Asia Pacific Security Magazine, Sep/Oct 2018


THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com

SEP/OCT 2018

India’s NRC anarchy

Lessons from the Bangladesh attack

Ongoing trends in cyber defence

Data Protection and Privacy: perspectives from Facebook, Google, Apple

Law Society of Singapore Cyber Security Conference

Digital Consumption habits of Singaporeans

Australian Schools, Cyber Security & Data Protection

PLUS Tech Review: Vive HTC Pro


AUSTRALIAN SECURITY READERS SWITCH TODAY AND SAVE 20%* ON YOUR LIFE INSURANCE

Outstanding Value Direct Income Protection 2016 (Canstar award)

No advisers fees. No surprises at claim time. Canstar award-winning insurance. Customer satisfaction score of 95.8%#. Tailored offer for Australian Security readers.

Call NobleOak for a quote: 1300 108 490 and mention ‘AUSTRALIAN SECURITY’ or search NobleOak Professionals to switch and save.

nobleoak.com.au/professionals

*Important information. Please contact NobleOak to verify your actual premium and to apply for cover on 1300 108 490 which will take into account your age, occupation, sum insured, health and pastimes. The savings quoted are the average savings when comparing NobleOak’s premiums for its Term Life cover under NobleOak’s Premium Life Direct to the average cost of Term Life insurance products offered by other Life Insurance companies, including products available directly from the insurer (24 products from 12 insurers included in this comparison) and those available for purchase through a financial adviser or broker (10 products from 10 insurers included in this comparison). The premiums are based on a non-smoking Australian resident with a Life Insurance sum insured of $500,000 at 5 year age bands from age 30 to 65 for advised products and 30 to 50 for direct products. In many cases the saving for an individual is higher than the 20% average saving quoted. Life Insurance rates for insurers, including NobleOak, may change in the future and this could change the outcome. The premium comparison was undertaken in March 2018 based on published premium rates. Legal statements. Premium Life Direct is issued by NobleOak Life Limited ABN 85 087 648 708 AFSL No. 247302. Address: 66 Clarence Street, Sydney NSW 2000. Phone: 1300 108 490. Email: sales@nobleoak.com.au. Cover is available to Australian residents and is subject to acceptance of the application and the terms and conditions set out in the Premium Life Direct Product Disclosure Statement (PDS). This information is of a general nature only and does not take into consideration your individual objectives, financial situation or needs. Before you purchase an insurance product you should carefully consider the PDS to decide if it is right for you. The PDS is available by calling NobleOak on 1300 108 490 or from www.nobleoak.com.au. Clients should not cancel any existing Life insurance policy until they have been informed in writing that their replacement cover is in place. NobleOak cannot provide you with personal advice but our staff may provide general information about NobleOak Life insurance. By supplying your contact details, you are consenting to be contacted by NobleOak, in accordance with NobleOak’s Privacy Policy. #2018 client survey by Pureprofile.



RECOGNISING EXCELLENCE

#securityawards 2018

The Australian Security Awards Ceremony & Dinner

Organised by: Australian Security Industry (ASIAL)

The night is an opportunity to celebrate excellence and innovation in the security industry, and network with like-minded security professionals.

www.asial.com.au/securityawards2018

Date: Thursday 18 October 2018 | Venue: Sydney’s Doltone House Hyde Park

Entertainment Sponsor and Lead Dinner Sponsor: (logos)



PRESENTING THE 4TH ANNUAL

National Policing Summit

Leadership, Strategy and Modernisation

17 – 18 September 2018 | Hyatt Hotel, Canberra

PRESENTATIONS FROM:
- Marianne Vosloo, National Manager of Technology and Innovation, Australian Federal Police
- Pat Burke, Operations Manager Privacy & Law Enforcement Compliance Team, Apple USA
- Chris Dawson, WA Police Commissioner
- Deputy Commissioner Steve Gollschewski, QLD Police
- Assistant Commissioner Debbie Platz, National Manager Crime Unit, Australian Federal Police & President of Australian Council of Women and Policing (ACWAP)
- Michael Phelan, CEO, Australian Criminal Intelligence Commission
- Assistant Commissioner Erin Dale, Strategic Border Command, Australian Border Force
- Assistant Commissioner Michael Corboy APM, Traffic and Highway Patrol Command, NSW Police

