Page 1

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au

@AustCyberSecMag Issue 6, 2018

Beyond application whitelisting Data breach class actions suits

Data breaches: Reckless Corporations

Implementing the essential eight

Honey, I Hacked the Car! Cyber security in aviation

Do I need an ISMS? yes, here’s why

Cryptocurrencies: Tackling the doublespend or 51% attack

Beyond Application

Whitelisting

PLUS

Techtime


REINVENT OR BECOME OBSOLETE Keeping up in a Risky World 2018 One-Day Summit

Wednesday 14th November 2018 | Sydney TICKETS from $50

BUY ONE TICKET – get a second half price! Futurist Keynotes

 The Rising Imperative for Change  Cultural Impacts of Royal Commissions: Reinventing Ourselves  The Future of Working: Resolving the Cyber Skills Shortage  Deep in the Dark Web.….what can you teach us?  Industrial Disruption: How voice technologies and 3D printing are changing the game  The Reinvention Effect  Reimagining the Risk Professional of the Future

Shara Evans

Ross Dawson

Earn up to 8 CPE Special applies to all full-priced ticket categories

TO REGISTER: go to isaca.org/Sydney

Sponsorship enquiries: Marketing@isaca.org.au


Contents

Editor's Desk 5 Feedback loop - have your say!

8

Beyond application whitelisting -

10

Data breach class actions suits

14

Data breaches: Reckless Corporations? -

18

Everyone loves shiny new toys

22

Unearth the power of ITSM convergence

24

Honey, I Hacked the Car!

26

Cyber security in aviation

30

Do I need an ISMS? yes, here’s why

34

Implementing the essential eight

36

Cryptocurrencies: Tackling the double-spend or 51% attack

38

Why do MSSPs struggle, even in the cyber boom?

40

What industrial Control system malware means

42

T | +61 8 6465 4732 subscriptions@australiansecuritymagazine.com.au

Meet the twins in cybersecurity:

46

ASD’s Essential 8: Get the Basics Right

48

Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | myteam@mysecuritymedia.com www.mysecuritymedia.com

Facial Recognition

50

The future of data breaches, cyber resilience and incident response

54

A Cyber Risk meetup Exclusive & special speaker event with ICE71

56

Cyber Protection for The World’s Game

58

Editor Tony Campbell Director & Executive Editor Chris Cubbage Director David Matrai

Helping Australia build a secure healthcare network

Art Director Stefan Babij

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiancybersecuritymagazine.com.au

Spectre and Meltdown

SUBSCRIPTIONS FOR AUSTRALIAN SECURITY MAGAZINE

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Who is the most offensive tester In the room

Techtime 60

CONNECT WITH US www.facebook.com/apsmagazine SMART ID: Ethereum blockchain identity management

@AustCyberSecMag www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors

www.youtube.com/user/MySecurityAustralia

Jodie Siganto

Ted Ringrose

Simon Pollak

Tony Campbell

Tony Vizza

David StaffordGaffney

Annu Singh

Richard Adams

Simon Ratcliffe

Daniel Marsh

Jane Lo*

Dr Richard Adams

www.australiansecuritymagazine.com.au

www.asiapacificsecuritymagazine.com

www.aseantechsec.com

www.drasticnews.com

|

www.chiefit.me

|

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com


Editor's Desk

W

elcome to the latest issue of the Australian Cyber Security Magazine (ACSM). It’s been an interesting few months in cyber both here in Australia and the rest of the world. The biggest breach in terms of sheer numbers affected Facebook, when attackers gained access to over 50 million user accounts via a software vulnerability. Facebook reacted quickly, erring on the side of caution when they logged approximately 100 million users off their platform, forcing users to log back in to refresh their access token. This got a lot of media attention, for sure, but there were a few local Australian breaches that raised a few eyebrows in the security community, albeit not as exciting for mainstream news to cover. Take, for example, the report of Chinese-based hackers infiltrating the Australian National University (ANU) network. This was worrisome, given ANU plays host to Australia's national security college and partakes in a variety of defence research projects. It has been alleged that the Chinese government was behind this attack, which makes sense given the importance of ANU in our national security machinery, but guaranteed attribution is always difficult, so we’ll likely never know exactly who the perpetrators were. What has been confirmed is that the attack was definitely launched from within China, and the scale of the breach was significant. The second attack worth mentioning happened back in July, when an organisation responsible for issuing Aviation Security Identity Cards (ASICs) was breached, raising concerns that airport security may be compromised. ASICs play an important role in airport security since their purpose is to prevent criminals and terrorists from accessing planes or gaining access to restricted airport zones. This breach compromised the personal information of those applying for or renewing ASICs; identity theft in this case could lead to dangerous or even catastrophic consequences. Finally, Western Australia’s Perth Mint was hacked in September. Thousands of customers were impacted as they reported users of their depository online service were affected. Very little is known about this breach, but what this and other shows is that at every level of government and industry attackers are active and continually targeting our important assets. Australia is not a sleepy backwater, off the radar of international cyber-criminals, rather we are a prime target and we need to face up to the fact that things will only get worse from here on. In terms of technology, following on from the recent hype in all things blockchain

and cryptocurrency, we’ll continue to cover interesting cybersecurity related subjects as they appear. However, a groundswell of interest in artificial intelligence (AI) and machine learning has risen, especially regarding threat detection, so this is another important area of research we’ll be covering more of in future issues. As malware becomes increasingly complex and evasive, especially with traditional signatures and algorithms, security vendors are hailing AI and machine learning as the key to unlocking our technology’s full potential. While many cyber security professionals remain sceptical on AI and machine learning being this panacea cure, venture capitalists are taking a more positive approach and investing hundreds of millions of dollars in all things cyber. Endpoint protection vendor, Cylance, for example, had investments totalling around $177 million prior to 2018, but this year they received a further $120 million in Series E funding. Analysts are reporting investment is increasing at pace, with research in AI and machine learning at the heart of the modern cyber value proposition. Both technologies are considered vital and strategic across every technology sector, not just cyber, so no matter what, it’s an area that is sure to grow. The rapid maturing of the overall cybersecurity market isn’t slowing either; forecasters are now predicting the global cyber industry will be worth over $34 billion by 2025, so it seems we are in the right place. In this issue we have one main theme, and some excellent ancillary content on a variety of interesting subjects. The primary focus of Issue 6 is on the use of basic security control sets,

such as the Australian Cyber Security Centre’s Essential 8. Do these basic control frameworks really work, or are they causing more harm than good in their limited coverage? Some of our stalwart regulars, like Dave Stafford-Gaffney, Dr Richard Adams, Elliot Dellys and Jodie Siganto are back looking at subjects as far ranging as compliant, privacy and breach notification, security management and application whitelisting, while a few new authors make their debut with us. Simon Ratcliffe (whom many of you may know from his time at Dell and Optus) covers the interesting subject of what makes a good SOC work, and Tony Vizza looks at how lessons from the aviation industry can help us make cybersecurity better for everyone. All that remains to be said is we hope you enjoy this issue of ACSM as much as we have putting it together, and as always, we are keen to get feedback. For now, stay safe and keep secure. Tony Campbell and the Editorial Team


WRITE FOR US! The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics: • • • • • • • • •

Reac h over out to 10 indu ,000 profe stry s per msionals onth !

Digital forensics in Australia Workforce development Security in the development lifecycle Threat management and threat hunting Incident management Operational security Security book reviews Risk management True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out over 10,000 industry 6 | Australian Cyber Security Magazine

professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at : editor@australiancybersecuritymagazine.com.au


Driving growth in  Australia’s cyber  security sector From ideation to export, and everything in between, AustCyber works with: • Startups

• Government agencies

• Scale-ups

• Research organisations

• Corporates

• Educational institutions.

• Venture capital funds

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access: Funding across all stages of the commercialisation cycle Profitableglobalsupplychainsandgrowthmarkets.

The first step is to connect with us:  www.austcyber.com  

 info@austcyber.com  

 +612 9239 3250  

 @AustCyber

Australian Cyber Security Magazine | 7


MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 120 interviews and provides regularly updates, news, trends and events. Available via Apple & Android. Over 55,000 downloads in the first year.

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.

My Security Media rapidly expanded into the Asia Pacific Region with its sister publication – the Asia Pacific Security Magazine. It is published bi-monthly –. It is available online to read by all and upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

The Australian Cyber Security Magazine was launched in agreement with the Australian Information Security Association (AISA) to be focused on AISA’s 3,000 members, nationally and forms part of AISA’s national cyber security awareness and membership communication platform.

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Your one-stop shop for all things CCTV, surveillance and detection technologies

The MySecurity TV Channel delivers news and interviews for the Asia Pacific Security Magazine, Australian Security Magazine and Australian Cyber Security Magazine – and from across MySecurity Media channels.

MySecurity Media can facilitate specialist round-table luncheons or breakfast sessions for up to 20 invited guests for high level discussion on Security & Cybersecurity themes, guided by the Vendor’s Leaders and accompanied with published content.

Event opportunities in Sydney, Melbourne, Brisbane & Singapore providing attendees a special experience and additional takeaways, including podcast interviews and print media.

promoteme@mysecuritymedia.com 8 | Australian Cyber Security Magazine

www.mysecuritymedia.com


The ‘go-to’ tool for leading professionals UP COMING EVENTS COURSES WEBINARS WHITEPAPERS SOFTWARE

promoteme@mysecuritymedia.com

www.mysecuritymarketplace.com

Australian Cyber Security Magazine | 9


Cyber Security

Beyond application whitelisting

W By Dr Richard Adams

hy are we consistently reading about businesses, educational institutions, government agencies and non-profit organisations falling victim to malware attacks, despite all the publicity and abundance of products offering solutions? Clearly something isn’t working. With rich rewards on offer there is an incentive for malware writers to be innovative, yet we seem fixated on the traditional method for the detection of malware that relies on a combination of two approaches – both of which are flawed. The risks are so high, we tend to believe any failed incidents must be caused by inattention to these methods. But, we find such logic to be deceptively incorrect. The first approach relies on some aspect of the malware being identified through a unique string within its code, i.e. its signature. This ‘blacklist’ approach requires the malware to have been previously identified, i.e. there are already one or more victims out there. Having identified an appropriate

10 | Australian Cyber Security Magazine

string within the malware code as a signature, this approach relies on the malware always containing this string in a form that can be located in a search. Notwithstanding the issue of ‘zero day’ exploits, malware authors have adopted a number of techniques in order to hide their presence from scanning of filesystems and memory. The authors of malware are aided in some respects by their ability to upload their own artifacts to public sites like Virustotal and purchase other security tools in order to defeat detection through signature recognition. Unfortunately, CPU instruction function testing is no more effective than signature checking and the use of simple base64 encoding, for which there is no guaranteed detection method and can be used to hide pivotal pieces of an attack. Yet, we seem reluctant to acknowledge these issues. To make matters worse, into the pool of potential threat artifacts there are endless examples of plain text executable


Cyber Security

code, which again seems to be largely ignored. This includes PHP, PS1 for PowerShell, java, python and so on. The second approach attempts to identify the presence of malware through its actions, either through monitoring individual machines or through monitoring network traffic, often looking for ‘blacklisted’ sites or domains. The problem of identifying unknown or suspicious activity on the network of a typical organisation has grown to the point that various tools now try and incorporate some form of Artificial Intelligence to cope with the volumes of data. However, when it comes to detecting new malware the Virus Bulletin Reactive and Proactive (RAP) Windows 10-based results for April 2018 show an average weighted score of 85% for the 31 tools tested. Is a failure rate of 15% acceptable? There are already tools becoming available that focus on preventing any executable from running that is not on a ‘whitelist’ – IF it can see the code execution. But, this

article focuses on an alternative whitelist approach using Intelligent Agents that has already been deployed inside a large government organisation which is the target of daily focused attacks. The key concept behind the approach is that for any malware to function it must contain executable code in some form, sometimes hidden and other times in plain view. The quest then, is simply to find suspect artifacts, even if you don’t know what exactly their impact would be when executed. We set out to identify only executable code in any file and determine if it is on a “gold list”, i.e. it is expected to be on that machine. The gold lists could be easily created, ideally using virtual machine instances of each standard build that is kept updated. If a file contains executable code, but isn’t on the gold list, then it is captured as a ‘malware candidate’. This is relatively straight-forward in terms of EXE and DLL code, but with the prevalence of JavaScript, the current MS move toward PowerShell management of remote systems and various third-party enabler applications, this becomes a much more complex task. So complex in fact, finding a core consistent method or value to trigger a response has become an application framework. Using the Intelligent Agent approach all executable code located across a network could be identified. Combining this approach with gold lists means an organisation would typically only have a few dozen objects needing further study, including any malicious code found anywhere on their systems. This approach does not interfere with the operation of the endpoint systems and although it is likely to generate a few false-positives in the first instance, it is much less likely to miss any unknown malware lurking on the network or lurking within email. There is also the advantage that malware authors will find it very difficult to detect the method since there is no installed application, nor are there any registry keys or services to indicate its deployment. Moreover, even hackers tracing the whitelist table hashes in memory are defeated because the “gold” hash, used for identity only, is custom designed to NOT resemble any hash algorithm. In effect, it is a secret whitelist hash approach, which takes nothing for granted and assumes the malware authors will be watching your every move. The key takeaway of this approach is that the combined use of the Intelligent Agent and the gold list greatly

Australian Cyber Security Magazine | 11


Cyber Security

Figure 6 VirusTotal results for malware 7Zip container

reduces the amount of skilled man hours required to trawl through logs and suspicious files, so they can quickly get to the suspicious artifacts and apply their skills in a more productive way. In addition, field trials have shown the benefit of deploying the Intelligent Agent to collect registry hives from infected machines in a form that can be quickly searched and reviewed as well as other relevant artifacts. Intelligent Agents – proof of concept Ten recent virus samples were downloaded at random from Dasmalwerk, placed into individual folders and then added to a 7Zip container. Each sample of malware had been named with a unique identifier and given the file extension

12 | Australian Cyber Security Magazine

“.file” (Figure 1). The 7Zip container was copied to a virtual machine that had Windows Defender running with the latest update applied. Windows Defender identified the 10 files contained in the 7Zip container as malware under 4 different categories (Figure 2). To make the test harder the 7Zip container was then added as an attachment to an email and the resulting PST file saved to the desktop of the virtual machine. The original 7Zip container was then erased from the virtual machine. This left just a PST containing the malware on the desktop The Intelligent Agent was then configured to identify and capture any files containing executable code anywhere on the virtual machine that were not included in the ‘gold list’ that had been created of the base machine. The search process took a little over 4 minutes to identify 810 files containing executable code that had been added by installed applications and use of the virtual machine since it was created from the base image. At the same time Windows Defender was set to scan just the desktop folder containing the PST with malware but it did not identify the presence of the malware that it had earlier found when it was in the 7Zip file (Figure 3). A full scan of the whole machine took 25 minutes with the same negative results. The Intelligent Agent had been configured to create a list of all artifacts that it had found to contain executable code. Examining the email hits shows the 7Zip container with the ten instances of malware found in the PST file (Figure 4). It is worth noting that there was no email client installed on this virtual machine. Examining the list of files containing executable code within the 7Zip container shows the ten malware artifacts (Figure 5). For this proof of concept example, the Intelligent Agent could scan the entire filesystem and locate malware artifacts contained in an archive attachment to an email in a little more than 4 minutes. It did this by finding executable code in ‘unknown’ files. It was possible to configure the Agent to send notification of the results by email (using its own client) plus the list of identified files. For the same scan windows Defender took 25 minutes but did not locate the malware. A copy of the 7Zip container was sent to VirusTotal during the trial run where 33 of the antivirus engines identified that it contained malware, however 25 engines declared it to be SAFE (Figure 6). Therefore, had any of these 25 engines been used as the endpoint antivirus protection they would have failed to locate the malware even if it was left on the desktop in the 7Zip container. Of the 57% of antivirus engines that DID identify the malware in the 7Zip container, they would be relying on the malware to have already claimed victims and not being able to detect their presence. The Intelligent Agent approach on the other hand would find executable code that had never appeared ‘in the wild’ – even if it was lurking in email. A copy of the 7Zip container was sent to VirusTotal during the trial run where 33 of the antivirus engines identified that it contained malware, however 25 engines declared it to be SAFE (Figure 6). Therefore, had any of these 25 engines been used as the endpoint antivirus protection they would have failed to locate the malware


Cyber Security

Figure 3 Intelligent Agent and Defender scan results

Figure 4 Review of email with executable code

Figure 5 Examining the contents of the 7Zip container

even if it was left on the desktop in the 7Zip container. Of the 57% of antivirus engines that DID identify the malware in the 7Zip container, they would be relying on the malware to have already claimed victims and not being able to detect their presence. The Intelligent Agent approach on the other hand would find executable code that had never appeared ‘in the wild’ – even if it was lurking in email.

Australian Cyber Security Magazine | 13


Cyber Security

Data breach class actions suits

G By Dr. Jodie Siganto

Hear our BSides Perth Interview with Dr. Jodie Siganto

iven the uncertainty about the right to sue for breach of privacy in Australia, I did not expect to see any significant litigation following the introduction of the new data breach notification provisions in February 2018. It looks like I was wrong, with at least three data breach related class action claims currently on the go in Australia. However, it remains to be seen how successful these actions will be, either in establishing a right to sue for breach of privacy or proving an entitlement to damages. Key take-aways • It’s not clear there’s a right to sue for breach of privacy in Australia. • Three data breach related class actions have been commenced, either arguing that there is a common law right to sue or seeking compensation pursuant to the Privacy Act. • The current law suits may result in clarification of the existence of a common law right to sue (in addition to the right to claim compensation from the Privacy Commissioner). • However, even if some right to sue for interference with privacy is established, it is not clear what level of damages or compensation may be awarded. • A previous class action-based claim to the Privacy

14 | Australian Cyber Security Magazine

Commissioner was not successful in securing payment of damages to the claimants. But, if confirmed to exist, the possibility of civil litigation may represent a significant new risk to Australian organisations affected by a data breach.

