Cybersecurity
Summer 2018
4
Contents
8
2
Advance shorts
4
The power of connections
New curriculum keeps
8
pace with change
12
12
C RaaSH picks up speed
16
Demystifying cyber risk
20
The future of cybersecurity
26
STRATUS: our heads in the clouds
16
Guest editor Christian Probst
26
Deputy editor Mary de Ruyter
20
Contributor Matt Crawford Photography Design Foundation Design Publisher Unitec Institute of Technology Private Bag 92025, Victoria Street West Auckland 1142, New Zealand ISSN 1176-7391 Phone 0800 10 95 10 www.unitec.ac.nz
Printed on recycled paper made from 100% FSC® certified post-consumer waste, using a chlorine-free process.
INTRODUCTION
It’s hard to imagine the internet will turn a mere 50 years old in 2019, and that it originally only connected four computers. Today, the internet is everywhere, and most of us can’t imagine a life without instant access to online information and services.
At the very core of the internet, there is an infrastructure of hardware and software that must be built, programmed and maintained. This infrastructure is surprisingly resilient to disruptions; few of us ever experience a complete breakdown of services or connections.
But as data, applications and computing infrastructure become ever more mobile and innovative, so do attackers. Researchers and practitioners around the world constantly work on developing techniques to maintain the resilience of the internet and its services. If a major service is unavailable, sure, it’s a nuisance for the individual user – but there can be larger consequences to cybersecurity breaches and attacks. Personal and sensitive data might be leaked; service providers and companies can experience loss of revenue and reputation; in more extreme events, hackers put hospitals, banks and governments at risk.
This issue of Advance celebrates the seventh anniversary of Unitec’s contribution to these global efforts. Efforts that only succeed because of close collaboration between stakeholders on all levels. Efforts that require educating students, ongoing learning for those in the workforce, and transdisciplinary collaboration between academia, industry, society and government agencies.
The stories in this magazine outline the achievements and excellent work since Unitec made a strong institutional commitment to cybersecurity research and development in 2012. Establishing our cybersecurity Strategic Research Focus led to our involvement in the MBIE-funded STRATUS project. Unitec leads the research aim for resiliency and recovery of data, for which we are developing the CRaaSH and LogSpider products.
Our research-voucher collaboration with Delta Insurance contributed to a popular white paper on the evolution of cyber threats; extensive industry engagement while updating our computer science curriculum ensures we address the needs of New Zealand’s industry. In the future, we will further intensify our community engagement, working with our industry and tertiary education partners, to educate future talent and prepare them for an exciting career.
Unitec’s unique contribution to research is our applied, transdisciplinary approach: we begin with a real-world problem and develop deployable solutions, all the time closely working with relevant stakeholders. To further strengthen this approach, we’ve just announced a call for transdisciplinary research projects to encourage our researchers and external stakeholders to partner in solving the pressing problems of today and tomorrow.
At the core of Unitec’s contributions to society is the commitment to engage as a partner in teaching, research, learning and innovation. Together, we are in an excellent position to contribute to the future of cybersecurity, and make the internet more resilient and secure.
Professor Christian Probst
Director, High Tech Transdisciplinary Research Network
Unitec Institute of Technology
If you have any questions about the research articles in this issue of Advance, please contact the Unitec Research and Enterprise Office. We’d love to hear from you.
research@unitec.ac.nz
ADVANCE SHORTS
LogSpider weaves safe data streams
When something goes wrong with your computer, network or server, your IT experts head straight to the log files to see what happened. But what if, as often happens, they can’t access the information? The Unitec-developed program LogSpider aims to ensure that never happens.
LogSpider is a novel distributed backup solution for infinite data streams, such as log files or CCTV footage; research associate and doctoral student Denis Lavrov came up with the idea. Postdoctoral research fellow Clemens Zeidler, LogSpider’s lead developer, says the program protects against data loss and local storage failures by replicating data blocks across a distributed network.
“Data can be fully recovered even when multiple storage nodes experience failures. Since an infinite stream of data can’t be stored indefinitely, LogSpider cleverly discards the oldest parts of the least-important data streams,” explains Zeidler.
Of course, privacy is crucial. “All data stored with LogSpider is encrypted, even the metadata. Once it’s stored in the network, it can’t be modified, so it’s great whenever data integrity and data provenance are paramount – for insurance companies to validate customer claims, or as evidence for law enforcement agencies,” he adds.
“LogSpider also allows third parties to access selected parts of the data stream in a given time range without revealing all stored data. It’s very suitable for small companies and individuals who don’t have the facilities to do their own proper backups.”
Zeidler joined Unitec in May to develop LogSpider as part of Unitec’s work for STRATUS (see story page 26). Unitec’s STRATUS team aims to launch LogSpider in 2019, and will ultimately release it as an open-source program.
“It’s important to develop apps where security is built in by default, so users don’t have to think much about it. Yet it’s also important to make users aware of security and privacy issues, because many people are not aware of them.”
Summit showcases smart-tech future
Smart technologies can and do change our lives, but are we prepared for all the ways in which they could affect society? Japanese and Kiwi experts discussed projects and ideas across a wide range of disciplines at the first Japan-New Zealand Summit on Smart Technologies in October.
The one-day summit, held in Auckland, was hosted by Unitec and took place straight after the three-day International Conference on Mobile Computing and Ubiquitous Networking, which was held in New Zealand for the first time, at Unitec’s Mt Albert campus.
Speakers explored a wide range of topics about what smart technology means for society and individuals. Because smart technologies rely so heavily on the Internet of Things, we need to ensure better security precautions and faster infrastructure to get the most from our smart devices.
Another common point was that people need to think about what the data they’re collecting actually signifies. Understanding what questions to ask, and helping clients reach those conclusions, means companies can understand how people are behaving and tailor devices and services accordingly.
Attendees also heard about several memorable projects. One speaker discussed a taxi reservation system in Japan where the telecommunications company uses data to predict where larger quantities of people are likely to order taxis, so drivers can react accordingly. Another project is working on smart healthcare: building smart technology that will support elderly people or people with special needs living at home.
Unitec industry cybersecurity research partner Delta Insurance sponsored the day, and talked about insurance solutions for protecting a company’s intellectual property. An Auckland law firm posed some thought-provoking questions: who actually owns the data that’s being collected, and how much control do we have over it?