SPECIAL RATE for Police/Gov/NFP – Save $1100

REGISTER NOW www.informa.com.au/natpolicesummit


PRESENTING THE 2ND ANNUAL

RISSB Rail Cyber Security Conference

Threats and opportunities of a digital railway

11 – 12 September 2018 | Hotel Jen, Brisbane

INSIGHTS FROM SPEAKERS INCLUDING:
- Lynn Moore, Acting First Assistant Director General, Engagement, Operations and Intelligence, Australian Cyber Security Centre / Australian Signals Directorate
- Dr Kenneth Radke, Control Systems Team Lead, Technical Operations, CERT Australia
- Pablo Carpay, First Assistant Secretary, Critical Infrastructure Security, Department of Home Affairs
- Sebnem Kürklü, Cyber Security Manager, Aurizon
- Andrew Quill, ICT Manager, TasRail
- Simon Foster, Executive Director, Technical, ONRSR
- Lee Charnock, Signalling Engineering Manager, Metro Trains Melbourne
- Dr Ernest Foo, Senior Lecturer, Queensland University of Technology (QUT)
- Rachael Falk, CEO, Australian Cyber Security Research Centre
- Prof Peter Campbell, Honourary Professor for Infrastructure Systems, SMART Infrastructure
- Eugene Ostapenko, Manager Information Security, Business Services Group, VicTrack
- Duncan Unwin, CEO, Tobruk Security

FEATURING:
- EXTENDED INTERACTIVE WORKSHOP SESSIONS: Consolidating learnings
- GUEST SPEAKER: Steve Sammartino, Futurist and Business Technologist
- CONFERENCE DINNER: Exclusive networking opportunity to connect with colleagues and associates

REGISTER NOW www.informa.com.au/rcs18

Australian Cyber Security Magazine | 7


NCT Asia

A Vision of IB Consultancy

Conference, Exhibition, Demonstration

9-11 October 2018 | Sheraton Hanoi, Vietnam

The world’s most successful CBRNe event series is heading back to Vietnam for the 11th edition of NCT Asia! Taking place at the Hanoi Sheraton Hotel from 9-11 October 2018, NCT Asia will be organized in partnership with the Vietnamese People’s Army Military Medical Department and with the support of the Vietnamese Agency for Radiation and Nuclear Safety (VARANS) and the Vietnam National Mine Action Center (VNMAC). Following attacks using chemical agents in neighbouring Malaysia last year, the Vietnamese are investing heavily in preparation for CBRNe incidents. Vietnam itself has made many strides in overcoming a long history of landmine and explosive remnants of war (ERW) contamination, and can provide key insights from lessons learned in CBRNe defense and response. There is no better place to be in the Asia region than Vietnam!

NCT Asia 2018 will kick off with a live capability demonstration on the first day of the event, followed by two days of parallel conference and workshop streams. The event will also feature an exhibition tour of leading CBRNe industries. The conference and workshops will cover a wide range of topics in the field of CBRN, C-IED and EOD including: countering the IED threat in the Asia region; UXO and landmine clearance in post-conflict zones; and CBRNe capability development in South East Asia. The partnership with the Vietnamese People’s Army and the support of VNMAC and VARANS will bring together high-level decision-makers, experienced first-responders and industry leaders from all over the region! NCT Asia will again be the must-attend CBRNe event in Asia this year!

www.nct-asia.com


Contents

5 Editor's Desk
12 The importance of soft skills in security
16 Lessons from the Bangladesh attack
18 Three things businesses need to know
20 Australian Government - The state of Cyber
22 The security implications of an aging population
30 India's NRC Anarchy
34 The Law Society of Singapore, Cyber Security Conference 2018
38 Data Protection and Privacy
41 RSA APJ 2018 - Cyber Security Highlights
44 Vive HTC Pro review and developer thoughts
50 Australian Schools, Cyber security and data protection
52 The ongoing trends in cyber defence
54 Insider threats: Operational, tactical and strategic insights
56 Bad things come in small packages
58 Stuff GDPR
61 How Quantum cyber security can make data breaches irrelevant
62 Reinventing and scaling the SOC with AI
64 Cognitive bias in security
68 Applications of advanced data analytics
72 TechTime
78 Report review
79 Book review

