Australian Security Magazine, Aug/Sept 2018 by MySecurity Marketplace

Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2018

Importance of soft skills in security

Review of PMC’s cabinet paper’s report

Australian Government – state of cyber

Is your VMS a digital fortress

Internet of things impacting facilities management

$8.95 INC. GST

Insider threats – operational, tactical & strategic insights

PLUS WIN A COPY OF 'THE FIVE ANCHORS OF CYBER RESILIENCE'

AUSTRALIAN SECURITY READERS SWITCH TODAY AND SAVE 20%* ON YOUR LIFE INSURANCE

NDING VA STA L UT

2016

CT IO N

EC DIR

No advisers fees No surprises at claim time Canstar award-winning insurance Customer satisfaction score of 95.8% # Tailored offer for Australian Security readers

E IN COME PROT

Call NobleOak for a quote:

1300 108 490 and mention ‘AUSTRALIAN SECURITY’ or search NobleOak Professionals to switch and save.

nobleoak.com.au/professionals *Important information. Please contact NobleOak to verify your actual premium and to apply for cover on 1300 108 490 which will take into account your age, occupation, sum insured, health and pastimes. The savings quoted are the average savings when comparing NobleOak’s premiums for its Term Life cover under NobleOak’s Premium Life Direct to the average cost of Term Life insurance products offered by other Life Insurance companies, including products available directly from the insurer (24 products from 12 insurers included in this comparison) and those available for purchase through a financial adviser or broker (10 products from 10 insurers included in this comparison). The premiums are based on a non-smoking Australian resident with a Life Insurance sum insured of $500,000 at 5 year age bands from age 30 to 65 for advised products and 30 to 50 for direct products. In many cases the saving for an individual is higher than the 20% average saving quoted. Life Insurance rates for insurers, including NobleOak, may change in the future and this could change the outcome. The premium comparison was undertaken in March 2018 based on published premium rates. Legal statements. Premium Life Direct is issued by NobleOak Life Limited ABN 85 087 648 708 AFSL No. 247302. Address: 66 Clarence Street, Sydney NSW 2000. Phone: 1300 108 490. Email: sales@nobleoak.com.au. Cover is available to Australian residents and is subject to acceptance of the application and the terms and conditions set out in the Premium Life Direct Product Disclosure Statement (PDS). This information is of a general nature only and does not take into consideration your individual objectives, financial situation or needs. Before you purchase an insurance product you should carefully consider the PDS to decide if it is right for you. The PDS is available by calling NobleOak on 1300 108 490 or from www.nobleoak.com.au. Clients should not cancel any existing Life insurance policy until they have been informed in writing that their replacement cover is in place. NobleOak cannot provide you with personal advice but our staff may provide general information about NobleOak Life insurance. By supplying your contact details, you are consenting to be contacted by NobleOak, in accordance with NobleOak’s Privacy Policy. #2018 client survey by Pureprofile.

2018 #SecurityAwards Call for Nominations g By

Anna Ho, Marketing and Communications Officer, Australian Security Industry Association Limited (ASIAL)

he vital role performed by Australia’s private security industry will be recognised later this year at a special awards ceremony in Sydney organised by ASIAL. The 2018 Australian Security Industry Awards for Excellence and Outstanding Security Performance Awards will recognise excellence in the security industry. Nominations are open to all and provide an opportunity to recognise individuals, including frontline security personnel who have gone beyond what could reasonably expected of them in providing a level of service that exceeds client’s expectations. Likewise, organisations and teams who have demonstrated leadership and innovation will also be recognised. Judging of the awards will be undertaken by an independent panel of judges, that includes Damian McMeekin, Managing Director of CT Intelligence & Insight; John Adams, Editor, Security Electronics and Networks Magazine; John Curtis, Director, IPP Consulting Pty Ltd; Michael Walker, Senior Manager, Security Services, Facilities Management, Reserve Bank of Australia; Rachell DeLuca, Senior Security Consultant, ARUP and Vlado

Damjanovski, CCTV Expert Specialist and MD, ViDi Labs. Nominations open 1 July and close 31 August. Winners will be presented at a special awards ceremony to be held at Sydney’s Doltone House Hyde Park on Thursday 18 October 2018.

2018 AWARD CATEGORIES INCLUDE: • Individual Achievement – General • Individual Achievement – Technical • Gender Diversity • Indigenous Employment • Special Security Event or Project – Under $500,000 – Over $500,000 • Integrated Security Solution – Under $500,000 – Over $500,000 • Product of the Year – Alarm – Access Control – CCTV – Camera – CCTV – IP System/Solution – Communication /Transmission System

– Physical security (bollard, gate, barrier, lock)

AWARD CATEGORIES INCLUDE: • Outstanding In-house Security Manager/ Director • Outstanding Contract Security Manager/ Director • Outstanding Security Team • Outstanding Security Training Initiative • Outstanding Security Partnership • Outstanding Security Officer • Outstanding Female Security Professional • Outstanding Guarding Company • Outstanding Security Consultant • Outstanding Security Installer • Outstanding Information Security Company For more detailed information on the award nomination criteria and process visit www.asial.com.au/ securityawards2018

RECOGNISING EXCELLENCE

#securityawards Organised by:

2018

AUSTRALIAN

Security Industry The Australian Security Awards Ceremony & Dinner The night is an opportunity to celebrate excellence and innovation in the security industry, and network with likeminded security professionals. www.asial.com.au/securityawards2018 Date: Thursday 18 October 2018 | Venue: Sydneyâ&#x20AC;&#x2122;s Doltone House Hyde Park Entertainment Sponsor:

2018

Lead Dinner Sponsor:

Contents

7 8 12 14

Editor ASM Chris Cubbage

Editor ACSM Tony Campbell

The security implications of an aging population

18 20

Director & Executive Editor Chris Cubbage

Director David Matrai 7

Art Director Stefan Babij

MARKETING AND ADVERTISING

Reinventing the SOC

12 16

T | +61 8 6465 4732 promoteme@australiancybersecuritymagazine.com.au

18 21

SUBSCRIPTIONS FOR AUSTRALIAN SECURITY MAGAZINE

T | +61 8 6465 4732 subscriptions@australiansecuritymagazine.com.au Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | myteam@mysecuritymedia.com www.mysecuritymedia.com

24 42 Bad things come in small packages

30 33

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Print Post

www.a ALS |

ustrali

ancyb

SSION

ITY PROFE

ZINE FOR

ALIAN

AUSTR

N SECUR

MATIO

INFOR

THE MAGA

see it, Now you don't now you

rityma

gazine

.com.a

Issue 5,

THE COUN

TRY’S

2018

G GOVER

NMEN

T AND

CORPO

RATE SECUR

ITY MAGA

ZINE

| www.a

ustrali

ansecu

rityma

gazine

.com.a

Aug/Sep

Austral state ofian Governmen cyber t–

2018

Is you digital r VMS a fortress

Insider threats – tacticaloperational, & strateg ic insight s

nting Reinve – the SOCalertcuring fatigue

$8.95 INC.

Review of PMC’s paper’scabinet report

Interne impacti t of things manageng facilities ment

gs Bad thin ll sma come in kages pac

www.facebook.com/apsmagazine

PP100003227

LEADIN

Importa in securitnce of soft skills y

Cognitive bias in Security

Approved

Mag

yberSec

@AustC

m cyber Quantu making y securit levant es irre breach

Stuff GDP ve Cogniti bias in y securit

CONNECT WITH US

ersecu

GST

PLUS OF COPY WIN A OF ANCHORS 'THE FIVE RESILIENCE' CYBER $8.95 INC.