The future of smart technologies is exciting, and still somewhat unknown. Plenty of fodder for discussion at the next summit, then.
Tech incubator supercharges research
Technology plays a vital role in solving New Zealand’s issues, today more than ever before. Unitec’s Whaingia te Toi Huarewa, the High Tech Transdisciplinary Research Network (HTTRN), sits at that cutting edge – linking various disciplines with technology to encourage and support innovation.
The internal incubator funds transdisciplinary research projects across Unitec’s networks and pathways, for example, building construction, business, and community development. Researchers can work on their idea with the goal of developing a project proposal to submit to a funding agency, or to establish a collaboration with a company.
Professor Christian Probst, HTTRN director and collaboration enthusiast, explains how this boundary-pushing work might develop.
“Take a problem with the state of the environment, for instance. Take sensor technology from electrical engineering, programming and data analysis from computer science, and the necessary biological understanding, then put them together to form a solution,” he says.
As part of this initiative, Unitec recently implemented a new intellectual property (IP) policy that cedes the ownership of IP to the originator. The innovative approach means Unitec no longer makes any claims on staff and students’ intellectual property.
“Instead, people can partner with Unitec if they wish. We also offer guidelines and templates around lodging a patent, proving a concept and identifying the novelty of an idea, which all take considerable resources,” says Probst.
The incubator launched in July 2018 with three projects in data analysis, active noise cancellation, and intelligent solutions for forensics. The initial plan is to fund up to six projects per year from an annual pool of $120,000. A transdisciplinary selection committee, with members from Unitec and industry, is reviewing applications for three more grants, to be awarded in January 2019.
“Developing these great ideas often starts with an individual, but it takes a team to unlock an idea’s full potential,” says Probst. “Many of the wider challenges we face today can only be solved through collaboration across disciplines.”
Creating cyber connections
A chain is only as strong as its weakest link – and the new Unitec Cybersecurity Bulletin aims to create a tightly knit community of cybersecurity professionals, ready to tackle cyber criminals attacking New Zealand.
Professor Christian Probst, director of Unitec’s High Tech Transdisciplinary Research Network (HTTRN), recently launched the Unitec Cybersecurity Bulletin as an open LinkedIn group. In it, Unitec posts new articles and reposts interesting material to generate discussion and develop connections between industry members.
Authors in the industry are welcome to propose material to post about current cybersecurity issues in the New Zealand context. The bulletin will also feature the notable recent work of innovative researchers.
Early posts will address topics such as:
»» Recent cybersecurity issues.
»» An overview of Unitec cybersecurity work.
»» Cybersecurity from an insurance point of view.
»» Unitec’s new cybersecurity curriculum.
Probst joined Unitec at the beginning of 2018, and quickly identified the need to foster community building in this sector. “Cybersecurity is a fast-developing area, technologically speaking, so it’s vital professionals in Aotearoa are well connected and well informed,” he says.
“I want this bulletin to become a catalyst: to build relationships and encourage communication, collaboration and innovation. The more we work together, the stronger we become as a country.”
Sign up to the Unitec Cybersecurity Bulletin at www.linkedin.com/groups/10403885/.
The power of connections After seven years of building its cybersecurity capability, Unitec has become a valued partner in the battle against online crime – and its expert research will continue to influence students and industry.
OVERVIEW
You can sum up the core of Unitec’s approach to cybersecurity in one word: connection. Ever since Unitec began developing its cybersecurity focus in 2012, staff and students have built partnerships with tertiary institutes and industry, shared knowledge, and created cutting-edge ways to combat cyber crime.
Each day, hundreds of thousands of cyber attacks occur around our borderless, electronic world. Professor Christian Probst, director of Unitec’s High Tech Transdisciplinary Research Network (HTTRN) and their cybersecurity research lead, sees working with others as a crucial part of strengthening Unitec’s cybersecurity offering – and society’s defences.
“We rely more and more on having everything connected and online. Our society is very close to collapsing if the internet does collapse one day! We need more defence mechanisms that are adaptive and proactive.”
Through industry engagement, events, initiatives, and nurturing on-campus talent through Unitec’s HTTRN (see story page 3), Probst and others at Unitec are developing commercial solutions for real-world problems.
“We try to be in steady contact with industry to understand what their pain points are. This helps us direct where we put our resources, and teach students what their work life will look like,” he says.
“Currently we’re redesigning our computer science curriculum [see story page 8], and setting up special courses with a focus on cybersecurity.
“Our new Cybersecurity Principles course is a very topical introductory programme of study, and we plan to open it up to the public and higher-level management. Boards are becoming aware of how scared they should be about the threats out there!”
The curriculum redesign will make Unitec one of New Zealand’s premier providers of cybersecurity education. It’s the latest in a series of achievements that began with establishing one of New Zealand’s early dedicated cybersecurity research centres, the Centre for Computational Intelligence and Cybersecurity, in 2012. The ongoing collaboration with Japan’s National Institute of Information and Communications Technology (NICT) examines new methods of data analysis to spot potential threats.
Another international agreement, this time with Japan’s NARA Institute of Science and Technology (NAIST), led to Unitec setting up a Centre for Computational Intelligence for Environmental Engineering that uses data analysis to address environmental problems.
In June 2015, cybersecurity became Unitec’s first Strategic Research Focus: a high-impact area offering opportunities for research, development and growth. That same month, after teaming up with the universities of Waikato and Auckland, Unitec became part of the STRATUS project (see story page 26).
One of Unitec’s contributions, named CRaaSH, will help small and medium-sized enterprises recover services and infrastructure quickly after disaster strikes, and is currently undergoing testing with a commercialisation partner (see story page 12). Another project, LogSpider, will protect infinite data streams by replicating data blocks across a distributed network (see story page 2).
Research associate and doctoral student Denis Lavrov works on CRaaSH and other projects. Cloud Extensions enables organisations to create a private cloud with IT resources they probably already possess – at virtually no extra cost and without privacy issues, he says.
From left: Christian Probst, Denis Lavrov and Gregor Steinhorn
“Computers are so powerful today, and we aren’t using them to their full potential on a daily basis. Cloud Extensions allows you to build your organisation’s workstations into a private cloud platform,” Lavrov explains.