Editor ASM: Chris Cubbage
Editor ACSM: Tony Campbell
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiancybersecuritymagazine.com.au

SUBSCRIPTIONS FOR AUSTRALIAN SECURITY MAGAZINE
T | +61 8 6465 4732
subscriptions@australiansecuritymagazine.com.au

Copyright © 2017 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E | myteam@mysecuritymedia.com
www.mysecuritymedia.com

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US

www.facebook.com/apsmagazine @AustCyberSecMag

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia

Correspondents* & Contributors

Jane Lo*, Lionel Snell, Danielle Surname, Elliot Dellys, Keith Suter, Shannon Sedgwick, Jason Hilling, Guillaume Noé, Jaheer Abbas, Sarosh Bana, Bennet Ring, Federica Bisio

Also with Milica D. Djekic | Vikram Sharma | Nigel Hedges | James Jordan | Pip van Wanrooij | Alan Zeichick

www.asiapacificsecuritymagazine.com | www.aseantechsec.com | www.drasticnews.com | www.chiefit.me | www.youtube.com/user/MySecurityAustralia | www.cctvbuyersguide.com



Editor's Desk

“It’s never too late to make good trade policy. But I will say this: The world trading system is broken. Trump is “dead serious” in his determination to push China to change its trade policies.” - Larry Kudlow, director of the White House’s National Economic Council, 7 September 2018

It has been great to spend some time in Singapore and Kuala Lumpur over the last week, including attending Cyber Security Asia 2018 in KL and the second Cyber Risk Meetup in Singapore. My trip came off the back of the 50th ASEAN Economic Ministers’ Meeting in Singapore, which is the Association of Southeast Asian Nations (ASEAN) chair this year, hosting the annual series of meetings at the Shangri-La Hotel. In his opening speech, Prime Minister Lee confirmed that strengthening regional economic cooperation and integration is key for ASEAN to fully realise its potential. This includes progressing the implementation of the ASEAN Economic Community (AEC) Blueprint 2025, as well as supporting an open and inclusive multilateral system amid growing trade conflict. Despite the trade uncertainty raised by the USA and China trade war, ASEAN leaders also agreed to work on the Digital Trade Standards Cooperation Initiative - a joint development by ASEAN and Australia. The same week also saw Australia and Indonesia conclude an agreement of closer economic engagement, signing the Indonesia-Australia Comprehensive Economic Partnership Agreement (IA-CEPA) designed to drive growth for Australian business by creating new opportunities in Indonesia. Australia’s Minister for Industry, Science and Technology, Karen Andrews said “Under this agreement, over 99 per cent of Australian goods exported to Indonesia will either be duty free or enter under significantly improved preferential arrangements by 2020.” Underlining the importance of the deal, Australia’s newest Prime Minister, the sixth leader for the country in a decade, ensured he kept with Malcolm Turnbull’s commitment to attend. Worth noting also, Scott Morrison has banned Chinese companies from supplying equipment for Australia's 5G network and eliminated the ministries of Innovation and Cyber Security in his Cabinet reshuffle.

Without too much surprise to those who remain cynical over the North Korean leader’s summit, US President Donald Trump has cancelled a planned trip by Secretary of State Mike Pompeo due to insufficient progress toward ending North Korea's nuclear program. Leon Panetta, a former defence secretary and CIA director under President Obama, said he is "very worried" about the situation with North Korea following President Trump and Kim Jong Un's "failed summit" that was "doomed to failure.” “The problem is that in many ways it was doomed to failure from the beginning because there was never the preparatory work that has to be done prior to a summit meeting," Panetta said about the meeting between the two leaders in Singapore. “They shook hands; they exchanged words. When the balloons went away, when the confetti went away, there was nothing there to require the North Koreans to do what was necessary in order to denuclearize,” Panetta said on US television show "This Week."