Background The status of the right to sue for a breach of privacy has been unclear in Australia for many years. The High Court left open the possibility of such a cause of action in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd in 2001. Since then, a tort of invasion of privacy has been recognised by two lower court decisions: Grosse v Purvis in the District Court of Queensland and Doe v Australian Broadcasting Corporation in the County Court of Victoria. However, both cases were settled before appeals by the respective defendants were heard. There have also been cases where the existence of a common law right to sue for breach of privacy has been questioned. The failure of a right to sue for invasion of privacy to develop at common law has led to calls for the introduction of a statutory right to sue. Over the last 10 years, the introduction of a statutory right to sue has been supported


Cyber Security

The amount claimed could be up to $1,000 per individual, which would total $300 million on behalf of the group. This claim is supported by litigation funding legal firm IMF Bentham. Key take-aways • It’s not clear there’s a right to sue for breach of privacy in Australia. • Three data breach related class actions have been commenced, either arguing that there is a common law right to sue or seeking compensation pursuant to the Privacy Act. • The current law suits may result in clarification of the existence of a common law right to sue (in addition to the right to claim compensation from the Privacy Commissioner). • However, even if some right to sue for interference with privacy is established, it is not clear what level of damages or compensation may be awarded. • A previous class action-based claim to the Privacy Commissioner was not successful in securing payment of damages to the claimants. • But, if confirmed to exist, the possibility of civil litigation may represent a significant new risk to Australian organisations affected by a data breach.

by at least four different commissions. Those opposed to the introduction of a statutory right to sue refer to concerns about it impacting freedom of expression rights and the ‘public interest in the free flow of information on matters of public concern and freedom of artistic expression’ which ‘could be threatened by unclear standards as to what is and what is not acceptable in the context of a statutory cause of action.’ Given this resistance, neither the Federal nor any State government has felt inclined to introduce a statutory right to sue. This means that, in the absence of the development of a common law action for breach of privacy, the surest avenue to seek compensation where there has been an interference with privacy in Australia is via a complaint to the Privacy Commissioner pursuant to the Privacy Act 1988 (Cth).

Class action claims In 2017, a class action against NSW Ambulance Service was brought on behalf of 130 ambulance staff whose medical records were accessed without authorisation by a NSW Ambulance contractor and sold to personal injury lawyers. The law firm involved in the class action said the total damages could reach "millions of dollars", with individuals

claiming for pain and suffering, humiliation, psychological injuries and economic loss. (More information here.) The same law firm is looking to bring a class action following the PageUp data breach in June 2018. Interested participants can sign up here. It is not clear whether this action would be based on a claim for compensation with the Australian Privacy Commissioner or initiated as a claim in tort in the Supreme Court. A different law firm is reported to be lodging a complaint against Facebook with the Australian Privacy Commissioner on behalf of more than 300,000 Australian individuals whose data was obtained by Cambridge Analytica via the Facebook ‘This is my Digital Life’ quiz. The amount claimed could be up to $1,000 per individual, which would total $300 million on behalf of the group. This claim is supported by litigation funding legal firm IMF Bentham. The chance of recovering the sort of amounts claimed in these cases seems remote. It’s not clear that the Privacy Commissioner will award compensation in any of the above cases, certainly in the absence of evidence of real distress or anxiety. A recent determination by the Privacy Commissioner indicates some of the issues likely to be faced. In 2017 a claim was made on behalf of 328 employees of a building sub-contractor, whose superannuation details were wrongly disclosed to the head contractor, Cbus. The complainants were represented as a class by a law firm who argued that they were entitled to $2,000-$3,000 in general damages and between $3,000 - $4,000 in aggravated damages per class member, which collectively amounted to a sum of $2.97 million. To support the claim, various members of the class gave statements that, when they

Australian Cyber Security Magazine | 15


Cyber Security

became aware of the breach, they were ‘unhappy’, ‘angry’, ‘upset’, ‘disappointed’ or ‘uncomfortable.’ Legal costs were also claimed. Ultimately, the Commissioner decided a public apology plus a review of procedures were sufficient response to the breach and did not award any financial compensation. Based on this, indications are that class action claims for data breaches will not find much favour with the Commissioner unless there is substantive evidence of actual loss or damage suffered by the class members, which must be something beyond concern or anger. This is certainly consistent with the experience in the US where courts have been reluctant to award damages in data breach cases unless there is some basis for real concern regarding fraud or identity theft.

evidence of loss sufficient to justify compensation, given the Commissioner’s findings in the Cbus case. If any of the current law suits proceed in common law, based on an action for breach of privacy, it may result in clarification of the existence of a common law right to sue (in addition to the right to claim compensation from the Privacy Commissioner). This would certainly be a positive step forward in Australian law and would address the current gap in the legal remedies available to the victims of privacy breaches because of the reluctance of both Federal and state governments to introduce a statutory right to sue. However, if confirmed to exist, the possibility of civil litigation based on an accepted tort of breach of privacy will also represent a significant new risk to Australian organisations affected by a data breach.

Prospects of success? Of the cases considered here, the NSW Ambulance claimants are probably best placed to recover compensation given there is actual evidence of misuse of their data. However, this could be tempered by the expectation that the personal injury law firms who wrongly received the data would be trusted to delete it and undertake not pass it on to third parties. This in turn would have an impact on the extent of the distress suffered by the individuals concerned, reducing the level of concern they may legitimately feel. It is not clear that claimants in either the PageUp or Facebook/Cambridge Analytica will be able to provide

About the Author Dr Jodie Siganto PhD LLM CISSP CIPM CIPP/E Dr Siganto graduated as a lawyer from the University of Queensland and after 8 years in private practice became in-house counsel for Tandem Computers followed by roles with Unisys Asia and Dell based in Singapore. She returned to Australia in 2000, founding Bridge Point Communications (specialists in data networking and security) with two other colleagues. Since then, she has specialised in providing information security and privacy consulting and training. Dr Siganto completed her PhD on privacy and information security practice in 2014

The ‘go-to’ tool for leading professionals

www.mysecuritymarketplace.com 16 | Australian Cyber Security Magazine


LEADING CYBER SECURITY SUMMIT FOR SHIPPING, PORTS, MARITIME AND OFFSHORE OIL & GAS INDUSTRIES GLOBALLY COMES TO SINGAPORE!

2nd CYBER SECURITY FOR MARITIME SUMMIT 2018

■ Main Summit: 13 & 14 November 2018

■ Post-summit Workshops: 15 November 2018

■ Pre-summit Workshops: 12 November 2018

■ Venue: Copthorne King’s Hotel Singapore

DISCUSS & SHARE INSIGHTFUL EXPERIENCES ON DEALING WITH ALL MARITIME CYBER THREATS!

WHAT IS SO “WOW” ABOUT THIS SUMMIT?

HACKING VS DEFENCE TECHNIQUES DEMONSTRATION →

How tools using Shodan expose SCADA system, Database and Servers to cyber risk?

How intruders attack web application to steal data and information?

WHO SHOULD ATTEND? Heads/Senior Managers/Managers/ Engineers/Project Managers of: ↘

Information Security / Information Technology

Information Systems

Infrastructure Security

Security

Operations

Emergency Management/Services

Harbour Masters

5 FEATURED WORKSHOPS AVAILABLE!

A

Future of Maritime Industry: Preparing Yourself for the Port Automation & Cyber Risk

B

Proven IT Protection Techniques: Testing Your Maritime IT Security System Against Cyber Threats

C

Unplanned Outages on GPS: Executing Immediate Response towards Jamming or Spoofing of Signals

D

Defence Technique: Experiencing the Latest Attack Methodologies and How they Work on Ransomware Scenarios, Malware Threats & Phishing Attacks

E

Disaster Recovery & Business Contingency Management: Step-byStep Guide to Prepare, Response and Recover Your Business Operations from Cyber-Attacks

Contact Us Today! PHONE +65 63760908

EMAIL enquiry@equip-global.com

WEBSITE www.equip-global.com/cyber-security-for-maritime-summit-2018

Researched & Developed by:


Cover Feature Cyber Security

Data breaches: Reckless Corporations?

O By Ted Ringrose, Ringrose Siganto

n 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme obliges organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm to the affected individuals, and to notify the Australian Information Commissioner (Commissioner) of eligible data breaches. The notification to individuals must include recommendations about the steps they should take in response to the breach. Now the Commissioner has released the first full quarter report of notifiable data breaches, for the period 1 April to 30 June 2018.

The number of breaches reported per month of 2018 is set out below. Even if January and February are ignored, it’s clear that there is an upwards trend in the number of notifications being made. Number of notifications Total received in the quarter — April to June 2018 Total received January to March 2018 Total received 2017-18

242

63 305

The number of breaches reported per month of 2018 is set out below. Even if January and February are ignored, it’s clear that there is an upwards trend in the number of notifications being made.

The OAIC Quarterly Report Sectors Most Affected The number of notifications for the quarter appears significantly higher than for the previous quarter, though that is skewed by a number of factors, including that the scheme only came into force on 22 February 2018. Prior to that, organisations were not obliged to report data breaches.

18 | Australian Cyber Security Magazine

The report discloses that the sectors most reporting breaches were (in order) health services (20%), finance (15%), legal, accounting and management services (Advisory Services) (8%), private education (8%) and business and


Cyber Security

Month of 2018

Number of

The health sector was more susceptible to human

notifications

error (59%) than Advisory Services (30%) and

January

0

February

8

March

55

April

65

May

87

Kinds of personal information

June

90

affected

business and professional organisations (20%).

Contact information

professional organisations (6%). It should be noted that notifications made under the My Health Records Act 2012 were not included in this report, as they are subject to specific notification requirements. Further, state educational intuitions are covered by State and Territory privacy law and were not included in the report. We are of the view that these sectors are not the necessarily those most impacted by data breaches. Rather, each sector is heavily regulated and scrutinised and, in our opinion, the members of these sectors are the most likely to: • be aware of and concerned to meet their legal obligations; • want to be seen to be transparent; and • to employ or have access to the services of privacy professionals. For these reasons, these sectors are those most likely to report incidents.

Most Common Causes of Breach The cause of the breaches were (in order) malicious and criminal attacks (59%), human error (36%) and system fault (5%). But these percentages were not consistent across each sector. For example, a much higher rate of malicious and criminal attacks affected Advisory Services businesses (60%) and business and professional organisations (73.3%) than the health sector (40%). The health sector was more susceptible to human error (59%) than Advisory Services (30%) and business and professional organisations (20%). It’s clear that human error and malicious attacks are by far the biggest cause of personal information incidents. This has been the case for a long time.

Information Compromised The information compromised is unsurprising. As notifications are only required to be made when there is a likelihood of serious harm to the affected individuals, it is expected that these categories of information will feature in notifications and the report.

More Breaches or Simply More Reporting? We don’t think it’s possible to conclude that the report shows that there have been more data breach incidents occurring in this quarter than the last or even that the number of breaches is increasing. The Commissioner notes that: The growing number of notifications under the scheme demonstrates an awareness by entities of their obligations to notify the OAIC and affected individuals where a breach

% of data breaches 89%

Financial details

42%

Identity information

39%

Health information

25%

TFN

19%

Other sensitive information

8%

of personal information is likely to result in serious harm. We think that is correct. As awareness of obligations grows, notifications will increase. It does not necessarily follow that an increase in reported breaches means that more breaches are occurring. However, it’s important to remember that in determining whether a breach is notifiable, it’s is the opinion of the affected organisations as to whether the breach involves a likelihood of serious harm to affected individuals (not the opinion of the individuals affected). Therefore, many breaches will go unreported if, in the organisation’s opinion, there is no likelihood of serious harm to the affected individuals.

Reckless Corporations? To us it seems a bit much to conclude that this report “revealed disturbing trends around the security of our information and what value is placed on its protection” or that it is “a damning condemnation surrounding businesses’ failure to protect the privacy of Australians and the information held on us (sic)” . From working with major Australian corporations, we know that most do value the security of personal information. Indeed, they spend large sums of money and devote a great deal of management time to the maintenance of secure systems and in training their staff about security and privacy. We are also confident that every organisation which has notified the Commissioner of a privacy breach during the last quarter will be reviewing its systems and training programs to help prevent further incidents. They also take security and privacy seriously because their reputation is at stake. But no amount of investment will eliminate human error, nor will it dampen the desire and ingenuity of bad actors who want to make money or mischief at the expense of the privacy of Australians. Of course, there are irresponsible organisations that aren’t doing a damn thing about privacy - either through ignorance or indifference. But many are. And though every organisation can do more to safeguard individuals’ personal information, those which fulfil their legal obligations and notify the Commissioner and affected individuals of a personal information incident are to be applauded.

Australian Cyber Security Magazine | 19


E TUN IN ! NOW

www.australiancybersecuritymagazine.com.au


PODCAST HIGHLIGHT EPISODES Episode 103 – World-renowned cyber security expert, “The Ethical Hacker” – Oliver Stone’s cybersecurity adviser on “Snowden” and CEO of Estonia startup Seguru.io This is a broad interview with Ralph Echemendia, world-renowned cyber security expert, known internationally by his alter ego “The Ethical Hacker.” For over 20 years, Ralph has delivered training on hacking and other security information to corporations including the US Marine Corps, NASA, Google, Microsoft, Oracle, AMEX, Intel, Boeing, Symantec, and IBM.systems provides new business opportunities with developing smaller and lighter payloads.

Episode 109 – Cybernomics: Digital Asset Valuation & Cyber Risk Measurement with Dr. Keyun Ruan, Computer Scientist & Author “Digital Forensics” This interview with Dr. Keyun Ruan dives into her research in identifying the value of ‘cyber’ in business, establishing traceability for better risk management, analyzing the attacker’s role in cyber risk and the outlook for the future of cyber risk quantification. Dr. Keyun Ruan has worked as a PhD researcher at the Center of Cyber security and Cybercrime Investigation (University College, Dublin) and in cloud forensics at the Cyber Security Research Lab (EADS).

Episode 112 – Interview with the CEO of CyLon at ICE71, Singapore. CyLon is the world’s leading cybersecurity accelerator We sit down with Anton Opperman, CEO of CyLon at ICE71. CyLon is the world’s leading cybersecurity accelerator. Since launching in London in 2015 CyLon has run several accelerator programmes, successfully accelerating over 50 cybersecurity startups, many of which are now working with major global corporations, governments and world-leading investors. CyLon is working in partnership with Singtel Innov8 and NUS Enterprise to deliver the ICE71 Inspire and ICE71 Accelerate programmes.

Episode 107 – Child Cyber Security Ambassador & Child Hacker – Reuben Paul, 12, aka “RAPst4r”, the Founder of CyberShaolin Following his presentation on stage at Cyber Security Asia, Kuala Lumpur, we sat down with Reuben Paul, our youngest guest and Cyber Security Ambassador, Child Hacker, Black Belt in Shaolin Do Kung Fu, USA Gymnast, Video-gamer & Cyber Ninja. These are some of the growing titles used to describe 12-year-old Reuben Paul aka “RAPst4r”, the Founder of CyberShaolin.

Episode 117 – GDPR & Cambridge Analytica – A Cyber week in London with Jane Lo, Singapore Correspondent Jane started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for Corporates and Banks, before relocating back to Singapore. er experience included using data predictive analytics for fraud at global financial institutions (Deustche Bank, JP Morgan) and advisory to financial institutions with PriceWaterHouseCoopers.

@BSidesPer 2018 Podcast series #BSidesPerth BSides Perth 2018 attracted over 300 delegates, including kids and families, to UWA Business School and along with t-shirts, beanies and tool kits, delegates also received a cool and unique handmade conference badge, using a NodeMCU ESP8266 WiFi SoC. Security BSides (commonly referred to as BSides) is a hacker convention, held amongst a growing eco-system of events in Australia and New Zealand that provide a community driven framework for information security conferences.

Data Centre Deep Dive with #DCDAustralia & #DCDSingapore IAs part of our Data Centre #DCD media partnership here is a series of interviews which deep dive into the Data Centre industry, recorded in August & September 2018 at Data Center Dynamics – DCD Australia, Sydney #DCDAustralia and DCD South East Asia in Singapore #DCDSingapore. • Business Drivers & Data Centres, with Stephen Worn, CTO & CEO DCD North America • Achieving sustainable data centres and the next Moore’s Law trends, with Prof. Ian Bitterlin, Leeds University • Is this the McDonalds of the DC industry? Meet Digital Realty, the world’s largest full scale data centre provider • How IoT data capture and processing is driving new edge-to-core data center network • Data Centre trends in the era of edge computing and security considerations around rapid deployment • The future of Data Centres in an age of robotics, AI, IoT, machine learning and AR/VR, Prof. Greg Sherry

Episode 100 – Intrepreneurship, SCADA systems and maritime supply chains Ken Soh, CEO of Athena Dynamics Pte Ltd speaks about his journey into Intrepreneurship, shipping and maritime security frameworks, SCADA Systems and the inspiration sourced from Israel. As CIO of BH Global Corporation, Ken’s journey got underway when the company funded a study week in Israel and he returned to Singapore as an Intrepreneur, the CEO of Athene Dynamics and servicing BH Global Corporation’s supply chain customers. Ken effectively turned the IT department into a profit centre and software distributor. With consideration to shipping and maritime security trends and supply chain security, we then dive into two of the company’s software products: Sasa Software is a 9-layer, ultra-deep-scanning anti-malware and sanitisation (CDR) solution augmentable by uni-directional data diodes with Wintel based proxies; and ICS2, a SCADA monitoring platform that specialises in real-time behavioural analytics of OPC data passively extracted from control systems.

www.australiancybersecuritymagazine.com.au


Cyber Security

Everyone loves shiny new toys

B By Simon Pollak

ack when they were common place, I recall going into my local bait and tackle store and seeing a display of fishing lures on the counter touting some super power or other that would almost guarantee you’d catch more fish. I asked Steve, the shop owner, who I’d known for some years, his opinion and his reply has remained with me ever since. “You know what Simon, some lures are designed to catch fish, others are designed to catch fishermen. This one is designed to catch fishermen.” This advice has served me well in the many intervening years, across many different sets of products. In the last few years, with cyber security becoming a concern at all levels of busienss, I am observing far too many decision makers failing to fully consider whether their security expenditure is the most suitable for their organisation. There are a number of broad questions that should be asked with any security investment, cyber or otherwise, that

will assist in evaluating any expenditure. What problem does it solve or what risk does it mitigate for my organisation? In the physical security world, we’d find it laughable to deploy a team of Ghurkhas, SEALS, and SAS soldiers to stop kids sneaking in alcohol into a party. Same principle in cyber security - just because a product solves a problem, is it a problem that you need to solve? If you’re not a target for state sponsored hackers, then maybe an APT detection product isn’t the best solution for you. Across the spectrum of risks that my organisation faces, does this address a high priority risk or a low priority risk? Similar to the previous question; is this the best, or at least a good use of my organisation’s resources. Start with the basics. Ensure you have systems and processes in place for patching, identity and access management, encryption, data classification, perimeter security etc. If you


Cyber Security

'There are of course all the other questions to ask as should be the case with any expenditure such as “Can I afford it?” and “Is this the right vendor?' the solution you are considering protect? A solution that prevents your manufacturing systems going offline for days or weeks may protect a great deal of value, whereas data leakage prevention for information that’s available from your public facing website, less so. How does this fit in with my overall security strategy? As an organisation’s security posture matures, though ideally for all organisations, there will be a security strategy that identifies risks, priorities, and opportunities in the business context. Does this solution align with and assist with progressing that strategy? Will it integrate with my existing tool set? If you already have security tools and systems in place, the ability to integrate a new solution into your existing environment is an important consideration. If a product is going to result in a disparate set of notifications that reduce the likelihood of them being actioned correctly, is there a product that will better integrate, or has the cost to integrate been allowed for? How will it be supported?

have internet connected devices with default credentials or known vulnerabilities, then maybe you should address this before you worry about real time network forensics. Can I do something with the output that this solution provides? There’s a world of difference between information and intelligence. If a solution gives you information that you don’t have the ability to action, does it add any value? Once you know someone from China or Russia has logged into your systems, do you have the ability to assess whether it is genuine or malicious, then block or remove them if it is malicious? What am I protecting, and why? Your systems, your processes, and your information all have a value to your organisation. How much value does

It’s all well and good to have the latest, greatest products, however, for technology to be effective, it requires support, maintenance and updates in order to remain effective. Has support; both availability and expense been evaluated as part of the product assessment? What is the product support lifecycle, and will it be adequately supported for as long as you are expecting it to be in use? There are of course all the other questions to ask as should be the case with any expenditure such as “Can I afford it?” and “Is this the right vendor?” So, next time your preparing to spend your hard-earned cash on a security solution, just remember to question whether they are fishing for fish or fishing for fishermen. The views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies or any organisation or entity. About the Author Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Master of Cyber Security and a Master of Business Administration (Technology).

