Australian Security Magazine Aug/Sep 2014 by MySecurity Marketplace

Print Post Approved PP255003/10110

THE COUNTRYâ&#x20AC;&#x2122;S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2014

The Rise of the Islamic State

China and Japan: Troubled waters

Drones and Video Surveillance: The respective security challenges

Are you prepared to manage a security incident?

Combatting Hunger in India

Thailand Human Trafficking

DRONES $8.95 INC. GST

PLUS

TechTime | Movers & Shakers | Women in Security and much more...

*VBH41 PTZ camera in beige or black *VBH41 PTZcamera camera silveravailable orblack blackavailable available from nationaldistributors distributors *VBH41 PTZ ininsilver or from national

• • • •

VB-M Series

VB-H Series

VB-S Series

HD Range

Full HD Range

Compact Full HD Range

VBM40 – PTZ w/ 20 X optical zoom VBM600VE – IP66 fixed dome w/ optical PTZ-R during setup VBM600D – Fixed dome w/ optical PTZ-R during setup VBM700F – Wide angle full body w/ optical zoom during setup

• • • •

VBH41 – PTZ w/ 20 X optical zoom VBH610VE – IP66 fixed dome w/ optical PTZ-R during setup VBH610D – Fixed dome w/ optical PTZ-R during setup VBH710F – Wide angle full body w/ optical zoom during setup

• • • •

VBS30D – Compact PTZ w/ 3.5 x optical zoom VBS31D – Compact PT dome VBS800D – Compact fixed dome VBS900F – Compact Full body

BECAUSE CLARITY MATTERS

The World’s smallest FULL HD PTZ (VB-S30D) & PT (VB-S31D) cameras. 1

CAPTURE EVERYTHING IN THE HIGHEST OF QUALITY Learning and listening to end users and integrators on what they want from an IP camera drives Canon’s innovation – And with over 75 years of imaging excellence our range encompass all of our expertise & knowledge in camera and lens design. When Clarity matters, choose the premium quality range you can rely on. As 2014 Asatat1 March June 2014

For more information visit canon.com.au/networkcameras call 1800 021 167 or email specialised.imaging@canon.com.au

Contents Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Marketing Manager Kathrine Pecotich Art Director Stefan Babij

Editor's Desk 3 Quick Q & A with Grant Lecky 4 Movers & Shakers 6 International China in troubled waters with Japan: Rising tensions in the East China Sea. Thailand downgraded to Tier3: Failing to take significant action. Give us this day our daily Bread Chinese bodyguards: Personal protection in the land of the Dragon – Part II The rise of the ‘Islamic state’ Education: An underused tool in managing organisational security risks

8 10 12 14 18 22

Page 8 - China in troubled waters with Japan - Rising tensions.

Correspondents Sarosh Bana Adeline Teoh

MARKETING AND ADVERTISING Kathrine Pecotich T | +61 8 6361 1786 promoteme@australiansecuritymagazine.com.au SUBSCRIPTIONS

T | +61 8 6361 1786 subscriptions@mysecurity.com.au Copyright © 2014 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au

Feature Article We can fly, we can spy and we can collide: Solving the RPAS security challenge

Women in Security Flash forward

Cyber Security Exposing the Luuuk banking fraud campaign The upside of heartbleed Are you prepared to manage a security incident How to be a prepper: Surviving a DDoS attack Time for open source intelligence and the deep web

30 31 32 34 37

TechTime - the latest news and products Bookshelf

43 48

Page 18 - Rise of the Islamic State

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Correspondents Page 25 - Drones - Solving the RPAS security challenge.

CONNECT WITH US www.facebook.com/apsmagazine www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

Sarosh Bana

Adeline Teoh

Contributors

www.youtube.com/user/MySecurityAustralia

www.asiapacificsecuritymagazine.com Paul Johnstone

www.drasticnews.com

Andy Davis

2 | Australian Security Magazine

Garry Sidaway

www.chiefit.me

Read Asia Pacific Security Magazine online!

www.youtube.com/user/ MySecurityAustralia

Derek Morwood

www.cctvbuyersguide.com

Mark Webb-Johnson Tyson Johnson

www.asiapacificsecuritymagazine.com/e-mag/

Editor's Desk “As the world goes, right is only in question between equals in power, while the strong do what they can and the weak suffer what they must.” - Thucydides, The Peloponnesian War, Book V, section 89

s we follow on from our last issue with a focus on the loss of MH370, still yet to be found, we write this issue with great sadness following the downing of MH17 and all 298 souls on board from an attack by Ukrainian Separatists using an alleged Russian supplied Surface to Air missile. These two aviation events are extraordinary in their singular occurrence. To occur within months of each other and to the same airline is yet again, in the context of our resilience, a stark reminder to expect the unexpected. The two events have taken the lives of 537 passengers and crew and unbelievably the majority are still yet to be returned home. This situation inspired the Australian government to launch Operation Bring Them Home. Six Australians were killed in MH370 and 38 in MH17, making the latter the largest loss of Australians since 88 were killed in the 2002 Bali Bombings. There is an intense set of circumstances around these events, the impacts of which are yet to fully play out. These events also have serious political ramifications as well as offering leadership opportunities. Australia’s Prime Minister Tony Abbott and Foreign Minister Julia Bishop were quick to take key response roles and to their credit provided a professional and highly appropriate, national response. Despite still taking the risk to make undertakings which as yet appear potentially out of their control. History continues to unfold and the consequences of Russia’s invasion of Ukraine and Israel’s military response in Gaza are two global situations to monitor for some time to come. Remaining with an aviation security theme, we have an in-depth analysis of lightweight remotely piloted aircraft systems (RPAS), already widely available as low cost commercial and hobbyist products, and the risk they pose as a major security challenge for Australian aviation and law enforcement policy makers. There is a darker side to the challenge of unregulated RPAS being fielded with specific intent to conduct illegal operations that range from outright acts of delinquency to criminality and terrorism. The three expert authors, Joe Urli, Brad Mason and Peter La Franchi include CASA certified commercial operators and an

internationally recognised unmanned systems business and policy analyst. As noted with surprise in my previous issue’s Editorial, the Government has since decided not to proceed with the budget measure to abolish the Office of the Independent National Security Legislation Monitor (INSLM). Given that there is extensive new legislation being introduced by the Government it was considered “a good idea” to retain the Office of the INSLM. ASIO’s DirectorGeneral of Security Mr. David Irvine stated on 16 July 2014 “There’s no doubt that Australia faces significant and continuing threats of politically motivated violence particularly of terrorism as well as all the other national security threats that are listed in the ASIO Act, espionage and other things, are alive and well….And what we’ve tried to do in looking at all of these [legislative] changes is to address two significant issues. One is the changing nature of the threat and the other is the changing nature of the technological environment in which we’re operating.” Importantly, we provide a briefing on the Islamic State and the allure of jihad being spread electronically, via YouTube videos, by western extremists who are themselves swelling ISIS ranks as also recruiting others for ‘holy war’. An estimated 2,000 such radicals from Europe and the US may have joined the combat and western governments are rightly fearful of the threats they may pose to their countries upon their return, indoctrinated, trained and geared for violence. Some 110 people from France are believed to be fighting alongside ISIS, apart from 210 from Germany, 200 from the UK, 45 from Denmark and 30 from Sweden. Indeed, a top Shia organisation in India, Anjuman-e-Haideri, has in turn called for thousands of volunteers to travel to Iraq to fight the “terrorism” of the Islamic State and to “protect Shia shrines” and “look after” the wounded. Numbers of Shia Muslims are believed to have registered for the mission. Australia has seen numbers of Islamic militants leaving for Iraq and Syria to join the combat there. Estimating some 100 such Australians to have joined the combat, Canberra too, clearly fears the threat these elements may

pose to the country upon their return. It is set to follow the measures adopted by Britain to tackle the threat of returning homegrown jihadis by revoking their dual citizenship on their Australian passports and intercepting electronic communication between suspected extremists and their handlers. In an effort to enhance regional counterterrorism cooperation to guard against any such threats, Australia is reaching out to neighbouring countries like Indonesia, Malaysia and the Philippines that have also seen radicalised elements heading out to the conflict. We have Part II of our insight into the bodyguard industry protecting China’s billionaires, the importance of Security Education, the strategic security challenge to the region’s stability from rising tensions in the East China Sea and a look at Distributed Denial of Service (DDOS) attacks amongst our cyber security focus. Some thought provoking material and so much more to touch on! Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Yours sincerely, Chris Cubbage

CPP, RSecP, GAICD

Executive Editor

OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Australian Security Magazine | 3

....with Grant Lecky

Co-Founder, Security Partners’ Forum

What does it mean to you and what do you see as the key opportunity to be named by IFSEC Global to its international list of the Top 40 Most Influential People in Security for 2014? Well to start with it’s a great honour, and when I see past and present winners such as Jason Brown from Thales Australia, Bruce Schnier, Mike Howard from Microsoft, Richard Widup the current President of ASIS International, and prominent female security professionals such as Emma Shaw from the Security Institute – I feel humbled to be a part of such an esteemed list. Where do you see the industry heading? The security industry is adjusting to both internal developments and a shifting geopolitical landscape. The security profession has been developing and maturing. Particularly since 9/11, the security community across disciplines and domains, and including the public sector, private sector and NGO sector, has focused increasingly on resilience, both locally, at the enterprise level, and across jurisdictions. The drive among security professionals to augment capabilities and increase capacity has meant enhancing collaboration and information sharing, while maintaining diversity of professional expertise and deepening professional knowledge. The increasing complexity of threats, requiring closer collaboration and greater professionalism among security professionals and bodies, has led to both a broader network of information sharing and networking among professionals - the SPF is a champion of this – at the same time that the security community is increasing its standards and certifications. Meanwhile, the domains and disciplines of security recognized the need for increased cross-pollination, while maintaining professional expertise, depth of knowledge and specialisations. Professional security-related associations are likewise adjusting to the new geopolitical landscape, with some expanding internationally, and trying to bridge knowledge and experience globally. This is not without challenges given the more rigid, hierarchical structures that professional associations typically have, with membershipfocused mandates and objectives. The geopolitical landscape has shifted significantly. Since the end of the Cold War threats have globalised and have in some cases been able to operate with great fluidity and agility. Threats, such as organised crime, insurgents and terrorists operated and even collaborated across jurisdictions. Western states were unable

4 | Australian Security Magazine

to match the agile nature of how these threats operated, and struggled to counter threats headon under more rigid partnerships, alliances and coalition structures, such as NATO. The lessons learned from the wars on crime and terrorism, and in the conflicts in Iraq and Afghanistan, and globally, affirmed the necessity of information sharing and leveraging best practices and lessons learned among partners across domains and disciplines and across jurisdictions. They are also struggling to rebalance state sovereignty and alliance priorities, currently demonstrated in Ukraine and Russia, and complicated by international trade considerations. The security community had great incentive to collaborate and fewer hurdles to collaboration than militaries or private corporations. What became clear was that cooperation across states and in a complex theatre with state, military, private sector, and civilian actors, collaboration was possible and necessary, but that it was exceptionally difficult to operate in a strategically coherent way given the differences in capabilities and priorities of the individual entities. These individual entities also brought their own strengths. Again, this required breadth and depth. What are some of the challenges you think the industry is faced with? As resilience improves, funding is becoming harder to come across. The strategic surprise that spurred funding following attacks, is now not a first-reaction to events. Over time, the effect of strategic surprise following attacks, security breaches, and other attacks, lessened as security and communities became more resilient. The security community’s own success is becoming a hurdle in itself to sustaining momentum. Much discussion has come into play about arguing the case for security to the C-Suite, political decisionmakers and the public. A continued problem for the security community is at the operational level. The formula for information sharing and collaboration with different levels of government has been elusive. It is difficult to reconcile different capabilities and capacity among partners at different levels of government, with different resources, priorities, and with different amounts of focus on a specific project or effort. Building the relationships in advance to need is key, and the SPF is focused on doing just that. There is also a grey area concerning how much sharing is too much sharing. Particularly

since the Snowden leaks, liberal intelligence sharing among the Five Eyes has been a concern and much discussion is required, particularly as intelligence collection and sharing now includes more security partners than the traditional intelligence agencies, rather private sector and additional partners. Privacy concerns and public debate on security collaboration and sharing are being called for. What did you set out to achieve in founding the Security Partner’s Forum? My position as Co-Founder of the Security Partners’ Forum came as a result of need for greater collaboration within the Canadian (and later international) security industry. I had previously conducted research into the professionalisation of the security industry and found it was too siloed. I set out to create an entity that could break these silos and enhance the Canadian (and later international) security capacity. The SPF is at the front of the curve of where the security community is heading and affecting how the security community will operate in this new geopolitical landscape. As such it has the best view and ability to accelerate trends to help security – positioned well in front of the curve of change. It is the cutting edge of building an agile network from and of the security community globally that can challenge security threats head-on. What do you do when you’re not working? I’m an avid reader and I’m also a big fan of spontaneous road trips.

freedom of choice with regard to system selection and use of existing infrastructure. This is a critical requirement to meet security needs of today and to future proof the system so the investment continues to meet the security needs of tomorrow.

appointed the new Head of Secure Issuance for Asia Pacific, and Jordan Cullis has been promoted to the Head of Identity Assurance, Asia Pacific. “The new roles will work closely together to streamline our brand and continue to grow HID Global’s business in the region,” said Simon Siew, Managing Director of APAC. “Lee and Cullis bring deep expertise on Genuine HID products and solutions, as well as a wealth of industry experience to their new positions. We are excited and confident that we have a unified and extremely talented management team to take the business forward in Asia Pacific.”