Amongst a jam-packed edition promoting the region’s best security and technology events, we have special reports on India’s registration of citizenship being undertaken by the government in the north-eastern state of Assam, which has determined four million people to be illegal immigrants. We also have a number of reports from Singapore Correspondent Jane Lo, including her interview with Australian Cyber Affairs Ambassador Dr Tobias Feakin and former Head of Security and CISO at the Bank of England Don Randall, MBE, as well as insights gained from the Law Society of Singapore Cyber Security Conference. We also retain selected articles from last month's Australian Security Magazine, including Dr. Keith Suter’s article on the security implications of an aging population. And on that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Sincerely, Chris Cubbage CPP, CISA, RSecP, GAICD Executive Editor


Cyber Security

The importance of soft skills in security

By Nigel Hedges

As information technology professionals, the majority of us have experienced or at least heard of the stereotypes of IT people. You need only watch a few episodes of The IT Crowd to get a sense of this. Even in current times, there is a continued perception of poor communication skills and business alignment. I’m sure we’ve all heard terms linked to information security personnel, such as “road blocker”, “corporate fun police” or “project inhibitors”. However, the information security industry as a whole has been quite proactive in wanting to change this view. Gartner’s Security and Risk summits have highlighted repeatedly for years now the drive towards Information Security as a business-aligned ‘enabler’.

Why is it important?

No matter how much subject matter expertise or knowledge we gather, if we do not spend time on improving our ability to communicate, our value can be diminished. The ability to create a difference for yourself, your team and your organisation may be limited. Soft skills are going to be an important and genuine part of gaining success and opportunity in your information security career. Ignore them no longer! Even experienced professionals can do with regular soft skills refreshers to shake off acquired bad habits. The good news is that soft skills are not only the domain of people born with a natural gift, or of regular presenters on the Australian information security conference circuit. There are many things that can help you develop soft skills, but here are 7 introductory things you can do to start improving your own soft skills as you interact in the information security industry.

1. Be humble and aware of your personal flaws and strengths

It’s easy to be noble about being imperfect. It’s another thing to actually do something about it. Often, when we are provided constructive feedback about our flaws there is a possibility of taking this personally. Very few actively enter the uncomfortable personal zone of trying to change our negative behaviours. For such a long time, it was possible for technical people to succeed simply based on technical skills; this is no longer the case. Getting constructive feedback (a.k.a. ‘areas for improvement’) should not be seen as a personal failure. If you find yourself talking about blame or denying feedback, you will have to ask yourself: if I need someone to blame, am I ever truly in control of my situation? This ability to be self-aware is a critical and fundamental step to many other soft skills advancements. All feedback (even feedback that is delivered poorly) should be viewed as a platform to extract personal learnings, and if you develop an appreciation and gratitude for any and all feedback you get, it’ll make it easier to take.

2. Accept that you don’t have to be a carbon copy of someone in the industry

There are great role models out there showcasing fantastic soft skills. They’re blogging, showing up on TV interviews, and seated at conference keynote discussion panels. These folks are to be commended for their contributions. You do not need to emulate their interests in order to be successful. Instead you should embrace your own passionate areas of cybersecurity, topics you are interested in. You will find that people will be drawn in and interested in something you can speak passionately about.

3. Don’t forget what you’re here to do

Information Security is now recognized as such a vital and important part of the success of the organisation. However, and I hope this doesn’t come as a surprise, it is not the most important thing – the business is. This is not the time to get complacent. Stay focused on being business aligned and seek collaboration opportunities with the business when you can. We should be humble in the face of the growing importance of our expertise by not forgetting the adjacent importance of being business centric.

4. Be open to thinking differently

Critical thinking has served us since our ancestors were dwelling in caves and avoiding being eaten by large, clever animals. However, critical thinking is an often over-utilized skill. Being a ‘negative nelly’ about other suggestions and input can stifle creativity, innovation and openness. The well-known educator Edward De Bono called this ‘black hat’ thinking. In his book Six Thinking Hats he describes a mental framework (using 6 different coloured hats) for processing information in different ways. This includes optimism, gut-feel reactions, listing facts, creativity and of course critical thinking. It is an example of something that can teach us to not always interpret information in a one-dimensional way.

5. You can’t do this alone. Work better with other people

Stephen Covey in his book 7 Habits of Highly Effective People wrote that humans follow a path of maturity:
- Dependence (infancy)
- Independence (adolescence and early adulthood)
- Inter-dependence

Relying on peers and work colleagues is a great way to get complex things done.