Lavrov and fellow researcher Tony Shi came up with the idea in early 2018, and already run a private cloud within the cybersecurity research lab.
“Our work is in ensuring the cloud availability: workstations can update, shut down or reboot, so this cloud service needs to be properly distributed. It’s about giving organisations control over where their services lie. We see it developing to a point where organisations can share or trade their capacity,” says Lavrov.
FaaSTR turns disaster recovery technology upside down. Replication is a standard practice for disaster recovery, yet this consumes more cloud-based resources, becomes unscalable, and is more expensive for the user.
“I’m trying to minimise the resource consumption of replication, by getting rid of replication. This means no resources are consumed in the copying act, because we’re finding a way to write an application that has no ‘state’ internally,” Lavrov says.
Highly technical explanations aside, the end goal of FaaSTR is to make services – such as disaster recovery, any technical services and cloud programs – available for low or zero cost associated with replication. This should translate into lower costs for the end user. The technology behind FaaSTR could also enable people to create a “distributed computing conglomerate, where the users are themselves the service providers”.
Clare Kitching, Delta Insurance
Gregor Steinhorn, a research partner at Unitec’s Tūāpapa Rangahau: Partnering Research and Enterprise, says, “We love complex problems, but we also focus on building solutions that can be used. Even with the strongly philosophical projects, such as FaaSTR, Denis is focusing on how we can make it useful to the everyday person,” he says.
Delta Insurance cyber consultant Clare Kitching says educating people on cybersecurity has become easier due to high-profile attacks, and also the work of organisations such as Unitec.
“Unitec’s good at talking to industry about what they’re doing, and focusing on what we need,” she says.
Delta Insurance is a locally owned and operated specialist underwriting agency, which underwrites niche insurance products such as cyber insurance for businesses. Next year, says Kitching, Delta will introduce a personal and household cyber insurance product, “which is completely new for New Zealand and quite rare overseas”.
Delta Insurance is also working with Unitec on a risk modelling project, she adds. “They will deliver tools and research to help us scientifically estimate the potential of our customers being affected by cyber risk – in particular, cyber crime – and help those customers protect themselves.”
In cybersecurity, the future is truly unknown, Probst says, and that’s one of its attractions.
“When I began studying computer science, I felt like Harry Potter – even though Harry Potter didn’t exist then – because there were so many fantastic opportunities. And back then you didn’t even have a constant internet connection! It’s a cool field to be in.”
contact
Christian Probst cprobst@unitec.ac.nz
Keeping pace with change An in-house Security Operations Centre and streamlined courses ensure Unitec’s computer science curriculum remains responsive to an ever-changing industry.
NEW CURRICULUM
Third-year students are helping to design an on-campus Security Operations Centre (SOC) as part of Unitec’s move towards a new computer science curriculum. This rare opportunity forms part of the cybersecurity elective, which is foreseen as one of at least three offered in the restructured curriculum (alongside business analytics and software development) from 2019. The overhaul is occurring because Unitec wants to ensure it offers clear pathways and a firm grounding in the skills industry requires.
Professor Christian Probst, director of Unitec’s High Tech Transdisciplinary Research Network, says, “The new Bachelor of Computing Systems will provide industry with the best graduates for the job, and further improve our students’ chances of success in whatever area of computer science they choose.”
In particular, cybersecurity is full of job opportunities. “There is a huge demand for SOC analysts, especially among companies such as Vodafone, Datacom and Kordia, which provide services to others,” explains Probst. “We’re working closely with companies and students to set up an educational SOC, then we’ll train our students in this centre to teach them the skills they’ll need and what the real world looks like.”
All third-year students in the 2018 cybersecurity elective chose to base their final project on designing a SOC. Final-year students in future years will build on those ideas, then work with the IT department and staff to establish the SOC on campus.
“This project will really stretch students. They will learn how to analyse network traffic and identify attacks. We can evaluate them and repeat exercises. We want to establish something of similar value for the other specialisations,” says Probst.
Bruce Cochrane works as the chief information security officer, and head of security design and operations, at Kordia. The state-owned enterprise provides technology solutions and managed security services to customers in fields such as health, construction, logistics, professional services and more. True to Unitec’s ethos of always working with industry, Probst has consulted with Cochrane about the new curriculum, as well as gathering feedback from an industry security group Kordia belongs to.
Cochrane says they’ve hosted Unitec students at their SOC, and recently employed a Unitec graduate who previously interned at Kordia’s independent cybersecurity division, Aura Information Security. “For that job, three of the final candidates were Unitec students in their third year.”
Unitec’s focus on applied learning is immensely valuable for employers, he adds.
“It means we get knowledgable, enthusiastic people who want to have a career in security. They come to us with a good base knowledge of security and network principles, which is very important, and we build on that to provide experience and specific training in the systems and tools we use.”
The streamlined curriculum gives students that strong foundation of practical computer science skills in the first year, says Probst, then they can specialise in areas like business analytics, software development or cybersecurity.
“In software development, we’re looking to teach techniques that are already gold standards in other countries, such as continuous testing and deployment. With business analytics, we’re focusing on machine learning, deep learning and data analytics.”
Unitec is also creating short, practical cybersecurity courses. Dila Beisembayeva, Unitec’s acting head of computer science, says they’re currently running the first Cybersecurity Principles course at Unitec’s summer school. This course sprang from Unitec’s ongoing training relationship with New Zealand Police.
“NZQA has just published a new cybersecurity diploma qualification, which was initially proposed by the IT industry. We looked at the draft qualification details some time ago, and decided to use our industry and police connections to work on an introductory course while the diploma was being approved,” says Beisembayeva.
A lecturer and former police officer talked with Beisembayeva about an introductory course for police staff, “to give them a basic overview of everything on cybersecurity and enable them to think critically about evidence”, she adds. Unitec and the police developed the course, which is open to students and police staff, and features guest lecturers from the police.
Detective Sergeant Conan Bradley is part of a team that trains and mentors 380 aspiring detectives in the North Island. As a member of Unitec’s computer science advisory panel, Bradley helped develop the introductory course and has “a huge passion for this specialised field”.
Conan Bradley, NZ Police
Bruce Cochrane, Kordia