Dimension Data Announces MacGibbon as Security Business Unit General Manager Dimension Data, the USD 6 billion ICT solutions and services provider, has announced the appointment of Alastair MacGibbon as the Security Business Unit General Manager for Australia. A former agent with the Australian Federal Police, MacGibbon brings a wealth of experience to the role, having served in the force for 15 years. Notably, MacGibbon was the founding director of the Australian High Tech Crime Centre. Rodd Cunico, Dimension Data Australia CEO, said MacGibbon’s experience on the front lines of cyber security made him a perfect fit for the company. “We pride ourselves on having the best talent available and having Alastair on board is another example of the calibre of our team,” Cunico said.

Juniper Networks Appoints New Senior Leaders in Asia-Pacific Juniper Networks, the industry leader in network innovation, recently announced a series of senior appointments in Asia-Pacific (APAC). The new appointments, which span sales, systems engineering, marketing and partners, help position the company to capitalize on the highest growth opportunities in APAC as customers migrate to High-IQ Networks and best-in-class cloud environments. Wendy Koh has been promoted to senior vice president (SVP) of APAC Sales. Based in Singapore, Koh will be responsible for Juniper Networks’ sales and operations across the region including customer engagement, sales development, training and enablement, strategic planning and revenue growth. An 11-year Juniper veteran, Koh has held several senior leadership roles across the company including VP of APAC Service Provider and, immediately prior to this role, VP of Asia Sales. Koh reports to Vince Molinaro, Juniper Networks’ chief customer officer.

6 | Australian Security Magazine

A Canberra-based global software company that is revolutionising business processes and competing with some of the biggest names in IT was recently named the 2014 Telstra Australian Capital Territory Business of the Year. Founded by Australian National University science graduates Phillip Williamson and Michelle Melbourne in 1992, Intelledox has attracted more than one million worldwide users to its software product, Infiniti. The flagship product helps organisations to digitise and streamline paper-based information processes, mitigate risk and improve customer communication. The business has experienced rapid international expansion from its small base in Fyshwick, with 35 staff now based in offices in Singapore, Toronto and last year opened offices in New York and London.

Eacom announces acquisition of Riverina Alarm Systems

Saab Expands to Cater for Customer Demand Emanuel Stafilidis joins Saab Australia as Business Development Manager to continue to grow and develop Saab’s presence in the Critical Infrastructure Security space. Emanuel is a security professional with over 25 years’ experience in securing critical infrastructure and major facilities in Australia and throughout the Asia Pacific region. He brings a wealth of experience in designing electronic security and in particular the integration of systems to achieve enhanced control room operations. Emanuel has a strong background in Open Architecture systems that provides end users with complete

Software innovator named ACT Business of the Year

HID Global Announces New Senior Appointments in the Asia Pacific Region HID Global®, a worldwide leader in secure identity solutions, today announced new senior appointments in the Asia Pacific region to drive profitability and growth. Lee Wei Jin has been

Director of Eacom, Tim Andrighetto has announced the firm’s recent acquisition of reputable Wagga security business Riverina Alarm Systems. Mr Andrighetto said Riverina Alarm Systems has been servicing Domestic, Commercial and Industrial clients throughout the Riverina for the past 25 years and has an outstanding reputation for professionalism, unparalleled service and high quality. If you have an entry for Movers & Shakers please email details and photo to editor@australiansecuritymagazinecom.au

The annual SIG Conference and Exhibition, hosted by the Attorney-Generalâ&#x20AC;&#x2122;s Department, is the largest gathering of government and private sector protective security practitioners in one conference. The theme for the SIG 2014 Conference program is Mitigating the trusted insider threat. The conference program will focus on: â&#x20AC;˘

nderstanding and identifying the risk u from trusted insiders; and

â&#x20AC;˘

xamining current and emerging e policies, plans and business frameworks available to mitigate the risk.

Senator the Hon George Brandis QC, Attorney-General, will give the opening address at SIG 2014.

International

China in troubled waters with Japan: Rising tensions in the East China Sea By Amrita Jash

8 | Australian Security Magazine

he Asia-Pacific region is witnessing a strategic shift with the changing regional power dynamics. This shift is witnessed in the rise of China as a powerful actor with its ambitious foreign policy posture, while United States is perceived to experience a decline of power in its zone of influence. With its geography predominantly maritime and strategically being the most economically viable region, the Asia-Pacific has become the new battleground of competitive interests, thereby, posing a severe challenge to the security and stability of the region. One such strategic security challenge to the region’s stability is the rising tensions in the East China Sea. Here, China is involved in a severe maritime dispute with Japan over a few islets of rocks in the East China Sea, making it a potential hotspot of tensions in the Asia-Pacific region. This flaring tension over the sovereignty claims has de-stabilized the status-quo both regionally and globally. Hence, the Asia-Pacific seems to be in great crisis with the heightened security dilemma between China and Japan, where in their efforts of reaffirming their sovereign positions, the diplomatic stand-off is drifting in the direction

of a military conflict. The trouble in the waters is reflected in the two countries varied positions, where for China, the continental shelf in the East China Sea, which ‘stretches from China’s coasts right up to Japan, should be regarded as the natural prolongation of the continental territory of China and therefore belongs to it’. While for Japan, the continental shelf should be divided along the median line between the baselines for measuring the territorial seas of the two countries. The core factor that makes East China Sea a security concern for Asia-Pacific is understood in the overlapping interests of the two East Asia nation-states. Whereby, the realist calculations of the unresolved and indisputable sovereignty claims over the islands, known as Diaoyu in China and Senkaku in Japan, is further compounded with the crucial flashpoints of being the sea lanes of communication (SLOCs) and a giant energy reservoir of minerals, oil and natural gas, thereby, making it a core national interest for both China and Japan. For China, the concerns are intensified in two-folds: first, economically- as six of its ten largest commercial ports

International

can be accessed only via the East China Sea; and second, strategically, where China’s concerns are centered on Japan’s military and surveillance posture, putting China under its radar. For Beijing, the ‘Diaoyu Island dispute’ has become China’s core national interest, which is seen by China as an “issue about China’s territory and sovereignty, and therefore, a matter of ‘core interest’.” These concerns have therefore, elevated China’s East China Sea dispute with Japan to that of geopolitical and geostrategic importance, to which China sees as a severe challenge to its national defence and security in the region. Until recently, the maritime tension had been just a minor irritant between China and Japan. But the dispute escalated into a serious international crisis since 2010, when Japan’s strategic moves were met with China’s reactive assertiveness, resulting it to take a strong defensive posture. The conflict was sparked when a Chinese fishing trawler rammed two Japan Coast Guard ( JCG) vessels in waters near the Diaoyu/Senkaku Islands and Japan detained the captain. And further exacerbated with Japan’s detention of seven Chinese nationals on the islands on March 24, 2012. But the conflict hit the high with the Japanese purchase and nationalization of three out of the five islands on September 11, 2012 from Kunioko Kurihara who claimed to be the private owner of the islands. Thereby, with this causal anxiety over insecurity, China has adopted a strong military and surveillance posture in the Asia-Pacific to avert any Japanese security threat. The tension in the waters took a new form with China’s unilateral revisionist move of establishing an Air Defense Identification Zone (ADIZ- areas where states ask aircraft to identify themselves and provide flight plans) on November 23, 2013, which overlaps with Japan’s ADIZ including the air space over the Senkakus. This overlapping of ADIZ creates a potential one of collision between the two, where a surveillance aircraft from either country would trigger the other to launch fighter jets to intercept and identify the aircraft flying in the overlapping ADIZ. While the dangers of escalation to armed conflict has increased with the two militaries becoming directly involved. As recently, on May 24, 2014 a potential collision between China and Japan was on the brink. As amid the Russia-China ‘Joint Sea-2014’ military exercise, Chinese Su-27 jet fighters were reported to have flown within 100 feet of a P-3C Japanese reconnaissance plane, similarly a Japanese YS-11 reconnaissance plane entered in China’s ADIZ. These incidents are reflective of the growing provocative attitude of China and Japan in the East China Sea, resulting into a tit-for-tat behaviour- which calls for severe consequences. With this context, the rising tensions between China and Japan in the East China Sea therefore, seems to be multifaceted- where the security challenges can be understood in a continuum of strategic rivalry, territorial disputes, maritime resources, international law, and historical animosities. Apart from these rational motives, the crisis in the East China Sea is also factored by the dynamics of the shifting balance of power in the Asia-Pacific region- China posing a challenge to United States regional hegemony. Here, China’s strategic aim is preserve the East China Sea within Beijing’s orbit of influence by keeping the United States at bay, which has an intrinsic security linkage with Japan and

‘Until recently, the maritime tension had been just a minor irritant between China and Japan. But the dispute escalated into a serious international crisis since 2010, when Japan’s strategic moves were met with China’s reactive assertiveness, resulting it to take a strong defensive posture. Taiwan. This is reflected in China’s growing muscle power and its strong maritime push in order to match the economic goals with that of strong military might. While the East China Sea conflict is no more just relegated to China and Japan. It is now characterised by a new dimension- defined by United States act of ‘re-balancing Asia’ or ‘pivot to Asia’ in order to maintain the status-quo in the Asia-Pacific. This growing US strategic involvement in the East China Sea is characterised by the deepening of the US-Japan alliance, building stable political and security ties with Beijing, the U.S.-Japan cooperation and coordination on economic affairs and, in particular, the Trans-Pacific Partnership (TPP) and most importantly, the revision of US military posture in the region. Thereby, the maritime dispute has become a contested ground of strategic interests between China, Japan and United States. Therefore, the rising tensions between China and Japan in the East China Sea seems to pose a long standing challenge to Asia-Pacific’s regional stability which is exacerbated by the growing US involvement as a ‘pivot to Asia’. Though it is unlikely at the present time, for either China or Japan to take a military action in order to assert their sovereignty claims over the Diaoyu/Senkaku Island dispute but the rising cold economics between is scaling down the interdependence between the two. This is thereby, fostering a much colder politics in the East China Sea, making the chances of collision all too possible between China and Japan in the 21st Century. Hence, the SinoJapanese relations in the current phase is engulfed in a danger zone where they can encounter a sudden accidental catastrophe if both sides do not make an immediate call for conflict management and prevention. About the Author: Amrita Jash is a Doctoral Research Scholar at the Centre for East Asian Studies, School of International Studies, Jawaharlal Nehru University, New Delhi-India. Her research interests are: international politics, Chinese foreign and security policy, China’s politics and economics, India-China relations, strategic and security issues. She can be reached at: ajash108@gmail.com.

Australian Security Magazine | 9

International

Thailand downgraded to Tier 3: Failing to take significant action to improve its record on human trafficking The Environmental Justice Foundation (EJF)* is a UK- based non-profit organisation working internationally to protect the environment and defend human rights. EJF hopes that in the aftermath of this decision, all stakeholders will come together to undertake a focussed and coordinated programme of action to not only eradicate human rights abuses from Thailand’s seafood industry but also protect the region’s overexploited marine environment.

nvironmental degradation, brought on by catastrophic failures to manage Thailand’s fisheries, has had a vital part to play in driving an appalling modern slave trade in the Thai seafood sector. After four years on the Tier 2 “Watchlist” of the US Department of State’s Trafficking in Persons (TIP) report, Thailand has been downgraded to Tier 3 for failing to take significant action to improve its record on human trafficking. This decision places Thailand among the worst performing countries like Iran and North Korea. It also heralds an opportunity to redouble efforts to address an environmental and human rights crisis. Thailand’s downgrade in this year’s TIP report will act as a watershed for Government and industry. Hopefully, it

10 | Australian Security Magazine

will mark a step-change in public and private efforts and see all stakeholders come together to make genuine efforts to eliminate the modern-day slavery that pervades the Thai seafood industry and taints international supply chains. The outcome of the 2014 TIP report could have even wider implications for Thailand. Those working on the issue of slavery in Thailand’s fishing industry have recognised for some time now the links between Illegal, Unregulated and Unreported (IUU) fishing, the demands of a changing labour market and the occurrence of human trafficking and forced labour aboard Thai fishing vessels. In the early 1960s, when trawlers were first introduced to the region, fishing boats in the Gulf of Thailand netted around 297 kilograms an hour. Fast forward to 2011 and

International

the same fishing grounds provide just 25 kilograms an hour. On average, the productivity of Thailand’s fisheries has plummeted by an incredible 92.7 percent over the last 40 years. In 2014, EJF witnessed a trawler - owned by a company which has used slave labour - haul in a catch that wouldn’t even cover the operating costs of the vessel. In short, the decimation of Thailand’s marine fisheries is one of the principal reasons that employers and brokers are increasingly willing to resort to deception, corruption and violence in order to meet labour shortfalls. As Ambassador Luis CdeBaca, who heads the State Department’s TIP office, observed, Thailand is “a perfect storm of slavery and environmental degradation.” The Thai fishing industry suffers from a chronic labour shortage, with dangerous and arduous conditions making employment in this sector amongst the least desirable jobs in the country. This labour shortage is exacerbated by the fact that over four decades of appalling mismanagement has left Thailand’s fisheries decimated, meaning boats are forced to stay longer at sea for less catch. In order to reduce costs, wages and working conditions have suffered, making fishing even less attractive to Thai citizens and migrants alike. To fill this shortfall employers turn to smuggling networks run by brokers who often resort to deception, coercion and violence to supply labour for an industry characterised by abuse. During his speech announcing the release of the TIP report, US Secretary of State John Kerry highlighted how unsustainable business models were driving environmental degradation and human trafficking across the world. An environmental and social tragedy is at the heart of the reason Thailand has been downgraded today. *EJF charitable trust became a registered charity in England and Wales, charity no. 1088128 (2001); EJF Ltd is an associated non-profit company.