6. Things aren’t always going to go according to plan

Not all communication exchanges go the way we want them to. You’ll aim to make more positive exchanges than negative ones and learn from the ones that didn’t go so well. Ask yourself, do you contribute to constructive, positive meetings? Do you get worked up when your ideas get shot down? Do you feel your recommendation to use a particular technology was shot down by the team? It’s important to become self-aware of these things, as a first step to doing something about it. Some security professionals feel that they have lost a fight when the business will not agree to a security recommendation. Ultimately, the business gets to decide and own any risk that they accept. It is important that no one leaves a meeting where ownership for a decision is in doubt. If you leave a meeting without ownership, it means there has been a lack of accountability on all parts. It can be frustrating when your plans do not get accepted by peers. It’s important to note that conflict is a natural part of our work environment and is healthy, so long as messages are sent and received in an assertive manner. Complaining to sympathetic peers to blow off steam in the background is passive aggressive and not too helpful. Blowing up in a meeting and storming out is aggressive. When decisions do not go our preferred way, there is nothing wrong with letting people know – provided it’s done respectfully.

7. Let Management / Promotion / Opportunity come to you

An incentive for developing soft skills is that it leads to career progression and opportunity. Be careful not to adopt a ‘fake front’, such as putting on an act. This is ultimately not going to work. It’s also very draining when you’re spending energy to put on a personal front. By setting out to make small, incremental improvements in soft skills, those opportunities will naturally come when you’re ready. Some people get complacent once they get promoted to managerial positions in information security, and this can be very risky. Personal Leadership is about knowing when to lead, and when to follow. You should continue to learn from anyone you come in contact with. Managers today are leading less and less through hierarchical power positions, and more as colleagues. Being willing to follow your peers regardless of their position is a strong reflection of leadership.

Where to next?

Attending information security conferences and watching panels and presentations is a good way to see how people apply soft skills. These are people in our industry who have already set themselves a personal challenge to improve their ability to communicate their ideas and opinions. It also gives an opportunity to network and meet people outside our work place. Make a pact with yourself to say hello to at least one new person and engage in conversation about why they are there, what they do, and what they intend to get out of the conference. One other advantage is conferences give you lots of interesting material to go back and share with your immediate peers and other colleagues. Another suggestion can be to see if your information security management will encourage meeting with peer organisations and meeting other people in similar roles. It often provides a great way to compare notes in a non-threatening way, while practising your communication skills. Here’s a list of skills you can research on Google, and if you are really keen you can drop the article's author a line for a list of Amazon Kindle books that are worth looking into.

List of Skills to research:
- Emotional Intelligence Skills
- Cultural Awareness Skills
- Customer Service Skills
- Lateral Thinking
- Interpersonal Skills (MBTI, DISC)
- Teamwork Skills
- Meeting Skills
- Communication Skills
- Presentation Skills
- Negotiation Skills
- Conflict Management Skills
- Personal Leadership

About the Author

Nigel Hedges is a 20-year veteran in the information security industry. He has spent a number of years on both sides of vendors and end-user organisations. In most recent years he serves as the Senior Security Architect at a large national retailer. He has a number of industry certifications including CISA, CISM, CISSP, CGEIT, CRISC, CCSK, ISO27001 Lead Auditor & Lead Implementer, SABSA Foundations. Nigel also holds a Master of Business Administration from La Trobe University, and is midway through a Master of Cybersecurity. He can be reached at: nigel.hedges@reece.com.au


INTRODUCING OUR MEDIA CHANNELS

Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

- Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies
- Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications
- Your one-stop shop for all things CCTV, surveillance and detection technologies
- The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations
- Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 30 interviews and provides regular updates, news, trends and events. Available via Apple & Android

TUNE IN NOW!


Lessons from the Bangladesh attack

By Jane Lo

Don Randall

On 4th February 2016, a Thursday, a day before Bangladesh’s weekend kicked off, 35 fake transactions from the Bangladesh Central Bank were sent in a matter of hours. The entire attack cycle, stretched over the next few days, ended when the funds reached the final destination on Monday 8th February 2016, the first day of Chinese New Year in the Philippines. The investigation of “TTP” (tactics, techniques, procedures) revealed other attacks with similar characteristics – $12 million stolen from Ecuador's Banco del Austro in 2015, and a foiled attempt at Vietnam's Tien Phong Bank in May 2016. Today, there is still no word on who was responsible, and Bangladesh Bank has retrieved only about $15 million, mostly from a Manila junket operator. What lessons can we learn from the Bangladesh attack? We spoke to Don Randall, MBE, who was Head of Security at the Bank of England in 2008, and the Bank’s first Chief Information Security Officer in 2013. Today, he continues as the Cyber Ambassador in various commercial areas.

