Australian Security Magazine / Chief IT
www.ChiefIT.me | Nov/Dec 2016
Cover: National Security & Legislative reform for IoT
Also in this issue: Martin Place Siege Inquest; Digital technology versus national security threats; Stats man & the sea (professional profile); Deception detection Part 2; The great submarine leak: China's underwater great wall; Incident investigations; TechTime, Quick Q&A, Cyber Security and much more. $8.95 inc. GST.
Cyber Security: Do we have IT right? Perth Conference 2016, 25th November, Crown Perth.
Contents

Editor's Desk, p. 5
Quick Q&A with Kevin Mitnick, p. 6
Quick Q&A with Bruce Schneier, p. 8
Quick Q&A with Alistair MacGibbon, p. 10
Quick Q&A with Rik Ferguson, p. 11
Singapore Cyber Security Updates, p. 14

International
The economics of security, p. 18
Combating financial fraud: How to save billions with a text, p. 19
The non-nerd guide to Bitcoin and Blockchain, p. 20
The great submarine leak, p. 22
Completely at sea, p. 26

Corporate Security
What really happened, p. 28
Digital technology vs national security threats, p. 30
Worrying statistics: Inaugural cyber security survey for Australia, p. 32

Cover Feature
Artificial intelligence & cybersecurity, p. 34
Without security the internet of things is doomed and could kill millions, p. 36
National security reforms needed before the internet of things, p. 38
Scalable optics: New lanes laid for the internet of things super highway, p. 41

Cyber Security
What's causing the cybersecurity skills gap?, p. 46
India's cyber trauma, p. 49
Fighting financial cybercrime with data, p. 52

Women in Security
Championing for open source collaboration, p. 54

Advertorial
Obstinately clinging to iconic obsolescence, p. 56

TechTime: the latest news and products, p. 59
Editor's book review, p. 64

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Editor: Tony Campbell
Art Director: Stefan Babij
Correspondents* & Contributors: James Wootton, Fraser Duff, Josh Kennedy, Steve Cotrell, Tony Campbell*, Adeline Teoh*, Sarosh Bana*, Sophie Zadeh

Marketing and advertising: T +61 8 6361 1786, promoteme@australiansecuritymagazine.com.au
Subscriptions: T +61 8 6361 1786, subscriptions@mysecurity.com.au

Copyright © 2015 My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T +61 8 6465 4732, E info@mysecurity.com.au, editor@australiansecuritymagazine.com.au. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Connect with us: www.facebook.com/apsmagazine, www.twitter.com/apsmagazine, www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about, www.youtube.com/user/MySecurityAustralia
Our network: www.asiapacificsecuritymagazine.com, www.malaysiasecuritymagazine.com.au, www.drasticnews.com, www.australiansecuritymagazine.com.au, www.cctvbuyersguide.com
Editor's Desk
IT executives take pause as technology vendors queue up outside your door

The global political stage is certainly an interesting spectacle for the rest of us to witness. With Trump and Clinton at each other's throats, Putin posturing against what he claims are unfounded allegations of Kremlin hacking of the U.S. election process, and a variety of news stories telling us that World War III is just around the corner, we are certainly living in a volatile time. The business of information technology is not much different. Cloud computing, big data, bring your own device, mobility, cyber this, cyber that and, of course, those scary and sophisticated hacker organisations that appear more advanced and more capable of launching an attack than the Mysterons, have IT executives scratching their heads and wondering which way to turn. The complexity of the modern computing environment, especially at enterprise scale, makes it hard to map capabilities back onto the business, because there is too much choice. How can IT executives make the best decisions for their organisation, given the amalgamation of media hype and the continual bombardment of marketing advice from companies overselling their products' capabilities based on their own skewed perspective of the business world?

It's time to stop opening the door to vendors until you have properly assessed your own needs and built a model of your enterprise architecture that lets you map true business requirements to technologies and processes. If you are truly looking for disruption in your own market, then look into your organisation, look at what you do today and ask yourself what your customers really want. Steve Jobs didn't ask developers what cool technology they could build for Apple; instead he looked at what people needed and pitched those capabilities to the business as a disruption of the world's consumer technology market.

Technology and services have their place in our businesses, that goes without saying, but they need to be purchased and implemented against true requirements that align with your business strategy over the coming years. Many businesses today are jumping to the cloud to achieve a variety of short-term wins, such as switching capital expenditure to operational expenditure, which in itself can be a useful thing to do, if that's how you would rather account for your IT spend, but have you properly weighed up the risk of relying on a third party to run all your technology? There are hundreds of cloud services available globally, with a sliding scale of utility and warranty available to purchase, from the very basic to the highly advanced. However, the recent denial of service attacks on the U.S.-based DNS provider Dyn show that cloud services still depend on DNS, a legacy protocol that has been in place for over 30 years and was never designed to withstand abuse at this scale; when a shared dependency like that fails, every service built on top of it fails with it, however well each provider runs its own platform. These attacks also show that we are at the mercy of attackers who are exploiting 'Internet of Things' gadgets to hit whomever they decide is a target. When Brian Krebs' website was hit with what was then one of the largest DDoS attacks on record, it showed the power cybercriminals can wield to silence those who oppose them. In the hands of an oppressive government, or in wartime, this kind of denial of service attack could easily cripple the communications capabilities of national critical infrastructure.

IT executives need to take pause and remember that their business is what should drive their purchasing decisions, and that the business's strategy is what they are there to support. Leave the vendors at the door and plan for the utility and warranty of your own business's objectives before you consider the equivalent value of the technology vendors queued up outside.

Yours sincerely,
Tony Campbell
Executive Editor
Quick Q&A ....with Kevin Mitnick

Internet hacker and now cyber security expert Kevin Mitnick is in Australia in November for a conference in Sydney and Melbourne with business leaders, where Kevin will talk about security risks and issues in the modern business environment and how best to manage and combat such risks.

Editor - What is your view of Open Source and the development of open source white hat communities? Do you see the need for these to be developed better, faster or with higher reward components as we move towards the Internet of Things?

Kevin Mitnick (KM) - I do like Open Source and I do believe that these communities should be expanded, but there is no management of these things as they are run on a completely voluntary basis. As far as moving faster and increasing rewards on open source projects, no one is really getting paid per se, so the reward is really just being a contributor. Maybe by creating additional incentives, it might make that particular community grow faster.

Editor - We're not seeing the notoriety of black hat hackers as we once did; rather we see the rise of particular hacker groups, such as Anonymous. Can you explain why this might be? Is it that the complexity of systems limits individual hacker capabilities, or is the risk of capture greater?

KM - We do actually hear stories about individual hackers in the press all the time; we may not necessarily know their names but we do see their actions, usually for fraud or theft for example. Individuals from Russia have recently been indicted in cases. Anonymous is really a kind of idea, rather than an organised group, and people will jump on the bandwagon because they believe in a particular cause. I think because Anonymous have had a lot of press due to some of its stunts, like hacking into police stations and hacking some of its officers, they have done a lot of brazen attacks, so it garners a lot of press. I also see an equal amount of press on other types of hacking activity as well.

Editor - What can law enforcement do to better prevent and detect cybercrime, rather than the traditional approach of waiting for a report to be made and responding to a cybercrime report?

KM - The problem is it's not that law enforcement can't do anything, or if a government starts regulating private sector businesses and becomes the watchman, so to speak; I really don't see that happening. It is really just individual businesses that have to develop and mature their security programmes well enough that they become a difficult target, so that the attackers then go after the easier targets. The government could improve its investigations by using different tools and techniques to track the perpetrators down. Nowadays attackers could use TOR, which is a system designed by the US Naval services to anonymise Internet searching to protect journalists and dissidents and that sort of thing. It is also used by hackers to mask their IP address. For example, what we call the 'dark web', and what exists on the dark web is a lot of criminal activity. The Silk Road site is an example of this; it was an online drug emporium, and eventually the FBI got its man. The details of how they did this have not been made public, but it could have been by a vulnerability in TOR. It is actually hard to track down the perpetrators if they really know what they are doing; if they are sloppy and unsophisticated then it is quite easy.

Editor - Do you see law enforcement and government security services developing their cybersecurity skills at the necessary pace to stay ahead of the curve, or do you think they will always be a few degrees (or more) behind the curve? How much of a gap do you currently see?

KM - The problem is that the government and public sector do not pay as well as the private sector, so it is difficult to attract talent into this area. This will only change if governments pay enough to attract the right people.

Editor - How do you view the moral implications of your background, given your criminal activities have been turned towards making a profit, and how do you think we can turn younger people to the white hat community before they start black hat activities?

KM - Well, I do have a unique past. I am not profiting off my criminal activity now; I am profiting off all the good things I am doing today. I run a company that finds system vulnerabilities before the bad guys do. I am also the owner of a company where we do security awareness training and automated phishing against our clients so that they can better protect their business against social engineering attacks. I did illegal stuff back 20 years ago, but now my notoriety is resulting from the good things that I am doing. Today it's a lot different to back in the 80s and 90s, when I started. Now there is cyber security taught in schools and universities, so it's a better environment now to teach and instruct students that will hopefully become cyber security professionals; nowadays there is coursework and available programmes to help those people do it in a moral and ethical way.
Quick Q&A ....with Bruce Schneier
Cybersecurity Guru Bruce Schneier

Cybersecurity guru Bruce Schneier, author of 'Data & Goliath', a New York Times bestseller, discussed the Internet's resiliency and China's suspected cyberattacks against major US companies.

NOTE: The day following this interview an attack occurred against Dyn, a domain name service provider, that disrupted access to high profile sites such as Twitter, Spotify and the New York Times. Attackers took over tens of millions of devices using malicious software called Mirai.

Bruce Schneier, aged 53 years, is an American cryptographer, computer security and privacy specialist, and author. Having written several books on general security topics, computer security and cryptography, his latest book, 'Data & Goliath', is not only a best seller but a MUST read! Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School and a program fellow at the New America Foundation's Open Technology Institute. He has been working for IBM since they acquired Resilient Systems, where Schneier was CTO. He is also a contributing writer for The Guardian news organization.

Editor - I read some of your comments recently about the DDoS attacks and there were questions around the testing and resilience of the Internet. So I'm seeking your thoughts on who may have been testing the Internet and its vulnerability?

Bruce - It was the first story that I have written that has a lot of unsubstantiated rumours; I was told these things by some companies and I wrote about them because nobody else had. These were about a particular style of DDoS attack against large infrastructure companies, that look like someone very much testing the defensive capabilities of these companies. Now I can't name the companies, but there was this Verisign report on DDoS which confirmed that what they were experiencing mirrored exactly what I was told (Verisign Distributed Denial of Service Trends Report). So that's the public information. Since I wrote that article, I was approached by two other companies that said yes, we are seeing this too. So this is pervasive. The companies, including Verisign, think it comes from China. China is, for some reason, testing these DDoS capabilities. They are not taking down any of these sites. It's hard to know why they are doing it; it's hard to know how effective it could be and would be. Is it a diversion or is it simply some kind of cyber war unit just running tests? It reminded me very much of the US actions during the Cold War, of flying planes high over the Soviet Union and watching their air defences turn on to learn about capabilities. It felt like that.

Editor - Do you think it correlates to other military manoeuvres?

Bruce - I don't know any of that; I don't know enough to make that connection. All I know is that for the past year and a half, this has been happening to these large Internet infrastructure companies.

Editor - When you say it's being sourced from China, there are other activities being sourced from Russia, according to the US. What do you think of that?

Bruce - This is bigger than that. It's longer term. This isn't something happening this week or this month; this has been going on for a year and a half, off and on.

Editor - Is the attack methodology the same? Is the Internet something they can actually break?

Bruce - I don't know. So far, the companies that have been victims, Verisign included, have adequate defences to defend against these attacks. Could it work? I don't know. Would you want to do it? I can't tell! It wouldn't be permanent.

Editor - Is this the kind of thing nation states or terrorists might be preparing to use, such as during a 9/11 style attack?

Bruce - When you think about nation states using DDoS, it has to be in conjunction with something else. So, you can easily imagine China using it on themselves when there is a Tiananmen Square level of political unrest. Like Turkey, lots of countries censor themselves during times of political unrest. You can imagine a country like China doing this against Taiwan for some reason. My guess is it is just done as some testing capability. The companies involved were US companies, so I spend a lot of time with the Harvard Kennedy School and a lot of people there are working on cyber war; the Americans and occasionally the UK and other 'five eyes' countries come in and test our cyber warfare readiness. That's what military officers do, they plan for war, and it's my guess that it's Chinese military officers that are doing this; like ours, like yours, like everybody's, they are planning for war. And this is one of the things that is being done in the eventuality. I think it is a risk!

Editor - So you wouldn't be surprised if you saw these attacks, or stress tests, as a component of major military exercises?

Bruce - No, it probably wouldn't be that correlated. No, it's a separate unit. This is going to be the cyber unit, who is all the way off over there. They're not the same unit that runs submarines or does tank manoeuvres; they are the cyber people.

Editor - You don't think they would be thinking at that scale?

Bruce - They might be thinking like that but the tests wouldn't be correlated, because why bother?

Editor - Or it would be setting off too many red flags?

Bruce - A lot of what I am saying here is pure speculation. I saw this pattern and I thought we should make this public. I have been trying to get these companies to talk on the record; there is no shame here, but with the exception of Verisign, they never talked to me, but they published that report and I link to that in my article.

Editor - This leads me to the Internet of Things. What's your view there?

Bruce - That's the Brian Krebs story. Brian Krebs was attacked by digital video recorders, CCTV cameras, vulnerabilities in random devices, not computers.

Editor - That is something I was interested in. Princeton did some research on this, to find out how many devices are out there with just default root passwords, and there were about 13% of all devices on the Internet that were vulnerable.

Bruce - It's really bad. The article I wrote after the Krebs attack is worth reading. I talk about the difference in the economics that means it's not going to be like this [holding up his smartphone]. There is an entire team of security researchers that make sure this [smartphone] is secure. There is no such team for DVRs, and this thing gets patches every month, or every week! The DVR never gets patched, and I throw this away every 18 months and buy a new one.

Editor - Thanks Bruce. Can you please sign my copy of Data & Goliath?

Get your copy at www.schneier.com/books/data_and_goliath/
Quick Q&A ....with Alistair MacGibbon
Cybersecurity Advisor to the Prime Minister of Australia

Alistair MacGibbon, Cyber Security Advisor to the Prime Minister of Australia, speaks with Executive Editor Chris Cubbage at the Australian Information Security Association (AISA) National Conference 2016, Sydney.

EDITOR (E) - Are you getting good engagement with Prime Minister Turnbull and his office?

Alistair MacGibbon (AM) - Yes, it's great. The level of political interest in cyber security, in my experience, and I've been in this game since the 2000s, has had a significant up-tick. So I have regular involvement with senior politicians and senior bureaucrats and the level of interest is fantastic.

E: Do you find the role frustrating at all? Are they taking cyber security as seriously as they should?

AM: Yes, the launch of the Cyber Security Strategy in its own right by the Prime Minister, and bringing the strategy into the Prime Minister's own department, are signs of how seriously it is being taken in Canberra.

E: You've been in your role for only four months; what have been some of the key challenges for you?

AM: Well, I prefer to see it as what key opportunities there have been. I think what happened to the Census was actually an opportunity for the Government. It was a disappointment and frustration, absolutely, but also an opportunity to take something that was clearly very frustrating but not catastrophic in terms of what actually happened and parlay that into the thinking of government in the delivery of other government digital service delivery. So I look for opportunities out of what are otherwise unpleasant circumstances, and the Census was one of those unpleasant circumstances. So the opportunity is for a better dialogue around better digital service delivery from a Government perspective and indeed to engage the public as to what their expectations are of Government.

E: Were you engaged at all for the Energy Security meeting held by Josh Frydenberg, and do you see opportunity there, because if they were to consider major power outages, these could also be instigated by cyber-attacks?

AM: No, but I would answer that by saying critical infrastructure, of which the energy sector is a key part amongst the critical infrastructure sectors, is vital. If we don't get critical infrastructure protection right, it is where the most catastrophic things can go wrong. There is a relationship between various critical infrastructure sectors, because water is vital to power, power is vital to water; they all interlink. You take an all hazards approach: be it against fire, high wind or a cyber-attack that takes you offline, you are offline. Cyber is only a vector, but I would say it's a vector that has increased in importance across those various sectors and we need to increasingly turn our mind to how cyber based threat vectors will play across critical infrastructure. We shouldn't lose sight that we should still take an all hazards approach for business continuity and cyber-ability. I still see our greatest risk as our greatest opportunity.

E: Do you have much to do with the State Governments, rather than just the big beast of the Commonwealth Government?

AM: My role is supposed to have a national capacity as opposed to just a federal government perspective. I've been in active discussions with a number of states bilaterally and all of the states at times in larger forums. There is huge opportunity there because the states are the main service delivery vehicles for the country.

E: Mandatory reporting was introduced to Federal Parliament on 19 October 2016. Was there any particular hold up to this legislation, and what are your views on the legislation?

AM: It's clearly a matter for the politicians, but I've always been a supporter of mandatory data breach reporting and see advantages in it. It's now up to parliament to look at what form that takes, if at all, but certainly in my experience what industry is after is just knowing what the new level playing field is going to be.

E: Did you have much to do with the ACSC Threat Report 2016?

AM: I'm certainly aware of it and did quite a bit of media associated with it. The report's objective is to provide more information about the type of threats the Commonwealth is seeing by giving case studies and advice on remediation. I think it was a positive step in the increasingly transparent way the Commonwealth is doing its business. If we want industry to disclose then the Commonwealth needs to disclose. If we want industry to change the way it's doing business then we need to show the Commonwealth is prepared to as well.

E: Why then is the legislative process so slow? One of the areas we have been covering is national security; we mentioned a snap Minister's meeting on Energy Security, and we are still dealing with state based legislative models for physical security. Cyber security consultants are breaching state based legislation in the physical security realm when they look at access control or physical security, say under the ISO 27000 Information Security Management Standards, and I'm wondering why we have two models of legislation still remaining?

AM: That is an interesting question. So you're really talking about the regulation and standardisation of advice. It is not an issue I've really thought of. I would say if it improves outcomes then you look at those things, and if it doesn't, maybe it's changing the old industries.

E: This issue was raised with the Victorian Police Minister and she declined to change their legislation and openly admitted that regulating the information security industry in the same way they attempt to regulate the physical security industry would be overly burdensome. So my question is, what about new technologies emerging? Will security robots be subject to any form of regulation and legislation?

AM: No, but these are very interesting questions. I've been a strong advocate for industry led improvements in the cyber security industry, so whether it's an association like AISA or whether it's CREST for penetration testing, working out what the best practice is and buying services from people who are recognised as having certain skill sets. In what is otherwise a pretty unregulated space, membership of professional bodies and the requirements set by those bodies might be the better way of looking at this.

E: Do you think the cyber security sector needs to be regulated?

AM: Well, I'm neutral on it. I think that businesses will buy services from people who provide the right services and the market will sort itself out. Having said that, I used to run CREST in Australia as the Chief Executive Officer and it was a voluntary industry association that would test people's skills and certify those skills. It would also look into the companies that employed those people. There were national police clearances as part of the process, and it went some way to providing a level of assurance to customers.

E: I don't understand why, as a physical security consultant, I'm restricted from operating nationally whilst an information security consultant is not. Don't you see the convergence of physical and cyber coming together?

AM: They are inextricably linked. If your front door isn't locked then someone can enter and plug into the backend of your network. I have nothing to do with the regulation or otherwise of physical security, but I can only say in a cyber security sense I am all for the increase in professionalisation. The question I would ask the physical security world is: does the current regulatory system actually improve the service delivery for customers who are buying those services? That is the question that should always be asked of any regulatory system.

E: Thanks Mr. MacGibbon!
....with Rik Ferguson From Trend Micro Trend Micro’s Rik Ferguson discusses liaison with International Law Enforcement Agencies and the two leading online scams, CEO Fraud and Ransomware. E: Can you give us some insight into Trend Micro’s relationship with Europol and Interpol, and law enforcement in general? Rik - My work with Europol is part of an International cyber security advisory group. Europol and Interpol has reached out to the private sector and industry so they can expand their domain expertise and their reach. Obviously they’re very tightly involved with the European national law enforcement agencies (LEAs) and act as a coordinating body for the LEAs. They understand there is a wealth of intelligence and information that can be gleaned from the private industry to help out and they coordinate those relationships. Though organisations like Trend Micro do also have one to one relationships with pretty much every local law enforcement body
anyway, such as the National Crime Authority (UK) and Dutch High-Tech Crime Unit. Trend Micro also has one full time staff member at Interpol’s Cyber Innovation Centre in Singapore. While in Sydney for the AISA National Conference I was in a meeting with NSW Police but it is more our Australian Trend Micro personnel, such as John Oliver who will be liaising with Australian LEAs. John is part of the FTR (Forward Threat Research) teams and this team as a whole is responsible for managing the operation for LEAs. E: How does the relationship work, are you assisting with investigations and operations? Rik - The LEA relationship is a two way thing – so if we discover something in the course of our own research which we think may be useful or of interest to law enforcement we will reach out and by the same token law enforcement will contact us with enquiries as to what we may have in our holdings and to seeking information from us to
assist them. This may be about infrastructure or individuals and we also provide expert witness statements if matters are proceeding to court. The relationship is controlled under a Memorandum of Understanding and nondisclosure agreements and it’s not a paid operation. It is something Trend Micro does as part of being a security provider. The most effective way to keep our customer’s security is to help take the criminals out of business. E: How is Trend Micro structured and assisting police on the ground? Rik - Our research within Trend Micro is divided into two distinct teams. There is the Numerically Superior Team is called ‘Trend Labs’ with about 1,500 personnel globally and they’re responsible for sourcing and maintaining the bulk of the data that makes up the smart detection network, which is data about files, URLs, domains, IP addresses, emails which is the intelligence that makes up that backend database. Then there is a numerically
Chief IT | 11
A I S A
N AT I O N A L
CO N F ER EN C E
FERGUSON
Quick Q&A
smaller team called FTR, with about 40-50 people globally, and they are literally around the world and have linguistic skills and capabilities so they can tap into underground forums. This has allowed us to develop a series of white papers about the similarities and differences in the criminal underground community, be it from China, USA, Germany, France, Brazil, Russia and several others. FTR is divided into three main groups, which are law enforcement cooperation and they’re actively involved in research which goes into a couple of different directions, one will be building a better beast, such as better, faster back end tools, sourcing data, mining and correlating data, so a lot of tool building and then there’s research into criminal underground, SCADA and ICS, point of sale malware, ransomware – they will continually rotate on various research projects. E: The Asia Pacific is known to be prevalent in terms of cyberattacks and cybercrime – is this your understanding and what are the key trends you’re seeking?
Rik - The two things I’m presenting on at AISA are definitely rife, and they are ransomware and BECs, or business email compromise. BEC, also known as CEO fraud, on the face of it is a very simple fraud operation which compromises an email account, or spoofs an account, used by a senior company executive, and then that account is used to compromise another senior executive’s email account, generally someone with access to the finance in the company. It is a simple form of social engineering attack where they submit invoices and say they have to be paid urgently and immediately, and because it appears to be a senior executive’s direction, the victim bypasses any normal checks and balances and pays the invoice. According to the FBI, over the course of just the last two years, over US$3 billion has been paid as a result of BEC fraud alone, affecting over 22,000 organisations globally and across over 100 countries. The top 5 includes Australia and is representative of English-speaking countries, namely the US, UK, Canada, Australia and Belgium. Over 80 per cent of the email is from the General Manager and above, up to the CEO or President, and from the CEO 40 per cent will go straight to the Chief Financial Officer (CFO), or to customers of the organisation, or internally to the customer. The key aspect to this is losses of this scale, and businesses don’t get the money back from the banks, yet consumers do. There has been only one arrest, which was a Nigerian scammer called Mike who was identified by Interpol. His network included Nigeria, Malaysia and South Africa. BECs are an evolution of the 419 scam, with the majority of the sources from Africa, such as Nigeria. Criminals are global and they have extensive networks, with multilingual skills also, including live chat windows in the language of your choice as they instruct victims to pay ransoms and the like, as well as distributing ransomware in different languages. It is something business and industry must get their heads around and become aware that this is a significant and global issue.
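As an added example (not from the interview and not Trend Micro's code), a small Python triage routine that flags the BEC indicators described above on an inbound message: an executive's display name on a mailbox outside the company, a lookalike sender domain, a Reply-To pointing elsewhere, and an urgent payment request. The corporate domain, executive names and sample messages are constructed for the example.

```python
"""Constructed example: triage an inbound RFC 822 message for BEC indicators.
The domain, executive names and sample messages below are made up."""
import email
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"               # assumed: the defended organisation's domain
EXECUTIVES = {"alex carter", "priya nair"}     # assumed: senior executives' names
PAYMENT_TERMS = ("invoice", "wire", "transfer", "payment", "bank details", "beneficiary")
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise_name(display: str) -> str:
    return " ".join(re.sub(r"[^a-z ]", " ", display.lower()).split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Return the BEC indicators found in one message and a verdict."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()

    flags = []
    if _normalise_name(display) in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        flags.append("exec_name_external_sender")   # exec's name on an outside mailbox
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        flags.append("lookalike_domain")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")            # replies routed to a third mailbox
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("payment_request")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency")

    # A genuinely compromised executive mailbox passes the sender checks, so
    # the content checks alone still send an urgent payment ask for review.
    impersonation = {"exec_name_external_sender", "lookalike_domain"} & set(flags)
    if impersonation and "payment_request" in flags:
        verdict = "suspicious"
    elif "payment_request" in flags and ("urgency" in flags or "reply_to_mismatch" in flags):
        verdict = "review"
    else:
        verdict = "clear"
    return {"from": addr, "flags": flags, "verdict": verdict}


# Constructed sample messages (no real people or organisations).
SAMPLE_BEC = """From: "Alex Carter" <alex.carter@examp1e.com>
Reply-To: alex.carter.ceo@mail-example.net
To: finance@example.com
Subject: Urgent invoice

Please process the attached invoice by wire transfer today. I am in meetings
all day, so just get it done and confirm when paid.
"""

SAMPLE_OK = """From: "Alex Carter" <alex.carter@example.com>
To: finance@example.com
Subject: Board agenda

Attached is the agenda for Monday's meeting. Let me know if anything is missing.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BEC))
    print(triage(SAMPLE_OK))
```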
Australian Information Security Association (AISA) National Conference
CYBER EXECUTIVE ENHANCEMENT ROUND-TABLE
A special premier event designed for executives and board members alike. A closed-room, vendor-independent round-table discussion with Q&A, so come along and ask your questions.

CYBER SECURITY - DO WE HAVE IT RIGHT?
Why are organisations so scared? What should they be concerned about? Cloud? Data classification? Malware? Other threats? How is the rest of our region dealing with these issues? How should we manage or change?
Hear from four leading experts on these key topics and cut through some of what you need to know or do. A roundtable discussion and Q&A will be held, so come along and ask questions.
This event will help address fears, barriers, roadblocks and perceptions of organisations and individuals around cyber security - “the reality and the myths” - and ultimately get to the bottom of what are the “real” things to worry about or manage.

Speakers:
Allan S Cabanlong, ASEAN Eng., Executive Director, Cybercrime Investigation and Coordination Center (CICC), Philippines
Dr. Amirudin Abdul Wahab, Chief Executive Officer, CyberSecurity Malaysia
Phillip Russo, Cyber Investigator and Digital Forensics Expert, CIA Solutions
Gary Hale, Director, Cyber Security & Innovation, Cisco

When: Friday 25th November, 2016, 8.00 am - 1.00 pm. Invitation only, places are limited. RSVP no later than 5pm Friday 04th November. Invitation extension: after lunch you are welcome to attend the AISA Perth Conference 2016 running in parallel.
Venue: Crown Perth. Cost: Nil.
AISA Perth Conference 2016 Registration & Enquiries, please contact: Mourad Khalil +61(0) 403980718 | mouradswork@gmail.com; Daisy Sinclair +61(0) 415780257 | daisyfrancissinclair@gmail.com

AISA invites all individuals with an interest in information and cyber security to become members; see our new member’s link below. If on the other hand you or your organisation are keen on sponsoring the AISA Perth Conference 2016 event, you may do so through the link.
BECOME A MEMBER
SPONSOR EVENTS
Singapore Cyber Security
SINGAPORE CYBER UPDATES
Highlights from the Singapore International Cyber Week 2016 (10th Oct 2016 – 12th Oct 2016, SunTec Singapore International Convention & Exhibition Centre) and the Cloud Expo Security 2016 (12th Oct – 13th Oct 2016, Marina Bay Sands Expo and Convention Centre).

When hackers broke into the computers of Bangladesh’s central bank in February of this year and committed one of the largest cyber heists ever, in which $951 million in fake payments were ordered, $81 million had already been cleared and processed by the time the fraud was discovered. Details of the techniques and methods believed to be linked to the heist, revealed by government and private investigation teams, raised widespread concerns that the tools and techniques used may allow the same, if not other, sophisticated international criminal syndicates to strike again. One consolation is that the losses could have been 10 times worse, with the attackers making off with nearly $1 billion had all the fraudulent transactions been cleared. Cyber attacks such as the Bangladesh heist and the Carbanak attacks, which targeted ATMs and transaction systems, take advantage of vulnerabilities in the global financial processing networks to successfully steal and move millions of dollars across borders.
The significance of these attacks lies in their large-scale haul and sophisticated coordination: by adopting techniques which targeted different systems, processes, departments and countries, and in the significant planning involved in deleting evidence of their activities and covering cyber tracks to remain undetected. Besides banks, transportation networks, hospitals and other essential services have also been subject to wide-ranging cyber infiltrations, where the attackers seek to extract data and monetize the stolen data, compromise critical infrastructure, and manipulate and influence public opinion. Cyber attacks are growing more sophisticated, frequent and impactful. According to the 2016 Cyberthreat Defense Report, 76 percent of responding organizations were affected by a successful cyberattack in 2015 – up from 70 percent in 2014 and 62 percent in 2013. Left unchecked, these attacks can create a hostile cyberspace, making it difficult to trust and perform basic online transactions and interactions.
For Singapore, setting out a Smart Nation vision – which centers on harnessing the power of technology – will make the nation more productive but will also pose significant challenges, as increasing connectedness means a corresponding rise in potential cybersecurity threats. The good news is that the Singapore Government has consistently taken cyberthreats seriously.
Singapore International Cyber Week 2016 (SICW)

Singapore’s cybersecurity journey started a decade ago with the first Infocomm Security Masterplan. Just a year and a half ago, the Cyber Security Agency (CSA) was formed to specifically address cybersecurity threats and to coordinate efforts across government and among the various other stakeholders. In the latest cybersecurity push, CSA held the inaugural Singapore International Cyber Week 2016 (SICW) to connect over 3,000 policy makers, industry players and innovators. The theme “Building a secure and resilient digital future through partnership” reflects Singapore’s desire to strengthen the nation’s digital future through building robust local and international partnerships. Opening the SICW, Singapore Prime Minister Mr Lee Hsien Loong launched “Singapore’s National CyberSecurity Strategy”. “Our government networks are regularly probed and attacked. We have experienced phishing attacks, intrusions, malware. From time to time, Government systems have been compromised, websites have been defaced and also suffered concerted DDoS attacks that sought to bring our systems down. Our financial sector has suffered DDoS attacks, and leaks of data. Individuals too have been targeted. Fake websites masquerading as SPF, MOM, ICA, CPF pages, hosted in other countries, phish for personal information or scam people into sending money,” he said. (SPF: Singapore Police Force; MOM: Ministry of Manpower; ICA: Immigration & Checkpoints Authority; CPF: Central Provident Fund.) To coordinate efforts in cybersecurity, the National CyberSecurity Strategy will have four components:
1. Build a Resilient Infrastructure
2. Create a Safer Cyberspace
3. Develop a Vibrant Ecosystem
4. Strengthen International Partnerships
Increasing inter-government collaboration and partnerships

There are tangible examples of “Strengthen International Partnerships”, a key focus of the Cybersecurity Strategy. Opening ceremony keynote speaker Mr Christopher Painter, Coordinator for Cyber Issues, US Department of State, cited the Memorandum of Understanding signed between the United States and Singapore in August this year, which covered cooperation in areas such as regular CERT-CERT information exchanges and sharing of best practices, coordination in cyber-incident response, and sharing of best practices on critical information infrastructure protection. Mr Conrad Prince, UK CyberSecurity Ambassador, Defense and Security Organization, Department of International Trade, referred to the CREST Singapore Chapter - the first CREST Chapter in Asia, established in partnership with the Cyber Security Agency of Singapore (CSA) and the Association of Information Security Professionals (AISP) - to introduce its penetration testing certifications and accreditations to Singapore.

(Pictured: Singapore Prime Minister Mr Lee Hsien Loong)

ASEAN Discussions and Dialogues

To strengthen partnership within ASEAN (Association of South-East Asian Nations), an ASEAN Ministerial Conference on Cybersecurity at the Shangri-La Hotel was convened as part of the SICW, bringing together the ASEAN Member States to facilitate discussion and share knowledge on cybersecurity issues and fighting cybercrime. Dr Yaacob Ibrahim, Minister for Communications and Information, Minister-in-Charge of Cybersecurity, said “Countries today face a full spectrum of cyber threats - cybercrime, attacks,
espionage and other malicious activities. We in ASEAN have not been immune to this”. According to the Singtel FireEye Southeast Asia Cyber Threat Report, new findings have identified Southeast Asia as a region that is increasingly under cyber-attack. The joint Singtel-FireEye report, “Southeast Asia: An Evolving Cyber Threat Landscape”, details how Advanced Persistent Threat (APT) actors and other cyberattack groups are among those keenly interested in targets located in Singapore, the Philippines, Malaysia, Thailand, Vietnam, Indonesia and Brunei. Dr Yaacob Ibrahim proposed 3 areas that ASEAN could work on to further efforts against the threat: fostering ASEAN cyber capacity building; securing a safer common cyberspace; and facilitating exchanges on cyber norms. “While staying plugged into the global conversations, we should also make sure that norms and behaviors are kept relevant and applicable to our unique ASEAN context and cultures.” He also announced the launch of a S$10 million ASEAN Cyber Capacity Program (ACCP) to build cyber capacity in ASEAN Member States. Focus areas under the program include cyber policy, legislation, strategy development and incident response; and Singapore’s sponsorship of the global initiative called Cyber Green (which aggregates global open source information in an index for cyber health), which will allow ASEAN member states access to the data through Singapore.

ASEAN ministers and officials:
YM Dato Paduka Awang Haji Hamdan bin Haji Abu Bakar, Deputy Minister at the Prime Minister’s Office and Director of the Internal Security Department, Brunei
H.E. KAN Channmeta, Secretary of State, Ministry of Post and Telecommunications, Cambodia
Dr. Basuki Yusuf Iskandar, Head of ICT Research and Human Resource Development Agency, Ministry of ICT of Indonesia, Indonesia
Air Rear Marshal Warsono, Deputy Coordinating Minister for Political, Legal and Security Affairs, Indonesia
H.E. Dr. Thansamay Kommasith, Minister of Post and Telecommunications, Lao PDR
YB Datuk Seri Panglima Madius Tangau, Minister for Science, Technology and Innovation (MOSTI), Malaysia
Dr Yaacob Ibrahim, Minister for Communications and Information and Minister-in-charge of Cybersecurity, Singapore
H.E. Le Luong Minh, ASEAN Secretary General
H.E. Lt-Gen Kyaw Swe, Union Minister for Home Affairs, Republic of the Union of Myanmar
H.E. U Kyaw Myo, Deputy Minister of the Ministry of Transportation and Communications, Myanmar
RAdm Rufino S Lopez Jr (Ret), Deputy Director General, National Security Council, Philippines
H.E. Prajin Juntong, Deputy Prime Minister and Minister for Digital Economy and Society, Thailand
Mr. Nguyen Thanh Hai, Director General of Security Information Department, Ministry of Information and Communications, Vietnam
Senior Colonel Nguyen Van Thinh, Deputy Director-General of the Department of Cybersecurity, Vietnam

Industry Partnerships

To make Singapore’s cyberspace safe for businesses, individuals and society at large, strong partnerships with multiple stakeholders across the cybersecurity ecosystem are needed. During the SICW, CSA announced new agreements with top industry players – BAE Systems, (ISC)2, Microsoft and Palo Alto Networks – to boost training in cybersecurity and raise cybersecurity capabilities. Mr David Koh, Chief Executive of CSA, said “Cybersecurity is a multidisciplinary issue and it is necessary to have all hands on deck to grow the capabilities for the sector.” These partnerships will see the industry players engage with local cybersecurity startups for research and development of cyber technologies, encourage professionals to deepen their skills and enhance security awareness, share cyber threat analysis, and develop educational platforms for cybersecurity outreach. Developing skill sets and supporting startups are also keys to “Develop a Vibrant Ecosystem”, one of the pillars underpinning the CyberSecurity Strategy.

Cyber security in a smart nation

“Singapore aspires to be a Smart Nation. But to be one, we must also be a safe nation”, said Prime Minister Mr Lee Hsien Loong in his closing remarks. “Creating a Safer CyberSpace” is another key focus of the CyberSecurity Strategy. As Singapore transforms into a Smart Nation and adopts Internet of Things (IoT) technology - digital healthcare, smart watches, internet-enabled appliances, smart manufacturing and connected devices, vehicles and buildings – a significant volume of data will be generated, collected, stored and shared via the cloud. According to Gartner, it is forecast that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 11.4 billion by 2018. The volume of data will continue to grow as we get more digitally connected. Securing the data and ensuring its confidentiality, integrity and authenticity is critical to preventing and mitigating risks and minimizing the financial, social, reputational and economic impacts of an attack.

Weakest link

Cyber attacks often arise from exploitation of the weakest link in the IoT security chain. From a well-meaning employee sending work documents home to unpatched systems running home heating and cooling systems, physical vulnerabilities and human behaviors provide new attack vectors for cyber criminals. These challenges are addressed across various themes such as governance, threat landscape, and detection and defense approaches at the 25th edition of GovWare (the region’s conference and exhibition on cybersecurity for cyber thought leaders, industry players and academia), and the Smart Nation IoT Security Conference, held in conjunction with the SICW.
Speaking at GovWare, Professor Isaac Ben-Israel, Chairman, Israel Space Agency and Chairman, Israel National Council for R&D, Director ICRC, Tel Aviv University, said the “Smart City” or “IoT” – smartness that comes from computer chips to make our lives faster and easier – is the trend at present and “is not imagination” or “science fiction”, and we have “created dependency on these chips”. Cyber criminals will use “weak points” in this dependency to do damage.

Attacks and preventive measures

The declining cost of IoT technology makes it attractive for us to adopt, but Professor Yu Chien Siang, founder of GovWare, noted: “embedded devices are often low-cost, low power, restricted in both memory and computing power, and could be easily accessible by the adversaries. As such, many physical attacks are possible including side-channel attacks (SCAs), which can be used to extract the secret key from electronic devices using power, electromagnetic (EM) emanations, timing analysis or acoustics. Such attacks have been shown against transit cards, car immobilizers, and Field Programmable Gate Array (FPGA) devices.” He also pointed out that the biggest threat may not necessarily be the deletion or removal of data but the modification of it, an example being the change of a patient’s records such as blood type. He termed this “Computer Torture”. Poor and diverse designs are other key challenges in IoT security highlighted by Dr Steven Wong, Associate Professor & Program Director, Singapore Institute of Technology, President of the Association of Information Security Professionals and Co-chair of the CREST Singapore Working Committee. “Many IoT systems are poorly designed and implemented, using diverse protocols and technologies that create complex configurations,” he explained. There is also a “lack of mature IoT technologies and business processes”, and “limited guidance for lifecycle maintenance and management of IoT devices”. IoT privacy concerns are complex and not always readily evident, he added. To address these challenges, he suggested developing “a common set of standards and guidelines for IoT when there are so many parties and technologies involved”. But he also cautioned that “even with IoT standards and guidelines, who will really follow them?” One way is to strategically target critical areas or groups to drive adoption. He also suggested the possibility of “Singapore’s smart nation as an international test-bed for standards and guidelines”.

Be Prepared

Risks will increase when we go IoT because of interconnectivity, as pointed out by John Lee, ISACA Singapore Chapter President, speaking at the Cloud Security Expo Asia 2016. And often, a cyber attack is not a matter of if, but when. He urged the need to “Prepare for Black Swan”. Financial services practitioners and observers would agree that banks have a history of dealing with unexpected financial market events that are difficult to predict and which have widespread ramifications and contagion effects, termed “Black Swan” events. One clear example is the Great Financial Crisis that occurred during 2007-2008. The potential for a Black Swan event in the digital world has yet to receive similar levels of attention, and failure to accept cyber risk as a core risk may prevent governments, businesses and individuals from developing fallback and containment plans to mitigate unexpected cyber attacks.
A resilient and trusted cyber environment
With a reputation as a "no-nonsense" and "business-friendly" financial center, Singapore is known as a trusted, sound and stable location to do business in. Recent examples include the Monetary Authority of Singapore (MAS) stripping Falcon Private Bank of its license for "serious failures in anti-money laundering (AML) controls", a development that followed the shuttering of the Singapore branch of Swiss bank BSI in May for "serious breaches of anti-money laundering requirements, poor management oversight of the bank’s operations, and gross misconduct by some of the bank’s staff". The Bangladesh heist is a clear example where a cyber attack was launched to facilitate a financial criminal activity that spanned several countries. Cyber criminals operating from one country attacking inter-bank payment systems can cause damage ranging from minor inconveniences to significant disruptions globally. Being connected to the global network of financial flows and playing host to hundreds of foreign financial institutions means that Singapore is not immune to this. Not only banking, but essential services such as energy, healthcare and transport are powered by infocomm technology. As an international financial, shipping and aviation hub, Singapore houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. Successful attacks on these supra-national Critical Information Infrastructures (CIIs) can have disproportionate effects on the trade and banking systems beyond Singapore’s shores. “Building a Resilient Infrastructure” is a key focus of the CyberSecurity Strategy, to ensure that Singapore’s essential services are protected. A new Cybersecurity Act will also be introduced in 2017 to provide a comprehensive legal framework for national cybersecurity. Cybersecurity, beyond a necessity to defend and protect, is also an enabler for the economy and society. Singapore's CyberSecurity Strategy sets out the vision, goals and priorities and outlines the country’s commitment to build a resilient and trusted cyber environment. It aims to catalyze participation by all stakeholders – government agencies, the cyber industry, professionals and students, academia and researchers, and providers of essential services. It also signals Singapore’s willingness to forge strong partnerships with the international community to combat the transnational nature of cyber threats.

Jane Lo has more than 15 years of experience in enterprise-wide risk management and writes on risk themes relevant to the financial services sector. She started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for corporates and banks, before relocating back to Singapore 6 years ago. Outside of work, she is a marathon runner and enjoys spending time with friends and family.
Cyber Security
The economics of security
The Network Effect
By Bruce Schneier
You’ve all heard of Moore’s Law, but there’s a lesser-known law called Metcalfe’s Law, and that is: “The value of a network equals the square of the number of users.” Take one phone – it’s useless; two phones are at least useful; a thousand phones is a network; a million phones are suddenly essential. So, is this true for real networks? A network of cell phone users, email users, SMS, Skype and Facebook; and is it also true of a virtual network? The network of Windows versus Mac users, or iOS versus Android users. The more people use a thing, the more valuable it is for each one of us that uses it. This notion of network effect lends itself to a single dominant player in the marketplace. Think of Facebook. There was a time when you were not on Facebook because it was too small; now it seems to be the time when you have no choice but to be on Facebook because you would never speak to your friends otherwise. That’s the network effect. It’s true for Skype. It’s true for any application: the more people on it, the more likely you are to be on it. So a single player wins, because that’s what makes sense.

Fixed Cost versus Marginal Cost

The second piece of IT economics is fixed cost versus marginal cost. In any product, there are two sets of costs: the cost to develop the product, and the cost to create the one of it that you’re buying. So for a normal product like a chair, someone designed it and they were paid, then the company made a lot of chairs, and that development cost was amortised into the per-unit cost that, say, a hotel paid when it bought the chairs. In IT, pretty much all the cost is in development. The first copy of Microsoft Windows, for example, cost $20 million (I’m making this up); the second copy is free. So what this means is that stealing the results of development is a very powerful attack. This is true not just for software; it’s true for movies, for music, for pharmaceuticals, and this is why you see so much effort going into protecting the development costs. In other cases, the high fixed cost becomes a barrier to competition. Once Google maps the world, it’s hard for someone else to come in. A company like Google can further cut the costs to zero to prevent further competition coming in.

Switching Costs

The third piece of IT economics is the notion of switching costs. The switching cost is the cost for you as a consumer
to switch to a competing product. Normally switching costs are low. Think about Coke versus Pepsi. You drink a Coke and you don’t like it; you drink a Pepsi tomorrow. That means that Coke had better taste good. Compare that to where switching costs are high: I have a cell phone, I use AT&T. If I don’t like AT&T’s service, I am still kind of likely to use it tomorrow, because the cost of switching cell phone providers is pretty high. I don’t like my operating system; it’s really hard for me to switch. In IT, switching from one product to another can be really expensive: it is retraining of staff, rewriting of applications, converting data. So, here is the thing of it: the higher the switching costs, the more a company can piss you off before you switch. They can provide you with a lower quality service because they know that switching is hard, and companies do all they can to keep switching costs high. This is why you see proprietary file formats, non-compatible accessories, programmes that won’t let you take your data with you when you leave; it is all designed to keep switching costs high, because that basically allows them to keep customer service low, and that is cheaper.

The Lemons Market

The fourth and last piece of IT economics is the notion of a lemons market. This actually came from an economist who won a Nobel Prize called George Akerlof, who studied markets with an asymmetry of information, a concept he thought of by himself: basically, markets where the seller knows a lot more about the products than the buyer. So think of the used car market: the seller knows a lot about the cars he sells; you as the buyer pretty much know nothing. In those markets (I will spare you the economic math), in products where the seller knows more than the buyer, bad products drive good products out of the market. This is true for a used car market, and it’s true for IT security. This is why in the 1990s the best firewalls didn’t survive. This is why in the 2000s the best IDS programmes didn’t survive. Because we live in a lemons market. And in a lemons market buyers tend to rely on what economists call signals. So different signals are warranties – the used car market is full of warranties: take a car home, drive it for a month, and if you don’t like it, you bring it back. Certifications, awards… have you ever wondered why our industry chases those dumb awards all the time? They’re signals. Awards, reviews, certifications, anything a buyer can jump on and say, “I’m going to do that! I don’t know how to choose, but this one won an award and this one is certified to ‘this’ standard.”
Combating financial fraud: How to save billions with a text
Fighting fraud is an ever-escalating arms race, with criminals working to exploit the next loophole as soon as the financial services industry closes the last one. Your customers are an important ally in this fight, with mobile messaging giving you the tools to act responsively to threats as well as build your relationship with them. Fraud is an increasing problem, with the annual global losses generated by credit, debit and other cards alone totalling $US16 billion and predicted to grow to $35.5 billion by 2020, according to The Nilson Report. Essentially, for every $US100 spent on cards, just over $US5 will be fraudulent. Protecting yourself from losses needs to be balanced with minimising the disruption for your customers. Even though customers want to know their money is secure, there’s still nothing more frustrating than having to phone a call center to discover that the reason they couldn’t pay for groceries is that their card has been frozen due to suspicious activity. Mobile messaging finds the union between security and customer experience, with an SMS the ideal way to beef up security on your offerings, from delivering a one-time password for an extra layer of authentication in online banking, to alerting customers to suspicious activity on their card, without introducing inconvenient roadblocks. Here’s why mobile messaging will help you fight fraud:

Customer Reach

The easiest way to hit the mark is to make the target really big, and it’s hard to think of anything bigger than the cell phone. Most people have one and the majority of them are smartphones. More than half of smartphone owners have used their handset for online banking in the past year, according to the Pew Research Center, so it’s an environment they’re comfortable using for financial transactions. It’s not just that people have phones, either; it’s that they use them a lot.
Nottingham Trent University suggests that people check their phones 85 times a day (double what they self-report), while others have found that 90 per cent of text messages are read within three minutes. Further, text messaging is platform-agnostic, so you don’t have to worry about compatibility with different operating systems or older models.
React Faster

The faster you confirm fraud, the quicker you can react to it. The ability to text details of suspicious activity to your customers, and have them confirm or deny a transaction, means you can quickly deal with issues and reduce the scale of losses. One study by FICO found that 30 per cent of alerts were confirmed as fraud within 10 minutes. Even if it’s a false alarm, customers are unlikely to mind if it avoids the inconvenience of purchases being incorrectly declined. One US bank reduced net fraud losses by 75 per cent after it implemented an auto-resolution system. This triggered a text to customers when there was a suspicious transaction or an additional name was added to an account.

Reduce Costs

Stopping criminals from siphoning off large sums of money is the most immediate cost reduction, but it’s far from the only one. In the past, banks have been reluctant to act on borderline suspicious activity for fear of inconveniencing customers if everything is above board. Mobile messaging reduces the consequences of false positives, allowing them to cast the net wider to stop more cases of fraud. By creating a two-way communications channel, customers can resolve the issue without having to talk to a customer service representative, reducing the demands on your call center and decreasing the time your organization spends on each fraud case. With faster turnaround of each case, it’s also easier to recognise a change in criminal methods and implement responses faster.

Build Loyalty

One in three customers who are the victim of fraud attacks will either close the account, stop using it or use it less, according to research by Ovum/Datamonitor. Mobile messaging can help stem the loss of customers, since 89 per cent of respondents to the FICO survey have said auto-alerts increased their confidence in using their card. Even if it turns out to be a false alarm, the customer is reassured that you’re looking out for them. Fraud is growing by the year. Being able to communicate with customers quickly when you need it most is an important weapon in the fight against financial crime. Find out how else mobile messaging can help your financial services business by downloading our free e-book.

By Jonathan Morgan, Vice President, Corporate Development Asia and Pacific, OpenMarket
Chief IT | 19
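The two-way text confirmation described in the article above is simple to state but easy to get wrong in the details: an SMS reply is not authenticated, so a guessed or spoofed reply must not be able to approve a transaction, and silence must not count as approval. The following is an added example written for this page, not code from OpenMarket or from the bank mentioned in the article. The message wording, the 30-minute reply window, the short hexadecimal case reference and the sample phone numbers are all constructed assumptions; the SMS gateway is replaced by an injected callable so the code runs offline.

```python
import secrets
from datetime import datetime, timedelta

REPLY_WINDOW = timedelta(minutes=30)   # assumption: after this the case stays on hold, never auto-approved


class FraudConfirmation:
    """Two-way SMS confirmation of suspicious card transactions (illustrative, not a vendor API)."""

    def __init__(self, send_sms):
        self.send_sms = send_sms           # callable(phone, text); injected so the example runs offline
        self.cases = {}                    # case reference -> case record
        self.blocked_cards = set()         # cards the customer has told us were used fraudulently

    def open_case(self, card_last4, merchant, amount, phone, now):
        # Short unguessable reference: a reply is accepted only if it quotes it AND comes from the
        # number we messaged. Never put the full card number or a link in the text.
        ref = secrets.token_hex(3).upper()
        while ref in self.cases:
            ref = secrets.token_hex(3).upper()
        self.cases[ref] = {"card": card_last4, "phone": phone, "opened": now, "status": "pending"}
        self.send_sms(phone, f"Card ending {card_last4}: {amount} at {merchant}. "
                             f"Reply Y {ref} if this was you, N {ref} if not.")
        return ref

    def handle_reply(self, phone, body, now):
        parts = body.strip().upper().split()
        if len(parts) != 2 or parts[0] not in ("Y", "N"):
            return "ignored_malformed"
        answer, ref = parts
        case = self.cases.get(ref)
        if case is None or case["phone"] != phone:
            return "ignored_unmatched"         # wrong sender or guessed reference: say nothing back
        if case["status"] != "pending":
            return "ignored_already_resolved"  # first answer wins; a later reply cannot flip it
        if now - case["opened"] > REPLY_WINDOW:
            case["status"] = "expired"
            return "ignored_expired"           # fail closed: the hold stays in place
        if answer == "Y":
            case["status"] = "genuine"         # release the hold on the transaction
        else:
            case["status"] = "fraud"
            self.blocked_cards.add(case["card"])
        return case["status"]

    def expire_stale(self, now):
        """Housekeeping run: mark unanswered cases expired (still on hold) and return their refs."""
        expired = []
        for ref, case in self.cases.items():
            if case["status"] == "pending" and now - case["opened"] > REPLY_WINDOW:
                case["status"] = "expired"
                expired.append(ref)
        return expired


def run_demo():
    """Walk the flow with constructed data and return the outcomes so they can be checked."""
    sent = []
    fc = FraudConfirmation(lambda phone, text: sent.append((phone, text)))
    t0 = datetime(2016, 11, 1, 9, 0)
    ref = fc.open_case("1234", "Shop A", "$950.00", "+61400000001", t0)
    out = {
        "sms_mentions_ref_and_card": ref in sent[0][1] and "1234" in sent[0][1],
        "wrong_number": fc.handle_reply("+61400000009", f"Y {ref}", t0 + timedelta(minutes=1)),
        "customer_says_no": fc.handle_reply("+61400000001", f"N {ref}", t0 + timedelta(minutes=2)),
        "card_blocked": "1234" in fc.blocked_cards,
        "late_flip": fc.handle_reply("+61400000001", f"Y {ref}", t0 + timedelta(minutes=3)),
        "garbage": fc.handle_reply("+61400000001", "maybe?", t0 + timedelta(minutes=3)),
    }
    ref2 = fc.open_case("5678", "Shop B", "$20.00", "+61400000002", t0)
    out["late_reply"] = fc.handle_reply("+61400000002", f"Y {ref2}", t0 + timedelta(minutes=40))
    ref3 = fc.open_case("9012", "Shop C", "$60.00", "+61400000003", t0)
    out["expired_refs_match"] = fc.expire_stale(t0 + timedelta(hours=1)) == [ref3]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that every path other than a timely, correctly addressed Y or N leaves the transaction on hold: an attacker who can send texts from an arbitrary number gains nothing by guessing references, and a customer who never replies is inconvenienced rather than defrauded.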
Cyber Security
The Non-nerd’s guide to Bitcoin and Blockchain By Annu Singh
It’s 11:30 p.m., and I am trying hard to understand a jargon-filled article about Bitcoin. The TV in the background plays a repeat of “The Big Bang Theory,” an American sitcom about a group of genius physicists who often befuddle their beautiful waitress friend, Penny. I try hard to concentrate and make sense of what I’m reading. I find myself identifying with Penny, and what she might feel when trying to understand the nerdy world of Sheldon, Leonard, Howard and Raj. I decide there has to be something simpler out there to help break down the basics of Bitcoin for the Pennys of the world.
From the “Big Bang Theory” episode The Luminous Fish Effect. Sheldon: The thing about tomatoes, I think you will really enjoy this, is that they are shelved with the vegetables but they are technically a fruit. Penny: Interesting. Sheldon: Isn't it! Penny: No, I mean what you find enjoyable.
Bitcoin for Pennys
Imagine you can transfer money, or the equivalent of money, like an email over the Internet with no approvals or authorization needed from any third-party authority. That concept was proposed in a white paper, published in 2008, by Satoshi Nakamoto, and the term Internet currency was born. Nakamoto proposed a distributed digital ledger for an online cash system. The exchange would not be subject to intermediaries’ fees or institutional control, or bound by any one nation’s regulations. The technology that runs the ledger is blockchain, which acts as a public database permanently recording transactions. When a transaction occurs, its details are broadcast to a vast network of computers rather than being confined to a single centralized system, and every one of those computers checks it. The ledger itself is public and anyone can read it; what requires a specific key is spending. A transfer is valid only if it is signed with the private key of the coins’ current owner, so every transaction leaves a unique, verifiable trail of data, eliminating the need for a trusted third party to authorize the transaction or to confirm that it has taken place. Because Bitcoin transactions require no third-party authority, they can be and are used for illicit purposes: buying and selling drugs on the Dark web, IT ransom extortion, and so on. Bitcoin also funded support for Edward Snowden after his revelations about NSA surveillance. Increasingly, governments expect users to report Bitcoin gains in the same way that they report stock gains in their tax returns.
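To make the ledger description above concrete, here is an added example written for this page; it is not code from the article and not Bitcoin’s own implementation. It builds a toy hash-chained ledger with proof-of-work and then shows why a past transaction cannot be quietly altered: changing one block breaks its own proof-of-work and the link from every later block. The block layout, the JSON serialisation, the toy difficulty of 12 leading zero bits (so it mines in well under a second) and the sample transactions are all constructed assumptions; a real Bitcoin header also carries a version, Merkle root, timestamp and difficulty target, and the real difficulty is astronomically higher.

```python
import copy
import hashlib
import json

DIFFICULTY_BITS = 12          # toy target: hash must start with 12 zero bits (~4,096 tries per block)
GENESIS_PREV = "0" * 64       # the first block points at an all-zero "previous" hash


def block_hash(block):
    """Double SHA-256 over a canonical serialisation of the whole block (assumed layout)."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()


def meets_target(hex_digest, bits=DIFFICULTY_BITS):
    """Proof-of-work check: the top `bits` bits of the 256-bit digest must be zero."""
    return int(hex_digest, 16) >> (256 - bits) == 0


def mine_block(prev_hash, transactions, bits=DIFFICULTY_BITS):
    """Search nonces until the block's hash meets the target. This is what 'miners' do."""
    block = {"prev_hash": prev_hash, "txs": transactions, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    return block


def build_chain(batches, bits=DIFFICULTY_BITS):
    """Mine one block per batch of transactions, each linked to the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = mine_block(prev, txs, bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


def validate_chain(chain, bits=DIFFICULTY_BITS):
    """What every node does on receipt: returns (True, None) or (False, index_of_first_bad_block)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev_hash"] != prev or not meets_target(digest, bits):
            return False, i
        prev = digest
    return True, None


def tampered_copy(chain, index, new_txs):
    """Attacker step 1: rewrite the transactions in one historical block."""
    altered = copy.deepcopy(chain)
    altered[index]["txs"] = new_txs
    return altered


def remine_block(chain, index):
    """Attacker step 2: redo the proof-of-work for that block only (the later blocks still break)."""
    altered = copy.deepcopy(chain)
    altered[index] = mine_block(altered[index]["prev_hash"], altered[index]["txs"])
    return altered


SAMPLE_BATCHES = [  # constructed transactions, not real Bitcoin traffic
    [{"from": "coinbase", "to": "miner1", "btc": 50}],
    [{"from": "miner1", "to": "penny", "btc": 1}],
    [{"from": "penny", "to": "sheldon", "btc": 0.5}],
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("honest chain valid:", validate_chain(chain))
    forged = tampered_copy(chain, 1, [{"from": "miner1", "to": "penny", "btc": 100}])
    print("after editing block 1:", validate_chain(forged))
    print("after re-mining block 1 only:", validate_chain(remine_block(forged, 1)))
```

Validation fails at the edited block, and after re-mining it fails at the next block instead, because that block still names the old hash. To make the forgery stick an attacker has to re-mine every block after the edit faster than the rest of the network extends the honest chain, which is the property the article is describing when it calls the record permanent.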
From “The Big Bang Theory” episode The Prestidigitation Approximation. Penny: Oh, big deal. Not knowing is part of the fun. Sheldon: "Not knowing is part of the fun." Was that the motto of your community college?
Understanding the Marketplace
The Bitcoin marketplace mimics the gold market. Like gold, bitcoins are scarce: Nakamoto capped the supply at 21 million. New bitcoins are released roughly every 10 minutes as a “reward” to miners, the computers that spend electricity to process Bitcoin “blocks.” A block is a collection of transactions waiting to be verified and confirmed. Every 210,000 blocks, roughly every four years, the reward is cut in half. From 2009, 50 bitcoins were released with each block; in November 2012 the reward fell to 25, and in July 2016 to 12.5. This continues until (in theory) all bitcoins have been released, which is expected around 2140. Bitcoin is often described as deflationary: because the supply is fixed, proponents argue that, like gold, it hedges against inflation. Its price, however, is set by the market and can fall as well as rise.
Getting Started with Bitcoin
Just as an email account is needed to send an email, a “wallet” is needed to transfer bitcoins. Wallet software (bitcoin.org lists the main options) generates a key pair: a public key and a private key. An address derived from the public key is given to anyone who wants to pay you and ends up recorded on every copy of the distributed ledger. The private key signs outgoing transfers and must be kept secret by the holder at all times; whoever holds it controls the coins, and if it is lost the coins are unrecoverable. Users obtain bitcoins by buying them from a Bitcoin exchange or by receiving a transfer from someone else. Bitcoins can be traded at many exchanges: Zaif, a Japanese cryptocurrency exchange; Unocoin and BuyUCoin in India; and others. The monetary value of a bitcoin has skyrocketed. It started trading at a few cents and crossed $1,000 in 2013. On the Bitcoin Price Index, one bitcoin now trades between $500 and $600 USD.
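The issuance schedule in the paragraph above can be checked rather than taken on trust. The following is an added example, not from the article, that mirrors the halving rule Bitcoin Core applies: the subsidy starts at 50 BTC, halves every 210,000 blocks, and is computed with an integer right shift so that it eventually rounds down to zero. The 10-minute block interval and the January 2009 launch are used only to estimate the calendar year of the final subsidy, so that estimate is approximate.

```python
SUBSIDY_HALVING_INTERVAL = 210_000        # blocks between halvings (Bitcoin consensus rule)
SATS_PER_BTC = 100_000_000                # one bitcoin is 100 million satoshis
INITIAL_SUBSIDY_SATS = 50 * SATS_PER_BTC  # 50 BTC per block at launch
BLOCK_MINUTES = 10                        # target block interval, used only for the year estimate
GENESIS_YEAR = 2009                       # network launched January 2009


def block_subsidy_sats(height):
    """Subsidy paid to the miner of block `height`, matching Bitcoin Core's GetBlockSubsidy."""
    halvings = height // SUBSIDY_HALVING_INTERVAL
    if halvings >= 64:            # guard against shifting by 64+ bits; the subsidy is 0 long before this
        return 0
    return INITIAL_SUBSIDY_SATS >> halvings   # right shift halves and rounds down, so it reaches 0


def halving_schedule():
    """(height, subsidy_in_btc) at the start of every era while the subsidy is still non-zero."""
    schedule, height = [], 0
    while block_subsidy_sats(height) > 0:
        schedule.append((height, block_subsidy_sats(height) / SATS_PER_BTC))
        height += SUBSIDY_HALVING_INTERVAL
    return schedule


def total_supply_sats():
    """Sum of every block subsidy that will ever be paid."""
    return sum(block_subsidy_sats(h) * SUBSIDY_HALVING_INTERVAL for h, _ in halving_schedule())


def last_subsidy_height():
    """Height of the last block that still earns a subsidy."""
    return len(halving_schedule()) * SUBSIDY_HALVING_INTERVAL - 1


def estimated_year(height):
    """Rough calendar year at which `height` is reached, assuming a steady 10-minute interval."""
    return GENESIS_YEAR + height * BLOCK_MINUTES / (60 * 24 * 365.25)


if __name__ == "__main__":
    for height, btc in halving_schedule()[:4]:
        print(f"from block {height:>9,}: {btc} BTC per block (about {estimated_year(height):.0f})")
    print(f"total supply: {total_supply_sats() / SATS_PER_BTC:,.8f} BTC")
    print(f"last subsidised block: {last_subsidy_height():,} (about {estimated_year(last_subsidy_height()):.0f})")
```

The total comes out at 20,999,999.9769 BTC, just under the 21 million cap, because the integer rounding on each halving discards fractions of a satoshi; the last subsidised block is 6,929,999, which the 10-minute assumption places in 2140, matching the article.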
Where is it Heading …
Perhaps more important than Bitcoin is the blockchain technology, which has the potential to be applied to various industries, the Internet of Things (IoT) and artificial intelligence (AI). In a report titled “Wealth & Asset Management 2021 – Preparing for transformative change,” the Roubini ThoughtLab identifies the smart technologies of AI, virtual reality, blockchain and robotic process automation as fields targeted for growth, with blockchain expected to grow by 43 percent over the next five years. Blockchain transactions cut out the middleman and provide faster settlements at lower costs. Deutsche Bank, UBS, Nasdaq and many other companies have jumped on the bandwagon. IT giants like Microsoft and IBM are investing in the space, and IBM Bluemix now provides blockchain services. Financial services, supply chain, IoT, risk management, digital rights management, healthcare, the public sector, even the art world will likely see disruption due to blockchain technology. But I’ve had enough disruption for the night. It’s 1 a.m., and my mind is giving up, playing Sheldon’s soothing lullaby, “Soft Kitty, Warm Kitty.” To sum up what I can understand from all of this, Bitcoin is a global, borderless, decentralized, open form of money that cannot be frozen or seized by any government or financial institution so long as its owner keeps the private key secret. And it can be transacted over the Internet without any trusted intermediary. Coupled with blockchain technology, it’s already leading to disruption in spheres all around us in ways that will affect the Sheldons and Leonards and, eventually, the Pennys of the world. If you can’t beat them, join them. “Soft kitty, warm kitty, little ball of fur … Happy kitty, sleepy kitty … zzz ….”
Quote from the episode The Boyfriend Complexity. Leonard: You'll never guess what just happened. Sheldon: You went out in the hallway, stumbled into an interdimensional portal, which brought you 5,000 years into the future, where you took advantage of the advanced technology to build a time machine, and now you're back, to bring us all with you to the year 7010, where we are transported to work at the think-a-torium by telepathically controlled flying dolphins? Leonard: Penny kissed me. Sheldon: Who would have guessed!
International
The great submarine leak
By Sarosh Bana APSM Correspondent
The wide-ranging data leak on India’s French-origin Scorpene submarines, hosted on its website recently by the daily broadsheet The Australian on two consecutive days, clearly undermines New Delhi’s sensitive submarine construction programme. The 22,400 leaked pages detailed the combat capabilities of the 1,565-tonne, 61.7-metre Scorpene 2000 SSKs (diesel-electric hunter/killer submarines). Six of these submarines are being built under the Indian Navy’s Project-75 (P-75) under a Transfer of Technology (ToT) agreement between DCNS, the European leader in naval defence, and the Mumbai-based state-owned shipyard, Mazagon Dock Limited (MDL). The first of the series, construction of which began at the MDL yards in December 2006, is being launched in September, with its commissioning scheduled a year thereafter and subsequent boats delivered at intervals of nine months. The programme is running four years behind schedule, its original contract cost of US$2.63 billion in 2010 having spiralled to US$3.8 billion. The cost includes a US$1 billion Technical Data Package for MDL to gain competence in submarine construction, especially in the fields of hull fabrication, outfitting and system integration. While one question is whether India’s security is under threat as a result of the data leak, another question concerns
the motive of the morning daily, owned by Rupert Murdoch’s News Corp Australia and published out of New South Wales, in exposing a friendly nation’s defence agenda. The paper has been described as one that acts more like a propaganda sheet for the right wing of Australia’s Liberal party than a broad-based sounding board for big ideas and public policy. Canberra in April awarded the same French defence contractor, DCNS, an A$50 billion (US$38 billion) contract to design and build 12 next-generation submarines. It is speculated that the exposé could have been the consequence of corporate espionage, as competition is fierce in the global military sweepstakes. Variants of the DCNS Scorpene operate with the Malaysian and Chilean navies and will also be deployed by Brazil from 2018. The uploaded sets of documents contained the entire design plans, specifications and stealth capabilities of the Scorpene, as well as detailed operating instructions for its underwater warfare system; also revealed was the range of technical specifications of the sonars, and the bearings and frequencies at which they would function. Almost the entire Operating Instruction Manual has been detailed, with explanations on target selection for weapon configuration and firing, among a host of critical minutiae. Of the leaked information, 6,841 pages elaborated on
the submarine’s communications system, 4,457 pages on its underwater sensors, 4,209 on its above-water sensors, 4,301 on its combat management system, and 493 on its torpedo system. Bared also were the diving depth ranges; magnetic, electromagnetic and infrared data; the frequencies at which the submarine gathers intelligence; requisite speeds and conditions for use of the periscope; noise specifications of the propellers; radiated noise levels when the submarine surfaces; noise levels at various speeds; and the locations where the crew can speak to avoid sonar detection. The Australian reported it had been informed that the secret data were stealthily drawn from DCNS by a former sub-contractor in 2011 and taken to a private company in Southeast Asia before being passed on to a branch of that company in a second Southeast Asian nation. A compact disc containing the data was then posted by regular mail to a company in Australia. Evidently taken aback, Indian authorities downplayed the incident, affirming that it did not compromise national security, as such information was available on “many naval defence websites”, The Australian had blacked out vital factors, and besides, numerous parameters had been modified since 2011 in the submarines under construction. While it is not unusual for parameters to be altered at the behest of customers, at
times within a series production, with follow-on vessels being finer tuned and more streamlined, a comprehensive disclosure such as The Australian’s undoubtedly conveys confidential information and cannot be belittled. Such sensitive data would not be obtainable in the public domain, and they would not be publicised by any credible website guided by professional ethics. Much similar information very likely rests with various media agencies worldwide, but they would be circumspect in revealing it. There is also the question of what Canberra’s reaction would have been had an Indian paper carried detailed descriptions of Australia’s own submarine programme or its two 27,800-tonne Canberra-class Landing Helicopter Docks (LHDs), also known as amphibious assault ships. The two LHDs, HMAS Canberra and HMAS Adelaide, were commissioned in November 2014 and December 2015 and were constructed for the Australian Defence Force (ADF) at a cost of $2.9 billion. To be jointly crewed by personnel from the three services, they will provide one of the most capable and sophisticated air-land-sea amphibious deployment systems in the world, each able to land a force of over 2,000 personnel by helicopter and watercraft, along with all their weapons, ammunition, vehicles and stores. Design and construction
were by Spain’s Navantia, while BAE Systems Australia, a subsidiary of BAE Systems plc and the largest defence contractor in Australia, was the prime contractor. Navantia’s Ferrol-Fene shipyard in north-west Spain constructed the hulls to the level of the flight decks, including the majority of fitting out, and the island structures were installed at BAE Systems’ Williamstown shipyard in Victoria. Though he said that the leak was “of concern”, Australian Prime Minister Malcolm Turnbull specified that the Indian Scorpene was a different model from the one Australia was buying. “The submarine we are building or will be building with the French is called the Barracuda, quite completely different submarine to the Scorpene they are building for India,” he told Channel Seven. “We have the highest security protections on all of our defence information, whether it is in partnership with other countries or entirely within Australia.” According to DCNS, the 97-metre, 4,000-tonne Shortfin Barracuda Block 1A, designed specifically for the Royal Australian Navy, is “the world’s most advanced conventionally-powered submarine”, with state-of-the-art signature reduction technology, pump-jet propulsion replacing ‘obsolete’ propeller technology, retractable hydroplanes minimising drag and noise, and the most powerful sonar ever produced for a conventional submarine. Quick-access tech insert hatches, moreover, allow upgrades to be carried out easily. As with issues of this nature, India’s Defence Minister Manohar Parrikar asked the Chief of Naval Staff (CNS), Admiral Sunil Lanba, to have the extent of the leak examined. Maintaining that any information lapse is viewed very seriously by the Indian Navy, the CNS pointed out that DCNS had been asked to launch an urgent investigation into this.
“Detailed assessment of the potential impact is being undertaken at Integrated Headquarters, Ministry of Defence (Navy), an analysis is being carried out by concerned specialists, and an internal audit of procedures is also being undertaken to mitigate any probable security compromise,” he indicated. India has also taken up this matter with the Director General of Armament of the French government, with the request to investigate with urgency and share its findings with India. “It is not a leak, it is theft,” a naval official affirmed. “We
have not found any DCNS negligence, but we have identified some dishonesty by an individual.” The matter is also being pursued with other concerned foreign governments through diplomatic channels to verify the authenticity of the reports. DCNS took the issue to the Supreme Court of New South Wales, which directed The Australian to withdraw the documents published on its website, to provide DCNS with all related documents in its possession and to desist from publishing any additional documents. “Confidentiality of information and communication is a matter of utmost importance and DCNS welcomes this decision of the court,” a DCNS statement mentioned. “In parallel to this action, DCNS filed a complaint against unknown persons for breach of trust, receiving the proceeds of an offence and aiding and abetting before the Paris Public Prosecutor.” The French contractor is understandably worried. Apart from having set up its subsidiary, DCNS India Pvt. Ltd, in Mumbai for the Scorpene construction, it is now establishing another fully-owned subsidiary to produce air-independent propulsion (AIP) technology for its submarines. It has submitted its proposal for this to India’s Foreign Investment Promotion Board (FIPB). DCNS, after all, is seeking to bid for the lucrative $8.06 billion (possibly $12 billion) Project-75(I) contract for the construction of six new-generation stealth diesel-electric submarines, which is eliciting wide interest among shipyards both at home and abroad. Defence-oriented enterprises, which have invested heavily in creating and expanding their warship-building facilities and competencies, are preening themselves for the competitive bidding for the tender, which requires the submarines to be built in India at an identified shipyard, in the public or private sector, assessed to have the potential to build modern conventional submarines.
It remains to be seen whether DCNS will be countenanced for the tender by the Indian authorities following this disastrous leak. The Indian Navy has already scotched all previous speculation that construction of three more Scorpenes would be contracted out to DCNS.
INVITATION
EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR
5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com
MySecurity Media will manage all logistics, such as flight/hotel bookings for the visiting delegation. 2015: 7,807 Visitors & Delegates 2017: 300 Exhibitors
Some of the main topics:
• IoT, cybersecurity, big data analytics
• Biometrics
• Genetic & synthetic biology
• Safe cities
• Robotics
• Unmanned/artificial intelligence
• Face recognition
• Forensics
PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE:
Email: interpol_world2017@mysecuritymedia.com Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators. Visitor profiles: www.interpol-world.com/visiting
“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” -Ian Readhead, National Police Chiefs’ Council, UK
Express interest in joining us at this exclusive event: interpol_world2017@mysecuritymedia.com
International
Shipping companies are under attack! In the new era of cybersecurity and cyberwarfare, many shipping companies fare poorly when it comes to taking on cyber warriors. Laxity is no excuse: it causes huge financial losses, and shipping companies do not know what they are up against. Jaya Prakash files this story from Singapore.
By Jaya Prakash
A new threat is confronting the globe's shipping industry, and it is not piracy anymore. Just when everybody thought that piracy was gone for good, what the world's leading shipowners least anticipated was the danger arising from the very information technology (IT) systems that had kept them connected to their customers and agents. Ignorance is no longer bliss. Shipping companies, port operators, ship managers and shipping agencies had better know what the digital age of computer networks, iPhones, iPads and smartphones has wrought, and the havoc it can wreak. Devices purportedly invented to make life better for all of humankind are perhaps an 'enemy' far more sinister than anything the shipping fraternity has been used to. Not even the Somali pirates who once terrorised commercial shipping have come close to what the double-edged sword of the Internet now presents. "Digital technology has unleashed some bewildering crime," Vincent J Loy, a partner and Financial Crime, Cyber and Data Analytics Leader at PwC Singapore, told MySecurity.com. With the globe more interconnected than ever before, what was once somebody else's problem is no longer so. Now it is everybody's concern, because what the Internet has done is connect us all to criminals, terrorists and stalkers in the far-flung regions of the globe, and the security we once took for granted in our own homes and backyards will now have to be traded for the uncertainty the Internet age brings. As more and more devices and a rising number of companies go online, they become ripe, tempting targets for attack and coercion, and maritime companies had better know they have weaknesses hackers can exploit with impunity. To be sure, hackers have been rife. Just ask Google about its experiences in China and the answers will come thick and fast. Not only did hackers once compromise the safety of a floating rig by tilting it off the coast of West Africa, but what happened in the Belgian port of Antwerp, widely reported in newspapers, with hackers filching containers, takes the whole scheme of hacking and phishing to an entirely new level. And if that was not enough, hackers have also helped Somali pirates choose their targets. They did this by
compelling ships to fake their navigational data, throwing the crucial spotting mechanism of the AIS tracking system, which shipping companies rely on to locate ships on the open ocean, completely off the rails. Taken to extreme lengths, such hacker activity could plausibly even allow the free and unhindered transport of contraband cargo like nuclear material, a prospect that Iran and rogue nations like North Korea would relish, because for once there is a new-found way to circumvent sanctions.
It Is An Interconnected World
"Cyber is connected to the world and we are highly dependent on the Internet," exclaimed a panelist on Singapore's Channel News Asia (CNA) during a prime-time talk show televised on 14 September. That dependence has come with a double-edged sword, as it now appears. Cyber criminals rake in some US$150 billion annually, CNA heard on the day of its talk show, which helps explain why cyber crime continues unabated with little or no known way to tackle it resolutely. Encryption may be an option, but just how viable an option it is has never been distilled enough. Globally, the Reuters wire service estimates that cyber attacks against oil and gas infrastructure will cost energy companies up to $1.9 billion by 2018. What is worse, the British government has tabulated that cyber attacks already cost UK oil and gas companies some 400 million pounds (US$672 million) annually. Still, if there is something truly worrying about it all, it is the size of vessels shipowners have assigned themselves, which, far from being merely a commercial imperative, is fraught with security implications.
With a growing tendency to build larger than usual vessels to save on fuel and operating costs, the global shipping industry is creating a new set of problems while resolving another. Smaller crews with a heavier than usual reliance on software for navigation and operational needs mean the risk escalates to the degree that a vessel's software is left unsecured yet relied upon heavily by its crew. As matters stand, with technology running every mite of a ship's operation, from the loading of cargo to plotting its
navigation across oceans, nothing perhaps is left to chance. Compounding an already tenuous situation is the reluctance shipowners exhibit in reporting security lapses, whether for fear of adverse publicity or of raising alarm among their stakeholders. What is worse than imagined is that software weaknesses in the maritime universe could be used to cause ships to malfunction or even run aground, according to research from the global information assurance firm NCC Group. They have revealed security vulnerabilities in ECDIS (Electronic Chart Display and Information Systems), an information technology product used by the shipping industry. These systems are usually installed on ships and used by navigation officers. The real danger is that the increased use of computer systems for navigation, container inspection, rapid unloading, distribution of goods and handling of goods at ports can easily be exposed to cyber threats if no proper security controls are implemented.
No solution for now...
There are just two kinds of scenario confronting those living under the cyber sword of Damocles: one is the nagging perception of threat estimates, and the other is how to stave off that threat and remain as safe as one can. Because security and attack scenarios against technologies and protocols have been ignored for too long in the maritime industry, the problem has persisted just as long. Windward, an Israeli firm that analyses AIS data, found a rising number of ships 'afflicted', whether for security or financial reasons, smuggling or plain pirate attacks. A particular U.N. report was especially scathing. It alleged that North Korean efforts to procure nuclear weapons were aided by compromised AIS data, and that one ship carrying concealed cargo turned off its AIS signal to disguise and conceal its trip to Cuba.
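The AIS abuses described above, faked positions and transponders switched off, are exactly what analysis of the AIS feed can surface, because a ship cannot physically teleport and a merchant vessel that stops reporting for hours is worth a second look. The following is an added example written for this page, not code from Windward, NCC Group or any other firm mentioned in the article. It assumes the position reports have already been decoded from the NMEA sentences into MMSI, timestamp, latitude and longitude (decoding the 6-bit AIS payload is out of scope), and the 40-knot plausibility ceiling, the 3-hour silence threshold and the sample track data are all constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

MAX_PLAUSIBLE_KNOTS = 40.0          # assumption: no merchant vessel sustains more than this
MAX_SILENCE = timedelta(hours=3)    # assumption: a longer gap between reports counts as "going dark"
EARTH_RADIUS_NM = 3440.065          # mean Earth radius in nautical miles


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def analyse_track(reports):
    """reports: iterable of (datetime, lat, lon) for ONE vessel, any order. Returns a list of findings."""
    findings = []
    track = sorted(reports)
    for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
        gap = t1 - t0
        hours = gap.total_seconds() / 3600
        if gap > MAX_SILENCE:
            findings.append({"kind": "dark", "from": t0.isoformat(), "to": t1.isoformat(),
                             "hours": round(hours, 1)})
        if hours <= 0:
            continue                                    # duplicate timestamp: speed is undefined
        knots = haversine_nm(la0, lo0, la1, lo1) / hours
        if knots > MAX_PLAUSIBLE_KNOTS:
            # Two reports that imply an impossible speed: one of them is spoofed, or two ships share an MMSI.
            findings.append({"kind": "teleport", "at": t1.isoformat(), "implied_knots": round(knots)})
    return findings


def analyse_feed(records):
    """records: iterable of (mmsi, iso_timestamp, lat, lon). Returns {mmsi: findings} for flagged vessels only."""
    tracks = defaultdict(list)
    for mmsi, ts, lat, lon in records:
        tracks[mmsi].append((datetime.fromisoformat(ts), lat, lon))
    flagged = {mmsi: analyse_track(track) for mmsi, track in tracks.items()}
    return {mmsi: f for mmsi, f in flagged.items() if f}


SAMPLE_FEED = [  # constructed decoded position reports, not real traffic
    ("123456789", "2016-09-14T00:00:00", 1.20, 103.80),
    ("123456789", "2016-09-14T01:00:00", 1.30, 103.80),   # ~6 nm in an hour: an ordinary transit
    ("987654321", "2016-09-14T00:00:00", 1.20, 103.80),
    ("987654321", "2016-09-14T00:10:00", 6.20, 103.80),   # ~300 nm in ten minutes: faked position
    ("555555555", "2016-09-14T00:00:00", 1.20, 103.80),
    ("555555555", "2016-09-14T07:00:00", 1.90, 103.80),   # seven hours of silence, then reappears
]


if __name__ == "__main__":
    for mmsi, findings in analyse_feed(SAMPLE_FEED).items():
        for finding in findings:
            print(mmsi, finding)
```

In practice the thresholds would be tuned per vessel type, and a "dark" finding near a port or in a known poor-coverage area is often benign, so the output is a queue for an analyst rather than a verdict.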
If ever there is something to be done, and done urgently, it ought to begin with a revolutionary change in mindset and training priorities in all shipowning companies, not just the big ones. More investment has to be assigned to blocking hackers by denying them access, however ubiquitous they may be. The measures can range from continuous cyber security assessments to evaluate incident response capabilities, to detecting whether an active breach is in progress, to keeping the company security conscious. Perhaps an ideal recommendation is to borrow a leaf from the hacker's own book and be deceptive rather than predictable. The mere fact that most organisations look to automation to assist their cyber security defences gives hackers valuable leads on when they can raid a company's networks. Scans at the same time every week, patches once a month and assessments once a quarter or once a year are just what a hacker needs to plan a raid. The idea, therefore, is to keep changing the routine of such housekeeping measures (vary when they run, not whether they run), keep the hacker guessing and thereby force him to give up. Jaya Prakash can be reached at prakruby@hotmail.com
Corporate Security
What really happened? Why it’s so hard to get the truth when investigating an incident
By Tony Campbell ASM Correspondent
Something that all incident responders need to be reminded of is that people lie. When you start to look into the root cause of a security breach, there will almost certainly be times when you ask questions of certain users, administrators and even external agents, and the answers are intentionally less accurate than they could be. Let’s take a look at a few of the reasons why this happens and ways you can cut through the lies and get to the truth of the matter.
Start with the Helicopter View…
When the red lights start flashing and the warning klaxon sounds, the incident manager sweeps in and starts gathering information about what happened, who it happened to and what’s been affected by the ‘event’. They start by figuring out who was doing what when the problem was first detected, usually by asking simple questions like who was accessing the account that’s been compromised, or finding out whether any new software (changes) had been rolled out to the affected systems. The details that the incident manager gets in these very early stages of the process are then used to frame and characterise the attack, which can then be used to find further clues that may lead to solving the case. This is where the problems can start. If a priority 1 incident has kicked off as a result of an administrator not doing something they should have done, or because a user has plugged in that USB thumb drive they found in the car park, their first reaction will be to lie to protect themselves. “Have you plugged anything foreign into that PC?” you say. “Ummmm, nope,” they reply, casually glancing at the door and scratching their nose. To coax people into telling the truth, try a different line of questioning, perhaps starting with some irrefutable evidence from the systems that they won’t be able to deny. So, instead of saying, “Who’s put a dodgy USB drive in our computer system?”, you could find out who was logged in at the time the incident kicked off and tell them that attackers have been targeting businesses with USB disk drops, and that you’re looking for that user to help in the investigation and to assist in determining how the attackers are targeting the business. This makes them feel part of the solution; instead of feeling guilty they feel empowered to help fix the problem and ensure others don’t end up in the
same situation. Getting the widest possible viewpoint of the situation, taking that helicopter view, will help you look at the problem from another perspective, which in itself can help lead to the root cause. Call in a variety of subject matter experts to look at problems from different perspectives, since each of those viewpoints will yield its own special kind of intelligence for your investigation. A typical scenario might be that an administrator sees an unexpected spike of network traffic from a soon-to-be-retired server. If you know this, you can then go and grab the logs from that server and get one of your analysts to start looking for more clues. Generally, you should try to have a subject matter expert on the incident management team explore each of the viewpoints relating to the incident (network, servers, firewalls and other security systems, etc.), keeping their investigation as broad as possible at first rather than jumping down the rabbit holes they discover.
Spot the Difference: Observation or Assumption
The incident manager has to be able to distinguish between facts and assumptions. Assumptions are ideas or conjectures that are often stated as fact, rather than corroborated truths with proofs. If a lazy administrator says, “The attacker has clearly exploited a vulnerability in the firewall,” then once this is committed to the incident management team it is treated as a fact. As a conjecture, however, it profoundly distorts the investigation, focusing team effort on the wrong attack vector. If you hear “facts” like that being stated by engineers and subject matter experts in particular applications or systems, dig into the proofs each time to see why they are stating this as fact. Evidence requires proof that it is genuine, so look for that evidence and take no one’s word as gospel.
Spot the Difference: Observation or Hearsay
Have you heard of Chinese whispers? Most of us have at one point in our lives played the kids’ game where a sentence is whispered to the next person in a row, and when the message gets to the end of the row that kid states what they thought was passed on. It’s often an extremely distorted version of what was originally said, especially as the chain gets longer as more kids join in. This also happens in businesses. If a couple of engineers get together, let’s say a desktop engineer and an IPS manager, what the IPS manager tells the desktop engineer may sound like a load of nonsensical security speak. However, an incident has just kicked off across the desktop fleet and the desktop engineer repeats to the incident manager some of the misunderstood nonsense he picked up from the IPS guy. This could turn an innocent false positive the IPS manager was investigating into what the desktop engineer considers the root cause of the issue, which will invariably waste a lot of incident management time before it’s called out as a red herring. Incident managers must always distinguish between first-person observations, like “I read the log file and found…”, and hearsay, “Eric said he discovered … in the log file”. Don’t trust anything passed to you that might be hearsay: track down the source and check it.
Spot the Difference: Observation or Hypothesis
Sometimes, when people are careless or untrained in certain situations, they find it hard to distinguish between what they saw and a conceptual construction of what they think they saw. In the example of the desktop engineer and the IPS guy, the desktop engineer has taken what he thought he understood and, rationally in his mind at least, deduced that he now knows what the problem is. But that's an assumption. This can also occur when someone thinks that maybe there’s a flaw in the desktop and then proceeds as if that were true without testing the hypothesis. “So, this desktop vulnerability can be exploited by this kind of magic packet attack, which the IPS guys have already seen today, so we need to quickly patch all these right now to fix the problem.” This is, of course, a ridiculous example, but you can see the importance of cutting through the assumptions and looking instead for real eyes-on observations of fact. Observation wins every time over a pseudo-expert’s hypothesis, especially as these engineering types can be so convincing. Maybe it’s a good thing to patch the desktops later anyway, but it doesn’t follow that it’s the priority you need to consider right now in the middle of managing this incident.
Use a Hypothesis, Challenge it and keep Challenging it
People often think in absolutes, with their perception of the facts bounded by their own limited knowledge. Furthermore, people are often willing to accept the null hypothesis, happy that there’s nothing there, without knowing for sure. Rejecting the null hypothesis does not prove that a specific alternative hypothesis is correct; the evidence merely narrows the range of reasonable hypotheses we can use to dig further into the case. We tend to come up with explanation after explanation until what’s left is a smaller set of explanations, but that does not mean that one of them has to be right.
Scientists will tell you that they can never prove an absolute truth but that they currently, within the boundaries of what they know, have no evidence to the contrary. Conclusion Incident management is hard. But the job is often made harder by facts being skewed by conjecture, people’s unwillingness to admit when they did something stupid or when they don’t want to look like they don’t know what they are talking about. You need to find ways to cut through the hearsay, conjecture and lies if you are going to resolve an incident in a timely manner. Sometimes in cybersecurity, it’s more about the people than it is the technology.
Chief IT | 29
Corporate Security
Digital technology vs national security threats
By Josh Kennedy

It’s no secret digital technologies have changed everything. These were once just predictions of the future. Now their rapid emergence onto the market means that governments, businesses and citizens expect high-speed, secure access to the Internet, 24x7 online services and near-instant global sharing of information as the norm. It’s exactly this enthusiastic embrace of digital technologies that is not only powerfully represented in the 289 million Twitter users and nearly one-and-a-half billion Facebook accounts, but also offers a new route to exploitation by threat groups. From extremism, to foreign state espionage, cyber threats, or proliferation activities, the use of online means to recruit and task vulnerable citizens is adding an unwelcome burden to the high-pressure workload of national security agencies. This is why it is more vital than ever to stay one step ahead of security threats through a paradigm shift in the core operating model of these government agencies. Traditionally, national security agencies knew what data they needed and where to find it. Today, gaining real-time insights from a large, fragmented and ever-changing pool of data is like looking for a needle in a haystack—one that is expanding at an ever-increasing pace. Current approaches to the collection, analysis, development and use of intelligence from open-source information (including social media, websites, blogs, online news, Web fora, and similar) are quickly becoming outdated as technology evolves at breakneck speed.

What’s changing?

Today, national security agencies’ operational advantages are at risk from rapid advances in technology. Further, the maturity of opponents’ technical security tradecraft, and the struggle to keep up with these advancements, is omnipresent across all regions of the world. Violent extremists have operational security (OPSEC) manuals and even a 24-hour help desk to aid in the worldwide recruitment and conduct of terror, an unprecedented and frightening prospect. Following the San Bernardino attacks that left 14 people dead, it was reported that authorities had failed to detect social media posts sympathetic to violent jihad on one of the killer's accounts during the immigration screening processes. Whilst a task such as immigration screening may seem instinctive for officers in such a role, without the time or resources for deep and accurate analysis of every case that arises, the ability to use advanced analytics to integrate covertly-acquired intelligence with open-source information becomes a highly limited proposition for national security agencies. Governments are slowly but surely becoming aware of the increasing difficulty in combating digital threats, and recognise that a cross-agency picture is required. The Australian Strategic Policy Institute (ASPI) has echoed this and recommended the harnessing of communication, marketing and social media experts to fight new propaganda challenges. They’re also investing AUD $21 million to build a stronger social media counter-narrative capability. But where the disruption to market is so high and the outcome of not acting can be so devastating, the call to action must go beyond recognition and awareness alone. Governments need to enhance their capability to tackle traditional threats through smart investment in digital technologies to develop a rapid response that either prevents future incidents or more effectively responds to those already underway.

What can be done about it?

Step 1. Use digital technologies to enhance information-sharing and collaboration

Public safety technology can supplement existing approaches to information-sharing and collaboration to accelerate and enhance intelligence. Advanced digital and collaborative tools enable national security agencies to preempt threats, target violent extremists, and counter extremist narratives online. The ability to collect, analyse and develop actionable intelligence from data shared between multiple agencies significantly increases capabilities without the need for additional resources. Using digital tools to share such data can elicit a response more effortlessly, securely and effectively than by sending and receiving unstructured text requests. Matching data models, ontologies and taxonomies, as well as the auto-processing of data and the use of joint analytical tools, can greatly increase the speed and scope of information-sharing. Taking advantage of secure, private cloud solutions can enable national security agencies to benefit from a larger, consolidated pool of data (as appropriate under law) to identify threats or avenues of enquiry.

Step 2. Seize digital transformation opportunities

There is no single solution to combat existing and emerging threats, but by using the same emerging technologies that opponents are using, national security agencies can enhance operational effectiveness. Islamic State is currently using social media to reach out virtually to promote and recruit nationally and internationally and to collaborate with potential future members. With 46 per cent of social media users actively discussing news items online, it is easy to see why digital makes an attractive radicalisation platform. But this vast data pool can be exploited by national security agencies, too. Historically, no-one questioned the effective analysis of call data records; today, social media and other digital and online sources of information are being assessed as ways to inform predictive policing or intelligence activities in the future. Applying public safety technologies that make use of a wide range of content analytics (including sentiment analysis, word analysis, opinion mining and natural language processing) to open-source information can help prevent and detect threats. National security agencies operate in a digital world where vast amounts of relevant information reside in the public domain. It is not a case of whether to use any or all of a range of public safety technologies—but rather how to employ them in the right way to manage the growing diversity of both threats and data. By being proactive and innovative in their usage of data and by adopting new digital technologies, government leaders can support safe and secure nations and enhance national prosperity for the benefit of all.

Joshua Kennedy White is Accenture Australia’s Intelligence & Homeland Security Lead.
Worrying statistics Inaugural cyber security survey for Australia
While it’s natural to assume large companies with large revenue streams would have the right measures in place to protect their assets, preliminary results from BDO Australia’s inaugural cyber security survey prove otherwise. In a first for the industry, BDO has teamed up with AusCERT, the Australian cyber emergency response team, to conduct an in-depth industry cyber security survey – the outcome of which will help the market understand the challenges businesses and organisations face in the online world. Following some recent high-profile cyber-attacks, more and more companies are now being urged to be extra diligent with their cyber security and put the right measures in place to protect their intellectual property and assets. However, what was most astounding from the recent survey results was the number of Australian businesses that aren’t protected, with nearly 85% of companies with a gross revenue greater than $1 billion fully exposed to cyber-risk. These are worrying statistics given that cyber-attacks and data breaches are a very real concern and the implications for businesses of this scale can be catastrophic. It also shows that cyber security insurance is very much still on the agenda. The good news is, protecting your business is certainly not an unmanageable process and those businesses that are prepared are the ones that will prevail should a cyber-attack ever occur. Preparedness comes in a range of forms, and when protecting assets, insurance is the logical fallback. While purchasing insurance could act as a security blanket for your board and executive, it’s imperative to determine to what extent cyber insurance is required for your business.
With that in mind, here are six simple steps you should take to better understand your cyber risks and determine whether you need cyber insurance for your business.

1. Perform a risk assessment of your environment to understand your current cyber risks

The first thing decision makers need to be clear on is identifying the company’s critical systems and data information assets and understanding who—in terms of cyber criminals or hackers—would be interested in them. You cannot be expected to understand what level of protection you need if you are not clear about which assets may be vulnerable.

2. Quantify these risks and model the potential impact this will have on your business. For instance, what is the financial impact to your business if you experience a cyberattack you can’t defend?

Once you have completed the first step, you should then start to consider real implications. Ask yourself what the implications would be if the information in those systems were under the control of cyber criminals. Once you understand the implications it gives you a much clearer picture as to what the risks associated with those assets are. You then need to assess the cyber security controls for your critical assets and determine whether these are working effectively. This will highlight the risk exposure you have for those assets. Using risk modelling techniques, such as Monte Carlo simulations, you can then model and quantify the financial impact this will have on your business if not remediated.
3. Evaluate risk exposures and assess whether you are comfortable with the level of risk to your business, or whether you need cyber insurance to cover it

For example, are you comfortable with the financial impact to your business or do you need insurance to cover this risk? Here is the real pinch point in deciding whether cyber insurance is the right thing for your business; you are now at a point where you can evaluate the risk exposure. For example, what will the costs be to respond to and recover from a data breach in one of your critical systems versus remediating or implementing stronger security controls to better protect the asset and the data records? This cost-benefit analysis needs to be repeated for all those risks and assets where there is a risk exposure, to understand whether implementing stronger cyber security defences outweighs the cost of insurance to cover the risk. So, once you understand the cost to remediate versus insurance costs, your key decision makers need to assess the level of risk against the investment required to manage the risk exposure.

4. Implement a security risk remediation program to close the gaps you want to address

Remediating the risk exposure is highly recommended, as this will allow you to establish better defences against cyber attacks, as opposed to only getting cyber insurance. This approach will allow you to be better prepared in the long run. Some of the key activities in a remediation program should include:
• Implementing stronger security controls and defences for your critical assets, e.g. applying the latest security patches, enforcing stronger passwords, and implementing web application firewalls
• Implementing security monitoring to detect security incidents on your critical assets early
• Establishing a cyber incident response capability to allow you to rapidly respond to, and recover from, cyber incidents
• Providing targeted cyber security awareness and education to your staff.

5. Evaluate cyber insurance policies for those risks that you cannot remediate and select an appropriate policy to provide the cover you need

For those risks that are difficult to remediate, or where you want to include additional risk management strategies, you can meet with your insurance broker or insurance provider to understand the level of cyber insurance cover you need. It is important to evaluate and conduct proper due diligence on the insurance policy to ensure it provides the cover you need. This evaluation should, as a minimum, include reviewing:
• Entities covered, especially if you are a large corporate group. Does it cover only the group or all of its subsidiaries?
• Types and breadth of the cover offered. Does it cover both first and third party breaches?
• Cover provided. Does it provide worldwide cover or is it limited to Australia only?
• Incident response and remediation costs. Does it cover the costs of getting external assistance to respond to the incident, your legal costs, or regulatory penalties or fines?
• All special conditions and exclusions included in the policy statement.

It is also important to look at a number of cyber attack scenarios to see how the insurance policy will respond, e.g. will the policy provide you the required cover for data breaches at your cloud provider? Will the policy provide cover for a Denial of Service attack? Will the policy provide you cover for a Ransomware attack? Looking at all the cyber-attack scenarios that will be applicable to your organisation in relation to the policy will allow you to validate that the policy and cover are appropriate for your business.

6. Implement and validate your cyber incident detection and response processes to allow you to respond to cyber incidents when they happen

As a final step, it is important that you have appropriate cyber incident detection and response processes in place. This extends further than just having an incident response plan in place, to testing and rehearsing your incident response plan across the organisation. This will ensure everyone in the organisation knows their role and responsibilities in detecting and responding to a cyber incident. It is recommended that this is done at least on an annual basis or whenever a new or critical system or business is added to your environment, to make sure the process is current and effective. If you’re interested in understanding more about cyber insurance and some of the trends we see in the industry, stay tuned for more survey results, which will be released soon.
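To make steps 2 and 3 concrete, here is an added worked example in Python (not BDO's or AusCERT's model; every figure in it is a constructed assumption): a Monte Carlo simulation that quantifies the annual loss for one critical asset and then compares the expected yearly cost of accepting the risk, remediating it, or insuring it.

```python
"""Monte Carlo cyber-risk quantification for one critical asset.

Added illustration of steps 2 and 3 above: quantify the risk, then compare
remediating it with insuring it. Not BDO's or AusCERT's model; the loss
model and every number below are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskScenario:
    """Loss model for one asset: incidents per year are Poisson distributed,
    the cost of each incident is lognormal (many cheap ones, a fat tail)."""
    incidents_per_year: float   # expected number of successful attacks per year
    median_loss: float          # median cost of one incident (AUD, constructed)
    sigma: float                # lognormal spread; 1.0 gives a heavy tail


@dataclass(frozen=True)
class InsurancePolicy:
    """Simplified annual-aggregate policy (constructed terms)."""
    premium: float              # paid every year whether or not you claim
    deductible: float           # loss you carry yourself each year before cover starts
    limit: float                # most the insurer pays in one year


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario: RiskScenario, years: int, seed: int = 1) -> list:
    """Simulate `years` independent trial years; return each year's total loss."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss)  # lognormal median == exp(mu)
    losses = []
    for _ in range(years):
        count = _poisson(scenario.incidents_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(count)))
    return losses


def percentile(values: list, q: float) -> float:
    """Empirical q-quantile (0 < q < 1) of a list of annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarise(losses: list) -> dict:
    """The numbers a board will ask for: expected annual loss and the tail."""
    return {
        "expected_annual_loss": mean(losses),
        "loss_at_95th_percentile": percentile(losses, 0.95),
        "worst_simulated_year": max(losses),
    }


def cost_with_insurance(annual_loss: float, policy: InsurancePolicy) -> float:
    """What the business still pays in a year: premium plus the uninsured loss."""
    covered = min(max(annual_loss - policy.deductible, 0.0), policy.limit)
    return policy.premium + annual_loss - covered


def compare_options(current: RiskScenario, remediated: RiskScenario,
                    annual_remediation_cost: float, policy: InsurancePolicy,
                    years: int = 20000) -> dict:
    """Expected annual cost of accepting, remediating or insuring the risk."""
    baseline = simulate_annual_losses(current, years, seed=1)
    after_fix = simulate_annual_losses(remediated, years, seed=2)
    return {
        "accept_risk": mean(baseline),
        "remediate": annual_remediation_cost + mean(after_fix),
        "insure": mean(cost_with_insurance(loss, policy) for loss in baseline),
    }


# Constructed example: a customer database with weak controls today ...
CURRENT = RiskScenario(incidents_per_year=0.3, median_loss=2_000_000, sigma=1.0)
# ... and the same asset after patching, MFA and monitoring (step 4).
REMEDIATED = RiskScenario(incidents_per_year=0.05, median_loss=2_000_000, sigma=1.0)
# Constructed policy terms for comparison.
POLICY = InsurancePolicy(premium=250_000, deductible=250_000, limit=5_000_000)

if __name__ == "__main__":
    print(summarise(simulate_annual_losses(CURRENT, 20000)))
    print(compare_options(CURRENT, REMEDIATED, annual_remediation_cost=400_000, policy=POLICY))
```

Because the severity distribution is heavy-tailed, the 95th-percentile year is several times the expected annual loss; that gap is the figure to put beside the policy limit when reading a quote.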
Cover Feature
Artificial Intelligence & Cybersecurity: Scaling up for the Internet of Things
By Chris Cubbage, Executive Editor

The world may only get one chance at making IoT, the Internet of Things, actually work. No one knows where this technology is ultimately headed. Had the Internet’s originators in the early 1960s taken a glimpse into the year 2016 and attended the NetEvents IoT and Cloud Innovation Global Summit at Saratoga’s Mountain Winery, a relatively short drive from the Stanford Research Institute (SRI) where the first Network Working Group meeting was held in 1968, I wonder how different the Internet may have been or how shocked they would be at the machine they have unleashed. We know that the Internet lacks ‘security by design’, and hence why security remains the fundamental element of how we safely enable the unfolding IoT revolution. According to Dr. Glenn Ricart of US Ignite, a not-for-profit organisation born from the White House Office of Science and Technology Policy and the National Science Foundation, “we are entering the time when we take the Internet away from humans and hand it over to machine controlled ‘things’.”

Kathryn Hume heads up Fast Forward Labs, a specialist advisory firm operating across a range of industries including insurance, publishing, finance, media, and government on data product development, technology, and culture. Kathryn opened the two-day program by walking through the work they’ve done in natural language generation and deep learning in image analysis and text summarisation. As Kathryn impressively noted, the real impact of today’s technology lies in ‘making complex data simple’, and the focus needs to extend beyond just the hype and find true, but often hidden, value. There is a long way to go.
One shining light being shone on the security dilemma, though, is the application of Artificial Intelligence (AI) to solving the security challenges of today, and hopefully tomorrow. There are between 5 and 10 startup companies being created each week in Silicon Valley, California within the domain of AI, each focusing on the almost limitless applications across every industry. Stuart McClure, founder and CEO of Cylance, has moved security applications beyond programming and, in what is hyped to be a game changer, is teaching security systems to predict, prevent and detect cyber threats. Somewhat similar to the early application of actuarial science, Cylance is applying AI in the form of pre-execution algorithms to prevent, detect and respond to malicious code and anomalous online behaviour. As McClure points out, “if it’s blocked we don’t care and if it’s not blocked we want to understand why it wasn’t blocked.” Then Cylance sets out to replicate and improve, training itself to look automatically and instantaneously for features that are going to be indicative of good, bad and in between, using millions of signatures, features and behaviours to initiate unsupervised learning, then moving to supervised learning of all known clusters of bad profiles and continuing to extract features and classify between good and bad. The approach is to build security systems that achieve 99% prevention; of the 1% they can’t prevent they want to detect 99%, and then develop the response to 99% of that 1% - and so on. It sounds straightforward, and as this approach is applied on a massive scale, it is understandable why Cylance has emerged as one of the most effective cyber security companies on the internet. “Without AI, we can’t possibly scale to meet the demand,” McClure asserts. But even at full scale in the Internet of Things – is 0.0001% risk, or an adversary’s opportunity, enough to cause a major catastrophe?
To understand how AI is being applied, anyone who has raised children or trained a dog to fetch a ball will understand the concept. Kathryn and Stuart’s opening discussion helped simplify the requirements. “An average person will need to see three cats and be told each time it’s a cat before they will recognise a fourth cat, but for AI, the computer needs 50,000 cats to start to recognise a cat. But accessing the data, CPU power and bandwidth is getting better and therefore so will AI.” When Cylance is applied to 100,000 node networks the system immediately starts detecting and then reverse engineering existing malware attacks. Most traditional systems are detecting 40% compared to 99% for Cylance, and the closest competitor has only achieved 52%. So the choice appears clear. Despite my initial hesitations about the application’s market take-up, Cylance is making rapid and significant inroads, with Series D funding raising around $100M, taking it to a total of $177M. Current valuation is believed to be US$1.2B – putting Cylance into the unique ‘Unicorn’ category.

The most recent announcement has been from Wedge Networks, and the newly released Wedge Advanced Malware Blocker, or WedgeAMB, the first product in the Wedge Absolute Real-time Protection (WedgeARP) series of enterprise solutions. The WedgeARP series provides fully self-contained security platforms in the form of virtual machines that orchestrate real-time hyper-inspection engines. WedgeAMB applies Cylance’s AI technology to detect and block viruses and advanced malware, such as ransomware, at the network level, preventing them from entering enterprise networks. Combining Wedge’s hyper-inspection with Cylance’s machine-learning engine and WedgeIQ threat analytics, WedgeAMB promises to be a break-through in malware prevention. According to the Federal Bureau of Investigation, ransomware is on the rise in 2016, with one group estimated to have been paid over US$120M in just 6 months. Ransomware-as-a-service is now also available. Advanced malware and ransomware attacks also account for millions of dollars in lost productivity and theft by cybercriminals operating on a global scale to exploit endpoint devices with increasing levels of sophistication. Unless solved, this malicious activity will put IoT in serious jeopardy of being hijacked before it begins.

With millions of cyber-attacks occurring daily on networks around the world, cybersecurity seems the perfect area to apply AI. There remain just three key methods of cyber-attack: denial of service to cause failure, execution-based attacks and authentication-based attacks. “AI can be applied to all three in a very meaningful and effective way”, but as McClure notes further, “you just need the data and we are a long way from automatic classification in AI”. As we come to understand where this technology will take us, the battles will continue, as the IoT revolution unfolds alongside the growing sophistication of attackers. We are yet to see where this all takes us but it will be an exciting journey nonetheless.
NetEvents 2016 opening panel discussion - Kathryn Hume, Stuart McClure and Ovum's Paul Jackson
Figure: the connected-device pyramid, from top to bottom: smart devices, network connected devices, infrastructure devices.
Without security the Internet of Things is doomed and could kill millions!
A
By Chris Cubbage Executive Editor
36 | Australian Chief IT Security Magazine
re we setting up the Internet of Things to fail, and potentially with a massive and catastrophic consequences? Cybersecurity researchers Charlie Miller and Chris Valasek caused the recall of 1.4 million vehicles after hijacking the Chrysler Jeep’s digital systems over the Internet. The pair remotely hacked into the car and paralysed it on a highway whilst in traffic. They were able to disable the brakes, cause unintended acceleration and turn the vehicle’s steering wheel at any speed. Other vulnerabilities have been discovered in Tesla vehicles and more is reportedly yet to come. In late September 2016, Pharmaceutical firm Johnson & Johnson wrote to diabetic patients using one its insulin pumps advising that it was at risk of being hacked, after Jay Radcliffe, a researcher (and diabetic) with cybersecurity firm Rapid7 discovered he could access the communications between the pump and the RF frequency remote – in theory allowing a hacker to administer unauthorised injections. This follows rising concern on connected medical devices, with Kaspersky Labs revealing in February it had hacked into a hospital’s IT infrastructure and was able to access a MRI device. These selective examples in the automotive and healthcare sectors highlight the biggest focus areas in Information Technology (IT) coming together with Operational Technology (OT) and how security will remain the key to enabling or disabling the industrial tsunami unfolding in the form of the Internet of Things (IoT). When you consider the IT space, a majority of hacks are often abstract in their affect, such as lost or compromised data. But like the examples above, when you consider the type of industrial assets that you see in the OT space, they will invariably have a physical impact were they to be hacked. The impact of attacks against connected OT equipment
has the potential to impact on human safety, environmental damage and cause massive disruption in a way that we aren’t necessarily seeing on the IT side. OT security has a much different priority when you look at what we need to safeguard, as opposed to IT. According to Tom Le from GE Digital WurldTech, speaking at Structure Security in San Francisco, we can look at the entire universe of connected devices in the form of a pyramid. At the top of the pyramid is the typical end point devices that we all use, such as laptops, smart phones, with the security on these devices being ‘pretty good’, as long as the operating systems are regularly patched. In the middle of the pyramid we have the devices we may only use occasionally, such as the HVAC (heating, ventilation, air conditioning), smart lighting in the home, increasingly smart refrigerators and televisions, and connected cars. Then beneath these two layers, we have a wide array of devices that we don’t even notice but are everywhere because we tend not to interact with them, such as CCTV cameras, transport system nodes, power generation stations and manufacturing equipment. At this lower level, although we don’t see them, they will impact us should they be successfully attacked or compromised. The primary concern is that the devices at the top of the pyramid has good security but the other two areas have much less integrated security and as of today, the integrated security design reduces as you move down the pyramid. Air gapping between the operating system and the Internet has been touted as a workable solution but as Tom Le asserted, “this is potentially a myth and is certainly not the ‘holy-grail’ solution.” There have been reports that aviation Wi-Fi systems could be hacked via the entertainment Wi-Fi systems and the FBI has begun investigating these claims. Any industrial facility, be it a power plant, manufacturing
Cover Feature
facility or city management system, even if it was to ‘air-gap’ them off and say none of these assets are going to be allowed to be connected to the Internet, there will still be indirect connections. There are contractors coming in to the facility with transient assets such as their own mobile devices, laptops and a common vulnerability is a USB key, now a common attack vector. A recent highlight of this is Victoria Police are investigating malware infected USB devices being left in residential letterboxes. So even if we have assets that we don’t believe are connected to the Internet, they are very likely to remain exposed because of the indirect connectivity. Taking it one step further, the common prediction is that by 2020 we’re going to have between 20 billion to 50 billion connected devices to the Internet. Now we’re saying that even if you’re not currently connected or indirectly connected, the Internet of Things is going to seek to bring many millions of these industrial OT assets online so we can experience the benefits of innovation, efficiencies and analytic tools – but that’s a huge swing from where operators think they’re safe today to approaching the reality of the short-term future where we are going to see more and more connected assets that are being brought online. Even after 20 to 30 years of IT security, we are still trying to get it right and are still experiencing breaches on a regular basis. There is something in the news every day, every week and the breaches aren’t getting any smaller, from the Sony hacks (2011, 2014, 2016) to the Yahoo hack discovered last week, with up to 500 million accounts compromised – since as far back as 2012! We are still not getting it right. Ducks & Swans: IT Security does not apply to OT Security There are significant and fundamental differences between IT and OT assets, with the IT assets tending to have a very short life span, be it like the iPhone where every couple of years you change and get a new one. 
Or your laptop, which needs software patches or even a whole new OS installed and upgraded. We are willing to disrupt these small devices and go through a full system reboot, a patching process or a complete OS upgrade, including multiple reboots, and take the risk of annoying bugs yet to be fully ironed out. In stark contrast, OT assets have much longer operational life cycles, many around 15 to 20 years, with some traditional systems lasting as long as 40 years. Likewise, maintenance and upgrade windows are not a matter of minutes, hours or even days; sometimes an upgrade is a four to five year process. So the concept of applying an IT-style patching regime or endpoint security agents to the OT asset environment is very difficult, if not completely irrelevant and misleading.

The other critical aspect is that some of the systems operating within our critical infrastructure, particularly in power generation and transport, can no longer be updated at all, and a majority are obsolete. As an example, thousands of industrial facilities still operate on Windows XP hosts that underpin the management software for those facilities, and it has been some time now since Windows XP was supported at all. Patches must now be paid for outside the normal support channel and are subject to individual commercial agreements, and some companies may choose not to pay. Many of these systems are now experiencing the kind of malware that was eradicated on the IT side some time ago but is being re-propagated on the OT side. And even among the many factories and plants in operation, it isn’t possible to apply many of the patches that are available, because the risk of system change is greater than the risk of a cyber attack: any change or patch may not actually work and could bring down or compromise that critical asset.

So the strategy on the OT side needs to be built around containment and mitigation rather than remediation. In practice that means compensating controls around the unpatched host, such as network segmentation, restricted access and monitoring, rather than waiting for a patch that may never be safe to apply. Operational safety is paramount: human safety and operational availability are the two primary missions on the industrial side. The challenge is that it’s not just about cyber attacks either; in fact nearly 80 per cent of the problems in industrial assets are caused by misconfiguration rather than by a targeted attack. So the priorities we are accustomed to on the IT side, confidentiality first, then integrity, then availability, are effectively inverted on the OT side, where availability and safety come first.

The question is not if or how the two technical disciplines of IT and OT are to be melded; the reality is when this will occur. The two areas continue to converge. We already have 6.5 billion to 8 billion devices connected to the Internet, the majority of them at the higher end of the pyramid, but the fastest growing class of connected devices will be industrial assets.
A recent study out of Princeton University, cited by Le, identified that 13 per cent of embedded devices directly connected to the Internet had retained the default root password; that worked out to 540,000 devices across 144 countries. The study covered only a subset of device types across a subset of the Internet’s address space. A default root password needs no exploit at all: whoever can reach the management interface owns the device. Scale that up to the predicted 20 to 50 billion devices by 2020: if we remain anywhere near 10 to 13 per cent default accessibility, then this one vulnerability alone, let alone the wide range of other configuration or inherent vulnerabilities that will inevitably exist, leaves us a long way from a safely converged IT and OT environment. In a follow-up study, as many as 60 per cent of Internet-connected embedded devices that exposed any kind of user interface were found to be vulnerable to attack; in simple terms, sixty per cent of these devices would fail a routine penetration test. When we appreciate the scale of the vulnerabilities today, then scale that up two to three times by 2020 to 2025, we are literally setting up the Internet of Things to fail, potentially with massive and catastrophic consequences.
Cover Feature
National Security reforms needed before the Internet of Things
The halfway approach putting all Australians at risk: Why it’s time to decide if security technology should or shouldn’t be regulated by Police and Fair Trading departments
By Chris Cubbage, Executive Editor
This article concerns the inadequate and unworkable legislation affecting the physical and cyber security sectors in Australia, with State-based legislation being applied where a national approach is required, and urgent reform needed as the convergence of physical and cyber security systems accelerates towards the Internet of Things.

In early October, the US government formally accused Russia of hacking the Democratic Party’s computer networks and said that Moscow was attempting to “interfere” with the US presidential election. The accusation marks a new escalation of tensions with Russia and came shortly after the US Secretary of State, John Kerry, called for Russia to be investigated for war crimes in Syria.

Then there is Ukraine. The December 2015 Ukraine power outages, referred to in the ACSC Threat Report 2016, highlight the “vulnerabilities of critical infrastructure to sophisticated adversaries. In a well planned and highly coordinated operation, an adversary successfully compromised and affected the systems supporting three power control centres, taking down 30 substations and leaving over 225,000 Ukrainians without power for several hours. The adversary also delayed restoration efforts by disabling control systems,
disrupting communications and preventing automated system recovery. These effects were the result of over six months of planning and involved a range of activities, including compromise through spear phishing, the theft of user credentials through key loggers, and data exfiltration.”

In late September, security researcher Brian Krebs’ site KrebsOnSecurity was knocked offline by one of the biggest DDoS attacks ever recorded, peaking at 620 Gbps. The crucial distinction from a normal DDoS strike was that the bots were mostly IoT devices, in what was later attributed to the Mirai botnet. The majority of the estimated 145,000 devices were CCTV cameras and DVRs, and many of them were using either default passwords or easily guessed ones (“1234”, “password”, “admin”).

In the ACSC Threat Report 2016 a case study described how the ACSC was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The report states that “CERT Australia led the ACSC’s incident response, working alongside the AFP and ASD to determine the extent of the compromise and the identity of the responsible actor. Working onsite with the victim, the AFP identified a significant amount of data had been stolen from the network, including sensitive information relating to the organisation’s physical security and layout. The ACSC’s investigation revealed the actor used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise. The actor was able to escalate their privilege to administrator level, enabling further compromise.”

Physical access to information processing and storage areas and supporting infrastructure must be controlled to prevent, detect and minimise the effects of unintended access. Buildings containing a designated data centre, for example, will necessarily employ stricter access controls than those that do not, and there are minimum physical access controls that should govern access to all buildings in order to protect information resources. So it follows that any information security consultant designing, auditing or reviewing a corporate information system, such as to the ISO 27000 standards, is going to advise on the physical security components of that system. But by doing so these consultants are breaching their respective State Government’s Security and Related Activities Acts, and these legislative breaches are occurring across the country. When this was raised during the review of the legislation in Victoria, the Victorian Police Minister declined any attempt to reform the legislation, yet confirmed that enforcing it would be
overly burdensome and that police will continue to ignore the breaches. The question is why not remove security technology from the legislation altogether and focus on its original intention: controlling the public interface between security officers, crowd controllers and bodyguards. Why are police trying to continue to regulate security technology such as CCTV, access control and intruder detection systems in a physical environment when these systems are now controlled in an IP network environment? The convergence to IP-based systems is effectively complete, despite the legacy systems still around. We are now seeing the emergence of security robots and artificial intelligence in security systems. Is this technology subject to the legislation? By 2020 to 2025 the Internet of Things will be too big for police (or anyone) to control or regulate from a technology perspective. Otherwise police should start requiring information security consultants to get licensed, fingerprinted and audited in each of the states in which they operate. Welcome to my world!

So should the cyber security profession be regulated? In the study Tackling Cyber Crime: The Role of Private Security, a Security Research Initiative report by Professor Martin Gill and Charlotte Howell (June 2016), the research addressed four key areas: the current approach to managing
cyber security, the relevance of convergence between physical and cyber security, perspectives on law enforcement, and the potential role of private security in responding to cyber crime. There is now a wealth of information on the scale of cyber crime, including on the so-called Dark Web, and a host of authorities confirming that the costs are astronomical, not least the cost of protection; that the impact can be significant and affect many; and that it appears to be increasing. In addition, there is evidence that the response is inadequate and often under-resourced, leaving businesses searching for the right solutions. Eric Hanselman, speaking at IFSEC 2015, highlighted the current problematic position: ‘In the last year, businesses spent $70bn on cyber security. Meanwhile criminals will have made 10-20 times that amount’. The threat is international and, by way of example, the ACSC Threat Report 2015 summarised: ‘the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg’.

So what are our police and government regulators doing about this while still trying to regulate the physical security sector? Not much, other than effectively restricting physical and cyber security professionals from cooperating and working together at a national level.

To highlight the continued breaches of state security legislation, most commonly around the element of security technology: a WA local government engaged a project manager to handle a $200,000 public CCTV surveillance project which is to be paid for by WA Police as part of the CCTV Infrastructure Fund. The Fund guidelines stipulate compliance with the Security and Related Activities Act. The project management company does not hold a security agent or security consulting licence. In WA, the security industry is bound by a WA Police Code of Conduct formulated under Section 94 of the Security and Related Activities (Control) Act 1996. The Code of Conduct requires licence holders to be professional, truthful and ethical and to act with the public interest in mind, and Part 8 places an obligation on the licence holder to inform the Regulator of non-compliance with the Act.

Having raised this breach with WA Police Licensing, the confusing and wilfully inaccurate interpretation from the Officer in Charge read as follows:

“The State CCTV Strategy has been developed following analysis of crime trends involving offences against the person, not property. I have been advised the main purpose of the Strategy is to provide a surveillance role to protect against offences against the person, to create a safer community. The future positioning of cameras is based around this goal. The Security & Related Activities Act (the Act) requires an installer to be licensed to install CCTV equipment for a security purpose.
While a ‘security purpose’ is not individually defined in the Act, a security officer and a security consultant are defined as a person who for remuneration watches, guards or protects property, or advises on such matters. To this end, I have interpreted a security purpose as watching, guarding or protecting property, not persons. Watching persons could be described as surveillance, which is not covered by the Act. The WA Police have drafted amendments to the legislation to make the Act clearer and remove such ‘loopholes’. The drafts are not expected to be introduced before parliament until well after the State election next year, and it is intended the industry will be consulted about the amendments before that occurs in any event. While the Strategy is structured toward a surveillance purpose, they recognise the knowledge and experience of the security industry and as such have included requirements for suppliers of services to be licensed, notwithstanding the surveillance purpose rather than a security purpose. As a result, I believe no offence has been committed.”

This interpretation is intentionally confusing, wilfully inaccurate or otherwise shows that police don’t understand the very legislation they are duty bound to enforce. Reports from ASQA earlier in the year on the security training sector confirmed that licensing was “a mess”. In Queensland last month the state government directed its interim training ombudsman to review security training following the deregistration of a security training organisation, with 236 former students advised that their qualifications were no longer valid; ASQA had found the RTO was essentially handing out certificates without providing any training. The industry called for the inquiry to be extended to licensing, and for the federal government to also take a “serious look” at the mutual recognition law and give states more power over licensing.
The frustrating aspect is that the Federal Government was willing to call a snap meeting of state and federal energy ministers following the South Australian statewide blackout, which prompted calls from the Coalition for a nationally consistent approach to energy security and was seen as a ‘wake-up call’. Regrettably this meeting only resulted in another review, but the point here is that those conducting this work should have the wisdom to link energy security to public safety in the full context that ‘security’ deserves. The security sector deserves, and should continue to demand, this attention; having asked for reform for the last ten years, continuing to ignore it for the next ten will only result in further crises and yet more ‘wake-up calls’. As regional and military tensions rise along with the risk of war, Australia’s national security is interdependent and requires a holistic approach. There is no point regulating the security officer at the front door but letting an information security consultant enter without probity, and vice versa. Nor is there any point in regulating the installation of the physical intruder detection system while ignoring regulation of the network’s IDS; doing so makes the entire approach a half-hearted farce. The responsibility rests with our legislators to adopt a national approach to Australia’s security that includes energy as well as social, physical and cyber security. Anything less is clearly inadequate and a dereliction of the government’s duty of care to all Australians.
Scalable optics: New lanes laid for the 'Internet of Things' super-highway
By Chris Cubbage, Executive Editor
Since I can remember, the digital world has always needed, or rather wanted, more bandwidth. For the Internet of Things (IoT) to scale to two to three times the current number of connected devices over the next four to five years, as forecast, major leaps in bandwidth will be needed. Those leaps are indeed being taken, and they’re big! Thanks to the NetEvents IoT and Cloud Innovation Summit held in Saratoga in late September, I visited the only company dedicated to designing and manufacturing large-scale InP (indium phosphide) photonic integrated circuits (PICs), Infinera, based in the heart of Silicon Valley at Sunnyvale, California. Infinera has taken a US$300 million stake in the game, having amassed over 500 patents since 2004. “We don’t sell hardware or software, we sell networks,” says David Welch, PhD, President and Founder. “This is what I’ve seen as stunning when looking back,” said Welch, “in the past decade we’ve seen a 24x increase in the bandwidth in the same watt per cubic centimetre footprint. I expect that instead of holding up two of our PICs
that are doing 2.4 Tb/s, in 10 years we will be doing 50 Tb/s coming out of something the same size. In that sense, Moore’s law in optics is alive and well!”

Listening to David Welch, it’s easy to succumb to the charm of a technical genius. Welch simplifies the complex down to this: “Consider you have two axes to watch in driving more bandwidth onto an element and thereby driving cost structures down. You can put more wavelengths on, which is what we do, or you can drive your electronics faster. But if you drive your electronics faster you make it harder to take advantage of less efficient modulation architectures. Right now, the subsea bandwidth is being increased by deploying more new fibres in the trans-Atlantic to trans-Pacific architecture than has been in the last several decades. So a lot of the growth has been driven by the Googles and Facebooks and Internet content providers. Typically, however, they share that bandwidth with regular service providers, so the sign on the door may be Facebook but they may only have a fraction of the fibre being deployed and the rest of the bandwidth may be owned by other service providers, mainly because their business traffic is driving that demand. The space is too big and the application space for the range of customers is too vast for it to be controlled by just a few providers.”

Cloudification and datacentre interconnect (DCI) are the biggest areas of network growth. We are in a rapid upward trend of new datacentres, with mega datacentres being built and now more metro datacentres driven by the need to position applications and content closer to consumers. Server-to-server (east-west) traffic and datacentre-to-datacentre (north-south) traffic need to be positioned to follow the user around the globe. Google has said its datacentre-to-datacentre traffic is increasing significantly and consumer traffic is also increasing. Amazon’s growth, and most of its profits and business, is coming from its cloud infrastructure, with an incredible amount of video being uploaded. All of this is driving more and more demand on networks.

Infinera operates across three key markets: long haul and subsea communications, where it is number one in North America; datacentre interconnect, where it is number one for ICPs/CNPs (Internet Content Providers/Carrier Neutral Providers); and metro datacentres, where it is number three in 100G ports with its XTM series. Within these markets the company endeavours to build intelligent networks which are scalable, flexible and high performance, faster to deploy, highly reliable, and which combine unified management with application-optimised design. The 5G network will be deployed in 2019/2020 and will drive 100G off a cell tower, and when the edge of the network is 100G the centre of the network will be in terabits per second. Trends in the optical networking market have two basic drivers.
The first is metro-to-metro datacentre traffic, with the number of dispersed datacentres rapidly increasing in order to reduce latency in communications between humans and machines. The real multiplier, though, is machine-to-machine traffic, which is roughly 1,000 times what an individual sees on a screen. The amount of traffic waiting to come online with operational technology (OT) can be seen with driverless cars alone, with between 10GB and 25GB per car needing to be uploaded per hour. These trends also include distributed buildings, with more and more capacity leaving the building for the network.

Infinera’s senior management team briefed global media, including MySecurity Media, on their announcement of the Cloud Xpress 2, a second-generation purpose-built DCI optical link. It became increasingly clear that Infinera is set to achieve its vision to “enable an infinite pool of intelligent bandwidth”. Optics has become a true enabler of the foreseeable future and all the growth of the Internet will ride upon optics, and the optics in the ground are insufficient. For the Internet of Things to become a reality, we need to put more in. Here comes the next generation of super-highways!

The new Cloud Xpress 2 delivers a 1.2 terabit per second (Tb/s) channel in a single rack unit while enabling a fibre capacity of up to 27.6 Tb/s on a single fibre pair. The Infinite Capacity Engine is powered by Infinera’s next-generation FlexCoherent® Processor and the photonics of Infinera’s fourth-generation PIC. Cloud Xpress 2 incorporates software-activated bandwidth delivery technology designed to lower operational costs. In addition, the Infinite Capacity Engine supports low power consumption, and security is designed in with in-flight wire-speed data encryption. Encryption is a critical requirement for network operators, and Infinera was the first to deliver a compact DCI solution with built-in encryption on the Cloud Xpress; the Cloud Xpress 2 extends the same encryption solution and scales it to the new capacity. The practical caveat is that line-side encryption protects data in transit between the two DCI endpoints only; key management and the traffic either side of the box remain the operator’s responsibility. Like the previous Cloud Xpress products, the Cloud Xpress 2 is designed for plug-and-play with simplified provisioning and support for data centre automation. With built-in optical amplification the Cloud Xpress 2 can transmit 1.2 Tb/s up to 130 kilometres over a single fibre pair without an external multiplexer or external amplifier, resulting in fewer fibres and less space. Alternative solutions require at least six fibre pairs fed into an external multiplexer daisy-chained into an external amplifier, which results in more complex configuration and maintenance.

Infinera continues to innovate: the Cloud Xpress 2 brings automation and scale to data centres, delivering topology auto-discovery, zero-touch provisioning support, standard application programming interfaces for programmability and streaming telemetry, and stackability, with multiple chassis managed as a single system. By minimising the number of components in the system and using PIC technology, Cloud Xpress 2 delivers DCI with high reliability. According to Welch, “We have a number of customers excited about this because they’ve been buying 500 Gb/s boxes and now they’re going to be buying 1.2 Tb/s boxes with 2.5 times more capacity and half the size. It is truly a phenomenal advancement in the optics and it’s the start of the advancement of that optical engine as it proliferates across all the networks. This is the biggest, fastest growing metro application on the market and it’s enabled by the vast majority of the market share based on photonic integration technology, which has transformed the whole concept of datacentres. Why? Because it takes 15 minutes to deploy a box, plug it in, establish the bandwidth, get the software to roll up to the interface, and when you’re making a mega datacentre, that’s what you like to hear.”

In early October, Infinera announced it has joined the Optical Internetworking Forum (OIF) and the Open Networking Foundation (ONF) to demonstrate multi-vendor, multi-layer software-defined networking (SDN) Transport Application Programming Interface (T-API) interoperability with the Infinera Xceed Software Suite and the DTN-X family of packet optical transport platforms.
Global carrier participants hosting the interoperability testing include China Telecom, China Unicom, SK Telecom, Telefonica and Verizon.
What’s causing the cybersecurity skills gap? How the Industry is Strangling Cybersecurity Career Development
By Steve Cottrell
It seems that not a day goes by without another news article cropping up bemoaning the global cyber security skills shortage, but very few cut to the root of the issue. Part of the problem relates to the term ‘cyber’ and the mystique associated with it. Everyone except the security industry seems to hold the view that ‘cyber’ is a new term, and that the issues of computer security have only manifested within the last five years. In reality, security (or a lack thereof) has existed for as long as we have had computers, networks and the Internet; we’ve simply rebranded what was once computer and network security to its more media-friendly new name of cybersecurity. Looking at the large talent pool of information and network security specialists out there, it seems strange that there is a cybersecurity skills shortage, but the issue lies in the fact that our industry is not doing a great job of attracting, harnessing and nurturing new talent, i.e. building tomorrow’s cybersecurity workforce.

Many companies don’t seem to understand how to align their security functions with the rest of the organisation. Responsibility for security often gets rotated around the business like a never-ending game of pass the parcel, in an attempt to find an executive willing to take ownership of the problem (which is often seen as the proverbial hot potato). Without wishing to get into an ideological debate relating to
the optimal reporting line for the cybersecurity function and where the CISO should sit within the executive team, the skills issue has disrupted the development and maturation of cybersecurity career paths. We see organisations attempting to align cybersecurity professionals’ careers to existing IT architecture or IT/network support disciplines (or sometimes Enterprise Risk or General Compliance), which simply doesn’t work. The attributes and experience needed to develop and grow a cybersecurity career are markedly different from those required to be successful within a general technology function. Adding to the problem, pay scales are often benchmarked and aligned to existing technology careers, on the ill-founded assumption that roles such as IT architect are analogous to a security architect. If you consider this point along with the fact that many of these benchmarking exercises ignore the law of supply and demand, failing to factor in the number of suitably experienced and skilled professionals available in the market, then it’s no wonder organisations are surprised that cybersecurity vacancies go unfilled for months, or even years, on end.

Businesses are obviously in the market to make money and, ultimately, compensation packages are set at a level that keeps the bottom line healthy and profitable. This is prudent and makes perfect sense, but because organisations consider cyber and information security to be a generic IT discipline, it is partially contributing to the skills shortage. Step outside of the IT department into Legal, Regulatory, HR etc. and different frameworks apply, recognising the unique functions being performed and the market rates of those areas. The niche and currently scarce nature of the cybersecurity skill set needs to be recognised and salaries need to rise in line with that specialist status. This will help attract new talent to the discipline, by encouraging existing experienced IT and network professionals to cross-skill and specialise in cybersecurity, as well as encouraging high-calibre school leavers to enrol in cybersecurity courses at university (as they can see an exciting and lucrative career ahead). This point is crucial in helping address the skills shortage over the short to medium term, while ensuring that organisations attract the calibre of individuals needed to be successful in these roles. How often do you see an advertisement on a job board that reads, “High calibre Senior Cybersecurity Manager required. Must have extensive proven experience, ideally will have CISSP, CISM, BSc/MSc. Fantastic package on offer: $120k base plus exceptional benefits”? Clearly the company won’t find anyone for this kind of salary, or it will have to compromise and ultimately take the first person with some of the skills they need, to deliver what should really be a role filled only by genuinely suitable candidates.
I’ve seen government departments pay as little as $120,000 for a CISO-level cybersecurity professional, then wonder why they’ve made no progress on improving their security posture two years later. Looking ahead over the next few years, there are undoubtedly strategic initiatives that need to be undertaken whereby we begin to ‘grow our own’ security professionals within our organisations rather than demanding the finished product from the job seekers’ market. I would like to see the broader information security and cybersecurity industry (and especially the numerous professional bodies) coming together to agree a multi-year professional development curriculum, building experience in general security risk, cybersecurity operations, security architecture and risk management, all with a view to delivering a well-rounded security practitioner who can then specialise in different areas as their career progresses. This works in other industries, such as medicine: medical doctors are required to build a firm foundation of knowledge in numerous physiological disciplines, gaining practical post-graduate experience before ultimately specialising in one area. This represents a different approach from the usual (and often abused) ‘badge of honour’ certifications prevalent within the technology and security industries today, the ones that are typically one-off
exams to be passed, sometimes backed up by a level of formally validated or self-certified demonstrable practical experience. There are now some fantastic degree and Masters’ courses being offered by universities all around the world, specialising in all aspects of cyber and information security, but they can't provide 'on the job' practical experience, which is often what’s really required to truly excel and deliver real security value and risk reduction in the real world. The two to four years following graduation are perhaps the most critical for a professional cybersecurity career, which is where our industry should be looking to nurture and develop the skillset by providing a structured modular career framework, which is recognised across the industry and around the world. Too many recent graduates become disillusioned early on, so we need to keep their motivation high by providing plenty of variety and structure whilst making it easy for them to gain the valuable business context and skills they need to carve out a successful career as a professional. Providing clear attainable short and long-term goals and the ability to switch between multiple cyber career tracks is really important. As with all ‘supply and demand’ equations, as supply increases I would expect to see a levelling or braking effect in terms of the compensation packages required to attract top cybersecurity talent, but if we add in the modular career framework, it will be simple to gauge appropriate remuneration levels with regards to experience, rewarding truly niche high-end skills as appropriate. As we all know, it is not as easy as saying ‘I need a cyber security professional’; it’s often more a case of ‘I need a cyber security professional with an operational background who understands risk in a business context’. 
We cannot afford to be complacent, assuming that the large number of cyber and information security university courses now available will ultimately solve the longer-term skills issue. As an example, looking at engineering (mechanical, electrical, civil etc.) graduates in the UK from the 1990s, what percentage actually ended up pursuing careers related to their degree, versus moving to an industry sector perceived to be more lucrative with better career opportunities? I don’t know the answer to this question, but judging by the volume of graduates I interview with qualifications in these areas, and by the people I meet across the broader industry qualified in these areas, I would say the percentage is likely high. Let’s not allow history to repeat itself within the cybersecurity industry. About the Author: Steve holds the regional Chief Information Security Officer / Security Director role at Aviva and has end-to-end accountability for security risk management, incident response, compliance, and cyber security transformation across all UK & Ireland regulated businesses (Life, GI, Health, AGC, Investors).
Chief IT | 47
Cyber Security | Cover Feature
India’s cyber trauma
By Sarosh Bana, APSM Correspondent
Recently, India’s Defence and other ministries were placed on high alert following concerted cyber attacks on the country’s government and commercial organisations by the Chinese People’s Liberation Army’s (PLA’s) Western Theatre Command, which faces India all along its northern Himalayan borders. The Ministry of Defence (MoD) issued an alert to the army, navy and air force that a Chinese Advanced Persistent Threat (APT) group called Suckfly, based in the Chengdu region where the Command is located, is targeting Indian agencies, with the defence establishment as its prime target. Suckfly, which carries out cyber espionage through a malware called Nidiran, camouflaged its attacks with code-signing certificates stolen from legitimate software development firms in South Korea. “This cyber espionage was undertaken by infecting computers of both government and commercial houses involved in e-commerce, finance, healthcare, shipping and technology,” the MoD alert cautioned. “Sensitive information from targeted computers and networks is being used to undermine national security and economic capabilities.” An APT is a network attack in which an intruder gains unauthorised access and remains undetected for an extended period, the intention being to steal data rather than to damage the network or organisation.
These mounting cyber onslaughts against India’s defence establishments have revived a proposal for a dedicated tri-services command for cyber security. A proposal for such a command had been drafted following a 2012 cyber attack by Chinese hackers, who managed to penetrate the computer systems of the Indian Navy’s Eastern Command, where the country’s first indigenous nuclear submarine was constructed and is based. More recently, senior executives of the Mumbai-headquartered Tata Group (US$103 billion revenue last year) received a strange email purporting to come from chairman Cyrus Mistry, asking them to transfer US$4,500 to a specified bank account. “We are coming up with a project of Tata Group; kindly deposit US$4,500 in a/c no. xxxx,” the email read. “This project should not get stopped due to financial crunch.” Appropriately, it was the Group’s chief ethics officer, Dr Mukund Rajan, who recognised the hoax. He informed Mistry of the online impersonation, and a police inquiry is now under way to identify the perpetrator. A similar fake email ID of Mistry had been created last year by a former Tata employee, subsequently arrested, who had sent emails from this account to officials of Group company Jaguar Land Rover (JLR), asking them to consider his curriculum vitae for a position in the purchase department. Numerous corporates, including multinationals, across the country are being defrauded by online pranksters and fraudsters. Many of the cases resemble Tata’s: emails are sent to finance departments from spoofed email IDs of company heads, with instructions to deposit funds in specified bank accounts. Cyber police maintain that an email can be ascertained to be fraudulent only after going through the full header or the logs of the suspected email address. “In most cases, while the spoofed emails are of different managing directors and directors of companies, full-header analyses reveal that they were sent from one exec.m@exces.com,” says an official. “Earlier, cyber fraudsters used to make minor alterations while spoofing email IDs, but now they hack the complete corporate email IDs of the promoters and use them to communicate with the finance officers.” In one instance, a finance officer received an email from his managing director asking for Rs600,000 (A$11,869) to be deposited, but the fraud came to light when the MD called him in the nick of time for some other reason. India is clearly one of the most cyber-attacked countries in the world, with a recent study estimating a 350 per cent surge in cyber crime cases registered under the country’s Information Technology (IT) Act, 2000, between 2011 and 2014. Indian authorities have been alarmed by the growing number of attacks on cyber networks, which pose a huge risk and severe threat to the nation’s, and individual Indians’, financial and security interests. Criminals are exploiting cyberspace for their own ends as it touches nearly every part of daily life through broadband networks, wireless signals, local networks, and the massive grids that power the nation.
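The full-header check the cyber police describe, as an added worked example that is not part of the article: a small Python triage routine that compares the visible From address with Reply-To, Return-Path and the receiving mail server's Authentication-Results (SPF/DKIM verdicts), the headers an analyst reads first on a suspected CEO-fraud mail. The three messages embedded in it are constructed for illustration; the addresses, the domains (example.com, example.net, examp1e.com) and the trusted-domain parameter are assumptions, not details from the cases above.

```python
"""Header-based triage for CEO-fraud style e-mail.

Added example, not code from the article. Reads the headers a gateway or an
analyst would check (From, Reply-To, Return-Path, Authentication-Results) and
returns the reasons a message looks spoofed. All sample messages below are
constructed; example.com / example.net / examp1e.com are made-up domains."""
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(raw: str, trusted_domain: str) -> dict:
    """Return {'from': addr, 'findings': [reasons], 'suspicious': bool}."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "")
    from_dom = _domain(from_addr)
    findings = []

    # 1. Look-alike or external sender claiming to be the boss.
    if from_dom != trusted_domain.lower():
        findings.append(f"From domain '{from_dom}' is not '{trusted_domain}'")

    # 2. Replies silently diverted to a mailbox the attacker controls.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To '{reply_to}' not in From domain")

    # 3. Bounce (envelope) address not where the mail claims to come from.
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path '{return_path}' not in From domain")

    # 4. SPF / DKIM verdicts the receiving MTA stamped on the message.
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    return {"from": from_addr, "findings": findings, "suspicious": bool(findings)}


# Constructed sample 1: classic spoof, replies and bounces go elsewhere.
SPOOFED = """\
From: "Managing Director" <md@example.com>
Reply-To: exec.m@example.net
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none
To: finance@example.com
Subject: Urgent project payment

Kindly deposit the funds in the account below today.
"""

# Constructed sample 2: look-alike domain (digit 1 for letter l); SPF/DKIM pass
# because the attacker controls that domain, so only the domain check fires.
LOOKALIKE = """\
From: "Managing Director" <md@examp1e.com>
Return-Path: <md@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
To: finance@example.com
Subject: Urgent project payment

Kindly deposit the funds in the account below today.
"""

# Constructed sample 3: genuine internal mail, nothing to report.
GENUINE = """\
From: "Managing Director" <md@example.com>
Return-Path: <md@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
To: finance@example.com
Subject: Board papers

Please circulate the attached agenda.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        result = analyse_headers(sample, "example.com")
        print(f"{label:10s} suspicious={result['suspicious']} {result['findings']}")
```

Two caveats a practitioner would add. The look-alike sample shows why an SPF/DKIM "pass" alone is not a clean bill of health: the attacker's own domain authenticates perfectly, so the check against the organisation's real domain is what matters. And for the second pattern the official describes, where the executive's actual mailbox has been taken over, every one of these header checks passes; the only control that caught the Rs600,000 case was the MD's phone call, which is why out-of-band confirmation of payment instructions has to sit alongside any technical filtering.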
“More than 8,000 Indian websites were hacked in the first three months of 2016,” Communications and IT Minister Ravi Shankar Prasad informed Parliament recently. “While 28,481 websites were hacked into in 2013, 32,323 sites were attacked in 2014, 27,205 in 2015, and 8,056 until March this year.” Cyber crime and security were a major enough issue for Indian Prime Minister Narendra Modi to discuss with U.S. President Barack Obama during his visit to the U.S. in June. “The entire world is concerned about cyber security, and Indian IT professionals can do a lot for cyber safety of digital assets across the world,” said Modi. “Can we secure the world from this bloodless war? India must take the lead in cyber security through innovation; I dream of Digital India where cyber security becomes an integral part of national security.” Both leaders felt that defending against, and defeating, cyber attacks will require the combined efforts of both the public and private sectors, working to develop new technologies and new approaches for maintaining real-time protection of their individual networks. The recent study, “Protecting interconnected systems in the cyber era”, conducted by ASSOCHAM (Associated Chambers of Commerce and Industry of India) and business consultancy PwC India (PricewaterhouseCoopers India) notes that operational systems are increasingly subject to cyber attacks, as many are built around legacy technologies with weaker protocols that are inherently more vulnerable.
“The continued and regular sharing of cyber security intelligence and insights is essential to improving the resilience of these systems and processes against emerging cyber risks,” it says. It adds that the Computer Emergency Response Team-India (CERT-In) has also reported a surge in the number of incidents it handles, with close to 50,000 security incidents recorded in 2015. Pointing out that cyber attacks are occurring around the world with greater frequency and intensity, the study indicates that the profile and motivation of cyber attackers are fast changing. A new breed of cyber criminal has emerged whose aim is not just financial gain but also disruption and chaos, in businesses in particular and in the nation at large. “The importance of cyber security in India has increased exponentially over the last few years, with an emphasis on Digital India and e-commerce and many government services now being delivered online,” explains Sivarama Krishnan, Leader, Cyber Security, PwC India. “The new breed of hackers understands cyber vulnerabilities and how to exploit them and they play by a new set of rules, the ‘bare minimum’ being ineffective against increasingly adept assaults.” He advises businesses to rethink their cyber security practices and focus on innovative technologies that can help reduce risk, seeing advantage in having the right data, understanding that data and knowing how to take active steps to put information to good use. Pratyush Kumar, who chairs ASSOCHAM’s National Council on Cyber Security and is also Vice President, Boeing International, and President, Boeing India, says the worldwide threat of terrorism, turmoil in the South China Sea, Brexit, the state of transition in the Middle East, the coup attempt in Turkey and similar events are all adding to uncertainty and volatility in the world.
“Concurrently, we are being deeply impacted by the furious pace of technological evolution, especially the explosion of Big Data, mobility, the Cloud, Internet of Things (IoT), machine learning and analytics,” he observes. “If properly managed, these technologies can transform our society, but on the other hand, an uncertain and volatile world also puts this very technology in the hands of operators anywhere in the world for causing tremendous damage, given the growing linkages between cyberspace and physical systems.” The U.K.’s Sophos Group plc, a global endpoint, encryption and network security vendor, lists India among the five countries with the highest percentage of endpoints exposed to malware attack and thus more prone to cyber attacks. Research by the company’s SophosLabs division into such incidents in the first months of 2016 found a growing trend among cyber criminals to target, and even filter out, specific countries when designing ransomware and other malicious campaigns. Apart from India, the countries with the highest so-called Threat Exposure Rates (TER) were Algeria, Bolivia, Pakistan and China. The research drew on millions of endpoints worldwide, analysed by a SophosLabs team. To ensnare more victims, cyber criminals are now devising customised spam in regional vernaculars, touting brands and payment methods that appear culturally compatible. To beguile recipients, they make their scam emails
impersonate local postal companies, tax and law enforcement agencies, and utility firms, with fraudulent shipping notices, refunds, speeding tickets and electricity bills. On 5 October, while releasing in India a report on internet governance as head of the Global Commission on Internet Governance (GCIG), former Swedish Prime Minister Carl Bildt said that, as an emerging cyber power, India needed to engage seriously on issues of internet governance. He deemed it necessary for India to address over-the-horizon threats like cyber attacks, cyber spying and cyber crime. One conclusion of the report was that surveillance is an important part of cyber governance, “because in its absence, people tend to lose trust in the internet”. “The purpose of the report is mainly to bring to the attention of policymakers across the world the significance of the challenges we are facing and of the potential that exists,” said Bildt. “Too much of this has been debated among technical people, while policymakers haven’t addressed the issue sufficiently.” He found that, for policymakers, safeguarding freedom of expression and of information on the internet is under increasing challenge. “The world is entering the Internet of Things (IoT) and everything will be connected with everything, everything will have an IP address,” he remarked. “Everything can potentially be turned into a weapon in the cyber world, and this brings the requirement for cyber security, stability and governance to a very different level.” The report found only three governments, those of the United States, Estonia and China, addressing this issue. Whereas the economic contribution of the internet is as high as US$4.2 trillion in 2016, the IoT could result in upwards of US$11.1 trillion in economic growth and efficiency gains by 2025. Bildt deemed Beijing’s level of attention notable, saying, “The Chinese do it slightly differently, to put it mildly; they do both offensive and defensive because it has to do with the stability of the regime, and the future of the Chinese economy - for them it’s a high priority issue.” According to him, the world is slowly initiating a conversation on cyber behaviour, with elements coming out of the U.S.-China agreement, and India sitting on the United Nations’ Group of Governmental Experts on Information Security. “These are important as the top countries are beginning to set rules for the internet,” he notes. “It is important that India is part of this conversation as it is the second largest in the world in terms of connected people, as well as largest in terms of unconnected people, and hence has an important voice both in the connected world and the unconnected world.” The number of internet users in the world has increased threefold in the last 10 years, but over the same period their number has multiplied nearly 15 times in India. According to Connecticut-based IT research and advisory firm Gartner, Inc., the number of devices connected to the internet will reach 27 billion globally by 2020, with total revenue of around US$300 billion. India will have around a five to six per cent share of the global IoT industry.
INSIGHTS TO ENHANCE ORGANISATIONAL STRENGTH
Crisis & emergency management conference
Pan Pacific, Perth | 24 November 2016
The Resilience Conference 2016 will cover topics such as security, technological emergencies and how to handle a digital crisis, featuring:
• Chris Cubbage - Executive Editor of the Australian Security Magazine
• Jamie Wilkinson - Head of Digital for Cannings Purple
• Frazer Holmes - Regional Director of InTec1
Keynote speakers include:
• Mohammad Fuad Sharuji - Crisis Director for MH370 & MH17, Malaysian Airlines
• Stuart Ellis - CEO, Australasian Fire and Emergency Service Authorities Council
• Paul McGill - Deputy National Commander, New Zealand Fire Service (NZFS)
What is in it for you and your organisation? Learnings from recent world events and how to apply these to your organisation’s emergency management capability.
+61 8 9388 2222 | resilience@ifap.asn.au | www.ifap.asn.au/resilience
Cyber Security
Fighting financial cybercrime with data
By Carlo Lacota, Assistant Vice President, Banking and Financial Services, Cognizant, and Dushyant Kapoor, Director of Consulting, Banking and Financial Services, Cognizant
Cybercrime is a serious threat to anyone and everyone online. However, in a digitally connected world where online transactions far outnumber those in hard cash, the threat couldn’t be higher for banking and financial services firms. For established brands, even the smallest data leak or security breach can rapidly balloon into a front-page news story, costing more than the data lost to cybercriminals: it can also cost the institution its customers’ trust, leading to irreparable business loss and significant financial cost. Banks are having to deal with a new generation of customers who expect a plethora of personalised banking services and would switch banks readily if they thought their data was being misused or compromised.
Banks and other service organisations understand that collecting client and industry-related data is the key to successfully digitising and retaining a tech-savvy customer base. However, that same data makes them an ideal target for hackers, who are using ever more aggressive and sophisticated techniques, including ransomware and mobile phone compromise, to get at customer and financial transaction data. Devising the right privacy and protection policies for this goldmine of customer data is critical for banks: they must deter unauthorised access to the data while still allowing customers to transact effortlessly and giving internal staff appropriate access so that they can provide customised experiences and relevant offers.
Data: A path to customer centricity
In the digital world, customers generate increasingly vast amounts of data through every online transaction and touch point. While protecting this customer data is a challenge for banks, it is also what banks use to better understand their customers and develop customised offers for them.
Understand, research, and then plan
The first step in implementing adequate controls is to understand the risks and their business impact. Banks need to invest time in properly assessing the risks they might have to confront. To be relevant and give banks enough information to future-proof their business, this assessment should be based on the organisation’s size, channels, geographies, customer types,
as well as product and service complexity. By mapping these risks against internal policies, procedures and controls, banks can assess their effectiveness in mitigating risk and fine-tune them accordingly. Clear ownership of data within a bank or financial services organisation is critical to establishing who is responsible for implementing controls and assessing their effectiveness on an ongoing basis.
Preventing before fighting
Implementing information security controls is necessary, but far from sufficient. Banks should assume they will be attacked, and ongoing risk assessment and mitigation needs to be undertaken proactively so that they are prepared for the moment a risk eventuates. Once a bank’s system is hacked, the damage is done, and it can only try to control that damage, financial as well as reputational. Proactive security is not just about securing systems and reacting to attacks, but also about anticipating future attacks at every step of the way. In an age where hackers are using ever smarter tools and techniques to gain unauthorised access to organisations’ data sources, the key objective should be a resilient system that can be restored and brought back online quickly in the event of a security breach. While data is part of the cybersecurity problem, it is also part of the solution. Combining data management with advanced analytics can be effective in detecting and preventing growing threats. By collecting and analysing massive volumes of current and historical data from within the organisation, as well as from external agencies providing financial crime data, banks can gain a comprehensive view of customers and transactions, along with insights into hitherto unnoticed relationships between entities. Forensic data analytics can help banks identify and predict risk patterns and issues in advance, enabling them to pre-empt criminal activity, particularly insider threats and data breaches that involve unauthorised access to sensitive data.
Working with the right data, and the right architecture
The key to integrating multiple risk strategies lies in a bank’s ability to get high-quality and consistent data from across the organisation. This is no easy task for large banks, many of which have accumulated multiple systems and technologies over the years through mergers and acquisitions. If banks and financial services organisations want an efficient and proactive information security strategy, they must work towards standardising the large volumes of customer, transaction, crime and other unstructured and semi-structured data they hold. By using best-in-class architecture and investing in the right data analytics platforms, organisations can significantly improve the data quality and accuracy needed to support real-time monitoring and data-driven decision-making. Proactive prevention is the best weapon against cybercrime.
Women in Security
Championing for open source collaboration
By Chris Cubbage, Executive Editor
Having been fortunate to be in California’s Silicon Valley courtesy of the NetEvents Global IoT and Cloud Innovation Global Summit, I took the opportunity to stay on for a few extra days and catch up with our June/July 2015 ‘Women in Security’ series participant, Prima Virani, who was scheduled to speak at the Structure Security Conference in San Francisco. When we first met this security engineering graduate at an Australian Information Security Association meeting in Perth, Western Australia, in 2014, she was just 23 years old and starting out on her cybersecurity career, having graduated from Murdoch University with the aspiration of heading off to San Francisco. Within just two years, the now 25-year-old has not only found herself on the small security team of a major American brand, Pandora Media, a music application that personalises music to the listener’s taste, but we find her speaking on stage, interviewed by Bob McMillan, computer technology reporter with the Wall Street Journal, alongside fellow security engineers Nick Anderson of Facebook, Hudson Thrift of Uber and Leigh Honeywell, security lead at the collaboration tool Slack. Open source software and security collaborations are being increasingly advocated for small to medium sized
companies that are growing so fast that their focus is on developing their product, yet they also have to work on product security. As Prima elaborated, “they have to protect their infrastructure, but with a small team that doesn’t have expertise or resources in all areas, and so there is a need for more support, and this is where open source can contribute a great deal for fast developing commercial products.” This thinking is supported by the likes of Facebook’s Nick Anderson, who has also seen the advantages of open source, highlighting that “with the build-up of open source communities, there are bonds being built, with problems being solved and often with the common intent of improving a product so it works better for them, just as much as for you.” As Prima also asserted, “one of the biggest advantages of open source communities is giving the capability of scaling. It doesn’t come with a hefty price tag and it makes the company better prepared if the product takes off quickly.” One of the key outcomes of the Structure Security event was to highlight that there has never been a greater liberation of information and a greater variety of choice for infosec workers, in contrast to the traditional ‘lock it down’ and ‘restrict access’ approach. Some of the favourite open source tools being touted included osquery, described as
having a Swiss army knife capability, while others included Box and BlastAlert. Aside from championing open source adoption, the panel also showed that Women in Security is a little more balanced in the US than it possibly is in Australia, where we still see industry panels made up of only men. Having spent a couple of years in the USA now, Prima has found there is a different attitude to security engineering in the US than in Australia. She points out that a lot of the companies in the US are ‘huge’ brands and super resourceful in terms of the kind of people they hire and the creativity they are prepared to try. “There is a younger workforce and the transition out of college and university into the industry is quite straightforward. Whereas Perth and Australia may be tending to just follow the template. Perth was also very focused on just a few key industries, such as Oil and Gas, where in Silicon Valley there is a multitude of industries but a majority of them here are in the technology domain. If you threw a stone in San Francisco, 70% of people you hit would be a techie.” The approach taken by one company in the USA is likely to differ from that of the company next door, and there is greater diversity in thinking and openness to different forms of thinking. Despite that, being in America you do need to be careful of group think and ‘over’ Americanisation. In Prima’s current role on a five-member security team, her tasks include infrastructure security, incident management, endpoint and network security and information security program management. For a young adventurer and an average Aussie who wanted to head out and see the world, it hasn’t been that much of a challenge. “My move to the USA wasn’t so much about the job, it was more about the lifestyle and the experience as a whole. I travelled to San Francisco about six months before moving here and stayed for a week, which was enough time to fall in love with the place.
When I got here I stayed in a hostel for a week and then a friend’s place before I set myself up in a studio apartment.” “After I had made up my mind that this is where I wanted to come to, it took about four months before I got a positive interview. Most of the companies weren’t even considering my resume because they didn’t understand the
visa requirements, and the ‘Valley’ has enough engineers being developed that they don’t really have to be looking outside of the country, unless the company is being very particular about who they’re looking for. Despite a lot of talk about the cybersecurity skills gap, there is still limited risk being taken to employ from outside the country, given how immigration and work visas can be in America. I was fortunate to get an E3 visa for Australians living and working in the US.” Prima highlights the importance of developing a local network: she had a friend in San Francisco through whom she was able to connect with more friends, and by keeping in touch this network continued to grow into a support and friendship network. One channel that proved most useful was ‘Meet-up.com’, which connects industry professionals and special interest groups. Prima took a focused approach: “I like to attend events that are of interest and meet people that way, rather than randomly showing up and meeting people at random.” Importantly, Prima confirms her education in Australia grounded her very well, establishing at least 70 per cent of the required skills in some areas but, like any graduate, only 50/50 in others. “I was fortunate to have had some experience first in Perth where I laid my foundation. Had I been thrown into this pool at the outset then I may have not had the perspective as I do now, as I now have a wider perspective and it helps to a degree with a global brand like Pandora. But the relevance is subtler than a direct skill base.” Parts of San Francisco can be intimidating and it took a while to get acclimatised. “The gun situation in the US still frightens me to a degree and in that sense Australia is so much better.
But that aside there are so many more opportunities here outside of work in technology.” Prima has an active and expanding interest in art, poetry and performance dancing, and she is multilingual in English, Hindi and Gujarati. Despite being young, she has taken on coordination roles, including for an industry group called ‘Ladies who Linux’. “There is a great sisterhood building here and a key mentor for me has been a fellow Aussie, Tammy, and I find my interests and work feed off and support each other.” With this type of dedication, participation and skills development, we’re proud to have an opportunity to follow up on Prima’s progress and success. We hope this inspires other Australian women and cyber security professionals to get active and seek out their aspirations, be they local or overseas. The opportunities abound!
Cyber Security
Obstinately clinging to iconic obsolescence
By James Wootton, Director, Protega Technologies Information Security Consulting, www.protegatech.com
As those around me in the Protega office will tell you, combine information security with a certain clichéd icon or stock photo and it’s a recipe guaranteed to turn my rage on: the padlock! Put the words cyber and padlock together and Google will churn out around 364,000 results, everything from the purchase of padlocks to ransomware, to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case! I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one the public clearly believes does the job, because the lady behind the counter told me it was a ‘good seller’. It looks the part: a solid brass-bodied, steel-shackled device, oozing safety and confidence; it says it will protect your cherished items! Except that a mere five seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected: all brass, no protection! But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism. I assert that padlocks are therefore the worst possible analogy and, pictorially, the worst possible distortion of acceptable standards for information security. Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy.
A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, CCTV monitoring and insurance(!) will be involved, depending on the appetite for perceived risk versus constraints. Sorry to anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us: the risks to your family and valuable belongings (assets) in your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next; let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as fire and storm damage. Thinking about the countermeasures deployed to mitigate these risks can be an interesting exercise. Try thinking about the controls deployed in the negative: what haven’t you addressed (the gap)?
• Locks – chosen by the previous occupier, seemed OK when you made the risk assessment, but who has all the keys and are the locks any good?
• Working fire alarm?
• Working smoke alarms?
• Secure safe for high-value assets?
• Secure doors?
• Secure windows?
• Secure garage door?
• Adequate and appropriate insurance?
Hands up all those who considered every element of the above and felt they made an accurate assessment of each? Or did you make a shoulder-shrugging gesture whilst thinking,
‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait: was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason society attempts to legislate against stupid activities likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and made a conscious decision, albeit not necessarily an accurate one! So, why do we cling to broken technologies that are woefully inadequate in cyberspace?
of course, how risky you’re prepared to be; not forgetting your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain status quo; it’s all good. Don’t be surprised though when your online world comes crashing down and you have no strategy to recover. More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’. From an organisational standpoint, consider elements of the following, balancing bang for buck: • Policy overhaul and possibly security accreditations to focus your efforts; • User awareness training; • Sandboxing and content analysis technologies; • Much as I hate the phrase, application aware, next generation firewalls; • User and Networking behavioural analytics. And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery yourself, or let a general surgeon loose on your brain. Find an expert, someone that can advise you, someone that you can trust.
Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.) and aren’t worth the money and time invested in them if they aren’t protecting you from the today’s crop of threats. In some organisations I’ve assessed, they have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third party AV solution, without understanding the consequences of doing so, or assessing if the product even works (it didn’t!) In any case, Anti-Virus doesn’t address today’s user-based ‘social engineering’ attacks and your firewall is unlikely to be designed to either. Sorry to say, vouge cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office365 will not prevent the majority of spam and barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re secure (usually meaning the communications are secure, via https and even that’s debatable!) Enough rhetoric, present me with a solution already! Ah, I’m afraid the classic ‘depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the values of or sensitivity attributed to the assets you want to protect and
Chief IT | 57
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.
Seagate Backup plus HUB
To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au
TechTime - latest news and products
Farpointe partners with Cypress on wireless mobile, handheld card readers

Farpointe Data announced that handheld wireless mobile reader (WMR) systems using Farpointe reader modules are now available from Cypress Integrated Solutions. The handheld reader combines a Farpointe card reader and a wireless Cypress Suprex Reader-Extender in one portable unit, so that the user can perform reads at any place rather than only at readers in a fixed location. As a result, the WMR can remotely verify credentials, check IDs in trucks and buses, create emergency assembly points/muster stations, verify staff attendance at training sessions and create access control points away from buildings.

"We get 'oos and ahhs' with our handheld wireless mobile readers," emphasizes President Paul Ahern of Cypress Computer Systems. "They are used to reading credentials in applications where it just would not be practical to use a fixed reader. Whenever we offer one to a prospect who uses it for the first time, we always get a big smile."

The handheld unit transmits card data to a Cypress WMR base unit that is connected to an access control panel from a distance of up to 150 feet (45.7 m) indoors and up to 250 feet (76.2 m) outdoors. Challenging installations are simplified with the addition of RF expanders and repeaters using the Cypress bridging architecture. Vehicle-mounted readers for employee and/or visitor logging and tracking are also available. The WMR system includes a Wiegand or serial panel interface for real-time verification. AES encryption for secure communications is available upon request. No channel selection is required as the units are preconfigured at the factory. A diagnostic indicator on the central unit shows the operational status. Up to eight units can operate in the same area without factory modifications. Multiple grip colors accent the WMR.

"Truly versatile, the Cypress WMR is a terrific incremental addition to any wireless electronic access control system," adds Scott Lindley, President of Farpointe Data. "We would encourage any access control manufacturer, integrator or user to consider the various enhancements it brings to a security system."

About Cypress Integrated Solutions
Cypress Integrated Solutions is a recognized leader in the design and manufacture of electronic security products and technologies. Cypress specializes in unique and secure communication solutions for physical and logical access control. Since 1983, Cypress has been the industry leader in providing wired and wireless solutions to connect virtually any access control and security manufacturer's hardware. http://cypressintegration.com/

About Farpointe
Since 2003, Farpointe Data has become the global partner of choice for premium RFID solutions. Encompassing a broad range of access control readers and credentials, these solutions include 125-kHz proximity, 13.56-MHz contactless smartcard and 433-MHz long-range technologies. Electronic access control system professionals around the world count on Farpointe's exacting designs, superior manufacturing, competitive prices and excellent performance to enhance their access control systems. www.farpointedata.com
Robots invading ASIS 2016

Easy to implement and powerful to use, Gamma 2 Robotics’ RAMSEE works with Hexagon’s safety and monitoring software to combine mobile sensor data with other static data sources into a map-based common operating picture, enhancing human capabilities while significantly reducing labor costs. “Sensor data and video feeds provided by RAMSEE are integrated into Hexagon’s safety software suite.” RAMSEE is equipped with a wide variety of sensors that feed data on intruders, motion, heat, fire, smoke, gas, and more into the Hexagon-based command-and-control environment in real time.

PATROL – Provide autonomous and manual patrolling, even in total darkness.
MONITOR – Display real-time video from four cameras, including forward-looking infrared (FLIR), 180 degree forward-facing camera, 180 degree rear-facing camera, and head-mounted PTZ camera.
RESPOND – Detect and respond to alarms triggered by RAMSEE and/or other third-party sensors and systems.
ANALYZE – Measure performance and recap daily activity of RAMSEE and other sensors with activity reports.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
New Unifly 1.6 release introduces new features and extended compatibility

New Logbook
The new Logbook on your smartphone gives you an overview of all executed flights. It displays the drone, date, take-off time and duration of the flight.

Search and Validate Remote Locations
With the new Search bar on Launchpad you can look up specific locations. Simply enter the location you are looking for and the app will navigate to that particular spot. It is now also possible to do the validation for a location other than your current location.

Detailed Rules Information
Tapping View Rules will give you detailed information about the local rules and regulations. It also offers additional instructions and advice with regard to the local flying criteria. With Launchpad you have all the local legislation in the palm of your hand!

Unifly Webinars
Are you new to Unifly Pro or are you considering subscribing to our services? Then register for one of our free online training sessions and learn how to work with our application!

Extended Compatibility
The Unifly Pro application is now also available for Mac users! In addition to getting the Mac version up and running, great efforts were made to get our applications compatible across all possible platforms. So as of now, our applications run on all tablets, smartphones and all operating systems including Linux. Besides Google Chrome and Firefox, Unifly Pro is now also compatible with Internet Explorer 10+ and Edge.
Australia’s Civil Aviation Safety Authority makes amendments to drone laws

CASA has announced amendments to Part 101 that came into effect on 29 September 2016, reducing the cost and legal requirements for lower-risk remotely piloted aircraft (RPA) operations. Learn more about the amendments to Part 101.

As part of the amendments to Part 101 that came into effect on 29 September 2016, CASA also created an excluded category of remotely piloted aircraft, allowing private landowners to carry out some commercial-like operations on their own land with:

• a small RPA (2-25kg) without needing an RPA operator’s certificate (ReOC) or a remote pilot licence (RePL);
• a medium RPA (25-150kg) without needing a ReOC (you will require a RePL).

Australia’s safety laws for drones, or more technically correct, remotely piloted aircraft (RPA), as defined in the Civil Aviation Safety Regulations Part 101, vary for flying commercially or recreationally. From 29 September 2016, if you are flying for money, or any form of economic gain, you need to have an RPA operator’s certificate (ReOC), or if you’re flying an RPA weighing less than two kilograms, you simply need to make a notification (notify). If you are flying for recreation purposes only then the regulations are less restrictive and allow you to fly an RPA without needing to be certified, providing you follow some simple safety rules. Holders of a UAV operator’s certificate (UOC) can continue to operate as per their certificate and will only be issued a ReOC from 29 September 2016 if the certificate is varied or renewed. Full details available at https://www.casa.gov.au/aircraft/landing-page/flying-dronesaustralia
Brisbane’s premium student accommodation location secured with SALTO
The decision to study away from home is never an easy one, so a new accommodation brand, Student One, has launched in Brisbane to provide a premium dedicated student living solution that allows students and parents to make that choice with confidence. As the newest entrant in the Australian student accommodation market, Student One’s new $110 million 687-bed redevelopment of the former Boeing House at 363 Adelaide St in the city is paving the way for up to 2400 new beds to be developed over the next three years in Brisbane’s city centre.

Surrounded by universities, English language schools and pathway institutes, the 158 storey Student One on Adelaide Street residence features a mix of 55 five-bedroom share apartments, 196 studios and 108 twin bed-studios protected by a smart access control system from SALTO, as well as non-intrusive CCTV technology. Installed by local security specialists Toplock Locksmiths, the access control is fitted to student bedrooms, administration areas and student common areas.

Director Mark Bowater says “SALTO was a great choice for this project and we’ve fitted quite a bit of kit, including 673 AElement locks and 589 Energy Saving Devices (ESDs) as well as controllers and wall readers located in eight strategic hotspot points. Controlled via contactless smartcards (which the students also use for cashless laundry services), the AElement locks provide a wireless standalone networked system through SALTO Virtual Network (SVN) technology. This captures individual student audits and battery status every time they badge through an offline door, with the data then downloaded at one of the hotspot points on one of the residence’s 3 lifts or in other common areas. The in-room ESDs meanwhile help save a considerable amount of the room’s electricity consumption. These work when the students insert their smart ID card into the ESD and it activates the air-conditioning system in the room.”

Student One CEO Tim Weston said “I had previously used SALTO technology on other student accommodation projects and was impressed with its ease of use and advanced ‘Data on Card’ and Virtual Network operating system. With our Student One on Adelaide Street property now open we’re already at work constructing our next two locations, at 38 Wharf St and 97 Elizabeth St, which will provide an additional 1600 plus beds. We were happy to go with SALTO to provide our access control, as we knew it could grow with us as we added more sites to our portfolio in Brisbane.”

Scott Fraser, SALTO General Manager Australia & New Zealand, concludes “SALTO is in use around the world in educational environments where it provides security, access control and campus management and we’re delighted to add Student One to our growing customer base. In Australia we’ve now installed thousands of our standalone electronic locks in universities, student housing, schools, research institutes, academies, kindergartens and more, making it the number one choice of flexible security solution providing a secure environment for all their students and staff.”
Cyber TechTime - latest news and products
Palo Alto Networks introduces new guide for Australian directors and officers

Palo Alto Networks has announced the publication of “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (Australian Edition)” to provide Australian boards, executives and officers at enterprises, government agencies and other organisations with practical, expert advice on how best to protect themselves from cyberattacks. Building on the success of the US Edition launched in October 2015 with the New York Stock Exchange (NYSE), the Australian Edition was written in conjunction with Australian thought leaders from the public and private sector together with Forbes. The contributing authors include:

– Mike Burgess (Chief Information Security Officer – Telstra)
– Rachael Falk (Cyber Security Expert)
– Ben Heyes (Chief Information Security & Trust Officer – Commonwealth Bank of Australia)
– Tobias Feakin (Founding Director – Australian Strategic Policy Institute)
– Adrian Turner (CEO – Data61)
– Maj. Gen Stephen Day (Former Head of the Australian Cyber Security Centre)
– Jennifer Westacott (CEO – Business Council of Australia)
– David Irvine (Chair – Australian Cyber Security Research Institute)
– Cheng Lim (Partner – King & Wood Mallesons)
– Arno Brok (CEO – Australian Information Security Association)

with the foreword by the Honourable Dan Tehan MP, assisting the Prime Minister for Cyber Security.

Collecting the expertise and experience of CEOs, CISOs, lawyers, consultants and former government officials, this Guide is intended for those new to the cybersecurity topic as well as seasoned leaders in the field. It contains practical and expert advice on a range of cybersecurity issues intended to enable business leaders to start having the conversation on topics such as compliance, the skills gap, incident management, prevention and response.

To learn more about cybersecurity from leading experts and contributors, and to download your own copy of the Guide, visit: http://go.paloaltonetworks.com/nextgen
For more best practices, use cases and expert advice on managing cybersecurity risks, visit: www.securityroundtable.org
To learn more about how Palo Alto Networks helps organisations prevent successful cyberattacks with its next-generation security platform, visit: www.paloaltonetworks.com.

About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com.
Seagate launches new Backup Plus Hub for all your digital needs

Seagate Technology has announced its Seagate Backup Plus Hub is now available in Australia. Based on Seagate’s award-winning Backup Plus Desktop, Seagate Backup Plus Hub is the world’s first external storage hub to provide a complete solution for your digital life whilst doubling as a desktop organiser. This sleek drive boasts up to 8TB capacity and includes two integrated USB 3.0 ports for connecting and charging your devices.

For typical digital data-loving computer users, this drive provides up to 8TB capacity to better manage data rather than juggle it across multiple USBs or devices. Its intelligent two-port USB hub makes Backup Plus Hub a charging station. The integrated USB slots allow users to charge two USB-connected devices, such as phones, tablets, cameras, Fitbit, etc. at any time, even if their computer is not powered on. Users can also easily connect their devices directly to the Backup Plus Hub for data transfers and access two USB-connected devices just as if they were plugged directly into the computer. With the new Backup Plus Hub, Android and iOS device users are able to easily back up photos and videos, and free up their mobile device memory at any time. Seagate Backup Plus Hub includes the Seagate Dashboard software with two years of 200GB free Microsoft OneDrive® cloud storage so users can back up, access and share their favorite files from any device or location.

Pricing and Availability
The new product is now available in Australia at leading retailers. The RRP for the 4TB Backup Plus Hub is AU$229 and AU$419.00 for the 8TB Backup Plus Hub.

About Seagate
Seagate creates space for the human experience by innovating how data is stored, shared and used. Learn more at www.seagate.com. Follow Seagate on Twitter, Facebook, LinkedIn, Spiceworks, YouTube and subscribe to our blog.
EDITOR'S REPORT REVIEW
2016 THREAT REPORT
Australian Cyber Security Centre (ACSC) Threat Report 2016 www.acsc.gov.au
On first glance this looks like a well worthwhile report, in a similar category to the Australian Criminal Intelligence Commission (formerly the Australian Crime Commission) reports on national and significant organised crime, illicit drug activities and fraud, but I question which doors these reports are being used as ‘door stops’ for. Like the ACSC Threat Report 2016, all these reports simply advise us that the problems are getting worse and bigger. The ACSC Threat Report mentions ‘legislation’ only once and the word ‘reform’ doesn’t appear at all. If you want to know there is a problem then just read each issue of the Australian Security Magazine (ASM); I question why our federal government agencies are spending taxpayers’ money on highlighting the problem without offering any effective solution or response.

This is the second Australian Cyber Security Centre (ACSC) Threat Report. It claims to contain mitigation and remediation advice to assist organisations to prevent, and respond to, cyber threats. The ACSC advises “the current hype associated with the proliferation of ‘threat intelligence’ can be a distraction from what really matters: the motivation to allocate effort and resources to improving your cyber security posture by implementing technical controls. If you are relying on threat intelligence to respond to threats already discovered, it is too late for you and your organisation.” This is hardly constructive advice.

The ACSC is the focal point for the cyber security efforts of the Australian Signals Directorate (ASD), the Defence Intelligence Organisation (DIO), the Australian Security Intelligence Organisation (ASIO), Computer Emergency Response Team (CERT) Australia, the Australian Criminal Intelligence Commission (ACIC), and the Australian Federal Police (AFP). Note the AFP is also the ACSC’s conduit for State and Territory law enforcement. These are all federal agencies, yet the State police are excluded from being mentioned.

The report also contradicts itself. It states “a range of states now have the capability to conduct cyber attacks against Australian government and industry networks. However, in the absence of a shift in intent – which could occur relatively quickly – a cyber attack against Australian government or private networks by another state is unlikely within the next five years.” Excuse me? It goes on, “the absence of effective repercussions following past cyber attacks internationally will embolden some states to continue developing and using cyber capabilities as a coercive tool. A continued lack of international consensus on proportionate and appropriate responses to offensive cyber activity makes the threshold for response ambiguous, raising the risks of miscalculation.” Note that at the time of writing the US is planning counter cyber attacks against Russia. In contradiction to this statement, the report confirms, “Australia continues to be a target of persistent and sophisticated cyber espionage. The cyber threat to Australia is not limited by geography; adversaries with even a transitory intelligence requirement will target Australian individuals and organisations regardless of physical location. Our knowledge of adversaries who target Australia continues to grow – particularly for sophisticated adversaries that target government networks and key industry sectors. The ACSC is aware of diverse state-based adversaries attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. But the number of cyber security incidents across the breadth of Australian non-government networks either detected or reported is highly likely to be a fraction of the total.”

“The extent of cybercrime is a significant concern. High levels of misreporting and underreporting make it difficult to accurately assess the prevalence and impact of cybercrime. While it is very difficult to establish an accurate figure, the actual costs of cybercrime at the systemic level include the costs of immediate responses, system remediation costs, and flow-on costs to government and support programs that assist cybercrime victims.” There is no recommendation or even discussion around the introduction of mandatory reporting. Instead there is an admission that “the ACSC’s visibility of cyber security incidents affecting industry and critical infrastructure networks is heavily reliant on voluntary self reporting. Some companies may be hesitant to report incidents to the government due to concerns the disclosure may adversely affect their reputation or create legal or commercial liabilities. For example, in some cases victim organisations have sought legal advice before reporting an incident. Many cyber security incidents across the private sector are undetected or unreported.”

As discussed in detail in this edition of the ASM, the report confirmed that “despite the many benefits internet and ICT connectivity provide, administrators of critical infrastructure need to remain alert to, and protect against, adversaries seeking to interfere with networks supporting critical infrastructure. Industrial control systems (ICS) support the automation and management of physical components used in production and distribution for critical infrastructure networks, and underpin the delivery of essential services to the Australian population. The prevalence of ICS technologies in critical infrastructure – and the evolution towards greater connectivity and dependence – presents opportunities for sophisticated adversaries. For example, with adequate access, knowledge and capabilities, a sophisticated adversary could modify ICS systems to achieve a disruptive effect on critical infrastructure.”

It took a catastrophic power outage event for the Federal Energy Minister Josh Frydenberg to call a snap meeting of state and federal energy ministers following the state-wide blackout in South Australia, only to get as far as agreeing to an independent review to provide a blueprint for energy security. Had these Ministers read this report, they would understand that it isn’t just climate change bringing massive energy security storms our way; it is also the connection of these critical infrastructure systems to networks, either directly or indirectly. Why do we wait for a ‘wake up’ call event instead of using reports such as these for the purpose they are intended: to instigate an effective and coordinated national response and reform?
Integrated Security Fabric delivers business continuity

Fortinet’s end-to-end Security Fabric delivers:
• World-class security
• Tightly-integrated management
• Transparency at the granular level
• Business continuity
Driven by the industry-leading secure operating system FortiOS and powered by the third-generation FortiASIC SOC3 (System-on-a-Chip) architecture, no other security vendor comes close to providing the depth and breadth of security solutions. With the lowest latency on the market and real-time security updates from the global FortiGuard Labs, Fortinet is the security solution of choice for enterprise-level data centres.
Fully-integrated Fortinet’s Security Fabric solutions work together seamlessly to provide trouble-free installation, centralised configuration and ‘single pane of glass’ management. Combined with the FortiGuard Labs’ real-time security updates, Fortinet’s Security Fabric will always be armed with the very latest threat intelligence and detection / mitigation algorithms.
Extending security to business continuity
When you install Fortinet Security Fabric solutions, you are investing in business continuity. With Fortinet’s Security Fabric, nothing that happens on your network goes unnoticed: intrusions, data leaks, DDoS attacks, system slowdowns or simply business as usual. Fortinet gives you unprecedented visibility into your network’s performance and virtually eliminates the ‘window of vulnerability’ that can result in interruptions in service delivery.
Validated performance NSS Labs has awarded Fortinet’s Security Fabric their highest recommendation. NSS certified that Fortinet’s ATP solutions detected 100% of exploits delivered by social media and drive-by downloads. Fortinet has also received NSS Labs’ recommendations for the FortiGate data centre intrusion prevention system, FortiClient endpoint protection and FortiWeb web application firewalls, amongst others. NSS has validated Fortinet’s security effectiveness above 99%. That, combined with industry-leading performance, delivers what you need to ensure fast, secure operations and business continuity.
AT A GLANCE
• Enterprise Firewall
• Advanced Threat Protection
• Cloud Security
• Application Security
• Secure Access
• Security Operations
FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 6000 anz_marketing@fortinet.com
www.fortinet.com
FORTINET SECURITY FABRIC CORE SOLUTIONS
Fortinet’s Security Fabric is built around a core set of solutions, anchored by the FortiGate firewalls, that provide security from the server to the smartphone, into the cloud and everywhere in between.
• FortiGate next-generation enterprise firewalls / data centre intrusion prevention
• FortiSandbox, FortiMail and FortiClient advanced threat protection (ATP)
• FortiWeb web application firewalls
• FortiAP, FortiSwitch and FortiCloud secure access solutions
• FortiSIEM, FortiManager security operations and network optimisation
• FortiGuard Enterprise Service Bundle real-time subscription-based security updates
FORTINET SECURITY FABRIC PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS