THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 11, 2021
Security Threats on Australia’s Horizon
Enterprise server spending in Australia
Top 10 malware affecting Australians
Micro-Credentialling helps plug Australia’s cyber skills gap
Australian protective security renaissance
Australians in lockdown are hit hard by identity theft
The seven authentication best practices that support zero trust
Enrolments open for the 2022 ADF cyber gap program
Editor's Desk
Feedback loop - have your say!
Australia’s mobile wallet adoption surge creates new opportunities and challenges for merchants
Enterprise server spending in Australia to increase at 6.3% CAGR Over 2020-2025
Organised cyber criminal syndicates a growing threat for businesses: AusCERT 2021
Top 10 malware affecting Australians
Macquarie Telecom group reaches Milestone for Government security-cleared personnel
Enrolments open for the 2022 ADF cyber gap program
United We Stand – Divided We Fall - Security Threats on
Police chief defends accessing COVID tracing app data
Australian protective security renaissance
Scams increase by more than 50% in August as Australians in lockdown are hit hard by identity theft
Fortinet invests in Federal Government integration and innovation centre
What changes to the critical infrastructure act will mean to industry – Cyber Risk Meetup Highlights
Preparing Australian business for a Cyber-Attack
Sharpening the cyber security axe in Australia to stay in the race
Micro-Credentialling helps plug Australia’s cyber skills gap
Future of Network Infrastructure - on Cloud
Mitigating controls for ineffective patching
The seven authentication best practices that support zero trust
Hikvision vulnerability leaves surveillance cameras open to cyberattacks
OMIGOD vulnerability risk for Microsoft Azure cloud customers

Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij
Correspondents* & Contributors: Andrew Curran*, Sarah El-Moselhi*, Ralph Kooi, Steve Cropper, Maksym Szewczuk, Shantanu Bhattacharya, Louay Ghashash, Geoff Schomburgk, Fortinet, Proofpoint, Check Point Research

MARKETING AND ADVERTISING firstname.lastname@example.org
Copyright © 2020 - My Security Media Pty Ltd, GPO Box 930 SYDNEY N.S.W 2001, AUSTRALIA E: email@example.com

All Material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
Editor's Desk

"Our members share the Australian Government’s commitment to protecting Australians and Australia’s critical infrastructure against cyber threats [….] However, these two provisions would not accomplish that goal, would have significant unintended consequences that would decrease security in practice, and would set dangerous global precedents" - Letter to Minister for Home Affairs, The Hon. Karen Andrews MP from the Information Technology Industry Council (ITI), Cybersecurity Coalition, and the Australian Information Industry Association (AIIA), 14 October, 2021

Welcome back to the Australian Cyber Security Magazine and the last issue for 2021. There continues to be much debate on the most appropriate legislative approach to take in response to a sustained cybersecurity threat landscape. Critics of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 argue it is an extension in the long line of security related acts that could potentially give more power to the executive at the expense of individual freedoms of citizens. Despite years of warnings that legislation was needed but seemingly resisted, there is no doubt this is all being rushed through and with limited consultation with industry.

As a cover feature in this edition, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 will give the government power to defend networks of critical infrastructure providers under cyber-attack as a “last resort”. The Australian Federal Police and Australian Criminal Intelligence Commission will have the power to combat serious crime enabled by anonymising technology using three new warrants: network activity, data disruption and account takeover.

The Federal Government has also announced new criminal offences, tougher penalties, and a mandatory reporting regime as part of a new Ransomware Action Plan. The Plan follows the establishment of a new Australian Federal Police-led multi-agency operation which targets ransomware attacks that are linked directly to sophisticated organised crime groups operating in Australia and overseas, and shares intelligence directly with the Australian Cyber Security Centre as they utilise their disruptive capabilities offshore.

Significant action is clearly needed. In another report, commissioned by Cisco and conducted by Dynata, as Australian SMBs continue to digitise, with 85% having a digitalisation roadmap in place, cyber threats are mirroring the pace of digitalisation, with 77% of Australian SMBs more worried about cybersecurity now than 12 months ago.

The survey highlighted that SMBs saw a myriad of ways in which attackers tried to infiltrate their systems. Malware attacks, which affected 88% of Australian SMBs, topped the charts, followed by Phishing, which affected 70% of Australian SMBs, and Denial of Service which affected 64% of Australian SMBs. The number one reason highlighted as the cause of these incidents was cybersecurity solutions not being adequate to detect or prevent the attack. More than a third (37%) of those that suffered incidents ranked this as the top factor. Meanwhile, 32% ranked not having cybersecurity solutions as the number one reason. These incidents are having a tangible impact on business. Of those that suffered cyber incidents in the past year, 1 in 3 Australian SMBs said these have cost their business more than $1.3 million.

The ACSC Annual Cyber Threat Report 2020–21, released in mid September, the second unclassified annual cyber threat report since ASD became a statutory agency in July 2018, highlights the key cyber threats affecting Australian systems and networks. Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of cyber attack every 8 minutes compared to one every 10 minutes last financial year.

Abigail Bradshaw, Head of the ACSC confirmed, “As Australia’s dependence on the internet for work, information, access to services, or even just to stay in communication has increased as a consequence of the pandemic and lockdowns, so too has the threat surface increased enormously.” In addition to the pandemic, the report identifies five other key cyber security threats and trends over the last year. They include the disruption of essential services and critical infrastructure, the rise of ransomware, rapid exploitation of security vulnerabilities, supply chain threats, and business email compromise incidents.

Consider also our last edition which highlighted Australian and international partners calling out the malicious cyber activities by China’s Ministry of State Security. On the back of announcements such as AUKUS, actions by competitive and combative nation states, such as China, are a significant threat and the Australian Government is responding to a Cyber Cold War, or worse situation. Their intent is clearly seeking to trigger business and industry to prepare themselves as we move further to a digital economy – including with the ability to force the 11 critical infrastructure sectors to take necessary measures for the sake of national security. Yet, as the letter referred to above shows, the Morrison Government struggles with engagement.

The Security 2025 Report, commissioned by Australian Security Industry Association Ltd (ASIAL) and conducted by the Australian Security Research Centre, found Australia will not be equipped to handle future security challenges unless governments, business and the Security Industry work as a team to bring about much needed reform, collaboration and planning. The report’s Head Researcher, Dr Gavriel Schneider said the key to Australia’s future security wellbeing is to move quickly to a more collaborative approach in which government, business and the Security Industry work together, instead of in isolation.

In this edition, we partner with AustCyber to amplify #AUCyberWeek2021 and provide a broad set of articles and market updates. Maksym Szewczuk writes of the protective security culture in Australia undergoing a renaissance and we outline the proactive considerations being taken across multiple sectors and which confirms that the growth of cyber security in Australia lies in education. That is, in the education of ourselves but also the education of government, industry and businesses, large and small.

Finally, we include links through to our many interviews conducted as part of our MySec.TV Tech & Sec Weekly Series and the latest Cyber Security Weekly Podcasts. As always, there is so much more to touch on and we trust you will enjoy this edition of Australian Cyber Security Magazine. Enjoy the reading, listening and viewing!

Chris Cubbage CPP, CISA, GAICD
Executive Editor
NIST CYBERSECURITY FRAMEWORK PRACTITIONER

ALC has recently introduced a new certification to its flagship line-up of courses, addressing the growing trend and need of practitioners in the region who either wish to use, or have been requested to use, the NIST Cybersecurity Framework. Emanating from Executive Order 13636 Improving Critical Infrastructure Cybersecurity signed by former President Barack Obama in February 2013, version 1 of the Framework was released one year later on 12 February 2014. Version 1.1, released in April 2018, added the supply chain or what we refer to as the Extended Enterprise.

The benefit of using the Framework is that it provides guardrails and structure when assessing the activities and assets associated with the most critical parts of a business. As delegates discover, the Framework is not a standard, such as PCI DSS or ISO 27001, nor is it set in stone – it is extensible, allowing users to modify and adapt the Framework to the unique needs of their organisation, including the use of multiple protection profiles; adding, deleting, or customising categories and sub-categories; and adding in new informative references.

ALC’s new course, NIST Cybersecurity Framework Practitioner, guides participants through the generic Framework, giving extensive in-depth examples of the theory. Even though NIST emanates from the US, the course does not have a US-centric orientation. Special effort has been made to ensure both a practical and a regional flavour by use of an extended case study throughout.

The case study and corresponding exams allow participants to better reflect on the virtues of the Framework, in that an organisation is part of what is referred to as critical infrastructure. Participants discover what sector the case study is set in, the reliance on other critical sectors, and where they are placed within their own sector. This allows a better understanding and a dialogue to be established for the cyber resilience functions used during and after an attack.

The first course ran 2-6 August 2021 using virtual, instructor-led training, and was enthusiastically received by delegates from Australia and Malaysia who were not only challenged with the theory and concepts, but performed well in the case study, mock exam and final exam. Well done to all of you! ALC looks forward to continuing on its journey from having successfully launched a new course to embedding it as part of the ongoing curriculum for meeting the needs of cyber security professionals. I look forward to the next course scheduled for November, 2021.

Peter Nikitser
Director, ALC Cyber
WRITE FOR US!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:
• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)
If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: firstname.lastname@example.org
Interested in Blogging?

You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at: email@example.com
Australia’s mobile wallet adoption surge creates new opportunities and challenges for merchants
By Ralph Kooi, Australia’s Country Manager at ClearSale

Australia was already a leading market for cashless payments and digital wallets before the pandemic struck. Now, the need for contactless and convenient payments has accelerated the mobile wallet use trend dramatically. This shift in consumer behaviour creates new options for merchants to improve their customer experience, build loyalty and increase the average lifetime value of their customers. However, payments that go through a digital wallet provider also present a unique set of fraud-control challenges. Managing those risks will be the key to unlocking the most value from the opportunities that Australia’s mobile payments shift offers.

What’s driving the shift to mobile wallets over cards?

For in-person transactions, a digital wallet’s near-field communication (NFC) capabilities let users check out without having to touch a point-of-sale terminal—an appealing feature at a time when physical distancing and hygiene are crucial to safety. For online transactions, digital wallets’ stored payment and shipping information removes the need for shoppers to interrupt their browsing to find their credit card and key in their information online. That makes it easier for shoppers who are scrolling from their couch or their verandah to complete their purchases.

AUSTRALIANS’ MOBILE WALLET USE, OPTIONS GROWING FAST

For all these reasons, total digital wallet use increased by 90% in the year after March 2020, according to a Commonwealth Bank (CBA) report. CBA also found that the total digital-wallet transaction value during that time more than doubled, increasing by 110%. Those findings are complemented by a global study showing that 24% of Australian ecommerce payments in 2020 were made with digital wallets. Worldpay/FIS now forecasts that digital wallets will be the market’s top payment method for online purchases by 2024.

Consumers have a growing list of digital wallet options, as more technology and fintech companies enter the market. In addition to mobile wallet services by tech giants PayPal, Google, Apple and Samsung, there are also bank-sponsored wallets like CBA’s tap-and-pay, Visa Checkout and Mastercard Masterpass, as well as smartwatch- and wearable device-based digital wallet offerings from Garmin, Fitbit and Apple.

CX IMPROVEMENT OPPORTUNITIES FOR MERCHANTS

Findings from a 2021 ClearSale survey of more than 1,000 Australian online shoppers highlight the ways that adding digital payment methods can increase cart conversions and inspire customer loyalty. First, there’s the issue of customer habit and preference. More than three quarters of Australian shoppers are already using digital wallets. Thirty-six percent of Australian consumers say they always use a digital wallet to pay online when they have the option, and another 40% say they do so sometimes. By giving customers the payment methods that they already prefer, merchants can avoid losing customers to competitors with more appealing checkout options.

Digital wallet payments can also help merchants overcome three common causes of cart abandonment: customer worries about the security of their payment data, impatience with complex checkout processes, and pre-purchase account-creation requirements that merchants impose to collect customer data. More than one-third of consumers surveyed said they’ve abandoned online purchases because they didn’t trust the merchant website with their credit card data and because the checkout process took too long or was too complex. Nearly one-third (32%) said they’ve ditched an online cart because the merchant wanted them to create an account.

With a digital wallet option, merchants never see the data for the card or bank account the customer uses to fund the transaction. Because wallets also store the customer’s billing and shipping information, they can be configured to autofill that information into the store’s checkout forms. That speeds up the process and gives merchants the information they need without requiring customers to create an account with the store.

CHALLENGES OF ACCEPTING DIGITAL WALLET PAYMENTS

With innovation come new challenges, and mobile wallets are no different. Online fraud has increased since the start of the pandemic, and FinTech Magazine reports that mobile payments have seen an increase in friendly fraud—customers making purchases, receiving their items and then claiming that the goods were damaged or never arrived, so they get a refund. The same report found that merchants are less successful at contesting chargebacks on digital wallet payments.

Merchants who accept digital wallet payments need to be aware of this issue and address it proactively by adding end-to-end package tracking as well as another layer of fraud detection, rather than relying on the digital wallet provider to vet those transactions. By pulling in customer behaviour and purchase history data to evaluate orders, AI-driven fraud protection can help detect serial fraudsters and block their orders.

However, tightening fraud controls can also raise the risk of more false declines, which can drive away customers and cost merchants revenue, from the rejected order as well as any future orders that customer would have placed. The Australian consumer survey found that 17% of shoppers strongly agree that they will “never place an order with the same merchant” after a decline, and another 26% moderately agree with that statement. A total of 30% agreed that they “will post a negative comment” about the merchant on social media.

To balance the need for more order screening with the need to avoid declining good customers, merchants need to add a manual review layer, so that experts review flagged orders before a decision, rather than letting the AI system reject suspicious orders automatically.

Mobile wallets are fast becoming the future of online payments in Australia, and merchants who want to meet customer expectations will offer digital wallet options. A combination of delivery tracking, nuanced order screening and manual review can help merchants get the benefits of digital wallet payments while minimising the risks.

About the author

Ralph Kooi is the Country Manager Australia at ClearSale, a full-service cloud based platform that automates Fraud Prevention, allowing businesses to increase sales while reducing risk. ClearSale is the only company that never automatically declines an order before a manual review process, which allows us to achieve industry-high approval rates while eliminating false declines and brings in additional revenue for our customers. Ralph Kooi has previously worked for several International SaaS businesses while based in Australia.
Enterprise server spending in Australia to increase at 6.3% CAGR Over 2020-2025
By MySecurity Media
Courtesy of Global Data

The total addressable market size of enterprise servers in Australia, in terms of spending opportunity, is poised to grow at a compound annual growth rate (CAGR) of 6.3% to reach US$1.3bn in 2025, led by the ongoing enterprise digital transformation initiatives and IT modernization efforts, says GlobalData.

The report, GlobalData Market Opportunity Forecasts to 2025: ICT in Australia, reveals that Australian enterprises are increasingly adopting cloud-based IT infrastructure to support their ongoing digital transformation initiatives. This includes remote working enablement, and adoption of online/ecommerce services, which will also help drive the demand for servers not just for public cloud services but also for private cloud and traditional IT deployments.

“Growing adoption of disruptive technologies such as AI, IoT and big data and analytics by enterprises to improve their operational efficiency and enhance their digital services will necessitate investments in robust compute infrastructure that can support such workloads between 2020 and 2025,” said Saurabh Daga, Technology Analyst at GlobalData.

Data center capacity expansions seen in recent times will additionally support the country’s servers market. In May 2021, DCI Data Centres announced plans for setting up of a new facility in South Australia. Similarly, in July 2021, Macquarie Telecom announced a new data center in New South Wales, serving corporate as well as government customers.

Australia’s focus on digital technologies as key enablers of post-COVID-19 economic recovery also augurs well for the server market in the country. In September 2020, Australia announced the AUD1.2bn (US$868m) Digital Economy Strategy, aimed at making Australia a leading digital economy by 2020. The ‘Digital Economy Strategy’ will not only boost the adoption of digital technologies such as cloud, 5G, blockchain etc. in the country but also stimulate the demand for key IT infrastructure components such as servers and storage.

Among the enterprise server segments comprising hardware and managed server services, enterprise spending on managed server services is set to grow at a faster CAGR of 8.4% over 2020-2025.

“While most enterprises in Australia have come out of the COVID-19 induced slowdown, the need to keep their IT spending in check will prompt them to consider third-party management of their server environment. Additionally, growing complexity of deploying and managing advanced server infrastructure in-house is also likely to encourage enterprises to choose managed service providers,” said Mr Daga.

Server hardware will account for the largest share of the overall enterprise server spending opportunity through the forecast period. Within the hardware segment, low-end servers will contribute the largest share of the total market value followed by mid-range and high-end servers respectively.

“While the large enterprise segment (1,001+ employees) will account for the largest share of the total enterprise server spending in Australia through the forecast period, the combined spending of micro (1-50 employees), small (51-250 employees) and medium (251-1,000 employees) enterprises will increase at a marginally faster CAGR of 6.4% over the forecast period. The federal budget’s provisions for setting up of a National AI Center and 4 AI and Digital Capability Centers to accelerate the adoption of transformative digital technologies among SMEs will be the key driver for growth of server spending in this segment,” concluded Mr Daga.
Top 10 malware affecting Australians Courtesy of Check Point Research
heck Point Research (CPR has published its latest Global Threat Index for August 2021 and identified the top 10 malware affecting Australians in August. Concerningly, FluBot has re-entered the list, impacting 1.48% of Australian cyber security cases. The Android malware easily accessible, and is distributed via phishing SMS messages, often impersonating logistics delivery brands such as voicemail notifications. Formbook has jumped from third position up to the top spot within the last month, impacting 2.96% of Australians. Known for its strong evasion techniques and relatively low price, FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
threat actors behind this malware, utilise this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organisation itself, prior to delivering a company-wide targeted ransomware attack. 2.
Formbook, ↓ 2.41% (percentage of Australian cyber incident cases impacted by this specific malware) First detected in 2016, FormBook is an InfoStealer that targets the Windows OS. It is marketed as MaaS in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
Cosmu, ↑ 1.57% (percentage of Australian cyber incident cases impacted by this specific malware) Cosmu is a PC Trojan that tries to put a computer at risk of having additional malware downloaded without notice to the computer user. The malware would try to communicate with a remote server where it can download malware files and further infect the system.
Tofsee, ↑ 1.33% (percentage of Australian cyber incident cases impacted by this specific malware. Tofsee is a backdoor Trojan, operating since at least
Top 10 Malware in Australia for August: 1.
16 | Australian Cyber Security Magazine
Trickbot, ↑ 3.26% (percentage of Australian cyber incident cases impacted by this specific malware) Trickbot is a modular Botnet and Banking Trojan that targets the Windows platform, mostly delivered via spam campaigns or other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules: from a VNC module for remote control, to an SMB module for spreading within a compromised network. Once a machine is infected, the Trickbot gang, the
2013. Tofsee serves as a multipurpose tool that can conduct DDoS attacks, send spam emails, mine cryptocurrencies, and more.
5. Ursnif, ↑ 1.33% (percentage of Australian cyber incident cases impacted by this specific malware) Ursnif is a Trojan that targets the Windows platform. It is usually spread through Exploit Kits, including Angler and Rig in their day. Ursnif steals information related to the Verifone Point-of-Sale (POS) payment software. It contacts a remote server to upload collected information and receive instructions. Moreover, it downloads and executes files on the infected system.
6. Dridex, ↑ 1.21% (percentage of Australian cyber incident cases impacted by this specific malware) Dridex is a Banking Trojan that targets the Windows platform, observed delivered by spam campaigns and Exploit Kits, which relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system and can also download and execute additional modules for remote control.
7. Remcos, ↑ 1.09% (percentage of Australian cyber incident cases impacted by this specific malware) Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents which are attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
8. Flubot, ↓ 1.09% (percentage of Australian cyber incident cases impacted by this specific malware) FluBot is an Android malware distributed via phishing SMS messages, most often impersonating logistics delivery brands. Once the user clicks the link inside the message, FluBot is installed and gets access to all sensitive information on the phone.
9. Glupteba, ↑ 0.84% (percentage of Australian cyber incident cases impacted by this specific malware) Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public Bitcoin lists, an integral browser stealer capability and a router exploiter.
10. Yakes, ↑ 0.84% (percentage of Australian cyber incident cases impacted by this specific malware) Yakes is a Trickler that targets the Windows platform. This malware creates a new process of svchost and injects malicious code into it. The malicious code is responsible for contacting a remote server, expecting to receive base64 encoded data. This data represents a URL to download malware on the infected system.
Macquarie Telecom Group reaches milestone for Government security-cleared personnel
By MySecurity Media, Courtesy of Macquarie Telecom Group
Macquarie Telecom Group has announced it has surpassed 200 government-cleared security staff, with plans to continue to grow that number, as it continues to invest in local skills and capability to protect Australia’s sensitive government and citizen data.
Surpassing 200 security-cleared staff is double the number Macquarie had only a year ago. The milestone means Macquarie has the largest cohort of security cleared staff of any Australian data centre and cloud service provider.
The clearances are Australian Government security accreditations governed by the Department of Defence. They require rigorous background assessments of individuals, security training, and certification to receive them, and permit access to classified information and resources up to and including the SECRET level.
The milestone comes as Australia continues to battle the war on cyberattacks on two fronts – skills shortages and rising cybercrime. AustCyber, the Australian Cyber Security Growth Network, predicted in its 2021 Annual Report that Australia will need over 10,000 additional cyber security specialists by 2025 in order to mitigate threats and protect our sovereign data. The prediction comes as Australian Cyber Security Centre (ACSC) data shows about one cybercrime is reported every 10 minutes.
Macquarie Government Managing Director Aidan Tudehope says the impact of cyberattacks against government are far more serious than those against private enterprises, due to the nature of the data in play.
“Attack attempts on government data and departments are far more frequent than what we see in enterprise settings,” said Tudehope. “Government holds the nation’s data crown jewels. It belongs to all of us, every single person in Australia in some way or another. Our government is entrusted to secure that data on behalf of every Australian. On the other hand, as individual citizens, we make the choice to share – or not – our personal data with private enterprises. These decisions are ours to make. With government data the decisions on where and how sovereign data is stored and protected is the responsibility of government. This also highlights the importance of the supply chain that is engaged to assist government with the storage and protection of that data. As one of those trusted suppliers, we see it as our responsibility to invest in the sovereign skills and security clearances needed to provide the Commonwealth with the level of capability that is required to support this vital national asset.”
At the state level, the company is also building a Sovereign Cyber Security Centre of Excellence (CSCOE) in partnership with the New South Wales Government. This will be housed in the company’s new Intellicentre 3 (IC3) Super West data centre in Sydney.
“At Macquarie we are – and have always been – committed to developing sovereign capability to support data storage and processing,” added Tudehope. “At Macquarie Telecom Group we are blessed to have hundreds of talented people who deliver the most dynamic cyber security capabilities in the country, supporting a prolific, ‘always-on’ and in-demand industry.
6clicks achieves IRAP assessment
Interview with
Jenai Marinkovic, cVTO/CISO, Emerging Trends Working Group
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CySA+, CPI, PMP
Findings from the global State of Cybersecurity 2021, Part 2 survey report from ISACA in partnership with HCL Technologies not only show that 41% of Australian and New Zealand respondents report an increase in cyberattacks on their organisation during the last year, but also that 62% expect that their organisation will experience a cyber-attack in the twelve months ahead. This second part to ISACA’s annual State of Cybersecurity 2021 survey report examines cyber threat landscape trends worldwide, including frequency and type of attacks, confidence in cybersecurity teams and cybersecurity awareness initiatives, nuances related to security operations and reporting structure, and cybermaturity as a business imperative. We’re joined again from the USA by ISACA’s Jenai Marinkovic and Jonathan Brandt to discuss the reports and implications for the State of Cyber Security.
Enrolments open for the 2022 ADF cyber gap program
By MySecurity Media, Courtesy of ADF
Enrolments are now open for the 2022 Australian Defence Force (ADF) Cyber Gap Program, which will support students studying a cyber-qualification.
Assistant Minister for Defence, the Hon Andrew Hastie MP, said the ADF Cyber Gap Program, run in partnership with the Digital Transformation Agency, would continue to boost Australia’s sovereign cyber workforce capability.
“Cyber is the new battleground, and the important mission our service men and women undertake in cyberspace will be vital to keeping Australians safe and secure,” Assistant Minister Hastie said.
“The ADF is looking for a diverse group of applicants who are passionate about cyber and interested in a career with Defence,
“The ADF Cyber Gap Program will expose you to the critical mission Defence personnel carry out in cyberspace and I encourage young Australians to take up this exciting career opportunity with the ADF.
“This program plays an important part in building the strong, diverse cyber workforce that is essential to our national security.”
The program is open to Australian citizens who are already enrolled in, or about to commence cyber-related studies. Applications for the program are open from 1 September to 31 October 2021 and can be made online on the Digital Transformation Agency website.
United We Stand – Divided We Fall
Security Threats on Australia’s Horizon
By Steve Cropper, Industry Affairs Officer of the Australian Security Industry Association Ltd (ASIAL)
These days the country is focussed on COVID-19, the looming threat of China and climate change but they are not the only security challenges the nation will confront in coming years. Cyber attacks, terrorism and civil unrest could rattle our world at any moment. Australia will not be equipped to handle future security challenges unless governments, business and the Security Industry work as a team to bring about much needed reform, collaboration and planning.
That’s the frank warning in the Security 2025 Report, released on September 23, commissioned by ASIAL and conducted by the Australian Security Research Centre. The report examines where Australia’s Security Industry is today and identifies where gaps will have to be filled if we are to keep pace with the emerging challenges and threats in the near future.
The report’s Head Researcher, Dr Gavriel Schneider said the key to Australia’s future security wellbeing is to move quickly to a more collaborative approach in which government, business and the Security Industry work together instead of in isolation.
“Emerging technologies used by independent and state-sponsored cyber criminals increase the threat profile of key Australian private sector institutions including banks and key infrastructure but too many end-users of security are choosing to ignore the threat,” said Dr Schneider. “What is often referred to as Australia’s soft corporate underbelly has to be better secured if the nation as a whole is to maintain existing security levels and that requires a coordinated and well-planned effort by government, business and the security industry,” he said.
To that end, Security 2025 recommends the creation of a Security Industry Coordination Office within the Home Affairs Ministry to facilitate rather than direct achieving national regulatory uniformity.
Nicholas Martin is aware of what it takes to manage security threats. As well as being head of property and security at AGL Energy Services, he is chair of the Forum of Australasian Security Executives (FASE), a professional affiliation of chief security officers from major companies across fields including finance, aviation, energy and food distribution. He lists five big threats that businesses currently face: customer aggression, activism and extremism, digital disruption (including cyber security threats – enhanced by COVID and the working-from-home dynamic), weather events, and internal threats (for example, from employees or contractors).
How do businesses manage all that? Generally, it’s a three-pronged approach: internal management, relationships with government, and the employment of private security. “Most businesses rely very heavily on contracted security companies to provide essential frontline services,” Mr Martin said. And with so much at stake, it’s vital they make good choices. “Some companies just want the cheapest ...” Mr Martin said. “You want to do due diligence so you know who is protecting your assets.”
Bryan de Caires, CEO of the Australian Security Industry Association Ltd (ASIAL), the peak body for Australia’s $11 billion private security industry, agrees.
“Quality security comes at a premium,” he said. “Users of security services need to clearly understand the value of good security.” Mr de Caires believes security companies deserve greater credit for the role they play in keeping Australia safe. “Providing recognition of the unseen security workforce that plays a critical frontline role in protecting people, places and property is long overdue,” Mr de Caires said. ASIAL’s Security 2025 Report is a roadmap for the industry’s future. It proposes that the Security Industry needs to make security a career of choice, upskill and cross-skill its workforce and embrace technological innovation. Mr de Caires said businesses engaging security can help by insisting on high standards. But government needs to step up to the plate too.
The Riddle of Regulation
Although the private Security Industry outnumbers law enforcement and the Australian Defence Forces combined – and is invariably the first responder at events or emergencies – it is regulated by a patchwork quilt of state-by-state regulations that vary significantly. Bryan de Caires said this imposes significant cost and unnecessary bureaucratic red tape on the Security Industry but more importantly, it deprives the nation of a uniformly high standard of security services.
“The current head-in-the-sand approach is a formula for disaster and this is precisely what is wrong with Australia’s security arrangements today – each state and territory pursues its own narrow self-interest at the cost of Australia’s security wellbeing,” said Mr de Caires.
Cameron Smith is the director of the Security Licensing & Enforcement Directorate (SLED), the regulatory body for security businesses in NSW. “These security operatives perform roles whose purpose is the deterrence of crime, the protection of persons and property, the maintenance of public order and safety ...” said Mr Smith. “Australia’s Strategy for Protecting Crowded Places from Terrorism notes the ‘central role’ played by the Security Industry in protecting crowded places. Effective regulation of the Security Industry ensures that it is fit for purpose to fulfil these important roles.”
Smith acknowledged that “…there are a number of key differences in jurisdictional approaches to the regulation of the Security Industry”. State regulations on security licences vary when it comes to criminal checks, the regulation of training, and which types of visa holder are allowed to apply. This can be a source of great frustration for the industry and for business.
Bryan de Caires said that ASIAL’s calls for nationally consistent industry standards over the past 25 years, “…have largely fallen on deaf ears ... if Australia is to have the capability to meet key security threats in coming years, government must act now to bring about crucial reforms.”
Meeting the Challenge
FASE Chairman Nicholas Martin is hopeful that Australia can meet the challenges. He approves of government initiatives to help businesses defend against cyberattacks and supports ASIAL leading the debate. “They’re trying to raise their profile, and they’re trying to educate both governments and business on the need to have a really well trained and capable Security Industry,” he said. And that’s going to be necessary, because the future is a dangerous place.
“I think the future is going to be more disrupted ...” said Mr Martin. “Whether it’s on a geopolitical level ... whether it’s the impact of conflict or weather events, whether it’s the ability for cyber to reach across boundaries ... I think that’s only going to increase.”
About the Author
Steve Cropper is the Industry Affairs Officer of the Australian Security Industry Association Ltd (ASIAL) and an Officer in the Royal Australian Navy.
Australian protective security renaissance
By Maksym Szewczuk
Protective security culture in Australia is undergoing a renaissance of proactive consideration across multiple dimensions and sectors. In the shadow of the 20th anniversary of the September 11 attacks of 2001, and in the absence of any similar cataclysmic triggers, Australian companies, critical infrastructure owners/operators and government entities are experiencing a revitalised appetite for proactive and practical approaches, particularly in capital investment in protective security, crime prevention, security risk management and intelligence collection. Such levels of collective investment in protective security have not been observed since the September 11th attacks forced a global re-assessment of protective security arrangements by all levels of organisations and government.
STATE OF PROTECTIVE SECURITY ARRANGEMENTS
A large proportion of the commentary and analysis has focused on the strategic policy aspects of national security, counter terrorism, and policing. But seldom has the lens of analysis fallen on the current state of protective security arrangements within Australia. As state and federal intelligence agencies continue outstanding work in detecting and preventing terrorist attacks, the onus of protecting assets remains with the owners and operators of infrastructure and public spaces. And it appears that these owners and operators are taking this responsibility seriously, with realistic risk. That is, risk based on preventative approaches and not relying solely on policing and intelligence agencies for prevention of terrorism and serious crime.
PROTECTIVE SECURITY GROWTH
An increasingly large host of Australian multidisciplinary consulting firms have commenced security consulting offerings. This is in response to demand from government and private enterprise. These bodies are increasingly requesting knowledgeable advice in the realms of protective security, crime prevention and security risk management. Judging by the number of security consulting and corporate security management roles being advertised or remaining unfilled in the market, there appears to be a significant uptake in security risk management related capability. This does display a commitment to security assurance, resilience, and client value creation through provision of sound safety and security strategies for the benefit of clients or visitors. However, it also displays a proactive approach to protection of national critical infrastructure, public and crowded places. This is occurring in the absence of regulatory requirements or a single critical event to warrant such an approach.
PROTECTIVE SECURITY DEMAND
In response to renewed interest, a similar trend has emerged in the higher education sector as greater numbers of universities commence national security, terrorism, intelligence related streams. Australian National University is now adding an International Security Studies program, joining the likes of Edith Cowan, Sydney, Macquarie, Charles Sturt and Murdoch Universities, to name but a few. The University of Technology Sydney has also invested in a Designing Out Crime Research Centre, which is a partnership between the NSW Government, Department of Attorney General & Justice and UTS. It aims to develop innovative design-led approaches to complex crime problems.
DOWNSTREAM CONSIDERATIONS
On the face of it, counter IED transparent bins or impact rated bollards may not garner the same level of importance as counter terrorism financing, but it is these downstream considerations which are now the focus of asset owners and operators looking to protect themselves against future security threats. Our national (homeland) security and intelligence spending remains high, buoyed by large capital spending on new platforms such as the F35 fighter, and now US sourced nuclear submarines. This however shifts our defence posture to an offensive capability, and a commensurate shifting of positions is occurring within the national protective security apparatus.
THE SHIFT
The nation’s collective protective security culture appears to have shifted from one of reaction or compliance to a proactive value and assurance-led approach. This ultimately places safety and security of the asset and its users as a core value. Additionally, this is further evidenced by the empirical research and industry development of integrated protective security. That is, one designed to seamlessly blend protective security treatments with building architecture. Moreover, it seeks to heighten the level of protective security maturity, which aims to keep buildings and spaces publicly accessible in the context of counter-terrorism guidelines.
SECURITY LEGISLATION AMENDMENT
In addition to existing and enhanced cyber security, countering violent extremism, money laundering and terrorism financing requirements, is the development of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. It requires greater provisions for security assurance by owners and operators of critical infrastructure. But it also seeks to strengthen Australia’s infrastructure resilience. While this legislation provides a focus on cyber security assurance, it does touch on risk management requirements and expands the categories of that which is considered Critical Infrastructure. Without solely relying on the state intelligence apparatus to prevent terrorism or serious security incidents, owners and operators of the nation’s critical infrastructure and public crowded spaces appear to be proactively applying deterrents. That is, preventative mitigation protective security measures in the absence of any forced shifting of security culture, such as was experienced after September 11th.
A handful of lone wolf style attacks have been perpetrated via unsophisticated methods with vehicles as weapons, edged weapons, and in the case of the Lindt Siege and attack on Parramatta Police Headquarters. However, stolen or illegal guns, the screening of personnel and goods along with access control to sensitive or crowded areas remain prevalent within the community.
MATURING OF SECURITY CULTURE
In conjunction with protective security and counter-terrorism advice provided by ASIO and state police, this approach by policing and intelligence authorities demonstrates a positive approach to assisting the upscaling of protective security arrangements within Australia. The Australian government and its law enforcement agencies, state authorities and owners/operators of critical infrastructure, are shifting the collective approach to protective security, risk management and crime prevention. This is by moving away from reactionary approaches to yesterday’s attacks while proactively moving to mitigate against tomorrow’s attacks. This maturing of security culture which emphasises the value of security, safety and infrastructure resilience is a positive step by all. And moreover, it complements state-based crime prevention and counter terrorism approaches.
About the Author
Maksym Szewczuk is a security advisor with 15 years’ experience in critical infrastructure protection and is currently a member of the NSW Police Security Industry Advisory Council.
RANSOMWARE ACTION PLAN RELEASED
Interview with
Ian Yip CEO, Avertro
Head of Government Affairs and Public Policy
Founder, Phronesis Security
Under the Ransomware Action Plan the Government will:
Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
RANSOMWARE – IT’S JUST GETTING WORSE
Interview with Tony Anscombe, Chief Security Evangelist for ESET
This presentation covers how ransomware techniques and attacks have changed, the business model behind the attacks, and how they are impacting all sectors and industries around the world, including Australia. ESET Australia monitors the latest ransomware techniques and attacks seen around the world. Payment of ransoms internationally is driving an increase in cybercrime and giving resources to cybercriminals that will fuel further attacks on companies and governments alike.
Tony Anscombe is the Chief Security Evangelist for ESET. With over 20 years of security industry experience, Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and Internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit (CIS). He is regularly quoted in cybersecurity, technology and business media, including BBC, Dark Reading, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS. Anscombe is a current board member of the NCSA and FOSI.
Tony discusses why paying a ransom is not the right course of action, and the need to regulate cryptocurrency on a global basis.
Scams increase by more than 50% in August as Australians in lockdown are hit hard by identity theft
By MySecurity Media, Courtesy of Proofpoint
Australians reported 40,891 scams to the Australian Competition & Consumer Commission’s (ACCC) Scamwatch in August 2021, a significant increase of more than 50% compared to the previous month, and nearly double the amount reported in August 2020. Australians lost a combined $26.5 million to all types of scams last month, more than double the amount lost the same month a year ago. Australians have now lost more money to scams in the first eight months of the year than in the entire 12 months last year – $192 million year-to-date vs $175 million lost in 2020.
IDENTITY THEFT SCAMS SOAR
Identity theft scams saw Australians lose more than $2.2 million in August, a staggering increase of more than 500% over the $352,590 lost in July, and over 700% compared to the $251,750 lost in August 2020 to this type of scam. Australians aged 45 to 54 were most financially impacted by these scams, losing more than half a million dollars, followed by Australians aged 25 to 34.
Consistent with previous months, investment scams continue to be the most financially damaging type of scam, with Australians reporting losses of more than $12.3 million. Dating and romance scams followed, amassing losses of more than $4.3 million in August. Notably, the amount lost to health and medical product scams increased by 15 times over from July as the national COVID-19 vaccine roll out continued.
Phishing scams again accounted for the greatest number of reports at 11,060, a significant increase of 162% compared to August 2020 and up 75% from July. Text messaging was the most popular delivery method for phishing scams, accounting for half of all reports. Scams relating to threats to life or arrest also rose by 29% while ransomware and malware scams were up more than 200% compared to July.
AUSTRALIANS IN LOCKDOWN HIT HARDEST
NSW residents continue to be the most financially impacted by scams as COVID-19 lockdowns continue. NSW residents suffered financial losses of almost $11 million, while the number of scams reported to the ACCC increased by 52% compared to July. Meanwhile Victorians reported a 65% spike in scams compared to the previous month and suffered losses of more than $6 million.
Men continued to be disproportionately impacted by scams across Australia, accounting for $16 million of the total money lost compared to $9 million for women, despite both reporting a similar number of scams. Men were most impacted by betting and sporting investment scams which jumped by 977% from July, accounting for 99% of all financial losses. Men were also exceedingly impacted by identity theft scams, accounting for 91% of all money lost at just over $2 million. Women accounted for 77% of money lost to online shopping scams at more than $3 million and 90% of money lost to health and medical product scams. In August, Gen Z and millennials overtook older Australians as the nation’s most financially impacted age demographic. Australians aged 35 to 44 lost more than $7 million and reported the highest number of scams at 6,484 reports, an increase of 64% compared to July.
DELIVERY METHOD
In August, phone call scams were both the most popular and profitable form of delivery, with more than 19,000 reports and $6 million lost. The number of reports for text message scams rose by more than 300% compared to July. This was likely due to the widespread prevalence of Flubot malware scams targeting Australians with fake missed call texts including a link designed to steal personal information. Social networking scams were the second most profitable, costing Australians $5.4 million, up 180% compared to August 2020. The amount lost to email scams also increased by 17% compared to July with classified scams and false billing scams among the highest financial losses for this delivery method.
PROOFPOINT ANZ AREA VICE-PRESIDENT CRISPIN KERR, SAID:
“The latest statistics from the ACCC demonstrate how scammers are staying active and diligent in their tactics especially as many Australians remain in lockdown. In August, Australians lost a total of $26.5 million to scams, a devastating blow during what is already a very difficult time for many. Concerningly, the number of scams reported increased significantly and almost doubled compared to the same time last year. While it is good to see Australians reporting scams to the ACCC, the sheer volume of scam activity is alarming. Scammers are continuing to capitalise on the pandemic such as the ongoing vaccine rollout. This month, the amount lost to health and medical product scams increased by 15 times over the amount lost to these type of scams in July, suggesting scammers are very much leveraging current events to steal from Australians. Understandably, many Australians are in difficult financial situations and may be looking to grow or supplement their income through investments. Investment scams remain the most profitable and common type of scam, and in August Australians lost more than $12 million to these scams. Cybercriminals can easily falsify information to make it look legitimate and lull people into a false sense of trust to get them to part with their hard-earned money. With technology integrated into almost every aspect of our daily life, it’s important to remember that even the most tech-literate people are not immune to scams. We urge younger Australians especially, to refresh their knowledge and awareness around scams and remain diligent. We are witnessing an increase in scams targeting younger Australians with a high success rate, and during August Australians aged 35 to 44 were the most financially impacted at a cost of $7 million. Revisiting the basics and knowing how scammers behave can help you protect yourself and loved ones. 
Never click-through links or open attachments from unknown senders or share personal information with anyone you don’t know, especially banking and credit card information. Don’t save your card details into websites and be wary of any new website you plan to shop from. We’ve seen the number of online shopping scams rise by 38% in August, with younger Australians especially impacted. It’s important Australians don’t become too comfortable with technology and forget to exercise basic common sense. The current level of scam activity suggests no one is immune. We urge Australians to be careful and remember if something doesn’t look or feel right it is most likely a scam.”
Fortinet invests in Federal Government integration and innovation centre
By MySecurity Media, Courtesy of Fortinet
Fortinet has significantly invested in its recently completed Federal Government Integration and Innovation Centre (FGIIC) in Canberra, which is due to open in the fourth quarter of 2021. The FGIIC data centre is housed within a certified Zone 5 facility in accordance with the Security Construction and Equipment Committee (SCEC) requirements, providing businesses and government agencies assurance that it is a sovereign and secure facility, rated to top secret, for integration testing and evaluation. The Fortinet FGIIC gives enterprises and government agencies access to Fortinet equipment so they can securely evaluate and develop network security solutions and de-risk project objectives. Partners looking to develop solutions can also use the data centre to innovate and get solutions to market sooner. Based in Canberra, it houses both virtual and physical security to protect Australian innovation. Jon McGettigan, regional director, Australia, New Zealand, and the Pacific Islands, Fortinet, said, “Fortinet’s investment in the FGIIC demonstrates a commitment to secure and sovereign solutions within Australia and the Five Eyes community. It’s just the first step of investment as Fortinet continues to ramp up support for the federal government sector by expanding Platform-as-a-Service and Software-as-a-Service offerings. The FGIIC supports local industry and provides rapid access to enterprise cybersecurity technologies so organisations can design, develop, and deliver innovative solutions for government and supporting industries.” Among the FGIIC’s capabilities is the ability to conduct high-throughput data network testing including cyberattack testing at up to 100GBps. Tom Scully, federal government enterprise solution architect manager, Fortinet, said, “The Fortinet FGIIC is built to the highest physical and electronic security standards with access only granted to authorised and verified users. It
provides an exciting opportunity for customers and partners alike to research and trial solutions and ideas in a secure and sovereign manner with reduced time to market.” The FGIIC features approximately 2TB of RAM virtual compute capability, 100Gbps throughput testing capability including breach attack simulation, and dual redundant 100Mbps internet connections. It offers up to 12kW of redundant power and 84 RU of rack space with the ability to support additional chassis, leveraging Fortinet’s systems technology to provide additional capacity for partners. The FGIIC also includes a virtual lab and customer experience centre. There is additional rack space available to support future FortiGuard services or proofs-of-concept that require Fortinet or third-party equipment including chassis-based carrier grade systems. Tom Scully said, “Over the past 24 months, Fortinet has seen significant demand for the development of secure and sovereign solutions that can be deployed in closed network scenarios. Locally, Fortinet has invested heavily in its product development teams to ensure its products can meet these requirements. “The FGIIC helps to further demonstrate Fortinet’s commitment to federal government locally. Organisations can use the FGIIC customer experience centre, in close collaboration with Fortinet, to develop solutions at a greater speed than ever before. For example, an organisation wanting a secure email gateway to meet federal government requirements can securely access the environment and build, break, or destroy the solution to ensure it is safe and fit for purpose. This capability can host up to 100 customers at a time.” Accenture recently reported Australia was the third most targeted country in the world by cyberattackers in the first six months of 2021. According to Accenture’s report, the volume of cyber intrusion activity globally jumped 125 per cent in the first half of 2021 compared to the same period last year.
ACSC ANNUAL CYBER SECURITY THREAT REPORT 2020-2021 – INDUSTRY SECTOR REVIEW
The ACSC Annual Cyber Threat Report 2020–21, the second unclassified annual cyber threat report since ASD became a statutory agency in July 2018, highlights the key cyber threats affecting Australian systems and networks, and uses strategic assessments, statistics, trends analysis, and case studies to describe the nature, scale, scope and impact of malicious cyber activity affecting Australian networks. It also provides advice to Australian individuals and organisations on what they can do to protect their networks from cyber threats. Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of cyber attack every 8 minutes compared to one every 10 minutes last financial year. As part of an Industry Sector Review and recognition of the report, we speak with Amit Chaubey, NSW Cyber Security Ambassador, Virginia Calegare, Cyber Security Advisor and Elliot Dellys, Cyber Security Advisor. Thanks for tuning in and stay tuned for more…
Speaker titles as captioned: NSW Cyber Security Ambassador | Cyber Security Advisor | Founder, Phronesis Security
What changes to the critical infrastructure act will mean to industry – Cyber Risk Meetup Highlights
By Sarah El-Moselhi
MySecurity Media
With the ever-changing landscape of our digital world, it is crucial that we as a networked society stay continually in the know and equipped to meet the various challenges we face from the cyber world. Tackling this issue face to face, more than 120 Cyber Professionals gathered at WeWork, Central Park, in Perth for the Cyber Risk Insights Sundowner. The first in-person gathering since 2019 due to lockdowns was a huge success, with an incredible energy and buzz in the room as key speakers addressed the challenges we face in today’s digital sphere. Organised by Perth’s Chapter Lead, Farrell Tirtadinata, and David Matrai from MySecurity Media, the knowledge-rich event picked the minds of key industry figures. “The Perth cyber-community has brought it on again last night” reflected an energetic Chapter Lead and Business Solutions Director of Avertro, Farrell Tirtadinata. The panel (pictured) gained insights from Madeleine Trezise, Specialist Cyber Security Risk, South32, Alice White, Security Training Manager, Atlassian & AWSN Perth Chapter Lead and Hannah McKelvie, Cyber Development Principal, Telstra. “It was a great night with some interesting discussion and audience questions!” said a pleased Madeleine Trezise, Specialist Cyber Security Risk at South32. The focus was primarily on the changes to the Critical Infrastructure Act and How it Relates to Our Industry. This also included critical discussions around the impact of the Act on other industries, with a further 11 to be added as part of the reform.
CYBER RISK INSIGHTS SUNDOWNER | KEY LEARNINGS
[Photo caption: Perth’s Chapter Lead, Farrell Tirtadinata, and David Matrai from MySecurity Media, opening presentation]
The event highlighted the associated risks to cyber security as a result of the latest reform to the Critical Infrastructure Act. The Cyber Risk Insights Sundowner raised three critical areas of concern:
• How are the cyber leaders and executives approaching this?
• What are some of the best practices that they can share?
• And how will the rest of the industry respond to this?
SECURITY LEGISLATION AMENDMENT | (Critical Infrastructure) Bill 2020
On 10 December 2020, the Minister for Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to Parliament. The Department of Home Affairs (the Department) is progressing the Protecting Critical Infrastructure and Systems of National Significance reforms, a key initiative of Australia’s Cyber Security Strategy 2020. As the majority of Australia’s critical infrastructure is owned and operated by private industry or state and territory governments, it is vital that our approach to ensuring the resilience of Australia’s critical infrastructure is clear, effective, consistent, and proportionate.
COVERAGE OF THE REFORMS
The Bill seeks to amend the Security of Critical Infrastructure Act 2018 and expands its coverage from four sectors (electricity, gas, water, and ports) to the following eleven critical infrastructure sectors:
• Communications
• Financial Services and Markets
• Data Storage or Processing
• Defence Industry
• Higher Education and Research
• Energy
• Food and Grocery
• Health Care and Medical
• Space Technology
• Transport
• Water and Sewerage
BENEFITS OF THE REFORMS
Develop requirements that strike a balance between uplifting security and ensuring critical infrastructure operators remain viable and their services remain sustainable, accessible and affordable. An uplift in security and resilience across critical infrastructure sectors will mean that all businesses benefit from strengthened protections to the networks, systems and services they rely on.
GOING FORWARD
The Department will work with industry peak bodies, existing regulators, state and territory governments, and critical infrastructure entities from January 2021 to bring the reforms to life through a comprehensive consultation process. Home Affairs will undertake a staged, sector-by-sector approach to co-designing relevant requirements to reduce regulatory burden and minimise duplication with existing regulatory frameworks.
The success of this year’s event highlighted the growing interest in the area across multiple sectors. “We are so glad that we were part of organising such a successful event and already have discussions for the next one – stay tuned!” said David Matrai. To ensure your knowledge bank stays rich, keep up to date with upcoming Cyber Risk Insights Sundowner events and learning opportunities.
Cyber Risk Insights Sundowner was proudly sponsored by: Claroty, HyprFire, Avertro and MySecurity Marketplace in addition to Community Partners, WA AustCyber Innovation Hub and Privasec.
AUCYBERWEEK21 WITH MICHELLE PRICE
Interview with Michelle Price, CEO of AustCyber
Today, we’re joined by Michelle Price, CEO of AustCyber to discuss the return of the annual Australian Cyber Week, a week-long series of events and activities, this year to be held from 25-29 October 2021. The week combines virtual and in-person sessions to generate awareness about the Australian cyber security industry and showcase local innovation. It will also support increased understanding of cyber security by debating topical issues, risks and solutions, and facilitate national and global networking.
20+ online and (COVID-safe) in-person events and activities
20+ special guest speakers and presenters
45+ cyber perks and deals
60+ videos and webinars on demand
All things cyber security.
25–29 October
Events and activities spanning the full breadth of the cyber security landscape – for those within the sector, but also well beyond.
Preparing Australian business for a Cyber-Attack
By MySecurity Media Staff Writer
With the rise in cybercrime in Australia, this is a challenge that will face many businesses across a wide range of industries. Last year, the government introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Federal Parliament to improve security and resilience across the country’s critical infrastructure sectors. The new legislation sets out to amend the Security of Critical Infrastructure Act 2018 and includes:
• Broadening the definition of Critical Infrastructure from four to eleven sectors.
• Enhancing security obligations via sector-specific rules across cyber, supply chains, physical and personnel security; and
• Establishing government assistance powers.
In late September, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) made 14 recommendations in relation to the Bill, including proposing a split in the current proposed framework into two amended Bills. One Bill for rapid passage aims to expand the critical infrastructure sectors covered by the Act, introduce government assistance measures to be used as a last resort in crisis scenarios as well as mandatory reporting obligations. The second for further consultation includes declarations of systems of national significance and introducing positive security obligations which are to be
defined in delegated legislation. Australian organisations are not immune to malware attacks, with 12% of small businesses experiencing a cyber event. As part of AustCyber launching Australian Cyber Week later this month, the not-for-profit body is examining the increasing number of Australian small businesses faced with an alarming rise in the volume and variety of malicious cyber-attacks.
What does the Bill mean to Businesses?
Sarah Sloan, Head of Government Affairs and Public Policy, ANZ, Palo Alto Networks joins the brains trust presenting during Australian Cyber Week 2021. Sarah explains why support for the Critical Infrastructure Bill is so vital in the current climate of heightened hostilities.
“We’re supportive of the Critical Infrastructure Bill and understand the government’s objectives of trying to secure critical infrastructure, which is increasingly important to our national and economic security. We’ve been actively engaged with the government for well over a year, in the process [of developing the Bill], responding to discussion papers, and trying to work with government around what that framework will really look like.”
“Nothing in this world is 100% secure. It is all about making sure you’re taking preventative measures, and you’re preparing for an attack. Furthermore, it is important that businesses are also well across how you respond to incidents, and that they’ve got an understanding of how the company is going to step through the cyber incident response requirements, if and when that happens.”
Sarah says the Critical Infrastructure Bill holds key components in addressing the risk management plans businesses need to implement. “Under the positive security obligations, they’re [the Government is] pushing organisations to turn their minds to cybersecurity risks, as well as supply chain risks, physical and personnel risks, and how they’re measuring up on international standards.”
Critics of the Security Legislation Amendment argue it is an extension in the long line of security related acts that could potentially give more power to the executive at the expense of individual freedoms of citizens. The Security Legislation Amendment will give the government power to defend networks of critical infrastructure providers under cyber-attack as a “last resort”. The Australian Federal Police and Australian Criminal Intelligence Commission will have the power to combat serious crime enabled by anonymising technology using three new warrants: network activity, data disruption and account takeover.
Sarah is hoping to work with industry to raise awareness of the Bill and its measures, which will hopefully minimize the need for those powers to be executed. “Our understanding from government is that they will act as our measure of last resort, they’re only going to use these powers in particular circumstances of cyber incidents,” said Sarah.
Clean Pipes
When we think of our critical infrastructure and the need to protect it from cyber-attacks, Sarah emphasises there is another way to stop cyber threats before they hit our businesses. She talks of clean pipes, which she says “refers to the ability of internet service providers (ISPs) to have constant real-time visibility across traffic passing through their networks and being able to detect and stop in real time cybersecurity threats within that traffic.”
Sarah says while clean pipes is not a silver bullet, it is important to start the discussion of it as an option for reducing the volume of threats hitting organisations, especially small businesses. “In the context of even ransomware and critical infrastructure threats – all these cyber threats are putting strain and compromising Australian organisations – and they all traverse over our telecommunication internet providers infrastructure. We’re really keen to have a conversation about how we can adopt measures to detect and block this traffic as it traverses the network in real time, so that it is stopped before hitting those end users.”
The Bill and the flow-on effect of education
AustCyber believes the way forward in protecting our critical infrastructure lies in education. That is, in the education of the masses at all levels. A notion Sarah says is greatly supported by the Critical Infrastructure Bill.
“I think the really interesting point about the Critical Infrastructure Bill is its flow on effects across industries. So, although it is targeting these 11 sectors, there are requirements in the Bill to look at supply chain risks and supply chain measures. What that might mean is these larger companies will turn their minds to outward, ‘we contract with a range of smaller companies, what is their cybersecurity risk profile?’.
“We know that attackers understand that some of these smaller companies may not have the cyber defenses of larger organisations with more resources, they can be softer targets for entry. We’ve seen that cybercriminals can penetrate these smaller companies with the intention of getting into larger organisations.”
Harm prevention begins with effective communication
At the core of intuitive understanding is effective communication. For Australia to stay ahead of the cyberwarfare on our digital doorstep, the conversations need to be widespread and they should have begun happening yesterday. Sarah echoes this need for education through communication, placing particular emphasis on just starting the conversation. “Have the conversation within the companies, communication is key.”
But Sarah also stresses the importance of established communication and real-time threat sharing between government and industry. “If we are to see an attack at scale in Australia, established communication channels between government and private sector as well as critical infrastructure entities would be really important. Additionally, the sharing of threat intelligence between private sector and government will also be very important because each have a unique perspective and see different things. The cybersecurity community has access to this plethora of data and threat Intel visibility that the government may or may not have.”
AustCyber is providing that platform of effective communication at its Australian Cyber Week 2021 event. MySecurity Media is an official partner of the virtual conference to be held between 25-29 October.
Sharpening the cyber security axe in Australia to stay in the race
By MySecurity Media Staff Writer
The future of cyber security growth in Australia lies in education. That is, in the education of ourselves but also the education of government, industry and businesses, large and small. In line with AustCyber launching Australian Cyber Week 2021 between 25-29 October, the future of cyber security in Australia will be placed under the microscope, particularly given the last 12 months of unprecedented cyber activity and the impact it has had on the Australian and global economy.
AUSTRALIAN CYBER SECURITY AND THE PANDEMIC
The COVID-19 pandemic continues to define where and how many of us work, and the speed of change has exposed new vulnerabilities in critical infrastructure and business IT systems. With Australia named as the sixth most hacked country in the world, it is vital that the nation’s cyber maturity and resilience are assessed and examined. Crucially, the question now is, have our actions of the past 12 months provided the
foundations for successful economic recovery and the ability to learn lessons to continue to protect our digital borders?
EDUCATION AND THE GROWTH OF CYBER SECURITY
The deepening and broadening of the Australian digital economy and digital communications has highlighted the need for deeper education into cyber security. Those in the know and entrenched in the world of digital protection must seek to upskill their knowledge bank, sharpen their cyber security axe and polish the shield. And for those not so cyber aware, it is time right now to educate them but, equally as important, to listen to them and gain insight into the gaps and challenges we may have overlooked in the rush of the last 12 months to stay above water. Shedding some light on this very matter is Sarah Bailey, CFO at Penten. Sarah is an accomplished finance and business executive with more than 20 years’ experience in finance, strategy, and governance. Cyber security is not on Sarah’s name badge as such, but her insights into it will have you sit up and fall in love with the art that is cyber security and where it is heading.
“I think we, Australia, is extremely well positioned, we’ve got good cybersecurity maturity, we’ve got good understanding. But the thing that it actually shows me is, are we ready for the next thing?”
That next thing, Sarah says, is not necessarily another pandemic (although, as we’ve seen, anything is possible), but rather what is coming next in relation to our digital landscape and our capabilities in the face of vulnerabilities.
“What are the things we need to be thinking about today in preparation for what’s coming next? How do we continue to build up on the deep foundations that we have in terms of our cyber resilience? But what’s next and how do we make sure we’re building actually for the long term the skills and the experience we need in this space, to help protect us for what’s coming next.”
What is already here is the threat landscape we are currently in, and what it means for the next 12 months.
“I see it personally with the number of phishing emails and texts as I’m sure many people do. But the threat landscape has shifted quite dramatically over the last 20 months, and whilst that’s COVID related, it does also point to a broader trend, just the way in which we are communicating. Although I believe Australia is extremely well positioned, I believe as a leader globally, I also think it’s not going to be enough.”
And it is here where education comes in and its importance on the cyber security stage.
“We’re going to need to keep thinking about this, thinking quite creatively and broadly, we are going to think about the skills needed to get into this space, that might not necessarily be the skills you would have expected five years ago, even two years ago. We need to be at this because this is the way of the future.”
THE RACE IS ON
At the core of cyber security in Australia is how do we respond to this ever-changing landscape, and can this nation keep up in the marathon that is cyber security? This month, industry figurehead and CyberCX chief strategy officer Alastair MacGibbon warned “Australia is ‘a decade behind’ in the cyber security race”. And while it may appear to be a disheartening statement, Sarah says it serves as a great reminder to step up the pace and charge ahead on the cyber security platform in this country.
“I actually think the point that he’s trying to make there has some validity to it, I think it actually speaks to the speed at which we’re seeing others really advance their own cyber technologies, be them for good or for bad. I actually do think that what he is pointing to there is around the speed at which we need to actually continue to innovate and create in this space, because what is good today just might not be good tomorrow.”
“I think actually from an Australian perspective if I look across the ecosystem that we have, in particular from an AustCyber perspective, we have an absolutely brilliant ecosystem that has been created. We have great skills, great experience, great businesses, great people thinking about this. But again it does point to the fact that there is so much more coming that we don’t even know about yet.”
FAIL FAST TO LAST THE DISTANCE
Part of cyber security education means leaning forward into innovation as well as building critical infrastructure now rather than later.
“I personally would love to see all of the infrastructure of Australia, and by that I mean government all the way down to all different aspects of society, really supporting innovation in this space and really supporting the speed at which we need that innovation. One of the things that we often hear about, particularly in startups and it’s not about startups per se, but that fail-fast mentality I do think that this is one of these spaces – where we’re going to have to try things – they may not work but we’re going to have to keep trying and trying and progressing at pace.”
That progression in the cyber security space can only be achieved with support from all levels of governance.
“There needs to be some agility there in relation to all types of government support, be it federal, state and territory, even sort of local community support as well, it’s for the thinking and self-belief in the industry itself and when it comes in things like R&D tax incentives and various things that then promote the ability for organisations to keep on creating, keep on innovating. There are some really good foundations but again if we think about the speed at which the landscape is changing, then the ecosystem needs to
be responding at that speed, and also comes with that the need for government to also be as agile as it can be.”
MARATHON NOT A SPRINT
The speed Sarah talks about is evident in the growth of Penten. The company went from three employees in its founding year in 2014 to now 138 staff members in 2021. And in 2020, Penten launched a new business unit: Tactical Communications Security. This capability adapts Penten’s high assurance secure mobility solutions to create highly complex, but simple to use secure communications technology for the tactical environment, an environment which will continue to change.
“I say every week I’m surprised with the new things that we’re doing in the growth that we undertake. I do think Penten’s growth is in some respects a marker of the growth that we’re seeing more broadly across the industry, we just happened to be in this industry at this particular time. For businesses like Penten, and this goes across the entire ecosystem, it’s about sustainable growth and we work really hard to do that. The work we do is really important, primarily for governments, and so therefore it’s really important that we get our business growth absolutely in a sustainable way. And yeah I do think it’s a marker, it is absolutely an indicator of how quickly the market itself is going. But then also when you think about the breadth and depth of the landscape and the threats in that landscape absolutely you know in some respects Penten’s growth is a reflection of that.”
LAYERED LEARNING AND EDUCATION
The only way Australia can keep up with the rapid growth in cyber security globally is in education and recruitment here on home soil. Sarah says it’s not a simple learn-a-course-and-move-on type of education, rather it is about serious investment in layered learning and sustainable growth.
“We need many layers to education, and if I talk specifically about Penten we try really hard to cultivate and share knowledge such that we’re building really specialist skills and experience in that space. We found it most effectively comes from most that do have really deep experience, coupled with those that you know learning the newest innovations and thoughts coming out of particular universities.”
“If you couple those types of deep experience and deep knowledge, we’ve found that really cultivates skills experience in that space. But we also need to think more broadly about it. That is from an educational perspective. Coming through schools and through universities – how do we make sure that those formal courses, which many of us still absolutely subscribe in, are an appropriate way to continue learning? How do we make sure that those courses are completely up to date? How do we make sure that the newest and most innovative thinking is incorporated into those university courses?”
The growth of cyber security education in Australia does indeed require a multi-pronged approach. Sarah, a finance and business executive who is now entrenched in
the world of cyber security, emphasises that education of any industry succeeds when it stems from a diversity of learnings and skillsets. “Having people that have had different sorts of experiences come into this space is absolutely a value. We need to be really thoughtful around how we cultivate and create really great strength in the skills and experience in this space. We’re really good at the moment, but there’s opportunities for us to be really world leading in the way in which we’re creating skills.”
THE SKILLS SHORTAGE IN AUSTRALIAN CYBER SECURITY
It is not about a shortage of people, but more a problem with a shortage of experienced experts that can do the job needed in today’s threat landscape. At the moment there’s a wide margin of difference between cyber security professionals with a great resume and cyber security professionals that can actually be productive in a modern-day security operation.
“We know that there’s a huge skills shortage generically in cyber. We know as an industry it’s not going away, we absolutely need to do more so that we’re always at the cutting edge. We’ve been excited to partner with government in that regard and also partner with universities in that regard so that we’re always at that leading edge of new thinking. Just the way in which we need to be creative about and thinking about the industry and what is fit for purpose today versus tomorrow we also need to think about it too in terms of skills and experience.”
“Look for me personally, and it’s taking me a little while to probably get here, I do know that my skills and experience, and my diversity in thought absolutely contributes to the industry. I’m not a technologist, I’m not an engineer, and I have absolute deep admiration for all of my colleagues, particularly those that are deep technologists, but part of the need for not only Penten but the industry, is to have people like me that then don’t necessarily have that depth, but when someone describes something in a way I and helps me understand what that means in layman’s terms, so I can describe it to someone else. As in, how do I explain to my mum what we do and what the ecosystem is and I don’t mean that in any disrespect to my mum. But it is an example that diversity in thought and diversity in experience is absolutely will help make us all better and that is absolutely the case for this industry as well.”
CYBER SECURITY IS ACTUALLY SEXY
While cyber security has not been Sarah’s bread and butter vocation in the past, the Commerce and Psychology graduate believes the skills shortage in cyber security is not due to a lack of industry appeal; more is at play.
“I don’t think it lacks sexiness personally, I actually think it’s actually an entirely sexy area. It’s a few things. Firstly, the speed at which things are changing mean that quite quickly organisations have to tap into resources quite quickly – which means that the time it might take someone who’s transitioning from a completely different industry, to build up their skills and experience, sometimes the timing hasn’t been supported just by virtue of how quickly we have got to respond to things.”
“I think the more that people are aware of all of the different elements of cyber, the more that there’s awareness and understanding of what that entails, what that means actually means also from a job perspective. I mean I’m a finance person, I’ve come into this industry from banking and logistics and a whole bunch of things, so I’m very new in theory to this space when I look at my peers who have worked in this space for actually 25 years in some instances. I’m an example of where there’s a really great opportunity for people to come into this industry and spend time learning but actually applying a different sort of set of skills that are equally as important from that sustainability point.”
“So for me personally, I mean I love it. It’s so interesting. How can you not be completely fascinated with the environment that we’re in, and the fact that then my personal contribution on a daily basis to Penten there for our customers, that’s massively rewarding I mean genuinely is the most rewarding job I’ve ever had I don’t think of it as a job, it’s just a brilliant opportunity, very lucky.”
CASE STUDY OF SUCCESS | AUSTCYBER AND PENTEN PARTNERSHIP Penten has a solid partnership with AustCyber, the Australian Cyber Security Growth Network. One part of it is to provide secure network access to a pilot group of regional SMEs and academia. The partnership provides Australian SMEs with the means to bid for, win and work on Government defence classified projects in a secure and protected environment from any location. Matthew Wilson, CEO, Penten believes the benefits to Australia are twofold. “SMEs are the future growth and innovation engine of the Australian cyber economy. These businesses provide invaluable opportunities for defence to gain advantage. Without them, we are missing out. Australia is missing out.” Michelle Price, CEO, AustCyber said, “This project brings together Australian SMEs to better support and protect themselves, defence and national security information; as well as Australia’s emerging place in the global defence and cyber market. AustCyber sees this project as a true game changer for the Australian economy and it shows a better way for economies globally.” And it is this game changer partnership that cyber security in Australia needs to adopt fast. “We have partnered with AustCyber for many years now, we are absolutely excited and incredibly supportive of everything that AustCyber is doing. And not only because of the organisation itself, but because of the ecosystem it’s just incredibly important, and the more in which we can play a part in that understanding broadly around the industry – bringing thought leadership to that space where we can – that’s a better thing for Australian and in fact arguably, the world. We have a genuine drive to do more, I know AustCyber definitely does and of course the industry does. So hence why we love being part of something like Cyber Week.”
BUILD THE PATHWAYS AND THEY WILL COME The need for a diversity of skillsets in the cyber security space is evident for the industry to continue to stay on its solid growth path in Australia. But for that to be sustainable, clear and well-established pathways need to be put in place almost immediately. “We need to show people pathways. We need to show really practical pathways coming in formal learning pathways as well and making sure that they’re really agile as what we need them to be. And then actually a broadening of awareness of the industry. I do, as I said, I think it’s a really sexy industry it is so exciting, I mean there is new pieces of information every day to help us learn more around the industry. It’s certainly not static by any stretch of the imagination, which for me means it’s extremely exciting.”
HOW DO WE SHAKE OFF THE 6th MOST HACKED COUNTRY IN THE WORLD TITLE? Improving cybersecurity capabilities through upskilling and a layered education setup will indeed help Australia to better calculate cyber risk as well as respond quickly to threats. However, as with the nature of the industry, it demands considerable time and resources, and can it be done? Will Australia be able to climb back from its startling global ranking and shake off its sixth most hacked country in the world title? “Absolutely shake that off. I think we will continue to come under a whole range of threats from people that want to do us harm, us being Australia. I do think that we absolutely have the skills and experience and the desire together – this isn’t just a Penten thing this is the industry, with government, with individuals, with companies – we absolutely have a desire together to make sure that we are protecting our digital borders, our digital borders are going to be the most important thing in years to come, as opposed to our physical borders. We need to think about that in the way it requires and it requires us all together to band together to make sure that we can continue to protect the nation.” MySecurity Media is an official partner with AustCyber’s Australian Cyber Week 2021 Virtual Conference between 25-29 October.
Micro-Credentialling helps plug Australia’s cyber skills gap By MySecurity Media Staff Writer
On the back of continued attacks and growing cybersecurity awareness, the cybersecurity industry is expanding fast. But the industry’s capacity to meet the demand for its services is constrained by a severe shortage of skilled workers. The cybersecurity industry in Australia directly employed approximately 26,500 people in 2020. That’s tipped to grow by 7,000 by 2024. The Australian Government has nominated the skills shortage as a potential barrier to shoring up the country’s cybersecurity defences. Australia’s 2020 Cyber Security Strategy flagged the problem, with the Government committing millions of dollars via the Cyber Security National Workforce Growth Program to address the skills shortage. But medium to long term strategies do little to address the skills shortage now. The lack of clarity around pathways to a career in cybersecurity exacerbates the issue. However, micro-credentialing, short upskilling courses, and remote
learning could provide a solution or stopgap. “We have a huge demand in Australia for cybersecurity professionals,” says Dr Rebecca Vivian from the University of Adelaide’s School of Computer Science. “Cybersecurity roles are so diverse. You don’t necessarily need a technical background to work in the field. You could have a marketing background, or a law background, and add that layer of a cybersecurity micro-course, online course, or some sort of training, to add strength to what you are doing.” While many cybersecurity short courses are free, and the knowledge learnt can be useful, payment of a fee usually results in a verifiable credential. “It’s a nice way to demonstrate to employers you’ve been learning in the area,” said Dr Vivian. “You are seeing that demand creeping into businesses and all kinds of industries. Everyone needs to know about cybersecurity now, and education can play that critical role.” Dr Vivian also sees short courses as a backdoor into the cybersecurity industry, particularly for professionals working
in other industries. She says they can also be pathways into a formal diploma or degree. A six-week self-paced course at home also offers a potential cybersecurity industry employee a handy taster of what the industry is really like. “There are a number of courses on cybersecurity; we call them MOOCs – massive open online courses, anyone can go and enrol and learn about cybersecurity.” The Australian Signals Directorate (ASD) needs cybersecurity workers with specific skills. They have six grades of cybersecurity knowledge; a learner who has some knowledge, the novice who understands cybersecurity requirements, the practitioner who can apply the knowledge and requirements, the senior practitioner who can enable, the principal practitioner who can advise on cybersecurity, and the expert practitioner who can do all of the above as well as initiate cybersecurity procedures. The ASD’s grades may be more than the average business or organisation needs, but it provides a valuable framework for cybersecurity roles in an industry that largely lacks frameworks and clear pathways to entry. Adding a layer of complexity to workforce shortages and the growing cybersecurity threat is the rise of remote working. An Australian Government Institute of Family Studies survey conducted in June found 67% of respondents now worked remotely some or all of the time. It is a catch-22 for the industry because remote working raises cybersecurity risks in most businesses and
organisations. But remote working makes cybersecurity industry recruitment and formal learning harder and more challenging to manage. However, remote working can slot in nicely with short online learning, especially if it is self-directed and self-paced. Remote working often allows for more flexibility than working in the office, making education a more viable option. It potentially elevates the role of micro-courses within the cybersecurity industry. Dr Vivian says the demand is there for cybersecurity short courses, and there’s a growing number on offer. “It’s a nice way to have a short, more informal style of course,” she says. “But you are also building the skills you can apply in any sort of professional context.” She argues the cybersecurity industry is far broader than many assume. It goes beyond the technical and analytical roles. Consequently, there are many ways to enter the industry, and sometimes people need to think outside the box. And that may be worth doing. The cybersecurity industry generated approximately $5.6 billion in Australia last year and is expected to grow to $7.6 billion by 2024. The average salary in the industry is around $90,000. “There are a lot of different roles,” said Dr Vivian. “You could be combining your law hat, your policy hat, your medical hat… but by upskilling in cybersecurity, you’ll have the language to participate and inject diverse perspectives.” Not-for-profit body AustCyber identified a critical shortage of nearly 18,000 cybersecurity specialists in 2020. They also argue education and training is the answer. Like the ASD, AustCyber has also documented a framework that describes and classifies the cybersecurity industry and its workers, attempting to bring some order to a young and untidy industry. AustCyber groups cybersecurity work functions into seven categories. They further break down specialist functions into 33 types and work roles into 52 types. Each role has specific tasks and skills.
These frameworks provide, say, a budding exploitation analyst with some sort of formal guidance in terms of the training and education required. The previous lack of documented guidance and framework is arguably one reason why the current skills shortage exists. Dr Vivian thinks Australia’s cybersecurity workforce numbers will catch up, but it needs to be addressed through various pathways. She thinks upskilling the existing workforce through micro-courses and in-house training is one of those pathways. But Rebecca Vivian also has an ace up her sleeve. Among other things, she is heavily involved in educating primary school-aged kids and their teachers about IT. Down the track, a whole generation of cyber-savvy school kids will enter the workforce. They’ll have grown up as cybersecurity natives. For them, cybersecurity will be just another end of school option. If worse comes to worst, they’ll sort everything out when they grow up. MySecurity Media is an official partner with AustCyber’s Australian Cyber Week 2021 Virtual Conference between 25-29 October.
Future of Network Infrastructure on Cloud By Shantanu Bhattacharya
History and market pressures
Some time ago, the primitive concept of Software Defined Networks (SDN) was brought to the fore. Proponents of SDN claimed that network device vendors were not equipped to handle the pace of change demanded by the industry. Programming the devices was only possible through the CLI or using the Simple Network Management Protocol (SNMP); neither met the evolving requirements for easily accessible, flexible, and application-friendly interfaces. That led a few Stanford University engineers to create the OpenFlow protocol, enabling an architecture in which a number of devices containing only data planes respond to commands sent to them from a logically centralized controller that holds the control plane. The controller was responsible for keeping track of all the network paths, as well as configuring all the network devices it controlled. These communications were the essence of the OpenFlow protocol. OpenFlow helped in conceptualising SDN. OpenFlow could “transmogrify” these platforms into any network device, e.g., firewalls or NAT. This dramatic shift in the networking industry was well documented. Network Functions Virtualization (NFV), a related concept, has allowed commodity servers to take on the roles of the network devices. That significantly reduced the cost and time of service deployment. In NFV, the virtualization layer operating system coordinates compute and storage. Further, it connects resources shared among the Virtual Network Functions (VNFs) that could then execute on the same physical server. The Management and Orchestration (MANO) component orchestrates and administers the VNFs. With ever-increasing demand for network bandwidth and services, virtual functions can be deployed on demand.
NFV and its evolution
Network Function Virtualization (NFV) could use some basic and prime concepts of SDN. These included control/data plane separation, logical centralization, controllers, network virtualization (logical overlays), application awareness, application intent control, and many more, on easily available Commercial Off-The-Shelf (COTS) hardware platforms. NFV has enhanced the conceptualisation of new methods in support of service element interconnectivity, and of techniques that can cope with its dynamic requirements and their upscaling and downscaling. The market pressure on network operators increased in 2013, and their businesses were facing real challenges:
• What started as Over-The-Top (OTT) video and social media moving into their broadband customer base grew into OTT service offerings. The outsourcing of organisations’ IT to cloud providers turned these new competitors into more relevant IT partners.
• Wireline operators faced large and long-delayed transitions in copper-based services.
• On another front, virtualization concepts evolved out of enterprise-centric virtual machine operations to more composable and scalable components like containers in public and private clouds. Virtualization infrastructure performance optimisation started receiving massive adoption through efforts like Intel’s Data Plane Development Kit (DPDK)-enabled version of Open vSwitch (OVS), making throughput increases for virtualized network functions more easily achievable. Cloud computing attracted more and more enterprise customers. In addition to COTS cost reduction, this also created an environment for more service outsourcing.

Virtualization does not work for all service deployment problems and actually introduces new reliability issues that service orchestration needs to mitigate. Virtualization, like any tool, deployed wantonly, can lead to disastrous consequences. While virtualization is critical for NFV, the orchestration and integration it requires need a scope that includes present and future fully integrated service platforms. In that regard, SDN can provide a “glue” for enabling middleware. Even though SDN is universally accepted in the control of service virtualization, the type of control point or points is still debated. For NFV, the debate manifests around stateless and proxy control points, or when inline or imputed metadata is employed.

Good or bad fit?
NFV merits
There are many benefits of implementing NFV as an alternative to standard architecture. Some of them are discussed below:
• Reduced CAPEX and OPEX
• Flexibility of scaling the network up and down
• Enhanced service agility to support faster service rollouts
• Increased operational simplicity
• Speedier innovation leading to eliminating hardware change
• NFV can be a viable revenue generator. “While challenges in using NFV to impact service velocity remain, the technology can enable a new range of service features that can produce revenue,” Tom Nolle of CIMI Corporation opined.
• Increased data collection, analysis and business decision-making processes.

NFV demerits
NFV is based on SDN and thus has the same limitations. Like SDN, NFV needs to evolve and become reliable in enterprise level deployments. However, it is close enough. Some specific challenges facing NFV going forward include:
• Managing both the cloud-integrated hybrid environment and physical devices
• It differs from conventional IT environments in that NFV requires abstract IT management
• NFV needs to be more dynamic than a traditional environment for it to be useful
• Process realignment for the simultaneous management of traditional and virtual infrastructure is required.
Approach for mitigating challenges
Wide adoption of NFV will eventually happen. It would be adopted for some use cases due to it being the need of the hour. Legacy networks will remain for some more time. Meeting the requirements of a transition towards virtualization requires the architecture to allow:
• Supporting dynamic, real-time network and service changes required by network events
• Separating network configuration and management of network state
• Supporting a modelling approach to network services
• Interworking with network orchestration platforms and SDN controllers
It’s important to thoroughly plan the migration strategy before one begins deploying network virtualization. It might be more relevant for large enterprise networks. Replacing existing infrastructure can be much more complex in these cases. Adopting a hybrid environment, where the virtual networking capabilities are deployed in the areas where they offer the most perceived value while allowing legacy in others, might be the way forward. NFV is new and is in vogue. It provides the promise to handle many of the challenges of current and future networks. But, like all innovations, scrutiny is suggested, along with incremental take-up to verify the value provided before deploying widely.

About the Author
Shantanu Bhattacharya is a software professional with around 25 years of diversified experience. Proactive leader, known for steering multi-million dollar endeavours to deliver cost savings and extensive profits by impressing stakeholders and on-boarding them. A professional with global experience in large multi-national enterprises, specialising in harmonising human capital by stimulating innovation. Has brought about organisational change and large transformations in trying circumstances to boost profitability. Has extensively designed and created architecture for application software for retail, system integration, and healthcare; networking software that's SNMP-based, and TCP/IP stack; security software; a file system for India's first supercomputer; and Real Time Software for the Indian Missile Program. Has published papers (external and internal) in various forums and has been a reviewer for ACM Computing Surveys.
Mitigating controls for ineffective patching By Louay Ghashash
It is well known and understood in the industry that patch management is a fundamental cornerstone of any security program. It has become well known and understood that without effective patch management, businesses will open their systems to a myriad of attacks and data breaches. The majority of today’s attacks and data breaches could have been avoided with patch management. Despite that, and while businesses understand the benefit, running smooth patch management is easier said than done; we often see issues and problems complicating that process and hindering its smooth operation.

PATCH MANAGEMENT PROCESS
The patch management process is often oversimplified; however, if we look under the hood, we find many intricacies and complexities hidden within that process.

BEST PRACTICES OF PATCH MANAGEMENT
Many security standards and best practices mandate or recommend that critical patches should be installed within less than 2-4 weeks from vendor release, high severity patches should be installed within less than 4 weeks and medium patches should be installed as soon as possible. Running effective patch management requires that all the following areas and systems be included in the process:
- Firmware and BIOS
- Hypervisors
- Operating Systems
- Application
- Libraries and applets
- 3rd party systems
- IoT devices
Focusing patching efforts on operating systems only is not considered good patch management practice.

PROBLEMS STOPPING EFFECTIVE PATCHING
Legacy systems
Legacy systems have to be the biggest roadblock on the road to patch management. Nowadays, there are many legacy systems still running around, including Windows 2008, applications built on Java Runtime Environment versions that are more than 15 years old, Windows XP and even Windows NT4. Chances are that these legacy systems will stick around for many more years to come.

Systems Testing
Running effective patch management goes well beyond getting the latest Microsoft patches and applying them; businesses require testing to be completed before approving patches. Effective testing is a massive task that delays businesses from rolling out patches in time. Systems need to undergo thorough testing before the patches can be installed. The time and effort required for testing are not small, and vendors nowadays are releasing new patches and updates faster than ever, putting a lot of constraints on businesses’ resources and teams.

Non-Production Systems
The lack of available non-production systems makes testing patches before rolling them out another challenge. System complexity means that a full, thorough testing plan must be put in place and, in some instances, full regression testing may be needed before approving any patches to production.

Patches Frequency
The number of disclosed critical and high patches and updates has significantly increased in the past decades. We regularly see vendors like Microsoft releasing critical and high severity patches on a monthly basis. Just check how many critical system patches vendors like Microsoft or Apple have released in the past 6 months. While it is great that we know there is a solution out there, this doesn’t make the job of the IT department any easier.

Backward Compatibility
Some patches have known backward compatibility issues, e.g., some Java library updates cause many issues and problems for systems relying on them. jQuery, a popular library used in modern web applications, is a nightmare to update; some of the major versions of jQuery are not backward compatible, and developers may in some instances have to rewrite large amounts of code to cater for the new version changes.

Business Resistance
Many businesses have unrealistically high expectations of system availability and, as a result, demand that all outages be kept to a minimum. This puts a lot of pressure and constraints on IT departments that need to bring down systems during the patch cycle.

Cost
All the previous factors make the combined cost of resources, systems, after-hours rates and 3rd parties a major hurdle that complicates this problem even further. Many IT departments haven’t factored these costs into their security program.
These controls should be considered as a last resort in your arsenal. In fact, all of these controls should already exist and be operational in IT departments.

Network Segmentation
You have a vulnerable system you can’t patch? Segment it. One of the effective mitigating controls is segmenting the system(s) from the rest of your network. This includes:
- Blocking all inbound and outbound access to these systems. This will significantly reduce any exposure of these systems to attacks from the internet.
- Isolating these systems in their own subnet and heavily restricting inbound/outbound traffic from the rest of the network will also need to be considered.
- Removing these systems from your Domain/Active Directory will reduce any chance of attackers abusing the domain trust relationship.
The above controls should be part of your Zero Trust strategy anyway.

Endpoint Detection and Response
If you are still running traditional antivirus, invest in Endpoint Detection and Response (EDR). Keep in mind that not all EDRs are created equal; some EDR vendors do a fantastic job of blocking attacks on vulnerable unpatched systems, others not so much. Having EDR doesn’t give a green light for not patching, but it should give the business some peace of mind.

Systems Hardening
Hardening unpatched and vulnerable systems as much as possible is also a good practice you should consider. This includes reviewing any default accounts and systems, uninstalling unneeded applications and services, and stopping any unnecessary services on these systems. CIS and Microsoft, amongst others, regularly publish good hardening standards for various systems.

Security Event Monitoring Solutions
If you can’t fix the problem, monitor it. At least you can detect when something wrong is happening. All systems must be regularly monitored and assessed for any indicators of attack and compromise. You should invest additional time and effort to ensure that events on unpatched and legacy systems are monitored and alerts are actioned promptly. Validate with your security event vendor and add some additional monitoring, if possible, for these systems.

IT Risk Management Process
When patching is not working well and legacy systems exist, these are all risks that IT must ensure the business is aware of. The vehicle for that awareness is an effective Information Security Risk Management Process that is aligned with the corporate risk framework. Without it, the business may be under the illusion that technology risks are managed by IT while IT doesn’t have the required budget and resources to manage them, and it becomes a disaster waiting to happen.

Conclusion
While running an effective and well-oiled patch management process is complex and requires a lot of energy and resources from IT, the above recommendations and controls could help reduce the impact or likelihood of not running patches. Nonetheless, these should not be used or considered as an excuse for not patching. Finally, IT should plan and consider exiting some of its legacy systems as soon as possible, or leverage some of the serverless cloud-based technology that alleviates the need for patching.

About the Author
Louay is a founder and Director of SpartansSec with over 22 years’ experience in information security across a number of industries and verticals. He has also acted as Chief Information Security Officer (CISO) across a number of customer engagements including Not-for-Profit, Retail and FSI. Louay holds a Bachelor Degree in Electrical Engineering and a Master Degree in Networking Systems Engineering. He also holds the following industry certifications: CISA, CISM, CRISC, QSA and ISO27001LA
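One way to check the network segmentation control described in this article, given here as an added example that is not the author's own code: the script flags firewall allow rules that cross the boundary of a quarantine subnet holding unpatchable systems without matching an accepted flow. The subnet, addresses, rule format and allow-list are constructed assumptions, and rule ordering is not modelled.

```python
"""Audit firewall allow rules around a quarantine subnet of unpatchable hosts.

All addresses, rule fields and accepted flows are constructed sample data
(assumptions for this example), not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed subnet that holds the legacy / unpatched systems.
QUARANTINE = ip_network("10.50.0.0/28")

# Flows the business has explicitly accepted: (source, destination, port).
ALLOWED_FLOWS = [
    # application server -> legacy database
    (ip_network("10.10.5.20/32"), ip_network("10.50.0.4/32"), 1433),
    # legacy hosts -> log collector feeding security event monitoring
    (ip_network("10.50.0.0/28"), ip_network("10.10.9.10/32"), 6514),
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR
    dst: str     # CIDR
    port: int    # 0 means any port


def is_covered(rule):
    """True when an allow rule stays entirely inside one accepted flow."""
    src, dst = ip_network(rule.src), ip_network(rule.dst)
    return any(
        rule.port == port and src.subnet_of(a_src) and dst.subnet_of(a_dst)
        for a_src, a_dst, port in ALLOWED_FLOWS
    )


def audit(rules):
    """Return names of allow rules that cross the quarantine boundary
    without matching an accepted flow.

    Simplification: every allow rule is judged on its own; shadowing by
    earlier deny rules (first-match ordering) is not modelled.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        if not (src.overlaps(QUARANTINE) or dst.overlaps(QUARANTINE)):
            continue  # rule cannot reach the quarantined hosts
        if src.subnet_of(QUARANTINE) and dst.subnet_of(QUARANTINE):
            continue  # traffic stays inside the quarantine subnet
        if not is_covered(rule):
            findings.append(rule.name)
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("app-to-legacy-db", "allow", "10.10.5.20/32", "10.50.0.4/32", 1433),
    Rule("legacy-syslog", "allow", "10.50.0.4/32", "10.10.9.10/32", 6514),
    Rule("legacy-internet-out", "allow", "10.50.0.0/28", "0.0.0.0/0", 443),
    Rule("any-any-rdp", "allow", "10.0.0.0/8", "10.0.0.0/8", 3389),
    Rule("office-web", "allow", "10.20.0.0/16", "10.30.0.0/16", 443),
    Rule("deny-to-legacy", "deny", "0.0.0.0/0", "10.50.0.0/28", 0),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print("rule crosses quarantine boundary without approval:", name)
```

Broad rules such as the constructed `any-any-rdp` entry are reported even though they were not written with the legacy hosts in mind, because their address ranges still include the quarantine subnet.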
The seven authentication best practices that support zero trust By Geoff Schomburgk, Vice President for Australia and New Zealand at Yubico
n 2020, Zero Trust was introduced as a mainstream approach to improve security environments and has continued to be a priority in 2021. Almost all security vendors have been espousing their own alignment with this simple idea, which can at times be complex to implement. Simply put, Zero Trust means no one from inside or outside the network is trusted. The Zero Trust approach demands every person and device provide strict identity verification to access network resources, whether or not they are inside the network perimeters. That said, the first step is to establish a user trust framework and the following seven best practices, if applied, will ensure the protection of a user’s access as a foundational element of building a Zero Trust architecture. 1. Deploy strong phishing resistant authentication Since March 2020, the Australian Cyber Security Centre (ACSC) has seen an increase in a range of different COVID-19 themed scams, online frauds and phishing campaigns. As Australians continue working remotely, organisations recognise the need to bolster security for user authentication with multi-factor authentication (MFA), but need to consider the following: Security: Is it a purpose-built security-focused device or one built primarily for communication (a smartphone) and does it provide 100% protection against phishing? Standardised access: Is the authenticator based on open standards, meaning it will automatically authenticate in a secure fashion across a range of platforms and services?
52 | Australian Cyber Security Magazine
Deployability: Can the authenticator provide security across multiple devices and work offline across mobile in remote locations, or across shared workstations?

2. Adopt Attestation
With Zero Trust, there is no implicit trust in the authenticator. Strong authentication is important but the hardware device itself still needs to be validated to ensure it is not compromised. Endpoint management is an important component of Zero Trust as phones and computers are susceptible to malware. Attestation enables validation that the authenticator hardware is from a trusted manufacturer and that credentials generated on devices are not cloned. There are platform authenticators built into devices such as laptops and mobiles, and portable authenticators that are external and carried by users. The best practice is to ensure that the attestation is built-in and certified to the FIDO standard.

3. Integrate authentication policies anywhere a user has to enter their credentials
Most organisations are using Identity and Access Management (IAM) platforms as core components of Zero Trust, which, if done right, can deliver a frictionless and secure authentication experience for every user, asset and data interaction, providing a foundation for a Zero Trust strategy. These solutions can grant access rights, provide single sign-on from any device, enhance security with MFA, enable user lifecycle management and protect privileged accounts.

4. Implement strong authentication for non-user accounts
Non-user accounts that are used to run web-connected devices are vulnerable to compromise as they are often protected with static passwords and have limitations on authentication options. Just as for user accounts, service accounts need to be heavily protected, monitored and properly scoped. Cryptographic certificate-based authentication provides strong authentication stored in hardware security modules (HSMs) without passwords that can be stolen. The industry best practice is to use security hardware that comes in different sizes from large physical appliances to small USB devices.

5. Sign to prove that it is you over time
Strong authentication is critical to a Zero Trust approach but how does an organisation know that an authenticated person did the work and that that work can be attested to over time? In the physical world, a person would sign a document with their signature to approve a contract or legal document. In the digital world, it has been possible for quite some time to digitally sign email and electronic documents. This has been a somewhat cumbersome process in the past, but now with personal authenticators and inexpensive HSMs, signing electronically has become much easier and stronger.

6. Implement risk-based authentication
The Zero Trust framework involves implementing real-time risk-based access policies based on signals and risk scores. This framework should allow automated controls and decision-makers ready access to application information, knowledge of where users are coming from, allowing for easy differentiation between types of accounts and device fingerprints. A strong authentication solution that is hardware-based and highly trusted can elicit a high trust score, allowing for higher privileged access. A trusted strong authentication approach allows for step-up authentication based on risk, thus protecting the user and the organisation while increasing productivity.
7. Plan for a passwordless future
Over the past few years, the term “passwordless” has gained momentum and now it is used by many security, authentication and identity solution providers, each with its own unique nuance. For clarity, it is best to use a broader definition such as: “Passwordless authentication is any form of authentication that doesn't require the user to provide a password at login.” Achieving secure passwordless login across desktop and mobile and into a wide array of services requires a rich ecosystem and a consistent framework for authentication. Specifically, it takes a rich open standards ecosystem built to achieve security and usability, while also satisfying the need for portability, compatibility and interoperability to scale to the masses. Organisations in our region can embrace all the roads to passwordless by following a smart card passwordless, FIDO2/WebAuthn passwordless or a hybrid passwordless approach that uses the combination of smart card and FIDO2 passwordless, depending on their business scenarios and their internal infrastructure environment.

When to start the journey
Implementing a Zero Trust framework is a journey, a mindset, supported by a mix of integrated technologies. The transition does not affect the user experience or the business operations when implementing the right tools, as long as organisations ensure the protection of a user’s access is at the centre of developing their Zero Trust architecture.
Hikvision vulnerability leaves surveillance cameras open to cyberattacks
By MySecurity Media Staff Writer
Hikvision has identified a critical vulnerability in certain internet protocol cameras produced by the video surveillance company, leaving multiple models of Hikvision cameras vulnerable to a remote takeover. In an advisory issued on September 19, Hikvision confirms the vulnerability, tagged CVE-2021-36260, is a command injection vulnerability in the web server of multiple Hikvision cameras.

“Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands,” the advisory reads. The vulnerability is rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).

Headquartered in Hangzhou, China, Hikvision manufactures and supplies video surveillance equipment. Hikvision is majority-owned by the Chinese Government via majority shareholder China Electronics Technology HIK Group. Despite the US Government blacklisting Hikvision in 2019, it is estimated Hikvision has a 40% global surveillance camera market share.

In addition to Hikvision branded cameras, other businesses buy Hikvision cameras and rebrand them. Hikvision’s vulnerability advisory lists scores of vulnerable models. But because of the rebranding practice, many more rebranded camera models are also potentially at risk. Video surveillance research company IPVM says 100 million-plus cameras worldwide are at risk.

An Australian Cyber Security Centre (ACSC) alert issued on Wednesday says the vulnerability could allow a cyber actor to take full control of the cameras, saying: “The cyber actor could then access device functionality or target other devices on the same network in order to steal information or install malware.”

A security researcher called Watchful_IP identified the vulnerability in June and notified Hikvision. A patch was issued simultaneously with this week’s security advisory. Watchful_IP notes this is a critical vulnerability, calling it “a zero click unauthenticated remote code execution vulnerability affecting a large number of cameras.”

“This permits an attacker to gain full control of a device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to limited ‘protected shell’ (psh) which filters input to a predefined set of limited, mostly informational commands.”

Watchful_IP notes, in addition to complete compromise of the camera, internal networks can then be accessed and attacked. “Only access to the http(s) server port (typically 80/443) is needed. No username or password is needed, nor do any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself,” Watchful_IP adds.

Hikvision cameras and rebranded Hikvision cameras are used at sensitive and critical infrastructure sites worldwide. The security researcher stresses the vulnerability is not a Chinese Government-mandated backdoor cyberattack. However, IPVM calls the vulnerability a “powerful way” for bad actors, including governments, to access surveillance networks that would be undetectable by the Hikvision device’s own logging.

Hikvision has updated firmware available on its official website that protects against the CVE-2021-36260 vulnerability. The ACSC advises as part of cyber security best practice, Australian owners should, if possible, prevent such devices from being accessed from anywhere on the internet.
OMIGOD vulnerability risk for Microsoft Azure cloud customers
By MySecurity Media Staff Writer
Critical vulnerabilities within a Microsoft open-source management tool called Open Management Infrastructure (OMI) are seeing bad actors attack some Microsoft Azure Cloud customers. The core critical remote code execution vulnerability, CVE-2021-38647, could allow cyber-attackers to take control of the vulnerable host. Certain Linux-based services within Microsoft Azure use OMI.

The other vulnerabilities, CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649, are privilege escalation vulnerabilities. Collectively, the vulnerabilities are tagged OMIGOD.

At risk are Microsoft customers using Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights. OMI is also used in on-site data centres utilising Microsoft’s System Center for Linux.

Microsoft has identified multiple exploitation attempts. These range from basic host enumeration to attempts to install a cryptocurrency miner or file share and attempted installations of the Mirai botnet. “Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc),” reads a Microsoft OMIGOD advisory.

While most Azure services that use OMI do so without exposing the HTTP/S port, some Azure products, such as Configuration Management, do expose an HTTP/S port listening to OMI (typically port 5986). The configuration where the HTTP/S listener is enabled could allow remote code execution. In particular, anyone with access to an endpoint running a vulnerable version (less than 18.104.22.168) of the OMI agent can execute arbitrary commands over an HTTP request without an authorisation header. This configuration facilitates the vulnerability CVE-2021-38647.

Cloud security company Wiz uncovered the OMIGOD vulnerabilities last week. Wiz says over 65% of sampled Azure customers were exposed, and almost all unknowingly. “Although widely used, OMI’s functions within Azure VMs are almost completely undocumented, and there are no clear guidelines for customers regarding how to check and/or upgrade existing OMI versions,” said Wiz’s Nir Ohfeld. Wiz says an exposed HTTP/S port is the “holy grail” for cyber-attackers.

While Microsoft publicised the OMIGOD vulnerabilities a week ago, the background nature of OMI in Azure means many clients are not aware of the risks or even that it exists. Further, OMI runs within a client’s virtual infrastructure. As a rule, Microsoft does not consider itself responsible for the security within that infrastructure.

Lydia Leong, Distinguished VP and Analyst at consultancy Gartner, says it has been a bad week for Azure and Microsoft. “Cloud requires customers to trust what they cannot control,” she says. The security analyst argues that while publicity about vulnerabilities like OMIGOD may draw in further bad actors, the need for transparency from providers like Microsoft is critical. “Cloud, especially at a massive scale, is a highly complex software system. As humans, we are really bad at figuring out the risk of complex systems. And each time there’s a failure, a thousand outraged voices cry out, ‘How could they let this happen?’”

Microsoft has made a patch available for OMI to mitigate the current vulnerability.
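The condition the article gives for CVE-2021-38647 is an HTTP request that reaches the OMI listener (typically port 5986) without an authorisation header. The following is an added example, not code from Microsoft, Wiz or the magazine, that flags such requests in request records; the record layout, sample requests and placeholder path are constructed, and it assumes the records come from a point where the request is visible in clear (a TLS-terminating proxy or host-side capture).

```python
from dataclasses import dataclass

# "Typically port 5986" per the article; add any other OMI listener ports you run.
OMI_PORTS = frozenset({5986})

@dataclass
class Finding:
    src: str
    dst_port: int
    method: str
    reason: str

def parse_request_head(raw: bytes):
    """Return (method, headers) for a raw HTTP/1.x request, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def flag_unauthenticated_omi(records, omi_ports=OMI_PORTS):
    """Return a Finding for each request to an OMI port that sent no credentials."""
    findings = []
    for rec in records:
        if rec["dst_port"] not in omi_ports:
            continue
        parsed = parse_request_head(rec["raw"])
        if parsed is None:
            findings.append(Finding(rec["src"], rec["dst_port"], "?", "malformed request"))
            continue
        method, headers = parsed
        # A missing header and an empty value both mean no credentials were sent.
        if not headers.get("authorization"):
            findings.append(Finding(rec["src"], rec["dst_port"], method, "no Authorization header"))
    return findings

# Constructed records (documentation IP ranges, placeholder path), not real traffic.
SAMPLE = [
    {"src": "192.0.2.10", "dst_port": 5986,
     "raw": b"POST /placeholder HTTP/1.1\r\nHost: vm1\r\nauthorization: Basic ZXg6ZXg=\r\n\r\n"},
    {"src": "198.51.100.7", "dst_port": 5986,
     "raw": b"POST /placeholder HTTP/1.1\r\nHost: vm1\r\nContent-Length: 0\r\n\r\n"},
    {"src": "198.51.100.8", "dst_port": 5986,
     "raw": b"POST /placeholder HTTP/1.1\r\nHost: vm1\r\nAuthorization:\r\n\r\n"},
    {"src": "203.0.113.5", "dst_port": 443,
     "raw": b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src": "203.0.113.9", "dst_port": 5986, "raw": b"\x16\x03\x01 not-http"},
]

if __name__ == "__main__":
    for f in flag_unauthenticated_omi(SAMPLE):
        print(f"{f.src} -> :{f.dst_port} {f.method}: {f.reason}")
```

A hit shows that an unauthenticated request reached the listener, not that it succeeded, so follow it up by checking whether the OMI agent on that host has the patch applied.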
CANBERRA’S HACKERSPACE – ANALYSIS OF INFOSECT
Interview with Kylie McDevitt, Technical Director in the Australian Government, and Silvio Cesare, formerly Director of Education at the University of NSW Cyber Security Centre
At the start of 2021 Kylie McDevitt left her role as Technical Director in the Australian Government and, with her husband Silvio Cesare, formerly Director of Education at the University of NSW Cyber Security Centre, transformed a warehouse in Canberra and started a hackerspace called InfoSect. Inspired by groups like the L0pht in the USA, they have left their career roles and set out full time on their own to build a place to hang out with other hackers and do cool research. This is their story… so far!
VIRSEC ENTERS ANZ CYBERSECURITY MARKET Interview with
Regional Sales Director with Virsec.
We speak with Rob Nobilo, Regional Sales Director with Virsec. Virsec is a San Jose, USA-based company which provides an application-aware workload protection platform. Virsec is gearing up for rapid growth in the ANZ region with Rob recently joining the team.
Regional Director, Australia and New Zealand, at D2L
Tony Maguire is a veteran of the education and technology industries with more than 20 years’ experience in consulting and collaborating with local and internationally-recognised educators, government ministers, and industry leaders. Having joined D2L in July 2020, Maguire is responsible for leading the company’s Australia and New Zealand team as it helps schools, universities, and businesses adapt to the changing societal and economic needs that require students and employees to learn remotely – changes that have been rapidly accelerated by the COVID-19 pandemic. After 15 years as a teacher in several public and independent schools, Maguire elected to expand and deepen his skillsets with a move to the corporate sector. The shift saw him take on senior roles with EdTech vendors including Apple’s K-12 business in Queensland, Northern Territory, Victoria and Tasmania, and Oracle’s A/NZ higher education consulting services arm. During his time as an independent EdTech consultant, Maguire worked with local and international institutions including RMIT, UTS, University of Sydney, Western Sydney University, Arizona State, and University of Pennsylvania on their migration journeys to software-as-a-service (SaaS) platforms.
CYBER RISK LEADERS “This large and diverse group paints an interesting narrative of the state of play in enterprise cyber risk.” Foreword by M.K. Palmore, Retired FBI Assistant Special Agent in Charge, FBI San Francisco Cyber Branch
“With experience and insight, Shamane has written a really useful book for existing and aspiring CISOs. I loved her unique voice, highly readable style, and wholeheartedly recommend this book.” CEO, Cyber Security Capital (UK)
“She has explored many topics long considered on the fringe of traditional security with great storytelling and insights from industry leaders.” CISO, Telstra APAC
ABOUT THE AUTHOR SHAMANE TAN advises C-Suite on uplifting their cyber risk and corporate security posture. She is an international speaker and Founder of Cyber Risk Meetups, a platform for security executives to share innovative insights and war stories.