Australian Security Magazine | 11

International

Give us this day our daily bread

By Sarosh Bana Correspondent

12 | Australian Security Magazine

n what is the world’s biggest plan for combating hunger, the Indian Government has launched a US$14.3 billion programme for providing cheap foodgrains to two-thirds of the country’s population of 1.25 billion India’s National Food Security Act, 2013, that guarantees grossly subsidised foodgrain to two-thirds, or 837.5 million, of the country’s population of 1.25 billion, came into being September 2013. But within weeks of its enactment, the legislation is encountering huge problems. The yearly financial burden in implementing this world’s biggest programme of combating hunger is just one of them. Of the Rs1.16 trillion (US$18.7 billion) allocated in the Union budget of last week to the Food and Consumer Affairs Ministry for fiscal year 2014-15, as much as Rs885 billion (US$14.3 billion) – or 76.4 percent – will go towards implementation of the food security law. This will include Rs265 billion (US$4.27 billion) for managing the costs and losses of the entire public distribution system. India’s fiscal year is from 1 April to 31 March. The food subsidy is expected to climb rapidly every year, considering that the 2014-15 allocation for it almost equals the entire funding of Rs920 billion (US$14.84 billion) for the Food and Consumer Affairs Ministry last year (2013-14). The ambitious food delivery scheme entitles 5 kilograms of rice, wheat and coarse cereals per individual, per month, at a fixed price of Rs3 (US cents 4.84), Rs2 (US cents 3.23) and Re1 (US cents 1.61) a kilo respectively – at the current rate of Rs62 to a US dollar – for the next three years, after which the prices may be revised. It targets 75 percent of the rural and 50 percent of the urban population. One would imagine that the introduction of a hugely

subsidised food programme for a starving population would be widely welcomed. But this landmark scheme has been greeted with high scepticism, not without reason. For one, it has been brandished at a time the once vaulting Indian economy is in crisis, the budgetary and current account deficits are wide and it is yet unclear how this massive scheme will be funded, and sustained. For another, it is widely perceived to of been a measure of political opportunism, with elections recently held in April-May. While the Congress-led coalition Government claims its decision will provide a safety net to India’s poorest, it is a tacit admission that 67 years after the country’s Independence from Britain, the majority of the population is yet in a predicament that compels such assistance. India has been ruled by the Congress party for 54 of the last 67 years. Sure, it is an arduous task to expand the bread basket in a manner commensurate with the surge in numbers. It is nonetheless disturbing that the country has around the same proportion – 24 percent – of undernourished people as it did two decades ago. The fundamental argument against the food delivery scheme is that it reduces the population to dole and perpetuates the problem, when the Congress Government could instead have used its subsidy funding towards structural reforms during the nine years of its current reign. The additional burden it will impose on the exchequer will drive inflation even higher, hitting hardest the poor it seeks to serve. Indeed, in its report titled National Food Security Bill – Challenges and Options, the Agriculture ministry’s Commission for Agricultural Costs and Prices (CACP) puts the cost of the food security scheme over a three year period

International

Of the Rs1.16 trillion (US$18.7 billion) allocated in the Union budget of last week to the Food and Consumer Affairs Ministry for fiscal year 2014-15, as much as Rs885 billion (US$14.3 billion) – or 76.4 percent – will go towards implementation of the food security law. at Rs6.82 trillion (US$110 billion). It points out that this is because the Government has not accounted for additional expenditure needed for the envisaged administrative setup, scaling up of operations, augmenting production, and investments for storage, transportation, handling and market infrastructure. The Government has calculated that the coverage and entitlement it has proposed will require 61.23 million tonnes (MT) of foodgrains annually. While foodgrain production had totalled 255.36 MT in 2012-13, the yield estimated for the current fiscal 2013-14 is 263 MT, including 105 MT of rice, 92.5 MT of wheat and 42.5 MT of coarse cereal. This will entail the diversion of 25.5 percent towards the subsidised food programme. India’s food subsidy plan had rankled the World Trade Organisation (WTO), which had feared that subsidy levels would rise globally as a result and the programme would affect global stocks and commodity prices. When the issue was debated at the 9th WTO Ministerial Conference held in Bali December 2103, India contended that its food inventories were not for trading or for finding markets, but for the safety and security of its people. It pointed to a G-33 proposal that allowed countries with food security laws to procure goods for ensuring food security for their people. WTO eventually relented, agreeing it would not penalise countries like India for providing subsidy on staple food crops. Nations such as India are now allowed to fix a Minimum Support Price (MSP) for farm produce, sell staple grains to the poor at subsidised rates and store foodgrains to meet contingency requirements. Curiously, the food subsidy programme will hurt India’s agriculture sector the most as the Government attempts to garner maximum foodgrain through MSP to the farmer. Indeed, the farmer will see more worth in receiving food doles himself than in toiling in the fields. Agriculture is clearly one sector to have fared poorly owing to political neglect, though India is predominantly agrarian and one of the world’s largest agrarian economies. Though its role remains critical as 65 percent of the population has farming as the principal source of work and income security, agriculture has seen its share in GDP decline over the years – from 29.76 percent between 1994 and 1996, 23.15 percent between 2002 and 2003, and 13.7 percent at present. Malnutrition accounts for nearly half the child deaths

in India. Calorie deprivation is widespread, the country’s undernourished subsisting on 260 kilocalories per day, when the minimum dietary energy requirement is for 1,770 and the global average, 2,240. The situation had been better two decades ago, when the daily intake had been 290 kcal per person. Besides, net per capita per day availability of foodgrain has risen only feebly from 394.9 grams in 1951 to 436 grams today. A weak purchasing power denies nutrition to the masses. While China’s per capita income was US$69 in 1962 compared to India’s US$58, at US$6,091 today, it is four times that of India’s US$1,489. This was primarily owing to heightened attention to agriculture where poverty was located. Thus, while average per hectare yield for cereals in China was 1,500 kg in 1962 compared to 965 kg/ha in India, the respective tallies are 5,705 kg/ha and 2,800 kg/ha today. Beijing thereafter invested in infrastructure for the shift from farm to factory, thereby vitalising manufacturing to improve employment and purchasing power. India lost out on both farming and manufacture. Compounding India’s problem is poor handling of produce that causes phenomenal post-harvest losses. As much as 10 percent of foodgrains and 25 to 30 percent of perishables rot away owing to primitive harvesting, prolonged transportation and inadequate storage. Besides, nearly 18,000 MT of foodgrain were damaged between 2009 and 2012 in Food Corporation of India godowns. Agriculture Minister Sharad Pawar says insufficient storage infrastructure is leading to losses of fruits, grains and vegetables worth Rs440 billion (US$7.1 billion) every year. Yet, compared to the Rs885 billion (US$14.3 billion) allocated for the food subsidy, there is an outlay of just Rs300 billion (US$4.84 billion) for the Agriculture Ministry for 2014-15. Similarly, Health and Family Welfare has been allotted Rs384 billion (US$6.19 billion), and Human Resource Development, Rs811 billion (US$13 billion). Global ratings agency Moody’s assesses the Food Security measure as credit negative as it will weaken Government finances and deteriorate the macro-economic situation. A collateral damage to the economy from the new legislation will be a reduced supply of foodgrains to the open market, leading to a further rise in prices. This will clearly hurt the flow of bank credit to the private sector.

Australian Security Magazine | 13

International

Chinese bodyguards: Personal protection in the land of the Dragon

This issue we bring you Part II of how being

is another reason why private bodyguard

rich in China can be dangerous â&#x20AC;&#x201C; unless you

services have surfaced and are increasing

have a bodyguard. The security business in

each year.

China is booming. Itâ&#x20AC;&#x2122;s a special time in the history of China

Like their western counterparts, many Chinese performers and business executives

and the country has been in an economic

employ bodyguards as a symbol of their

transition. As such, China is no different to

status and prestige. However; aside from

many other countries and crimes towards

prestige, another reason for the increase in

rich people are inevitable. Furthermore, a

popularity of having a bodyguard is the crime

widening rich-poor gap, the 2008 Olympic

rate. Whilst serious crimes such as robbery,

Games and the global market are raising

theft and murder are still less frequent then in

safety concerns among the nationâ&#x20AC;&#x2122;s elite

western society, they are becoming more and

and leaving many of them vulnerable. This

more common in China than ever before.

14 | Australian Security Magazine

International

hinese criminal gangs are also now renowned for carrying weapons including firearms, allegedly bought illegally from corrupt police or military personnel. Furthermore, there have been a number of major incidents during the last several years including the countdown to the Summer Olympic Games in Beijing. Some of those included the March 2008 hijack of a bus in Xian which was carrying Australian passengers and was hijacked by a Chinese man wearing explosives and threatening to blow it up. Furthermore, there was an alleged attempt by Uighur minorities in China to hijack a plane traveling to Beijing in the same year. Many Chinese are rushing to join the ranks of one of China’s newest and best paid professions and Chinese bodyguards can look forward to salaries of about $200 USD - $5,000 a month depending on their military/ police background, formal bodyguard training, education, appearance, knowledge of martial arts and foreign languages. However, whilst many sign up to a world of glamour there are many underlying problems including exploitation of female bodyguards as nothing more than an attractive fashion accessory or for ‘ornamental reasons’. And there are those companies that also require a secretary, public relations officer and a bodyguard, so with some females, they can fulfill them all in one role. The director of a firm that Watson and his team has previously trained, stated that he dresses his bodyguards in matching designer suits and long black coats as symbol of status and as far as he is concerned, if people see this in conjunction with his latest European designer car, then it means success and that they will want to do business with him. In 2008, Watson was invited to train students undertaking specialist bodyguard training in the lead up to the Beijing Olympic Games. He also oversees several Chinese bodyguard teams for visiting movie stars and celebrities as well as company directors and banking executives. A client of Watsons, who asked not to be identified, said he had decided to get protection after a close friend was abducted and killed when the ransom exchanged was compromised. He now employs 15 bodyguards and pays approximately 400,000 Yuan (68,800 AUD) for each bodyguard. Watson states that the Chinese Bodyguards rely too much on traditional and outdated martial skills which are not relevant to the modern bodyguard. Whilst having these skills is an advantage they are not suited to the close quarter and dynamic situations of the modern era. Instead, systems such as Israeli Special Forces Krav Maga and Bujinkan Ninjutsu are much more suited to the Bodyguard/High Risk Protection industry due to its close quarter effectiveness. Watson said that like Australia and the western world, there are some schools which are professional and understand the complexities of what constitutes the role of a bodyguard whilst there are many other courses that run their course from an outdated training manual without any formal experience or training. During the last several years there have been prominent media reports throughout China which have shown young female students at a bodyguard training school having bottles smashed over their heads. Watson said it’s designed to prepare them in the event they may encounter this type

There are unconfirmed reports that there may be more than 20,000 companies throughout China who are involved in security, body guarding and private investigation work. of attack when they are a bodyguard. He states that this type of training is more for show then having any real learning outcomes for the students. Students can expect to pay up to 12,000 Yuan ($2,100 AUD) for a three or four week course which results in little more than the students ability to crawl through mud, dive through fire, immerse themselves in freezing water and use nunchucks. Furthermore, he said that students were often subjected to physical abuse from instructors and that undertaking training with replica Chinese 95 semi-automatic rifles and pistols was counterproductive as the law prohibits private security guards from carrying guns, and there are also very strict laws in relation to carrying knives. In theory, Chinese bodyguards do not have any special privileges and they have the same rights and responsibilities as civilians including they have no right or entitlement to carry firearms, however, it is often the case that many do carry weapons in complete violation of the law and are often ‘protected’ by corrupt Government officials or because they ‘know someone’. There are unconfirmed reports that there may be more than 20,000 companies throughout China who are involved in security, body guarding and private investigation work. Although there are some that are licensed by the State Public Security Bureau (PSB), Watson believes that there are many firms operating underground or in a gray area with little regulation or by paying bribes to local Government officials to turn the other way. With the increase of crime in China including murder, assassination, kidnapping, corporate and financial crime the Government is not in a position to be sending police and

Australian Security Magazine | 15

International

the United States. Although the Chinese Government is moving aggressively to punish kidnappers, often by the death penalty, the threat of the kidnapping boom continues to grow. As too, does the increase of incidents involving less well-off people attacking luxury cars and causing accidents or personal attacks from employees. Watson states that the gap between rich and poor is getting spread further and there will be ongoing problems in Chinese society. He said that there is a saying in China: You will laugh at those poorer than you and hate those richer than you. In a country where the Forbesâ&#x20AC;&#x2122; China Rich List estimates there are 168 billionaires, the bodyguard and security industry has broken from the shadows of the Dragon and is now in high demand. About the Author Paul Johnstone is a former Federal Agent with the Australian Federal Police and a former Soldier with the Australian Army. Paul has performed a number of specialist protective security intelligence and counter-terrorism roles during his combined 25 years of service and is a Government accredited Instructor in a number of specialist fields. Paul has been formally recognised by the Governments of the United Kingdom, Bosnia and Herzegovina for outstanding police investigations pertaining to complex fraud and war crimes and he has lectured and trained law enforcement, security and military personnel throughout Australia, Peoples Republic of China, Afghanistan and the Pacific Rim. Johnstone is the founder and principal director of Defensive Measures International which is a consultancy firm offering specialist services throughout Australia, Peoples Republic of China, India and the Asia Pacific region.

troops to provide personal protection to private entrepreneurs, local and foreign business executives and for those that require around the clock safety measures. Furthermore, there are an increasing number of foreign executives, entertainment and corporate businesses conducting business in China and many of these expect the same type of private security found in their native countries. During the last decade and in particular since China became a member of the WTO, Watson has noticed a trend in Chinese bodyguard firms seeking formal educational accreditation for their bodyguards and security specialist. As China continues to open up to the modern international world, education and formal qualifications in specialist fields such as personal protection is being sought from renowned â&#x20AC;&#x2DC;subject matter expertâ&#x20AC;&#x2122; countries such as Australia, Israel and

16 | Australian Security Magazine

International

www.cctvbuyersguide.com

For all the latest in CCTV products and news. www.cctvbuyersguide.com

Australian Security Magazine | 17

International

The rise of the ‘Islamic State’ As the world was a mute witness to the horrifying abductions and brutalities wrought by the Islamist terrorists, Boko Haram, in Nigeria, a greater menace emerged with the rise of the alQaeda offshoot, Islamic State of Iraq and Syria (ISIS), now renamed simply ‘Islamic State’.