GST

PLUS

n Cyber

Security

WIN A 'THE FIVE COPY ANCHORS OF CYBER OF RESILI ENCE'

Magazine

56 | Australia

@AustCyberSecMag www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia Applications of advanced data analytics

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors www.asiapacificsecuritymagazine.com

www.aseantechsec.com

Jane Lo*

Danielle Traino

www.chiefit.me

Milica D. Djekic Vikram Sharma Nigel Hedges James Jordan

www.youtube.com/user/ MySecurityAustralia

Elliot Dellys Also with

www.drasticnews.com

Lionel Snell

www.cctvbuyersguide.com

Jason Hilling 6 | Australian Security Magazine

Guillaume Noé

Federica Bisio

Kieth Suter

Shannon Sedgwick

Australian Security Magazine |

“This is dangerous territory. When politicians resort to using race in advancing their agendas, they inevitably excite racial anxiety and stir up social division. They end up damaging our racial tolerance and multicultural harmony.” - Departing race discrimination commissioner Tim Soutphommasane in his speech, delivered at the University of Western Sydney’s Whitlam Institute, Monday 6 August

e had the opportunity to facilitate a security consultant’s roundtable at the Security Expo 25 July in Melbourne, courtesy of HID Global. Amongst the discussion on smart buildings and mobility, the group also focused on the trends being seen when it comes to physical access control and the priorities for adding value to end-users, in the realm of physical access. Underlying the importance of physical access control, some recent research data highlights that the workplace is not just subject to nuisance or targeted crime, but also the phenomenon of domestic violence. In 2014–15, on average, almost 8 women and 2 men were hospitalised each day after being assaulted by their spouse or partner. Between 1 July 2010 and 30 June 2014 there were 152 intimate partner homicides in Australia. Almost half of the males who killed a former female partner killed that partner within three months of the relationship ending, almost a quarter were named as respondents in Domestic Violence Orders, half were using alcohol at the time of the homicide and over a third stalked the victim either during the relationship or after it had ended. And this is where the workplace comes in. Stalking behaviours can include the abuser following the victim, loitering near the victim’s home or work, and breaking into the victim’s house. Stalking also includes acts of technology facilitated abuse such as persistent text messaging; maintaining surveillance over the victim’s phone or email; covertly recording the victim’s activities; and engaging with the victim on social media/dating sites under a false identity. Of the 121 male offenders, 13 per cent of homicides occurred in public/open places and two male homicide offenders killed their female intimate partners at a workplace. The importance of workplace access control is underlined by wider societal behavious. Security systems are there not to just protect business assets but also personnel and visitors. The risk of domestic violence occurring in a workplace is a lot more so than any terrorist attack or violence caused by a Sudanese African gang. Worthy of note also is the release of Handbook 15 - Safe and Healthy Crowded Places as part of the Australian Disaster Resilience Handbook Collection. Unlike the previous

silo focus on terrorism in crowded places, this handbook can be more widely used to prepare plans before an incident or emergency in a crowded place arises, and to maximise the efficiency and effectiveness of any responsive and recovery action. It appropriately incorporates principles and guidelines for developing crowded place and site plans against a range of potential hazards that may have an impact on attendees, not solely a terrorist incident. We have to get out the silo approach often enforced on us by agenda driven government agencies and politicians. With this in mind, we continue to cover all aspects of the security domain. Interestingly, Dr. Keith Suter has raised the issue of aging and societal security implications. With increased life expectancy, increased health expectancy and the growth in human enhancement technology, society is heading for some major challenges which few policymakers are brave enough to address – much like Sudanese gangs are a convenient distraction to the more prevalent issue of domestic violence, so is race based immigration a distraction to that of an aging population and lack of action being taken. Shannon Sedgwick argues that a lack of budget allocation may be to blame for the slow progress of increasing cyber security maturity, with $230 million earmarked for Australia’s

Editor's Desk

Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has alotted A$800 million to their cyber security efforts. When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient. Finally, Nigel Hedges, a 20-year veteran provides an excellent and always timely article on the importance of ‘soft skills’ in the security domain, and this applies to both physical and cyber security. “Some security professionals feel that they have lost a fight when the business will not agree to a security recommendation,” writes Nigel Hedges, but “ultimately, the business gets to decide and own any risk that they accept.” I suppose we can push this out to the general public to determine how much risk they are willing to accept from their preferred politicians. As we have seen in Australia in recent times, the quality of the political class could be perceived as a national security threat in themselves. My view is we should expect and get better! Our security may well depend on it. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Sincerely, Chris Cubbage CPP, CISA, RSecP, GAICD Executive Editor

Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

BUSINESS

ACADEMIA

LAW ENFORCEMENT

REGULATION

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to: Connecting members across intelligence communities and encouraging cross-domain collaboration

Supporting and representing intelligence professionals throughout their career lifetime

Sharing cutting edge and emerging global intelligence practices and enabling technologies

Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au

Australian Security Magazine | 7

Cyber Security

The importance of soft skills in security? By Nigel Hedges

s information technology professionals the majority of us have experienced or at least heard of the stereotypes of IT people. You need only watch a few episodes of The IT Crowd to get a sense of this. Even in current times, there is a continued perception of poor communication skills and business alignment. I’m sure we’ve all heard terms linked to information security personnel, such as “road blocker”, “corporate fun police” or “project inhibitors”. However, the information security industry as a whole has been quite proactive in wanting to change this view. Gartner’s Security and Risk summits has highlighted repetitively for years now the drive towards Information Security as a business aligned ‘enabler’.

and genuine part of gaining success and opportunity in your information security career. Ignore it no longer! Even experienced professionals can do with regular soft skills refreshers to shake off acquired bad habits. The good news is, that soft skills is not only the domain of people born with a natural gift or for regular presenters at Australian information security conference circuits. There are many things that can help you develop soft skills, but here are 7 introductory things you can do to start improving your own soft skills as you interact in the information security industry.

Why it is important?

It’s easy to be noble about being imperfect. It’s another thing to actually do something about it. Often, when we are provided constructive feedback about our flaws there is a possibility of taking this personally. Very few actively enter the uncomfortable personal zone of trying to change our negative behaviours. For such a long time, it was possible for technical people to succeed simply based on technical

No matter how much subject matter expertise or knowledge we gather, if we do not spend time on improving our ability to communicate, our value can be diminished. The ability to create a difference for yourself, team and organisation may be limited. Soft skills are going to be an important

8 | Australian Security Magazine

1. Be humble and aware of your personal flaws and strengths

Cyber Security

However, critical thinking is an often over utilized skill. Being ‘negative nelly’ to other suggestions and input can stifle creativity, innovation and openness. skills, this no longer the case. Getting constructive feedback (a.k.a. ‘areas for improvement) should not be seen as a personal failure. If you find yourself talking about blame or denying feedback, you will have to ask yourself – if I need someone to blame, am I ever truly in control of my situation? This ability to be self-aware is a critical and fundamental step to many other soft skills advancements. All feedbacks (even those that are delivered poorly) should be viewed as a platform to extract personal learnings, and if you develop an appreciation and gratitude for any and all feedback you get – it’ll make it easier to take.

2. Accept that you don’t have to be a carbon copy of someone in the industry There are great role models out there showcasing fantastic soft skills. They’re blogging, showing up on TV interviews, and seated at conference keynote discussion panels. These folks are to be commended for their contributions. You do not need to emulate their interests in order to be successful. Instead you should embrace your own passionate areas of cybersecurity, topics you are interested in. You will find that people will be drawn in and interested in something you can speak passionately about.

3. Don’t forget what you’re here to do Information Security is now recognized as such a vital and important part of the success of the organisation. However, and I hope this doesn’t come as a surprise, it is not the most important thing – the business is. This is not the time to get complacent. Stay focused on being business aligned and seek collaboration opportunities with the business when you can. We should be humble in the face of the growing importance for our expertise by not forgetting the adjacent importance of being business centric.

4. Be open to thinking differently Critical thinking has served us since our ancestors were dwelling in caves and avoiding being eaten by large, clever animals. However, critical thinking is an often over utilized skill. Being ‘negative nelly’ to other suggestions and input can stifle creativity, innovation and openness. A well-known educator Edward De Bono called this ‘black hat’ thinking. In his book Six Thinking Hats he describes a mental framework (using 6 different coloured hats) for processing information

in different ways. This includes optimism, gut-feel reactions, listing facts, creativity and of course critical thinking. It is an example of something that can teach us to not always interpret information in a one-dimensional way.