Australian Cyber Security Magazine | 23


Cover Feature Cyber Security

Unearth the power of ITSM convergence

E By Tony Campbell ACSM Editor

nterprises that run their own IT systems, or rely on service providers managing it for them, normally have several different teams providing network operations, security operations and overall service management. What’s interesting about this approach is that there is often duplication of effort across these groups, with cyber security insights gained in any team other than security falling into an operational void. Let’s look at the justification for conjoined network and security operations teams, as well as the tools and processes they might use to do their job.

Network Ops and Security Ops Network operations teams manage the health of the enterprise’s network, managing routers, switches, network quality of service and troubleshooting issues with connectivity when users or systems go offline. The systems used by network operations teams are powerful administrative tools capable of analysing, at the packet level, the data traversing the business’s wired ethernet networks, Wi-Fi systems and even out to its cloud connected-systems. The security operations team will look at systems from the perspective of potential compromises and identify

24 | Australian Cyber Security Magazine

possible attacks and patterns of user behaviour that might be indicative of malicious intent. Security analysts monitor similar tools to that of the network team, just looking at the data through a different lens. You can immediately see that the focus of the network and security teams are slightly different but, in many aspects, aligned. Most businesses, however, segregate these activities since the former is about keeping the network running (available) while the latter focuses on stopping cyber-attacks. This leads to organisations investing thousands of dollars on two sets of administrative tools to perform, largely, what are the same activities.

Redesigning NetSecOps Instead of considering these aspects of IT service management as separate, take a step back and look at the activities both undertake on a daily basis. Many of the tools used in security operations can provide valuable insight to the network team, and vice versa. For example, a Security Information and Event Management (SIEM) system ingests security event logs from the enterprise’s network systems and correlates on patterns related to attacks. Fundamentally, that is what a SIEM does. In the


Cyber Security

One of the less quantifiable benefits you get from joining the network and security operations teams together is it helps address the age-old problem of the security skills gap. hands of the security operations team, a SIEM helps identify patterns of activity indicative of security threats, however, the same data set could be profiled for routing issues and malfunctioning network devices, since the logs convey everything that’s going on with that system. Similarly, network operations teams use tools that monitor the health of network systems, content distribution networks, and WAN links, usually working in real-time so the network analyst immediately sees where a connection is down or is overwhelmed with traffic. In the hands of the security operations team, this network health information can raise suspicions and show potential denial of service attacks or massive data exfiltration, which their own toolsets might not show them. Now imagine an environment where the core network and security tools are available to both teams. If the SIEM alerts on an indicator of compromise and the network monitoring tool shows a related link-down or a route change, where an internal network segment is under extreme loading and some strange administrative behaviour changes how the network is configured, those data points could indicate an ongoing attack. By keeping these systems apart, the security team might start hunting for a threat, but could consider it a lower priority event since there is no additional evidence of an attack, while the network team starts working with a WAN provider to remediate what seems like a normal outage. In all reality, it could take many hours before the incident response process begins and by that stage it may be too late to stop the attack. A second example of where the two teams could collaborate is in availability management. Security is about protecting the confidentiality, integrity and availability of information and systems and often malfunctioning network equipment can lead to a loss of availability. It might be that the network device’s logs start to report a security violation or a configuration issue before it stops working, so this alert, when ingested into the security operations team’s SIEM tool, could be passed to the network operations team to investigate. As you can see from these basic use cases, a conjoined operations capability can be incredibly powerful, but it takes a redesign of the process model to make it work. It can require cross-training of the operations guys in each other disciplines and tools, where the network operations team learns how to query the SIEM and the security guys learn how to diagnose network link issues, but the benefits will reap huge rewards. Furthermore, tool integrations can be considered

during the redesign. The SIEM tool could be used to signal the network operations tools directly, raising alerts or correlating events worth investigating, and the same in reverse goes for the network monitoring tools. The SIEM can be used to ingest data from the network management tools, allowing security analysts to profile this data in their threat models. When the security team begins to use threat modelling alongside the network tea, understating the context of network availability in their own defensive mindset, this drives better outcomes for the business.

Conclusion The value of joining your network and security operations together is immense. However, if businesses are to realise this value, they must consider more than changing the management structure, rather they need to redesign the processes and fundamental rules of engagement that underpin the service management mission. By sharing the technical systems and processes across both teams, they will save money – goes without saying – but the return on investment from the cross-purposing of the teams will significantly increase productivity and the value each toolset provides. One of the less quantifiable benefits you get from joining the network and security operations teams together is it helps address the age-old problem of the security skills gap. Having a background in network operations is the one of the best starting points for a new cyber security analyst. You can use this comingling of staff to identify potential security talent and where they excel, a career development plan can be put in places to move them into a security analysts role rather than a network administration role.

Australian Cyber Security Magazine | 25


Cyber Security

Honey, I Hacked the Car! Cyber security in vital in autonomous vehicles: so how good is it today?

T By Annu Singh

he year is 2015 and two cyber security researchers, Charlie Miller and Chris Valasek, hack a Jeep Cherokee via its onboard Wi-Fi system to control the vehicle remotely. They sent commands to the CAN Bus (internal car network) and remotely controlled all of the car systems, including everything from the engine and transmission to its steering wheel and brakes. This discovery lead to the recall of 1.4 million cars by Fiat Chrysler. In 2017, Chinese researchers took control of a Tesla Model X through its Wi-Fi and cellular networks using malware they sent to the car’s web browser in a series of circuitous exploits. The researchers managed to gain control of the vehicle’s brake systems, as well as being able to open the trunk and doors, and take control of the radio. Tesla fixed these vulnerabilities shortly after the disclosure. Both of these experiments were conducted under controlled conditions, so no one was hurt. However, connected and autonomous vehicles (AV) are complex technology systems of multiple networks and software applications, communication busses, sensors, data

26 | Australian Cyber Security Magazine

platforms, as well as connectivity to and from the vehicle from financial systems, transportation and road systems, communication and navigation systems, home security systems, etc. Advanced vehicle safety depends on an array of electronics, sensors and computing power. As connectivity of these interdependent systems increase so does their vulnerability to potential attacks. An AV can have anywhere from 30 to 100+ Electronic Control Units (ECUs) which in turn have thousands of lines of codes. An AV can be hacked to re-route to a wrong destination putting the passengers at risk, vehicle stolen, misused or broken up into pieces for resale. A hacked AV could potentially be used to breach your home security (override garage, home security system) and leaves you exposed to burglary. Hackers can even get into your personal data and financial systems, as these in today’s world are connected to vehicles for road paying road tolls and fines. With the rise in connected cars and the race towards fully AV, cybersecurity for AV becomes critical to realisation of a trustworthy, safe and secure AV dream. Cybersecurity in AV


Cyber Security

needs to be addressed on two fronts 1.

Cyber security needs to be looked at across the supply chain of the AV industry. Manufacturers & suppliers need to adopt a design thinking approach to build in cybersecurity within the design and architecture of AV components at the early stages of product design to ensure the ADS (automated driving systems) work as intended, rather than have security solutions added as an afterthought, using over the top quick fix approaches.

Design aspects like extent to which the design and architecture itself can ensure cyber security needs to be addressed. OEMS are exploring solutions like: Airgaps: which involves isolating the most critical systems from the most exposed systems of the vehicle, like physically separating infotainment systems from critical systems like braking, steering and engine systems. Redundancy: How the hijacked/hacked systems

can be supported or compensated by other supporting systems thus eliminating a single point of failure. Industry is looking at Aviation and high-speed locomotive industries for addressing scenarios like CPU switchover, activating emergency brakes etc. Analog back up: As a last recovery resort, the ability to switch to mechanical drive controls that has final authority to override all digital signals. In addition to design, secure and structured development process implemented in close collaboration with the product security team and the company IT security team to eliminate any breach that could allow introduction or exploitation of system vulnerabilities and finally maintenance and response to ensure product security is not compromised throughout the lifecycle needs to be addressed for designing a robust cyber resilient ADS to evoke trust and faith WRT reliability and safety in users before AV comes into mass production. A white paper by McKenzie ‘Shifting gears in cyber security of connected cars’ describes these aspects in further detail.

Australian Cyber Security Magazine | 27


Cyber Security

Furthermore, user awareness would also be critical in this war on safety. Tech savvy users may understand this new environment and be proactive in their safety behavior, but traditional users may need to be educated on do’s and don’ts, Over the air (OTA) updates, mitigation and remediation measures. Cybersecurity features that may impact other desired systems like substandard connectivity to infotainment systems, paid/cumbersome updates, long time to download updates etc. may affect the customer experience too. OEMS will need to think of building features like onscreen in car guidance and disabling the ignition if unknown devices are connected to the vehicle. 2. OEM’s need to work with each other, regulatory bodies and users to set standards and best practices for this field at the industry level. National Highway Transport Safety Administration (NHSTA), USA recommends a multilayered approach to vehicle cybersecurity based on the fundamentals of NIST Cybersecurity framework. According to NHSTA, a systematic layered cybersecurity protection approach, that focuses on a vehicle’s entry points, both wireless and wired, as either could be potentially vulnerable to a cyberattack, should cover 4 key aspects: • Risk based prioritized threat identification for safety critical vehicle control systems, • focus on architecture, methods and measures that strengthen built in cyber resiliency in the vehicle components, with capability to recover quickly from the incident when it occurs. • timely detection and rapid response to vehicle cybersecurity incidents on the roads, • methods for effective intelligence and information sharing across the industry to facilitate quick adoption of industry-wide lessons learned. The UK government’s Department of Transport (DoT), along with the Centre for the Protection of National Infrastructure (CPNI) have also issued cybersecurity guidelines termed as ‘The Key Principles of Cyber Security for Connected and Automated Vehicles‘ for AV OEM manufacturers, suppliers and engineers. It focuses on eight principles, which are broken down further into more detailed sub-principles: • Principle 1: Organisational security is owned, governed and promoted at board level. • Principle 2: Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain. • Principle 3: Organisations need product aftercare and incident response to ensure systems are secure over their lifetime. • Principle 4: All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system. • Principle 5: Systems are designed using a defence-indepth approach. • Principle 6: The security of all software is managed throughout its lifetime. • Principle 7: The storage and transmission of data is

28 | Australian Cyber Security Magazine

secure and can be controlled. Principle 8: The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

AV cybersecurity is a new field and several key players like government bodies, universities, OEM manufacturers and suppliers are actively involved and collaborating in varied research in this field. University of Michigan used the existing automotive threat models to develop a risk assessment framework that can analyse and enumerate application-based threats across different automated driving applications across all levels of automation. These guidelines and framework provide direction on the design of future security solutions and secure architectures for production Automated Driving Systems (ADS). New technologies like Blockchain are also being extensively explored for vehicle to vehicle connectivity over distributed nodes. Blockchain is a transparent cryptographic distributed ledger system that contains digital log transactions, shared across a public or private network. Blockchain technology can help AV verify the accuracy of the data that they collect from the environment. As blockchain is immutable technology, computing power required to hack the data stored on blockchain make it a safe bet. In centralised systems, the chances of an accident due to network failure triggered by a system failure due to connectivity issue remains high. This also has the potential to be addressed with blockchain, as there would be no downtime in network connectivity. Blockchain is a new field and its full potential is yet to be uncovered, but it shows promise for solutions that enhance safety of personal data and crashes due to hacks. While we understand that a complex array of factors like cost, time to market, strategic alliance with supply chain partners, internal know-how and customer experience will play a key role in defining the optimal cybersecurity strategy for the autonomous vehicle, it is clear that a robust cybersecure AV that is reliable, safe and secure will act as a foundation to build confidence, acceptance and adoption of the vehicles of the future. Here is to a smooth ride – bon yoyage!


Cyber Security

App now available on iTunes & Google Play DOWNLOAD NOW!

www.australiancybersecuritymagazine.com.au Australian Cyber Security Magazine | 29


Cyber Security

Cyber security in aviation Lessons from the Aviation Industry Point to a Brighter Future

T By Tony Vizza

he number of reported cyber security breaches has risen at an alarming rate. In the US alone, there have been 1,579 data breaches, resulting in over 178 million records being exposed in 2017 , representing a 44.7% increase on 2016, itself a record year. Cybercrime is now the second most reported crime around the world and in the UK, cybercrime now accounts for over 50% of all crime . Amidst all of the doom and gloom, there is cause for optimism. In the context of human development, there are examples to be found of once nascent industries that are both common, as well as safe today. Perhaps the most analogous of industries that could be analysed to determine the future of the information security industry, is the aviation industry. It is a well-known fact that the Wright Brothers managed to perform the first sustained, controlled, powered and heavier-than-air flight, in an aircraft in the United States in 1903. It is far lesser known, however, that human-carrying kites existed in China and Japan, for military purposes,

30 | Australian Cyber Security Magazine

as far back as the 6th Century AD/ACE, while manned ballooning flights occurred in 1783 in France. Likewise, in the computing world, ancient computer devices, such as tally sticks and abacuses were used over 4,000 years ago in the Middle East which gave rise to mechanical calculators in the 17th century, tabulators in the 19th century and later, electrical calculators and programmable computers. It was not until the era of the personal computer in the 1980’s, however, that computer use entered the mainstream with its own “Wright Brothers� moment. As was the case after the Wright Brothers flight, where aircraft improvement and innovation grew at a frenetic pace, the availability of technology to the masses after the PC era began and has accelerated the development of information technology. Noting that aviation has a 70-year lead on Information Security, and with that time the many triumphs and setbacks, what then can we learn from our peers in the aviation industry, that we can apply to the information security fields?


Cyber Security

“You have to know the past to understand the present” – Carl Sagan investigated before a take-off was conducted by the captain, the person ultimately responsible for the safety of all passengers and crew. This focus on safety has driven the airliner accident rate to their lowest ever levels on record in 2017, despite a record 36.8 million flights in that time . In the information technology arena, on the whole, the focus on cyber safety remains minimal. Products continue to be released every single day where information security considerations are poorly addressed, if they are addressed at all. The adoption of safe information security practices amongst the lay computer user continues to disappoint, with poor password complexity and password reuse, for example, continually cited as a cause of cyber breaches. Until the information technology field adopts safety as its number one priority, the rate of information related breaches will continue to rise.

Training and Certification The Focus on Safety On a recent flight from Hong Kong to Sydney, the departure of the A380 aircraft I was on was delayed twice. First, a foreign object became caught in one of the planes doors as it was being closed after the aerobridge had been retracted. This necessitated the redeployment of the aerobridge and two ground-based engineers to inspect the plane door to determine if any significant damage had occurred and thus whether it was safe to take off. Following this, a lightning storm prevented the aircraft from taking off. When the pilot advised the passengers of the delay, he unapologetically and emphatically stated that the airline he flew for embodied “safety before schedule” and vowed to do what the flight crew could to make up time in the air. The aircraft landed almost two hours later than scheduled. While it is highly unlikely that either of these two delays would have caused an accident, the focus on risk management, where safety is prioritised over convenience meant that the delays would have to be thoroughly

Aviation pilots are amongst the most trained and certified professionals in the world today. To earn a licence that is recognised by the International Civil Aviation Organisation (referred to as the Private Pilot’s Licence, or PPL in Australia, an individual must have learned flight theory, completed 90+ hours of flight training with an accredited provider, pass a PPL theory exam and then pass a PPL flight test . In addition, the pilot requires the necessary medical and security certifications to qualify for the examination process and in order to maintain your PPL to allow you to carry passengers, you must complete three take-offs and landings within the previous 90 days. It is important to note that earning a PPL only allows the pilot the ability to fly a very limited number of single engine aircraft, and that a pilot must become certified in the different type of aircraft to be able to fly them. In contrast, there are no formal certification requirements for aspiring cyber security professionals to work. While there are a number of certificates available to demonstrate some level of proficiency in information security, the most recognised certification in the world today

Australian Cyber Security Magazine | 31


An example of a Flight Checklist for a Boeing 747-200 Freighter Source: Patrick Smiths Ask the Pilot – www.askthepilot.com/checklists

that parallels the theory and practical component of the PPL is in fact the CISSP, the Certified Information Systems Security Professional, an ISO/IEC 17024:2012 accredited certification, which requires the candidate to demonstrate both an understanding of the theoretical elements of information security, as well as 5 years of demonstrated and hands-on experience within the cyber security field. While attaining CISSP certification offers the practitioner the ability to demonstrate their experience and knowledge in cyber security, it is, rather regretfully, not compulsory to attain.

Flight Checks and Auditing A crucial element of aviation is the rigorous use of audit functions prior to, during and after each and every flight. Since the crash of the Model 299 (later known as the B-17 Flying Fortress) during a demonstration flight in 1935, Boeing adopted the concept of the checklist as a permanent and mandatory tool to assist pilots to address shortcomings in the human capacity to remember lengthy and complicated processes. These checklists are thoroughly followed and cross-checked by both captain and co-pilot for each flight. This ensures that important tasks are not forgotten, tasks that could result in an accident if not completed at the appropriate time. In addition, the verification of each task is “cross checked” by another qualified individual to minimise chances of errors.

32 | Australian Cyber Security Magazine

In comparison, this same universal acceptance of risk minimisation culture through auditing and compliance simply does not exist in the information security world. The omission of basic steps in the configuration of information security appliances is often cited as a leading cause of a cyber breach. In fact, the UK Information Commissioners Office has determined that 80% of all data breaches have occurred due to human or process error . Globally, IBM has determined that 70% of all lost data occurred due to misconfigured cloud storage servers, databases, networks or backup gear. The lesson here is that it would be prudent for information security practitioners to adopt a “checklist” and “cross-check” approach to the configuration and upkeep of cyber protection solutions.

