THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 9, 2019
Cover stories:
• Banking Trojan targets users of Australian government services
• Cyber professionals and personal liability
• Cyber-Attribution Does Not Matter
• Financial industry security APRAisals
• Making smart cities cyber secure
• Three things that will simplify and streamline PCI compliance
• Human centric security: Exploiting trust – the billion-dollar criminal industry
• How can SMBs overcome cloud security fears and passivity?
• Cyber crisis: attack on Parliament, policy makers and sovereignty
• Plus: Cyber Security Weekly podcast highlights, new book and report reviews
Editor: Tony Campbell
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij
Marketing and Advertising: email@example.com
Correspondents & Contributors: Rob van Es, Emily Major Goldsmith (www.cyberriskleaders.com)

Copyright © 2019 - My Security Media Pty Ltd, GPO Box 930, Sydney N.S.W 200, Australia. E: firstname.lastname@example.org. All material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Contents
• Editor's Desk
• Feedback loop - have your say!
• Cyber Attack on Australian Parliament, Policy Makers and Cyber Sovereignty
• Thwarting SOC challenges with automation orchestration
• How can SMBs overcome cloud security fears and passivity?
• Cyber-Attribution does not matter
• Banking Trojan targets users of Australian government services
• Editor's book review
• Editor's report review
• Net Events Global IT summit
• We're what Westfield is for retail but we're the Westfield of IT
• Australia's northern surveillance
• Three things that will simplify and streamline PCI compliance
• Financial industry security APRAisals
• Thwarting SOC challenges with automation orchestration
• Making smart cities cyber secure
• Human Centric Security
• Exploiting trust – the billion-dollar criminal industry
• Cyber professionals and personal liability
• Selecting communications tools that enable remote work
• Better security through collaboration and reuse
• Dawn of CASB – The return!
Editor's Desk

It’s been an interesting few months for the Australian National University (ANU), especially in the wake of the massive data breach they reported back in June 2019. Vice Chancellor, Professor Brian P. Schmidt AC, committed to making the full investigation public following this incident; a move that was incredibly brave and showed a level of integrity and honesty rarely seen in the wake of such a crippling cyberattack. In fact, Professor Schmidt, in his foreword to the report, states, “To my knowledge, this publicly available report is the first of its kind in Australia following a cyberattack on a public institution.” He goes on to explain his reasons, again showing a level of maturity that should be adopted as the de facto approach for all Australian organisations. “I have made this report public because it contains valuable lessons not just for ANU, but for all Australian organisations who are increasingly likely to be the target of cyberattacks. It is confronting to say this, but we are certainly not alone, and many organisations will already have been hacked, perhaps without their knowledge. I hope this report will help them protect themselves, and their data and their communities.”

The ANU investigation certainly makes for interesting reading and I’d urge all our readers to download and share it with their peers. However, it’s too broad to do justice to in a summary in this editorial, so rather than try, I wanted to focus on one aspect that stood out to me that I think is worth considering. The breach was discovered not because ANU has the most advanced security analytics, machine learning, SIEM systems, artificial intelligence or modern endpoint detection and response technology; rather, early indications of the attack were discovered “in April 2019 during a baseline threat hunting exercise.”

Threat hunting may be considered by some as just the latest buzzword being used in the cybersecurity industry, and the reality is that it’s simply repackaging an approach to cyber defence that’s been around for a while, albeit largely underutilised in most organisations (or not done at all). But what exactly is threat hunting and why is it important?

Unlike the cyber technology fads that repackage older technologies as something new, threat hunting is an old approach to looking on systems for evidence of bad actors, built on a foundation of investigative rigour and science. Threat hunters follow a systematic and repeatable process of digging through networks, systems and applications for digital evidence that indicates an attack is or has been present in their systems. In many cases, threat hunting is a precursor to incident response, while in others it follows incident response, where the hunting team takes the response activities to the next level of analysis. Cyber incident responders will try to recover systems and return users to a functioning state while expunging the threat actors from the network; the threat hunter, however, will tenaciously keep looking, turning over every stone and digging through every wood pile, looking for the one scrap of evidence that shows the threat actors were up to more than initially expected, or uncovering a deeper or more evasive threat hidden behind the veil of the overt attack the response team dealt with.

Cyberattacks are more complex than they have ever been, because there is an imperative for them to evade detection. With the added sophistication and widespread sale of well-supported and adaptable crimeware on the digital underground, a greater number of attackers are compromising their targets using multiple exploits. Blended attacks are also not new, but integration between malware kits, with overt malware payloads deployed to cover the tracks of the real attack, which embeds itself in the network and remains undetected for weeks or even months before being activated, means the response team has done its job and moved on to the next issue, while the attacker sits back and bides their time until the initial heat dies down.

The threat hunting team often begins its journey by mapping the threats their organisation might face, building profiles of who those actors are and why they are attacking them. They will also determine what the threat actor’s motivations would be and what information they might be after, or what kind of compromise they seek (integrity or availability attacks are as likely as confidentiality). In the planning stage, the team will also build a model of the tactics, techniques and procedures (TTPs) the threat actors use (based on what’s been seen elsewhere) to determine what evidence might be produced during such an attack. The hunting team then proceeds to build a hypothesis, much like the scientific community would build an experimental hypothesis, and then they begin testing to see if it stacks up through each iteration of lab work and live trials. The hunters will seek evidence of the TTPs being used, which can involve processing hundreds of gigabytes of logs, files, system images and data, looking for specific indicators of compromise or attack that tell them something bad has happened (or is happening).

It’s this threat hunting approach of systematically looking for evidence that ANU used to locate the attack that compromised their student database. Without it they may never have detected the compromise and all those students who are now at risk would be none the wiser. As it stands, while the data was still exposed, at least those affected know it happened and can put systems in place to defend themselves from identity theft and fraud. At least they are now aware.

This issue covers a lot of ground. We look at some of the new technologies in the market, such as Cloud Access Security Brokers, CASBs (Annu Singh), and look at education from the point of view of students coming into the security industry for their first gig after college (Emily Major-Goldsmith). We also have a short article that looks at how you should approach dealing with APRA’s new security guidelines (David Stafford-Gaffney), and an interesting article that asks how SMBs can overcome their cloud security fears, given many see the cloud as a means of losing control over their data (Amigorena). We have a selection of other articles that are worthy of mention, such as Samantha Humphries’ discussion on security orchestration and automation and Dan Lohrmann’s dive into the security issues with modern smart cities. We hope you enjoy this issue of the Australian Cyber Security Magazine and if you have questions, letters or want to see specific coverage about topics close to your own hearts, let us know and we’ll see what we can do. Until next time, stay safe and keep secure.

Tony Campbell and the Editorial Team
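The hypothesis-driven hunt the editorial describes (map the likely TTPs, state a hypothesis, then test it against logs for indicators of compromise or attack) can be shown in a few dozen lines. The script below is an added example written for this page; it is not ANU's or the magazine's code. It assumes syslog-style sshd "Accepted" lines, and the log lines, account and host names, indicator list and thresholds are all constructed for illustration. The hypothesis under test is "a stolen account is being used to move laterally", so the script runs two passes: a plain indicator match against a (placeholder) bad-IP list, and a behavioural check for any account reaching an unusual number of distinct hosts inside a short window.

```python
"""Hypothesis-driven threat hunt over constructed SSH auth log lines.

Hypothesis (constructed for this example): a threat actor holding one stolen
account is moving laterally, so that account will appear logging in to an
unusually large number of distinct hosts within a short window, possibly from
an address on a known-bad list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style sshd "Accepted" events); not real data.
SAMPLE_LOG = """\
2019-04-02T09:00:01 web01 sshd[1001]: Accepted password for svc_backup from 10.0.0.5 port 50123 ssh2
2019-04-02T09:00:40 db01 sshd[2001]: Accepted password for svc_backup from 10.0.0.5 port 50124 ssh2
2019-04-02T09:01:10 app01 sshd[3001]: Accepted password for svc_backup from 10.0.0.5 port 50125 ssh2
2019-04-02T09:01:55 app02 sshd[3002]: Accepted password for svc_backup from 10.0.0.5 port 50126 ssh2
2019-04-02T09:02:30 fs01 sshd[4001]: Accepted password for svc_backup from 10.0.0.5 port 50127 ssh2
2019-04-02T09:30:00 web01 sshd[1002]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
2019-04-02T10:15:00 app01 sshd[3003]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
2019-04-02T11:00:00 db01 sshd[2002]: Accepted password for bob from 198.51.100.77 port 52000 ssh2
"""

# Constructed indicator list standing in for threat-intel IoCs (placeholder value).
KNOWN_BAD_IPS = {"198.51.100.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def match_iocs(events, bad_ips=KNOWN_BAD_IPS):
    """Indicator pass: successful logins from addresses on the bad list."""
    return [e for e in events if e["src"] in bad_ips]


def find_lateral_movement(events, window=timedelta(minutes=5), min_hosts=4):
    """Behavioural pass: accounts that reach >= min_hosts distinct hosts within `window`.

    Returns {user: sorted list of hosts} for the first window that trips the threshold.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("IoC hits:", match_iocs(evs))
    print("Lateral movement candidates:", find_lateral_movement(evs))
```

On the constructed data the indicator pass flags only the login from the listed address, while the behavioural pass flags the service account that touched five hosts in under three minutes, which the indicator list alone would never have caught; that is the difference between matching known-bad and testing a hypothesis. In a real hunt the window and host-count thresholds would be tuned against a baseline of normal administrative activity.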
WRITE FOR US!

Reach out to over 10,000 industry professionals per month!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:
• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: email@example.com

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out to over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at: firstname.lastname@example.org
How can SMBs overcome cloud security fears and passivity?
By François Amigorena

The use of cloud storage has been increasing over the past few years due to the huge benefits it brings to businesses. Not only does it increase flexibility within the business, it also greatly improves productivity. Nowadays, organizations can’t afford not to use the cloud. However, cloud storage can be risky. Some of these risks are technical and some are more human. In fact, 61% of small to medium sized businesses (SMBs) believe their data is not safe in the cloud for technical reasons. Furthermore, the current attitude towards cloud storage is driving bad security decisions and damaging data security.
SMBs are worried about their data in the cloud

SMBs find it very hard to trust a third party with their valuable data for the simple reason that once it lives in the cloud, they lose complete visibility and control over it. Old fears are still very much present.
It is difficult to detect unauthorized access

Nowadays, the detection of unauthorized access to sensitive data represents one of the biggest cloud security concerns. When files and folders are stored on on-premises file servers, data is pretty secure considering that you need to be physically present in the office to access this data. Even with remote employees or partners using VPNs, access can be restricted to specific devices only, which keeps the data relatively secure. On the other hand, when files and folders are stored in the cloud, they can be accessed from anywhere in the world, using any device. This greatly increases the chance of unauthorized access, leading to major security concerns for the IT teams who are having trouble detecting misuse. Businesses must have the right access controls in place because if an employee’s credentials were to be compromised, the attacker could possibly access sensitive data from wherever he wants and on whatever device he wants. 21% of SMBs said they keep their most sensitive data stored on on-premises infrastructure because they don’t trust its security in the cloud. Because of the lack of visibility of who is accessing these files and folders, they are worried that the data might end up in the wrong hands.

It is easy for leaving employees to steal data before they go (and hard to stop)

It’s not easy for security teams to spot and stop employees who are leaving the organization from stealing valuable files before they go. For the same reasons as above, this is much easier to spot when data is stored on a physical desktop computer. With data being accessible from anywhere, cloud storage makes it easy for outgoing employees to steal data before they leave.
It is tough to manage complex hybrid storage environments

This worry is obviously linked to the other two, and complex hybrid environments can actually make the other two issues much worse. Having a mix of cloud storage providers and a mix of on-premises servers helps a lot with productivity, which is why many businesses have a hybrid environment these days. However, managing the security of data stored across multiple environments becomes much more challenging. Actually, 56% of SMBs said that managing the security of data living in hybrid infrastructures is difficult. It’s hard because each cloud provider manages security differently. If you don’t actively monitor access to each platform on an ongoing basis, you’ll have difficulties detecting any malicious activity and stopping data theft.
The current mentality towards cloud storage is damaging data security

Cloud storage security is also affected by some human risks. The current mentality regarding cloud storage does not contribute to ensuring security; quite the opposite, actually.
“My data is more important than yours”

Almost half of SMBs consider their own data to be more important than their clients’ data. What’s very worrying is that when they were asked what they considered to be “sensitive”, 74% said corporate credit card data and 71% said personal information about employees, yet only 62% said client contact information and 52% said client data in general. From the above answers, we can see a lack of concern for client data, which is pretty disturbing. Organizations and supply chains are collaborating more and more, which means that almost every business that is connected to the internet stores client data on their systems (whether it’s living on email servers or with cloud storage providers). So, how would you feel knowing that the security of your data is managed by one of your suppliers who thinks it’s less sensitive than you do?
This mentality is leading to poor security decisions

As we said before, many SMBs consider cloud storage to be insecure and they think that they have to put up with it to benefit from better productivity and flexibility. 45% said that moving to the cloud has negatively affected their security. Knowing that, it’s not surprising that 49% believe that the native security of cloud storage providers is not strong enough to ensure data protection. So, what are businesses doing about it? Well, not much. 80% only rely on the native security of their cloud storage provider, despite thinking that its security isn’t strong enough. Only 10% are using a third-party cloud file monitoring tool to detect suspicious behavior and prevent unauthorized access.
And damaging data security!

Data breach detection is a challenge for businesses, but it is vital. 29% said that they had suffered a breach of files or folders since they moved to the cloud for storage. Even more worrying, 15% said it would take several weeks before they would find out whether unauthorized access took place or not. This is pretty serious. The more time you give a hacker to look around your systems, the more leverage he can gain over your company. He can steal files and folders or move laterally across your systems to find a workstation with admin rights, and then he can upload ransomware or shut down your network.
How to overcome cloud security fears and passivity

This mentality towards cloud storage, the reliance on the native security of cloud storage providers and the amount of time it takes to detect a breach need to change. Supply chain attacks are increasing, so it only takes one mistake or accident by one supplier to compromise your data. And what’s worse is that you might not even know about it. More and more, organizations consider the cybersecurity of their partners before working with them. It is therefore essential that organizations can demonstrate they’re looking after their clients’ data to keep them safe. But how can they do that? They have to monitor access to files and folders stored on premises and in the cloud. However, doing that manually is extremely time-consuming and expensive. Also, it is very difficult to detect unauthorized access when a hacker is using compromised credentials. This is why you need to invest in technology. You need a solution in place that will constantly monitor access to files and folders across all of your servers (whether in the cloud or on premises) and alert the IT team if any kind of suspicious behavior happens. Visibility is the key. And the best way to get visibility is to have a single, consistent view of your file activity whether stored on premises or in the cloud. This will drastically reduce the risk of leaking data (whether it’s yours or your clients’).

About the Author

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations. Its customers include the FBI, the US Air Force, the United Nations and Barclays — each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, quickly respond to IT emergencies, and save time and money for the IT department.
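The single, consistent view of file activity across on-premises and cloud storage that the article above recommends, with alerts on suspicious behaviour, can be sketched in code. The script below is an added example written for this page; it is not IS Decisions' product or the author's code. It assumes two audit sources with different field layouts (a Windows-style file-server record and a cloud-storage record), normalises both into one event schema, and then runs the same two checks over the combined stream: bulk reads or downloads by one account inside a short window (the departing-employee pattern) and access from an address never seen before for that account (the compromised-credential pattern). All records, account names, addresses, the baseline and the thresholds are constructed placeholders.

```python
"""Unified file-activity monitoring across on-premises and cloud storage.

Added example with constructed data (not a vendor product): two audit sources
with different field layouts are normalised into one event schema so that the
same detection logic runs over both. Two checks are applied:
  * bulk_reads      - one account reading/downloading many files in a short
                      window (the departing-employee pattern)
  * unknown_sources - access from an address never seen before for that
                      account (the compromised-credential pattern)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed on-premises file-server audit records (Windows-style account names).
ONPREM_AUDIT = [
    {"time": "2019-06-03T08:10:00", "account": "CORP\\jsmith",
     "file": "\\\\fs01\\finance\\q2.xlsx", "op": "read", "src": "10.1.1.20"},
    {"time": "2019-06-03T08:12:00", "account": "CORP\\jsmith",
     "file": "\\\\fs01\\finance\\q3.xlsx", "op": "read", "src": "10.1.1.20"},
]

# Constructed cloud-storage audit records with a different field layout.
CLOUD_AUDIT = [
    {"ts": "2019-06-03T12:00:00", "user": "amy@example.com", "path": "/HR/payroll.xlsx", "action": "view", "ip": "203.0.113.9"},
    {"ts": "2019-06-03T17:02:00", "user": "jsmith@example.com", "path": "/Clients/list.csv", "action": "download", "ip": "10.1.1.20"},
    {"ts": "2019-06-03T17:02:30", "user": "jsmith@example.com", "path": "/Clients/contracts.zip", "action": "download", "ip": "10.1.1.20"},
    {"ts": "2019-06-03T17:03:00", "user": "jsmith@example.com", "path": "/Clients/pricing.xlsx", "action": "download", "ip": "10.1.1.20"},
    {"ts": "2019-06-03T17:03:30", "user": "jsmith@example.com", "path": "/Clients/proposals.zip", "action": "download", "ip": "10.1.1.20"},
    {"ts": "2019-06-03T17:04:00", "user": "jsmith@example.com", "path": "/Clients/notes.docx", "action": "download", "ip": "10.1.1.20"},
    {"ts": "2019-06-03T17:04:30", "user": "jsmith@example.com", "path": "/Clients/renewals.csv", "action": "download", "ip": "10.1.1.20"},
]

# Constructed baseline: source addresses previously seen for each account.
BASELINE_SOURCES = {"jsmith": {"10.1.1.20"}, "amy": {"10.1.1.30"}}


def normalise(onprem, cloud):
    """Map both record layouts onto one schema keyed by a canonical user id."""
    events = []
    for r in onprem:
        events.append({
            "ts": datetime.fromisoformat(r["time"]),
            "user": r["account"].split("\\")[-1].lower(),   # CORP\jsmith -> jsmith
            "path": r["file"],
            "read": r["op"] in ("read", "copy"),
            "src": r["src"],
            "source": "onprem",
        })
    for r in cloud:
        events.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "user": r["user"].split("@")[0].lower(),          # jsmith@example.com -> jsmith
            "path": r["path"],
            "read": r["action"] in ("download", "view"),
            "src": r["ip"],
            "source": "cloud",
        })
    return sorted(events, key=lambda e: e["ts"])


def bulk_reads(events, window=timedelta(minutes=10), threshold=5):
    """Accounts with >= threshold read/download events inside any `window`.

    Returns {user: highest count seen in one window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["read"]:
            by_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in by_user.items():   # times are already in order
        j = 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            count = i - j + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def unknown_sources(events, baseline):
    """Events whose source address is not in the account's baseline set."""
    return [(e["user"], e["src"], e["source"])
            for e in events if e["src"] not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    evs = normalise(ONPREM_AUDIT, CLOUD_AUDIT)
    print("Bulk read alerts:", bulk_reads(evs))
    print("Unknown source alerts:", unknown_sources(evs, BASELINE_SOURCES))
```

Because both checks run over the normalised stream, an account's on-premises reads and cloud downloads count towards the same window, which is exactly the cross-environment visibility the article argues a hybrid setup otherwise lacks. On the constructed data the bulk check fires for the account that pulled six client files in under three minutes from the cloud share, and the source check fires for the account seen from an address outside its baseline.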
Cover Feature Cyber Security
Cyber Attack on Australian Parliament, Policy Makers and Cyber Sovereignty
By Mohiuddin Ahmed PhD, Academic Centre of Cyber Security Excellence, School of Science, Edith Cowan University, Australia

It has been said to be a job done by a state actor, considering its scale. Yet the purpose of the recent cyber-attack on the server of the Australian Parliament, which affected the personal data of several MPs from the Labor, Liberal and National parties, is still indeterminate. Despite Prime Minister Scott Morrison’s public announcement on 08 February 2019 that the attack was not an assault on the elections, the spectre of a threat to Australian sovereignty still looms. The cyber security pundits have already given their verdicts about the scale of the attack. But what seems to be confusing is its nature. As has been mentioned by both technological and policy experts, no data has been lost. Nothing has been taken. But the absence of any takeaway might be even more alarming. This could imply a larger objective of getting the blueprint of the whole cyber structure of Australia. Statistically speaking, the Parliament is one of the best samples in the nation’s cyber infrastructure population.

Not only the parliament, but also private sectors such as Australian businesses are not off the hook. As reported by the IBM Security Cost of a Data Breach Report 2019, Australian businesses lost three million dollars in the last year alone and took 281 days to recover from data breaches. Banks especially are prime targets for hackers. The recent attacks on the Australian education sector are also alarming, as highlighted by the recent data breaches at ANU and Australian Catholic University. The personal details of students and staff such as names, addresses, dates of birth, phone numbers, personal e-mail addresses and emergency contact details, tax file numbers, payroll information, bank account details and passport details have been accessed by the hackers. Any combination of these details can be used to jeopardise the lives of individuals. For example, the hackers can go to any of the physical addresses and can hack into the Wi-Fi network to harvest the credentials used by the residents. Therefore, it is not only the individual at the organisation under cyber-attack who is exposed, but also their friends and families. The passport details could be used to masquerade as the holder and, in the worst case scenario, temporary residents could be in danger, followed by mayhem in international affairs and trade.

But what does it mean for policymakers? The Chinese Ministry of Foreign Affairs has already denounced the hint of accusation towards them. Well, authentic or not, a cyber-attack of such a scale is another strong testimony that the rules of geopolitics and nation state dynamics have already transformed. As geographic borders need defending, so does the digital border, maybe even more so. The rubric of sovereignty now beholds another parameter, named technology and cyberspace, which has its own rules. An attack of such a scale is hence a wake-up call for policymakers to become more tech-educated and inject more investment in attaining excellence in the same at the national level. A chronic skill shortage in the area of cyber security amplifies the risks and potential cost of future data breaches. Australia needs 100K ICT skilled personnel by 2024, according to the Australian Computer Society president. The argument of the passage above might sound trivial, but the fact is that process inertia, a lack of understanding and a little bit of information asymmetry have resulted in a governance void in the cyber-superstructure. The good news: most of the nation states are catching up; the bad news: some are being faster in doing so.

The obvious question then is what possible value a policy intervention could add to the amazing work of experts in the field. Well, the answer surely doesn’t lie in the ‘Cold War’ model. Geopolitics and technological advancement have now shed their high-flying exclusivity and gained enhanced pace in mass usage. As it connects through porous boundaries on the one hand, it reduces predictability on the other, making the human-machine quantum dynamics more chaotic. This has happened due to a lack of clear policy objectives from the political leadership. Again, this in no way implies or calls for seizure of the freedom to innovate and propagate technology for humanity. Therefore, the question is, where does Australia stand in this spectrum of cyber capacity? As day-to-day state affairs start utilising more of the gifts of the fourth industrial revolution, the more threat of exposure they face. Hence, rather than bickering about the good old James Bond days, greater investment in tech-education at all levels and more realistic projects through policy and technology collaboration and coordination would help Australia to carve out the optimal and coherent national strategy for foreseeing and preventing such crises in the future. The recent investments and renewed interest from policy makers are good gestures; however, the influx of cyber security graduates also needs to be contained strategically. From the strategic and sustainable growth points of view, the 2019 version of the Australian international cyber engagement strategy is commendable; however, the impact is yet to be tangible due to the numerous incidents in the same year, as discussed earlier.

The strategies adopted by other nations such as India, China and Russia already reflect how crucial the cyber issue is and how it impacts national security. India is enforcing all foreign organisations to store data locally. This is not only ensuring national security but also invoking sovereignty in cyber space. China is undoubtedly the forerunner in global supremacy in artificial intelligence and cyber security. According to international affairs, Beijing, with its new cybersecurity law and its overall push towards global supremacy in artificial intelligence, might seem like a rogue actor on the international scene. All foreign business needs to be conducted using local data server providers to maintain security and sovereignty in cyber space. Russia has planned for locally produced software and mobile phones to be used by public servants, which reflects the need to create a cyber boundary and air gapping to prevent external cyber threats.

About the Author

Mohiuddin Ahmed attained his PhD in Computer Science from UNSW Australia. In his PhD, he made practical and theoretical contributions in big data analytics (summarisation) for a number of application domains. He is currently exploring blockchain for ensuring the security of healthcare devices, having secured the prestigious ECU Early Career Researcher Grant. Currently, Mohiuddin is an editorial advisory board member of Cambridge Scholars Publishing Group in the UK and Associate Editor of the International Journal of Computers and Applications (Taylor & Francis Group).
REPORT REVIEW: SPECIAL REPORT HIGHLIGHT

Australia's first national cyber crisis: Malicious intrusion into the Australian Parliament House computer network: ASD Annual Report 2018 - 2019

Figure: Cyber Incident Categorisation Matrix, including the number of incidents between 1 July 2018 and 30 June 2019.

Reference to the ASD Annual Report 2018–19, dated 10 October 2019, and the opening summary by Lieutenant-General John Frewen, Acting Director-General: “Throughout 2018–19, Australia was targeted by a range of actors who conducted persistent cyber operations that posed significant threats to Australia's national security and economic prosperity. The most concerning activity was the deliberate targeting of private and public sector organisations for valuable intellectual property, the personal information of Australians, and Australian Government and Defence information… There were significant phishing campaigns, business email compromises, cryptocurrency mining, credential harvesting and the use of ransomware. It is clear that ASD's operating environment will remain complex and challenging. We are mindful of major shifts in the strategic landscape, including security and stability across the Indo-Pacific. We face a rising threat to our national security, economic prosperity and social wellbeing from foreign interference, espionage and cybercrime. During 2018–19, the ACSC responded to 2164 incidents of varying significance, including Australia's first national cyber crisis (C1). The C1 incident saw the ACSC operate at a heightened state of activity to provide advice and assistance to Australia's major political parties and government agencies after they were targeted by a sophisticated state-sponsored actor (see Case study 1: Malicious intrusion into the Australian Parliament House computer network). Of the other incidents reported to the ACSC, 40 per cent were for low-level malicious attacks, including targeted reconnaissance, phishing emails and non-sensitive data loss. Members of the public reported the highest number of incidents, making up approximately one quarter of all reports received.”
ISACA’s SheLeadsTech program seeks to increase the representation of women in technology leadership roles and the tech workforce. sheleadstech.isaca.org
RAISING AWARENESS We will work to educate employees, allies, and engaged professionals so that we can overcome unconscious bias.
PREPARING TO LEAD Our training and skills development programs will prepare current and upcoming female leaders for the digital future.
BUILDING GLOBAL ALLIANCES Through strategic partnerships, we will amplify our impact beyond the ISACA network and support our chapters as they tackle the unique challenges in their region.
Cyber-Attribution does not matter
By Daniel Marsh
Attribution is the action of ascribing an event or task to a subject. *yawn* I prefer to describe attribution as pointing fingers and laying blame when and where it is undue. It is often talked up as a critical aspect of cybersecurity, where identifying the how is as important as identifying the who, which theoretically allows for the identification of the perpetrator, permitting justice to be served. I pose a couple of questions which I will explore in my musings below:
• Is attribution worth the time and effort and can we get it right?
• Is it possible to be certain beyond a reasonable doubt with attribution in the digital world?
TL;DR? Skip to the next page, ‘Where does attribution fit into the value chain?’
So, you got compromised?
Let’s set up a hypothetical and completely theoretical scenario. A service is exposed to the Internet, perhaps SSH or HTTP, a web application or database, and it gets compromised. Malware is loaded, runs successfully and spreads laterally, resulting in the organisation’s systems becoming members of a massive botnet. The threat actor uses the botnet as a backdoor to the environment and obtains critical data regarding the victim. The threat actor also damages the core business platform (energy, financial, safety, etc…), which results in catastrophic failure and the inability of the business to deliver reliable and functional resources (and therefore profit). Loot (intellectual property) is taken and sold on the dark web. Some months pass, the organisation has recovered (mostly), the loot is leaked, and the victim company no longer has any private intellectual property… they’ve lost competitive advantage and probably have not removed the bots from their environment.
Detection and Response
We carry on from that scenario: in a reasonably secured network the attack was identified, and detection systems alerted key personnel who would act to contain the threat and then eradicate the threat. Working against them was the automatic propagation of the malware and protection systems that were not configured in such a way that would prevent the attack. This included misconfigured antimalware with incomplete endpoint protection deployments, an IPS that was still in learning mode and firewalls that were not strategically placed. Now, everything above is just boring guff to get you in the right headspace. We have an active threat actor in the environment, and we work through the phases of incident response to contain, respond, recover, and learn.
1. The threat was successfully identified.
2. Personnel responded in accordance with the incident management procedure.
3. The threat was, ultimately, contained. Irreversible damage was done through the leak of the organisation’s intellectual property.
Attribution
And there is where attribution fits in… right? The organisation wants justice (vengeance?) and possibly compensation for the damages done, or perhaps they are being good citizens and trying to stop the threat actor. Why they want attribution is not a question, so we are not delving into this here. Attribution requires analysis of all data that is, directly and indirectly, related to the event. Key to this is identifying patient zero (the subject that first showed symptoms) and the root cause (why the attack was successful). Breaking this down, we have the following subjects (not a complete list):
• Who reported the event;
• Where the event was detected;
• Determination of patient zero;
• Remote hosts that communicated with patient zero;
• Devices connected to patient zero;
• Local hosts that communicated with patient zero; and
• Corporate hosts that communicated with patient zero.
If we take some common scenarios, a USB key drop, a successful phishing campaign and exploitation of a vulnerability (0-day or not), each one of these has a human component: a person dropped a USB key, and someone picked up that key and inserted it into a computer; a person crafted the phishing e-mails and hit “send” and someone opened that phishing e-mail and accessed the malware; a person identified an exploit and a person executed an exploit against a vulnerable system.
Identifying who that person is might be very difficult, requiring cooperation and coordination between multiple parties, some of which may not be interested in the investigation and unwilling to assist (there’s no reason why they should unless you are the law).
On USB keys
Obtaining CCTV footage of people in a car park where the USB keys were dropped might show a face, and unless known to the viewers, how useful is it? Do you have a facial recognition database? Unless you are law enforcement, probably not. Even if the USB key dropper is identified, they may not be responsible for loading the keys with malware ($50 can persuade many people). So who gave them the money, how many times did that occur, and where?
On phishing
You have tracked the “Received-by” headers outside of your organisation, through several relays and finally identify one in a foreign country. Chasing down the admins of the originating mail server, hoping they store logs and will give you access, takes time and patience, but were the e-mail headers forged? What if one of the relays was also malicious and rewrote all previous Received-By headers? What if they just pointed to a completely legitimate mail provider (Gmail, Outlook, Yahoo) who may act on your behalf to shut down the account but will not release information to you? How can you be so certain that the phish is providing you with good information to use as intelligence in your investigation?
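The point about relay headers can be made concrete from the receiving side. The following is an added example, not code from the article: it parses the Received: headers (the article calls them “Received-by” headers) of a constructed message and marks where the chain leaves the relays you operate. Every host name, address and the OUR_HOSTS set are assumptions for the example. Each relay prepends its own Received: line, so only the lines written by your own servers record something you observed; every line below them arrived as text supplied by remote systems and could have been forged or rewritten by any relay on the way in.

```python
"""Walk the Received: chain of an e-mail from the recipient's side.

Added example (not from the article). Lists the relays a message claims
to have passed through and splits the chain into hops written by hosts we
control and hops we cannot verify without someone else's logs.
"""
import email
import re
from email import policy

# Constructed sample message: every host name and address is made up.
RAW_MESSAGE = b"""Received: from relay2.example-isp.net (relay2.example-isp.net [203.0.113.7])
\tby mx1.victim.example (Postfix) with ESMTPS id 4ABCD
\tfor <finance@victim.example>; Mon, 7 Oct 2019 09:12:01 +1000
Received: from mail.partner.example (mail.partner.example [198.51.100.22])
\tby relay2.example-isp.net with ESMTP; Mon, 7 Oct 2019 09:11:58 +1000
Received: from gmail.com (unknown [192.0.2.99])
\tby mail.partner.example with SMTP; Mon, 7 Oct 2019 09:11:40 +1000
From: accounts@partner.example
To: finance@victim.example
Subject: Invoice attached

Please see attached.
"""

# Assumption for the example: the relays we run and whose logs we hold.
OUR_HOSTS = {"mx1.victim.example"}

# "from <claimed name> (<what the receiver saw>) ... by <receiving host>"
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)


def parse_hops(raw):
    """Return hops top-down as (claimed sender, receiver's note, receiving host)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1), (m.group(2) or "").strip(), m.group(3)))
    return hops


def split_chain(raw, our_hosts=OUR_HOSTS):
    """Split the chain into hops written by our hosts and hops we cannot verify.

    Once a hop was written by a host we do not control, every hop below it
    is hearsay: any of those relays could have invented or rewritten them.
    """
    hops = parse_hops(raw)
    trusted = []
    for i, hop in enumerate(hops):
        if hop[2] not in our_hosts:
            return trusted, hops[i:]
        trusted.append(hop)
    return trusted, []


def verifiable_origin(raw, our_hosts=OUR_HOSTS):
    """The one connecting address we observed ourselves: the IP our MX logged.

    Even this is only the last relay that talked to us, not the sender.
    """
    trusted, _ = split_chain(raw, our_hosts)
    if not trusted:
        return None
    m = re.search(r"\[([0-9A-Fa-f.:]+)\]", trusted[-1][1])
    return m.group(1) if m else None


if __name__ == "__main__":
    trusted, unverified = split_chain(RAW_MESSAGE)
    print("Hops we can vouch for (written by our own relays):")
    for claimed, note, writer in trusted:
        print(f"  {writer} accepted a connection from {note} (claimed {claimed})")
    print("Hops supplied by outside systems (unverifiable without their logs):")
    for claimed, note, writer in unverified:
        print(f"  {writer} says it got it from {claimed} {note}")
    print("Only address we saw ourselves:", verifiable_origin(RAW_MESSAGE))
```

Run against the sample, the script vouches for a single fact, that 203.0.113.7 connected to mx1.victim.example, and lists the two lower hops (including the one claiming to come from gmail.com) as unverifiable. That is the investigator’s starting position: everything below your own relay needs corroboration from the party that wrote it.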
On exploits
Just secure your systems and hope for the best. If there is a 0-day for your specific system and the security stack in place does not have controls to prevent the 0-day then you’re just shit out of luck. However, attribution is identifying who exploited you… and where do you start? If you have any system on the Internet, hundreds of hosts are actively scanning it on a daily basis (Shodan, Censys, university research projects, bored people, malicious actors), so you have to filter out that noise to start… but what if they did not scan you at all and were in constant interaction under normal behaviours prior to them attacking? Perhaps an online shop, and they bought items regularly, and one day they got bored and hacked you. Almost everything above points back to an IP address (not a person holding a bloodied knife), an IP address and hopefully a NAT’d IP address, such as an internal mail relay. Everything requires cooperation with external parties and obtaining the additional information you do not have readily available. Further, once you have an IP address, how do you evidence that it was not a compromised machine itself, perhaps as part of a botnet, or simply that someone forgot to log out? So, a really basic example, and what actually spurred me to write my musings:
1. Agency A has a compliant and peaceful relationship with Agency B.
2. Agency C has a compliant and peaceful relationship with Agency A but also dislikes Agency B.
3. Agency C finds out that Agency B is working on a super awesome device and wants to build one themselves, but cannot work with Agency B.
4. Agency C decides to compromise Agency A through any number of methods (cracking/hacking, malware, social engineering, blackmail, bribery, etc…).
5. Agency C, through Agency A systems, compromises Agency B and obtains the secret data.
6. Agency A is unaware of the intent of the compromise, if aware at all.
7. Agency B identifies the compromise coming from Agency A (attribution).
8. Agency A denies the claims but has no evidence to support it (only logs showing Agency A accessing Agency B exist).
9. Agency A and Agency B form a tense and potentially hostile relationship.
10. Agency C profits (wine and beer for all).
Where does attribution fit into the value chain?
Magically you gained support and cooperation from all involved parties; it took a lot of time, effort and resources in both technical and legal capacity. Lawyers were consulted, law enforcement engaged, and the malicious actor was found, tried and hanged (or fined and jailed). Your organisation is now out of pocket for all expenses relating to the investigation (the perpetrator was just a kid in Denver with $20 to his name). Law enforcement spent hundreds of hours across multiple divisions helping in the investigation. Lawyers took your money because they decided they need it more than you and you are in a generous mood. The successful prosecution resulted in zero profit, bad publicity, and ruining a person’s life. Where is the value? There is none. That moment you were compromised, data stolen, sold, leaked… invoke your incident management plan, respond, contain, recover and learn. BUT THEN STOP, take a breath and assess your current situation. Will attribution result in a better security posture for the organisation or generate profit and enable the business to achieve its goals? Almost certainly it will not (unless of course that is what your business does). Finally, consider what third parties you must and should engage with for successful attribution and determine if the event is worth the publicity (going to law enforcement generally means it will be made a public record at some point) and if your goal is aligned with those of the third party. At best, attribution will tell you that some elite squad of hackers hacked your systems and there was nothing you could have done about it, but a sound security and risk management program could tell you this as well. At worst, attribution will be unachievable and only result in time spent on an impossible goal.
Attribution is harmful
Attribution is harmful: on a global scale it escalates hostilities between organisations, it can damage individuals’ well-being and state of mind, and it can be devastating to the research and cyber security industry by dissuading research and the release of data and publications. Stop attributing your failures to protect your organisation from cyber-attack to someone or something else and build safe, secure, resilient and reliable systems that can be exposed in hostile environments and not be compromised. Just figure out how you were compromised and fix it, and while you’re at it, figure out how to plug all the other gaping security holes. P.S. It was probably an opportunistic hack anyway…
Banking Trojan targets users of Australian government services
Recent statistics from the Kaspersky Botnet Tracking system showed that Trojan-Banker.AndroidOS.Gustuff is actively spreading in Australia, adopting unusual techniques. We have detected an SMS campaign aimed at Australian users with messages containing texts like 'Jassica shared an album with you hxxp://instagram-shared.pw/SexyJassica on Instagram Shared'. Once opened on a device with an Australian IP, the URL will redirect the user to the malware site and download a sample of Trojan-Banker.AndroidOS.Gustuff. Besides the common technique of monitoring installed applications and overlaying them with a WebView, Trojan-Banker.AndroidOS.Gustuff now checks for URLs opened in the browser and is able to open a WebView with a fake site overlaying the original web page. This method is currently used by Gustuff to steal users' credentials for the Australian Government service "MyGov" (https://my.gov.au/) and the National Australia Bank Internet Banking service (https://ib.nab.com.au/). An extended list of banking applications, payment applications and crypto-wallets is also targeted by the Trojan attempting to steal users' credentials. This could be done either by downloading a phishing web page from the C&C or by loading a web page from the local archive (see "Credentials stealing" tab in the file attached) saved earlier on the device by Gustuff and overlaying the original app interface. Please see the IoC and configurations for Trojan-Banker.AndroidOS.Gustuff, observed by the Kaspersky Botnet Tracking system, in the file attached.
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.au.
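The lure quoted in the report uses a host name that borrows a brand (“instagram”) without belonging to that brand’s domain, which is something an SMS gateway or abuse desk can screen for mechanically. The following is an added example, not Kaspersky’s or the magazine’s code: it extracts links from SMS text (including the defanged hxxp:// spelling used in reports), takes the host name and flags brand-bearing hosts that are not under the brand’s real domain. The BRANDS table, the sample messages other than the quoted lure, and the simplified domain matching (no public-suffix list) are assumptions of the example.

```python
"""Triage SMS lures for brand-impersonating links.

Added example (not from the report). Flags link hosts that carry a brand
token such as "instagram" or "mygov" but are not under that brand's domain.
"""
import re

# Brand tokens and the domains that legitimately serve them. Instagram is the
# lure brand quoted in the report; MyGov and NAB are the services the Trojan
# overlays. Treating this table as complete is an assumption of the example.
BRANDS = {
    "instagram": ("instagram.com",),
    "mygov": ("my.gov.au",),
    "nab": ("nab.com.au",),
}

# Constructed sample messages: the first reproduces the lure text quoted in
# the report, the others are invented and use reserved example domains.
SAMPLE_SMS = [
    "Jassica shared an album with you hxxp://instagram-shared.pw/SexyJassica on Instagram Shared",
    "Your photo is ready: https://www.instagram.com/p/abc123",
    "myGov: confirm your details at hxxps://mygov-secure.example/login today",
    "Your NAB statement is available in Internet Banking https://ib.nab.com.au/",
]

# Matches http(s) and the defanged hxxp(s) spelling used in threat reports.
URL_RE = re.compile(r"\b(?:h[tx]{2}ps?)://([^\s/'\"<>]+)", re.I)


def extract_hosts(text):
    """Return the host part of every link in an SMS, lower-cased and trimmed."""
    hosts = []
    for netloc in URL_RE.findall(text):
        # Drop userinfo and port, then stray punctuation glued to the link.
        host = netloc.split("@")[-1].split(":")[0].strip(".,;:!?").lower()
        if host:
            hosts.append(host)
    return hosts


def impersonated_brand(host):
    """Name the brand a host borrows if the host is not under that brand's domain."""
    tokens = re.split(r"[.-]", host)
    for brand, legit in BRANDS.items():
        if brand in tokens and not any(
            host == d or host.endswith("." + d) for d in legit
        ):
            return brand
    return None


def triage(messages):
    """Return (host, brand) for every link that impersonates a known brand."""
    findings = []
    for text in messages:
        for host in extract_hosts(text):
            brand = impersonated_brand(host)
            if brand:
                findings.append((host, brand))
    return findings


if __name__ == "__main__":
    for host, brand in triage(SAMPLE_SMS):
        print(f"{host}: borrows '{brand}' but is not under {BRANDS[brand]}")
```

Token matching (splitting the host on dots and hyphens) rather than substring matching is deliberate: it catches instagram-shared.pw and mygov-secure.example while leaving short brand names like “nab” from firing on unrelated words. Legitimate hosts such as www.instagram.com and ib.nab.com.au pass because they sit under the brand’s own domain.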
BOOK REVIEW by Chris Cubbage DOUBLE DOWN FOR DIGITAL TRANSFORMATION
‘Match Fit for Transformation’ by Nigel Adams ISBN: 978-0-6486578-0-4 Publisher: Hetton Advisory www.hettonadvisory.com
This is somewhat of an unorthodox ‘double’ book review – but these two books, each focused on digital transformation, arrived one after the other, courtesy of Quikmark Media. Reading them together was a win-win, though more by chance than by intention. Essentially, we are all going through a period of transformation and those in the cyber and digital realm, more so than most. Here at MySecurity Media we are experiencing this like any other media business. With the growing capability of cloud based platforms, such as SaaS, we’re also naturally looking to transform from a media to a knowledge platform, one with a global audience. As each of the two authors highlights, digital disruption needs to be seen as a digital transformation opportunity. ‘Match Fit for Transformation’ by Nigel Adams landed first. Nigel Adams sets out a four-part, thirteen chapter ‘how to - get to doing’ handbook on the steps, structure, strategy and challenges of digital transformation. Now based in Melbourne, Nigel writes with an informative perspective and insights based on years of executive experience in the UK and Australia. The models provided are invaluable, the tables very helpful and the overall structure and readability transforms one into an appropriate ‘pace of change’, likely to also inherently tap into any interested reader. Then arrived David Banger’s ‘Digital is Everyone’s Business - a guide to transition’. Set out in five parts to address mindset, technology, relevance, innovation and digital, this book establishes the framework for executives to manage the people and business transformation, in a rather simplistic (yet breaking down the complex) and adaptable step-by-step approach. Part 2 on Technology is invaluable in addressing costs, capability, criticality, and communicating context, in addition to a number of critical assessment models, with an ultimate focus being on the ‘customer’. Part 3 on Relevance addresses the risk management approach, not just strategically and for the organisation, but also for career and professional development. Doing so is a natural segue to ‘rightsizing’ and analysing the roles and leadership skill sets. Parts 4 and 5 address innovation and digital. David writes, “Strategic technical innovation will require investment prior to mass market penetration. The identification and agreement of milestones for this innovation approach are important as the return on the investment could potentially be delayed.” The importance of Pre-Digital Assessments (PDAs) and Responsibilities, Activities and Initiatives (RAI) is explained and these need to be considered at the outset. For digital potential, the three key areas to consider are timing, clarity and duration. Organisations that have achieved successful digital business models have outperformed the industry average of profitability by 25 per cent. A great digital business is one with customer intimacy and global scale. What was striking in both books was that each identified that digital transformation is not about technology – it’s about change!
‘Digital is Everyone’s Business - a guide to transition’ by David Banger ISBN: 978-0-6486968-0-3 Publisher: BookPod www.davidbanger.com
NETEVENTS – GLOBAL IT SUMMIT, SAN JOSE USA
The NetEvents Global IT Summit provided a stimulating and topical two-day conference program of hot debates, head-to-heads and presentations by visionaries and industry analysts. By Chris Cubbage
HOW LONG IS THE ROAD TO AI? PANEL SESSION (LISTEN NOW)
A high-level discussion on the development of Artificial Intelligence (AI) and both advances and vulnerabilities of the technology and human interactions. Facilitated by Jeremiah Caron, Global Head of Research & Analysis, GlobalData and joined by Professor David Cheriton, Stanford University, Nick McMenemy, CEO of RenewTrak and Ravi Chandrasekaran, Senior VP, Enterprise Networking Business, Cisco. Jeremiah Caron opened with reference to recent research on AI which showed only 47 per cent of businesses see AI in the future of their companies. Caron asked if AI was a matter of definitions. Stanford University’s Professor David Cheriton pronounced himself an AI sceptic; he said, “I’ve seen over the years a bunch of AI / ML intelligence cycles, expert systems and neural networks.” Nick McMenemy agreed it is a catch-all term: “I’m also a bit of a sceptic but it can free up humans to do what we prefer to do, what we’re better at.” Cisco’s Chandrasekaran said: “AI is a tool to do things we can’t otherwise do – we do applied AI, it’s a tool.” Cheriton said: “we need to ask whether AI is the relevant tool for the job. Also it’s not as smart as people think – it can be very easily fooled.” Caron asked what AI does for the army of Cisco specialists out there. Chandrasekaran said “they can be freed to do less routine jobs – right now they can’t keep up, so it’s not about replacing people.” Caron asked whether customers understand the value of AI. McMenemy said customers were 100 per cent sceptical but didn’t understand it fully – but now know they have to predict what IT systems will do. As for AI’s limitations? Cheriton said, “we don’t need more regulation but need to be reminded that we can’t just have a magic black box and defer decisions to that.” Examples include AI analysis which found that an AI system recognised wolves from dogs because the wolves were photographed in snow, while dogs had grass behind them. “We’re not as far along as we think,” Cheriton said. Chandrasekaran concluded, “AI has interesting side-effects – it needs to defer to a higher intelligence.”
To hear the full panel session, Episode 175 – Cyber Security Weekly Podcast
DISCUSSION WRAP-UP: Rapidly Evolving Trends in Cloud Networking Security and Cloud-Native Security
Chaired by Scott Raynovich, Principal Analyst, Futuriom and accompanied by MK Palmore, Field Chief Security Officer, Palo Alto Networks, Kelly Ahuja, CEO, Versa Networks and Kevin Deierling, Chief Marketing Officer, Mellanox Technologies. Raynovich talked about the landscape from the network manager’s point of view: changes brought by the cloud growth, increased WAN bandwidth, greater demand for security flexibility, network appliance sprawl, need for orchestration, visibility and automation from the cloud. Security needs to be everywhere but there are hundreds, if not thousands of vendors and technologies. So, it’s a management not a technology issue, with most breaches attributable to human error – eg patching. Can networks keep up with the processing demands of encryption?
Deierling said two of our major customers put encryption into their datacentre so everything is encrypted. But how much is and should be encrypted?
Palmore responded to confirm that best practice means encryption should be adopted for data at rest and in transit. Ahuja said our job is to provide the ability to encrypt wherever a customer needs it. At high speed networking – eg 200Gbit – hardware assist is essential. Future WiFi standards will include an encryption option. Deierling responded, saying, hardware assist is not sufficient. With VMs and overlay networks, NICs (Network Interface Cards) are doing all that work. If you use software to encrypt, all that breaks – because the NIC never knows what’s in the packets. We think encryption needs to be inline in the NIC.
Shouldn’t SD-WAN vendors and firewalls merge as they’re doing the same thing? Palmore said a firewall is a specialist technology. Ahuja said this is a new space with innovation – we give the customer the option to do firewalling wherever they prefer using any vendor. It’s about solving the customer’s problem.
NetEvents Innovation Awards 2019 – Cloud/Datacenter, IoT & CyberSecurity
The winners of the Hot Start-Up Awards (innovative pre-IPO) were:
• Cloud/Datacenter Category: NetFoundry with its ‘Connectivity as Code’ developer platform was chosen to receive the award.
• Hot Start-Up – IoT Category: Everactive, pioneers in wireless and battery-less IoT, was the award winner.
• Hot Start-Up – Cybersecurity Category: Odo Security took the Award with its ‘zero trust access solution’. In addition, Odo Security won the overall vote from the VCs as top choice of the three Hot Start-Up category winners for investment.
The winners of the Innovation Leaders Awards were:
• Innovation Leader – IoT Award – Darktrace.
• Innovation Leader – Cloud/Datacentre Award – Apstra.
• Innovation Leader – Cybersecurity Award – Guardicore.
MySecurity Media attended the Global IT Summit, courtesy of NetEvents, along with media and analysts from over 30 countries.
L-R Professor David Cheriton, Ravi Chandrasekaran, Nick McMenemy
L-R Professor David Cheriton, Ravi Chandrasekaran, Nick McMenemy, Jeremiah Caron
NetEvents Global IT Summit, San Jose CA
Genetec & NEXTDC Partner on Data Centre Security
“We’re what Westfield is for retail but we’re the Westfield of IT”
By Chris Cubbage, Executive Editor
As the world transitions to 5G networks and will continue on to 6G by around 2030, the role of data centres as part of national critical infrastructure will remain embedded. The business of building and delivering this infrastructure is a key challenge in terms of location, scale, installation, maintenance, competitive pricing and importantly, ensuring it is future proofed for the rapid advances in technology. Technology and its connectivity require hyperscale, second generation data centres, built much like multi-tenanted warehouses, serving as data storage and distribution hubs. As David Dzienciol, NEXTDC’s Chief Customer Officer, described, “We’re what Westfield is for retail but we’re the Westfield of IT - providing the environment for IT trade”. During a facility site visit to NEXTDC’s Melbourne M2 Phase 1 Data Centre, a short drive from Tullamarine airport, we got insight into how a modern co-location data centre is being planned in phases, built in operational stages and then designed to function day-to-day, with a co-working datacentre environment for hundreds of customers. David Dzienciol highlighted, “Each hall contains 50 to 60 customers and in a multi-tiered relationship with complexity, created by multi cloud and hybrid environments, we may not know who the end customer is via third party relationships.” The NEXTDC value proposition, and indeed the requirement for each of the company’s nine facilities across Australia, is: power, connectivity and security. With a measured capacity target of 300MW, the company has amassed a current status of 50MW, with completion of Phase 2 of the M2 to take the facility to 40MW. As at 30 June 2019, NEXTDC reported a financial year increase in contracted utilisation of over 30 per cent to 52.5MW; customers increased over 20 per cent to 1,184 and interconnections were up over 25 per cent to just under 11,000 (10,972). NEXTDC’s motto, ‘where the cloud lives’, adopts an inherent requirement to meet the Tier IV status set by the UTI Certification body, with a guarantee of 100 per cent uptime. The DC’s high-voltage power, received from the grid, is backed by Penske diesel engine generators for disaster recovery, capable of running for at least 48 hours onsite. NEXTDC provides connectivity with a Layer 2 portal, Axon Cloud, which on-ramps for performance, scaling and security, with inter-site connectivity, and is carrier neutral and DC neutral. Tier IV site infrastructure, building on Tier III, adds the concept of Fault Tolerance to the site infrastructure topology, meaning that when individual equipment failures or distribution path interruptions occur, the effects are stopped short of IT operations.
Security is a key element
Alongside the power and connectivity, security is a key element of each facility. Security is not just at a data level but holistically includes physical access layers, with perimeter security and access controls applied in a ‘defence in depth’ approach, from the front gate, through to who has access to the individual racks in each of the halls. Physical security, video surveillance, access control, biometrics and visitor management all form a primary aspect of any DC. At scale, NEXTDC manages over 2,400 video cameras across its nine sites, operating on Genetec’s Security Centre platform. Wrapped around a long term, strategic partnership with Genetec, video data storage is distributed across the network, with up to 519TB per site and cameras operating at resolutions up to 5 megapixels, with all cameras recording continuously at 15 frames per second (FPS) for a minimum of 90 days. Launched in 2010, with the balance of experience and security, Genetec, HID, Gunnebo and Salesforce were selected to integrate to the Genetec Security Centre, powered by a scalable architecture that synchronises cameras, doors, access points and other managed hardware. The first install in 2011 progressed to working more collaboratively, and since 2014, NEXTDC has operated Genetec as a client and partner, leveraging the Security Center Federation feature which allows for centralised monitoring, reporting and alarm management across all sites. This approach offers security and customer service employees appropriate access to the video surveillance system, video analytics and reporting, access control, two factor authentication systems and intercoms, built on role-based protocols, as determined by NEXTDC. The applications include Omnicast video management, Synergis access control, plus API integration to intercoms and licence plate recognition testing. Each DC wants to improve on the last one and the focus remains on integrated security technology delivery.
George Dionisopoulos, NEXTDC’s Head of Security and Customer Service, said, “The Federation feature links our entire national footprint, and means our team has the visibility and control we need to monitor our facilities effectively right across the country, protect against and prevent security breaches and ensure a secure environment. We can operate a streamlined team, yet provide assistance as required at any of our data centres, servicing our customers exceptionally, every time.”
According to David Dzienciol, “Our customers’ needs continue to evolve, so it’s important we move with them. When it comes to access control in line with security standards, our customers are looking for auto approval and self-service. With the level of intelligence built into our security posture through the help of Genetec solutions, we have been able to reduce the number of ‘front of house’ and security staff that customers need to engage with each time they visit. This enables us to help our customers get to where they need to be, quickly and efficiently. With the support of Genetec, we can offer a frictionless experience that does not compromise on security.”
“NEXTDC is very forward-thinking, taking a broader view of physical security to derive additional return on its original security infrastructure investment,” confirmed Philippe Ouimette, Director of Strategic Partnerships, Genetec. “As an organisation, it understands the potential for leveraging its physical security systems and the Genetec Security Center platform. Not only to deliver on the promise of security to its customers, but importantly, to better its business operations and the overall customer experience.”
“Security should be driven more by intelligence and operations. The old way of thinking about security is outdated. NEXTDC views security not as a cost centre but as an enabler for the entire business. This creates a balance between a very high level of security for customer assurance but also for a customer wellbeing environment. Genetec looks at security as a method of providing a flow of people through a facility and NEXTDC seeks a frictionless customer experience, and hence why our approach aligns.”
With three core pillars designed to uphold the Genetec portfolio, being operations efficiency, making sense of sensors and security of the security system, the Genetec platform allows open access to an ecosystem. Providing end to end encryption and advanced authentication, it operates as a unified, single platform, with a consistent user experience and federated multi-site and multi-system monitoring and reporting. This allows NEXTDC clients multi-site consistency, with many DC clients operating in different states. The recent release in the USA of Genetec ClearID will allow for a visitor management system for physical identity and access management. ClearID is designed as a self-service physical identity and access management (PIAM) system that standardises and enforces security policies, to be made available globally in early 2020. ClearID enables employees to log in to an online portal and make access requests directly to the area owner or supervisor. Employees control their own access requests, which ClearID automatically approves, denies, or routes on to an operator to review, based on corporate policies and automated workflows. Using a web portal, the employee (host) creates a profile for the visitor including the meeting details. The visitor in turn receives a confirmation email with a QR code that can be used to sign in once on site, print a badge and automatically advise the host of their arrival. Other key functionality supports organisations in industries where they need to comply with strict access requirements. ClearID will simplify the auditing process by providing area owners with an instant view of who has access to their areas. This will allow them to revoke access, as well as simplify manual processes that can be time and resource intensive and prone to human error. In future releases of ClearID, contractor management features will ensure that when access requests are initiated, approvals or denials are made prior to the contractor’s arrival based on the necessary qualifications, tests and steps of identity authentication required to grant access. This will support additional compliance with standards, and minimise costs associated with contractor wait times. Additional Genetec products include Streamvault, regionalised for Australia, with a pre-installed and configured server, and the Genetec Synergis IP controller for ACS and IDS, plus a suite of intelligence products designed for applications in retail, airports, traffic control and across cities. Airport Sense provides intelligence reports and visualisation from airport systems such as parking, check-ins, retail outlets and baggage screening for an airport security and situational awareness dashboard. Another example is Citi-Graf, used by the City of Chicago, the second largest police district in the USA, to improve response and crime prevention strategies and thereby contributing to a reduction in crime statistics. NEXTDC reported 30 June 2019 revenue up 15 per cent to $179.3 million and underlying EBITDA up 13 per cent to $85.1 million. Strategic partnerships for the essential services around power, connectivity and security are clearly needed and in this case, working. In the ever-important pillar of security, Genetec is obviously proud of working with NEXTDC in a cutting-edge environment, and each is set to continue into the future. MySecurity Media travelled to the NEXTDC M2 facility courtesy of Genetec.
Australian Cyber Security Magazine | 29
Australia’s northern surveillance
By Dr John Coyne
Episode 163 - INTERPOL World 2019 Series - Dr. John Coyne, Australian Strategic Policy Institute, Policing & Innovation
Australia’s Department of Home Affairs recently started a once-in-50-years shake-up of its civil maritime surveillance capabilities, currently valued at over $AUD 100 million a year. The ‘future maritime surveillance capability’ project is to ‘provide the next generation maritime surveillance capability to counter current and emerging civil maritime threats to Australia … [and] provide surveillance capabilities that enable timely and effective deterrence, prevention and response operations to protect Australia’s borders and exercise sovereign rights’. Australia’s maritime jurisdiction covers about 14 million square kilometres, including an exclusive economic zone (EEZ) of over 10 million square kilometres. At the best of times, maintaining awareness of this maritime territory is no easy task. Protecting the sovereignty of our maritime borders has never been more difficult than it is today.
Australia’s current maritime surveillance arrangements are a product of slow evolution over five decades. Australia’s maritime surveillance began in the late 1960s, using Royal Australian Air Force and Royal Australian Navy aircraft to patrol its newly declared 12-nautical-mile territorial sea. In August 1977, the Australian government announced its intention to declare a 200-nautical-mile exclusive economic zone around the continent. With a growing need for aerial surveillance, the combined military and civil surveillance commitment was boosted to 27,000 flight hours per year. A substantial part of the increase came from the use of chartered civilian aircraft. By the late 1990s, the contracted civil maritime surveillance effort had progressed from a group of binocular-armed observers to encompass a cohesive fleet of contractor-supplied and -operated, purpose-modified aircraft, using modern search radar and communications systems and mature procedures originally adapted from the military maritime surveillance world. Since then, civil contractors have provided around 95% of our civil maritime surveillance.
Over the past four years, Australia’s border security framework has been subject to ongoing landmark overhauls. On 1 July 2015, the Department of Immigration and Border Protection and the Australian Customs and Border Protection Service were officially amalgamated into a single agency. At the same time, the Australian Border Force (ABF) was stood up within the new department. On 20 December 2017, with the ABF reforms still in progress, the Home Affairs portfolio and the Department of Home Affairs were established. Along with further professionalisation of the ABF, Home Affairs continued to innovate and introduce new technologies focused on maintaining the integrity of Australia’s borders. Since 2016, the ABF, through its Maritime Border Command, has created a ‘ring of steel’ around Australia’s northern waters. Primarily focused on blocking people smugglers, the command’s officers, supported by military
and civil maritime-surveillance capabilities, have made a substantial contribution to thwarting other maritime crimes like illegal, unregulated and unreported fishing. As Australia develops the future maritime surveillance capability, it needs to consider the concepts of depth, integration, cooperation, technology and the surveillance spectrum.
In mid-August last year, a fishing trawler carrying 17 Vietnamese asylum seekers successfully penetrated Australia’s ‘ring of steel’ maritime border arrangements undetected. As the vessel continued its course down Australia’s treacherous northern coastal waters, mother nature struck. On the 26th of August the vessel ran aground near the mouth of the Daintree River, stranding the asylum seekers and crew in northern Australia’s remote and crocodile-infested waters. In a stroke of luck, for both Home Affairs and the asylum seekers, two local fishermen found the stranded group. All the asylum seekers were quickly returned to Vietnam. In early September two foreign nationals, French and English citizens, accidentally hit a reef and ran aground in the Abrolhos Islands off the Western Australian coast. The stricken yacht was later found by fishermen and an air and sea search was launched. After the men were located, over a thousand kilograms of cocaine and ecstasy, with a street value of $1 billion, were discovered.
Both incidents highlight the importance of ‘depth’ in our border management strategies. They also clearly illustrate the importance of the Australian public to border security and their willingness to do their bit. As our national maritime domain awareness (MDA) and response capabilities have improved, the onshore and nearshore eyes, ears and muscle in Australia’s north have been wasting away. Both the Australian Federal Police (AFP) and the ABF have modest offices in Cairns and Darwin. While their officers are highly trained, there aren’t many, and yet they are responsible for some of the world’s largest law enforcement operating areas.
Northern Australia’s vastness creates three problems for ABF and AFP decision-makers. First, they need eyes and ears in communities spread across Western Australia, the Northern Territory and Queensland. These eyes and ears need to include citizens who are ready and willing to report unusual behaviour. And they need a mechanism for reporting their observations. Second, both organisations need an enhanced capability in northern Australia to undertake covert surveillance of suspicious activity on and near the coast.
Over the last decade alone, there have been dramatic developments in maritime surveillance technologies and their affordability. From small cube satellites and unmanned aerial vehicles to artificial intelligence and swarm technology, the options for Australia are almost limitless. Integrating these new capabilities with Home Affairs’ legacy systems to develop a single maritime domain interface will be a complex endeavour. Further integration of that interface with Defence’s capabilities to create a single civil/military MDA window seems a long way off.
Since federation, the prevailing national security thinking has been underpinned by a concept of defending Australia from the region. Given the transnational nature of organised crime and terrorism, we need to revisit this concept. In today’s threat environment Australia is defending with the region. Understandably then, as ASEAN continues its slow journey towards economic and security integration, policy makers will need to consider how Australia will cooperate with the region in terms of MDA and civil maritime security.
In considering our future surveillance technologies, Australia ought to be mindful that a comprehensive maritime border security strategy depends as much on a multi-stage process as on technology. The surveillance process starts with detecting potential threats and finishes with disruption operations. Just as importantly, every surveillance capability has strengths and weaknesses that vary depending on the specific surveillance stage. Searching involves surveying an area using active or passive technical or non-technical means. The aim is to identify anomalous behaviour in Australian waters. Effective searching involves using a mix of sensor types across the search area and integrating the different data feeds to produce a comprehensive picture of the situation so that other surveillance or response assets can be cued effectively. Detection is the moment when an object or vessel is discovered. It’s achieved through one or more technical (active radar or satellite) sensors, visual detection or self-reporting. The level of security risk assigned to a detected vessel depends on several factors. Obtaining information about a vessel, such as its country of origin and any previous offences, assists border protection authorities to make further judgements and determine the level of urgency of the case. The capability to track a vessel has several applications. Accurate tracking enables authorities to determine the vessel’s direction and possible destination, which may further elucidate the threat posed. If necessary, it also informs the planning of an interception at sea or on land. Each step of the process contributes to assessing whether a vessel needs to be intercepted, disrupted, or both, by a navy vessel or an ABF patrol boat. If the vessel is involved in an illegal activity, the interception or interdiction itself may disrupt that activity. This process requires a manned patrol boat so that authorised personnel can board and inspect a vessel. Ultimately, the aim of all this activity is to increase decision-makers’ understanding of maritime risks and threats by layering information and intelligence collected from space, air, surface and subsurface assets to provide a rich picture of activity at sea that can be further analysed to identify threats.
Home Affairs will need to be careful that the allure of technology doesn’t get in the way of getting the capability mix for the surveillance spectrum right. The development of Australia’s future maritime surveillance capability is going to be a complex intellectual and financial challenge for the Australian government. In a time of increased strategic uncertainty and a broadening of non-traditional national security threats, there is little tolerance for failure and no time to delay.
PODCAST HIGHLIGHT EPISODES
Episode 174 - Unified Threat Management - Insights into Red Piranha's 'Crystal Eye' with Tarek Chaalan
Interview with Tarek Chaalan, Security Engineer with Red Piranha, based in Sydney, discussing Crystal Eye Version 2.0 and 2.5. Yet before we had time to produce it, Red Piranha had announced the release of Crystal Eye 3.0. Despite the technical skip, get some deeper insight into the Crystal Eye functionality and into a key member of the development team. If you're into Unified Threat Management and all that it offers, you'll enjoy this podcast!
Episode 173 - When and how organisations should come to understand Micro-Segmentation - Insights with Illumio
Interview with Andrew Kay, Systems Engineer with Illumio. The Illumio Adaptive Security Platform® (ASP) secures the inside of any data centre and cloud – running any form of compute – with micro-segmentation enabled by application dependency and vulnerability maps. Following Episode 141, where we discussed how Illumio ASP delivers micro-segmentation by combining vulnerability data with real-time traffic visibility, this discussion dives into when and how organisations come to understand how their applications work, see where they are most vulnerable, and use that visibility to create and enforce micro-segmentation policies.
Episode 172 - Privileged Access Management (PAM) with BeyondTrust CISO & CTO, Morey Haber
Interview with Mr. Morey Haber, Chief Technology Officer & Chief Information Security Officer, BeyondTrust, USA, and co-author with Brad Hibbert of Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations, published by Apress. Recorded as part of the 'Privileged Access Forum: Defending Against Targeted Attacks', held in Singapore and Melbourne in August 2019. Morey Haber presented on 'Building Effective Cyber-Defense Strategies to Protect Organisations' and 'Just-in-Time (JIT) Privileged Access – Why It Is The Next Big Step In Risk Reduction & How To Implement It'.
Episode 171 - Interview with SheLeadsTech founding ISACA Director, Jo Stewart-Rattray
Interview with Jo Stewart-Rattray, founding ISACA Director for SheLeadsTech and former Chair of COBIT 2019. Having spent 7 years on the ISACA Board, we discuss Jo's background and recent history with ISACA over the last 10 years and her recent attendance at the 63rd United Nations Commission on the Status of Women. Jo provides her observations over the last 10 years on the status of women in the tech industry and the importance of advocating for women to enter the cybersecurity and technology sector.
Episode 170 - Dr Magda Chelly on Cybersecurity, Career Transition & Women in Cyber
Interview with Dr. Magda Chelly, CEO of Responsible Cyber, based in Singapore. We cover Magda’s background and her transition from a technology career into cybersecurity; she is a strong advocate for attracting women into the cybersecurity industry. Magda founded Women of Security (WoSEC) and launched a WoSEC CTF For Girls Competition Day.
Episode 169 - Briefing with ISACA on the CYBERSECURITY NEXUS™ (CSX) TRAINING PLATFORM LABS
Interview with Brian Page, Global Account Executive with ISACA, attending RSA APJ Conference from Chicago, USA. Founded in 1960 and previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, and has grown to have over 140,000 members and 190 worldwide chapters. Brian provides insight into the ISACA CYBERSECURITY NEXUS™ (CSX) TRAINING PLATFORM LABS: a performance-based, live lab environment where anyone can obtain cutting-edge cybersecurity training. Students gain access to relevant labs in live environments without the use of emulation. Labs are hosted in the cloud, so students may access them from anywhere in the world so long as they have a web browser and internet connection.
Episode 168 - BlackBerry launches 'Intelligent Security' for mobile endpoint security in zero trust environments
Interview with David Nicol, Managing Director, BlackBerry Australia & New Zealand, and Jonathan Jackson, Director, Engineering Solutions, APJ. BlackBerry® Intelligent Security uses a combination of contextual and behavioural factors to dynamically adapt security requirements and calculate a unique risk score for each interaction. Using this unique risk score, a mobile user can be granted access to specific device applications and services, as defined by IT administrators. This provides granular control and delivers a better, more productive end user experience – all without sacrificing an organisation’s regulatory and security policies.
Episode 167 - The New Why of Cybersecurity - Rohit Ghai, President, RSA and Grant Geyer, Senior VP for RSA Products
Interview with Rohit Ghai, President, RSA, and Grant Geyer, Senior Vice President for RSA Products, discussing the ‘New Why of Cybersecurity’. Digital investment accelerates business velocity, transforms constituent experiences and spawns new opportunities. But this formidable force for human progress also magnifies risk. We discuss digital risk management and associated transformation and change in the digital environment and how RSA has set out to address the management of digital risk as the new ‘why’ for cybersecurity.
Cover Feature Cyber Security
Three things that will simplify and streamline PCI Compliance… and those dreaded audits
By Rob van Es
Over the past 15 years, the Payment Card Industry Data Security Standard (PCI DSS) has evolved, grown, and put forth increasingly high standards for every company involved in payments. PCI DSS is a global standard and requirement designed to ensure that all companies maintain a secure environment when accepting, processing, storing, or transmitting credit card information. When we work with enterprises in the financial industry to identify their high-value assets (their ‘crown jewels’), PCI compliance factors in highly and is always a top priority. But like all rules, regulations, and compliance, it needs to be enforced to be effective. Enforcing PCI compliance falls to a few different parties, namely credit card brands, associated banks, as well as retailers.
PCI compliance around the globe
However, on a global scale, we’ve seen different reactions and adoption rates depending on the country in question. When we look at the US, for example, companies there have been subject to rigid enforcement of PCI DSS, so have been quick to adopt, while here in Australia, organisations are finding it ‘too hard’ and are also failing to maintain compliance once it’s achieved. This has implications for those Australian companies exchanging financial data with American-based companies, as they have some catching up to do before they can migrate or expand their business operations. It also means that from time to time, those responsible for enforcing compliance have no choice but to come down hard on organisations that are found to be non-compliant – in a show of force, but also out of practicality. Australian cybersecurity professionals are all too familiar with this inconsistent approach and it has left many scrambling to achieve – and maintain – compliance. Falling behind could mean that a credit card company could issue warnings to local Australian banking and financial institutions, which would have to be taken very seriously. So what are we waiting for? Where do we start?
Tick these three boxes to get you on your way
Well, for those who are finding themselves suddenly more focused on PCI and associated audits (through changing or expanding business plans, increased enforcement from regulators, and the like), one of the first things to do is to look at what is being done elsewhere and adopt those best practices. At a high level, these three things are needed for a quick, streamlined, and inexpensive audit:
1. Scoping and mapping out your data is crucial
Protecting cardholder data in today's dynamic data environments is difficult given the interconnectedness of flat networks and the sharing of data – both internally and externally. The first step is to scope – or what I refer to as ‘right scoping’ – which simply means you need to identify where this cardholder data is stored and processed (i.e. the cardholder data environment or CDE). This first step is fundamental, but it can also be difficult to get right. The reason is that an organisation can’t scope what it can’t see, so (visually) mapping out applications and how they are connected within the network, as well as what they interact with outside of the network, is imperative and the necessary foundation to move forward. However, once you have that map, you can easily run into a classic “Goldilocks dilemma” – is it not enough or perhaps too much? On the one hand, if you set the scope too broad, it will increase audit obligations as well as overhead. For large organisations with complex environments, this can become incredibly burdensome in terms of time, resources, and manpower. On the other hand, if the scope is too narrow, an auditor will start asking difficult questions to prove that your environment is compliant and properly protected. This is also a situation that no organisation wants to be in, so how can you get it ‘just right’?
2. Enforcing the boundary with segmentation is key
Once the map of your CDE and its boundaries has been established, it’s absolutely critical that you enforce it, and segmentation has become one of the best ways to do so (when done right!). Traditional approaches focus on segmenting the network, but this approach is difficult, error-prone, and expensive. Why? Because networks are about reliably connecting things – whereas segmentation is about reliably isolating things. Just because the network can deliver a packet (a formatted unit of data) doesn’t mean it should. From my perspective, the answer is to decouple security segmentation from the network, which frees security from the limitations of the underlying infrastructure (i.e. the network) to enforce security policies closest to what is being secured (i.e. the application). It enables you to protect applications wherever they run, because they do not live exclusively on networks anymore, and enforcement must go wherever they do. So, when you decouple in this fashion, you’re mitigating the spread of a breach by enforcing policies that make a clear distinction between what should be allowed to connect, and enacting firewalls to ensure that what shouldn’t connect never does.
3. Providing visibility and transparency makes everyone’s life easier
Most PCI audits begin with the auditor trying to understand the data flow. Where is PCI data held and how does it move within the environment from application to application? What about from workload to workload? This is what dictates the “scope” referred to above. An auditor will expect you to validate the scope but then also prove that it’s correctly enforced (i.e. that the boundary is protected). It’s also important to note that auditors are human beings and they don’t have an infinite amount of time to do their jobs, so if you hand over a subpar map or scope, it won’t make their job any easier – in fact, it’ll make the whole process harder for all parties involved. Visualisations and logs of traffic that was permitted or denied will go a long way to not just prove compliance, but to do so in a way that requires very little investigation from the auditors. It’s a win-win for everyone.
Further reading to guide you
For more information on PCI Compliance in Australia, its benefits, key requirements, and who must comply, visit the Australian government’s website here. And if you’re interested in reading more about decoupling security segmentation from the network, check out this white paper my colleagues recently published.
About the author
Rob van Es is Vice President of Asia Pacific at Illumio, where he leads regional business development. Rob has over two decades of experience managing sales for high-tech startups and later-stage companies. Connect on LinkedIn.
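To make the three steps concrete, here is an added example (my own code, not Illumio's product or the author's) that right-scopes a constructed application map: hosts carry labels, the declared CDE is derived from a label, an application-level allow-list is evaluated per flow to produce the permit/deny records an auditor asks for, and any host with a permitted connection into or out of the CDE is reported as in scope but undeclared (the "too narrow" side of the Goldilocks dilemma). The host names, labels, rules, flows and the one-hop connected-to rule are all assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    app: str   # application label
    env: str   # environment label
    pci: str   # "cde" if it stores, processes or transmits cardholder data, else "out"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    src_app: str   # "*" matches any application label
    dst_app: str
    port: int


# Constructed inventory, allow-list and observed flows (hypothetical labels,
# not taken from the article or from any vendor product).
HOSTS = {h.name: h for h in [
    Host("web-1", "storefront", "prod", "cde"),
    Host("pay-1", "payment", "prod", "cde"),
    Host("db-1", "carddb", "prod", "cde"),
    Host("jump-1", "bastion", "prod", "out"),
    Host("mon-1", "monitoring", "prod", "out"),
    Host("dev-1", "payment", "dev", "out"),
]}

RULES = [
    Rule("storefront", "payment", 8443),   # checkout calls the payment service
    Rule("payment", "carddb", 5432),       # payment service reads the card database
    Rule("bastion", "*", 22),              # admin SSH from the jump host
    Rule("*", "monitoring", 514),          # syslog from anything to the collector
]

FLOWS = [
    Flow("web-1", "pay-1", 8443),
    Flow("pay-1", "db-1", 5432),
    Flow("jump-1", "db-1", 22),
    Flow("dev-1", "db-1", 5432),   # dev host talking to the production card database
    Flow("pay-1", "mon-1", 514),
    Flow("mon-1", "web-1", 9100),  # no rule covers this
]


def declared_scope(hosts):
    """Hosts the organisation has declared as its CDE."""
    return {n for n, h in hosts.items() if h.pci == "cde"}


def _matches(rule, src, dst, port):
    # Rules are label-based, not address-based, and never span environments.
    return (rule.port == port
            and rule.src_app in ("*", src.app)
            and rule.dst_app in ("*", dst.app)
            and src.env == dst.env)


def decide(flow, rules, hosts):
    """Evaluate one flow against the allow-list; anything unmatched is denied."""
    src, dst = hosts[flow.src], hosts[flow.dst]
    for rule in rules:
        if _matches(rule, src, dst, flow.port):
            return "permit", rule
    return "deny", None


def audit_log(flows, rules, hosts):
    """Per-flow permit/deny records, the evidence an auditor asks to see."""
    records = []
    for f in flows:
        verdict, rule = decide(f, rules, hosts)
        records.append({
            "src": f.src, "dst": f.dst, "port": f.port, "verdict": verdict,
            "rule": None if rule is None else f"{rule.src_app}->{rule.dst_app}:{rule.port}",
        })
    return records


def effective_scope(flows, rules, hosts):
    """Declared CDE plus every host with a permitted flow to or from it.

    Only one hop is taken: a host that merely talks to a connected-to system
    is not pulled in (an assumption for this example, not a reading of PCI DSS).
    """
    cde = declared_scope(hosts)
    scope = set(cde)
    for f in flows:
        if decide(f, rules, hosts)[0] == "permit" and (f.src in cde or f.dst in cde):
            scope.update((f.src, f.dst))
    return scope


def scope_findings(flows, rules, hosts):
    """What to fix before the audit: undeclared connected hosts and denied flows."""
    undeclared = sorted(effective_scope(flows, rules, hosts) - declared_scope(hosts))
    denied = [r for r in audit_log(flows, rules, hosts) if r["verdict"] == "deny"]
    return {"undeclared_connected": undeclared, "denied_flows": denied}


if __name__ == "__main__":
    for rec in audit_log(FLOWS, RULES, HOSTS):
        print(rec)
    print(scope_findings(FLOWS, RULES, HOSTS))
```

On the constructed data the jump host and the log collector come back as undeclared but connected, which is exactly the kind of gap an auditor will find if the declared scope stops at the three labelled hosts.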
Financial industry security APRAisals
By David Stafford-Gaffney
July 2020 looms, and like impending doom, the pressure keeps mounting while no solution seems viable. As an organisation in the financial sector, you have been advised that you need to demonstrate awareness of and alignment to the Australian Prudential Regulation Authority’s (APRA) CPS 234 Standard. You struggled to manage GS007 financial regulation, and now you need to also comply with CPS 234, not to mention all this new Privacy legislation. What are you to do? This article follows on from the last one, when I looked at how to select the best framework to use as your primary control set, and how to baseline and manage your security environment (using both NIST and ISO 27001). Baselining the security environment against a single standard is the easiest way to start and quickly make some real progress, developing an Information Security Management System (ISMS) as the documentation set that can be evidenced by an auditor.
Getting started with CPS 234
Back to the story. With a reasonable grasp of information security and working with other standards such as ISO 27001, you ask yourself the most fundamental question: which of these financial standards should you start with, and which should be drawn upon as additional requirements you need to meet at some point later? Finding a suitable answer can get complicated, especially if you try to map all the necessary elements in each standard that must be addressed. I’ve found the best way to do this is to put the controls (all of them) in a spreadsheet and map each one from the first standard (the primary standard) to new columns for the second standard. Where there is an exact match, the primary standard is the one that delivers it, and where there is a gap, it falls to the second standard to pick up the slack. This process works for two, three and even four standards or frameworks, but be warned: compliance against more than two separate standards can get complicated, especially when changes are required, so keep good notes as you go and document every decision. Compliance with all relevant elements is a core requirement in cybersecurity. In fact, ISMSs need to clearly articulate all the numerous legal, regulatory, and self-imposed (often risk-based) security requirements to various internal and external stakeholders. And this is where a Statement of Applicability (SoA) is used.
Statements of Applicability
An SoA is a core element of an ISMS and records which controls, or elements of the framework, are applicable to your organisation, why they are applicable, the evidence of how you comply with them, and when the control was last reviewed. This might sound onerous; however, once you get used to the flow and interpreting statements from regulatory frameworks like the GS007 or CPS 234 standards into the SoA, the process can be straightforward. Organisations that are required to get certified against ISO 27001 must produce an SoA as a mandatory compliance artefact. However, I would not get too hung up on achieving certification; rather, focus on the value the ISMS and the SoA bring to your organisation and how you will use them as a tool to help you manage security for the organisation. Depending on your level of cybersecurity knowledge, it may be wise to get an external organisation to assist with the baseline security assessment, along with the basic construction of the ISMS (including the SoA), then hand it over to your team to finish implementation and run it from thereon. You might consider engaging that same organisation to audit you each year to see how development of your ISMS is tracking and whether all of the controls are still maintaining compliance with the SoA. There’s really no need to feel overwhelmed by CPS 234 or other regulatory requirements, including the management of the security obligations associated with them. Remember, there are many tools available to help do the job of a security manager, such as the ISMS and SoA, and that statement of applicability will capture all your security requirements and helps to track each in terms of its maturity. This one tool will help reduce your stress levels and lift that feeling of dread you might otherwise have been feeling.
Cover Feature Story
Thwarting SOC challenges with automation orchestration
By Samantha Humphries
For fans of The Rocky Horror Picture Show, the phrase ‘time is fleeting’ can forever only be heard in the dulcet tones of Richard O’Brien. And as one such fan, as I started to write this article, it immediately stuck as today’s earworm (if this is also now you, you’re welcome). Time is something we talk about a lot in the security industry - dwell time, time to detect, time to investigate, time to respond, where on earth did the time go? Time is our most valued commodity, and yet we never seem to have enough of it. Where we spend our time matters a great deal, and we are constantly being measured against the clock. Throughout this article, time will certainly feature a good amount, with the goal of helping your organisation find ways of clawing back those precious hours so that your security operations team can better focus their expertise.
The enemy of the SOC: ghost chasing
False positives have been the bane of the security industry since, well, the beginning of the security industry. Something that looks, smells, and even tastes bad can turn out to be benign. Whether caused by some messy code, incomplete threat intelligence information, or a misdetection by a security vendor, false positives can be incredibly time-consuming, not to mention costly. SOC (Security Operations Centre) analysts know this only too well. Hours and even days can be lost chasing such ghosts, whilst alerts and investigations continue to grow in the seemingly endless work queue. A single overenthusiastic anti-virus detection or a loose SIEM correlation rule alert requires the same due diligence as a real attack, and in some cases can be harder to prove. Ruling out such an event as being a misfire requires a high level of certainty, and arguably bravery, on the part of the analyst. Should it be found to be a true positive later, the outcomes are often not bright. There are never enough hours in the SOC day to get to everything, and ensuring analysts focus on the right things is vital to an organisation’s security posture. I would hang my proverbial hat on the fact that there is no SOC on the planet where analysts of any level of seniority are sitting around waiting for something to happen. In a recent SIEM productivity research report by the Ponemon Institute, performed on behalf of Exabeam, respondents stated that on average their security operations teams spent 25% of their time investigating false positives. With an eight-person SOC team (which is below the average size reported in the SANS Institute “Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey”) that’s the equivalent of two full-time employees. Highly skilled full-time employees, who don’t grow on trees….
The magical highly-skilled analyst tree
Oh, if only such a thing existed. Unfortunately, horticulturalists have yet to provide us with this wondrous plant, but we can indeed dream. Meanwhile, back in the real world, the skills gap is a problem facing the entire security industry. Yet all too often, the skilled expertise we do have is being wasted on tasks that are seen as necessary evils. Beyond the realm of false positives, manual processes are also killing the scene. Lengthy manual investigations, whether they result in false or true positives, can pass from shift to shift in a SOC, or result in significant overtime situations. Overtime can quickly spiral into analyst burnout, which negatively impacts security operations, can have potentially long-term effects on the employees themselves, and often leads to a high staff churn rate. The heady combination of a lack of skilled people, too many manual processes, and inaccurate technology creating noise and ghosts is essentially the security triangle of doom.
It’s time to take stock
Solving these challenges requires taking a long hard look at the three pillars of people, process, and technology. If you are responsible for security operations in your organisation, ask yourself these three questions: 1) Are our people unable to use their skills and expertise to the best of their ability? 2) Are our processes overly manual? 3) Is my security technology stack creating a high level of false positives?
If you’re unsure of the answers, talk to the team. Think about why you hired them in the first place, and whether that matches up to the work they are doing. Ask them what they think they should be focusing on in an ideal world. Ask them about the work they could be doing but never have time for. Count the steps in the processes, even the mouse clicks involved. Look at the operational reports to see both how long investigations take, and how many times an incident is closed as ‘false positive’. Evaluate which of your security solutions are common culprits and review your commonly triggered SIEM correlation rules to see what’s misfiring. Once you’ve taken stock, if you’ve found that the answer to any one of these questions is yes, consider automation and orchestration as a path forward.
Automation and orchestration for the modern SOC
Security orchestration, automation and response (SOAR) is helping SOCs level up their operations to meet the demands of today’s threat landscape, whilst driving down the number of manual processes and giving analysts more time to focus on the juicier investigations. Having a solid plan in place to decide what you should automate, how you will automate, and how you measure success is key to getting this right. SOAR comes in many flavours, from standalone tools to features within SIEM solutions, to API coding. Your available skill set will certainly play a part in deciding which path works best for your organisation. However, it is important to first understand where the gaps, challenges, and opportunities lie before embarking on change. Some good automation process candidates for consideration are the lowest-hanging fruit: phishing alert and malware alert triage are two common examples. These are well-trodden processes, which may only take 30 minutes to an hour each, but when you add them all up over a month that’s a whole bunch of saved time, and automating them can quickly rule out some of the dreaded false positive results.
Let’s do the investigation time warp.... again?
Another area where some of your more seasoned analysts are likely spending a lot of time is crawling logs and performing searches with your log management or SIEM tool: needle hunting across a myriad of haystacks, manually piecing together snippets to create a timeline of events. Correlating user details, IP addresses, devices and alerts with attacker tactics, techniques and procedures (TTPs) can be excruciatingly painful and hideously time consuming. Also, depending on the analyst’s personal experience, navigating this data maze can mean multiple dead ends before hitting the jackpot and being able to decide on next steps. But the clock continues to tick all the while… fortunately there are solutions available that can help automate this work, building out the complex investigation jigsaw automatically to allow the analyst to make accurate decisions in a considerably timelier manner. Call me biased if you will, but I would strongly recommend taking a look at Exabeam’s Advanced Analytics if this sounds like a challenge your SOC team is facing.
In summary
Automation and orchestration are key success factors in the modern SOC. Driving efficiencies in triage and investigation goes beyond just closing more cases or alerts: it allows SOC teams to do more interesting work, such as proactive threat hunting and forensics, and to spend time on more strategic initiatives to better protect and defend. Automation and orchestration can significantly reduce risk in manual repetitive processes, improve the accuracy of results, and derive additional value from current security investments. Ultimately, the time savings driven from utilising automation and orchestration will result in a better overall security posture for your organisation. It is time to make your SOC SOAR.
About the Author
Samantha has 20 years of experience in infosec, holding multiple positions including Senior Product Manager, Global Threat Response Manager, and Incident Response Manager. She’s helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks. Her life in IT started much earlier, at age 6, when she had twice as many computers as her school had (a ZX Spectrum 48K and a BBC Master), and was QAing educational games on 5¼ inch floppy disks. Sam trains anyone who’ll listen on security concepts and solutions. In her current regeneration, she’s thoroughly enjoying being a part of the global product marketing team at Exabeam. Sam’s a go-to person for data compliance related questions, and has to regularly remind people that she isn’t a lawyer, although if she had a time machine she probably would be.
Australian Cyber Security Magazine | 39
Making smart cities cyber secure
By Dan Lohrmann
As cities grow smarter and more connected, what implications does this have for cybersecurity? Many people are questioning what it even means to be a smart city in the coming decade, since all over the world even mundane aspects of city living are becoming digitised. Take, for example, the implementation of smart trash cans. What used to be a recurring service of 14 trash collections per week has now been reduced to just three pickups utilising smart compactors. In Philadelphia they have installed more than 1,100 smart trash cans city-wide and saved over $1 million. To curb gun violence, Boston has deployed a sensor-based gunfire detection system that can alert officers to precise crime scenes within seconds. These are two examples of how technology is helping remove waste, reduce costs and keep citizens safe. But what about the downsides and risks relating to cyber security? What’s common in these smart city examples? Governments rely on constant connectivity to volumes of data from stationary and moving sensors. This data is transformed into useful information using data analytics to provide better overall business value, effective customer service and better quality of life. And exponentially more data is coming soon via Internet of Things (IoT) advances with smart lighting, building automation, emergency management systems, security and access control systems, intelligent grids, renewable power, connected water treatment and supply, transportation sensors, and many other smart sensors in every area of life. Put simply, global governments foresee a new information renaissance transforming public services. How big is this effort? Experts at the SmartAmerica Challenge predict that approximately $41 trillion will be spent on smart cities over the next 20 years to upgrade infrastructure to benefit from IoT advances.
A SMART STEP BACK
What could derail these efforts? I’ve seen two smart city camps emerge. On one side, smart city planners share thousands of stories, conferences and case studies advocating smart cities in various channels. But within the cybersecurity community, the messages are much more negative. In fact, some are saying the sky is already falling. In this debate, like so many others, both sides passionately believe what they are saying. However, there isn’t much listening to the other side to reach a workable middle ground. I raise these security questions as an advocate who believes smart cities projects can solve problems like overcrowded cities, lack of resources, insufficient transportation choices and more. At the same time, I’ve also seen cybersecurity ignored for decades when new government strategies are announced — until a major incident occurs or it’s too late. So, can these two sides find common ground? What are the right questions that need to be answered? Microsoft has published an excellent paper on securing the IoT, which includes seven properties of highly secure devices. Here’s a condensed view of IoT security topics, and the cybersecurity questions that should be asked for smart city project implementations.
• The hardware-based root of trust: Does each device have a unique identity that’s inseparable from the hardware?
• Small, trusted computing base: Is most of the device’s software outside its trusted computing base?
• Defence in depth: Does your device software have multiple layers of protection built in?
• Compartmentalization: Are you using hardware-enforced barriers to stop failures from propagating to other components?
• Certificate-based authentication: Do your devices use certificates rather than passwords?
• Renewable security: Can the device’s software be updated automatically to a more secure state?
• Failure reporting: Do you have a solution in place to report software failures to the manufacturer?
RESOURCES TO HELP
The challenge of bridging the smart cities security divide won’t be easy. But there are organizations trying to help, such as Securingsmartcities.org. Its mission is to “help the world build smart cities with cybersecurity in mind.” The National Institute of Standards and Technology (NIST) kicked off a Global City Teams Challenge (GCTC) in February 2018, with the goal of encouraging participating teams to have an additional primary focus on cybersecurity and privacy, in addition to existing GCTC goals like replicability, scalability and sustainability. Finally, many individual companies such as Deloitte, Cisco, IBM, Schneider Electric, Siemens, Microsoft and others have smart cities efforts. The difficulty will be to overcome proprietary solutions that may not work well together. Vince Lombardi once said, “Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” Let’s apply that commitment to smart cities.
About the Author
Dan Lohrmann is the Chief Strategist & Chief Security Officer at Security Mentor, having previously spent 17 years at the State of Michigan, where he finished up as their CSO. Dan is also a prolific author, blogger and conference speaker.
Human Centric Security
By Emily Major-Goldsmith
I feel so passionately about what I am about to ask you, as the reader, to consider in my article below. I feel passionately because it is my premise that the educational context provided for cyber security students here in Australia is compromising the opportunities of the very same students it openly wants to encourage into the industry. As a child you are told to 'dream big' when it comes to everything you do! The intent is to support the idea that someone can achieve anything if they put their mind to it. Most adolescents become more aware of the limitations and restrictions that compromise this notion. And so, in our childhood years the wish to become a hotdog or a unicorn is soon replaced with more realistic longer-term career options such as doctor, teacher, chef and so on. As a young adult you decide on a pathway post tertiary education, whether that be to attend university, TAFE or the workforce. Regardless of what you decide, you are choosing a direction, a subject area, a way of life, a career pathway. If you decide university is for you, your first decision is to choose a subject area. For most degrees, you are generally presented with a few options: perhaps to focus on a core subject area, or maybe certain electives, or major and minor study preferences. Sadly, this option to specialise within a particular domain within a certain field isn’t necessarily available for all areas of study. The beauty of offering majors, minors and even elective units is that you allow the student to specialise in a particular part of a subject area. It allows students to take interest in smaller, more niche subjects within their learning area and can enhance opportunities to attract a more diverse range of students to a career pathway. When a student is studying at university to become a doctor, they often begin their first few years learning some core, fundamental subjects. Thereafter, once base knowledge is embedded, the student is then able to specialise and make selections such as paediatrics, oncology, cardiology and so on. When a student is studying at university to become a teacher, again they have to complete base knowledge education units. However, alongside these units they can choose a major and a minor – two subjects that they wish to specialise in, such as Mathematics, English, Humanities or the Sciences. When a student is studying at university to become an engineer, they too complete base knowledge education units. After this they can specialise as a chemical engineer, mechanical engineer or computer engineer. But decide to study cyber security and, interestingly, this educational format is not the same. Cyber students, certainly at my university, don’t get that same option to specialise. A cyber degree is focused on a very technically-oriented curriculum throughout the course. Of course, the technical elements are an important part of a cyber security education, but they are not the only part. For some students this is very challenging, as the technical aspects are not necessarily aligned to their skill set and certainly do little to support an ongoing enjoyment of the subject area for many. The net result of this is that many just don’t make it to the end of the university degree. Subjects such as ethical hacking, various forms of programming
and software reverse-engineering are useful in becoming proficient in cyber security, but so are psychology, education and social engineering. This entirely tech-driven pathway seems paradoxical, given the technology industry is screaming out for diversity and trying to encourage a plethora of people to join its ranks. If, as an industry, we understand the importance of attracting people from varying backgrounds, ethnicities and religions, why are we not providing diverse curricula that would support a range of different people? Our education system is simply not supporting the development of a range of cyber skills. Ultimately this will impact the type of students entering this sphere and potentially have a detrimental impact on the quality and diversity of people entering the industry. Right now, as an industry, for the most part, we are churning out a future workforce with the same knowledge, the same gender, the same background. If we are lucky, a few students slip through the cracks, but they are few and far between. So, what is the best way to encourage a variety of people into the cyber security field? Specialisation, and the ability to specialise in university degree subject matter, would be a great start. Specialisation at its core breeds diversity. It allows for participants of any industry to branch out to new areas of focus, or to zero in on a niche topic. Without specialisation, our doctors couldn’t aid the sick as effectively as they do today. A doctor that specialises in oncology may not be of much help to the patient that requires brain surgery or amputation. Specialisation should be used to encourage diversity, expansion and innovation. Aside from encouraging growth within the industry through the opportunity for diversification and specialisation, this approach would allow individuals to gain specific and valuable knowledge and expertise as subject matter experts. If our industry is going to grow its talent, this is the only way forward.
Like other degrees, this opportunity needs to be available within the core of learning. We do not need a course for pen-testers and programmers, one for those that wish to do digital forensics and one for those that wish to teach cyber. Instead, we simply require a choice of two options – to choose a technology-centric major, or a human-centric major, within a cyber security degree. For me, a better approach would be if the cyber security degree followed a pattern by which there are core units that must be taught to all students, no matter the major they choose to take. These units would take place in the first year and provide students with basic computer and cyber knowledge, such as programming, computer security, operating systems and such. Once year one was completed, students would branch out into their majors and begin to study their specialisation, along with a few other core units. In terms of the technology-centric major, students would study subjects such as various programming languages, software reverse engineering, ethical hacking and more, while the human-centric major would focus on information security, information warfare, psychology and others. Each major has its importance within the industry. All students, despite their chosen focus, need knowledge of
technology, so that they understand the methods used to create malicious attacks and the aims of the attacker, and as a result understand and have the ability to establish methods of defence. While it is all well and good understanding the technology that underpins the industry, it would also serve us well to consider some important questions: Who creates technology? People. Who creates malware and malicious attacks? People. Who falls victim to attacks? People. People are the root of cyber security. People are the cause. People are the reason it exists. People are the victims. Regardless of our knowledge of technology and our ability to create defences, it is only through the understanding of people – how they act and react, why they do what they do, how best to educate them – that we will truly aid the cyber security industry. I believe that through the implementation of ‘majors’ as options in our cyber security degrees, the industry will gain an opportunity to increase the diversity of not only the people entering this area, but also of student backgrounds, knowledge and skills, encouraging a variety of newcomers which would ultimately work for the betterment and growth of this field. For me, this is a relatively simple first step, which would not only support the growth and nourishment I have mentioned but would also provide greater insight and ability to deal with current issues and defend against future ones. Of course, this is the first step and certainly not the end game. I would call on academics to think carefully about this. Right now, the field of education is limiting its own enrichment, as well as the opportunity for a range of students to succeed, including those that don’t fit the current profile for the ‘industry type’. Do not limit our progression as a community by choosing the option not to consider a change to our education structure. Do not limit our capabilities, but rather choose to widen the catchment and embrace the change.
Teach our students to ‘dream big’. Teach our educators to ‘dream big’. Teach our employers to ‘dream big’……. teach the industry as a whole to ‘dream big’. Change is inevitable; diversity breeds innovation… Remember, cyber is the new space for hotdogs and unicorns…. If only we let it…. Nothing bad can come from learning to ‘dream big’.
About the Author
Emily Major-Goldsmith is a third-year Cyber Security student at Edith Cowan University. Along with her studies, Emily is the Vice President of CoSIM – a student organisation aimed at connecting students with industry mentors. Emily also works for Edith Cowan University teaching high school students a variety of computer science subjects. Emily is a keen supporter and advocate of anything to do with Women in STEM. As a cross-over student from the arts, Emily enjoys encouraging others – women and young people – into the science and mathematics arena and takes part in groups such as Kinetic IT Women in IT events and Women in Cyber Security.
Exploiting trust – the billion-dollar criminal industry
By Elliot Dellys
It has been almost two years since your last message to each other when an old friend emails you out of the blue. They are stuck in an airport on the other side of the world with no cash, no reception, and no-one else is responding. If you could send through $50 to cover an immigration fee, they will tell you all about it when they are back home. Despite some initial scepticism, you know they have been overseas from the endless stream of holiday snaps, so you decide to help them out and wire them the cash. The only problem is that instead of helping a friend in need, you have just put $50 into the pocket of a cybercriminal. It may sound absurdly simple, but social engineering scams just like this cost Australians $489 million in 2018, while globally, losses from scams exceeded an eye-watering US$2.7 billion in 2018. The number and types of scams doing the rounds at any given time to steal money or sensitive data are sobering. Some are highly sophisticated; others are less advanced. Some are mass-market scams. Others, like our stranded friend example, rely on knowing a little about who we are, picking an opportune moment, and exploiting our trust. The first part is easy. By leveraging information that people post publicly about themselves online (think Facebook, Instagram, LinkedIn, and Twitter), cybercriminals can put together a convincing story in no time. Take ACME Corporation’s CFO, Jane Doe, who is about to go on leave and posts on LinkedIn: “Off to Thailand next week, looking forward to some relaxation!” A cybercriminal takes note. Finding the opportune moment more closely resembles a magician’s sleight of hand than a technological attack. Since Ms Doe’s post, our cybercriminal has done their homework. They have set up an email address that looks very similar to Ms Doe’s and have kept track of the tone and content of her social media feeds. When Ms Doe posts “Time to board!”, our attacker springs into action.
Moments later, in this business email compromise scam, a mid-level finance officer receives a frantic email, apparently from Ms Doe: “Why has this invoice not been paid? My flight leaves in 10 minutes, sort this out now, or there will be hell to pay! Here’s the account number.” A call is made to validate the request, but by then her phone is already in flight mode. It may not be standard procedure, but when the CFO asks for something, it gets done. A few quick phone calls later, they pay the invoice and our cybercriminal is $240,000 richer. Business email compromise scams, in particular, have grown in popularity over the last few years, costing Australian businesses over $60 million – a 170 per cent increase over the $22.1 million reported in 2017. This form of attack is so effective because it requires very little technical expertise and exploits the most persistent of all vulnerabilities: human trust. Like our desire to help our friend out of a tricky situation, masquerading as a senior executive allows an attacker to bypass controls that would otherwise prevent such an attack. Timing, as we’ve seen, is also key, which is why, for example, ATO scams can be so prevalent around tax time. So, what can be done to defeat these types of attacks? Like spotting a three-cup monte, half the battle is recognising the scam when you see it. For the individual, understanding your ‘online footprint’ is critical. If a long-lost friend writes to you about that fun run you did together in 2009 and your university graduation ceremony, you are likely to believe they are who they say they are. If, however, you know those two events happen to be the first two results from a Google search of your name, the approach begins to look a lot more suspicious. From a company perspective, awareness is also vital. By educating staff on the predictable nature of business email compromise scams, organisations can drastically reduce the likelihood of falling victim. A hasty request sent during a busy period, or when the requestor is known to be on leave, should be an instant red flag. So too should any deviation from standard operating procedures, such as a change of account details or being unable to confirm the request via phone. While human trust will always remain a vulnerability to be exploited by enterprising criminals, a little bit of education can go a long way towards keeping you – and your funds – safe in cyberspace.
About the Author Elliot Dellys is a Principal Security Advisor at Hivint (a Trustwave company), with extensive experience delivering complex technical projects, teaching international audiences, and providing risk management and compliance advice across Government and Industry. Elliot is a firm believer that strong relationships and a collaborative culture are the keys to achieving meaningful security maturity and enjoys writing on the more general applications of cybersecurity in the fields of politics and ethics.
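The red flags the article gives for a business email compromise request (a sender address that only resembles the executive’s, a requestor known to be on leave, urgent language, changed account details, no phone confirmation) can be checked mechanically before a payment is released. The Python below is an added example, not code from the article or from Hivint; the ACME domain, the leave calendar, the account values and the three sample messages are all constructed.

```python
# Added example: mechanical checks for the BEC red flags named in the article.
# Every address, date and account value is constructed sample data.
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

TRUSTED_DOMAIN = "acme-corp.example"          # constructed: the organisation's real mail domain
ON_LEAVE = {                                   # constructed: leave calendar, mailbox -> (start, end)
    "jane.doe@acme-corp.example": (date(2019, 11, 4), date(2019, 11, 15)),
}
# Phrases that push a finance officer to act before checking; word boundaries
# keep "now" from matching inside "known".
URGENCY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bnow\b", r"\bimmediately\b", r"\burgent(ly)?\b", r"\basap\b",
    r"hell to pay", r"leaves in \d+ minutes")]


@dataclass
class PaymentRequest:
    sender: str            # address the mail actually came from
    claimed_identity: str  # mailbox the message purports to be from (display name, signature)
    body: str
    received: date
    payee_account: str     # account the email asks to be paid
    account_on_file: str   # account the ledger already holds for this payee
    phone_confirmed: bool  # requestor reached on a known number, not one given in the email


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(req: PaymentRequest) -> Tuple[str, List[str]]:
    """Return (decision, red flags). Any flag holds the payment until the request
    is confirmed out of band, the step the article's finance officer skipped."""
    flags: List[str] = []
    sender_dom = domain_of(req.sender)
    if sender_dom != TRUSTED_DOMAIN and domain_of(req.claimed_identity) == TRUSTED_DOMAIN:
        # Internal identity, external sender: a near-miss spelling of our domain
        # (the article's lookalike address) or a wholly unrelated one.
        if levenshtein(sender_dom, TRUSTED_DOMAIN) <= 2:
            flags.append("lookalike_sender_domain")
        else:
            flags.append("external_sender_claiming_internal_identity")
    leave = ON_LEAVE.get(req.claimed_identity.lower())
    if leave and leave[0] <= req.received <= leave[1]:
        flags.append("requestor_on_leave")
    if any(p.search(req.body) for p in URGENCY_PATTERNS):
        flags.append("urgent_language")
    if req.payee_account != req.account_on_file:
        flags.append("new_payee_account")
    if not req.phone_confirmed:
        flags.append("no_phone_confirmation")
    return ("hold_for_out_of_band_verification" if flags else "proceed"), flags


# Constructed sample: the article's scenario, sent from a domain with a zero for the "o".
SCAM_REQUEST = PaymentRequest(
    sender="jane.doe@acme-c0rp.example", claimed_identity="jane.doe@acme-corp.example",
    body="Why has this invoice not been paid? My flight leaves in 10 minutes, sort this "
         "out now, or there will be hell to pay! Here's the account number.",
    received=date(2019, 11, 5), payee_account="ACCT-NEW-PLACEHOLDER",
    account_on_file="ACCT-ON-FILE-PLACEHOLDER", phone_confirmed=False)

# Constructed sample: a routine request from the genuine mailbox, before the leave period.
ROUTINE_REQUEST = PaymentRequest(
    sender="jane.doe@acme-corp.example", claimed_identity="jane.doe@acme-corp.example",
    body="Please process the attached quarterly invoice by the end of the month.",
    received=date(2019, 10, 28), payee_account="ACCT-ON-FILE-PLACEHOLDER",
    account_on_file="ACCT-ON-FILE-PLACEHOLDER", phone_confirmed=True)

# Constructed sample: the same claimed identity writing from an unrelated webmail domain.
WEBMAIL_REQUEST = PaymentRequest(
    sender="jane.doe.cfo@webmail.example", claimed_identity="jane.doe@acme-corp.example",
    body="Can you settle the attached invoice this week?", received=date(2019, 10, 1),
    payee_account="ACCT-ON-FILE-PLACEHOLDER", account_on_file="ACCT-ON-FILE-PLACEHOLDER",
    phone_confirmed=True)

if __name__ == "__main__":
    for name, req in (("scam", SCAM_REQUEST), ("routine", ROUTINE_REQUEST), ("webmail", WEBMAIL_REQUEST)):
        print(name, *triage(req))
```

The scam message trips all five flags, the routine one none, and the webmail one only the identity check, which is the point: the decision never rests on a single cue, and the hold is cleared only by reaching the requestor on a number already on file.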
Cyber professionals and personal liability
How to avoid being the scapegoat when things go wrong
By Jen Tan
As security professionals, we focus on minimising the risk and liability flowing from a security incident. And rightly so – after all, that is our job. However, in a crisis it is human nature to find someone else to blame, and since we work on the basis of “when, not if” a cyber incident occurs, it is only a matter of time before the focus shifts to you. Have you stopped to consider your liability and risk? You will find that most of us fall into one of the following categories:
1. C-Suite security executives – such as CISO, CIO, CSO and CTO;
2. Internal security staff – such as managers, advisors, architects, consultants, and specialists;
3. External security providers.
C-Suite Security Executives and Senior Managers
This role is one of the positions most often held accountable when a security incident occurs. In the US, security breaches often drag executives into litigation, and it won’t be long before we see this trend in Australia. If you are a senior manager and your title does not include the words “chief” and “officer”, you could still be treated as an “officer” depending on your level of involvement and control, and be made personally liable. Your high level of responsibility increases the potential exposure and risk to your reputation, brand, remuneration, job security, and most importantly, personal liability. Sure, the Privacy Act, which introduced the notifiable data breach regime last year, imposes significant fines only on companies that fail to comply with those requirements. However, recently regulators have successfully used a “stepping stone” approach to allocate personal liability by first bringing an action against the company for an alleged contravention, then pursuing an individual for personal liability for breach of duties which resulted in the company not complying with its legal obligations.
It is not just directors who can be personally liable. There have been cases showing that personal liability can flow down to executives and senior managers who are found to be “officers”. You can be found to be an “officer” if you make or participate in making decisions that affect a substantial part of the business, or have the capacity to compromise the company’s financial standing, or if the directors are accustomed to act under your instructions or wishes. It is easy to overlook the fact that officers have duties imposed on them, as do directors, such as the duty of care and diligence, and the duty of good faith. So how can you protect yourself, as a security professional? Here are a few ways. Given that a breach of the Privacy Act could lead to personal liability, you should:
1. Familiarise yourself with legal matters with which you have never previously dealt. Understand the legal obligations under the Privacy Act and the notification obligations under other legislation and third-party contracts, understand the communication procedure with third parties and other stakeholders, and be involved in the preparation of the external communications plan for data breaches, including:
a. Understanding what defines a data breach under the Privacy Act, and when you need to notify;
b. Implementing reasonable measures to determine when you must notify of a data breach;
c. Having a legal section in your incident response management plan for personnel to determine when it is necessary to notify, and which process you should follow. It would help if you also planned how to deal with contractual obligations with third parties if required.
2. Understand that your company’s in-house legal team and external lawyers work for the company, not you, and would not advise you on how to protect yourself from personal liability. Directors often seek independent legal advice, and you should do the same.
3. Understand your employment contract to determine where liability/responsibility lies. Some executives have gone to lengths to ensure their contract places full responsibility for security decisions with the CEO. Know your obligations and exposure, and negotiate if you can.
4. Obtain a deed of access, indemnity and insurance from the company. Deeds are entered into between a company and its directors/executives and can benefit you by:
a. Providing you with indemnity; the company would be responsible for your liabilities to third parties (for example, shareholders and other stakeholders) provided you acted in good faith;
b. Extending rights of access to the company’s books (to defend yourself in litigation when you have ceased to work for the company);
c. Requiring the company to provide you with adequate insurance.
As this deed gives you additional rights and protection, companies may not be forthcoming in offering this. It is up to you to raise it, and if the company doesn’t have one, you may have to prepare one to present to the company. Don’t worry; it is not a complicated document and won’t cost a fortune to develop.
5. Check whether you are covered by Directors’ & Officers’ Insurance, and get help to review the terms to see if you are adequately covered and to understand the exclusions.
6. Record everything in writing, including discussions with your board and other executives such as your CEO, COO and CFO. Record all of your recommendations, the board’s responses, and the decisions made (particularly where they deviate from your recommendations, and who made those decisions). This record can help you to establish a defence if the spotlight is on you as to whether you have adequately discharged your duties.
7. Create an interdisciplinary team which includes in-house technical, business and legal teams, and external technical and legal experts, in your cybersecurity strategy. This team spreads the risk and responsibility across multiple units and fosters accountability and collaboration with experts with appropriate skills and expertise.
8. When there is a security incident, involve lawyers early on and include them in communications. By adding legal stakeholders, you establish legal professional privilege and protect relevant communication from disclosure in court.
Internal Security Staff
You do your job well, think outside the box, and you’re possibly encouraged to think like a hacker in uncovering potential security exposures, before coming up with innovative solutions. You’re an employee, so you consider your company liable for everything that you do. Yet, as an employee, you are still exposed to personal liability in certain situations (although this is rare). This could be liability to your company, for example, by accessing, copying, using or disclosing information without the company’s consent, as this could lead to you breaching your duty of confidentiality under your employment contract, infringing intellectual property rights, or misusing your position or information obtained by reason of holding your position. You may also be liable to third parties if lines are blurred and you end up going beyond the scope of your instructions, are negligent and that negligence is the result of severe or wilful misconduct which causes damage, or if your actions did not occur in the course of your employment. Your best course of action is to understand your employment contract and obligations, and also to record and follow your instructions carefully (particularly in situations where you are asked to find your company’s security exposures).
External Security Product and Service Providers
We are all working on a customer’s cybersecurity to protect them from threats. However, when customers suffer security incidents, they will not just look internally at their staff, but will also look at external providers to share in their liability. We know that customers look to us for our expertise and products, but did you know that this is part of their risk allocation strategy to spread the risk and liability to their external providers? It is common for potential liabilities in service agreements to be tens of millions of dollars. Having reviewed numerous external security providers’ terms and conditions (including those in Defence), it is alarming how exposed providers are from a risk and liability perspective. If you are a service provider who also undertakes red teaming and penetration testing, then you should be aware that you need unambiguous and express consent, authorisation and approval for you to undertake such activity; otherwise your actions are likely to be illegal and could expose you to a range of criminal charges and penalties. You need to review your T&Cs and see whether they deal with these problematic areas, which can lead to significant liability:
1. The parameters around the information and access granted to you;
2. How the information that a customer provides to you can alter the service/advice you give;
3. The extent of the customer’s reliance on your services, products and deliverables;
4. What representations and warranties you are required to provide;
5. Whether you have restricted the use of your deliverables and the reliance by third parties;
6. Whether you have been given express consent, authorisation and approval for the activities you undertake;
7. What your obligations are with accessing confidential information and what the limitations on disclosure are;
8. How you have limited or restricted the use of any of your intellectual property rights in the services, products and deliverables you provide;
9. The consequences of any variations to your engagement or scope of services;
10. The extent of any limitations and exclusions of your liability;
11. The extent of any indemnities that you are required to provide to cover your customers’ liabilities (which can be significant).
You’re busy growing your business and managing your customers’ cybersecurity risks and liabilities, and that’s great. But it would help if you focused on your own liability. You do so by having comprehensive and detailed T&Cs that have been properly drafted and reviewed, and by having specific instructions and a scope of work which is appropriately updated to accommodate variations. You also need to ensure that your business insurance policies adequately cover you for all of the work that you undertake, and the potential liabilities that you can incur.
About the Author
Jen is a recognised senior cyber security lawyer who has spoken on numerous panels and presented on key legal issues in cyber security around Australia.
She assists security providers with their legal needs at every stage of their business (from capital raising, structuring, contracts, to risk management and insurance policy review), and also collaborates with them in providing a comprehensive service to customers by combining the technical and legal aspects of cyber security (such as in incident response management plans). She also acts for senior executives in managing their personal liability, and regularly advises ASX listed public and private companies with their legal obligations under the Privacy Act, the GDPR and on their contractual cyber risks and liabilities.
Selecting communications tools that enable remote work but also ensure security
By Rob Malkin, VP of APAC Sales, Lifesize
As trends surrounding remote work and flexible schedules proliferate, so too does the multitude of tools that enable teams to connect and collaborate wherever they are. Video conferencing, which has been around in some (now seemingly archaic) form or fashion for the majority of the current generation’s professional careers, plays an increasingly pivotal role in making those connections more personal and that collaboration more productive. In fact, according to a recent survey we conducted of more than 1300 full-time professionals, 43% use video conferencing to work remotely or from home and an equivalent 43% use video to improve team productivity when in different locations. Those numbers will only increase as more remote and flexible work occurs. In parallel, another trend that will see rapid acceleration is the use of personal mobile devices for remote participation in that video communication. All those employees, devices and communication tools radiating out to all corners of the globe may be a boon for the workers themselves, but it can produce a nightmare management scenario for IT organizations. Especially when distributed teams are left to their own devices (figuratively, this time) to figure out the best way to meet and collaborate, they end up making decisions and procuring tools that are well outside of IT’s field of view, potentially opening up the organization to a host of security implications, uncertainties and concerns. As my colleague Michael Helmbrecht astutely observed, “In many respects, communication services represent the ‘last mile’ in information security.” In this freemium “land-and-expand” era, where employees download or purchase their own communications tools, it’s rare that IT teams still have the opportunity to evaluate, approve and manage every single communications service, app or SaaS tool that makes its way into the business.
Still, they should be able to have the same peace of mind when it comes to the security layer underpinning those tools as they do when deciding on a more traditional front-door IT purchase. The list of security requirements should not change just because an individual, team or line of business decides to subscribe to, provision and pay for a service using a credit card that keeps the communication tool off IT’s management radar. Here are some simple questions anyone (not just IT) can and should consider when acquiring the communication tools that enable remote work and distributed teams:
• Where do the solution’s security mechanisms end, and where is our company expected (or obligated) to pick up and provide our own mitigation of security threats?
• Are security best practices like two-factor authentication, integrations with single sign-on (SSO) platforms and keeping services behind established firewalls being followed or circumvented?
• Is all media, signaling and stored content within my communications encrypted? Is that automatic, or is it left to us to discover and enable manually?
• Is the product or service built on top of WebRTC so it can run natively in popular browsers, on both mobile and desktop devices, and does it adhere to those browsers’ security controls?
• How does the provider of this tool ensure that bugs and vulnerabilities are addressed through software updates? Are apps updated automatically to be sure that they’re on the latest version, or do we have to discover that an update is available and install it ourselves?
• If the latter, can it be deployed centrally (aka should we engage IT for air cover) or are we expected to manually update apps ourselves?
To be clear, enabling remote and flexible work arrangements is a good thing; it’s one of the chief ways that companies are effectively attracting talent from the younger generations now driving our workforce. The communication tools that underpin that future of work by making connection and collaboration more seamless are fundamentally good as well. However, we can’t afford to be lulled into a false sense of security and fail to take a critical eye toward the secure foundation, features and functionality that ought to be protecting us as we use them.
Better security through collaboration and reuse
By Vaughan Castine
To misquote William Gibson: security is already here, it is just not evenly distributed. This is a great way to sum up my viewpoint over the last few months, culminating in my impressions from the Perth BSides security conference in September. During the BSides talks I was pleased to hear about the great initiatives happening locally to strengthen governance, risk and compliance. We’re not just talking about initiatives such as policy adoption, attribute profiling, threat modelling and escalating risks to the board (not to diminish the value of any of these; in fact, if you aren’t tackling these, make sure you add them to your to-do list), but there are also great strides happening with CI/CD pipelines, continuous testing and real-world incident response testing. (Note: torturing your work colleagues by running an unannounced red team disruption makes for a great talk but might find you drinking alone at the next work social event.) Our industry has come a long way over the last couple of years, and that transformation journey is being lived and reflected by the people on the frontlines. I spoke with many security professionals who are supporting their
business and working with business leaders to identify the assets, the potential risks and the protection requirements. There are fewer murmurs from security professionals complaining that "the business doesn't get it" and "it's all the fault of the end user." It is refreshing to see this change. Thankfully, focus hasn't just shifted to the latest shiny new tools that vendors promise will fix the business issues and sort out world hunger at the same time. The best initiatives I’m seeing are not attempting to reinvent the wheel. They are adopting, tailoring, and building on top of industry recognised standards and frameworks. Whether we are taking the lead from NIST, CIS, SANS, ISO, OWASP, ASD, Mitre, SABSA, Lockheed Martin, AWS, Microsoft or others (there are plenty to choose from; I won’t start a religious war by trying to pick a favourite), we must recognise that all of these can uplift the posture a typical enterprise is starting from. All these frameworks and approaches have had more rigour applied to them than the processes most individuals dream up, especially those based upon personal experience. Starting with these strong foundations creates an opportunity to use our experience to build something greater, and to
refine the industry knowledge by tailoring how we apply this in our work. Having said that, there are still pockets where I find people trying to carve out security architecture in isolation. Or worse, implementing products without consideration of what value they bring and how they fit into the broader picture. Rather than acting as part of the whole enterprise, these people work within isolated bubbles that are drifting further and further from relevance. This desire to treat their role as separate from the entire organisation ecosystem misses the point. The aspiration to be entirely interchangeable between companies does little to address the nuanced differences between organisations, little to deliver on the possibilities available today, and will be counter to the careers of the individuals pursuing this path. Thankfully, this attitude isn't pervasive. Sidebar: In case you missed the point from the last paragraph, I'm strongly in favour of security practitioners understanding the business that they work within, engaging with people that work outside of information technology, and taking a holistic business view that becomes an enabler rather than a blocker. Within business
there are always priorities and trade-offs that get made, but if you are pragmatic in your approach, have done the work to understand the different viewpoints, identify risks and keep stakeholders informed, then while you might not win all battles, your win rate will improve. It would be remiss of me not to mention the BSides Capture the Flag competition. It has been nearly 10 years since I was employed to do commercial penetration testing work within a software development company. Now my day-to-day activities keep my focus within the strategic and design space. So, the CTF is a bit of nostalgia, allowing me to act as a hobbyist, see what I can remember, and marvel at the speed at which some of the teams knock over the challenges. As a team of one I thoroughly enjoyed tackling this at a tourist pace (in fact I would forego my weekend newspaper sudoku ritual if I could keep plugging away at the challenges after the competition closed) and I am happy enough to admit I competed without my result being embarrassing. Give it a few more years until my daughters are competing and I might be a proud team member… or avoid talking about how they are showing me up. For all the recent commentary on skills shortage, the BSides weekend reminded me again that we have a strong, vibrant community here in Perth. We have great people with a desire to learn, who want to do more and do it better. I see this across the numerous industry events and meetups that I attend each month. We have the capability; it’s just a matter of whether we can stretch that to meet the capacity demands. Your participation in events like this helps spread that knowledge and can increase your ability to get more done. I know that many people in my network are not getting out there and discovering what they can learn or sharing their wealth of knowledge. All it takes is the time to get involved and to realise these are friendly people with goals like yours.
By now you’ve pushed on through an article that has meandered across so many topics, each of which could have spawned its own article with an actionable follow-up list. You can probably unpick and identify a number of those and make your workplace better if you do. However, the challenge I want you to focus on is this: think bigger, get involved, share and learn. If we all do this, we can improve our workplace, our industry and the world. If you disagree with me then get involved in the discussion, provide a better path, and in doing so you’ll still prove me right. The worst thing you can do is to try and do it alone.
About the Author
Vaughan Castine has over 25 years’ commercial experience in Information Technology and Security across sectors including financial services, insurance, education, mining, retail and government. His career has straddled product development and penetration testing within a software development house, through to infrastructure planning, operations and risk management for large enterprises. Vaughan thrives on the challenge of improving businesses through secure use of technology and enabling other professionals to do the same. His certifications include CISSP, CCSP, SABSA CF, and TOGAF.
Dawn of CASB – The return!
By Annu Singh
Cloud services are at the core of the IT infrastructure fuelling the digital strategy of enterprises today. A look at the statistics below highlights the rapid rate of adoption of cloud services:
• The public cloud service market is expected to reach $206.2 billion in 2019 worldwide. (source: Forbes)
• 83% of enterprise workloads will be in the cloud by 2020. (source: Forbes)
• 94% of enterprises already use a cloud service. (source: Flexera)
But concerns about security and compliance, coupled with BYOD and mobile devices that provide anytime, anywhere access to your organisation’s data, continue to dampen the euphoria of cloud adoption. Both cloud service providers and consumers are jointly responsible for security in the cloud. While the cloud service provider focuses on securing the data in the cloud and the enterprise on securing its premises, user behavior and shadow IT leave in-transit data vulnerable. There is a gap in securing the data which flows to and fro between the enterprise and the cloud service provider’s environment. This gap is addressed by security tools collectively termed Cloud Based Access Security Brokers, which extend the cover of an organisation's security policies by acting as a proxy between cloud apps and users.
What is CASB?
The term Cloud based access security broker (CASB) was coined by Gartner in 2012. In simple terms, CASBs represent an emerging market of products and services that provide cloud security solutions between cloud solution providers and the enterprise’s on-premise security policy perimeter. Gartner defines CASBs as ‘on-premise’ or ‘cloud-based’ security policy enforcement points, placed between cloud service consumers and cloud service providers to combine
and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorisation, credential mapping, device profiling, encryption, tokenisation, logging, alerting, malware detection/prevention and so on’.
Key Aspects of CASB
CASB operates on four pillars: visibility, compliance, data security and threat protection. CASB provides visibility into user behavior by giving valuable insights into details such as users’ access to authorised and unauthorised applications, the devices used, their locations/departments, the data accessed, the frequency and time of access, the actions taken, and so on. Key compliance requirements to ensure internal and external security in the cloud under regulatory governance frameworks like SOX, HIPAA, NIST, ISO27001, GDPR and PCI are more comprehensively addressed under CASB cover. When data is stored in the cloud, the cloud service provider has access to the encryption key. With a CASB, the enterprise manages access to the key while implementing data protection measures like encryption, tokenisation and data loss prevention to bolster data security efforts. According to a study conducted by Kaspersky Lab and B2B International, 52% of businesses admit that employees are their biggest weakness in IT security:
• Most worry about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).
• Employee carelessness contributed directly to 48% of cyber security incidents, accounting for even more incidents than the theft of devices, which contributed to only about a third (37%) of incidents.
CASBs provide user behavior analytics and entity behavior analytics capabilities to distinguish suspicious from normal behavior, identify malware and develop threat intelligence. They also provide controls to prohibit unauthorised users and applications from accessing cloud services.
Types of CASB Deployments
CASBs can be deployed in three ways:
Reverse proxy: No special configuration or certificate installation is required in this type of deployment. The CASB replaces the Identity and Access Management (IAM) service as the first source of authentication; the cloud URL is owned and authenticated by the CASB and the request is then sent on to IAM.
Forward proxy: An intrusive deployment method, where end users are forced to route their traffic to the CASB through their devices or network. Users need to install self-signed certificates on the devices from which they access the proxy. It can be used for all application types, including client-server apps with hard-coded hostnames, but is difficult to deploy in a distributed environment with a mobile workforce.
API-centric: The CASB connects directly to the cloud service’s APIs. This allows the enterprise to monitor usage irrespective of how and where the cloud services are accessed, and it also covers usage from unmanaged devices outside the organisational network.
Major players in CASB
There are several players in the CASB market nowadays, but three major independent CASB vendors are CipherCloud, Netskope and Bitglass. Both Forrester and Gartner in their latest comparison reports named McAfee, Symantec and Netskope as CASB market leaders. CASB vendors offer different features and solutions and need to be analysed carefully to understand and match the enterprise’s needs.
What to look for in CASB solutions?
A comprehensive CASB solution should provide security for the enterprise data throughout the various stages of its lifecycle: in the cloud, at access, on the device, and on the enterprise network. While a CASB, as highlighted above, gives the enterprise control of its encryption key for data in the cloud, making unauthorised access harder, it can also limit the ability to search the encrypted text. When selecting a CASB solution provider, resiliency becomes vital in the face of rapidly changing cloud apps. A good CASB solution should address visibility, identity, access control and data protection. It should be able to give detailed insights into user behavior, audit logs and analytics capabilities, authenticate users directly through a single identity store such as a corporate directory or a third-party identity provider, and eliminate redundant records while effectively enforcing password policies. Furthermore, a good CASB solution should allow enterprises to define
their security policies based on the function of applications, specifying parameters like group or role within the organisation, device type or operating system, and geography (to restrict unauthorised access from certain regions or locations) in order to protect sensitive data. CASBs should help classify data according to the risks and sensitivity attached, so as to identify personally identifiable information and protect it as regulations require. Policies should be defined to take a range of measures to protect enterprise data. These measures can span from encrypting sensitive data, denying unauthorised access, blocking downloads and redacting sensitive data, to even deleting it from unauthorised devices if required.
On device: Organisations often pay attention to protecting data at rest in the cloud or access to the cloud, but equal risks emerge from the devices that employees use to access and download this data from the cloud. A good CASB should be able to enforce basic security policies like password and encryption requirements on devices accessing authorised data, allow client-side file encryption, identify the source of data leakage and unauthorised access through proper data tracking processes, and raise warnings, alerts and alarms when a device is compromised or in the case of a potential threat. A CASB should also have the capability to delete data from devices in scenarios such as device loss or employee resignation.
On the network: Every organisation has a defined set of IT systems, software and applications explicitly approved by its IT department for use. But with the rise of open source and cloud apps, instances where employees use unapproved software and apps are on the rise. This exposes enterprises to risks associated with shadow IT, like data leakage, malware threats and compliance issues. BYOD and SaaS make restricting access to cloud apps even more difficult for enterprises. A good CASB should help discover, categorise and identify enterprise cloud apps, along with monitoring capabilities.
It should be able to aggregate the firewall and proxy logs across enterprise to get a list of all apps in use within the enterprise.
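Two of the capabilities just described, cloud-app discovery by aggregating proxy logs and policy enforcement by group, device and geography, can be simulated in a short script. The code below is an added example, not code from the article or from any CASB vendor; the log format, host names, app catalogue and policies are all constructed for illustration.

```python
"""Toy CASB: shadow-IT discovery from proxy logs plus ordered policy enforcement.
Everything here (log format, hosts, policies) is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed proxy log, one record per line:
# time user group device os country host action bytes
PROXY_LOG = """\
2019-09-02T08:01:12Z alice finance     managed-laptop windows AU files.example-drive.test download 524288
2019-09-02T08:03:40Z bob   marketing   byod-phone     ios     AU notes.example-app.test   upload   2048
2019-09-02T08:05:09Z carol finance     byod-phone     android RU files.example-drive.test download 1048576
2019-09-02T08:07:55Z dave  engineering managed-laptop linux   AU chat.example-collab.test view     512
2019-09-02T08:11:02Z erin  finance     byod-phone     android AU files.example-drive.test download 65536
2019-09-02T08:12:44Z bob   marketing   byod-phone     ios     AU files.example-drive.test upload   4096
2019-09-02T08:15:19Z carol finance     managed-laptop windows AU notes.example-app.test   view     256
"""

# Constructed catalogue of apps IT has explicitly approved (the "sanctioned" set).
SANCTIONED_APPS = {
    "files.example-drive.test": "Example Drive",
    "chat.example-collab.test": "Example Collab",
}
# Constructed geo-fence: access is only expected from these countries.
ALLOWED_COUNTRIES = {"AU", "NZ"}


@dataclass(frozen=True)
class Access:
    time: str
    user: str
    group: str
    device: str    # constructed labels: "managed-laptop" or "byod-phone"
    os: str
    country: str
    host: str
    action: str    # view / upload / download
    nbytes: int


def parse_proxy_log(text: str) -> List[Access]:
    """Parse the constructed space-separated log; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue
        records.append(Access(*fields[:8], int(fields[8])))
    return records


def discover_apps(records: List[Access]) -> Dict[str, dict]:
    """Discovery step: aggregate per destination host and flag whether IT approved it."""
    apps: Dict[str, dict] = defaultdict(lambda: {"hits": 0, "users": set(), "bytes": 0})
    for r in records:
        apps[r.host]["hits"] += 1
        apps[r.host]["users"].add(r.user)
        apps[r.host]["bytes"] += r.nbytes
    for host, summary in apps.items():
        summary["sanctioned"] = host in SANCTIONED_APPS
    return dict(apps)


def shadow_it(apps: Dict[str, dict]) -> List[str]:
    """Hosts seen in the logs that are not in the sanctioned catalogue."""
    return sorted(host for host, s in apps.items() if not s["sanctioned"])


# Policies are evaluated in order and the first match decides (name, predicate, decision).
Policy = Tuple[str, Callable[[Access], bool], str]
POLICIES: List[Policy] = [
    ("block-unsanctioned-apps", lambda r: r.host not in SANCTIONED_APPS, "block"),
    ("geo-fence", lambda r: r.country not in ALLOWED_COUNTRIES, "deny"),
    ("finance-no-download-on-byod",
     lambda r: r.group == "finance" and r.action == "download" and r.device != "managed-laptop",
     "block_download"),
    ("encrypt-byod-uploads", lambda r: r.action == "upload" and r.device != "managed-laptop", "encrypt"),
]


def evaluate(r: Access, policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Return (decision, rule name); anything no rule matches is allowed and logged."""
    for name, matches, decision in policies:
        if matches(r):
            return decision, name
    return "allow", "default"


def enforce(records: List[Access]) -> List[Tuple[str, str, str, str]]:
    return [(r.user, r.host, r.action, evaluate(r)[0]) for r in records]


if __name__ == "__main__":
    recs = parse_proxy_log(PROXY_LOG)
    print("Unsanctioned apps in use:", shadow_it(discover_apps(recs)))
    for user, host, action, decision in enforce(recs):
        print(f"{user:6} {action:9} {host:26} -> {decision}")
```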
Future
CASB boosts the security stance of an organisation by helping with app discovery, implementing robust risk governance, and defining proper mitigation and geo-fencing policies. CASBs facilitate audits and compliance through automatic enforcement of security policies, flanked with analytical and monitoring capabilities to safeguard against subversive insider attacks and identity/credential misuse. CASB efficiently addresses the visibility and data security gaps that cloud app vendors leave for enterprises to address. CASBs have come a long way in the last decade and are now considered as important as firewalls. Gartner predicts that by 2022, 60% of large enterprises will use CASBs, up from the 20% that used them at the end of 2018. As Forrester predicts that cloud security will become a $112.7B market by 2023, it is safe to say that CASBs in their new, evolved and mature avatar are here to stay and grow as an integral part of the cloud security fabric of the digital enterprises of tomorrow.
Driving growth in Australia’s cyber security sector
From ideation to export, and everything in between, AustCyber works with:
• Startups
• Government agencies
• Research organisations
• Educational institutions.
• Venture capital funds
AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access:
• Funding across all stages of the commercialisation cycle
• Profitable global supply chains and growth markets.
The first step is to connect with us: www.austcyber.com
+612 9239 3250