5. You can’t do this alone. Work better with other people Stephen Covey in his book 7 Habits of Highly Effective People wrote that humans follow a path of maturity: - Dependence (infancy) - Independence (adolescence and early adulthood) - Inter-dependence. Relying on peers and work colleagues is a great way to get complex things done.

6. Things aren’t always going to go according to plan Not all communication exchanges go the way we want them to. You’ll aim to make more positive exchanges than negative ones and learn from the ones that didn’t go so well. Ask yourself, do you contribute to constructive, positive meetings? Do you get worked up when your ideas get shot down? Do you feel your recommendation to use a particular technology was shot down by the team? It’s important to become self-aware of these things, as a first step to doing something about it. Some security professionals feel that they have lost a fight when the business will not agree to a security recommendation. Ultimately, the business gets to decide and own any risk that they accept. It is important that no one leaves a meeting where ownership for a decision is in doubt. If you leave a meeting without ownership, it means there has been a lack of accountability on all parts. It can be frustrating when your plans do not get accepted by peers. It’s important to note that conflict is a natural part of our work environment and is healthy, so long as messages are sent and received in an assertive manner. Complaining to sympathetic peers to blow off steam in the background, is passive aggressive and not too helpful. Blowing up in a meeting and storming out is aggressive. When decisions do not go our preferred way, there is nothing wrong with letting people know – provided it’s done respectfully.

7. Let Management / Promotion / Opportunity come to you An incentive for developing soft skills is that it leads to career progression and opportunity. Be careful not to adopt a ‘fake front’, such as putting on an act. This is ultimately not going to work. It’s also very draining when you’re spending energy to put on a personal front. By setting out to make small, incremental improvements in soft skills, those opportunities will naturally come when you’re ready. Some people get complacent once they get promoted to managerial positions in information security, and this can be very risky. Personal Leadership is about knowing when to lead, and when to follow. You should continue to

Australian Security Magazine | 9

Cyber Security

learn from anyone you come in contact with. Managers today are leading less and less through hierarchical power positions, and more as colleagues. Being willing to follow your peers regardless of their position is a strong reflection of leadership.

Where to next? Attending information security conferences and watching panels and presentations is a good way to see how people apply soft skills. These are people in our industry who have already set themselves a personal challenge to improve their ability to communicate their ideas and opinions. It also gives an opportunity to network and meet people outside our work place. Make a pact with yourself to say hello to at least one new person and engage in conversation about why they are there, what they do, and what they intend to get out of the conference. One other advantage is conferences give you lots of interesting material to go back and share with your immediate peers and other colleagues. Another suggestion can be to see if your information security management will encourage meeting with peer organisations and meeting other people in similar roles. It often provides a great way to compare notes in a nonthreatening way, while practicing your communication skills. Here’s a list of skills you can research on google, and if you are really keen you can drop the article an author a line

for a list of amazon kindle books that are worth looking into. List of Skills to research: - Emotional Intelligence Skills - Cultural Awareness Skills - Customer Service Skills - Lateral Thinking - Interpersonal Skills (MBTI, DISC) - Teamwork Skills - Meeting Skills - Communication Skills - Presentation Skills - Negotiation Skills - Conflict Management Skills - Personal Leadership About the Author Nigel Hedges is a 20-year veteran in the information security industry. He has spent a number of years on both sides of vendors and end-user organisations. In most recent years he serves as the Senior Security Architect at a large national retailer. He has a number of industry certifications including CISA, CISM, CISSP, CGEIT, CRISC, CCSK, ISO27001 Lead Auditor & Lead Implementer, SABSA Foundations. Nigel also holds a Master of Business Administration from La Trobe University, and is midway through a Masters of Cybersecurity. He can be reached at: nigel.hedges@reece.com.au

Driving growth in Australia’s cyber security sector From ideation to export, and everything in between, AustCyber works with: • Startups

• Venture capital funds

• Scale-ups

• Government agencies

• Corporates

• Research organisations • Educational institutions.

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access: Funding across all stages of the commercialisation cycle Profitable global supply chains and growth markets.

The first step is to connect with us: www.austcyber.com

10 | Australian Security Magazine

info@austcyber.com

+612 9239 3250

@AustCyber

New South Wales, Australia Chapter

harbour cruise

“Do you have 20/20 Security Vision”? ASIS National Conference 17th & 18th October 2018

DANIEL LEWKOVITZ

RACHELL DELUCA

David Harding Prof. Martin Gill Dr Kira Harris 17th & 18th October 2018 Sheraton On The Park

161 Elizabeth Street, Sydney NSW 2000 www.ASISNSW.ORG.AU

CHRIS CUBBAGE

CODEE LUDBEY

Early Bird = $750 for Members Early Bird = $900 for Non-Members Ticket Includes: • 2 Day conference ticket • Morning and afternoon tea for both days • Buffet lunch in Feast restaurant both days • Networking Cruise on Sydney Harbour

http://www.asisnsw.org.au/NSW/NSW_Events.html

Cyber Security

Australian Government The state of cyber “Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests.” (MP, n.d.)

A By Shannon Sedgwick

12 | Australian Security Magazine

mongst the never-ending acronyms of Canberra’s public service are government agencies and departments, who guide the direction and implementation of the Australian Government’s cyber security strategy. Agencies and departments such as the Australian Signals Directorate (ASD) and their subsidiary the Australian Cyber Security Centre (ACSC), the Attorney General’s Office, the Department of the Prime Minister and Cabinet (PM&C), the Department of Home Affairs, CERT Australia, and the Department of Defence (DoD). The collective aim of these agencies and departments is to improve the resilience and cyber security posture of the Australian Government, private industry, and its citizens. They are the first line of defence for Australia in the protection against cyber criminals, espionage, and insider threats. There are unique challenges faced by these organisations, and I will shed some light on these challenges and the progress of our government’s cyber security strategy since it’s introduction in 2016 (The Department of Prime Minister and Cabinet, 2016). The 2016 Australian Cyber Security Strategy addressed five key goals; 1 – Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership,

2 – Australia’s networks and systems are hard to compromise and resilient to cyber attacks, 3 – Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence, 4 – Australian businesses grow and prosper through cyber security innovation, and 5 – Australians have the cyber security skills and knowledge to thrive in the digital age. These five goals are laudable fundamentals for which to strive. One of the main issues in achieving these goals is that the Cyber Security Strategy did not address exactly how it was going to implement these plans or quantitatively measure its progress. The Strategy breaks down the five goals into 33 separate action points, which may prove unwieldy. A better approach would be to identify the essential action points and prioritise them according to their severity of risk to the overall five goals. Australian National Audit Office (ANAO) audit reports of various federal agencies make it clear that the government has more work to do in the implementation of its Strategy Action Plan. The ANAO found that the majority of the agencies it audited did not meet the mandatory standards set by the ASD in April 2013, the Top 4 Mitigation Strategies. The Top 4 are a subset of the ASD Essential Eight, which will