Redundant Systems and Redundancy in Depth All aircraft systems that provide safety-critical functionality includes, by design, the concept of redundancy. For example, all modern commercial airliners feature at least two engines, and these aircraft can fly with only a single engine operating. In addition, triple modular redundancy within each engine itself ensures that each system’s subcomponents are triplicated, meaning that for a system failure to occur, all three sub-components must fail. This


Cyber Security

means that almost all aircraft accidents today happen because of human error rather than mechanical failure. In modern information technology environments, this concept of redundancy is also used, albeit not as successfully as in the aviation realm. Storage systems operate using technologies such as RAID, allowing for single or even multiple hard disk drive failures to occur without loss of data or integrity. Another example of this is in networks, which often have redundant switching and power paths to allow for failover in the event of a link or power failure, or service outage. In the information security realm, redundancy is often considered from the “defence in depth” concept – being that if a defence mechanism is compromised, another layer of defence exists to provide added protection. This defence philosophy has been adopted from our cousins in the physical security world, who use gates, fences, locks, doors, access control systems and alarms to deter or otherwise keep out intruders. However, defence in depth is often done poorly by information security practitioners. Many organisations are protected by a firewall and an endpoint security product, with little to no other controls in place. Technologically speaking, these controls can be easily circumvented, particularly when they have not been deployed correctly.

A Well Regulated Operating Environment The system of international rules and regulations that govern aviation are extensive and detailed. The Chicago Convention on International Civil Aviation was signed in 1944 by members of the newly forming United Nations and today is responsible with regulating and coordinating international air travel. This convention and subsequent amendments has been ratified by the national governments of the signatory states and contains over 12,000 international standards and recommended practices. The Chicago Convention defines rules governing airspace, air traffic control, aircraft registration, airworthiness and safety, training and certification of personnel, communications protocols, search and rescue operations, investigations of accidents and even units of measure. It also forbids airlines that do not conform to these regulations from flying, either within a nation or to other nations. In addition, provisions exist for newly discovered vulnerabilities to be immediately actioned (for example, the grounding of all Airbus A380 aircraft with Rolls Royce engines following the Qantas QF32 incident where the engine catastrophically failed at cruising altitude). In comparison, the information security field lacks the same approach to data security and information privacy. Whilst there are a number of voluntary international cooperation schemes in place, no cyber-focused international convention exists. While there have been attempts to define a specific information security convention at the United Nations level, this has been unsuccessful, and the work has been left to national governments to define their own set of rules and regulations that very often significantly differ from each other (for example, the European Union’s GDPR and the Australian Notifiable Data

Breach scheme) while some nations (such as the United States) lack a national cyber security law.  

Prevalent Use of Automation Aviation has relied on a high degree of automated systems for many years. It is commonly known that modern airliners have the ability to take off, fly and land themselves through the flight management system . The well-known autopilot was first invented in 1912 and the automated landing system first came into prominence in the 1960’s. Through further developments in technology such as fly-by-wire, aircraft can now land safely in conditions that otherwise would be unsafe to land and practically fly from place to place with minimal human interaction. An analysis of the decision trees that make up these avionics systems indicates that each course of action requires a number of decision gates to be crossed, rather than a simple situation where, for example, autopilot disengages as soon as one single condition is satisfied. In comparison, the information security world’s approach to automation has been piecemeal at best. While many systems offer automated courses of action in response to a perceived or actual threat, the logic often stops there. Consider, for example, when your personal computer discovers something it identifies as malware. This item is usually prevented from executing and the user is prompted for a course of action (these are generally to allow, block, quarantine and delete). Other systems such as SIEM (security incident and event monitoring) solutions still require human intervention to manage the alerts generated from these systems, with the number of alerts often exceeding the capacity available to manage each of them. While there have been developments made in information security automation and artificial intelligence, these developments lag far behind the aviation realm.

In Conclusion It is often said that flying is the safest form of travel, and numerous studies on the subject indicate this to be the case. This level of safety has occurred due to a variety of factors - recognition that the paramount focus on safety, before schedule; the appropriate training and certification of flight staff; the extensive use of flight checks and auditing; the deployment of redundant systems and redundancy in depth; the high levels of regulation in the aviation environment; and high levels of automation. If the cyber security industry is seeking to find ways to emulate the success of the aviation industry to ensure a safe and secure world for its users, it would be advisable to learn from the valuable lessons gained from years of aviation, to develop the best possible means to protect the information of consumers, organisation’s and government.  


Cyber Security

Do I need an ISMS? yes, here’s why By David Stafford-Gaffney

As a business leader, in any vertical or industry, there are times you give more of yourself to the achievement of business outcomes, than you do to your own family. It’s not a flaw, if there is ultimately a balance, although that is another article. You work hard, you’re passionate, you want your kids or family to look up to you and what you and your partner have achieved and at times that comes at a cost. However, ultimately, you do it to make a better life and you know (or hope) it’s only for short bursts. You wear the impact of your efforts like a scar from battle, with the exhausting late nights setting strategy, the stress incurred from the tough decisions that impact people’s lives, the interstate trips away from the family, the actual delivery of the strategy and finally, the operationalisation of it, never too far away from your thoughts. You know all too well that there is still one more move to be made, the enactment of the organisational change program, to see everything through and being methodical, planned and process driven, you leverage the trusted Deming Cycle to stay on track. However, there is one thing you hadn’t planned on and as you are listening to a question at a conference on regulations surrounding privacy information, your mind starts wandering, trying to recall if this was one of the requirements you considered during the recent transformation. Your almost certain this was not a

34 | Australian Cyber Security Magazine

consideration. Imagine not considering where and how you handle customers’ Personally Identifiable Information (PII), or payment card data, or health records. Who has access to them? How is that access managed? How are the records themselves stored and transmitted? How are the assets they reside on protected and who makes decisions on changes to them? How are changes to the systems managed to minimise disruption? And ultimately, how do you preserve all of this in the event of a major adverse situation? This is not an uncommon situation and the reality is that overlooking this results in no small impact, your organisational change agenda has been announced, the strategy is in place, changes to delivery now come at a massive cost, redesign of systems, architectural changes to support new data flows and information management requirements. Worst, if you don’t have an in-house IT team, the bill is even higher as you begin to engage expensive outsourced resources. And, if you require a level of certification to attest to the levels of assurance and governance afforded to these systems, you now have yet another organisational change initiative to plan and deliver. You’re not alone, if you hear someone talk about security, cybersecurity, or hackers and think it’s a problem for your IT team, however, the reality is very different. Reputational damage suffered because of a notifiable data


Cyber Security

breach (new Australian legislation as of February 2018) can have dramatic effects on liquidity, share price, consumer confidence, product launches and many other facets of business. So, the first step in setting your business up for success is to realise that security is about your business and not solely about IT. Once you understand this, you can begin planning how you can use security to support your business plans. Strong security governance as directed by the ISO27001 standard, is far more than technical controls. It requires senior leaders in the business to set the security agenda and openly declare support for the initiative via sponsorship and endorsement of an Information Security Management System (ISMS). They agree that security becomes part of almost every business process, including: • • • • • •

On-boarding and off-boarding of staff Project management Change and Incident management Asset management Business continuity Security of the businesses operating and non-operating locations • Operations • Risk Management • Privacy • Legal/Regulatory compliance • Information Management • Software development, both in-house and outsourced • Effective supplier management This is not a quick and easy path to wander down, nor is it something you can outsource. Information Security Management is a way of working, it must become part of your organisational culture to be truly effective. There are requirements for regular, formal meetings, where minutes are recorded and evidence of adherence to process is captured, along with a demonstrable approach to improvement, a set of well-maintained mandatory documents and most of all, it can be a very different way of working. It might include a few extra steps in a procedure, might make some processes take a little longer, might introduce new forms or templates, might require additional clearances for working, or new mandatory skillsets, or even the testing of plans that support the business through adverse events. Time needs to be invested to really plan this out and understand what this journey looks like and why you might consider it. If you are unsure as to why you might require good security governance and the benefits of the implementation of an ISMS, consider the following: •

that meet these obligations. To support the business in the achievement of its strategic goals, an ISMS can assist to reduce the risk of reputational damage. Reduce the risk of regulatory fines from the Office of the Information Commissioner or others. Reduce the risk of the loss of sensitive information to competitors or criminals. Perhaps you’re concerned about the ability for your organisation to recover from a security related incident and the costs that might arise from the resolution of a breach. Remember that even insurance offered to cover cyber security will require that you have at least some level of governance within the organisation.

Take some time to really understand why you might consider going down the path of establishing an ISMS. Remember that in the points above, not one talks about IT, this is because good security governance supports the business in achieving its objectives. Also keep in mind that this system will require some level of change within every facet of the business and will need to be as well planned as other large organisational change initiatives. Finally, if you cannot gain support and buy in from the most senior leaders, you will be destined for failure or at least an incredibly difficult and stressful experience. However, that is no reason to stop, use your skills of influence to educate the senior leaders, until you have their support. Always keep in mind that security performs a key supporting role that allows the business or organisation to achieve its objectives. It reduces levels of uncertainty through the establishment of good governance and effective risk management. While there is a focus on information technology in parts, it makes up one of 14 business domains (ISO27001) that good governance should be applied to. So, when you find yourself thinking about how to minimise risk and disruption through the achievement of your strategy, perhaps look at commissioning a security baseline assessment against one of the well-known standards. I’m confident you’ll be surprised at how easily your hard-earned capital reserves are at risk of being thrown in the wrong direction, reducing liquidity and hampering growth and transformation objectives. Or, at the very least, damaging reputation, resulting in similar impacts.

An ISMS can offer competitive advantage and differentiation as a declaration of your commitment to the management of your customers’ valuable data. This is certainly the case if your ISMS is independently assessed and you gain ISO27001 certification. If you’re concerned about the growing regulatory, legal and contractual obligations your company is required to adhere to, an ISMS will strengthen governance across the organisation and deliver business outcomes

Australian Cyber Security Magazine | 35


Cover Feature Cyber Security

Implementing the essential eight

T By Tony Campbell ACSM Editor

he Australian Cyber Security Centre (ACSC) most cited security guidance is, “Strategies to Mitigate Cyber Security Incidents,” or more commonly called the Essential Eight. Let’s look at these eight security controls and see why ACSC recommends that all organisations should adopt them to bolster their cyber defences.

Get the Basics Right Three of these controls are basic system management procedures that organisations should already be doing. Timely installation of patches (for applications and operating systems), along with backups, are the best place to start. If patches are applied as soon as vendors release them, a significant volume of malware can be rendered inert. Attackers require vulnerabilities for malware to attack: without vulnerabilities, they cannot operate. Modern operating systems and applications automatically install patches, so there’s no excuse to be anything but up-to-date. System backups are fundamental management

36 | Australian Cyber Security Magazine

activities that all organisations should be doing. Backups provide the most reliable way to recover from a virus attack and can be used to recover lost or damaged data. The most prevalent cyber threats affecting today’s organisations are Ransomware; data is encrypted and the only way to recover it is to pay the ransom in the hope the criminal will provide the decryption key. However, a properly backed up system allow quick recovery to a point, prior to infection.

System and Application Hardening The Essential Eight has two controls in this category: hardening Microsoft Office and general user application hardening. Office can run embedded applications that automate certain functions. These applications (macros) are written in an embedded programming language called Visual Basic for Applications (VBA). Macros can access the operating system and pass data between Office applications, which is why criminals use it to write exploit code. Microsoft recognises VBA’s potential for abuse and


Cyber Security

"Most social networking sites and online services have implemented enhanced authentication, requiring an additional factor, such as a pin number or one-time code obtained from a mobile device" implemented enhanced authentication, requiring an additional factor, such as a pin number or one-time code obtained from a mobile device. In cyber security parlance, this is known as multifactor authentication (MFA) and has become the standard for authenticating a user’s identity. ACSC suggests that organisations should adopt MFA for remote access, such as for VPN access or remote desktop access. Furthermore, administrative accounts should also use multifactor, since hijacking an admin account provides the attacker with the keys to the organisation’s ICT kingdom. MFA makes it much harder for the hacker to impersonate a legitimate user, since they not only have to guess their password, they also need their fingerprint, iris scan or mobile device, depending on which MFA service(s) are implemented. ACSC’s guidelines on MFA can be found here.

Software Restrictions The last two security controls are more complicated and harder to get right. These are: • •

provides policy settings to disable untrusted macros. This feature uses special signatures to identify trusted macros; any macro without a signature is blocked. More details on how to lock down Office can be found here. Regarding other applications, many have specific hardening options supported by the vendor. For example, it’s possible to configure most web browsers to block dangerous scripts, such as embedded Flash applications, from running. Flash has been notoriously bad for security since inception, so it’s advisable to configure browsers to block it. Further blocking of ads and Java applications can defend against attacks. Most applications can be hardened; it’s just a matter of looking on the vendor’s website and following their instructions. ACSC also has several guides to help with application hardening, such as their advice on Java lockdown here.

Passwords are Old School Most social networking sites and online services have

Restricting administrative privileges; and Application whitelisting.

Administrative accounts are the keys to an organisations’ virtual kingdom, so they should be carefully controlled. Most operating systems allow locking down of user accounts, but it’s also worth building a role-based model for administrators, only providing system privileges based on duties. ACSC provides the following advice to help organisations implement better control over admin accounts: Restricting Administrative Privileges. Lastly, application whitelisting is by far the most powerful of the Essential Eight controls. Done properly, whitelisting prohibits unknown applications from running, meaning viruses, malware, adware and Ransomware are all blocked. The problem is, whitelisting, even on Microsoft Windows, is very hard to get right. There are various implementation modes, some of which are easier to apply than others, but it’s only the strictest mode that provides full protection. The other modes, while partially effective, leave gaps that hackers are wise to. For the trouble, it’s worth it when done right, but it’s not a control to do in half measures. At suboptimal levels of security, whitelisting provides more pain than it’s worth, so go into any whitelisting project with eyes wide open. ACSC’s guidance can be found here.

Australian Cyber Security Magazine | 37


Cyber Security

Cryptocurrencies: Tackling the double-spend or 51% attack

I By Annu Singh

magine if you could spend the same currency note in two different places. In traditional currency this is not possible due to several checks and balances by governance bodies, like banks and governments that prevent counterfeiting or such misuse of the note. How does this work in the world of bitcoin and other cryptocurrencies that are decentralized? Bitcoin is a digital currency created by Satoshi Nakamoto in 2008. Like all cryptocurrencies, bitcoin works on peer to peer networks that use blockchain distributed ledger technology, which form a chain of blocks to create permanent records of transactions in an encrypted, auditable and secure way. Once data is recorded in a block it becomes very difficult to change it. A bitcoin block has 3 main components of information recorded on it: 1. Data 2. Hash 3. Hash of the previous block. Data stored inside a block depends on the type of block chain. A bitcoin chain stores details of transactions like sender, receiver and the amount of bitcoin. Hash in the block are unique and can be compared to a fingerprint. Hash helps identify the block and all its content. Once a block is created its hash is then calculated. Any changes made in block, results in changes in the hash. Hash is therefore useful in detecting any tampering done to the block. Bitcoin use SHA256 cryptographic hash. The third element inside a block is the hash of previous block. This

38 | Australian Cyber Security Magazine

connects with the hash of current block to effectively create a chain of blocks. If there is any change in the previous block its hash changes and so does the linkage with the current block, leading to a cascading effect to the chain of blocks ahead in the block chain, turning them invalid. First block of the chain is known as Genesis block and does not have a linkage to any previous block. But using hash is no longer a guarantee against tampering. Computers these days are very fast in calculating hundreds and thousands of hashes per second. You can effectively tamper with a block and recalculate all the hashes in a block chain, to make the block chain valid again. This is called as ‘double spend’. So, to mitigate this blockchain you have the concept of “proof of work”. ‘Proof of work’ (PoW) is a mechanism that slows down the creation of a block. In bitcoin, this is called mining and involves members processing complex, resource-intensive equations to create strings of characters that other members use to verify the legitimacy of the transaction. Mining capability is measured in the number of attempts to find a block that a miner can perform. Each attempt consists of creating a unique block candidate and creating a digest of the block candidate by means of the SHA-256d. Hash power can go 1ph/s (peta hash per second) and above depending on the setup. It takes about 10 min to calculate the required proof of


Cyber Security

work and add a new block to the chain. This mechanism prevents tampering of blocks because if you tamper with one block you need to recalculate the proof of work for all the block. So, the security of a block chain comes from creative use of hashing and proof of work mechanism. Another way that block chain protects themselves is by being distributed. Blockchains use peer to peer networks instead of a central authority to manage and everyone can join. Members in a network are called nodes. When someone joins this network, he/she gets a full copy of blockchain. Nodes can use this to verify everything is in order on the network. When someone adds a new block to the network, it is sent to everyone on the network and each node on the network verifies that it has not been tempered with. If all checks out, each node can add it to its block chain. All nodes on the network creates a ‘consensus’ by agreeing and validating the blocks that form a blockchain. Blocks that are tampered with are rejected by other nodes in the network. This results in transactions that cannot be altered or reversed, unless the change is agreed to by all members on the network in a clear, transparent and trustworthy manner. Mining speed depends on factors like hash rate, bitcoins per block, bitcoin difficulty, electricity rate, power consumption and pool fees. The decentralized nature of the blockchain network prevents any single node or group of nodes from undermining the system. All nodes are equal and adhere to same rule. To successfully tamper with a blockchain, you need to tamper with each block of the chain, redo the proof of work (PoW) for each block and take control of more than 50% of hash power of the peer to peer network. When someone has >50% of the network hash power, he/she would be able to generate blocks to selectively confirm certain transactions or rewrite the recent transaction history. This is termed as a 51% attack. Superior hash power and the ability to generate a private blockchain longer than a public chain, forms the key foundation of a double spend attack. In a 51% attack, the attacker creates a private blockchain (not broadcast to the network) in parallel to the public blockchain being validated by nodes and uses the bitcoin to exchange services or goods. Once the public blockchain has ‘x’ blocks as per the service provider’s expectation, they release/deliver the service. The attacker then broadcasts the private chain, which has by now blocks >x to the network, making it the largest blockchain, which immediately replaces the public chain, effectively removing the record of the previous transaction for goods or services, thus allowing the attacker to obtain the service for free, aka double spend. But this is near impossible to do, as generally the cost of resources required to get 51% control of network hash power, far outdo the profits. Depending on the Bitcoin difficulty, it needs to be anywhere from 3 Ph/s or 3000 th/s to 7.5 ph/s of hashing power to mine 1 btc per day. The two most powerful electronics devices mostly used for bitcoin mining are: • AntMiner S7 • AntMiner S9 AntMiner S7: has capacity of 4.73 Th/s and its power efficiency is 0.25 W/Gh.