“Cybersecurity is a critical area for police and society. It requires a high degree of civilian expertise and continued education to assist with combating the global effects of cyber crime,” he says.
Bradley mentions the FireEye Cyber Threat Map. “By 8.30pm last night, FireEye had registered in excess of 630,000 cyber attacks worldwide, just from that day, and this was only data obtained from sensors managed by FireEye that registered known signatures. The true amount would likely be more than that!
“Criminals are using technology to their advantage, and we need to do the same by further enhancing our capability and working with the community. In the future, there could be opportunities for civilian technical specialists to work within police, focusing on cyber crime-related IT components. That’s where building relationships with tertiary providers, and sharing skills and knowledge, is paramount.”
Unitec is now working on developing the newly approved diploma. It’s intended to help meet the growing demand for staff skilled in cybersecurity, and is another example of long-term partnerships with industry.
Beisembayeva says, “We’re finding more students want to study cybersecurity. Our teachers have the fundamental knowledge and companies like Datacom and IBM have the latest technology, so we want to meld these resources together to create highly trained students and a better-protected country.”
contact
Dila Beisembayeva dbeisembayeva@unitec.ac.nz
CRaaSH picks up speed DISASTER RECOVERY
Commercial nous is helping Unitec refine and extend CRaaSH, an affordable solution that could revolutionise disaster recovery for NZ businesses.
CRaaSH, an affordable disaster-recovery solution for New Zealand businesses, is coming ever closer to reality thanks to feedback and testing from Unitec’s industry contacts.
The comprehensive trials, by commercialisation partners NakiCloud and Integricity, are influencing important adaptations that better realise the invention’s potential for small and medium-sized enterprises (SMEs) – and potentially all businesses.
Unitec research associate and doctoral student Denis Lavrov is a key researcher on the CRaaSH team. He intends CRaaSH to solve the problem of people not backing up their services and infrastructure.
“If there’s a ransomware attack, natural disaster or simple user misoperation, your service or website is down, customers can’t use it, and you lose money. Infrastructure isn’t backed up so much in New Zealand because current solutions are expensive, and have high technical requirements,” he says.
“CRaaSH allows New Zealand SMEs to use a secondary site of their own choice – be it a public cloud, branch office, or a laptop sitting at home – to replace their backup software. It combines business continuity with backup, while giving customers the option to remain independent of large cloud-tech ecosystems, such as Microsoft or Amazon, which can be expensive and restrictive.”
CRaaSH uses asynchronous replication, and a patent-pending state-selection technique that saves on replication bandwidth by replicating only what is necessary.
“It uses one-tenth of what competitors for the higher-level market do, while being flexible enough to be utilised in any situation. This makes it ideal for the SME market in New Zealand and around the world.”
The work is part of Unitec’s participation in STRATUS, a six-year cybersecurity project funded by the Ministry of Business, Innovation and Employment (for more about STRATUS, see page 26). Unitec leads the research aim focused on resiliency and data recovery.
Lavrov and his team handed over the first version of CRaaSH to NakiCloud in May 2018 for testing, and the feedback they’re receiving is shaping their work on CRaaSH’s next iteration.
Jek Tan, Integricity Technology's New Zealand CEO
“Originally it was developed for Linux, which is not that commonplace in New Zealand, although it’s dominant in other countries. Now we’re going to develop CRaaSH for the Windows operating system too,” says Lavrov.
“We also saw the need to provide CRaaSH as a service offering, rather than as software a customer would download and install on their own machines, because not every user has a back-up location that they can replicate their data to.”
Although CRaaSH still focuses on SMEs, the developers are also modifying the technology behind CRaaSH’s bandwidth efficiency so it can work for replication between higher-end data centres, too.
“We’re evolving CRaaSH technology to be more efficient and introduce synchronous replication, which is used for banks or online stores, where data consistency is critical.”
NakiCloud operates Taranaki’s only commercially available data centre, and offers ultrafast fibre, cloud solutions, disaster recovery and backup in Taranaki, Waikato and Whanganui. Co-founder and director Ryan Eagar says, “When we got involved, CRaaSH was very raw and untested – true R&D – but we saw if it was proven up and scalable, it could be beneficial to our business and our clients. We could see a real commercial end use, not just a technical end use, which is often the case.”
While Unitec retains the IP, NakiCloud owns the global rights to CRaaSH for 20 years and can sublicense it to other companies. But first, there’s more testing under load to be done.
Eagar encourages any business considering a similar partnership to give it a go, even though it means carving out time from NakiCloud’s regular work.
Ryan Eagar, co-founder, NakiCloud
“It’s pretty cutting-edge technology the team has come up with, we’re very excited. But you’ve got to go in with an open mind, and work through different expectations – such as for rollout timing and return on investment,” he says.
This year NakiCloud teamed up with Integricity Technology, a managed services provider originating in Malaysia, to further put CRaaSH through its paces; their office in Malaysia has more Linux clients than the New Zealand business. New Zealand CEO Jek Tan says the company wants to expand into security, as it’s becoming a bigger concern every day.
“In the near future, people won’t call us to say ‘My printer isn’t working anymore,’ they will contact us to say ‘How do I keep my business safe?’”
Tan says there are competitors to CRaaSH currently on the market, but what Unitec’s doing is different, and cost-effective. He’s delighted to be involved in the project, for CRaaSH’s potential and also the opportunity of future collaborations. “If you get involved in the brainstorming process, influencing the trajectory of where researchers are going with projects, there’s a possibility that it may become revolutionary,” he says.
“A lot of times, the academic world sees opportunities while at the forefront of researching something, but the rubber hasn’t quite hit the road yet for commercial application. If we can bridge that gap, we can give real-world input on the product, and also test something that might be ground-breaking.”
And of course, revolutionary products usually create a business advantage, too.
Unitec has filed a patent for CRaaSH that’s in the process of being finalised, and Lavrov hopes the second prototype will be ready for testing by the end of 2018.
“In this testing phase, we want as many people as possible to test CRaaSH. People can use it for no charge until they realise its value. Contact Unitec if you’d like to give CRaaSH a go.”
contact
Gregor Steinhorn gsteinhorn@unitec.ac.nz
CYBER RISK AWARENESS
Demystifying cyber risk
A research voucher collaboration between Unitec and Delta Insurance produced a valuable cybersecurity resource for New Zealand businesses – and an unexpected future for one student.
As the digital world evolves, the chance of a New Zealand business experiencing a cyber incident is no longer a matter of if, but when. Most Kiwi companies also fail to appreciate the potential severity of a cyber attack.