By Sarosh Bana Correspondent

18 | Australian Security Magazine

he ISIS insurgency in Iraq - OPEC’s second largest oil producer, with a daily production of 3.5 million barrels - took control of key cities and oilfields, and plundered banks, treasuries and armouries at will. Some 10,000 Indians live in Iraq, most of them providentially away from the strife-torn areas. But 40 Indian construction workers were kidnapped by the Islamic State

militants from projects they were engaged on near Iraq’s second largest city of Mosul. They were abducted as they were being evacuated from the area ravaged by the war between these Sunni jihadis (religious warriors) and the government in Baghdad dominated by the rival Shia sect. One of the workers subsequently managed to escape and another is feared to have been shot dead, but the fate of the

International

others is yet unknown, though the Iraqi government and the Indian embassy there maintain they are alive and safe. In sharp contrast to their predicament, Indian diplomacy triumphed decisively in securing the release of 46 Indian female nurses who were holed up for nearly a month in their hospital in the northern Iraqi city of Tikrit, the hometown of the fallen Iraqi president Saddam Hussein who was hanged in December 2006. As Iraqi government forces battled to retake the city from the ISIS rebels, the young women took refuge in the hospital’s basement, surviving on biscuits and bread. New Delhi is believed to have managed their release with help from liberal Kurdish intermediaries who presumably have some leverage over the Islamic State outfit. While in Iraq, most of these nurses, however, had desired to stay put, as they had taken huge loans to fund their shift there and had not received their salaries for the past four months. But once back in India, they vowed never to return to the strife-torn nation. While the militants did not harm them in any way, some of them sustained injuries when hit by shrapnel from their hospital that was blown up by the rebels moments after they were evacuated. The Indian government’s focus is now on getting the sequestered construction workers back home. But it appears that ISIS commanders would want to use them as human shields against any Iraqi military assault, or even as a bargaining chip to extract a safe passage for themselves in the event of an Iraqi siege. Military Ramifications At the beginning of their insurgency, ISIS had traumatised the world by releasing pictures of its fighters shooting unarmed Iraqi soldiers in cold blood. ISIS is bolstered by military officers from Hussein’s Ba’ath faction that had ruled over Shia-majority Iraq from 1968 to 2003. Over 60 per cent of Iraq’s population is Shi’ite Muslim, the country also being the site of their holy pilgrimage cities of Samarra, Najaf and Karbala. ISIS is reported to have slain Iraqi judge Raouf Abdul Rahman for having sentenced to death Saddam Hussein, a Sunni, whom they regard as a martyr. The aggression ironically almost brought the two adversaries, the United States and Iran, to contemplate a joint military initiative to counter the Islamic State. Shiadominated Iran is anxious to protect the Shi’ite population in Iraq as well as their holy sites. Washington and other Western powers are alarmed by the support the fighting is evoking within the Muslim world, with hardliners from many of these countries converging on Iraq to join the ISIS militia there. Saudi Arabia, the cradle of Islam that judges itself as the rightful potentate of the Muslim world, has been unnerved by the ISIS belligerence, but in an oblique message to Tehran, has warned that foreign countries should stay out of Iraq. Indian security is attempting to track 18 Indian citizens who have travelled to Iraq to fight as jihadis. Many other countries too are trying to track and prevent their citizens from joining this war. It is learnt that these aspiring jihadis from India are not from any extremist group, but have been individually radicalised. Of the 18 under the scanner, the jihadi zeal of six of them has apparently waned after they were mistreated by their leaders, causing them to leave the

zone of conflict for other Gulf nations. The allure of jihad is being spread electronically, via YouTube videos, by western extremists who are themselves swelling ISIS ranks as also recruiting others for the ‘holy war’. An estimated 2,000 such radicals from Europe and the US may have joined the combat and these western governments are fearful of the threats they may pose to their countries upon their return, indoctrinated, trained and geared for violence. This aspect was also discussed by visiting French foreign minister Laurent Fabius with Indian Prime Minister Narendra Modi. Some 110 people from France are believed to be fighting alongside ISIS, apart from 210 from Germany, 200 from the UK, 45 from Denmark and 30 from Sweden. Indeed, a top Shia organisation in India, Anjuman-e-Haideri, has in turn called for thousands of volunteers to travel to Iraq to fight the “terrorism” of the Islamic State and to “protect Shia shrines” and “look after” the wounded. Numbers of Shia Muslims are believed to have registered for the mission. Implications For Australia Australia has seen numbers of Islamic militants leaving for Iraq and Syria to join the combat there. Estimating some 100 such Australians to have joined the combat, Canberra too fears the threat these elements may pose to the country upon their return. It may follow the measures adopted by Britain to tackle the threat of returning homegrown jihadis by revoking their dual citizenship on their Australian passports and intercepting electronic communication between suspected extremists and their handlers. In an effort to enhance regional counterterrorism cooperation to guard against any such threats, Australia is reaching out to neighbouring countries like Indonesia, Malaysia and the Philippines that have also seen radicalised elements heading out to the conflict. Though Australia has never seen a terrorist attack on its territory, it is one of the biggest per capita source nations of extremists in the current conflict in Iraq and Syria. Australians have, however, borne the brunt of some deadly terrorist attacks, as the truck bombing of the embassy in Jakarta by the Indonesia-based terrorist network, Jemaah Islamiah ( JI), that killed 11 in 2004, as also the 2005 attack, also by JI, on a Balinese nightclub in which 202 people perished, 88 of them Australians. Impacts in India and military response With a fifth of its population of 1.25 billion being Muslim, largely Sunni, India has deemed it expedient to pursue cordial ties with the Arab world and other Islamic countries, which also harbour large numbers of Indian expatriates. In a complete change from the pussyfooting the previous Congress party-led government was notorious for, the newlyinstalled Bharatiya Janata Party-led regime in India lost no time in getting in touch with the authorities in Baghdad. External Affairs minister Sushma Swaraj also capitalised on India’s good bilateral relations to secure permission from Turkey, Jordan and Syria to carry out operations to rescue and evacuate the Indian nationals stranded in Iraq from their soil.

Australian Security Magazine | 19

International

The Iraqi government has also marshalled Sukhoi Su-25 ground attack aircraft delivered by Russia and helicopter gunships in its offensive to retake Tikrit and other large parts of northern Iraq from the ISIS rebels. These three Islamic countries that adjoin Iraq have agreed to allow safe passage to the rescued Indians from two locations in each of them. India has readied plans for one of its biggest and most elaborate rescue manoeuvres in recent times, using sea, air and land routes. Teams of security and defence experts have been dispatched to the three countries to work out the logistics of the rescue efforts. Apart from land corridors identified to shepherd those rescued out of Iraq, New Delhi has deployed two warships - a destroyer and a frigate - in the region and is keeping on standby three Air-India civilian airliners as also Indian Air Force transport aircraft like the Boeing C-17 Globemaster and the Lockheed Martin C-130J Super Hercules to ferry them out at short notice from any of the three neighbouring countries. Camp offices have also been set up in Basra, Najaf and Karbala to identify the evacuees and process their documentation without delay. The Iraqi government has also marshalled Sukhoi Su-25 ground attack aircraft delivered by Russia and helicopter gunships in its offensive to retake Tikrit and other large parts of northern Iraq from the ISIS rebels. Its ground forces are launching offensives with tanks and armoured vehicles. It is likely that the Sukhois are being manned by Russian fighterpilots and the United States too is aiding the effort by having sent 300 advisors, mostly special forces, as well as drones. The ISIS jihadis are, however, entrenched in their northcentral Syria headquarters of Raqqa, and in areas on both sides of the border of Syria and Iraq running from north to south. Heady with their newly-gained powers, they have rechristened themselves as “Islamic State” and declared their captured territories as the Islamic “caliphate”, calling on their community worldwide to pledge allegiance and uphold the jihad. They have also incriminated Shi’ite Muslims as heretics who deserve death. More daringly, they have anointed their leader, Abu Bakr al-Baghdadi, as the ‘Caliph’, or sovereign of their Islamic state, and have asked all Muslims to acknowledge him as their supreme leader. “He is the imam and khalifa (Caliph) for Muslims everywhere,” proclaimed the group’s spokesman, Abu Muhammad al-Adnani, in an Arabic audio speech that was translated into several languages. The ultimate aim is to re-create a typically mediaeval caliphate obliterating borders from the Mediterranean to the Gulf. Indeed, the last ‘S’ in ISIS may alternatively stem from the Arabic “al-Sham” that can mean the Levant. The term stands for the cultural and geographic sweep of the Eastern Mediterranean spanning from Anatolia to Egypt, including present-day Israel. “We are fighting to make the word of Allah the highest,” announces the spokesman. These developments pose a direct challenge not only to

20 | Australian Security Magazine

the primacy in the global jihad of al-Qaeda, the two-decadeold terrorist grouping that has already disavowed ISIS as upstarts, but to the conservative Arab states as well. Formed in April 2013 as an offshoot of al-Qaeda in Iraq (AQI), ISIS has sworn the expansion of its rebellion, threatening to “break other borders” as well, namely, of Iraq, Jordan and Lebanon, and has vowed to “free” Palestine. Where to from here? The militant group’s exact size is unclear, but its ranks are swelling as greater numbers of radical jihadis, especially the youth, get drawn by its hegemonistic ideals and by its shadowy leader al-Baghdadi, known to have been born in Samarra, north of Baghdad, in 1971. He was a tactician and strategist in al-Qaeda and had joined the insurgency engendered in Iraq soon after the 2003 US-led invasion. The new entrants are finding greater inspiration from a field commander like al-Baghdadi than from al-Qaeda whose leader Ayman al-Zawahri is an Islamic theologian and a qualified surgeon. Hindu-majority India – that is neither an Arab nor an Islamic republic - faces the biggest threat from the fact that the Islamic State aims to create an “Islamic World Dominion” that is designed to include India. A recently released “world dominion map” by ISIS had parts of north-west India shown as part of the Islamic State of Khorasan, a caliphate that the outfit aims to achieve. Recently, it also released a video calling on Muslims in India’s embattled northern state of Kashmir, that borders adversary Pakistan, to follow the example of their ‘brothers’ in Syria and Iraq and wage a violent jihad against the Indian authorities. The video speaks of a “caravan of heroic martyrs” coming from Afghanistan to “liberate Kashmir”. The Sunni Arab countries are averse to interceding in Iraq till so long as it is ruled by the Shi’ite Nouri al-Maliki who has been Prime Minister for the past eight years and is eyeing a third term. He has rebuffed intense international and domestic pressure to form a national unity government, with the minority Kurdish and Sunni sects in his country accusing him of marginalising them during his rule. Though the Obama administration is not overtly seeking al-Maliki’s ouster, it will consider an aerial campaign against the insurgents only once a new government is formed. While Sunni Muslims regard themselves as the orthodox and traditionalist branch of Islam - the word Sunni derived from Ahl al-Sunna, the people of the tradition – and pledge allegiance to Prophet Mohammad and those close to him, the Shias are a political faction called Shiat Ali, or the party of Ali, as they are adherents of Ali, the Prophet’s son-in-law. Ali, as also his sons Hussein and Hassan, were killed in power struggles over who should be the Caliph. Shia Muslims are in the majority in Iran, Iraq, Bahrain and Azerbaijan, with a large presence also in Yemen, Afghanistan, India, Kuwait, Lebanon, Pakistan, Qatar, Syria, Turkey, Saudi Arabia and the UAE. There is little doubt that the emergence of the Islamic State will widen the reach of radicalism and create turmoil the world can ill afford and may not be prepared for.