AntMiner S9: has capacity of 13.5 Th/s and its power efficiency is 0.098 W/Gh. Assuming even 3Ph/s for example, means a miner would need 220 antminer S9's, which gives a hashing power of 13.5*220, with an electricity bill of $800 per day and $240k per year, not to mention the cost of the hardware. As the process is so resource and cost intensive, it is not easy to pull off a 51% attack. But considering the recent attacks on cryptocurrencies like Reddcoin, Litecoin & Altcoin, a few other steps are now being looked at to encounter the 51% attack: • Increase the number of minimum confirmations required, that is increase the time of PoW; which renders the attacks significantly costlier and slower to execute, thus reducing the profit or incentives to carry out such attacks. BTC-e responded to a 51% attack on Feathercoin by increasing their confirmation requirements to 100 blocks rather than the usual six. The Reddcoin merchants also increased their number of confirmations from 6 to 60, when Reddcoin was 51% double spend attacked. • In theory, honest miners can rent hash power from cloud (from pool owners and core teams) to defend the network integrity, if a threat is detected to thwart 51% control. Dedicated Denial of Service (DDoS) can also be used as a strategy, based on the time frame of the attack, to slow down the attacker and considerably reduce their hash power. • Implement a penalty on delayed submission of the blockchain - A white paper was recently published to propose the introduction of a penalty in the form of a block acceptance delay, in relation to the amount of time the block has been hidden from the public chain time, being measured in block intervals and not timestamp. • Proof of Stake Velocity (PoSV): Few cryptocurrencies are looking at moving away from PoW, to mechanisms that focus on ownership (stake) and activity (velocity). To increase your chance of finding a valid block and receive block rewards, instead of buying GPU or ASIC for more hash power, you just need to have a bigger holding of cryptocurrency and keep your wallet running and connected to the Internet to participate. With PoSV in place, the attacker will have very little incentive to carry out any attack, which reduces the value of his own holdings. PoSV further limits how much coin-age he can accumulate by punishing excessive hoarding. As a result, PoSV can provide better security than PoW. Ideally no entity wants to breach >50% hash power, as seen by steps taken by GASH, as they want to protect their investment in hardware, as well as maintain their profit margins, but with concentrated mining power and drop in the cost of lease, we have seen in some circumstances it is now economically feasible to pull off a 51% attack on operational public blockchain networks. This continues to draw attention from experts, as I write this article, who continue to research into layered defense strategies to make the blockchain network more secure every day.

Australian Cyber Security Magazine | 39


Cyber Security

Why do MSSPs struggle, even in the cyber boom?

B By Simon Ratcliffe

eing longer in the tooth can be useful if you remember the lessons you learned and can apply the principles to new problem domains. We know experience is what you get just after you needed it and like jumping from a plane without a parachute, you don’t often get a chance to go back and try it again. When at University my Economics lecturer spent many hours describing economic theories that all made sense at the time. He had us leaning forward hanging on to his every word, until nearing the end of the lecture he would reveal case-studies that at some time and at some place saw progressive economists and politicians put these theories in to practice, to eventually be dispelled as complete bunkum. This was usually followed by coups, wars, depressions, or worse still, the emergence of actors and egoists who rose up, as citizens shifted their hopes from pursuing the literati, to courting the glitterati. They once called it ‘dismal science’ because every theory appeared to lead to a grim future, but there is a lot to learn and apply to the field of information security. Having been part of the early Managed Security Service Provider movement of the late nineties, many years before this information security lark attained the ‘cyber security‘ label, my cohort had a dream to find a way to provide detection and response services at the scale and unit cost to make them accessible to all and save us from the scourge of OSHI*. (Organised criminals, State actors, Hacktivists, Insiders… and today with the raised concern for Terrorism, it may be time for a new acronym*).

40 | Australian Cyber Security Magazine

Many clients had missed the importance of the PDR mantra (Protection Detection and Response). They had missed the critical knowledge that all successful security systems rely on three pillars and information security is no exception. We knew their over-investment in protection technologies would continue to fail, leaving timely detection and effective response to stand between them being on their game or being left out of the game. But how could we create protection, detection and response capability for all, at a consumable price? The 1700’s economist and author, Adam Smith, spoke of limiting government intervention; that ‘laissez faire’ or, an ‘invisible hand’ would allow market forces, the self-interested actions of the people, to create an equilibrium where supply met demand, to arrive at a consumable market price. To date this has not happened in the information security industry and unfortunately the only invisible hand at play has continued to erode the Australian economy through the clandestine taking of intellectual property, investment decisions and state secrets. The reasons are many, but certainly one challenge has been one of not experiencing what economists relied on to test their theories, that of ‘ceteris paribus’, the concept of everything else remaining the same. The threat landscape has constantly changed, and the service providers and large enterprises have been caught out. They of course had good intentions. They set a course to build their SOC’s SIEM’s and sensors with people and


Cyber Security

processes to suit, only to find the OSHI had changed their M.O. and their clients had adopted new ways of working, with mobility, cloud and other market influences blowing away the perimeter concept. If everything had remained the same, market forces may have driven the reach and scale that allowed the service providers to improve their services and reduce cost, but now the concept of industrial inertia has set in and those who invested heavily are attempting to only slowly change course, without openly condemning their investments in legacy systems and loudly crying out to the market that they got it wrong. Stock prices depend on it. The MSSP and large enterprise investments in the people, processes and technologies has been huge. Unlike in the industrial revolution where manufacturers figured out optimal locations to suit the cost/price tensions around supply of inputs versus location of market, to enjoy a true purple patch before they had to resort to expensive imports, MSSP’s and large enterprises never enjoyed such a period with security operations. MSSP’s took aim at the target rather than ahead of the target. (or to use that North American analogy, skated to where the puck was, not to where it was going.) It has meant they invested heavily in infrastructures and platforms that perhaps were never fit for purpose, but today are sadly lacking. There is no doubt that cyber security is front of mind and if you knew what you were measuring, would observe spending growth. The industry as a whole, and certainly the larger players have, however, not lived up to expectations, creating scepticism around their value, that has in turn led to a fragmented proliferation of new entrants often sporting something way short of a ‘whole’ product or service and many organisations still trying to do it all themselves. In his biography the Snowball, Warren Buffett referenced the car industry of the early 1920’s when 200+ firms were making cars in the US, but none were making money, even in a boom market. The cyber security market is similarly fragmented, and the eventual consolidation seen in the motor vehicle industry is urgently required. Warren glibly comments that he would not have been investing in cars at this time; he would have been shorting horses! Openness, honesty and a re-examination of the outcomes we seek is required. Those who wrote the business case to invest in failed solutions must be granted a pardon, and those who skated to where the puck was, should not be condemned. The economies of scale that come with division of labour and the specialisation of MSSP’s and shared enterprise environments are concepts we must embrace, but we need to stop thinking our business imperatives and minimum viable products (MVP’s), can be tossed in and wrapped up in a service provider’s protective blanket, with the hope that things will work out.

There is no panacea. Although we have so many common challenges around the confidentiality integrity and availability of information, the success of our endeavours relies on the resilience and

uniqueness of our offer to the market. We must all consider how to create solutions with these things in mind from the ground up and assume any elements we introduce in to our ecosystem/value chain today have not been adequately secured either. The more recent involvement of government is to be applauded. Unfortunately, Adam Smith was wrong about laissez fair and the invisible hand. It could never really work when everything has not and will not remain the same. Government has significantly helped raise awareness to an executive level and is now an active vehicle for the delivery of the sound advice that has not been forthcoming from the technologists, thanks to self-interest, competitive tensions and a failure to reach the ears of the right audience. Altruists have begun to save the day, through collaboration and the sharing of knowledge for the common good, so that enterprise and government, recognising security as an enabler, may now invest more wisely and reap the rewards. The government influence around regulation is also to be applauded, where a light guiding hand has been necessary to aid focus on challenges that market forces have to date been unable to resolve. As with epidemiology, ‘hygienic’ practices address many information security challenges through awareness, cultural and behavioural change, adaptation of legacy systems/ processes and development of new solutions that are secure by design. As business leaders have lifted their heads to understand the challenge, we have seen business decisions being made. The technologists have been politely asked to pause and organisations as a whole have taken up the mantle. In time, reduced risk and greater resilience will come with behavioural change, simplification and progressive homogeneity of operating environments. Technology debt and legacy threats should diminish, as cloud service providers take on our secure by design solutions and become the resilient custodians of our future endeavours, taking care of our more fundamental security services requirements. There may always be the need for more focused detection and response specialists that have the time and inclination to intimately understand your environment, are able to hunt for specific indicators of compromise and understand the implications of what they find, wherever you do business and wherever your information is used. A number of these exist today and will likely to be scooped up by brave enlightened behemoths prepared to attack themselves, be folded in to other cloud provider offers or grow in their own right. In the interim the long-standing PDR mantra in this space needs an ‘A’ prefix. Advisors who understand APDR, the secure path to take, the partners to take along for the journey, will unlock significant potential for their clients, allowing them to securely leverage the opportunities that new technologies can bring and there is nothing dismal about that!

Australian Cyber Security Magazine | 41


Cyber Security

What industrial Control system malware means

T By Daniel Marsh

RISIS, otherwise known as TRITON and HATMAN is a piece of malware that targets industrial control systems (ICS) and was discovered in late 2017. This malware was written specifically to target the Schneider Electric Triconex safety instrumented system (SIS), specifically the Triconex 3008 processor module (Dragos, 2017). As sensational as some articles might be, TRISIS did nothing, an error in the code prevented successful execution which would have disabled the SIS and led to operations halting or a complete disaster. The real impact of TRISIS is not the physical damage and destruction that could have occurred, but the resulting code being modified and targeted at different SIS and a whole new world of attacks against industrial control systems (ICS) worldwide. TRISIS may be considered a proof of concept, it proved quite spectacularly that not only are ICS vulnerable to attack but that the attackers were persistent in the environment for more than 12 months without being detected. TRISIS was most definitely not the first malware to target industrial control systems, not only has there been predecessors specifically targeted at destroying the uranium enrichment process but common ransomware has infected human-machine interfaces (HMI) causing loss of monitoring and control, and ultimately blackouts across entire countries. TRISIS is said to be a game changer (Dragos, 2017), not only because of the successful persistent threat, but also the specific targeting of SIS and the capability to potentially bring these life-saving devices down. Although the world has experienced that connecting

42 | Australian Cyber Security Magazine

Figure 1 - open enterprise security architecture

devices and convergence without performing due diligence a generally bad idea and targets are primarily opportunistic (exceptions do exist, of course), not connecting devices does not make you safe. Air gaps can be breached, sometimes very easily by carrying a USB key, sometimes they're breached because of poor documentation, and sometimes they are breached through highly sophisticated attacks using voltage changes to transfer data between devices (Guri, 2018).


Cyber Security

Figure 2 - enterprise IT security zone model

Organisations maintaining ICS need to bring themselves into the 21st century of technology, which is a wild statement, but necessary. When Information Technology (IT) and Operational Technology (OT) convergence has found its way into the business strategy we find that although IT has good cybersecurity controls implemented, OT is very lacking both in the capability to implement and the capacity to support added controls. OT is a broad statement covering ICS, SCADA, PLC's, SIS, Building Management Systems (BMS), sensor arrays, and everything else not associated with traditional IT. OT environments consist of devices that often required 100% uptime, devices are not rebooted for fear of never turning back on, further, they run with at high utilisation / low capacity limiting the ability to implement cybersecurity controls without a major uplift. Stepping into the 21st century for OT does not need to be daunting and needs to take a structured approach to business strategy, goals and aligning the OT environment with these. A lot of principles from IT are still very applicable in OT, there is no need to rebuild the process

for implementing cybersecurity in your OT environment. The enterprise security model in figure 1 from the Open Enterprise Security Architecture (O-ESA) by the Open Group provides a well-formed and structured approach to developing an enterprise security architecture. Utilising the same governance approach for enterprise IT as taken for OT provides added efficiencies and understanding of processes, policy and assists in developing an aligned approach to cybersecurity for the organisation as a whole. Ultimately, leveraging this framework helps break down the silo's IT and OT work in, allowing incompatible teams to work together, enabling IT and OT convergence and further enhancing the capability and capacity to align with business strategy and achieve business goals. The key factor in developing a successful organisational security architecture is understanding that, technically, the approach to implementation is different, as different as French cuisine is to American Hotdogs. The same concepts apply, primarily that of implementing a zone architecture and ensuring the functionally independent devices are isolated

Figure 3 - industrial control system security zone model

Australian Cyber Security Magazine | 43


Cyber Security

Figure 3 - industrial control system security zone model

from each other. In IT, the focus is primarily on a simple three-tier architecture consisting of interfaces, logic, and storage, whereas OT and focuses on isolation of based on function, such as smart grids and their zones, transmission, distribution, and generation of power. With all zone model approaches, identifying system criticality, as well, critical. A critical system warrants additional controls to ensure it is resilient, redundant and protected from high threat attacks. Figure 2 shows a detailed security zone architecture, with the consideration that each box is representative of multiple sub-zones, which is easily adapted to OT environments as seen in Figure 3, which provides each zone logical and physical separation from each other. Although Enterprise IT can have an all-in approach to cybersecurity (all controls all, all monitoring, all seeing, all preventing), OT environments have an added level of complexity - their environments consist of low-level devices such as pumps, motors, and actuators, logic controllers, including SIS, to data historians, HMI's and workstations. To capture these diverse systems, the McAfee 3x3 security model should be considered, each column reflects business, SCADA, and plant components and each row represents data, network, and endpoint systems. This model, when applied to specific systems, such as the power generation function of a plant can help classify components utilised and enables an educated approach to implement cybersecurity controls (American National Standard, 2007), the matrix can be seen in figure 4.

44 | Australian Cyber Security Magazine

IT is seen as a business enabler, without IT most businesses cannot function let alone exist (what is Google, if not for the Internet). OT, too, is an enabler, it enables us to live our lives, safely, with electricity, water, gas‌ the Internet. Cybersecurity is often still seen as that annoying little brother, running around poking faults at everything and hindering the business. Cybersecurity is a business enabler, it enables the business to operate safely in hostile environments, it enables safe and protected convergence of IT and OT, it protects the business from others and from itself. Businesses need to engage from the top down, delivering strategy but also bottom-up and ensuring that technically the strategy is achievable. Integrate a cyclic process, even of the simplest nature, plan-do-check-act, to foster the continual growth, learning and correction required to bring OT security into the 21st century. About the author Daniel Marsh has 17 years of experience as trusted advisor to organisations across Australia focusing on cyber risk management and developing reliable and secure systems and infrastructure. He specialises in risk frameworks, information security models and architectures, threat intelligence, threat hunting and vulnerability management.


Cyber Security

Australian Cyber Security Magazine | 45


Cyber Security

Meet the twins in cybersecurity: Empowering Gen Z and addressing talent shortage.

M

eet twins, Noushin Shabab and Negar Shabab. They grew up attending a special school for whiz kids and are now slowly making their mark in education and the industry to bridge the country’s alarming cybersecurity talent shortage. It all started when Jacqui Loustau, founder of the Australian Women in Security Network (AWSN) met Noushin Shabab, member of Global Research and Analysis Team (GReAT) at Kaspersky Lab, during a cybersecurity panel in Melbourne last year. Several meet ups later, Loustau together with co-founders of the AWSN Cadets, Elizabeth Bonny and Diane Loi, collaborated with the twins on workshops for the AWSN female cadets. The Shabab’s were the first mentors to provide technical workshops and mentorship which aims to boost their cadets confidence and equip them with the necessary tools before embarking on a profession in cybersecurity. Today, this initiative has grown to 60 girls from different universities across Victoria. Recently, the pair also collaborated with Cyber Security

46 | Australian Cyber Security Magazine

Challenge Australia (CySCA). Launched in 2012, CySCA is Australia’s only national hacking competition, Run by the Department of Prime Minister and Cabinet, the competition targets students in higher education to unearth the next generation of cyber security talent. They worked closely with Dr. Fengling, who leads RMIT’s involvement with the challenge to teach a custom, tailor made syllabus with a niche in reverse engineering for the competition participants. Dr. Fengling Han says, “Cyber-attack is considered as one of the threats to business growth globally. To address the cyber security skill shortages in Australia, CySCA aims at promoting cyber security as a career option by highlight the key skills required in cyber security practice. Penetration testing and network forensics are the main topics in CySCA. RMIT Computer Science students show strong interest in competing in the CySCA this year. We have a record of 5 teams (4 students in one team) registered, include a team from first year students, and an all-female team. They have seen so many internship placement and job positions on


Cyber Security

"...just give it a shot and you most certainly won’t regret it. This is an industry that lets you grow as much as you want. There is no end to the learning process and the rewarding feeling you get from you work. We live in the age of technology and cyber and you will soon find your job being your lifestyle.” cyber security.” These identical twins are perhaps the hand few Australians with a niche in reverse engineering. Based out of the Melbourne office, Noushin says, “In 2016 when I first started looking for a job in this field, I noticed how large the skill gap shortage of security researchers were in Australia. However, since the attack that caused Census (Australian Bureau Of Statistics) to shut down and Wanna Cry ransomware, the government and education ministries found it crucial to grow a new breed of students and professionals in the field of cybersecurity. Her older sister by a few minutes, Negar adds, “Our new projects and partnerships with these universities and are very exciting as both parties can truly make a difference for this industry.” In 2017, ACT Government estimated that Australia would need another 11,000 cyber security specialists over the next decade. With the rise of connected devices, more organisations are constantly faced with finding the right security fit to combat cybercriminal activity. Negar who is part of the application security team at PS&C Group says, “I do see many discussions around the talent shortage. There are many industry led, national competitions held by the government which show that we are moving in the right direction. However, what remains a lingering concern, are how organisation only recruit professionals and experts in the field. This leaves a very small window for graduates who wish to pursue a career in cybersecurity and newcomers to grow in this space. What should start effectively are internship positions and graduate roles offered by companies to create opportunity for experienced people who come from other fields but are looking for a future in cybersecurity. Kaspersky Lab and Swinburne University of Technology have also signed a Memorandum of Understanding (MoU) to support cybersecurity education and bridge the country’s skill gap. The partnership will focus on enhancing cybersecurity education of information and communication technology courses run by Swinburne’s School of Software and Electrical Engineering. Students and teaching staff are able to benefit from the “Train-the-Trainer” program that promotes regular exchange of information such as industry insights and best practices. “This partnership will enable our staff to remain at the cutting-edge of cybersecurity technology in Australia and the world,” says Professor Hung Nguyen AM, Pro Vice-Chancellor of Swinburne’s Faculty of

Science, Engineering and Technology of the MoU signing in June.” He added, “Our students will better learn how to apply the knowledge they are learning to real-life problems, giving them a competitive advantage in this growing industry. Together with Kaspersky Lab we can foster the development of educational and research projects in the field of cybersecurity.” Kaspersky Lab ANZ General Manager, Margrith Appleby says, “The current skills shortage is a result of a lack of defined career paths. We believe our partnership with Swinburne University Of Technology within their respective faculties in software, engineering, science and technology will ensure the development in training and educational content for a new future of cybersecurity experts in Australia.” When asked if these cyber twins have any advice for Gen Z, left handed Noushin says, “Always have a curious mind. Never stop asking questions about your surroundings in this line of work with your circles, peers, mentors and role models. Don’t be afraid of asking silly questions and speaking your mind. This is because all these ingredients build the confidence and knowledge for you to grow your skills and potential in cybersecurity.” Her right handed sister advices,” All I want to say is, just give it a shot and you most certainly won’t regret it. This is an industry that lets you grow as much as you want. There is no end to the learning process and the rewarding feeling you get from you work. We live in the age of technology and cyber and you will soon find your job being your lifestyle.”