That’s why Delta Insurance collaborated with Unitec, through the ITP Research and Enterprise Voucher Scheme (which offers subsidised research to industry), to produce an up-to-date white paper on the cyber threats businesses face. The company released The Evolution of Cyber Threats: Embracing Cyber Risk Management in March this year, and it’s been a winner for all concerned.

According to CERT (Computer Emergency Response Team) NZ, almost one in five Kiwi small and medium-sized businesses can expect to experience a cyberattack this year. That could be anything from data breaches or phishing to worldwide ransomware – think WannaCry or NotPetya.

CERT NZ also found last year, cyber attacks caused more than $5.3 million in direct financial losses for Kiwi businesses. And that’s just the cyber crimes that were reported; currently it isn’t compulsory in New Zealand to report these incidents.
[Photo: Megan Wolak, Delta Insurance]
[Photo: Gregor Steinhorn]
Unitec communication studies graduate Megan Wolak researched and wrote the cybersecurity paper over the summer of 2017-18, during a paid internship initiated by Gregor Steinhorn, a research partner at Unitec’s Tūāpapa Rangahau: Partnering Research & Enterprise.

Steinhorn says Unitec already works with Delta Insurance through the MBIE-funded STRATUS cybersecurity project. Since ITPs (Institutes of Technology and Polytechnics) focus on practical, real-world learning, he says, they are the perfect partners to provide research and strategic advice.

“Research vouchers are flexible; they can be used for any topic. Often, they involve things that have to happen quickly. They’re great if you have a good idea you want to experiment with, or you want to do some research on a topical issue,” says Steinhorn.

Unitec offers the expertise of its skilled graduates and lecturers through the voucher scheme. It’s a win-win situation: organisations can outsource their research requirements, provided they match an agreed level of funding; research occurs where it is most needed; students gain invaluable learning opportunities while contributing to New Zealand’s productivity and economic growth.

[Photo: Delta Insurance co-founder Ian Pollard]
Delta Insurance is a locally owned and operated specialist underwriting agency, which sells cyber insurance among other products. Co-founder and managing director Ian Pollard says the white paper, updated from a 2015 edition, reflects the company’s passion for thought leadership.

“We want to simplify and reintroduce some of the concepts that organisations should be aware of for risk management, and highlight the part insurance can play in being part of an organisation’s arsenal,” says Pollard.

“The voucher scheme was valuable because it was co-funded. It also made sense, given Unitec is quite strong in cybersecurity and technology, and is a good, applied educational establishment.”

Although the white paper was aimed primarily at the insurance broking market, Pollard says it’s relevant to all New Zealand businesses. The paper covers growing cyber risks in the New Zealand workplace, the effect of the Internet of Things, blockchain and Artificial Intelligence, and suggests risk management strategies. It also explains how EU privacy reforms affect Kiwi businesses.

Kiwi SMEs tend to be uninformed about the real costs of data breaches, the report adds, so case studies highlight the breadth of costs that a cyber attack can create. These range from immediate costs (such as legal fees, customer notification, public relations and forensic investigation) to longer-term or ‘slow burn’ costs (share price decline, loss of revenue, reputational damage).

Pollard also cites a recent claim in which a Delta Insurance client suffered a hack that exposed hundreds of thousands of individuals. The client had to prepare a lengthy report for relevant authorities to reduce the impact of a potential fine, incurring around $100,000 of professional costs in the process.

The white paper is generating positive feedback from industry. Brett Wilson, co-founder of digital insurer Cove, says it “does an excellent job” of demystifying cyber risk.

“We are all aware the digital world carries risk, but the market generally has a shallow and disjointed understanding of the issues,” Wilson says.

For the report, Wolak consulted closely with experts in law, technology and insurance. The experience was invaluable.

“I looked at a lot of global statistics and drew conclusions about how that might affect New Zealand. I took the lead on the project, and others supported me. I felt like I was treated like an equal,” she says.