Cyber Security

soon replace the Top 4 as the minimum standard with which Australian Government agencies must meet. The Essential eight are: 1. Application Whitelisting 2. Restrict administrative privileges 3. Patch Application 4. Patch Operating Systems 5. Disable untrusted Microsoft Office macro 6. Multi-factor authentication 7. User application hardening 8. Daily backup of important data The only agency in the ANAO’s purview considered “Top 4 compliant” and “resilient” was the Department of Human Services (DHS). The Australian Taxation Office (ATO) has since achieved Top 4 compliance too. Whether compliance with the ASD’s Top 4 or any other government regulation signifies an organisation is cyber-resilient is arguable. When too great a focus is on compliance, it can create a “tick the box” culture instead of addressing the principal risks and threats to an organisation’s assets. The ANAO hit the nail on its proverbial head in their recent Performance Audit Report describing what makes an organisation “cyber-resilient”: “cyberresilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.” (Australian National Audit Office, 2018) One could be forgiven for not fully understanding which government advice to follow. There is a plethora of different advice and regulations to which industry and government alike can subscribe and align themselves. ASD Top 4, ASD Essential 8, ASD Top 35, Australian Information Security Manual (ISM), Australian Defence Security Manual (DSM), ISO27001, National Institute of Standards and Technology (NIST) Cyber Security Framework, PCI-DSS, Notifiable Data Breach (NDB) Scheme, and the list goes on. Therein lies another problem. An overabundance of security advice can lead to confusion and cause organisations to either do nothing, over-compensate or attempt to comply with an ineffective mix of national and international standards. A lack of budget allocation may also be to blame for the slow progress of increasing cyber security maturity, with $230 million earmarked for Australia’s Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has alotted A$800 million to their cyber security efforts. When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient. It is certainly not all bad news though. The government has opened four Joint Cyber Security Centres (JCSC) throughout Australia which allows the sharing of threat intelligence and collaboration between government, academia, and industry. An additional $30 million in funding has been granted to an industry-led Australian Cyber Security Growth Network that “brings together businesses and researchers to provide a foundation for

the development of next-generation products and services required to live and work securely in our increasingly connected world.” (Aust Cyber, 2018) The Department of Home Affairs has developed initiatives such as the Cyber Security Challenge which promotes the cyber security industry to graduates, with a particular focus on women in cyber. The reforms of the Protective Security Policy Framework (to be released October 1st 2018) to a “principles-based” approach is a welcome change to the previous unwieldy and overly prescriptive version. The revision seeks to simplify the framework by separating guidance material and mandatory requirements. Alastair Macgibbon, the National Cyber Security Adviser & Head of Australian Cyber Security Centre, has also dramatically increased the ACSC’s staff numbers in a relatively short amount of time. This increase in resources will assist to develop collaboration between industry and government further and improve Australia’s cyber resilience and standing on the global cyber stage. Advanced information and communication technologies (ICT) are necessary for the success of the industry, consumer, and government activities and ICT security should be of the highest priority. Australia is taking steps to address the threats from advancing technology. However, we are lagging behind the pace of other Western countries. (Austin, 2016) A robust and effective cyber security strategy is critical to the protection of Australia and its citizens and for a profitable technology-led industry. Effective strategy implementation across government, a cyber-aware and resilient culture, continued collaborative engagement between government and industry, a unified and simplified approach to regulations and standards, and adequate funding is required for Australia to thrive in the digital age and successfully respond to cyber incidents, deter cyber attacks, and protect against threats from both cyber criminals and foreign interference. About the Author Shannon is a Senior Manager in Deloitte’s Cyber Risk Advisory in Canberra and has had extensive experience providing consulting and cyber risk services to a range of both private and public clients from ASX 100 corporations to Defence. With a unique background in international risk management in non-permissive environments, Shannon is regarded as an industry SME in “holistic security”. Shannon regularly appears on national and international news programs, expert panels, industry publications, conferences, and radio networks discussing national security, cyber security, counter-terrorism, and breaking news events.

Australian Security Magazine | 13

Cover Feature

The security implications of an aging population A By Dr. Keith Suter

ging is the new frontier. The components are: increased life expectancy, increased health expectancy and the growth in human enhancement technology. The bottom line is that society is heading for some major challenges which few policymakers are brave enough to address because they are far too focussed on short-term issues. This article will examine the “new frontier” and then examine three security implications: the cost of paying for older people, the tensions arising from pension/ superannuation adequacy, and labour shortages. This article is encouragement to think about the unthinkable.

The Three Components of the New Frontier First: there has been an increase in life expectancy. We have gained as much life expectancy in the last century as in the previous 5,000 years; this an increase of about 25 years. About 5,100 years ago, people lived on average for 25 years. In 1900 the figure had crept up to 50. Therefore giving people in western countries an old age pension was not a big burden on government because most people

14 | Australian Security Magazine

never lived long enough to collect it. Now life expectancy is around at least 75 years and there are concerns about the sustainability of pension schemes. This change can be seen in the various phases of aging. Traditionally a person had three stages: young, middle aged and then getting to ready to die. Now there are four stages: (i) childhood (ii) maturity (iii) well aged (the new “third age” with perhaps one third of a life spent in retirement) and (iv) the compression of morbidity (whereby a person’s body declines quickly). Never before has any society had so many older people; there are no precedents to guide us. The first Australian to live to 120 is already alive and she is probably currently in her 60s (unfortunately we do not know who she is and so we cannot warn her). Second: there is increased health expectancy. Growing older does not necessarily mean feeling older (“60 is the new 50”). Average incapacity-free life expectancy is rising faster than average life expectancy overall, and so people are not only living longer but they are also living more healthily. Many people are taking better care of their health and so reducing lifestyle risks (such as smoking). There is also

Cover Feature

About 5,100 years ago, people lived on average for 25 years. In 1900 the figure had crept up to 50. Therefore giving people in western countries an old age pension was not a big burden on government because most people never lived long enough to collect it. Now life expectancy is around at least 75 years and there are concerns about the sustainability of pension schemes. far attracted too little attention. “National security” is too often perceived to be a military matter. This article argues that “the social security of aging” is also a national security matter. Here are three challenges.

The Economics of Aging

the rise of the “counter-aging society”: older people refuse to act as though they are “old”. This means that today’s older people are much “younger” than their parents were when their parents were at their age (assuming the parents managed to live that long). There is a growing market for information on how to remain young. Finally: there is the growth in human enhancement technology. Human enhancement technology as such is not completely new, for example the invention of spectacles and hearing aids. Now far more technological progress is underway either (i) restore an impaired function (such as eyesight) or (ii) to raise the function to a level considered to be “beyond the norm” for humans. Examples include the use of cognitive enhancing drugs to improve memory and concentration; use of hearing aids and retinal implants to improve sensory perception, and the use of bionic limbs to restore mobility. These developments will, among other things, enable older workers and people with disabilities to stay in the workforce for longer and broaden their potential opportunities for work. To sum up so far, these are signs of a successful society. But they present major challenges that have so

Can we afford the elderly? This question is asked in two contexts. First, there is the increased cost of caring for an aging population: hospital/ aged care facilities. Aged care centres are a comparatively new idea. Traditionally old people stayed in the family home and helped out, such as looking after the grandchildren. Only some military veterans received the sovereign’s special attention of having their own aged care facility, such as London’s Chelsea Pensioners, which began in 1682. In Australia the move began in the 1920s and 1930s when churches converted spare land into facilities to take care of older Australians. The Menzies Government in the 1950s introduced commonwealth government funding to the not-for-providers of aged care. This has now become a multi-billion dollar industry and it is a major financial burden on government budgets (and a major media nightmare when scandals take place). As people live longer so there will be additional costs on aged and healthcare budgets. The second context is the “global pension time bomb”, as it is called by the Switzerland-based World Economic Forum (WEF). In 2017 WEF reported that the world’s six largest pension saving schemes (US, UK, Japan, Netherlands, Canada and Australia) are expected to reach a US$224 trillion gap by 2050. WEF calls this the “financial equivalent of climate change”. The situation becomes even more dire when China and India are also included in the calculations. Australia is seen as being at the least risk (thanks to superannuation reform beginning two decades ago). The US is at the most risk. The US state of Illinois is already teetering towards bankruptcy with pension benefit growth overwhelming the state’s economy. The bottom line of both contexts is that there will be an extra burden on government budgets. There may be some offsets (such as the reduced expenditure for child care

Australian Security Magazine | 15

Cover Feature

and schooling). But the long-term view is that of increased pressure on government budgets, and so less available funding for other matters, such as defence.

