THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Nov/Dec 2017
Contents
Editor's Desk
COAG Outcomes - Sharing biometric data of Australians
Protecting crowded places from terrorism
Overpromised or underdelivered?
Cyber security skills: Hiring to train
Cyber defense in depth: high walls alone won’t defend the castle
ASD Case Study highlights serious gaps in cybersecurity
Future of Cyber ‘Quantum’ Security: Can’t Copy, Can’t Intercept
Leadership + Research + B2B focused = The formula behind protecting consumers
Spy spotting: What careless mistakes reveal about cyberespionage in APAC
The future of apps in a multi-cloud world: F5 agility 2017
Hackers are humans: let’s beat them with soldiers
The premise of personal risk management skills
Murdering children online
The smartest tool in the cybersecurity toolbox
Netevents Global Summit: Silicon Valley USA
Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents* & Contributors: Sarosh Bana*, Jane Lo*, Fiona Wade*, Dr Gav Schneider, Anthony Bergin, Mike Stone, Jason Brown
Copyright © 2017 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia
All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
Editor's Desk
Putting Security, Growth and Network back into the Security debate
"Xi has crafted a unique diplomatic strategy and style for his country, which serves to not only promote the great rejuvenation of the Chinese nation, but also to move forward towards the creation of a shared future for mankind." - Keith Bennett, vice chairman of Britain's 48 Group Club.
As 2017 draws to a close, it is naturally time to reflect and look forward to 2018. In the shadow of Australia’s recent release of an International Cyber Engagement Strategy, this edition provides an important reflection on the Australian Cyber Security Strategy, the Australian Cyber Security Growth Network, renamed AustCyber, and Australia’s Strategy for Protecting Crowded Places from Terrorism.
Born of a political agenda, with arguably insufficient funding and focused on one aspect of security, the Australian Cyber Security Growth Network (ACSGN) has found itself some distance from what should have been an expanding term of reference. The most important and exciting aspects of the ACSGN were the Security, Growth and Network: the growth and network elements appeared to recognise that cybersecurity is just one, critically interconnected part of a much larger ‘security’ challenge. From 120 companies, identified by AustCyber to exist in the ‘cybersecurity’ ecosystem, sitting within a yet unmapped national security ecosystem in Australia, there are just seven companies landing in San Francisco, as part of an extended trade mission. That is about 5 per cent of the Australian cyber security industry being supported to reach into Silicon Valley.
Providing further insight, Andreas Haggman, a Principal Research Officer at Thales Australia, has compared the Australian Government’s own assessment of its progress towards implementing the National Cyber Security Strategy with the Australian Strategic Policy Institute’s (ASPI) evaluation of the same progress. Haggman concludes, “The Government’s appraisal of its own progress with regards to the goals set out in Australia’s Cyber Security Strategy is, for the most part, not a reflection of reality…The importance of this article and of the ASPI evaluation is an excellent example of a way to hold government accountable for their strategic promises, paving the way for more effective policymaking in the future.”
Another important contribution to this edition, alongside our coverage of Australia’s COAG meeting, is an assessment, published courtesy of the Australian National University’s Policy Forum, of the Australian protecting crowded places strategy. The assessment confirms that this strategy also falls short. As stated within the strategy, “the approach taken to protect crowded places should be nationally consistent, proportionate and, to every extent possible, preserve the public’s use and enjoyment of these places.” Yet, the assessment finds, “the Strategy creates an impression that government is best placed to provide protective security advice. That's not the case: few in government have formal security-specific qualifications, certifications, professional memberships, or have had responsible corporate security experience...It's revealing, for example, that there's only one mention of an industry association in the Strategy. And there's no recognition that such bodies are a source of information and expertise…The new Strategy is just one piece of the jigsaw which needs to be placed in the bigger puzzle of national security and resilience.” As we move into 2018, the geo-politics and regional security of the Asia Pacific, or indeed the Indo-Pacific region could not be more fascinating and ever more challenging. China’s 19th National Congress confirmed the Communist Party intends, eventually, to surpass the West, not just by military and economic measurements, but with a global ideological evolution. By attempting to redefine the region as the Indo-Pacific, the West appears to be trying to sideline or counter China’s continued, growing dominance. The next two weeks will go a long way to setting the agenda for 2018 with President Trump coming to Asia on the longest trip to the region by an American president in over 25 years. 
With visits to Japan, South Korea and China, he will also attend the Asia-Pacific Economic Cooperation summit in Danang, Vietnam, and the Association of South East Asia Nations summit in Manila, Philippines. North Korea’s nuclear program and China’s control of the South China Sea are obviously the primary issues for ongoing dialogue, and will remain so into 2018 and beyond.
In this issue is a Singapore Feature by Jane Lo, with data collection and cybersecurity insights into the Singapore Formula One Motor GP, Singapore’s International Cyber Week, Cyber Security for Transportation Summit 2017 and Cyber Security for Airports and Maritime Summits. In addition, we have interviews with F5 Networks, RSA, WithYouWithMe and features with Kaspersky Lab, L’Oréal-UNESCO’s 2017 Australian Fellow for Women in Science and the NetEvents ‘Innovators in Cloud, IoT, AI & Security’ program at the Dolce Hayes Mansion, San Jose. Articles include an extract from Dr. Gavriel Schneider’s new book and an article by Mike Stone, KPMG’s Global Head of Government Technology Transformation. I’ve also included my article on the ASD Case Study delivered at #AISACON17.
Finally, MySecurity Media has released episodes of our Cyber Security Weekly Podcast and a new MySecurity TV video interview series – please check them out. We welcome your reviews, comments and feedback – as well as continued contribution, discussion and debate! Thanks for a great 2017! And on that note, as always, we provide plenty of thought-provoking material and there is always so much more to touch on.
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor
Cyber Security National Security
COAG Outcomes - Sharing biometric data of Australians
By Fiona Wade, Canberra Correspondent
In an age where cross jurisdictional cooperation is high on the agenda, it was not surprising that COAG’s data sharing announcement stole the spotlight. The states’ commitment to share the biometric data of most Australians was announced at the special COAG on national security held in Canberra on 5 October. At this meeting, state leaders were clearly united on the need to share information across the country. In its communique, COAG said that the new arrangements “will help protect Australians by making it easier for security and law enforcement agencies to identify people who are suspects or victims of terrorist or other criminal activity.” The data sharing includes access not only to passport photos but also photos from driving licences.
Prime Minister Malcolm Turnbull said at the following news conference that “This is not accessing information, photo ID information that is not currently available. We’re talking about bringing together essentially, federal government photo IDs, passports, visas and so forth, together with driver’s licences.”
And that is the point. All of this data is currently accessible. But it is the sharing of the data between states and territories that has been cumbersome and in most cases completely lacking. And this lack of sharing is not just limited to biometric data. As it stands now, police in one jurisdiction have little to no real-time access to criminal intelligence held in another state. And this can have dire consequences.
In 2006, two Victorian women were assaulted and murdered in their Altona home. The offender, William John Watkins, left Victoria and drove across South Australia and into Western Australia, where he was stopped for failing to pay for petrol. The police officer, not knowing that the driver was wanted for a double homicide, approached the car with minimal intelligence at his fingertips. What ensued was a violent altercation resulting in the death of Watkins, shot in self-defence. In the state coroner’s report into the shooting, it said: "The State Coroner also found that although a computer check was conducted on both the deceased and his vehicle prior to the police officer attempting to apprehend him in respect of the offence of stealing petrol, no information was available either as to the recently committed offences or even in respect of the prior criminal record of the deceased."
Unfortunately, this situation could happen again, but it doesn’t have to. For the past few years, the Australian Criminal Intelligence Service (ACIC) has been developing the National Criminal Intelligence System (NCIS – pronounced ensis). With a successful trial under its belt, NCIS is now ready to be rolled out across the country, linking the intelligence databases of all jurisdictions and agencies. It just needs the government to fund it.
NCIS is a whole of government approach and has the ability to collate, analyse and share criminal intelligence and information across state, territory and federal jurisdictions. And while each police jurisdiction and all the other separate agencies work on their own data platform, an advantage of NCIS is that it does not require these platforms to change. NCIS simply provides the linkage between all the varying platforms – so that the information and intelligence is accessible to everyone.
NCIS will allow front line police and counter terrorism operatives to access the complete picture of a suspect. It includes contemporary deconfliction services, rapid search, graphical representation, visual analytics and other intelligence that is already available, but currently cumbersome to access. For example, a car, with Victorian plates, is being driven in NSW, by a WA driver and passengers from NSW, ACT and Tasmania. By checking NCIS, the front line police officer, who has stopped the car for a traffic infringement in NSW, will have real-time access to the criminal intelligence held by all the jurisdictions on all the occupants. This includes flags from security agencies and DVO orders.
It’s not rocket science. The Police Federation of Australia, the country’s national police union that represents 60,000 police, has long called for a national case management system and a better shared intelligence regime. There have been numerous inquiries undertaken by federal government, with all major political parties pledging support for collaboration and a national approach to intelligence data and case-management systems. This support was emphasised by the Parliamentary Joint Committee on the Australian Crime Commission’s 2007 report into the future impact of serious and organised crime on Australian society, while the 2008 Clarke Inquiry into Dr Mohamed Haneef called for a national case-management system for major police investigations, as a matter of urgency.
NCIS is a game changer in the fight against crime and terrorism and police are calling out for its implementation, especially as the threat and type of criminal and terrorist activity continue to evolve. With the pilot successfully completed, NCIS is now waiting for federal government money to be able to roll out across the country. Costing $150 million for the initial start-up and $20 million every year thereafter, it is viable when compared to the money government has spent and continues to spend on securing sovereign borders and investment in machine learning, biometrics and data analytics. The Prime Minister said, “It shouldn’t take seven days to be able to verify someone’s identity or seek to match a photograph of somebody that is a person of interest. It should be able to be done seamlessly in real time.”
And while the main story from October’s COAG meeting came from ID sharing, other announcements herald an era where the states are keen to work as one, in light of ‘keeping Australia safe from terror’. This includes agreeing to a tougher, and importantly nationally consistent, timeframe for holding people suspected of terrorist offences before they are charged or released. Measures also announced will see the federal government developing a new Commonwealth offence that will allow law enforcement agencies to intervene when a person possesses “instructional terrorist material”, as well as developing a terrorism hoax offence that “will ensure that the potentially broad nature of terrorism hoaxes is criminalised in all jurisdictions.”
The state leaders also welcomed the August launch of Australia’s Strategy for Protecting Crowded Places from Terrorism, and agreed to the expansion of the phone-based national Emergency Alert warning system to make it available for use during a national security incident.
There is no doubt that all the country’s leaders have delivered a cohesive message that the security needs of the nation transcend political divides and this is a good thing. But there is plenty more to be done.
Protecting crowded places from terrorism: Developing a public-private partnership approach
Anthony Bergin and Jason Brown run the rule over Australia’s new strategy for protecting crowded places from terrorism.
By Anthony Bergin and Jason Brown
Following the recent Council of Australian Governments (COAG) special meeting on counter-terrorism, most discussion focused on the announcement of a national facial biometric matching capability. However, little attention was given to the fact that all states and territories welcomed the August launch of the Australia-New Zealand Counter-Terrorism Committee's (ANZCTC) Australia’s Strategy for Protecting Crowded Places from Terrorism. The strategy aims to make places such as sports stadia, transport infrastructure, shopping centres, tourist attractions, and civic spaces more resilient to terrorist attacks.
Although some may disagree, the Strategy is a step forward in providing guidance and tools for both private enterprise and local government to reduce the likelihood and harm from a terrorist incident in areas where crowds present an attractive target for malicious actors, not just terrorists. The section on the role of local government is especially useful: it's the first time the third tier of government has been noted in a Commonwealth counter-terrorism strategy or plan.
The Strategy makes a positive contribution to developing Australia’s response to terrorism by highlighting the terrorism threat to owners and operators of crowded venues. But at the same time, we shouldn't lose sight of the fact that there's also value in an 'all hazards' approach to safety and security: many of the security and safety controls that can be implemented to deal with predictable hazards, such as natural hazards or industrial accidents, will also have a mitigating impact on the likelihood of extreme malicious acts. Barriers against an ATM 'ram raid', for example, will also be useful against a deliberate mass rundown. Video surveillance against theft provides reconnaissance and investigation for terrorist threats and acts. On the basis of likelihood alone, such control measures should be considered first before those controls for the lower likelihood, yet high-impact, malicious event. An all hazards risk assessment should be undertaken prior to conducting a venue terrorist assessment and audit. The malicious actor threat, from criminal, unstable individuals through to terrorists, should be part of this consideration.
The Strategy's recognition that the private sector has a vital role to play in protecting crowded places is welcome. This respects the owners and operators and recognises they understand the problem and to a greater or lesser degree have security as a part of their business. But in some places, the Strategy creates an impression that government is best placed to provide protective security advice. That's not the case: few in government have formal security-specific qualifications, certifications, professional memberships, or have had responsible corporate security experience. It's revealing, for example, that there's only one mention of an industry association in the Strategy. And there's no recognition that such bodies are a source of information and expertise. The International Association of Venue Managers and ASIS International, for example, both have international sub-committees looking at the issue of protecting crowded places.
The Strategy fails to recognise the concept of precincts created by the location of crowded places and associated business infrastructure. This would, for example, include areas such as the Sydney Olympic Park and the Victorian National Gallery and Arts Centre. In a precinct model, deployable physical controls can be developed to suit the events planned and reduce vulnerability. A precinct approach would include the key businesses that would be affected by additional controls or by a malicious event occurring. It should include others in a precinct, such as hotels, restaurants and chemist shops, which may be part of the response. We'd note that some police commands and venue owners have already adopted this approach. Precinct operators should be members of the proposed Crowded Places Forums that are sensibly suggested in the Strategy and are being rolled out in each capital city. The Forums will be places for information sharing between police and owners and operators.
The Strategy is right to observe that it's a 'key responsibility of government to ensure those who own and operate crowded places have access to high quality threat information'. The Strategy has included some useful audit and assessment tools. Large venues will often have their own Chief Security Officer. But the tools will help some operators, such as smaller shopping centres, who won't always have the resources to employ security professionals. In terms of methodology, there are some limitations in the assessment tools, but overall they will send owners in the right direction for engagement with police and government.
The Strategy is also positive in promoting resilience as a key characteristic of being able to respond to incidents. But the real key to resilience is the people involved. This doesn’t just mean owners and operators: we need to build a greater awareness of public safety procedures for those in crowded places. The Strategy makes reference to the central role of security providers. But with several states dragging their feet, the failure to develop an effective national licensing regime, enhanced standards and training for security service providers is a severe hole in our protective security planning. The Strategy doesn't recognise what's required from security professionals: individuals who can conduct effective all hazards risk management, in particular related to malicious actors. Institutions such as the Australian Security Industry Association, Security Professionals’ Australasia and its Registry have developed a number of initiatives for recognition. But they require support and participation from government, with possibly a co-regulatory model being considered.
The other important people issue is the opportunity to leverage the trained and licenced body of men and women already deployed on private sector security duties. Modest government funding might be considered in developing their capacity to supplement other first responders. Representation on the ANZCTC’s Crowded Places Advisory Group (CPAG) should include non-government organisations, such as Red Cross, as well as emergency services to ensure that advice on controls to reduce the terrorist threat doesn't have unintended consequences for other safety and security issues.
Lastly, the Strategy has a problem in dealing with the proportionality of the controls that can be applied by the owner: it suggests liability for owner/operators if they get it wrong. The allocation of resources to mitigate risk has to have a reasonable degree of certainty that it will achieve the objectives. The nature of terrorism – with its high uncertainty, low probability and high consequences – is absolutely dependent on good intelligence and assessment of the threat to assist in identifying the right controls. This is a job for government and generalised assessments are of little help to a venue or other crowded place. That said, owners and operators do understand what's required under duty of care principles as set out in state occupational health and safety legislation.
The new Strategy is useful in advancing a partnership approach with business owners and operators. Platforms like the crowded places forums and the CPAG (with useful representation from the local government peak body, the Australian Local Government Association) should reach out to state governments. We agree with our political leaders that it's important for all stakeholders to implement the measures outlined in the Strategy as soon as possible. And it's useful that the Strategy is designed to be a 'live' document which will be reviewed on a regular basis by the CPAG and the ANZCTC. But the new Strategy is just one piece of the jigsaw which needs to be placed in the bigger puzzle of national security and resilience.
Re-published courtesy of the Policy Forum www.policyforum.net
Overpromised or underdelivered?
Evaluating the Performance of Australia’s National Cyber Security Strategy
By Andreas Haggman
his article compares the Australian Government’s own assessment of its progress towards implementing the National Cyber Security Strategy with the Australian Strategic Policy Institute’s (ASPI) evaluation of the same progress. Published in April 2016, the Strategy provided a plan of 33 actions the Government would take between publication and 2020 to achieve its stated objectives. A year after original publication, the Government published an Annual Update to the Strategy, appraising its progress according to the action plan. Each of the actions were assessed on a scale of four ratings: Not scheduled to have commenced, Progress, Strong Progress, and Completed. Out of the 33 actions, 2 were ranked as Not scheduled, 14 as Progress, 11 as Strong progress, and 6 as Completed. Not taking this appraisal at face value, ASPI published its own evaluation of the Government’s implementation in May 2017. This was largely optimistic, though it also criticised the Strategy’s action plan for lack of clarity, including lack of timeframes and the unmeasurable character of several actions. Similar to the Government’s own effort, ASPI provided a scale, albeit with a more fine-grained six ratings: Unmeasurable, Outcome-dependent, Not started, Underway, Significant progress, and Achieved. ASPI were also more thorough in their assessment, rating not just the 33 actions, but the individual sub-points within them. Accordingly, there were 11 Unmeasurable, 12 Outcome-dependent, 14 Not started, 22 Underway, 19 Significant progress, and 4 Achieved actions. With these basic metrics, comparative analysis can be conducted to evaluate whether the Government has so far overpromised or underdelivered on the National Cyber Security Strategy. Method Because the Government and ASPI assessments used different rating scales, it was necessary to normalise these with a quantified metric before they could be compared. This
10 | Asia Pacific Security Magazine
was done by assigning a score of 1 to 4 to each rating, with higher scores reflecting better ratings, as detailed in the table below. The Unmeasurable and Outcome-dependent ratings were assigned 1 to neutralise them. 0 was also assigned in cases where ASPI had rated an action as Not started when it should have been started. The scores were then assigned to each action as defined by the Government. Where ASPI had rated multiple subpoints within an action, the scores for each sub-point were aggregated and averaged to return a score for the action. The end result of applying this method was two scores for each action: one reflecting the Government rating and one the ASPI rating. A comparison of these scores could be used to determine whether the Government had over- or underestimated its performance for each action, and the deviation between the scores indicated the extent of the over/ underestimation. There was also a total score out of 132 [33 (actions) x 4 (highest possible score)] indicating overall performance. The ASPI rating was assumed to be the truer figure for two reasons. Firstly, ASPI applied a much more nuanced framework to its ratings, giving it greater detail and therefore accuracy. Secondly, ASPI is an independent organisation with little interest in fluffing such an assessment, neither towards a pro- nor anti-Government slant. With this in mind, it made sense to use ASPI as the benchmark against which to measure the Government’s performance. Results Overall, the Government scored itself 87 out of 132, while ASPI scored the Government 63.68. This suggests the Government considered itself well on the way towards achieving all Strategy objectives, while ASPI put the same progress at less than halfway. Numerically, this is an overestimation by the Government of its performance towards the Strategy objectives by some 37%. The Government overrated itself on 22 actions and underrated
itself on 4 actions, while 7 actions were accurately rated. Average deviation across all 33 actions indicated that the Government scored itself 0.71 higher than ASPI. The absolute largest deviation (by a factor of 0.57 over the next largest one), and therefore indicating the Government’s grossest misestimation, was in action 27 which sought to “Establish a Cyber Security Growth Centre to bring together a national cyber security innovation network that pioneers cutting edge cyber security research and innovation, through the National Innovation and Science Agenda.” Here, the Government adjudged the action to be Complete through the creation of the Australian Cyber Security Growth Network (since renamed AustCyber). The Growth Network was set up to foster start-up and scale-up companies in the cyber security sector, and had already led a delegation of Australian companies to the RSA conference in San Francisco. While ASPI recognised this success and rated the Growth Network sub-point as Significant progress, there were five additional sub-points to this action, one of which was rated Underway and the remaining Outcomedependent or Unmeasurable. Essentially, just creating the Growth Network is not enough; its performance needs to be monitored over time to fully appraise its impact. In this case, one would hope that the Government does not retire, having declared the task Complete, but build on this success by actively engaging with the Growth Network over an extended period of time. 
The next largest deviations came from actions 16 and 29, which respectively aimed to “Support the Council of Registered Ethical Security Testers (CREST) Australia New Zealand to expand its range of cyber security services” and “Work with business and the research community to better target cyber security research to Australia’s cyber security challenges.” In both instances, the Government had appraised itself to have made Progress, citing examples such as the Oceania Cyber Security Centre, and various partnerships between industry and universities. Despite this, ASPI rated every sub-point of the actions as Not started. This assessment appeared more valid for action 16 than 29, where the latter was given the rating because more time was needed to see the effects of Government measures (such as the Oceania Centre), while the former pointed to Government initiatives which had good intentions, but currently lacked evidence of implementation. More transparency in the machinery of Government may provide such evidence and result in closer aligning of the ratings. At the opposite end of the spectrum were the actions where the Government had underrated its performance. Notably this was in actions 7 and 26, which set out to “Boost the Government's capacity to fight cybercrime in the Australian Crime Commission” and “Build cyber capacity in the Indo-Pacific region and globally, including through public-private partnerships” respectively. In both cases, the Government had rated itself to have made Progress, but ASPI rated it as Significant progress. In regards to boosting capacity to fight cybercrime, measures to date include increased funding and a successful recruitment drive, which means an accurate rating probably lies somewhere between Progress and Significant progress. For Indo-Pacific regional relations, however, the Government certainly seems to
have underrated itself because several worthwhile actions have been completed to date, including the release of an International Cyber Engagement Strategy and sponsorship of officials from relevant countries to attend various fora in the region. On a tangential note, it is worth observing that goals like these can never be adjudged to be Completed/Achieved because they are ongoing.
Finally, there were actions where the Government and ASPI rated progress equally. Of these, actions 25 and 33 which aimed to “Partner internationally to shut down safe havens and prevent malicious cyber activity, with a particular focus on the Indo-Pacific region” and “Work with other countries on cyber security awareness raising programs to deliver mutually beneficial outcomes” are the most noteworthy. These were respectively rated as Progress/Underway and Strong progress/Significant progress. ASPI recognised the Government efforts to shut down safe havens, though noted that there is lots of work still to be done – which is seemingly acknowledged by the Government. With regards to raising cyber awareness, the Government’s Stay Smart Online campaign was highlighted by ASPI as a successful measure collaborating with the US and New Zealand. In both these cases there are clearly solid foundations on which to build future work.
Conclusion
The analysis provided in this article has shown that the Government’s appraisal of its own progress with regards to the goals set out in Australia’s Cyber Security Strategy is, for the most part, not a reflection of reality. Although the goals provided in the Strategy are realistic with regards to Australia’s economic capacity, diplomatic clout, and technical capability, the Government has overrated its progress towards achieving the stated objectives. In other words, the Strategy is more underdelivered than it is overpromised.
By comparing the Government’s appraisal with the assessment provided by ASPI, we can begin to recognise where the biggest gaps in progress are and identify where further efforts need to be made. In this sense, the ASPI evaluation is an excellent example of a way to hold government accountable for their strategic promises, paving the way for more effective policymaking in the future.
About the Author
Andreas Haggman is a Principal Research Officer at Thales Australia where his work considers the full sociotechnical spectrum of security. He is also a PhD candidate in the Centre for Doctoral Training in Cyber Security at Royal Holloway University of London, where he is writing a thesis about cyber strategy wargaming.
Cyber security skills: Hiring to train
Interview with Chris Thomas, RSA Advisory Systems Engineer, who leads the threat detection and response team, and Rui Ataide, Principal Consultant, Incident Response.
By Chris Cubbage Executive Editor
Chris Thomas: Industry needs to look at the opportunity to build people as opposed to hiring a senior 10 year veteran. Someone that has the right aptitude and the right attitude. Building these people requires industry to invest in some training and deliver them on the job. This is what RSA is doing at the moment and trying to embrace the skills shortage. We recognise we can’t go out and hire an experienced person every time. We still need to invest and build people up rather establishing formal internships or just having a bit of programing. We are implementing programs to up skill people and build the people that we want, molding them to the roles that we have, rather than just trying to hire experienced people.
RSA is working closely with tertiary institutions to help train the next generation of security analysts. One such initiative is a partnership with Singapore's Temasek Polytechnic to create a learning SOC, where students gain hands-on experience in responding to cyber threats. RSA also offers courses to employees aimed at building soft skills like presentation and demonstration skills, public speaking, management and leadership, business and time management. These skills are as critical as technical skills in the working environment.
Learning outcomes from Deakin University's Bachelor of Cyber Security and Master of Cyber Security include communication, critical thinking, problem solving, self-management and teamwork. Other universities, such as Southern Cross University (SCU), offer degrees in IT management. SCU says of its Masters of IT Management: "As an IT specialist, you know how complex information systems work. But do you have management skills to implement state-of-the-art solutions across multiple levels of business?" SCU claims the degree equips graduates with the ability to identify risks, integrate solutions and manage projects effectively across the broader business.
Rui Ataide: The skills shortage requires the expectation for the hiring side to be reset. We don’t have people that are going to have 5, 6, 10 years’ experience on technology that is so recent and so new. This needs a bit of shifting and programs in university need to be getting people more exposed to certain environments and technologies, which will help them to be a bit more industry ready. Currently, employers want one of two things in a prospective employee:
1. We want you to have experience but we are not willing to pay for it; or
2. We want a graduate with 3 years’ experience.
What does good look like?
Chris Thomas: There are different sets of skills that people need within the IT security space and within the SOC. Where companies, business and government need to be looking is at bringing in people at lower levels and then maturing them and training them so that they move towards the higher levels of skill sets. You need to understand technology, networking and operating systems but as you progress through your career and as you progress to responding to an incident, the level of skill that someone needs to go and understand a problem adapts. In a SOC it may involve moving from an alert to deep diving into a network packet or protocol or a binary file to look at it, break it apart and find out what can I abstract from that to improve my security posture. These skills take time to develop and the incidents also change. I think if you start to build a team from the ground up you can very quickly and easily identify people with the right attitude and people with the right mindset. Some of them are going to end up being in a SOC or the like. Technical leads may then follow a business and management path or will end up being the SOC manager or eventually a CISO. I think that is where we have to start focusing. Yes! We are still going to need to hire skilled people, especially companies that are just starting off. You need someone with the right skills in order to build and train a team around them. This is one of the areas that the industry has been lacking, the soft people skills that develop teams. How are we measuring that aspect? I think that’s a very important part because despite being the most brilliant technical mind, if you can’t articulate what it is you’re doing, it just doesn’t work out. Especially now that security is becoming more of a business and board level concern.
Cyber defense in depth: high walls alone won’t defend the castle By Mike Stone
For business and government, cyber security is the new arms race. We defend, and the enemy counters. We respond, and so do they. The cycle escalates in perpetuity. A strong cyber defense is an integral part of good IT operations. Operate and defend are effectively two sides of the same coin and a denial of service (DDoS) attack is still an attack whether it comes from an external source, or as a result of an error from your own IT department. You need to be able to respond to both effectively and have a clear understanding of the routes, or attack vectors, through which the breach occurred. Whether it’s a malicious attack or an error, you’ll need the same business continuity and disaster recovery plans and capabilities in place. To truly understand the potential attack vectors, you first need to have total visibility of all the assets on your network and their current status. As part of the process, you will need to evaluate the network paths across all systems and telecom carriers. While asset classification and identification are among the less glamorous aspects of information security, they are as essential to it as they are to good IT operations. The disturbing fact is that very few organisations have such a detailed understanding of their networks. Bad guys get in because they get to know your network a lot better than you do. They discover vulnerabilities and press at those points like a hot knife through butter. To my mind, the safest approach is to assume that you have been compromised and work on what needs to be done to address this. I call this approach Cyber Defense in Depth.
Defending in depth
Cyber Defense in Depth is a proactive posture that uses multiple methods at different layers to protect IT systems against attacks. People tend to think of cyber protection primarily in terms of perimeter protection, such as a firewall, but forget about the other layers, which are equally if not more important.
A medieval castle is a helpful metaphor: you can build higher walls, but the risk is that you become complacent and forget that attackers can still tunnel under or poison food and water stores to spread virus and disease. There is another problem with living in a castle with high walls and closed doors: you have not only made access difficult for your enemies, but for your friends as well.
Getting comfortable with intruders
Perimeter protection has value, but is not the be all and end all. However, the majority of people invest their time in
anti-virus and firewalls. Anti-virus software may clear 60 to 70 percent of the junk, but you have to remember that there is a likelihood that there are cracks in the firewall that can be used to get in, unless you cut your network off from the outside world entirely and even then you can’t be sure! Organisations should operate on the assumption that their firewall has been breached and that there are people already inside the network who should not be there. So, then you must ask, what needs to be true for you to be ‘comfortable’ with uninvited guests inside your network? Firstly, you need to be able to detect, contain and remove malicious software, or malware, as rapidly as possible. Secondly, if uninvited guests are still inside then you need to ensure that they can’t steal any information or that what they can exfiltrate is worthless, which is where digital rights management has a significant part to play. When developing a cyber defense strategy, remember the castle metaphor and don’t let high walls lull you into a false sense of security. The most important thing is not whether a network has been breached, it’s whether you can protect what is most important - the organisation’s ‘crown jewels’ - its data and information. To be successful, organisations should develop multiple approaches including planning, strengthening internal protections, training employees, as well as guarding the perimeter. Given that most security breaches are caused by human error or omission, it makes sense to include a robust training program for employees that provides the tools to mitigate security risks. One important technical step is to improve security for devices on your network, known as end-points, as these are often the weakest link in security and are usually operated by employees. In planning a cyber defense, assume the castle walls will be breached and plan for it. 
About the Author Mike Stone is KPMG’s Global Head of Government Technology Transformation for Infrastructure, Government and Healthcare. He served as an officer in the British Army for 28 years and has worked as Chief Digital Information Officer for the UK Ministry of Defence as well as President of Service Design and Chief Information Officer for BT Global Services. This is the first in a series by Mike Stone on cyber defense in depth, with future articles discussing specific areas of work.
ASD Case Study highlights serious gaps in cybersecurity by defence contractors
By Chris Cubbage Executive Editor
In November 2016, tipped off by a ‘partner organisation’ advising that an ‘APT actor’ had gained administration access to a fourth-tier defence contractor, ASD and CERT Australia were quick to respond and on site the following day. On arrival, however, without official ASD credentials, the ‘customer’, a small aerospace engineering firm with about 50 employees, called into question the bona fides of these ‘visitors’ from the Federal Government. Even calls to the CERT Australia Hotline did not initially verify the visit. Yet despite this and with the best social engineering techniques at play, they were able to later walk out with hard drives of historical backups, in order to commence an official forensic investigation. The investigation revealed the company had been compromised five months earlier, in July 2016, and that a significant amount of data had been stolen, most of it defence related, including data related to the Joint Strike Fighter program and other primary defence hardware. Step one involved gathering the Executives and IT Staff…of which there was one…together in a room and advising them they had been seriously compromised and yet “it was no one’s fault.” “The fact you have valuable information, you would have likely been breached either way and let’s focus on treating the problem. Too many organisations seek to apply blame and this isn’t helpful,” said the ASD Incident Response Manager, presenting to a full conference room in Sydney at #AISACON17. One may beg to differ. Blame could be easily attributed to the Executives who allowed this small self-managed network to be supported by one IT person, and without a security risk assessment, which would have highlighted the vulnerabilities involved with using a common local admin account, no DMZ, no regular patching regime, and with hosted internet facing services…all whilst handling defence data and commercially sensitive information.
In this case, because of the defence data, the investigation became a combined ASD and CERT Australia investigation. It was a current and historical compromise. ASD deployed host-based agents, Google Rapid Response (GRR) and Carbon Black, to the endpoints to begin recording module loads and file modifications and so capture what was happening in the environment. Investigators seized the server backups and related domains. ASD established an Exfil host on the remote desktop server and had hoped to just review the access logs and seek out a foreign IP address. That was not the case, but they did find a China Chopper web shell, a recognised and popular stealth access tool commonly used by Chinese cybercriminals (1), and WinRAR, a data compression tool. The analysis determined about 30GB of defence and commercially sensitive data had been accessed and downloaded. A key learning outcome was that companies, particularly defence contractors, need to become more granular on the type of security controls required. The techniques used by the APT Actor were not real tradecraft; they simply leveraged poor network configurations. The IT helpdesk server was internet-accessible, used single-factor authentication, was unpatched and had a CVE exploitable via Metasploit. The vulnerability was easily exploited but, as it turned out, wasn’t actually required, as a default username and password were still being used. ASD stated they realised this exploit was actively used against multiple Australian companies and the time difference between scanning and exploit was about 7 days, suggesting a nation state actor who was slow and deliberate. Once access had been gained, the APT Actor ran tools to collect credentials and ultimately gained full access to the entire network. This access included reading emails of the company’s engineers, finance controllers and operational managers, and logging into all servers, including accessing CAD systems and company documents, touching all points inside the environment. The case study highlights ASD recommendations to disable local admin accounts and deploy password solutions, including two-factor authentication, to ensure each machine in the environment has a unique and regularly changed password. Reduced privilege reduces risk. ASD confirmed attribution is getting more difficult, but it is not always the goal. The response involved ensuring they get the Actor off the network and stop further access.
“Cyber espionage is professionalising,” said ASD, “capability is in people not tools. Invest in people and build the workforce.” With the increasing workloads, confirmed in the ACSC Threat Report 2017, ASD is continuing to recruit. It is clear from this case study, that further and continued education is needed, not just technical training but educating company executives that they have a fiduciary duty to ensure they assess the risks and recognise ‘security’ is not to be assumed or disregarded.
Women in Security
Future of cyber ‘quantum’ security: Can’t copy, can’t intercept
DR JACQ ROMERO, L’Oréal-UNESCO’s 2017 Australian Fellow for Women in Science
By Chris Cubbage Executive Editor
For over ten years the L’Oréal-UNESCO For Women in Science program has supported Australian female scientists with the aim of ensuring that women are fairly represented at all levels in science. The program looks to encourage more young women to enter the profession and to assist them once their careers are in progress. In 2017, L’Oréal Australia announced the addition of a fourth $25,000 Australian Fellowship. Dr Jacq Romero, winner of a 2017 Australian Fellowship, conducts research at the University of Queensland in the rapidly emerging and increasingly important field of quantum physics and the theory of entanglement. That applies to information being shared between particles regardless of how far apart they are, even at opposite ends of the universe. “I work with photons which are the particles of light and their orbital angular momentum, which is associated with their twisted shape”, Dr. Romero informed APSM. The quantum world is relatively unknown, but already physicists are predicting that it has incredible potential to increase transmission of information, improve security and lead to exciting new technological advancements. “I work in quantum information. I want to understand quantum information in the space of higher dimensions because I believe it is important for the future of computation and communication.” There is still limited knowledge around how quantum information works in high dimensions, and therefore the full advantage and potential of quantum information in this space is yet to be realised. Dr. Romero’s work sets out to provide the first experimental evidence to an existing theory to verify the fundamental differences in the way information works for larger quantum alphabets, compared to the classical encoding system we use today. Her findings will provide critical knowledge as we start to access more benefits of the quantum world. “You can pack more information into one particle of light or photon if you use its shape, because there are theoretically infinite amounts of different shapes light can be. This is important especially now that we are transmitting data at an unprecedented amount, we will ultimately reach a limit. We also have to make communication more secure, and quantum information is good for that because of two security benefits: you can readily detect “eavesdropping”, and it is also impossible to copy quantum information. That’s bringing a unique and absolute level of security in that no malicious party can fool or intercept the data. To apply security, you have to understand the underlying principles.” The quantum technology space is definitely exciting at the moment. Recently China and Austria commenced quantum communication via satellite. IBM also has a quantum computer, available in the public cloud for people who want to program a quantum computer. “The challenge is now how do you scale it up”. Dr. Romero concluded, “My research is foundational. Understanding how information works in the quantum world will allow us to take advantage of quantum physics. It is important to understand it so we can use them for our future technologies. It will definitely be a technology of our future.”
From left Rebecca Nguyen, Anastasia Rae and Noushin Shabab.
Leadership + Research + B2B focused = The formula behind protecting consumers Anastasia Rae General Manager of Kaspersky Lab ANZ
Global cybersecurity company, Kaspersky Lab, has appointed Anastasia Para Rae to the role of General Manager of Australia and New Zealand. Prior to her new role as General Manager at Kaspersky Lab ANZ, Anastasia Para Rae was General Manager of Datacom and served in the company for almost 14 years in several roles including her recent role as Learning and Development Specialist. Rae is known for a diverse background of sales, IT outsourcing and operations. She also has strong technical experience in IT Outsourcing, Critical Data Centre hosting and operations, Hybrid Cloud Solutions as well as Telecommunications, Physical Security and Environmental Management. In her new role as General Manager of Kaspersky Lab Australia and New Zealand, Rae is responsible for strategic business plans for the region and building partnerships for growth in the enterprise arena. This recent May, together with founder Eugene Kaspersky, Rae made headlines in media and with the channel encouraging all business to take the next step in protecting business and end-users. In just 6 months she has motivated and worked closely with our sales team funnelling new businesses
and maintaining strong relationships with our existing stakeholders. This has resulted in tremendous growth in the B2B and B2C divisions. Her influence in the channel and media events has also put Rae on the map as a strong and healthy player in the vendor market. She says, “Organisations and businesses need to step up and manage risk on reputation and service guarantees. The average loss from a single targeted attack is close to $1,000,000 excluding reputational impact. In the event of cyberattack, a considerable investment is made for urgent response to improve software and infrastructure. The reverse needs to take place. We must not wait for attacks to happen for us to take precaution.” The new addition to the Kaspersky Lab family enjoys shared success as well as individual accomplishments in sales, leadership and general business management.
Noushin Shabab Senior Security Researcher, Global Research & Analysis Team, Kaspersky Lab, ANZ Noushin Shabab has nearly 5 years of experience working in cybersecurity specialising on reverse engineering and targeted attacks. She joined Kaspersky Lab ANZ in 2016 and is a member of the Global Research & Analysis Team
(GReAT) which is an integral part of Kaspersky Lab’s R&D department that leads the company’s anti-malware research and innovation. In her role as a Senior Security Researcher, she is responsible for the investigations of targeted cyberattacks with primary focus on local threats in Australia and New Zealand markets. Prior to joining Kaspersky Lab, Noushin also delved into security research and software development for an antivirus software company. She has first-hand knowledge of rootkit detection and mitigation technologies as well as APT malware analysis. In the last year, Noushin has made her mark with her investigations into Spring Dragon, a resurgent threat actor targeting the South China Sea. She was invited to present her research at the Palaeontology of Cybersecurity Conference, as part of the INTERPOL World Congress 2017 alongside founder, Eugene Kaspersky. Shabab has also delivered this presentation at various keynotes which include the annual Cyber In Business Conference and Ruxcon, and also brought women together in a recent all-female cybersecurity panel. Her research is of great importance to developing and improving cybersecurity services within the company, so that consumers and the channel are better protected. She is a graduate of Azad University of Iran, and Kaspersky is proud to have their very first female researcher in the ANZ region.
Rebecca Nguyen Enterprise Sales Manager
A mother and ruler of her nest first, Rebecca Nguyen has been Kaspersky Lab ANZ’s top female performer as part of the senior team for the past 6 years. She joined the Kaspersky Lab family in 2012 and had a steady climb up the ladder, from development roles to the channel manager for Australia and New Zealand (ANZ), and her most recent as Enterprise Sales Manager for ANZ in 2016. From winning small channel deals, Rebecca worked her way up, winning multimillion dollar deals in her leadership role as the first ANZ Enterprise Sales Manager. She has remained Kaspersky Lab’s top female sales performer in ANZ for five consecutive years now. Rebecca begins a can do attitude with her number one question, “How can I make my clients superstars?” She thinks deeply about how she can help her customers achieve what they want. She further challenges herself by asking what the proactive ways are to solve her customers’ existing problems and add value to their business. Nguyen says, “When you are available and flexible to your team and customers at all times, they soon understand your can do attitude and realise that the ultimate goal is to work together and not for each other.” She further adds, “Once all of the above are in place, a can do attitude becomes front and centre of the business relationship and the sale itself does the talking on its own.” Her tough deals include scoring two separate deals with Australia’s largest telecommunications and media company by selling Kaspersky Lab’s well-renowned Advanced Persistent Threats (APT) reporting services that generated a bill of close to half a million dollars. Rebecca has also made a difference as a woman and as a professional in the IT sector within the ANZ region. She is a rising star among her fellow industry professionals and has earned her status through sleepless nights and hard work. Her noted achievements include her nominations at the recent Reseller News Women in ICT Awards in New Zealand. Rebecca was the only candidate shortlisted for two categories in The Rising Star nomination and The Innovation Award.
Spy spotting: What careless mistakes reveal about cyberespionage in APAC
Errors and small clues left behind by attackers are vital in attribution, providing valuable intelligence on the people behind a cyberespionage attack and the possible connections between them. Kaspersky Lab’s researchers have been tracking advanced cyberespionage operations originating in and targeting Asia Pacific countries for the last 10 years, and have undertaken a review of the contribution made by attackers’ careless mistakes. For example, a threat actor called Dropping Elephant, likely operating from India and reported by Kaspersky Lab in July 2016, targeted high profile diplomatic and economic entities in countries including Australia, China, Bangladesh, Taiwan and more. Clues revealed traces of three individuals, one of whom carelessly disclosed a personal document that led Kaspersky Lab researchers to find the faces behind Dropping Elephant. Kaspersky Lab also published a report on Naikon APT in 2015. This cyberespionage campaign has been tracking geopolitical intelligence in countries around the South China Sea for over half a decade. Later that year, an alleged connection discovered by ThreatConnect researchers showed that a domain name used in Naikon APT was also found across several social media accounts. These social media accounts carried more than 700 posts and 500 photos which enabled researchers to track down an official’s real location and work address.
What do careless mistakes and clues reveal about the individuals involved in cyber espionage?
- Apparent military connections
- Organisations engaged in undercover threat activity for State Security
- Private companies offering intelligence services
- Cyberespionage campaigns that consist of a variety of people with different skilled roles and responsibilities
Senior Security Researcher, Noushin Shabab says, “Cybersecurity researchers examine cyberespionage campaigns by chasing trails of clues and careless mistakes. Once we have all the necessary pieces of the puzzle, we share evidence with fellow experts to be able to know the spies behind an attack, their main objectives and techniques. All the historic information gathered through investigating targeted attacks helps us discover the truths and the myths of cyberespionage in the Asia Pacific region,” says Shabab.
General Manager ANZ, Anastasia Para Rae adds, “As cyberespionage and crime increases, it’s critical for organisations and experts to share cutting-edge knowledge. We continue to witness the development of many attacks with no regard for the social or financial impact. The fact is, cyber spies will continue to take advantage of social engineering and open source data to develop sophisticated attacks. Investment in prompt and detailed information will better defend our businesses and ensure we can detect and respond to attacks. Kaspersky Lab’s Anti Targeted Attack Platform defends businesses from a multitude of threats every single time, no matter what form the attack takes.”
In order to protect your personal or business data from cyberattacks, Kaspersky Lab advises the following:
- Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
- Educate and train your personnel on social engineering as this method is often used to make a victim open a malicious document or click on an infected link.
- Conduct regular security assessments of the organisation’s IT infrastructure.
- Use Kaspersky’s Threat Intelligence that tracks cyberattacks, incidents or threats and provides customers with up-to-date relevant information that they are unaware of.
Find out more at email@example.com.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe.
The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.au.
The future of apps in a multi-cloud world: F5 agility 2017
By Chris Cubbage
Cloud, mobility, and the Internet of Things continue to elevate Apps to the core of business plans. As organisations undergo digital transformation, optimising applications for actionable intelligence and generating a business return remains a challenge. A multi-Cloud strategy is seen as the key to minimising the risks of ‘keeping all eggs in one basket’, however, as we learnt at F5’s Agility 2017 conference, the move to the Cloud is resulting in surprise cost overruns and ongoing security challenges. With the advent of operating and managing private, public and multi-cloud environments, scalability, flexibility, programmability, security and innovation are all key for business continuity. For 20 years, F5 has been a staple industry name and remains focused on enabling companies to power Apps to ‘go faster, smarter and safer.’ Hosting 400 delegates in Sydney last week, F5 had them complete a survey about how they are undergoing their own transformation in Cloud environments.
[Figure: F5 Agility 2017 Delegate Cloud Survey, August 2017, n=55. Panels: Worried about Cloud lock in; Confident about cyber threat protection in Public Cloud; No physical DC by 2020. Q9: What are some of the obstacles you have faced with public cloud adoption? Answered: 55]

Rob Malkin, Managing Director for Australia and New Zealand provided findings from the survey which highlighted customers are still grappling with their ‘digitalisation journey’. “The anecdotal evidence,” Rob explained, “is that a majority of customers have moved to Cloud but they are then getting a surprise with a large bill and finding they’re then stuck. Security is another key issue in this respect. Despite managing multiple Cloud environments, the pendulum appears to be swinging back to private Cloud. Only 45 percent were confident their Apps are sufficiently protected against threats in the Cloud.”

Security remains the biggest concern when using public, private and hybrid environments and the result is customers are not moving as many of their Apps to the Cloud. Security skill sets in a multi-Cloud environment are also being challenged and this is creating a lack of confidence. Rob Malkin highlighted a case example, “We had a large multi-national customer approach us who got their business case approved for their project and migrated to the Cloud, only to find the costs were three times higher than the approved business case due to their data usage. In addition, with the reporting regulations coming in Australia this February, customers have to consider where the costs are, as well as the location of their data storage.”

One customer was pleased to present their F5 experience and the accolades were impressive. SK Cheng, Manager for Networks and Telephony at the University of Melbourne gave insight into a technical heart transplant with the installation of C2400 F5 Viprion Chassis with B2250 Line Cards to run F5’s Management suites for LTM, GTM (Local / Global Traffic Manager), APM (Access Policy Manager), AFM (Advanced Firewall Manager) and ASM (Application Security Manager). SK highlighted one of their key stakeholder’s priorities. “The first question asked by new University students? ‘How do I connect to Wi-Fi?’ As a large, leading university, we handle a lot of traffic and operate at a scale between that of a service provider and an enterprise. Therefore, we chose the F5 C2400 Chassis as we had confidence it could handle the traffic, based on its use by banks and telecommunication providers, so we took that assurance.”

The operation was meticulously planned. SK explained, “Working over a Friday night, starting at 10:00pm, with two F5 engineers, we were ready for system testing by 8:00am Saturday morning. With our plans rolled out for all Tier 1 applications, it was a very smooth migration and the university did not know we had performed a major heart transplant.”

“It’s been a great partnership and great journey with F5 and want to thank F5 for the support,” said SK. “You need to be backed up by the best people and (Jason and Zolt) were great.
We rehearsed multiple times with the team and it was our only chance to bring in the new hardware otherwise we would have been looking at another six months due to University operation requirements. We had also tested Tier 2 and some Tier 3 applications, including printers. So, we were very pleased that it all went to plan.”

“One of the key learning outcomes,” SK noted, “was the acknowledgment we have very different stakeholders across the university and as a university, it never sleeps, so engaging with stakeholders early is crucial.”

Rob Malkin confirmed F5 is now busier than ever. “We’re doing a better job at thought leadership over our traditional load balancing business. Our WAF containers, connectors and cloud security is being very well received. Customers are dabbling and moving to the Cloud but still not really understanding the cost. Those that are buying the cheapest from other vendors are often finding they’re locked in. It’s a crowded space and each client is being driven by different offerings. Being an established vendor, we have earned the client’s trust so the question becomes how do they approach the multi-Cloud environment.”

F5 has been elevated to the Gartner Leader’s quadrant and is one of the most frequently cited vendors in WAF appliance shortlists, with particular progress in their Cloud-based WAF service. Gartner asserted, “Its renewed efforts in enhancing behaviour-based anomaly detections appeals to security-conscious organisations.”

For the ANZ market, F5 is growing year on year and for two out of the last four quarters has been the fastest in the world, with the security portfolio leading that charge. Rob proudly reiterated, “We’re growing the team year on year, with another 5 to 6 people joining us by September. We now have 35 in Australia and 100 across ANZ. The new offices in Sydney are fantastic and the vibe is great. We are focusing more on Tier 2 and Tier 3 BFSIs and the healthcare sector and take up of our software, as well as hardware products is the strongest in the APAC region.”

Rob concluded, “As we kicked off over the last 12 months, the F5 business was in good shape but with the launch of the new office, focus on customer satisfaction and the new solutions deployed in the ANZ market, it’s a great time, across the region, to be part of the F5 family.”

Next year’s F5 Agility Conference scheduled for early in 2018 will be held in Sydney and will have a focus on ‘security’.
Hackers are humans: let’s beat them with soldiers
By David Robinson and Jayson Christian

In terms of the security of our information systems, it is my opinion that western materialism is contributing to Australia’s growing cyber risk. We are increasingly viewing our information systems as an entity that can be defended with a one stop shop of cyber security products. This type of thinking is leaving our economy and businesses wide open and the growing threat of complex cyber attacks is only increasing. It is critical that a ‘systems defence’ strategy is implemented to harden our ICT infrastructure.

The first point I want to make is that in the defence of your information, the enemy is not your market competition. The enemy is the unknown human executing malicious attacks on your systems. The threat vector is the internet. Computers here are not the enemy; criminals and humans are the hostile actors. We need to start assessing these threats as people rather than the exploit that they are using. If you understand the threat you can anticipate it.

A cyber security professional with a military background understands this better than most. They have been trained and think in a parallel that business cannot. They will intuitively design a system that is best placed to anticipate and stop the threat at the most likely vector. A military mind’s first thought is going to be ‘how best can I defend this system with the resources I have at my disposal?’ and ‘what are the multiple ways to efficiently do this?’. Their first thought is
not going to be ‘how best can I sign this customer up to our platinum plan because that is where my commission is made’. My previous background in military intelligence has limited my exposure to the commercialisation of information security. So as I assessed the industry in 2017, I was appalled at the flooded product market that is providing business with a sense of security on purchase. One of the primary aims of military defensive strategy is to create a protection system so you can return to offensively attacking your enemy. At no point is the military mind thinking of sales. Information security strategy needs an approach that is trained at anticipating threats (hackers) and reducing risk. The activity of a risk audit is not the one stop shop for cyber security, we need benchmarks and standards that specify credible defence.
Prime Minister Turnbull stated in January of this year that “This is the new frontier of warfare — the new frontier of espionage. It’s the new frontier of many threats to Australian families, to governments, to businesses.” It is my opinion that business co-operation needs to be enhanced tenfold. Australia’s economy needs to be protected by a tangible system of defence. Our country’s economic strength is weakened by industry vulnerability in cyber security and on this issue we need to think Australia first. I want to reframe the discussion around cyber security so we look at our information security systems first in terms of systems defence. Security confidence in the IoT space is based around successful information security. The economic value of the industry, the quality of our products and the safety of our information will all improve if we can successfully defend our information systems.

WithYouWithMe, a tech startup helping current and ex-service members effectively transition into the Australian private sector, recognised this and developed a cyber security program to answer this dilemma. Service personnel are best placed to understand that you can spend billions building a cybersecurity castle - only to realise the hackers have invented the cannon. They have been through millions of dollars of government funded training to learn to anticipate the human threat. WithYouWithMe is
currently harnessing this talent and facilitating free skills gap training for a pipeline of soldiers in cyber security. The first cohort of 50 veterans are already being secured by Australian companies and this is just the beginning of a shift in the industry from commercialisation to a strategy of attack. One veteran that is currently enrolled in the WithYouWithMe Cyber Security Program is Jayson Christian. Jayson Christian enlisted into the Australian Defence Force in 1991 for growth, development and job security. He served for 18 years and discharged at the rank of Sergeant after a tour to East Timor, a detachment to the RMP in Germany on Ex Long Look and five tours to the Middle East. After serving for Australia for almost two decades, he is now a full time bus driver in the Sunshine Coast, Queensland. Jayson was left feeling under-qualified and confused as he tried to navigate his next career path. “There is no direction for when you leave, they thank you for your time and then it’s time to move on”, he said. “I wish I knew what I know now, I would have started a career in cybersecurity a long time ago as it is another opportunity for me to serve” Jayson believes that defence members are the perfect fit for cyber security roles as they possess analytical skills, providing unique insight to solving complex problems, are team orientated and determined to complete tasks even in high-pressure situations. “Our ability to adapt and overcome is ingrained in us from the day you step off the bus at your respective recruit institutes” he says. “Cyber is the perfect fit for me as a whole. I like to excel, have a passion for learning and am results driven. I feel that the attributes I obtained during my service in Personal Protection and Security directly correlate to cyber security in combatting threats and attacks” Jayson advises other veterans transitioning out of the defence force to take their time to research and use the information available to them. 
He thinks the most important thing for companies to realise is that veterans bring to industry an incredible amount of knowledge and expertise that has been instilled and developed over a period of time, attributes that take people in the private sector a lifetime to develop. “Veteran skills, experience and attributes are transferable and desirable in ways you probably can’t even fathom” Jayson concludes. If you would like to find out more about the WithYouWithMe Cyber Military training Program and access this new pipeline of high quality cyber talent for your organisation, reach out to the team via their website www.withyouwithme.com.au WithYouWithMe is a veteran owned tech start up that solves the problem of effectively transitioning personnel from the ADF to the Australian private sector. Australian society has long struggled to manage the transition of veterans into the workplace because they generally don’t understand the military lifestyle, career, experiences and skills, and thus cannot assign positive values to them. WithYouWithMe is partnering with Australian businesses to fill this knowledge gap and educate the Australian working force on the true value of veterans in the workplace.
The premise of personal risk management skills : Why we should start with the fundamentals
By Dr Gav Schneider

The complexities and threats of our fast paced and modern world have never been more diverse or challenging than they are now, ranging from ever evolving cybercrime, modern day terrorism to old fashioned violent assault and petty crime. In addition, the fast-paced world, and the way we live brings levels of stress and pressure that our predecessors did not have to deal with. As an example, the fact that we are now expected to be plugged in and reachable 24/7 in itself has many negative consequences from a health perspective.

As an excerpt from my new book, I would like to discuss a few key concepts around the topic of Personal Risk Management. The aim is to provide the reader with an understanding of how the world has changed in terms of the level of awareness, prevention and capability that the average, everyday person needs to consider towards keeping themselves and their loved ones safe. The key aspect is that it’s all about you, the reader. The focus on you is crucial because at the end of the day it doesn’t really matter how skilled, competent or capable other people are. The reality is that when things go wrong, those who, by definition are tasked to protect you would probably not be there to assist. These include security officers, soldiers or law enforcement officers. Had they been present, the incident would probably not even have occurred.

The world has changed in terms of how terrorists and criminals think and act. While technology and global travel have made things a lot easier and simpler for us, the core reality is that our opposition use these very same tools against us every day. Issues such as self-radicalized violent extremism, the evolution (or devolution) in terrorist methods of attack -
from well-planned, complex and integrated attacks on targets of significance to lone-wolf attacks using simplistic weapons such as knives – have become commonplace. This has resulted in the normal civilian having to invest a significant amount of effort in personal safety and security. This is especially true in the western world, although far more individuals are killed by radicalized terrorists in areas like the Middle East or Africa than the media tends to report and focus on.

Despite the media’s ongoing sensationalist broadcasting of global terrorist or criminal incidents, it is imperative that we maintain a sense of perspective when it comes to these issues. The fact is that globally there are significant losses in numerous other areas (which actually makes terrorism in terms of loss of life and financial loss seem inconsequential) as well. Some of these include:
• Health and safety issues, including accidents in the workplace,
• Medical issues,
• Workplace violence
• Domestic violence
• Crime such as fraud, assault, and other related activities; etc.

In support of the above, the findings of a report compiled by the International Labour Organisation entitled: “The cost of violence/stress at work and the benefits of a violence/stress-free working environment” indicate some worrying issues:
• Violence (from external threats like terrorist attacks as well as internal threats) represents a problem in a growing number of workplaces even though the number exposed directly to physical assault remains relatively low.
• Employees in service industries, e.g. retailing and health care are most at risk of physical assaults whilst taxi-drivers and police officers are the most vulnerable groups with respect to homicide and, as has been demonstrated most recently, media institutions and those covered by the media are most vulnerable to terror attacks.
• Whilst violent attacks and even murders have received considerable attention in the US, across the world, a far greater number of people generally report being exposed to violence of a psychological nature (such as arises from publicised terror attacks) or bullying.
• The costs to organisations are primarily related to sickness, absenteeism, reduced productivity, replacement costs and additional retirement costs.
• A significant proportion of the workforce also report being exposed to sexual harassment.
• There may be further costs due to damage in production or equipment as well as costs in connection with grievance and litigation, e.g. investigation and mediation costs.
• A potential public loss of goodwill towards the organisation may be another more intangible cost.
• The costs to society are related to medical costs and possible hospitalisation, benefits and welfare costs in connection with premature retirement as well as potential loss of productive workers.
• On the basis of figures from a number of countries we estimate that in total, stress and violence at work may account for 1-3.5% of GDP.
The goal is not really to divide threat issues into different categories as this can become very complicated in terms of having to have a separate approach to terrorism, natural threats, crime, and other issues. The main goal is to basically establish an attitude of proactive awareness and some standard operating procedures (S.O.P.), or plans of action, that the individual can then take and superimpose onto his or her environment. The reasoning behind this is to provide the individual with the ability to identify, predict and hopefully avoid any threat that may cause them harm. Should it come to a worst-case scenario, where the threat cannot be avoided, our goal is to empower the individual with some skills to manage the threat with the objective of surviving such an incident with the minimum amount of injury or loss. Ideally, such skills would also extend to helping the individual’s loved ones, or those around them. These skills should be integrated into the individual’s everyday repertoire. The reason for this is simple, the more complicated the skill, tool or SOP, the greater the chance that the individual will not be able to recall it in situations of extreme stress, and the more things can go wrong. The old adage “Keep It Simple, Stupid” (the ‘KISS’ principle) certainly holds true here. The message is very simple - we need to accept that we must take responsibility, to some degree, for our own safety
and security. Despite their best intentions, the authorities are fighting an intense, seemingly losing battle against extremism, cyber-crime, crime and evolving threats, simply because of the limited resources available to them in countering these threats. The goal is for you, the individual, to become part of the solution. This may mean you taking a more active role in contributing to your country, your region, your town and your neighborhood’s specific security or safety setup. The aim is to not only make you, but also the community you live in, a more unattractive target for those who wish to harm others.

Accepting that something bad may happen to us is no easy matter, especially when that something bad may include losing our lives or the lives of loved ones, etc. And yet these are the very things we need to invest time and effort into, as unpleasant as it may be. As human beings, we are wired to ignore unpalatable issues, we believe that crime or terrorist attacks won’t happen to us, and if it has happened before, that it can’t possibly happen again. The goal should be one of empowerment. In my experience, I have found that people fear most that which they do not understand. With that in mind, understanding how crimes and terrorist attacks are committed, and how we could proactively act to minimize these threats happening to us is crucial.

[Figure: Sheep, Wolf, Sheepdog]

The first step in this process is to accept that it could happen to you. Depending on where you live and what you have been exposed to in your life this could be very easy or very difficult to do… It is crucial that we deal, once and for all, with the denial most of us harbor that somehow, we are exempt from these criminal activities and bad things happening to us.

[Figure: Maslow's Hierarchy of Needs pyramid; visible level labels: Self-Actualisation, Esteem, Love / Belonging, Physiological]

From a psychological perspective, the well-known and often quoted 'Hierarchy of Needs' developed by the renowned Psychologist Abraham Maslow, first published in 1943 in his paper "A theory of human motivation", illustrates that we need to address our safety and security needs (bottom 2 levels) first before we can move onto other aspects. As such this article is focused primarily on those aspects first, in order to form the foundational building blocks for more evolved needs that sit in the Self-Actualization level. This is critically important, as I have found that whilst in today's modern world, where we often have the luxury to focus on the upper three levels of the pyramid (Love/Belonging, Esteem and Self-Actualization) we tend to simply take for granted that our lower two foundational levels will always be met. Thanks to many aspects such as the formalization of society, modern technology, etc. in most first world countries these aspects do seem to be a mandatory expectation. However, one simply must look at local crime statistics, chat to local law enforcement, ambulance, or emergency services officers, or notice the poor or unemployed in our communities and you realize that in many cases the expectation is not always met.
Because of our inherent denial of unpalatable issues, we tend to keep blinkers on and not address the lower two levels of need in a coherent and structured manner, that is until something negative happens which forces action and skills development at these levels. In reality, our approach to self-development should be based on a solid foundation of knowing that we can address and manage our needs in the lower two levels and not rely on the uninformed perception that these levels will always be met because we expect that others manage them for us. As such a focus on health and wellbeing, and safety and security are the key aspects of personal risk management. The aim is to build a strong foundation of lower level knowledge, skills, and capabilities so that you can focus on the higher levels unencumbered by doubts and prepared to deal with any issues that life may present. A strong foundation is always the best way to build! It’s about being able to live your life the way you want
to, in a safe manner. In many cases this level of enjoyment cannot be attained because of the blinkers we have on, in many cases without even knowing that we have them. This is especially true when we consider our own cognitive biases and related mental shortcuts we have developed to cope with our complex world. In practical terms because of our biases and mental shortcuts we experience a lack of awareness and become easy targets for people with ill intent. We can no longer apply what’s known as the ostrich syndrome, where we stick our heads in the sand and hope that everything around us won’t go wrong. And if it does, that it will become someone else’s problem. We need to ensure that we have the capability to take the necessary actions when called for so that we become a key role player in ensuring that our world is a safer place, not just for us, but for our children too.

Action does not necessarily mean that you must become an expert in self-defense and combative skills. While learning to defend yourself is a valid life skill, and one I believe every person should develop, the reality is that developing just a few key abilities can result in a direct enhancement of your own and everyone’s safety and wellbeing. These abilities start with self-knowledge and situational awareness and include some of the following: The ability to observe your surroundings; the ability to evaluate and understand what may cause harm or be a threat; the ability to assess the behavior of the people around you; the ability to determine whether there is any ill intent or anything suspicious or out of the ordinary; and the ability to have the knowledge, foresight and confidence to remove yourself from such situations or in the worst case manage incidents if they occur.
As well as the ability to report what you have noticed or experienced to the relevant authorities and finally and possibly the most important, is to maintain a robust mental state of resilience and be able to bounce back from things as required. The above skills can make a massive difference toward the well-being, safety and security of not only yourself, but all those around you. Our goal should be to invest our effort and energy into the avoidance and prevention of situations that might cause harm or damage. This is directly opposed to focusing solely on survival and reaction – both of which remain critical skill sets but are reactive in nature. The reality is that if we allow situations that might cause harm to escalate to a point where we have to rely on these critical skill sets, our chances of walking away from such situations unscathed are slim to none. The essential point is that we all have a responsibility to work towards a safer and better world. potentially switch themselves on when necessary and become active contributors to a safer world. Dave Grossman, well-known author and researcher, presents a conceptual view of people today where he subdivides society into three main roles, namely sheep, wolves and sheepdogs. The sheep is the person going about their everyday life, not wanting to be hassled or inconvenienced by security and safety concerns. Their safety and the safety and wellbeing of those around them is generally not a primary concern of the sheep. The second role is that of wolves, who prey on the sheep due to opportunities or their own sociopathic or psychopathic tendencies. Although there is no doubt that
there are some really evil people in this world, in many cases these wolves may not have direct nefarious intent. Some are preying on the sheep based on their circumstances, such as criminals who justify their actions based on need and risk (i.e. stealing to eat). It should be noted, however, that no matter how ‘noble’ their reasons for preying on sheep are, they may still cause significant harm to the sheep. Some examples of clearly defined wolves are terrorists or career criminals. In many cases, criminologists have found that in their own heads wolves may have justified that what they’re doing is right from a psychological, ideological or religious perspective – even if it means blowing up a school bus full of children… No matter how these wolves rationalize their actions, from our perspectives their justifications can never validate them harming other people in pursuit of their ideology.

Lastly there are the sheepdogs. Sheepdogs protect the sheep from the wolves. Generally speaking, sheep don’t like sheepdogs because they look like wolves. However, when the wolf comes knocking, the sheepdog is often valued above all else. The premise of this empowered personal risk management is for you to find that little sheepdog inside yourself. The sheepdogs who have made a career out of protecting the sheep, such as those in the military, law enforcement and related agencies, cannot be everywhere at the same time. Because wolves are cunning, chances are that when you are confronted with a wolf, those who are traditionally looked at as the sheepdogs may not be there to rescue you or your loved ones.

Whilst you might tend to think of releasing your “inner sheepdog” only in violent situations, such as an armed robbery, assault with the intent of doing grievous bodily harm, etc., these are not necessarily the only situations that might require your inner sheepdog to be released. Think of situations like a fire breaking out in your home, being involved in a motor vehicle accident, or a child drowning in a swimming pool. All of these situations will require you to dig deep, and find the inner resolve to help those in need under immense pressure.

Another example may be basic cyber security. You might invest in the very best virus protection, firewalls and various other tools for your devices, but if you click on suspicious email links sent from an unknown source, even if it is from your mysterious wealthy uncle living abroad, who would like to give you a million-dollar inheritance, you may land up infecting and disabling your entire machine. In other words, spending money on protection is not beneficial if we do not apply an integrated approach and simply believe that because we have taken basic measures we are no longer at risk at all.

A fundamental shift is required to first, identify and acknowledge the sheepdog in you (even if you are diametrically opposed to violence), and secondly to release it as and when needed. This is foundational if we are to become empowered in the way we manage risk. It’s imperative that you make the shift from relying on others to protect you and your loved ones to accepting that responsibility for yourself. We are very aware of the fact that the balance of being more aware of your surroundings, if unchecked, can lean towards being paranoid. Being paranoid is just as ineffective as not being aware at all. The goal is to enjoy life to the full whilst at the same time being more aware of what’s going on around you. I believe that the one cannot
exist without the other, i.e. you can't truly squeeze the most out of life if you are paranoid or unaware. It is important that you learn to continually adjust the balance for yourself. We call this balancing act Dynamic Risk Equilibrium (DRE). Living in fear of what “the wolves” might do and allowing that fear to dominate your life, actually translates to the wolves winning. It’s crucial that you find a healthy balance between being prepared and enjoying life. The following simplistic diagram of the Dynamic Risk Equilibrium (DRE) may help you find this balance. We can interpret the diagram as follows: The more security aware you are; the more comfort you sacrifice. Or alternatively, the more you cling to your comforts (e.g. taking a shortcut home, even though the shortcut leads through a dodgy part of town), the more you sacrifice on security. Both have a direct effect on you living a full life. The more security awareness and balance you establish in your life and the lives of your loved ones, the more you will achieve comfort in the process. The converse is also true. The more you cling to your creature comforts at the expense of you and your loved ones’ safety and security, the more your ability to live a life marked by relative safety and fulfillment will suffer. Only you can make the decision on what your ideal balance will be. It is important to remember too that as the name highlights DRE is dynamic and needs to be monitored and adjusted all the time.
Asia Pacific Security Magazine | 27
Murdering children online
By Sarosh Bana APSM Correspondent
“Soon the only thing you would be left with is a picture of me,” was the chilling message left behind on his Facebook page by a 14-year-old schoolboy from Mumbai moments before he eased himself off the seventh floor ledge of his building to a bloody death below. The ninth grade pupil was not suicidal, neither was he given to depression or mood swings. He was a bright child with normal behaviour, until, that is, he got inextricably ensnared by this dark savage online “game” that borrows its name from the magnificent deep-sea mammal called blue whale. The boy had spent two whole days searching for ways to end his life before he became India’s first fatal case of the ‘blue whale challenge’ that incites credulous children into committing suicide. He had also messaged his classmates that he would not be attending school from the following week. A neighbour had seen him walking on the edge of the terrace and called out to him. Getting no response, he had rushed to the terrace only to find to his horror that the boy had jumped by then. The mobile phone left behind had a photo taken by the lad, showing his legs dangling from the ledge with the concrete driveway seven storeys below. Many youngsters, mostly teenagers, have since been pushed over the edge by this game, as in Kerala, Pune, Indore and Dehradun, but a 22-year-old from Puducherry in south India was one of the more fortunate victims who could
extricate themselves from this game before they took the final step. Drawn into the blue whale challenge through a link he had received from a WhatsApp group, the youth says that once ensnared, the victims find it almost impossible to withdraw. “It is a virtual death trap where one goes through a traumatising experience and even those seeking adventure get mentally affected,” he remarks. “The tasks given by the blue whale administrator are to be completed before dawn, the first few days requiring the posting of personal details and photographs that are collected by admin.” The youth says he was so consumed by the game that he left his job to devote all his attention to the blue whale tasks he was assigned. Fortunately for him, his brother noticed changes in his behaviour and informed the police about his probable involvement in the blue whale game. The police closed in on him at 3 am one morning when he was about to etch the whale symbol on his arm with a knife. “I went to the Akkaraivattam graveyard around midnight, took a selfie and posted it online, and had to watch horror movies alone everyday, as the idea is to make victims shun fear,” he confesses. “It was mentally very taxing as I avoided talking to people at home and remained confined to my room.” This spate of incidents has roused wide outrage in India, with some states like Gujarat and Uttar Pradesh having banned the game, while the state of Kerala has written to
the Central government to promulgate a national ban. The Supreme Court has also taken up a case that seeks a blockade of this macabre game that was launched online in 2013 by 22-year-old Russian, Philipp Budekin, and which has been responsible for 130 teenage deaths in his country. Budekin defended his game, saying he was cleansing the world of “biological waste”. A Siberian court recently sentenced him to three years in jail for inciting violence in Russia, but many deemed the sentence unjustifiably light for a crime that has exacted such an enormous toll, with deaths of teenagers having also been reported from other countries like China, Saudi Arabia, Brazil, Argentina, Bulgaria, Chile and Italy. Budekin has not only preyed on the vulnerable, but has through his ‘game’ unfortunately given a grisly connotation to the beautiful ocean-dwelling mammal that the blue whale is, the largest animal that has ever lived on earth and which has for long been endangered. India’s Ministry of Electronics and IT (Meity) has directed internet majors like Google, Facebook, WhatsApp, Instagram, Microsoft and Yahoo to remove the links to the game, which is not an application or even a game to be downloaded, but a link customised by the “blue whale admin”. It is not a group game, but one that can be played out entirely by oneself, and assigns 50 demented tasks that the players need to complete within 50 days. The final task prompts the player to commit suicide and also share photos just prior to this step. Cyber experts believe the government will need to devise innovative strategies to deal with this menace of self-harm games and accordingly amend the Information Technology Act of 2000 so as to thwart the propagation of such destructive pursuits. They also find the need to sensitise family members and have schools introduce awareness programmes to avoid such incidents. 
One expert counselled for a gaming regulator who would have the authority to identify and dictate a line of action against such internet games that instigate the participants to indulge in demonic acts like raping someone or inflicting injuries and crippling others or their own selves. Police Cyber Cells too are issuing advisories to parents and guardians, asking them to track their wards’ online activities, as more children are finding themselves alienated from their parents who are caught up in their own lifestyles. Psychologists and mental health practitioners maintain that it is very crucial for parents to overcome their own anxieties and approach their children with utmost calmness if their suspicions are aroused. While the blue whale challenge pursues players to end their own lives, there are any number of websites that urge youngsters to “play killing games online for free”. For instance, a website called GaHe.Com advertises that it has selected 528 of “the best” killing games that can be played online for free. “Killing games on this page are sorted according to users’ rating, a game with the highest score is listed at first, so it’s easy to find a good Killing game on GaHe,” it mentions of its games that involve ‘slaying’ a range of victims with various weapons and tactics. “We also add new games daily to ensure that you won’t get bored of playing old games again and again - enjoy!” The Madras High Court, from south India, has directed
the Central government to take appropriate measures expeditiously to bring all Over The Top (OTT) services – provided over the internet by bypassing traditional distribution - into a legal framework that obliges compliance with the laws of India, and the sharing of required information with the law enforcing agencies. The Court also asked for internet service providers to be directed to take due diligence to remove all blue whale links and hash tags under circulation on social media platforms and the dark net. It also urged the government to use its diplomatic and political relationship with Russia to block this dangerous online game. In response to the international ire against the game, Instagram says it is now showing users a warning when they search for pictures relating to blue whale. The warning reads: “Posts with words or tags you’re searching for often encourage behaviour that can cause harm and even lead to death; if you’re going through something difficult, we’d like to help.” But below the post, it provides the option to “see posts anyway”.
Cyber Security SINGAPORE CYBER WEEK
Cyber data protection and security in Formula 1
The Singapore GP, which took place from 14th Sept to 17th Sept, on a floodlit street circuit against a backdrop of historic landmarks and glittering modern skyscrapers, is also famed for its off-track action. Memorable headline acts such as Bon Jovi, Lady Gaga and Shakira had entertained the Padang crowd in the past, and highlights this year included Ariana Grande, OneRepublic, and Seal. For four days, Singapore swung into party mood with motor and music fans descending on the island-city to join in the F1 excitement, visit the tourist attractions, sample the local cuisines, and meet business contacts and network. The Singapore GP with its compelling television and photos is not possible without the extensive and complex preparations and logistics - construction and coordination to host and run a world-class race began months before, including the preparations to collect, protect, store and secure data.

“This sport is so rich in information and data,” said Chase Carey, Formula One ® Chairman and CEO, the American who took over from long-time supremo Bernie Ecclestone 6 months ago. When Singapore hosted the first night race in F1 history in 2008, Ecclestone hailed it as the “crown jewel” of the sport. Chase Carey, highlighting the uniqueness of the night race in Singapore, said the Singapore F1 is a “signature race” that “anchors” F1’s Asian strategy.

In the world of F1, each Team hosts a treasure trove of data - or the “crown jewel” of confidential and sensitive data, ranging from car design to engine performance - assets that are critical to the accomplishment of the Team’s goals and need to be secured and protected against breaches and intrusion. Data analytics plays an extremely critical role in monitoring and optimizing the performance of Formula One ® cars. Today’s heavily instrumented F1 cars are equipped with hundreds of sensors on each car, capturing vital statistics such as tyre pressure, fuel burn efficiency, wind force, GPS location, engine and brake temperature. These are analysed real-time in a continuous feedback loop by the Team’s crew, track-side engineers and operations analysts on-site and back at headquarters - to monitor competition, car and track conditions, and to adjust race strategy. Performing at the highest level of competition where a difference of a fraction of a second could either win or lose the Team a podium finish, the technological ability to measure and react on such metrics culled from the chassis, tyres, and throughout the engine to maximise the car’s performance, is crucial to the Team’s winning strategy.

The data also contributes crucially to simulations and modelling that are as sophisticated as Aerospace industry technology in predicting the car’s performance and safety. Information such as the car’s speed, stability, aerodynamic performance and tyre degradation is fed into test runs, to design a car that is capable of performing at its optimal best. And this search for perfection continues up to the day before the race.

The value of the gigabytes of data tracked, monitored, stored and analysed during practice runs, race day and post-race day is unquestionably an important source of competitive advantage. So, how do F1 Teams protect and secure the data against breaches and intrusions? We followed Acronis, which has had the pleasure of being the very first Singaporean company to have been featured as a sponsor on a Formula 1 car - the Scuderia Toro Rosso racing team, in the days leading up to the 2017 Formula One© Singapore Airlines Singapore Grand Prix.

Acronis who has had the pleasure of being the very first Singaporean company to have been featured as a sponsor on a Formula 1 car - the Scuderia Toro Rosso racing team. Photo Credit: Scuderia Toro Rosso

Day - 5 before Race Day
Interview with Serguei Beloussov, Acronis CEO

Serguei Beloussov, CEO, Acronis, Russian-born Singapore businessman and innovation, on the essentials of backup, data protection and the partnership between Acronis technology and Scuderia Toro Rosso. Photo Credit: Acronis

Founded in 2003 by Russian-born Singaporean Serguei Beloussov, Acronis specializes in back-up, ransomware protection, disaster recovery and secure file sync and share solutions. With offices in United States, Japan, Russia and Germany, it chooses Singapore for its Headquarters and R&D centre. In fact, Acronis is committed to investing half of its $10 million budget in the area of Artificial Intelligence. At the headquarters location at SunTec towers in Singapore, Serguei shared his love for the City State. “Convenience, safety, productiveness” are what make Singapore an attractive place for top professionals to live in. Excellent schools, world-class health care, diverse food choices and a modern smooth functioning network of transport infrastructure add to its attraction. With its solid reputation abroad, and stable politics, Singapore is also an attractive location for businesses. Indeed, one can easily squeeze in a full gym workout, a few offsite meetings, running errands, answering emails in the office – all within a day – in Singapore.

“All these reduce the uncertainties, and makes it easier to forecast and plan ahead”, said Serguei. With a PhD in Physics, Serguei has a clear pragmatic but also at the same time a romantic approach to how well Singapore is transforming itself into a knowledge-based economy. The Smart Nation is an excellent initiative and it is an opportunity for Singapore to be more romantic – in addition to the par excellence in pragmatic planning - for talented professionals who desire more creative and productive work. But, he emphasised, being hours in flight time from conflict-zones is not a reason for Singapore to be complacent. “This is especially more so given Singapore is a highly interconnected city, and a Cyber Criminal can just as easily launch an attack from the tower next door, or from abroad”.

What can Singapore learn from Russia in the area of Cyber Security? Serguei laughed, “we are talking about comparing one of the smallest countries with one of the largest countries. Even the late Mr Lee Kuan Yew was wise enough not to make the mistake of assuming what works in one country could work in another.” After almost 20 years as a Singapore citizen, Serguei has ambitious plans to help build Cyber skills and capacity in the city state. “We work very closely with Singapore’s leading universities and tech communities in joint projects, as well as growing its internship recruitment drive and giving Tech Talks”, he explained.

At that point, the phone rang. A few moments in rapid-fire Russian punctuated with bursts of frustration at his banker’s authentication questions (Date of Birth and Home Address – which are publicly available), he hung up and concluded that “Blockchain is an indispensable and important block of embedding security in our digital lives”. A classic way to define security goals for an organisation is the “CIA” model. This refers to the components: confidentiality, integrity, availability, as well as access controls, and authenticity. And Blockchain is seen by many as the holy grail in efficiently solving the puzzle of meeting these goals. Standard, repetitive and one-size-fits-all identity verification protocols that exist now (which he just went through with his banker) can be automated through the single-source of truth and tamper-proof protocols promised by Blockchain. And this will further increase productivity and allow us humans to do more of the creative work. He added, “in F1 where there is so much data, BlockChain will also increase the trust in the integrity and authenticity of the data shared within the team”.

As I left the Headquarters, hectic preparations were underway for inviting a renowned BlockChain expert to share his views on the promise of this technology, while champagne bottles and wine were being brought in for next day’s celebratory weekend to Acronis Racing Weekend agenda.

Day - 4 Before Race Day
Acronis Racing Weekend 13th Sept – Virtual Reality, F1 Simulator, AI Robot

The event kicked off with Virtual Reality Demo, F1 Simulators, AI Robots, and a mouth-watering demonstration of Chinese Chicken Rice preparation by the Michelin Star Chef Chan Hon Meng. With the event off to an appetizing start, I discussed with Raffaele Boschetti, Head of IT Dept. of Scuderia Toro Rosso F1 Team, and Fabrizio Minuto, Deputy Head of IT, of Scuderia Toro Rosso F1 Team, Daniil Kvyat and Carlos Sainz on Cyber Security in their day-to-day operations. “Insider is a big issue”, said Raffaele. “This is especially so because there is a material turnover in the F1 industry.” This insider threat is seen through an example of cyber industrial espionage whereby a staff member who was leaving for a competing Team deliberately copied statistical data with the intention to leverage off the analytics to the advantage of his new employer. He was subsequently disciplined and barred for life from the industry, highlighting that managing the risk of data leakages is a priority not to be overlooked. In this adrenaline-fueled, high-octane world of F1, momentary data losses on race day itself – inadvertent or deliberate or Ransomware – or IP (intellectual property) data breaches on car design during the manufacturing phase, can mean the difference between “performing a good race versus not finishing one”, said Raffaele. He emphasised the focus on performance and reliability in a mission-critical environment. “F1 is a data driven business and Innovation related to data management is really important for the team’s success”, he added.

Carlos Sainz, Scuderia Toro Rosso [left], is behind the wheel of the STR 12 for his third season in Formula 1. Daniil Kvyat, Scuderia Toro Rosso [right], raced for Red Bull Racing, where he stayed until the start of the 2016 European races, when he was moved back to Scuderia Toro Rosso. With Acronis Robot, who not only replied to questions about the solar system, but also displayed an impressive range of dance moves to music requests.
Spectacular fireworks at the end of the race. Photo Credit: Singapore Tourism Board.
As in other industries, their Cyber security policies to protect the end-points and network that host the F1 team’s mission-critical data (the “crown jewels”) against external intrusions and insider threats include cloud security, behavioural analytics, access controls, permitted media. Critically, encryption policies are high priority to protect the confidential car telemetry transmitted on-site to the headquarters, and to licenced partners. At this opportune time, the Acronis Robot showcasing the latest innovation in Artificial Intelligence made its grand entrance, for a Q&A session with Scuderia Toro Rosso drivers Carlos Sainz and Daniil Kvyat.

Day - 3 and Day - 2 before Race day – Practice Day 1 and Practice Day 2
Data collection and crunching. And backups.

In 2014, race teams at the U.S. Grand Prix collected more than 243 terabytes of data according to AT&T, which is a few terabytes more data than there are in the Library of Congress. "10 terabytes of data float through the system, which makes it the biggest science project on the planet for that period of time, eclipsing even the human genome project," during the 90-minute race, said McLaren Applied Technologies CEO in a CNBC interview ahead of the Singapore GP race. “200 Petabytes of data is collected across the teams last year, a mind-blowing 40% increase year-on-year. This is exponential growth,” said Chris Vlok, a New Zealand F3 driver during a break in between watching the practice runs. He elaborated: “The volume of data collected during the practice sessions is heavily scrutinized before the qualifying, to devise the racing strategy, but also to make calculated changes to the set up of the car, as well as outline any changes the driver should make”. With the right metrics monitored, the engineers and the driver analysed the machine and human factor(s) behind the performance compared to the other car(s) in their team (or to the same race of the previous year), to optimise the mechanical variables (such as fuel burn) or driver factors (such as steering angle, brake pressure) to devise a strategy map and gain that hundredth of a second.

The anecdote shared by the STR team – the panic caused when a laptop hosting the critical data and the strategy map was dropped at an earlier F1 race this season, potentially losing the team its strategy map – shows how data-hungry the industry is, and consequently how important reliable backups are – the team was able to recover the data so rapidly that the driver’s knowledge of the loss came only after the race was concluded.

Day - 1 before Race Day – Qualifying Race
Tech Talk on Ethereum Cryptocurrency, Blockchain.
Blockchain expert Alex Garkusha, co-founder of one of the world’s most successful ICO consulting firms - ModernToken – gave a fascinating presentation of challenges and opportunities presented by the Blockchain technology at the Acronis HQ. With experience in the “BlockChain of yesterday” (cryptocurrencies) and the “BlockChain of today” (smart contracts), Alex answered questions on a very topical theme - the peaks and troughs of Bitcoin, and initial currency offerings (ICOs). With the recent regulatory crackdowns on ICO, the most notable example being the Chinese government and the subsequent impacts on the value of Bitcoin holders, the oversubscribed audience asked: what is needed to establish the necessary trust and confidence in the ecosystems in ICO? What is the relationship between ICO raised on the Ethereum platform and the impact on the value of Ethereum?

Eugene Aseev, at his RSA Asia 2017 talk (two months earlier in July) on “Changing Data Protection: Heading towards a Blockchain-Operated Future”, illustrated the use of BlockChain in Data Notarization (in other words, the integrity or authenticity of data), through the use of Merkle Tree structures of the files’ fingerprints, anchored into the BlockChain with a timestamp. Aside from the challenge of building scalable industrial solutions that are capable of processing large volumes of data, and balancing that with the low intrinsic rate of recording onto the BlockChain, there is also a need for Digital Notary Legislation to recognise that a signature secured through BlockChain technology is considered to be in an electronic form and to be an electronic signature. Recently passed legislation is encouraging, such as the Vermont Blockchain law – Act No. 157 (H.868): “Blockchain Technology (effective July 1, 2016) creates rebuttable statutory presumptions of authenticity for records using blockchain technology”.

Embedded as part of backup protocol, Blockchain will undoubtedly give users the confidence that the data has been verified and signed as authentic. And in the motorsport of F1 with the hundreds of terabytes transmitted, shared, analysed and stored over a racing weekend, the technology will increase the cost of deliberate data alteration by an illegitimate actor seeking to profit from misleading the targeted racing team.

F1 Simulators. Photo Credit: Acronis.

Singapore Airlines Formula© One Singapore GP - 17th September 2017

Rain fell on this race day and a dramatic crash at Turn 1 of the Marina Bay Street circuit saw the retirement of three of the top four starters, including Ferrari duo Sebastian Vettel and Kimi Raikkonen and Red Bull’s Max Verstappen. In a sport that involves machines travelling at hundreds of miles an hour, accidents do happen. And this is a data-rich sport: the car telemetry data, together with additional forms of data such as radio communication traffic, closed-circuit TV and weather data, feed the team’s systems to display visuals and correlated metrics to understand what actually happened on track – and what could have been avoided. Not only are the data and the diagnostic process necessary for the teams that were involved in the incident, they also play an important evidential role in the stewards’ determination of whether an incident requires further investigation or is considered a racing accident where no one driver is deemed to have committed an offence. (In this Singapore GP crash-out, the race stewards cleared all parties of any wrongdoing after an inquiry). The crash data, particularly the visuals, also play an important part in improving the safety of the sport. In Fernando Alonso's high-speed crash in the Australian Grand Prix last year, recordings allowed the team of experts to understand how forces on the body (head, neck, shoulders) are exerted in a high-G crash and how they interact with anything that is in the space of the driver (padding, belts), and what needs to be improved in the next generation of cockpit design. With both Ferraris and Verstappen out of the race, Mercedes’ Lewis Hamilton stormed to victory to extend his lead in the world title race.

What’s next? The Scuderia Toro Rosso team now travels on to the Malaysia GP, armed with data and insights that would mean reviews and changes of car settings and driver’s techniques.
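The data notarization idea from the Tech Talk section above (file fingerprints arranged in a Merkle tree, with the root anchored under a timestamp) can be sketched as follows; one anchored root covers a whole batch of files, which is how the low recording rate of a blockchain is reconciled with large data volumes. This is an added example, not code from Acronis or from the article: the sample files are constructed, the `Anchor` record stands in for an on-chain transaction, and the leaf/node prefixes and the promotion of unpaired nodes are assumptions of this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Domain separation (assumption of this sketch): a leaf hash can never be
# replayed as an inner node, which blocks second-preimage tricks on the tree.
LEAF, NODE = b"\x00", b"\x01"


def fingerprint(content: bytes) -> bytes:
    """Leaf value: SHA-256 fingerprint of one file's content."""
    return hashlib.sha256(LEAF + content).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE + left + right).digest()


def _levels(leaves):
    """All tree levels, leaves first. An unpaired node is promoted unchanged."""
    if not leaves:
        raise ValueError("cannot notarize an empty batch")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_node(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def merkle_root(leaves) -> bytes:
    return _levels(leaves)[-1][0]


def inclusion_proof(leaves, index: int):
    """Sibling hashes from leaf to root as (hash, sibling_is_on_the_right)."""
    proof = []
    for level in _levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # a promoted node has no sibling here
            proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = _node(h, sibling) if sibling_is_right else _node(sibling, h)
    return hmac.compare_digest(h, root)


@dataclass(frozen=True)
class Anchor:
    """Stand-in for the blockchain record: only the root and a timestamp."""
    root_hex: str
    timestamp: str


def notarize(files: dict, timestamp: str):
    """Return the anchor for a batch plus one inclusion proof per file."""
    names = sorted(files)                 # fixed order so the root is reproducible
    leaves = [fingerprint(files[n]) for n in names]
    anchor = Anchor(merkle_root(leaves).hex(), timestamp)
    proofs = {n: inclusion_proof(leaves, i) for i, n in enumerate(names)}
    return anchor, proofs


def verify_file(content: bytes, proof, anchor: Anchor) -> bool:
    """True only if this exact content was part of the anchored batch."""
    return verify_inclusion(fingerprint(content), proof, bytes.fromhex(anchor.root_hex))


# Constructed sample batch (not real telemetry); five files to exercise the odd case.
SAMPLE_FILES = {
    "fp1_telemetry.csv": b"lap,tyre_psi,brake_c\n1,21.4,412\n2,21.6,430\n",
    "fp2_telemetry.csv": b"lap,tyre_psi,brake_c\n1,21.4,405\n2,21.5,428\n",
    "quali_telemetry.csv": b"lap,tyre_psi,brake_c\n1,22.0,455\n",
    "radio_log.txt": b"12:01 box this lap\n12:03 copy\n",
    "strategy_map.json": b'{"stops": 2, "first_stint": "ultrasoft"}',
}

if __name__ == "__main__":
    anchor, proofs = notarize(SAMPLE_FILES, "2017-09-16T12:00:00Z")
    print("anchored root:", anchor.root_hex, "at", anchor.timestamp)
    for name, content in SAMPLE_FILES.items():
        print(name, "verified:", verify_file(content, proofs[name], anchor))
    altered = SAMPLE_FILES["fp2_telemetry.csv"].replace(b"21.4", b"23.9")
    print("altered fp2 verified:", verify_file(altered, proofs["fp2_telemetry.csv"], anchor))
```

A verifier needs only the file, its proof and the anchored root, so a restored backup can be checked without access to the rest of the batch.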
Singapore International Cyber Week 2017 “Building A Secure and Resilient Digital Future Through Partnership”
Singapore International Cyber Week (SICW) 2017 (18th – 21st Sept, Suntec Singapore International Convention & Exhibition Centre), organised by the Cyber Security Agency of Singapore (CSA), took its second edition to greater heights that saw participation of over 7,000 international and regional policy makers, thought leaders, industry experts and visitors from close to 50 countries. The theme: “Building A Secure and Resilient Digital Future Through Partnership” echoed Singapore’s focus on strengthening the nation’s digital future through building robust local and international partnerships. Events under the SICW umbrella include the ASEAN Ministerial Conference on Cybersecurity (AMCC), the International Cyber Leaders’ Symposium (ICLS) and ASEAN Cybercrime Prosecutors’ Roundtable Meeting (ACPRM). Over 250 participating companies and sponsors including Palo Alto Networks, Carbon Black Inc, Imperva Inc, NEC and BAE Systems, and country pavilions including France, Holland, Malaysia and United Kingdom, as well as Singapore,
also showcased Cyber Security innovations in the GovernmentWare (GovWare 2017) exhibition. Aspirations of the next generation of industry professionals were also demonstrated through their cybersecurity research and projects at a dedicated Pavilion for Institutes of Higher Learning (IHLs). From the current hundred-of-thousands to the projected couple-of-millions Cyber Security skills shortage cited by advanced countries invited to SICW 2017, capacity building and upskilling are clearly keys to realising the vision of a secure and resilient digital future. At his Opening Speech, Deputy Prime Minister of Singapore and Co-ordinating Minister for National Security Mr Teo Chee Hean spoke on the progress in building Singapore’s capabilities: “we established the Cyber Security Agency (CSA) in 2015, and CSA has just achieved Full Operating Capability, after successfully carrying out its first exercise involving all 11 Critical Information Infrastructure (CII) sectors in Singapore”, and more needs to be done. On this, he highlighted several initiatives in investments in people, capabilities and networks.
One initiative underway is the creation of new cyber defence vocation for National Servicemen (“Cyber Defenders”) to tap on cyber talent pool selected from educational institutions, with the aim to have about 2,600 servicemen on board in about a decade - a “significant build-up” from current numbers. In addition to roles in Security Operations Centre monitoring, Incident Response, and Forensic Investigation, these Cyber Defenders will also support CSA to defend critical information infrastructure (such as the power grid, transportation and telecommunications network). Another is the establishment of the Defence Cyber Organisation (DCO) (by The Ministry of Defence (MINDEF)) to monitor and defend MINDEF and the Singapore Armed Forces (SAF)'s networks 24/7 from cyber threats, through oversight, capacity development, vulnerability assessments and compliance, operational monitoring and incident response; including the Cyber Defence Test and Evaluation Centre, fully operational since 2015 to provide facilities for network security testing, cyber defence tools evaluation, and cyber defence training and exercises. Others announced during SICW
CyberWEEK Security SINGAPORE CYBER Strengthening of CyberSecurity Communities of Practice
ASEAN Cybersecurity and ICT Ministers and Senior Officials with Deputy Prime Minister of Singapore and Co-ordinating Minister for National Security Mr Teo Chee Hean (front row, centre). Front Row L to R H.E. Haji Mustappa bin Haji Sirat (Minister of Communications, Brunei Darussalam), Teo Chee Hean (Acting Prime Minister, Singapore), Dr Yaacob Ibrahim (Minister for Communications and Information and Minister-in-Charge of Cyber Security, Singapore) Second Row: L to R H.E. Kyaw Myo (Deputy Minister, Ministry of Transport and Communications, Myanmar), H.E. Dr. H. Wiranto (Coordinating Minister for Political, Legal and Security Affairs, Indonesia) Third Row: H.E. Bounsaleumsay Khennavong (Vice-Minister of Post and Telecommunications, Lao PDR), Y.B Datuk Seri Panglima Wilfred Madius Tangau (Minister of Science, Technology and Innovation, Malaysia) Fourth Row: H.E. Teng Savong (Secretary of State, Ministry of Interior, Cambodia), H.E. Tram Iv Tek (Minister of Posts and Telecommunications, Cambodia) Fifth Row: Mr Allan Cabanlong (Assistant Secretary, Department of Information and Communications Technology, Philippines), H.E. Pansak Siriruchatapong (ViceMinister for Digital Economy and Society, Thailand), H.E. Senior Lieutenant General To Lam (Minister of Public Security, Viet Nam), H.E. Nguyen Thanh Hung (Deputy Minister of Information and Communications, Viet Nam)
Photo Credit: Ministry of Communications and Information.
include private-public collaborations and partnerships:
• the CSA Academy, which will partner leading industry players to train those in government and critical infrastructure sectors;
• the CSAT (Cyber Security Associates and Technologists Programme), to catalyse private-sector companies to invest in the upskilling of professionals for cyber security job roles through on-the-job training;
• a Memorandum of Understanding between CSA and Information Systems Audit and Control Association (ISACA) to develop the Cybersecurity Risk-Based Capability Assessment tool, and to enhance the competencies of Governance, Risk and Compliance (GRC) professionals and strengthen Cybersecurity Communities of Practice;
• working with the Industrial Control Systems community to develop a set of cybersecurity guidelines for industrial control systems (such as those used in the energy, water, maritime and land transport sectors).
Specifically, on the strengthening of cybersecurity Communities of Practice, Dr Steven Wong (President, Association of Information Security Professionals – AISP - a local body for information security professionals; Associate Professor, Singapore Institute of Technology; Vice-Chairman, IEEE Consumer Electronics Society Singapore) set out the crucial elements for achieving this vision in his SICW talk on “How the community of practice can help connect the pieces to build a vibrant cybersecurity ecosystem”.

First, he pointed out how the establishment of standards “can bring things together”. The wide range of standards from many organisations around the world is mind-blowing – for example: National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 27001/27002 Information Security Management System (ISMS), Internet Engineering Task Force (IETF) RFC2196, to name a few. “Just standards in IoT alone is massive”, he further elaborated - there are protocols for 802.11 Wi-Fi, Bluetooth and Ethernet, various operating systems such as Linux, Android and TinyOS, not to mention the different Access Point or Router device types. So, in the IoT world, how can standards bring things together? He gave some guidelines: adopt best practices such as Privacy-by-Design and Security-by-Design, Authentication/authorization frameworks, and layered protections. Understanding lifecycle controls for IoT devices is also key given the myriad of devices available.

Second, we need to consider “setting standards for services and workforce”.
For the first time, the scope of Exercise Cyber Star was expanded to cover all 11 designated Critical Information Infrastructure (CII) sectors in Singapore. Seven sectors - namely Aviation, Healthcare, Land Transport, Maritime, Media, Security & Emergency and Water – were exercised in July 2017, alongside the Banking and Finance, Energy, Government, and Infocomm sectors that were exercised in 2016. - Photo Credit: Ministry of Communications and Information.
He illustrated this with an example of bringing together the different roles played by a group of public-private contributors. The multi-stakeholder public-private collaboration between CREST (a UK-headquartered not-for-profit organisation) and AISP, with the support of CSA, established a CREST Singapore Chapter for penetration-testing certifications last year. Developed in collaboration with the Monetary Authority of Singapore (MAS), the Association of Banks in Singapore (ABS) and the Infocomm Development Authority of Singapore (IDA), the certification addresses a very real concern faced by Financial
Cyber Security SINGAPORE CYBER WEEK
Left: Theresa Grafenstine, ISACA Board Chair, inspector-general of the U.S. House of Representatives, USA, Right: David Koh, CEO, Cyber Security Agency of Singapore - Photo Credit: ISACA Singapore
[L to R]: Professor Loh Han Tong, Deputy President (Academic) and Provost of SIT; Mr David Koh, Chief Executive of CSA; Mr Ian Glover, President of CREST International and Dr Steven Wong, President of AISP and Co-chair of CREST Singapore Working Committee at the CREST Examination Facility at the unveiling of New CREST Examination Facility at Industry Event in July 2016. Photo Credit : CSA
Students from the Institute of Higher Learning pitted their cyber skills against one another at the Singapore Cyber Conquest. Photo credit: SICW 2017
Institutions in the area of Penetration Testing: “How to be more assured about the quality of service that cannot be effectively assessed until something bad happens?” Dr Wong explained that selecting CREST, a well-established certification and accreditation body used by the Bank of England and the Australian government, answers the concern through:
• The people doing the job: “CREST provides rigorous examinations consisting of both theory (knowledge based) and practical components”
• The company that hires them: “CREST member accreditation and a government mechanisms through the code of conduct”
Third, setting standards also requires speaking a common language. “In Singapore, the IS-BOK (Information Security Body-of-Knowledge) was developed in 2009 to provide one of the most holistic coverage of Information Security at that time”. The BoK clarifies, for instance, what we mean by “Risk Management” or “Security Incident Management” (the former includes Risk Assessment, Risk Treatment, Risk Monitoring and Communications, Risk Methodologies and Key Success Factors in Risk Management Implementation; the latter, “Preparation, Identification, Escalation and Response, Analysis and Investigation, Recovery, Testing and Maintenance”).

With these initiatives, MoU and partnership announcements, there is no doubt that Singapore is showing solid and steady progress in capacity building. We sat down with Dr Steven Wong at SICW 2017 to understand what is next in capacity building, and took this rare opportunity to gather his thoughts on the trending topics of Data Privacy, CryptoCurrency, and Singapore’s CyberSecurity Bill.

Interview with Dr Steven Wong

“It’s a long process, capacity building includes not only classroom training but also on-the-job training, experience, and also the right mindset”, he said. “Training will address to some extent the gap between supply and demand, and the supply is not catching up”, he continued. With Cyber Security underpinning the end-to-end protection of digital data – from setting policies, vulnerability and risk assessments, monitoring, detection, to response and recovery - “clear articulation of jobs roles is required to help identify the gaps”. Malware analysts, network administrators and forensics investigators are some examples, and while there are basic common requirements, each is a specialised role with a differing area of focus as well as legal compliance needs (especially for forensics investigators).

WannaCry, which affected computers in more than 100 countries, is a tangible example that there is no “100% security”.
Reportedly, the WannaCry worm, an NSA cyber-weapon that found its way into the public domain, mutated into Petya and NotPetya, which followed a couple of months later. He warned that the level of sophistication and frequency of attacks are only going to increase, which means that for each of us, falling victim to cyber attacks is no longer a
Singapore and International companies showcase at the 26th edition of Govware 2017, part of SICW 2017. Photo Credit: SICW 2017.
question of “when” or “if”. “It is no longer ‘will we be hacked’ nor ‘when we will be’. We already are - hacked”.

It is well publicised that hackers who break into systems could easily remain undetected for up to an average of 200 days. With this in mind, the focus has to be on establishing a robust incident response framework and recovery strategy. As with any risk management approach, its effectiveness depends on the organisation’s risk appetite coupled with a cost-impact analysis, which includes recovery. In this spirit, following the successful launch of Penetration Testing, CREST is expanding to establish standards for security operations centres and incident response.

“Heavy leakage” of talent from the industry was another concern. “The job is stressful. When there are incidents, the responses need to be immediate and effective. Not only that, but the industry evolves very rapidly and best practices are ‘moving goal posts’ due to the incessant evolution of attack tactics. Professionals need to upskill very often and this is not easy. Add to this pressure is the negative publicity whenever there are breaches or incidents”.

“Look at it this way. When there is an incident, the good-side is penalised, while the bad-side is rewarded. We need to be better at giving recognition, at celebrating successes”. To this end, the inaugural Cybersecurity Awards was launched to recognise outstanding cybersecurity professionals, enterprises and students who have made significant contributions to Singapore’s cybersecurity ecosystem. Organised by
AISP and supported by CSA and six other professional and industry associations*, the first Awards ceremony will take place early next year.

What about cultivating the ‘right’ mindset?

A Cyber Security specialist must be able to think critically and solve complex problems in the Cyber Space, with its ever-shifting borders, exponential rate of attacks, and threat actors operating from often hard-to-track locations under multiple cover names and roles. “It is an art as much as science”, he emphasized. Beyond the technical and on-the-job training, mindset is important. An important attribute that drives self-motivation and continuous upskilling is passion - reflected in going the extra mile, or as Dr Wong specifically put it, “how much do you want to educate your client, when you present your Penetration Testing report”.

Passion, together with innate ability, can be discovered through a non-structured, out-of-the-box training approach. “Training has to mimic the playground, so that youngsters with talents in this field can be presented with the opportunities to exhibit their talents. And we can then help develop them”.

On the other hand, there have been cases where talented individuals, tempted to impress their friends or gain kudos from their peers, attacked networks or defaced websites. And often, it is a mere “press of the button”, said Dr. Wong, “with little understanding of the potentially harmful consequences”. Unlike a physical attack, the impact of a cyber attack on lives may be geographically removed or chronologically delayed, giving individuals
the false impression that there are no consequences to a cyber incident. He believed that more awareness needs to be developed in this sphere, but also that a “track back to go to the good-side” must be made available for these individuals who attacked “at the folly of the moment”. “A yellow ribbon, mentoring programs, support system, a bridge to cross back to the good-side and at the same time keep them close and monitor them”, Dr Wong explained. These could arguably be of value to the growing industry, which would gain not only from the skills of these individuals but also from their insights and thinking.

What else do we need to consider in the Singapore CyberSecurity Bill?

“To some extent, this is also being considered in current drafting of the Cybersecurity Bill - what is the right balance, so that we penalise the cyber fraudsters and criminals with real malicious intent? And also create a safe haven – which mimic the real-world, for training?” The right balance is also a fine one to strike for businesses. “The drafting is also considering the right balance, so that the cost for businesses for compliance is not too high. But neither can it be too low for the businesses not to take their responsibilities seriously.”

It is widely acknowledged that the current draft clarifies a coordinating power, powers of investigation and required standards of profession. Expected to have been tabled this year, it will instead be introduced in Parliament in 2018, in order for the government to study the suggestions and
feedback received from the various stakeholders, including sector leads, potential critical information infrastructure (CII) owners, and the wider industry and public, according to Dr Yaacob Ibrahim, Minister for Communications and Information, at the opening ceremony of the AMCC.

What about effectiveness of regulation, in the areas of Data Privacy or Cryptocurrencies?

Awareness is key. Cyber literacy that is developed during the younger years, while the “pain points from suffering an attack” are not too high, and that exposes the younger generation to vulnerabilities could be an effective means of self-regulation. “Awareness comes with a loss”, he said. “When the youth realise, for example that over exposure on social media may cause them real tangible loss of personal privacy, they will adopt a more educated approach to sharing.” Similarly, with cryptocurrencies, Dr Wong proposed that an understanding of what “blockchain” is will give amateur cryptocurrency investors a framework for a more rational decision-making process, instead of blindly following the trend.

Dr Wong pointed to the growing sophistication of the attack landscape – not only is the pool of available cyber weapons growing, but the time to create variants of malware is also shortening. The air-gapping solution implemented in the Singapore government agencies (the separation of the internal versus external internet network) is a preventative measure and, with the rapidly changing landscape in the Cyber Space, would require recurrent reviews. With no “100% secure” system, incident response must form an important part of the Cyber Security framework. Ultimately, if we back up reliably, ransomware would no longer be an attractive vector for the attackers, Dr Wong concluded. But, at the same time, the growing importance of Cyber Security also gives us the opportunity to develop and embed Cyber Literacy as part of our on-going learning and innovation in this era of interconnected devices.

Paul Nicholas, Senior Director, Global Security Strategy and Diplomacy, at the NATO CCD COE (NATO Cooperative Cyber Defence Centre of Excellence)’s CyCon in May. Photo Credit: Paul Nicholas/ NATO CCD COE.

Cyber Norms
Establishing Cyber Norms is also an important step towards building trust in the digital future. “Trust that our interactions online are secure, and that our sensitive personal data will not be misused. Trust that thieves do not steal our valuable personal savings or commercial intellectual property. Trust that essential services like healthcare will be available at all times, and not held ransom by cyber-attacks”, said DPM Teo in his opening remarks. At policy level, “countries are working on global cyber norms which help build trust in cyberspace, especially in the protection of supranational CIIs.”

Within ASEAN, the ASEAN Ministers Meeting on Cybersecurity (“AMCC”) successfully organized, in May, an ASEAN Cyber Norms Workshop to follow up on last year’s SICW discussion on cyber norms. Dr Yaacob, at the opening ceremony of AMCC, elaborated: “the workshop also helped to heighten the awareness of ongoing global cyber norms discussions at platforms such as the United Nations Group of Governmental Experts (UNGGE)”. Recently, in 2015, UNGGE proposed a new set of rules and principles for the responsible behaviour of nation-states, or “norms”, in cyberspace. Taking reference from these norms, the AMCC agreed that such norms will help to enhance trust among ASEAN Member States.

Another initiative is Singapore’s partnership in the Global Commission for the Stability of Cyberspace (GCSC) (launched by the Dutch government, the Hague Center for Strategic Studies, and the East-West Institute) in Feb 2017, to “develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behaviour in cyberspace.” An example of translating this into practice was the adoption of Security-by-Design to manage risks (such as legacy and cryptocurrency security risks) in the financial services sector - detailed by Commissioner,
Boon Hui Khoo (who was also Singapore’s Police Commissioner 1997-2010, and Interpol President 2008-2012), at an August FinTech Security Summit. While governments continue to invest in greater offensive capabilities in cyberspace, the expertise of the private technology sector, together with supportive nonprofit groups, could be leveraged to better deter nation-state attacks in cyberspace. An example is the “Digital Geneva Convention”, which Microsoft is committed to working with governments on, “that will safeguard citizens around the world from major state-led or state-sanctioned cyberattacks”, said Paul Nicholas, Senior Director, Global Security Strategy and Diplomacy.

“We should work towards further strengthening partnerships with similar regional and international organisations to identify and respond to trans-boundary threats in a timely, coordinated and coherent manner”.

Strengthening International Partnerships

In his closing remarks, Dr Yaacob stressed that a “coherent, coordinated global effort is key to a trusted and resilient cyber environment”. A good example of such cooperation was an Interpol-led operation early this year. Bringing together investigators from Singapore, Indonesia, Malaysia, Myanmar, Philippines, Thailand and Vietnam to share information on specific cybercrimes, the operation identified close to 9,000 malicious servers and hundreds of compromised websites. Indeed, just “as ASEAN came together in the face of a security threat 50 years ago and created the pre-condition for all of us to do well, so too can we work closer together on cybersecurity to take full advantage of the fruits of digitalisation. Today’s conference will be another step forward to take stock, make plans and move forward as a united and cyber resilient region”.

Name (From Left to Right)
• The Hon. Dato Mustappa Sirat: Minister of Communications (Country: Brunei Darussalam)
• H.E. Teng Savong: Secretary of State, Ministry of Interior, In charge of Security and Capacity Development
• H.E. Tram Iv Tek: Minister of Posts and Telecommunications
• Air Rear Marshall Warsono: Deputy Coordinating Minister, Communications, Information and State Apparatus, Coordinating Ministry of Political, Legal and Security Affairs
• H.E. Bounsaleumsay Khennavong: Vice Minister of Post and Telecommunications
• Y.B. Dato Jailani Johari: Ministry of Communications and Multimedia Malaysia
• Y.B. Datuk Seri Panglima Madius Tangau: Minister of Science, Technology and Innovation
• H.E. Le Luong Minh: ASEAN Secretary General
• Dr. Yaacob Ibrahim: Minister for Communications and Information and Minister-in-charge of Cyber Security
• H.E. Kyaw Myo: Deputy Union Minister, Ministry of Transport and Communications
• Pol. Col Soe Naing Oo: Head of Forensic Science and Training, Criminal Investigation Department, Myanmar Police Force
• H.E. General Hermogenes C. Esperon Jr (Ret.): National Security Adviser and National Security Council Director-General
• Mr. Allan Cabanlong: Assistant Secretary, Department of Information and Communications Technology (DICT)
• H.E. Dr. Pichet Durongkaveroj: Minister of Digital Economy and Society
• H.E. Pansak Siriruchatapong: Vice Minister for Digital Economy and Society
• H.E. Senior Lieutenant General To Lam: Minister of Public Security
• H.E. Nguyen Thanh Hung: Deputy Minister of Information and Communications
National Security CYBER WEEK SINGAPORE
Critical information infrastructure Defense-in-depth

Earlier in June, the US Homeland Security and the FBI sent out a general warning about cyber attacks on utilities. The US government said it was concerned about the “persistence” of the attacks on choke points of the US power supply, which suggested that hackers were trying to establish backdoors on the plants’ systems. This came at a time when industrial firms were particularly anxious about cyber disruptions to their operations, particularly after the Dec 2015 attack on Prykarpattya Oblenergo in Western Ukraine - the first cyber-physical attack since the Stuxnet malware which degraded Iran’s uranium processing capability in 2010; another followed in Dec 2016, on Kiev’s power grid, which cut off power in residential areas.

Utilities are not the only Critical Infrastructures vulnerable to cyber attacks. Amongst the victims of the ransomware WannaCry were airports and shipping companies. Critical infrastructures are attractive targets in cyber attack campaigns, as catastrophic failure can cause disproportionate effects on a country’s
trade, financial systems and transport and logistic systems.

Held in Singapore, the Cyber Security for Transportation Summit 2017 (CSTS 2017, 10th – 13th October) saw two Critical Information Infrastructure cyber-security events co-located at Furama Riverside Singapore - Cyber Security for Airports and Cyber Security for Maritime Summits. Airports, aviation authorities, ports, maritime authorities, offshore shipping, oil and gas energy and solution providers gathered to discuss the latest technologies, techniques, strategies and best practices in the industry.

Cyber Security for Airport and Maritime Summits
In his Welcome Address, Mr Gurmukh Singh Bawa (Airport Economist and Former General Manager, Public Relations as Head of the Department, Airports Authority of India) said, “All kinds of civil aviation operations have security issues imbedded into them through various IT-Systems, Sub-Systems, Chips, Micro-Chips loaded with software codes that can be altered or
influenced by the un-authorized persons; this includes airports, airlines, ground handling agencies, various automation systems operating in the civil aviation and their maintenance processes. The cyber security checklist may run into over 100s of operations and thousands of staff and other third party personnel involved or associated with them”.

While the attribution of incidents ranging from DDoS (when Tokyo’s Narita Airport website was taken offline during a weekend last year) to power failures and software glitches (disrupting check-in systems at the United Kingdom’s Heathrow Airport and Singapore’s Changi Airport this year) may not always be obvious, there are inevitable financial damages: compensation to affected travellers, costs incurred in investigations and forensics, running contingency services, and regulatory penalties for control failures.

According to a survey among the world’s top 200 airlines carried out by SITA (the travel technology provider to the air transport industry), “cyber security at airlines is progressing. Three years ago less than half of airlines (47%) said they were making advanced preparations to manage cyber risks - today this has doubled to 91%”. The
focus on cyber security, it explained, also reflects the move to the ‘Internet of Things’ (IoT), in which a vast number of physical objects will become connected to the internet. In other words, a digitally connected airport network is vulnerable to an attacker who gains a foothold, then traverses the network, gains privileged access, and executes illegitimate actions.

Digital Connected Assets of the Airport
Mr Gurmukh Singh Bawa (Airport Economist and Former General Manager, Public Relations as Head of the Department, Airports Authority of India). Photo Credit: Cyber Security for Airports Summit 2017
Ilgar Aliyev (Technology Governance and Information Assurance, PoB FTZ Azerbaijan), at his talk “Evaluating and Prioritizing Cyber Security Testing in Airport Industry to Detect Operation Weaknesses” Photo Credit: Cyber Security For Airports Summit 2017
Ilgar Aliyev (Technology Governance and Information Assurance, PoB FTZ Azerbaijan), at his talk “Evaluating and Prioritizing Cyber Security Testing in Airport Industry to Detect Operation Weaknesses”, illustrated the digital interaction between the passenger and the airport facilities and staff through “Digital Connected Assets of the Airport”. For example, the “land-side” part of this connectivity begins at the point of Arrival and runs through Immigration, Gate and Baggage Collection; similarly, from the perspective of the departing passenger, it runs from the point of Check-In through Passports and Entertainment to Departure. Threats, including human errors, third party failures, malicious actors or system failures (similar to those that a “non-CII” corporate network is exposed to), can result in disruptions with impacts ranging from “vital” to “critical”.

Jason Wells (CEO, QCC Global, Singapore Asia), at his talk “Practical Strategies in Technical Surveillance and Cyber Attacks Governor against Airport
Control Management Systems – Lessons Learned”, detailed the severity of the impacts on airport functions and supporting utilities, services, operations and controls in the event of a disruption. Among these functions, such as Passenger Management (e.g. baggage handling systems), Safety and Security (e.g. authentication systems, customs and immigration), and Airline / Airside Operations (e.g. de-icing systems), it comes as no surprise that attacks on IT and Communications, which encompass infrastructure systems and components such as GPS, the SITA Enabled Common Communications network, and IT Equipment Hardware and Software, will certainly result in catastrophic impacts on the operations of the airport.

Another dimension to consider is a 5G network powering the IoT. He pointed out that this allows stolen data to be transmitted covertly at high volume and speed, and is of particular relevance to Singapore, where (Straits Times, 23rd May 2017, ‘The Road to 5G’) “expected deployment of high-speed 5G mobile networks in 2020 will not only mean faster Internet access for customers, but will also benefit a whole host of industrial applications. High bandwidth, low latency and large capacity will allow for more connected devices and smarter living”. These high speed benefits will be opportunistically exploited by cyber criminals and hackers.

Indeed, Mr Gurmukh Singh Bawa said: “The IoT is going to be all around Aviation; be it efficient management of the flight, working of load factor vis-à-vis trajectory of navigation and weather patterns, Terminal Access, Security, Boarding and Baggage Handling through the biometrics based IDs and encrypted data shared through gadgets; Shopping at Airports, Airport Operations’ Management, Airport Equipment Maintenance, Aircraft Maintenance etc. The applications are numerous and ever increasing; the expected increase in the activities, economic pressure, and environmental concerns are further necessitating sharing the information.
The point, which we are deliberating at present, is the safety of the enormous amount of data that is being shared in the public domain”.

Insider Threats
Safeguarding against threats posed by technological vulnerabilities forms an important pillar of the “people, process, technology” security paradigm.
Jason Wells (CEO, QCC Global, Singapore Asia), at his talk “Practical Strategies in Technical Surveillance and Cyber Attacks Governor against Airport Control Management Systems – Lessons Learned”
John DiMaria (Research Fellow Global Product Champion, BSI Group Inc) Photo Credit: Cyber Security For Maritime Summit 2017
And “Insider Threats”, within the “people” pillar, are a significant contributor to the proportion of cyber incidents. Thomas Liau (Programme Director Cyber Security, Nova Systems), in his talk “Mitigating, Fighting and Preventing against Insider Threat for Cyber Security effectively within the Airport Operations Management to keep Airport Operations safe”, recommended not only investing in and acquiring a strong knowledge of characteristics internal to the organisation: “your people” and “your
Jurgen Vissen (SOC Architect, IBM Security Services APAC), on “Design, Build and Run a Cognitive Security Operations Center (SOC) like a Fighter Pilot in Airport Industry”. Photo Credit: Cyber Security For Airports Summit 2017
assets”, but also understanding actors in the external environment - “your enemy”. Mitigating Insider Threats includes standard practices such as adequate Contingency Planning, informative Cyber Analysis and Cyber Intelligence, and operating a Safety and Security Working Group.

To mitigate threats (not only insider threats), several best practice frameworks have been developed by the industry to provide conceptual principles and fundamental control guidelines. These include the OODA Loop, the Defense-in-Depth concept, the ISO27001 standards, and others such as the COBIT and NIST frameworks, or principles adopted from the intelligence service.

OODA Loop, Defense-in-Depth
Jurgen Vissen (SOC Architect, IBM Security Services APAC) suggested that we think like “a fighter pilot” and implement three core data and competency requirements derived from United States Air Force Colonel John Boyd’s “OODA Loop” (“Observe, Orient, Decide, Act”) concept:
• Information: Comprehend sensor data, contextual data, cyber intelligence, news events, vendor product vulnerabilities, threats, and tasks
• Analytics: Interpret and process the information using various analysis and synthesis tools.
• Visualization: Depict Cyber Situational Awareness information in visual form for better and quicker understanding

Ilgar Aliyev suggested the Defense-in-Depth approach, in which multiple layers of security controls (defense) are placed throughout an information technology system. This approach, widely adopted by industry professionals, includes standard controls such as Device configuration, Patch Management, Logical Access Controls, IPS/IDS (Firewalls, network segmentation, Intrusion Detection Systems), Firewalls, and User Awareness. One of the most widely recognised standards that comprehensively sets out key controls for a “defense-in-depth” framework is ISO/IEC 27001.

ISO/IEC 27001
From Left: Raymond Macaisa (IT Architect, Red Sea Gateway Terminal (RSGT)); Steven Sim (Senior Manager (IT Security), PSA Corporation Ltd); Chiang (Northport Malaysia Bhd). Photo Credit: Cyber Security For Maritime Summit 2017

At the Cloud Expo Asia - Cloud Cyber Security Expo KeyNote Theatre, Todd Redwood (Director, BSI Asia Pacific General Manager) and John DiMaria (Research Fellow Global Product Champion, BSI Group Inc) introduced the concept of “Information Resilience” and the application of ISO/IEC 27001 standards. To make organisations more resilient, ISO27001 embodies technology controls such as encryption, internal controls such as employee awareness and user access, external controls such as vendor management, and partnerships such as sharing cyber-intelligence with peers. The implementation of ISO/IEC 27001 necessitates three phases: “understand and prepare”, “see how ready you are” and finally “review and get certified”. Mr Redwood and Mr DiMaria highlighted, however, the need to “go beyond a focus on compliance”. Consistent with a key control within ISO/IEC 27001, they emphasized that the “journey does not stop with certification”, and that organisations must “continually improve the suitability, adequacy and effectiveness of the information security management system”.

Red Teaming and Alignment of Business and Technology Risk
Tam Huynh (Senior Director- Cyber Security, Kroll) on “Proactive Defense Against Cyber Threats” Photo Credit: Cyber Security For Maritime
Aside from the most recent NotPetya ransomware, which hit Maersk terminals and cost an estimated $300 million in losses, the Maritime sector had also suffered other notable attacks - one that specifically targeted shipping lines to cause reputational damage (e.g. the hack of the Iranian Shipping Line), and another that exploited a shipping firm’s server vulnerabilities to identify, locate and steal cargo of value.

Tam Huynh (Senior Director- Cyber Security, Kroll), in his talk “Proactive Defense Against Cyber Threats”, outlined an approach which is adopted in the intelligence community: “Red Teaming”. Using simulations based on realistic scenarios, such as attackers targeting a ship’s navigation system, red teaming assesses the organisation’s business risk and its ability to detect and respond to the incident, as opposed to a traditional assessment such as Penetration Testing, which may be scoped to focus only on technical risk.

A holistic view of enterprise risk that embodies both business and IT risks was also highlighted by Steven Sim (Senior Manager (IT Security), PSA Corporation Ltd) in his talk “Future-proofing Maritime Ports against Emerging Cyber-Physical Threats”. Detailing specific threats targeted at cyber-physical systems (including IoT/IIoT) and blended cyber-physical threats, he pointed out the associated security pain-points and nuances. Tackling each, he recommended pragmatic solutions leveraging CyberSecurity framework(s), threat model(s) and layered defenses by design, default and deployment across portfolio, process and people. One example was COBIT (“Control Objectives for IT”). By using its best
Cyber Security for Airports Summit: Fr Left to Right
• Ms Lee Siu Min, Thales, Singapore
First row • Delegate, Airports Company, South Africa • Delegate, Airports Company, South Africa • Mr Gurmukh Singh Bawa, Airport Economist and Former General Manager, Public Relations as Head of the Department, Airports Authority of India • Mr Biju Hameed, Head of Information Security & Compliance, Dubai International Airport, UAE • Delegate, Airports Company, South Africa • Mr Ilgar Aliyev, Technology Governance and Information Assurance, PoB FTZ, Azerbaijan • Ms Roanne Tang, Changi Airport, Singapore
Second Row • Rick Ville, Sales Consultant IT & Controls Services, Vanderlande Industries B.V, The Netherlands • Joni Karywawansyah, Airport Technology Network Operational Support, Angkasa Pura Airports, Indonesia Third Row • Harsha E Thennarasu, Chief IT Security Advisor, HKIT Security Solutions, India. • Dheeraj Chandwani, Business Manager – Cyber Security.
Asia Pacific Security Magazine | 45
Cyber Security National Security CYBER WEEK SINGAPORE Exercise Cyber Star
Participated by more than 200 professionals and executives, comprising sector leads and CII owners from the 11 sectors, and exercise scenarios covering various cyber attacks (e.g. web defacement, data exfiltration malware infections, ransomware, DDoS), the exercise tested CII owners’ incident management and remediation plans in response to these simulated attacks. Singapore’s Cyber Security Bill
CSA conducts Exercise Cyber Star 2016 and unveils new Cyber Forensics Laboratory . Demonstration of an Automated Malware Analysis Tool to Deputy Prime Minister, Mr Teo Chee Hean.
practices for governance and control process, he underscored how business and IT goals are linked, supported by the roles and responsibilities of business and IT process owners. Referring to the Maritime industry’s safety standards revamps post-Titanic, he likened cyber security measures to these safety approaches - threat detection and response, incident and business continuity processes and drills, incident escalation and crisis management - still very much relevant today for a strong cyber resilience.. Singapore Initiatives
Eleven CII sectors operators (formally identified across these sectors: utilities, transport, and services. (aviation, maritime, land transport, banking, energy, water, government, healthcare, infocomm, media, security and emergency) and CSA (Cyber Security Agency of SIngapore) will be implementing three tiers of response as set out in the National Cybersecurity Response
Plan - Tier 1 for cyber campaigns that threaten national security, Tier 2 for cyberattacks on a sector, and Tier 3 for cyberattacks on a specific operator. Further supporting the Singapore Cyber Security Strategy in the areas of CII’s Cyber Capacity are threat monitoring centres (Cyber-Watch Centre), simulation exercises (Exercise Cyber Star) and legislations (Cyber Security Bill): Cyber-Watch Centre (CWC)
Established by Infocommunications Development Authority of Singapore (IDA) (now known as Infocomm Media Development Authority) in 2007 as an example of a proactive defence-in-depth security measure, it monitors cyber threats to government networks and provides early warnings. To enhance the threat intelligence gathering functionalities, the centre will evolve to be a Government Security Operation Centre (SOC) through artificial intelligence and analytics smarts.
Panellists at the ISACA/CSA discussion forum on Singapore Cyber Security Bill, represented by ISACA and CSA, including ISACA President John Lee, seated third from left. Photo Credit: ISA
46 | Asia Pacific Security Magazine
To be introduced next year, the new bill will require CII owners and operators to take responsibility for securing their systems and networks. This includes complying with policies and standards, conducting audits and risk assessments, and reporting cybersecurity incidents. CII owners and operators will also be required to participate in cybersecurity exercises to ensure their readiness in managing cyber incidents. Following the initial drafting of the bill, a consultation process was opened to the public by Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA). As part of this process, ISACA (Information Systems Audit and Control Association, representing members in Assurance, Risk, Governance and CyberSecurity professions globally with 140,000 constituents and 2,200 members in Singapore) together with CSA organised a discussion forum on 24 Jul 2017 to provide feedback on the public consultation. Lasting two hours, and well attended by 80 members, the CSA directors opened the forum with an introduction of the Bill followed by a Q&A dialogue. The feedback formed part of the suggestions from the various stakeholders, including sector leads, potential critical information infrastructure (CII) owners, and the wider industry and public, to be studied by the government for presentation in Parliament in 2018.
The smartest tool in the cybersecurity toolbox:
By Alan Zeichick, Tech Editor, NetEvents

Humans can’t keep up. Humans can’t effectively handle the flood of malware attacks, zero-day exploits, phishing, patches, updates, weak passwords, ransomware, distributed denial-of-service (DDoS) and insider incidents that occur on enterprise networks. There’s too much data to absorb, and the patterns that might indicate a vulnerability or attack are too subtle.

Artificial intelligence (AI) to the rescue, in the form of expert systems, neural networks, and machine-learning algorithms. AI can be used to discover patterns in log and transaction data, and flag outliers. AI can be used to decide if email attachments are safe or malignant. AI can make predictions, using analytics to help a Chief Information Security Officer (CISO) and his/her teams stay one step ahead of hackers.

Without AI, everything from mobile devices to cloud services is at risk, believes John Michelsen, Chief Product Officer of Zimperium, which offers a mobile threat defense solution.

“You probably have no software on your device that is detecting whether or not the device is under attack,” said Michelsen. “To solve that problem, we took the philosophy of wanting to put a nervous system on that device. It would sense attack, so it would feel what it's like for it to be attacked, whether it's network connection, via apps, over Bluetooth, whatever the means you could attack that device. That lent itself to non-deterministic machine learning in AI based techniques.”

Zimperium’s z9 is effective against zero-day device and network attacks, and is the only machine learning-based engine capable of detecting previously unknown mobile malware on-device in real-time. It is being integrated with MobileIron’s security and compliance engine and will be available as a combined solution. This integration will address one of the most significant mobile security gaps faced by enterprises: the ability to detect device, network, and application threats and immediately take automated actions to protect enterprise data.

Monitoring the Payment Cards, Protecting Institutions

MasterCard, the credit-card company, is heavily invested in AI, explained Ron Green, the company’s Executive Vice President and Chief Security Officer. “We use AI or advanced analytics to do analysis for card transactions, things that cards are doing, either the cardholder or the users of the cards. It allows us to monitor for transactions that tend to be fraudulent, so we could predictively analyze and block or stop a transaction from happening.”

The upshot: “We are able to stop the attack before the attack becomes large scale. When a company faltered or failed and allowed a bad actor to get into its systems, we can see that something has happened in that environment and we can limit the damage that that company is exposed to,” he continued, saying that MasterCard’s AI can tell if a card processor or other business has been attacked based on the usage of its cards.
Automating What Humans Can Do

AI is also core to NETSCOUT, a leader in network and security analytics and application performance management – but as a helper to human experts.

“We have access to a lot of data,” said Gary Sockrider, Principal Security Technologist at NETSCOUT. “We take that data and we use it for defense, we use it for reconnaissance, we use it to understand what the bad guys are doing, we use it to help our customers, our clients, be successful in this war. How do we do that? We've taken this vast amount of data that we have access to and we put real humans in front of it, analyze it, and then we automate.”

Why use AI? Performance. “The automation allows us to scale and react faster,” he continued. “It's really about taking human intelligence and applying that in an automated fashion that is scalable, that's repeatable, and that's as fast as we need it to be. Of course, we continue to pursue that in every direction, we continue to grow the scale, we continue to grow the speed, continue to grow the algorithms, everything is fine-tuned continuously.”

Finding Patterns in Overwhelming Data

So much data, so much malware! That’s why Sophos, the anti-virus company, turned to AI, explained Anup Ghosh, Sophos’ Chief Strategist for the Next Gen Endpoint. “Artificial intelligence and machine learning are buzzwords, not silver bullets, and won’t solve all of our security problems. However, there are some very, very good use cases for their use.”

He continued, “The problem with sticking humans on a malware detection problem is it's not a good fit. Humans are good at making decisions, machine learning is very good at crunching very large data sets and recognizing patterns. You can't have a huge human team monitoring gazillions of false positives.”

“We developed models using deep learning that could train over very large data sets, on cloud infrastructure to be able to process very large data sets,” added Ghosh. “So we are very good at being able to use deep learning which is used by consumer facing companies like Google, Amazon Alexa, Apple and so-on in a security product. By very good I mean by performance measures of high detections of unknown threats, and that is the key. We wanted to solve the problem of how do you detect threats that were not previously known and that is where machine learning gave us a very good advantage.”

The real trick is handling false positives – that is, when the system claims to have found an attack or malware, when there was actually no danger. “Without a recognition for false positives you have an incomplete solution,” explained Ghosh. “We had to have a high detection of previous unknowns and extremely low false positives. By the way, that is the real trick for these kinds of [AI] solutions, is can you keep your false positives to negligible.”

Real-Time Decision Making

“When we really think about advanced attacks it's interesting to talk to red teams, which are basically teams that simulate attacks and figure out what they really do,” said Oliver Tavakoli, Chief Technology Officer of Vectra Networks, a cybersecurity company. “Once the attackers get inside, how do they sustain control, how do they move, how do they ultimately accomplish their goal? This often times looks more like a heist movie, a bank robbery of a vault where you have to go through a myriad of steps.”

That’s where AI can help pore through the data, he said. “We sit on a lot more data, we have the processing capability to process a lot more data, but it becomes impractical to have a user stare at this data, squint at it, and try and find patterns in it. Machine learning is very good at finding patterns, and depending on how complex the patterns are, you may have to go from the spectrum of something like Naive Bayes on the one hand to deep learning, where you're really building up what have historically been called neural nets.”

Ultimately, Tavakoli said, “Machine learning is a tool that can unlock patterns in large swathes of data and express them in a compact form and then allow you to hopefully, in real time, apply it to detecting something and making a decision.”
AI Can Hurt Attackers Too

Don’t forget that whatever good guys can do with AI, bad guys can do too, advised Roark Pollock, Senior Vice President at endpoint security company Ziften. The objective of defenders, therefore, needs to be: make the attack hurt the attackers by consuming a lot of their resources.

“We can use AI to start to make our adversaries feel more pain,” he said. “A lot of the investments in AI today are on how do I identify known bad malware? How do I identify known bad behaviors? We can flip AI and use it to identify what's wrong with our own infrastructure, harden that infrastructure, make sure our vulnerabilities are patched. If we can do that we increase the pain level on our adversaries and make it more difficult for them to get into our environments but we also increase their cost curve or increase their cost benefit analysis. So they may not choose to go after us with the same type of easy attacks and it's much more difficult and much more costly for them to go after us.”

Sooner or later, Pollock continued, the bad guys will start using AI in their attacks. “It's interesting we talk about the promise of machine learning or AI for us as an industry, but AI also holds a promise to our adversaries. It's a tool that can be used by both sides and at the end of the day this is potential for a stalemate if we're just using it to play a cat and mouse game. I think the real promise for AI is in our ability to use it to increase the strength of our software, increase our operating systems, all of the tools that we use in our infrastructure, our networking, all of the pieces that we build up our infrastructure with. If we can use AI to strengthen those tools and those pieces then at the end of the day we end up with a much more secure infrastructure going forward.”

Hackers and AI: All About the Money

At the end of the day, beyond state-sponsored cybercrime and terrorism, money will remain the motivation for many attackers, said Zimperium’s Michelsen. “Machine learning and other AI technology is agnostic to its use. Some people will use machine learning to defend their networks and on the other side of the coin people will use machine learning to get better and more efficient at stealing people's money.”

He continued, “There have been a lot of technology innovations in software testing including machine learning to find vulnerabilities in software. So really big software houses use this technology, the same kind of technology can be used to find vulnerability in other people's software, so you can exploit it. I don't think it's mainstream yet, I do think people who are looking at industrializing hacking for commercial purposes will definitely use AI technology because it makes them far more efficient.”
AI-on-AI Cybercrime and Cyberdefense

Sophos’ Ghosh agreed with Pollock’s concerns about adversarial AI. “Security companies are being dragged into adapting forms of AI, particularly machine learning, because of its ability of pattern recognition very well. However, I think what's really the driver here, if necessity is the mother of invention for the tech industry, I think money is the driver for adoption of AI and machine learning on the adversarial cybercrime side.”

Just wait a couple of years, Ghosh said: “In 12 to 18 months, we will see rapid adoption of machine learning for adversarial purposes. For example, we know spearphishing campaigns drive a lot of cybercrime and if you're in that business you've got infrastructure for developing botnets, you're leveraging micro targeting for malvertising, you're automating so much of this process and you are looking at conversation rates.”

That means, he said, “security companies which fight these bad guys will also have to adopt machine learning. Now you have an AI on AI scenario and it will also propel us forward to adopt machine learning for real time. So it won't be just enough to extract the pattern and say, here you go, human analyst, think about this. You will have to react at machine speed as well.”
Making Predictions and Striking Back

Vectra’s Tavakoli mentioned two more aspects of AI: predictive analytics and countermeasures. “There are two notions of predictive. One is trying to predict what vulnerabilities we have that haven't been exploited. There's a separate notion of trying to predict where an attacker will go next.”

He explained, “The latter is somewhat easier in the sense that as you build up data sets where you have seen attacks play out, when you see the first two strokes, it's like seeing the first two chess moves. You kind of have a sense of where this is likely to go in terms of the game of percentages. In terms of the AI versus AI side, we're fundamentally too far removed from it at this stage to predict what will break the stalemate. In some senses it's like all war, the side that not only has great tooling, not only has great technology, not only has a capability of using it but also has a capability of suppressing any qualms about using it in as a destructive way as necessary.”

Defenders are in a weaker position because they are defending their home turf while the attacker is attacking them on that home turf, Tavakoli added. “When the attacker will often times have very few qualms about collateral damage and yet you, since it is your home turf, will have those qualms. So this is an age old conundrum in terms of all kinds of physical battles and it translates into cyberspace as well. If you cannot really - if you don't know who the attacker is and you cannot strike back in their home territory, if you're purely defending yours, you will always be at a disadvantage and it will be hard to win that in an AI battle. So figuring out how to strike an opponent, not just in terms of stopping their offensive forces, but actually hitting them where it hurts, is the problem.”

Humans Can Keep Up – With Help

With hundreds of thousands of new malware variants appearing every week, with constant DDoS attacks, spearphishing attempts, and attempts to subvert networks, humans can’t keep up. It’s not a matter of intelligence, it’s a matter of scale. With artificial intelligence assisting human intelligence, we can process all the data — and make good decisions about attacks. It’s a solid combination.
NETEVENTS GLOBAL SUMMIT SILICON VALLEY, USA

By Chris Cubbage, Executive Editor

In late September APSM spent a week visiting San Francisco, San Jose and Silicon Valley, courtesy of NetEvents, attending the ‘Innovators in Cloud, IoT, AI & Security’ program at the Dolce Hayes Mansion, San Jose. During the three days we were driven through Silicon Valley, briefed on a range of new and emerging technologies and companies, and gained insights from a range of technology and industry focused panel sessions.

Tracking on the first stop

The drive through Silicon Valley started with a visit to Zebra Technologies, a company with US$3.6 billion in revenue, 6,500 employees and 4,600 patents issued and pending. Spending 10 per cent of sales on R&D has transformed this company from a manufacturer of barcode scanners into one working broadly across hardware and information technology systems and services. Key technology offerings still remain in barcode printing but the diversification has expanded across a range of verticals for mobile computing, data capture and printers. In your everyday life you are probably near a piece of Zebra hardware.

Enterprise asset management is a key theme Zebra conveys to clients, as their devices can be used for data capture and data analysis with a real-time approach to sense, analyse and act. The case study presented to the NetEvents group was the NFL and the insertion of tracking devices into the shoulder pads of every player in the league, including at training. These devices have a year-long battery life and operate in the 6 – 6.5 GHz range, tracking the player in real time and within centimetres of accuracy. Sitting inside the shoulder pad, the units are naturally wash and impact resistant. Each player is allocated up to 10 tag sets for each year and each device carries just 8 bytes of data. With three tags worn by each player, this is sufficient to provide their orientation, XY coordinates, speed and acceleration. These primary datasets then allow the contextualising of the data, with the other data sets being generated by the other players. Devices are now being inserted into the ball, so the full contextualised movement of a full NFL game, between players and ball, is captured in real time and analysed.

All data is fed back to a hub and the algorithms in the hub do the real time calculations, such as tactical schematics and performance. Local positioning systems around the stadium are hyper-timed and designed to operate as a standalone system with inbuilt redundancy. The Kinduct athlete management system also uses the data as part of a player management and injury prevention system. Now in its third year with the NFL, Zebra is looking to other markets including college football, rugby and hockey, and ball instrumentation has received interest from Australian and European sporting codes.

Next Stop: Netscout

Next stop was Netscout Systems, which announced its nGenius® Packet Flow eXtender (PFX) software for service assurance and cybersecurity monitoring. Built on the NETSCOUT ISNG® platform, the PFX software is designed to complement the nGenius Packet Flow System product portfolio and delivers real-time security assurance solutions. The disaggregation of software-driven packet broker functionality from the underlying hardware aims to provide highly scalable, cost-effective network visibility.

Brian McCann, President Security Business Unit, provided a briefing on Arbor Networks, a division of Netscout, and on the size, frequency and complexity of cyber attacks, in particular DDoS attacks. Service providers continue to be observed as being the most frequently attacked, with attacks of increasing volume and with corresponding application attacks, with volumetric attacks, using reflection and accentuation, being used to disguise these targeted application attacks. Arbor’s threat visibility provides real-time insight into the scale of attacks, with data for Australia, Singapore and Malaysia presented to demonstrate the scale and number of attacks occurring every day.
ZERO DAY MOBILE EXPLOIT DETECTION

Zimperium claims to be the first and only company to provide a complete mobile threat defense system that offers real-time, on-device protection against both known and previously unknown threats. The MTD (mobile threat defence) platform provides visibility, security and management of attacks on all three mobile threat vectors - Device, Network and Applications - for iOS, Android and Windows devices. Zimperium’s machine learning-based engine, z9, is reported to have detected 100 per cent of zero-day mobile exploits without requiring an update. With this unique machine learning approach, mobile user privacy is claimed to be protected at all times.
EMERGENCE OF LEAF-SPINE INFRASTRUCTURES

Apstra Inc. announced AOS 2.0, which brings together vendor-agnostic autonomous operations of an integrated underlay and overlay network infrastructure. This release includes automation of the entire lifecycle of VXLAN-based Layer 2 network services within and across racks. AOS 2.0 accelerates the process of migrating from legacy L2 data center infrastructures to modern Leaf-Spine infrastructures, with fully automated and integrated L3 underlay and L2 overlay. Support for L2 services across racks ensures that legacy applications work without any modifications, and support of the VXLAN protocol across various vendors provides choice in hardware. AOS 2.0 is enterprise-class and incorporates Role-Based Access Control (RBAC), in addition to HTTPS and headless operations, and commenced shipping in October 2017. AOS 2.0 provides vendor-agnostic telemetry and correlation between the overlay and underlay, and is compatible with VMware NSX and VMware vRealize Cloud Management. Worth a look!
HYPERCONVERGED SECONDARY STORAGE PLATFORM

Cohesity delivers hyperconverged secondary storage and announced the launch of Cohesity Orion 5.0, a storage platform that combines end-to-end data protection and big data storage on a distributed, infinitely scalable architecture. This latest version provides a backup solution and searchable archive for large amounts of structured and unstructured data. On a single platform, working across cloud and on-premises infrastructure, Cohesity Orion provides administration, reduced data copies, accelerated search and retrieval, and lower storage costs. A good case study involves a police department’s videos and how Cohesity’s role involved backing up the growing critical and mandatory-to-save data, from police vehicle and body cameras, and making these files instantaneously available upon request.

Ben Price, director of administrative and residential IT at the University of California, Santa Barbara said, “From backup to recovery, analytics to monitoring and alerting, Cohesity consolidated everything under a simple, easy-to-access user interface.”

In addition, Cohesity’s platform scales incrementally to cover companies’ overall storage needs as they increase or decrease, instead of requiring administrators to set up separate environments for each specific workload. It also eliminates the need to monitor and manage different architectures.

With the increasing size and diversity of data that organisations need to store, the use of separate infrastructures has led to massive inefficiencies. Copies of the same data accumulate on each point solution, and administrators must work across multiple user interfaces to handle separate data use cases. Cohesity Orion 5.0 tackles these inefficiencies by providing a platform for data protection and archiving through a single-pane-of-glass user interface. An indexed and searchable platform thereby gives IT administrators easier access and greater insight into their data and eliminates redundant copies. Cohesity Orion demonstrated linear, non-disruptive scaling through 256 nodes, 3 petabytes capacity, and 80 GB/s throughput in a test conducted by the Taneja Group.

ARTIFICIAL INTELLIGENCE & MACHINE LEARNING

Panel Discussion transcript takeaways: Anup Ghosh, Chief Strategist, Next Gen Endpoint, Sophos and Ron Green, Executive Vice President and Chief Security Officer, Mastercard

Anup Ghosh, Chief Strategist, Next Gen Endpoint, Sophos
I think we should be clear, artificial intelligence, machine learning, they're buzz words and it's not a silver bullet, it's not going to solve all of our security problems. However, there are some very, very good use cases for their use. One example is because of the volume of data that's available on certain types of threats like malware, there's effectively infinite - now they’re out there. The problem with sticking humans on a malware detection problem is it's not a good fit. Humans are good at making decisions, machine learning is very good at crunching very large data sets and recognising patterns. So, when we began our work it was actually part of a DARPA funded project in cyber genome which was essentially a math for the genome of malware. We developed models using deep learning that could train over very large data sets, taking advantage of things like AWS and [on demand elastic] cloud infrastructure to be able to process very large data sets. More importantly, we're able to realise a trained model in a very compact representation you could put on an endpoint. That is actually super important.
You have academic research in AI machine learning but if you're going to develop a product it's got to be consumable, it has to be operational in a real enterprise environment, which means you have no tolerance for false positives. You can't have a huge human team monitoring gazillions of false positives. We are very good at being able to use deep learning which is used by consumer facing companies like Google, Amazon Alexa, Apple and so on in a security product. By very good, I mean by performance measures of high detections of unknown threats, and that is the key. We wanted to solve the problem of how do you detect threats that were not previously known and that is where machine learning gave us a very good advantage. But without a recognition for false positives you have an incomplete solution. We had to have a high detection of previous unknowns and extremely low false positives. By the way, that is the real trick for these kinds of solutions, is can you keep your false positives to negligible. There is still a very high detection of previously unknown threats in a very compact representation. So that was what we figured out and what's going into SOPHOS's products today.
Ron Green, Executive Vice President and Chief Security Officer, Mastercard
We already have dedicated deployments and interest in artificial intelligence. You can look at our recent purchase or acquisition of Brighterion, it's an AI company to further build out our capabilities. We use AI or advanced analytics to do analysis for card transactions, things that cards are doing, either the cardholder or the users of the cards. It allows us to monitor for transactions that tend to be fraud or will go to fraud so we could predictively analyse and block or stop a transaction from happening. We actually have a capability we call SafetyNet, which in its analysis of what things are happening, we can tell if a processor or an organisation that has established card limits, that they've actually been attacked based on the usage of the cards. We're able to stop the attack before the attack becomes large scale. So as an example, if you recall breaches where a processor gets attacked and there's $14 million extracted from the accounts in over a weekend, we are able, through our network, our SafetyNet, to do that analysis on what's happening with the cards and we can stop the activity after it started. We even have reports from secret service agents who have done surveillance on card organisations, they're going out to do their cash out scheme, and they get some money out. Now some money will go out but we can limit - instead of $14 million in loss or multimillion dollars in loss, we can limit it to $50,000, about $100,000 in loss, because we can see the trend where these accounts are starting to go bad. We call it a SafetyNet because where the company faltered or failed and allowed a bad actor to get in, we can see that something has happened in that environment and we can limit the damage that that company is exposed to. Necessity is the mother of invention and technology companies are being dragged into using AI as the real driver for the tech industry, then money is a key driver for the adversarial and cybercrime side for use of machine learning.
The extent you can use machine learning to craft really good campaigns to get humans to click on links, including social media campaigns – then we may have an AI against AI and I do think we are rapidly moving to having machine learning adversarial activity. (Sophos).
AGGRESSION GROWING AND NEEDED FOR 5G
APSM sat down for a briefing from the Dell’Oro Group and an overview of investments being made into the 5G network expansion. According to Stefan Pongratz, an Industry Analyst with Dell’Oro, 5G has gone through a few cycles, with millimetre waves and high bandwidth infrastructure preparations, but it has since morphed and we’re starting to deal with the reality. It will be similar to other technology shifts in infrastructure and application, with sub-6 GHz macro deployments steadily gaining traction across the majority of the world by 2020, which will introduce sub-6 GHz ranges. China and Korea are driving the hardest. There will be commercial 5G deployment in the USA by Q4 (Oct – Dec), 2018. 2019 will be the year when things start ramping up in the USA.
China is becoming much more aggressive and by 2021 will be the leading and largest mobile infrastructure operating on the 5G bandwidth. China is spending billions of dollars in investment for large scale deployment with a much wider spectrum. The Ministry of Industry and Information Technology (MIIT) has bandwidth swaps of 200MGHz band and will provide persistent mobile performance. AT&T and Verizon have spent a lot of time and money investigating the bandwidth limitations and how to guarantee substantial improvement in performance. Investment in mobile networks in the USA peaked in 2011, and India is about six years behind the leading markets. It is projected that more than 90 per cent of the 5G market will come from China, Japan, Korea and the USA. Europe is seeking more proof cases and has invested in LTE (long term evolution) networks and tends to wait or roll out for macro hotspots, such as those observed in Stockholm and Helsinki. However, it is anticipated that 5G will be adopted at a faster pace than 4G was.
Virtualising the core will allow operators to personalise the networks as the applications change, including for connected cars, Augmented Reality and Virtual Reality. Over time, 5G coupled with new apps has the potential to foster greater participation in the technology industry and drive incremental investments for new use cases. Pongratz said, “We have the vision for technology, like Augmented Reality and Virtual Reality, but we still do not know when it will occur. Nokia had the vision for the smart phone in 1998 but it wasn’t until 2007 when it was released into the market. It may happen like this, that it won’t be until 2022 or could be 2035 until the new release of technology is realised.”
In comparison to the Mobile RAN Revenue vs Macro Units, revenue is similar to 2007/2008, a couple of years spent waiting for new things to happen, which ultimately proved to be the LTE market. 60 per cent of the world is now covered by LTE, so we have deployed the infrastructure and there is limited growth left. This is resulting in a decline in revenues, which will continue and stagnate for the next couple of years. From the vendors’ and service providers’ perspective, currency-adjusted mobile revenues will remain flat, and if capital expenditure reduces, the need for aggressive investment in 5G will be paramount and increasingly competitive across the global regions as the mobile market matures.
[Slide: The Evolution of Security Assurance Services. Labels: Scaling, Agility; Appliances & Software; Cloud (SaaS) Software; Horizontal Scalability (Containers); Broader TAM, SaaS Offering for Enterprise. ©2017 Arbor]
The Asia Pacific Security Magazine is published bi-monthly and features news, articles and promotes partner events from across the region, i...
Published on Nov 8, 2017