Episode 118 – Meet cyber twins @ noushinshbb @NegarShbb #womenincyber #malware #analysis #appsec Staytuned for upcoming podcast interviews from Kaspersky Lab #KLNext summit, Barcelona Spain.

Australian Cyber Security Magazine | 47


Cyber Security

ASD’s Essential 8: Get the Basics Right By Elliot Dellys

F

rom military strategy to the law of parsimony, history has shown us that an approach that makes the fewest assumptions is often an effective one. This philosophy was at the core of ASD’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which were collectively assessed as capable of mitigating 85% of identified intrusion techniques. So, why is it that so many organisations find implementing its successor, the Essential Eight , challenging today? Frederick the Great once told his generals that “He who defends everything defends nothing”. While military history has always been a fertile breeding ground for information security clichés, it is not without reason. Even some foundational concepts, such as defence-in-depth, have their roots in the military formations of the Red Army, Wehrmacht, or Roman legions. Yet our inability to pick our information security battles can be as lamentable as our fixation with war

48 | Australian Cyber Security Magazine

and conflict. Organisations lacking information classification or asset inventories spend millions on Data Loss Prevention solutions without knowing what they need to protect or where they need to deploy it. Others conduct penetration tests against infrastructure that is known to have not been patched for months or even years. In some cases, working groups are created to discuss low severity vulnerabilities, while administrator accounts with weak passwords are littered throughout the environment. Much like a Prussian king, security resources are in short supply, yet there are a multitude of plausible threats to defend against; so how do you prioritise? The Essential Eight was devised to address exactly this problem by establishing an information security baseline for government systems: where it is assumed you cannot defend everything, these strategies help prevent you from inadvertently defending nothing. Nonetheless, when


Cyber Security

The Essential Eight and the law of parsimony both relate to the reduction of attack surface area. Just as a mathematical theorem which poses the fewest assumptions reduces the possibilities for falsification assisting organisations to align with the Essential Eight, I regularly encounter two interesting themes. The first is that many miss key prerequisites. Information sensitivity is frequently not defined, or there is no inventory of systems handling this information. Networks are only as secure as the weakest link in the chain, so it is critical to ensure there is adequate visibility of the environment. Another core prerequisite is that the threat landscape is defined, and tolerable residual risk levels are agreed upon. More than once, I have seen organisations sink considerable effort into securing workstations, while neglecting to harden core network infrastructure. While asset musters and risk assessments are often regarded as tick-box, compliance exercises (especially in agile, fast-paced organisations, for whom time is money), defining the context from the outset invariably saves time and effort in securing the environment in the long run. After all, it means little to have a strategic goal of “protecting our most sensitive information”, if you don’t know what it is or where it resides on your network! The second theme is that many are surprised (pleasantly, for once!) to discover no additional technology is usually required for implementing the Essential Eight. While nothing says “kicking security goals” like dropping big money on an exciting new product, this rarely brings us any closer to meeting the baseline. Antivirus solutions? Towards the bottom of the list, with “limited” effectiveness (bump that up to #12 with “very good” effectiveness if you’re using heuristic or “next-gen” software). Network-based intrusion detection systems? In the bottom four, again with “limited” effectiveness. While you may find managing the patch cycle or whitelisting applications easier with proprietary tools, these are rarely big-ticket items. This discrepancy between big-budget and big-impact is by no means unique to the Essential Eight, either. An excellent blog post by Snyk recently demonstrated that the two most prolific OWASP vulnerabilities in major breaches for 2016 were ‘Using Vulnerable Components’ and ‘Security Misconfiguration’ . In all likelihood (an apt phrase, given the lack of likelihood in OWASP rankings – but that’s another topic altogether), you are more likely to suffer a breach due to an overlooked or poorly configured network component than a persistent and brilliant malcontent. So why do so many organisations struggle with the basics? Often it is because we are so busy doing the multitude of things that seem to matter that we miss the few that truly do matter; in essence, the Essential Eight teaches us the value of getting the basics right. Almost every mathematician and philosopher since William of Ockham has quoted his famous “razor”, yet as a guiding principle it is equally applicable to information security: among competing hypotheses, the one that requires the fewest assumptions should be selected. How many times have you heard this story: a customer, friend or colleague discovers strange activity on a device or network and immediately concludes they’ve discovered a backdoor, intruder, or 0-day – only

to discover (or be led to discover…) that a forgotten, but benign application or device is to blame? By implementing the Essential Eight’s number one recommendation of whitelisting applications and keeping on top of asset registers, we can drastically reduce our attack surface area and potential culprits for any detected weirdness. In a similar vein, Italian theologian Thomas Aquinas paraphrased the razor so perfectly that he no doubt would have flourished as a CISO: "If a thing can be done adequately by means of one, it is superfluous to do it by means of several”. While I’m an advocate of defence-indepth, it is frequently due to either indecision or lack of confidence that organisations decide to muddy the water by throwing several controls at a problem that could be effectively addressed with one. At best, this is a waste of time and effort, and at worst, it can reduce the overall security of the environment. Log management practices commonly exemplify this issue. While it can be tempting to enable verbose logging for every device, application or process in the environment, doing so usually drives the overhead and signal-to-noise ratio through the roof, reducing the overall efficacy of the control. Sometimes less is more, and capturing key events related to high value information, applications or processes generally provides greater assurance that anomalies are not ignored than capturing every conceivable event. In another notable example, recently an organisation told me that it had implemented 17-character passwords – for every… single… account. While the control was no doubt effective for reducing the likelihood of password cracking, the result was an effective DoS of the service desk phone line with countless furious users. Further, implementing a control that is both disruptive and disjointed from the user risk profile inevitably provides a strong incentive for users to circumnavigate it. The Essential Eight and the law of parsimony both relate to the reduction of attack surface area. Just as a mathematical theorem which poses the fewest assumptions reduces the possibilities for falsification, a few simple yet effectively implemented security controls are typically easier to configure, manage and track. Even a single device with an unpatched operating system, unauthorised application, or poorly secured administrator account can offer an adversary a foothold that can undermine a multitude of other security measures. This is especially true where the size or complexity of the environment increases the likelihood of misconfiguration or incomplete deployment, as well as potentially creating a false sense of security. I would recommend every reader peruse the Essential Eight for a sanity check. If you’re concerned about the potential impact of a network intrusion but you’ve never tested your backup solution, administrative privileges are not restricted, and untrusted Microsoft Office macros are not blocked, regardless of that shiny new security product it might be worth getting back to the basics.

Australian Cyber Security Magazine | 49


Cyber Security

Facial Recognition

T By Jane Lo Singapore Correspondent

he use of biometrics technologies had been widely depicted in classic Science Fiction movies such as Blade Runner, Robocop or Terminator. Outsmarting these technologies by protagonists had also been cleverly portrayed. In Back to the Future 2 (1989) where fingerprints were used to unlock doors and validate digital payments, the ‘fingerprint bandits’ amputated digits of key executives to access highly-secured devices. In Gattaca (1997), Vincent Freeman passed the biometrics testing to qualify for a space-flight program, by meticulously scrubbing and removing his own genetic material, and replacing with another in a genetic registry database. In Minority Report (2002), John Anderton evaded the citywide optical recognition system with a black-market eye transplant. The “Facial Recognition” forum by Trueventus (17th – 18th October 2018, Hotel Fort Canning, Singapore) reviewed the expansion of biometrics usage - specifically facial recognition - and the indisputable paradigm shift from physical keys and IDs to face as the key to identity. Facial recognition has come a long way since the pioneering work by the French police officer Alphonse

50 | Australian Cyber Security Magazine

Bertillon. In 1894, he developed the sophisticated process and method of recording and retrieving identifying characteristics including body measurements and photographs to track criminals. By standardizing the views (full face and profile views) and the lighting, he invented the modern mug shot and laid the foundation for facial recognition principles. Technological advances mean that these early techniques have evolved into a sophisticated framework of capture, detection, identification and matching: • • •

High performance cameras to capture moving images at a split sub-second of high-resolution quality. Powerful GPU and CPU resources to process high volume screening of persons in the crowded spaces. Algorithms to correct for optical tradeoffs such as magnification, field of view, depth of field; or to correct for natural changes (aging) and cosmetic surgery. Emerging Deep Neural network algorithms to improve accuracy of matching and reducing false positives


Cyber Security

Phuket Smart City mobile face recognition project, highlighted by Dr. Chaiyoot Chamnanlertkit (Founder / PIAC, Chairman. Know-Edgeorg, ISE Corp S.E. Ltd, Thailand). Photo Credit: Herta

As with conventional authentication protocols, such as passwords that can be hacked or credit card details exposed, biometric data can also be stolen or counterfeited. Case studies Helen (Senior Sales Director, NEC Asia Pacific Pte Ltd, Singapore) presented the use cases of the technology across industries, with examples of NEC’s work, from identifying VIP customers, to stadium ticket control, or forensic investigation. Two other examples highlighted the role of the technology in repairing reputation by improving public perceptions of safety and security. The Phuket Smart City mobile face recognition project, highlighted by Dr. Chaiyoot Chamnanlertkit (Founder / PIAC, Chairman. Know-Edgeorg, ISE Corp S.E. Ltd, Thailand) is one. Reeling from the deadly Bangkok bombing incident in 2015, where there were thousands of CCTVs in the area failed to prevent the incident, Prime Minister Prayut Chano-cha ordered an overhaul of 300,000 security cameras across the country. The Phuket project, where an alarm is raised once a backlisted subject is detected by the Herta

technology, highlighted Analytical Capabilities such as facial recognition with connected CCTVs contribute to “making life efficient and safe”. Thomas Yip (General Manager, Herta Official Distributor – Cyrus Innovations Pte Ltd, Singapore) highlighted another Herta project – the deployment of its facial recognition technology in Uruguay football, to identify unauthorized persons entering the stadiums. By restricting access, the tools contributed to reducing episodes of violence and hooliganism, to provide a positive and safe environment for fans who support their teams.

Spoofing – a biometric vulnerability Potential to do-away with passwords or one-time-pads for authentication is an attractive proposition and powerful driver behind the rapid evolution of biometrics technologies. But its deployment across diverse activities such as forensics, border and access control, surveillance or

Australian Cyber Security Magazine | 51


Cyber Security

or at the enrolment stage (generating a new identity using an artefact of a real or fake user) to access the system. Compared to conventional IT security risk, spoofing may pose a greater challenge to security professionals. Facial traits may not be as confidential as key words as materials can be gathered from public information. There are even online guidelines/tips on creating fake masks, fingerprints or irises to fool biometric systems. And unlike traditional IT hacks, an attacker does not need to be technically sophisticated.

The Elephant in the Room

Facial Recognition in Uruguayan Football . Photo Credit: PRNewsfoto/Herta

Thomas Yip (General Manager, Herta Official Distributor – Cyrus Innovations Pte Ltd, Singapore) highlighted another Herta project – the deployment of its facial recognition technology in Uruguay football. Photo Credit: TrueEvents.

e-commerce leads to security threats. As with conventional authentication protocols, such as passwords that can be hacked or credit card details exposed, biometric data can also be stolen or counterfeited. In the world of Facial Recognition, this is known as Spoofing. A well-cited case in October 2010 involved an elderly white looking man who boarded an Air Canada flight bound from Hong Kong to Vancouver. Helen Chua (Senior Sales Director, NEC Asia Pacific Pte Ltd, Singapore) pointed out that the passenger went through multiple identity check points and it was only during the flight when his real identity was exposed - he visited the bathroom, removed his mask and emerged as a young Asian man. The case highlighted the hyper-realism features of mask and difficulties in spotting their use in spoofing the biometric systems. Spoofing could be executed at authentication (presenting a fake physical copy of the genuine’ s user trait)

52 | Australian Cyber Security Magazine

Several research and development efforts focus on developing anti-spoofing methods based on motion (e.g. eye blink, instructed movement), texture, image quality, thermal detection or hardware. An industry example is the deployment of NEC's Liveness Detection at one of the busiest airports in the world. Solutions also exist to address other challenges such as poor implementation (sub-optimal camera angles/ focal length), poor algorithms, or limited data diversity for training. But the elephant in the room, is addressing data privacy concerns, according to Brian C. Lovell (Professor, The University of Queensland Australia, speaking on “Safety vs Privacy: Assessing the ethical implications of Facial recognition for greater security measures”). The arrest of a fugitive after the technology identified him among a crowd of about 50,000, is a clear benefit of the innovation. But cases such as Amazon falsely matching 28 lawmakers with mugshots raise questions if the technology is being responsibly deployed. Tech companies are not ignoring these concerns. Microsoft's chief legal officer, Mr Brad Smith had argued “for thoughtful government regulation and for the development of norms around acceptable uses”; Google Cloud CEO, Diane Greene said on a BBC interview that “we need to be really careful about how we use this kind of technology.” Indeed, striking the delicate balance between harnessing the technology for its benefits without breaching personal privacy is a huge challenge, and we are just at the beginning of tackling it.


Cyber Security

AUCKLAND | 27-29 November 2018 The Enterprise Digital Transformation New Zealand conference brings together leaders from a variety of industries to identify opportunities to develop digital capabilities for better customer service, engagement and delivery. Attendance at this timely event will give your digital transformation project the best chance of success. The event will include insightful case studies and interactive panel sessions covering the most pressing questionson digital transformation delivered by 25+ industry leaders.

QUOTE IT-10 WHEN REGISTERING TO RECIEVE 10% OFF YOUR TICKET PRICE

+64 9 890 9450

www.dte-nz.aventedge.com info@aventedge.com Australian Cyber Security Magazine | 53


Cyber Security

The future of data breaches, cyber resilience and incident response By Alan Hartstein ACSM Correspondent

S

ydney’s latest Cyber Security Meetup not only drew a record crowd but was largely successful in demystifying the complex issues of data breach and incident response to an eclectic audience of lawyers, techheads and crypto and blockchain enthusiasts. The three speakers all offered personal insights into the increasingly globalised world of data connectivity and how breaches affect everyone from multinationals to anyone with a MyHealth record or a Facebook account. First up was Olga Ganopolsky, General Counsel, Privacy and Data, at Macquarie Group, who is responsible for all of the 28 jurisdictions Macquarie operates in. With her extensive knowledge of the data and privacy space, she was able to provide valuable insights into how lawyers view the issue in an international context and the current shape of data breach regulation globally. “Data breaches take everyone out of their comfort zones, including lawyers,” she says. “If data is global, the question then becomes how relevant are local laws?” While some global frameworks have already taken shape, such as the European Union’s General Data Protection Regulation which came into effect in February this year, there was still a spectacular lack of uniformity for reporting and policing data breaches, Ganopolsky says. In the EU, for example, organisations are obliged to notify authorities within 72 hours of a data breach, while in the US

54 | Australian Cyber Security Magazine

the laws change from state to state and New York actually has three separate regulators responsible for data breach. This lack of uniformity runs not only across nation states, but cultures and in some cases, such as the US, even across industries. This means that something which is deemed immediately notifiable in Australia may not be considered worthy of notification in a country such as The Philippines, which is rapidly becoming a hub for global outsourcing. Then there’s the added layers of complexity when it comes to ascertaining where the breach originated and who was responsible, made all the more complicated if, for example, a service provider inadvertently did something to a customer’s IT platform or infrastructure. Ganopolsky believes it is still possible to operate in such a regulatory minefield and, from a legal standpoint, understanding the regulatory framework of the country where the breach has occurred is essential, however difficult that may be. “Facts are important, but context is essential, and that involves making a real effort to understand the quirks of the country or territory in question.” Being human-centric and understanding the people who have been affected and how it has affected them is also vitally important in a globalised environment, she says, especially since the current gap in global frameworks is not going to be rectified anytime in the near future and cultural sensitivities will always be prevalent.


Cyber Security

response teams, with predictably disastrous consequences. “This company ended up spending over 50 per cent more on fixing the breach than they should have because they didn’t have proper response systems in place,” Swart says. Instead, they should have tested their environment for internal and external threats, given staff better training on what to do if an incident occurs, and above all else kept calm, he adds. Regarding the future, Swart believes drones, AI and blockchain (all the major buzzwords, as he put it), will have a positive role to play in data security: drones through their high-speed computing platforms, AI through its potential to investigate breaches and remedy them and blockchain through its ability to provide an evidentiary link for every computing chain. “Preparation is always better than response and communication between stakeholders is essential for postincident reviews,” Swart adds.

Data breaches affect everyone

Keep your incident response simple Dr Ignatius Swart, a security professional of more than 15 years standing, is a Managing Consultant of Privasec and also leads the NSW GRC and Incident Response teams. He was largely in accord with the previous speaker’s comments on the complexity of the issue, especially in light of huge data breaches to the likes of Facebook, a plethora of banks and high-profile cases such as dating site Ashley Madison. Having said that, he believes there are some simple steps organisations can take to greatly reduce the risks of such breaches. “First and foremost, there need to be defensive systems in place for when a breach occurs. Knowing where and why it happened will go a long way towards remedying it,” Swart says. Swart recommends a return to basics, where there is a simple security framework in place with a tested plan with clearly defined roles for those responsible across an organisation. Often there are procedural steps that hinder incident response, like failure to withdraw password authorisation for users whose machines might be affected, especially if the attack occurs after hours when there’s virtually nobody around. Then there was the time when a major multinational suffered a major data breach which affected some very large customers, several of whom sent in their own incident

Finally Andre Jenkins, the leader of CEC’s Analytics Strategy, offered some unique insights into the risks everyone faces to their privacy and what can be done to keep their data secure. He also provided the bulk of the mirth for the evening, with special reference to Facebook’s Mark Zuckerberg spending untold millions to purchase surrounding houses in Palo Alto to ensure his privacy while being seemingly flippant about the data privacy of the hundreds of millions of ordinary folk who use his platform. What made his talk especially interesting though was his posing the question of whether anyone could guarantee privacy now or going forward and whether it would still be as relevant in the future. “If data is the new world order, we need to make informed decisions about a product that changes all the time,” he says. His example of health data was a powerful one, judging by the audience’s response. It used to be that credit card fraud was the most feared form of data breach, but now you just report what happened and get most or all of your money back. “Loss of health data, on the other hand, could lead to identity theft or the loss of your job if it fell into the wrong hands,” he opined, “especially in the future when it may become much harder to differentiate between what’s real and what’s stolen.” This, he adds, is why Care.data, the UK equivalent of Australia’s MyHealth, is now defunct after a relatively short period of time as people stopped trusting the government to be responsible custodians of their most intimate information, even allowing for the myriad of benefits that belonging to such a system brings with it. The upshot of all of this, Jenkins adds, is that for someone with no technical knowledge, privacy and data breach concerns can be overwhelming, and that is likely to remain the case for the foreseeable future.