Erosion of Social Cohesion “My doctor says I can live for another 30 years but my accountant says that I can only afford to live for another 20 years”. Another set of challenges is at the level of individual psychological impact and the damage to national morale. A current example is the research by Princeton University’s Angus Deaton and Anne Case. Almost all Americans are living longer, including Afro-Americans and Hispanics. But Deaton and Case have found an anomaly: middle aged white male and female Americans in economically depressed areas (captured by Trump in the 2016 presidential election). These Americans are dying prematurely through depression and opioid addiction. Will this type of crisis become more widespread? Social cohesion is based on a society getting richer and happier (however that is measured). Economic growth and psychological well-being are the glue that hold a society together. Some of the stereotypical Trump voters have shown how prolonged unemployment (such as in the West Virginia’s coal mining areas) can have a social cost. Here are two warning signs of threats to social cohesion. First, some pension schemes (such as Australia’s national superannuation one) are based on personal investment in the market (rather than a guaranteed regular payment from the state). This investment is a volatile source of income. Stock markets are currently doing well. But “corrections” take place every few years. A person can be unfortunate to retire at the time of a market downturn and so lose some of the investment. Looking to the longer-term, superannuation projections can only be based on the “known knowns” of today’s economy. However some commentators have raised concerns about the “known unknowns” which represent a threat to the continuation of today’s wealth. These “known unknowns” include climate change, resource scarcity, large numbers of asylum seekers and “climate refugees”, growing gap between rich and poor, and block chain technology (which could undermine banks, which represent over 30 per cent of the total value of the Australian Stock Exchange). In short there will be increasing anxiety over the adequacy of superannuation arrangements. Second, the children and grandchildren of the aging “baby boomers” (people born between 1946 and 1966) are suffering from “inheritance impatience”. These young people see their older relatives living in large homes with generous superannuation arrangements. They would like access to that wealth. A new branch of law has been developed to deal with this problem: elder abuse. Elder abuse has occurred throughout history but now it is becoming far more common. About five per cent of Australia’s older people experience abuse. Financial abuse is the most common form of elder abuse. Most of this abuse comes from adult

16 | Australian Security Magazine

children anxious to get the wealth of their parents. To sum up, the prevailing view in most of western societies is that life will continue to get better. But that may not be the case. In the future, older people may have little incentive to continue the daily struggle of staying alive.

Labour Shortages Finally, an aging population will mean shortages of labour. This is a byproduct of the demographic transformation: falling fertility and rising longevity. This is already being seen in trades and professions which particularly recruit young people, such as nursing, teaching and military service. There are two potential solutions – both politically controversial. First, more immigration should be permitted. Africa has a rapidly growing population. Perhaps more African workers should be allowed into western developed countries which are running out of young workers. There is also a surplus of young people in many Islamic societies, such as the Middle East and North Africa (MENA) and Indonesia. However, given the rising anti-immigration political movements, this may not be possible. Second, more should be done by government to encourage people to have children. The kindergarten (“garden for children”) movement began in Germany and other parts of western Europe over a century ago to encourage both parents to go to work. This saw a reversal of the then stagnant population growth (in an era when governments decided there was a need for larger populations to provide large armies). Making day care available is no longer enough. South Korea, for example, which has one of the world’s lowest fertility rates, is trying to find ways of guaranteeing women that have careers that they will be able to resume their careers after their babies are born. Unfortunately, the South Korean attempts have generated public anger, with women resenting being treated as breeding farm animals. It also means that a workaholic South Korean business community will need to develop more family-friendly business practices. Thus, we have some major social challenges in all western societies: changing the attitude of employers to retain older employees and not pension them off, and to reassure women that their careers will be safe once their children are born. To conclude, global society is now where it has never been before: grappling with the challenges of an aging population. Unfortunately, not enough attention is being given to these challenges.

App now available on iTunes & Google Play DOWNLOAD NOW!

www.australiancybersecuritymagazine.com.au

Catching drug traffickers and illegal aliens with Artificial Intelligence and Machine Learning The innovative approach that helped US Border Patrol seize two million pounds of cannabis and apprehend one million illegal aliens

A Assistant Chief Patrick Stewart – United States Border Patrol, US

ustralia’s federal, state and local law enforcement and border patrol agencies are facing unprecedented challenges in their fight to secure the nation’s borders and stay a step ahead of criminals. Advancement in technology – such as biometrics, automation and Artificial Intelligence – offer opportunities to improve capabilities – however, as the technology used by national security agencies becomes more sophisticated, so too does the approach of the criminals they are working to apprehend. So how can we effectively plan, prepare and respond to outpace the would-be perpetrators? Washington-based Assistant Chief Patrick Stewart – Branch Chief of the Geospatial Information Systems (GIS) program for the United States Border Patrol and the program lead for U.S Customs and Border Protection – believes the answer lies with geospatial technology. Assistant Chief Stewart and his team have set global benchmarks in developing innovative Geographic Information System (GIS) technology solutions that support risk-informed, intelligencedriven operations. This has enabled the US Border Patrol (USBP) to significantly strengthen its operations, including apprehending nearly a million illegal aliens and seizing more than two million pounds of cannabis since 2016.

The Role of GIS Technology Our enterprise geospatial solution is called ‘eGIS’ – a portal that consolidates all our data and enforcement information on apprehensions, seizures, significant incidents, intelligence reports and realtime detection activity. The system is built on the ArcGIS platform and allows us to visualise critical information and insights on a map as it unfolds, so we can make decisions based off the most complete view of a situation possible. It has been a game changer for border protection and is a solution we 18 | Australian Security Magazine

continue to invest in and evolve with. It underpins most of our operations at USBP and we’re increasingly opening access to the solution to other government departments and agencies – to share data and insights that may be valuable to their operations or jointmissions. We use GIS technology in almost every aspect of our border security – and I can confidently say our operations are faster and better all-around with GIS. One of the most important things we can do with the technology is look at a problem area and understand our challenges and deficiencies in border protection. GIS has allowed us to better assess the areas in which people are getting away from us, and scrutinise the ‘why’ so we can plan a better response in future. With GIS, we begin to understand the total flow of traffic getting into the US – and see how or why some suspects may be evading enforcement. Previously, without GIS technology we were limited to tracking suspects based on wide areas using landmarks. For example, we may have recorded that we saw three people at a particular area on our border – and we would go back over our records and see that collectively we’ve had 20 people who had escaped via this window. Because it was so large – let’s just say an area with a one-mile radius – suspects could have got away from us from anywhere in this window. Now with GIS technology, we can provide and record the exact coordination of the location where people got away from us. We can very clearly identify traffic patterns of where suspects are coming from or going. We can fuse that information up with the location of known established trails, stash houses and the highway system, to get an accurate understanding of where suspects are likely heading. Essentially, we can create a real-time map of each movement they have made. With this insight, we can effectively track these people down. We know they’re going two miles up the interstate highway to a stash house, and we can find them and catch them. As a result, we have significantly less people getting away from us now –

and for those who do get away, we can deduce where they’re likely going and record that too. To give you some perspective, we went from having nearly 600,000 suspects evading us in 2006, down to around 180,000 a year, thanks in-part to the insights provided from our GIS technology. As GIS continues to complement our use of new technology and enable a growing work force, we believe we will continue to see this number decrease. GIS technology is pivotal in helping us catch smugglers, drug traffickers, criminal organisations or illegal aliens before they enter the country. Our regional command centres store and share data on where we’ve seen signs of foot traffic, or other evidence of people crossing, like abandoned vehicles, trash and left behind clothing and supplies. This data is visually represented on a map so command can do a quick eyeball analysis in real-time, to provide directions to agents in the field. The system is also then accessed by our analysts who can compare reported sightings with known local activity – allowing us to filter out tourist traffic areas and narrow down our search. Pictured below Officers using geospatial mobile devices to add real-time data to their shared mapping interface.