International

Education â&#x20AC;&#x201C; An underused tool in managing organisational security risks. Organisations are failing to train their employees to help protect themselves and the organisation from potential risks that they might face. By Andy Davis

or the past 12 years I have travelled the world managing security risks and implementing risk reduction strategies for a wide range of organisations. During all of this time one aspect of security risk management that is constantly overlooked; or at best played lip service to is the education of staff about security risks that they, or the organisation face. Some organisations are prepared to spend millions of dollars on technical security systems but fail to deploy sufficient operators to use them effectively or explain what the system is intended to do. Whilst other organisations will send employees and their families half way around the world in search of increased profits but fail to brief them about the potential security risk. Most importantly, organisations are failing to train their employees to help protect themselves and the organisation from potential safety or security risks that they might face. What is Security Education? Many confuse the terms security education and security training. Whilst both are representative of â&#x20AC;&#x153;learningâ&#x20AC;?, there is a clear distinction between them. Security training provides the skills needed to conduct a primary security function or role, i.e. how to operate search equipment or control access into a building. Security education provides the information, advice and guidance needed to help make informed choices to avoid or reduce the risk to the organisation or individuals

22 | Australian Security Magazine

from likely or possible security threats. Security education influences, empowers and enables a proactive risk mitigation approach to be taken that helps employees and organisations operate safely and securely at work, home or during travel. There may be times when the advice and guidance given in a security education programme is formalised into security training sessions. However, this is normally based on a change in the situational risks that are faced, i.e. operating in a hostile environment such as Iraq or Pakistan. Why should Organisations Invest in Security Education? 1. Protection of Assets. Most organisations recognise that their employees are one, if not the most important asset that they have and without which they would find it difficult to operate or function. Therefore by default the protection of staff from risks should be one of the highest organisational priorities. By knowing and understanding what threats exist enables staff to take steps to avoid or reduce their adverse impact; thereby enabling the employee and assets to remain safe and functionable. 2. Value for Money. Investing time, effort and money in the provision of security advice and guidance in a workforce should reduce workplace abstractions. A security educational programme should provide the guidance needed for when faced with pre-determined situations or incidents that reduce

International

the impact or loss to an organisation. A technical security system might cost millions of dollars but will be limited in scope and normally only cover certain areas or vulnerabilities. A security education programme is a fraction of the cost and protects not only the organisation but also the employee, whether at work, travelling or home; something a technical system cannot achieve. 3. Duty of Care. A security education programme helps an organisation address duty of care issues by working proactively to identify security threats that could adversely impact employees and provides them with information to avoid or mitigate them. This is especially important when sending employees on overseas assignments. Any organisation operating an effective security education programme demonstrates social responsibility to its employees and families and is able to extend a duty of care beyond just the workplace. Whilst the question of whether an organisation has acted responsibly will normally be for a court to decide, any failure to readily identify a likelihood of a security risk will most likely result in a conviction or adverse ruling against the organisation. 4. Improved Security. Employees that are aware of the security risks that they or the organisation face are better able to support the organisational security efforts and help reduce loss or harm to assets. Instead of the organisational security management being left solely in the hands of the security department/team the workforce can be empowered through a security education programme to play a proactive part in protecting the organisational assets. For example, a thousand pairs of eyes observing a building is better than one pair of eyes looking at a thousand CCTV cameras, also an access control system will not identify somebody ‘tailgating’ an employee into a building; but a security educated employee knows they are able to challenge somebody not wearing a pass. Is security education only suitable for war and conflict zones? Not at all, although not having an educational programme in these areas could result in criminal negligence on behalf of an organisation. A security education programme is usable anywhere and by any sized organisation. The only real changes are the levels of security education needed to meet the security challenges that exist. As with most security measures the organisational risks need to be understood so that effort at the development stage is not wasted and is being correctly channelled. In many cases the “what and where” factors; what the organisation does and where it does it are cornerstones of understanding the threats faced by an organisation and its employees. Security threats such as burglary or fraud in the United Kingdom can be just as crucial to an organisation’s survivability as a terrorist attack in Peshawar. Educating employees about the threats enables individual and organisational steps to be taken to avoid, reduce or take a positive action (i.e. closing a window before going home) irrespective of where it is located.

You said that security education programmes can help families; how? Any advice or guidance that you give an employee about how to avoid being the victim of crime is transferrable from the employee to their family. Telling the employee not to walk by themselves at night in a dangerous part of a town is equally as applicable to other members of their family as it is to the employee. Likewise advising an employee that there has been a spate of armed robberies in a certain part of the city allows them and their families to avoid the area; thereby reducing the security risk. Where families accompany employees on overseas assignments it is vital that they are included in any security education programme. Indeed, the organisation has a legal responsibility to ensure that steps are taken to protect cotravelling family members from security threats. One of the easiest ways to achieve this is through security education. In this context security education can take many forms including briefings, explaining known or suspected risks, any protective security measures that are in place to protect them, i.e. burglar alarms, the provision of a driver or even a security information booklet. One of the main benefits of including families in security education programmes prior to and during overseas assignments is that they are able to arrive having been empowered with sufficient information to avoid or mitigate identified threats. For the organisation this normally has an added benefit in that the employee is able to concentrate of the reason for the assignment; their work. Finally… Security education programmes are a cost effective security measure that are easy to implement by any organisation and provide the biggest ‘bang for the buck’ of any security programme; and they do work! I have established security education programmes from Colombia to Kazakhstan and have repeatedly seen the benefits in reducing the organisational and individual security risks whether from loss, harm or damage. I have witnessed the effectiveness of security education programmes in saving lives, avoiding conflicts and protecting buildings from protesters. So next time you are reviewing your security strategy, take a second to think about the benefits outlined here, it does make sense. About the Author Andy is an international security, risk and crisis management advisor to a wide range of clients. Prior to this Andy was the Corporate Head of Security for a multi billion dollar developer in the Middle East and a former diplomat having looked after British governmental interests in Colombia, Saudi Arabia and Pakistan. He holds a Masters of Science degree (MSc.), is a Chartered Security Professional (CSyP) and a Fellow of the Security Institute (FSyI). Andy is presently developing security awareness and vigilance programs for multi-national corporations in Central Asia. He can be contacted via email at: andy.davis@tridentmanor.com

Australian Security Magazine | 23

Drones Robotics Automation Security Technology Information Communications

www.drasticnews.com Like us on facebook! www.facebook.com/drasticnews 24 | Australian Security Magazine

Feature Article

We can fly, we can spy and we can collide: Solving the RPAS security challenge Lightweight remotely piloted aircraft systems (RPAS), already widely available as low cost commercial and hobbyist products, are posing a major security challenge for Australian aviation and law enforcement policy makers. By Joe Urli, Brad Mason and Peter La Franchi

he capacity of remotely piloted aircraft systems (RPAS) to support domestic law enforcement and security applications is widely recognised as an important emerging focal point for capability planners in Australia as well as internationally. There is a darker side to that outlook however, the rising domestic security challenge of unregulated RPAS being fielded the specific intent to conduct illegal operations that range from outright acts of delinquency to criminality and terrorism. Lest the use of RPAS in such dark ways be considered speculative, consider this: There is already legislation in place in Queensland banning the use of RPAS and hobbyist radio control model aircraft in the designated security zones being established for the conduct of the Group of Twenty (G20) summit in Brisbane in mid-November this year. The basis for that ban is obvious if the parameters of RPAS technology are understood: a proficient operator fielding an $800, fourrotor multicopter with a video camera could track a given diplomatic official from his hotel to the conference venue with the imagery helping perfect an assassination attempt. Another proficient operator, using an $8,000, eight-rotor commercially available RPAS could carry a small improvised explosive device and fly it into a selected diplomatâ&#x20AC;&#x2122;s car even as it sped down a Brisbane motorway.

Nor is the capacity to use commercially available UAS as a threat system restricted in any sense just to high profile diplomatic gatherings. These readily available commercial products are in fact already a very real problem from a variety of perspectives. At the end of June this year, security guards in Dublin, Ireland, discovered a crashed hobbyist-grade RPAS in a prison exercise yard; the user is believed to have been attempting to deliver contraband. Three months earlier, Victorian police arrested a man flying a hobbyist RPAS near the Melbourne metropolitan remand centre, with charges including possession of a drug of dependence. In October 2013 a visitor from the United Kingdom flew his hobbyist grade system, brought into the country in his suitcase, around the Sydney Harbour Bridge under the cover of darkness. The RPAS crashed onto the railway lines on the Western side of the bridge deck and briefly sparked a reaction from Sydney-based counter terrorism unit. The RPAS operator was later fined by the Australian Civil Aviation Safety Authority (CASA), one of the few instances of prosecution that has occurred in Australia despite the regulator frequently acknowledging it does not have the resources to effectively monitor and oversee the breadth of this important and rapidly growing segment of aviation. CASAâ&#x20AC;&#x2122;s solution, made public in May this year in

Australian Security Magazine | 25

Feature Article

‘... ingestion of the system into an aircraft engine at a critical phase of flight could cause a major crisis, and a $500 hobbyist RPAS can easily fly to altitudes of several thousand feet for tens of minutes.’

the form of a proposed change to Australian aviation regulations, is the complete removal of regulatory oversight of RPAS below 2kg in weight unless they are being used for commercial purposes. Such small systems, CASA argues, are unlikely to be capable of causing harm or incidents and should therefore be treated as an evolved form of model aircraft. The proposal has generated widespread concern within the Australian aviation community, linking organisations ranging from the Australian Certified UAV Operators Association, the Australian Airports Association and the Aerial Agricultural Association of Australia in a common position of opposition.

Small Things, Big Impacts The need for effective and common security structures as part of ensuring the safety of the global air navigation has been an essential feature of national and international air law since the 1944 Chicago Convention. The place of all forms of RPAS in that global regulatory structure is still in a state of flux, however CASA’s proposed deregulation is unique in global terms. There is no other national aviation regulatory authority in the world seeking to remove an entire class of aircraft from its oversight and indeed, if the example of the United States is considered, the Federal Aviation Administration (FAA) is seeking to expand and enhance its controls over the small RPAS segment at a broad level, even as it also moves to facilitate commercial applications. Can lightweight and hobbyist grade RPAS pose a specific and credible threat to aviation safety? In November 2013, a hobbyist flew a small RPAS over the final approach flight path into Vancouver International airport, filmed a commercial airliner flying just beneath it, and then posted the video to YouTube. In May this year a commercial airliner

26 | Australian Security Magazine

landing at Perth airport in Western Australia had to take evasive action at 3800ft altitude because an RPAS was flying in its path. On 30 June 2014, Canadian police launched an investigation of yet another incident involving yet another RPAS incursion at Vancouver International. In the United States, the FAA is investigating a series of critical incidents involving near misses near airports, the most recent being an American Airlines flight almost colliding with a RPAS on final approach in regional Florida. While the RPAS in each case were small, ingestion of the system into an aircraft engine at a critical phase of flight could cause a major crisis, and a $500 hobbyist RPAS can easily fly to altitudes of several thousand feet for tens of minutes. CASA itself released a study in early June 2014 which assessed the potential damage that a small RPAS could cause to an airliner, with this acknowledging significant damage could result in an engine ingestion scenario. The study also cautioned the regulator that more research, including trials looking at issues such as the likely consequences of a lightweight RPAS striking the windshield of a general aviation aircraft were required before any definitive safety decisions could be made. CASA has not actioned that recommendation despite its deregulation push. While these near airport safety incidents appear largely to be the result of hobbyists flying in ignorance of aviation regulations and with common sense set aside, they flag the possibility of a more significant problem, with security at its core. Consider a scenario where multiple small systems are intentionally placed in the flight path of an airliner. To bring down a passenger flight as it closes in to land at Brisbane International, imagine a swarm of 50 modified hobbyistcategory RPAS, each no more than 2kg in weight and launched from multiple park and backyards under the primary south-southwest approach. Each RPAS is programmed to fly by different routes to arrive at the same time at a single waiting point directly inside that main flight path, perhaps 8-10km from the start of the runway. At this point a descending airliner is flying at speeds of around 170kt and is at an altitude of below 3000ft. The actual skills necessary to coordinate multiple systems to a single point in the sky is well within the grasp of most recreational RPAS flyers today. Optimising the timing for the launch of the swarm could be as simple as using a live flight tracking program from the internet, these using aircraft ADS-B transmissions to provide highly accurate positional data for individual commercial aircraft. Terminal phase precision aiming of the swarm could be achieved by using commercially available ‘First Person View (FPV) flying modes for designated ‘leader’ RPAS modified

Feature Article

‘the total cost of equipment needed to mount such a terrorist action could be as low as $100,000 using nothing more than adapted existing commercial products. ’ to act as a virtual homing beacon for other units. One leader RPAS is flown in FPV directly towards an airliner engine intake, and half the swarm follows in milliseconds. A second operator uses another leader RPAS to take out a second engine with the remainder of the swarm. Would such a strike be detectable in its critical convergence phase by extant sensors aboard an aircraft or by air traffic control radar? For a commercial airliner the answer is clearly no, nor would air traffic control likely detect the converging RPAS because of their small size as well as their separation during all but the final seconds of flight. For a military or modified state aircraft, nose mounted radar or an imaging sensor may provide some warning but only in the final seconds of swarm convergence, directly before the commencement of impacts. The total cost of equipment needed to mount such a terrorist action could be as low as $100,000 using nothing more than adapted

existing commercial products. The lead time for a technically proficient, hostile actor to create and ready such a swarm can be reasonably estimated at less than tens of weeks. This is not an argument for outright banning of all forms of RPAS, which would be a retrograde and economically harmful step, but rather a clear pointer towards an intelligent regulatory structure of far greater sophistication than we see today. About the Authors Joe Urli is the President of the Australian Association of Commercial UAV Operators (ACUO). He is a CASA certified commercial operator and heads the Brisbane-based UAV Systems company. Brad Mason is the Secretary of ACUO and was the first CASA certified commercial RPAS operator in Australia. Peter La Franchi is an internationally recognised unmanned systems business and policy analyst.