Wolak now works as a trainee graduate underwriter at Delta Insurance. “This isn’t where I saw myself going, but I’m really happy in the role. I like the company ethic and the people, and I’m involved in marketing as well,” she says.

“The internship gave Delta an opportunity to see who I am and how I work. I recommend internships to everyone. I did a PR internship too, and I realised it’s a good industry but it’s not for me. So internships are beneficial for employers and employees.”

Steinhorn adds the report attracted positive comments from within the STRATUS research community.

“It addresses a real industry need and a real societal need. Many directors of company boards are quite worried about cybersecurity. Educating users is a growing issue: you can have a supercomplex computer system with lots of security features, but if someone can get a person to give up their password, the whole system is broken,” he says.

“This is also a great example of how a relatively small-scale project can create a really important outcome for industry, and for a student.”
contact
Gregor Steinhorn gsteinhorn@unitec.ac.nz
FUTURE OF CYBERSECURITY
The cost of worldwide cyber crime will grow to $6 trillion per year by 2021, double what it was in 2015. 2017 Official Annual Cybercrime Report, Cybersecurity Ventures
Sizing up our cyber safety landscape
No-one can predict the future, but some people certainly know where the crystal ball is kept. Advance asked five people working in New Zealand’s cybersecurity industry for their views on how this ever-changing landscape might evolve, and affect us all, in the next few years.

THE PANEL
Colin James, global head of security strategy, Vodafone
David Eaton, associate director of cybersecurity NZ, Datacom
Kendra Ross, CEO, Duo NZ
Paula Gair, founder of deriskme, Master of Technological Futures graduate
Ryan Eagar, co-founder/director, NakiCloud
Advance: The growth of the Internet of Things has led to concerns about device security and cyber risk. What are IoT’s risks and opportunities?

David Eaton: It is predicted we will have more than 2 billion IoT devices by 2025. They pose increasing risks because many IoT devices have poor security implementation, and users often do not understand the risks. This greatly enhances cyber attacks that use hacked IoT devices, such as the Mirai botnet; the first of its attacks enslaved more than 600,000 IoT devices, a scale previously unheard of. The industry is working towards better IoT and security standards, although many manufacturers are just focusing on getting things working.

Paula Gair: Virtual assistants and smart home technology can make life easier and more fun. But the opportunities are moving faster than our ability to respond. We need to improve device security, as device and app manufacturers often default to the most open, insecure settings. ISPs need to secure the networks our IoT devices use: home routers are given default ‘admin/admin’ passwords and many are never updated (patched) after being connected. Users don’t change these settings because they don’t know the risks, don’t know how and no-one tells them they should.

Colin James: The greatest concern around IoT devices is how they are secured during manufacturing, and how we can potentially keep them secured once they are deployed into home networks and the like. Vulnerabilities can be discovered and exploited at an astounding rate, as we saw with the 2016 Mirai botnet, so how do we offer a level of protection for these devices, given many of them will potentially have no way of being patched?

Kendra Ross: Here’s the opportunity: to build a standards framework in New Zealand that manufacturers and importers must adhere to. We do this for electrical devices because of safety, and this is no different, particularly as more lifestyle and medical devices go online.
How prepared is New Zealand for cyber attacks?

Ryan Eagar: Some organisations are very well prepared, especially those using New Zealand-domiciled data centres. Many organisations, however, are woefully unprepared.

CJ New Zealand has been lucky so far in that it hasn’t experienced a major cyber attack. Most large-scale organisations have plans for managing a cyber attack, but smaller businesses in NZ are not so prepared: many adopt an attitude of ‘Why would I be a target?’

KR I don’t think any nation is truly prepared. As we saw when NotPetya swept the globe in June 2017, no-one is immune. That attack is estimated to have cost the world US$10 billion. Companies need to think through what will happen if there is no internet, power or banking system available. The other consideration is the less-seen, lesser-known issue of intellectual property theft. How do you know if someone is on your system, what safeguards do you have around your data? This is still a threat for New Zealand, as the loss of IP and ideas undermines our economy.

PG New Zealand is significantly unprepared, and our strategy and approaches are still in their infancy. When CERT NZ was created last year, for the first time we had centralised reporting of cyber incidents, which is a positive development. Many parts of government are working on aspects of cybersecurity for critical infrastructure, government and defence. While that is essential, we need to create change from the bottom up too.

“Companies need to think more about what data they’re capturing, for what purpose, and how to secure it. After all, if you don’t capture the data, it can’t be leaked or stolen.” Paula Gair, deriskme

What can the ICT industry do to help New Zealand become better prepared for attacks, and what opportunities do public-private partnerships present?

KR Industry is working hard to build awareness, particularly in the SME space. The government established CERT NZ, an organisation where Kiwis can report cybersecurity attacks and get advice and help, whether you are a major organisation, a small company or my mother. This is a great example of a public-private partnership, because reporting and intelligence sharing helps us get a clear understanding of New Zealand’s risk landscape. Other initiatives are in the pipeline around workforce development and a SME cybersecurity credentials scheme, but this is something we need to get better at.

PG Some existing initiatives could be implemented now to make a significant difference. The not-for-profit Global Cyber Alliance promotes two fantastic tools that would help create a ‘safer default mode’: DMARC, which prevents spoofing of the ‘from’ address, and Quad 9, which helps protect users against malicious and phishing websites. Beyond this, I’d like to see companies that are producing enterprise-level cybersecurity Software as a Service solutions think about how they can make some of the key features available to SMEs and home users, in a cost-effective and technically straightforward way.
RE Education of business owners, schoolkids and parents is the key. The ICT industry can help by being more proactive, running competitions, doing more public speaking and generally making more noise about risks and management approaches.

CJ The private sector has a large role to play in protecting New Zealand from these attacks, particularly in the telco space, where we have the greatest level of visibility of ‘bad’ traffic and sometimes can prevent such traffic even reaching our shores. Public-sector agencies should collaborate more frequently with private-sector counterparts to ensure sharing threat intelligence is both timely and accurate, to enable a unified response.

