THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Nov/Dec 2016
National Security & Legislative reform for IoT
AISA national conference review
Digital technology versus national security threats
Martin Place Siege Inquest
Deception detection Part 2
Stats man & the sea – professional profile
The great submarine leak
PLUS $8.95 INC. GST
TechTime, Quick Q&A, Cyber Security and much more...
Solve the challenges facing the IIoT – Cyber Security & Interoperability
Waterfall's Unidirectional CloudConnect™
Protect your industrial site from online cyber attacks. Translate industrial systems into "cloud" language. Gather, recode & publish in the cloud.
Use Waterfall's patented unidirectional technology that supports the widest variety of SCADA & IT protocols.
For more info: firstname.lastname@example.org or www.waterfall-security.com
From the War Room to the Board Room, Huntsman® Defence Grade Cyber Security Platform delivers: Advanced Threat Detection and Incident Response; Continuous Compliance; Serious Cyber Security ROI.
Proven in the most secure and sensitive environments within the intelligence, defence and criminal justice networks across the 5 Eyes community.
LEARN MORE TODAY 1300 135 897 huntsmansecurity.com
Contents

Editor's Desk (Page 5)

International
Transnational Crime in Sri Lanka
The great submarine leak (Page 10)
The stats man and the sea
Completely at sea
Combating Terrorism: Enacting the madman theory II
Quick Q & A with Kevin Mitnick
Digital innovation in China - how the West is being won!

AISA Conference 2016 - Special Feature

Corporate Security
What really happened
Digital technology vs national security threats (Page 24)
Worrying statistics - Inaugural cyber security survey for Australia

Cover Feature
Artificial intelligence & cybersecurity (Page 28)
Without security the internet of things is doomed and could kill millions
National security reforms needed before the internet of things (Page 32)
Scalable optics - New lanes laid for the internet of things super highway

Cyber Security
What's causing the cybersecurity skills gap?
Singapore Cyber Updates
India's cyber trauma

Women in Security
Championing for open source collaboration

Advertorial
Obstinately clinging to iconic obsolescence

National Security
Fighting financial cybercrime with data
Lindt Cafe siege - Damned if you do, damned if you don't
Deception detection uncovered - Part 2

TechTime - the latest news and products
Editor's book review

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents & Contributors: Tony Campbell, Adeline Teoh, Sarosh Bana
Marketing and Advertising: T | +61 8 6361 1786, email@example.com

Copyright © 2015 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732 E | firstname.lastname@example.org E: email@example.com. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US www.facebook.com/apsmagazine | www.australiansecuritymagazine.com.au
4 | Asia Pacific Security Magazine
Editor's Desk

"The development of the Internet has posed new challenges to national sovereignty, security and development interests, which requires the international community to meet urgently and seriously and pursue common governance and win-win outcome."
Xi Jinping, at the first meeting of the central Internet security and informatization leading group, Feb 27, 2014.

States Army, Senate Armed Services Committee, September 15, 2016
The last months of the year are always a busy period, be it planning for the year ahead or making sure the current year's projects are on schedule for completion. Add to this the business of being in the security industry and it makes for a challenging and very rewarding period, often including gearing up for major event planning, as well as ensuring staff are rostered to cover security operations centres. This period particularly highlights what Professor Martin Gill said when introducing the OSPAs in Sydney last month: "the security industry has undersold itself around the world", and it is important to recognise the contribution of security to society. As we all appreciate and soon come to learn, security is ignored only until it is needed.

For the Asia Pacific, it is indeed a time when security is becoming increasingly noticed as it becomes apparent that the region's security is not what it was a decade ago. Having attended the Canalys Channels Forum in Macau in late October, it was insightful to receive the event's annual briefing from Steve Brazier on how the APAC region is faring both politically and economically. As Brazier pointed out to a sold-out delegation, with 530 channel partners in attendance for a 'Digital First' conference, China is increasingly separating itself, with far different dynamics from the rest of APAC. The South China Sea is a key risk: "you can't emphasise how important the South China Sea is… issues of security are going up and up and up." Asia has also been late to discover the importance of security: in IT security, the average time between a breach and its detection in Asia is 520 days, against a world average of 146 days.

Economically, India has overtaken China with GDP growth of 7%, and it is India that is driving growth in the technology industry. The country has also introduced a 'Made in India' policy, has welcomed the likes of Cisco for IT manufacturing in India, and has commenced smart city deployments and a 'Digital India' with agreements with Intel. The introduction of a national Goods and Services Tax (GST) is further forecast to change the fundamentals of the Indian economy. Digital disruption continues to affect all countries, with investment in government-led digitalisation projects and centralised government IT departments. Overall, the technology industry remains relatively positive for APAC, with hyper-converged infrastructure and data centres continuing to be deployed. Wi-Fi is also seeing big deployments across Asia, particularly with massive growth in China. Messaging apps have fast become the preferred way for people to make calls and communicate, whilst other technologies, such as speech and face recognition, though still not perfect, have become 'good enough' to begin making a big impact. Stand-out APAC countries such as Myanmar have experienced some positive build-up in 2016. Malaysia continues to be heavily dependent on oil and, along with corruption scandals and the Ringgit falling by 7%, has signed new naval defence agreements with China, joining the Philippines as another key country to accept, or succumb to, China's obvious sphere of influence.

So as regional and military tensions and the risk of war, instigated by the US, in the South China Sea continue to rise, I highlight my article on national security and how it makes sense to take a national approach to Australia's security, one that holistically includes energy, social, physical and cyber security. Anything less is a halfway approach, and we need to change the way we have unworkable legislation that is incapable of regulation and enforcement. It will remain a dereliction of our government's responsibilities, but it seems this dereliction has become the norm the world over. Governments, indeed politicians, have much to answer for and yet offer little in the way of effective and improving change. Hence the political elite is grappling with public backlash, disunity and the rise of Right and Left wing splinter groups around the world. Institutions, despite two decades coming, just aren't geared for a digital age.

This is the last edition of Asia Pacific Security Magazine for 2016 and the last publication from My Security Media this year; we will return in 2017 with the US Federal Election decided and the free world as we know it on the brink of a fundamental shift. Let us hope it takes a turn towards celebrating positive change and human liberation. I began the year with the headline Game On! Just 11 months on, the battle between security and innovation continues, and it will be security that is missed, but only with the realisation that it is no longer there. On that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and, most importantly, engage.
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor
Transnational Crime in Sri Lanka: Future considerations for international cooperation
By Mitchell Sutton and Serge DeSilva-Ranasinghe

A changing criminal threat
Despite the large blow dealt to drug, people and arms trafficking systems by the fall of the LTTE in 2009, Sri Lanka still faces serious challenges from transnational organised crime. The country has found itself both a transit and a source point along the larger South and Southeast Asian smuggling routes, and the problem has been exacerbated by its poor border control, its geographical position and the incidence of official corruption. The challenges faced by the country are, at their core, regional problems that can't be countered by the Sri Lankan Government in isolation. Although the country is but a small link, activities in Sri Lanka have impacts in some way upon all stages of the trafficking chain, from producer countries to destinations.

Bilateral and interagency law enforcement cooperation
As a small island nation with a marginal ability to limit transnational crime seeping over from its larger neighbours, Sri Lanka has been keenly involved in international law enforcement cooperation since the 1970s. That cooperation has taken the form of multilateral regional cooperation forums, bilateral agreements and the provision of training and equipment by foreign governments. Those patterns have largely continued unchanged into the present day, although Sri Lanka's moves to establish counter-people-smuggling coordination agreements with Australia appear to indicate a willingness to expand coordination efforts outside its immediate neighbourhood.

Australia has been one focus of cooperation among many for the Sri Lankan Government. Cooperation is based on a broad Memorandum of Understanding on Combating Transnational Crime and Developing Police Cooperation signed in May 2009, and a more specific memorandum on cooperation against migrant smuggling signed later that year. The Australia – Sri Lanka Joint Working Group on People Smuggling and Other Transnational Crime was formed in 2012 to complement the latter agreement. These agreements have resulted in increased cooperation between Sri Lankan authorities, the Australian Border Force and the Australian Federal Police (AFP). The AFP has developed close operational-level contacts inside the Sri Lanka Police, including with the Criminal Investigation Department (CID), the Maritime Human Smuggling Investigation Unit, the Anti-Human Smuggling Investigation Bureau and the Airport CID team. Along with Australian Customs and Border Protection officers based in Sri Lanka, customs cooperation has also included two ex-Customs Bay-class patrol boats gifted to the Sri Lanka Navy in 2013 and further maritime cooperation, training, equipment and workshops.

The Sri Lankan Government's willingness to engage in extra-regional bilateral arrangements has also been evident in its approach to money laundering and corruption. Since 2008, intelligence-sharing memorandums have been signed between the FIU-CBSL (the Financial Intelligence Unit of the Central Bank of Sri Lanka) and banks or other counter-money-laundering agencies across the globe. Britain has been prominent in these efforts, committing around £750,000 to Sri Lankan counter-corruption efforts for the 2015–2018 period. An officer from the UK Serious Fraud Office has also been seconded to the High Commission to assist the Commission to Investigate Allegations of Bribery or Corruption and the Sri Lanka Police's CID and Financial Crime Investigations Department.

The provision of training and equipment by foreign law enforcement authorities has been a strong method of international cooperation, despite ongoing controversies in some quarters over the human rights record of the Sri Lanka Police. In recent years, the police have received counter-narcotics training from the US, Canada, Germany, Thailand, India, Japan and the UK, as well as ethics and human rights training from Sweden and counter-corruption skilling from Switzerland. Australia has been prominent in these efforts, providing training and equipment to build Sri Lankan Government capability. This support has included computers, specialised intelligence software, office equipment and vehicles. Other agencies have also been involved; for example, the US has provided seaport security training for the police through the US Coast Guard. Sri Lanka has itself also provided law enforcement training to others, in the form of counter-narcotics assistance to members of the Maldives National Security Service.

Multilateral law enforcement cooperation
At the regional and global levels, Sri Lanka has engaged in a number of initiatives to counter drug trafficking, people smuggling, money laundering and maritime crime. Most of its law enforcement cooperation efforts at the coordination level have been with the South Asian Association for Regional Cooperation (SAARC). The Sri Lankan Government was at the centre of efforts to establish the SAARC Convention on Narcotic Drugs and Psychotropic Substances (1990), the Colombo-based SAARC Drug Offences Monitoring Desk (1992), the SAARC Conference on Cooperation in Police Matters (first held in Colombo in 1996) and the SAARC Coordination Group of Drug Law Enforcement Agencies. Along with Australia, the country was also involved in the Colombo Plan Drug Advisory Programme, which was also designed to facilitate law enforcement and intergovernmental cooperation on the issue in the region, and the UNODC's South Asia Regional Programme, which targets drug trafficking and official corruption. These initiatives have helped to improve information sharing between Sri Lanka and the major regional powers, especially the major drug transit points of India and Pakistan.

The Sri Lankan Government has engaged robustly with the UNODC's Global Maritime Crime Programme. In 2014, it assisted in the foundation of the UNODC's Indian Ocean Forum on Maritime Crime and presented ways in which the Global Maritime Crime Programme could be extended into maritime narcotics trafficking. It subsequently participated in the forum's technical meetings on human trafficking and maritime heroin smuggling held in 2015. Aside from the UNODC, Sri Lanka has been an active member of INTERPOL since 1950. The Sri Lanka Police's CID is designated as the INTERPOL National Central Bureau, with the Deputy Inspector General of Police as its designated head. Memorandums of understanding continue to be signed between Sri Lanka and INTERPOL, including one in 2015 expediting the visa application process for INTERPOL officials and other foreign investigators.

Counter-money-laundering efforts have also been occurring on a multilateral level. Although Sri Lanka had no domestic laws prohibiting money laundering until 2006, in recent years financial regulations have been tightened to crack down on the practice and comply with international agreements. Those agreements include UN Security Council resolutions 1267 (1999) and 1373 (2001) on terrorist financing, the International Convention on the Suppression of Terrorist Financing (2005), the regulations set out by the Financial Action Task Force (1989) and its subsequent updates, and the standards established by the Asia Pacific Group on Money Laundering (1997). The initial tranche of compliance laws included the Convention on the Suppression of Terrorist Financing Act (2005) and the Prevention of Money Laundering Act (2006), which forbid transactions involving profits from 'dangerous drugs, terrorism, bribery, corruption, firearms and explosives, foreign currency transactions, transnational organized crimes, cybercrimes, child pornography and trafficking of persons'. The FIU-CBSL was also established in 2006, and became a member of the Egmont Group of Financial Intelligence Units in 2009. Despite the improvements brought about by the creation of these frameworks, enormous enforcement challenges remain.

More recent have been multilateral efforts to counter people smuggling. Sri Lanka has been one of the 11 states engaged in the Australian-instigated Law Enforcement Joint Management Group on People Smuggling since the group's establishment in 2014. The Sri Lanka Police are due to host the third annual meeting of the group in Colombo in 2016.

Good cooperation, but limited impact
Law enforcement cooperation between the Sri Lanka Police and regional and global allies has generally been very good, and Sri Lanka has been at the centre of a number of long-term multilateral counter-trafficking initiatives. Likewise, bilateral arrangements designed to address immediate issues, such as the agreements between the AFP and the Sri Lanka Police on combating transnational crime, have also met with a great deal of success. However, this cooperation is likely to remain of limited use unless the Sri Lankan police and military recalibrate their efforts to meet new threats and develop effective anti-corruption measures.

The full report is available at https://aspi.org.au/publications/transnational-crime-in-sri-lanka-future-considerations-for-international-cooperation/SR94_SriLanka.pdf
The great submarine leak
By Sarosh Bana, APSM Correspondent

The wide-ranging data leak on India's French-origin Scorpene submarines, hosted on its website recently by the daily broadsheet The Australian on two consecutive days, clearly undermines New Delhi's sensitive submarine construction programme. The 22,400 leaked pages detailed the combat capabilities of the 1,565-tonne, 61.7-metre Scorpene 2000 SSKs (diesel-electric hunter/killer submarines). Six of these submarines are being built under the Indian Navy's Project-75 (P-75) under a Transfer of Technology (ToT) agreement between DCNS, the European leader in naval defence, and the Mumbai-based state-owned shipyard Mazagon Dock Limited (MDL). The first of this series, construction of which began at the MDL yards in December 2006, is being launched in September, with its commissioning scheduled a year thereafter and subsequent boats delivered at intervals of nine months. The programme is running four years behind schedule, its original contract cost of US$2.63 billion in 2010 having spiralled to US$3.8 billion. The cost includes a US$1 billion Technical Data Package for MDL to gain competence in submarine construction, especially in hull fabrication, outfitting and system integration.

While the question is whether India's security is under threat as a result of the data leak, another question concerns the motive of the morning daily, owned by Rupert Murdoch's News Corp Australia and published out of New South Wales, in exposing a friendly nation's defence agenda. The paper has been described as one that acts more like a propaganda sheet for the right wing of Australia's Liberal Party than a broad-based sounding board for big ideas and public policy. Canberra in April awarded the same French defence contractor, DCNS, an A$50 billion (US$38 billion) contract to design and build 12 next-generation submarines. It is speculated that the exposé could have been the consequence of corporate espionage, as competition is fierce in the global military sweepstakes. Variants of the DCNS Scorpene operate with the Malaysian and Chilean navies and will also be deployed by Brazil from 2018.

The uploaded sets of documents contained the entire design plans, specifications and stealth capabilities of the Scorpene, as well as detailed operating instructions for its underwater warfare system, and also revealed the range of technical specifications of the sonars and at what degrees and frequencies they would function. Almost the entire Operating Instruction Manual has been detailed, with explanations on target selection for weapon configuration and firing, among a host of critical minutiae. Of the leaked information, 6,841 pages elaborated on the submarine's communications system, 4,457 pages on its underwater sensors, 4,209 on its above-water sensors, 4,301 on its combat management system, and 493 on its torpedo system. Bared also were the diving depth ranges; magnetic, electromagnetic and infrared data; frequencies at which the submarine gathers intelligence; requisite speeds and conditions for use of the periscope; noise specifications of the propellers; radiated noise levels that occur when submarines surface; levels of noise at various speeds; and the locations where the crew can speak to avoid sonar detection.

The Australian reported it had been informed that the secret data were stealthily drawn from DCNS by a former sub-contractor in 2011 and taken to a private company in Southeast Asia before being passed on to a branch of that company in a second Southeast Asian nation. A compact disc containing the data was then posted by regular mail to a company in Australia. On that account the compromise was an insider and supply-chain data-handling failure rather than a network intrusion: the material left DCNS with someone who had legitimate access to it, then moved between companies on physical media for five years before it surfaced.

Evidently taken aback, Indian authorities downplayed the incident, affirming that it did not compromise national security, as such information was available on "many naval defence websites", The Australian had blacked out vital factors, and numerous parameters had in any case been modified since 2011 in the submarines under construction. While it is not unusual for parameters to be altered at the behest of customers, at times within a series production, with follow-on vessels being finer-tuned and more streamlined, a comprehensive disclosure such as The Australian's undoubtedly conveys confidential information and cannot be belittled. Such sensitive data would not only be unobtainable in the public domain; they would not be publicised by any credible website guided by professional ethics. Much similar information very likely rests with various media agencies worldwide, but they would be circumspect in revealing it.

There is also the question of what Canberra's reaction would have been if an Indian paper had carried detailed descriptions of Australia's own submarine programme or its two 27,800-tonne Canberra-class Landing Helicopter Docks (LHDs), also known as amphibious assault ships. The two LHDs, HMAS Canberra and HMAS Adelaide, were commissioned in November 2014 and December 2015 and were constructed for the Australian Defence Force (ADF) at a cost of $2.9 billion. To be jointly crewed by personnel from the three services, they provide one of the most capable and sophisticated air-land-sea amphibious deployment systems in the world, each able to land a force of over 2,000 personnel by helicopter and watercraft, along with all their weapons, ammunition, vehicles and stores. Design and construction were by Spain's Navantia, while BAE Systems Australia, a subsidiary of BAE Systems plc and the largest defence contractor in Australia, was the prime contractor. Navantia's Ferrol-Fene shipyard in north-west Spain constructed the hulls to the level of the flight decks, including the majority of the fitting out, and the island structures were installed at BAE Systems' Williamstown shipyard in Victoria.

Though he said that the leak was "of concern", Australian Prime Minister Malcolm Turnbull specified that the Indian Scorpene was a different model from the one Australia was buying. "The submarine we are building or will be building with the French is called the Barracuda, quite completely different submarine to the Scorpene they are building for India," he told Channel Seven. "We have the highest security protections on all of our defence information, whether it is in partnership with other countries or entirely within Australia." According to DCNS, the 97-metre, 4,000-tonne Shortfin Barracuda Block 1A, designed specifically for the Royal Australian Navy, is "the world's most advanced conventionally-powered submarine", with state-of-the-art signature reduction technology, pump-jet propulsion replacing 'obsolete' propeller technology, retractable hydroplanes minimising drag and noise, and the most powerful sonar ever produced for a conventional submarine. Quick-access technology insert hatches moreover allow upgrades to be carried out easily.

As with issues of this nature, India's Defence Minister Manohar Parrikar asked the Chief of Naval Staff (CNS), Admiral Sunil Lanba, to have the extent of the leak examined. Maintaining that any information lapse is viewed very seriously by the Indian Navy, the CNS pointed out that DCNS had been asked to launch an urgent investigation. "Detailed assessment of the potential impact is being undertaken at Integrated Headquarters, Ministry of Defence (Navy), an analysis is being carried out by concerned specialists, and an internal audit of procedures is also being undertaken to mitigate any probable security compromise," he indicated. India has also taken up the matter with the Director General of Armament of the French government, with the request to investigate with urgency and share its findings with India. "It is not a leak, it is theft," a naval official affirmed. "We have not found any DCNS negligence, but we have identified some dishonesty by an individual." The matter is also being pursued with other concerned foreign governments through diplomatic channels to verify the authenticity of the reports.

DCNS took the issue to the Supreme Court of New South Wales, which directed The Australian to withdraw the documents published on its website, to provide DCNS with all related documents in its possession and to desist from publishing any additional documents. "Confidentiality of information and communication is a matter of utmost importance and DCNS welcomes this decision of the court," a DCNS statement said. "In parallel to this action, DCNS filed a complaint against unknown persons for breach of trust, receiving the proceeds of an offence and aiding and abetting before the Paris Public Prosecutor."

The French contractor is understandably worried. Apart from having set up its subsidiary, DCNS India Pvt. Ltd, in Mumbai for the Scorpene construction, it is now establishing another fully-owned subsidiary to produce air-independent propulsion (AIP) technology for its submarines, and has submitted its proposal for this to India's Foreign Investment Promotion Board (FIPB). DCNS, after all, is seeking to bid for the lucrative $8.06 billion, possibly $12 billion, Project-75(I) contract for the construction of six new-generation stealth diesel-electric submarines, which is eliciting wide interest among shipyards both at home and abroad. Defence-oriented enterprises, which have invested heavily in creating and expanding their warship-building facilities and competencies, are preening themselves for the competitive bidding for the tender, which requires the submarines to be built in India at an identified shipyard, within the public or private sector, assessed to have the potential to build modern conventional submarines.

It remains to be seen whether DCNS will be countenanced for the tender by the Indian authorities following this disastrous leak. The Indian Navy has already scotched all previous speculation of construction of three more Scorpenes being contracted out to DCNS.
INVITATION
EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR
5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre

MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast-evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision-making buyers with security solution providers and manufacturers. For more about the program visit www.interpol-world.com

MySecurity Media will manage all logistics, such as flight/hotel bookings, for the visiting delegation. 2015: 7,807 visitors & delegates. 2017: 300 exhibitors.

Some of the main topics:
• IoT, cybersecurity, big data analytics
• Biometrics
• Genetic & synthetic biology
• Safe cities
• Robotics
• Unmanned/artificial intelligence
• Face recognition

PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE. Email: firstname.lastname@example.org
Delegate profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators. Visitor profiles: www.interpol-world.com/visiting

"We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners." - Ian Readhead, National Police Chiefs' Council, UK

Express interest in joining us at this exclusive event: email@example.com
The stats man and the sea Pirate hunter, undercover statistician or psychological medic? Karsten von Hoesslin's career is as hard to pin down as the oceans he covers as a 'maritime response consultant'.
By Adeline Teoh, ASM Correspondent

"I'm flying in an Antonov 27, 50 metres over the water, dropping $3.5 million to a bunch of guys in raggedy clothes. Really, the money is just a prop," says Karsten von Hoesslin on how to make a ransom payment to Somali pirates who've hijacked a ship and taken its crew hostage.

Ask him what he does for a living and the answer is necessarily circumspect. On paper he may be a 'maritime response consultant', but delve a little deeper and more amazing details start to emerge. Best known publicly as the host of National Geographic's series Lawless Oceans, von Hoesslin began his oceanic voyage many years prior with an interest in the South China Sea disputes for his Masters. "Having examined the United Nations Convention on the Law of the Sea, I asked myself 'how can something be so simply laid out and yet so complex to implement?'"

The grants and funding he secured for that research also allowed him to peek at piracy issues, where there were plenty of open source statistics but suspicions of under-reporting. "I then started my PhD research looking at various human intelligence methodologies for infiltrating organised crime groups," says von Hoesslin. "I started testing that in South East Asia in pirate networks, seeing how far I could infiltrate. The results were unprecedented, especially in comparison to what was reported in open sources."

In addition to working with law enforcement agencies in South East Asia, he worked jointly with authorities on West African, Somali and Horn of Africa pirate issues. That exposed him to specialist training in areas such as hostage negotiation and behavioural profiling. It was at this point he decided to pivot from intelligence work into more operational roles, "doing delivery drops, negotiations, support work and then actually commanding operations myself", including that of delivering one of the highest-value ransoms in Somali piracy history.

But the rewards are less about the money and more about the people, von Hoesslin says. Having trained in paramedicine, tactical, flight and remote medicine as well as major incident medical management prepared him to work with the hostages of hijacked ships. "The people who were hostages were simply not in good enough condition to provide actionable intelligence. A lot of them are at various stages of PTSD and they haven't actually been given any psychological first aid," von Hoesslin explains. "There was a tremendous difference in the four days we would have with them, they were much better off. That was the most rewarding thing."

Hunting phantom ships
Filling in the gaps of some questionable statistics led von Hoesslin to his current role. There was a 'boom' in South East Asian piracy in 2014-15, he explains. "There were a lot of vessels that would disappear or were hijacked and sometimes they were off the books, it wasn't reported. I was able to find some of these vessels in Indonesia and various places where they were being held—some of them were insurance scams."

It was at this point he crossed paths with National Geographic, who were filming an episode of Underworld, Inc on South East Asian pirates. National Geographic followed von Hoesslin as he worked to locate phantom tankers, then approached him to develop a series called Lawless Oceans, which "examines the various crimes at sea ranging from drug smuggling to piracy to migrant smuggling and illegal fishing," he describes.

Being on an international TV channel has its drawbacks as a maritime investigator, von Hoesslin admits, and it's doubly hard when he can be the only white man in a village in Asia or Africa. "I prefer to keep a low profile. Let's say there's an episode of Underworld, Inc on pirates, then that probably means that I have to be a bit more careful when I'm in the field afterwards," he notes. Fortunately he does have other occupations that seem to satisfy most people he meets: doing medical work, such as volunteering in hospitals, and practising heritage photography. For everything else there's human interaction. "I've been places where I've got my camera and I'm just taking pictures—not even intel pictures—and people go, 'you're CIA'. I just look at them and I say: 'You're right, I'm here for you.' They freeze and don't know what to say. I will break that moment with a laugh and they usually realise how silly their accusation sounds. You de-escalate their suspicion and then you can talk to them."

Von Hoesslin is potentially open to a second series of Lawless Oceans. In any case, he's about to obtain a commercial licence to fly his drone—a handy piece of kit to record maritime crime unobtrusively, and for surveying—and he has advanced care paramedic training to complete. He says his next role is likely to be in crisis response on the medical side, "helping companies as well as NGOs better prepare for incidents, and more importantly, preventing them from getting involved in bad situations".

In the meantime, past success is reasonably easy to define. "On the law enforcement side, nothing gives me more joy than to see an active interest in a case, an arrest and then, most importantly, a conviction. On the human side it's to see people recover from bad things or even to see pirates not wanting to be pirates anymore. There are cases of people I've worked with in the past, assets, who then cleaned up and got regular jobs."

As for von Hoesslin, his job is anything but regular, with international travel always on the cards and a lot on his mind at all times. "If I take holidays I'm always calculating and figuring out how to do projects—'I will not stop until this current case is properly investigated'." And despite the frequency of guns, money and espionage in his career, he says he's not addicted to the thrill of it as some might be. "I get more of a thrill out of backcountry skiing."
US$1.32 billion was the estimated cost of maritime piracy in the Western Indian Ocean during 2015, down from $7 billion in 2010. Source: oceansbeyondpiracy.org
Asia Pacific Security Magazine | 13
Shipping companies are under attack! In the new era of cybersecurity and cyberwarfare, many shipping companies fare poorly when it comes to taking on cyber warriors. Laxity is no excuse: it causes huge financial losses, and shipping companies do not know what they are up against. Jaya Prakash files this story from Singapore.

By Jaya Prakash
A new threat is confronting the globe's shipping industry, and it is not piracy anymore. Just when everybody thought that piracy was gone for good, what the world's leading shipowners least anticipated was the danger that could arise from the very information technology (IT) systems that had kept them connected to their customers and agents. Ignorance is no longer bliss. Shipping companies, port operators, ship managers and shipping agencies had better know what the digital age of computer networks, iPhones, iPads and smartphones has wrought and the havoc it can wreak. Devices purportedly invented to make life better for all of humankind are perhaps an 'enemy' far more sinister than anything the shipping fraternity has been used to. Not even the Somali pirates who once terrorised commercial shipping have come close to the threat that the double-edged sword of the Internet now presents. "Digital technology has unleashed some bewildering crime," Vincent J Loy, a partner and Financial Crime, Cyber & Data Analytics Leader at PwC Singapore, told MySecurity.com. With the globe ever more interconnected than before,
what was once somebody else's problem is no longer so. Now it is everybody's concern, because what the Internet has done is to connect us all to criminals, terrorists and stalkers in the far-flung regions of the globe, and the security we once took for granted in our own homes and backyards now has to be traded for the uncertainty the age of the Internet brings. As more and more devices and a rising number of companies get online, they become ripe, tempting targets for attacks and coercion, and maritime companies had better know they have weaknesses that hackers can exploit with impunity. To be sure, hackers have without doubt been rife. Just ask Google about its experiences in China and the answers will come thick and fast. Not only did hackers once compromise the safety of a floating rig by tilting it off the coast of West Africa, but what happened in the Belgian port of Antwerp, widely reported in newspapers, with hackers filching containers, takes the whole scheme of hacking and phishing to an entirely new level. And if that was not enough, hackers have also assisted Somali pirates in choosing their targets. They did this by
"...cyber attacks against oil and gas infrastructure will cost energy companies up to $1.9 billion by 2018. What is worse the British government has tabulated that cyber attacks have already cost UK oil and gas companies some 400 million pounds (US$672 million), annually." compelling ships to resort to faking their navigational data thus throwing the crucial spotting mechanisms of the sophisticated AIS tracking device shipping companies designed to locate ships on the open oceans, completely off the rails. If such a measure is taken to extreme lengths, hacker activity can plausibly even allow for the free and unhindered transport of contraband cargo like nuclear material - a prospect the likes of Iran and rogue nations like North Korea would relish because for once there is a new-found way to circumvent sanctions. It Is An Interconnected World "Cyber is connected to the world and we are highly dependent on the Internet", exclaimed a panelist over Singapore's Channel News Asia (CNA) during a prime time talk-show, televised on 14th September. That dependence has come with a double-edged sword as it now appears. Cyber criminals it has been learned, rake in some US$150billion annually CNA heard on the day of its television talk show, thus lending why cyber crime continues adlib with little or no known ways to tackle it resolutely. Encryption may be an option but, just how viable an option it is has never been distilled enough. Globally, Reuters wire service estimates cyber attacks against oil and gas infrastructure will cost energy companies up to $1.9 billion by 2018. What is worse the British government has tabulated that cyber attacks have already cost UK oil and gas companies some 400 million pounds (US$672 million), annually. Still if there is something deadpan worrying about it all, is the size of vessels shipowners have assigned themselves which far being from a commercial imperative, is fraught with security implications. 
With a growing tendency to build larger than usual vessels to save on fuel consumption and operating costs, what the global shipping industry is hurling itself into is the creation of a new set of problems while resolving another. By having smaller crews with a heavier than usual reliance on software for navigation and operational needs, the risk escalates in step with the degree to which a vessel's software is left unsecured yet relied upon heavily by its crew. As matters stand, with technology running every mite of a ship's operation, from the loading of cargo to plotting its
navigation across oceans, nothing perhaps is left to chance. To compound an already tenuous situation is the reluctance shipowners show in reporting security lapses, whether out of fear of adverse publicity or of raising alarm amongst their stakeholders. What is worse than imagined is that software weaknesses in the maritime universe could be used to cause ships to malfunction or even run aground, according to research from the global information assurance firm NCC Group. They have revealed security vulnerabilities in ECDIS (Electronic Chart Display and Information Systems), an information technology product used by the shipping industry. These systems are usually installed on ships and used by navigation officers. And the increased usage of computer systems for navigation, container inspection, rapid unloading, distribution of goods and handling of goods at ports can easily be exposed to cyber threats if no proper security controls are implemented.

No solution for now...

There are just two kinds of scenarios confronting those living under the cyber sword of Damocles: one is the nagging perception of threat estimates, and the other is how to stave off that threat and remain as safe as one can. Because security and attack scenarios against technologies and protocols have been ignored for too long in the maritime industry, the problem has persisted just as long. Windward, an Israeli firm that analyses AIS data, found a rising number of ships 'afflicted', whether for security or financial reasons, smuggling or plain pirate attacks. A particular U.N. report was especially scathing. It alleged that efforts by North Korea to procure nuclear weapons were carried out under the aegis of compromised AIS data, and that investigators found one ship carrying concealed cargo had turned off its AIS signals to disguise and conceal its trip to Cuba.
If ever there is something to be done, and done urgently, it ought to begin with a revolutionary change in mindset and training priorities in all shipowning companies, not just the big ones. More investment has to be assigned to blocking hackers by denying them access, however ubiquitous they may be. These measures can range from continuous cyber security assessments to evaluate incident response capabilities, to detecting whether an active breach is in progress, to keeping the company security conscious. Perhaps an ideal recommendation is to borrow a leaf from the hacker himself and be deceptive rather than predictable. The mere fact that most organisations look to automation to help in their cyber security defences gives hackers valuable leads on when they can raid a company's networks. Having scans at the same time every week, patches once per month and assessments once per quarter or per year is just what a hacker needs to raid a company. The idea, therefore, is to keep changing the routine of such housekeeping measures and keep the hacker guessing, thereby forcing him to give up.

Jaya Prakash can be reached at firstname.lastname@example.org
Combating Terrorism: Enacting the madman theory II
Superpowers go rogue!
By Scott Fraser
In recent times, over the two years since I put the first paper together, there have been a number of key events that have prompted me to update this post.

"Everybody's worried about stopping terrorism. Well, there's a really easy way: stop participating in it." - Noam Chomsky

Russia, Iran, China, the US, Turkey, North Korea and Israel, to name a few, have displayed worrying trends which I have outlined in the body of this post. You'll also note an increase in terror activity in the mid to second quarter of 2016; I believe these to be a coincidence, a collection of terror incidents acted out around the same time but with no apparent connection. All the while, the superpowers of the world appear to be consumed with each other and not the apparent War on Terror (WOT). State players are deliberately posturing and flexing in different parts of the world on an ever-increasing scale.

Russia is believed to still have, and to be actively working around, its Dead Hand project. Dead Hand was a weapon of last resort and, if information is correct, it appears that it still is. It was created to ensure that even if the Soviet leadership was wiped out, a nuclear response could still be launched against the West and NATO in retaliation. If Dead Hand did not detect signs of a preserved military hierarchy, the system
would perform a check for signals of a nuclear attack, such as a change in air pressure, extreme light, and radioactivity. If the system concluded that a nuclear strike had taken place, Dead Hand would proceed to launch all of the remaining nuclear weapons from all of the silos throughout the Soviet Union at targets across the Northern Hemisphere. Not a good scenario, and one that all have the option to replicate themselves given all are nuclear armed. Most countries have varied but limited conventional options to combat the perceived threats from their nemesis; however well prepared, that may not be enough, and it would appear that some are prepared to use whatever they have at their disposal. That's why you have nukes... right?

Terrorism defined can be construed in a varying number of ways; essentially it is mission based. For example, the US Federal Bureau of Investigation (FBI) employs a definition of terrorism based upon the agency's general tasks. Under this regulation an act of terrorism is defined as 'the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives'. This, as it suggests, could be played out as a State or a cell aimed at an individual or, indeed, another State.
The US Department of Homeland Security again modified its definition of terrorism in a revised Domestic Terrorism and Home-Grown Violent Extremism Lexicon published in 2011 as 'Any activity that involves an act that is dangerous to human life or potentially destructive to critical infrastructure or key resources, and is a violation of the criminal laws of the United States or of any state or other subdivision of the United States and appears to be intended to intimidate or coerce a civilian population to influence the policy of a government by intimidation or coercion, or to affect the conduct of a government by mass destruction, assassination, or kidnapping'. Is this to include war? Sounds like it; nuclear war... possibly, depending on who has their finger on the button, and taking in the rules of war - jus ad bellum and jus in bello... or not.

Refresher

The US Central Intelligence Agency (CIA) uses a definition contained in Title 22 of the U.S. Code: "premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents." For the Australian Security Intelligence Organisation (ASIO), terrorism is defined in the ASIO Act of 1979 as 'acts or threats of violence or unlawful harm that are intended or likely to achieve a political objective, whether in Australia or elsewhere, including acts or threats carried on for the purpose of influencing the policy or acts of a government, whether in Australia or elsewhere'. This definition, which covers politically, ideologically or religiously motivated terrorist attacks, rightly includes consideration of violence outside of Australia as an intrinsic part of the threat posed. Essentially these examples are lawful unto their own States for the protection of those States, peoples, assets and interests, either within or external; pretty much anywhere.
The various departments and militaries of all nation States have varying definitions, which drive and shape their overall missions to counter their perceived terrorism threat. Does this meet the threat or merely define it, and if so, so what? That being said, it could be argued that, given the definitions from the aforementioned States, the significant threat is global. Declaring war and sending the military to fight other militaries is not terrorism, nor is the use of violence to punish criminals who have been convicted of violent crimes, but many would argue that nation States are also capable of terrorism. Case in point: Israel has for many years been criticised, especially in the Arab world, in United Nations resolutions and by human rights organisations, as perpetrating terrorism against the population of the territories it has occupied since 1967. In a recent RAND report the number of jihadist groups worldwide has grown by 58%, to 49 from 31; the number of known jihadist fighters has doubled to a high estimate of 100,000; and the number of attacks by al Qaeda affiliates has increased to roughly 1,000 from 392. The most significant terrorism threat to the United States comes from groups operating in Yemen, Afghanistan, Pakistan, Somalia, Syria and most recently Iraq, which is teetering on the brink of civil war or worse, and, as is now the case in France and other areas, from ISIS and its supporters.
In the current global terrorism climate there are a number of terrorism issues that cross or blur the collective boundaries globally. In 1994, in Foreign Affairs, National Security Adviser Anthony Lake described "the reality of recalcitrant and outlaw states that not only choose to remain outside the family of democratic nations but also assault its basic values." Lake labelled five regimes as "rogue states": North Korea, Cuba, Iraq, Iran and Libya.

Terrorism States Vs Rogue States

Fast forward to today and it could be said that a whole array of nation States could, at a whim, be named as a rogue state; so who's a rogue state and who decides? Noam Chomsky penned an article and said:

Abroad, the threats were to be "international terrorism," and most serious of all, "rogue states." A secret 1995 US study of the Strategic Command, which is responsible for the strategic nuclear arsenal, outlines the basic thinking. Released through the Freedom of Information Act, the study, Essentials of Post-Cold War Deterrence, shows how the United States shifted its deterrent strategy from the defunct Soviet Union to so-called rogue states such as Iraq, Libya, Cuba and North Korea. The study advocates that the U.S. actively exploit its nuclear arsenal to portray itself as 'irrational and vindictive' in the event that its vital interests are attacked. "That should be a part of the national persona we project to all adversaries, particularly the rogue states." "It hurts to portray ourselves as too fully rational and cool-headed," let alone committed to such silliness as international law and treaty obligations. "The fact that some elements" of the U.S. government "may appear to be potentially 'out of control' can be beneficial to creating and reinforcing fears and doubts within the minds of an adversary's decision makers."
The report also resurrects Nixon's "madman theory": our enemies should recognise that we are crazed and unpredictable, with extraordinary destructive force at our command, so they will bend to our will in fear. The concept was apparently devised in Israel in the 1950s by the governing Labor Party, whose leaders "preached in favour of acts of madness," Prime Minister Moshe Sharett records in his diary, warning that 'we will go crazy' if crossed, a secret weapon aimed in part against the U.S., however not considered sufficiently reliable at the time.

In the hands of the world superpowers, a handful of States which regard themselves, personally, inwardly and now outwardly, as superpowers, with good reason, and which are subject to few constraints from anywhere, the 'we will go crazy' stance poses no small problem for the world, and even more so for extremists, if any or all are backed into a corner. World power States have this view of each other, as States and as individual leaders, that any who should strongly oppose their ideals of rule, law and order, freedom, democracy or right to exist should take care and act with a high degree of caution. Today all democracies face multifarious and noteworthy threats beyond jihadi terrorism. China is expanding its military reach along with its economic and cyber muscles, particularly within its immediate region. Russia has all but invaded Ukraine and is seen as a real threat to America's NATO allies, particularly following the Turkish missile
incident. Iran is perceived to be dedicated to developing a nuclear-weapons capability and North Korea, which already has nuclear weapons, appears highly unstable. Global leaders of these States have already outlined that they are being 'pushed' towards the nuclear option; or is this the balancing act to convey, "yes, you have a more capable and technologically advanced force, but I have nukes, the evener"?
Still, what are these nations up to? That is, the collective East and West intent on shadowing aircraft and naval vessels, taking control of waterways, gathering on borders, building and essentially eyeing each other; but still a handful of terror groups today remain fanatically dedicated to attacking any nation State, regardless of whether it is perceived as Western, Eastern, Middle Eastern, Asian, Christian, Islamic or otherwise, any way they possibly can. Global terrorism, what's unfolding? An eschatological battle of ideals, culture clashes..? Extremists would like to think so; however, as the saying goes, be careful what you wish for... As each global nation State has its own vision of its future, the rise of the threat from terror organisations, and the need to mobilise a global response, may well see the 'we will go crazy' initiative actually enacted... on multiple fronts, State on State and not against terrorism. Rogue states win... or do they?
Quick Q&A ... with Kevin Mitnick
Internet hacker and now cyber security expert Kevin Mitnick is in Australia in November for a conference in Sydney and Melbourne with business leaders, where Kevin will talk about security risks and issues in the modern-day business environment and how best to manage and combat such risks.

What is your view of open source and the development of open source white hat communities? Do you see the need for these to be developed better, faster or with higher reward components as we move towards the Internet of Things?

Kevin Mitnick (KM) - I do like open source and I do believe that these communities should be expanded, but there is no management of these things as they are run on a completely voluntary basis. As far as moving faster and increasing rewards on open source projects, no one is really getting paid per se, so the reward is really just being a contributor. Maybe by creating additional incentives, it might make that particular community grow faster.

We're not seeing the notoriety of black hat hackers as we once did; rather we see the rise of particular hacker groups, such as Anonymous. Can you explain why this might be? Is it that the complexity of systems limits individual hacker capabilities, or is the risk of capture greater?

KM - We do actually hear stories about individual hackers in the press all the time; we may not necessarily know their names but we do see their actions, usually for fraud or theft, for example. Individuals from Russia have recently been indicted in cases. Anonymous is really a kind of idea, rather than an organised group, and people will jump on the bandwagon because they believe in a particular cause, and I think because Anonymous have had a lot of press due to some of its stunts, like hacking into police stations and hacking some of its officers, they have done a lot of brazen types of attacks, so it garners a lot of press.
I also see an equal amount of press on other types of hacking activity as well.

What can law enforcement do to better prevent and detect cybercrime, rather than the traditional approach of waiting for a report to be made and responding to a cybercrime report?

KM - The problem is it's not that law enforcement can't do anything, or if a government starts regulating private sector businesses and becomes the watchman, so to speak; I really don't see that
happening. It is really just individual businesses that have to develop and mature their security programmes well enough so that they become a difficult target, so that the attackers then go after the easier targets. The government could improve its investigations by using different tools and techniques to track the perpetrators down. Nowadays attackers could use Tor, which is a system designed by the US Naval services to anonymise Internet searching to protect journalists and dissidents and that sort of thing. It is also used by hackers to mask their IP address. For example, there is what we call the 'dark web', and what exists on the dark web is a lot of criminal activity. The Silk Road site is an example of this; it was an online drug emporium, and eventually the FBI got its man. The details of how they did this have not been made public, but it could have been by a vulnerability in Tor. It is actually hard to track down the perpetrators if they really know what they are doing; if they are sloppy and unsophisticated then it is quite easy.

Do you see law enforcement and government security services developing their cybersecurity skills at the necessary pace to stay ahead of the curve, or do you think they will always be a few degrees (or more) behind the curve? How much of a gap do you currently see?

KM - The problem is that the government and
public sector do not pay as well as the private sector, so it is difficult to attract talent into this area. This will only change if governments pay enough to attract the right people.

How do you view the moral implications of your background, given your criminal activities have been turned towards making a profit, and how do you think we can turn younger people to the white hat community before they start black hat activities?

KM - Well, I do have a unique past. I am not profiting off my criminal activity now; I am profiting off all the good things I am doing today. I run a company that finds system vulnerabilities before the bad guys do. I am also the owner of a company where we do security awareness training and automated phishing against our clients so that they can better protect their business against social engineering attacks. I did illegal stuff back 20 years ago, but now my notoriety results from the good things that I am doing. Today it's a lot different from back in the 80s and 90s, when I started. Now there is cyber security taught in schools and universities, so it's a better environment now to teach and instruct students that will hopefully become cyber security professionals; nowadays there is coursework and available programmes to help those people do it in a moral and ethical way.
Asia Pacific Security Magazine | 19
Digital innovation in China - how the West is being won!
Evolving business models with investments in VR & AR make China unique amongst a global IT market

By Chris Cubbage, Executive Editor

Digitalisation in China has been rapid, on a massive scale and unique beyond any other country on the planet. Ecommerce in China is now 18 per cent larger than that in the USA. With over 1.3 billion people, China is naturally a major market for IT and has evolved its own digital ecosystem, mirroring the West’s Google, Amazon and Facebook with the likes of Baidu, Alibaba and Tencent. Mobile apps have also played a major part, like WeChat, which has over 200 million users, and AliPay with well over 300 million users, more users than the USA population. The Chinese Government remains protective against foreign companies entering the market, despite the national economy slowing and transitioning from manufacturing to services. Verticals such as logistics, transport, retail, entertainment, healthcare and banking are all embracing digitalisation and the country is entering a golden era for integrating new technologies, with steady growth expected over the next decade.
The major drivers, according to Canalys APAC Research Director Nicole Peng, speaking last week in Macau at the Canalys APAC Channels Forum, have been trends in the macro economy, consumer behaviour and the online-offline market. Major trends in the macro economy have been the shift from the manufacturing to the services sector and strong encouragement from China’s Government for the country to innovate. The services sector now exceeds manufacturing as a GDP contributor and the country has also experienced rapid wage rises. The increase in wages has increased labour costs, which is further driving business to focus on productivity. Urbanisation has led to better infrastructure, including network and wi-fi infrastructure. Increasing incomes have been significant for migrant workers moving within tier 2 and tier 3 cities, and the logistics industry is a leading example of innovation within national supply chains.

Another major trend is the consumer sector. China has a billion smart phone users and will grow to 1.3 billion by 2020. Online payment platforms such as Alipay are allowing rapid adoption of online and retail services, including the transition to accessing all government services online. Consumers expect business to embrace new technologies.

The third major trend is the online-to-offline model, which sets out to uncover latent supply between the physical and cyber experiences. This market is addressing an unmet demand in areas such as food ordering, travel, payments and transport on demand. There remains a large potential for greater cross-selling and upselling to consumers in this area, and the technologies best placed to address this market are VR (Virtual Reality) and AR (Augmented Reality). VR and AR are anticipated to drive new digital transformation and provide a substantial user experience if correctly supported by new hardware and software. There remain a lot of challenges, with the mix needing to combine the right form of hardware, new software platforms and, most importantly, new content. Getting this mix right has the potential to fundamentally change how users operate online, engage socially and behave commercially. The VR and AR market has the potential to kick-start a new wave of business and next generation content. Canalys Analyst Jason Low predicts that the VR industry will ship 6.3 million headsets worldwide in 2016, with 40% of these for the China market. In VR, advertising offers a more engaging experience to the consumer and also offers wider options for product placement. With these benefits in mind, Baidu is looking to transition customers from web browsers to new VR platforms. VR will therefore require new hardware, new software and, most importantly, new content, which will need to be based on combining user data, image recognition and generating customised content.
Alibaba is investing heavily in creating new online shopping experiences in new VR environments, and virtual shopping malls will be limited only by the imagination of the developers. The aim is to change the way people shop for products online. The concept is to give customers the ability to experience products virtually and to generate immediate market scale by keeping the technology simple and accessible to everyone. With the amount of investment being made by the likes of Alibaba, the VR technology is anticipated to mature quickly. Tencent has diversified into mobile and online gaming and is the most relevant for deploying VR hardware whilst combining social networks and VR content. Tencent has released its new VR platform, called SOLAR-VR, and is seeking to expand significantly across its gaming platforms, accommodating casual gamers through to hardcore gamers.

LeEco, China’s largest online video company, and Xiaomi, the world’s fourth largest smart phone maker, comparatively operate as a mix of Apple, Amazon and Google, with business models combining smart electronic hardware, online retail platforms and delivery of mobile services. Xiaomi has made investments into 50 companies that are producing new breeds of IT hardware ecosystems and has plans to expand its investments to reach 100 companies. Xiaomi’s investments follow strict rules that apply technology specifically to its user profile, namely 18 – 35 year old males that are tech-savvy, price conscious and inspired by design. The companies also need to have a similar culture to its own and need to have developed a large user base. According to Hugo Barra, Xiaomi’s Vice President, “the game in China is building walled gardens and getting them to stay in your garden.” Xiaomi is also amassing substantial data on its users to better understand and predict their behaviours. With 150 million users, they are each lighting their screens on average 122 times a day and have an average total daily screen time of 4.4 hours per user. In Tier 1 cities, 17 out of 100 people have a Xiaomi device, and in Tier 2 and Tier 3 cities it is 13 and 6 out of 100, respectively. Data is being collected on users accessing social media, video, tools, games, books and news. The data analytics business concept is to deliver services with precision marketing and generate consumer buying power.

LeEco, similar to Netflix with on-demand video streaming, has also entered the smart phone and smart TV sector and has founded its own digital ecosystem based on Internet and Cloud platforms, with LeMail.com and LeTV Cloud surrounded by content, mobile services, Smart TV hardware, Music, Internet Finance, Sports and Automotive, as part of a Super Electric EcoSystem (SEE) Plan. These all-encompassing business plans endeavour to bring multiple benefits, including flexibility in pricing, so hardware prices are linked to subscription services. For example, lower hardware prices are offset by longer subscriptions and vice versa, so lower cost smart phones are offset with longer term or higher priced subscriptions.

The business model is to create lifetime users and secure revenue from subscriptions, advertising and online shopping. The content driven ecosystem will also allow cross sector promotion and greater selling diversification, with integrated product and service range propositions expanding across industries. This flexibility in pricing and digitalisation blurs the boundaries between industries and expands the data they can access and analyse to create highly targeted and effective digital services for a consumer seemingly always hungry and willing for more. How the West competes with the Far East will continue to play out, but generating similarly scaled digital business models is still some way away, with only Google, Apple, Facebook and Amazon on a similar path and needing a global audience rather than just a US centric model. Regardless, the global battle to get human screen time continues and is set to take on a whole new look within the next 5 to 10 years – so get your VR goggles on and hang on.
Continuous improvement
Network security, optimised networking and business continuity: Fortinet’s continuous improvement

By Gary Gardiner, Director of Technical Support, APAC at Fortinet

Network security is moving beyond firewalls, advanced threat protection and data leak prevention into network optimisation and business continuity. Security is increasingly being seen as a business process enabler as opposed to simply an adjunct to your company’s IT infrastructure. And as more and more enterprises migrate mission critical applications into the cloud, business continuity and return on investment are becoming key considerations for executives as they evolve their infrastructure from cost centres into agile and elastic organisational assets. One company driving this transformation is Fortinet. Since its establishment in 2000, Fortinet has been at the forefront of security innovation and delivery. Its FortiGate firewalls have set the benchmark for comprehensive protection and speed since their introduction as UTM (Unified Threat Management) appliances in 2004; its FortiGuard Labs employs more than 250 expert researchers and analysts around the world and collects data from more than two million sensors to protect more than 270,000 customers every day. And its acquisition of security information and event management (SIEM) solution provider AccelOps earlier this year has expanded Fortinet’s functionality well beyond traditional security.

Three key innovations

Three innovations in particular set Fortinet apart: the FortiOS operating system, the FortiASIC ‘system on a chip’ architecture and internal segmentation. FortiOS operates in concert with your entire network environment to protect every component from the server to the client and into the cloud. The FortiASIC chip ensures low-latency operations up to five times faster than comparable solutions. Internal segmentation compartmentalises data and applications, either on-site or in the cloud, so that you can insulate individual groups of users, set multiple policies and contain and minimise the ramifications of any security breach.
When combined with the operational and analysis capabilities provided by SIEM, enterprises now have unprecedented visibility into network traffic patterns and, by extension, all business processes. This granular level transparency enables organisations to optimise network operations, gain maximum value (indeed, it allows them to quantify IT spend versus performance, the ultimate benchmark for measuring ROI) and ensure that mission critical application services maintain maximum uptime for business continuity.
Internal segmentation: Protection into the cloud

Ensuring business continuity as enterprises move mission critical application services into the cloud can be problematic for risk management. Fortinet’s unique segmentation architecture isolates applications and data regardless of where (in-house or in the cloud) or how (physical, virtual or software-defined) they are stored and accessed. Indeed, Fortinet has been increasing its market share in the MSSP (managed security services provision) arena because internal segmentation is ideally suited for multi-tenant deployments. In addition, Fortinet’s granular-level visibility ensures that MSSPs can provide comprehensive traffic and activity reports for individual customers and groups of users.

Continuous improvement

Fortinet has evolved into a network optimisation and business continuity solution provider based on market-leading security technology, granular visibility and upstream and downstream SIEM analysis. Any security events can be immediately identified, contained (via segmentation) and mitigated, resulting in minimal downtime, regardless of where on the network, in the datacentre or in the cloud they might occur. With real time traffic monitoring, including internal ‘east-west’ traffic inside the datacentre, you can see exactly which application resources use which data sets. And from there you can quantify how much resource each application service requires and correlate the costs to the benefits received. Cost accounting, risk reduction and maximising uptime are now functions of your network security infrastructure and no longer separate disciplines. This merging of governance imperatives is changing the way Boards look at their security profile. This transformation is being driven by a parallel convergence in network operations. And Fortinet is out in front on both counts.
About the author Gary Gardiner, Fortinet’s senior security executive in APAC, is a seasoned network security professional with hands-on and management experience in every aspect of security across many different vendors, solutions and verticals. As a technologist, he understands the challenges and solutions. As a ‘C-level’ executive, he also is acutely aware of the drivers and challenges facing Australian organisations.
Integrated Security Fabric delivers business continuity
Fortinet’s end-to-end Security Fabric delivers:

• Transparency at the granular level
Driven by the industry-leading secure operating system FortiOS and powered by the third-generation FortiASIC SOC3 (System-on-a-Chip) architecture, no other security vendor comes close to providing the depth and breadth of security solutions. With the lowest latency on the market and real-time security updates from the global FortiGuard Labs, Fortinet is the security solution of choice for enterprise-level data centres.

• Fully integrated
Fortinet’s Security Fabric solutions work together seamlessly to provide trouble-free installation, centralised configuration and ‘single pane of glass’ management. Combined with the FortiGuard Labs’ real-time security updates, Fortinet’s Security Fabric will always be armed with the very latest threat intelligence and detection / mitigation algorithms.

• Extending security to business continuity
When you install Fortinet Security Fabric solutions, you are investing in business continuity. With Fortinet’s Security Fabric, nothing that happens on your network goes unnoticed: intrusions, data leaks, DDoS attacks, system slowdowns or simply business as usual. Fortinet gives you unprecedented visibility into your network’s performance and virtually eliminates the ‘window of vulnerability’ that can result in interruptions in service delivery.

• Validated performance
NSS Labs has awarded Fortinet’s Security Fabric their highest recommendation. NSS certified that Fortinet’s ATP solutions detected 100% of exploits delivered by social media and drive-by downloads. Fortinet has also received NSS Labs’ recommendations for the FortiGate data centre intrusion prevention system, FortiClient endpoint protection and FortiWeb web application firewalls, amongst others. NSS has validated Fortinet’s security effectiveness above 99%. That, combined with industry-leading performance, delivers what you need to ensure fast, secure operations and business continuity.

AT A GLANCE
• Advanced Threat Protection

FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 6000 email@example.com

FORTINET SECURITY FABRIC CORE SOLUTIONS
Fortinet’s Security Fabric is built around a core set of solutions, anchored by the FortiGate firewalls, that provide security from the server to the smartphone, into the cloud and everywhere in between.
• FortiGate next-generation enterprise firewalls / data centre intrusion prevention
• FortiSandbox, FortiMail and FortiClient advanced threat protection (ATP)
• FortiWeb web application firewalls
• FortiAP, FortiSwitch and FortiCloud secure access solutions
• FortiSIEM, FortiManager security operations and network optimisation
• FortiGuard Enterprise Service Bundle real-time subscription-based security updates

FORTINET SECURITY FABRIC: PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS
Do we have IT right? Perth Conference 2016, 25th November, Crown Perth
The economics of security By Bruce Schneier
You’ve all heard of Moore’s Law, but there’s a lesser known law called Metcalfe’s Law, and that is: “The value of a network equals the square of the number of users.” Take one phone – it’s useless; two phones are at least useful; a thousand phones is a network; a million phones are suddenly essential. So, is this true for real networks? A network of cell phone users, email users, SMS, Skype, and Facebook. And is it also true of a virtual network, the network of Windows versus Mac users or iOS versus Android users? The more people use a thing, the more valuable it is for each one of us that uses it. This notion of network effect lends itself to a single dominant player in the marketplace. Think of Facebook. There was a time when you were not on Facebook because it was too small; now it seems to be the time when you have no choice but to be on Facebook because you would never speak to your friends otherwise. That’s the network effect. It’s true for Skype. It’s true for any application: the more people on it, the more likely you are to be on it. So a single player wins, because that’s what makes sense.

Fixed Cost versus Marginal Cost

The second piece of IT economics is fixed cost versus marginal cost. In any product, there are two sets of costs. There is the cost to develop the product, and the cost to create the one of it that you’re buying. So for a normal product like a chair, someone designed it and they were paid, then the company made a lot of chairs, and that development cost was amortised into the per unit cost that, say, a hotel paid when they bought the chairs. In IT, pretty much all the cost is in development. The first copy of Microsoft Windows, for example, cost $20 million (I’m making this up); the second copy is free. So, what this means is that stealing the results of development is a very powerful attack. This is true not just for software; it’s true for movies, for music, for pharmaceuticals, and this is why you see so much effort going into protecting the development costs. In other cases, the high fixed cost becomes a barrier to competition. Once Google maps the world, it’s hard for someone else to come in. A company like Google can further cut the costs to zero to prevent further competition coming in.

Switching Costs

The third piece of IT economics is the notion of switching costs. The switching cost is the cost for you as a consumer to switch to a competing product. Normally switching costs are low. Think about Coke versus Pepsi. You drink a Coke and you don’t like it, you drink a Pepsi tomorrow. That means that Coke had better taste good. Compare that to where the switching costs are high: I have a cell phone, I use AT&T. If I don’t like AT&T’s service I am still kind of likely to use it tomorrow, because the cost of switching cell phone providers is pretty high. I don’t like my operating system; it’s really hard for me to switch. In IT, switching from one product to another can be really expensive: it is retraining of staff, rewriting of applications, it is converting data. So, here is the thing of it: the higher the switching costs, the more a company can piss you off before you switch. They can provide you with a lower quality service because they know that switching is hard, and companies do all they can to keep switching costs high. This is why you see proprietary file formats, non-compatible accessories, programmes that won’t let you take your data with you when you leave. It is all designed to keep switching costs high, because that basically allows them to keep customer service low, and that is cheaper.

The Lemons Market

The fourth and last piece of IT economics is the notion of a lemons market. This actually came from an economist who won a Nobel Prize called George Akerlof; he studied markets with an asymmetry of information, a concept he thought up himself. Basically, markets where the seller knows a lot more about the products than the buyer. So think of the used car market: the seller knows a lot about the cars he sells, and you as the buyer know pretty much nothing. In those markets (I will spare you the economic math), in products where the seller knows more than the buyer, bad products drive good products out of the market. This is true for a used car market, and it’s true for IT security. This is why in the 1990s the best firewalls didn’t survive. This is why in the 2000s the best IDS programmes didn’t survive. Because we live in a lemons market. And in a lemons market buyers tend to rely on what economists call signals. So the different signals are warranties – the used car market is full of warranties: take a car home, drive it for a month, and if you don’t like it, you bring it back. Certifications, awards… have you ever wondered why our industry chases those dumb awards all the time? They’re signals. Awards, reviews, certifications, anything a buyer can jump on and say, “I’m going to do that! I don’t know how to choose, but this one won an award and this one is certified to ‘this’ standard.”
EDITOR’S AISA NATIONAL CONFERENCE TAKEAWAYS

This year’s AISA National Conference in Sydney presented a who’s who of vendors and an international line-up of keynotes, including best-selling author and security expert Bruce Schneier. It is no surprise that the event sold out. AISA has firmly established itself as a host of cyber security conferences not to be missed. Well done to Arno Brok and the team on an increasingly impressive event. Later this month we will be in Perth for the AISA WA Conference.
AISA Opening Presentation with Adrian Turner, Cyber Security Growth Centre

As our 2016 My Security Media lead partner, Huntsman was appropriately a centrepiece outside the main theatre with a display of their safe automation and real time analytics platform. Huntsman’s focus over the last 12 months has been on promoting next generation SIEM technology. Michael Warnock, Director of Sales, correctly pointed out that legacy systems just haven’t delivered on the promise of a security eco-system to the necessary level. The challenge remains the emergence of the Internet of Things and the numerous solutions on offer, from the end point to SIEM, while there remains a lack of time and skilled resources on SOC teams, which are already being stretched. Huntsman’s SOC platform gives a greater correlation between events, removing any false positive alarm events and giving the customer the ability to automate. Moving from established manual controls to system automation is a big step, but this platform promises to take a detected or suspected threat straight to a safe place for sandboxing. Threats could be a piece of malware or an internal person’s mischievous behaviour. The Huntsman system allows the SOC team to start hunting in proactive investigations against targeted and highest priority attacks, as opposed to just being reactive. The evolution has been towards high speed processing and automation. Alongside traditional SIEM, the platform also incorporates machine learning and a real time threat intelligence module in the form of behaviour anomaly detection (BAD), which has been applying an Artificial Intelligence (AI) based patent for the last 8 years. Huntsman has two products, one for the Managed Security Service Provider (MSS) and a Cloud Edition. As Sales Director, Michael’s focus is expanding enterprise awareness: “we find that a majority of the large enterprise clients, such as the top 50 -100 Australian organisations, are quite ‘cyber-security’ mature but those below this level are definitely behind, and we see them as being our commercial sweet spot.”

Huntsman is experiencing year on year growth, not just in Australia but throughout Asia. With responsibilities across Asia, Michael Warnock has also managed the growth across APAC, with deals such as with SMART Communications, a leading telco in the Philippines, and reports in Japan of massive sales growth. Huntsman’s UK Operations are soon to announce a key partnership with a very large MSSP to take the product to Europe, and this activity is also opening doors into the US market. Singapore is also a key APAC location for the company; they are working closely with the likes of Microsoft and Cisco on further developing the Cloud platform and have been selected by Microsoft to participate in the Smart Cities Road Show, rolling out later this month. As an Australian based company, established in 1999, Huntsman remains proud to have serviced its first customer, the Department of Defence, since 2003. Huntsman has progressed to a leading position in the market and is now enabling customers to consume security as a pure service. The Huntsman platform is moving from a subscription based model to a utility model, a pricing model based on per terabyte of log data. As Michael proudly proclaims, “we’re highly competitive and this technology is our own”. You’ll have a chance to check out the Huntsman platform at the upcoming Microsoft Smart Cities Road Show and AISA’s Perth Conference, 25 November 2016.
TANIUM

Tanium was making a debut at AISA with its single server, patented technology platform which creates a linear chain of computers across the network. Using a system agnostic tool to extract all network data points in real time, this is an impressive, scalable, self-aware and self-healing system. We had the chance to speak to the Director of Security, Andre McGregor, and Director of Technical Account Management, Chris Hallenbeck, about the system’s capabilities. To best highlight the system’s usefulness, the mega retail chain Walmart was highlighted as an ideal end user example, with the company’s 13,000 servers reduced down to just one and, with such a dramatic reduction, a significant improvement in the efficiency of Walmart’s network communications. I was briefed on the Tanium Dashboard and operating platform by David Shephard, Tanium’s Regional Director, and the system presents as a valuable tool for any SOC or even just an IT Operator trying to maintain a trusted and verifiable network environment. One of the advantages is the apparent back to basics capability of full network visibility, allowing an appropriate level of cyber hygiene in accordance with ASD’s Top 35 for application whitelisting and full system and application patching capability. Another user example Tanium was able to present was Wells Fargo, with a massive 350,000 end point network. These end points were scanned and mapped within two minutes to determine there were 40,000 applications installed on the network, despite IT Operations having approved and actively managing only 1,700 applications. These issues were able to be escalated from the company’s local network administrators and immediately raised for the attention of the Company’s Board of Directors to improve enterprise cyber security and system awareness. Tanium is sold and distributed based on a subscription model and priced according to the number of end points.
Ixia and I have kept crossing paths this year, be it in Singapore, Silicon Valley or Sydney. Sitting down with Ixia’s Managing Director of APAC, Naveen Bhat, it was very encouraging to hear the company has reported a positive year. Naveen confirmed, “it has been a good year for us though some have found it tumultuous. Cyber security is a very resilient market and people are spending money. We have had a positive trend for 2016, and Q1 and Q2 results have indicated that. The global market has all been talking about cyber security and we’ve found the enterprise segment and federal government segments are strongest.” Ixia solutions are particularly strong within the US market, as well as across Asia Pacific, and the company is hiring new people for positions in Canberra, Singapore and Japan. Australia is a particular focus. Naveen explained how Ixia sees the threat environment within three main categories and how the company is focusing on how it operates within each. The first is state to state cyber activity, or cyber warfare. Naveen explained, “all nations are adopting cyber security strategies as part of national security and defence systems. Cyber deterrence is the future pillar of 21st Century diplomacy but also has the potential to change geo dynamic balances.” The second category is cybercriminals against the enterprise, which covers a broad spectrum from cyber espionage, data breaches, brand equity loss and financial compromise. Then the third category is the cybercriminal against the consumer, such as that seen with ransomware.
CROWDSTRIKE

Founded in Irvine, California five years ago, CrowdStrike has welcomed an industry veteran as VP Technology Strategy in Michael Sentonas to launch its intelligence solution as a next generation AV (anti-virus), EDR (Endpoint Detection and Response) and hunting tool. Ideal for IR (Incident Response) projects, Michael speaks very highly of CrowdStrike’s Russian born founder Dmitri Alperovitch and impressively referred to the DNC hacks and the naming of the Fancy Bear and Cozy Bear teams. To refer to the CrowdStrike reference blog, the CrowdStrike Incident Response group was called by the Democratic National Committee (DNC) to respond to a suspected breach. CrowdStrike immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. “We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.” The ‘Bear’ reference refers to the Russians, just as the ‘Panda’ references refer to the Chinese. These are an easy and smart way to refer to such nation-state actors.

CrowdStrike was also tracking the actor under the cryptonym of ‘Silent Chollima’ and has deemed them responsible for intrusions dating back to 2006. Silent Chollima was the actor revealed by the FBI in late 2014: “As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions against Sony Pictures Entertainment.” … The vast majority of these attacks have been conducted against South Korea, including intrusions into their government and military systems to steal sensitive information, as well as destructive attacks against their financial and media sectors. The first major destructive attack that we detected from Silent Chollima occurred on July 4, 2009, when large DDoS attacks were launched against over thirty websites in the U.S. and South Korea, including those of the White House, Pentagon, and major e-commerce and financial services companies.

CrowdStrike is now released across 176 countries and looking to expand further across international markets with a wider client portfolio. It has been six months since the last round of funding through Google Capital in Series C, raising US$100M, and it recently announced a new APAC presence, including a new Sydney office and new people hired in Canberra. CrowdStrike’s product strategy is to focus on the key aspects of network protection, taking a step back and identifying the underlying issues, appreciating that 40% of the big breaches happen as a result of malware but 60% are from misconfigurations and poor credential management, allowing the malicious or unintended insider threat to be effective. Michael concedes that “traditional technology is not delivering and customers can’t keep rolling out new signature detection or version upgrades.” CrowdStrike seeks to combine security management, system detection and response and threat hunting as a service. The combined approach goes beyond the traditional to leverage machine learning in the Cloud. The standalone machine learning has been put into VirusTotal for the industry to evaluate and for people who are not customers of CrowdStrike to be able to use. The machine learning scanning system works particularly well for commodity based attacks and applies other features which identify the indicators of attack and allocate rules around what a process is doing, as well as what it is trying to execute. The CrowdStrike Indicators of Attack (IOAs) are leading detectors of ransomware and set out to stop the process pre-encryption, without the need for updates, and sound black and white listing is a key strength of the EDR.
NUIX
With a job title such as ‘Director of Advanced Threats and Countermeasures and Director of Security North America’ I’d suggest you know your stuff. Not surprisingly then, that’s the case with Nuix’s Ryann Linn, as we discussed the Nuix threat intelligence platform. Nuix has a range of impressive tools suitable for enterprise, analytics, regulation and enforcement, and the Advanced Threat platforms provide impressive visibility and insight into systems, networks and data. The adaptive security endpoint product draws on hash lists, real-time behaviour analytics and Indicators of Compromise (IoCs). Among the interesting tools are the Nuix Investigative tools, including Nuix workbenches which can process cases and format incident response and forensics. Subscription models are based on a licence per server, with licensed dongles that plug into the machine. The SME (Small to Medium Enterprise) take-up is definitely increasing.
Nuix Insight Adaptive Security combines six security technologies into one lightweight, intelligent endpoint agent, featuring:
• Digital Behavior Recorder™: Continuously monitors and records endpoint activity straight from the kernel, including users, processes, Windows Registry changes, user sessions, DNS queries, file system information, Netflow communications, removable media, and print jobs
• Real-time detection: A multilayered threat detection stack that automatically identifies malicious activity
• Intelligent protection: Includes whitelisting, blacklisting, application control, and behavioral blocking
• Response and investigation: Automated and manual options including incident triage and investigation capabilities, allowing security analysts to search, filter, and organise single or multiple data sets collected by the Digital Behavior Recorder
• Remediation: Allows analysts to terminate malicious processes based on their process identifier (PID) and to delete files and Windows Registry keys
• Deception: Fake listening services that help analysts identify attackers during the reconnaissance phase of their attacks.
JANE FRANKLAND - WOMEN IN SECURITY
Jane Frankland is clearly on a journey, uphill. Women in security, and women entering the security sector, are actually declining. It was therefore refreshing and encouraging to speak to a champion for altering this trend. There is plenty of talk around the cyber security skills crisis, and Jane Frankland disagreed with the notion that passion for cyber security was the key; instead, just having an ‘interest’ in security was enough to be the trigger for women to consider a functional role, or better, ‘a career’ in cyber security. More so, cut to a quick reference to Rik Anderson of Trend Micro, who placed the burden on the employer, whose job it is to nurture their employees’ interest. As Jane crafts her book and continues to champion the cause to encourage and invite women into cyber security disciplines, she has a distinct battle ahead of her. Please encourage her with a LinkedIn follow.
Jane’s writing quickly points to the September 2015 (ISC)² Global Information Security Workforce Study results, published as ‘Women in Security: Wisely Positioned for the Future of InfoSec’. They surveyed nearly 14,000 professionals worldwide and alarmingly revealed that the workforce was predominantly male. In fact, only 10% of information security professionals were female. To make matters worse, the figure was the same as the year before, and had reduced from the year before that, despite the growing demand for more cyber security professionals. Jane responds with three key mistakes being made:
MISTAKE #1: We’re extremely poor at marketing cyber security, especially in schools, colleges and universities.
MISTAKE #2: Women need to see other women succeeding in order to believe that they can succeed too.
MISTAKE #3: Women lack confidence and we're doing nothing to improve this.
As an advocate for the security discipline, it was refreshing to hear Jane point to the ‘key’ that can and will continue to drive change: ‘language’. It is the language of computer science that often denies entry. Within STEM, or STEAM (there’s a preference!), we can essentially block entrance at an early age and literally make mountains out of molehills. Changing the language of computing, security and science can generate a fundamental shift in perception and adoption. Going back to the basics and fundamentals is what is required. Communication skills involve both the ‘visual’ and the ‘doing’, and Jane highlights that “girls are often more attracted to the ‘doing’ than the boys are to the ‘visual’.” Jane also refers to the concept that “women see risk differently than men and are more risk averse, we compete differently and competition is not conducive to a lot of women”. So when competition is perceived, you may not get women having representation. Gamification or team building is better for women, and working in teams is more conducive to women’s involvement. So the industry and all sciences still have a lot to learn and adapt to if the trends are to change. With champions like Jane Frankland, there is at least a chance. Look out for her book, Women in Cyber Security: Standard not Exception, due for release in 2017.
Asia Pacific Security Magazine | 29
FORCEPOINT
Last but not least, and being the last meeting for the conference, we have to appreciate the patience of Forcepoint. But discussing User Behaviour Analysis and Insider Threat is always going to retain my interest. Forcepoint presented itself as the only vendor offering an Insider Threat and DLP solution with visibility and behavioural analytics to baseline normal employee behaviour and quickly identify and record risky behaviour. Guy Elion explained, “the combination of SureView® Insider Threat (SVIT) and TRITON® AP-DATA stops insider theft and the exfiltration of critical data caused by malicious or accidental user behaviour.” Guy confirmed: “This is giving something that is very unique to the market, so not only do you get an alert but you also get a snapshot of the intention of the user. We find the market is very interested in this specific issue within Australia, much more than any other segment on the international market. We also have deployed next generation firewalls that we had acquired from Stonesoft and see plenty of advantages for those customers with distributed environments.” Forcepoint is continuing to make investments in this area for the benefit of customers. Forcepoint is concluding the year having combined the technology and expertise from Raytheon, Websense and Stonesoft to offer a new brand and focus. The re-branding follows the successful integration of the technologies after a series of acquisitions: first of Websense by Raytheon in May 2015, and then of Stonesoft’s next-generation firewall business and technologies, along with teams from Intel Security, in January 2016. We look forward to seeing Forcepoint and all other vendors, plus more, at AISA’s National Conference in 2017! Hope to see you there!
Cyber Security Professional of the Year Pieter Danhieux
Diversity in Cyber Security Award Jacqui Loustau
CYBER EXECUTIVE ENHANCEMENT ROUND-TABLE
A special premier event designed for executives and board members alike. A closed room, vendor-independent round-table discussion with Q&A, so come along and ask your questions.
CYBER SECURITY - DO WE HAVE IT RIGHT? Why are organisations so scared? What should they be concerned about? Cloud? Data classification? Malware? Other threats? How is the rest of our region dealing with these issues? How should we manage or change?
Hear from four leading experts on these key topics and cut through some of what you need to know or do. A roundtable discussion and Q&A will be held, so come along and ask questions.
This event will help address fears, barriers, roadblocks and perceptions of organisations and individuals around cyber security - “the reality and the myths” - and ultimately get to the bottom of what are the “real” things to worry about or manage.
Speakers:
Allan S Cabanlong, ASEAN Eng., Executive Director, Cybercrime Investigation and Coordination Center (CICC), Philippines
Dr. Amirudin Abdul Wahab, Chief Executive Officer, CyberSecurity Malaysia
Phillip Russo, Cyber Investigator and Digital Forensics Expert, CIA Solutions
Gary Hale, Director, Cyber Security & Innovation, Cisco
Friday 25th November, 2016, 8.00 am - 1.00 pm. Invitation only, places are limited. RSVP no later than 5pm Friday 04th November. Invitation extension: after lunch you are welcome to attend the AISA Perth Conference 2016 running in parallel.
Venue: Crown Perth. Cost: Nil. AISA Perth Conference 2016 registration & enquiries, please contact: Mourad Khalil +61(0) 403980718 | firstname.lastname@example.org; Daisy Sinclair +61(0) 415780257 | email@example.com
AISA invites all individuals with an interest in information and cyber security to become members. If on the other hand you or your organisation are keen on sponsoring the AISA Perth Conference 2016 event you may do so through the link.
BECOME A MEMBER
What really happened? Why it’s so hard to get the truth when investigating an incident
By Tony Campbell, ASM Correspondent
Something that all incident responders need to be reminded of is that people lie. When you start to look into the root cause of a security breach, there will almost certainly be times when you ask questions of certain users, administrators and even external agents, where the answers are often intentionally not as accurate as they could be. Let’s take a look at a few of the reasons why this can happen and ways you can cut through the lies and get to the truth of the matter.
Start with the Helicopter View…
When the red lights start flashing and the warning klaxon sounds, the incident manager sweeps in and starts gathering information about what happened, who it happened to and what’s been affected by the ‘event’. They would start by figuring out who was doing what when the problem was first detected, usually by asking simple questions like who was accessing the account that’s been compromised, or finding out whether any new software (changes) had been rolled out to the affected systems. The details that the incident manager gets in these very early stages of the process are then used to frame and characterise the attack, which can then be used to find further clues that may lead to solving the case.
This is where the problems can start. If a priority 1 incident has kicked off as a result of an administrator not doing something they should have done, or because a user has plugged in that USB thumb drive they found in the car park, their first reaction will be to lie to protect themselves. “Have you plugged anything foreign into that PC?” you say. “Ummmm, nope,” they reply, casually glancing at the door and scratching their nose. To try and coax people into telling the truth, try a different line of questioning, maybe starting with some irrefutable evidence from the systems that they won’t be able to deny. So, instead of saying, “Who’s put a dodgy USB drive in our computer system?”, you could instead find out who was logged in at the time the incident kicked off and tell them that attackers have been targeting businesses with USB disk drops, and that you’re looking for that user to help in the investigation and to assist in determining how the attackers are targeting the business. This makes them feel part of the solution: instead of feeling guilty they feel empowered to help fix the problem and ensure others don’t end up in the same situation.
Getting the widest possible viewpoint of the situation, taking that helicopter view, will help you look at the problem from another perspective, which in itself can help lead to the root cause. Call in a variety of subject matter experts to look at problems from different perspectives, since each of those viewpoints will yield its own special kind of intelligence for your investigation. A typical scenario might be that an administrator sees an unexpected spike of network traffic from a soon-to-be-retired server. If you know this, you can then go and grab the logs from that server and get one of your analysts to start looking for more clues. Generally, you should try and have a subject matter expert on the incident management team explore each of the viewpoints relating to the incident (network, servers, firewalls and other security systems, etc.), keeping their investigation as broad as possible at first rather than jumping down the rabbit holes they discover.
Spot the Difference: Observation or Assumption
The incident manager has to be able to distinguish between facts and assumptions. Assumptions are ideas or conjectures that are often stated as fact, rather than corroborated truths with proofs. If a lazy administrator says, “The attacker has clearly exploited a vulnerability in the firewall,” then once this is committed to the incident management team it is treated as fact. As a conjecture, however, it profoundly distorts the investigation, focusing team effort on investigating the wrong vector of the attack. If you hear ‘facts’ like that being stated by engineers and subject matter experts in certain applications or systems, dig into the proofs each time to see why they are stating this as a fact. Evidence requires proof that it is genuine, so look for that evidence and take no one’s word as gospel.
Spot the Difference: Observation or Hearsay
Have you heard of Chinese whispers? Most of us have at one point in our lives played the kids’ game where a sentence is whispered to the next person in a row, and when the message gets to the end of the row that kid states what they thought was passed on. It’s often an extremely distorted version of what was originally said, especially as the chain gets longer and longer as more kids join in. This also happens in businesses. If a couple of engineers get together, let’s say, for example, a desktop engineer and an IPS manager, what the IPS manager tells the desktop engineer may sound like a load of nonsensical security speak. However, an incident has just kicked off across the desktop fleet and the desktop engineer repeats to the incident manager some of the misunderstood nonsense he picked up from the IPS guy. This could turn an innocent false positive event he was investigating into what the desktop engineer might consider the root cause of the issues, which will invariably waste a lot of incident management time before it’s called out as a red herring. Incident managers must always distinguish between first-person observations, like, “I read the log file and found…”, and hearsay, “Eric said he discovered … in the log file”. Don’t trust anything passed to you that might be hearsay: track down the source and check it.
Spot the Difference: Observation or Hypothesis
Sometimes when people are careless or untrained in certain situations, they find it hard to distinguish between what they saw and a conceptual construction of what they think they saw. In the example about the desktop engineer and the IPS guys, the desktop engineer has now taken what he thought he understood and rationally, in his mind at least, deduced that he now knows what the problem is. But that's an assumption. This can also occur when someone thinks that maybe there’s a flaw in the desktop and then proceeds as if that were true without testing their hypothesis. “So, this desktop vulnerability can be exploited by this kind of magic packet attack, which the IPS guys have already seen today, so we need to quickly patch all these right now to fix the problem.” This is, of course, a ridiculous example, but you see the importance of cutting through the assumptions, instead looking for real eyes-on observations of fact. Observation wins every time over a pseudo-expert’s hypothesis, especially as these engineering types can be so convincing. Maybe it’s a good thing to patch the desktop later anyway, but it doesn’t follow that it’s the priority you need to consider right now in the middle of managing this incident.
Use a Hypothesis, Challenge it and keep Challenging it
People often think in absolutes, with their perception of the facts being somewhat bounded by their own limited knowledge. Furthermore, people are often willing to accept the null hypothesis, being happy that there’s nothing there, without knowing for sure. Rejecting the null hypothesis does not prove that a specific alternate hypothesis is necessarily correct. The evidence instead restricts the full range of reasonable hypotheses that we could use to dig further into the case. We come up with explanation after explanation until what’s left is just a smaller set of explanations, but that does not mean that one of them has to be right. Scientists will tell you that they can never prove an absolute truth, only that, within the boundaries of what they know, they currently have no evidence to the contrary.
Conclusion
Incident management is hard. But the job is often made harder by facts being skewed by conjecture, by people’s unwillingness to admit when they did something stupid, or by people not wanting to look like they don’t know what they are talking about. You need to find ways to cut through the hearsay, conjecture and lies if you are going to resolve an incident in a timely manner. Sometimes in cybersecurity, it’s more about the people than it is the technology.
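The helicopter-view section above recommends going to the systems for “irrefutable evidence” (who was logged on when the USB drive appeared) before asking the user anything. The following is an added example of that step, not code from the article or its author: it pairs logon and logoff records per host into sessions and then finds the user whose session covers the moment a removable device was inserted. All records are constructed for the example; the host names, user names and device serial are invented, and the comment naming the Windows event sources is an assumption about where a real investigation would pull these lines from.

```python
"""Who was logged on when the removable drive appeared?

Added example (not from the article). Before interviewing anyone about a
suspected USB drop, pull the answer from the systems: pair the logon and
logoff records for each host, then find the user whose session covers the
moment the device was inserted. All records below are constructed for the
example. Assumption: on a real Windows fleet the logon/logoff lines would
come from event IDs 4624/4634 and the device insertion from Plug and Play
auditing (event 6416) or the USBSTOR registry key on the endpoint.
"""
from datetime import datetime

# Constructed logon/logoff records: timestamp,host,user,action
LOGON_RECORDS = """\
2016-10-18T08:02:11,WS-0417,alice,logon
2016-10-18T08:15:47,WS-0422,bob,logon
2016-10-18T12:01:03,WS-0417,alice,logoff
2016-10-18T12:05:30,WS-0417,carol,logon
2016-10-18T16:44:09,WS-0422,bob,logoff
"""

# Constructed removable-media events: timestamp,host,device serial
USB_EVENTS = """\
2016-10-18T12:21:58,WS-0417,SANDISK_CRUZER_4C530001
2016-10-18T17:02:40,WS-0422,SANDISK_CRUZER_4C530001
"""


def parse_timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_sessions(records):
    """Pair each logon with the next logoff for the same (host, user).

    A logon with no later logoff is still open (end=None). A logoff with no
    matching logon is a gap in the evidence and is skipped rather than guessed.
    """
    open_logons = {}
    sessions = []
    for line in records.strip().splitlines():
        when, host, user, action = line.split(",")
        key = (host, user)
        if action == "logon":
            open_logons[key] = parse_timestamp(when)
        elif action == "logoff" and key in open_logons:
            sessions.append({"host": host, "user": user,
                             "start": open_logons.pop(key),
                             "end": parse_timestamp(when)})
    for (host, user), start in open_logons.items():
        sessions.append({"host": host, "user": user, "start": start, "end": None})
    return sessions


def users_logged_on(sessions, host, at):
    """Users with an interactive session on `host` covering the instant `at`."""
    return sorted(s["user"] for s in sessions
                  if s["host"] == host
                  and s["start"] <= at
                  and (s["end"] is None or at < s["end"]))


def correlate_usb_events(events, sessions):
    """For each device insertion, list who was logged on at that moment.

    An empty user list is itself a finding: nobody had an interactive session,
    so check service accounts, remote sessions or clock skew between the two
    log sources before accepting 'nobody' as the answer.
    """
    findings = []
    for line in events.strip().splitlines():
        when, host, serial = line.split(",")
        at = parse_timestamp(when)
        findings.append({"time": at, "host": host, "serial": serial,
                         "users": users_logged_on(sessions, host, at)})
    return findings


if __name__ == "__main__":
    for f in correlate_usb_events(USB_EVENTS, parse_sessions(LOGON_RECORDS)):
        who = ", ".join(f["users"]) or "no interactive session found"
        print(f"{f['time']} {f['host']} {f['serial']}: {who}")
```

On the constructed data the first insertion on WS-0417 resolves to carol (alice had logged off twenty minutes earlier), while the second insertion on WS-0422 resolves to nobody, which is the case to chase rather than close. That is the conversation starter the article recommends: an observation from the logs, not a question that invites a denial.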
Digital technology vs national security threats
By Josh Kennedy
It’s no secret that digital technologies have changed everything. What were once just predictions of the future have emerged rapidly onto the market, and governments, businesses and citizens now expect high-speed, secure access to the Internet, 24x7 online services and near-instant global sharing of information as the norm. It’s exactly this enthusiastic embrace of digital technologies, so powerfully represented in the 289 million Twitter users and nearly one-and-a-half billion Facebook accounts, that also offers a new route to exploitation by threat groups. From extremism to foreign state espionage, cyber threats or proliferation activities, the use of online means to recruit and task vulnerable citizens is adding an unwelcome burden to the high-pressure workload of national security agencies. This is why it is more vital than ever to stay one step ahead of security threats through a paradigm shift in the core operating model of these government agencies.
Traditionally, national security agencies knew what data they needed and where to find it. Today, gaining real-time insights from a large, fragmented and ever-changing pool of data is like looking for a needle in a haystack, one that is expanding at an ever-increasing pace. Current approaches to the collection, analysis, development and use of intelligence from open-source information (including social media, websites, blogs, online news, web fora and similar) are quickly becoming outdated as technology evolves at breakneck speed.
What’s changing?
Today, national security agencies’ operational advantages are at risk from rapid advances in technology. Further, the maturity of opponents’ technical security tradecraft, and the struggle to keep up with these advancements, is omnipresent across all regions of the world. Violent extremists have operational security (OPSEC) manuals and even a 24-hour help desk to aid in the worldwide recruitment and conduct of terror, an unprecedented and frightening prospect. Following the San Bernardino attacks that left 14 people dead, it was reported that authorities had failed to detect social media posts sympathetic to violent jihad on one of the killers’ accounts during the immigration screening process. Whilst a task such as immigration screening may seem instinctive for officers in such a role, without the time or resources for deep and accurate analysis of every case that arises, the ability to use advanced analytics to integrate covertly-acquired intelligence with open-source information becomes a highly limited proposition for national security agencies. Governments are slowly but surely becoming aware of the increasing difficulty in combating digital threats, and recognise that a cross-agency picture is required. The Australian Strategic Policy Institute (ASPI) has echoed this and recommended harnessing communication, marketing and social media experts to fight new propaganda challenges. They’re also investing AUD $21 million to build a stronger social media counter-narrative capability. But where the disruption to market is so high and the outcome of not acting can be so devastating, the call to action must go beyond recognition and awareness alone. Governments need to enhance their capability to tackle traditional threats through smart investment in digital technologies, developing rapid responses that either prevent future incidents or more effectively respond to those already underway.
What can be done about it?
Step 1. Use digital technologies to enhance information-sharing and collaboration
Public safety technology can supplement existing approaches to information-sharing and collaboration to accelerate and enhance intelligence. Advanced digital and collaborative tools enable national security agencies to pre-empt threats, target violent extremists, and counter extremist narratives online. The ability to collect, analyse and develop actionable intelligence from data shared between multiple agencies significantly increases capabilities without the need for additional resources. Using digital tools to share such data can elicit a response more effortlessly, securely and effectively than by sending and receiving unstructured text requests. Matching data models, ontologies and taxonomies, as well as the auto-processing of data and the use of joint analytical tools, can greatly increase the speed and scope of information-sharing. Taking advantage of secure, private cloud solutions can enable national security agencies to benefit from a larger, consolidated pool of data (as appropriate under law) to identify threats or avenues of enquiry.
Step 2. Seize digital transformation opportunities
There is no single solution to combat existing and emerging threats, but by using the same emerging technologies that opponents are using, national security agencies can enhance operational effectiveness. Islamic State are currently using social media to reach out virtually to promote and recruit nationally and internationally, and to collaborate with potential future members. With 46 per cent of social media users actively discussing news items online, it is easy to see why digital makes an attractive radicalisation platform. But this vast data pool can be exploited by national security agencies, too. Historically, no-one questioned the effective analysis of call data records; today, social media and other digital and online sources of information are being assessed as ways to support predictive policing or intelligence activities in the future. Applying public safety technologies that make use of a wide range of content analytics (including sentiment analysis, word analysis, opinion mining and natural language processing) to open-source information can help prevent and detect threats. National security agencies operate in a digital world where vast amounts of relevant information reside in the public domain. It is not a case of whether to use any or all of a range of public safety technologies, but rather how to employ them in the right way to manage the growing diversity of both threats and data. By being pro-active and innovative in their usage of data, and by adopting new digital technologies, government leaders can support safe and secure nations and enhance national prosperity for the benefit of all.
Joshua Kennedy White is Accenture Australia’s Intelligence & Homeland Security Lead.
Worrying statistics Inaugural cyber security survey for Australia
While it’s natural to assume large companies with large revenue streams would have the right measures in place to protect their assets, preliminary results from BDO Australia’s inaugural cyber security survey prove otherwise. In a first for the industry, BDO has teamed up with AusCERT, the Australian cyber emergency response team, to conduct an in-depth industry cyber security survey, the outcome of which will help the market understand the challenges businesses and organisations face in the online world. Following some recent high-profile cyber-attacks, more and more companies are now being urged to be extra diligent with their cyber security and put the right measures in place to protect their intellectual property and assets. However, what was most astounding from the recent survey results was the number of Australian businesses that aren’t protected, with nearly 85% of companies with gross revenue greater than $1 billion fully exposed to cyber risk. These are worrying statistics given that cyber-attacks and data breaches are a very real concern and the implications for businesses of this scale can be catastrophic. It also shows that cyber security insurance is very much still on the agenda. The good news is that protecting your business is certainly not an unmanageable process, and those businesses that are prepared are the ones that will prevail should a cyber-attack ever occur. Preparedness comes in a range of forms, and when protecting assets, insurance is the logical fallback. While purchasing insurance could act as a security blanket for your board and executive, it’s imperative to determine to what extent cyber insurance is required for your business.
With that in mind, here are six simple steps you should take to better understand your cyber risks and determine whether you need cyber insurance for your business.
1. Perform a risk assessment of your environment to understand your current cyber risks
The first thing decision makers need to be clear on is identifying the company’s critical systems and information assets, and understanding who, in terms of cyber criminals or hackers, would be interested in them. You cannot be expected to understand what level of protection you need if you are not clear about which assets may be vulnerable.
2. Quantify these risks and model the potential impact they will have on your business. For instance, what is the financial impact to your business if you experience a cyber-attack you can’t defend against?
Once you have completed the first step, you should then start to consider the real implications. Ask yourself what the implications would be if the information in those systems were under the control of cyber criminals. Once you understand the implications, it gives you a much clearer picture as to what the risks associated with those assets are. You then need to assess the cyber security controls for your critical assets and determine whether these are working effectively. This will highlight the risk exposure you have for those assets. Using risk modelling techniques, such as Monte Carlo simulations, you can then model and quantify the financial impact this will have on your business if not remediated.
3. Evaluate risk exposures and assess whether you are comfortable with the level of risk to your business, or whether you need cyber insurance to cover it. For example, are you comfortable with the financial impact to your business, or do you need insurance to cover this risk?
Here is the real pinch point to decide whether cyber insurance is the right thing for your business: you are now at a point where you can evaluate the risk exposure. For example, what will the costs be to respond to and recover from a data breach in one of your critical systems, versus remediating or implementing stronger security controls to better protect the asset and the data records? This cost-benefit analysis needs to be repeated for all those risks and assets where there is a risk exposure, to understand whether implementing stronger cyber security defences outweighs the cost of insurance to cover the risk. So, once you understand the cost to remediate versus insurance costs, your key decision makers need to assess the level of risk against the investment required to manage the risk exposure.
4. Implement a security risk remediation program to address the gaps you want to close
Remediating the risk exposure is highly recommended, as this will allow you to establish better defences against cyber attacks, as opposed to only getting cyber insurance. This approach will allow you to be better prepared in the long run. Some of the key activities in a remediation program should include:
• Implementing stronger security controls and defences for your critical assets, e.g. applying the latest security patches, enforcing stronger passwords, and implementing web application firewalls
• Implementing security monitoring to detect security incidents on your critical assets early
• Establishing a cyber incident response capability to allow you to rapidly respond to, and recover from, cyber incidents
• Providing targeted cyber security awareness and education to your staff.
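Steps 2 and 3 above ask you to quantify the financial impact with a Monte Carlo simulation and then weigh remediation against insurance. The following is an added worked example of exactly that calculation; it is not from the BDO article or its survey. Every figure in it is a constructed assumption for one hypothetical asset (a customer database): the annual breach probability before and after the step 4 controls, a three-point (minimum, most likely, maximum) loss estimate sampled from a triangular distribution, an annualised remediation cost, and a policy with a premium, deductible and cap. The decision rule (lowest expected annual cost wins) is the simplest defensible one and is my choice, not the article's.

```python
"""Monte Carlo quantification of a single cyber risk, and the accept /
remediate / insure decision that follows from it.

Added example, not from the BDO article or survey; every figure below is a
constructed assumption for one hypothetical asset (a customer database).
The per-breach loss is a three-point estimate (minimum, most likely,
maximum) sampled from a triangular distribution, which is what you usually
have when the inputs come from a workshop rather than from loss history.
"""
import random
import statistics

# Constructed scenario inputs (assumptions, in AUD)
P_BREACH_NOW = 0.30        # chance of at least one damaging breach per year, as-is
P_BREACH_FIXED = 0.05      # after patching, MFA and a WAF in front of the app
LOSS_LOW, LOSS_MODE, LOSS_HIGH = 200_000, 500_000, 3_000_000
REMEDIATION_COST = 60_000  # annualised cost of the control programme
PREMIUM, DEDUCTIBLE, CAP = 150_000, 50_000, 2_000_000


def simulate_annual_losses(p_breach, low, mode, high, trials=20_000, seed=7):
    """One simulated year per trial: either no breach (loss 0) or one breach
    with a loss drawn from the triangular estimate."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < p_breach:
            losses.append(rng.triangular(low, high, mode))
        else:
            losses.append(0.0)
    return losses


def summarise(losses, tail=0.95):
    """Expected annual loss, the tail (e.g. 95th percentile) loss and the
    probability of any loss at all."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(tail * len(ordered)))
    return {
        "expected": statistics.mean(ordered),
        "tail_loss": ordered[idx],
        "p_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


def retained_loss(loss, deductible, cap):
    """What the business still pays on one loss under a policy with a
    deductible and a cap: the deductible, plus anything above the cap."""
    if loss <= 0:
        return 0.0
    return min(loss, deductible) + max(loss - cap, 0.0)


def compare_options(baseline, remediated, remediation_cost, premium, deductible, cap):
    """Expected annual cost of accepting, remediating or insuring the risk."""
    options = {
        "accept": statistics.mean(baseline),
        "remediate": statistics.mean(remediated) + remediation_cost,
        "insure": premium + statistics.mean(
            [retained_loss(x, deductible, cap) for x in baseline]),
    }
    return options, min(options, key=options.get)


def run_scenario():
    """Simulate the as-is and remediated asset and return the comparison."""
    baseline = simulate_annual_losses(P_BREACH_NOW, LOSS_LOW, LOSS_MODE, LOSS_HIGH)
    remediated = simulate_annual_losses(P_BREACH_FIXED, LOSS_LOW, LOSS_MODE, LOSS_HIGH)
    options, choice = compare_options(baseline, remediated, REMEDIATION_COST,
                                      PREMIUM, DEDUCTIBLE, CAP)
    return summarise(baseline), summarise(remediated), options, choice


if __name__ == "__main__":
    now, fixed, options, choice = run_scenario()
    print(f"as-is: expected {now['expected']:,.0f}, 95th pct {now['tail_loss']:,.0f}")
    print(f"fixed: expected {fixed['expected']:,.0f}, 95th pct {fixed['tail_loss']:,.0f}")
    for name, cost in options.items():
        print(f"{name:>9}: {cost:,.0f} per year")
    print("cheapest:", choice)
```

Two things the numbers alone do not say. The 95th percentile loss is the figure to put in front of the board, because the expected loss hides the one bad year that the cap and deductible are actually about. And the retained-loss function is where the step 5 policy review bites: a breach at a cloud provider that the policy excludes, or an uncovered ransomware or denial-of-service scenario, is simply a loss for which `retained_loss` should return the full amount, and re-running the comparison with those exclusions modelled will often flip the answer.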
5. Evaluate cyber insurance policies for those risks that you cannot remediate and select an appropriate policy to provide the cover you need
For those risks that are difficult to remediate, or where you want to include additional risk management strategies, you can meet with your insurance broker or insurance provider to understand the level of cyber insurance cover you need. It is important to evaluate and conduct proper due diligence on the insurance policy to ensure it provides the cover you need. This evaluation should, as a minimum, include reviewing:
• Entities covered, especially if you are a large corporate group. Does it cover only the group or all of its subsidiaries?
• Types and breadth of the cover offered. Does it cover both first and third party breaches?
• Cover provided. Does it provide worldwide cover or is it limited to Australia only?
• Incident response and remediation costs. Does it cover the costs of getting external assistance to respond to the incident, your legal costs, or regulatory penalties or fines?
• All special conditions and exclusions included in the policy statement.
It is also important to look at a number of cyber attack scenarios to see how the insurance policy will respond, e.g. will the policy provide you the required cover for data breaches at your cloud provider? Will the policy provide cover for a Denial of Service attack? Will the policy provide you cover for a ransomware attack? Looking at all the cyber-attack scenarios that will be applicable to your organisation in relation to the policy will allow you to validate that the policy and cover are appropriate for your business.
6. Implement and validate your cyber incident detection and response processes to allow you to respond to cyber incidents when they happen
As a final step, it is important that you have appropriate cyber incident detection and response processes in place. This extends further than just having an incident response plan in place, to testing and rehearsing your incident response plan across the organisation. This will ensure everyone in the organisation knows their role and responsibilities in detecting and responding to a cyber incident. It is recommended that this is done at least on an annual basis, or whenever a new or critical system or business is added to your environment, to make sure the process is current and effective. If you’re interested in understanding more about cyber insurance and some of the trends we see in the industry, stay tuned for more survey results, which will be released soon.
Asia Pacific Security Magazine | 37
Artificial Intelligence & Cybersecurity: Scaling up for the Internet of Things
By Chris Cubbage, Executive Editor

The world may only get one chance at making IoT, the Internet of Things, actually work. No one knows where this technology is ultimately headed. Had the Internet’s originators in the early 1960s taken a glimpse into the year 2016 and attended the NetEvents IoT and Cloud Innovation Global Summit at Saratoga’s Mountain Winery, a relatively short drive from the Stanford Research Institute (SRI) where the first Network Working Group meeting was held in 1968, I wonder how different the Internet may have been, or how shocked they would be at the machine they have unleashed. We know that the Internet lacks ‘security by design’, which is why security remains the fundamental element of how we safely enable the unfolding IoT revolution. According to Dr. Glenn Ricart of USIgnite, a not-for-profit organisation born from the White House Office of Science and Technology Policy and the National Science Foundation, “we are entering the time when we take the Internet away from humans and hand it over to machine controlled ‘things’.” Kathryn Hume heads up Fast Forward Labs, a specialist advisory firm operating across a range of industries including insurance, publishing, finance, media, and government on data product development, technology, and culture. Kathryn opened the two-day program by walking through the work they’ve done in natural language generation and deep learning in image analysis and text summarisation. As Kathryn impressively noted – the real impact of today’s technology lies in ‘making complex data simple’, and the focus needs to extend beyond just the hype to find true, but often hidden, value. There is a long way to go.
One shining light being shone on the security dilemma, though, is the application of Artificial Intelligence (AI) to solving the security challenges of today, and hopefully tomorrow. There are between 5 and 10 startup companies being created each week in Silicon Valley, California within the domain of AI, each focusing on the almost limitless applications across every industry. Stuart McClure, founder and CEO of Cylance, has moved security applications beyond programming and, in what is hyped to be a game changer, is teaching security systems to predict, prevent and detect cyber threats. Somewhat similar to the early application of actuarial science, Cylance is applying AI in the form of pre-execution algorithms to prevent, detect and respond to malicious code and anomalous online behaviour. As McClure points out, “if it’s blocked we don’t care and if it’s not blocked we want to understand why it wasn’t blocked.” Then Cylance sets out to replicate and improve, training itself to look automatically and instantaneously for features that are going to be indicative of good, bad and in between, using millions of signatures, features and behaviours to initiate unsupervised learning, then moving to supervised learning of all known clusters of bad profiles, and continuing to extract features and classify between good and bad. The approach is to build security systems that achieve 99% prevention; of the 1% they can’t prevent, they want to detect 99%, and then develop the response to 99% of that 1% – and so on. Sounds straightforward, and as this approach is applied on a massive scale, it is understandable why Cylance has emerged as one of the most effective cyber security companies on the internet. “Without AI, we can’t possibly scale to meet the demand,” McClure asserts. But even at full scale in the Internet of Things – is 0.0001% risk, or an adversary’s opportunity, enough to cause a major catastrophe?
To understand how AI is being applied, anyone who has raised children or trained a dog to fetch a ball will understand the concept. Kathryn and Stuart’s opening discussion helped simplify the requirements. “An average person will need to see three cats and be told each time it’s a cat before they will recognise a fourth cat, but for AI, the computer needs 50,000 cats to start to recognise a cat. But accessing the data, CPU power and bandwidth is getting better and therefore so will AI.” When Cylance is applied to 100,000-node networks the system immediately starts detecting and then reverse engineering existing malware attacks. Most traditional systems are detecting 40% compared to 99% for Cylance, and the closest competitor has only achieved 52%. So the choice appears clear. Despite my initial hesitations about the application’s market take-up, Cylance is making rapid and significant inroads, with Series D funding raising around $100M, taking it to a total of $177M. Current valuation is believed to be US$1.2B – putting Cylance into the unique ‘Unicorn’ category.

The most recent announcement has been from Wedge Networks and the newly released Wedge Advanced Malware Blocker, or WedgeAMB, the first product in the Wedge Absolute Real-time Protection (WedgeARP) series of enterprise solutions. The WedgeARP series provides fully self-contained security platforms in the form of virtual machines that orchestrate real-time hyper-inspection engines. WedgeAMB applies Cylance’s AI technology to detect and block viruses and advanced malware, such as ransomware, at the network level, preventing them from entering enterprise networks. Combining Wedge’s hyper-inspection with Cylance’s machine-learning engine and WedgeIQ threat analytics, WedgeAMB promises to be a breakthrough in malware prevention. According to the Federal Bureau of Investigation, ransomware is on the rise in 2016, with one group estimated to have been paid over US$120M in just 6 months. Ransomware-as-a-service is now also available. Advanced malware and ransomware attacks also account for millions of dollars in lost productivity and theft by cybercriminals operating on a global scale to exploit endpoint devices with increasing levels of sophistication. Unless solved, this malicious activity will put IoT in serious jeopardy of being hijacked before it begins.

With millions of cyber-attacks occurring daily on networks around the world, cybersecurity seems the perfect area to apply AI. There remain just three key methods of cyber-attack: denial of service to cause failure, execution-based attacks and authentication-based attacks. “AI can be applied to all three in a very meaningful and effective way”, but as McClure notes further, “you just need the data and we are a long way from automatic classification in AI”. As we come to understand where this technology will take us, the battles will continue, as the IoT revolution unfolds alongside the growing sophistication of attackers. We are yet to see where this all takes us but it will be an exciting journey nonetheless.
NetEvents 2016 opening panel discussion - Kathryn Hume, Stuart McClure and Ovum's Paul Jackson
NETWORK CONNECTED DEVICES
Without security the Internet of Things is doomed and could kill millions!
By Chris Cubbage, Executive Editor

Are we setting up the Internet of Things to fail, and potentially with massive and catastrophic consequences? Cybersecurity researchers Charlie Miller and Chris Valasek caused the recall of 1.4 million vehicles after hijacking the Chrysler Jeep’s digital systems over the Internet. The pair remotely hacked into the car and paralysed it on a highway whilst in traffic. They were able to disable the brakes, cause unintended acceleration and turn the vehicle’s steering wheel at any speed. Other vulnerabilities have been discovered in Tesla vehicles and more is reportedly yet to come. In late September 2016, pharmaceutical firm Johnson & Johnson wrote to diabetic patients using one of its insulin pumps advising that it was at risk of being hacked, after Jay Radcliffe, a researcher (and diabetic) with cybersecurity firm Rapid7, discovered he could access the communications between the pump and the RF remote – in theory allowing a hacker to administer unauthorised injections. This follows rising concern about connected medical devices, with Kaspersky Labs revealing in February it had hacked into a hospital’s IT infrastructure and was able to access an MRI device. These selective examples in the automotive and healthcare sectors highlight the biggest focus areas in Information Technology (IT) coming together with Operational Technology (OT), and how security will remain the key to enabling or disabling the industrial tsunami unfolding in the form of the Internet of Things (IoT).

When you consider the IT space, a majority of hacks are often abstract in their effect, such as lost or compromised data. But like the examples above, when you consider the type of industrial assets that you see in the OT space, they will invariably have a physical impact were they to be hacked. The impact of attacks against connected OT equipment has the potential to affect human safety, cause environmental damage and cause massive disruption in a way that we aren’t necessarily seeing on the IT side. OT security has a much different priority when you look at what we need to safeguard, as opposed to IT. According to Tom Le from GE Digital WurldTech, speaking at Structure Security in San Francisco, we can look at the entire universe of connected devices in the form of a pyramid. At the top of the pyramid are the typical end point devices that we all use, such as laptops and smart phones, with the security on these devices being ‘pretty good’, as long as the operating systems are regularly patched. In the middle of the pyramid we have the devices we may only use occasionally, such as HVAC (heating, ventilation, air conditioning), smart lighting in the home, increasingly smart refrigerators and televisions, and connected cars. Then beneath these two layers, we have a wide array of devices that we don’t even notice but are everywhere, because we tend not to interact with them, such as CCTV cameras, transport system nodes, power generation stations and manufacturing equipment. At this lower level, although we don’t see them, they will impact us should they be successfully attacked or compromised. The primary concern is that the devices at the top of the pyramid have good security but the other two areas have much less integrated security; as of today, the integrated security design reduces as you move down the pyramid. Air gapping between the operating system and the Internet has been touted as a workable solution, but as Tom Le asserted, “this is potentially a myth and is certainly not the ‘holy-grail’ solution.” There have been reports that aviation Wi-Fi systems could be hacked via the entertainment Wi-Fi systems and the FBI has begun investigating these claims.

Any industrial facility, be it a power plant, manufacturing facility or city management system, even if it was to ‘air-gap’ its assets and say none of them are going to be allowed to be connected to the Internet, will still have indirect connections. Contractors come into the facility with transient assets such as their own mobile devices and laptops, and a common vulnerability is the USB key, now a common attack vector. A recent highlight of this is that Victoria Police are investigating malware-infected USB devices being left in residential letterboxes. So even if we have assets that we don’t believe are connected to the Internet, they are very likely to remain exposed because of the indirect connectivity. Taking it one step further, the common prediction is that by 2020 we’re going to have between 20 billion and 50 billion devices connected to the Internet. Now we’re saying that even if you’re not currently connected or indirectly connected, the Internet of Things is going to seek to bring many millions of these industrial OT assets online so we can experience the benefits of innovation, efficiencies and analytic tools – but that’s a huge swing from where operators think they’re safe today to the reality of the short-term future where we are going to see more and more connected assets being brought online. Even after 20 to 30 years of IT security, we are still trying to get it right and are still experiencing breaches on a regular basis. There is something in the news every day, every week, and the breaches aren’t getting any smaller, from the Sony hacks (2011, 2014, 2016) to the Yahoo hack discovered last week, with up to 500 million accounts compromised – since as far back as 2012! We are still not getting it right.

Ducks & Swans: IT Security does not apply to OT Security

There are significant and fundamental differences between IT and OT assets, with the IT assets tending to have a very short life span, be it like the iPhone where every couple of years you change and get a new one.
Or your laptop computer that needs software patches or even a whole new OS installed and upgraded. We’re willing to disrupt these small device operations and go through a full system reboot, patching process or a complete OS upgrade, including multiple system reboots, and take the risk of experiencing annoying system bugs yet to be fully ironed out. In stark contrast, OT assets have much greater operational life cycles, many around 15-20 years, with some traditional systems even being as long as 40 years. Likewise, the maintenance and upgrade times are not just a matter of minutes, hours or even days; sometimes it will be a four to five year process. So the concept of applying an IT security patch system or end point security applications to the OT asset infrastructure environment is very difficult to apply, if not completely irrelevant and misleading. The other critical aspect is that some of the systems in operation within our critical infrastructure, particularly for our power generation and transport systems, are no longer able to be updated and a majority are obsolete. As an example, thousands of industrial facilities still operate on Windows XP hosts that are the basis of the software management systems for these facilities, and it has been some time now since Windows XP was supported. Patches have to be paid for outside the normal support arrangements and are subject to individual commercial agreements. Some companies may choose not to pay. Many of these systems are now starting to experience malware-type attacks that were eradicated some time ago on the IT side but are being re-propagated on the OT side. And even amongst the many factories and plants that are in operation, it isn’t possible to apply many of the patches that are potentially available, because the threat of system change is greater than the threat of a cyber-attack, in that any change or upgrade patch may not actually work and could bring down or compromise that critical asset or piece of critical infrastructure. So the strategy on the OT side needs to be around containment and mitigation more so than remediation. Operational safety is of paramount importance, and human safety and operational availability are the two primary missions on the industrial side. The challenge now is that it’s not just about cyber-attacks; in fact nearly 80 per cent of the issues caused in industrial assets are misconfigurations rather than a targeted attack. Therefore the priorities that we are accustomed to on the IT side, like confidentiality, integrity and availability, are completely different on the OT side. The question is not if and how the two technical disciplines of IT and OT are to be melded; the reality is when this will actually occur. These two areas continue to converge and already we have 6.5 billion to 8 billion devices connected to the Internet, and a majority of these are at the higher end of the pyramid. But the fastest growing area of connecting devices will be the industrial assets.
A recent study out of Princeton University, cited by Le, identified that 13 per cent of embedded devices directly connected to the Internet had retained the default root password; that number was calculated to be 540,000 devices across 144 countries. The study had focused on only subsets of devices across subsets of the entire Internet’s connected devices today. Scale this up to the predictions of between 20 and 50 billion devices by 2020: if we remain anywhere close to 10 to 13 per cent of devices accessible with default credentials, then this one vulnerability alone, let alone the wide range of other configuration or inherent vulnerabilities, will inevitably exist at scale. We are going to be a long way away from a safely converged IT and OT environment. In a follow-up study, it was found as much as 60 per cent of Internet-connected embedded devices that had any kind of user interface were vulnerable to attack – in simple terms, sixty per cent of these devices would fail a routine penetration test. When we appreciate the scale of vulnerabilities today, then scale this up between 2 and 3 times by 2020-2025, we are literally setting up the Internet of Things to fail, and potentially with massive and catastrophic consequences.
National Security reforms needed before the Internet of Things
The half-way approach putting all Australians at risk: Why it’s time to decide if security technology should or shouldn’t be regulated by Police and Fair Trading Departments
By Chris Cubbage, Executive Editor

This article concerns the inadequate and unworkable legislation affecting the physical and cyber security sectors in Australia, with State-based legislation being applied when a national approach is required, and urgent reform needed as the convergence of physical and cyber security systems continues rapidly towards the Internet of Things. In early October, the US government formally accused Russia of hacking the Democratic Party’s computer networks and said that Moscow was attempting to “interfere” with the US presidential election. The accusation marks a new escalation of tensions with Russia and came shortly after the US Secretary of State, John Kerry, called for Russia to be investigated for war crimes in Syria. Then there is Ukraine. The December 2015 Ukraine power outages, referred to in the ACSC Threat Report 2016, highlight the “vulnerabilities of critical infrastructure to sophisticated adversaries. In a well planned and highly coordinated operation, an adversary successfully compromised and affected the systems supporting three power control centres, taking down 30 substations and leaving over 225,000 Ukrainians without power for several hours. The adversary also delayed restoration efforts by disabling control systems,
disrupting communications and preventing automated system recovery. These effects were the result of over six months of planning and involved a range of activities, including compromise through spear phishing, the theft of user credentials through key loggers, and data exfiltration.” In late September, security researcher Brian Krebs’ site KrebsOnSecurity was knocked offline by one of the biggest DDoS attacks ever recorded, which peaked at 620 Gbps. But the most crucial distinction from a normal DDoS strike: these bots were mostly IoT devices. The majority of the estimated 145,000 devices were CCTV cameras and DVRs. Many of these were using either default passwords or easily guessed ones ("1234," "password," "admin"). In the ACSC Threat Report 2016 a case study described how the ACSC was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The report stated that “CERT Australia led the ACSC’s incident response, working alongside the AFP and ASD to determine the extent of the compromise and the identity of the responsible actor. Working onsite with the victim, the AFP identified a significant amount of data had been stolen from the network, including sensitive information relating to the organisation’s physical security and layout. The ACSC’s investigation revealed the actor used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise. The actor was able to escalate their privilege to administrator level, enabling further compromise.”

Physical access to information processing and storage areas and supporting infrastructure must be controlled to prevent, detect, and minimise the effects of unintended access. Buildings containing a designated data centre, for example, will necessarily employ stricter access controls than those that do not. There are also minimum physical access controls which should be practised to govern access to all buildings in an effort to protect information resources. So it follows that any Information Security Consultant designing, auditing or reviewing a corporate information system, such as to ISO 27000 standards, is going to advise on the physical security components of that system. But by doing so these consultants are breaching their respective State Government’s Security and Related Activities Acts. These legislative breaches are occurring across the country. When this was raised during the review of the legislation in Victoria, the Victorian Police Minister declined any attempt to reform the legislation, yet confirmed that enforcing the legislation would be overly burdensome and police will continue to ignore the breaches. The question is why not remove security technology from attempts at legislation and focus on the intention of these laws: to control the public interface between security officers, crowd controllers and bodyguards. Why are police trying to continue to regulate security technology such as CCTV, access control and intruder detection systems in a physical environment when these systems are now controlled in an IP network environment? The convergence of IP-based systems is effectively complete, despite legacy systems still around. We are now seeing the emergence of security robots and artificial intelligence in security systems – is this technology subject to legislation? By 2020-2025 the Internet of Things will be too big for police (or anyone) to control or regulate from a technology perspective. Otherwise police should start requiring Information Security Consultants to get licensed, fingerprinted and audited in each of their respective state operations. Welcome to my world!

So should the cyber security profession be regulated? In the study Tackling Cyber Crime: The Role of Private Security – A Security Research Initiative Report by Professor Martin Gill and Charlotte Howell (June 2016), the research addressed four key areas – the current approach to managing cyber security, the relevance of convergence between physical and cyber security, perspectives on law enforcement, and the potential role of private security in responding to cyber crime. There is now a wealth of information on the scale of cyber crime, including on the so-called Dark Web, and there are a host of authorities confirming that the costs are astronomical, not least the cost of protection, that the impact can be significant, affect many, and appears to be increasing. In addition, there is evidence that the response is inadequate, and often under-resourced, leaving businesses searching for the right solutions. Eric Hansleman, speaking at IFSEC 2015, highlighted the current problematic position: ‘In the last year, businesses spent $70bn on cyber security. Meanwhile criminals will have made 10-20 times that amount’. The threat is international and, just by way of example, the ACSC Threat Report 2015 summarised ‘the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg’. So what are our police and government regulators doing about this whilst still trying to regulate the physical security sector? Not much, other than effectively restricting physical and cyber security professionals from cooperating and working together at a national level. To highlight continued breaches of state security legislation, most commonly around the element of security technology, a WA Local Government engaged a Project Manager to handle a $200,000 public CCTV Surveillance project which is to be paid for by WA Police as part of the CCTV Infrastructure Fund. The Fund guidelines stipulate compliance with the Security and Related Activities Act.
The Project Management company does not hold a security agent or security consulting licence. In WA, the security industry is bound by a WA Police Code of Conduct formulated under the provisions of Section 94 of the Security and Related Activities (Control) Act 1996. The Code of Conduct requires licence holders to follow all its parameters – to be professional, truthful and ethical, with the public interest in mind – and Part 8 places the obligation on the licence holder to inform the Regulator of non-compliance with the Act. Having raised this breach with WA Police licensing, the confusing and wilfully inaccurate interpretation from the Officer in Charge read as follows:

“The State CCTV Strategy has been developed following analysis of crime trends involving offences against the person, not property. I have been advised the main purpose of the Strategy is to provide a surveillance role to protect against offences against the person, to create a safer community. The future positioning of cameras is based around this goal. The Security & Related Activities Act (the Act) requires an installer to be licensed to install CCTV equipment for a security purpose. While a ‘security purpose’ is not individually defined in the Act, a security officer and a security consultant are defined as a person who for remuneration watches, guards or protects property, or advises on such matters. To this end, I have interpreted a security purpose as watching, guarding or protecting property, not persons. Watching persons could be described as surveillance, which is not covered by the Act. The WA Police have drafted amendments to the legislation to make the Act clearer and remove such ‘loopholes’. The drafts are not expected to be introduced before parliament until well after the State election next year, and it is intended the industry will be consulted about the amendments before that occurs in any event. While the Strategy is structured toward a surveillance purpose, they recognise the knowledge and experience of the security industry and as such have included requirements for suppliers of services to be licensed, notwithstanding the surveillance purpose rather than a security purpose. As a result, I believe no offence has been committed.”

This interpretation is intentionally confusing, wilfully inaccurate or otherwise shows police don’t understand the very legislation they are duty bound to enforce. Reports from ASQA earlier in the year on the security training sector confirmed that licensing was “a mess”. In Queensland last month the state government directed its interim training ombudsman to review security training following the deregistration of a security training organisation and the advising of 236 former students that their qualifications were no longer valid. ASQA had found the RTO was essentially handing out certificates without providing any training. The industry called for the inquiry to be extended to licensing, and for the federal government also to take a “serious look” at the mutual recognition law and give states more power over licensing.
The frustrating aspect to this is that the Federal Government was willing to call a snap meeting of state and federal energy ministers following the South Australian statewide blackout, which prompted calls from the Coalition for a nationally consistent approach to energy security and was seen as a ‘wake up call’. Regrettably this meeting only resulted in another review, but the point here is that those conducting this work should have the wisdom to link energy security to public safety in the full context that ‘security’ deserves. The security sector does deserve and should continue to demand this attention; having asked for reform now for the last ten years, continuing to ignore it for the next ten will only result in the formation of other crisis events and yet more ‘wake up calls’. As regional and military tensions rise along with the risk of war, Australia’s national security is interdependent and requires a holistic approach – there is no point regulating a security officer at the front door but letting an information security consultant enter without probity, and vice versa. Nor is there any point in regulating the installation of the physical intruder detection system and ignoring regulation of the network’s IDS – doing so makes the entire approach a half-hearted farce. The responsibility rests with our legislators to adopt a national approach to Australia’s security that includes energy as well as social, physical and cyber security. Anything less is clearly inadequate and derelict of the government’s duty of care to all Australians.
Scalable optics: New lanes laid for the 'Internet of Things' super-highway
By Chris Cubbage, Executive Editor

Since I can remember, the digital world has always needed, or better, wanted more bandwidth. For the Internet of Things (IoT) to scale to two to three times the current number of connected devices over the next four to five years, as forecast, major leaps in bandwidth will be needed. These leaps forward are indeed being taken – and they’re big! Thanks to the NetEvents IoT and Cloud Innovation Summit held in Saratoga in late September, I visited the only company dedicated to designing and manufacturing large-scale IP photonic integrated circuits (PICs), Infinera, based in the heart of Silicon Valley in Sunnyvale, California, USA. Infinera has taken a US$300 million stake in the game, having amassed over 500 patents since 2004. “We don’t sell hardware or software - we sell networks,” says David Welch, PhD, President and Founder. “This is what I’ve seen as stunning when looking back,” said Welch, “in the past decade we’ve seen a 24x increase in the bandwidth in the same watt per cubic centimetre footprint. I expect that instead of holding up two of our PICs that are doing 2.4TB, in 10 years we will be doing 50TB coming out of something of the same size. In that sense, Moore’s law in optics is alive and well!”

Listening to David Welch, it’s easy to succumb to the charm of a technical genius. Welch simplifies the complex down to this: “Consider you have two axes to watch in driving more bandwidth onto an element and thereby driving cost structures down. You can put more wavelengths on, which is what we do, or you can drive your electronics faster. But if you drive your electronics faster you make it harder to take advantage of less efficient modulation architectures. Right now, the subsea bandwidth is being increased by deploying more new fibres in the trans-Atlantic to trans-Pacific architecture than has been in the last several decades. So a lot of the growth has been driven by the Googles and Facebooks and Internet content providers. Typically, however, they share that bandwidth with regular service providers, so the sign on the door may be Facebook but they may only have a fraction of the fibre being deployed and the rest of the bandwidth may
Asia Australian Pacific Security Magazine | 45
“This is what I’ve seen as stunning when looking back” said Welch, “in the past decade we’ve seen a 24x increase in the bandwidth in the same watt per cubic centimetre footprint. be owned by other service providers, mainly because their business traffic is driving that demand. The space is too big and the application space for the range of customers is too vast for it to be controlled by just a few providers.” Cloudification is the biggest area of network growth and datacentre interconnect (DCI). We are in a rapid upward trend of new datacentres, with mega datacentres being built and now more metro datacentres are being driven by position applications and getting content closer to consumers – server to server (East-West) traffic – data centre to data centre (north south) traffic – need to be positioned to follow the user around the globe. Google has said their datacentre to datacentre traffic is increasing significantly and consumer traffic is also increasing. Amazon’s growth and most of their profits and business is coming from their cloud infrastructure with an incredible amount of video being uploaded. This is driving more and more demand on networks. Infinera operates across three key markets, long haul and subsea communications, being number one in North America, datacentre interconnect, being number one for ICP/ CNP (Internet Content Providers/Carrier Neutral Providers) and Metro datacentres, being number three in 100G Ports with their XTM series. Within these markets the company endeavours to build intelligent networks which are scalable, flexible and high performance, which are also faster to deploy, highly reliable and combine unified management and application-optimised design. The 5G network will be deployed in 2019/2020 and will drive 100G off a cell tower and when the edge of the network is 100G the centre of the network will be in Terabytes (TBs). Trends in the optical networking market have two basic drivers. 
The first is metro-to-metro datacentre traffic, with the number of dispersed datacentres rapidly increasing in order to reduce latency in communications between humans and machines. The real multiplier is then machine-to-machine traffic, which is about a 1,000x multiplier of what an individual will see on a screen. The amount of traffic wanting to come online with operational technology (OT) can be seen with driverless cars alone, with between 10GB and 25GB per car needing to be uploaded per hour. These trends also include distributed buildings, with more and more capacity going to be leaving the building back to the network. Infinera’s senior management team were given the opportunity to brief global media, including MySecurity Media, on their announcement of the Cloud Xpress 2, a second-generation purpose-built DCI optical link. It became increasingly clear that Infinera is set to achieve their vision to “enable an infinite pool of intelligent bandwidth”. Optics has become a true enabler of the foreseeable future and all the growth of the Internet will ride upon optics – and the optics in the ground is insufficient. For the Internet of Things to become a reality, we need to put more in. Here comes the next generation of super highways!
The new Cloud Xpress 2 delivers a 1.2 terabit per second (Tb/s) channel in only one rack unit while enabling a fibre capacity of up to 27.6 Tb/s on a single fibre pair. The Infinite Capacity Engine is powered by Infinera’s next-generation FlexCoherent® Processor and the cutting-edge photonics of Infinera’s fourth-generation PIC. Cloud Xpress 2 incorporates software-activated bandwidth delivery technology that is configured to lower operational costs. In addition, the Infinite Capacity Engine supports low power consumption, and security is designed in with in-flight wirespeed data encryption. Encryption is a critical requirement for network operators and Infinera was the first to deliver a compact DCI solution with built-in encryption on the Cloud Xpress. The Cloud Xpress 2 now extends the same encryption solution and scales it to a new level of capacity. Like the previous Cloud Xpress products, the Cloud Xpress 2 is designed for plug-and-play with simplified provisioning and support for data centre automation. With built-in optical amplification the Cloud Xpress can transmit 1.2 Tb/s up to 130 kilometres using a single fibre pair without an external multiplexer or external amplifier, resulting in fewer fibres and less space. Alternative solutions will require at least six fibre pairs fed into an external multiplexer daisy-chained into an external amplifier, which results in more complex configuration and maintenance. Infinera continues to innovate: the Cloud Xpress 2 brings automation and scale to data centres, delivering topology auto-discovery, zero-touch provisioning support, standard application programming interfaces for programmability and streaming telemetry, and stackability so that multiple chassis can be managed as a single system. By minimizing the number of components in the system and using PIC technology, Cloud Xpress 2 delivers DCI with high reliability. According to Welch, “We have a number of customers excited about this because they’ve been buying 500GB boxes and now they’re going to be buying 1.2TB boxes with 2.5 times more capacity and half the size. It is truly a phenomenal advancement in the optics and it’s the start of the advancement of that optical engine as it proliferates across all the networks. This is the biggest, fastest growing metro application on the market and it’s enabled by the vast majority of the market share based on photonic integration technology, which has transferred the whole concept of datacentres. Why? Because it takes 15 minutes to deploy a box, plug it in, establish the bandwidth, get the software to roll up to the interface and when you’re making a mega datacentre, that’s what you like to hear.” In early October, Infinera announced it has joined the Optical Internetworking Forum (OIF) and the Open Networking Foundation (ONF) to demonstrate multi-vendor, multi-layer software defined networking (SDN) Transport Application Programming Interface (T-API) interoperability with the Infinera Xceed Software Suite and the DTN-X Family of packet optical transport platforms.
Global carrier participants hosting the interoperability testing include China Telecom, China Unicom, SK Telecom, Telefonica and Verizon.
What’s causing the cybersecurity skills gap? How the Industry is Strangling Cybersecurity Career Development
By Steve Cottrell
It seems that not a day goes by without another news article cropping up bemoaning the global cyber security skills shortage, but very few cut to the root of the issue. Part of the problem relates to the term ‘cyber’ and the mystique associated with it. All but the security industry seem to hold the widespread view that ‘cyber’ is a new term, and that the issues of computer security have only manifested within the last five years. In reality, security (or a lack thereof) has existed for as long as we have had computers, networks and the Internet; we’ve simply rebranded what was once computer and network security to its more media-friendly new name of cybersecurity. Looking at the large talent pool of information and network security specialists out there, it seems strange that there is a cybersecurity skills shortage, but the issue lies in the fact that our industry is not doing a great job of attracting, harnessing and nurturing new talent – i.e. building tomorrow’s cybersecurity workforce. Many companies don’t seem to understand how to align their security functions with the rest of the organisation. The responsibility for security often gets rotated around the business like a never-ending game of pass the parcel, in an attempt to find an executive willing to take ownership of the problem (which is often seen as the proverbial hot potato). Without wishing to get into an ideological debate about the optimal reporting line for the cybersecurity function and where the CISO should sit within the executive team, the skills issue has disrupted the development and maturation of cybersecurity career paths. We see organisations attempting to align cybersecurity professionals’ careers to existing IT architecture or IT/network support disciplines (or sometimes Enterprise Risk or General Compliance), which simply doesn't work. The attributes and experience needed to develop and grow a cybersecurity career are markedly different from those required to be successful within a general technology function. Adding to the problem, pay scales are often benchmarked and aligned to existing technology careers, making the ill-founded assumption that roles such as IT architect are analogous to security architect. Consider this alongside the fact that many of these benchmarking exercises ignore the law of supply and demand, namely the number of suitably experienced and skilled professionals actually available within the market, and it is a wonder that organisations are surprised when cybersecurity vacancies go unfilled for months, or even years, on end. Businesses are obviously in the market to make money and, ultimately, compensation packages are set at a level to keep the bottom line healthy and profitable. This is prudent and makes perfect sense, but because organisations consider cyber and information security to be a generic IT discipline, it partially contributes to the skills shortage. Step outside of the IT department into Legal, Regulatory, HR etc. and different frameworks apply, recognising the unique functions being performed and the market rates of those areas. The niche and currently scarce nature of the cybersecurity skill set needs to be recognised and salaries need to rise in line with that specialist status. This will help attract new talent to the discipline, by encouraging existing experienced IT and network professionals to cross-skill and specialise in cybersecurity, as well as encouraging high-calibre school leavers to enrol in cybersecurity courses at university (as they can see an exciting and lucrative career ahead). This point is crucial in helping address the skills shortage over the short to medium term, while ensuring that organisations attract the calibre of individuals needed to be successful in these roles. How often do you see an advertisement on a job board that reads, “High calibre Senior Cybersecurity Manager required. Must have extensive proven experience, ideally will have CISSP, CISM, BSc/MSc. Fantastic package on offer - $120k base plus exceptional benefits”? Clearly the company won't find anyone for this kind of salary, or they'll have to compromise and ultimately take the first person with some of the skills they need, to deliver what should really be a role filled only by absolutely suitable candidates.
I’ve seen government departments pay as little as $120,000 for a CISO-level cybersecurity professional, then wonder why they’ve made no progress on improving their security posture two years later, with no significant gains. Looking ahead over the next few years, there are undoubtedly strategic initiatives that need to be undertaken where we begin to 'grow our own' security professionals within our organisations rather than demanding the finished product from the job-seekers market. I would like to see the broader information security and cybersecurity industry (and especially the numerous professional bodies) coming together to agree a multi-year professional development curriculum, building experience in general security risk, cybersecurity operations, security architecture and risk management, all with a view to delivering a 'well rounded' security practitioner who can then ultimately specialise in different areas as their career progresses. This works in other industries, such as medicine: medical doctors are required to build a firm foundation of knowledge in numerous physiological disciplines, gaining a level of practical post-graduate experience before ultimately specialising in one area. This represents a different approach from the normal (and often abused) 'badge of honour' certifications prevalent within the technology and security industries today, which are typically one-off exams to be passed, sometimes backed up by a level of formally validated or self-certified demonstrable practical experience. There are now some fantastic degree and Masters’ courses being offered by universities all around the world, specialising in all aspects of cyber and information security, but they can't provide 'on the job' practical experience, which is often what’s really required to truly excel and deliver real security value and risk reduction in the real world. The two to four years following graduation are perhaps the most critical for a professional cybersecurity career, which is where our industry should be looking to nurture and develop the skill set by providing a structured modular career framework that is recognised across the industry and around the world. Too many recent graduates become disillusioned early on, so we need to keep their motivation high by providing plenty of variety and structure whilst making it easy for them to gain the valuable business context and skills they need to carve out a successful career as a professional. Providing clear, attainable short- and long-term goals and the ability to switch between multiple cyber career tracks is really important. As with all ‘supply and demand’ equations, as supply increases I would expect to see a levelling or braking effect in terms of the compensation packages required to attract top cybersecurity talent, but if we add in the modular career framework, it will be simple to gauge appropriate remuneration levels with regard to experience, rewarding truly niche high-end skills as appropriate. As we all know, it is not as easy as saying ‘I need a cyber security professional’; it’s often more a case of ‘I need a cyber security professional with an operational background who understands risk in a business context’.
We cannot afford to be complacent, assuming that the large number of cyber and information security university courses now available will ultimately solve the longer-term skills issue. As an example, looking at engineering (mechanical, electrical, civil etc.) graduates in the UK from the 1990s, what percentage of graduates actually ended up pursuing careers related to their degree versus moving to an industry sector which was perceived to be more lucrative with better career opportunities? I don’t know the answer to this question, but judging by the volume of graduates I interview with qualifications in these areas, and also by the people I meet across the broader industry qualified in these areas, I would say the percentage is likely high. Let’s not allow history to repeat itself within the cybersecurity industry.
About the Author
Steve holds the regional Chief Information Security Officer / Security Director role at Aviva, with end-to-end accountability for security risk management, incident response, compliance, and cyber security transformation across all UK & Ireland regulated businesses (Life, GI, Health, AGC, Investors).
SINGAPORE CYBER UPDATES
Highlights from the Singapore International Cyber Week 2016 (10th Oct 2016 – 12th Oct 2016, SunTec Singapore International Convention & Exhibition Centre), and the Cloud Expo Security 2016 (12th Oct – 13th Oct 2016, Marina Bay Sands Expo and Convention Centre).
When hackers broke into the computers of Bangladesh’s Central Bank in February of this year and committed one of the largest cyber heists ever, in which $951 million of fake payments were ordered, $81 million had already been cleared and processed by the time the fraud was discovered. Details of the techniques and methods believed to be linked to the heist, revealed by government and private investigation teams, raised widespread concerns that the tools and techniques used may allow the same, if not other, sophisticated international criminal syndicates to strike again. One consolation is that the losses could have been 10 times worse, with the attackers making off with nearly $1 billion had all the fraudulent transactions been cleared. Cyber attacks such as the Bangladesh heist and the Carbanak attacks, which targeted ATMs and transaction systems, take advantage of vulnerabilities in the global financial processing networks to successfully steal and move millions of dollars across borders.
The significance of these attacks lies in their large-scale haul and sophisticated coordination: in adopting techniques which targeted different systems, processes, departments and countries; and in the significant planning involved in deleting evidence of their activities and covering their cyber tracks to remain undetected. Besides banks, transportation networks, hospitals and other essential services have also been subject to wide-ranging cyber infiltrations, where the attackers seek to extract data and monetize the stolen data, compromise critical infrastructure, and manipulate and influence public opinion. Cyber attacks are growing more sophisticated, frequent and impactful. According to the 2016 Cyberthreat Defense Report, 76 percent of responding organizations were affected by a successful cyberattack in 2015 – up from 70 percent in 2014 and 62 percent in 2013. Left unchecked, these attacks can create a hostile cyberspace, making it difficult to trust and perform basic online transactions and interactions.
For Singapore, setting out a Smart Nation vision – which centers on harnessing the power of technology – will make the nation more productive, but will at the same time pose significant challenges, as increasing connectedness means a corresponding elevation of potential cybersecurity threats. The good news is that the Singapore Government has consistently taken cyberthreats seriously.
Singapore International Cyber Week 2016 (SICW)
Singapore’s cybersecurity journey started a decade ago with the first Infocomm Security Masterplan. Just a year and a half ago, the Cyber Security Agency (CSA) was formed to specifically address cybersecurity threats and to coordinate efforts across government and among the various other stakeholders. In the latest cybersecurity push, CSA held the inaugural Singapore International Cyber Week 2016 (SICW) to connect over 3,000 policy makers, industry players and innovators. The theme “Building a secure and resilient digital future through partnership” reflects Singapore’s desire to strengthen the nation’s digital future through building robust local and international partnerships. Opening the SICW, Singapore Prime Minister Mr Lee Hsien Loong launched “Singapore’s National CyberSecurity Strategy”. “Our government networks are regularly probed and attacked. We have experienced phishing attacks, intrusions, malware. From time to time, Government systems have been compromised, websites have been defaced and also suffered concerted DDOS attacks that sought to bring our systems down. Our financial sector has suffered DDOS attacks, and leaks of data. Individuals too have been targeted,” he said. “Fake websites masquerading as SPF, MOM, ICA, CPF pages, hosted in other countries, phish for personal information or scam people into sending money.” (SPF: Singapore Police Force; MOM: Ministry of Manpower; ICA: Immigration & Checkpoints Authority; CPF: Central Provident Fund) To coordinate efforts in cybersecurity, the National CyberSecurity Strategy will have four components:
1. Build a Resilient Infrastructure
2. Create a Safer Cyberspace
3. Develop a Vibrant Ecosystem
4. Strengthen International Partnerships
Increasing inter-government collaboration and partnerships
There are tangible examples of “Strengthen International Partnerships”, a key focus of the Cybersecurity Strategy. Opening ceremony keynote speaker Mr Christopher Painter, Coordinator for Cyber Issues, US Department of State, cited the Memorandum of Understanding signed between the United States and Singapore in August this year, which covered cooperation in areas such as regular CERT-CERT information exchanges and sharing of best practices, coordination in cyber-incident response, and sharing of best practices on critical information infrastructure protection. Mr Conrad Prince, UK CyberSecurity Ambassador, Defence and Security Organisation, Department for International Trade, referred to the CREST Singapore Chapter - the first CREST Chapter in Asia, established in partnership with the Cyber Security Agency of Singapore (CSA) and the Association of Information Security Professionals (AISP) - to introduce its penetration testing certifications and accreditations to Singapore.
Pictured: Singapore Prime Minister Mr Lee Hsien Loong
ASEAN Discussions and Dialogues
To strengthen partnership within ASEAN (Association of South-East Asian Nations), an ASEAN Ministerial Conference on Cybersecurity at the Shangri-La Hotel was convened as part of the SICW, bringing together the ASEAN Member States to facilitate discussion and share knowledge on cybersecurity issues and fighting cybercrime. Dr Yaacob Ibrahim, Minister for Communications and Information and Minister-in-Charge of Cybersecurity, said “Countries today face a full spectrum of cyber threats - cybercrime, attacks, espionage and other malicious activities. We in ASEAN have not been immune to this”. According to the Singtel FireEye Southeast Asia Cyber Threat Report, new findings have identified Southeast Asia as a region that is increasingly under cyber-attack. The joint Singtel-FireEye report, “Southeast Asia: An Evolving Cyber Threat Landscape”, details how Advanced Persistent Threat (APT) actors and other cyberattack groups are among those keenly interested in targets located in Singapore, the Philippines, Malaysia, Thailand, Vietnam, Indonesia and Brunei. Dr Yaacob Ibrahim proposed three areas that ASEAN could work on to further efforts against the threat: Fostering ASEAN Cyber Capacity Building; Securing a Safer Common Cyberspace; and Facilitating Exchanges on Cyber Norms. “While staying plugged into the global conversations, we should also make sure that norms and behaviors are kept relevant and applicable to our unique ASEAN context and cultures”. He also announced the launch of a S$10 million ASEAN Cyber Capacity Program (ACCP) to build cyber capacity in ASEAN Member States. Focus areas under the program include cyber policy, legislation, strategy development and incident response. He also announced Singapore’s sponsorship of the global initiative called Cyber Green (which aggregates global open source information in an index for cyber health), which will allow ASEAN member states access to the data through Singapore.
Cyber security in a smart nation
YM Dato Paduka Awang Haji Hamdan bin Haji Abu Bakar – Deputy Minister at the Prime Minister’s Office and Director of the Internal Security Department
H.E. KAN Channmeta – Secretary of State, Ministry of Post and Telecommunications
Dr. Basuki Yusuf Iskandar – Head of ICT Research and Human Resource Development Agency, Ministry of ICT of Indonesia
Air Rear Marshall Warsono – Deputy Coordinating Minister for Political, Legal and Security Affairs
H.E. Dr. Thansamay Kommasith – Minister of Post and Telecommunications
YB Datuk Seri Panglima Madius Tangau – Minister for Science, Technology and Innovation (MOSTI)
Dr Yaacob Ibrahim – Minister for Communications and Information and Minister-in-charge of Cybersecurity
H.E. Le Luong Minh – ASEAN Secretary General
H.E. Lt-Gen Kyaw Swe – Union Minister for Home Affairs, Republic of the Union of Myanmar
H.E. U Kyaw Myo – Deputy Minister of the Ministry of Transportation and Communications
RAdm Rufino S Lopez Jr (Ret) – Deputy Director General, National Security Council
H.E. Prajin Juntong – Deputy Prime Minister and Minister for Digital Economy and Society
Mr. Nguyen Thanh Hai – Director General of Security Information Department, Ministry of Information and Communications
Senior Colonel Nguyen Van Thinh – Deputy Director-General of the Department of Cybersecurity
Industry Partnerships
To make Singapore’s cyberspace safe for businesses, individuals and society at large, strong partnerships with multiple stakeholders across the cybersecurity ecosystem are needed. During the SICW, CSA announced new agreements with top industry players – BAE Systems, (ISC)2, Microsoft and Palo Alto Networks – to boost training in cybersecurity and raise cybersecurity capabilities. Mr David Koh, Chief Executive of CSA, said “Cybersecurity is a multidisciplinary issue and it is necessary to have all hands on deck to grow the capabilities for the sector.” These partnerships will see the industry players engage with local cybersecurity startups on research and development of cyber technologies, encourage professionals to deepen their skills and enhance security awareness, share cyber threat analysis, and develop educational platforms for cybersecurity outreach. Developing skill sets and supporting startups are also keys to “Develop a Vibrant Ecosystem”, one of the pillars underpinning the CyberSecurity Strategy.
“Singapore aspires to be a Smart Nation. But to be one, we must also be a safe nation”, said Prime Minister Mr Lee Hsien Loong in his closing remarks. “Creating a Safer Cyberspace” is another key focus of the CyberSecurity Strategy. As Singapore transforms into a Smart Nation and adopts Internet of Things (IoT) technology - digital healthcare, smart watches, internet-enabled appliances, smart manufacturing, and connected devices, vehicles and buildings – a significant volume of data will be generated, collected, stored and shared via the cloud. According to Gartner, 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and the number will reach 11.4 billion by 2018. The volume of data will continue to grow as we get more digitally connected. Securing the data and ensuring its confidentiality, integrity and authenticity is critical to preventing and mitigating risks and minimizing the financial, social, reputational and economic impacts of an attack.
Weakest link
Cyber attacks often arise from exploitation of the weakest link in the IoT security chain. From a well-meaning employee sending work documents home to unpatched systems running home heating and cooling systems, physical vulnerabilities and human behaviors provide new attack vectors for cyber criminals. These challenges were addressed across various themes such as governance, threat landscape, and detection and defense approaches at the 25th edition of GovWare (the region’s conference and exhibition on cybersecurity for cyber thought leaders, industry players and academia) and the Smart Nation IoT Security Conference, held in conjunction with the SICW.
Speaking at GovWare, Professor Isaac Ben-Israel, Chairman, Israel Space Agency and Chairman, Israel National Council for R&D, and Director of the ICRC, Tel Aviv University, said that the “Smart City” or “IoT” – smartness that comes from computer chips to make our lives faster and easier – is the trend at present and “is not imagination” or “Science Fiction”, and that we have “created dependency on these chips”. Cyber criminals will use “weak points” in this dependency to do damage.
Attacks and preventive measures
The declining cost of IoT technology makes it attractive for us to adopt, but Professor Yu Chien Siang, founder of GovWare, noted: “embedded devices are often low-cost, low power, restricted in both memory and computing power, and could be easily accessible by the adversaries. As such, many physical attacks are possible including side-channel attacks (SCAs), which can be used to extract the secret key from electronic devices using power, electromagnetic (EM) emanations, timing analysis or acoustics. Such attacks have been shown against transit cards, car immobilizers, and Field Programmable Gate Array (FPGA) devices.” He also pointed out that the biggest threat may not necessarily be the deletion or removal of data, but the modification of it, an example being the change of a patient’s records such as blood type. He termed this “Computer Torture”. Poor and diverse designs are other key challenges in IoT security highlighted by Dr Steven Wong, Associate Professor and Program Director, Singapore Institute of Technology, President of the Association of Information Security Professionals and Co-chair of the CREST Singapore Working Committee. “Many IoT systems are poorly designed and implemented, using diverse protocols and technologies that create complex configurations,” he explained. There is also a “lack of mature IoT technologies and business processes”, and “limited guidance for lifecycle maintenance and management of IoT devices”. IoT privacy concerns are complex and not always readily evident, he added. To address these challenges, he suggested developing “a common set of standards and guidelines for IoT when there are so many parties and technologies involved”. But he also cautioned that “even with IoT standards and guidelines, who will really follow them?” One way is to strategically target critical areas and groups to drive adoption. He also suggested the possibility of “Singapore’s smart nation as an international test-bed for standards and guidelines”.
Be Prepared
Risks will increase when we go IoT because of interconnectivity, as pointed out by John Lee, ISACA Singapore Chapter President, speaking at the Cloud Security Expo Asia 2016. And often, a cyber attack is not a matter of if, but when.
He urged the need to “Prepare for Black Swan”. Financial services practitioners and observers would agree that banks have a history of dealing with unexpected financial market events that are difficult to predict and which have widespread ramifications and contagion effects, termed “Black Swan” events. One clear example is the Great Financial Crisis of 2007–2008. The potential for a Black Swan event in the digital world has yet to receive similar levels of attention, and failure to accept cyber risk as a core risk may prevent governments, businesses and individuals from developing fallback and containment plans to mitigate unexpected cyber attacks.
A resilient and trusted cyber environment
With a reputation as a "no-nonsense" and "business-friendly" financial center, Singapore is known as a trusted, sound and stable location to do business in. Recent examples include the Monetary Authority of Singapore (MAS) stripping Falcon Private Bank of its license for "serious failures in anti-money laundering (AML) controls", a development that followed the shuttering of the Singapore branch of Swiss bank BSI in May for "serious breaches of anti-money laundering requirements, poor management oversight of the bank’s operations, and gross misconduct by some of the bank’s staff". The Bangladesh heist is a clear example where a cyber attack was launched to facilitate financial criminal activity that spanned several countries. Cyber criminals operating from one country and attacking inter-bank payment systems can cause damage ranging from minor inconveniences to significant disruptions globally. Being connected to the global network of financial flows and playing host to hundreds of foreign financial institutions means that Singapore is not immune to this. Not only banking, but essential services such as energy, healthcare and transport are powered by infocomm technology. As an international financial, shipping and aviation hub, Singapore houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. Successful attacks on these supra-national Critical Information Infrastructures (CIIs) can have disproportionate effects on the trade and banking systems beyond Singapore’s shores. “Building a Resilient Infrastructure” is a key focus of the CyberSecurity Strategy, to ensure that Singapore’s essential services are protected. A new Cybersecurity Act will also be introduced in 2017, to provide a comprehensive legal framework for national cybersecurity. Cybersecurity, beyond being a necessity to defend and protect, is also an enabler for the economy and society. Singapore's CyberSecurity Strategy sets out the vision, goals and priorities and outlines the country’s commitment to build a resilient and trusted cyber environment. It aims to catalyze participation by all stakeholders – government agencies, the cyber industry, professionals and students, academia and researchers, and providers of essential services. It also signals Singapore’s willingness to forge strong partnerships with the international community to combat the transnational nature of cyber threats.
About the Author
Jane Lo has more than 15 years of experience in enterprise-wide risk management and writes on risk themes relevant to the financial services sector. She started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for corporates and banks, before relocating back to Singapore 6 years ago. Outside of work, she is a marathon runner and enjoys spending time with friends and family.
Asia Pacific Security Magazine | 55
Cyber Security | Cover Feature
India’s cyber trauma
By Sarosh Bana, APSM Correspondent

Recently, India’s Defence and other ministries were placed on high alert following concerted cyber attacks on the country’s government and commercial organisations by the Chinese People’s Liberation Army’s (PLA’s) Western Theatre Command, which faces India all along its northern Himalayan borders. The Ministry of Defence (MoD) issued an alert to the army, navy and air force that a Chinese Advanced Persistent Threat (APT) group called Suckfly, based in the Chengdu region where the Command is located, is targeting Indian agencies, with the defence establishment as its prime target. Suckfly, which carries out cyber espionage through a malware called Nidiran, camouflaged its attacks with certificates stolen from legitimate software development firms in South Korea. “This cyber espionage was undertaken by infecting computers of both government and commercial houses involved in e-commerce, finance, healthcare, shipping and technology,” the MoD alert cautioned. “Sensitive information from targeted computers and networks is being used to undermine national security and economic capabilities.” An APT is a network attack in which someone gains unauthorised access and stays there undetected for a long time, the intention being to steal data rather than to damage the network or organisation.
These mounting cyber onslaughts against India’s defence establishments have reaffirmed a proposal for the setting up of a dedicated tri-services command for cyber security. A proposal for such a command had indeed been drafted following a 2012 cyber attack by Chinese hackers, who managed to penetrate the computer systems of the Indian Navy’s Eastern Command, where the country’s first indigenous nuclear submarine was constructed and is based. More recently, a strange email was received by senior executives of the Mumbai-headquartered Tata Group (US$103 billion revenue last year) from chairman Cyrus Mistry asking them to transfer US$4,500 to a specified bank account. “We are coming up with a project of Tata Group; kindly deposit US$4,500 in a/c no. xxxx,” the email mentioned. “This project should not get stopped due to financial crunch.” Appropriately, it was the Group’s chief ethics officer, Dr Mukund Rajan, who caught the lie, recognising the hoax. He informed Mistry of the online impersonation, and a police inquiry is now under way to identify the perpetrator. A similarly fake email ID of Mistry had been created last year by a former Tata employee, subsequently arrested, who had sent emails from this account to officials of the Group company Jaguar Land Rover (JLR), asking them to consider his curriculum vitae for a position in the purchase department. Numerous corporates, including multinationals, across the country are being defrauded by online pranksters and fraudsters. Many of the cases resemble Tata’s, where emails are sent to the finance departments through spoofed email IDs of the company heads with instructions to deposit funds in specified bank accounts. Cyber police maintain that an email can be ascertained to be fraudulent only after going through the full header or the logs of the suspected email address. “In most cases, while the spoofed emails are of different managing directors and directors of companies, full-header analyses reveal that they were sent from one exec.m@exces.com,” says an official. “Earlier, cyber fraudsters used to make minor alterations while spoofing email IDs, but now they hack the complete corporate email IDs of the promoters and use them to communicate with the finance officers.” In one instance, a finance officer received an email from his managing director asking for Rs600,000 (A$11,869) to be deposited, but the fraud came to light when the MD called him in the nick of time for some other reason. India is clearly one of the most cyber-attacked countries in the world, a recent study estimating a 350 per cent surge in cyber crime cases registered under the country’s Information Technology (IT) Act, 2000, between 2011 and 2014. Indian authorities have been alarmed by the growing number of attacks on cyber networks, which pose a huge risk and severe threat to the nation’s, and individual Indians’, financial and security interests. Criminals are exploiting cyberspace for their own ends as it touches nearly every part of our daily lives through broadband networks, wireless signals, local networks, and the massive grids that power the nation.
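The full-header checks the cyber police describe above, written out as an added example that is not code from this article or from any agency: it compares the visible From line against Reply-To, Return-Path and the earliest Received hop, and falls back to a payment-request content signal for the case where a genuine executive mailbox has been taken over. The corporate domain `example-group.test`, the executive names and the three sample messages are all constructed for illustration.

```python
"""Added example: header and content screening for the executive-impersonation
("spoofed email ID") fraud pattern. Standard library only; all data constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-group.test"               # hypothetical company domain
EXECUTIVE_NAMES = {"dev chairman", "asha director"}   # constructed display names to protect
PAYMENT_WORDS = re.compile(r"\b(deposit|transfer|wire|remit)\b.*?\b(a/c|account|bank)\b",
                           re.I | re.S)
CURRENCY = re.compile(r"\b(US\$|USD|Rs|INR|A\$|AUD)\s?[\d,]+")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def origin_host(received_headers) -> str:
    """Host named in the earliest Received hop. Relays prepend their hop, so the
    last Received header in the message is the one closest to the real sender."""
    if not received_headers:
        return ""
    match = re.search(r"from\s+([\w.-]+)", received_headers[-1])
    return match.group(1).lower() if match else ""


def analyse(raw: str) -> list:
    """Return (code, detail) findings for one message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # 1. An executive's display name on an address outside the company.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != CORPORATE_DOMAIN:
        findings.append(("LOOKALIKE_SENDER", from_addr))
    # 2. Replies steered to a different domain than the visible sender.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("REPLY_TO_MISMATCH", reply_addr))
    # 3. Envelope (bounce) sender not matching the visible sender.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain_of(return_path) != from_dom:
        findings.append(("RETURN_PATH_MISMATCH", return_path))
    # 4. A corporate From address on mail that entered from a host outside the company.
    host = origin_host(msg.get_all("Received", []))
    if from_dom == CORPORATE_DOMAIN and host and not host.endswith("." + CORPORATE_DOMAIN):
        findings.append(("EXTERNAL_ORIGIN", host))
    # 5. Content signal: a request to move money. The only check that still fires when
    #    a real executive mailbox is compromised, since such mail passes every header test.
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode("utf-8", "replace")
    money = CURRENCY.search(text)
    if money and PAYMENT_WORDS.search(text):
        findings.append(("PAYMENT_REQUEST", money.group(0)))
    return findings


# Constructed samples using reserved .test domains; the amounts echo the cases above.
SPOOFED_MAIL = """\
Return-Path: <bounce@exces.test>
Received: from relay2.example-group.test (relay2.example-group.test [192.0.2.10])
 by mx.example-group.test; Tue, 11 Oct 2016 10:02:01 +0530
Received: from exec-m.exces.test (unknown [198.51.100.77])
 by relay2.example-group.test; Tue, 11 Oct 2016 10:01:58 +0530
From: "Dev Chairman" <dev.chairman@example-group.test>
Reply-To: <exec.m@exces.test>
To: finance@example-group.test
Subject: Urgent: new group project

Kindly deposit US$4,500 in a/c no. XXXX by today.
This project should not get stopped due to financial crunch.
"""

LOOKALIKE_MAIL = """\
Return-Path: <chairman.dev@exces.test>
Received: from exec-m.exces.test (unknown [198.51.100.77])
 by mx.example-group.test; Tue, 11 Oct 2016 11:15:40 +0530
From: "Dev Chairman" <chairman.dev@exces.test>
To: finance@example-group.test
Subject: Payment

Please transfer Rs600,000 to the bank account I shared.
"""

LEGIT_MAIL = """\
Return-Path: <dev.chairman@example-group.test>
Received: from mail-int.example-group.test (mail-int.example-group.test [192.0.2.21])
 by mx.example-group.test; Tue, 11 Oct 2016 09:40:12 +0530
From: "Dev Chairman" <dev.chairman@example-group.test>
To: finance@example-group.test
Subject: Board minutes

Please circulate the attached minutes before Thursday's meeting.
"""
```

Run `analyse()` over each sample to see which checks fire; the legitimate message produces no findings, the exact-domain spoof trips the three header mismatches plus the payment signal, and the lookalike address trips only the display-name and payment checks.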
“More than 8,000 Indian websites were hacked in the first three months of 2016,” Communications and IT Minister Ravi Shankar Prasad informed Parliament recently. “While 28,481 websites were hacked into in 2013, 32,323 sites were attacked in 2014, 27,205 in 2015, and 8,056 until March this year.” Cyber crime and security were a major enough issue for Indian Prime Minister Narendra Modi to discuss with U.S. President Barack Obama during his visit to the U.S. in June. “The entire world is concerned about cyber security, and Indian IT professionals can do a lot for cyber safety of digital assets across the world,” said Modi. “Can we secure the world from this bloodless war? India must take the lead in cyber security through innovation; I dream of Digital India where cyber security becomes an integral part of national security.” Both leaders felt that defending against, and defeating, cyber attacks will require the combined efforts of both the public and private sectors, working to develop new technologies and new approaches for maintaining real-time protection of their individual networks. The recent study, “Protecting interconnected systems in the cyber era”, conducted by ASSOCHAM (Associated Chambers of Commerce and Industry of India) and business consultancy PwC India (PricewaterhouseCoopers India) notes that operational systems are increasingly subject to cyber attacks, as many are built around legacy technologies with weaker protocols that are inherently more vulnerable.
“The continued and regular sharing of cyber security intelligence and insights is essential to improving the resilience of these systems and processes from emerging cyber risks,” it mentions. It adds that the Computer Emergency Response Team-India (CERT-In) has also reported a surge in the number of incidents it handles, with close to 50,000 security incidents recorded in 2015. Pointing out that cyber attacks are occurring around the world with greater frequency and intensity, the study indicates that the profile and motivation of cyber attackers are fast changing. A new breed of cyber criminals has emerged whose main aim is not just financial gain, but also causing disruption and chaos in businesses in particular and in the nation at large. “The importance of cyber security in India has increased exponentially over the last few years, with an emphasis on Digital India and e-commerce and many government services now being delivered online,” explains Sivarama Krishnan, Leader, Cyber Security, PwC India. “The new breed of hackers understands cyber vulnerabilities and how to exploit them and they play by a new set of rules, the ‘bare minimum’ being ineffective against increasingly adept assaults.” He advises businesses to rethink their cyber security practices and focus on innovative technologies that can help reduce risks, seeing advantage in having the right data, understanding that data and knowing how to take active steps to put information to good use. Pratyush Kumar, who chairs ASSOCHAM’s National Council on Cyber Security and is also Vice President, Boeing International, and President, Boeing India, says the worldwide threat of terrorism, turmoil in the South China Sea, Brexit, the state of transition in the Middle East, the coup attempt in Turkey, etc. are all factors adding to uncertainty and volatility in the world.
“Concurrently, we are being deeply impacted by the furious pace of technological evolution, especially the explosion of Big Data, mobility, the Cloud, Internet of Things (IoT), machine learning and analytics,” he observes. “If properly managed, these technologies can transform our society, but on the other hand, an uncertain and volatile world also puts this very technology in the hands of operators anywhere in the world for causing tremendous damage, given the growing linkages between cyberspace and physical systems.” The U.K.’s Sophos Group plc, a global leader in endpoint, encryption and network security, lists India among the five countries with the highest percentage of endpoints exposed to a malware attack and thus more prone to cyber attacks. Research by the company’s SophosLabs division on such incidence in the first months of 2016 discovered a growing trend among cyber criminals to target, and even filter out, specific countries when designing ransomware and other malicious cyber attacks. Apart from India, the countries with the highest so-called Threat Exposure Rates (TER) were Algeria, Bolivia, Pakistan and China. The research drew on millions of endpoints worldwide that were analysed by a SophosLabs team. To ensnare more victims, cyber criminals are now devising customised spam in the regional vernacular, and touting brands and payment methods that appear culturally compatible. To beguile the recipients, they make their scam emails impersonate local postal companies, tax and law enforcement agencies, and utility firms, including fraudulent shipping notices, refunds, speeding tickets and electricity bills. On 5 October, while releasing in India a report on internet governance as head of the Global Commission for Internet Governance (GCIG), former Swedish Prime Minister Carl Bildt mentioned that, as an emerging cyber power, India needed to engage seriously on issues of internet governance. He deemed it necessary for India to address over-the-horizon threats like cyber attacks, cyber spying and cyber crime. One of the conclusions of the report was that surveillance was an important part of cyber governance, “because in its absence, people tend to lose trust in the internet”. “The purpose of the report is mainly to bring to the attention of policymakers across the world the significance of the challenges we are facing and of the potential that exists,” said Bildt. “Too much of this has been debated among technical people, while policymakers haven’t addressed the issue sufficiently.” He found that, for policymakers, safeguarding freedom of expression and of information on the internet is under increasing challenge. “The world is entering the Internet of Things (IoT) and everything will be connected with everything, everything will have an IP address,” he remarked. “Everything can potentially be turned into a weapon in the cyber world, and this brings the requirement for cyber security, stability and governance to a very different level.” The report found only three governments, those of the United States, Estonia and China, addressing this issue. Whereas the economic contribution of the internet is as high as US$4.2 trillion in 2016, the IoT could result in upwards of US$11.1 trillion in economic growth and efficiency gains by 2025. Bildt deemed Beijing’s level of attention notable, saying, “The Chinese do it slightly differently, to put it mildly; they do both offensive and defensive because it has to do with the stability of the regime, and the future of the Chinese economy - for them it’s a high priority issue.” According to him, the world is slowly initiating a conversation on cyber behaviour, with elements coming out of the U.S.-China agreement, and India being on the United Nations’ Group of Governmental Experts on Information Security. “These are important as the top countries are beginning to set rules for the internet,” he notes. “It is important that India is part of this conversation as it is the second largest in the world in terms of connected people, as well as largest in terms of unconnected people, and hence has an important voice both in the connected world and the unconnected world.” The number of internet users in the world has increased threefold in the last 10 years, but during the same period their number has multiplied nearly 15 times in India. As per Connecticut-based IT research and advisory firm Gartner, Inc., the number of devices connected to the internet will reach 27 billion globally by 2020, with total revenue of around US$300 billion. India will have around a five to six per cent share of the global IoT industry.
INSIGHTS TO ENHANCE ORGANISATIONAL STRENGTH
Crisis & Emergency Management Conference | Pan Pacific, Perth | 24 November 2016
The Resilience Conference 2016 will cover topics such as security, technological emergencies and how to handle a digital crisis, featuring:
• Chris Cubbage - Executive Editor of the Australian Security Magazine
• Jamie Wilkinson - Head of Digital for Cannings Purple
• Frazer Holmes - Regional Director of InTec1
Keynote speakers include:
• Mohammad Fuad Sharuji - Crisis Director for MH370 & MH17, Malaysian Airlines
• Stuart Ellis - CEO, Australasian Fire and Emergency Service Authorities Council
• Paul McGill - Deputy National Commander, New Zealand Fire Services (NZFS)
What is in it for you and your organisation? Learnings from recent world events and how to apply these to your organisation’s emergency management capability.
+61 8 9388 2222 | firstname.lastname@example.org | www.ifap.asn.au/resilience
Women in Security
Championing for open source collaboration
By Chris Cubbage, Executive Editor

Having been fortunate to be in California’s Silicon Valley courtesy of the NetEvents Global IoT and Cloud Innovation Global Summit, I took the added opportunity to stay on for a few extra days and catch up with our June/July 2015 ‘Women in Security’ series participant, Prima Virani, who was scheduled to speak at the Structure Security Conference in San Francisco. When we first met this 25-year-old security engineering graduate at an Australian Information Security Association meeting in Perth, Western Australia, in 2014, she was just 23 years old and starting out on her cybersecurity career, having graduated from Murdoch University and with the aspiration to head off to San Francisco. Within just two years, Prima has not only found herself on a small security team for a major American brand in Pandora Media, a music analysis application that personalises music according to the listener’s taste, but now we find her speaking on stage, being interviewed by Bob McMillan, computer technology reporter with the Wall Street Journal, alongside fellow security engineers Nick Anderson of Facebook, Hudson Thrift of Uber and Leigh Honeywell, security lead with the collaboration tool Slack. Open source software and security collaborations are being increasingly advocated for small to medium sized companies that are growing so fast that their focus is on developing their product while they also have to be working on product security. As Prima elaborated, “they have to protect their infrastructure but with a small team that don’t have expertise or resources in all areas, and so there is a need for more support and this is where open source can contribute a great deal for fast developing commercial products.” This thinking is supported by the likes of Facebook’s Nick Anderson, who has also seen the advantages of open source, highlighting that “with the build up of open source communities, there are bonds being built, with problems being solved and often with the common intent of improving a product so it works better for them, just as much as for you.” As Prima also asserted, “one of the biggest advantages of open source communities is giving the capability of scaling. It doesn’t come with a hefty price tag and it makes the company better prepared if the product takes off quickly.” One of the key outcomes of the Structure Security event was to highlight that there has never been a greater liberation of information and a greater variety of choice for infosec workers, in contrast to the traditional ‘lock it down’ and ‘restrict access’ approach. Some of the favourite open source tools being touted included OSQuery, touted as
having a Swiss army knife capability, while others included Box and BlastAlert. Aside from championing open source adoption, the panel also showed that Women in Security is a little more balanced in the US than it possibly is in Australia, where we still see industry panels made up of only men. Having spent a couple of years in the USA now, Prima has found there really is a different attitude to security engineering in the US than in Australia. She points out that a lot of the companies in the US are ‘huge’ brands and very well resourced in terms of the kind of people they hire and the creativity they are prepared to try. “There is a younger workforce and the transition out of college and university into the industry is quite straightforward. Whereas Perth and Australia may be tending to just follow the template. Perth was also very focused on just a few key industries, such as Oil and Gas, where in Silicon Valley there is a multitude of industries but a majority of them here are in the technology domain. If you threw a stone in San Francisco, 70% of people you hit would be a techie.” The approach taken in the USA is likely to differ from that of the company next door, and there is greater diversity in thinking and openness to different forms of thinking. Despite that, being in America you do need to be careful of group think and ‘over’ Americanisation. In Prima’s current role on a five-member security team, her tasks include infrastructure security, incident management, endpoint and network security and information security program management. For a young adventurer and an average Aussie who wanted to head out and see the world, it hasn’t been that much of a challenge. “My move to the USA wasn’t so much about the job, it was more about the lifestyle and the experience as a whole. I travelled to San Francisco about six months before moving here and stayed for a week, which was enough time to fall in love with the place.
When I got here I stayed in a hostel for a week and then at a friend’s place before I set myself up in a studio apartment.” “After I had made up my mind that this is where I wanted to come to, it took about four months before I got a positive interview. Most of the companies weren’t even considering my resume because they didn’t understand the visa requirements, and the ‘Valley’ has enough engineers being developed that they don’t really have to be looking outside of the country, unless the company is being very particular about who they’re looking for. Despite a lot of talk about the cybersecurity skills gap, there is still limited risk being taken to employ from outside the country, and how immigration and work visas can be in America. I was fortunate to get an E3 Visa for Australians living and working in the US.” Prima highlights the importance of developing a local network: she had a friend in San Francisco through whom she was able to connect with more friends, and by keeping in touch, this network continued to grow into a support and friend-based network. One channel that proved most useful was ‘Meet-up.com’, which connects industry professionals and special interest groups. Prima took a focused approach: “I like to attend events that are of interest and meet people that way, rather than randomly showing up and meeting people at random.” Importantly, Prima confirms her education in Australia grounded her very well and equipped her with the required skills to at least 70 per cent in some areas but, like any graduate, only 50/50 in some other areas. “I was fortunate to have had some experience first in Perth where I laid my foundation. Had I been thrown into this pool at the outset then I may have not had the perspective I do now, as I now have a wider perspective and it helps to a degree with a global brand like Pandora. But the relevance is subtler than a direct skill base.” Parts of San Francisco can be intimidating and it took a while to get acclimatised. “The gun situation in the US still frightens me to a degree and in that sense Australia is so much better. But that aside there are so many more opportunities here outside of work in technology.” Prima has an active and expanding interest in art, poetry and performance dancing, and she is multilingual in English, Hindi and Gujarati. Despite being young, she has taken on coordination roles, including for an industry group called ‘Ladies who Linux’. “There is a great sisterhood building here and a key mentor for me has been a fellow Aussie, Tammy, and I find my interests and work feed off and support each other.” With this type of dedication, participation and skills development, we’re proud to have an opportunity to follow up on Prima’s progress and success. We hope this inspires other Australian women and cyber security professionals to get active and seek out their aspirations, be they local or overseas. The opportunities abound!
Obstinately clinging to iconic obsolescence
By James Wootton, Director, Protega Technologies, Information Security Consulting, www.protegatech.com

As those around me in the Protega office will tell you, combine information security with a certain clichéd icon or stock photo image and it’s a recipe guaranteed to get me to turn the rage on: the padlock! Put the words cyber and padlock together and Google will churn out around 364,000 results, everything from the purchase of padlocks to ransomware, to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case! I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one that the public clearly believe does the job, because the lady behind the counter told me it was a ‘good seller’. It looks the part: a solid brass-bodied, steel-shackled device, oozing safety and confidence; it says it will protect your cherished items! Except that a mere 5 seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected: all brass, no protection! But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism. I assert that padlocks are therefore the worst possible analogy and, pictorially, the worst possible distortion of acceptable standards for information security. Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy. A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, CCTV monitoring and insurance(!) will be involved, depending on the appetite for perceived risk versus constraints. Sorry to anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us.
Consider the risks to your family and valuable belongings (assets) in your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next; let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as fire and storm damage. Thinking about the countermeasures that are deployed to mitigate these risks can be an interesting exercise. Try thinking about the controls deployed in the negative: what haven’t you addressed (the gap)?
• Locks – chosen by the previous occupier, seemed ok when you made the risk assessment, but who has all the keys and are the locks any good?
• Working fire alarm?
• Working smoke alarms?
• Secure safe for high value assets?
• Secure doors?
• Secure windows?
• Secure garage door?
• Adequate and appropriate insurance?
Hands up all those that considered every element of the above and felt they made an accurate assessment of each? Or did you make a shoulder-shrugging gesture whilst thinking, ‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait, was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason why society attempts to legislate against stupid activities likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and made a conscious decision, albeit not necessarily an accurate one! So, why do we cling to broken technologies that are woefully inadequate in cyberspace? Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.), and these aren’t worth the money and time invested in them if they aren’t protecting you from today’s crop of threats. Some organisations I’ve assessed have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third-party AV solution, without understanding the consequences of doing so, or assessing whether the product even works (it didn’t!). In any case, anti-virus doesn’t address today’s user-based ‘social engineering’ attacks, and your firewall is unlikely to be designed to either. Sorry to say, vogue cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office365 will not prevent the majority of spam and will barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re ‘secure’ (usually meaning the communications are secure, via https, and even that’s debatable!). Enough rhetoric, present me with a solution already! Ah, I’m afraid the classic ‘it depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the value of, or sensitivity attributed to, the assets you want to protect and, of course, how risky you’re prepared to be; not forgetting that your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain the status quo; it’s all good. Don’t be surprised, though, when your online world comes crashing down and you have no strategy to recover. More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy, and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’. From an organisational standpoint, consider elements of the following, balancing bang for buck:
• Policy overhaul and possibly security accreditations to focus your efforts;
• User awareness training;
• Sandboxing and content analysis technologies;
• Much as I hate the phrase, application-aware, next generation firewalls;
• User and network behavioural analytics.
And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery on yourself, or let a general surgeon loose on your brain. Find an expert, someone who can advise you, someone you can trust.
DRASTIC News: Drones, Robotics, Automation, Security, Technology, Information, Communications | www.drasticnews.com
ACHIEVING COMPREHENSIVE MARITIME SECURITY & SURVEILLANCE IN ASIA PACIFIC
Main conference: 29-30 November 2016 | Venue: Max Atria, Singapore Expo, Singapore
OUR DISTINGUISHED SPEAKER LINE-UP INCLUDES:
• Vice Admiral Patchara Pumpiched - Deputy Chief of Staff, Royal Thai Navy
• Admiral Maritime Dato’ Haji Ahmad Puzi bin AB Kahar - Director General, Malaysian Maritime Enforcement Agency (MMEA)
• Captain Eduardo Fabricante - Deputy Commander, Coast Guard Fleet, Philippine Coast Guard
• Captain Zahari bin Samsui - Assistant Chief of Staff, Future Operations, Fleet Command, Royal Malaysian Navy
• Rear Admiral Rafael G Mariano - Vice Commander, Philippine Navy
THEMES FOR 2016:
• Enhancement of maritime security operations through multilateral cooperation: Find out the latest vessel platform requirements in Indonesia from the newly appointed Chief of Bakamla. Hear also from Admiral Maritime Dato’ Haji Ahmad Puzi on MMEA’s joint responsibility initiatives in securing Malaysia’s EEZ.
• OPV requirements, operations and maintenance strategies: Hear from regional Navies and Coast Guards about current and operational OPV and naval platform development plans.
• Dedicated discussion on search and rescue and humanitarian missions: Find out the challenges in SAR missions and the latest operational strategies, which have become a rising priority to enhance surveillance capabilities.
• Enhancement of border protection against maritime threats: SE Asian government bodies are actively looking to beef up the protection and monitoring of their respective EEZs. Find out the coordinated efforts and strategies in enhancing maritime security.
“An important event gathering experts from numerous professional fields. Very good for information and systems update as well as networking and enhancing knowledge and experience” - Capt. Mohd Fadzli, Chief of Staff, Royal Malaysian Navy
T: +65 6722 9388 | F: +65 6224 2515
Fighting financial cybercrime with data
By Carlo Lacota, Assistant Vice President, Banking and Financial Services, Cognizant, and Dushyant Kapoor, Director of Consulting, Banking and Financial Services, Cognizant

Cybercrime is a serious threat to anyone and everyone online. However, in a digitally connected world in which online transactions far outnumber those in hard cash, the threat couldn’t be higher for financial services and banking firms. For established brands, even the smallest data leak or security breach could rapidly balloon into a front-page news story, costing more than just the loss of their data to cybercriminals: it could also lead to a loss of customers’ trust in the financial institution, ultimately leading to irreparable business loss and significant financial costs. Banks are having to deal with a new generation of customers who expect to be offered a plethora of personalised banking services and would switch banks easily if they thought their data was not being used well or was being compromised.
Banks and other service organisations understand that collecting client and industry-related data is the key to successfully digitising and retaining a tech-savvy customer base. However, it also makes them an ideal target for hackers who are using more and more aggressive and sophisticated techniques — including ransomware and mobile phone hacks — to get access to customer and financial transaction data. Devising the right privacy and protection policies for the goldmine of customer data is critical for the banks to, on the one hand, deter potential hackers from getting unauthorised access to that data and, on the other hand, allow customers to transact effortlessly whilst allowing internal staff appropriate access to that data in order for them to provide customised experiences and relevant offers to the customers.
Data: A path to customer centricity

In the digital world, customers generate increasingly vast amounts of data through every online transaction and touch point. While protecting this customer data is a challenge for the banks, the same data is being used by the banks to better understand their customers and develop customised offers for them.

Understand, research, and then plan

The first step in implementing adequate controls is to understand the risks and their business impact. Banks need to invest time in properly assessing the risks they might have to confront. To be relevant and give banks enough information to future-proof their business, this assessment should be based on the organisation’s size, channels, geographies and customer types, as well as product and service complexity. By mapping these risks against internal policies, procedures and controls, banks can assess their effectiveness in mitigating risks and fine-tune them accordingly. Clear ownership of data within a bank or a financial services organisation is critical: it clarifies who is responsible for implementing controls and for assessing their effectiveness on an ongoing basis.

Preventing before fighting

Implementing information security controls is necessary, but far from enough. Ongoing risk assessments can help banks get ready in case of an attack, and banks should assume they will be attacked. More importantly, ongoing risk assessment and mitigation need to be undertaken proactively so that banks are effectively prepared for the moment a risk eventuates. Once a bank’s system is hacked, the damage is done, and the bank can only try to control that damage, financial as well as reputational. Proactive security is not just about securing systems and reacting to attacks, but also about anticipating future attacks at every step of the way. In an age where hackers are using ever smarter tools and techniques to gain unauthorised access to organisations’ data sources, the key objective should be to build a resilient system that can be restored and brought back online quickly in the event of a security breach.

While data is part of the cybersecurity problem, it is also part of the solution. Combining data management with advanced analytics can be effective in detecting and preventing growing threats. By collecting and analysing massive volumes of current and historic data from within the organisation, as well as from external agencies providing financial crime data, banks can gain a comprehensive view of customers and transactions, along with insights into hitherto unnoticed relationships between various entities. Forensic data analytics can help banks identify and predict risk patterns and issues in advance, enabling them to pre-empt criminal activity, particularly insider threats and data breaches that involve gaining unauthorised access to sensitive data.

Working with the right data, and the right architecture

The key to integrating multiple risk strategies lies in the banks’ ability to get high-quality and consistent data from across the organisation. This is no easy task for large banks, many of which have accumulated multiple systems and technologies over the years as a result of mergers and acquisitions. If banks and financial services organisations want an efficient and proactive information security strategy, it is key that they work towards standardising the large volumes of customer, transaction, crime and other unstructured and semi-structured data they own. By using best-in-class architecture and investing in the right data analytics platforms, organisations can significantly improve the overall data quality and accuracy needed to support real-time monitoring and data-driven decision-making. Proactive prevention is the best weapon against cybercrime.
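The article describes, at a high level, how a bank can combine its own historic transaction data with an external financial-crime feed to surface baseline deviations, watchlist hits, previously unnoticed links between entities and insider access patterns. The Python below is an added example of that screening logic written for this page; it is not Cognizant's code or anything from the article. Every input is constructed for illustration (the HISTORY baseline, the two watchlist sets, the NEW_TXNS batch and the staff identifiers), and the z-score threshold and the per-staff account limit are assumptions a bank would tune from its own risk assessment.

```python
"""Transaction screening over constructed data: per-account baselines from
historic transactions, a constructed external financial-crime watchlist,
cross-account counterparty links and staff access spread."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    counterparty: str
    amount: float
    country: str
    staff_id: str = ""  # non-empty when a staff member initiated the transfer for the customer


# Constructed historic amounts per account (stands in for the bank's own records).
HISTORY: Dict[str, List[float]] = {
    "ACC-1": [120.0, 95.0, 130.0, 110.0, 100.0, 125.0],
    "ACC-2": [2000.0, 1800.0, 2200.0, 2100.0, 1900.0, 2000.0],
}

# Constructed external feed: counterparties and destination countries an
# outside agency has flagged. Placeholders, not real indicators.
WATCHLIST_COUNTERPARTIES = {"CP-SHELL-7"}
WATCHLIST_COUNTRIES = {"XX"}

# Constructed batch of new transactions to screen.
NEW_TXNS: List[Txn] = [
    Txn("T1", "ACC-1", "CP-GROCER", 115.0, "AU"),
    Txn("T2", "ACC-1", "CP-SHELL-7", 9800.0, "AU", staff_id="S-42"),
    Txn("T3", "ACC-2", "CP-SHELL-7", 2050.0, "AU"),
    Txn("T4", "ACC-2", "CP-UTILITY", 1950.0, "XX", staff_id="S-42"),
    Txn("T5", "ACC-3", "CP-UTILITY", 50.0, "AU", staff_id="S-42"),
]


def build_profiles(history: Dict[str, List[float]]) -> Dict[str, Tuple[float, float]]:
    """Per-account (mean, population standard deviation) of historic amounts."""
    return {acct: (mean(amts), pstdev(amts)) for acct, amts in history.items()}


def z_score(amount: float, profile: Tuple[float, float]) -> float:
    """How many standard deviations `amount` sits from the account's mean."""
    m, sd = profile
    if sd == 0:  # flat history: any change at all is a deviation
        return 0.0 if amount == m else float("inf")
    return (amount - m) / sd


def screen_transactions(txns: List[Txn], profiles, z_threshold: float = 3.0) -> Dict[str, List[str]]:
    """Map txn_id -> reasons for every transaction that deserves analyst review.

    The z threshold is an assumed tuning value; a bank would set it from its
    own risk assessment and false-positive tolerance.
    """
    flagged: Dict[str, List[str]] = {}
    for t in txns:
        reasons = []
        prof = profiles.get(t.account)
        if prof is None:
            reasons.append("no history for account")
        elif abs(z_score(t.amount, prof)) > z_threshold:
            reasons.append("amount deviates from account baseline")
        if t.counterparty in WATCHLIST_COUNTERPARTIES:
            reasons.append("counterparty on external watchlist")
        if t.country in WATCHLIST_COUNTRIES:
            reasons.append("destination country on external watchlist")
        if reasons:
            flagged[t.txn_id] = reasons
    return flagged


def shared_counterparties(txns: List[Txn]) -> Dict[str, List[str]]:
    """Counterparties paid by more than one account: the cross-entity links
    the article calls hitherto unnoticed relationships."""
    seen = defaultdict(set)
    for t in txns:
        seen[t.counterparty].add(t.account)
    return {cp: sorted(a) for cp, a in seen.items() if len(a) > 1}


def staff_touching_many_accounts(txns: List[Txn], max_accounts: int = 2) -> Dict[str, List[str]]:
    """Staff identifiers that initiated transfers across more distinct accounts
    than the assumed limit, a simple insider-threat signal."""
    per_staff = defaultdict(set)
    for t in txns:
        if t.staff_id:
            per_staff[t.staff_id].add(t.account)
    return {s: sorted(a) for s, a in per_staff.items() if len(a) > max_accounts}


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for txn_id, why in screen_transactions(NEW_TXNS, profiles).items():
        print(txn_id, "->", "; ".join(why))
    print("shared counterparties:", shared_counterparties(NEW_TXNS))
    print("staff spread:", staff_touching_many_accounts(NEW_TXNS))
```

Each detector reports a reason rather than a bare score so that an analyst can see why a transaction was queued; in practice the baseline, watchlist and link signals would feed a case-management system rather than be printed, and the history would be far deeper than six transactions per account.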
Damned if you DO and Damned if you DON’T
By Fraser Duff

There are many questions being asked by Senior Counsel acting for the Dawson family as part of the coronial inquest into the Lindt Café siege, and understandably so. Police operations have never been more under the microscope. There is almost daily reporting in the media on the Police decisions, actions and operational capability on that fateful night in December 2014. The actions of the NSW Police on that evening have evoked strong public opinion, and the Police situation is almost one of: damned if you do, and damned if you don’t. Perhaps one way to reduce the risks associated with such a loss of public faith would be to revisit who should deal with incidents of this nature and how they can best be dealt with. In doing so, we need to revisit ALL possible resources and methods of operation objectively. Should there be a debate as to whether terrorist incidents should remain under the control of Police, or whether future Military involvement needs to be considered and evaluated? This question raises some big issues. Specifically, whether Australia has the stomach for a military intervention on home soil and whether our risk-averse culture hinders this type of commitment and resolution going forward. Before exploring this question, I might first suggest that we not lose sight of the bravery of a small group of Police officers from the Tactical Operations Unit (TOU). Above all else, these officers risked their lives. They were also severely affected by the decisions and actions of the ‘Police Operational Command’. It was these officers who had to come in off the back foot, behind the eight ball, in an
Emergency Action and engage a man committed to mayhem and murder. They are the bravest of souls and we can only ever be grateful for their service. Leigh Sales on the 7.30 Report recently asked the Premier, Mike Baird (24th August 2016), a very challenging question about the siege: “If your son was one of the hostages in the café that night, would you be happy with how the Police resolved the incident?” The Premier didn’t answer the question. It’s perhaps his absence of an answer that provides some insight into current community and public sentiment. The answer for any parent who had a loved one in such dire circumstances and facing possible execution would be a resounding NO. The Premier’s attempt to then shed light on how operational equipment experienced failings on the night, including night vision goggles, communication systems and the command truck, falls well short of the mark. We don’t want an incident as significant as this to have its lessons learnt reduced to such a low level as ‘equipment failings’. There are far greater issues, much higher up the food chain. The Commissioner, Mr. Scipione, and Deputy Commissioner Catherine Burn have been ducking for cover, distancing themselves from any of the decision making or operational command of the terrorist incident. These are the Captains who will not go down with the ship. In fact they are already in the lifeboats, while public confidence dwindles over the handling of the incident. What message does their behaviour now send to the Police who may be called upon to command an incident tomorrow?
If we examine issues at a strategic level, then the Police brand is now on public trial. They have been backed into a corner with only one option left: to strongly justify all their actions and decision making on the night in the belief that everything was done that could be done. At the risk of being derided by the staunch Police advocates, I feel the more open and public the debate about what occurred and how it was resolved, the greater the chance for real learning and future improvement. The intent should always be to learn the real lessons from that night and hopefully be in a much stronger position to make decisions that prioritise the lives of each and every innocent victim above all else. Strategically we need to consider the apex of our response, i.e. the operational command and control aspects of dealing with an ideologically based attack on our way of life. This is an area where perhaps policy change will yield the biggest benefit in enhancing future efforts to maximise public safety. Hopefully this is where the Coroner will publish his most valued findings in what may be our longest and most detailed coronial inquest. We spend hundreds of millions of taxpayers’ dollars each year on our counter-terrorism readiness capability. The end result is that when we have an ideological, self-proclaimed gunman/killer taking numerous hostages and threatening lives, the Police Operational Commander, by virtue of his own evidence, indicates that he would not authorise an assault until death or serious injury had occurred to the hostages. I truly can’t believe this position and, further, that
if faced with the same set of circumstances today he would do exactly the same thing. If command, with all the evidence before it, did genuinely NOT believe it likely that a life would be taken, then I understand this statement. If, however, we take from this that in any future event involving a person espousing extremist beliefs, where murder is perceived as LIKELY, no lethal force would be taken, then I would have the gravest concerns over this type of decision-making framework. If this is the framework that our Police agency believes our community supports, then that’s equally of grave concern. With respect to the Assistant Commissioner, Mr. Mark Jenkins (who is no doubt a highly capable Police officer and a well-respected commander in the Police, who is reported as having previously held positions in Police Media, HR and State Crime Command), the question we could ask is: “are the experiences of Police commanders providing the public with the very best profile for decisions that involve responding to a terrorist incident involving an individual espousing extremist views and holding multiple hostages in need of rescue?” It also draws into question the level of influence the Police negotiators and psychiatrist had over the decision making and response to the siege and the fate of the hostages. If our decision-making frameworks remain as they appear to be, then how will our next group of hostages feel when confronted with a terrorist-related incident? Will they be wondering who amongst them must die in order for an attempt to be made to rescue them? Will they be abandoned
to their fate and therefore have to act as some did in the Lindt Café and take survival into their own hands, either attempting to escape or collectively trying, with all ‘able persons’, to overpower the hostage taker? Surely the mission on the night, which must be written down somewhere, would have said, “Save the lives of the hostages at all cost”. Senior ranking Police (ACs) took operational command and responsibility for all decisions and actions on the night. Interestingly, the Commissioner and Deputy Commissioner have disappeared behind a veil, beyond reproach and accountability. These are very senior Police: political and experienced bureaucrats familiar with navigating their way around a large machine bureaucracy and ascending its dizzy heights. (Note the recent public spats and the Police Integrity Commission investigation into the behaviour of the Assistant Commissioners and Deputy Commissioner over their wire tapping and public undermining of each other as they jostle for political clout.) Experienced managers and policy makers, yes, but does this make them the best operational commanders for terrorist/hostage incidents? It was noted that one of the operational commanders suggested that, by virtue of his having previously commanded the ‘Mosman hoax collar bomb threat’, he was now capable of making the best operational (which is quite different from tactical) decisions around suspected explosive devices, which were supposedly in the possession of Man Monis. He further stated that in his view ‘contain and negotiate’ was, and still is, the best way forward for the resolution of any future terrorist incidents. In light of this revelation, compare Police operational
commanders’ backgrounds to that of a military operational commander (TAG COMD) East or West. Military forward commanders are Special Forces soldiers, normally a Lieutenant Colonel (LTCOL) or higher, from either the Commando or SAS Regiment, with significant operational experience in Afghanistan, Iraq, East Timor and a host of other operational theatres of war, with real mission-capable experience. They are not bureaucrats or political in nature; they are in effect the best soldiers Australia has: highly experienced, highly capable and mission driven. In reality, there is no correlation between commanding the hoax collar bomb threat and dealing with a terrorist who may or may not have explosives. That would in no way provide you with the experience needed to make sound operational decisions under pressure when hostages’ lives are at risk, where tactics, surprise, speed and precision are of the essence to save hostages’ lives. A hoax collar bomb threat is a far cry from an ideological gunman prepared to execute hostages. If Police command believe that a dead man switch linked to a backpack full of explosives precludes any aggressive action by Police at any time, this further raises the issue of capability. Dead man switches are not used over long periods of time as they are actuated by pressure release. They are designed to be used by terrorists at targets/barriers/barricades etc., where they may be shot while driving, walking, running or riding a bike on approach to the target to fulfil their objective. Alternatively the pressure switch is released when having reached their objective/target and needing to detonate the device. If they are killed, either way their hand releases the pressure switch, triggering the device. These devices are usually armed just prior to an attack taking place. They are not armed for long periods of time, i.e., 17 hours, as it’s improbable to hold a pressure switch for that long without accidental actuation.
There is a great myth around supposed explosive devices, because most people, Police included, never get close to, use, or understand explosives unless they have been in the Military, a Police bomb squad or a mining engineer etc. Once the activation method is properly appraised, regardless of whether Monis had a bag full of explosives, an effective countermeasure would still be a carefully positioned marksman/sniper, which is something I’ll address later. Snipers bring about a swift and violent end to an incident with no time for a terrorist to arm and then trigger an explosive device. This is something the military can contend with. So where does this leave us? Current command and control of ideologically based terrorist-related incidents where hostage lives are at risk on home soil does not rest well with senior Police bureaucrats. I don’t believe Police command in its current form will ever hand over an incident to the Military. We simply can’t do what we’ve always done and resort to a ‘contain and negotiate’ strategy in the belief that it will always work. We need to focus on the best resolution means available to save the lives of the hostages. We also need to have the courage of our convictions to deploy our absolute best resources in a deliberate action and seize the initiative when confronted by this ideologically based threat. Perhaps if we were bold enough we could move away from the current sovereign state based Police command and control model. Perhaps through a change of legislation a
federal/commonwealth based model could be considered, well beyond what we currently have, i.e., how the Europeans are engaging with combined Police and Military assets. A national agency (not the Federal Police), i.e., an Office of Homeland Security (for want of a better name), could be tasked with responding to terrorist/hostage-related incidents across Australia. It would take full command for the activation and resolution of incidents in each state. This agency could combine at the outset the TAG Military commanders and state-based Tactical Police resources, once a set of specific criteria had been met. The advantage is that it would relieve the Police of command and decision-making responsibility, allowing them to focus on other important aspects of incident management, i.e., public order, crowd management, perimeter control, traffic control and criminal investigations etc. Homeland Security could then have operational and tactical responsibility, with Military and Police resources deployed in the most effective and unified way. The aim should be to remove bureaucracy, political hierarchy and ego- or fear-based decision making, replacing it with tactical command and control decision making based upon a sound appreciation of the situation, engaging the very best assets, specialised in responding to terrorist attacks. Beyond this most critical aspect of the review, ‘operational command’, there are some tactical considerations that need to be examined for future actions.
A key one is the use of high-velocity military 5.56 calibre ammunition inside a building constructed of mainly thick stone/block, concrete and marble walls, at distances of less than 40 metres. While Police have avidly defended their use of the M4 assault rifle and cited its military/paramilitary application, it’s a choice that perhaps now needs to be reappraised against other suitable alternatives for a confined close-quarters engagement. The 60 to 70 grain projectile travelling at approximately 3,000 feet/second with its high energy output (approx. 1,325 ft-lbs) was always going to have over-penetration, fragmentation and ricochet issues for those close by, whether the rounds hit the target or not. The alternative is the more traditional 9mm (or similar) weapon with its heavier 100 grain projectile travelling at closer to 1,100 feet/second (or less with heavier subsonic ammunition) and its much lower energy output (approximately 383 ft-lbs). It’s still highly accurate and just as lethal in close quarters, without the high velocity and high energy output, reducing the unnecessary risks stated above at close range. I’m sure this aspect is now being more closely considered, as it’s a question of ‘fit for purpose’ over ‘one size fits all’.
A final contentious point which is worth revisiting is the use of marksmen/snipers in such circumstances. It was cited by Police that they couldn’t be used because of their unfavourable positions. While there has been some conjecture over this, it’s an option that will need to be seriously considered and addressed in the future. Snipers are one of the greatest assets a tactical commander has and possibly the best form of obtaining an immediate end to the incident. The Police marksman positions, as described, indicated that they couldn’t engage (not that they would have been given the operational green light) because their locations restricted them, due to having to fire from immediately behind a pane of glass, which would significantly affect the bullet’s form, stability and trajectory. Not to mention that the bullet would then have to travel through a second pane of glass at the target, thereby reducing its effectiveness, accuracy and likely success. It’s a valid point, but it emphasises the difference between being in a good Observation Position (OP) and being in a good Firing Position (FP). If the OP and FP are both the same then that’s terrific, but that’s not always the case. Therefore the onus is on the tactical officers to have both positions covered or, as the case may be, remove the glass/obstacle from immediately in front of their position. Marksmen need to be taking the FP so they can effectively engage the target. (As mentioned in my previous article, a round can travel through one pane of glass close to the target and still be accurate and effective.) To obtain a good FP, marksmen need to have exceptional urban camouflage and concealment skills, stealth and time. Good FPs can be very difficult to achieve, particularly with media present, and may require the marksman to maintain an uncomfortable position for long periods of time without relief. My views may sound biased towards the military.
This is because like all families in Australia, we want reassurance that we have the absolute best available resources in the country to be able to respond to such an incident in the future, and protect the lives of our loved ones. In determining this, we need to identify at the operational and tactical level, which resources possess the very best skills. This will require government to examine the frequency and duration of time spent honing these specific skill sets, and the level at which this then enables skills to be further advanced through the benefit of application and repetition. We need to be confident that our commanders and resources are doing everything in their power to rescue the lives of the hostages, beyond having too much regard for the life of a terrorist, regardless of their perceived mental state.
PART 2
Deception detection uncovered: Truth seeking through interrogation The Role of your Body in Eliciting Truth
By Sophie Zadeh, Body Language Specialist

In part one of this article, in the previous issue of Australian Security Magazine, we looked at three nonverbal behavioural cues that can alert us to potential issues when observed in a suspect during interrogation. We looked at the meaning of the one-sided shoulder shrug, the eyelid flutter and the tongue jut. You will have observed these nonverbal cues throughout life as they are relatively common, especially the one-sided shoulder shrug. However, they probably didn’t register consciously, unless you were already aware of their meaning and significance. In context they can be very telling of a person’s true feelings or intentions. They are reliable indicators that can be instrumental in leading to the truth. If you read part one of this article, Identifying Nonverbal Cues, Clues to Dig Deeper, did you manage to observe any of these nonverbal cues once you understood their meaning? Did this lead you to discover anything significant? Let me reiterate that these cues act only as red flags, indicating areas in which we may need to dig deeper, and not as indicators of deception, since there is no ‘Pinocchio’s nose’ of deception; no single cue is indicative of deception. How these red flags are addressed through questioning techniques and the behaviour of the investigator is key to seeking the truth. Let’s explore the second component crucial to uncovering the truth: the role of your body in eliciting the truth.

Fostering Feelings of Comfort

Our own nonverbal signals have an impact on how successful we are in seeking the truth. Before looking at what we should convey with our body, let’s first consider this:
“Astonishingly, more than 1 out of 4 people wrongfully convicted but later exonerated by DNA evidence made a false confession or incriminating statement.” — The Innocence Project

That’s a staggering statistic, with most suggested reasons for this pointing towards extreme interrogation techniques and conditions. A false confession feels like an easy way out for the suspect, one that will put an end to the situational discomfort. If we also consider that most nonverbal cues associated with lying are actually indicators of stress (and not lying), it makes sense that an environment conducive to seeking the truth is one in which conditions that could cause (additional) stress are limited. When a suspect feels more comfortable, we will see an increase in nonverbal cues that indicate stress only at those times when their stress levels peak; potentially, but not always, when they are lying. On the other hand, if the suspect is under constant high pressure, these cues will be increased throughout the interrogation, making it harder to see the indicators that are important. So being aggressive just doesn’t work. The discomfort of a criminal investigation is not limited to the suspect. When faced with a suspect who has (potentially) harmed others, the interrogator will, most likely, feel some kind of negative emotion stemming from the criminal act. It’s important to minimise these emotions and display body language that shows openness and trust, fostering an environment of comfort. A ‘true’ confession is more likely to be delivered to an interrogator who has built rapport with the suspect, in the same way that a salesman is more likely to get a sale from someone he has built rapport with.
Fostering comfort through nonverbal behaviour: First Impression

First impressions are critical to any interaction or relationship, and can make or break the success of the desired outcome. Research shows that people form their perceptions within seconds of seeing someone, before conversation begins. Once that impression is formed it’s hard to break, due to confirmation bias: the tendency to interpret new evidence as confirmation of one's existing beliefs or theories. Therefore, if it’s a positive impression, all behaviour after that will be viewed in a positive light, and vice versa. Yet most people aren’t aware of this and pay little attention to what they are communicating in those first few seconds. Understanding the importance of the first impression and paying attention to our nonverbal behaviour can be incredibly powerful, giving us the ability to form positive relationships more conducive to success. Whilst traditional perceptions, or connotations, of ‘interrogator' and ‘interrogation' may seem at odds with creating a positive impression, remember we’re trying to create feelings of comfort, which are more conducive to seeking the truth. Would you be more open, honest and willing to cooperate with somebody you like, or dislike? We’re also trying to limit stress, so that nonverbal cues that indicate stress (e.g., nose touching, increased blink rate, self-soothing) show up in the suspect at those times when the cognitive burden of deception gets stressful, and not throughout the duration of the interrogation. Let’s consider a few nonverbal behaviours that are essential to creating a good first impression and feelings of comfort.

Show your hands

Eliciting trust is crucial to forming a positive first impression and fostering comfort. To do this the interrogator must show their hands, quite literally, as our hands are our biggest trust indicators. Studies show that the first place we look, as we see someone approach, is their hands.
If we can’t see them, we have trouble trusting them. Think of this from an evolutionary perspective, where a stranger approaching posed a potential threat. To establish whether the person was a friend or a foe, a quick look at the hands would indicate whether or not a weapon was being carried. Therefore, to elicit trust, hands must be clearly visible, not in pockets or under the table.

Touch

Touch is important for building relationships because when we touch, our body releases oxytocin, the hormone responsible for bonding and connection. One study found that waiters’ tips increased by 41% when they lightly brushed the hand or arm of their customer. Another study found that library user experience ratings increased, again with a slight brush of the hand. We all differ in our comfort levels when it comes to touch, and we should be conscious that there are certainly no-go areas. The handshake happens to be an appropriate means of touch in the Western world. It’s also said to provide the equivalent of three hours of rapport-building time. It’s important to realise that the handshake isn’t universal; it’s a cultural gesture which reflects the culture or society in which we grew up. Handshake preferences differ between nations, cities and from person to person. Therefore, contrary to popular misconceptions, the handshake says nothing about a person’s confidence or power. A good handshake comprises the following:
• Straight, no twisting or turning power plays!
• Make eye contact
• Mirror the pressure you receive (show nonverbal respect)
• Don’t grimace if you don’t like the handshake you received; remember you’re trying to create a good impression and feelings of comfort (again, show nonverbal respect)
Smile

There’s a reason that the smile is the only expression that can be seen from up to 90 metres away. The evolutionary bearing is, again, a survival mechanism: seeing somebody approach with a smile indicates friend rather than foe. No need to smile throughout, but an initial and occasional smile at appropriate times is essential for building rapport. These nonverbal cues are the primary cues essential for creating a good first impression. They may sound obvious, yet their value is often overlooked, with many people not being aware of what they themselves convey. On establishing a good first impression, body language should remain open, with the use of open-palm gestures and an open torso, avoiding blocking behaviours such as arms across the body. A good way to keep body language open is to get used to expressing with your hands as you talk. Using purposeful hand gestures prevents blocking behaviour, with the added benefit of keeping your hands visible (maintaining trust) and engaging your audience. Research shows that we can better understand and interpret speech when listening to someone gesturing with their hands as they talk: communication on two levels. Used in the right way, nonverbal communication can give you control over how you are perceived and influence over the behaviours of others, because when someone likes and trusts you, they naturally buy into you. Added to this, a knowledge of nonverbal communication can help you to understand the true feelings of others. When you know which cues to look out for, and pay attention to where exactly they occur (they are always in direct response to a stimulus), you can identify obvious or concealed expressions that provide clues to deception and point you in the right direction for further investigation. The nonverbal cues mentioned in this article are just some of many signals that you can look out for in others, or convey yourself.
Practice identifying these cues in all interactions, so that you begin to get used to understanding their meaning. And start to pay attention to the signals that you, yourself, convey, noticing how others respond to these behaviours.
Asia Pacific Security Magazine | 73
1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE
Get each print issue per year for only $88.00
SUBSCRIBE TODAY... DON’T MISS AN ISSUE
☐ Yes! I wish to subscribe to the Australian Security Magazine (1 year).
☐ Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)
No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.
Go to www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Don’t miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia only)
PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155
FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059
GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.
To have your company news or latest products featured in our TechTime section, please email email@example.com
TechTime - latest news and products
Farpointe partners with Cypress on wireless mobile, handheld card readers

Farpointe Data announced that handheld mobile reader (WMR) systems using Farpointe reader modules are now available from Cypress Integrated Solutions. The handheld reader combines a Farpointe card reader and a wireless Cypress Suprex Reader-Extender in one portable unit, so that the user can perform reads at any place rather than only at a fixed reader location. As a result, the WMR can remotely verify credentials, check IDs in trucks and buses, create emergency assembly points/muster stations, verify staff attendance at training sessions and create access control points away from buildings.

"We get 'oos and ahhs' with our handheld wireless mobile readers," emphasizes President Paul Ahern of Cypress Computer Systems. "They are used to reading credentials in applications where it just would not be practical to use a fixed reader. Whenever we offer one to a prospect who uses it for the first time, we always get a big smile."

The handheld unit transmits card data to a Cypress WMR base unit that is connected to an access control panel, from a distance of up to 150 feet (45.7 m) indoors and up to 250 feet (76.2 m) outdoors. Challenging installations are simplified with the addition of RF expanders and repeaters using the Cypress bridging architecture. Vehicle-mounted readers for employee and/or visitor logging and tracking are also available. The WMR system includes a Wiegand or serial panel interface for real-time verification. AES encryption for secure communications is available upon request. No channel selection is required, as the units are preconfigured at the factory. A diagnostic indicator on the central unit shows the operational status. Up to eight units can operate in the same area without factory modifications. Multiple grip colors accent the WMR.

"Truly versatile, the Cypress WMR is a terrific incremental addition to any wireless electronic access control system," adds Scott Lindley, President of Farpointe Data. "We would encourage any access control manufacturer, integrator or user to consider the various enhancements it brings to a security system."

About Cypress Integrated Solutions
Cypress Integrated Solutions is a recognized leader in the design and manufacture of electronic security products and technologies. Cypress specializes in unique and secure communication solutions for physical and logical access control. Since 1983, Cypress has been the industry leader in providing wired and wireless solutions to connect virtually any access control and security manufacturer's hardware. http://cypressintegration.com/

About Farpointe
Since 2003, Farpointe Data has become the global partner of choice for premium RFID solutions. Encompassing a broad range of access control readers and credentials, these solutions include 125-kHz proximity, 13.56-MHz contactless smartcard and 433-MHz long-range technologies. Electronic access control system professionals around the world count on Farpointe's exacting designs, superior manufacturing, competitive prices and excellent performance to enhance their access control systems. www.farpointedata.com
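The WMR base unit above hands card data to the panel over a Wiegand or serial interface. The following Python is an added illustration, not code from Cypress or Farpointe, and the page does not say which Wiegand format the base emits; the standard 26-bit layout (even parity, 8-bit facility code, 16-bit card number, odd parity) is assumed here. It builds and decodes a frame and enforces both parity bits, which are the only integrity check the format gives a panel, and shows what that check does and does not catch on a corrupted frame (the corrupted frames are constructed test input).

```python
# Added example: encode/decode the standard 26-bit Wiegand card format.
# Not code from Cypress or Farpointe; the 26-bit layout is an assumption,
# the page does not state which format the WMR base emits.


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit frame: even parity | 8-bit facility | 16-bit card | odd parity."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits and card in 16 bits")
    data = f"{facility:08b}{card:016b}"      # 24 data bits
    even = data[:12].count("1") % 2           # leading bit makes the first 13 bits even
    odd = 1 - data[12:].count("1") % 2        # trailing bit makes the last 13 bits odd
    return f"{even}{data}{odd}"


def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Return (facility, card); raise ValueError on a malformed or corrupted frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    data = bits[1:25]
    return int(data[:8], 2), int(data[8:], 2)


def flip_bit(bits: str, i: int) -> str:
    """Simulate one corrupted bit on the wire (constructed test input)."""
    return bits[:i] + ("1" if bits[i] == "0" else "0") + bits[i + 1:]


def frames_accepted(frames):
    """Feed frames to the decoder; None marks a frame the panel would reject."""
    out = []
    for f in frames:
        try:
            out.append(decode_wiegand26(f))
        except ValueError:
            out.append(None)
    return out


if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
    # one flipped bit is rejected; two flips in the same half pass with a wrong value
    print(frames_accepted([frame, flip_bit(frame, 5), flip_bit(flip_bit(frame, 5), 6)]))
```

Parity catches a single flipped bit but two flips in the same half of the frame decode cleanly to a different card number, and nothing in the frame authenticates who sent it; that is why encryption on the wireless hop between handheld and base, offered here as an option, is worth requesting rather than leaving off.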
Robots invading ASIS 2016

Easy to implement and powerful to use, Gamma 2 Robotics’ RAMSEE works with Hexagon’s safety and monitoring software to combine mobile sensor data with other static data sources into a map-based common operating picture, enhancing human capabilities while significantly reducing labor costs. “Sensor data and video feeds provided by RAMSEE are integrated into Hexagon’s safety software suite.” RAMSEE is equipped with a wide variety of sensors that feed data on intruders, motion, heat, fire, smoke, gas, and more into the Hexagon-based command-and-control environment in real time.

• PATROL – Provide autonomous and manual patrolling, even in total darkness
• MONITOR – Display real-time video from four cameras, including forward-looking infrared (FLIR), a 180-degree forward-facing camera, a 180-degree rear-facing camera, and a head-mounted PTZ camera
• RESPOND – Detect and respond to alarms triggered by RAMSEE and/or other third-party sensors and systems
• ANALYZE – Measure performance and recap the daily activity of RAMSEE and other sensors with activity reports
Information presented in TechTime is provided by the relevant advertiser and is not necessarily the view of My Security Media
New Unifly 1.6 release introduces new features and extended compatibility

New Logbook
The new Logbook on your smartphone gives you an overview of all executed flights. It displays the drone, date, take-off time and duration of the flight.

Search and Validate Remote Locations
With the new Search bar on Launchpad you can look up specific locations. Simply enter the location you are looking for and the app will navigate to that spot. It is now also possible to run the validation for a location other than your current one.

Detailed Rules Information
Tapping View Rules gives you detailed information about the local rules and regulations, together with additional instructions and advice on the local flying criteria. With Launchpad you have all the local legislation in the palm of your hand!

Unifly Webinars
Are you new to Unifly Pro, or considering subscribing to our services? Register for one of our free online training sessions and learn how to work with our application.

Extended Compatibility
The Unifly Pro application is now also available for Mac users. In addition to getting the Mac version up and running, great efforts were made to make our applications compatible across all possible platforms, so they now run on all tablets, smartphones and operating systems, including Linux. Besides Google Chrome and Firefox, Unifly Pro is now also compatible with Internet Explorer 10+ and Edge.
Australia’s Civil Aviation Safety Authority makes amendments to drone laws

CASA has announced amendments to Part 101 that came into effect on 29 September 2016, reducing the cost and legal requirements for lower-risk remotely piloted aircraft (RPA) operations. As part of these amendments, CASA also created an excluded category of remotely piloted aircraft, allowing private landowners to carry out some commercial-like operations on their own land with:
• a small RPA (2-25 kg) without needing an RPA operator’s certificate (ReOC) or a remote pilot licence (RePL)
• a medium RPA (25-150 kg) without needing a ReOC (an RePL is still required).

Australia’s safety laws for drones, or, more technically correct, remotely piloted aircraft (RPA), as defined in the Civil Aviation Safety Regulations Part 101, vary depending on whether you are flying commercially or recreationally. From 29 September 2016, if you are flying for money, or any form of economic gain, you need an RPA operator’s certificate (ReOC); if the RPA weighs less than two kilograms, you simply need to notify CASA. If you are flying for recreational purposes only, the regulations are less restrictive and allow you to fly an RPA without needing to be certified, provided you follow some simple safety rules. Holders of a UAV operator’s certificate (UOC) can continue to operate as per their certificate and will only be issued a ReOC from 29 September 2016 if the certificate is varied or renewed. Full details are available at https://www.casa.gov.au/aircraft/landing-page/flying-drones-australia
Brisbane’s premium student accommodation location secured with SALTO

The decision to study away from home is never an easy one, so a new accommodation brand, Student One, has launched in Brisbane to provide a premium dedicated student living solution that allows students and parents to make that choice with confidence. As the newest entrant in the Australian student accommodation market, Student One’s new $110 million, 687-bed redevelopment of the former Boeing House at 363 Adelaide St in the city is paving the way for up to 2400 new beds to be developed over the next three years in Brisbane’s city centre. Surrounded by universities, English language schools and pathway institutes, the 158 storey Student One on Adelaide Street residence features a mix of 55 five-bedroom share apartments, 196 studios and 108 twin-bed studios, protected by a smart access control system from SALTO as well as non-intrusive CCTV technology. Installed by local security specialists Toplock Locksmiths, the access control is fitted to student bedrooms, administration areas and student common areas.

Director Mark Bowater says: “SALTO was a great choice for this project and we’ve fitted quite a bit of kit, including 673 AElement locks and 589 Energy Saving Devices (ESDs), as well as controllers and wall readers located in eight strategic hotspot points. Controlled via contactless smartcards (which the students also use for cashless laundry services), the AElement locks provide a wireless standalone networked system through SALTO Virtual Network (SVN) technology. This captures individual student audits and battery status every time they badge through an offline door, with the data then downloaded at one of the hotspot points in one of the residence’s three lifts or in other common areas. The in-room ESDs meanwhile help save a considerable amount of the room’s electricity consumption. These work when the students insert their smart ID card into the ESD and it activates the air-conditioning system in the room.”

Student One CEO Tim Weston said: “I had previously used SALTO technology on other student accommodation projects and was impressed with its ease of use and advanced ‘Data on Card’ and Virtual Network operating system. With our Student One on Adelaide Street property now open, we’re already at work constructing our next two locations, at 38 Wharf St and 97 Elizabeth St, which will provide an additional 1600-plus beds. We were happy to go with SALTO to provide our access control, as we knew it could grow with us as we added more sites to our portfolio in Brisbane.”

Scott Fraser, SALTO General Manager Australia & New Zealand, concludes: “SALTO is in use around the world in educational environments, where it provides security, access control and campus management, and we’re delighted to add Student One to our growing customer base. In Australia we’ve now installed thousands of our standalone electronic locks in universities, student housing, schools, research institutes, academies, kindergartens and more, making it the number one choice of flexible security solution providing a secure environment for all their students and staff.”
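The SVN behaviour described above, in which audit events and battery status ride on the student’s card from an offline door to the nearest hotspot reader, is easier to see in code. The following Python is an added, generic model of data-on-card operation, not SALTO’s protocol or data format: it assumes an HMAC-SHA256 tag under a per-site key over both the credential and the revocation blacklist, integer timestamps, and constructed card, door and key names. It demonstrates the property a practitioner should test for in any deployment of this kind: a revocation issued at the server only reaches an offline door once some card carrying the newer blacklist is badged there, so the window between revoking a card and the door actually refusing it depends on foot traffic, not on the server.

```python
# Added example: a generic data-on-card model for offline locks. Not SALTO's
# own protocol. Assumed: one per-site secret shared by hotspot readers and
# locks, HMAC-SHA256 over credential and blacklist, integer timestamps,
# and constructed card/door names.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SITE_KEY = b"constructed-site-key-do-not-reuse"  # assumption: provisioned into every lock


def _mac(obj: dict) -> str:
    """Canonical JSON so a lock and a hotspot compute the same tag."""
    payload = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(SITE_KEY, payload, hashlib.sha256).hexdigest()


def _valid(obj: dict, tag: str) -> bool:
    return hmac.compare_digest(_mac(obj), tag)


def make_blacklist(ids, issued: int) -> dict:
    body = {"ids": sorted(ids), "issued": issued}
    return {**body, "mac": _mac(body)}


@dataclass
class Card:
    card_id: str
    credential: dict        # {"card_id", "doors", "expires"} written at issue time
    credential_mac: str
    blacklist: dict         # newest signed blacklist this card has been handed
    audit: list = field(default_factory=list)  # events written by offline locks


def issue_card(card_id: str, doors, expires: int) -> Card:
    cred = {"card_id": card_id, "doors": sorted(doors), "expires": expires}
    return Card(card_id, cred, _mac(cred), make_blacklist([], 0))


class OfflineLock:
    """A door with no network link: everything it learns arrives on cards."""

    def __init__(self, door: str, battery_pct: int):
        self.door, self.battery = door, battery_pct
        self.blacklist = make_blacklist([], 0)

    def present(self, card: Card, now: int) -> bool:
        bl = card.blacklist
        body = {"ids": bl["ids"], "issued": bl["issued"]}
        if _valid(body, bl["mac"]) and bl["issued"] > self.blacklist["issued"]:
            self.blacklist = bl                     # adopt newer revocations from the card
        granted = (
            _valid(card.credential, card.credential_mac)
            and card.credential["card_id"] == card.card_id
            and card.credential["expires"] > now
            and self.door in card.credential["doors"]
            and card.card_id not in self.blacklist["ids"]
        )
        card.audit.append({"door": self.door, "t": now, "granted": granted,
                           "battery": self.battery})
        return granted


class Hotspot:
    """Online wall reader: harvests audit trails and hands out the current blacklist."""

    def __init__(self):
        self.events, self.revoked = [], set()
        self.blacklist = make_blacklist([], 0)

    def revoke(self, card_id: str, now: int) -> None:
        self.revoked.add(card_id)
        self.blacklist = make_blacklist(self.revoked, now)

    def present(self, card: Card) -> None:
        self.events.extend(card.audit)
        card.audit.clear()
        card.blacklist = self.blacklist


def run_scenario() -> dict:
    """Constructed walk-through: a revocation reaches an offline door via another card."""
    hub, lock = Hotspot(), OfflineLock("room-101", battery_pct=80)
    a = issue_card("A", ["room-101"], expires=5000)
    c = issue_card("C", ["room-101", "laundry"], expires=5000)
    before = lock.present(a, 1000)             # True
    hub.revoke("A", 1100)
    stale = lock.present(a, 1200)              # still True: the lock has not heard yet
    hub.present(c)                             # C picks up the new blacklist
    lock.present(c, 1400)                      # lock adopts it from C
    after = lock.present(a, 1500)              # now False
    b = issue_card("B", ["laundry"], expires=5000)
    b.credential["doors"].append("room-101")   # tampered card: MAC no longer matches
    tampered = lock.present(b, 1600)           # False
    hub.present(a)                             # A's audit trail reaches the server
    return {"before": before, "stale": stale, "after": after,
            "tampered": tampered, "events": hub.events}


if __name__ == "__main__":
    print(run_scenario())
```

The `stale` result is the point: card A is still admitted after revocation until card C has visited both a hotspot and the door. Placing hotspots where every card passes daily (the lifts, in the installation above) shortens that window; measuring it from the harvested audit is a useful acceptance test.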
Cyber TechTime - latest news and products
Palo Alto Networks introduces new guide for Australian directors and officers

Palo Alto Networks has announced the publication of “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (Australian Edition)” to provide Australian boards, executives and officers at enterprises, government agencies and other organisations with practical, expert advice on how best to protect them from cyberattacks. Building on the success of the US Edition, launched in October 2015 with the New York Stock Exchange (NYSE), the Australian Edition was written in conjunction with Australian thought leaders from the public and private sector, together with Forbes. The contributing authors include:
– Mike Burgess (Chief Information Security Officer – Telstra)
– Rachael Falk (Cyber Security Expert)
– Ben Heyes (Chief Information Security & Trust Officer – Commonwealth Bank of Australia)
– Tobias Feakin (Founding Director – Australian Strategic Policy Institute)
– Adrian Turner (CEO – Data61)
– Maj. Gen. Stephen Day (Former Head of the Australian Cyber Security Centre)
– Jennifer Westacott (CEO – Business Council of Australia)
– David Irvine (Chair – Australian Cyber Security Research Institute)
– Cheng Lim (Partner – King & Wood Mallesons)
– Arno Brok (CEO – Australian Information Security Association)
with a foreword by the Honourable Dan Tehan MP, Minister Assisting the Prime Minister for Cyber Security.

Collecting the expertise and experience of CEOs, CISOs, lawyers, consultants and former government officials, this Guide is intended for those new to the cybersecurity topic as well as seasoned leaders in the field. It contains practical and expert advice on a range of cybersecurity issues, intended to enable business leaders to start having the conversation on topics such as compliance, the skills gap, incident management, prevention and response.

To learn more about cybersecurity from leading experts and contributors, and to download your own copy of the Guide, visit: http://go.paloaltonetworks.com/nextgen
For more best practices, use cases and expert advice on managing cybersecurity risks, visit: www.securityroundtable.org
To learn more about how Palo Alto Networks helps organisations prevent successful cyberattacks with its next-generation security platform, visit: www.paloaltonetworks.com.

About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com.
Seagate launches new Backup Plus Hub for all your digital needs

Seagate Technology has announced that its Seagate Backup Plus Hub is now available in Australia. Based on Seagate’s award-winning Backup Plus Desktop, Seagate Backup Plus Hub is the world’s first external storage hub to provide a complete solution for your digital life while serving as a desktop organiser too. This sleek drive boasts up to 8TB capacity and includes two integrated USB 3.0 ports for connecting and charging your devices. For typical data-loving computer users, this drive provides up to 8TB capacity to better manage data rather than juggle it across multiple USB sticks or devices. Its intelligent two-port USB hub makes the Backup Plus Hub a charging station: the integrated USB ports allow users to charge two USB-connected devices, such as phones, tablets, cameras or a Fitbit, at any time, even if their computer is not powered on. Users can also connect their devices directly to the Backup Plus Hub for data transfers and access the two USB-connected devices just as if they were plugged directly into the computer. With the new Backup Plus Hub, Android and iOS device users are able to easily back up photos and videos, and free up their mobile device memory at any time. Seagate Backup Plus Hub includes the Seagate Dashboard software with two years of 200GB free Microsoft OneDrive® cloud storage, so users can back up, access and share their favorite files from any device or location.

Pricing and Availability
The new product is now available in Australia at leading retailers. The RRP for the 4TB Backup Plus Hub is AU$229 and AU$419.00 for the 8TB Backup Plus Hub.

About Seagate
Seagate creates space for the human experience by innovating how data is stored, shared and used. Learn more at www.seagate.com. Follow Seagate on Twitter, Facebook, LinkedIn, Spiceworks, YouTube and subscribe to our blog.
EDITOR'S REPORT REVIEW
2016 THREAT REPORT
Australian Cyber Security Centre (ACSC) Threat Report 2016 www.acsc.gov.au
On first glance this looks like a well worthwhile report, in a similar category to the Australian Criminal Intelligence Commission (formerly the Australian Crime Commission) reports on national and significant organised crime, illicit drug activities and fraud, but I question which doors these reports are being used as ‘door stops’ for. Like the ACSC Threat Report 2016, all these reports simply advise us that the problems are getting worse and bigger. The ACSC Threat Report mentions ‘legislation’ only once and the word ‘reform’ doesn’t appear at all. If you want to know there is a problem then just read each issue of the Australian Security Magazine (ASM). I question why our federal government agencies are spending taxpayers’ money on highlighting the problem without offering any effective solution or response.

This is the second Australian Cyber Security Centre (ACSC) Threat Report. It claims to contain mitigation and remediation advice to assist organisations to prevent, and respond to, cyber threats. The ACSC advises “the current hype associated with the proliferation of ‘threat intelligence’ can be a distraction from what really matters: the motivation to allocate effort and resources to improving your cyber security posture by implementing technical controls. If you are relying on threat intelligence to respond to threats already discovered, it is too late for you and your organisation.” This is hardly constructive advice.

The ACSC is the focal point for the cyber security efforts of the Australian Signals Directorate (ASD), the Defence Intelligence Organisation (DIO), the Australian Security Intelligence Organisation (ASIO), Computer Emergency Response Team (CERT) Australia, the Australian Criminal Intelligence Commission (ACIC), and the Australian Federal Police (AFP). Note the AFP is also the ACSC’s conduit for State and Territory law enforcement. These are all federal agencies, yet the State police are excluded from being mentioned.

The report also contradicts itself. It states “a range of states now have the capability to conduct cyber attacks against Australian government and industry networks. However, in the absence of a shift in intent – which could occur relatively quickly – a cyber attack against Australian government or private networks by another state is unlikely within the next five years.” Excuse me? It goes on, “the absence of effective repercussions following past cyber attacks internationally will embolden some states to continue developing and using cyber capabilities as a coercive tool. A continued lack of international consensus on proportionate and appropriate responses to offensive cyber activity makes the threshold for response ambiguous, raising the risks of miscalculation.” Note that at the time of writing the US is planning counter cyber attacks against Russia. In contradiction to this statement, the report confirms, “Australia continues to be a target of persistent and sophisticated cyber espionage. 
The cyber threat to Australia is not limited by geography; adversaries with even a transitory intelligence requirement will target Australian individuals and organisations regardless of physical location. Our knowledge of adversaries who target Australia continues to grow – particularly for sophisticated adversaries that target government networks and key industry sectors. The ACSC is aware of diverse state-based adversaries attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. But the number of cyber security incidents across the breadth of Australian non-government networks either detected or reported is highly likely to be a fraction of the total.” “The extent of cybercrime is a significant
concern. High levels of misreporting and underreporting make it difficult to accurately assess the prevalence and impact of cybercrime. While it is very difficult to establish an accurate figure, the actual costs of cybercrime at the systemic level include the costs of immediate responses, system remediation costs, and flow-on costs to government and support programs that assist cybercrime victims.” There is no recommendation or even discussion around the introduction of mandatory reporting. Instead there is an admission that “the ACSC’s visibility of cyber security incidents affecting industry and critical infrastructure networks is heavily reliant on voluntary self reporting. Some companies may be hesitant to report incidents to the government due to concerns the disclosure may adversely affect their reputation or create legal or commercial liabilities. For example, in some cases victim organisations have sought legal advice before reporting an incident. Many cyber security incidents across the private sector are undetected or unreported.” As discussed in detail in this edition of the ASM, the report confirmed that “despite the many benefits internet and ICT connectivity provide, administrators of critical infrastructure need to remain alert to, and protect against, adversaries seeking to interfere with networks supporting critical infrastructure. Industrial control systems (ICS) support the automation and management of physical components used in production and distribution for critical infrastructure networks, and underpin the delivery of essential services to the Australian population. The prevalence of ICS technologies in critical infrastructure – and the evolution towards greater connectivity and dependence – presents opportunities for sophisticated adversaries. 
For example, with adequate access, knowledge and capabilities, a sophisticated adversary could modify ICS systems to achieve a disruptive effect on critical infrastructure.” It took a catastrophic power outage for the Federal Energy Minister Josh Frydenberg to call a snap meeting of state and federal energy ministers following the state-wide blackout in South Australia, only to get as far as agreeing to an independent review to provide a blueprint for energy security. Had these Ministers read this report they would understand it isn’t just climate change bringing massive energy security storms our way; it is also the connection of these critical infrastructure systems to networks, either directly or indirectly. Why do we wait for a ‘wake up’ call event instead of using reports such as these for the purpose they are intended: to instigate an effective and coordinated national response and reform?
CYBER SECURITY TRAINING & AWARENESS COURSES, WORKSHOPS & E-LEARNING • FOUNDATION CERTIFICATE IN INFORMATION SECURITY (FCIS) • CYBER SECURITY INVESTIGATIONS & INTELLIGENCE • CYBER ATTACK-RESPONSE DRILL (CARD)
FROM ENTERPRISE AWARENESS TO FULL CERTIFICATION
SUITABLE FOR: LAW ENFORCEMENT, REGULATORS, JUSTICE MINISTRY HEADS, INFORMATION TECHNOLOGY / IT MANAGERS INFORMATION SECURITY OFFICERS NETWORK ENGINEERS / SUPPORTS HEADS OF PROCUREMENT / BUSINESS DEVELOPMENT FACILITY AND SECURITY MANAGERS HUMAN RESOURCE / TRAINING MANAGERS
www.amlechouse.com
CIOs, IT Leaders and decision makers • Big data • Communications • Cloud computing • Technology systems • Interviews with industry thought leaders plus much more.
Published on Nov 9, 2016
The Asia Pacific Security Magazine is published bi-monthly and features news, articles and promotes partner events from across the region.