Australian Cyber Security Magazine | 55


Cyber Security Cyber Security

Privasec’s Chief Offensive Officer, and leader of the Red Team Karan Khosla sharing real life case studies with the audience. Photo Credit: ICE71

A Cyber Risk meetup Exclusive & special speaker event with ICE71

By Jane Lo Singapore Correspondent

B

reaking into a building, accessing the hidden world of a rogue intruder, and other “war stories” were shared at the third edition of the Cyber Risk Meetup held on 1st November, 2018 at JustCo in the heart of Singapore’s Central Business District. Co-organized with ICE71, the region’s first cybersecurity entrepreneur hub founded by Singtel Innov8 (corporate venture capital unit of Singtel), and NUS (National University of Singapore), the sell-out event of security practitioners and enthusiasts networked and shared best practices, thoughts and experiences on defending against the rapidly growing cybersecurity risks in the region. Keynoting the event was lessons learned from Red Teaming exercises. As opposed to traditional assessments such as Penetration Testing, which may be scoped to focus only on technical risk. Red teaming assesses the organisation’s business risk and its ability to

56 | Australian Cyber Security Magazine

detect and respond to incidents Privasec’s Chief Offensive Officer, and leader of the Red Team Karan Khosla, revealed two real-life case studies and the role social engineering played in gaining unauthorised access to buildings and secured areas. Most non-practitioners may over-estimate the effort and time spent on the actual attack phase, but in fact, he said, “most of the cases, reconnaissance takes up the 90% of time”. Typical techniques to bypass physical access controls include looking legitimate (e.g. putting on officious looking uniforms), tailgating (following smokers back into the buildings via fire-exit doors), claiming false credentials in requesting for information such as access cards (and replicating them). Another common technique is phishing, to extract confidential information such as user ID and passwords. In a case recounted by Karan, the password opened up access to a master

mailbox that led to several inboxes of the senior executives. The key to defend and protect against these social engineering attacks is identifying the weakest link – and usually this means enhancing security awareness of staff. This was one of the key messages of the discussion panel. Panelist Steve Ng (Lead, Digital Operations & Platforms, Mediacorp), David Robinson (CTO, STT Connect) and Viktor Pozgay (CISO,Avaloq Sourcing APAC), moderated by Shamane Tan (APAC Cyber Security Advisor) emphasised that whilst there are growing sophistication of attackers and number of breaches, there are basic Cyber Hygiene measures that can be adopted by everyone. Exercising caution over the use of devices such as USBs, and adopting encryption when transmitting confidential and sensitive information are some well-known examples.


Cyber CyberSecurity Security

Prashant Haldankar, CISO Privasec raising a question to the panel. Photo Credit: ICE71

Panelist (Steve Ng (Lead, Digital Operations & Platforms, Mediacorp), David Robinson (CTO, STT Connect) and Viktor Pozgay (CISO,Avaloq Sourcing APAC), moderated by Shamane Tan (APAC Cyber Security Advisor). Photo Credit: ICE71

ICE71 organisers welcoming guests to the Cyber Risk Meetup 1st Nov 2018 event at JustCo, Singapore. Photo Credit: ICE71

Panelist (Steve Ng (Lead, Digital Operations & Platforms, Mediacorp), David Robinson (CTO, STT Connect) and Viktor Pozgay (CISO,Avaloq Sourcing APAC), moderated by Shamane Tan (APAC Cyber Security Advisor). Photo Credit: ICE71

Interestingly, while brute-forcing password may be a way to access a google email or Hotmail account, most hackers seek to reset passwords relying on answers found on social media to “what is your pet’s name”. The lesson is that whilst secure passwords are critical, minimal divulging of personal information on social media or other public platforms is also crucial. Key best practices for enterprises were also highlighted during the 30-minute panel discussion. (LIVE FEED LINK HERE) Gaining senior management level buy-in into cyber security polices and strategies is a priority, according to Viktor Pozgay (CISO,Avaloq Sourcing APAC). Rapid remediation is an important defence when there is an incident. “When you have an intruder in your network, the question you need to ask yourself is how fast can you remediate”, and “if you find that it takes you weeks to patch, start making changes now”, said David Robinson (CTO, STT Connect). Engaging a variety of vendors for different parts of security is also part of effective security risk management, to minimize single point of failure whether through legitimate or illegitimate methods, according to Steve Ng (Lead, Digital Operations & Platforms). “People is your most important asset”, Steve said. Incidents need to be identified as early as possible, and with staff who are knowledgeable with the right skills and experience, they would be able to identify early warning signs and any anomalous behavioural patterns. “No one does the attack on day 1, there are leading indicators”, David agreed. So, whilst the weakest link may be the staff, they are also key to protecting the organisation against attacks. “Educate your people”, said Steve. Indeed, raising awareness of the cyber security landscape and the part that everyone can play in protecting the organisation is the ultimate best defence.

Australian Cyber Security Magazine | 57


Cyber Security Cyber Security “Forging a Trust and open Cyberspace” was the theme of the Singapore International Cyber Week 2018, held at SunTec Singapore Convention & Exhibition Centre, 18th – 20th September 2018. Photo Credit: Cyber Security Agency of Singapore – Governmentware 2018

Cyber Protection for the World’s Game The 2018 FIFA World Cup which took place in Russia from 14 June to 15 July 2018, with half the globe watching and costing an estimated $14 billion, was also the first World Cup to use the video assistant referee (VAR) system. Written into the Laws of the Game by the International Football Association Board (IFAB) in 2018, six years after the goal-line technology was approved, the adoption of VAR was yet another example of the growing trend in the use of technology and data analytics in sports. Performing at the highest level of football inevitably involves players and referees contesting controversial decisions over millisecond movements of a foul play or a handball. Harnessing technology with the aim to square disputes and reduce questionable calls is undoubtedly a natural and practical solution with today’s faster, powerful and yet cheaper data processors and storage.

tirelessly dissecting each with statistics such as possession, passes completed, corners, shots on target. Each history is used to predict the next winning or losing team, to debate on merits or gaping holes in performance, to challenge the wisdom of the team’s strategy, or even to suggest how to do things better the next time. Data extends beyond analysis of team demographics, match history and playing data accrued real-time on-pitch, to off-pitch training data. As the volume of data grows, so does the recognition to gain special insights into the notso-obvious. Through aggregations and algorithms, identification and correlation of factors behind what would ultimately generate goals give the team a competitive edge, on top of raw talent and pure athleticism.

Data … and more data in the World’s Game

For the many fans who experience during the 90-minute game a roller-coaster emotional ride, from anticipation to nail biting fear to excitement, unhesitatingly take to social media to form and voice their own opinions and analysis.

To be sure, data collection and analytics is not new in football. Sports commentators had long been logging events of the game,

58 | Australian Cyber Security Magazine

By Jane Lo Singapore Correspondent

Football industry understands that to keep the game exciting, relevant and resonate with the public is engaging the groups of loyal fans, building personalized connections and messages with them. The potential global exposure a football team can receive through digital channels means aligning the fans beyond the traditional physical brands printed on the team’s jersey or scarf. Twitter, #tags, websites are becoming the go-to places for teams to announce the latest on signings, team news, line-ups. Players also boosting their brands, marketability and image with selfies, or wefies with fans. Attracting fans beyond the base country or continent means creating data content of rich experiences and compelling stories that fans can follow, on their own devices, wherever they are. Securing the data … Technology Partnership with Arsenal Football Club

And for the fans… Without a doubt, data in this digital era is now an integral part of tactical and strategic planning in an industry where broadcasting rights are worth billions and transfers top tens of millions. So, it follows that securing and protecting against the loss of this data is critical.


Cyber CyberSecurity Security

Looking ahead …

Launch of Acronis’s Technology Partnership with Arsenal during Arsenal’s pre-season tour to Singapore (July 27th) Left: Arconis Vice President – APAC & Japan Steve Goh, Arsenal player Alex Iwobi Peter Silverstone, Commercial Director, Arsenal F.C., Arsenal player Pierre-Emerick Aubameyang Acronis COO/ President & Co-founder Stanislav Protassov, Arsenal player Aaron Ramsey The launch event saw ardent fans rewarded with autographs and photo opportunity with the players Alex Iwob (who was also part of Nigeria’s World Cup squad in Russia), Pierre-Emerick Aubameyang (who joined Arsenal from Borussia Dortmund in January 2018), and Aaron Ramsey (one of the longest serving players within the current Arsenal squad). Photo Credit : Acronis Singapore

We find out more from Arsenal Football Club, and its Technology Partnership with Acronis, which just released an Artificial Intelligence powered backup and already a partner of choice for multiple data-driven F1 teams, at a launch event during Arsenal’s pre-season tour to Singapore. Founded in 1886, with 13 league titles under its belt, a record 13 FA Cups, plays 38 matches in the Premier League, and more with its participation in the EFL Cup, and the UEFA Europa League, Arsenal’s first-team and academy training sessions recorded at the club’s training ground in Colney amounts to 8 TB of data a year, the equivalent of 875 matches. The secure storage of this data is announced at the launch. Speaking on the partnership, Acronis COO/ President & Co-founder Stanislav Protassov said that “data volume is growing 100% every year” which included “video and digital content, fan generated content, fan database, business documents”, and the data is “used to analyze and improve strategy and deliver better results in the game and financially”.

He added: “starting from Data Protection and expanding to Cyber protection for cloud workloads and Arsenal datacenter to advanced application of artificial intelligence”, Acronis protects data, applications and systems “against loss and ransomware threats”. Peter Silverstone, Commercial Director, Arsenal F.C. said there are “750 million followers and 80 million of whom who engage on social media sharing and exchanging data”. Safety and security of the data to engage with the hundreds and millions of fans, and of the terrabytes recorded at the training ground, following best practices involves establishing protocols to ensure integrity and accuracy of data shared and stored, and availability of data in the event of accidental or malicious data loss. “At the highest level of competition, data is a critical asset. The teams that understand its importance partner with Acronis to optimise their data management. Arsenal FC has been a leader in data use, which is why we are proud to be partnering with them.” said John Zanni, President of Acronis.

The adoption of Artificial Intelligence in recent secure data solutions such as Acronis True Image 2019 points to the need for security as the use of data grows in sports. Referring to Formula One ®, Chairman and CEO, Chase Carey noted in an interview while attending the Singapore F1 last year, “This sport is so rich in formation and data.” The heavily instrumented cars are equipped with hundreds of sensors on each, capturing vital statistics such as tire pressure, fuel burn efficiency, wind force, GPS location, engine and brake temperature. Where a fraction of a second could either win or lose the Team a podium finish, the technological ability to measure and react such metrics is a key competitive edge. In ball sports, the National Football League (the American football league which generates the most revenue of any sports globally), recently announced a deal to install sensors in shoulder gear to track movement and location data. In fact, evaluating performance derived from data to gain competitive edge was first introduced by Michael Lewis in “Moneyball: The Art of Winning an Unfair Game”, and since then, the adoption of data analytics in sports has accelerated. Data is increasingly seen as crucial to strengthen fan engagement beyond storytelling or news updates. “A knowledgeable fan is an engaged fan” means providing fans with data to formulate their own predictions. Armed with more data, fans’ ability to cut-and-slice using various statistical methods is a powerful draw. It becomes an important part of their experiences to be able to compare different views and strategies, on social media or blogs with their graphs, tables and accompanying commentary. Certainly, the introduction of VAR technology in the World’s Game generated much debate – did it disrupt the momentum of play? Did it make its mark at World Cup in assisting penalty calls? Was it crucial to support the French team’s claims for a handball in the Finals? As FIFA said on its website: “Innovations are changing our everyday life. New ideas are the driving force of the football industry for improving comfort, safety and performance aspects for the players and referees on the pitch”. And without a doubt, advances in processing power combined with realms of data will continue to give us new insights and point out the not-so-obvious - learning interesting revelations will certainly keep the game dynamic for fans and players alike.

Australian Cyber Security Magazine | 59


Cyber Security

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Latest News and Products

Machine Learning, often oversold as Artificial intelligence, a double-edged sword for cybersecurity Machine learning (ML), usually oversold as artificial intelligence (AI), presents a doubleedged sword for businesses, because, while it provides cybersecurity advancements, it can also give cybercriminals an advantage. While malware researchers use ML to better understand online threats and security risks, adversaries can use it to become harder to detect, and more targeted or successful in their attacks. IT departments and security decisionmakers need to understand the complexity of ML in cybersecurity, and how to strike a balance between risk and reward. Security professionals need to stay one step ahead of savvy cybercriminals, and optimise ML in unique and effective ways that cybercriminals can’t, according to ESET. ML, as a subcategory of AI, has already triggered radical shifts in many sectors, including cybersecurity. ML has helped security developers improve malware detection engines, increase detection speeds, reduce the latency of adding detection for entirely new malware families, and enhance abilities to spot suspicious irregularities. These developments lead to higher levels of protection

for organisations against advanced persistent threats (APTs), as well as new and emerging threats. With that being said, cybersecurity professionals are beginning to recognise that AI/ML is limited in its capacity to combat online threats, and that the same advanced technologies are readily available to cybercriminals. According to an ESET survey, the vast majority of IT decision-makers are concerned about the growing number and complexity of future AI/ML-powered attacks, and the increased difficulty of detecting them. (1) For example, in 2003, the Swizzor Trojan horse used automation to repack its malware once every minute. (2) As a result, each of its victims was served a polymorphically-modified variant of the malware, complicating detection and enabling its wider spread. (3) Two-thirds of the almost 1000 IT decisionmakers surveyed by ESET agreed that new applications of AI/ML will increase the number of attacks on their organisations, while even more respondents thought that AI/ML technologies will make future threats more

complex, and harder to detect (69 percent and 70 percent respectively). Nick FitzGerald, senior research fellow, ESET, said, “Amongst the recent hype regarding AI and ML, many organisations and security decision-makers fail to realise that these tools aren’t reserved for responsible, constructive use. Technological advances in AI/ML have an enormous transformative potential for cybersecurity defenders, however, cybercriminals are also aware of these new prospects. “Cybercriminals might, for example, adopt ML to improve targeted attacks and thus become more difficult to uncover, track and mitigate. Cybersecurity developers can’t rely on ML to fight online threats when hackers are using that same technology. They must be realistic about the limitations of ML, and understand the consequences these advancements can have.” While ML isn’t a silver bullet cure to cyberattacks, it is being effectively and smartly incorporated into anti-malware protection products to improve detection of ever evolving online threats.

Artificial intelligence is key cybersecurity weapon in the IoT era As businesses struggle to combat increasingly sophisticated cybersecurity attacks, the severity of which is exacerbated by both the vanishing IT perimeters in today’s mobile and IoT era, coupled with an acute shortage of skilled security professionals, IT security teams need both a new approach and powerful new tools to protect data and other high-value assets. Increasingly, they are looking to artificial intelligence (AI) as a key weapon to win the battle against stealthy threats inside their IT infrastructures, according to a new global research study conducted by the Ponemon

60 | Australian Cyber Security Magazine

Institute on behalf of Aruba, a Hewlett Packard Enterprise company (NYSE:HPE). The Ponemon Institute study, entitled “Closing the IT Security Gap with Automation & AI in the Era of IoT,” surveyed 4,000 security and IT professionals across Australia[1], America, Europe and Asia to understand what makes security deficiencies so hard to fix, and what types of technologies and processes are needed to stay a step ahead of bad actors within the new threat landscape. The research revealed that fifty-one percent of Australian respondents agree that the quest

to protect data and other high-value assets, security systems incorporating machine learning and other AI-based technologies are essential for detecting and stopping attacks that target users and IoT devices. The majority of local respondents agree that security products with AI functionality will help to: Increase their team’s effectiveness (58 percent) Provide greater investigation efficiencies (71 percent) Advance their ability to more quickly


discover and respond to stealthy attacks that have evaded perimeter defence systems (56 percent) Thirty two percent of local respondents said they currently use some form of machinelearning or other AI-based security solution, with another 22 percent stating they plan on deploying these types of products within the next 12 months. Current Security Tools are not Enough “Despite massive investments in cybersecurity programs, our research found most APAC businesses are still unable to stop advanced, targeted attacks – with 59% percent believing they are not realizing the full value of their defence arsenal, which ranges from 10 to 75 security solutions,” said Larry Ponemon, chairman, Ponemon Institute[2]. “The situation has become a ‘perfect storm,’ with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, especially given the current lack of security staff with the necessary skills and expertise to battle today’s persistent, sophisticated, highly trained, and well-financed attackers. Against this backdrop, AI-based security tools, which can automate tasks and free up IT personnel to manage other aspects of a security program, were viewed as critical for helping businesses keep up with increasing threat levels.”

Survey results also highlighted the importance of visibility and the ability to define which resources that people and IoT devices can access, with 56 percent of APAC respondents stating network access control is an important element of their company’s overall security strategy and critical for reducing the reach of inside exploits. Even though 72 percent of APAC respondents say that their organisations deploy NAC, it is alarming to find out that only 14 percent of them are confident that they know all the users and devices connected to their network all the time. Additionally, more than half of Australian respondents said it’s hard to protect expanding and blurring IT perimeters resulting from requirements to concurrently support IoT, BYOD, mobile, and cloud initiatives (54%). Comparable to the global result of 55% overall. “Partnering with the Ponemon Institute helps us to improve customer experiences by better understanding security teams’ challenges, and then arming them with advanced solutions that enable quick identification and responses to an everchanging threat landscape,” said Larry Lunetta, vice president of security solutions marketing for Aruba. “The insight gained from this study enables us to continually improve our ability to provide an enterprise wired and wireless network security framework with an integrated and more comprehensive approach for gaining back visibility and control.”