On Terminology The terms ‘Unmanned Aerial Vehicle’ (UAV), ‘Unmanned Aircraft System’ (UAS), ‘Remotely Piloted Aircraft System’ (RPAS) and ‘Drone’ are, in the broad, all references to one and the same thing, this being: “An aircraft (or aircraft-system) that is flown from a remote location without a pilot located in the aircraft itself.

Security on the move

SRI SecuRIty congReSS, 1-3 DecembeR 2014 Over three days ECU’s SRI Security Congress will bring together all areas of security professions and disciplines as part of a holistic engagement with the wider security community. Scholars of the following disciplines are encouraged to participate: strategic studies, public affairs, communication studies, international politics, criminology, business and management, information and computer science, political science, social science, psychology and cognitive science, and security studies. All submissions will be subject to a double blind peer review process and best papers will be considered for publication in selected journals. The 2014 SRI Security Congress will host 5 security based conferences over 3 days 15th Australian Information Warfare Conference 12th Australian Digital Forensics Conference

12th Australian Information Security Management Conference 7th Australian Security and Intelligence Conference 3rd Australian eHealth Informatics and Security Conference

Venue

Contact details

Key dates

Edith Cowan University 270 Joondalup Drive, Joondalup WA 6000 Tel: +61 8 6304 5176

Congress Coordinator – Emma Burke Tel: +61 8 6304 5176 E: sri@ecu.edu.au W: http://conferences.secau.org/venue.php

Paper Submission Deadline – 30 June 2014 Acceptance Notification – 15 August 2014 Camera Ready Papers – 10 October 2014 Early Bird Registration – 2 November 2014

TEACHING QUALITY ★★★★★ ★★★★★ TEACHING TEACHING QUALITY QUALITY Tel: 134 ECU (134Tel: Tel: 328) 134 134 ECU ECU★★★★★ (134 (134 328) 328) ★★★★★ GRADUATE SATISFACTION ★★★★★ ★★★★★ GRADUATE GRADUATE SATISFACTION SATISFACTION E: futurestudy@ecu.edu.au E: E: futurestudy@ecu.edu.au futurestudy@ecu.edu.au the Good universities Guide the the Good 2014 Good universities universities Guide Guide 2014 2014

reachyourpotential.com.au reachyourpotential.com.au

ECUSRI Edith Cowan University Security Research Institute

303LOWE ECU10745 A CRICOS IPC 00279B

Australian Security Magazine | 27

Women in Security

Flash forward A flash flood changed Kate Fitzgerald’s career direction and now the emergency management professional is looking at how we can mitigate future risks.

W By Adeline Teoh Correspondent

hen Kate Fitzgerald left school she enrolled in veterinary science. It was a flash flood— not quite a sea change—in her Wollongong neighbourhood that took her on a completely different career path. “I remember walking around the area seeing houses destroyed. That event made me really interested in natural disasters and emergency management, even though I didn’t know it was called that.” The spark of interest turned into a volunteer stint at the NSW State Emergency Service (SES) where she met a commander who was completing a degree in emergency management at Charles Sturt University. Fascinated, Fitzgerald inquired about enrolling, then changed her degree. Now she works in Relief and Recovery Operations at Emergency Management Australia (EMA), a division of the Attorney-General’s Department, looking after the Natural Disaster Relief and Recovery Arrangements program, which assists with recovery efforts. Summer is understandably the organisation’s busiest time with a range of possible disasters on the radar: from bushfires to cyclones and floods. The team needs to be ready to activate response and recovery support as well as deal with the political aspects that accompany a major incident. The organisation’s scope also covers terrorist events. In winter it’s about ensuring recovery efforts stay on track and reflecting on the effectiveness of the previous season’s work practices. “We work primarily in the recovery space. Some of the work we do within the recovery space may then flow into a community becoming more resilient or more prepared for the season ahead,” says Fitzgerald. A global calling But Fitzgerald’s career was not always Canberra-based. In her early 20s she lived and travelled around Europe for four years while undertaking her degree by distance education. After the traditional rite of passage working in bars, she landed

28 | Australian Security Magazine

Kate Fitzgerald

an administration role in the emergency department at Dublin’s St Vincent’s Hospital, which evolved into Fitzgerald contributing to its evacuation and crisis planning, bringing her education to life. When she returned to Australia in 2008 she took on a three-month contract role with EMA to deliver a conference. In 2009, the Victorian bushfires turned that conference producer role into a substantive longer-term position helping to coordinate the offers of international assistance. Meanwhile, she had begun studying her Master of Emergency Management by distance, again through Charles Sturt University. For two years, Fitzgerald worked in the EMA office before the department was restructured, then moved into the National Security Capability Development Division. “I worked in a range of roles there. I was still in the emergency management sector, but managing mitigation, funding programs, and things like that.” That led to a yearlong stint in Prime Minister and Cabinet (PM&C) as an emergency management adviser within the National Security Division. “We had a number of significant disasters while I was at PM&C, the Queensland floods and so on. I was involved in providing advice to the Prime Minister and to the government on the emergency management implications of those disasters,” says Fitzgerald. She returned to EMA as an executive officer to a Division Head for a period of time before being offered a scholarship through the US Congress-funded Asia-Pacific Leadership Program at the University of Hawaii. “It was a 12-month program and I lived in Hawaii for six or seven months. While I was there I focused on emergency management and worked with people from around the AsiaPacific area. There were about 30 of us from 20 countries. It was pretty diverse both participant-wise and also what we focused on, which was part of the attraction for me.” Fitzgerald chose risk management, sifting through research conducted by the World Economic Forum on the impacts of

Frontline

the interconnectedness of global risks. During the program, Hurricane Sandy hit the east coast of the USA and Fitzgerald was deployed with the American Red Cross to assist. Practical in an emergency It wasn’t the first time Fitzgerald had lent a hand to a recovery effort. Her volunteer work with the SES in Wollongong involved repairing roofs and heading out in a boat to provide assistance. Since then, she’s been doing practical training alongside study. “I got that ethos from my family, just going out and helping my community. I got a lot of great training experiences, learnt a lot about team management and leadership.” It served her well, too. After her undergraduate degree she realised the qualification wasn’t enough on its own. “What I underestimated was the importance of both experience and practical application,” says Fitzgerald. “I wouldn’t have got to where I am today without having volunteered, and I also feel that I wouldn’t be as effective at my job without my volunteering experience, without keeping a finger on the pulse about the real concerns and issues of people that are impacted by disasters.” Even in Ireland she volunteered with Civil Defence, an organisation like the SES, then when she settled in Canberra she joined the ACT Rural Fire Service and the Australian Red Cross Emergency Service, which she’s served for more than five years. “I was a bit nervous about joining the Rural Fire Service because I thought it was a macho environment, but it has been one of the most welcoming environments I’ve ever volunteered or worked in,” she describes. “It has been nothing but supportive about more women coming in.” The operational sector is male-dominated, she admits, but the emergency management industry as a whole, including research, mitigation and planning, policy and administration governance, has a roughly 50/50 gender split. “AIIMS [Australasian Inter-Service Incident Management System] has a military command-and-control structure, so that tends to be a masculine leadership style,” Fitzgerald explains. “When you move into the recovery space you’re dealing with complex, long-term problems which are centred primarily around providing social support to the community. You tend to find women working in those community service roles, traditionally.” The macho stigma simply comes from the media attention, which is usually focused on the more newsworthy ‘response’ part of an incident. Fitzgerald says emergency management is actually quite an equitable environment. “My very early experience was my SES unit, which was about 50% women, 50% men. The fact that I was a woman was never really an issue. I think that’s just something I’ve been particularly blind to for most of my career.” Modern risks Volunteering has also informed her studies. Her researchbased master’s focused on volunteering within the emergency management sector, which helped her develop a national risk framework for Australia based on comparable frameworks

I was a bit nervous about joining the Rural Fire Service because I thought it was a macho environment, but it has been one of the most welcoming environments I’ve ever volunteered or worked in,” from the USA, New Zealand and the UK. Fitzgerald says it was a catalyst for the leadership positions she then secured. “It really made me think strategically about how issues within emergency management are connected and addressed and moved my career direction away from that operational focus to a broader strategic focus across the PPRR [prevention, preparedness, response and recovery] spectrum of emergency management.” This all funnelled into the Asia-Pacific Leadership Program where the threefold benefits were building her leadership skills, reaffirming her passion and direction within the emergency management sector and networking across different countries and cultures. “I got fantastic exposure to some of the work that’s going on, in both a regional and international sense, on risk management,” she says. “I was lucky to do the work with the World Economic Forum looking at global risks and developing methodologies for workshops within the region on future thinking: identifying and mapping those futures and then identifying the risks within those environments and how countries and governments can prepare for those future risks.” One future risk she’s particularly interested in is the risk of modernity, which she covered in a presentation at the Australia and New Zealand Disaster and Emergency Management Conference earlier this year. Using Ulrich Beck’s World at Risk as a starting point, Fitzgerald spoke about how society’s over-reliance on technology—such as electricity and telecommunications—can exacerbate the effects of an incident. Hurricane Sandy showed Fitzgerald what the risks of modernity looked like. Response issues quickly transitioned from providing basic needs, such as food and accommodation, to the consequences of modern society, she reports. “The American Red Cross personnel weren’t able to communicate with each other. They had no radio infrastructure, as they were entirely dependent on being able to communicate by mobile phone. They hadn’t prepared for or anticipated the complete failure of the telecommunications system.” It’s not all disaster and firefighting for Fitzgerald, however. In between her day job, volunteering and other roles, including lecturing on decision-making as part of the CSU course, she keeps active with sport, playing tennis and netball, and travels to see family members who live on the coast, as well as those in Ireland. But even she admits she can’t get enough of emergency management, with plenty of passion left in the tank. “I can’t ever imagine working in another sector, so I don’t have a lot of spare time. I’m either volunteering or reading something about it. You really do get to see on a very tangible level your ability to be able to assist following a disaster.”

Cyber Security

Exposing the Luuuk banking fraud campaign

xperts at Kaspersky Lab’s Global Research and Analysis Team have discovered evidence of a targeted attack against clients of a large European bank. According to logs found in the server used by the attackers, cybercriminals stole more than half a million Euros from individual accounts in the space of just one week. The first sign of this campaign, dubbed the Luuuk, was discovered on 20th January this year when experts detected a C&C server and an accompanying control panel which indicated evidence of a Trojan program being used to steal money from clients’ bank accounts.

“Soon after we detected this C&C server, we contacted the bank’s security service and law enforcement agencies, and submitted all our evidence to them,” Vicente Diaz, Principal Security Researcher at Kaspersky Lab, said. Overall, more than 190 victims were identified, most of them located in Italy and Turkey. According to transaction logs detected on the server, the sums stolen from each bank account ranged from between 1,700 to 39,000 Euros. The campaign was at least one week old when the C&C was discovered, having started no later than January 13, 2014. Two days following Kaspersky Lab’s discovery, the criminals removed all traceable evidence that might be used to locate them. However, experts suggest this was probably linked to changes in the technical infrastructure used in the malicious campaign, rather than spelling the end of The Luuuk campaign. Malicious tools used In the Luuuk case, experts have grounds to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank accounts. “On the C&C server we detected, there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations, including Citadel, SpyEye, and IceIX, have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims,” Diaz added. Money divestment schemes Kaspersky Lab’s experts noticed a distinctive approach in the organisation of the so-called ‘drops’ - or money-mules - where participants in the scam receive some of the stolen money in specially created bank accounts. There was evidence of several different ‘drop’ groups, each assigned with different sums of money. One group was responsible for transferring sums of 40-50,000 Euros; another with 15-20,000; and the third with no more than 2,000 Euros. “These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each ‘drop’ type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust; the more money a ‘drop’ is asked to handle, the more he is trusted,” Diaz explains. The C&C server related to the Luuuk was shut down shortly after the investigation started. However, the complexity level of the Man-in-the-Browser operation suggests that the attackers will continue to look for new victims. Kaspersky Lab’s experts are engaged in an on-going investigation into the Luuuk’s activities.