[Photo: Kendra Ross, CEO, Duo NZ]
[Photo: Ryan Eagar, co-founder/director, NakiCloud]

What educational and political measures will help strengthen our cybersecurity response?

KR Politically we need more leadership, particularly from Cabinet. The World Economic Forum said this year cyber attacks are now the third most likely global risk, yet cybersecurity has little or no investment, support or visibility in New Zealand’s government. This will begin to affect us around export conversations, Five Eyes, and investment in New Zealand. We urgently need a skilled workforce to deal with this growing area. Micro-courses are important: three years in cybersecurity is a long time, and although some degree-based courses are relevant, many skills are actually learned on the job. We also need NZQA to move faster on certifying courses.

RE Politicians can help by putting cybersecurity on the agenda so it gets more airtime in the media. Education should be compulsory subject matter in schools and tertiary institutes each year, as part of a general tech curriculum, just like maths and English.

PG Privacy Act mandatory data breach reporting will be a very positive step – the legislation is currently with Parliament – as we will gain a better understanding of the breadth and depth of breaches. Companies will become more conscious of the reputational and financial risks.

DE We tell our kids to wash their hands before eating – that’s common sense – yet we do not teach our digital natives about basic cyber hygiene. Most of the general public may not be equipped with such knowledge. It’s time we ensure this is part of earlier education.

CJ Public awareness is hard to do for security. Most people are aware of the issues but not equipped with the basics on how to protect themselves properly. In some ways the security industry is at fault here, sometimes using fear tactics to force behaviours, but also making it complicated for people to understand simple ways to stay safe online. We need to look at the messaging communicated during National Cyber Safety Week and make sure it targets the right at-risk groups in a clear way.
“A number of high-profile attacks used access granted to third-party support organisations, like the casino that was breached through a fish-tank thermometer.” Colin James, Vodafone

State-sponsored hackers are becoming more prominent; New Zealand has responded with Cortex, developed by the GCSB. What do you think of the programme?

CJ Cortex is a step in the right direction in trying to detect the activity of these nation-state activities. However it doesn’t address the whole problem, and there needs to be more emphasis on response, as with the Malware-Free Networks pilot. Agencies should share more threat intelligence with the private sector, which will enable a quicker response to attacks.

KR I think the GCSB has shown great initiative with Cortex. Our economy is built not just on primary industries; technology is now New Zealand’s third biggest export sector. We need to do more to disrupt attacks on us at the ISP level, and attribution really helps in this. Because these are borderless attacks, we need to be collaborating more with our allies, whether this is through intelligence sharing or policy.

What do you see as the emerging threats and possible responses, such as blockchain and AI, in cybersecurity?

KR Criminals and nation-states are better funded than we are, and AI can help them scale to a level we probably haven’t seen before. We can use technology such as blockchain to secure our data; we need more companies to look at this as a security tool, not just something for cryptocurrencies. AI can help us automate in security operations centres, which we need to do due to the workforce shortage.

CJ Machine learning/AI is currently being explored in security solutions, particularly around user behavioural analysis, and also for automating simple response activities. But AI could also be used for events such as the ‘Microsoft call centre’ attacks, or to automate vulnerability analysis and exploitation.

Quantum computing and IoT are predicted growth areas. Quantum computing will affect existing cryptographic algorithms in operation today, and already organisations like NIST (US Department of Commerce’s National Institute of Standards and Technology) are publishing guidelines for encryption in an age of quantum computing. It’s predicted IoT will create a trillion-sensor economy by 2025, so protecting all that personal information will be a big job if attackers can focus on where this data aggregates.
What should the biggest priorities be in cybersecurity defence over the next few years?

PG Securing our citizens in their homes by providing safer defaults, and by nudging and rewarding improved behaviours such as CERT NZ’s recommendations from Cyber Smart Week 2018. People think they don’t have anything of value to steal, but identities are extremely valuable. If we do a better job of protecting privacy, we will make significant strides in reducing cybersecurity risk.

CJ There is still a lot of work to be done to get the basics right in organisations. A key focus is the number of breaches that are traced back to simple flaws such as unpatched internet-facing systems, people clicking on links in emails, and organisations not securing their remote-access methods. Securing the supply chain is another priority.

DE First, focus on people: they are often the weakest link. Australia recently enforced a mandatory notifiable data breach scheme, and their first report showed 51% of data breaches were due to human error. Even if technology is impeccable, things can still go wrong. We need to teach cyber hygiene to youngsters, and basic cybersecurity awareness to the general public.

Second, 80% of cyber attacks are run by highly organised crime rings, so industries and service providers need to form better alliances, such as the Cybersecurity Tech Accord, and provide more secure, privacy-focused services.

“Educate children young, to protect them and to help protect their parents and grandparents.” David Eaton, Datacom

Any final thoughts?

KR Companies need to see their data as a financial asset on their balance sheet, then they will start thinking more strategically about securing it. Cybersecurity has zero unemployment: there is so much opportunity, so I encourage people to consider it as a career, whether in a technical role, marketing or training.

RE In the trade-off between convenience and privacy, it seems most of the world’s population is choosing convenience, while privacy and data protection are typically sold to a smaller group of tech-savvy consumers. As people become more aware of the risks, their buying behaviour will change and commercial organisations will respond with new offerings that are more understandable for the non-technical public.
STRATUS
Our heads in the cloud
Unitec is part of STRATUS, a multi-million-dollar Kiwi research project that’s creating ways to give control back to users of their cloud-stored data, and invigorate our cloud security industry.

[Photo: Marcus Williams (left) and Christian Probst]

When you back up your precious files to the cloud, do you really know where they go, or whether they’re safe? STRATUS is a six-year cybersecurity project aiming to return data control to Kiwi businesses and individuals – and Unitec is proud to be part of this high-tech, applied research endeavour.