We also use our GIS to analyse imagery-based maps to track drug mules. Using ground based imagery to identify large bundles and oversize backpacks, we track and monitor their activity from the first sign of their presence, such as footprints, until we apprehend them and make the seizure. GIS is a major contributor to our ability to track them so quickly and effectively. This becomes critically important when we’re dealing with suspects in dire conditions. In the United States we find many of the areas they’re trying to cross are barren, hot and treacherous – a lot of people are in danger and putting themselves in harms’ way by trying to cross. We want to ensure we can apprehend these people quickly to ensure the security of the border, but also to show compassion and ensure their safety. We get lots of calls for rescue tracking – last seen foot sign, known trails, or evidence of people crossing are critical in ensuring a timely response. We have started thinking of GIS as the “Science of Where” and through this use of GIS, we have caused a paradigm shift in how we view enforcement – and that has been humbling. Starting this process, I didn’t expect it would be so profound. The difference is that the agency now understands that no matter where you are, you are “somewhere”. Our suspects are “somewhere”. Thinking of this as the “Science

of Where” is understanding that location is what ties everything together. It seems simple, but by embracing that, we’ve been able to create a more efficient operational environment.

The value of IoT IoT (Internet of things) is something that within the USBP, we’ve been doing for years but no one has called it that until just recently. An example of how we are using IoT is the National Intrusion Sensor Infrastructure (NiSI). This program leverages thousands of IoT devices to detect seismic, magnetic and infrared activity as it occurs, allowing us to detect and track the locations of suspects, agents, and dangerous wildlife. Some IoT feeds are associated with producing photos or video clips; but some are as simple as weather data – providing us with windspeed and temperature – which is critical as it helps us understand the potential speed of travel when people are on foot. Obviously if it is really hot, someone will travel at a slower speed than if it’s cold. We use that to determine where we should intercept them to help ensure our agents and the suspects themselves are safe. In the cases of a drug mule trekking through the dessert, we want to apprehend them quickly and efficiently to ensure public safety. In the case of human trafficking suspects and immigrant family units, we also want to locate and apprehend them quickly to minimise their risk of suffering in treacherous conditions. By using GIS to optimise the data collected through IoT devices, we’ve been able to improve our agent dispatch, blueforce tracking and situational awareness processes.

New Technology Trends Artificial intelligence (AI) and machine learning (ML) have seen great advancements recently and are the newest areas we have started to push forward in throughout all aspects of border patrol. For example, in terms of AI, we have started using GIS to map and analyse IoT sensor information to determine travel patterns, smuggling patterns and examples of narcotic traffic. From there, we can better position these IoT devices to feed an AI computer vision system. This system automatically detects whether people have weapons, are hauling oversized backpacks or drug bundles, if children are present, or even if there are dangerous animals or endangered species in the area. With this machine learning and AI capability, we have been able to transform a previously labourintensive task that required us to inspect every visual, into a situation where we can now assess thousands of images a day. This means we can quickly identify threats and trafficking activity and intercept large narcotics loads. To access the key material including Assistant Chief Patrick Stewart’s keynote presentation slides from the recent Australian Security Summit visit: esriaustralia.com.au/acpstew Australian Security Magazine | 19

TechTime - Movers & Shakers The Internet of Things is turning Facilities Management on its head A

ustralia’s army of tradespeople who monitor, maintain and fix the billions of dollars of

equipment that keeps offices, factories and shops open have become the new frontline in the advance of the Internet of Things (IoT). As the internet and smartphones become primary necessities over paper and landlines, trade services must embrace the next phase of business evolution in order to remain relevant in the market and to appear dependable, effective and cutting-edge for the modern customer. Though not a brand new concept, IoT has become the herald of this new chapter, facilitating unique connections with the latest job management and service technology and forever changing the way trade service facilities and professionals operate. The Internet of Things (IoT) IoT, has been defined as the concept of connecting any electronic device to the internet and to other connected devices. It works an application or service that uses information collected from sensors – or the “things” – and then analyses the data from the sensor to perform a specific function. Through IoT a giant online network is created which allows previously unrelated technology to speak to each other and combine forces to create new functions that generate new levels of convenience for the user. Many tech experts have used smart TVs or fitness watches that generate a tailored exercise plan as examples of IoT.

could take vibration readings, log them to your

business productivity and efficiency in real time, giving

database, and alert you when the vibrations fall out of

businesses the potential to grow, meet and exceed

a range.

their goals.

“Or, you have sensors in the fire detection or

New Zealand, and the United Kingdom, simPRO

reporting back the current state of the equipment they

provides global leadership for trade and specialty

are tasked to keep an eye on.

contractors worldwide.

“Then, when an event occurs that falls outside

growth capital as part of an aggressive product

notification is raised, a job is created to investigate, or

innovation and expansion strategy that has seen the

an alert is sent to your customer.

company enter the United States and the United

“How could this impact your SLAs, or your costs, for that matter? What will your customers think potential defects before they even can tell something is

from small contracting operations through to corporate

wrong, and in between maintenance cycles?”

enterprises with thousands of staff.

Thomson’s insight into the future of the trade service industry is why companies like simPRO are determined to add IoT to their repertoire. In June this year, simPRO introduced its new IoT solution which will be available to its 100,000 + users in Australia, New Zealand, the United States and the UK across 2018. simPRO IoT takes hardware, software and data from businesses in the trade and field service industries and integrates them into one platform, allowing previously separate programs and machines

and manufacturers. For these companies, however, it’s not about programming driverless cars or automatic toasters and coffee machines for the break room. Trade service companies are eager to get in on the IoT action because when their systems are all connected and talking to each other, they have the potential to improve their service delivery, considerably cut costs, and deliver an improved customer experience. “Think about the IoT in terms of field service applications,” Thomson said. “Say, for example, you have an accelerometer fitted to the cooling tower on top of a building that

20 | Australian Cyber Security Magazine

Hills appoints new Head of Security, Surveillance, IT and ATV business

to talk to each other and provide automated solutions ordinarily requiring extensive manual effort. simPRO’s IoT solution also includes machine learning, proactive action triggering and automation of field service activities, which significantly reduces the complexity of administrative tasks like selection, installation, integration and management, and can trigger field service activities for businesses in near real time. The company has already begun working with airport lounge operator Swissport and facilities (building plant and equipment) management group Thermacell to keep guests at Luton Airport in the UK warm in winter and cool in summer. IoT represents significant opportunity in the trade services market, with the number of connected IoT devices worldwide expected to jump 12 percent on average annually, from nearly 31 billion in 2018 to 125 billion in 2030, according to analysis from IHS

interact with one another goes far beyond allowing the

being actively rolled out by leading service companies

At the end of 2017, simPRO had more than 4,000 clients and 100,000 users globally, with clients ranging

According to Curtis Thomson, simPRO director, one

the initial trials and high-end proof of concepts and are

Kingdom over the last two years.

about this – your ability to log, report and respond to

Markit (Nasdaq: INFO).

companies, IoT projects have now moved well beyond

In 2016, simPRO secured AUD$40 million in

of a tolerable range for that piece of equipment, a

Why should trade services care?

of the world’s leading job management software

With customers in the United States, Australia,

sprinkler systems all constantly monitoring and

The ability for machines and data to connect and human race to live like the Jetsons. The trade service industry’s IoT-laden future signals effectiveness, efficiency, profitability and all-around satisfaction for everyone involved.