30 | Australian Security Magazine

Cyber Security

The Upside of Heartbleed

By Derek Morwood, Regional Sales Manager for Centrify

he Heartbleed bug has generated a lot of catastrophic commentary and reverberating repercussions since it was publicly disclosed on April 7. ‘Catastrophic’ is the right word,” wrote Internet security expert Bruce Schneier on his blog. “On the scale of 1 to 10, this is an 11.” That intensity of reaction is not surprising given estimates that around half a million of the Internet’s secure web servers (some 17 per cent) were believed to be vulnerable to attack due to Heartbleed, in addition to countless embedded devices such as firewalls and routers. An avalanche of media coverage means anyone affected has likely heard of the problem. Does that mean Heartbleed is yesterday’s story? Absolutely not. Heartbleed remains very much a live issue and one that will not be fixed quickly. The great challenge of addressing the Heartbleed vulnerability is that it requires a three-fold fix. First; organisations that have deployed the flawed version of OpenSSL must replace it with the revised version; then revoke and re-issue their SSL Certificate ; and thirdly,, notify customers to change their passwords. Any users who changed their password before step two occurred must do it again. With all this however there is an upside to Heartbleed. It has shone a spotlight on the dirty secret of Internet security – the impoverished state of password management. We use passwords to secure every aspect of our online lives. The problem is that for a password to stay effective, it must pass three simple tests: They must be unique, longer than eight characters (combing letters, numbers, symbols and CAPITALS); and changed regularly. Password generators do a great job of this – but they create passwords that are so random they can be impossible to remember. Password Managers in web browsers or third party tools like KeePas, LastPass, 1Password and Apple’s Keychain help, but they do not get around the problem that the owner of 100 web accounts should change each one four times a year – that’s more than one a day – never using the same one twice. Who has time for that? Clearly, one password per website is simply not feasible no matter which managers, generators or “shock horror” plain text word documents people might employ. The only obvious solution is to get rid of most passwords. And the fact is that

we’ve known how to do this for a long time. Using Single Sign-On type technologies such as SAML, openId or oAuth enables users to vastly reduce the number of passwords they need to manage. SAML (Security Assertion Markup Language) is an XML-based open standard data format for exchanging authentication and authorisation data between parties, in particular, between an identity provider and a service provider. Secure SAML-based Single Sign-On means users enter passwords less frequently – perhaps just once a day – so keyboard loggers and other forms of attack, both on the client as well as server end, (namely Heartbleed) become less effective – or at least vastly more difficult to exploit on a large scale. Products such as Centrify User Suite – SaaS Edition provide Single Sign-On identity management for web applications for a large range of devices and operating systems, from desktop and notebooks computers to smartphones and tablets. Centrify’s approach allows you to leverage your on-premise Active Directory (or a Cloud directory) to provide Single Sign-On to enterprise cloudbased applications. It also provides a password vault for those recalcitrant sites that have not yet implemented SAML or similar technologies. Users then need to recall only one password to access almost all online resources – with two-factor authentication for those sites where one needs extra security. In addition, by combining what you know (your password) with what you have (your registered device), these federated services can use device-attestation to provide more flexible and stronger authentication. The upside of Heartbleed is that it has hurt users and enterprises enough that they will actively consider password alternatives. Also, they will no longer accept out-dated security mantras such as “just pick a safe password and change it frequently” when it clearly does not work or scale. Users and enterprises should no longer regard SAML as just a nice to have feature – but as a business critical requirement for any website they intend staff to interact with. The websites of the world have been put on notice. Get behind certificate-based authentication, or you will risk losing your customers – with extreme prejudice! If the enduring impact of Heartbleed is to prioritise the widespread adoption of SAML-based authentication, then the payoff will be worth the pain.

Australian Security Magazine | 31

Cyber Security

Are you prepared to manage a security incident? By Garry Sidaway Global Director of Security Strategy, NTT Com Security

t’s the year of the breach. Adobe, Target and eBay fell victim to cyber-attacks and 2014 has already seen the Heartbleed bug impact the majority of organisations across the globe. With attacks getting more advanced and hackers getting smarter, businesses across all sectors are potential targets. It’s a case of when, not if, your company will be hit. Appropriate incident response is therefore critical for minimising the impact of a breach, yet 77% of organisations do not have an incident response plan at all according to a recent NTT Group report. This raises the question: are you prepared to manage a security incident? A change of plan With incidents increasing in frequency, businesses are spending more time and money on remediation – often working in the eye of a corporate storm to resolve issues at the same time as trying to maintain business as usual. Complex threats such as APT (Advanced Persistent Threats) are difficult and time-consuming to unpick and may require specialist knowledge and resources to comprehensively resolve. The problem is that businesses are turning a blind eye to the importance of defining and testing an incidence response plan. It’s time for businesses to treat information security breaches as part of their business continuity planning, which means confidently managing incidents in an efficient, low noise, repeatable manner. By having a well-defined

32 | Australian Security Magazine

plan, and recognising that security incidents will happen, organisations will be better prepared to handle incidents effectively and consistently. Any company that suffers a breach certainly would not want to repeat the experience and, by improving the maturity of its incident response plan, it will reduce the risk of future incidents as well as reduce the financial and reputational impact on the business. What does an incident response plan look like? An incident response plan is a formal process that defines what constitutes an incident and provides step-by-step guidance on how to handle a future attack. In order to limit damage and reduce recovery time and cost, it needs to be kept up-to-date and then socialised among all of the involved parties. Furthermore, tests should be carried out regularly so that people understand their roles and responsibilities. Good incident response starts with good risk insight and understanding of information assets. Not all incidents are of equal impact so every business must be able to classify an incident that occurs. This can be done by establishing a comprehensive and real-time view of network activity, which will enable an IT team to quickly recognise that its company is under attack – and then consequently implement a clear plan for appropriate remedial action. Incident response must be designed with an organisation’s

Cyber Security

goals and compliance requirements at the forefront. The right intelligence on the impact of any incident will drive a proportionate response and focus resources to minimise damage and disruption. This way, those affected will be able to resume business as quickly and smoothly as possible. Ultimately, the route to better preparation is to build a structured plan that clearly articulates the approach, benefits and measures for application risk reduction. With a clear understanding of the business and technology infrastructure, an IT team can perform network and host based forensic investigation into incident, provide incident management capability and deliver summary post incident report and recommendations.

risks and make informed decisions. If a business with no in-house capability suffers an incident, a trusted provider that is deployed would be instrumental in developing its incident response plan. The consultancy might involve: •

•

The role of compliance It is vital to understand where compliance fits into a company’s incident response process and put in place a clear procedure to meet the specific obligations for reporting incidents. This means knowing when and how to notify law enforcement or specific industry regulators and, for multinational companies, navigating through the regional variations, complex privacy laws and notification requirements. Establishing policies to share with other parts of the business affected by a breach – whether PR, business continuity, risk or customer services teams – is therefore crucial. Although it is not always essential to share information about a breach with a company’s customers and partners, it will be necessary to define and communicate a policy internally. It all depends on the nature of the incident and how early the IT team can understand and communicate what it is and what remedial action is being taken. As security breaches naturally result in some finger pointing, organisations should take advantage of internal collaboration to nurture the incident response process. There is real value in using high visibility exercises such as rapid response communication drills and tabletop exercises, which involves simulating potential incidents to improve awareness and define roles and responsibilities beyond the information security teams. As a result, organisations will often see a heightened sense of joint responsibility for effective resolution.

• •

Establishing incident management capability – incident handlers and technical analysts determine the process structure to handle the incident on the client’s behalf. Analysing forensics and containing the incident – analysts investigate, identify, analyse and contain the cause of the incident. Providing incident resolution – rapid response team provides support and guidance to the client to resolve the incident. Wrapping up the incident – trusted provider closes the incident and wraps up affected on-site activities. Delivering incident report and roadmap – support team supplied report, post incident, along with a tactical roadmap of recommendations to reduce future risk.

Moving from reactive to proactive It’s evident that faster, more efficient incident response will minimise the impact and cost of an incident and protect a company’s data. By enforcing a dedicated response team, and maximising the value of existing technology investments, every business can plan and execute a mature incident response strategy well. After all, if it is your company that is targeted, you will want to see the fastest and most efficient return to business as usual.

Don’t do it alone Mature incident response does not necessarily mean spending more on technology. Most organisations already have in place the technology they need and this includes data loss prevention, perimeter defences, and log management. What is often required is a trusted provider to help them implement an incident response plan by developing the process and people to effectively respond to an incident. This might involve working with customers to establish what skills they already have, what they would need if they were breached, and where they would go for help. The beauty of outsourcing is that it provides and augments the in-house skills of an organisation and enables that organisation to focus on building and developing its business, while the outsourcer provides the information on risks to enable the board to understand, prioritise and manage

Australian Security Magazine | 33

Cyber Security

How to be a Prepper: Surviving a DDoS Attack By Mark Webb-Johnson

Distributed Denial of Service (DDoS): The unthinkable. The thing that puts terror into the heart of an IT administrator. Preppers: Survivalists. Individuals or groups who are actively preparing for emergencies. When asked about DDoS attacks and how we can better help our customers, we always reply in the same way – “how prepared are you?” With DDoS, as with most emergency situations (such as a successful hack attack, or web site defacement), the best thing you can do is to be prepared. To think through the possibilities of such an attack, put a written plan in place as to how to respond to such an attack, and then file it away for when the unthinkable actually happens. So, here we have “how to be a prepper” (aka How to survive a DDoS attack). Source of the Attack Most DDoS attacks are external to your network. The internal ones are relatively easy to handle (find the culprit and shut him down), but the external ones are harder to stop (because you can’t easily find the culprit, and it is very hard to shut him down when his attack is using 10,000 different machines across 100 countries). For an external attack, all you can really hope to do is (a) mitigate it (reducing the impact on the services your network provides), and (b) provide clues to identify the source to your upstream providers and (optionally) law enforcement. External attacks can generally be divided into two classes: 1. Those that spoof the sender source addresses and try to overwhelm your incoming bandwidth or resources.

34 | Australian Security Magazine

2. Those that do not attempt to spoof the sender source addresses and generally try to overwhelm your outgoing bandwidth or resources. While the technology to defend against each type is very different, the general approach to plan for such attacks is similar. Denial of Service by your ISP The first step in any plan for DDoS mitigation is to talk to your Internet Service Providers (ISPs). The attack is coming in over their network on its way to attack you, and some ISPs are more concerned about their own networks than helping you. It is not unheard of for an ISP to implement upstream blocks (at their borders) for traffic destined to your network (effectively cutting you off from the Internet). If your ISP behaves like that, it does not matter what you do in your own network, your ISP is going to DoS you no matter what protections you put in place. As an example, one popular ISP has the following stated policy: – For a first-time DDoS, the attacked IP address will be blocked for a minimum of 1 day. – For any subsequent DDoS, within 3 months from the date of first DDoS, the attacked IP address will be blocked for a minimum of 4 days (even if the attack has ceased). This is the attacked IP address (ie; the victim - you), not the attacker. If you used that ISP, the first time you were the victim of a DDoS attack, you would be cut-off for 1 day. If you got attacked again within 3 months, you would be cutoff for 4 days.

Cyber Security

Resource Planning While being happy that your web server or firewall can cope with normal traffic with only 50% utilization, that 50% free capacity is likely to disappear very quickly when under DDoS attack. You need to put in sufficient equipment to deal with attack-level requests, not day-to-day level ones. This can be expensive, so do the calculations to determine what is a reasonable level of incoming requests, and outgoing replies, to plan for. Base that on the bandwidth you have available and the complexity of the services you expose. Then, work back from those calculations to determine what resources you need to be able to serve that amount of requests. It is not just about the box Planning for a DDoS attack is not just about the DDoS protection box you put in front of your network. Even the best DDoS mitigation appliances will be no good if your ISP cuts you off, or your upstream bandwidth is saturated. The military has an adage called the 7 Ps – Proper Planning and Preparation Prevents Piss Poor Performance – adhering to such advice may just save you one day. Once you have your plan in place, communicate it to your partners (ISPs, security and other service providers) as well as internally. Then, file it away in a place you can get to should the unthinkable happen. So, the first step in planning for DDoS is to talk to your ISPs and find out their policies surrounding DDoS attacks. Find the ISPs that explicitly state they will work with you in resolving the situation and will not block your IP address without express permission from you. IP Addresses – the more the merrier The next step is to look at the IP addresses you have been assigned (or own yourself, if large enough), and what public services you offer on those addresses. Try to keep a large pool of addresses free, and keep the DNS TTL (time-tolive, expiry) records short for those services (to allow you to quickly switch IPs if necessary). Often, DDoS botnets don’t correctly follow the Internet standards for caching of DNS records – they’ll continue to attack the same IP address long after you’ve switched to a different one.

About the Author Mark Webb-Johnson is the co-founder and Chief Technology Officer of Network Box. It is Mark’s technical genius that drives the innovation at Network Box. He and his team constantly develop solutions that keep the company ahead of the game. Over the years, Mark has taken on numerous projects and always come up with an ingenious solution to complex technology problems. It is hardly any wonder he won the Lord Hailsham Prize for Computer Science. Mark can be contacted at mark.johnson@network-box.com

Distribution of Services Next, try to distribute your services. Decide those which you must keep in-house and those which can be offloaded to a different network (or hopefully multiple different networks). By spreading your services across different data centres, you can increase the likelihood that you will have some availability when under attack. Simple services such as DNS are good candidates for distribution (and being UDP based, are very susceptible to spoofed source or reflection attacks).

Australian Security Magazine | 35

Cyber Security

Time for Open Source Intelligence and the ‘Deep Web’ By Tyson Johnson Vice President of Business Development, BrightPlanet

Introduction “Deep Web” is a vague description of the Internet not typically accessible by search engines. The Deep Web is often misinterpreted as the “Dark Web” and the two terms get frequently interchanged in media. While browsing the Internet, the Deep Web is usually right in front of you, you may just not notice it yet. Whether you are looking through thousands of unstructured Web pages or trying to answer narrowly targeted questions, the Deep Web and Surface Web co-exist and can help you answer some of your toughest security questions from, “Where is the next protest taking place?” to “Whose selling my companies goods online fraudulently?”. To understand how to leverage Open Source Intelligence (OSINT) from both the Surface Web and the Deep Web, it’s important to understand first where they are and what you can find there. Deep Web vs Surface Web: The difference The Deep Web is a part of the Internet not accessible to link-crawling search engines like Google. The only way a

36 | Australian Security Magazine

user can access this portion of the Internet is by typing a query into a Web search form, thereby retrieving content within a database that is not linked by standard Web pages. In layman’s terms, the only way to access the Deep Web is by conducting a search within a particular website. The Surface Web is the portion of the Internet that can be found via link-crawling techniques. Link-crawling means connecting via an HTML hyperlink from one page to another. Google can find this Surface Web data very easily. Surface Web search engines (Google/Bing/Yahoo!) can lead you to websites that have unstructured Deep Web content. Think of searching for Government Court Cases at the Common Wealth Courts Portal (https://www.comcourts. gov.au/public/esearch). Google can take you to the portal page, but it can’t find the results of your searches within the Courts Portal. By entering a search query into this database, you are completing a Deep Web search and finding Deep Web content. There are millions of disparate sources online today that contain Deep Web information; anything from government databases, travel sites, Web pages requiring logins, and even some social media pages.