STRATUS (Security Technologies Returning Accountability, Trust and User-centric Services in the Cloud) is led by the University of Waikato, working with Unitec, the University of Auckland and the Cloud Security Alliance. Four years in, they’re well on the way to creating user-centric cloud security tools and techniques.

Funding for this cutting-edge work comes from MBIE (Ministry of Business, Innovation and Employment), which reflects the project’s other goal: to create a thriving cloud-security industry, by developing products and services for Kiwi companies to sell.

Jonathan Miller works as Callaghan Innovation’s group manager – future insights, and also chairs the STRATUS industry advisory group. He says most international research tackles cloud security from the perspective of cloud providers and big corporations.
[Photo: Jonathan Miller, Callaghan Innovation]

“When you look at cloud security from the user’s point of view, as STRATUS is, you have to develop new technology to provide data control to the user. Because that’s such a different approach, these people are developing some pretty unique IP. This is one of the biggest science projects funded by MBIE in the ICT arena.”

Unitec leads the fourth research aim (see box, right), and works on rapid disaster-recovery infrastructure. Professor Christian Probst, Unitec’s research lead for STRATUS, says the team led by research associate and doctoral student Denis Lavrov has developed a program called CRaaSH to help small and medium-sized enterprises (SMEs) recover services and infrastructure quickly after disaster strikes. (Read more about CRaaSH on page 12.)

STRATUS: THE RESEARCH AIMS
Each of STRATUS’s four research aims is led by a participating tertiary institution:
• Transparency and Auditability of Data Activities in Clouds (University of Waikato)
• Protection of Privacy of Data During Processing and Storing (University of Auckland)
• Awareness and Response to Anomalous Data Activities (University of Waikato)
• Resiliency and Recovery of Data (Unitec)
The Cloud Security Alliance, an international industry organisation, provides input across all research aims.
“An essential part of the project is to engage with industry and identify their pain points.”

“We’ve filed a patent for CRaaSH that’s being finalised, and we’ve also deployed the platform to our commercialisation partner, NakiCloud.”

Another project Lavrov devised, LogSpider, protects infinite data streams by replicating data blocks across a distributed network. (Read more about LogSpider on page 2.) Unitec plans to explore other possibilities in the final two years of STRATUS.

The focus on commercialisation sets STRATUS apart, adds Probst. “Often research projects have industry partners, but here an essential aspect is to engage with industry and identify their pain points, then develop tools that can help them and be commercialised.”

Professors Hossein Sarrafzadeh and Paul Pang led the original bid for Unitec’s participation in STRATUS. This bolstered Unitec’s overarching research activity, says Unitec’s dean of research and enterprise, Marcus Williams. Several of their computer science students, either at Master or PhD level, are working on STRATUS research.

“STRATUS became a catalyst for creating our cybersecurity Strategic Research Focus, which is part of our mission-led research strategy. We want to become a go-to partner in the computer sector for cybersecurity research and training.”

The project’s commercial emphasis creates “wonderful challenges” for everyone, Williams adds. Industry and academia work at markedly different paces, laughs Ko, comparing them to land animals and sea animals. “So we learn how to be amphibious, understanding industry’s requirements while being mindful of the longer-term vision of researchers.”

Ko believes Unitec’s ‘amphibious’ nature is one of its core strengths. “The way Unitec engaged industry to set up licensing partnerships is a very good example for other tertiary institutions to follow,” he explains.

Williams says it takes time and commitment to properly work with industry. Unitec’s focus on that reflects its aspiration “to be the most partnered tertiary institution in New Zealand, teaming up with industry as well as institutions such as Waikato University”.

At STRATUS industry advisory group meetings, Miller greatly enjoys seeing entrepreneurs, large corporates and leading cloud security experts throwing around ideas. “When these worlds come together, they can create very inspiring ideas. STRATUS can deliver exciting commercial opportunities for the benefit of New Zealand,” Miller explains.

Happily, STRATUS is on track for success. In 2017, the STRATUS team received the highest possible rating – gold – for its mid-project report to MBIE. Patents are being filed; commercialisation projects are under way.

[Photo: STRATUS leader Ryan Ko]

University of Waikato Associate Professor Ryan Ko leads STRATUS, alongside working as the director of the New Zealand Institute for Security and Crime Science, and head of the University of Waikato’s Cybersecurity Lab. Ko has worked overseas as a lead computer scientist for HP Labs, among other high-profile jobs.

His team is influential through their work on ISO standards around virtualised servers and provenance.

“The ISO standardisation plays an important role in establishing baseline security requirements for most international businesses. We’ve gone regularly to meetings to incorporate some of the STRATUS work into standards being championed by New Zealand or other countries, and we contribute as experts to those standards. A typical ISO standard takes 4-6 years to get to the final draft!” Ko explains.

Probst praises Ko and his team for these efforts. “The relationship they’re building with ISO will benefit other researchers, and influence how future products are developed. It’s an excellent way to ensure there will be a legacy for STRATUS.”

“It’s relatively unusual for government research funding to have required outcomes that include commercialisation and export sales.”

“STRATUS is also a globally significant project. Through working closely with the Cloud Security Alliance, STRATUS researchers are influencing some of the important regulations being developed around the world regarding cloud security.”

There are many ways industry can get involved, Miller adds: hiring “bright young students” with STRATUS experience, co-developing IP, or exploring strategic partnerships.

“For companies that are interested in the cloud, have a cloud presence or product or service, it’s worth getting in contact with people listed on the STRATUS website to start a conversation.”
contact
Christian Probst cprobst@unitec.ac.nz
phone 0800 10 95 10
web www.unitec.ac.nz
Mt Albert campus 139 Carrington Rd, Mt Albert, Auckland 1025
Waitākere campus 5-7 Ratanui St, Henderson, Auckland 0612