About simPRO simPRO provides business management cloud solutions for the trade and specialty contracting industries; including security professionals, plumbers, electricians, HVAC, solar, data networking, and others. simPRO eliminates the hassle of field service management, reduces paperwork, refines office processes, streamlines field operations, increases profit, maximises your workforce, and enables more business growth. As it is cloud-based, it can be used anywhere, anytime to help improve streamlined

ills has announced the appointment of Roger Edgar as Head of Sales, Security, Surveillance, IT

and ATV across Australia and New Zealand (ANZ). Based in Sydney, Edgar will be responsible for leading Hills’ security, surveillance, IT, antenna and communication sales teams, and delivering on sales priorities across the region. He is also tasked with improving the customer experience across Hills’ network of branches, with a focus on end to end service delivery. Edgar brings over 30 years of sales and management experience to the role, having held senior positions in the wholesale electrical distribution sector in Australia, New Zealand and USA. He joins Hills after three and a half years as General Manager

for CNW Electrical NSW/VIC/TAS and prior to that, his

iCetana is a successful global organisation with

180-degree panoramic view and a higher vertical field

distribution expertise was developed through senior

office locations across 3 regions including EMEA,

of view. This enables greater coverage not only on the

management roles with Rexel in New Zealand the

The Americas and APAC. iCetana has developed an

horizontal, but also on the vertical plane, capturing an

USA and Australia.

advanced AI-computer vision and machine learning

even greater field of view below the point of camera

solution for security and beyond security, to see

installation. Moreover, the internal tilt adjustment of the

that Edgar’s appointment was key to Hills’ strategy to

through the chaos and highlight abnormal events when

lenses of the MS9390-HV has been upgraded to 20°,

increase growth in its SMB business across ANZ.

they happen. iCetana’s software learns daily, allowing

allowing users to achieve the precise angle desired.

it to constantly adapt to new environmental and

Furthermore, the multi-sensor camera employs H.265

behavioural conditions.

compression and Smart Stream III technology to create

CEO and Managing Director, David Lenz, said

“Roger will be play a key role as we look to increase the accessibility of Hills’ offering across the region and continue to accelerate our sales momentum with our key brands,” Lenz said. “The consolidation of the antenna business under

“iCetana is exceptionally fortunate to welcome

the most efficient system, and resulting in remarkable

Mark Potts onto the Board. His vast experience and

savings in storage and bandwidth consumption while

knowledge within enterprise corporate strategy will

at the same time providing complete video security.

Roger’s leadership acknowledges his considerable

be a valuable asset as iCetana continues to solidify

experience in the electrical distribution space and aligns

its position as world leaders in AI-assisted video

robust IP66 and IK10-rated housing, enabling it to

will Hills’ strategy to offer integrated technology solutions.

monitoring software” – iCetana CEO, Chris Farquhar.

withstand rain and dust, as well as to protect against

“He brings extensive industry expertise and proven leadership abilities to Hills and will be invaluable as we build our sales team across ANZ,” Lenz added. Edgar said he was excited to join Hills as it continues its evolution. “I want to build a team that can operate in an agile way and think ‘customer first’. Delivering ongoing benefits to the customer and seeing the differences you make is highly rewarding and motivating for everyone.”

Former HP fellow, CTO & VP corporate strategy joins the iCetana board i Cetana has announced that Mark Potts, former HP Fellow, CTO & VP Corporate Strategy at Hewlett

Packard Enterprises (HPE), has joined the iCetana Board.

During his time at HPE, a multi-billion-dollar global leader in technology solutions, Mark successfully drove the technology and business strategy. Mark holds a Bachelor of Science degree in Computer Science from Brookes University in Oxford, UK. Prior to HPE, Mark founded several successful, venture backed start-ups that have driven technology disruption and business innovation across numerous industries. One such venture was his successful web services management company, Talking Blocks, which was acquired by HPE. Mark Potts said that “The application of AI and machine learning to video analysis and event recognition is going to change the way we proactively manage security, health and safety, production processes and transportation. The business value iCetana have already proven with customers worldwide, across diverse industries, and the technology and innovation underpinning the offerings, made the opportunity to join and help grow the company to an industry leader, exciting and too compelling to miss”.

The new MS9390-HV is further armed with a

vandalism or tampering in outdoor surveillance

VIVOTEK introduces new multi-sensor panoramic camera with superior image quality, the MS9390-HV

applications. In addition, its wall mounted design

Following the success of previous 180° panoramic

global IP surveillance industry. Its comprehensive

network cameras, VIVOTEK has launched a brand new and even more efficient multi-sensor camera. The MS9390-HV, with its dual 4-megapixel wide-angle lens design, is unlike most traditional multi-sensor panoramic cameras which rely on 4 sensors. This newly released multi-sensor dome camera is also equipped with SNV (Supreme Night Visibility), WDR Pro technology, 180° IR illuminators effective up to 20 meters and delivers full resolution imagery at 30 fps (frames per second), making it the ideal camera to provide excellent panoramic image quality for both day and night surveillance. VIVOTEK introduces the brand new MS9390-HV under the strategy of its “See More in Smarter Ways” campaign. With its unique dual-sensor design, the camera is equipped with a video alignment feature, providing users both a detailed and yet seamless

ensures simple and quick installation, with an included sunshield to eliminate interference caused by direct sunlight. The panoramic camera was given an early test at the 2018 Taiwan Lantern Festival, one of the great events in Taiwan, that attracted over 10 million visitors. The MS9390-HV provided clear and full coverage throughout the day and night to secure the safety of visitors to the festival. For more information about VIVOTEK and its comprehensive product line, please visit www.vivotek.com.

About VIVOTEK VIVOTEK Inc. (TAIEX: 3454) was founded in Taiwan in 2000. The Company markets VIVOTEK solutions worldwide, and has become a leading brand in the solutions include network cameras, video servers, network video recorders, PoE solutions, and video management software. Through the growing proliferation of IoT, VIVOTEK aspires to become the Eye in IoT by drawing on its expansive technological capabilities in image and audio. The Company has established offices and subsidiaries in the United States (California), Europe (Netherlands), India (Delhi), Middle East (Dubai), Latin America (Mexico), and Japan (Tokyo) in 2008, 2013, 2014, 2015, 2016, and 2017 respectively. To create a sound industrial ecosystem, VIVOTEK has expanded strategic alliances with leading international software and hardware partners and works with over 183 authorized distributors across 116 countries. For more information, please visit www. vivotek.com

DroneZone D O W N U&N Unmanned D E R A N D D RSystems ASTICNEWS . COM

DRONE ZON E

CONFERENCE & SEMINAR PROGRAM FRIDAY 1 â&#x20AC;&#x201C; SUNDAY 3 MARCH Friday 1 March

DroneZone RPAS Conference

0900 - 1100 1100 - 1400 1430 - 1630

Drones for Industry (Mining, Resources & Construction) Drones in Agriculture (Heavy Lift Drones & Precision Farming) Drones for Local Government (Parks, Property & Maintenance Inspection)

0930 - 1130

Drones in Search & Rescue (Oceans, Mountains & Beaches)

Room 4

Friday 1 March

Responsive Drones & Robotics Conference

Room 6

0930 - 1130 1200 - 1300 1330 - 1500

Robotics 2025 and Beyond (Whatâ&#x20AC;&#x2122;s the future) Responsive Drones (For a secure workplace & society) Robotics, Artificial Intelligence & Human Convergence (+ VR- AR)

Saturday 2 March DroneZone RPAS Conference

Room 5

0900 - 1100 1100 - 1400 1430 - 1630

Drones for Film & Photography (Flying the Lens - Masterclass) Drones in Agriculture (Field Mapping & Harvest yield) Drone Pilot Training (CASA Licensing & Registration)

0930 - 1130

MRO for Drones (Safety & Repairs)

Room 4

1200 - 1300

Starting your Drone Business (Tips for entering the industry)

Room 4

The Responsive Drones & Robotics Conference is a joint initiative of Room 6 DRASTICnews.com and the DroneZone DownUnder Showcase.

