technical.

So, where does all of this leave us?

I feel like I’ve been tearing down the walls and for the sake of my own sanity and yours, I should start to rebuild them. Before I do, let me recap on where the pieces currently lie:

1. InfoSec and cyber are the same thing, just at different points in time.
2. Both are just a set of processes.
3. Processes with testing are better than individual siloed controls with metrics and measurements.
4. Risk management is pointless, it’s going to happen anyway so spend time and money fixing the processes the best you can.
5. To manage it all, build your environment in line with the processes.

InfoSec and cyber are the same thing, the processes of cyber are just an evolution of the controls in InfoSec. That doesn’t mean they ARE controls, not in the technical sense at least, but they control the level of the organisation they are intended for, to the intended level. This still means that complex control sets are wasteful, but they serve a time-honoured purpose.

I am not an expert in every area of security, despite 20 years in the industry. I have focused on consultancy and due diligence, so have a pretty good idea of my way around GRC, strategy and architecture, but also some fairly in-depth roadmap ideas for incident detection, engineering experience in key management and implementation of 2-factor authentication from various points in my career. One area I don’t have all the answers to, is response planning.
I was asked recently to address a requirement for an incident response plan, as part of overall business resilience and I found myself in the unfamiliar territory of not knowing where to start or worse, for me, what to say. I turned to my old friend CSF, and it told me to start by preparing a response plan. I asked it ‘where I should look’ and it directed me to a multitude of control sets, each with more detail than the next. And there I stood, the scales fallen from my eyes, fully informed about how I would go about my task, from initial principles to comms plans and ownership. The thing is, I’ve read all of those controls before. I literally have every major and a few minor control sets ever written, in storage on my home network. I’ve worked closely with response teams in corporate environments and watched them write these plans. But they’ve never been my responsibility, so I haven’t committed them to memory. So, I shouldn’t be surprised perhaps that people who aren’t working in risk management every day need reminding of how it works, or that IT guys don’t understand the precise level of detail we need for our asset management system. What this does show, is that we are maturing. We are


showing layers of process that mimic our business, and we’re pretty close to nailing it. As security departments continue to evolve, no doubt the layers will spread out further, and no doubt we’ll call it something else (can I be the first to suggest Amoeba Security – no it doesn’t make sense, but neither does cyber and we’re all saying that).

I believe there are 2 more important steps to be made. One that I am already seeing happen, encouragingly, is CISOs reporting into boards. It used to be that CISOs reported to CIOs and received minute fractions of their budget, whilst directly opposing their business model (I talk about this in my book – to be released in August if you are interested in reading more). The reporting lines then changed, often quite quickly, to COO or CRO, where a level of challenge to the IT organisation could be maintained. I still like the CRO reporting line, as it happens, but security governance HAS to be done correctly or this does not work. I like it because I also like making sure that governance IS correct, but I digress. CISOs are now reporting directly to CEOs, presenting to whole boards, discussing findings with NEDs. I am currently studying for a Non-Executive Director Diploma with the Financial Times, and can see that this is an area that is about to expand rapidly. Cyber is now a board agenda item, it’s an enterprise risk (a thing I have learnt from my course - it was number 9 of Carillion’s top 10 risks), and an operational risk.

The other important step is for risk to be reported appropriately at ALL levels. This requires good governance, but also the splitting out of controls into levels that align with the organisation. What this does is give the ability to talk about the RIGHT risks to the right level of people, the people with the correct level of ownership, and leave the lower level detail to the people who have the focus on that area, right down to the technical controls.
What you don’t want to end up with is technical controls in enterprise or operational management systems, that breaks the model. This is what NIST have reflected in their simple, superb, simply superb and superbly simple CSF Core. The CSF Profile allows gap analysis, akin to risk identification, and the Implementation Tiers set the way you manage those risks. It’s just like infoSec used to be, but this time it’s cyber.



Cyber Security

The AV system done it

What insecure technology is lurking on your networks?

By Simon Pollak

Operational Technology. It turns lights on and off, heats and cools our buildings, and controls our conference rooms. It sits there innocuously ticking away year on year, rarely given more than a passing thought at best. When was the last time you took a close look at the operational technology connected to your network? What risks does your OT carry that your environment may be exposed to?

For the purpose of this article, I'm only going to consider OT in mixed-use environments, as SCADA systems, plant and production systems, and pure OT environments have different challenges and control requirements.

Historically, and in many modern organisations, IT and OT fall under differing management regimes that often have little interaction with one another. AV may be managed by a subset of IT, but is often ignored when setting security policies. As these systems increasingly connect to a common network, this can result in both systems exposing the other to risk.

Whilst awareness is increasing, too many people regard OT as dumb devices that don’t pose a security risk. It is critical to bear in mind that at some level, all of the connected OT equipment is a computer and must be treated as such.

Many AV and smart home systems run a web server to provide the user interface on native devices as well as from a browser. These web servers may be readily accessible and the code readily modified with little if any security controls. In the IT world, the idea of putting an unsecured web server inside our environment is almost unimaginable, yet we risk doing so when connecting some control systems. To add insult to injury, some of these systems require ActiveX or admin privileges to function properly.

Many of these systems were designed to operate in an analogue environment, typically using serial connections with simple, published protocols for communication. The transition to IP was typically the addition of a Network Interface and the same simple protocol being transmitted over IP. I'm sure there are some of you thinking "so what if my air conditioning traffic isn't encrypted." What happens when it's your UPS, your CCTV system, or even your video conferencing system?



OT frequently ships with minimal if any security configuration enabled, tending to favour availability and ease of setup over security. CCTV cameras frequently permit viewing without requiring any credentials, sometimes even presenting as UPnP devices on the network. What would happen if someone could control your video conferencing system when a board meeting was taking place, or used your security cameras to observe people typing credentials into their computers?

Why would someone want to attack OT

Whilst attacks on OT remain relatively uncommon, they are on the rise. One of the reasons they have experienced fewer attacks may be the difficulty in monetising such an attack. As criminals come up with new and innovative ways to gain benefit from attacking OT, this is likely to change.

OT as the attack victim: For various reasons, an attacker may want to attack the OT environment directly – this could be using CCTV cameras to carry out reconnaissance, compromising a security system in order to facilitate a physical attack, or just messing with stuff for the LOLZ. Stuxnet showed us the sort of real world damage that an attack on Operational Technology can cause.

OT as the easiest way to attack the IT: If your IT environment is well defended, the OT environment may provide a soft target from which an attacker can pivot into the IT environment. With traffic from OT systems already being different from what is typically seen on an IT network, such an attack may be difficult to detect.
OT as a source of free computing power: Mirai and its variants demonstrated how an enterprising criminal could easily harness great numbers of low cost, low hygiene devices as a source of free computing to carry out one of the largest recorded denial-of-service attacks.

OT as collateral damage: Most people who have carried out any sort of penetration testing on OT will have experienced the relative ease with which operational technology can be made to crash. In the middle of winter, during a cyber attack on a building services company in Finland, the central heating systems in two apartment blocks were “bricked” for almost a week.

The long war.

Unlike IT, which has relatively short service lives, mature

update and patch management processes, and marked generational improvements, OT tends to be difficult to update, offer limited upgrade benefit, and remain in service for a very long time. Mechanisms to update firmware on OT devices are typically manual, and carry a very real risk of "bricking" the device. It’s not just old OT that presents these challenges; a lot of newer OT either has poor security mechanisms, or connects to legacy systems with poor security. All of this makes security management of OT challenging at best.

So how do we secure our operational technology?

Securing OT is unarguably challenging, but increasingly important both for the protection of the OT as well as for the protection of the IT environments to which they are connected. The increasing publicity around and frequency of attacks on critical infrastructure, OT, and IoT all increase the likelihood of these systems being attacked. The key aspects of securing OT are the same as securing any other environment.

- Understand your threats and your vulnerabilities.
- Perform vulnerability assessments of your OT - identify exposed ports and services.
- Evaluate the threats and vulnerabilities against your risk appetite - consider what an attacker could do if they gained control of your OT.
- Patch the unacceptable vulnerabilities that you can.
- Deploy controls to mitigate those that you can't.
- Implement an appropriate set of security controls.
- Put your OT onto a segregated network.
- Establish a process to keep systems updated.
- Address Identity and Access Management.
- Monitor the environment for anomalous behaviour.
- Repeat the process.

Will we ever win the OT cyber security battle?

There are companies out there doing great stuff in moving OT Cyber Security forward, but I'm not sure that trying to apply IT security solutions to OT is the right answer. It may be, but there are many inconsistencies.
Until such time as security becomes a key differentiator when selecting operational technology, the proliferation of poorly secured OT will continue, and even once it does, their long life cycles mean that it will be many years before these devices are out of our environments.

The views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies of any organisation or entity.

About the Author

Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).
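An added example, not part of the original article, of the assess-and-evaluate steps in the article's checklist: it takes constructed assessment results for four devices and ranks them by the weaknesses the article names (services needing no credentials, unencrypted protocols, UPnP discovery, and devices outside a segregated OT network). The device names, addresses and the weights standing in for risk appetite are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    encrypted: bool
    auth_required: bool


@dataclass
class Device:
    name: str
    ip: str
    services: list = field(default_factory=list)


# Assumed weights standing in for an organisation's risk appetite.
WEIGHTS = {"not_segregated": 5, "no_auth": 4, "cleartext": 2, "discovery": 1}
DISCOVERY_SERVICES = {"upnp"}


def assess(device, ot_networks):
    """Return (issue, detail) findings for one device."""
    findings = []
    address = ipaddress.ip_address(device.ip)
    if not any(address in network for network in ot_networks):
        findings.append(("not_segregated", f"{device.ip} is outside the OT networks"))
    for svc in device.services:
        label = f"{svc.name}/{svc.port}"
        if svc.name in DISCOVERY_SERVICES:
            # Counted once as discovery rather than as cleartext and no-auth too.
            findings.append(("discovery", f"{label} announces the device to the network"))
            continue
        if not svc.auth_required:
            findings.append(("no_auth", f"{label} needs no credentials"))
        if not svc.encrypted:
            findings.append(("cleartext", f"{label} is unencrypted"))
    return findings


def triage(inventory, ot_cidrs):
    """Rank devices that have findings, highest score first."""
    ot_networks = [ipaddress.ip_network(cidr) for cidr in ot_cidrs]
    ranked = []
    for device in inventory:
        findings = assess(device, ot_networks)
        if findings:
            score = sum(WEIGHTS[issue] for issue, _ in findings)
            ranked.append((score, device.name, findings))
    return sorted(ranked, key=lambda row: (-row[0], row[1]))


# Constructed assessment results; names and addresses are illustrative.
OT_CIDRS = ["10.50.0.0/16"]
INVENTORY = [
    Device("hvac-controller", "10.50.3.9", [Service("https", 443, True, True)]),
    Device("ups-rack-a", "10.50.2.5", [Service("telnet", 23, False, True)]),
    Device("lobby-camera-1", "10.50.1.21",
           [Service("rtsp", 554, False, False), Service("upnp", 1900, False, False)]),
    Device("boardroom-vc", "10.10.20.15", [Service("http", 80, False, False)]),
]

if __name__ == "__main__":
    for score, name, findings in triage(INVENTORY, OT_CIDRS):
        print(f"{score:>2}  {name}")
        for issue, detail in findings:
            print(f"      {issue}: {detail}")
```

The video conferencing unit ranks first because it combines an open, unencrypted web interface with sitting outside the segregated network, which is the combination the article warns about.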



Cyber Security

Digital Forensics 101: A Career Path to Consider

By Annu Singh

I am an ardent fan of The X-Files and have always been in awe of detective Dana Scully. I was delighted to recently read an article on a study done by the Geena Davis Institute on Gender in Media, where the researchers found a correlation between women who were familiar with, or fans of, The X-Files and its influence on their career choices. As the study says, 50% of women who watched The X-Files opted for a career in STEM, including getting into forensics. Similarly, other TV dramas such as CSI, NCIS and Bones have all played a role in bringing forensics to the fore as a career choice, by uplifting the image from scientific backwaters to a more glamorous and exciting job. In each of these shows, the sub discipline of digital forensics also plays its part, so we’ve also seen an increase in the number of females entering DFIR careers (digital forensics and incident response).

I decided to take a closer look at the enchanting world of digital forensics, to see if it really is as dramatic as it’s portrayed in the media and crime thrillers. The reality is that digital forensics is the application of forensic science principles to the artefacts we all create through interactions with technology, such as computers, mobile phones, websites and even GPS devices and smart devices. The Digital Forensic Research Workshop (DFRWS) defines digital forensics as:

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

It is important to understand that the term forensic science brings two aspects together; the science component that refers to the scientific method, along with its application to a specific investigation. Universality and repeatability are two key features of a scientific method, i.e. if an exercise is carried out properly, it is possible to predict what will happen for all activities within that range of the phenomenon – and anyone else will be able to do the same. The forensic element refers to how courts make their decisions and how evidence will be interpreted, as per rules of law.

In TV crime stories, we often see investigators arriving at the crime scene, taking photographs, scribbling a few notes, collecting evidence in Ziploc bags, then within a few television seconds, they hack into the perpetrator’s computer. Almost always in the following scene they have conclusive results. But how realistic is this? How exaggerated are the outcomes, especially on speed, effectiveness and scope of the digital forensics expertise, compared with real-life digital forensics?

Formally, the digital forensic process is a systematic and relatively tedious one, consisting of five steps. Investigations start with Identification of sources of evidence or information (devices) that would be relevant to the case, looking at who the information holders might be and where their data is located. In the second step, the focus is on the preservation of electronically stored information (ESI) by protection of the crime scene. Forensic investigators capture photographs of the scene and document relevant information about the evidence, including notes on its acquisition. The third step is the collection of digital information relevant to the investigation, such as taking the electronic device(s) into custody and replicating their content using forensically



sound methods: copying, imaging, printing out, etc. In-depth methodical search and collection of evidence is followed by thorough analysis of collaterals like data objects, system and user-generated files and logs relating to the incident. The final step in the process is drafting of the legal report based on proven techniques and methods, so that the same results can be reproduced by other forensic examiners. The first four steps are accompanied by contemporaneous note-taking to support what the forensic examiner has done.

Digital forensic experts are trained in a multitude of cyber security processes too, including client-server networking, virtualization, network traffic analysis, Internet intelligence, network intrusion and response, retrieving information from registry files, recovering deleted files and their metadata, email recovery, instant messaging forensics, electronic discovery (called eDiscovery), reverse engineering malware and threat actor analysis. In addition to learning how to collect evidence, they know how to triage and document the scene, process and manage cases, and they are required to stay abreast of emerging technologies, such as cloud, AI, big data, mobile, IoT and keep up to date with the latest tools.

In real life, we all know about the story when the FBI approached Apple to help unlock an iPhone 5C that was recovered from one of the San Bernardino shooters. The shooters killed 14 people and injured 22 in this mass killing, the December 2015 terrorist attack in San Bernardino, California. Apple declined the request, but later the FBI (engaging a third party) accessed the phone anyway and recovered the shooter’s information. These are all activities associated with the role of digital forensics examiner, and this story shows how political and legally aligned the role of an examiner is in the modern world.
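The collection and note-taking steps of the five-step process described earlier in this article, as an added example that is not part of the original article: it copies a source to an image while hashing it, records the SHA-256 in a hash-chained notes log, and shows that a later one-byte change to the image is detected. The file names, examiner label and log layout are assumptions made for illustration, and the "device" is a constructed sample file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path, chunk_size=1 << 20):
    """Copy source to image, hashing the bytes as read, then re-hash the image."""
    digest = hashlib.sha256()
    # "xb" refuses to overwrite an existing image file.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            digest.update(chunk)
            dst.write(chunk)
    acquired = digest.hexdigest()
    if sha256_file(image_path) != acquired:
        raise ValueError("image read back from disk does not match the source")
    return acquired


class NotesLog:
    """Append-only examiner notes; each entry commits to the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(body):
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def add(self, examiner, action, detail, when=None):
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries) + 1,
            "utc": when.isoformat(timespec="seconds"),
            "examiner": examiner,
            "action": action,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry = dict(body, hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def first_broken_entry(self):
        """Return the position of the first entry that fails, or None."""
        prev = self.GENESIS
        for position, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != position or entry["prev"] != prev
                    or self._entry_hash(body) != entry["hash"]):
                return position
            prev = entry["hash"]
        return None


def verify_image(image_path, log):
    """True only if the notes chain is intact and the image matches its record."""
    if log.first_broken_entry() is not None:
        return False
    recorded = [e["detail"]["sha256"] for e in log.entries
                if e["action"] == "acquisition"]
    return bool(recorded) and sha256_file(image_path) == recorded[-1]


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "usb_stick.bin")  # constructed stand-in device
        image = os.path.join(workdir, "exhibit-001.img")
        with open(source, "wb") as fh:
            fh.write(b"constructed sample data " * 4096)
        log = NotesLog()
        log.add("examiner-a", "identification", {"item": "exhibit-001"})
        digest = acquire_image(source, image)
        log.add("examiner-a", "acquisition", {"item": "exhibit-001", "sha256": digest})
        intact = verify_image(image, log)
        with open(image, "r+b") as fh:  # simulate a single altered byte
            fh.seek(10)
            fh.write(b"X")
        return intact, verify_image(image, log)


if __name__ == "__main__":
    print(demo())
```

A second examiner who re-runs `verify_image` against the same image and log gets the same answer, which is the repeatability the reporting step depends on.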
Law enforcement agencies all have cybercrime divisions (or at least teams) who assist detectives in almost every criminal investigation they undertake, but especially in the more insidious crimes of online child exploitation and distribution of illegal material. Digital forensics has a vast scope and is subdivided into many specializations, such as:

1. Computer Forensics – the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing and analysis of network activities or events to discover the source of security attacks, intrusions or other problem incidents, i.e. worms, virus or malware attacks, abnormal network traffic and security breaches.
3. Mobile Devices Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history. Drone forensics is an emerging field now.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics – the recovery of evidence from the RAM of a running computer, also called live acquisition.

*(Source: The Open University – Digital Forensics course)

Digital forensics has emerged from traditional forensic science as technology-specific forensics processes. Until the late 1990s digital forensics was called computer forensics, but as the field matured, experts felt the need for standards, procedures and protocols. With the rise in cyber warfare, information security could no longer be left to chance by economic or national security establishments and ISO27001 was universally adopted the world over. Building on this standard, some digital forensics standards have emerged:

• ISO/IEC 27037:2012: Guidelines for identification, collection, acquisition and preservation of digital evidence.
• ISO/IEC 27041: Assurance for digital evidence investigation methods.
• ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence.
• ISO/IEC 27043: Incident investigation principles and processes.

Dr. Edmund Locard, a pioneer in forensic science, stated, ‘Wherever two surfaces come into contact, a transfer of minutiae, however slight, occurs.’ In simple terms, there is always a silent witness – evidence – left behind in the activity. In any scenario, when we browse a website, we leave some trace in a logfile of the web server, including our IP address and the time we accessed it. As most routers don’t store details of the packets passing through them, traces can be momentary, and it is typically metadata rather than actual data, but this is still useful in an investigation.

As technology evolves, cyber criminals become more sophisticated in covering their trail, upping the ante for digital forensics investigators. An independent study by Bromium® shows how cybercrime is evolving into a criminality platform and has resulted in a $1.5 Trillion market of illicit revenues. This report highlights how good the cyber criminals have become in “productizing malware making cybercrime as easy as shopping online.”

Use of digital forensics is not limited to law enforcement agencies. It is also used extensively by business cyber security teams to safeguard their interests from cyberattacks. These teams proactively maintain, manage and monitor the inventory of desktops, mobile devices, servers, virtual machines, network, storage appliances, operation technology and IoT devices; and they draft and enact remediation plans and operational hygiene measures, and implement security controls.

As more businesses go through digital transformation and IoT pervades our lives, data becomes the modern-day currency. Digital forensics is thus becoming a component of everything we do, and no two days are the same for these experts. If you are detail oriented, meticulous in your approach to your work, have patience to trawl through piles of artifacts, and are prepared for the smoke rather than the fire we see in the TV shows, then digital forensics may be the career for you. In fact, if you work hard, there is no reason why you can’t be the next Dana Scully or Abigail Sciuto.
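The collection and reporting steps described in this article depend on showing that a working copy is bit-for-bit identical to the source and that another examiner can reproduce the result. The following Python sketch is an added example, not from the article: it images a file standing in for a device, hashes source and copy with SHA-256, and appends every action to a contemporaneous notes file. The function names, the JSON-lines notes format and the sample file are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def sha256_file(path):
    """Hash a file from disk, independently of any copy operation."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def note(notes_path, examiner, action, **details):
    """Append one UTC-timestamped entry to the contemporaneous notes (JSON lines)."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, **details}
    with open(notes_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def acquire(source, image, notes_path, examiner):
    """Image source to a new file, hashing the bytes as read, then re-hash the image."""
    read_digest = hashlib.sha256()
    # Source is opened read-only; "x" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            read_digest.update(block)
            dst.write(block)
    source_hash = read_digest.hexdigest()
    image_hash = sha256_file(image)  # independent read-back of what was written
    note(notes_path, examiner, "acquire", source=source, image=image,
         source_sha256=source_hash, image_sha256=image_hash,
         match=source_hash == image_hash)
    if source_hash != image_hash:
        raise IOError("image does not match source; do not analyse this copy")
    return source_hash


def verify(image, expected_sha256, notes_path, examiner):
    """Let a second examiner reproduce the hash before analysing the image."""
    actual = sha256_file(image)
    ok = actual == expected_sha256
    note(notes_path, examiner, "verify", image=image,
         expected_sha256=expected_sha256, actual_sha256=actual, match=ok)
    return ok


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")      # constructed stand-in for a seized device
    image = os.path.join(workdir, "device.img")
    notes = os.path.join(workdir, "notes.jsonl")
    with open(device, "wb") as fh:
        fh.write(b"constructed sample evidence\n" * 4096)

    recorded = acquire(device, image, notes, "examiner-a")
    print("acquired, sha256 =", recorded)
    print("second examiner reproduces it:", verify(image, recorded, notes, "examiner-b"))
    with open(notes, encoding="utf-8") as fh:
        print(fh.read(), end="")
```
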



Cyber Security

Encryption headaches

By Joseph Wentzel

Early last week I was reminded of the headaches that can be encountered with encryption. A site we are dependent on has installed a revoked certificate and our policy has no wiggle room on whether we can still connect. People who are supposed to know better have a certificate that has expired, so instead of going out and getting a new one, they find they have an old one lying around (the fact it was revoked and already expired notwithstanding) and go ahead and install it as a cost-saving measure.

After I get done shaking my head in disbelief and wondering who could have thought such an act was actually a good idea, I begin to wonder about our users. Our poor personnel who have to connect to the site to manage specific items are now barred from doing so, by best practice. They don’t understand this. All they see is that we no longer allow them to do their job. A quick explanation that it is on the provider’s site does little to help. They still want me to supply a solution.

An email conversation between myself, our staff and the provider led to three possible solutions:

1) Install a new certificate – the ideal solution.
2) Reinstall the expired, but not revoked certificate as we can work with it – a poor solution.
3) Remove SSL/TLS from the equation – another poor solution.

Not much in the way of solutions and with poor staff that don’t really understand. These are not technically illiterate people. They understand the reasons for security. They just aren’t in our field and don’t understand the specifics. If reasonable people that enjoy the benefits of IT every day and manage devices through the use of technology have problems with this, then what about the average consumer?

It wasn’t that long ago, I remember the banking industry being responsible and warning people to only use their sites and online shopping sites that were secure. They went into enough detail that people should expect to see a lock or key and that the URL (or is it URI now) would have HTTPS instead of HTTP. What a pleasant change and a remarkable show of helping people to remain financially secure. After several months of these ads and seeing positive action from the user community, I was ready to publicly thank the banking industry for the service. However, this was short lived. Not long after the ads ended, several banks decided to improve their web performance and insert secure i-Frames into standard HTTP pages. Yes, the data would be secure, but the average user had no way of knowing this. In effect, an epic fail for the industry’s education of the public.

It isn’t just horrendous practices as above, but also how often we deprecate services and our widespread reaction to those deprecations, that confuses users. There was a time when WEP was considered the way to go. Keep us as safe wireless as we are when wired (are we ever really safe when wired?). Users accepted this security measure. It was easier than MAC filtering and so much better. Everything was copacetic in the world.



WEPCrack rocked our world and brought out the pundits. Overnight users learned that WEP was useless. In fact, using it was more dangerous than not. It didn’t even rise to the level of a placebo. Better to use nothing than to take the risk of using it. Yes, our fine security writers gave this advice. Luckily, reason finally won out and we were able to recommend WPA and a few users followed this. Then it was broken, but thankfully our industry remained quiet instead of fear mongering.

Finally, we had WPA2 and could heartily recommend it to users. Everything before it was too risky, but this is good. It didn’t matter that their devices didn’t support it. Our esteemed colleagues even went so far as to recommend WPA2-Enterprise for home users. Where they were to get certificates went unsaid. Most devices still only supported WEP or WPA and we punted instead of giving decent advice. We should have warned of the risks of deprecated protocols, but still recommended WPA. For the parents that got their kids a Nintendo DSi for Christmas, what were they to do? This device didn’t support WPA2 until a firmware upgrade came out a short time later.

Well, on the consumer side it seems security has plateaued for a while. They are now using WPA2-PSK and are happy. We use WPA2-Enterprise in industry (sometimes PSK). What could be better? Well, if you’ve read this far you can probably guess the answer. We now have WPA3, as WPA2 was subject to KRACK. What do you think we will tell the consumer industry? You can’t even buy WPA3 devices yet, but users had better be prepared to shell out hundreds if not thousands to keep themselves safe.

What a sad and sorry state we have created for those that are not cyber-security specialists. There is no security they can implement to keep themselves safe. Can’t count on SSL, it is just too weak, and we haven’t explained how to successfully move over to TLS (even with industry professionals it is missing); our wireless is a ticking time bomb waiting to let us be exploited. We can encrypt our hard drives, but we might lose the key and lose everything. Nothing we recommend is ever a serious recommendation for more than a few months and then is summarily dismissed.

As if all this wasn’t bad enough, our poor users are being abused or put at risk by the very services we have tacitly given the impression of safety to. We allow Facebook and others into our corporate networks. Many organisations encourage their employees to have accounts and then to like their company online (maybe a little social engineering at play). If it can be trusted by us, then it must be safe… Didn’t Zuckerberg just issue an apology over the lack of security and privacy?

We are a mature industry that acts like a bunch of impetuous children, jumping from one thing to the next and causing confusion and disorder in our wake. This is unethical! Maybe it is time for the big players and government watchdogs to stand up and create a proper users’ forum. A place that can give good advice and recommendations. A simple basic flowchart to protect our systems. A pseudo-code example like this:

If your wireless access point and devices support WPA3 then use it.
Else implement WPA2-PSK (this is a bit weaker but still strong – create a future path to WPA3).
Else implement WPA (limit confidential information and work on a path to WPA3).
Else implement WEP with MAC filtering (avoid all confidential material and seek to upgrade quickly).
Else settle for WEP or MAC filtering (realize that your data can be easily compromised).
Else open Wi-Fi (with absolutely no expectation of privacy and extreme risk).

Or, when connecting to a shopping website use TLS; if TLS is not available, then SSL should be acceptable (slight increased risk). If SSL is not available, then you should assume that anything entered on the website can be read by others and is not safe for transmission. This is however acceptable for most sites that are informational only and don’t require any information from you.

This site should have definitional information and guidelines on how to configure devices (vendors should be encouraged to upload documentation for their devices). General security guidelines are a must. Fear mongering, however, should be avoided as it is counter-productive.

Now, as I write this, I’m thinking, “Doesn’t NIST do this already?” Well, to some extent, but I can’t imagine a lay person being able to understand their recommendations and even begin to implement them. I can’t imagine most of my colleagues being able to fully discern how much of NIST’s guidelines should be implemented without removing the very reason for their network. Our friends in Canberra and DC, Redmond and Silicon Valley have the resources (plus being on the site is effective marketing and should offset costs) and moral responsibility to do this. No company should be required to post to this site, but the onus is on them. Would you really want to purchase a device that the vendor didn’t give security advice towards?

Well, enough griping. I just came out of a meeting between my staff members and the provider mentioned at the beginning of this article. It turns out the provider has a new portal for the management of devices that their techs were unaware of, and that they forgot to inform the users of. This fixes the issue and everyone can now do their job, but I’m still scratching my head wondering why they installed a revoked and expired certificate on the other system (which is technically still in use). Well, this isn’t my problem any longer, but the lack of information to the users just highlights their need to be able to access relevant information in a timely manner from a trusted source. If the big players get serious, I’m more than happy to help out in the endeavour, but somehow I think we’ll be waiting for WPA4 first.
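The wireless flowchart from this article, written out as an added Python example (not code from the article): it walks the author's ladder from the top, picks the first rung that the access point and every device can use, and records who blocks each better rung, which is the "path to WPA3" the ladder keeps asking for. The capability labels, the sample household, and ranking WEP alone ahead of MAC filtering alone within the article's "WEP or MAC filtering" rung are assumptions.

```python
from dataclasses import dataclass, field

AP = "access point"
MAC_FILTER = "MAC-filter"  # assumed label; MAC filtering is an access-point feature

# The article's ladder, best first:
# (rung, cipher the AP and every device must support, AP must filter MACs, article's caveat)
# "WEP or MAC filtering" is split into two rungs; their relative order is an assumption.
LADDER = [
    ("WPA3", "WPA3", False, "use it"),
    ("WPA2-PSK", "WPA2-PSK", False,
     "a bit weaker but still strong; create a future path to WPA3"),
    ("WPA", "WPA", False,
     "limit confidential information and work on a path to WPA3"),
    ("WEP with MAC filtering", "WEP", True,
     "avoid all confidential material and seek to upgrade quickly"),
    ("WEP only", "WEP", False, "realize that your data can be easily compromised"),
    ("MAC filtering only", None, True, "realize that your data can be easily compromised"),
    ("Open Wi-Fi", None, False, "absolutely no expectation of privacy and extreme risk"),
]


@dataclass
class Recommendation:
    mode: str
    guidance: str
    held_back_by: dict = field(default_factory=dict)  # better rung -> who cannot use it


def blockers(cipher, needs_filter, ap_caps, devices):
    """Names of everything that prevents one rung from being used on this network."""
    blocked = []
    if (cipher and cipher not in ap_caps) or (needs_filter and MAC_FILTER not in ap_caps):
        blocked.append(AP)
    if cipher:
        blocked += sorted(name for name, caps in devices.items() if cipher not in caps)
    return blocked


def recommend(ap_caps, devices):
    """First rung usable by the AP and all devices, plus what blocks each better rung."""
    held_back = {}
    for rung, cipher, needs_filter, guidance in LADDER:
        blocked = blockers(cipher, needs_filter, ap_caps, devices)
        if not blocked:
            return Recommendation(rung, guidance, held_back)
        held_back[rung] = blocked
    raise AssertionError("unreachable: open Wi-Fi has no requirements")


def next_step(rec):
    """Nearest better rung and what must be updated or replaced to reach it."""
    if not rec.held_back_by:
        return None
    return list(rec.held_back_by.items())[-1]


# Constructed sample household: one older handheld that has not had its firmware update.
ROUTER = {"WPA2-PSK", "WPA", "WEP", MAC_FILTER}
HOME = {
    "laptop": {"WPA3", "WPA2-PSK", "WPA", "WEP"},
    "phone": {"WPA2-PSK", "WPA", "WEP"},
    "handheld console": {"WPA", "WEP"},
}

if __name__ == "__main__":
    rec = recommend(ROUTER, HOME)
    print(f"Use {rec.mode}: {rec.guidance}")
    for rung, who in rec.held_back_by.items():
        print(f"  {rung} is blocked by: {', '.join(who)}")
    print("Next step:", next_step(rec))
```
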



Cyber Security

Murray Street Mall - Perth, Western Australia

The state of the security union

By Joseph Wentzel

As I look back over the years, one thing stands out. Sales people selling things people don’t need or can’t afford. It hasn’t just been the fear of having your wife run down by a huge lorry as her 3.5 litre six-cylinder car wouldn’t accelerate as fast as a V8 or being hopelessly antiquated with last year’s model of something. It is the fear of not being secure. Hackers in our PCs that will destroy everything that we have. We have all heard the security fears, in nearly every aspect of our lives. We give in to it. Why else would we all be taking off our shoes when we fly to or from the United States?

As I write this the Murray Street Mall in Perth, Australia, is closed down by police due to a suspicious package. Some of these security concerns are very real. Some of them will probably end up being a backpack left behind.

Not too long ago, I was doing a bit of shopping in either a Circuit City or Best Buy (this was in America, but you can pretend it was Harvey Norman or JB HiFi). I couldn’t help overhearing a lady purchasing a laptop for her teenage son to do school work on. There was a great special on one with very decent specs for the time and costing about $400 ($475AUD). Of course the salesperson was very helpful, but also fear mongering. She would need anti-virus, as there is just so much malware on the Internet, anti-spyware to keep snoops from reading her financial data over the web, a personal firewall to keep her home safe from bad guys entering over her cable connection and so on. To be fair, she did need protection, but was this really right? Did she have to spend an extra $200 to allow a laptop to be safely used? Did she really need to pony up another $200 or so for MS Office? This simple $400 computer was going to set her back over $800. A used car salesman would be green with envy.

Most modern operating systems come with anti-virus/anti-spyware. While many 3rd party ones are arguably better, are they worth the cost to the average home user? Probably not. Her NAT router (supplied by her cable TV company) would probably be strong enough that she wouldn’t need a separate firewall (and if she does, there is also one in MS Windows). As for Office, this is a bit more debatable. There are many free office products (OpenOffice, LibreOffice and others), but there are also reduced priced versions of MS Office (Home and Student); the student version of Office might even be free from the child’s school.

I haven’t exactly painted the salesperson in a very good light, but they really didn’t deserve to look good. Unfortunately, we probably deserve much of the same criticism. I’ve been in this field 35 years and find myself doing much the same (but luckily I catch myself doing it nowadays). Users seek us out for advice. That computer might as well be a magic box to many of them. Do we really give them advice based on what they need, or what we like? How often do we recommend Linux to a relative novice (I like Linux, but is it really appropriate for someone who has a hard time logging into a Windows PC at work), or suggest a 4-500 dollar wireless router with enough antennas it could almost be a work of surrealistic art, just to allow them to jump onto their new 25Mb NBN connection (one of the lowest fibre rates here in AU)? All of this is reasonable to us as we saved them $50-$80 on the price of the O/S, they didn’t need a Cisco AP with a Wireless LAN Controller, so there is another grand or two saved. LibreOffice saved them $50 over MS Office, so we really have their best interests in mind. Our recommendation of a major AV manufacturer seems quite reasonable (although risky) compared to their not having a proper Threat Management System.

I think back to my Dad. He could barely work the TV remote, but wanted to be able to email and look at Facebook. His friends at the VFW (American version of the RSL) were all online. What is the right solution for him?



An old laptop or PC that I had made the most sense (reimaged of course). By today’s standards it would be a Celeron 3450, with 4GB of RAM. The built-in AV would be sufficient, or maybe a free 3rd party. The router that came with his Internet connection provided plenty of additional security with NAT. I splurged and got Office Home edition, so he would have Outlook and Word. Although some of the free choices would have worked (for someone used to using Office at work, I would have felt that MS Office was an essential choice). My greatest fear was social engineering, and software will only do so much to stop this. A little training and education was needed.

Now I didn’t need wireless for him, but what would have been appropriate had the situation been different? WEP was a bad choice then and still is now. WPA would probably have been acceptable (yes, it really would have been) as it would have provided adequate protection based on the value of the data. However, as there was no cost difference and no meaningful increase in difficulty of using WPA2, that is the way I went (additional security without cost or loss of functionality is a good thing). We now know of new problems with WPA2; would it still be acceptable today or do we have to buy things that support WPA3? To go with WPA3 we would probably have to upgrade the products and make the system cost prohibitive. We don’t need to use WPA2-Enterprise either, as the use of certificates would be too hard for him to manage if there was a problem.

In dealing with users that ask us for advice, keep their situation in mind, not what you (or I) want. Do they need an i7-8770 or a simple Celeron 3450? Do they need 4GB or 16GB? General business graphics or 120fps @ 4K for a great first person shooter? Are the built-in tools (or alternatively free ones) acceptable or will you need to recommend something greater? What productivity options do they need? What speed Internet? Do they even need a computer? Seriously, a tablet may be a better choice for consumption of media if they don’t produce themselves.

Security needs to be measured against the functionality and price. What I use in the enterprise is barely adequate in my view, but would be dramatic overkill for nearly any home user or small business. What I use at home exceeds most small to mid-sized businesses, but I also manage it myself. What I’m going to recommend to a mom, so her child can do their homework and hop on the web, is going to cost far less. That $400 laptop should be able to do everything she needed it to do. At worst a little more money for Office – Student edition.

As I close this article, the Murray Street Mall has reopened. Not sure what it was (probably a backpack left behind), but I’m reminded that as much as we worry about security, we also live in the safest time in human history. Fear mongers have us terrified and acting irrationally, but we in the security industry should know better. It isn’t what we want to believe, but the facts that matter. Security is important and should be exercised by everyone, but there is an appropriate level. Causing undue fear is unethical, doing nothing is unethical. As security specialists we are the shepherds of our users. We need to help keep them safe in a reasonable and cost-effective manner.



Cyber Security

International Security Expo 2018 evening reception, Terrace Pavilion, House of Commons, Westminster, London, UK. Photo Credit: International Security Expo 2018

Everything has relevance but not everyone sees it

A Cyber Week in London – Part I

By Jane Lo ASM Correspondent

“Data drives all we do”, the British data analytics firm Cambridge Analytica at the center of controversy in the United States and United Kingdom announced on its website

But just weeks ahead of the new European Data Protection law set to come into effect on 25th May 2018, its parent SCL Elections Ltd. and Cambridge Analytica filed applications to commence insolvency proceedings, following widespread media reports that it harvested personal data about Facebook users as far back as in 2014.

“The siege of media coverage has driven away virtually all of the Company's customers and suppliers,” the firm said in the statement. “As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.”

Heavily embroiled in the scandal and determined to win back trust, Facebook said in full-page ads in European newspapers, “New EU legislation means more data protection for you.”

The new EU legislation is the General Data Protection Regulation, or GDPR in short. What is GDPR, why does Data Protection matter, and what are the implications for Singapore?

To answer these questions, we spent a week in London, speaking with Security professionals with extensive experience in the European private and public sectors, and Cyber specialists from the OSP Cyber Academy.

Day 1 - 30th April – An introduction to GDPR

Comprising of 99 articles codifying data protection, the opening Chapter of GDPR states that the rules relate to “the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”

What is Personal Data?

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” - GDPR Article 4, Para 1 – Definitions.

Common personal data such as Race, Age, Gender come immediately to mind.

Under this definition, data that are increasingly part of our daily digital lives such as biometrics, personal location, digital images, personal device ID’s, posts on social media sites, user login credentials are also considered personal data. Data that had been anonymized or pseudonymized are considered personal data if the techniques allow identification of the individuals to whom it relates.

Data protection of personal data refers to the ability of a person to control, edit, manage and delete this information, and to decide how and to what extent such information is communicated to others.

How did EU and UK Data Privacy and Protection laws come about?

“When we speak about social media, apps and the digital economy, it’s easy to forget the world that the UK’s current Data Protection Act was forged in. No Google. No Facebook. Clunky desktop computers with less processing power than we all have now in our pockets and purses.” – UK ICO (Information Commissioner’s Office) Elizabeth Denham's keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21 November 2016, ‘127 days in the job and preparing for GDPR’

With the appearance of mainframe computers which facilitated data banks in the 1960s, the collection and processing of personal data became widespread. Concerns were raised: who had the right to access the information; how was it kept accurately and being disseminated; could it be used to discriminate?

Different jurisdictional treatment exacerbated these concerns, prompting need for consistent standards to allow individuals to exercise control over their personal information, while allowing information flow to support international trade.


Richard Preece, formerly British Army General Staff Officer; Exercise Director of the first national and international cyber crime exercises on behalf of the National Crime Agency; Co-opted panel member of the new British Standard Cyber Risk and Resilience- Guidance for Boards and Executive Management; currently co-opted to the British Standards Institute Governance Standard committee. Photo Credit: OSP Cyber Academy

Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU (even those located outside the EU) and applies from 25th May 2018 onwards. Photo credit: St Albans Anglican.org

Data protection principles were devised. The German region of Hesse passed the first law in 1970; the US Fair Credit Reporting Act 1970 also contained some elements of data protection. Further momentum was gained when the Council of Europe established principles for personal data protection in automated databanks in both private and public sectors. Another significant initiative in the early 1980s came from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

In the UK, the Data Protection Act became law in 1984. Updated in 1998 to align with the EU 1995 Data Protection Directive, it became law on 1st March 2000.

How have they evolved since?

“The world’s changed a lot since 1995, not only technology, but people’s attitudes to data, their demand that their information is properly looked after. The law needed to change too” – UK ICO Elizabeth Denham, DMA Annual Conference, 24th February 2017

The updated UK Data Protection Act 1998 covers personal data held on paper as well as computer, to reflect the increasing use of digital processing and storage.

Consistent with the EU 1995 Directive, the UK 1998 Act also makes it illegal for data transfer to countries that do not have appropriate data protection laws.

The EU Data Protection law itself went through significant update with the GDPR, the first major legislative change to European Data Protection law since its 1995 Directive.

GDPR brings a 21st century approach with mandatory data breach reporting, higher standards of consent, and significantly larger fines (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher).

Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU. Significantly, in an expansion of the territorial scope of EU data protection laws, it will also affect organisations located outside the EU.

Effective from 25th May 2018, GDPR puts new obligations on companies and public bodies that collect data (e.g. there is a requirement for those holding and processing data to appoint a Data Protection Officer) while giving consumers new rights over how their data is handled (e.g. the right of consumers to data portability is new).

What does GDPR mean for UK businesses, after Brexit takes effect?

When UK voted on 23rd June 2016 to leave the European Union, the ink was barely dry on the EU GDPR, published in the Official Journal of the European Union just a few weeks earlier.

Elizabeth Denham, the newly appointed UK Information Commissioner acknowledged that “Brexit makes the job I accepted earlier this year, more challenging”.

But she added, “you may not realise but we’ve had data protection law in the UK for the last thirty years.” The then-current Data Protection Act 1998 was an Act of UK Parliament. Referred to by the ICO (Information Commissioner’s Office), ICO clarified a day after the vote: “The Data Protection Act remains the law of the land irrespective of the referendum result.”

But what happens after 25th May 2018, when GDPR goes into effect?

As UK is not yet out of EU on 25th May 2018, the legal reality, made explicitly clear by the UK Secretary of State, is that, UK businesses, like businesses in any other EU Member State, will need to comply with GDPR.

Will UK still need to adhere to GDPR, upon the conclusion of Article 50 - the process for UK’s formal withdrawal from the Union?

The Queen’s Speech to Parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

This latest law, enshrining the GDPR and built on the UK Data Protection Act of 1998, was the UK Data Protection Bill. The text of the Bill received Royal Assent on 23rd May 2018 and is now an Act of Parliament (law).

Day 2 - 1st May - Demonstrating GDPR Compliance

“If it is not written down, it did not happen”. – Richard Preece, OSP Cyber Academy Chief Training Officer

What are the Key Principles underpinning the GDPR?

On 27th September 2017, the European Court of Justice (ECJ) handed down its ruling in the case of Puškár v Finance Directorate of the Slovak Republic. Mr. Puškár sought a decision to prevent the tax authorities from including his personal information in a tax authorities’ confidential list of front-men (Contested List), and to delete any reference to him in such lists, arguing that the Contested List was drawn up without a legal basis and that his personal data was processed without his consent.

ECJ held that Contested List was created as “tasks carried out in the public interest”, which



does not preclude tax authorities from processing personal data for the purpose of collecting tax and combatting tax fraud, and was a legitimate basis for processing of personal data under the Data Protection Directive.

But ECJ emphasized that even where there is a legitimate basis, processing must meet the principle of proportionality, and be necessary to achieve the stated purpose. These key principles of “legitimacy”, “proportionality” and “transparency” in the EU Data Protection Directive of 1995, are retained in the GDPR Article 5 – Principles relating to processing of personal data:

1. Lawfulness (Data must be processed lawfully, fairly and in a transparent manner);
2. Purpose limitation (Data must be collected for specified, explicit and legitimate purposes);
3. Data minimization (Data should be limited to what is necessary);
4. Accuracy (Data should be accurate and up to date);
5. Storage limitation (Data should be kept for no longer than is necessary);

“Tasks carried out in the public interest” is one of the six lawful grounds for meeting these principles.

Clear-cut grounds are where processing is necessary for the “performance of a contract” (e.g. an e-commerce store processes a consumer’s address for delivering an ordered item), or “is based on a legal obligation to which the controller is subject” (e.g. a bank processes an account holder’s data to comply with anti-money laundering laws).

Lawful grounds that require more robust controls are where “processing is based on data subject’s consent” (e.g. an airline’s online offer to existing customer via an opt-in tick-box, to a loyalty program); or for “the legitimate interests of the controller” (e.g. a retailer, using only the contact information provided by a customer at point-of-sale, to serve him/her direct regular mail marketing of similar product offerings, with an easy-to-select choice of online opt-out).

Less common grounds are where processing is “to protect an interest which is essential for the life of the data subject or that of another natural person” (e.g. for humanitarian purposes, including for monitoring epidemics), or for tasks “carried out in the public interest or in the exercise of official authority”.

What Rights do Data Subjects have?

The recent ruling by a UK court that Google’s listing of a businessman’s past computing hacking activities breached his Right to be Forgotten illustrates how GDPR gives data subjects a wide array of rights that can be enforced against organisations that own or process personal data.

The right of individuals to access their data is already an important part of the existing EU data protection law.

GDPR takes this further with enhanced rights for data subjects and new obligations on entities that hold personal data.

Examples are the Right to request rectification of inaccurate personal information; the Right to restrict the processing (where the accuracy of the data is contested, or when the processing is no longer necessary, or when the data subject objects to it). GDPR also introduces the Right to data portability, seen as an important tool to facilitate the exchange of information necessary in the digital era. This right to transfer personal data from one organization to another, or to the data subject, in a structured, commonly used and machine-readable format also encourages healthy competition between EU data controllers.

Some other key changes?

Where individual EU members had the ability to set specific detailed regulations in the old regime, GDPR sets explicit rules. For example, old rules specified data access requests to be handled “without excessive delay”, wording broad enough that countries set their own reasonable time limits for response - but GDPR sets a deadline of one month (with exceptions). Another is where previous rules allowed countries to set maximum fees in responding to requests - but GDPR rules that information be provided free of charge unless requests are “manifestly unfounded or excessive”. GDPR also imposes mandatory data breach reporting to the individuals whose data was lost, and to a supervisory authority within 72 hours. Under the old regime, there was no specific breach notification obligation, leaving individual countries to set their own rules.

UK Information Commissioner Elizabeth Denham at IAPP (International Association of Privacy Professionals) Europe Data Protection Intensive event 18th Apr 2018. “Myth: the biggest threat to organization under GDPR is massive fines”. Photo Credit: UK ICO Twitter post.

What are the financial penalties?

Headline grabbing figure of €20 million, or 4% of the worldwide annual turnover for non-compliance had attracted much attention.

But the penalty to be handed down may be lower, depending on the nature of data breached (e.g. number affected, duration of infringement, damage), and “the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them” (e.g. actions taken to mitigate damage to data subjects, preventative measures).

Past administrative corrective actions and how cooperative the firm has been with the supervisory authority are also considered as the commitment of the organisation in complying.

What do all these mean in practice?

GDPR is principle-based to cater for the varying processing and technological approaches. Flexible though explicit, the interpretation depends on social and cultural attitudes to privacy. For example, “fair” in Germany may not be regarded as “fair” in Spain. Differences in the resources and attitudes of national supervisors are likely to result in variations in enforcement.

See the next issue of Asia Pacific Security Magazine for cyber week in London Day 3, 4 and 5 - Part II


Cyber Security

Why achieving web application security might be a lot like juggling elephants

By Michael Warnock, Country Manager, Aura Information Security

In today’s fast-paced business climate, where the pressure is on to deliver new web-based services and features to customers, Chief Information Security Officers (CISOs) can often feel like they’re juggling elephants. In one hand they have the weighty responsibility of getting new applications into production as quickly as possible. In the other, they’re holding the equally weighty task of ensuring those applications are totally secure and able to withstand a growing array of cyberattacks.

The challenges are highlighted in recent research that shows organisations are facing an increasing number of threats being launched via web applications. According to Verizon’s 2018 Data Breach Investigations Report, more than 20 per cent of breaches continue to occur as a result of vulnerabilities within web applications. The report says the parties behind such breaches are most often financially motivated external attackers.

These security issues are particularly acute for organisations in the retail and transport and logistics sectors. Many have back-end systems in place that have been operating for more than a decade. When internal pressure mounts to link these systems to web applications, the result can be the appearance of significant security vulnerabilities.

The situation is also exacerbated by the fact that many software development teams have not historically had security methodologies built into their code development workflows. Team members might be very good at creating fully featured web applications, but not so great when it comes to ensuring those applications are able to withstand malicious attacks.

Adopting continuous application security

To overcome this challenge and successfully juggle the elephants, CISOs need to ensure that security becomes a core part of every new web application’s development lifecycle. Rather than being seen as the ‘icing on a cake’ when it comes to development, security needs to be baked into the cake itself from the outset.

CISOs and their teams need to adopt a strategy dubbed ‘continuous application security’. This recognises that effective security is not a one-off task, but requires consistent and ongoing attention. The key elements within this strategy are:

• Application testing: The traditional approach of checking the performance and security of applications on an annual basis is no longer sufficient, and security testing of web applications should be conducted on at least a quarterly basis. This testing should begin during the software development phase, happen again just prior to going into production, and be followed by regular ongoing tests during the application’s lifecycle. A framework should be put in place to ensure this testing takes place as scheduled, and external parties brought in to help with the process as required.

• Training and education: The subject of IT security should be incorporated into ongoing staff training to ensure programmers are skilled at developing secure code. As well as technical education, there also needs to be a focus on developing the necessary mindset among developers. This will help to ensure that they always have security top of mind during the code design and creation process.

• Defensive protection: If applications need to be launched before full security measures are in place, there needs to be an additional platform in place that can provide the required security until the code itself can be altered and made more secure. This platform should be sufficiently robust to provide the required level of security while at the same time not interfering with the application’s performance. This platform can also provide protection should ongoing testing uncover a vulnerability in applications that have been live for some time. Rather than those applications having to be taken offline and fixed, they can continue to operate while developers work to overcome the weaknesses that have been identified.

• Automate processes: To ensure applications remain as strong as possible, the security team should automate as many of the scanning and checking activities as possible. This will allow vulnerabilities to be identified as quickly as possible and necessary fixes applied.

The strategy of continuous application security will ensure that web applications remain secure at all times, from initial development and deployment to ongoing use in a production environment. The approach ensures CISOs can address business demands to get applications to market as quickly as possible without sacrificing IT security. Juggling elephants may not be that difficult after all.



Cyber Security

A new race - The now, the soon to be & the 20/20 year horizon: Robotics, artificial intelligence (AI) & human convergence

By Chris Cubbage, Editor

By 2025, most of us will be using an AI Personal Assistant and throughout each day will have engagement with several different robots. By 2030, there may be more robots than humans. By 2050 we could have produced a semi-sentient being. Just as smart phones and drones emerged rapidly in the 2000s and 2010s, a decade on, the next cycle will be the rapid rise of robots and AI avatars. Taking this to its theoretical end point, we are on our way to creating Earth’s new race.

At its fingertips the new robot race has rapid 3D printing, with transforming ability created by new material sciences, and at scale, control of unmanned mining operations, rail lines and shipping ports. New and exciting robot designs are emerging and decades of human research developing Artificial Intelligence (AI) and machine learning algorithms have reached critical mass for data processing and storage scales. It is all happening at a rapid pace and on the current trajectory will cause another wave of profound technology impact on all our lives, globally.

In an interview, Liesl Yearsley, CEO & Founder of akin.com, confirmed her research had identified relationships being formed between humans and AI avatars. One relationship, called ‘James’ and ‘Lisa’, with Lisa being a female AI avatar, concerned researchers, who determined James was spending a detrimental amount of time engaging with ‘Lisa’. He had formed an emotional relationship, yet knowing Lisa was not a human. Researchers decided to wipe ‘Lisa’ and re-engaged her into the community of hundreds of other avatars. Yet indeed, it turned out James then spent six months re-locating ‘Lisa’ and knew when he had found her despite her being in a different role.

The ability to create relationships and influence through AI avatars creates new possibilities in social influence, espionage and the insider threat, just as seen with the manipulation of social media to influence government elections or as a means for recruitment and radicalisation.

The advent of robotics in human form, able to be produced en masse, being conveniently and promptly 3D printed, is already a reality. Humans and robots, even as life and social partners, is also already a reality. The next phase will be humanoid robots operating emotionally, with an AI avatar. Today’s robots have a diverse application, from nanotechnologies through to driving a renewed capability in multi-planetary space exploration.

Confidently, Liesl Yearsley said, “the big thing to get here is that AI is going to be crunching away in the background, it is going to be ambient and ubiquitous, not to the point of thinking about it, just as we have blindly accepted the use of the smart phone. It will become better at discerning of what’s going on for you, you won’t even need to tell it what you want or what you think, it will know. Society will change.”

Watched closely since 2008, from military and hobbyist interest in unmanned aerial vehicles, or drones, they evolved with rapid proliferation. Drones are here to stay, are commonly sighted and form an integral part of operations across a number of industries and domains. It is now the robot’s turn. So much so, the anticipated emergence is driving discussion around much broader social and economic impacts, including transition of workforces and as far as the consideration of releasing a global minimum wage.

Each machine, be it a drone or robot, creates and brings unique strategic, tactical and operational capabilities. Across all market verticals, the rise of the robot will be a new challenge with the obvious ‘pros and cons’ for consumers, corporates, governments and security providers seeking greater detection, monitoring, awareness and analytical tools to assist security intelligence and law enforcement.

Behind this driving demand is a rapidly evolving technology and cyber security industry. We are well past the advent of the first CCTV Camera and the migration from decade old analogue systems to fully networked and interconnected digital surveillance systems. India and China are both progressing to a wholly cashless society and rolling out compulsory unique human identifiers, such as ID numbers and Social Scoring Systems. Facial recognition forms a core part of most city and transport hub surveillance specification requirements. In China, schools are introducing facial recognition systems. On scale, we are already approaching human brain function in the connected nodes of the planet and superseding it in terms of computational power.

A classic thought experiment in AI was that if you train an AI to make paperclips and then let it loose and it self-optimised, theoretically it would mine the entire planet for materials and create an enormous pile of paperclips, to the detriment of all else. That’s the theoretical endpoint.

When it comes to Singularity often people think it is far away. When asked, the top 200 AI scientists consider Singularity will occur within 20 years. Singularity requires two conditions. The first is that the AI can self-optimise. To get better by itself. The other condition is that we don’t stop it.

Imagine an AI system that scans all the literature on machine learning, creates a thousand hypotheses about how to improve, or maybe a million, and then tests a million every minute and generates a slightly better way to improve itself, measures that improvement, increments it, and then continues on again. It is within reason we could do that in the near future. With over twenty years’ experience, Liesl assures, “I see nothing in the evolution of AI that tells me that’s not going to happen.”

“The second condition,” Liesl confirmed, “is we always think Singularity is when ‘it’ gets smarter than us because we have the idea that up until that point we are just going to turn ‘it’ off. Being smarter than us, we really think we are just going to shut it off? But really the definition is about ‘are’ we stopping it? It can have a brain the size of a newt, but if it’s self-optimising and there is nothing in our systems that says we are going to stop it, theoretically we have already reached a soft point of singularity and won’t know it.”

“If we are creating a new life form, what kind of ‘Gods’ will we be? Do we give them human values, the same values that have enslaved millions and ruined the planet’s environment? We may not agree with other’s cultural values. Can we be culturally neutral? The giant tech platforms will just say ‘well we don’t have any control over the content’ – we’re just a platform.” Liesl declared, “I don’t think we can be values neutral. I think we have to start asking these difficult questions. Let’s start putting some parameters in place, what are we teaching AI to optimise against, because one day it will out evolve us and what is that world going to look like at that point?”

But in addition to the inherent AI Singularity risk to humanity, there is also the inherent human threat with such powerful capabilities. Rob Wainwright, former Executive Director at Europol, interviewed on his presentation, ‘Data - the new oil in the network economy fighting crime and terrorism’, highlighted a different age to come. Rob termed this ‘International Policing 2.0’, along with the AI race with crime, security by design and privacy by design.

Alongside military, industrial and consumer robotics, and the criminal threat they may create, there will be increasing need for security robot deployments. Innovation is needed in new security industry training and simulation methods, including Augmented Reality (AR) and Virtual Reality (VR) training, use of gaming controls for tactical robotic operations, and a myriad of civil security applications.

“Threats rise along with innovation and capability”, Rob assured. Islamic State showed it was prepared to engage in online disruption and created a virtual caliphate, using over 100 social media platforms. The new bank robbers, like the Carbanak and Cobalt hacker group, now rob banks and score over $1.2 billion. Criminal enterprise is much more sophisticated and today sustains a burgeoning trade and crime as a service sector. Even bespoke criminal services are increasingly becoming a competitive industry amongst the criminal community itself. This is a dangerous trend. Bad actors are converging with terror, and a crime nexus forms in firearms, travel documents and any other activity with a common link. State actors are upskilling and upscaling the criminal sector, with Russian capabilities shown to be able to take control of cyber ecosystems, including US Federal Elections. The seeping out of cyber-military skills and capability into the wild is also a dangerous trend.

Police are having some success but the threat will be sustained. The way police use data to identify modern crimes, that are essentially transnational in nature, needs to be better targeted and better tracked across disparate information systems. Europol has been instrumental in transforming into a transnational intelligence unit, with over 1,200 law enforcement agencies now part of Europol. Europol has experienced an exponential rise over the last seven years, with a four fold increase in intelligence reports and six fold increase in cross border operations.

And what are some of the solutions? Dr Hugh Thompson, Chief Technology Officer for Symantec, has discussed how, for IoT security to have a chance, IoT security will require analytics at scale. The consumers are not participating. How do we get them to contribute? Often misunderstood or overlooked is the blurring line between enterprise security and personal digital safety. Today, the tech at home is likely to be better than at work, and needing to connect or cross paths. Better applications of privacy by design are needed, including something like a nutrition label that may be applied to a device. What is the device behaviour graph and image signature that provides network and user insight for security and signature purposes? This also creates consumer awareness.

“To build robots that are ready to handle the challenges of unstructured environments, we need a design process that focuses on adaptation and intelligence. Luckily, we know of an incredibly powerful algorithm that creates intelligent, robust, and adaptive machines already: evolution.” (The Conversation).

Indeed, as humans and technology continue to evolve together, it is inevitable, and possibly within 20 years, that we will have a new sentient race. A new race of human and robotic convergence. Are ‘you’ ready? Are ‘we’ ready?




Cyber Security - Sponsored

Moving the dial: measuring the relationship between the user and their activity on a machine

Executive Editor’s interview with Jeff Paine, CEO & Founder, ResponSight

By Chris Cubbage, Editor

Meeting Jeff Paine, CEO & Founder of ResponSight in Sydney, overlooking Bond Street, he soon explained why he shows so much enthusiasm and positivity. He has a unique and leading approach, and based on his 20 years’ experience, he knows it is greatly needed.

“ResponSight looks very, very, closely at the link between the user and the piece of technology they’re using,” Jeff explained. “Our differentiator is the end user behaviour, rather than just operating systems, or what the hardware and applications are doing. We know from hacker activities and knowing the behaviours of threat actors, we know they can make the machines lie when they’re compromised. I’ve also seen this over my ten years’ experience in red teaming, penetration testing and security assessing. ResponSight’s approach is more objective, by not providing machine data, but instead the relationship between the user and their activity on that machine.”

“The GDPR crystallises the fact that companies have been too comfortable collecting too much data for too long, and now they risk a spotlight shining into the shadowy corners of their data collection and management practices. The reason many enterprises have collected data historically is simply because it could be collected, not because it was necessarily needed. This has resulted in a scenario in which many organisations don’t know what data they have, where it is stored, or how to manage or delete data. The introduction of Australia’s Notifiable Data Breaches scheme places further pressure on enterprises to rapidly mature their data acquisition and management practices. My message to all businesses is to not collect data you don’t need in the first place. Further, establish strong data deletion policies so you don’t keep unneeded data after the fact, and don’t use data without consent from the data subject. If your business operates globally, rather than doing one thing for each region and legislation, look at the GDPR as the benchmark and invest in solid privacy practices. Even in the absence of regulation, the notion of data control and distribution is a growing concern for consumers, and organisations need to be on top of it.”

ResponSight comprises three key elements, the ResponSight Collector, ResponSight Aggregator and ResponSight Cloud Service, each working in conjunction. “By combining large volumes of raw numerical telemetry and selected metrics, it’s possible to build activity and behaviour profiles about users and their devices, without ever knowing who that user is or what that device is.”

The ResponSight Collector on the end point device itself is looking at pure telemetry, the metrics and numerical statistics of what the end point is doing. The design philosophy is to not collect private or sensitive data. There isn’t a need for rich and potentially sensitive data for security. It has been proposed that security and risk technologies currently collect too much data, often not required or potentially not even valid anyway. “We do all of our analytics through analysing the statistical telemetry data that comes from the hardware itself, largely ignoring the operating system,” Jeff confirmed.

The ResponSight Aggregator is a virtual machine, acting as “traffic cop” to the Collectors delivering data bundles, while integration with third party solutions, such as SIEMs, provides reporting dashboards. Because it is only statistical, the network footprint is minimised by design, making it lightweight, at less than 1Gb, with low performance requirements, at less than a VDI. “The ResponSight has a very light weight footprint and we don’t suffer a lot of the challenges you would get with more centralised technologies, that an enterprise might invest in and then have a large repository problem,” Jeff highlighted. “The lightweight nature of ResponSight still provides the high value risk profiling and risk analytics outcomes for the enterprise to make decisions.”

The ResponSight approach is also heavily focused on integration, including vendors but also service partners. As a unique analytics tool, there is broader application, with use by leading consultants and managed service providers. Jeff highlighted, “We are also working with vendor partners, where our solution is complementary. Large SIEM providers are also commonly seeing integration provides additional value from information not previously being captured. Really asking as a business - how do we apply what capability exists on the market in a way that suits our priorities and our business requirements and objectives?”

The ResponSight deliverables are not a traditional alerting scenario, but instead reports on a profile of the organisation’s risk at a point in time and over time. The enterprise can see if their investments in technology are ‘moving the dial’, in whether risk is going up or going down and even the difference between business units or location. This insight allows the focus on setting priorities for spending, resource allocation and more informed security operations.

Being a new cybersecurity start-up there is the challenge of achieving an enterprise client base. “It has certainly been an interesting space,” Jeff assured. “ResponSight is my fifth start-up and second cyber centric start-up, so I’ve had some experience. Coming from a large enterprise consulting background, I come from a heritage where you could just say the brand name and you’d get the meeting.”

Jeff’s long history in IT, cyber security and software development includes working with some of Australia’s top organisations as a virtual Chief Security Officer, advising executives and boards on security strategy, capability development and integration, and improving cyber security awareness. Jeff previously held the role of Director of Cyber with PwC and Managing Principal Security Consultant at Dimension Data, where he provided technical security and governance, risk and compliance services to large enterprise, financial services and government customers.

“We’re not in the market with an unknown name,” Jeff affirms, “we’ve been around for three years but going through a R&D process. We’re only new in the market with sales this year. Our developers and data scientists have been working hard for some time. But I do take the point that in the Australian ecosystem, there are challenges around maturity and for large enterprise to understand where they can apply technologies in a way that suits their business needs. We need to combine that with our brand awareness in the market.”

Jeff notes, “the market is not limited by size or type of organisations. Naturally, we are initially focusing on financial, critical infrastructure, energy, utilities, professional services and government. These are organisations with a large profile, with large employee bases, but are also operating outside the corporate network, or walled garden, and are often mobile and moving. There is always a challenge of containing risk in these environments and our goal is to deliver risk profiling capability and awareness to executives of large enterprise, regardless of where they’re based.”

ResponSight has been designed specifically to address the problems incurred when deploying security and risk technologies – how do enterprises get the required outcomes without actually creating another target for attack? ResponSight readily discloses what the solution is doing, how it’s designed and how it all works, with website published solution overviews and the decision-making benefits. ResponSight will also show the raw data being collected, without claims of “proprietary IP” over enterprise data, and the data is otherwise useless in another context.

The approach and design is without impact or visibility to the user; ensures a new vector for attack into the enterprise is not created; ensures there is no private or sensitive data stored on systems that could be targeted for attack; and ultimately builds a profile of enterprise risk and actionable intelligence for boards and executives to set useful priorities.

There is a free trial available for enterprises interested in taking a look and understanding more about how ResponSight will deliver outcomes. ResponSight Collector currently supports Windows 7, 8 and 10, and MacOS Sierra and High Sierra.



RISK MANAGEMENT INSTITUTE OF AUSTRALASIA

RMIA Annual Conference 2018
RISK + 2 = THE NEW NORMAL
Sheraton Grand Mirage Resort Gold Coast
31st October - 2nd November 2018

Keynote Speakers

Major Matina Jewell (Retired) CSP
Paul Chivers, Risk Advisor - “I’m a Celebrity... Get Me Out of Here!”
Dr. Hilary Lewis, Division Director, Head of Risk Culture - Macquarie Group
Deborah Goldingham, Marketing & Communications Strategist
Robb Eadie, Chief Risk Officer - BHP
Chris Gatford, Director & Founder - HackLabs
David Piesse, Global Insurance Lead & Chief Risk Officer - Guardtime

8 Topic Streams
Over 60 Speakers
Thought Provoking Panels
Networking Opportunities
30 Sponsors & Exhibitors @ The Gold Coast

FULL DETAILS @ WWW.RMIACONFERENCE.COM.AU



1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE


Get each print issue per year for only $88.00


SUBSCRIBE TODAY... DON’T MISS AN ISSUE

Yes! I wish to subscribe to the Australian Security Magazine (1 year).
AUSTRALIA: A$88.00 (inc GST), 1 YEAR
INTERNATIONAL: A$158.00 (inc GST), 1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Don’t miss an issue!

Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)
PRIORITY FAX (Credit Card Details): Australia +61 (8) 9467 9155
FREE POST: My Security Media, 286 Alexander Drive, Dianella, W.A. 6059
Email: subscriptions@mysecurity.com.au

GST: This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056



TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Latest News and Products

FLIR Introduces F-Series ID thermal security camera with built-in analytics

FLIR Systems has introduced the F-Series ID, a high-resolution thermal security camera with onboard analytics. The latest addition to FLIR’s F-Series family of premium thermal security cameras, the F-Series ID features a best-in-class 640×480 FLIR thermal sensor with up to 300 percent greater thermal sensitivity than previous F-Series models to provide crisp, detail-rich imagery in low-contrast conditions. The F-Series ID yields better image and range performance in the trusted F-Series form factor, setting the standard for critical infrastructure customers needing threat detection and alarm assessment. The F-Series ID detects potential intruders in both low and zero light conditions, and its built-in analytics classify human and vehicular targets that pose a risk. At the same time, the F-Series ID ignores innocuous targets, such as wandering animals or swaying tree limbs, that might otherwise trigger nuisance alarms. The result is more reliable detection with fewer false alarms in total darkness or through sun glare, smoke, dust, and light fog.

With five lens options, including 44, 25, 17, 12 and 8.6-degree fields of view, the F-Series ID provides wide-to-narrow coverage that reduces the number of cameras needed to monitor fence lines, perimeters, and open areas. Combined with FLIR’s custom Automatic Gain Control (AGC) and Digital Detail Enhancement (DDE), the F-Series ID offers superior image contrast and sharpness. Offering simple plug-and-play installation and automatic calibration, the F-Series ID is certified for integration with most major third-party video management systems (VMS), as well as FLIR’s United VMS. The F-Series ID’s onboard analytics can even hand off intruders to other FLIR pan-tilt-zoom cameras installed at a site for autonomous tracking, which is a significant benefit for security operation centers.

The F-Series ID comes with FLIR’s industry-leading 10-year thermal sensor warranty and three-year camera warranty and will be available for order in the second quarter of 2018 through established FLIR dealers and integrators. FLIR will demo the new F-Series ID and its entire line of security solutions from April 11 – 13 at ISC West (Booth #18059). To learn more about the FC-Series ID, visit www.flir.com/fseriesID.

The convergence of ICT and video surveillance technologies is accelerating

As more large-scale video surveillance projects, such as those for safe cities, are deployed around the world, information communications technology (ICT) infrastructure is becoming an increasingly important aspect of project implementation. Global revenue from storage equipment, which is a key element of ICT infrastructure, has been growing rapidly. According to the latest “Enterprise and IP Storage used for Video Surveillance Report” by IHS Markit, global revenue from storage used for video surveillance is forecast to grow at a compound annual growth rate of 17 percent, from $6 billion in 2016 to $13 billion in 2021.

Dell EMC, Huawei, NEC, Motorola and other traditional ICT vendors have entered the video surveillance market, either with solutions based on their ICT strengths or through the acquisition of video surveillance companies. At the same time, traditional video surveillance vendors have started to offer ICT products to complement their video surveillance solutions. For example, Hikvision announced its AI Cloud concept at CPSE 2017, and Dahua and NetPosa showcased their video-structuring servers at the same trade show.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media


New transformational technologies drive the convergence trend

Deep-learning-based video surveillance analytics promise to generate more metadata that was impossible to generate in the past. Evolving IoT applications with dynamic connected sensors demand faster and more powerful computing platforms. Cloud architectures are being adopted to enable data to be shared more easily and across much larger, more complex networks. All these new transformational technologies are changing not only the video surveillance portfolios, but also the rules of the game.

Convergence leads to new business models

One major implication of this convergence is that traditional video surveillance business models are likely to be influenced by concepts from the ICT industry. For example, an open hardware platform with a related software ecosystem is a typical ICT concept. Huawei is now introducing this concept to the video surveillance industry. In March, the company announced its software-defined camera (SDC) concept, claiming it will enable diversified video analytics algorithms, developed by the independent software vendors (ISV) ecosystem, to run on one camera. According to Huawei, SDC will decouple the software from its hardware, based on its open operating system, open integration framework and unified algorithm management platform on the cloud. It will be interesting to see whether the SDC model is able to run like a smartphone, with a unified operating system, plus dynamic app ecosystem.

Figure: Global market for VSaaS

Video surveillance as a service (VSaaS) and video analytics as a service (VAaaS) are two more ongoing examples of ICT changing traditional video surveillance business models. These two technologies offer vendors the possibility of generating regularly recurring revenue, a concept commonly used for ICT.

The bottom line

The video surveillance market is becoming increasingly intertwined with other industries. Where there were once dedicated security distributors and integrators, now there are ICT and telecoms suppliers competing for business. Where there was once traditional analog cabling between devices, now there is advanced ICT infrastructure integrating numerous IoT devices across the network. Fundamentally, companies embracing emerging technologies, and developing leading infrastructure and networking skill sets, will be well placed to win business, as ICT infrastructure and concepts play an increasingly important role in video surveillance systems.

Driving growth in Australia’s cyber security sector

From ideation to export, and everything in between, AustCyber works with:
• Startups
• Venture capital funds
• Scale-ups
• Government agencies
• Corporates
• Research organisations
• Educational institutions.

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access:
• Funding across all stages of the commercialisation cycle
• Profitable global supply chains and growth markets.

The first step is to connect with us: www.austcyber.com | info@austcyber.com | +612 9239 3250 | @AustCyber


JASK expands platform beyond SIEM to transform how SOC operators visualize cyber attacks

JASK, the provider of the industry’s first Autonomous Security Operations Center (ASOC) platform, is capturing industry demand with new features centered around enterprise-wide alert linkages and analyst workflow efficiency. Major enhancements include the JASK Navigator, a visually-driven, contextually-rich investigation console that provides SOC analysts a one-click path to situational attack awareness; multi-asset data ingestion; query flexibility; and analyst team workflow support.

“Through our discussions with both partners and customers one thing has become crystal clear, the SOC of the future will not rely heavily on legacy SIEM technologies,” said V.Jay LaRosa, VP Global Security Architecture, Chief Security Architect at ADP. “There are a lot of cybersecurity solutions and technologies promising ways to get more out of technology investments, and JASK is maniacally focused on truly addressing enterprise-wide alert prioritization, context and visibility by focusing on analyst workflows.”

JASK ASOC Built to Streamline Analyst Jobs

Since launching the platform in July 2017, JASK’s vision has been to deliver an asset-independent, open platform that enables an autonomous workflow of what, where, why and how analysts should take action. Using artificial intelligence (AI) and machine learning as its base engine, the platform is built for broad and smarter data ingestion to reduce costs and bandwidth without losing context. With its latest enhancements, the JASK ASOC platform improves visibility through unique mapping of data to records linked across devices, users, networks, applications and almost any third-party data source.

“JASK understands the urgency CISOs have placed on consolidating and integrating security operations technologies,” said Jon Oltsik, Distinguished Analyst and Fellow at Enterprise Strategy Group. “By seamlessly fitting into existing environments, offering an intuitive user interface and reducing the overwhelming volume of alerts, JASK is addressing the top concerns SOC teams report.”

JASK Navigator Console and Enhanced Team Workflow

JASK Navigator is an elegantly simple, visually-driven investigation console that equips analysts with an actionable view of JASK Insights, prioritized notifications of data that indicate a combination of events or activities that should be investigated, with all the associated signals and alert information that led to its delivery. Investigations are streamlined and logical, offering SOC teams one-click access to better prioritized insights and faster paths to resolution.

To further support enterprise analyst workflows, JASK is also developing team support via customizable workflow queues within the ASOC platform. This allows customers to represent user groups or teams in order to assign the triage of JASK Insights. The enhanced workflows allow teams to easily adjust the Insights stage, providing improved visibility into the overall status of all assigned tasks. JASK also allows analysts to assign and visualize alerts from existing security solutions by user, team and status.

“The attacker is winning in today’s constantly changing threat landscape. The SOC is no longer human-scalable,” said J.J Guy, CTO of JASK. “A flexible platform that focuses on analyst workflows to improve efficiency is a critical step forward in offering SOC teams immediate visibility and context. We must stop building our teams to support technology, and build technology to support our teams.”

Off to a strong start in 2018, JASK doubled its customer base in the first quarter of 2018, adding enterprises spanning higher education, financial services, healthcare and retail. Additionally, the company continues to support existing security operations workflows through partnerships and specific integrations with leading solutions in cybersecurity, including Cylance, Demisto, Carbon Black, Microsoft Active Directory, Splunk, ArcSight, among many more. For more information on the JASK ASOC platform, please visit https://jask.ai/solutions/product/.

About JASK

JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on the highest-priority threats, streamlining investigations and delivering faster response times. www.jask.ai

Apstra deployed with Dell EMC and OPX by Awnix in open IaaS network infrastructure in Tier 1 service provider cloud

Apstra has announced that Awnix, a leading provider of cloud services and products, has deployed the first AOS® supported deployment of OpenSwitch (OPX) on Dell Z9100-ON switches in a Tier 1 service provider production network. The telecom service provider deployment includes a combined solution as part of a hybrid cloud for OpenStack Deployments and is part of an open IaaS network infrastructure offering.

The Awnix, Dell EMC, Apstra solution provides a cloud platform that meets the needs of both internal and external users at the telecom provider. The solution includes the features and ease of use desired by the service provider, while increasing control, auditability, security, and ease of management. The outcome is lower cost—beyond what is available from public cloud service providers or proprietary on-premise alternatives.

“The Z9100s are amazing. In fact, the entire line of Open Networking switches from Dell EMC is phenomenal – and Apstra’s AOS software is the best management and monitoring tool I’ve seen for networking in decades,” said Rick Kundiger, Awnix CEO. “100Gb is the new 10Gb; big brands are the past; cost effective devices and tools, security, and reduced lock-in are in now. In today’s highly competitive cloud and IoT space, companies that can iterate faster for less will win. By combining our cloud with Dell EMC’s switches and Apstra AOS for management, we can help customers achieve that desired win.”

“Dell EMC’s Open Networking initiative is about choice and flexibility, without a compromise on technology,” said Drew Schulke, Vice President Dell EMC Networking. “With OpenSwitch, Dell EMC Networking expands its Open Networking strategy to Open Source Networking enabling Awnix to combine OPX with Apstra’s AOS to give unparalleled value and flexibility to the customer.”

“Apstra’s AOS provides scalable vendor-independent intent-based automation of the entire life cycle of network services – from day zero, to day one, to day two and beyond – including change operations, as well as advanced intent-based analytics for unmatched reliability, visibility, and troubleshooting ability,” said Mansour Karam, CEO and Founder at Apstra. “As new products become available, they can be incorporated seamlessly without having to change operating procedures. Apstra is pleased to collaborate with Dell EMC and Awnix to deliver the first AOS support for an OPX cloud deployment in a Tier 1 service provider production network, providing greatly enhanced agility, reliability and reduced cost.”

The Dell EMC Open Networking strategy helps customers innovate network operations for greater business agility. Dell EMC Open Networking allows customers to choose from a rich set of open network operating systems and software applications for greater automation, security, analytics, and ultimately greater flexibility. With Dell EMC Networking, customers can break vendor lock-in and embrace innovation that drives out complexity and can lower the total cost of ownership.

About OPX

The OpenSwitch platform is an open source, Linux-based network operating system (NOS) for disaggregated switches built around OCP-compliant hardware, utilizing an open network installation environment (ONIE) boot loader. Developers can build on reliable and modern architecture to create unique networking features and applications using an agile development approach for faster development and more stable applications with fewer post-release defects.

About AOS

AOS® delivers a turnkey Intent-Based distributed operating system and a data center application suite that offer game-changing network service agility, increased uptime and dramatically improved infrastructure TCO. AOS automatically prevents and repairs network outages for dramatically improved infrastructure uptime. It operates a network as one system, massively improving infrastructure agility while reducing operational expenses. AOS’ distributed data store is a repository of all intent, configuration, and telemetry state, and hence acts as a single source of truth for your network. Its self-documenting nature streamlines compliance tasks. AOS is hardware-independent and works across all major vendors as well as open alternatives.

Awnix

Awnix is a leading provider of cloud services and products that provide organizations with a fast and easy way to transition away from expensive legacy virtualization platforms, and towards a secure private cloud to run their virtual servers, containers, and virtualized network functions. Awnix’s products and services include the Advanced Rival Cloud (ARC), a turnkey cloud platform customized to meet each organization’s unique needs and budgets, ARChive Restore, Backup, and Disaster Recovery software for OpenStack, ARCmon for cloud alerting and monitoring, and 24×7 support and cloud management services. Awnix has been delivering secure private cloud products and services since 2014 and its main offices are in Austin, Texas and Kansas City, Missouri.

About Apstra, Inc.

Apstra® pioneered Intent-Based Networking and Intent-Based Analytics™ to simplify how data center networks are built and operated. AOS® increases business agility through an autonomous or Self-Operating Network™ that delivers log-scale improvements in CapEx, OpEx and capacity. AOS is a hardware-inclusive, closed-loop intent-based distributed operating system that automates the full lifecycle of network operations and enables the network to configure itself, fix itself and defend itself. Apstra is based in Menlo Park, California and is privately funded.

INNOVATE

HOW ARE YOU MANAGING YOUR CYBER RISK?

Attend the most comprehensive cyber conference in Australia! Participate in business tracks free of technical language, hear from international thought leaders in cyber and engage in workshops and training to equip you with a better understanding of how you can manage this risk.

Register now at cyberconference.com.au. From only $275. Save up to $825 on conference fees by becoming an AISA member today and access the many benefits received by our membership network.

AUSTRALIAN CYBER CONFERENCE, OCT 9-11 2018

BROUGHT TO YOU BY aisa.org.au


REPORT REVIEW | by CHRIS CUBBAGE

Deterrence in cyberspace
Spare the costs, spoil the bad state actor: Deterrence in cyberspace requires consequences
Chris Painter
Policy Brief Report No.4/2018

POLICY BRIEF: DETERRENCE IN CYBERSPACE – Spare the costs, spoil the bad state actor: Deterrence in cyberspace requires consequences
Australian Strategic Policy Institute, Chris Painter
www.aspi.org.au/report/deterrence-cyberspace

In follow up to ASPI’s previous Policy Brief No. 3 on Cyber Offensive Capability (and our April/May edition), this is a subsequent body of work which continues the work of ASPI’s Cyber Policy Centre. As the report cover suggests, ‘spare the costs, spoil the bad state actor: Deterrence in cyberspace requires consequences.’

Deterrence in cyberspace is a complex issue. One of the most widely cited reasons for the lack of action is the actual and perceived difficulty in attributing malicious cyber activity. An effective deterrence framework involves strengthening defences (deterrence by denial); building and expanding the consensus for expectations of appropriate state behaviour in cyberspace (norms and the application of international law); crafting and communicating—to potential adversaries, like-minded partners and the public—a strong declaratory policy; timely consequences, or the credible threat thereof, for transgressors; and building partnerships to enable flexible collective action against those transgressors.

The key recommendations are:

1. Shorten the attribution cycle. Making progress on speeding technical attribution will take time, but delays caused by equity reviews, inter-agency coordination, political willingness, and securing agreement among several countries to share in making attribution are all areas that can be streamlined. Often the best way to streamline these kinds of processes is to simply exercise them by doing more public attribution while building a stronger political commitment to call bad actors out.

2. If attribution can’t be made or announced in a fairly brief period, couple any later public attribution with at least one visible responsive action. Attribution six months or a year after the fact with the vague promise of future consequences will often ring hollow, particularly given the poor track record of imposing consequences in the past. When attribution can be made quickly, the promise of a future response is understandable, but delaying the announcement until it can be married with a response may be more effective.

3. Mainstream and treat cybersecurity as a core national and economic security concern and not a boutique technical issue. If cyberattacks really pose a significant threat, governments need to start thinking of them like they think of other incidents in the physical world. It is telling that Prime Minister Theresa May made public attribution of the Salisbury poisonings in a matter of days and followed up with consequences shortly thereafter. Her decisive action also helped galvanise an international coalition in a very short time frame. Obviously that was a serious matter that required a speedy response, but the speed was also possible because government leaders are more used to dealing with physical world incidents. They still don’t understand the impact or importance of cyber events or have established processes to deal with them. Mainstreaming also expands and makes existing response options more effective.

4. Build flexible alliances of like-minded countries to impose costs on bad actors. A foundational element of this is improving information sharing, both in speed and substance, to enable better collective attribution and action. Given classification and trust issues, improving tactical information sharing is a difficult issue in any domain. However, a first step is to discuss with partners what information is required well in advance of any particular incident and to create the right channels to quickly share that information when needed. It may also require a re-evaluation of what information must absolutely be classified and restricted and what can be shared through appropriately sensitive channels.

5. Improve diplomatic messaging to both partners and adversaries. Improved messaging allows for better coordinated action and serves to link consequences to the actions to which they’re meant to respond. Messaging and communication with the bad actor while consequences are being imposed can also help with escalation control. Of course, effective messaging must be high-level, sustained and consistent if the bad actor is to take it seriously. Sending mixed messages only serves to undercut any responsive actions that are taken.

6. Collaborate to expand the toolkit. Work with like-minded states and other stakeholders to expand the toolkit of potential consequences that states can use, or threaten to use, to change and deter bad state actors.

7. Work out potential adversary-specific deterrence strategies. Actual or threatened responsive actions are effective only if the target of those actions is something that matters to the state in question, and that target will differ according to the particular state involved. Of course, potential responses should be in accord with international law.

8. Most importantly, use the tools we already have to respond to serious malicious cyber activity by states in a timely manner. Imposing consequences for bad action not only addresses whatever the current bad actions may be but creates a credible threat that those consequences (or others) will be imposed in the future. We must change the calculus of those who believe this is a costless enterprise. Imposing effective and timely consequences for state-sponsored cyberattacks is a key part of that change.


OUR MEDIA CHANNELS

Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Your one-stop shop for all things CCTV, surveillance and detection technologies

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 30 interviews and provides regular updates, news, trends and events. Available via Apple & Android

TUNE IN NOW!


ASIAL SECURITY CONFERENCE
25 – 27 JULY 2018
SECURING INNOVATION
MELBOURNE CONVENTION + EXHIBITION CENTRE

The 2018 Security Exhibition + Conference: Powered by ingenuity and invention, showcases the latest technology and cutting edge thinking. From physical and electronic solutions, to biometrics and cyber security. Australia’s largest security event offers three days of business networking and intelligence sharing. Take a first-hand look at what’s next for the security environment including intelligence on managing threats and identifying risks.

Your annual opportunity to receive fundamental updates from the organisations shaping today’s security landscape.

HEADLINE SPEAKERS
Dr Lisa Warren, Clinical/Forensic Psychologist and Founder of Code Black Threat
Philip Dimitriu, Director of Systems Engineering, Australia and New Zealand, Palo Alto Networks
Arye Kasten, Chief Executive Officer, M.I.P Security
Danny Baade, Head of Security, Gold Coast 2018 Commonwealth Games Corporation
Commander Geoffrey Smith, Tasmania Police
Jim Fidler, Director, Secure Events & Assets P/L
David Crompton-Guard, Business Continuity Manager Safety, Security & Resilience, Metro Trains

INNOVATIONS AND INVENTIONS
Discover new products from 300 leading Australian and international brands including:

CELEBRATE YOUR INDUSTRY
Make new connections and celebrate with colleagues at the ultimate networking evening – the Security Gala Dinner, held in partnership with ASIAL. For a less formal option, continue meaningful business conversations at the Networking Drinks.

BOOK NOW TO AVOID DISAPPOINTMENT
Conference Passes, Gala Dinner and other networking event tickets are available to purchase

EXHIBITION HOURS
Wed 25 July 9:30am–5:00pm
Thurs 26 July 9:30am–5:00pm
Fri 27 July 9:30am–3:30pm

CONFERENCE HOURS
Wed 25 July 9:00am–5:00pm
Thurs 26 July 9:00am–3:30pm
Fri 27 July 9:00am–3:30pm

T + 61 3 9261 4500 E securityexpo@divcom.net.au

FREE EXHIBITION REGISTRATION – securityexpo.com.au

#security2018 | secexpo | @Security_Expo | Security Exhibition & Conference