IoT and Cloud Adds Significant Risk Ponemon researchers found that the majority of APAC IT security teams believe that a key gap in their company’s overall security strategy is their inability to identify attacks that use IoT devices as the point of entry. In fact, only 22 percent of local respondents believe their IoT devices are appropriately secured, and sixtyseven percent say their organisations have no or a low ability to secure their IoT devices and apps. Continuous monitoring of network traffic, compliance monitoring tools, and detecting behavioural anomalies among peer groups of IoT devices, were cited as the most effective approaches to better protect their environments. Even the ownership model for IoT security presents potential risk. When asked who inside their organisation was responsible for IoT security, responses ranged from the CIO, CISO, CTO, and line-of-business leaders, with no majority consensus. Thirty-three percent identified the CIO, with no other executive or functional group achieving response totals above 20 percent. Surprisingly, “No Function” was the third-highest answer (15 percent).

Ponemon Findings Parallel other Aruba Research

Additional Assets Aruba blog: After all the Hard Work, Why Does the Security Gap Still Exist? Infographic: What’s threatening IT security and what are people doing about it? About Aruba, a Hewlett Packard Enterprise company Aruba, a Hewlett Packard Enterprise company, is a leading provider of next-generation networking solutions for enterprises of all sizes worldwide. The company delivers IT solutions that empower organizations to serve the latest generation of mobile-savvy users who rely on cloud-based business apps for every aspect of their work and personal lives. To learn more, visit Aruba at http://www. arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook, and for the latest technical discussions on mobility and Aruba products visit Airheads Social at http:// community.arubanetworks.com. About Ponemon Institute Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. For more information, please visit https://www.ponemon.org/

The Ponemon Institute study parallels findings from an Aruba global study conducted in June 2018 of 7,000 employees across 15 countries. That study revealed that cybersecurity is a challenge for employers, especially for those working in smart buildings. The report found that although employees reported higher levels of cybersecurity awareness, with 52 percent of global respondents thinking about security often or daily, they also admitted to taking more risks with company data and devices. 70 percent admitted to risky behaviours such as sharing passwords and devices. It also showed that 25 percent of employees globally have connected to potentially unsafe open Wi-Fi networks in the past 12 months. Additionally, 20 percent said they use the same password across multiple applications and accounts, and 17 percent admitted to writing down passwords in order to remember them.

Australian Cyber Security Magazine | 61


Cover Feature

Bitglass 2018 financial services breach report: Number of breaches in 2018 nearly triple that of 2016 Malware and Hacking Responsible for Nearly Three Quarters of All Breaches in 2018 Bitglass has released its 2018 Financial Breach Report. The study uncovers information about the top threats in financial services, the industry’s latest and largest breaches and more. 2018 has been far more dangerous than 2016, the last year that Bitglass conducted a financial breach report. In this year’s study, there were nearly three times as many breaches as there were two years ago. This is largely due to the explosive growth of hacking and malware around the world. These threats have undeniably led the charge against financial services firms this year. “Financial organisations regularly handle sensitive, regulated data like home addresses, bank statements and Social Security numbers,” said Rich Campagna, CMO of Bitglass. “This type of information is an incredibly attractive target for criminals, meaning financial services firms need to be highly vigilant when it comes to cybersecurity. Failing to protect data and reach regulatory compliance can spell disaster for any company.” Key Findings

From January to August of 2018, financial services firms experienced nearly three times as many breaches as they did over the same time frame in 2016. • The 103 breaches in this year’s report dwarf the 37 recorded in 2016. Hacking and malware were responsible for nearly three quarters of all breaches in 2018. This is a massive increase over previous years, wherein they were responsible for 20 percent – just behind the leader, lost and stolen devices, which caused 25 percent of breaches. The top three financial services breaches in 2018 each exposed more records than the sum total of all breaches in Bitglass’ 2016 report. This suggests not only that breaches are becoming more frequent, but that they are growing larger in scale, as well. • The top three breaches in 2018 were SunTrust Banks (1.5M records exposed) Guaranteed Rate (188K records exposed), and RBC Royal Bank (66K records exposed). In 2016, the sum total of all breached records was 64,512. Noteworthy threats to financial firms in 2018 include cloud cryptojacking, ransomware-as-a-

service platforms, modular banking trojans like Emotet and ransomware like WannaCry. Methodology Bitglass aggregated data from the Identity Theft Resource Center (ITRC) and the Privacy Rights Clearinghouse (PRC). Each year, these standalone databases detail information about data theft in financial services organisations. By analysing their records in tandem, Bitglass was able to uncover insights about the financial breaches that occurred in 2018. To learn more, download the 2018 Financial Breach Report here: https://pages.bitglass.com/ FinancialWorldBreachKingdom.html About Bitglass Bitglass, the Next-Gen CASB company, is based in Silicon Valley with offices worldwide. The company’s cloud security solutions deliver zero-day, agentless data and threat protection for any app, any device, anywhere. Bitglass is backed by Tier 1 investors and was founded in 2013 by a team of industry veterans with a proven track record of innovation and execution.

NIST Releases Final Public Draft of the Risk Management Framework (SP 800-37, Rev 2) NIST has announced the final public draft Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy. There are seven major objectives for this update: To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization; To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF; To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;

62 | Australian Cyber Security Magazine

To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible; To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the relevant tasks in the RMF; To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5. The addition of the Prepare step is one of the

key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. In addition to seeking your comments on this final public draft, we are specifically seeking feedback on a new RMF Task P-13, Information Life Cycle. The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. Identifying and understanding all stages of the information life cycle have significant implications for security and privacy. We are seeking comment on how organizations would executive this task and how we might provide the most helpful discussion to assist organizations in the execution. The public comment period for the draft publication is October 2 through October 31. Please submit comments using the comment template to sec-cert@nist.gov. Digital


Cover Feature

ISACA Research: Only 4 in 10 tech professionals confident in security of their Oorganisations’ AI deployments Transformation Barometer finds better security needed to harness the positive potential of AI and mitigate risks of malicious attacks Despite heightened interest in enterprise deployment of artificial intelligence, only 40 per cent of respondents to ISACA’s second annual Digital Transformation Barometer express confidence that their organisations can accurately assess the security of systems based on AI and machine learning. This becomes especially striking given the potential for serious consequences from maliciously trained AI; survey respondents identify social engineering, manipulated media content and data poisoning as the types of malicious AI attacks that pose the greatest threat to society within the next five years. AI/machine learning also continued to rise toward the top of technologies considered to have the highest potential to deliver transformative value to organisations. While placing second in these rankings in the 2017 and 2018 Digital Transformation Barometers, AI/machine learning went from 18 points behind big data in 2017, to just 3 points behind big data in 2018. As the perceived value of AI continues to increase, the proportion of organisations planning to deploy AI continues to increase as well, with a 35 per cent increase over the 2017 report. “Enterprises must make the needed investments in well-trained staffs capable of putting AI safeguards in place,” said Rob Clyde, CISM, NACD Board Leadership Fellow and ISACA Board Chair. “As AI evolves—consider the likely proliferation of self-driving vehicles, or AI systems designed to reduce urban traffic—it will become imperative that enterprises can provide assurance that the AI will not take action that puts people in harm’s way.” In addition to today’s common uses for AI, such as virtual personal assistants and fraud detection, there are high hopes that AI and machine learning have the potential to set major breakthroughs in motion across various industries, including helping to accelerate medical research, improving farmers’ crop yields and assisting law enforcement with solving difficult cases. These advancements, though, are unfolding so quickly that it often is challenging for organisations to develop the expertise needed to put the corresponding safeguards in place to account for potential

security vulnerabilities and ethical implications. While AI/machine learning—along with big data and the public cloud—lead the way in promising enterprises transformative value, these technologies also are among the top five facing organisational resistance in their deployment, with public cloud prompting the highest level of resistance (52%) globally. Interestingly, in Australia / New Zealand (ANZ), blockchain was listed as the highest resistance (48%) to deployment with public cloud ranking second (46%). The more than 5,000 respondents among ISACA’s global community of business technology professionals also helped to identify which emerging technologies appear to be more hype than reality. Big data, AI/machine learning and public cloud were the top three technologies that practitioners anticipate will be deployed at their enterprises in the next year, while only 12% globally (9% in ANZ) indicate their organisations will deploy blockchain, and the percentage drops to 6% (7% in ANZ) for augmented reality/virtual reality. Other research highlights: Organisations overwhelmingly pursuing digital transformation Nine in 10 enterprises are attempting digital transformation as they look to spark innovation and explore efficiencies, but a majority of them (64%) are encountering challenges in trying to integrate emerging and immature technologies. The research findings suggest that organisations still are evaluating the worth of digital transformations and often are guided by leaders lacking digital literacy— an understanding of technology and its related risks and benefits. However, organisations that have embraced emerging technologies have been rewarded. The Digital Transformation Barometer data explores the progress that organisations have made on this frontier, the extent to which they understand and are adopting transformative technologies, the impact of digital literacy, and the state of this journey through different industries across the world. “ISACA’s global membership shows in this research that digital transformation is by no means complete, and organisations are still struggling with fundamental questions of risk,

security and return on investment,” said Clyde. “It’s impossible to guarantee results when deploying less familiar technologies, but this survey suggests that organisations that have adopted new technologies overwhelmingly consider their journeys to be worthwhile. As organisations continue to navigate uncertain territory, finding qualified leaders to help steer these journeys and instill an organisational commitment to innovation is critical.” Familiarity breeds confidence For emerging technologies such as AI, having digitally literate leaders correlates to lower perceived risks, which can be key when making the case for deploying technologies. In turn, the actual deployment and testing of technologies gives companies the chance to familiarise themselves with these emerging technologies, which can help companies more accurately assess risk vs. reward. 33 per cent of companies whose leaders do not possess technological expertise perceive AI to be high-risk, while just 25 per cent of companies with digitally literate leaders perceive AI to be high-risk. Organisations led by digitally literate leaders were almost twice as likely to deploy AI than other organisations (33 per cent compared to 18 per cent). For enterprises going hands-on with emerging technologies, the perceived benefits of deploying these technologies is clear. Using AI as an example, 76 per cent of enterprises testing AI said that it was worth the risk, with just 9 per cent saying that it was not worth the risk. In enterprises that are not testing AI, the confidence in AI being worth the risk drops by a third, while the proportion of respondents saying it is not worth the risk more than doubles. While the results highlighted here are specific to AI, other emerging technologies follow similar patterns when considering how digital literacy impacts deployment, and how respondents weigh risks and rewards. Digital Literacy Stays Consistent Year-OverYear Critically, the previous edition of the ISACA Digital Transformation Barometer Survey found that just 53% of respondents described their

Australian Cyber Security Magazine | 63


Cover Feature

leadership as being digitally literate. In 2018, globally that number stayed consistent, with 54% of respondents describing their leadership as digitally literate. However, in ANZ the number increased 11 percentage points compared to 2017. There are a number of benefits organisations reap when their leaders are digitally literate: Digitally literate executives are far more receptive to adopting emerging technologies. 96% of companies with digitally literate executives were very or moderately receptive to trying new technologies. Digitally literate leadership leads to less resistance within organisations to deploying emerging technologies. Digitally literate leaders are more likely to be planning to deploy technologies that are key indicators of organisational digital transformation in the next year. Companies guided by these leaders are nearly twice as

likely to deploy AI within the next year, and slightly more likely to deploy big data, than those without. For the full 2018 Digital Transformation Barometer research report and to access related resources, visit www.isaca.org/digitaltransformation-barometer. About ISACA’s Digital Transformation Barometer Research The ISACA Digital Transformation Barometer research, conducted in the first quarter of 2018, includes survey responses from 5,847 information technology, security and business executives, managers and professionals from a wide range of industries, company sizes and global locations, including Africa, Asia, Europe, Latin America, Middle East, North America and Oceania. Results can be found at www.isaca. org/digital-transformation-barometer.

About ISACA Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations. ISACA leverages the expertise of its 450,000 engaged professionals in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including 217 chapters worldwide and offices in both the United States and China.

How blockchain will influence information management Most famous for its role in underpinning cryptocurrencies, blockchain is set to redefine traditional business models due to its innovative method of logging and authenticating data, according to M-Files. Blockchain is made up of records of transactions and data types. As each group of records is validated, it forms a block which is then added to the chain, making it impossible to alter the information without being caught. The blockchain is in chronological order and is copied in various locations, distributed across numerous participants. This contributes to its immutability; changing one copy of the blockchain would create a discrepancy that would be immediately identified. Blockchains eliminate the need for intermediaries such as banks or property registers. More than half of the world’s largest corporations are either actively considering or in the process of deploying blockchain. (1) The key benefit of doing so is the ability to better manage their information. M-Files has identified two key examples of how blockchain can be used to transform information management: 1. Preserving the integrity of log data Most information management systems log the key events in the repository but these logs aren’t necessarily secure. A security incident could include tampering with the logs to remove evidence of the attack.

64 | Australian Cyber Security Magazine

Yet, for those logs to be useful, businesses need to be able to trust that the data is accurate and uncompromised, whether by accident or through a malicious act. Blockchain technology could solve this challenge by providing a trusted, independent, secure way to ensure log entries can’t be deleted or manipulated. 2. Cost-effective alternative to digital signatures Digital signatures have replaced so-called ‘wet ink’ signatures in many business transactions. A third party issues the signing certificates to verify authenticity. Digital signatures use complex mathematical algorithms to confirm data is legitimate and protect against forgery. However, there is a cost associated with acquiring trusted certificates and there could be uncertainty around whether the third party is truly impartial. Blockchain eliminates the need for a third party and allows multiple signatures, all of which can be authenticated and distributed across multiple systems in a network. This works because neither party to the agreement can alter that agreement once it’s in the blockchain without the other party being aware of it. This lets companies independently verify the authenticity of their own documents without the use of a third party, saving on costs and time. Nicholas Delaveris, alliance and partner manager, Australia and New Zealand, M-Files, said, “Blockchain holds untapped potential

to ensure data integrity, so it will revolutionise information management processes. It’s most valuable when it comes to issues around trust, verification, authentication, and auditing. The true potential of blockchain can’t be overstated: businesses are only just starting to scratch the surface of what it can do.”


Cover Feature

Venafi Research: Large number of look-alike domains pose phishing risks to online shoppers Fake domains can be used to steal sensitive account and payment data Venafi has released research on the explosion of look-alike domains, which are routinely used to steal sensitive data from online shoppers. Venafi’s research analysed suspicious domains targeting the top 20 retailers in five key markets: the U.S., U.K., France, Germany and Australia. As the rate of online shopping increases, customers are being targeted through look-alike domains. Cyber attackers create these fake domains by substituting a few characters in the URLs. Because they point to malicious online shopping sites that mimic legitimate, wellknown retail websites, it makes it increasingly difficult for customers to detect the fake domains. Additionally, given that many of these malicious pages use a trusted TLS certificate, they appear to be safe for online shoppers who unknowingly provide sensitive account information and payment data. “Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” said Jing Xie, senior threat intelligence analyst for Venafi. “Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates. In spite of significant advances in the best practices followed by certificate issuers, this is a really bad idea.” “No organisation should rely exclusively on certificate authorities to detect suspicious certificate requests,” continued Xie. “For example, cyber attackers recently set up a look-alike domain for NewEgg, a website with over 50 million visitors a month. The look-alike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers.” According to Venafi’s research, there has been an explosion in the number of potentially fraudulent domains. There are more than double the number of look-alike domains compared to legitimate domains, and every online retailer studied is being targeted.

Key findings from the research include: The total number of certificates for look-alike domains is more than 200 percent greater than the number of authentic retail domains. Among the top 20 online German retailers, there are almost four times more look-alike domains than valid domains. Major retailers present larger targets for cyber criminals. One of the top 20 U.S. retailers has over 12,000 look-alike domains targeting their customers. The growth in look-alike domains appears to be connected to the availability of free TLS certificates; 84 percent of the look-alike domains studied use free certificates from Let’s Encrypt. As the holiday shopping season approaches, there will likely be an increase in look-alike domains. For online retailers that discover malicious domains, they can take several steps to protect their customers: Search and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous websites. Retailers can report a domain at: https://safebrowsing. google.com/safebrowsing/report_general Report suspicious domains to the AntiPhishing Working Group (APWG). The APWG is an international voluntary organisation that focuses on limiting cyber crime perpetrated through phishing. Retailers can report a suspicious domain at: https://www. antiphishing.org/report-phishing or via email to: reportphishing@apwg.org Add Certificate Authority Authorisation (CAA) to the DNS records of domains and subdomains. CAA lets organisations determine which CAs can issue certificates for domains they own. It is an extension of the domain’s DNS record and supports property tags that let domains owners set CA policy for entire domains or for specific hostnames. Leverage software packages to search for suspicious domains. Copyright infringement software may help retailers find malicious websites, stopping the unauthorised use of their logos or brands. Solutions that also provide anti-phishing functionality can help aid in the search for look-alike domains. “Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future,” concluded Xie.

“In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates.” For more information, please visit: https:// www.venafi.com/resource/Venafi-ResearchBrief-The-Risk-Lookalike-Domains-Pose-toOnline-Retailers Additional Resource: Blog: Venafi Retail Research: Will Holiday Shoppers be Duped By Look-alike Domains? https://www.venafi.com/blog/venafi-retailresearch-will-holiday-shoppers-be-duped-lookalike-domains About Venafi Venafi is the cyber security market leader in machine identity protection, securing connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted. With over 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organisations, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. For more information, visit: http://venafi.com

Australian Cyber Security Magazine | 65


Cover Feature

Accelerating ASEAN-Australia digital trade An Issues Paper has released by Standards Australia will help facilitate digital trade across Australia and ASEAN Member States. Based on extensive consultation throughout the region, the Issues Paper outlines the key opportunities and challenges for digital economic growth. It fits within the broader ASEAN-Australia Digital Trade Standards Initiative announced during the ASEAN-Australia Special Summit held in March 2018. This initiative aims to understand and identify opportunities for digital trade between ASEAN Member States and Australia. It has been highlighted that the harmonisation of international standards will be a key cornerstone for the initiative. “Digital trade presents a new wave of market opportunities. It has the potential to enhance all aspects of the global economy, from agriculture to manufacturing, telecommunications, and service-based industries,” said Adrian O’Connell, Standards Australia Deputy CEO and General Manager – International. “All eleven of the economies involved have

66 | Australian Cyber Security Magazine

something to gain from this collaboration. Ultimately, we are working to support growth in the region and prepare for future challenges.” The Issues Paper was developed following an ASEAN-Australia Digital Trade Survey and Focus Group Sessions in Australia and across all ten ASEAN Member States. Next steps include a Digital Trade Standards Workshop which will be held on 16-17 October 2018 in Sydney to agree on recommendations to progress this initiative. A possible long term work program has the potential to forge even closer economic ties between ASEAN and Australia in the future


Cover Feature

68 | Australian Cyber Security Magazine

Australian Cyber Security Magazine, ISSUE 6, 2018  
New