Saturday 2 March Robotics & Robots at Home & School 1000 - 1100 1130 - 1230 This is 1300 - 1400

Buying a Robot (What and where to buy) Study Robotics (TAFE & Universities) opportunity to be part of a special exhibition Play with Robots (Science & Games clubs)

an and distribution of a cobranded print and digital edition for primary online websites and media centres RPAS Conference Room 5 Sunday 3 March DroneZone across the Avalon International Airshow 2019 0930 - 1130 1200 - 1400 1430 - 1630

Drones for Film & Photography (Flying the Lens - Masterclass) Drone Pilot Training (CASA Licensing & Registration) TheDrones Responsive Drones & Robotics Conference and&DRASTICnews.com for Sport & Recreation (Drone Racing Sports Entertainment) will receive additional promotional and marketing exposure via Sunday 3 March Robotics & Robots at Home & School Seminars 1000 - 1100 1130 - 1230 1300 - 1400

Room 6

www.airshow.com.au Buying a Robot (What and where to buy) Study Robotics (Secondary, TAFE & Universities) www.dronezonedownunder.com.au Play with Robots (Science & Game clubs)

& channels of www.mysecuritymedia.com

For more information visit our website: www.dronezonedownunder.com.au or contact Rodd Craig - M: 0457 848 104 E: rcraig@amda.com.au

www.airshow.com.au

019 is organised by Aerospace Australia Limited (ABN 63 091 147 787). A not-for-profit corporation limited by guarantee and registered as a charity, its mission is to aviation and the development of Australia's industrial, manufacturing and information/communications technology resources in aviation, aerospace and defence. 22 | Australian Cyber Security Magazine

D R ON E ZON E

DOW N UND ER

AND

D RASTICNEWS . COM

Trade promotions, started with Farnborough UK Airshow followed by: Aviation AIA Conference, 30 -31 July D & I Conference & Dinner, 1 -3 August Land Forces Expo & Conference, 4- 6 September IAC, 1- 5 October AUSA, 8- 10 October Euronaval, 22-26 October UK Security Expo, 28-29 November

Nelson New Zealand Canberra Adelaide Bremen, Germany Washington USA Paris London

Receive exposure across 160,000+ visitors to the show and the 10,000+ visitors through the DroneZone including industry, federal and state governments and international buyers.

Australian Cyber Security Magazine | 23

REPORT REVIEW | by James Jordan

Review of the Department of the Prime Minister and Cabinet’s Security Procedures, Practices and Culture

March 2018

REVIEW OF THE DEPARTMENT OF THE PRIME MINISTER AND CABINET'S SECURITY PROCEDURES, PRACTICES AND CULTURE www.pmc.gov.au/resource-centre/pmc/reviewdepartment-prime-minister-and-cabinetssecurity-procedures-practices-and-culture

The missed opportunity that is the report into PM&C security procedures, practices, and culture

s many of you are aware the long-awaited report into the circumstances behind the loss of many Security Containers that were subsequently found at an auction site and when opened were found to contain a range of sensitive and classified material. If you are not aware of the full story the report handily provides a summary in the first chapter, which in my opinion reads like a ‘Fawlty Towers’ episode. While I am sure there is more to this report that has not been released and has led to the sanctioning of members of the APS there are a significant number of lessons that can be taken from this report. As someone who has spent the better part of 20 years working in Government Security I see this report as a mixed bag of both good, bad, and stupid and as a result see it as a missed opportunity. The biggest concern that I see from the report is in the recommendations which in many cases

24 | Australian Cyber Security Magazine

BSc (Security); DipGov (Security); MEmergMgt | Protective Security and Resilience Consultant Integrity2Resilience Services Pty Ltd

seem to make great motherhood statements, that all make very good common sense, which makes you wonder why they were not in place to begin with. Interestingly there are a number that contradict elements elsewhere in the report that indicates everything was found to be in order. Such as the very first recommendation regarding PM&C needing to consider its ‘complex operation environment’ (the way they are not all that unique, nearly every other department is in multiple buildings and has lots of structural changes) and the related vulnerabilities within its risk management. Interesting that in Chapter 2 it goes on to say that there was an external audit of PSPF compliance was undertaken and found that they were compliant with all but 5 elements of which they were partially compliant. The foundation of the PSPF is based around an effective risk management process to drive the performance standards which shows that the audit was compliance and not performance based. This critical issue seems to have been missed across the report, even though it’s in plain sight, in that recommendation after recommendation indicates that while policy and procedures were in place there had been no performance measuring to confirm that risk mitigation were achieving the levels of reduction that you expected. How can you base a Protective Security environment on risk if you don’t know if your controls are effective? The next area of concern is the use of the term 'culture'. This buzzword gets thrown around in government circles, especially when it comes to Protective Security, and to be honest I don’t think the majority have any idea what it means. My favourite in this case is the term ‘Security Champion’, what is meant by this term is a left up to the imagination of the reader as it’s not explained in the report. From experience I have a fair idea what will occur during implementation, each area will find some poor EL1 or 2 whom will get the tag either because they were too slow to run or because they have some belief that they know what security is and will put up a bunch of signs and it all make everyone uncomfortable for a short period before it all gets all but forgotten. I would also like to point out that you will NOT achieve an effective culture based upon fear, which is exactly what you will get from a focus on ‘breaches’ as a performance metric coupled with a policy that tells everyone that every time you get one you will have to front Senior Leadership and may lose your job. What you do get is a culture of avoidance where no one will own up to anything, incidents that hidden till they fester and explode. There is a great emphasis in the report on the need to do training and quite few recommendations about how more was needed and how the methodology of delivery needs to change but nothing regarding what that ‘training’ was meant to achieve. You do not just get effective training, regardless of the method, if you don’t have a goal that you want to achieve and then measure performance against that goal. In this they at least got the former aspect right.

As a final comment I would like to point out a couple of gems that I found in Chapter 5 which talked about what the whole of the APS could take from the report. The comment around Attorney Generals Department (AGD) providing benchmarking against compliance reports to share ‘best practice’. Which is great but to do this the self-reporting that agency perform every year needs to stop going into the ‘black hole’ into the PSPF policy area within AGD. In all the years that the PSPF has been in existence I have never seen any feedback or comment on a departments submission. I suspect that’s because as was noted at the last Security in Government conference by a representative from AGD that they could not compile anything from the reports as most provided no value due to a lack of consistency in the responses. I would also note that self-reporting only works if there is a process by which the confidence in the value of information can be confirmed. In the immortal words of Ronald Reagan in December 1987 after the signing of the INF Treaty with Mikhail Gorbachev ‘Trust but verify’. AGD has lots of trust in in departments because they have never verified. My concern is that this report missed linking the fundamental problem within Protective Security, even though it talked about it in the recommendations in the final chapter. The level of capability development in those responsible for the development of effective risk analysis, policies and procedures does not exist and has only been lessened since the closure of the PSTC. While what it provided was useful in the development of the effective controls it was never encouraged to do more. The current PSPF only recommends a Diploma level qualification for an ASA, name one other EL position in department with the same level of responsibility that is currently placed on an ASA that is only expected to have a vocational level qualification. One last thought for everyone out there, why did the report never discuss whether the Security unit of PM&C had sufficient manpower resources to achieve all the tasks that it was asked to undertake? James is a recognised leader in the Protective Security Profession as a deliverer of governance and practical solutions and as a leading educator and mentor. His experience has been gained over 13 years specifically providing effective and deliverable solutions in the governance aspects of protective security guidance to all levels of government. James has specialises in managing the relationships in developing resilience and its relationship with emergency/crisis and business continuity management. James has a Masters of Emergency Management, Bachelor of Science (Security); Diploma of Government (Security); Certificate IV in Training and Assessment and a Certificate IV in Government (Personnel Security) and is a research associate with the Australian Security Research Centre.

> Australia | Sydney

Free

qualifi ed end-u ser pa availa sses ble

THE FUTURE OF DATA CENTER, CLOUD AND EDGE IN AUSTRALIA August 23-24 2018 // International Convention Centre For more information visit www.DCD.events #DCDAustralia 26 | Australian Cyber Security Magazine

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 5, 2018

Now you see it, now you don't

Cognitive bias in security

Quantum cyber security making breaches irrelevant

Stuff GDPR!

he ine t g in z d a a g e a r m n i y g t i e b ur o c t e Reinventing Bad things S K C r I be CL the SOC â&#x20AC;&#x201C; come in small y C n a curing alertpackages i l a r t fatigue Aus

$8.95 INC. GST

56 | Australian Cyber Security Magazine

PLUS WIN A COPY OF 'THE FIVE ANCHORS OF CYBER RESILIENCE'