Cyber Security

Dark Web and Deep Web - Not the Same Thing

OSINT and Brand Protection

The Dark Web refers to any Web page that has been intentionally concealed to hide in plain sight or reside within a separate, but public layer of the standard Internet. The Internet is built around Web pages that reference other Web pages; if you have a destination Web page which has no inbound links you have concealed that page and it cannot be found by users or search engines. One example of this would be a blog posting that has not been published yet. The blog post may exist on the public Internet, but unless you know the exact URL, it will never be found. Other examples of Dark Web content and techniques include:

A Fortune 100 company in a high-margin industry was hemorrhaging potential profits to overseas counterfeiters. These counterfeiters advertised brand name products at a fraction of the retail price on trade boards, fly-by-night websites, message boards, and social media. The company’s traditional strategy included hiring an external brand protection firm; however this solution wasn’t scalable to the wide scope of the Internet, where not only legitimate profits were being siphoned off by fraudulent websites, but also customers were using fake and illegitimate products that could cause physical harm or even death. A scalable process was developed to monitor key areas of the Internet for any mention of the company’s brand name products. Websites, message boards, trade boards, and social media were automatically monitored and collected. Websites were then flagged for counterfeit activity, accumulated and delivered to the Fortune 100 company via customized weekly reports. The reports also contained competitor’s product information, contact information, e-commerce data, and WhoIS data to help create targets of websites for fraudulent goods. Automated monitoring and collection at scale revealed a whole new level of consciousness towards illegal online markets, which could now be targeted more accurately and thoroughly.

•

• • • •

Search boxes that will reveal a Web page or answer if a special keyword is searched. Try this by searching “distance from Sioux Falls to New York” on Google. Sub-domain names that are never linked to; for example, “internal.brightplanet.com” Relying on special HTTP headers to show a different version of a Web page Images that are published but never actually referenced, for example “/image/logo_back.gif ” Virtual private networks that exist within the public Internet, which often require additional software to access.

A specific (and the most famous) example of Dark Web content is the TOR (The Onion Router) Network. Hidden within the public Web is an entire network of different content which can only be accessed through a special Web browser called the TOR browser. The TOR browser and TOR network give users a completely anonymous browsing experience through the use of dedicated proxy servers worldwide to reroute traffic through different servers. Unlike a traditional Web exchange, which finds the fastest direct route to get data from the request Web page, TOR users are anonymized by routing all data through a random route and encrypting the final destination and source address of the request many layers within (similar to an onion with multiple layers). While personal freedom and privacy are admirable goals of the TOR network, the ability to traverse the Internet with complete anonymity nurtures a platform ripe for what is considered illegal activity in some countries, including: • Controlled substance marketplaces • Armories selling all kinds of weapons • Unauthorized leaks of sensitive information • Money laundering • Copyright infringement • Credit Card fraud and identity theft Who can use Web data or OSINT There are certainly no exclusions when it comes to sectors that can benefit from gathering and analyzing data from the different areas on the Web. In the following two case studies, we’ll analyze two industries where pioneering companies have already realized the potential of Web data at scale.

OSINT and Law Enforcement Utilizing OSINT and Web data can be the missing piece to crack a different case, identify new threats, and monitor communication that may be vital in keeping communities safe. Criminals exploit whatever technology is available; therefore it becomes necessary for law enforcement to monitor the same technology. Pattern and trend analysis derived from OSINT can paint a virtual picture of a criminal’s pattern of life. For example, if an individual uses a social network to advertise illegal drugs at the same time every day, it’s likely that person will continue advertising drugs within the same time-frame until that person is caught. OSINT can be used to track threats and potential attacks by monitoring online communication against violent terms and conversations among individuals of interest. Between all of the social media outlets, message boards, and forums, monitoring what is being said and who is saying it is extremely difficult. Embracing OSINT and Deep Web It is time for security risk management practitioners to embrace and utilize OSINT data, whether it is improving the insights into ongoing Threat Risk Vulnerability Assessments, monitoring real-time for security threats during events, or monitoring for threats to their physical assets. A security professional’s goal is not only to reduce the likelihood and impact of a threat event, but to also show the return on investment to internal stakeholders creating efficiencies and reduce exposures. Leveraging open sources is no longer simply the domain of sales and marketing – it’s time for security leadership to get engaged. Australian Security Magazine | 37

2014 ICS CYBER DEFENSE FOR ENERGY & UTILITIES CAXTON INTERACTIVE TECHNOLOGY WORKSHOP

22 - 24 September 2014 Abu Dhabi, UAE CAXTONGROUP.COM

SECURING THE FUTURE OF THE ENERGY AND UTILITIES INDUSTRY: THREAT DETECTION IS THE KEY TO CYBER PROTECTION

+971 4 884 1110 or caxton@caxtongroup.com 38 | Australian Security Magazine

Available online! See our website for details

1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE

6 print issues per year for only $88.00 SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, 6 issues (1 year). ☐ ☐

AUSTRALIA INTERNATIONAL

A$ A$

88.00

(inc GST)

1 YEAR

158.00

(inc GST)

1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag), 6 issues (1 year).

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

MY DETAILS

PAYMENT

Salutation: __________First Name: __________________________________________

Please find enclosed my cheque/postal order (made payable to MySecurity Media )

Surname:______________________________________________________________

for $ __________________ or debit my:

Job Title: ______________________________________________________________ Company: _____________________________________________________________ Postal Address:__________________________________________________________ Suburb: _____________________State: _________ Postcode: ____________________ Country: ______________________________________________________________ Email: ________________________________________________________________

Card Holders Name: __________________________________________ Signature: _________________________________________________

Interested in our e-news service? Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

Expiry Date:________________ Todays Date: ______________________

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Australian Security Magazine | 39

Honeywell Building Solutions Feature

Managing identity credentials throughout the enterprise: How does integration solve this challenge? By Michael Brookes Honeywell Building Solutions

fficiently managing the security credentials of your staff and contractors throughout the enterprise can be challenging, but as physical security and information security continue to form a synergistic and symbiotic relationship, technology integration can help solve this problem. An identity management platform ensures that only appropriate users have access to corporate resources, and by integrating into systems such as HR as an authoritative source, minimise the risk of stale user accounts as a result of staff changes. As identity management systems are role based, that is functional roles within the organisation have pre-defined levels of access, changes to staff positions result in changes to permissions. These systems have the ability to audit and track users accounts, and automatically revoke access. They provide a centralised point of control for security and audit processes, and are an effective means of evaluating

regulatory compliance. Another significant reason for merging physical and IT security systems is cost reduction. By providing users with the convenience of a single enterprise-wide credential for both physical and online access, organisations have the ability to centrally provision and administer user identities and authentication. Information is entered once into a source of trust such as the HR system, which through integration into the identity management solution, automates the activation of user privileges. These solutions typically utilise a form of single-sign-on technology that removes the need for users to remember multiple passwords. This reduces the number of calls to the help-desk for forgotten passwords, hence reducing the associated support costs. Some areas that may be addressed in a consolidated security infrastructure can include:

New EBI R430

Engage with

For current EBI customers, this is more than just an upgrade, itâ&#x20AC;&#x2122;s power in your hands.â&#x20AC;&#x2039; For more information visit www.ebi.honeywell.com/en-US/Pages/homepage.aspx

www.australiansecuritymagazine.com.au/hub/honeywell

Honeywell Building Solutions Feature

Access control

Forensic analysis

A single system, utilising distributed architecture can be deployed, integrating multiple building systems into one “data management layer”. This allows for a common time and attendance and access control system to be used across all buildings, identifying who is at each building and their location, making sure that people are restricted to the areas to which they are authorised. Digital CCTV can be integrated with building events, allowing for attempts at unauthorised access to be captured for forensic analysis. Advanced video processing systems can also be used for non-motion and object size detection to identify objects left in clearways, fire exits, etc. (bomb risk). By using a common management application that allows the systems to communicate or share information, efficiency is dramatically improved, both in the way the data is managed, and how it is accessed. If these systems are built on a common backbone infrastructure, then there is a greater increase in asset utilisation. This creates consistency in the way the buildings are operated, and greater access to information, in turn reducing the overall operational costs.

Real-time behavioural analysis and forensics is achievable through the consolidation of physical and IT security audit data. By collecting and correlating security related data from across the enterprise and analysing it on a 24 x 7 basis, detailed forensic analysis can be performed in the event of a security breech. This enables organisations to quickly and automatically detect suspicious behaviours and establish accountability in case of a security incident. Deviations to common access paths can generate alerts and logical access can be matched to physical access for user authentication. The convergence of physical security and information security is not without its challenges. Creating a culture in which physical security and IT personnel work well together can be difficult; these staff often have different perspectives, priorities and reporting relationships. This factor alone suggests that a culture of corporate security management needs to be driven from the highest levels within the organisation, ideally with visibility and representation at board level. There needs to be a demonstrable return on investment (ROI) and an alignment with the overall business objectives; all initiatives should be part of a longer term strategy to decrease the level of security risk and exposure. This strategy needs to cascade down through the organisation to match business unit goals, and needs to have similar levels of priority as the business initiatives. The process for successfully implementing a converged security infrastructure requires focus in a number of areas.

Single credential Providing a single smart card platform allows for efficient physical and logical access control across multiple sites. This allows for the protection of company data, enabling secure logon, data access and data transmission within sites, between sites and via remote access. Smart cards can be combined with a biometric platform for high security areas such as computer rooms and laboratories/research areas. Asset control Using a consolidated security infrastructure allows organisations to match people and assets (eg laptops) for security and asset management. Implementing a real time asset location system allows for assets to be classified and for access and/or removal of assets to be restricted to the nominated asset owners. Integration of these systems with digital CCTV allows for attempts at unlawful access or removal of assets to be captured. Real time asset location can reduce the costs associated with lost or stolen assets, as well as assist in identifying the true utilisation of selected assets. Decisions can then be made based on factual data as to the level of inventory to be held and maintenance requirements, as well as being able to recall assets in line with any leasing arrangements.

Organisational alignment By obtaining a thorough understanding of the organisational tolerance to risk, the depth of security requirements can be ascertained. This needs to take into account the security requirements at a business unit level. Roles and responsibilities for security need to be defined throughout the organisation with involvement from physical security personnel, IT, business units and vendors. Process alignment The security requirements of business processes and operations should be defined, with enterprise-wide security solutions being integrated into processes and applications. Process owners and users need to be made aware of the importance of security. Strategies and architectures Security strategies and architectures need to be clear and

Honeywell EBI

Why Integration Matters

S trategic control and optimized performance with Honeywell Enterprise Buildings Integrator. For more information visit www.ebi.honeywell. com/en-US/Pages/ homepage.aspx

L earn how integration enables positive business outcomes.

For more information visit www.ebi.honeywell.com/en-US/Pages/homepage.aspx

www.australiansecuritymagazine.com.au/hub/honeywell

Honeywell Building Solutions Feature

actionable, with a level of flexibility to address potential changes to the organisation or technology. Technology integration It is important to be involved in selecting the technology solutions to ensure that organisational requirements are met. It is wise to pilot selected technology to validate the solution. Once validated, the solution should be implemented in phases, allowing for the highest priority areas to be dealt with first, with ongoing testing of performance and functionality. Roll-out A roll-out strategy should be developed that allows for the solution to be deployed in phases. It is vital to ensure that all of the stakeholders are adequately trained in order to gain their continued buy-in. Once rolled out, ownership should be transferred to the appropriate business units or functions. Maintenance Ongoing maintenance of corporate security management requires adherence to the initial business policies and procedures. Regular audits should be performed to confirm that policies and rules are being abided by, and the solutions modified in line with changes to the business.

There are clear benefits to be derived from an active, strategic approach to corporate security management and the implementation of a converged security infrastructure. Organisations can take a holistic view towards risk management and compliance whilst reaping the rewards of systems that have lower costs of administration and support. Organisations seeking to embark on such a strategy need to be clear on the outcomes expected, and ensure that buy-in is gained at all levels; these strategies need to be closely aligned with business objectives, and not be viewed as simply an IT security project. A phased approach should be taken and appropriate time allocated to the process. Key objectives should be set to measure the benefits of each stage as it is rolled out. It is important to work with organisations capable of delivering comprehensive and best-of-breed security solutions. This provides the benefits of accountability, risk mitigation and knowledge transfer not typically available from a multi-vendor approach. Finally, it is vital to implement auditing, monitoring and reporting processes to ensure on an ongoing basis that requirements are being met, and adjust the systems according to changes in the business or risk profile.

The Honeywell HUB is now LIVE! Learn more about what Honeywell can do for your organisation. Includes videos and case studies.

www.australiansecuritymagazine.com.au/hub/honeywell

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

The new P39-R Network Camera