Australian Cyber Security Magazine, ISSUE 13, 2022



Cyber threat hunting leveraging MITRE ATT&CK framework
Is Australia finally coming to grips with the cyber threat?
Security culture - does your organisation have it?
Multi-cloud networking challenges and solutions

Issue 13, 2022

Let’s kill the passwords for good
QR codes abused for Qshing attacks
Open source stalkerware detector
DeFi and Cybersecurity: What the future holds?


MysecTV weekly episode highlights

2022 Australian Security Industry

Nominations close 2nd September 2022!

The prestigious Australian Security Industry Awards recognise outstanding individuals and organisations in the security industry.

Organised by

Organised by ASIAL, the 26th annual Australian Security Industry Awards for Excellence will be held in conjunction with the 7th annual Outstanding Security Performance Awards (the OSPAs) and 11th annual Australian Security Medals Awards.

To nominate and find out more go to:

The awards ceremony this year will be held on 19 October 2022 at Doltone House, Hyde Park Sydney. Join us in celebrating this year’s high achievers.



17-19 AUG 2022


A NEW ERA of SECURITY

The security landscape has evolved. Integrating physical security with new technologies and thinking is now more imperative than ever as the industry enters a new era of digital transformation. For over three decades the Security Exhibition and Conference has united the industry to keep our communities safe. Now in 2022, Security returns – co-located with Integrate, the region’s premier AV event – with smarter solutions, convergent collaborations and cutting-edge insights to meet the evolving challenges of this vital sector. Join us as we enter a new era of Security.




FROM DESIGN TO IMPLEMENTATION & MANAGEMENT

A systematic approach to master keying for asset, facilities, and security professionals

Getting master key systems right is no easy task. This white paper is written by knowledgeable and experienced security professionals and will help you:
• understand the different types of master key systems
• choose the right products and partners to work with, and
• maintain a healthy system with the right management software.

Written by Davcor Group

Download your copy of this white paper.

1300 003 882 +64 (0) 9368 4802

Security Consultant Insight Series - meetup



Complimentary food and beverages SPONSORED BY





The Australian Security Magazine is the country’s leading government and corporate security news source with provoking editorial and up-to-date news, trends and events for all security professionals.

MySecurity Marketplace, powered by MySecurity Media, is a dedicated marketplace connecting industry and enterprise professionals to the latest events, education, technology and media platforms across a global security domain.


Contents

Director & Executive Editor: Chris Cubbage
Director: David Matrai

A cyber attack's name may change, but the reason it happens doesn't.

Art Director: Stefan Babij

MARKETING AND ADVERTISING
Copyright © 2020 - My Security Media Pty Ltd
GPO Box 930 SYDNEY N.S.W 2001, AUSTRALIA
E:


All Material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.





QR codes abused for Qshing attacks


Tech leader of the year


Cyber Threat Hunting leveraging MITRE ATT&CK Framework


Is Australia finally coming to grips with the Cyber Threat?


Three cybersecurity lessons we can learn (or re-learn) from the history of industrial control systems attacks


Breaking the ransomware business model


Is the new security legislation enough to protect our critical infrastructure?


Let’s kill the passwords for good


Inspecting the future of ransomware threats with Vectra’s CTO


Open source stalkerware detector - TinyCheck


Security culture - does your organisation have it?


Zero-trust approaches in digital transformation & cloud adoption


Is today’s cyber security meeting CISO demands?


Multi-cloud networking - challenges and solutions


DeFi and Cybersecurity: What the future holds?


Comparison between DeFi vs conventional Banking


Disable Ad Tracking in iOS and Android – Reasons to do it now


How to remove your personal information from Google’s search results



Meta pledges additional resources to counter electoral misinformation


Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.


Correspondents* & Contributors: Garett Paton, Neha Dhyani, Jason Duerden, Matt Hubbard, Dale Heath, Geoff Schomburgk, Vinoth Venkatesan, Oliver Tavakoli, Rebecca Taylor, Matt Hanmer, Guy Matthews, Jane Lo*

Editor's Desk

“We signed a Joint Workplan with @CyberGovAU, formalizing a strategy to enhance robust and effective collaboration to combat the common cybersecurity threats facing Australia and the United States.” - @CISAgov, Cybersecurity and Infrastructure Security Agency, July 14, 2022


The day prior to Australia and the United States formalising yet another strategy to enhance collaboration to combat the common cybersecurity threats, Victoria’s Deakin University was the subject of a cyberattack. Hackers used a staff member’s username and password to access student contact information held by an unnamed third-party provider and mass spam almost 10,000 students over a weekend via SMS. The SMS purported to be from a courier company and asked the recipients to click on a link to pay customs fees. In addition to the mass spamming incident, Deakin confirmed the contact details of 46,980 current and past Deakin students were also downloaded.

The concerning irony is that, at the time key nation state allies in the US and Australia are signing joint cybersecurity strategies, this is an Australian university that delivers cybersecurity degrees and employs office-appointed leaders in the cybersecurity sector, including the Chair of the Australian Information Security Association, and the successful attack comes on the back of the release of an Office of the Victorian Information Commissioner (OVIC) report on the security of personal information held by Victoria’s universities. The OVIC report found that Victoria’s universities had common cybersecurity vulnerabilities, including inadequately managing risks to personal information and not having written guidance about sharing personal information with third parties. This attack therefore reflects poorly on all concerned.

To underscore the challenge, findings in The State of Industrial Security 2022, which surveyed 800 senior managers globally, including 100 in Australia, responsible for industrial internet of things (IIoT)/operational technology (OT) in their organisation, indicated critical infrastructure is under attack. Despite agreement that IIoT and OT security is critical, businesses continue to face significant challenges as the geopolitical landscape becomes increasingly tense. The Australian cohort reported that attacks are widespread, with 90 acknowledging they experienced a security incident in the previous 12 months and 84 experiencing an incident that had an impact for more than one day. These findings are now very relevant, as this month also saw 8 July pass, ending the three-month grace period for mandatory cybersecurity incident reporting under the Security of Critical Infrastructure Act. The next obligation comes into effect on 8 October, from which date CI owners and operators will need to register their Critical Infrastructure Assets. New guidance for cybersecurity incident reporting is available at

The Australian Computer Society’s Digital Pulse 2022 report, released this month, confirms the country’s tech job numbers continue to boom, with over 1.2 million people expected to be working in the sector by 2027, an average annual growth rate of 5.5%. The report highlights that technology jobs are paying better than equivalent industries and proposes ways the nation can address the chronic IT worker shortage, including boosting the sector’s diversity and building the skills pipeline. The report found the nation’s tech workforce grew by 8% over the previous year, with over 870,000 Australians now working in IT roles. By comparison, the workforce as a whole grew only 3.4%.

In this issue Neha Dhyani, a Senior Security Consultant at Nokia Solutions & Networks, writes an important article on effective threat hunting, which allows the security analyst to think like a threat actor and then use that understanding to determine what clues to look for that might indicate an attack is underway. Jason Duerden welcomes the appointment of Clare O’Neil as Federal Minister for Cyber Security. This is the first time Australia has ever had a dedicated minister for cybersecurity, and it highlights a trend of cybersecurity measures taken by the Australian government dating back to the beginning of this decade. And Matt Hubbard has picked out three ICS incidents to show how industries have learned to deal with ICS cyber attacks over the decades and what we still need to keep in mind when securing ICS devices, data, and systems.

In our cover feature, we look at the demands on the CISO. The world of cybersecurity is akin to a giant iceberg – vast, complex, ever-changing and multi-faceted. Of its various facets, one in particular has the power to keep enterprise security professionals awake at night, and that’s the critical intersection that straddles the networking world and the cybersecurity world. This nexus is not only a major pressure point for the hard-pressed CISO, but also the object of much effort and investment in the security vendor community. We look at the market forces and trends that the CISO must navigate in a new and ever-challenging hybrid world.

Stay tuned with us and the community via the regular Cyber Risk Meetups, Security Consultant Insight Series and a host of event partners across Australia and the Asia Pacific. We otherwise continue to take a deep dive into the cybersecurity domain and corporate risk management, and throughout we have links to our Tech & Sec Weekly Series and the latest Cyber Security Weekly podcasts. On that note, as always, there is so much more to touch on and we trust you will enjoy this edition of Australian Cyber Security Magazine. Enjoy the reading, listening and viewing!

Chris Cubbage CPP, CISA, GAICD Executive Editor

WRITE FOR US!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:
• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at:

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at:

8 | Australian Cyber Security Magazine

App now available on iTunes &

DOWNLOAD NOW!




Kayelene Kerr Body Safety, Cyber Safety & Pornography Education Specialist

Kayelene is passionate about the prevention of child abuse and sexual exploitation, drawing on over 24 years’ experience of study and law enforcement, investigating sexual crimes, including technology-facilitated crimes. Kayelene delivers engaging and sought-after prevention education workshops to educate, equip and empower children and young people, and to help support parents, carers, educators and other professionals. Kayelene believes protecting children from harm is a shared responsibility and she aims to inspire the trusted adults in children’s lives to tackle sometimes challenging topics. Kayelene is the founder of eSafeKids and is recognised as one of Western Australia’s most experienced specialist providers of Cyber Safety, Digital Wellness and Pornography education workshops. We discuss the current focus and activities of her business, her background and motivations, and the issues and trends around eSafety and children’s digital awareness.


Check out our latest Cyber Security Weekly Podcasts

Episode 324 – Chinese cyber threat landscape – perspectives from a Taiwanese cyber security expert

Episode 322 – Russian information warfare and cyber threats – perspectives from a native Georgian speaker and cybersecurity expert



Interview with Charles Li, Chief Technology Officer and Chief Analyst at Team T5

Charles is the Chief Technology Officer and the Chief Analyst at Team T5. He leads Team T5’s analyst team in threat intelligence research. He has been studying cyber attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He often publishes research and gives training courses at security conferences. In this podcast, he shares some highlights of his team’s presentation at Black Hat Asia 2022. Focusing on the notorious Chinese threat actor groups (APT 10, APT 27, APT 41), he discussed key characteristics, such as how their motivations extend beyond espionage to monetisation, tool overlap, targets, and growing OpSec sophistication.

Dr. Khatuna Mshvidobadze is a Professorial Lecturer of Cybersecurity at the George Washington University and Adjunct Professor of Cyber Security at Champlain College. She is also a Senior Fellow at the Rondeli Foundation in Tbilisi, Georgia. Earlier, she developed and taught cyber security courses for M.S. and M.P.S. programs at Utica College. She has been Deputy Director of the Information Center on NATO in Georgia and Adviser to the Office of the Minister of Defense of Georgia. Her articles have appeared in Georgian and in English, including in Defense News, Jane’s Defense Weekly, US News & World Report, Jane’s Foreign Report, Radio Free Europe/Radio Liberty and more. She has presented topics on cyber threats at different venues inside and outside of the country: The Office of the Secretary of Defense, US Department of Defense, FBI Headquarters and field offices, Department of Justice, Defense Intelligence Agency, U.S. Healthcare Sector Coordinating Council, Mitre Corporation, Raytheon BBN Technologies, NATO and EU events. She has also been a speaker at TEDx, DefCon and RSA conferences and more.






Fortify integrates directly into Visual Studio and other major IDEs.

Find and fix security vulnerabilities in your code using Fortify.
• Seamless integration
• Access remediation advice
• Easy to use
• Track vulnerabilities throughout the entire code
• Prioritize issues
• For use for custom and open source code

Commit code: Use GitHub (or other repository) and initiate the build in Azure (or other CI/CD servers such as Jenkins).

Set up initial check-in and scan: Access scan results in Fortify Software Security Center (SSC). View a report of issues found, as well as prioritization and categorization of the findings.

Import results: Use the Fortify plug-in to easily import results into the IDE and access the list of vulnerabilities and recommendations.

Track vulnerabilities: Use analysis tracing to identify vulnerabilities throughout the code. Access real-time, as-you-type code analysis. Through the Security Assistant integration, receive detailed information about security risks and recommendations for how to secure potential issues. Access all detected security issues in the Error List panel.

Fix vulnerabilities: Re-run the build and verify results in Fortify SSC.

Improve coding skills: Through the Secure Code Warrior integration, developers can access interactive application security training within Fortify SSC.

See a complete list of our integrations. Visit Fortify Integration Ecosystem page ›

Movers and Shakers

Australian Government agencies digitally lagging

Adobe has announced new research which reveals Australian Government agencies are still at the beginning stages of their digital transformation. The study explored opportunities and challenges Australian Government agencies face with their digital transformation journeys, including digital document processes and e-signatures. The commissioned study ‘Digital Trust in Australia: Reduce Security Risks and Deliver Superior Citizen Experiences with Digital Document Processes’, conducted by Forrester Consulting on behalf of Adobe, revealed that while the disruptions from the pandemic forced local agencies to accelerate their digital initiatives, most of them still used a hybrid approach of paper-based and digital documents. Only 14% of respondents said their agency had entirely digitised its document processes, as most continue to use a variety of workflows.

Digitisation in public service delivery has become critical to enhancing the citizen experience and delivering practical and secure processes. The pandemic brought the need for collaboration to the forefront, especially for government agencies, who need to find ways to work together and serve citizens diligently. Respondents feel Australian Government agencies are underutilising digital document process solutions, and that this is impeding the citizen and employee experience alike. 68% of respondents mentioned that a lack of technology and tools impacted employee productivity, and 58% said their agency had difficulty maintaining security and confidentiality, with the right people having access to specific documentation.

While government agencies have relied more heavily on paper-based processes than other verticals, they have undergone a mindset shift in the last 18 months regarding the digitisation of workflows. As a result, barriers to adopting digital document process technologies, such as e-signatures, are fading away. Before the pandemic, 56% of respondents said they were concerned about the complexity of integrating signatures with day-to-day productivity applications, but this has fallen to 18%.

“One of the biggest challenges government agencies face is the challenge of expanding digital services while preserving citizen trust,” said Chandra Sinnathamby, Adobe Director of Digital Media B2B Strategy & GTM, Asia Pacific. “This calls for the adoption of solutions that easily digitise workflow processes while ensuring cyber resiliency. Digital adoption can meet the need for mobility, scalability, and auditability in government agencies. Hence, it is crucial for government agencies to develop a humanised approach to digital transformation.”

Australian Government agencies are increasing their investment in the digitisation of documentation, with top priorities over the next 12 months including:
• Improving the use of data for decision-making (70%)
• To accelerate the response to market change (64%)
• Shift to being a digital government for IT modernisation (62%)
• Improving overall risk management, including data security and privacy (62%)

Based on the survey, the study finds, “These increased investments will accelerate the shift to e-services and help agencies catch up with digital-leader agencies in other countries.” Among its further recommendations: “Your agency must look at digital document process solutions as general-purpose technologies on the way to a bigger transformation agenda. Doing so will help it achieve some key objectives, such as improving data-driven policy making, enabling self-sovereign identities (SSI), and strengthening security and compliance.”

The key steps to deploying a digital approach are phased, as government agencies are moving to modernise legacy technologies and adopt a cloud-based approach. “To continue to create trust among parties and to support compliance, it is important government agencies are collaborating with partners that offer identity authentication and signature services. This is the best way to future-proof an agency with more interactive documents infused with structured data for the long run,” said Sinnathamby.

Adobe commissioned Forrester Consulting to conduct the online study with 150 senior business and technology decision-makers based in Australia, Singapore, and India with responsibilities for digital document processing at their organisation or government agency.

mx51 partners with Sysdig

mx51 has partnered with Sysdig. Martin Doherty, Head of Cyber Security and Risk at mx51, said: “Having consistent scanning capabilities from early development through to release is huge for us. By enabling the team to self-serve, we essentially reduce the ‘security tax’ on our developers.”

“When attempting to release a new product or feature the last thing you need is to be blocked because of some previously undiscovered vulnerability – and especially since the remediation is unforecast work and often harder to do. With Sysdig Secure, our developers can identify and remediate vulnerabilities as they go rather than dealing with a blocker at release.”

“Collaborations like our work with Sysdig are crucial in ensuring that we can ship features at the pace our customers expect without having to sacrifice security. Our technology is bank-grade and Sysdig Secure ensures that we continue to meet the high security standards set by our major bank partners.”

Gavin Selkirk, Vice President and General Manager, APAC at Sysdig, said: “Cloud-based payment platforms like mx51 can’t afford to be slowed down by a massive number of unprioritised vulnerabilities or afford downtime on their services or worse, a breach.”

“Sysdig secures five out of the top 10 US banks, and mx51 is one of our first Australian fintech partners. We are aggressively growing adoption in the region as organizations look to enhance the caliber of their cybersecurity practices as they aim to partner with major banks.”

Haventec’s Authenticate launches on Auth0 Marketplace

Haventec has announced the availability of its Authenticate solution on Auth0 Marketplace. CEO of Haventec David Maunsell says, “We’re thrilled to join the Auth0 network to offer our Authenticate solution to meet the growing demand for transformative digital identity solutions. By eliminating the password, we are providing the security that companies need, the simplicity that consumers desire and the freedom that both parties want online.”

“Haventec’s integration with Auth0 reinforces our solutions as market-leading and will raise awareness of our genuinely passwordless innovations across Auth0’s global network,” Maunsell added.

Haventec’s Authenticate solution complements Auth0 extensible identity, and the ease with which customers can seamlessly integrate adjacent technologies to facilitate the successful execution of larger projects such as digital transformation, threat detection, compliance, and customer conversion.

“Auth0 Marketplace provides partners like Haventec with a central in-product hub where their solutions are visible to, and accessible by, thousands of Auth0 customers, and enables them to participate in the growing identity and access management economy,” said Cassio Sampaio, SVP of Product at Auth0. “Authenticate is a best-in-class technology that adds tremendous value to our Marketplace and its customers.”

This announcement follows the news of Haventec’s induction into both the FIDO Alliance and Microsoft Azure B2C Directory, as well as several milestones including an $11M capital raise and the launch of their US expansion.

Secolve hires big for new advisory board

Secolve has announced it has appointed an advisory board. The advisory board comprises Energy Australia’s Chief Information Security Officer Catherine Buhler, former PepsiCo and Oil Search Limited Chief Information Officer and Senior Vice President Jackie Montado, Seqwater’s Head of Cyber Security Patrick Dunstan, and former Chief Information Security Officer at TasNetworks, Steve Mason.

Announcing the new board, Secolve founder and CEO Laith Shahin said each appointee contributed a unique perspective and lived experience in the cyber security and OT space. “I am delighted to be partnering with a team of specialists so highly esteemed within the cyber and OT security sectors, and who have such extensive hands-on experience in their respective industries,” Shahin said. “The OT security landscape is constantly evolving, and we are proud to have been able to harness the best minds in the business to ensure our clients can stay one step ahead of threat actors and mitigate against adverse outcomes in case of attack.”

Shahin said the diversity of the board would also assist clients with regulatory compliance requirements, particularly energy sector clients navigating AESCSF complexities. “The frequent sophisticated attacks critical infrastructure organisations face have made it increasingly difficult for them to secure their operations. There is never a one-size-fits-all response – it requires a diverse and expert skillset to repel such attacks,” he said. “The depth and combined experience of our advisory board not only positions Secolve as a market leader in the OT security landscape, but also our clients. They benefit from a broad range of innovative approaches to tackling problems and simplifying processes, ensuring we understand the constantly evolving challenges they face and how to address them.”

Jackie Montado said it was imperative businesses were proactive in securing the expertise required to protect their operational assets. “Our world is more technologically reliant than ever before and it is essential that we develop and operationalise cyber security solutions to protect our businesses, their customers, and employees. I am very excited about joining the Secolve advisory board and supporting its important mission to protect Australia’s critical infrastructure,” Montado said.

Seqwater’s Patrick Dunstan agreed Australia’s cyber security response was at a critical juncture. “The sophistication and frequency of cyber-attacks in the industrial automation space is consuming more and more of utilities’ and OT-dependent businesses’ focus and resourcing. Combatting these attacks requires a specialised response and I am pleased to be able to assist Secolve in meeting these challenges, lending my experience and expertise to make Australia’s national critical infrastructure safer for companies and the communities reliant on their services,” Dunstan said.

Former AWS leader checks into Check Point

Check Point Software Technologies has announced Les Williamson has joined the business as Managing Director for Australia and New Zealand (ANZ). With over three decades of IT and leadership experience, Les will be responsible for driving new business and revenue expansion for Check Point in the Australia and New Zealand market. As a key member of the Asia Pacific leadership, Les will continue to manage a high-performing and diverse sales team, and implement local strategies to drive further growth in an increasingly virtual world with expanded cyber security threats. Prior to joining Check Point, Les held country and regional leadership roles at global organisations including Ericsson, Cisco, Citrix and most recently AWS, where he led the Telecom Business Development function for Asia Pacific and Japan. Les will report directly to Sharat Sinha, Vice President and General Manager, Asia Pacific and Japan.

Commenting on Les’ appointment, Sinha said, “We’re incredibly excited to have Les, an industry veteran, leading the Australian and New Zealand business. Our strategic direction is built around delivering the best security solutions to partners and customers and Les’s industry experience and expert leadership will enable the development of ANZ companies’ security strategy required for their own digital transformation. By leveraging Check Point’s extensive security portfolio to provide this consolidated approach to prevention-first security, I’m confident that Les will bring a significant contribution to the development of our clients’ security and digital strategies, and protect their business for continued growth.”

Les Williamson, Check Point Managing Director, Australia and New Zealand, said, “I’m honoured to be joining Check Point at a time of great momentum to spearhead growth in the region. As digital transformation picks up speed, the need for comprehensive and trusted cyber security also increases in focus and importance. Check Point’s Intelligence reports show a complex reality, with Australian and New Zealand organisations experiencing an average 890 cyberattacks per week in the last six months.” He continued, “At the same time, we see both markets and borders reopening and a push to regain economic momentum. So, it’s imperative for organisations to strengthen their cyber defences and protect their bottom lines. Working with my team, we will look to offer ‘prevention-first’ solutions that go beyond traditional security, protecting areas that our customers have not even thought about. It’s always a prized opportunity to be part of something that brings true customer business relevance, and contributes positively to the broader ANZ economy.”

The announcement follows the recent promotion of Rod Thorne as Australia Country Manager and executive appointments with Mark Baker as New Zealand Country Manager, Leo Lynch as Head of Channels ANZ, and John Marshall as Head of Distribution ANZ, bolstering Check Point’s leadership team.

How cyber-secure is your security system?

A cyber-attack on your security system can result in considerable damage to your business. The solution you relied on today may not protect you tomorrow. From inception, Gallagher’s security systems are designed to be as secure as possible, and with regular software releases are continually evolving to ensure you stay up-to-date. Take a proactive approach to managing your security – choose Gallagher.

End-to-end authentication and encryption

Internal and external cyber security testing

System hardening and configuration advice

Fully trained and certified installers

Talk to our team today

03 9308 7722


A cyber attack's name may change, but the reason it happens doesn't.

By Garett Paton, Director Data Protection Solutions at Dell Technologies, ANZ


As Albert Einstein didn’t say, the definition of insanity is “to do the same thing over and over again and expect different results.” (Side note: it was the mystery novelist Rita Mae Brown who said it, or at least wrote it.) And yet, when it comes to cyber security this is essentially the approach: not addressing the fundamental problems that create the vulnerabilities in the first place, and then being surprised by an attack year after year. Now, it might seem strange to say that security does not always change dramatically over the years. No one can have missed the often-devastating attacks that have been front page news for much of 2021. And similarly, we’re seeing cyber-attacks used in conjunction with traditional warfare in modern conflicts. However, while the scale of the attacks has changed, the security industry is still facing the same problems it has for the past 20+ years.

So, what has changed and what hasn’t? The difference is that the cost of complacency is now too high. In February, cybersecurity authorities in Australia, the US and UK issued a joint advisory highlighting the increased globalised threat of ransomware. They noted that Australian organisations of all sizes were potential targets, not just the “big fish”. Despite the high-profile examples, threats are hitting all levels of business. And sure, ransomware attackers may be tweaking their methods to increase impact, by targeting the cloud, the supply chain or managed service providers. But they still use the same approach. Even in a year as unpredictable as 2021, the threats organisations and individuals faced were fundamentally the same as they’ve been for decades: phishing and fraud. The difference is they were updated to be attractive to today’s targets. The fact is, it is still too easy for adversaries to access an organisation’s networks and cause harm, often through a known vulnerability. Without addressing these issues, hackers will continue their successful efforts. In a nutshell, technology departments must get better at quickly identifying and fixing vulnerabilities before they can be exploited. In turn, tech providers must get more proficient at developing secure and resilient technology. When security is embedded into all technology, organisations are better positioned to identify, protect, detect and respond to threats. In essence, there are three longstanding problems our industry needs to resolve now.

Plug the workforce gap

A hacker’s potential to cause harm is unlimited, so defenders must get it right every time. This requires impressive defences, but most organisations struggle to find enough cyber talent to build them. Talent may be the biggest issue facing our industry. According to not-for-profit AustCyber, nearly 17,000 more cyber security workers will be needed by 2026. As well as relying on graduates, organisations need to invest in training programs and develop employees’ transferable skills. That way, organisations can transition interested employees from non-traditional security backgrounds like risk, IT, data analytics or engineering roles into security positions. More broadly, nations and educational institutions should invest in cybersecurity as a long-term strategic priority. It’s essential to the safety and stability of our digitally dependent future. But it’s clear there still won’t be enough people to plug all the gaps, so it needs to be done in parallel with identifying areas to reduce labour dependency, such as automation using artificial intelligence and machine learning.

Manage Vulnerabilities

While IT governance processes such as asset inventory and patch management are simple in concept, we as an industry tend to struggle with these basics – a win for the hackers. Organisations need awareness of technology deployments and their dependency on them. This extends beyond IT-managed systems to anything plugged into corporate networks, as well as third-party cloud services. Further, the discussion around patching should focus on speed and prioritisation. It commonly takes weeks, if not months, for organisations to patch vulnerabilities, whereas hackers are on vulnerabilities within hours or days of their publication. It’s imperative to know what technology the company has at all times, in near-real time, and to find and patch vulnerabilities within hours. While this level of excellence exceeds industry standards, organisations need to practise this effectively to defend against today’s threats.

Building More Secure Technology

At the heart of many vulnerabilities are systems that were not designed with security in mind. They often use inadequate design and development practices. This issue only gets worse as the number of companies developing technology explodes with the digitisation of “smart” product lines across every sector. From appliance companies to watch makers, everyone develops code now. Technology providers must develop technology that’s intrinsically more secure and resilient, designed with foresight about how these devices will connect into networks that are likely crawling with hackers. An intrinsic security approach results in technology that’s less likely to have security bugs, and that fails with fewer consequences when vulnerabilities are inevitably discovered. Additionally, intrinsically more secure technologies reduce the need for the multitude of security tools that most organisations require, which in turn reduces the skilled cyber labour needed to operate them. This illustrates the harmony and interplay between these three fundamental security areas: only by implementing each in concert will we realise the full potential of this opportunity. But we can’t do it alone; we need to work together to solve the problems that affect us all, as the coalition of countries, including Australia, that have pledged to help Ukraine shows. Of course, we should always have one eye on the threats around the corner. But we should also spend our time solving the long-standing problems that hurt us every day, rather than pontificating about problems that don’t yet exist. With a renewed focus on getting the fundamentals right, organisations can begin to get the upper hand.


QR codes abused for Qshing attacks. As the popularity and trust of QR codes increase, so do the risks. By Rebecca Taylor, Incident Command Knowledge Manager at Secureworks


Almost two decades after they were developed, the pandemic saved the Quick Response (QR) code from extinction. They have consequently expanded far beyond their original scope and, while many uses are legitimate, threat actors are now leveraging the technology for malicious purposes. Invented in 1994, QR codes originally provided quick tracking information for car parts. This technology was adopted by other businesses and upgraded to facilitate access to websites and other information. In 2022, QR codes are used for tasks such as facilitating payments, downloading applications, distributing documents, and confirming event tickets. They even support security mechanisms, including the deployment of multi-factor authentication. The COVID-19 pandemic prompted widespread use of QR codes to report test results and confirm vaccination status. The technology’s popularity was confirmed by the unprecedented scanning of Coinbase’s advertisement during the 2022 Super Bowl. This evolution has persuaded users that QR code mechanisms can be trusted. However, threat actors are exploiting this trust to collect sensitive information or to deploy malware.

How are QR codes exploited? QR codes leverage mobile device cameras or scanners to read a matrix barcode. The device then translates the barcode into an action, such as a redirection to a social media site. While QR codes cannot be directly compromised, it is possible to substitute a QR code with another, abuse them to distribute malicious software, or redirect victims to a malicious website.


Attacks that exploit QR codes are known as ‘Qshing’ (QR code phishing). In January 2022, the U.S. Federal Bureau of Investigation (FBI) warned QR code users about tampering and cited increased reports of stolen credentials and monetary loss. In March 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a Qshing campaign that leverages a fake password reset page to steal credentials.

Do not fall victim to Qshing

While there is no conclusive way to verify the legitimacy of a QR code other than opening it or using a QR code scanner app, we recommend that you consider the following steps when engaging with a QR code:

1. Utilise a security app on your mobile device. Many reputable vendors offer apps that provide antivirus detection and other security protections for mobile devices. Some of these apps include QR scanners. Scanning a QR code via the security app could intercept malicious QR codes or suspicious traits, adding another layer of protection.

2. Evaluate the QR code’s credibility. Does the QR code’s context and messaging seem appropriate for the setting? For example, a restaurant offering its menu via QR code is reasonable. However, users should be wary if scanning a QR code leads to prompts for information that doesn’t seem relevant (e.g., a game that requires personally identifiable information (PII), a request for credentials to access a bus schedule). If the QR code seems suspicious, you can try to verify its credibility by contacting the organisation or individual who issued it. In addition, it is important to evaluate the potential risks associated with sharing requested information.

3. Use the direct route. QR codes are often used to provide direct access to a website or application download. It is safer to visit a website via a confirmed URL in a web browser and to download applications from the official app store. Similarly, we strongly recommend directly interacting with a bank or service provider (e.g., vendors such as utility companies, trusted financial apps such as PayPal or Venmo) rather than making payments or financial transactions through a site navigated to by a QR code.

4. Protect QR codes that provide access to PII. QR codes that link to sensitive data such as health information are tied specifically to an individual. Users should never share these QR codes with someone they do not trust. Additionally, it is not advisable to take a screenshot and publicly share these QR codes with others on social media platforms, as someone could be impersonated and could access private information.

5. Verify the QR code destination. The QR code itself may not be malicious, but it could redirect the user to malicious content. It is best to evaluate the authenticity and security of the content by considering factors such as URL validity, encryption status and page formatting. If something does not feel right, step away.

6. Minimise impact. If a user scans a QR code and navigates to a website or application that appears malicious or untrustworthy, then it is advisable to close the page or application, clear the cookies and site cache from the web browser, and delete the page or application from your browser history. If a user provided credentials or financial information, they should escalate the incident with the appropriate organisation and change their password.

Mobile devices are typically harder to exploit without user interaction, but the expanded use of QR codes may lower users’ defences. Assessing the legitimacy of a QR code could avoid an expensive, stressful, time-consuming, or damaging mistake. Vigilance is key.
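As an added example (not code from the article or from Secureworks), the following Python routine applies the checks behind steps 3 and 5 to a QR payload that a scanner has already decoded, before the user acts on it: it separates action payloads (Wi-Fi join, phone call, SMS) from web links and flags link properties that cannot be judged by eye. The shortener list and all sample payloads are constructed.

```python
# Constructed example: triage of a decoded QR payload before acting on it.
# Not code from the article or Secureworks; the checks mirror the advice above
# (encryption status, URL validity, destination you can actually verify).
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts; a real deployment would keep its own list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Payload prefixes that make the phone do something other than open a web page.
ACTION_PREFIXES = {
    "tel:": "phone-call",
    "sms:": "sms-message",
    "smsto:": "sms-message",
    "mailto:": "email",
    "wifi:": "wifi-join",
    "mecard:": "contact-card",
    "begin:vcard": "contact-card",
}


@dataclass
class Triage:
    kind: str                      # "url", "wifi-join", "phone-call", ... or "text"
    target: str = ""               # hostname for URLs, empty otherwise
    risks: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Anything with a flagged property is handed to the user for review.
        return "ok" if not self.risks else "review"


def triage_payload(payload: str) -> Triage:
    """Classify a decoded QR payload and list properties worth a second look."""
    text = payload.strip()
    low = text.lower()
    for prefix, kind in ACTION_PREFIXES.items():
        if low.startswith(prefix):
            # Joining a network or sending a message should be an explicit user decision.
            return Triage(kind, risks=["action-payload"])
    if low.startswith(("http://", "https://")):
        return _triage_url(text)
    return Triage("text")          # plain text carries no action by itself


def _triage_url(url: str) -> Triage:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    risks: list[str] = []
    if parts.scheme != "https":
        risks.append("no-tls")                 # "encryption status" in step 5
    if parts.username is not None:
        risks.append("userinfo")               # "bank.example.com@evil.example" deception
    try:
        ipaddress.ip_address(host)
        risks.append("ip-literal")             # no domain name to evaluate at all
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        risks.append("punycode-host")          # may render as a look-alike of a known name
    if host in SHORTENER_HOSTS:
        risks.append("shortener")              # destination unknown until visited
    if len(url) > 200:
        risks.append("long-url")               # hard to read on a phone screen
    return Triage("url", target=host, risks=risks)


if __name__ == "__main__":
    for sample in ("https://www.example.com/menu",
                   "http://203.0.113.5/login",
                   "https://bank.example.com@evil.example/reset",
                   "WIFI:T:WPA;S:Cafe;P:secret;;"):
        result = triage_payload(sample)
        print(f"{result.verdict:6} {result.kind:12} {result.target:20} {result.risks}")
```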


Developing Cyber Resilience for a Future Ready Organization

15-16 August 2022 | Sheraton Imperial Hotel Kuala Lumpur Cybercrime and cyberattacks continue to rise with ever more data breaches and crippling ransomware attacks. A broader security strategy is needed as the attack surface grows, and we rely more on digital technologies in all areas of business and industry. With the support of forward-thinking security strategies and technology solutions to match, the modern business can minimize potential risk and step into a digital future confidently.



Guest-of-Honour Minister Josephine Teo, Ministry of Communications and Information (MCI), presenting the “Tech Leader of the Year” 2022 award to Caecilia Chu, CEO and co-founder of YouTrip, with Mr Sam Liew (President, Singapore Computer Society) on the right. Photo credit: SCS


Tech Leader of the Year. By Jane Lo, Singapore Correspondent


After 2 years of virtual ceremonies, the Singapore Computer Society delivered a sold-out Tech Leader Awards 2022 gala dinner with 600 guests on-site at the iconic Island Ballroom at Hotel Shangri-La in Singapore on 6th May 2022.

The enthusiasm and energy in the air was palpable. Indeed, as Mr Sam Liew (President, Singapore Computer Society) remarked in his welcome address, “even though all of you have your masks on, our collective spirit of togetherness and joy to be back after three years cannot be masked!” Amongst the many reasons that this signature annual event was special this year was marking “Singapore’s successful transition into the endemic phase,” he said. For sure, the medical and health industry had been at the forefront fighting the pandemic, and the recent lifting of many restrictions was a welcome relief to all. However, the technology sector had not stayed on the sidelines during the outbreak. Rapid developments and roll-outs of innovative digital solutions to benefit healthcare workers and residents – such as contact tracing – were evident during the last 2 years. Breakthrough products and services in these areas were recognised by the Tech Leader Awards 2022. Under the “Digital Achievers” category, the winners included technology specialists in the health sector (“Integrated Health Information Systems”), as well as the global engineering and tech group (“ST Engineering”). With solutions ranging from identifying patients with higher infection risk to improving patient care management, they showcased how technology can be a real game changer during such times of crisis. Of significance was also the maritime sector, which saw several “Digital Achievers” recognised for digital solutions that produced material efficiency gains in logistics management (they include “Maritime and Port Authority of Singapore”, “NCS Engineering” and “PSA Singapore”). “Tech Leader of the Year” 2022 went to Caecilia Chu, CEO and co-founder of YouTrip, a locally launched Southeast Asian financial technology company. Besides managing a business that provides a multi-currency mobile wallet that has already received several accolades, she also commits her time to initiatives where she endeavours to inspire future women technology leaders. The “Hall of Fame” saw the addition of Eddie Chau (co-founder and chairman, V-key), whose accomplishments over the past three decades, which include founding seven startups, establish him as an exemplary and well-seasoned figure in Singapore’s tech landscape and a highly sought-after mentor and advisor to Singapore start-ups. While celebrating the winners of today, Tech Leader Awards 2022 also recognised the “Future Leaders in Tech”: youth leaders who are already championing causes and leading initiatives to instil passion for tech amongst their peers. “In practically every sector where we have drawn up an Industry Transformation Map, there is a clear shift towards broader and deeper use of technology, in particular digital technologies,” said Guest-of-Honour Minister Josephine Teo, Ministry of Communications and Information (MCI). To the public and industry who have been positively impacted in this digital transformation journey, Tech Leader Awards 2022 represents an invaluable opportunity to give due recognition to the outstanding work delivered by individuals and teams in the technology sector. What the 2022 Awards also highlighted was the ability of the technology sector to seamlessly deliver under pressure: the planning, preparation and logistics of the signature event in the local tech scene were condensed from the usual 4 months to an impressive 1 month.

***

The judging panel that presided over the Awards comprised judges from various sectors such as business, public, and academia. For a full list of winners, see awards/tech-leader/awards-winners-2022

Guest-of-Honour Minister Josephine Teo, Ministry of Communications and Information (MCI) and Sam Liew (President of the Singapore Computer Society) with the winners of Tech Leader Awards 2022.



EPISODE 327 – SINGAPORE’S TECH LEADER AWARDS 2022. Interview with Sam Liew, President, Singapore Computer Society; Managing Partner, Government Strategic Business Group, NCS Group.

In this podcast, Sam gives an overview of the Singapore Computer Society and the Tech Leader Awards 2022 (presented on 6th May 2022), the nation’s tech awards, which celebrate the stalwarts of excellence and innovation within Singapore’s pulsating tech industry. He also shares some highlights of the Singapore 100 Women in Tech List, another major recognition program by the SCS. With Singapore’s emergence from the pandemic, Sam gives his take on what it means for digital transformation trends, and a glimpse into what we may expect for Tech Leader Awards 2023. Recorded 12th May 2022, Singapore, 7am.

Sam Liew
President, Singapore Computer Society; Managing Partner, Government Strategic Business Group, NCS Group.

Sam is Managing Partner, Government Strategic Business Group at NCS. He leads NCS’ government portfolio, which includes Public Service, Defence and Homeland Security. In addition, Sam is also driving expansion efforts to propel NCS as the go-to digital catalyst for governments and smart cities across Asia Pacific.

Sam currently serves as Board Director on the Gardens by the Bay Board. Sam also sits on the Board of Singapore Management University’s (SMU) School of Computing and Information Systems and Singapore Polytechnic’s School of Computing. In addition, he serves as Council Member on Enterprise Singapore’s IT Standards Committee. He has been conferred a Fellow by SCS.

Prior to NCS, Sam was the Managing Director of GIC. He was Director, Technology Group, and also headed GIC’s Business Partner and Solutions Division. Sam was responsible for delivering GIC’s Technology, Data Analytics, and Data Science projects and initiatives. Before GIC, Sam was Managing Director at Accenture ASEAN Technology. He also led Accenture’s Asia Pacific Communications Centre of Excellence, delivering business solutions across Asia. He was also a member of Accenture’s Global Technology Leadership Council and ASEAN Geographical Leadership Council.

The Top Women in Security ASEAN Region Awards follow similar initiatives in India, as well as Africa, Europe and Canada, and form part of a global campaign by the Women in Security & Resilience Alliance (WISECRA). This initiative is open to all ASEAN countries following a very successful 2021 awards and the Top Women in Security Awards held during 2020 in Singapore, Malaysia and Philippines.

We have gathered unique industry partnership arrangements, bringing together key chapters of premier, global security industry associations and professional women in security groups in Singapore, Malaysia, Indonesia, Philippines, Thailand and including the ASEAN Region Women in Security Network. We thank them for their support.

Nominees must be women with more than three years of experience in the security industry, be that in cybersecurity, electronics, physical, protective and management roles. Self-nominations are welcome.

Thank you for the nominations, keep spreading the word!

Finalists and Winners will be notified by mid-July.

Selected from 49 Finalists!

Risk & Resilience

Electronic Security

Security Training or Educator

Security Researcher

Young Professional Ambassador







Cyber Threat Hunting leveraging MITRE ATT&CK Framework – a Must for the Modern SOC. By Neha Dhyani


Threat hunting is a proactive cyber defense activity, focused on the pursuit of attacks and the evidence that attackers leave behind when they’re conducting reconnaissance, attacking with advanced malware, or exfiltrating critical data. Rather than just relying on reactive information or hoping that SOC (Security Operation Center) tools flag and alert on the suspicious activity, a threat hunter applies human analytical capacity and an understanding of the environment’s context to more quickly determine when an unauthorized incident happens. Threat hunting allows attacks to be discovered during their early phase, with the goal of stopping them before adversaries can carry out their attack objectives. While skill and experience definitely help, the ever-changing landscape of threat actors, and their sophistication, requires the threat hunter to take a well-organized approach and follow an open framework that structures a methodical hunt based on updated TTPs (tactics, techniques, and procedures) of top global threat actors.

Simplifying SOC Complexity with an evolving threat landscape

As per the Gartner Board of Directors Survey 2022, 88% of respondents viewed cybersecurity-related risk as a business risk, not just a technology risk, and 51% of respondents had experienced a cyber-security risk incident in the past two years. By getting ready for the inevitable breach, rather than expecting that it will always be prevented, organizations with a modern SOC with threat hunting capabilities can deliver a better security posture and set the foundation for their team to proactively hunt for advanced threats. As per the VMware Global Incident Response Threat Report (2021), respondents indicated that targeted victims now experience integrity and destructive attacks more than 50% of the time. As per the report, more than 60% of respondents reported ransomware attacks during the past 12 months, and these attacks are becoming increasingly malicious. This escalation stems from adversaries implementing multistage campaigns involving penetration, persistence, data theft, and extortion. These stats prove that attacks are becoming more stealthy, destructive, and targeted, leveraging advanced techniques. As per IBM’s Cost of a Data Breach Report 2021, it took an average of 287 days to identify and contain a data breach. On average, it takes organizations more than 7 months to detect a malicious attack and another 81 days to contain it. And the average cost of a breach lasting more than 200 days is $4.87 million, which means that every second counts. Attacks that caused the most damage and are toughest to detect and prevent include Advanced Persistent Threats (APTs) that are carried out during prolonged dwell times. Cyber threat hunting is particularly needed in battling APTs that start with an initial undetected compromise, and then build out long-term multi-phase attacks. The SolarWinds attack disclosed in 2020 is a known and famous example of an APT. The SANS 2021 Threat Hunting Survey report indicates steady improvement in organizations’ overall security posture as a result of threat hunting. According to the report, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. Looking at the yearly trends since 2019, it appears that organizations improve their security posture by approximately 25% as a result of performing threat hunting. Overall, this brilliant result highlights the positive impact that threat hunting can have on organizations. Effective threat hunting relies on a mindset and a methodical framework that allows the security analyst to think like a threat actor, and then use that understanding to determine what clues to look for that might indicate an attack underway.

Making Threat Hunting Effective & Efficient with MITRE ATT&CK Framework

Threat hunters rely on the MITRE ATT&CK framework, which guides them to think through each stage of a potential attack and then determine the evidence to search for. MITRE ATT&CK is a globally accessible knowledge base that incorporates an exhaustive list of offensive TTPs based on real-world observations, which hunt teams can draw from when constructing hypotheses. TTPs are behaviours, methods, or patterns of activity used by a threat actor or group of threat actors. Cyber threat hunters start each hunt activity with a simple question: what is it that we are looking for? Since the ATT&CK framework is a complete list of all presently known post-compromise behaviours, it has answers to that question. The framework guides SOC teams on which cyber threat groups to watch out for, which specific techniques, platforms, data sources or software programs might be used to target your SOC environment, and how to detect early and mitigate against the adversarial techniques described in the framework. The MITRE ATT&CK framework can be used to discover potential threats and identify areas of risk and improvement in the SOC environment. It provides a detailed catalogue of which data sources should be examined when investigating the possibility that a particular tactic or technique has been used in an environment. It can be used to assess how effective an organization’s SOC is at detecting, analysing, and responding to security breaches. A modern SOC should leverage the ATT&CK framework to increase the efficacy of its threat hunting program and look for a wider set of evidence by hunting for adversarial TTPs rather than specific signatures. With superior information available on adversary groups/threat actors, the techniques they’re likely to use and how they will behave once they gain access to the target network, SOC teams can harden their defense and make targeted improvements to threat detection/prevention systems. Thus, threat hunting leveraging the ATT&CK framework increases the likelihood of containing and preventing a threat, thereby strengthening the security posture of an organization.

About the Author: Neha Dhyani is Senior Security Consultant at Nokia Solutions & Networks with more than 15 years of proven expertise across domains including telecom security (5G/4G), Cloud Security, Next-gen SOC Security, EDR/XDR, Threat Hunting, Container security and Advanced Threat Analytics. She is an Australian Computer Society (ACS) Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials.
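As an added example for the hunting approach described in the article above (not code from the author, Nokia or MITRE), the following Python sketch expresses one hunt as an ATT&CK technique with its data sources and a behavioural hypothesis, runs it over constructed process-creation telemetry, and contrasts it with a hash signature lookup that misses the same events. The technique ID and data-source names are real ATT&CK values; the telemetry, hashes and hunt schema are constructed for the example.

```python
# Constructed example: a TTP-level hunt next to a signature lookup, organised by ATT&CK.
# Not the author's or MITRE's code. T1059.001 (PowerShell) and the two data-source
# names are real ATT&CK values; every event, hash and hostname below is made up.
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """One 'Process: Process Creation' record (constructed schema)."""
    host: str
    parent: str
    image: str
    cmdline: str
    sha256: str          # placeholder string, not a real file hash


@dataclass(frozen=True)
class Hunt:
    technique_id: str                       # ATT&CK technique the hypothesis maps to
    hypothesis: str                         # the question the hunt is asking
    data_sources: tuple[str, ...]           # ATT&CK data sources the hunt needs
    predicate: Callable[[ProcessEvent], bool]


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = (" -enc", " -encodedcommand", " -e ")


def office_spawns_encoded_powershell(ev: ProcessEvent) -> bool:
    """Behavioural check: a document handler starts PowerShell with an encoded command."""
    cmd = ev.cmdline.lower()
    return (ev.parent.lower() in OFFICE_PARENTS
            and ev.image.lower() in POWERSHELL_IMAGES
            and any(flag in cmd for flag in ENCODED_FLAGS))


HUNTS = [
    Hunt("T1059.001",
         "Office application launches PowerShell with an encoded command",
         ("Process: Process Creation", "Command: Command Execution"),
         office_spawns_encoded_powershell),
]

# Constructed sample telemetry. "QQBCAEMA" is base64 for the harmless string "ABC".
TELEMETRY = [
    ProcessEvent("ws01", "explorer.exe", "powershell.exe",
                 "powershell -NoProfile Get-Date", "HASH-A"),
    ProcessEvent("ws02", "winword.exe", "powershell.exe",
                 "powershell -w hidden -enc QQBCAEMA", "HASH-A"),
    ProcessEvent("ws03", "excel.exe", "pwsh.exe",
                 "pwsh -encodedcommand QQBCAEMA", "HASH-B"),
]

# A stale indicator list: the binaries above are legitimate, so nothing matches.
KNOWN_BAD_HASHES = {"HASH-Z"}


def signature_hunt(events: Iterable[ProcessEvent]) -> list[ProcessEvent]:
    """Signature-style lookup: only events whose file hash is already known bad."""
    return [ev for ev in events if ev.sha256 in KNOWN_BAD_HASHES]


def run_hunt(hunt: Hunt, events: Iterable[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (technique_id, host) for every event matching the hypothesis."""
    return [(hunt.technique_id, ev.host) for ev in events if hunt.predicate(ev)]


def coverage(hunts: Iterable[Hunt], available_sources: Iterable[str]) -> dict[str, bool]:
    """Which hunts can actually run on the data sources the SOC collects."""
    have = set(available_sources)
    return {h.technique_id: set(h.data_sources) <= have for h in hunts}


if __name__ == "__main__":
    print("signature hits :", [ev.host for ev in signature_hunt(TELEMETRY)])
    for hunt in HUNTS:
        print(f"{hunt.technique_id} hits:", run_hunt(hunt, TELEMETRY))
    print("coverage:", coverage(HUNTS, ["Process: Process Creation"]))
```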



Is Australia finally coming to grips with the Cyber Threat? By Jason Duerden, Regional Director, Australia and New Zealand, SentinelOne


Last month, Australia appointed Clare O’Neil as Federal Minister for Cyber Security. This is the first time Australia has ever had a dedicated minister for cybersecurity, and it highlights a trend of cybersecurity measures taken by the Australian government dating back to the beginning of this decade. In 2020, the government announced a $1.67B investment as part of the country’s Cyber Security Strategy 2020, which was intended to uplift the security and resilience of Australia's critical infrastructure. A year later, in 2021, the government turned its attention to upgrading the Essential Eight, a set of cybersecurity mitigation strategies intended to protect enterprises and organizations against all types of cyberthreats. The new version includes maturity levels, advising organizations and enterprises of appropriate cyber countermeasures based on their organization's size and cybersecurity needs. Australia has made significant strides to upgrade its cybersecurity posture since it initially published the Essential Eight in 2017, but it hasn’t progressed enough to keep critical industries safe. The Australian Cyber Security Centre reported a 13% year-over-year increase in cybercrime during the 2020-21 fiscal year. In the same period, a new data breach was reported every 8 minutes, with financial losses totaling over AU$33B. This is a staggering figure for our country.


Even though it may seem that we’re losing the war, it’s important to acknowledge the government’s attempts to drive improvements in the Australian security posture as a whole. These are all positive steps for a country that once considered cybercrime an IT problem. However, for Australians to truly feel cyber-safe, the steps we've seen to date must be viewed as the first steps in a long-term prevention and mitigation campaign.

Stricter Reporting Means Higher Standards of Security Mandatory cybersecurity reporting is an essential regulation in much of the world. The European Union and the United States have mandatory incident reporting within 72 hours of an incident, while India recently enacted a 6-hour mandatory reporting window. In 2018, Australia mandated reporting for cyber breaches for companies with an annual turnover of more than $3M and specific industries, such as health service providers. The law is a good start but, unfortunately, doesn't go far enough. The only cyber attacks that require reporting are those where the breach is "likely to result in serious harm" to individuals. Cyberattacks that don't involve data breaches that are a risk to individuals do not need to be reported.


Furthermore, the Australian Bureau of Statistics reported that in 2020-21, 93% of businesses had a turnover of less than $2M. Clearly, only a fraction of companies within the country reach the $3M annual turnover threshold. Reporting mandates are vital to a country's cybersecurity posture because they require businesses and organizations to implement advanced cybersecurity tools, such as Extended Detection and Response (XDR), to proactively monitor systems for breaches. Security teams need to be able to discern between false positives and actual attacks, quickly investigate breaches, and have the tools necessary to gather data and submit reports. Many Australian companies currently lack these capabilities and use legacy tools that are inadequate to respond quickly to cyber intrusions. Demanding reporting compliance will motivate them to upgrade their security posture to tools like XDR and take cyber threats more seriously.

Develop Cyber Education Programs for Business Small businesses frequently feel immune to cyber threats. They believe their relative obscurity keeps them floating safely beneath the radar of threat actors. Unfortunately, we have seen this is not the case. A 2021 study by Cisco found that 65% of Australian SMBs were victims of a cyber incident within the last 12 months, and two out of three say the incident cost their business $645K or more. Threat actors target small businesses for several reasons. SMBs lack sophisticated cybersecurity protections and are easy to attack. While ransomware payments and the value of the data is lower than that of a large corporation, smaller enterprises give threat actors a playground to practice. Additionally, while SMBs may not be an attractive target on their own, the relationships small businesses have with larger companies could provide a backdoor to a larger enterprise. The Australian Cyber Security Centre needs to prioritize cyber-education for these businesses. By creating a series of educational programs, short videos, webinars, and brochures, they can use SMBs to raise the floor of cyber protections and mitigations across the country.

Promote Cybersecurity Diversity As of 2018, only 25% of the Australian cybersecurity workforce was female, and even fewer were First Nations Australians. The Australian government can increase the talent pool by encouraging more women and First Nations Australians to view cybersecurity as a career choice. Appointing Clare O'Neil as the first Federal Minister of Cyber Security was an inspired choice and one that should drive more women and First Nations Australians into the field. Coupled with industry mentorship programs, university scholarships, and flexible work arrangements, Australia has the potential to become one of the first countries with an equal number of male and female cybersecurity professionals.

It’s Time to Make the Essential Eight Truly Essential The Essential Eight is Australia’s cybersecurity mitigation strategy playbook. It is mandatory for non-corporate Commonwealth entities, but private enterprises of all sizes are not required to adhere to these recommendations. Initially published in 2017, the Essential Eight is a set of mitigation strategies intended to protect enterprises and organizations against all types of cyberthreats. These guidelines were designed to set a foundation for cyber security controls. Together with the maturity models, they offer guidance for any business trying to stay safe. They help prevent attacks through application control, patching applications, configurations, and application hardening. Companies that implement all eight strategies may limit damage from attacks through restricted administrative privileges, patching operating systems, and requiring multifactor authentication. Regular backups form the third prong of the Essential Eight as part of data recovery. However, even the updated version of the Essential Eight is little more than a good baseline that offers a compliance checklist. To take the next step and develop into a risk management framework, it needs to follow the lead of the U.S. government and mandate accepted cybersecurity tools like Endpoint Detection and Response (EDR) and zero trust networks. If Australia is ready to take its cybersecurity to the next level, upgrading the Essential Eight and turning it into an official regulation for all businesses would be a substantial step.

Leading the Asia Pacific Region Australia has made some significant strides over the last few years. It is leading the way in the Asia Pacific region and has taken actions demonstrating that it is ready to fight cybercrime. However, the country is still lagging behind North America and Europe in cyber-readiness and regulation. If Australia wants to be a truly safe environment for its businesses and citizens, it must continue raising the security bar for its enterprises and SMBs by driving improvement in security posture. Unfortunately, taking history as a guide, the mass adoption of change only takes place when it becomes law. Australian organisations can benefit from a more aggressive adoption of new cybersecurity technologies like XDR and AI automation, which enable them to replace siloed security and address cybersecurity challenges from a unified standpoint. Today’s cyber attackers move fast. Fast enough that even some next-generation benchmarks like the 1-10-60 rule have become obsolete models for effective detection, investigation, and response. True XDR allows faster, deeper, and more effective threat detection and response than legacy EDR, collecting and collating data from a wider range of sources.



Three cybersecurity lessons we can learn (or re-learn) from the history of industrial control systems attacks By Matt Hubbard, Director, Market Intelligence, Armis


From the time engineers started building industrial control systems (ICS), bad actors have looked for and found ways into them. While the motivations for ICS attacks are timeless—espionage, sabotage, ransom, and even revenge—ICS cyber security threats have evolved to adapt to new technologies and security practices. The history of attacks is an interesting topic, especially as you wrestle with how to secure new technologies and stay ahead of threats. A document like the U.S. Department of Energy’s 2018 history of ICS attacks gives security, IT, and operational technology (OT) teams plenty of examples to study, with a timeline stretching from 1903 through the 21st century. I’ve picked out three incidents to show how industries have learned to deal with ICS cyber attacks over the decades and what we still need to keep in mind when securing ICS devices, data, and systems.

Lesson 1: Your ICS is only as secure as your most vulnerable third-party provider

In 2014, attackers repurposed Havex malware, a remote access trojan (RAT) that initially targeted the energy industry, to go after ICS manufacturers and their customers. The known targets included ICS software manufacturers and at least one industrial camera vendor. In addition to sending RAT code through spam and exploit kits, the retooled Havex malware went a step further. It infected the software downloads that ICS/SCADA manufacturers made available to their customers “in an attempt to infect the computers where the software is installed.” The security researchers who discovered the campaign noted that the content of the malicious code suggested that beyond data theft and espionage, the attackers may have been planning remote ICS hardware takeovers. Although it was novel at the time, remote takeovers where attackers tamper with critical infrastructure systems are a rising concern. ICS security lessons learned: Your ICS is only as secure as your least-secure vendor, so you need to have ongoing discussions about how security affects your relationship. Also, monitor device traffic continuously to quickly detect and respond to data exfiltration.

Lesson 2: Identify and monitor every device in your environment

One of the most extensive and damaging ICS attacks on record was the December 2015 shutdown of the electrical grid in and around Kyiv, Ukraine that left more than 225,000 people without power. In a detailed analysis of the incident, Booz Allen Hamilton identified 17 steps the attackers took to infiltrate ICS systems, disrupt industrial processes, and destroy data. Among those steps were:

• Perimeter device scanning and identification as part of infrastructure reconnaissance
• RAT malware delivery through phishing emails targeting Microsoft Office users at electricity distributors
• RAT installation and execution to establish communication between attackers and target networks
• Credential harvesting, internal network snooping, and new network target identification
• ICS network control access
• Malicious firmware creation
• Electrical outage scheduling
• Outage execution, including breaker tripping and cutoff of field device connections
• Call center DoS attack and power cutoff to telephone communication and data servers
• Destruction of critical system data

The Booz Allen Hamilton report, like many cybersecurity analyses, concluded that the grid attack was state-sponsored, most likely by Russia. Today, state-sponsored cyberattacks are on the rise; attackers hit more than 20 U.S. targets in Q1 2020 alone, so the lessons of the Ukraine attack merit careful study. ICS security lessons learned: Develop a clear, complete picture of your environment, including assets, networks, devices, and expected patterns of communication so you can understand your risk profile. Continuous monitoring for activity and threat detection are critical to spotting malicious internal activity early. Also, maintain and update segmentation and firewalls to limit intruder damage.

Lesson 3: Real-time patches, updates, and alerts are table stakes for ICS cybersecurity

When a wave of SamSam ransomware attacks swept across the U.S. in 2018, the media focused on the cities whose data and services were disrupted. But these attacks also targeted critical infrastructure, including the Port of San Diego, in a foreshadowing of the ongoing attacks on shipping and port organizations in 2021. SamSam, like the Ukraine attack, appears to have been state-sponsored with the goal of disrupting critical operations. CISA described the mode of attack as a combination of remote desktop protocol exploitation to enter and persist in target networks, via stolen credentials or brute-force attacks, followed by privilege escalation and malware execution. The attackers used relatively simple means, such as attachments in phishing emails, to “infect victims with minimal detection.” ICS security lessons learned: Deploy OS and application patches and updates for all devices in the environment as close to real time as is practical, especially for RDP systems and virtual machines. Endpoint identification, assessment, and monitoring are also critical (automation can help). Also, as with the grid-attack example above, real-time environment activity monitoring and alerts must be a priority.

Choose an ICS security solution that’s built to pass the tests of time

Every year, ICS cybersecurity threats grow increasingly sophisticated. Be prepared for whatever new attack methods evolve with a comprehensive device security solution that identifies every device in your environment. One that includes vendor and remote devices, monitors those devices for vulnerabilities and risks, alerts your team to threats, and finally automates and streamlines integrated device management. For more information on Armis please visit
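Lessons 1 and 2 both come down to the same defensive mechanic: know which devices exist, which conversations between them are expected, and how much data normally moves, then alert on anything outside that picture. The following is an added example of that baseline-and-deviation check; it is not code from the article or from Armis. It assumes flow records of the form (source, destination, destination port, bytes sent), as exported from a passive tap or firewall logs, and every address and byte count below is constructed.

```python
"""Baseline-and-deviation check over OT network flow records.

Added example (not from the article or from Armis). It assumes flow records
of the form (source, destination, destination port, bytes sent), as you would
export from a passive tap or firewall logs; every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    bytes_out: int


# Constructed "known-good" window: HMI, historian and engineering workstation
# talking to one PLC (10.10.2.10) over Modbus/TCP (502) and EtherNet/IP (44818).
BASELINE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", 502, 4096),      # HMI polling the PLC
    Flow("10.10.1.20", "10.10.2.10", 502, 8192),     # historian collecting tags
    Flow("10.10.1.30", "10.10.2.10", 44818, 2048),   # engineering workstation
]

# Constructed later window containing three kinds of deviation.
OBSERVED_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", 502, 4000),           # normal HMI traffic
    Flow("10.10.1.30", "10.10.2.10", 502, 1500),          # known hosts, new protocol
    Flow("10.10.1.99", "10.10.2.10", 502, 3000),          # device never seen before
    Flow("10.10.1.20", "10.10.2.10", 502, 200_000),       # about 25x the historian's peak
    Flow("10.10.1.5", "203.0.113.7", 443, 50_000_000),    # HMI sending 50 MB to an outside host
]


def build_baseline(flows):
    """Learn which devices exist, which (src, dst, port) conversations occur
    and the largest transfer seen per conversation during the good window."""
    allowed = set()
    devices = set()
    peak = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.port)
        allowed.add(key)
        devices.update((f.src, f.dst))
        peak[key] = max(peak[key], f.bytes_out)
    return allowed, devices, dict(peak)


def find_deviations(baseline, flows, volume_factor=10):
    """Return (finding, flow) pairs. Checks run from most to least severe:
    an unknown device, then a conversation never seen before, then a volume
    spike on a known conversation (the classic data-exfiltration signal)."""
    allowed, devices, peak = baseline
    findings = []
    for f in flows:
        key = (f.src, f.dst, f.port)
        if f.src not in devices or f.dst not in devices:
            findings.append(("unknown-device", f))
        elif key not in allowed:
            findings.append(("new-conversation", f))
        elif f.bytes_out > peak[key] * volume_factor:
            findings.append(("volume-anomaly", f))
    return findings


def run_example():
    """Kinds of deviation found in OBSERVED_FLOWS, in observation order."""
    baseline = build_baseline(BASELINE_FLOWS)
    return [kind for kind, _ in find_deviations(baseline, OBSERVED_FLOWS)]


if __name__ == "__main__":
    for kind, flow in find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"{kind:16} {flow.src} -> {flow.dst}:{flow.port} ({flow.bytes_out} bytes)")
```

In practice the baseline window is learned from weeks of traffic rather than three records, and the volume factor is tuned per conversation; the point of the ordering is that an unknown host or an unexpected outbound destination is worth an alert regardless of how little it sends.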



Breaking the ransomware business model By Dale Heath Head of Solutions Engineering, Rubrik A/NZ


Almost every week another ransomware attack hits the headlines, and each week seems more concerning than the last. Gone are the days of malicious payloads being delivered in poorly-written spam mails. Today, attackers are taking a ‘hub-and-spoke’ approach to inflict the most damage, against the widest number of victims, with the least effort possible. By weaponising the trust enterprises place in the service providers within their ecosystem, attackers continually thwart perimeter, endpoint, and application-layer security defences, gaining access to the data of hundreds – if not thousands – of businesses in one fell swoop. With any inbound communication potentially posing a threat to Australian enterprises, a ‘zero trust’ approach ensures critical data is always protected and can be rapidly recovered following an attack. It is clear the ‘trust but verify’ approach to data protection is no longer adequate and businesses must rethink their protection and ransomware recovery plans.

Zero Trust Data Management

The traditional approach to cybersecurity has been to adopt a fortress mentality, focusing on preventative measures and perimeter defences. This assumes 100% of attacks can be stopped ‘at the border’ while also assuming anything ‘inside the border’ can be trusted. Enterprises have been investing in such measures for decades, yet still attackers are able to thwart them time and time again. This demands a rethink. While perimeter security still has its place, organisations need to consider how they can make their data resilient when an attacker breaches those defences – this is the core of a zero trust approach to security. Developed by the National Institute of Standards and Technology (NIST), zero trust is defined as “an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources.” Consider the physical security of a bank branch as an example. Its doors might include heavy locks, complemented with CCTV, alarms, and security guards. But once past these defences, are cash and gold left strewn in a storage room? No. They’re locked away in heavy safes. This is the heart of a zero trust model. It assumes everyone is a bad actor and you can only grant access to approved, safe members. The ‘crown jewels’ of every business today is its data, and that data must be protected in a similar way.

Security at the point of data

For any victim of ransomware, recovery – without being forced to pay multi-million-dollar ransoms – comes down to the quality of its backups. Ransomware attacks are evolving all the time but there’s one recent development that is particularly concerning. Attackers have begun targeting backup data to make recovery even harder. Having secure, immutable, and air-gapped data copies ruins the entire ransomware business model because it allows a business to restart operations from a ‘save point’ prior to the infection. Hackers understand this, so by also encrypting backup data, the victim is more likely to have to pay the ransom. The Australian Cyber Security Centre recommends organisations make copies of their critical data at least daily to ensure operations can restart quickly following a ransomware attack. The more frequently data is backed up, the more rapidly you can recover without having to pay attackers the ransom – which recent research suggests is AUD$1.25 million on average. This ability to rapidly recover operations from secure data copies is the best ransomware counter-measure businesses have at their disposal. Consider the experience of Queensland-based Langs Building Supplies. The business was hit with ransomware one morning, with the malware quickly encrypting hundreds of thousands of files. Despite the extent of the attack, Langs was able to completely restart its operations from its immutable backups within just an hour. Rather than face days, weeks, or even months offline struggling to recover its systems – along with the need for expensive cybersecurity consultants and forensic specialists to support remediation – Langs’ business was back operating at 100% capacity before lunchtime on the same day. Data security solutions, like those Langs relied on, are the core of a zero trust approach. Because these copies of critical data can’t be modified by anything other than approved applications, and because they’re natively air-gapped (meaning the data can’t be accessed through standard internet links), backups can be relied upon to rapidly restore business operations following an attack. With a zero trust approach to data security, every user, every application, and every device is treated as untrustworthy. By only providing the minimum level of access needed to perform an approved task, and assuming an attacker has already infiltrated the network, trust can no longer be exploited.
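The ‘save point’ logic described above has three ingredients: the copy must predate the infection, it must have been written under an immutability lock so the attacker could not alter it, and its contents must still match what was recorded when it was written. The following is an added example of choosing a restore point on those rules; it is not code from the article or from Rubrik. It assumes a backup catalogue that records a timestamp, a lock flag and a SHA-256 digest per snapshot; the snapshots, the in-memory ‘object store’ and the compromise time are all constructed.

```python
"""Choosing a clean, immutable restore point after a ransomware incident.

Added example, not from the article or from Rubrik. It assumes a backup
catalogue that records, for each snapshot, when it was taken, whether it was
written under a retention lock, and the SHA-256 of its contents; the snapshots
and the 'object store' below are constructed in memory.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime
    sha256: str    # digest recorded in the catalogue when the snapshot was written
    locked: bool   # True if written under a retention (immutability) lock


STORE = {}  # constructed stand-in for the backup object store: id -> bytes


def _record(snapshot_id, taken_at, data, locked):
    """Write a constructed snapshot and return its catalogue entry."""
    STORE[snapshot_id] = data
    return Snapshot(snapshot_id, taken_at, hashlib.sha256(data).hexdigest(), locked)


CATALOGUE = [
    _record("snap-01", datetime(2022, 5, 9, 2, 0, tzinfo=UTC), b"ledger v1", True),
    _record("snap-02", datetime(2022, 5, 10, 2, 0, tzinfo=UTC), b"ledger v2", True),
    _record("snap-03", datetime(2022, 5, 11, 2, 0, tzinfo=UTC), b"ledger v3", False),
    _record("snap-04", datetime(2022, 5, 12, 2, 0, tzinfo=UTC), b"ledger v4", True),
    _record("snap-05", datetime(2022, 5, 13, 2, 0, tzinfo=UTC), b"ledger v5", True),
]
# Simulate one copy having been overwritten: its bytes no longer match the catalogue digest.
STORE["snap-04"] = b"\x00ENCRYPTED\x00"
# First known-bad activity, as established by incident response (constructed).
COMPROMISE_TIME = datetime(2022, 5, 12, 9, 30, tzinfo=UTC)


def choose_restore_point(catalogue, compromise_time, store):
    """Newest snapshot that (a) was written under a retention lock, (b) predates
    the compromise, and (c) still hashes to the digest recorded at write time.
    Returns None if no such snapshot exists."""
    candidates = sorted(
        (s for s in catalogue if s.locked and s.taken_at < compromise_time),
        key=lambda s: s.taken_at,
        reverse=True,
    )
    for snap in candidates:
        data = store.get(snap.snapshot_id)
        if data is not None and hashlib.sha256(data).hexdigest() == snap.sha256:
            return snap
    return None


def data_loss_window_hours(snapshot, compromise_time):
    """Hours of changes lost between the chosen restore point and the compromise."""
    return (compromise_time - snapshot.taken_at) / timedelta(hours=1)


def run_example():
    """Returns (snapshot id to restore from, hours of data lost)."""
    snap = choose_restore_point(CATALOGUE, COMPROMISE_TIME, STORE)
    return snap.snapshot_id, data_loss_window_hours(snap, COMPROMISE_TIME)


if __name__ == "__main__":
    print(run_example())
```

Walking the constructed catalogue: snap-05 is newer than the compromise, snap-04 is locked but fails its digest check, snap-03 was never locked, so the selection falls back to snap-02 and the business loses the 55.5 hours of changes since it. That arithmetic is the argument for the ACSC’s ‘at least daily’ guidance: the data-loss window is bounded by the backup interval, not by how fast the restore runs.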


Is the new security legislation enough to protect our critical infrastructure? By Geoff Schomburgk, Vice President for Asia Pacific & Japan, Yubico


Energy, utilities, oil, gas and telecommunications are increasingly under cyber attack from nation-states, cybercriminals and hacktivists seeking to cause security and economic disruption. The 2020 Colonial Pipeline attack was a wake-up call, proving just how vulnerable these critical infrastructure companies are to modern cybercriminals: a single compromised password resulted in a ransomware attack. Have Australian* companies in the critical infrastructure sector done enough to protect themselves in the two years since then?

Widespread regulatory change The Colonial Pipeline attack was a pivotal point, triggering widespread regulatory change across the globe and in March 2022 the United States Senate approved new cybersecurity legislation that will force critical infrastructure organisations to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). Based on evolving intelligence, President Biden recently urged critical infrastructure owners and operators that the Russian Government was exploring options for potential cyberattacks so they must “accelerate efforts to lock their digital doors.” Whilst, in Australia, the recent revisions to the Security Legislation Amendment (Critical Infrastructure) Act 2021 represent one element of the Government’s response to the growing cyber threats faced by Australian critical infrastructure organisations.


The increasing threats were backed up by the findings in the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report published in September 2021, which found that cyber-attacks are increasingly severe and frequent, at a rate of one attack every eight minutes. Of increasing concern is that the report revealed approximately a quarter of cyber incidents reported to the ACSC in the 2020-21 financial year were associated with Australia’s critical infrastructure or essential services. In passing the 2021 Security of Critical Infrastructure (SOCI) Act, Australia joins other leading global economies in implementing a regulatory regime to protect its core critical infrastructure assets from cyberattacks. Whereas previously the SOCI Act only covered specific assets in the electricity, gas, water and maritime/ports sectors, the Act now expands the coverage to encompass eleven sectors, including higher education, communications, healthcare, water and sewerage, space technology, food and grocery, defence, data storage and transport. Following consultation, this bill was split in two so that critical aspects of the bill could be progressed whilst other aspects of the bill could be the subject of further debate between government and industry. The 2021 Bill, which widened the scope of application of the Act, introduced further reporting requirements and provided additional powers to the Commonwealth, was passed and became law on 2 December 2021.

New powers to seize control

The second tranche of the new, controversial legislation introduced in February 2022 includes last-resort powers for the Australian Signals Directorate, empowering it to install and maintain computer software to allow it to take control of serious cyber security incidents that impact the ability of Australia’s critical infrastructure assets to deliver essential services. Failing to comply with an action direction can result in a penalty of two years imprisonment and/or a fine of $26,640, or $133,200 if the entity is a corporation.

Mandatory reporting of cyber incidents

The Act introduces new requirements for companies responsible for “critical infrastructure assets” to report cyber security incidents impacting them to the Australian Signals Directorate (ASD). This aims to provide intelligence about cyber security risks to critical infrastructure and to enable proactive and reactive cyber defence strategies. There are two levels of reporting: critical cyber security incidents and other cyber security incidents. Failing to comply with the reporting obligations can result in a fine of $11,100 per breach, or $55,500 if it is a corporation.

Image caption: Youngsville, NC, United States. Yellow tape marks empty pumps at a deserted gas station. Fuel reserves in NC were depleted after the Colonial Pipeline was shut down in a cyber attack.

Critical Infrastructure Risk Management Program

On 10 February 2022, the second phase of the SOCI legislation was introduced to Federal Parliament as a Bill, which proposes to introduce obligations on entities to establish a critical infrastructure risk management plan (CIRMP) for critical infrastructure assets and to increase cyber security obligations for “systems of national significance”. Currently, however, there are no specifics around how this program will work and no deadline has been given for it to be implemented. The consultation process with the industry for the proposed introduction of the risk management program is currently underway. The Government has completed its first-phase consultation for the electricity and water and sewerage sectors, and consultation with the remaining nine critical sectors is expected to be completed by August 2022. We all know that prevention is better than a cure, but with the somewhat vague guidance offered to date to the newer organisations in the critical infrastructure sector, many will do the absolute minimum to achieve compliance with a deadline that keeps shifting.

Strong US response

The US government seems to have taken stronger, tangible action by strengthening its legislation with respect to the cybersecurity of its critical infrastructure companies, by implementing mandates for zero trust and phishing-resistant Multi-Factor Authentication (MFA).

Legacy authentication is increasing risks for our critical infrastructure

With the gaps in this updated SOCI legislation and the lack of outcomes from the previous Australian Cyber Security Strategy launched in 2020, Australian critical infrastructure organisations are being offered little guidance and few practical actions to implement in their businesses to improve their cybersecurity protection. For instance, an essential element of a Zero Trust strategy was stated by the Australian Government in this initiative as phishing-resistant MFA. Implementing MFA can be a strong first line of defence to protect against modern cyber threats. However, legacy authentication such as usernames and passwords is still widely relied on and can be easily hacked, whilst mobile-based authentication such as texts, one-time codes, and push notifications is highly susceptible to modern phishing attacks, malware, SIM swaps and man-in-the-middle attacks. With the average cost of a data breach across the energy sector alone being AU$6.47 million, it’s imperative that Australian critical infrastructure organisations adopt modern phishing-resistant MFA to secure critical IT and OT infrastructures while ensuring compliance with the new legislation.

*Source - Gilbert & Tobin



Let’s kill the passwords for good By Vinoth Venkatesan


After years of teasing hints that a password-less future is just around the corner, you’re probably not feeling any closer to that digital liberation. Ten years into working on the issue, though, the FIDO Alliance, an industry association that works explicitly on secure authentication, thinks it has finally identified the missing piece of the puzzle. The alliance said it has finally developed a mechanism that will be able to replace passwords as the primary form of authentication for the first time. FIDO has a long-standing connection to authentication innovation, being responsible for the USB hardware-based auth keys and part of the W3C that issued the WebAuthn security specification. The primary concept that FIDO believes will ultimately solve the new-device issue is for operating systems to implement a “FIDO credential” manager, which is somewhat similar to a built-in password manager. Instead of storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your biometric or passcode lock. Unfortunately, security implementations with extra bits (like USB auth keys) break what FIDO said is a crucial rule in consumer products. To that end, FIDO announced, in collaboration with W3C, a new version of WebAuthn that will support the password-less world (eventually!).

FIDO’s vision for a password-less future

FIDO is looking to leverage the mobile devices that are already in people’s hands for a password-less future. A smartphone is something that end-users typically have, and virtually all consumer-focused two-factor authentication already uses the user’s smartphone. FIDO mentions Apple’s adoption of “Passkeys,” which uses iOS biometrics and iCloud Keychain to verify identities, as one example of its proposal. Passkeys can authenticate users without a password for supported apps, and this is one of the proven password-less authentication options already in use. The alliance also pointed out that prevailing multi-factor methods like One Time Passwords (OTP) are prone to phishing, since a user can be tricked into entering the code on a malicious site. According to FIDO, the framework for password-less authentication relies heavily on mobile devices and the underlying security of the operating system. Another crucial component of the proposal is Bluetooth, which would turn devices into roaming authenticators, used as a proximity login protocol. It is not a surprise considering FIDO’s previous work in this area. Bluetooth is used in two scenarios in this deployment: 1) proximity-based authentication and 2) authenticating a new device, so the option of sharing a password is eliminated when switching to a new smartphone. FIDO clarifies that the whitepaper detailing its proposal does not change its standards. Instead, it’s a change expected from authenticator vendors to make things easy in their implementation. The paper also recognises that FIDO’s proposal wouldn’t necessarily boost security to AAL3 levels, but said it would still be an improvement over plain passwords or phishable second factors. Whether this is the death knell for passwords is something only time will confirm. After almost a decade of work, people indeed seek relief from passwords.
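Both this article and the preceding one on critical infrastructure rest on the same property: a FIDO/WebAuthn assertion is bound to the web origin that requested it, which is what makes it phishing-resistant, whereas a one-time code carries no information about where the user typed it. The following is an added example of that difference from the relying party’s side; it is not code from either article, from the FIDO Alliance or from Yubico. The relying party ID and origin are assumed, and the one simplification is that HMAC over a constructed device secret stands in for the authenticator’s asymmetric signature; the order of checks is the one WebAuthn prescribes.

```python
"""Why an origin-bound WebAuthn assertion cannot be relayed from a look-alike
site, while a one-time code can.

Added example, not from the article, the FIDO Alliance or Yubico. The relying
party (RP) and its ID are assumed; HMAC with a constructed device secret stands
in for the authenticator's asymmetric signature (the only simplification).
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ID = "bank.example"                          # assumed relying party ID
RP_ORIGIN = "https://bank.example"              # the only origin the RP accepts
DEVICE_KEY = b"constructed-authenticator-secret"  # stand-in for the private key


def _rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(challenge, page_origin, rp_id):
    """Model of browser + authenticator. The browser refuses unless the page's
    host is the RP ID or a subdomain of it, and it, not the user, writes the
    origin into clientDataJSON. Returns None when the browser refuses."""
    host = urlparse(page_origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data = _rp_id_hash(rp_id) + b"\x01"   # rpIdHash || flags (user present)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()  # stand-in
    return client_data, auth_data, signature


def rp_verify_assertion(expected_challenge, client_data, auth_data, signature):
    """Relying-party checks in WebAuthn order: type, challenge, origin,
    rpIdHash, then the signature. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != _rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected = hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def rp_verify_otp(expected_code, submitted_code):
    """An OTP check has nothing tying the code to where the user typed it."""
    return hmac.compare_digest(expected_code, submitted_code)


def legitimate_login():
    """The genuine site asks the browser for an assertion and the RP accepts it."""
    challenge = "YW5vdGhlci1jaGFsbGVuZ2U"  # constructed
    cd, ad, sig = browser_get_assertion(challenge, RP_ORIGIN, RP_ID)
    return rp_verify_assertion(challenge, cd, ad, sig)


def compare_relay_resistance(lookalike_origin="https://bank-login.example"):
    """A look-alike page forwards the RP's real challenge (or the user's OTP).
    The OTP is accepted; the browser never produces a WebAuthn assertion for
    the wrong origin, and even a forged one naming that origin is rejected
    before the signature is looked at."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"       # constructed
    otp_accepted = rp_verify_otp("492817", "492817")  # typed on the look-alike
    assertion = browser_get_assertion(challenge, lookalike_origin, RP_ID)
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": lookalike_origin}, sort_keys=True).encode()
    auth_data = _rp_id_hash(RP_ID) + b"\x01"
    forged_sig = hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(forged).digest(),
                          hashlib.sha256).digest()
    return {
        "otp_accepted": otp_accepted,
        "browser_produced_assertion": assertion is not None,
        "forged_assertion": rp_verify_assertion(challenge, forged, auth_data, forged_sig),
    }
```

The two layers matter together: the browser’s RP ID check stops the assertion being created on the wrong site, and the relying party’s own origin check catches anything that bypasses the browser. An OTP verifier has neither layer, which is the concrete reason the articles call SMS and app codes phishable.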

About the Author: Vinoth is a cybersecurity professional by heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.




Inspecting the future of ransomware threats with Vectra’s CTO By Oliver Tavakoli Vectra Chief Technology Officer

In the last few years businesses and security leaders have been zeroing in on how to better manage and secure cloud infrastructure amidst a wave of change, as enterprise cyberattacks evolve and proliferate. Recent studies have revealed that 80% of Australian organisations were hit with ransomware in 2021, up from 45% in 2020. Vectra’s own research found that 57% of ANZ respondents feel it is possible or likely they have been breached whilst being unaware it is happening, 75% have experienced a significant security event that required an incident response effort, and 9% are not fully confident their security tools would protect against sophisticated attacks. As CTO for Vectra, a big part of my focus is the future, creating ‘thought experiments’ to determine the best ways to protect our critical data and systems. With planes back in the skies, I was delighted to be speaking at the Australian Cyber Conference this month to discuss and debate some of these so-called ‘experiments’ with others in the industry. Ransomware remains as significant a topic of debate among cybersecurity professionals in Australia as it does elsewhere in Europe and the US. The other consistent issue is related to supply chain attacks, including traditional on-premises products as well as services delivered via the cloud. Within Australia, migration to cloud and SaaS, and the inability to source experienced talent that understands the security implications of clouds, are also connected issues. There is real tension between businesses wanting to go agile through cloud adoption, and security teams trying to gain visibility and implement security in those environments. In a perfect world, that tension is resolved in a balanced manner, but we don’t live in a perfect world and often the business imperative to rapidly roll out new services outstrips the ability of organisations to do so securely.

The problem with cloud

Not so long ago, on-premise networks were wide open to attackers and so this has been our focus. Now, employee traffic is predominantly accessing applications across the internet, so we need to be looking at logs in cloud platforms such as Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP), cloud identity systems such as Azure AD and Okta, and collaboration applications such as Microsoft 365 and Google Workspace. Highlighting how businesses are being inundated with cyber criminals looking to capitalise on vulnerabilities, the Australian Cyber Security Centre (ACSC) reported it received one cybercrime report every eight minutes over the 12 months to June 30, 2021. On top of this, the ACSC stated that Australia experienced a 13% jump in cybercrime over the year, with about one incident in four targeting critical infrastructure and services, as working from home during the pandemic made more people vulnerable to online attacks. A common story is that the pandemic drove businesses to move into multi or hybrid cloud setups, not through a grand strategy but because of a pressing need. Services such as Microsoft 365 or ecommerce platforms were implemented quickly, without consideration for how this impacted infrastructure or security. On top of this, different business units or departments often evolved in different directions, adding layers of complexity. Now we find ourselves at a point of reckoning, where we must understand the reality of the situation and how to fix it.

Ransomware in the cloud

We know that as customers’ valuable data moves to the cloud, so will ransomware. We are asking questions such as, what does the combination of cloud and ransomware look like, how quickly will attackers become cloud-capable, and what measures should we take now? This was the focus of my presentation at the Australian Cyber Conference in Canberra and many of the surrounding conversations. Highlighting the early harbingers that exist, I looked at how we can protect ourselves against ransomware in cloud systems, and why this is substantially different to the defensive measures required for on-premise. By discussing such issues, I hope to encourage CISOs to bridge the worlds of security and business so investments can be prioritised and our infrastructure can be protected.

The move to cloud has left gateways for attackers to leverage and gain a point of entry, and they are beginning to take full advantage of this. On-prem, if a cybercriminal wants to encrypt a business’s data, they must go through the laborious exercise of connecting to a server, pulling all data across the network, encrypting it and writing it back to the server – and finally deleting the original copy. Ransomware operators try to get their hooks into as many places as possible, and encrypt as much as possible, to be successful. In the cloud, ransomware operators can leverage the server-side encryption provided in the cloud platforms, allowing them to encrypt data much faster and without heavy lifting.

Looking forward

At Vectra, we look at a cloud like AWS or Azure as having two different attack surfaces. There's the traditional attack surface where attackers go through the network to attack a workload running in the cloud, escape the workload, and then steal data. And there's the management plane or the control plane of a cloud platform, which represents a more potent and less well-understood set of controls. Recognising this, Vectra has solutions to cover both attack surfaces. We work to protect customers being attacked from the network, and we work to protect businesses being attacked at the control plane of their tenant in a cloud. The inbound initial vector can be incredibly complex and varied, but once it lands and establishes some foothold in the environment, we help the business find and stop the incursion before it does actual damage.
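The observation that cloud ransomware can lean on the platform’s own server-side encryption has a direct defensive corollary: the control-plane audit log records every change of encryption key, so the tell-tale sequence (a bucket’s default key switched to a key the organisation does not own, a burst of objects rewritten under that key, and the organisation’s own key scheduled for deletion) is detectable from logs the platform already produces. The following is an added example of that detection logic; it is not code from the article or from Vectra. The events are constructed and use a simplified CloudTrail-like shape (eventSource, eventName, calling principal and a flattened requestParameters), and the account ID and key ARNs are placeholders.

```python
"""Detecting ransomware-style misuse of a cloud platform's own server-side
encryption from control-plane audit events.

Added example, not from the article or from Vectra. The events are constructed
and use a simplified CloudTrail-like shape; the account ID and key ARNs are
placeholders. Three rules: a bucket's default encryption switched to a key
outside the organisation, a burst of object writes encrypted under such a key,
and destruction scheduled for one of the organisation's own keys.
"""
from collections import Counter

ORG_ACCOUNT = "111122223333"                                               # placeholder
ORG_KEY = f"arn:aws:kms:ap-southeast-2:{ORG_ACCOUNT}:key/org-data-key"     # placeholder
FOREIGN_KEY = "arn:aws:kms:ap-southeast-2:999999999999:key/unknown-key"    # placeholder

EVENTS = [  # constructed, in time order
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "principal": "app-role",
     "requestParameters": {"bucketName": "finance-data", "key": "q1.csv", "kmsKeyId": ORG_KEY}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption", "principal": "ops-user",
     "requestParameters": {"bucketName": "finance-data", "kmsKeyId": FOREIGN_KEY}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject", "principal": "ops-user",
     "requestParameters": {"bucketName": "finance-data", "key": "q1.csv", "kmsKeyId": FOREIGN_KEY}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject", "principal": "ops-user",
     "requestParameters": {"bucketName": "finance-data", "key": "q2.csv", "kmsKeyId": FOREIGN_KEY}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject", "principal": "ops-user",
     "requestParameters": {"bucketName": "finance-data", "key": "q3.csv", "kmsKeyId": FOREIGN_KEY}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "principal": "ops-user",
     "requestParameters": {"keyId": ORG_KEY, "pendingWindowInDays": 7}},
]


def key_owner_account(key_arn):
    """Account ID embedded in a KMS key ARN, or None for anything else."""
    parts = (key_arn or "").split(":")
    if len(parts) >= 6 and parts[:3] == ["arn", "aws", "kms"]:
        return parts[4]
    return None


def is_foreign_key(key_arn):
    """A key whose owning account is not ours: we cannot decrypt under it."""
    owner = key_owner_account(key_arn)
    return owner is not None and owner != ORG_ACCOUNT


def analyse(events, burst_threshold=3):
    """Return (rule, principal, detail) findings for the constructed rules."""
    findings = []
    foreign_writes = Counter()
    for ev in events:
        name = ev["eventName"]
        params = ev.get("requestParameters", {})
        if name == "PutBucketEncryption" and is_foreign_key(params.get("kmsKeyId")):
            findings.append(("bucket-default-key-changed", ev["principal"], params["bucketName"]))
        elif name in ("PutObject", "CopyObject") and is_foreign_key(params.get("kmsKeyId")):
            foreign_writes[(ev["principal"], params["bucketName"])] += 1
        elif name in ("ScheduleKeyDeletion", "DisableKey") and \
                key_owner_account(params.get("keyId")) == ORG_ACCOUNT:
            findings.append(("org-key-destruction", ev["principal"], params["keyId"]))
    # Object-level writes are only interesting in bulk: one re-keyed object is noise,
    # a burst from one principal against one bucket is the re-encryption pattern.
    for (principal, bucket), n in foreign_writes.items():
        if n >= burst_threshold:
            findings.append(("mass-reencrypt", principal, f"{bucket} ({n} objects)"))
    return findings


def run_example():
    """Rule names triggered by EVENTS, in the order they are raised."""
    return [rule for rule, _, _ in analyse(EVENTS)]


if __name__ == "__main__":
    for rule, principal, detail in analyse(EVENTS):
        print(f"{rule:27} {principal:10} {detail}")
```

Two design choices are worth noting. Ownership is decided from the key ARN’s account field rather than an allow-list of key IDs, so a freshly created key in an unknown account is caught without maintaining a list; and the object-write rule aggregates per principal and bucket before alerting, which keeps a single legitimate cross-account copy from paging anyone while still surfacing the burst.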

About the Author Oliver Tavakoli is Chief Technology Officer at Vectra. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business. He is a technologist with experience managing larger (100+ member) teams, but with a bias towards leading small teams of smart technical individuals. His specialties include networking architectures, systems software design, computer security principles, organisational design.





Oliver Tavakoli Chief Technology Officer at Vectra

Oliver Tavakoli is Chief Technology Officer at Vectra. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career. Oliver will be visiting Australia at the end of May and discussing how ransomware will be coming to a cloud near you. Oliver points to this concept as a thought experiment on what to expect next. Ransomware and software supply chain attacks have dominated the cybersecurity news feeds and have certainly also captured the attention of mainstream media. While supply chain attacks have already shown a clear appreciation for target organisations’ cloud footprints and have leveraged that understanding to pull off some of the more impressive attacks, almost all ransomware attacks have continued to focus primarily on traditional on-premise IT estates. This is because the tools to attack these environments (Metasploit, Cobalt Strike, Bloodhound, etc.) have been available for more than a decade, many hackers have great familiarity with these tools, and there continue to be many organisations whose environments are insufficiently hardened to withstand an attack by a moderately skilled adversary.



EPISODE 325 – REDEFINING DEFENCES – SHIFTING TO CLOUD AND DIGITAL OUTSOURCING – TRENDS AND OBSERVATIONS

Two trends will drive ransomware to the cloud: 1. the inexorable movement of most data of value to the cloud (in this context, “cloud” is intended to cover both SaaS-delivered applications like Office 365 and public clouds like AWS and Azure) and 2. the gradual availability of tools (for example Rhino Security Labs Pacu) to attack clouds and hackers’ increased familiarity with them. This presentation will discuss what this combination of ransomware and cloud is likely to look like. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business. Oliver joined Juniper as a result of its acquisition of Funk Software, where he was CTO and better known as developer #1 for Steel-Belted Radius. Prior to joining Funk Software, Oliver co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent Machines and IBM.



Intelligence International 2022
23–26 October 2022, Sofitel Melbourne on Collins, Melbourne, Australia

The Australian Institute of Professional Intelligence Officers (AIPIO) is aligning with like-minded partners*, particularly throughout the Five Eyes community, to bring together the first International Intelligence Conference of its type.

Ethics • Partnerships • Capability

Featuring Senator Vernon White and Emerald Sage. Sessions include:
• The Beneficial Outcomes of Collaboration
• Circumventing Sanctions: Using OSINT to Identify Illicit Hizballah Procurement Networks
• Biased policing? Intelligence and its role in delivering fair and equitable outcomes

Why attend this conference?
• Hear from over 45 international industry leaders and subject matter experts
• Grow your network of like-minded industry professionals from the Five Eyes
• Enhance your capabilities with over 15 dedicated skills-building and professional development sessions
• Participate and collaborate in robust discussion with your intelligence peers through live Q&A
• Develop new techniques and tools
• Access sessions on demand post event

Intelligence International 2022 provides a unique event for intelligence managers, leaders and practitioners to generate new ideas, discover successful strategies and learn the processes that are driving the future. It delivers the insight, opportunity and connections we need to build a bigger, stronger and more versatile intelligence focus in our organisation.

Registrations are NOW OPEN

Intelligence International 2022 Registration Fees (all prices in Australian dollars and inclusive of GST): Early Bird rates apply prior to 22 July 2022 and Full rates from 22 July 2022. In-person rates are listed for Non-Members, AIPIO Members/Partners*/Affiliates^ and Students, with Day Only registration available for AIPIO Members/Partners*/Affiliates^; an Attend Online option is also offered.

* Partner Member Associations include IAFIE, IALEIA, ACIA, NZIIP, CAIS-ACER and CAPIA.
^ An Affiliate Organisation must be a representative of an organisation directly associated with AIPIO.

Who should attend? This conference is relevant to intelligence leaders, managers and practitioners alike. Whether you are from law enforcement, business, regulatory, security, finance, academia or any other domain of intelligence practice, this conference is for you.

Student Scholarships: Sycon Security Consultants are providing five Student Scholarships for Intelligence International 2022. To find out more or to apply, please visit the conference website.

To find out more or to register, scan the QR code or visit the conference website. We invite you to stay in touch with the AIPIO community and follow us on Twitter (@aipio) or the hashtag #intelintelligence2022 for conference-related tweets. Connect with like-minded intelligence professionals via LinkedIn and stay in touch with news regarding the Conference and new developments.









Open source stalkerware detector TinyCheck By Vinoth Venkatesan

What is Stalkerware? Stalkerware is hidden software that enables one person to spy on another through their devices, and it is often used to monitor and control an intimate partner. According to Kaspersky, stalkerware usage on mobile devices rose 18% year on year in the META (Middle East, Turkey and Africa) region alone. Stalkerware includes keystroke loggers, location-monitoring apps, invasive email and text readers, and remote-access features that can take control of your webcam and microphone.

How to identify whether your device is running Stalkerware Although spying apps try to hide themselves, most reveal their presence in one way or another. Below are some essential things to watch for on your device(s):
• Mobile data is running out quicker than expected.
• The battery is dying faster than usual.
• The device turns on geolocation, Wi-Fi, or mobile data even though you turned them off.
If you see most of these signs on your device, follow the steps below for your device type to investigate further.
Apple — Read about iOS permissions on Apple’s website and ensure each app is configured correctly.
Android — Check which apps have access to Accessibility (Settings -> Accessibility). Accessibility is one of the most potentially dangerous permissions in Android: the Accessibility permission allows an app to snoop on other apps, alter settings and do many other things on the user’s behalf, which makes it very convenient for spyware. Give that kind of access to your antivirus utility, but nothing else.
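The Settings -> Accessibility check above can also be scripted when the phone is connected over USB. The example below is added here and is not from the article or the TinyCheck project: it parses the value that `adb shell settings get secure enabled_accessibility_services` prints (a colon-separated list of package/ServiceClass entries, or "null" when nothing is enabled) and flags every enabled service whose package is not on a short allowlist. The allowlisted package name and the sample output are assumptions constructed for the example.

```python
"""Flag unexpected Android accessibility services (added example)."""
from __future__ import annotations

# Assumption: the only app you deliberately granted Accessibility access to.
ALLOWED_PACKAGES = {"com.example.antivirus"}

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# prints; both package names are made up for this example.
SAMPLE_OUTPUT = (
    "com.example.antivirus/com.example.antivirus.A11yService:"
    "com.sys.update/.MonitorService"
)


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, service_class) pairs.

    Handles the empty/"null" value and the ".RelativeClass" shorthand
    Android allows for a class inside the service's own package.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for entry in raw.split(":"):
        if not entry:
            continue
        package, _, service = entry.partition("/")
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def unexpected_services(raw: str, allowed=ALLOWED_PACKAGES) -> list[str]:
    """Enabled services whose package is not on the allowlist."""
    return [
        f"{package}/{service}"
        for package, service in parse_enabled_services(raw)
        if package not in allowed
    ]


if __name__ == "__main__":
    for hit in unexpected_services(SAMPLE_OUTPUT):
        print("Review this accessibility service:", hit)
```

A hit is not proof of stalkerware, but any accessibility service you cannot account for deserves the same scrutiny the article recommends for the Settings screen.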

TinyCheck — The next step in Stalkerware detection TinyCheck is an open-source initiative from Kaspersky. It lets you easily capture the network communications of a smartphone, or of any device connected to its Wi-Fi access point, and analyse them quickly. TinyCheck checks whether any suspicious or malicious communication is leaving the mobile device, using heuristics or specific Indicators of Compromise (IoCs). Because it works on the network traffic rather than on the device itself, it can also spot malicious communications from implants ranging from cybercrime tools to state-sponsored ones. It also lets the user push extended Indicators of Compromise via a backend to “detect ghosts over the wire”.

Steps to Make it Work Before installing TinyCheck, you need: a Raspberry Pi running Raspberry Pi OS, or any computer with a Debian-like system; two functional Wi-Fi interfaces; and a working internet connection. Then head to the TinyCheck GitHub page to download it and follow the installation instructions. Once installed, the operating system will reboot, and you’re all set to use TinyCheck. Post-installation, TinyCheck can be accessed at http://tinycheck.local, a web interface that guides the user through network capture and reporting. It lets the user connect TinyCheck to an existing Wi-Fi network, creates a transient Wi-Fi network for the device under test, captures its communications, and shows a report to the user in less than one minute.
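To make the two detection ideas above concrete, the following example is added here; it is not TinyCheck’s own code. It runs IoC matching (exact domain, parent-domain and IP matches) and one behavioural heuristic (regular check-in intervals, the kind of beaconing an implant produces even when it is on no IoC list yet) over a constructed flow summary of the sort you would derive from a capture taken on the TinyCheck access point. The hostnames, IP addresses (reserved documentation ranges), timings and IoC lists are all made up for the example.

```python
"""Network-side stalkerware triage over captured flows (added example)."""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since capture start,
# hostname from DNS/SNI or None, destination IP, destination port).
SAMPLE_FLOWS = [
    (0, "www.example.com", "192.0.2.10", 443),
    (7, "api.example.org", "192.0.2.20", 443),
    (10, "updates.example-unknown.test", "198.51.100.7", 443),
    (60, "sync.tracker.example-stalker.test", "203.0.113.9", 443),
    (95, "www.example.com", "192.0.2.10", 443),
    (103, "img.example.com", "192.0.2.11", 443),
    (120, "sync.tracker.example-stalker.test", "203.0.113.9", 443),
    (180, "sync.tracker.example-stalker.test", "203.0.113.9", 443),
    (240, "sync.tracker.example-stalker.test", "203.0.113.9", 443),
    (300, "sync.tracker.example-stalker.test", "203.0.113.9", 443),
    (310, "updates.example-unknown.test", "198.51.100.7", 443),
    (400, None, "203.0.113.45", 8080),          # direct-to-IP, no name
    (612, "updates.example-unknown.test", "198.51.100.7", 443),
    (908, "updates.example-unknown.test", "198.51.100.7", 443),
    (1205, "updates.example-unknown.test", "198.51.100.7", 443),
]

# Hypothetical IoC feed, the kind of list an analyst would push to a backend.
IOC_DOMAINS = {"tracker.example-stalker.test", "cnc.example-implant.test"}
IOC_IPS = {"203.0.113.45"}


def domain_hits_ioc(host, iocs=IOC_DOMAINS):
    """True if host equals an IoC domain or is a subdomain of one."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def ioc_matches(flows):
    """Flows whose destination hostname or IP is on the IoC lists."""
    return [f for f in flows if domain_hits_ioc(f[1]) or f[2] in IOC_IPS]


def beaconing_destinations(flows, min_connections=4, max_jitter=0.15):
    """Destinations contacted at near-regular intervals.

    Flows are grouped by destination (hostname, or IP when unnamed); a
    destination is flagged when the coefficient of variation of the gaps
    between its connections is at most max_jitter. Returns {dest: period_s}.
    """
    by_dest = defaultdict(list)
    for ts, host, ip, _port in flows:
        by_dest[host or ip].append(ts)
    flagged = {}
    for dest, times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[dest] = round(avg, 1)
    return flagged


def triage(flows):
    """Combine both signals into one report for the analyst."""
    return {
        "ioc_destinations": sorted({f[1] or f[2] for f in ioc_matches(flows)}),
        "beaconing": beaconing_destinations(flows),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS)
    for dest in report["ioc_destinations"]:
        print("IoC match:", dest)
    for dest, period in report["beaconing"].items():
        print(f"Regular check-in every ~{period}s:", dest)
```

The two signals are complementary: the tracker subdomain is caught by the parent-domain IoC, the direct-to-IP flow by the IP IoC, while the unknown "updates" host is flagged only because it checks in roughly every five minutes. Ordinary browsing to example.com is irregular and stays below the threshold.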



Security culture - does your organisation have it? By Matt Hanmer Managing Director of Infoblox, Australia and New Zealand


With 63% of Australian respondents citing phishing as the biggest attack vector, human error still seems to be the weakest link in the security landscape. So what can we do about it? We can only build the defences against cyberattacks so high, and as technology is ultimately there to serve humans, there is always going to be the vulnerability of human behaviour that technology can’t overcome. With this in mind, I believe organisations need to adopt a new ‘culture of security’ to prevent human error, and organisational culture must play a critical role in an organisation’s security and protection.

As most already know, organisational culture is hugely important to a business’s success. Work culture is the collection of values, expectations, and practices that guide and inform the actions of all team members at any given time: a collection of traits that make an organisation what it is, all the way down to its DNA. I believe it’s time to include security in that set of values, expectations, and practices, and ensure that a ‘security culture’ is baked into organisations at the most fundamental level. Team members need to know that through their actions they are protecting not only themselves but the organisation as a whole.

So, what would be the pillars of a security culture? I believe there are six pillars that organisations must consider when building a protective culture to augment and accompany their existing cybersecurity protection, protocols, and plans.

1. Frame of mind: Employees must have the correct frame of mind when it comes to security. Do they understand the risks to themselves and others, and do they want to do what is best for the company? What do they believe their obligations are in this area?
2. Impact: Team members need to be aware of the real impact of not fulfilling their obligations. Do they know that even the smallest actions can have a huge impact on both their professional and personal information?
3. Awareness: What is their understanding and awareness of the specific cyberthreats that the organisation faces, and how does this shape their view of their responsibilities and obligations?
4. Knowledge: Employees must know why they must take the precautions and follow the protocols that they do.
5. Internal communication: It’s up to the organisation to communicate this to the team, and this communication must be effective. It can’t be left up to employees to learn while they are already doing their job. Protocols, risks, security policies, suspicious links, passwords, and other skills must be taught effectively.
6. Rules: Organisations need a set of rules that each team member must follow to demonstrate a culture of security. These must be easy to understand and remember, at all times.

Behaviour is key. Much of a security culture ultimately comes down to behaviour and ensuring that there is a change from risky security behaviours to safer best practice. Poor security behaviours include badly chosen passwords, sharing passwords and reusing passwords elsewhere; discovering a security problem and assuming someone else will fix it, so doing nothing about it; accessing suspicious websites; opening an attachment from an untrusted source; and not updating software when required to. 58% of Australian respondents in a recent survey reported experiencing up to five IT security incidents in the past year. The plethora of security incidents highlights a need for organisations to leverage a defence-in-depth strategy that protects every avenue and shores up weak spots in their networks. While most organisations use anti-virus for computers and a SIEM to consolidate security event alerts, they could better defend their infrastructure by layering in DDI (DNS, DHCP and IP address management) metadata, something they already have from the DDI systems that connect devices on the network, to enhance visibility into network activity. With more than 90% of malware touching DNS on the way into and out of the corporate network, organisations could also invest in a DNS security solution that uses high-quality, aggregated and curated threat intelligence to help prevent users from accessing fraudulent domains or communicating with command-and-control sites. This preventive measure is especially helpful with many employees working remotely at least part-time. As cyber crime evolves, organisations need to continue layering defences to protect corporate assets. For more information on Infoblox, please visit


Zero-trust approaches in digital transformation & cloud adoption


Returning to Melbourne on July 13, the latest Cyber Risk Meetup focused on the Zero Trust approach, cloud adoption, and the challenges and learning opportunities from some of Victoria’s leading CISOs. Jamie Rossato (pictured), Information Security Director at Lion, delivered the keynote and set the landscape of today’s digital transformation journey and challenges. We then heard from an esteemed panel for a very active discussion with plenty of audience engagement on issues of privacy, confidentiality and availability and the challenges of balancing the demands and risks of each. Special thanks to the panel (pictured R-L): Shane Moffitt, Deputy CISO, Victorian Government; Helaine Leggat, MD, ICT Legal Consulting; Mardi Griffiths, CISO, Swinburne University of Technology; and Jamie Rossato; moderated by event host Shamane Tan, Chief Growth Officer with Sekuro and Cyber Risk Meetup Founder.

Special thanks to the sponsors Illumio and Rubrik, and to Dragos for hosting the event at their new Melbourne offices. Cyber Risk Meetups are supported by MySecurity Media and Sekuro. Well done also to Professor Matt Warren of RMIT University for capturing the door prize, a copy of Shamane Tan’s latest book, Cyber Mayday.



Is today’s cyber security meeting CISO demands?

By Guy Matthews, Editor of NetReporter



The world of cybersecurity is akin to a giant iceberg – vast, complex, ever-changing, multi-faceted. Of its various facets, one in particular has the power to keep enterprise security professionals awake at night, and that’s the critical intersection that straddles the networking world and the cybersecurity world. This nexus is not only a major pressure point for the hard-pressed CISO, it is the object of much effort and investment in the security vendor community. It has also been the subject of much scrutiny on the part of Mauricio Sanchez, Research Director, Network Security & SASE/SD-WAN with independent research firm Dell’Oro Group. He visualises the market for network security as divided between product types that have been around for a while, and newer technologies designed to address more contemporary challenges: “In the former category we have things like firewalls, email security and secure web gateways,” he says. “Some of these are now delivered as platforms in the cloud. And on the application and delivery and security side, closer to the data center, are things like web application firewalls and application delivery controllers. Then bringing together enterprise networking and security we have SD-WAN and what I call the great convergence of SASE.”

Sanchez sees a number of market forces and trends influencing developments in these areas, perhaps the most glaring being the pandemic: “We've seen a huge increase in incidents, whether that be ransomware or denial of service attacks,” he notes. “It seems that the hacker community is taking advantage of the current situation. I think hybrid work is a second market force that has resulted in an upheaval of enterprise IT and the rise of the remote workforce. Then there’s the shift to everything being online. The need to reach out to your customer with a digital experience has really motivated enterprises to up their game and invest, but in doing so they also open themselves up to a new set of security implications.”

Figure 1: Network security trends

The cybersecurity landscape of the last 20 years has, argues Sanchez, been a story of fragmentation. Now he sees evidence of some consolidation, with large vendors getting larger and looking to grab the entire CISO cybersecurity spend. “Another phenomenon we have noted is a shift from hardware to cloud-delivered network security,” he says. “Moving on from an age of hub and spoke and hardware deployed at each physical point, we now have a new breed of security vendors delivering their value exclusively through the cloud. There is no hardware to buy, just a contract to sign and you're off to the races.”

CR Srinivasan is Executive Vice President, Cloud & Security Business with global carrier brand Tata Communications, and has additional responsibility as the company’s Chief Information Security Officer and Chief Information Officer. He has noted a number of large trends that are influencing the shape of the cybersecurity market: “There’s remote work, and virtual ‘work from anywhere’,” he notes. “A distributed workforce is now the norm. We’ve also seen many enterprises pushing for their processes to become digital, a trend that accelerated during the pandemic. There was demand to increase the number of processes that were part of the digital transformation drive. Then of course there’s the move to cloud, which has also been accelerated with more and more workloads moving in that direction. All of this is putting pressure on network security.” He additionally sees enterprises being challenged more and more by their customers: “Those customers are looking for new capabilities, and at a faster pace than before. Businesses must keep up with market expectations, and compete effectively. This means becoming a lot more dynamic and composable, more flexible in what they do. And along with all of this, digital trust is becoming more important.”

Dr Ronald Layton, Vice President, Converged Security Operations with Sallie Mae Bank, knows a thing or two about digital trust. Prior to Sallie Mae, he was acting assistant director in the United States Secret Service with a variety of responsibilities, including an assignment to President Obama which saw him put in charge of the day-to-day operations and long-term strategy of presidential information systems. He’s also a former Deputy Director of the National Cybersecurity Division, and Program Director of the Electronic Crimes Task Force. He describes himself as ‘the guy with a geek hat and a pistol’. “As cyber risk professionals, we continue to embrace human behavior and try to wrap security blankets around it,” he says. “I see security as being about three Cs. Human beings are curious, we want convenience and we want to be comfortable, and so all of these things provide challenges in the security environment. As risk professionals, we have to continue to evolve and respond to these things.” Given the current climate of raised risk, what should a CISO or a risk executive be doing? Dr Layton’s advice is foremost to push towards a SASE environment, and towards the notion of Zero Trust: “It’s about how do we, as risk professionals, adjust to these human behaviors, to make sure that we're still operating in a secure environment,” he concludes.

So just what is the nature of all this risk? Ryan Hammer, Chief Information Security Officer with vendor Ciena, is responsible for the overall strategy and execution of the company’s enterprise and product security functions. He points to statistics that indicate that an unpatched machine with Internet connectivity can now measure its survival in minutes, perhaps hours, but certainly not weeks or months. “With some of the kinetic warfare activity that's occurring, we’ve seen governance loosened,” he believes. “The Internet is starting to feel more like a free fire warzone than just a rough neighborhood. Certain sectors are being hit much harder than others. But with a pervasive and porous perimeter, with machines and people all over the world working at various different hours connecting to a wide range of infrastructure, that makes it much more difficult for us to manage without some of these additional technologies. It's a very rapidly changing landscape for sure, and the deck is often stacked against us as CISOs. It's the old adage that the threat actor only has to be successful once and we have to be successful every time.”

Figure 2: Cloud-delivered security

With Zero Trust one of the best answers to all this increased risk, it’s useful to hear from John Kindervag, SVP, Cybersecurity Strategy with managed security services player ON2IT. He formerly spent eight years at analyst firm Forrester, where he invented the concept of Zero Trust. He pinpoints the ransomware trend as one of the great modern cybersecurity evils: “When people started to insure for ransomware, that ended up increasing the number of ransomware attacks,” he says. “It’s just like when life insurance was invented, there was a rash of murders. The invention of cyber insurance has created a surge of attacks which at the end of the day means that when CISOs want to innovate, they need to think what that really means.”

Given current conditions, Ben de Bont, Chief Information Security Officer, ServiceNow, sees his role as a threefold one: “It’s about protecting our company and our customers on the one hand, second it is to provide trust, transparency and assurance to our customers, many of whom represent the most regulated or critical infrastructure globally. The third part is using our own security products, testing them out, providing feedback to our product division.”

So with the cyber climate as it is, what are vendors of security solutions doing to help? How can they better come to the aid of the CISO? “If you look at the vendor landscape there are probably 50 to 100 vendors who are all doing different things,” believes Srinivasan of Tata Communications. “Some of them are specializing in a very small area, and some claim to do many things under a framework but may not have equal capability or equal depth in each one of those areas. I think there's a lot of help that's needed in the areas we’ve discussed.” Hammer of Ciena is in agreement: “I'll add that there's lots of acronyms in security, but to me that’s just a reminder that it's important to have a focus on the basics,” he observes. “It’s one thing to be focussing on your AI DevSecOps strategy, but really we need to focus on the fundamentals and make sure that those are rock solid.”

Kindervag of ON2IT steps in to remind those who are suffering from terminology confusion and tech overload that Zero Trust should be regarded as a strategy and not a technology: “When you take a strategic approach, you can change the whole game,” he notes. “When I joined Forrester in 2008, I wanted to bring strategy to cybersecurity because most people get confused between strategy and tactics. They say they're being strategic, but they're actually being tactical. Zero Trust is about protecting things, and if we don't understand what we're protecting then we're going to be completely unsuccessful.”

“A rule of thumb that I use is to tell security vendors what our requirements are for driving down risk, and not have them tell us what solutions they say we should be using,” interjects de Bont of ServiceNow. “We like to take a risk-based approach and look at what we actually want to achieve. And then we'll consider some products, rather than the other way around. It's a little surprising to me how many times it happens in reverse.”

When talking to the vendor community, CISOs might wonder exactly what gaps they need to address and where priorities truly lie. Rarely is anything straightforward in the information security world, and seldom do easy answers present themselves, reminds Hammer of Ciena: “It all moves so fast and changes so continually,” he comments. “We're constantly planning and checking to make sure that everything is in place. One important thing is being able to demonstrate that you have a commercially reasonable security program in place. It is also important that we remember that we are stewards of the security program for our company, and we're responsible for making sure that all the pieces are in place, and that we can comfortably demonstrate traceability between the things that we should be doing and the things that we are doing. Sometimes it’s about protecting the business, other times about protecting customer data, or access our partners, or intellectual property and securing our products.”

In a complex landscape, Srinivasan of Tata advocates a practical and pragmatic approach: “Look for a commercially viable security program and not something that you would ideally like to have,” he suggests. “Because there’s always a trade-off between what risk you're trying to protect against, and cost.”

Dr Layton of Sallie Mae Bank, the geek with the gun, concludes by advising the CISO to do what they can to take the element of human error out of risk: “Just make it hard for humans to do something that is just screwy. As a risk executive, what you're really trying to do is eliminate surprise, and to control your environment. You should never be ambushed by some exogenous factor that you did not make an account for. It’s about putting in all these trip wires so at least you have a better idea of what's coming.”



Multi-cloud networking - challenges and solutions By Guy Matthews, Editor of NetReporter


Multi-cloud networking really matters. It has evolved in short order to become a vital consideration for enterprises and organizations worldwide. In consequence, the likes of AWS, Google Cloud, Microsoft Azure, as well as many other platforms, have seen tremendous growth rates on a year-to-year basis. “This is because these clouds have become so important for the realization of enterprise digital transformation,” believes Brad Casemore, VP Research, Datacenter and Multi-cloud Networking with analyst firm IDC. “These platforms are not only destinations for workloads but are central to the redefinition of operating models for IT organizations. And all this has had a tremendous effect on the network, because we have moved from hosting applications in on-premise data centers to a distributed landscape that includes cloud and increasingly, as we move forward, edge environments.” The network, he says, has had to be modernized to meet all these changes: “It needs to be able to bring a degree of simplicity without a compromise on performance and security. It needs to offer elastic scale, as well as many cloud attributes in terms of being API-based and more software-defined. And it needs to do this across a more distributed and complex landscape than we've ever seen before.”

IDC conducted recent research into how certain types of application are affecting technology choices across the wide area network: “These are very important considerations for enterprise IT organizations and buyers,” notes Casemore. “Another aspect of this is applications access and the digital experience, the consumption side of things. You have to consider things like security, and latency, and applications performance. We're seeing a lot of work being done by SDN vendors to integrate with cloud transport networks. We're also seeing the way that cloud-native technology is changing the networking picture and making new demands on networks.” IDC foresees an impressive multi-cloud adoption growth rate through to 2026: “I see tremendous prospects, and it all speaks to the problems that enterprises are trying to solve with effective technology,” concludes Casemore.

Figure 1: Multi-cloud and WAN technology choices

To extend the dialogue, Casemore turns to a number of multi-cloud stakeholders, including Jim Brinksma, Chief Technology Officer with Megaport, a global network service provider with approximately 2,500 customers. He agrees that connectivity is key: “Without the right network connectivity, the overall cloud migration experience can really suffer,” he says. “Other obstacles include initial procedural efforts like creating your credentials plus the educational efforts that are associated with trying to understand the different naming conventions of the features and how they align. Then there’s understanding how network egress charges could impact your ability to distribute certain workloads. Networking is an enabler but there will always be little speed bumps that you'll have to go over as you're getting your feet wet and learning how to get into the networking game in a multi-cloud environment.”

It's relatively easy to get started with cloud migration, but the complexity soon exponentially increases, concurs Bryan Ashley, Vice President of Solutions Management & Marketing with Aviatrix, creator of a secure cloud networking platform for public cloud and edge use: “It’s about how to instantiate a framework or a landing zone that scales over time and supports massive amounts of workloads, and maintains consistent connectivity and redundancy as well as security and governance.”

Sreekanth Kannan, VP of Product Management & Marketing with Arrcus, a hyperscale networking and software company, says his company looks at the multi-cloud market as three different segments: “There’s the global 2000, the mid-market enterprise and the small enterprise,” he notes. “The bulk of it is mid-market enterprise and global enterprise, which have their own DevOps teams in IT teams. The way they normally start is with a hybrid cloud to see how well that goes. You need to provide an on ramp, because you cannot make it into a complete lift and shift. The first steps are baby steps - crawl, walk, run.”

Ashley of Aviatrix believes that multi-cloud challenges are made harder by a widening skills gap, with organisations often employing a lean team to try to figure a way past the various challenges: “Whether they are deploying single cloud or multi-cloud, inevitably they have to operationalize the thing. They often turn it over to some tier one people to run and make sure that everything is up.” Ashley recalls something his mother used to tell him: “It's all fun and games until someone loses an eye,” he says. “And the reality is that enterprises are starting to lose some eyes. It can be easy to get started, but soon things can get out of control. Businesses need to be able to put in some structure and develop a true strategy. They need to be able to operationalize it all. We’re all looking for ways to start to do things in a repeatable fashion, one that allows us to really have the control that we need.”

Ranga Rajagopalan is VP, Chief Architect with VMware, and his responsibility includes networking security and load balancing: “I believe the key is security,” he says. “Every organization is going to get breached or hacked. When that happens the question is how far and where did that spread? What applications got hacked? Do we have full visibility to contain the breach? And what do we do about it? Without good quality multi-cloud networking and security, the answer is you don't know. Perhaps after days or weeks and a lot of work you still don't know. As an industry, we have to provide the right solutions in a way that people can actually use without the need to get PhDs in every networking, security and application delivery technology.”

Kannan of Arrcus reminds the panel that it is still early days in most people’s multi-cloud journey: “Just think of the percentage of workloads that are actually in the cloud, versus distributed on-prem and other places,” he urges. “We haven't crossed the halfway mark. Yes, there are some organizations that are completely cloud native, that have decommissioned their data centers, but not many.”

Figure 2: The future of multi-cloud

Brinksma of Megaport concludes with a reminder that it is sometimes important to take a step back and truly understand what people are trying to achieve with multi-cloud: “That is probably the first thing you should be doing, and it can lead you in the right direction. Then it’s about things like automation, and being able to have the appropriate tooling, not only for Day Two but moving forward. That means having the ability to look at metrics across all the different clouds and be able to make those metrics actionable.” Wrapping up the discussion, IDC’s Casemore offers these thoughts: “Of the people IDC has spoken to about multi-cloud, many of them say ‘I didn't realize the network infrastructure implications of going hybrid and going multi-cloud and particularly of going up the stack to cloud-native’. But I think it's important to understand that if you have the right criteria in place, you can simplify this journey to a large extent.”

Australian Cyber Security Magazine | 49


DeFi and Cybersecurity: What the future holds? By Vinoth Venkatesan

What’s DeFi?
Decentralised finance refers to blockchain applications that cut intermediaries out of financial products and services such as loans, savings and swaps. It has its rewards but also carries plenty of risks. DeFi fundamentally uses blockchain technology to unlock value that traditional finance cannot. Rather than trusting a middleman like a bank or a fintech firm with their money, people trust “the code”.

DeFi Hacks
DeFi is still in its early stages but has multiplied over the past couple of years. The sector currently has over $108 billion in digital assets flowing through various projects, according to data from DeFi Llama. At the same time in 2020, that number was around $1 billion. Hackers have caught on just as quickly. Chainalysis’s report showed that seven of the ten largest crypto thefts from January 2021 to March 2022 involved DeFi protocols; just three targeted centralised exchanges. According to Chainalysis, more stolen funds flowed to DeFi platforms (51%) in 2021. Centralised exchanges, previously the top destination for stolen funds, have fallen out of favour of late, receiving less than 15% of the total. More centralised crypto exchanges now have anti-money laundering and KYC (Know Your Customer) processes, which threaten the anonymity of cybercriminals. Open-source DeFi platforms, on the other hand, actively shun these processes and avoid intermediaries, and are thus likely to remain the top target of crypto crooks for the foreseeable future. A list of these breaches and other fraud involving cryptocurrencies can be found in the Map of Security Breaches and Fraud Involving Crypto 2011-2021.

Where is it heading?
The recent DeFi hacks were carried out by attackers spotting vulnerabilities in protocols and smart contracts, especially flash loan protocols and cross-chain bridges. The rising tide of digital theft threatens confidence in cryptocurrency broadly and brings down regulators’ wrath on a still-nascent industry.


Since blockchain code is typically public, attackers can study it to spot vulnerabilities and manipulate the protocol to exploit them. The major shift in 2022 has been toward code exploits and flash loans, as opposed to the social engineering attacks of previous years. This explains why attackers no longer rely on many people falling for phishing scams but can instead attack the DeFi protocols directly.

Cross-chain bridges have become a target for attackers because their more extensive surface area allows for more attack vectors than a typical single blockchain. Bridges also typically have a smaller developer community, which means a smaller number of validator nodes must sign off before transactions are recognised. In the Axie Ronin bridge attack, only five of nine validator signatures were needed, an opportunity the hacker targeted.

As governments and regulators increase their focus on DeFi projects, DeFi companies need to move quickly to ensure that attackers don’t take advantage of open-source code. DeFi projects need to take a proactive, end-to-end approach to their security. This means having smart contract audits of every line of code, both before launch and any time the code is changed. Security measures include on-chain monitoring tools to protect smart contracts after deployment, and avoiding centralisation, another significant attack vector in 2021. Centralisation played a vital role in the Axie hack: the attacker managed to gain control of four Ronin validator nodes in one go through social engineering and gained access to another through a bug.

There is also a need for the community to come together, support each other, protect each other, and attempt to ward off these attackers, leveraging Web3’s community ethos. It will take a collective effort to secure the blockchain, and if the industry doesn’t provide it, Central Banks might step in.

About the Author
Vinoth is a cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.
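The Ronin figures above (five of nine validator signatures required, four of the keys under one operator) show why a k-of-n signing policy is only as strong as the number of independent parties behind the keys. The following Python example is added here to make that check concrete; it is not code from the article or from any bridge project. The validator key ids, operator names and key-to-operator mapping are constructed for illustration, and the same functions apply to any multi-signature wallet or signing quorum, not only to bridges.

```python
"""How many independent parties must be compromised to meet a signing threshold?

Added example, not code from the article or from any bridge project. A k-of-n
validator policy (five of nine in the case discussed) assumes each key is held
by a different party; when one operator runs several validators, the number of
independent compromises needed drops below k. Operator names, validator key ids
and the mapping below are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

THRESHOLD = 5  # signatures the bridge requires, as in the 5-of-9 policy above

# Constructed mapping: nine validator keys, but one operator holds four of them.
CONCENTRATED = {
    "val-1": "operator-A", "val-2": "operator-A",
    "val-3": "operator-A", "val-4": "operator-A",
    "val-5": "operator-B", "val-6": "operator-C", "val-7": "operator-D",
    "val-8": "operator-E", "val-9": "operator-F",
}

# The same policy with every key held by a different party.
INDEPENDENT = {f"val-{i}": f"operator-{i}" for i in range(1, 10)}


def min_independent_compromises(threshold: int, key_to_operator: Dict[str, str]) -> Optional[int]:
    """Fewest distinct operators whose keys together reach the threshold.

    Taking operators in descending order of keys held is optimal here, since we
    only need the key count to reach the threshold with as few parties as possible.
    Returns None if all keys together still fall short of the threshold.
    """
    if threshold <= 0:
        return 0
    keys_held = sorted(Counter(key_to_operator.values()).values(), reverse=True)
    signed = 0
    for parties, count in enumerate(keys_held, start=1):
        signed += count
        if signed >= threshold:
            return parties
    return None


def authorize(threshold: int, key_to_operator: Dict[str, str], signing_keys: Iterable[str]) -> bool:
    """The k-of-n check itself: at least `threshold` distinct registered keys signed.

    Duplicates and unknown keys are ignored. This check cannot see who controls
    the keys, which is exactly the blind spot measured by the function above.
    """
    valid = {k for k in signing_keys if k in key_to_operator}
    return len(valid) >= threshold


def centralisation_report(threshold: int, key_to_operator: Dict[str, str]) -> dict:
    """Summarise how far the policy's real independence falls short of its nominal k."""
    needed = min_independent_compromises(threshold, key_to_operator)
    return {
        "validators": len(key_to_operator),
        "threshold": threshold,
        "operators": len(set(key_to_operator.values())),
        "independent_compromises_needed": needed,
        # 0 means every required signature really comes from a different party.
        "independence_gap": None if needed is None else threshold - needed,
    }


if __name__ == "__main__":
    for name, policy in (("concentrated", CONCENTRATED), ("independent", INDEPENDENT)):
        print(name, centralisation_report(THRESHOLD, policy))
    # Five distinct keys pass the on-chain check even though only two parties stand behind them.
    print(authorize(THRESHOLD, CONCENTRATED, ["val-1", "val-2", "val-3", "val-4", "val-5"]))
```

The independence gap is the number a reviewer of a bridge or multi-signature setup should watch: a 5-of-9 policy whose keys sit with only two independent operators gives the assurance of a 2-of-something scheme, however many validators the dashboard shows.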



Nivedita Newar Head of Cyber Security Strategy & Governance MBA-IT, CISSP, CRISC, SABSA, CCSK, ISO27001-LI


Raven David Cyber Security Governance & Risk Manager CCSP, CISM, CISSCP, CRISC, ISO27001-LI

The Tangible Uplift Program has announced the launch of the Women in Security “Tangible Uplift” Program-2022, with My Security Media as its proud media partner. The program is aimed at any female IT or Cyber Security professional in Australia, from either a technical or non-technical background, who ultimately aspires to move to a security leadership position.

THE GOAL
The goal of the Tangible Uplift Program is to train and assist 50 women across Australia in 2022 to pass the CISM written exam, in order to increase their cybersecurity skills and knowledge, uplift their credibility index and marketability, provide a pathway to obtain CISM certification and assist with job readiness. The Certified Information Security Manager (CISM) training by IT Masters, sponsored by CAUDIT, aims to make female IT professionals proficient in information security management. The CISM course is designed to teach professionals international security practices and the expertise to manage, design, administer and assess IT security for organizations of every size and scale.


Comparison between DeFi and Conventional Banking By Vinoth Venkatesan

Basics of DeFi
Decentralized Finance, or “DeFi”, is an umbrella term encompassing the vision of a financial system that functions without any intermediaries, such as banks, insurers, or clearinghouses, and is operated purely by the power of smart contracts. DeFi applications strive to deliver traditional finance services (also called Centralized Finance, or just CeFi) in an entirely permissionless, global, and transparent way. DeFi is likely to have a substantial impact on how banks function in the future and could even shift the structure of the whole financial system at a macroeconomic level.

DeFi challenging traditional finance actors
Since its inception, the vision of a new financial system has accompanied the blockchain space, and it has been an aspirational dream for the blockchain community. Over the past two years, DeFi has grown astonishingly, and billions of USD have gone into ecosystem development. In the following, you will see a comparison with conventional banking systems and an overview of the actors in the DeFi ecosystem, to provide a clear context on how DeFi is closing the gap with traditional banking.

Conventional Banking vs DeFi — Comparison

A quick look at traditional banking versus DeFi-based protocols; this data will help you understand how DeFi is snowballing.

Commercial Banks
Conventional Banking: Borrowing and lending are the basic building blocks of an effective financial system. The main business of commercial banks is to receive deposits and give loans to their clients. Holders of funds get an incentive to provide liquidity to the markets and, in exchange, earn a return on their otherwise unproductive assets.
DeFi: DeFi protocols enable, for the first time, borrowing or lending money on a large scale between unknown participants and without any intermediaries. These applications bring lenders and borrowers together and set interest rates automatically according to supply and demand. The recent hype around DeFi applications is due to borrowing and lending protocols such as Compound. In contrast to traditional finance, loans in DeFi are secured by over-collateralization. However, companies such as Aave are currently working on enabling uncollateralized loans similar to conventional finance.

Investment Banks
Conventional Banking: The business model of investment banks usually involves advisory on financial transactions. The creation or trading of complex financial products and the management of assets also fall in the realm of investment banks.
DeFi: DeFi protocols are already offering similar products. For instance, Synthetix is a derivatives issuance protocol enabling the decentralized creation and trading of derivatives on assets such as stocks, currencies, and commodities. Decentralized asset management for cryptocurrencies is also evolving. Yearn Finance, for example, is an autonomous protocol that searches for the best yields in the DeFi space and invests automatically for its users.

Exchanges
Conventional Banking: An exchange organizes the trading of different assets, such as stocks or foreign currencies, between two or more market participants. Centralized exchanges (CeFi) like Coinbase or Binance offer to swap one cryptocurrency unit against another.
DeFi: With the emergence of decentralized exchanges (DEX), holders of cryptocurrencies no longer need to leave the crypto space to swap their tokens. A prominent example of a DEX is Uniswap. A DEX is composed of smart contracts that hold liquidity reserves and function according to defined pricing mechanisms. Such automated liquidity protocols play a crucial role in developing an independent decentralized ecosystem without CeFi intermediaries.

Insurance
Conventional Banking: An essential function of insurance is to smooth out risks and bring security to market participants.
DeFi: An example of decentralized insurance is Nexus Mutual, which offers cover for bugs in smart contracts. Considering everything in DeFi is based on smart contracts, vulnerabilities in smart contracts are a real risk for DeFi users. Decentralized insurance is still in its infancy, but a greater number of more sophisticated insurance models can emerge in the DeFi space in the future.

Central Banks
Conventional Banking: Central banks carry out a nation’s monetary policy and control its money supply, often mandated with maintaining low inflation and steady GDP growth. On a macro basis, central banks influence interest rates and participate in open market operations to control the cost of borrowing and lending throughout an economy.
DeFi: Stablecoins are blockchain protocols that have the principle of price stability inherently encoded and thus fulfil the function of a reserve currency. The introduction of stablecoins set the foundation of a functioning decentralized financial system, as they enable participants to engage with each other without the underlying risk of price volatility. There are three options for how a cryptocurrency can reach price stability:
1) Stablecoins can reach high degrees of price stability by pegging a currency to other assets. For example, for each issued unit of USD Coin, a real US Dollar is held in reserve.
2) From a decentralized finance perspective, another interesting approach is the issuance of stablecoins using other cryptocurrencies as collateral. A leading protocol for the DeFi stablecoin ecosystem is Maker DAO, which issues the DAI cryptocurrency and ensures with its algorithm that the value of 1 DAI hovers around the value of 1 US Dollar.
3) More experimental approaches aim to reach price stability without collateral. For instance, the protocol Ampleforth automatically adjusts the supply of tokens based on demand.

DeFi will outperform the traditional finance system in the future
There are three reasons why DeFi has the potential to outperform the conventional financial system and gain increasing attention in scientific, economic, and public debates:
1. Speed of growth: DeFi is a highly scalable and global ecosystem. Once DeFi as a whole (or a specific DeFi application) proves its utility, exponential growth is possible. DeFi Pulse monitors the total value locked (TVL) in smart contracts on all relevant DeFi applications.
2. Room for growth: According to Messari, a crypto market analytics firm, the capitalization of all DeFi applications was just 1.5% of the total crypto market as of July 2020. In addition, we can argue that there is much room for growth from further asset redistribution within just the crypto space.
3. New market segments: According to The World Bank, 1.7 billion adults do not have access to banking services. DeFi is permissionless, meaning that anyone can access those financial services anywhere. In principle, just electricity, an internet connection, and a smartphone are sufficient. DeFi could provide a viable option in regions where banking services are too expensive compared to income.

Conclusion: DeFi is here to stay
For the first time in history, a financial system is developing without intermediaries at a large scale. So far, DeFi applications cannot yet compete with traditional finance solutions in terms of security, speed, and ease of use. But DeFi has produced real, working applications that have already attracted billions in capital. Those resources will be used to develop more competitive and user-friendly applications.

About the Author
Vinoth is a cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.


Disable Ad Tracking in iOS and Android – Reasons to do it now By Vinoth Venkatesan

The Identifier for Advertisers (IDFA) on iOS, or the Android Advertising ID (AAID) on Android, is the key that allows most third-party tracking on mobile devices. Restricting these identifiers makes it significantly more difficult for data brokers and advertisers to profile and track you, and limits the amount of your personal information up for sale. This article will review the history of device ad identifiers and how they have enabled persistent tracking, identification, and other privacy invasions. Before we go there, let’s figure out how to revoke tracker access to your ad ID right now.

On Android
Open Settings and navigate to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. This will prevent any app on your phone from accessing it in the future. You can opt out in Android version 12 and above, but a similar feature may not be available on older versions. Instead, you can reset your ad ID and instruct apps not to track you.

On iOS
Apple requires apps to ask permission before they can access your IDFA. When you install a new app, it may ask you for permission to track you. Select “Ask App Not to Track” to deny IDFA access. To see which apps you have previously granted access to, go to Settings > Privacy > Tracking. Here you can disable tracking for specific apps that had permission earlier. Only apps that have permission to track you will be able to access your IDFA. You can disable “Allow Apps to Request to Track” by moving the slider to the “off” position. This will prevent apps from requesting to track you in the future. If you have granted apps authorization to track you in the past, this will prompt you to ask those apps to stop tracking. You can also grant or revoke tracking access on a per-app basis.

Apart from IDFA, Apple has its own targeted advertising system, separate from the third-party tracking it enables with IDFA. To disable it, navigate to Settings > Privacy > Apple Advertising and move the “Personalized Ads” slider to the “off” position to disable Apple’s targeted ads.

In February, Google indicated that it might eventually phase out the ad ID. It plans to introduce a version of the Privacy Sandbox framework to mobile devices to support behavioural advertising without relying on cross-app identifiers. Google assured developers that the ad ID would not be significantly affected for the next two years.

It Matters For Sure
The ad identifier is a string that uniquely identifies your phone, tablet, or other smart device. It exists for one purpose only: to help companies target their advertisements. The ad ID is the significant channel that enables a whole range of privacy breaches, in leading cases such as invasive third-party profiling by Facebook and Google, psychographic targeting by political consultants like Cambridge Analytica, and location tracking by the US military. Since every app and tracker sees the same ID, it helps data brokers compare notes about you: broker A can buy data from broker B and then use the ad identifier to link the two datasets together. From time to time, participants in the data pipeline argue that the ad ID is anonymous or pseudo-anonymous, not “personally identifying” information. This is not true in practice. The ad ID is generally used to help collect personally identifiable data, like granular location data. If you can see where a person works, sleeps, studies, socializes and seeks medical care, you don’t need their email address to identify them. An entire industry exists to help trackers link ad IDs to more directly identifying information, like email addresses and phone numbers. In a vacuum, the ad ID may be anonymous, but in the context of the tracking industry, it is a pervasive and influential identifier.

Disabling the ad ID makes it substantially more challenging for most advertisers and data brokers to track you. It is not only helpful to your privacy; it also makes the surveillance advertising industry less profitable. And don’t take my word for it: Facebook has said that Apple’s App Tracking Transparency feature would decrease the company’s 2022 sales by about $10 billion. Eliminating this tool from their toolbox will result in considerably less data about you in the wild.
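To make concrete why a shared, stable identifier is what turns two brokers’ separate datasets into one profile, here is an added Python example; it is not from the article and models no real broker. Two constructed datasets are both keyed by the ad ID and joined on it; the all-zero value that Limit Ad Tracking substitutes for the IDFA (its exact format is assumed here), and a freshly reset ID, are then handled as the opt-outs they are. All records, e-mail addresses and IDs are constructed.

```python
"""Why a shared ad identifier links datasets, and how zeroing or resetting it breaks the link.

Added example, not from the article. Two constructed data-broker datasets are
keyed by the same advertising ID; joining them on that key turns location events
and identity hints into one profile. An all-zero ID (what Limit Ad Tracking set
the IDFA to) is shared by every opted-out device and identifies nobody, and a
reset ID no longer matches any historical record.
"""
import uuid
from typing import Dict, Iterable, List

# All-zero identifier as the article describes; the exact format is assumed here.
ZERO_ID = "00000000-0000-0000-0000-000000000000"

# Constructed ad IDs for two devices (not real identifiers).
AD_A = "a1a1a1a1-0000-4000-8000-000000000001"
AD_B = "b2b2b2b2-0000-4000-8000-000000000002"

# Broker A: constructed app/location events keyed by ad ID.
BROKER_A = [
    {"ad_id": AD_A, "app": "weather", "place": "clinic"},
    {"ad_id": AD_A, "app": "news", "place": "office"},
    {"ad_id": ZERO_ID, "app": "game", "place": "gym"},      # opted-out device 1
    {"ad_id": ZERO_ID, "app": "maps", "place": "school"},   # opted-out device 2
    {"ad_id": AD_B, "app": "fitness", "place": "park"},     # broker B holds nothing on this device
]

# Broker B: constructed identity hints (e-mail) keyed by ad ID.
BROKER_B = [
    {"ad_id": AD_A, "email": "user-a@example.com"},
    {"ad_id": ZERO_ID, "email": "optout-1@example.com"},
    {"ad_id": ZERO_ID, "email": "optout-2@example.com"},
]


def index_by_ad_id(rows: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group rows by their ad_id field."""
    index: Dict[str, List[dict]] = {}
    for row in rows:
        index.setdefault(row["ad_id"], []).append(row)
    return index


def link_by_ad_id(a_rows, b_rows, drop_zero_id=True):
    """Join broker A's events with broker B's identity hints on the ad ID.

    With drop_zero_id=True the all-zero opt-out value is discarded, because it
    is shared by every opted-out device and therefore names no one. With False
    the join is done naively, which merges unrelated opted-out users.
    """
    b_index = index_by_ad_id(b_rows)
    linked = {}
    for row in a_rows:
        ad_id = row["ad_id"]
        if drop_zero_id and ad_id == ZERO_ID:
            continue
        if ad_id not in b_index:
            continue  # no identity data to link this device to
        profile = linked.setdefault(ad_id, {"identities": set(), "places": set()})
        profile["places"].add(row["place"])
        profile["identities"].update(b["email"] for b in b_index[ad_id])
    return linked


def ambiguous_profiles(linked):
    """Keys whose profile mixes more than one identity: a sign the key is not per-person."""
    return sorted(k for k, p in linked.items() if len(p["identities"]) > 1)


def reset_ad_id() -> str:
    """Simulate the user resetting the ad ID: a fresh random value that matches no history."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    careful = link_by_ad_id(BROKER_A, BROKER_B)
    naive = link_by_ad_id(BROKER_A, BROKER_B, drop_zero_id=False)
    print("linkable profiles:", {k: sorted(v["places"]) for k, v in careful.items()})
    print("naive join mixes identities under:", ambiguous_profiles(naive))
    fresh = reset_ad_id()
    print("events under a reset ID link to:", link_by_ad_id(
        [{"ad_id": fresh, "app": "weather", "place": "clinic"}], BROKER_B))
```

The join is the whole business model in miniature: the device with a live ad ID comes out with its places and e-mail in one record, while the zeroed devices either vanish from the result or collapse into one bucket holding several people’s identities, which is useless for targeting. A reset ID breaks the chain the same way, since no historical record carries the new value.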

Evolution of Ad Tracking
In the initial days of smartphones, static identifiers were used to identify devices: the “Android ID” on Android and the “Unique Device Identifier” (UDID) on iOS. These identifiers were unique, permanent, and frequently accessed by third parties without user knowledge or consent, and were used to track users across apps. This was rightfully identified as a problem for user privacy. In 2010 the Wall Street Journal exposed the extent of the issue. In 2011, things started gaining traction after a series of probing questions from US members of Congress, and Apple began restricting access to the UDID. The chart below traces the evolution of ad tracking in the mobile industry.


Evolution of Ad Tracking (timeline)

2010: Static trackers were used to identify devices: the “Android ID” on Android and the “Unique Device Identifier” (UDID) on iOS.

2010: The Wall Street Journal exposed the extent of the issue. In 2011, after a series of probing questions from US members of Congress, Apple began restricting access to the UDID.

2012: Apple quietly introduced the Identifier for Advertisers (IDFA). The most significant difference was that the IDFA could be reset.

2013: Google introduced the Android Advertising Identifier (AAID). Like Apple, Google made its identifier available to all apps without special permission. It also allowed users to reset their ad identifier, but not to restrict access to it or delete it.

2016: Apple updated Limit Ad Tracking to set the IDFA to a string of zeroes, effectively deleting it. This meant that users had a practical, technical opt-out of IDFA tracking for the first time.

2021: Apple introduced App Tracking Transparency (ATT), which requires apps to get affirmative consent before tracking users with the IDFA or any other identifier. This had an enormous impact on the tracking industry.

Android finally started rolling out a way for users to disable their ad ID. As of April 1, 2022, Android also requires developers to request separate permission to access the ad ID.


How to remove your personal information from Google’s search results By Vinoth Venkatesan


Now everyone can submit removal requests for Google Search results containing personal information. Previously, the company had a very stringent process for removing search results with sensitive data. It can be terrifying to have your phone number, email address, or home address show up in a search result, and you need to act to protect your privacy. In addition to removing personal information, Google considers removal requests for deepfake pornography, images of minors, and other explicit content. Getting results scrubbed from the search results won’t remove the actual web pages that host the information, although, as a result of your request, the web page could be removed from all searches on Google. As part of the announcement, Google’s Global Policy Lead for Search, Michelle Chang, wrote, “Open access to information is a key goal of Search, but so is empowering people with the tools they need to protect themselves and keep their sensitive, personally identifiable information private.” The new measures can protect against malicious doxxing and against information leaks that pose only implicit threats.

To kickstart the removal process, visit the support page and click the blue “Start removal request” button halfway down the page. As part of the request, you will be asked whether you have reached out to the website owners to remove your personal information. This is not required to submit the removal request, so you can tap “No, I prefer not to”. Then, in the section asking what you would like removed, select “Personal info, like ID numbers and private documents.” Following that, you can list what type of personal information you want removed from Google Search, such as your driver’s license or contact details. These steps are only for removing results from live websites; a separate form needs to be filled in for cached pages. The follow-up question is whether the request pertains to doxxing, which Google defines as “contact information being shared with threatening, malicious, or harassing intent.” After that, Google will request your full name, country of residence, and email. You can only submit takedown requests for results about yourself or someone you officially represent. Finally, Google will ask for the URL of the offending content or image; it allows up to 1,000 links in one request. For more details on gathering these links, check out Google’s guide to finding content URLs, image URLs, and search results page URLs.





STATE OF CYBER SECURITY 2022
Interview with Jenai Marinkovic, vCTO/CISO, Emerging Trends Working Group

According to ISACA’s new survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, organisations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps. The eighth annual survey features insights from more than 2,000 cybersecurity professionals around the globe, and examines cybersecurity staffing and skills, resources, cyberthreats and cybersecurity maturity.

We speak with Jonathan Brandt and Jenai Marinkovic on behalf of ISACA for a report deep-dive discussion.




Jesper Trolle, CEO
Denis Ferrand-Ajchenbaum, SVP, Global Business Development & Ecosystems, Executive Committee Member

Exclusive Networks has joined forces with security leaders in calling on the industry to take global action in a bid to end the recruitment crisis in cybersecurity, which is currently faced with an estimated shortfall of 2.7 million professionals. The Paris-headquartered global cybersecurity specialist is one of the founding partners supporting an initiative launched today by investment and advisory firm NightDragon and Next Gen Cyber Talent, a non-profit cyber education provider, to raise $1 million to fund cybersecurity courses for students in the US from diverse and disadvantaged backgrounds. Exclusive will be lending its experience and expertise to the campaign, having recently established a partnership with California Polytechnic State University, opening an office on campus and currently sponsoring 12 students, 9 of whom are already progressing through their security certification training assignments, delivered by Exclusive and its partners. All are expected to go on to full-time roles in the industry after completing their education.




Niel Pandya, Chief Technology Officer

The application security industry continues to evolve at pace as organisations recognise that software security risks need to balance with business imperatives that accelerate digital innovation. In any annual trend list, there should be few surprises. After all, most trends are a continuation of what was important just a month or year ago. Fortify has a holistic AppSec vision that is based on being excellent on foundational elements. This includes broad and accurate language coverage; an integration ecosystem that allows minimum friction into the existing tools our customers use and love; and an end-to-end application security platform that takes into account that not every organization is the same.

We speak with Niel Pandya, CTO and Business Development Lead for the CyberRes line of business under Micro Focus, covering APJ. Niel has over 25 years’ experience in technology and security, ranging from data security to security operations, application security and identity. Niel has been working with organisations across the UK and APJ to help address cyber needs that help build business resiliency. Working across different verticals, Niel has been supporting cyber programs from Smart Cities and Digital Citizen to digital channels.



Join us for a selection of curated online educational seminars covering the latest topics and trends from the smart city world. Check out some of the listed topics below. Build your network, gain knowledge, and meet like-minded people, business and policy experts, academic researchers, and decision makers from the smart city community.

TOPICS: IoT & Industry 4.0; City command centres & integration opportunities; Emergency management & communications; Sustainability & Net Zero; Mobility & 5G Networks; Policy & Governance; Smart Buildings; Video Analytics & Sensors.

Interview with Roy Wong, Executive Chairman, DC Alliance; Albert Wong, General Manager, DC Alliance; and Rhinehart Silas, Vice-President, Pacific Blockchain Corporation.

In this interview, we speak with Roy Wong, Executive Chairman, DC Alliance, Albert Wong, General Manager, DC Alliance and Rhinehart Silas, Vice-President, Pacific Blockchain Corporation. DC Alliance, a Singapore-based data centre business with an Uptime Institute Tier III certified data centre in Perth, Western Australia, has signed a Memorandum of Understanding (MOU) with Palau-based Pacific Blockchain Corporation to explore the commercial viability of developing a Tier III rated Data Centre in the Republic of Palau - our first step outside of Australia. The proposed facility will be the first and only Data Centre in Palau as well as the Republic’s first Tier-rated facility. The 1MW Uptime-Certified Tier III Data Centre will be able to accommodate up to 200 racks initially, with the development potential to increase capacity to 5MW with up to 1,000 racks. Both companies will, from the outset, explore adopting sustainable and/or renewable solutions to develop an environmentally responsible Data Centre.





AICRAFT is a South Australian company specialising in edge computing, building smart sensors and systems with tailored artificial intelligence (AI) models. The company offers purpose-built electronics to craft ultra-compact, high-speed, low-power embedded AI solutions for high-performance multi-sensor and multi-modality fusion. With experience and expertise in Defence technologies, AICRAFT innovates to facilitate real-time Big Data analysis without the typical latency, power and storage penalties. AICRAFT’s first product is a nanosatellite edge computing module to be launched in August this year. The module is expected to set a new world-leading standard by delivering 5 to 10 times the computing capacity of current in-orbit solutions and operating 24/7, compared to 10-15 minutes at present. Other upcoming products include a nanosatellite power-saving device and rugged edge computing hubs for integration with various autonomous systems. Dr Tony Scoleri is the co-founder and CEO of AICRAFT, a South Australian company established in early 2021 to focus on novel microelectronics and hardware solutions for Artificial Intelligence applications.