Tell us a bit about your experience in the private and public sectors?

I served with the City of London Police from 1969 to 1995, with specific emphasis on fraud and counter terrorism, before 13 years at JPMorgan Chase as Managing Director for International Security Manager for Europe, the Middle East, Africa and the Asia Pacific regions. I joined the Bank of England in 2008 and was appointed the Bank’s first Chief Information Security Officer (CISO) in 2013. The CISO role undertook 4 functions: Policy and Standards, Intelligence Investigation and Forensics, Education, and Support for the “CBEST” program, a framework defined in consultation with Her Majesty’s government.

What are some of your key observations from your security experience in relation to economic crime?

A time period spanning weekends and public holidays such as Christmas is when the window of opportunity to commit fraud is greater. Differing time zones, cultures and attitudes widen this window of opportunity. We saw this activated in the Bangladesh attack over an international weekend. The timeliness of response was complicated not only by time zone differences but also by asynchronous workweeks between Bangladesh and New York. And the attack was perfectly timed during a holiday period when significant fund flows into the casino accounts were not unexpected, and so it was not disrupted at the end of the chain. A central point for intelligence gathering is also critical to understand potential threats and attacks, and to respond and remediate effectively. At the Bank of England, I was also tasked to form the first ever Information Security Division. In partnership with the Information Technology Department, we set up a Security Operation Centre (SOC).

What does Cyber Security mean for Central Banks?

The Bangladesh attack illustrates the need to have robust controls to secure the payment systems. Market sensitive information, such as research that forms part of the decision-making behind monetary policy, has the potential of influencing the market, and also necessitates appropriate security policies and procedures.

What has the UK financial sector done to strengthen its Cyber Security?

In response to the growing need to protect national security and safeguard the public online, the UK’s Cyber Security Strategy was created in 2011, and subsequently in 2016, the UK’s National Cyber Security Centre (NCSC) was launched. NCSC brings together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure, and is a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents. The CBEST framework, mentioned earlier, replicates behaviours of threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. One way of gathering threat intelligence relevant to the UK financial services sector is through working with the NCSC.

What can we learn from the Bangladesh attack?

The key to successful prevention, detection and subsequent prosecution is to practise fundamental Cyber Hygiene, and to understand the motivation of the attacker. To elaborate on the latter: primarily, people commit crime for three reasons. One is they need to; they’re cash-strapped, poverty-ridden and in such a bad state that the only way to go forward is to cross the line and commit a crime. The others are the greedy, script kiddies who are in pursuit of peer recognition and want the power of the hacker, or those with an alternative motivation, the likes of terrorism. Making away with large sums of money was an obvious outcome in the Bangladesh attack. Digital forensics may help to uncover the digital fingerprints of the perpetrators. But more powerful is for us to understand the motivation, which could help us identify if it is the work of a syndicated crime group, a state actor, or a professional hacker.

What should we do more to implement better security measures?

The question that we also need to address is whether we can build better security between issuing, transmitting and receiving organisations. The key to this is information sharing with trusted parties, across both public and private sectors. We need to do more information sharing on threats, and also on the knowledge of adversarial tactics, techniques, and behaviour. Sharing information is important to allow early detection and rapid response, and also in investigation and attribution. As we increase internet usage, the attack surface increases. Studies have shown that almost all users in the developed countries use the internet and usage has grown significantly in other countries and this trend will continue, so it’s imperative for countries to work together and combat the ever-growing problem.

How do you go about practising this during your 50 years of law enforcement experience?

Through founding various public-private security partnerships. For example, the Cross-Sector Safety and Security Communications (CSSC) partnership - a timely, accurate and authoritative law enforcement partnership. This was successfully used before and during the Olympic Games 2012 and Commonwealth Games 2014, and across all major UK cities. There is an absolute necessity to share information, and working in partnership across the public and private sectors allows for a more effective exchange of information for successful prevention, detection and subsequent prosecution.

