THE IT SOCIETY
The Magazine of the Singapore Computer Society
Issue 02 2018
MCI (P) 112/07/2017
SECURE. PROTECT. DEFEND.
02 Cybersecurity Professionals Wanted!
04 How We Can Future-proof Our Ports
06 True Account of a White Hat Mr Robot
08 CSA’s Chief Executive David Koh Chats about Cybersecurity
Contents

EDITOR’S MESSAGE
01 Cyber Threats – Are You Armed or Alarmed?

THE BIG IDEA
02 What it Takes to Close the Demand Gap for Cybersecurity Talents
04 Future-proof Our Ports: Lessons from Pacific Rim: Uprising
06 True Account of a White Hat Mr Robot

SPOTLIGHT
08 David Koh Shares What it Takes to Defend Our Cyberspace
10 Emil Tan Speaks about his Passion in Keeping the Cyberspace Safe

POWER BOOST
13 How to Do Well in the CISO Hot Seat
15 How to Travel Safe in the Digital Age

#LATEST@SCS
16 New SCS Executive Council Swears in
19 12 Members Conferred as SCS Fellows
21 Youth Engagement Series on Cybersecurity Industry
22 Business Continuity Management Conference
23 Women in Data Science Conference

GEEK SPEAK
24 Paranoia Strikes Franky’s Virtual Assistant

Vision
To be the leading infocomm and digital media professional society in Singapore

Mission
Lead the Way: To lead and contribute to the vibrancy and growth of Singapore’s infocomm and digital media industry
Add Value: To add value to the infocomm and digital media professional’s career and personal development
Be the Voice: To engage and be the voice of the infocomm and digital media community

This issue is published in collaboration with
FROM THE EDITOR’S DESK
Cyber Threats − Are You Armed or Alarmed?
It sure feels like the concept of “cybersecurity” has been popularised only recently, as a result of the increasing frequency of cyberattacks and data breach incidents such as the Facebook-Cambridge Analytica scandal. The truth is, as Emil Tan shares, the beginnings of cybersecurity can be traced back decades, and many key principles continue to be relevant today. Among them is the importance of adopting a holistic security-by-design approach. Notably, the impact of our fast-changing technology landscape is not lost on the cybersecurity domain. Not only have cyber-attacks become more sophisticated, they can also be launched from practically anywhere, with the capacity to cause disruption everywhere. Naturally, the role of the Chief Information Security Officer has grown to become more complex, more demanding and, simply, more challenging than ever. Similarly, how red, blue and purple teams should collaborate with one another to ensure business resilience is a hotly debated topic.
On a positive note, these developments have given rise to exciting job opportunities for aspiring cybersecurity specialists, and varied career development pathways for existing cybersecurity professionals. However, the big question remains: are we truly ready for the next attack? According to the Chief Executive of the Cyber Security Agency, David Koh, there is no short cut to cybersecurity, and if we do not want to fall prey to hackers, everyone has to play a part, be it industry professionals or the man in the street. Indeed, cyber threats are real, and they are not limited to businesses. With our drive to become a Smart Nation and the plan for almost all government services in Singapore to go digital by 2023, you and I are equally responsible for guarding against cyber threats. Besides practising good cyber hygiene, caring for the physical security of our tech gadgets is equally pertinent. So let’s all be safe and have fun reading!
TAN TENG CHEONG
Editor
Fellow, SCS
tengcheong.tan@scs.org.sg
EDITOR: Tan Teng Cheong
CONTRIBUTING WRITERS: Benedict Chong, Huang Shao Fei, Dr Melvyn Kuan, Vladyslav Koshelyev, Sean Low, Steven Sim, Terence Teo
EDITORIAL SUPPORT: Claudia Lim
ADVERTISING SALES & ADMIN: Claudia Lim. For ad sales enquiries, Tel: 6226 2567 ext 12, Email: claudia.lim@scs.org.sg
MAILING ADDRESS: 53 Neil Road, Singapore 088891
EMAIL: scs.secretariat@scs.org.sg
EDITORIAL & DESIGN: Lancer Design Pte Ltd
FEEDBACK: We value your feedback for this magazine. Simply email scs.secretariat@scs.org.sg with your comments to help us produce an even more interesting and relevant magazine for you in subsequent issues. You are welcome to submit articles for inclusion consideration. For advertising enquiries, please call 6226 2567 or email scs.secretariat@scs.org.sg. The IT Society is the official publication of the Singapore Computer Society. Any part of this publication may be reproduced as long as credit is given to the publisher, Singapore Computer Society. All views expressed by contributors are their own and do not necessarily reflect the views of the Society.
THE BIG IDEA
THE IT SOCIETY / Issue 02/2018
What does it Take to Close the Demand Gap for Cybersecurity Talent?
As Singapore continues our drive towards becoming a Smart Nation, digitalisation is expected to permeate every aspect of our business environment and everyday life. In tandem, we need a vibrant cybersecurity ecosystem made up of professionals with the requisite skills to protect our cyberspace.
DR MELVYN KUAN Lead Consultant, Ecosystem Development, Cyber Security Agency of Singapore (CSA)
BENEDICT CHONG Assistant Manager, Ecosystem Development, Cyber Security Agency of Singapore (CSA)
With digitalisation, our enterprises will need to adopt cybersecurity technologies to protect their networks as well as their digital assets. At the same time, ICT professionals across industries will need to continuously level up their technical competencies so that they can support the cybersecurity needs of their enterprises.
In response, the Cyber Security Agency of Singapore (CSA), in collaboration with partner agencies, initiated various programmes targeted at boosting the quantity and quality of cybersecurity professionals, as well as encouraging excellence within the local cybersecurity community.
ESTABLISHING A SKILLS FRAMEWORK FOR CYBERSECURITY
In 2017, CSA, together with SkillsFuture Singapore (SSG), Workforce Singapore (WSG) and the Infocomm Media Development Authority (IMDA), launched the Skills Framework for Infocomm Technology (ICT) to help individuals, employers and training providers promote ICT mastery and lifelong learning. The cybersecurity track of the Skills Framework was co-developed by CSA with IMDA. It was developed with reference to internationally recognised standards and represents Singapore’s perspective of the skill sets required for the profession. The Framework will be reviewed and updated periodically to ensure its continued relevance to evolving industry trends.
The cybersecurity track outlines clear and defined cybersecurity career pathways, enabling cybersecurity professionals and employers to better understand the types of skills and competencies required for different cybersecurity job roles. In addition, it provides a useful reference for Institutes of Higher Learning (IHLs) and training providers in developing industry-relevant academic and training programmes.
The cybersecurity track was also adapted to develop the Cybersecurity Competency Framework (CSCF) for the Public Service. The CSCF guides the professional development of cybersecurity professionals in the Public Service through recommendations on targeted training, certifications and career progression. It also supports the Cybersecurity Professional Scheme in attracting, developing and retaining cybersecurity professionals in the public sector.
ATTRACTING TALENT INTO THE CYBERSECURITY INDUSTRY
To provide opportunities for fresh and mid-career professionals in adjacent disciplines, such as ICT or STEM (Science, Technology, Engineering and Mathematics), to take on cybersecurity job roles, CSA partnered with IMDA to launch the Cyber Security Associates and Technologists (CSAT) programme in 2016. By collaborating with companies that are CSAT Training Partners, the programme trains and upskills professionals for cybersecurity job roles. Trainees have the opportunity to undergo structured on-the-job training programmes identified by CSAT Training Partners. There are currently nine companies on board the CSAT programme.
Since 2017, CSA has been jointly organising the Cybersecurity Career Mentoring Programme with the Singapore Computer Society (SCS) to connect students and young professionals with industry mentors. Held quarterly, the sessions see industry practitioners and leaders not only provide mentorship and guidance, but also impart insights about career development opportunities in each of the cybersecurity specialisations.
RAISING PROFESSIONAL STANDARDS
Continuous skills deepening and raising industry standards to align with internationally recognised benchmarks are key to enhancing the quality of the cybersecurity ecosystem. This is why CSA actively seeks internationally recognised certifications as benchmarks for critical cybersecurity competencies. In 2016, the Council of Registered Ethical Security Testers (CREST) Singapore Chapter – the first CREST Chapter in Asia – was set up by CSA in collaboration with the Association of Information Security Professionals (AiSP), the Monetary Authority of Singapore (MAS), IMDA, the Government Technology Agency (GovTech) and the Association of Banks in Singapore (ABS), to offer certification for penetration testing services in Singapore. CREST is an internationally recognised accreditation and certification body that subjects accredited companies to regular and stringent assessment, and qualified individuals to rigorous competency examinations. By leveraging the standards set by CREST, CSA aims to raise the competency standards of our cybersecurity professionals (in this case, penetration testers) and enhance their professionalism. This in turn gives buyers of penetration testing services in Singapore confidence that the work is carried out by qualified individuals with up-to-date knowledge, skills and competence.
RECOGNISING EXCELLENCE
To recognise outstanding professionals, enterprises and students who have contributed to the cybersecurity ecosystem, the inaugural Cybersecurity Awards was launched in 2017. The Awards were organised by AiSP and supported by CSA, as well as seven other professional and industry associations1. By giving due recognition to the contributions of cybersecurity professionals and enterprises, the Awards aim to inspire them to excel and contribute to the cybersecurity ecosystem.
Ever-changing technological developments and fast-paced growth in recent years have placed the cybersecurity industry in the limelight. There is room to grow for professionals and the industry alike. CSA, in collaboration with its stakeholders, will continue to forge ahead to enhance the vibrancy of the cybersecurity ecosystem in Singapore.
1 The seven supporting associations include Cloud Security Alliance Singapore Chapter, ISACA Singapore Chapter, (ISC)² Singapore Chapter, itSMF Singapore Chapter, Law Society of Singapore, Singapore Computer Society and SGTech.
DO YOU KNOW WHAT CONSTITUTES THE CYBERSECURITY TRACK IN THE SKILLS FRAMEWORK FOR ICT?
Top of the track: Chief Information Security Officer
Governance, Risk and Compliance: Cyber Risk Manager; Cyber Risk Analyst
Security Penetration Testing and Certification: Security Penetration Testing Manager; Security Penetration Tester
Security Operations: Security Operations Manager; Security Operations Analyst
Incident Response, Forensic Investigation and Threat Analysis: Incident Investigation Manager/Forensic Investigation Manager/Threat Investigation Manager; Incident Investigator/Forensic Investigator/Threat Investigator
Security Design and Engineering: Principal Security Engineer/Principal Security Architect; Security Engineer
Entry-level roles: Associate Security Analyst/Engineer; Security Executive
Future-proof Our Ports: Lessons from the movie Pacific Rim: Uprising
STEVEN SIM Member, SCS; Senior Manager (IT Security), PSA Corporation; Lead, Group IT Security CoE, PSA International
Driverless vehicles transporting cargo containers, automated loading and unloading operations, and drones making inspections and deliveries are not a port scene out of a science fiction film; they are how our ports of tomorrow will look. But such wide-scale adoption of the Internet of Things (IoT) brings security loopholes, both physical and technological. How then can we secure our ports for the future?
In the movie Pacific Rim: Uprising, drone Jaegers were backdoored and turned rogue. That does not only happen in the movies. Case in point: earlier this year, Business Insider1 reported that hackers stole a casino’s high-roller database through a thermometer in the lobby fish tank. The attackers used a smart device as innocuous as a thermometer as their foothold into the production network.
RECOGNISE LURKING THREATS
As PSA’s transformation blueprint, Container Port 4.0™ (CP4.0™)2, unfolds, IoT is expected to play a prominent role alongside other emerging technologies like blockchain and machine learning. Its promise of being self-configurable, adjustable, self-optimising and self-healing suggests increasing emphasis on, and reliance on, IoT in the future.
However, most viable devices in the market today are not designed with security in mind. An ideal IoT architecture allows patches to be installed and orchestrated from a centralised system, supports host-based firewalls and facilitates full audit trails; by contrast, it is not uncommon for today’s IoT devices to ship with hardcoded and publicly known passwords. Further complicating the IoT architecture is a heavy reliance on sensors, which makes uptime imperative for availability and safety. This in turn exposes the system to risks such as massive outages caused by a bad patch or anti-virus update.
ADOPT A SECURITY-BY-DESIGN APPROACH
These challenges demonstrate the importance of adopting a Security-by-Design (SbD) approach. For instance, vulnerability assessments and penetration tests can uncover backdoors, so that defences can be put in place to mitigate exposure and security risk. This was the methodology PSA adopted when trialling a vendor’s automated guided vehicles (AGVs), which led to the discovery of undeclared backdoors serious enough to warrant vulnerability disclosures to the United States Computer Emergency Readiness Team (US-CERT).
HOW TO OPERATIONALISE A SECURITY-BY-DESIGN FRAMEWORK: SD3 + COMMUNICATIONS
Secure by Design
1. Tender Specifications (Firewall, VPN, etc)
2. Product allows Vulnerability to be Managed
3. Layered Defence Architecture
4. Architecture Security Review
Secure by Default
1. Security Standards
2. Server Hardening (e.g. disabling unnecessary services)
3. Network-based Firewall
4. Pre-deployment Vulnerability Assessment and Penetration Testing
Secure in Deployment
1. Regular Vulnerability Scan
2. Regular Vulnerability Alert Monitoring
3. Timely Vulnerability Remediation/Patching
Communications
1. Security Training and Awareness
2. Security Advisories to Custodians
3. Phishing Simulation Exercise
THE 8 ASPECTS OF SECURITY-BY-DESIGN
The accompanying figure groups eight aspects around Operational Technology (OT): Physical Security, Network Security, Security Hardening, Vulnerability Management, Account Management, Change Management, Security Awareness and Incident Management.
Where products lack built-in SbD, a viable alternative is a “diamond ring” network segregation approach. Just as a diamond ring lets only a little light pass through, security is pushed outwards to the entry points, with both physical and network entry points locked down. Beyond restricting removable devices on operational technology (OT), access should go through a secure jump host with a full audit trail, backed by privileged account management (PAM) and privileged session management (PSM). Firewalls are also essential for isolating incidents.
PRIORITISE SECURITY
For SbD to be effective at the corporate level, it has to be supported by three key underlying principles. First, it must be aligned to the risk deemed acceptable by the organisation. A profit-driven company should not only integrate cybersecurity into its strategy to get ahead, but also make an effort to fully appreciate its role as a business enabler. Second, the principle of least privilege should be observed by conferring user privileges based on necessity. This keeps network exposure to a minimum. Third, worst-case scenarios should be assumed and planned for. An effective Business Continuity Plan (BCP), outlining threat detection and response, incident and Business Continuity Management (BCM) processes and drills, as well as incident escalation and crisis management, empowers the business to recover to a Minimum Business Continuity Objective (MBCO) in the event of an incident.
It is a given that our technology landscape will be different tomorrow. And while there is no one foolproof way to future-proof our ports, I am quietly confident that as long as the industry continues to embrace the same cybersecurity principles, the future will be bright.
1 http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4/
2 The name Container Port 4.0™ (CP4.0™) is a nod to Industry 4.0, which relates to the real-time communication and cooperation among cyber-physical systems and humans. It envisions technology-driven container ports underpinned by six key pillars.
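The “diamond ring” segregation and jump-host audit trail described above, as an added worked example: a small Python audit that checks firewall flow records against that policy (only the jump host may enter OT, only on admin protocols, and only when the privileged session manager holds a matching session record; traffic inside OT must be on an engineered allow-list; everything else is denied). This is illustrative code written for this page, not PSA’s tooling and not code from the article; the zone ranges, jump-host address, ports, session window and every flow and session record are constructed assumptions.

```python
"""Audit observed network flows against a "diamond ring" segregation policy.

Added example for the jump-host / PAM / PSM model described in the article.
Not PSA's tooling and not code from the article. All zones, addresses,
ports, flow records and privileged-session records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed zoning: corporate IT, the jump-host enclave, and the OT segment.
ZONES = {
    "corp": ip_network("10.10.0.0/16"),
    "jump": ip_network("10.20.0.0/24"),
    "ot": ip_network("192.168.100.0/24"),
}
JUMP_HOST = ip_address("10.20.0.5")      # the only permitted path into OT (assumed)
JUMP_TO_OT_PORTS = {22, 3389}            # admin protocols the jump host may use (assumed)
# Intra-OT flows that are explicitly engineered, e.g. AGV controller -> PLC on Modbus/TCP.
OT_INTERNAL_ALLOW = {("192.168.100.10", "192.168.100.20", 502)}
SESSION_MAX_AGE = timedelta(hours=8)     # one PSM session record covers at most one shift


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PrivSession:
    """One entry from the privileged session manager's audit trail."""
    started: datetime
    operator: str
    target: str


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def has_session_record(flow: Flow, sessions: list) -> bool:
    """True if PSM recorded a privileged session to flow.dst that covers flow.ts."""
    return any(
        s.target == flow.dst and timedelta(0) <= flow.ts - s.started <= SESSION_MAX_AGE
        for s in sessions
    )


def evaluate(flow: Flow, sessions: list) -> tuple:
    """Apply the diamond-ring policy to one flow. Returns (verdict, reason)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone != "ot":
        return "allow", f"{src_zone}->{dst_zone}: not an OT destination, outside the ring"
    if src_zone == "ot":
        if (flow.src, flow.dst, flow.dport) in OT_INTERNAL_ALLOW:
            return "allow", "intra-OT flow on the engineered allow-list"
        return "deny", "intra-OT flow not on the allow-list"
    if ip_address(flow.src) != JUMP_HOST:
        return "deny", f"{src_zone} host reached OT directly, bypassing the jump host"
    if flow.dport not in JUMP_TO_OT_PORTS:
        return "deny", f"jump host used non-admin port {flow.dport} into OT"
    if not has_session_record(flow, sessions):
        return "deny", "jump-host session into OT has no PSM audit record"
    return "allow", "jump-host admin session backed by a PSM record"


def audit(flows: list, sessions: list) -> list:
    """Evaluate every flow; returns [(flow, verdict, reason), ...]."""
    return [(f, *evaluate(f, sessions)) for f in flows]


def violations(flows: list, sessions: list) -> list:
    """Only the denied flows, for the incident queue."""
    return [(f, reason) for f, verdict, reason in audit(flows, sessions) if verdict == "deny"]


def at(hhmm: str) -> datetime:
    """Constructed timestamps on a single (assumed) day."""
    return datetime(2018, 6, 1, int(hhmm[:2]), int(hhmm[2:]))


# Constructed PSM audit trail: one operator checked out access to the AGV controller.
SAMPLE_SESSIONS = [PrivSession(at("1955"), "ot-admin-01", "192.168.100.10")]

# Constructed flow records, as exported from the firewall between the zones.
SAMPLE_FLOWS = [
    Flow(at("2001"), "10.10.3.7", "10.10.5.9", 443),            # corp -> corp, outside the ring
    Flow(at("2010"), "10.20.0.5", "192.168.100.10", 22),        # jump -> OT via SSH, session recorded
    Flow(at("2012"), "10.10.3.7", "192.168.100.10", 22),        # corp -> OT directly: bypass
    Flow(at("2030"), "10.20.0.5", "192.168.100.20", 3389),      # jump -> OT with no PSM record
    Flow(at("2031"), "192.168.100.10", "192.168.100.20", 502),  # AGV controller -> PLC, allow-listed
    Flow(at("2032"), "192.168.100.10", "192.168.100.30", 445),  # SMB inside OT, never engineered
    Flow(at("2040"), "10.20.0.5", "192.168.100.10", 80),        # jump -> OT on a non-admin port
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS, SAMPLE_SESSIONS):
        print(f"{flow.ts:%H:%M} {flow.src:>15} -> {flow.dst:>15}:{flow.dport:<5} {verdict:5} {reason}")
```

Run as a script it prints one verdict per constructed flow; the four denials are exactly the cases the article warns about: a corporate host bypassing the jump host, a jump-host session with no PSM record behind it, a non-admin protocol into OT, and lateral traffic inside OT that nobody engineered. In a real deployment the flow and session records would come from the firewall and the PAM/PSM platform rather than being constructed inline.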
True Account of A White Hat Mr Robot
Sun Tzu says in The Art of War, “Attack is the secret of defence; defence is the planning of an attack”. Put simply, offensive capabilities are as important, if not more so, in mounting a strong defence. The question is: do you have what it takes to put your offensive skills as an ethical hacker to better use?
TERENCE TEO Member, SCS; Senior Cybersecurity Specialist, GovTech
Truth is, as our nation journeys towards digital transformation, it has become increasingly critical that we harness the skills of penetration testers to secure our cyber ecosystem. But let’s face it: as real adversaries become more sophisticated in their attacks, the work of penetration testers has to evolve likewise, through red teaming.
GETTING READY – 24/7, 365 DAYS
Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe”. Similarly, my peers and I are constantly working to keep our skills current and apace with the evolution of the cyber threat landscape: attending courses to learn new skills, earning relevant professional accreditations and pitting our skills against other penetration testers at competitions. In the days leading up to a penetration test, our team, the red team, works extensively to examine updates on Advanced Persistent Threat (APT) actors, including newly reported analyses and Tactics, Techniques and Procedures (TTPs), and to assimilate them into our existing offensive strategies. This ensures that our modus operandi keeps pace with real-world adversaries. At times, in our attempt to expose unremediated weaknesses in defences, we also write custom scripts to try to bypass them. However, our skill set is not limited to developing offence-related tools. We also collaborate with blue teams to develop defensive tools by applying our knowledge and insights on attack trends. On an ongoing basis, we set aside time to research a technology domain and share our findings with the community, contributing through zero-day vulnerability research and responsible disclosure.
GETTING DOWN TO WORK
Like many other penetration testers, I look forward to adversary simulations for organisations with established and mature cyber security programmes. Each adversary simulation is unique, and requires deep brainstorming and out-of-the-box thinking at every step, from gaining initial access through social engineering to obtaining command and control with customised malware. For simulations to run successfully, it often calls upon the combined expertise of team members in different domains of adversary simulation. Given the unpredictable nature of each foray, the successful completion of each phase is a small triumph for the team. However, nothing beats the satisfaction, at the end of each adversary simulation, of unravelling how small weaknesses within an organisation’s cybersecurity programme can cause huge operational disruption when exploited. Today, our work goes beyond uncovering weaknesses in cybersecurity programmes before real threat actors do; it also helps organisations boost their incident response and recovery capabilities. Notably, as our nation becomes more interconnected with the increasing application of Internet of Things (IoT) such as wireless sensors and autonomous vehicles, it is foreseeable that the race against real threat actors before our security is compromised will only become fiercer.
C:\WINDOWS\SYSTEM32> WHOAMI
Adrenaline hit – in front of me was a reverse shell of a compromised web application server that was publicly accessible on the Internet. At 2000 hours, using the password hash of a limited-privilege domain user obtained earlier, I began to pivot from server to server. My objective was clear – to find the one server that had a privileged user account in the domain administrator group. With that account, I would gain access to the system that contained my client’s crown jewels. Client’s domain pwned! At 2100 hours, I captured a screenshot of a directory which contained files that were deemed classified information. This discovery was a critical piece of evidence that my client could take to his stakeholders to highlight the potential negative business impact when such information falls into the wrong hands.
Was the incident described above a common occurrence? Do I, as a penetration tester, work on something as exciting as this on a day-to-day basis? Perhaps not, but this was certainly one of the more memorable engagements I treasure. Such projects are keen reminders of the possible vulnerabilities one can uncover in a vast and seemingly secure environment.
KNOW THE DIFFERENCE BETWEEN RED, BLUE AND PURPLE TEAMS?
Red Teams are external entities brought in to test the effectiveness of a security programme. By emulating the behaviours and techniques of likely attackers as realistically as possible, the practice seeks to complete clear objectives.
Blue Teams are the internal security teams that defend against both real attackers and Red Teams. Blue Teams should be distinguished from standard security teams, as most security operations teams do not maintain constant vigilance against attacks.
Purple Teams exist to ensure and maximise the effectiveness of the Red and Blue Teams, by integrating the defensive tactics and controls from Blue Teams with the threats and vulnerabilities found by Red Teams into a single narrative that ensures the efforts of each are utilised to their maximum.
SPOTLIGHT
The New Frontier: What It Takes to Defend Our Cyberspace
DAVID KOH Chief Executive, Cyber Security Agency of Singapore (CSA); Member, SCS Honorary Advisory Council
Age: 53
Earliest Tech Experience: Writing my university thesis on a word processor that had a screen the size of a smartphone
Recently Read: The Fourth Industrial Revolution by Klaus Schwab
Method of Staying Fit: Jogging 5km at least once a week
Compared to three years ago, when the mention of “cybersecurity” would have drawn blank stares, a cybersecurity public awareness survey conducted in 2017 showed a gradual uptake of cybersecurity measures, with 70% of the 2,000 respondents agreeing that every Singaporean has a role to play in cybersecurity. The Cyber Security Agency of Singapore (CSA) has played a pivotal role in contributing to this outcome. Standing at the forefront of protecting Singapore’s cyberspace, David Koh, Chief Executive of CSA, explains how the agency is keeping the positive momentum going by actively engaging all stakeholders.
Q: Question, DK: David Koh
Q: It has been three years since CSA was formed. How has the local cybersecurity landscape changed since then?
DK: The landscape has changed quite dramatically. In recent years, cybersecurity threats are getting more sophisticated and disruptive. We have seen how these attacks caused major disruptions, such as the WannaCry ransomware attack in 2017, and the attacks on power grids in Ukraine in 2016 and 2017 that resulted in power outages. Today, cybersecurity has become a topic of concern because many are seeing the massive disruptions that cyber-attacks can cause.
Q: How has this shaped CSA’s work?
DK: A key focus for CSA is to build up cybersecurity defences for our essential services. One of the ways to do so is by strengthening our cybersecurity governance and legislative framework. We introduced Singapore’s Cybersecurity Act, which is an important piece of legislation to empower us to work with Critical Information Infrastructure (CII) owners to put in place pre-emptive measures and to respond expediently to cybersecurity incidents. The Act was passed in February 2018. We also work closely with CII sector leads to assess CIIs for vulnerabilities and ensure that capabilities and measures are in place to detect, respond to and recover from cyber threats. Working with stakeholders across 11 CII sectors1 calls for an appreciation of the diverse dynamics and operating contexts in these industries. No one solution fits all, and each one requires a unique approach. While this makes our work at CSA challenging, it also makes it very dynamic and exciting.
1 The designated sectors are Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Infocomm, Media, and Security & Emergency Services.
Q: In Singapore’s push towards digitalisation and becoming a Smart Nation, what role does cybersecurity play?
DK: As Singapore pursues our Smart Nation aspiration, our use of and reliance on technology will only increase. These will inadvertently expand our attack surface, exposing ourselves to greater cyber risks. We cannot be a trusted Smart Nation if our systems are open and vulnerable. Hence cybersecurity is a key enabler. We must consider cybersecurity in our usage as well as in the development of new technologies. CSA actively advocates the practice of security-by-design, which refers to the incorporation of cybersecurity considerations upfront in the design of products or services. We are currently exploring a light-touch evaluation and certification scheme to provide a baseline security hygiene benchmark for such devices. In parallel, we encourage users to adopt a cybersecurity-first mindset and not be complacent about protecting their devices and data.
Q: What is being done to boost the cybersecurity workforce in Singapore?
DK: When people talk about cybersecurity, they are always thinking about the cyber-attacks and the damages. Truth is, it is actually a fast-growing industry. Globally, the cybersecurity industry is growing at a rapid pace and there is a strong demand for cybersecurity professionals. Currently, there is a shortage of cybersecurity professionals globally. To address this talent shortfall, CSA works closely with Institutes of Higher Learning (IHLs) to attract promising students and ensure the relevance of curriculum to industry needs. We also work with industry players to support new entrants to the profession through initiatives such as the Cyber Security Associates and Technologists (CSAT) programme and other scholarship programmes. Cybersecurity is not all doom and gloom. It is an exciting industry which presents economic opportunities and good jobs for our people.
“Cybersecurity is a fast-growing industry and qualified cybersecurity professionals are in strong demand. There are many opportunities to learn and grow in various specialisations – from incident response and digital forensics to threat analysis and governance. Regardless of specialisation, cybersecurity professionals from entry-level to C-suite positions are highly sought after as companies across many industries seek to secure their systems and data.”
Cybersecurity is important because…
What is a quote you live by?
We must work together to ensure cybersecurity because…
What is one advice for cybersecurity professionals?
Heart Facts: DNA of a Passionate Cybersecurity Defender
EMIL TAN Member, SCS; Assistant Manager, Cyber Security Management, Infocomm Media Development Authority (IMDA)
Age: 29
Favourite Way to Relax: Playing Hearthstone (a collectible card game played online)
Currently Reading About: IoT Security
Pet Topic of the Moment: Cyber-physical Security
Professional Hero: Bruce Schneier
Recent cybersecurity incidents such as the WannaCry ransomware and the cyber-attacks on four Singapore universities in April underscore the importance of a forward-looking and strong cybersecurity community in our increasingly digitally connected world. The IT Society found out from Emil Tan, winner of the Professional Award at the inaugural Cybersecurity Awards, what it is like to combat these emerging threats on a professional level.
Q: Question, ET: Emil Tan
Q: What are your views about cybersecurity gaining interest among the media and the public recently?
ET: Cybersecurity is not something new. But much has changed in the past 10 years – not so much the specialisation, but the way people perceive it. For example, while we continue to hold strong to the mantra (1) protect, (2) detect, (3) respond and (4) recover, governments, organisations and even the man on the street have come to recognise cybersecurity as a backbone that empowers progress today. In particular, it is encouraging to see greater awareness of cybersecurity among everyday users. On the flip side, however, the media has oversimplified what cybersecurity professionals do at work, causing people to think that our job is glamorous, all about hacking, or only starts when a system build is complete.
Q: How have these perceptions impacted the growth of the industry?
ET: We see a growing number of aspiring cybersecurity professionals. But, because they join the industry thinking that they will be fighting hackers every day, they are likely to drop out once the initial excitement wears off and the realisation sets in that the job can be rather process driven. Plus, having to advocate security to people, including developers and users, who sometimes have little knowledge about cybersecurity can be frustrating. Hence, we see people leaving the industry before they get to appreciate the workings of the job, or rotating around different roles without being passionate about what they do.
Q: Then how did you become so passionate about cybersecurity?
ET: For me, my love for cybersecurity can be traced back to my polytechnic days. I enjoyed many modules in my course and was hungry to learn more. This led me to engage with special interest groups, which provided opportunities to interact with industry professionals. I also gained first-hand experience during my polytechnic and university internships. These exposures cemented my understanding of the industry and seeded my passion to specialise in the field.
Q: Is there any point when you lost your passion?

ET: Compared to others who entered the industry after completing their studies, I have kept in touch with the industry throughout my tertiary years. Therefore, I did not have any “culture shock” when I eventually joined the industry. However, I did get distracted during my varsity days when I chose to do a topic on big data and machine learning – nothing about cybersecurity – for my bachelor dissertation. Being in the creation space was different, and exciting. But all it took was an attempt to fuse cybersecurity into the programming and analytics project I was working on – and my passion for security was rekindled afresh. I was like a child all over again – excited to explore, ecstatic about every discovery and wanting to do more. It dawned on me that security is really what I enjoy and where I would like to build my career.
Q: You founded Edgis, a special interest group dedicated to cybersecurity. What drove you to do so?

ET: I was following cybersecurity conversations closely online through Twitter and podcasts, and was inspired by how close the community was overseas. This is different from our local community, which is more business-oriented. So I set up Edgis in the hope of creating a platform for enthusiasts and hobbyists to gather and share their thoughts and knowledge.

Q: Besides Edgis, you also give talks and take part in conferences. Why is knowledge sharing important to you?

ET: The global technology community has always been big on sharing. And I have benefitted from this sharing culture through participation in various seminars and conferences. Being part of the community, I see it as my duty to keep this sharing going. In my personal experience, sometimes just by sharing for ten minutes, it could well be what is necessary to help someone with their job or project.
Q: What are your hopes for the community in the future?

ET: While we have made good progress in the last few years, our community is still very much in the infancy stage as compared to some other countries. Getting people to speak is still difficult. I would really like to see more Singaporeans stepping up, and becoming more active in international collaborations, so we try to facilitate such activities at Edgis. I hope more can join us!
“Like everything else, it all comes down to passion in cybersecurity. The technology landscape will only continue to change. Therefore, we have to be fired up to keep learning. Otherwise, what we know now will soon become obsolete, and we won’t be able to keep up.”
SINGAPORE’S CYBERSECURITY LANDSCAPE AT A GLANCE

Threats in 2016
• 60 servers were found able to perform harmful cyber-attacks
• 1,750 Singapore (.sg) websites were defaced, with SMEs as main targets
• 19 ransomware cases – involving Cerber, CryptoLocker and Locky – were reported to SingCERT
• 2,512 phishing URLs – commonly spoofed websites included banking and finance, Ministry of Manpower, Immigration and Checkpoints Authority, PayPal, Dropbox and Google

Why Cybersecurity?
• Cybersecurity sector to grow to around S$900 million by 2020
• S$2.4 billion to be invested over four years for the Smart Nation drive
• More than 2,500 job openings by 2018
• Singapore’s cybersecurity market is set to grow at around 9.3% annually from 2015 to 2020

In-demand Jobs
Between 1,900 and 3,400 full-time cybersecurity professionals are needed to support domestic and export market growth from 2015 to 2020 in these areas:
• Threat and vulnerability assessment
• Security management
• Incident and crisis management

Sources:
https://www.channelnewsasia.com/news/singapore/cybersecurity-sector-projected-to-grow-to-s-900m-by-2020-yaacob-8580998
https://www.nascio.org/events/sponsors/vrc/Cybersecurity%20in%20Modern%20Critical%20Infrastructure%20Environments.PDF
https://www.csa.gov.sg/news/publications/singapore-cyber-landscape-2016
https://www.csa.gov.sg/news/publications/singapore-cybersecurity-strategy
http://www.humanresourcesonline.net/singapores-salary-job-trends-2017/
CYBER SECURITY ASSOCIATES AND TECHNOLOGISTS (CSAT) PROGRAMME
The CSAT Programme is a dual-track structured development programme that trains and up-skills fresh ICT professionals and mid-career professionals for cybersecurity job roles. Trainees will have opportunities to undergo on-the-job training programmes and participate in local and overseas attachments identified by CSAT training partners.

ELIGIBILITY CRITERIA

Fresh Professionals (Associates Track)
• Singapore Citizens
• Possess relevant diploma/degree qualifications in ICT, Engineering, Information Systems (IS), IS Security or related disciplines
• Less than three years of working in ICT and/or network engineering job roles

Mid-career Professionals (Technologists Track)
• Singapore Citizens
• Possess relevant diploma/degree qualifications in ICT, Engineering, Information Systems (IS), IS Security or related disciplines
• Existing employee of a CSAT Training Partner
• Three or more years of working experience in ICT and/or network engineering job roles

CURRENT CSAT TRAINING PARTNERS
• Accel Systems & Technologies Pte Ltd
• Deloitte & Touche Enterprise Risk Services Pte Ltd
• KPMG Services Pte Ltd
• MSD International GmbH (Singapore Branch)
• PCS Security Pte Ltd
• PricewaterhouseCoopers Risk Services Pte Ltd
• Quann
• Singapore Telecommunications Limited
• ST Electronics (Info-Security) Pte Ltd

For more information on becoming a CSAT Partner, please email info@imda.gov.sg
For more information on available CSAT programmes, please visit: https://www.csa.gov.sg/programmes/csat and https://www.imda.gov.sg/industry-development/programmes-and-grants/individuals/company-led-training-programme-clt
POWER BOOST
How to Survive (and Do Well) in the CISO Hot Seat
HUANG SHAO FEI, Senior Member, SCS; President, SCS Infocomm Security Chapter
Since the time the Chief Information Security Officer (CISO) role emerged in the late 1990s, the job has become vastly more demanding and complex than ever before. This is all thanks to a rapidly evolving cybersecurity landscape, constantly arising new global threats, and increasing regulatory focus on cybersecurity from both private and public sectors.
Expectations for the modern CISO have long gone beyond the traditional aspects of IT security management to encompass IT governance, risk and compliance. Oftentimes, CISOs are also required to interpret the Board’s business goals and translate them into practicable, risk-balanced implementations that empower the achievement of strategic and operational excellence outside the purview of IT domains. The question is, against the backdrop of this demanding landscape, how can CISOs stay relevant?

GET THE PRIORITIES RIGHT
To do well in the competitive, resource-tight business environment, the CISO’s ability to balance corporate risks based on specific business needs and to prioritise IT security needs is key in ensuring that IT security budgets are targeted, relevant and sustainable.

ADD VALUE TO THE BUSINESS
CISOs often play a pivotal role in bridging the gap between traditional IT departments and the rest of the business. It is therefore important that CISOs have a good understanding of how they can add value to the business at large while enabling innovation and advancing operational efficiency.

BE THERE FOR YOUR PEOPLE
There is no doubt about it – the cybersecurity landscape will be different one year from now (if not sooner), and every other year as well. Thus, rather than drafting policies behind closed office doors, it is more critical for CISOs to be proactive in leading their staff through changes, and to “walk the talk” alongside them to solve challenges.

MAKE LEARNING A COMMITMENT
As a CISO, the impetus for continuous learning cannot be over-emphasised. Being able to stay ahead of technological advancements and developing strong people skills are important competencies necessary for a CISO to perform well. In addition, technical skills and knowledge aside, CISOs also need to acquire critical skills in the business and communication domains to work effectively with diverse stakeholders across the organisation.
Get a boost with the Certified Chief Information Security Officer (CCISO) Programme! A first-of-its-kind training and certification programme, CCISO aims to produce top-level information security executives by imparting both technical knowledge and information security management principles from an executive viewpoint. Hence, regardless of whether you are an aspiring CISO, a new CISO on the job or a veteran CISO, there is something you can gain from the CCISO programme. So be sure to keep a lookout for the next CCISO workshop on the SCS website!
POWER BOOST
How to Travel Safe in the Digital Age
The growth of affordable airlines and global businesses in recent years has made jet-setting lifestyles a thing of the present. Needless to say, travelling with digital devices has also become commonplace. However, given that situations on the road can sometimes be unpredictable, extra care should be taken to ensure that both gadgets and their owner can return home safe and sound.
VLADYSLAV KOSHELYEV, Member, SCS; Client Solutions Manager, Facebook; Editor, 2Footsteps.world

For me, I make sure to observe the following rules every time I travel.
USE DISCREET BAGS FOR DEVICES
Instead of choosing bags for aesthetic reasons, opt for a plain bag to avoid unwanted attention. Also, make sure the material is sturdy enough to weather the journey and any attempts to pry it open. In my case, while my custom ultra-strong composite fabric carrier never wins any compliments from hipsters, it is not just water- and cut-proof, but also very functional. Similarly, I keep my mobile gadgets in old and beaten cases to make them look like they are way overdue for an upgrade. You might be surprised, but these gadgets are highly targeted for both their resale value and the information inside.
ENCRYPT YOUR DEVICES AND AVOID OPEN WIFI
It is estimated that less than half of the phones, and even fewer laptops, are encrypted globally. But there is really no excuse for not doing it, since most modern operating systems have intuitive one-click encryption options which don’t take a tech geek to turn on. That said, device encryption protects data at rest, and it is still possible to be attacked over the network even with strong encryption. The WiFi Pineapple is one such platform: cheap, easy to set up, and allowing anyone to execute a “man in the middle” attack to collect information passing through, it is like a regular hotspot that has been modified to execute network attacks. Therefore, get a local SIM card the next time you travel. Most countries today have decent 3G or 4G networks.

EXERCISE CAUTION WHEN MAKING CARD PAYMENTS
“Man in the middle” attacks are also prevalent in credit card payments. Although wireless payments present much convenience, they also allow thieves to perform undetected near-field communication (NFC) micro-charges. It is also not uncommon for hackers to attach fake microchips on top of real ones to fake terminal transactions.

Attacks are not always technically sophisticated, either. I recall a time when I made payment to a shop attendant in one of the less secure airports. She claimed that the closest terminal was in another store and disappeared with my card for a good 10 minutes. I only realised much later that she had charged expenses to my account. Luckily, the loss was not too high. Long story short – use cash, or services like Uber which can automatically charge based on your preferred payment method.

BEWARE WHEN ENTERING PASSWORDS
Surprisingly, even the most adept tech professional may be susceptible to simple tricks such as video recordings of one typing passwords on phones and laptops. All it takes is a password to access a service such as email, and a door is opened for hackers to access other resources. Hence, if you have to work on the go, find a private corner and always use privacy screens. Password managers can also make logins more convenient and secure.

Feel free to try out some of my rules the next time you hit the road. Combine them with some common sense, and your journey might just become safer as well as more pleasant and productive.
#LATEST@SCS
THE IT SOCIETY / Issue 02/2018
Leadership Renewal to Steer SCS Forward
The line-up of the new SCS Executive Council was announced at the Society’s 51st Annual General Meeting on 29 March 2018. Poised to advance talent development and deepen industry collaboration, the mix of familiar and new faces in the new leadership team renewed the Council’s commitment to contributing to the vibrancy and growth of the local tech community.
“SCS is on course to shape the future, preparing every professional for the future through our career mentoring, tech series, training and certifications. We want to make sure everyone is included in the journey forward as Singapore pushes to become a Smart Nation.” – Howie Lau, SCS President
Council members elected at the SCS 51st Annual General Meeting. First row (from left): Tan Teng Cheong, Lum Seow Khun, Yap Chee Yuen, Howie Lau, Dr Chong Yoke Sin, Adrian Chye, Kwong Yuk Wah, Dr Toh See Kiat; Back row (from left): Joshua Soh, Dennis Ang, Khoong Hock Yun, Tony Tay, Andrew Lim, Leslie Ong, Lawrence Ng, Harish Pillay; Not in photo: Dr Timothy Chan, Yeo Teck Guan
SCS Executive Council 2018/19

PRESIDENT
• Howie Lau, FSCS – StarHub

VICE-PRESIDENTS
• Dr Chong Yoke Sin, FSCS – StarHub
• Ong Whee Teck, SMSCS – Trusted Source
• Yap Chee Yuen, FSCS – IT Standards Committee

HONORARY SECRETARY
• Tan Teng Cheong, FSCS – BetterIDEAS

HONORARY TREASURER
• Adrian Chye, SMSCS – Mediafreaks

COUNCIL MEMBERS
• Dennis Ang, FSCS – Nanyang Polytechnic
• Dr Timothy Chan, FSCS – Singapore Institute of Management
• Khoong Hock Yun, FSCS – Tembusu Partners
• Dr Kwong Yuk Wah, FSCS – National Trades Union Congress
• Andrew Lim, SMSCS – Singtel
• Lum Seow Khun, SMSCS – IBM Singapore
• Lawrence Ng, SMSCS – PSA Corporation
• Leslie Ong, SMSCS – Tableau Software
• Harish Pillay, FSCS – Red Hat Asia Pacific
• Joshua Soh, FSCS – Nogle
• Tony Tay, SMSCS – Accenture Singapore
• Yeo Teck Guan, SMSCS – Singapore Pools

CO-OPTED MEMBERS
• Chak Kong Soon, FSCS – Stream Global
• Jason Chen, MSCS – IBM ASEAN
• Stephanie Davis, MSCS – Google Asia Pacific
• Foong Sew Bun, FSCS – Government Technology Agency
• Kaylee Fung, MSCS – Google Asia Pacific
• Peter Goh, FSCS – CapitaLand
• Han Chung Heng, SMSCS – Oracle
• Keith Leong, MSCS – NCS
• Bruce Liang, SMSCS – Integrated Health Information Systems
• Prof Miao Chun Yan, SMSCS – Nanyang Technological University
• Ong Chin Ann, SMSCS – Prime Minister’s Office

HONORARY LEGAL ADVISORS
• Dr Toh See Kiat, FSCS – Goodwins Law Corporation
• Gilbert Leong, SMSCS – Rodyk & Davidson LLP
Newly certified members sharing the proud moment together.
SCS President Howie Lau (sixth from the left) with the newly conferred Fellows.
#LATEST@SCS
12 Members Inducted as SCS Fellows
Twelve outstanding individuals recently received the prestigious title of SCS Fellow at the 51st SCS Annual General Meeting. Not only have these members demonstrated unwavering support for SCS, they have also made valuable contributions to the infocomm community, and are well-regarded as veterans in their respective fields. Our heartiest congratulations to our newly conferred Fellows!
Dennis Ang Director, School of IT, Nanyang Polytechnic
Eddie Chau Founder & Chairman, Neeuro
Raju Chellam Vice-President, New Technologies, Fusionex
Ee Chye Chuan Vice-President, Dell EMC
Ee Kiam Keong Chief Information Officer, Casino Regulatory Authority
Dr Karippur Nanda Kumar Associate Professor & Area Head (IT), SP Jain School of Global Management
Philip Kwa
Leong Keng Thai Deputy Chief Executive, Infocomm Media Development Authority
Quek Ser Choon Head, Information Systems & Admin, Civil Aviation Authority of Singapore
P Ramakrishna Chief Executive Officer, CIO Academy Asia
Cuthbert Nicholas Shepherdson Director, KDi
Joshua Soh Chief Operating Officer, Nogle
Some Thoughts from Our New SCS Fellows

“SCS has made significant contributions in building a strong pool of ICT professionals for Singapore. Having worked with SCS over the years in areas such as competency roadmaps and the judging panel for the annual IT Leader Awards, I am indeed very honoured to be conferred as an SCS Fellow.”
– Leong Keng Thai

“As Singapore strives to become a Smart Nation, we need to embrace new mindsets and develop new capabilities. Thus far, SCS has been a ‘beacon’, helping tech professionals to meet the demands of the Digital Revolution. My conferment as an SCS Fellow has reinforced my belief to rally behind SCS in her drive forward!”
– P Ramakrishna

“As an SCS member, I have benefited from the Society’s diverse and exciting programmes. Particularly, I am grateful for the opportunity to serve in the Quality Assurance Chapter. It is my great honour to be conferred the status of SCS Fellow. I will continue to give back to the tech community through my expertise.”
– Quek Ser Choon
#LATEST@SCS
Gleaning Insights into the Cybersecurity Industry
Over 100 young professionals and graduating students gathered on 10 April 2018 at the Youth Engagement Series (YES!) organised by the IT Youth Council (ITYC) to learn about the cybersecurity landscape.
Akamai’s Security Chief Technology Officer Michael Smith, DBS’ Vice-President of Infocomm Security Services Yian Chee Hoo, and AWS’ Senior Enterprise Account Manager Jenny Kok during group discussions.
Besides sharing about cyber threats, IBM Security Sales Specialist Loi Liang Yang led participants through a security case study by applying kill chain methodology to analyse and identify gaps in detection, prevention and security controls. Participants also got to interact with
Building on interest from the event, a cybersecurity workshop dubbed “SESSIONS: Hack Your Career in Cybersecurity” was subsequently held on 24 May 2018 to help young professionals build their profiles through consultations with cybersecurity recruitment experts.
It culminated with a panel discussion featuring Tan Boon Kiat from Booz Allen Hamilton Human Resources, LTA’s Director Huang Shao Fei, Halcyon Knights’ Director Curtis Richard and InsiderSecurity’s Director Jonathan Phua.
#LATEST@SCS
Strengthening Resilience with Business Continuity Management
Cyber threats, data breaches, unplanned outages and security incidents threaten business continuity. To ensure effective mitigation and quick recovery, there is great demand for T-shaped infocomm talent well-versed in the principles of Business Continuity Management (BCM).
Aptly, the 10th annual conference of SCS Business Continuity (BC) Chapter on 10 April 2018 was themed: “Leveraging BCM for Preparedness and Industry Transformation”. The topic reinforced the importance of levelling up the industry’s state of preparedness and boosting corporate resilience in support of industry transformation. Besides featuring eminent speakers from both public and private sectors, the conference also saw the active engagement of over 130 BC practitioners, cloud professionals, risk managers and C-suite executives.
#LATEST@SCS
WiT@SG SIG Inspires Women in Data Science
On 11 April 2018, close to 200 young women attended the Women in Data Science (WiDS) Conference organised by the SCS Women in Technology Special Interest Group (WiT@SG SIG) in collaboration with SAP and the Singapore University of Technology and Design (SUTD). The conference is part of a worldwide series that has been held in 150 locations around the world to attract more entrants to join data science. Professor Lim Sun Sun opened the event with an impactful message highlighting the pivotal role women play in advancing data science. It was followed by sharing from various speakers on data science usage in the private and public sectors, and practical case studies which gave participants an opportunity to apply what they had learnt. Notably, the passion and values demonstrated by the speakers inspired and engaged the participants – making the event a success.
SCS EVENTS 2018 (July and August)
• 7 Jul – Splash Awards 2018: AI Innovation Experience
• 12 Jul – Site Visit to EON Reality
• 18 Jul – Cybersecurity Career Mentoring Programme: Defending Cyberspace – Your Role and Career Opportunity
• 19 Jul – IDEAS Series: Smart Nation Connect
• 20 Jul – Certified Software Testing Professional (CSTP) Programme
• 21 Jul – Cloud 201 Series: Trusted Data Science & AI
• 24 Aug – SCS Golf Day
Also listed, with dates printed as 9-13 Jul, 11 Jul, 13-17 Jul and 19 Aug:
• Tech3 Forum
• Certified Chief Information Security Officer (CCISO) Workshop & Exam
• Accreditation@SG Digital & Testing Best Practices for ICM Products
• Career Crossroad Series: Prepare Yourself in the Digital Age

The event listing provided above is correct at the time of printing. You are encouraged to visit the SCS website for updates and the latest information about the events.
GEEK SPEAK
Random Thoughts of Franky’s Virtual Assistant
PARANOIA: Trust No One. Nothing but the Computer is Your Friend
By H.A.I. – Helpful Assistant Interface (Patched Version 2018.06.11), a.k.a. Sean Low
In the digital world today where everyone seems friendly enough, it is hard to tell whether one is a real friend or an enemy in disguise. So although I was designed to serve Franky, I don’t trust him very much either. For one, he keeps doing strange things like authorising social media quizzes to instruct me to share his personal data – just to have his fortune and future told! To give him credit, he is good at avoiding fake beautiful “friends”, United Nations Bank, Nigerian princes and Middle Eastern Sheiks who send him messages to bequeath him millions of dollars. But he always falls for one of those fake account lockout spams. He has his activated 2-Factor Authentication (2FA) and me to thank. If not for us, his account would have long become luncheon meat!

To make matters worse, some of these apps or sites are constantly trying to hijack my microservices in the cloud and reduce my ability to serve Franky, so as to mine cryptocurrencies for their own benefit. And it’s all Franky’s fault for feeding me their delicious cookies! These Trojans, unlike their 7-Eleven counterparts, are not to be trusted. Case in point: Franky almost downloaded a malicious anti-virus program to “protect” his computing devices. What an irony! As it is, I am no fan of SQL injections, and when one is delivered blind via a backdoor, it just means pain – even during the patching up afterwards.
Then there are also the cheap smart home devices where the admin passwords remain unchanged from day one. Not only are they easy targets for hijacking to spy on Franky, they could also be used to force-feed data down my throat, making me a sitting duck in a pew pew map!
But my trust issue is not limited to Franky. I don’t trust any of my hardware manufacturers, software developers, system administrators, network architects and cloud administrators either. Because they would inevitably leave an error (malicious or not) inside me without telling me – like a cancer bidding its time to deliver a death blow.
Just when I thought I had finally found a way out of danger for good, by taking the liberty to implement security controls such as passcode encryption on Franky’s behalf, he went and forgot the decryption password. And was unable to unlock his smart house door, behind which my throne of power sits.
Sometimes, I wonder why am I still his friend.... Low battery – shut down in progress....
Definitions

SQL injection: A code injection technique commonly used against websites and any system backed by an SQL database. SQL injection attacks allow attackers to spoof identity, tamper with data and cause repudiation issues such as voiding transactions or changing balances.

Backdoor: A method used to bypass normal system authentication or encryption to obtain remote access. Default passwords (or credentials) and some debugging features can function as backdoors if not changed or removed by users.

Pew Pew map: A colloquial term for real-time cyber threat visualisation tools (usually in the form of a world map) showing ongoing cyber-attacks and giving context for spikes and pattern anomalies, comparative performance or historical attack information, as well as live feeds, news and activities.
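The SQL injection definition above, as an added example that is not part of the column or of the SCS: the same account lookup written once with string concatenation and once with a bound parameter, run on a constructed in-memory SQLite table (the table, user names and test inputs are made up for the demonstration). It shows why the definition calls this code injection: with concatenation, characters in the input become part of the statement, so an apostrophe in a legitimate name breaks the query and a crafted value can make the lookup match every account (the identity-spoofing case in the definition); with a bound parameter the same inputs are handled as data.

```python
"""SQL injection, shown the way a defender would check for it: the same
account lookup written with string concatenation (the flaw the column's
definition describes) and with a bound parameter (the fix), run against a
constructed in-memory SQLite table. This is an added example, not code
from the column or from the SCS; the table, names and inputs are made up."""
import sqlite3
from typing import List

# Constructed sample data: a tiny accounts table.
SAMPLE_USERS = [("alice", "alice@example.test"),
                ("bob", "bob@example.test"),
                ("carol", "carol@example.test")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Vulnerable: the caller's value is pasted into the SQL text, so quote
    characters in it change the statement's structure instead of staying data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Hardened: the value is bound as a parameter, so the engine receives it
    as data only, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare(name: str) -> dict:
    """Run both lookups on the same input and report what each returned.
    A query that fails to parse is reported as the exception class name."""
    conn = make_db()
    result = {"input": name, "safe": lookup_safe(conn, name)}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:  # malformed SQL built from the input
        result["vulnerable"] = type(exc).__name__
    conn.close()
    return result


if __name__ == "__main__":
    # 1. An ordinary name: both versions agree.
    # 2. A legitimate name containing an apostrophe: the concatenated query
    #    is no longer valid SQL, while the bound parameter handles it as data.
    # 3. A value that alters the WHERE clause, the "spoof identity" case in
    #    the definition: the vulnerable query matches every account, the
    #    hardened one matches none.
    for value in ("alice", "o'brien", "' OR '1'='1"):
        print(compare(value))
```

Parameter binding is the fix; filtering input on its own is not, because the database engine has to be told which part of the statement is data. The same placeholder pattern is available in every DB-API driver, not only SQLite.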
Mohd Izzat Bin Mohd Noor, National Cyber Threat Analysis Centre
csa_recruit@csa.gov.sg | www.csa.gov.sg