How has Singapore adopted some of your work?

In 2004, I founded Project Griffin, a security partnership between the public and private sectors within the City of London. This brings together and coordinates the resources of the police, emergency services, local authorities, business and the private security industry in the event of a significant threat or incident. In Singapore, it has been adapted as ‘Project Guardian’. The annual “Exercise Heartbeat”, a counter-terrorism exercise, is an example of the collaborative efforts across the public and private sectors. ‘Project Guardian’ is also an example of the national forums and initiatives for information gathering and sharing recommended in the “Singapore Financial Industry Baseline Security Guidelines (June 2013)”, published by The Association of Banks in Singapore.

Australian Cyber Security Magazine | 17


Three things businesses need to know about the digital consumption habits of Singaporeans

Attributed to: Jaheer Abbas, Senior Director, SEA & India at Limelight Networks. Adapted from: https://www.limelight.com/blog/state-of-digital-lifestyles-2018/

It is no secret that we are becoming increasingly dependent on technology and our digital devices as a source of information and entertainment, and to simplify everyday tasks. Recently, Limelight Networks released its State of Digital Lifestyles 2018 report, based on market research conducted on 5,000 consumers in ten countries including Singapore, Malaysia and the United States. The report found that more than half of Singaporeans surveyed said they could not go a day without their mobile phones, confirming many traits of local consumers’ dependence on and usage of digital devices. As digital devices become a more integral part of our lives, expectations and frustrations continue to rise. Here are three things about the Singaporean consumer that businesses need to know in order to engage with them more effectively across multiple touch points.

1. Singaporeans are very technologically savvy, yet trust and security concerns deter adoption

The adoption of digital assistants, such as Google Home and Amazon Echo, has been on the rise in Singapore, albeit still in its early stages. According to our findings, 14 per cent of Singaporean respondents own a digital assistant, five per cent below the global average of 19 per cent. The main hurdle to adoption is not a lack of availability or awareness of the benefits, but that consumer trust levels remain low: only 35 per cent of Singaporean consumers fully trust digital assistants to provide general information, and this figure gets even lower when it comes to trusting assistants for online shopping and home automation. Consumers are becoming increasingly conscious of the security of their online environments, and this translates into a rising demand for the businesses they engage with to be sufficiently prepared to thwart attacks. Winning over and maintaining consumer trust is a constant challenge that businesses need to overcome, and it is of key importance not only for technology providers. In the age of growing cyberthreats, businesses need to diversify their cybersecurity solutions to mitigate attacks of increased frequency, sophistication and size. This could include adopting a multi-layered security approach and taking advantage of a Content Delivery Network (CDN), in addition to a cybersecurity solution, to buffer volumetric attacks. Most importantly, these efforts need to be communicated to customers to raise trust and, eventually, engagement levels.

2. Consumers get frustrated when they encounter disruptions in the digital experience

We found that more than 92 per cent of Singaporeans find it frustrating to access digital content, especially when content stops playing and rebuffers, and when the experience is disrupted by errors. Younger consumers, in particular those between the ages of 18 and 45, expressed frustration in such scenarios. What this means for businesses is that they need to deliver consistent, high-quality viewing and content experiences with low buffer rates across multiple digital devices, providing the experience consumers expect without the frustrations that cause them to abandon content. This can be mitigated by continuous monitoring of a user’s connection and optimising how content is delivered based on real-time analysis. The use of a CDN can also help ensure a high-quality experience, and is especially useful when businesses require broadcast-quality content to be delivered at global reach and scale.

3. Singaporeans are among the least likely to pay for digital content, especially when it comes to movies and shows

According to the research, although consumer engagement with digital content is growing, most are unwilling to pay to access content. This is particularly true in Singapore, where consumers are among the least likely to pay for content, primarily because they remain unconvinced that paid content provides them with a far superior level of quality. With a multitude of options available to consumers when it comes to streaming services, focusing on the content offering alone is no longer enough. Businesses need to do more to improve the quality of content and the overall user experience to stand out from the competition and compel consumers to opt in to their content.

Charting the way forward in digital for businesses

In conclusion, it is now more important than ever for businesses to provide the best possible online experiences to meet the growing expectations of consumers. This includes providing quality content delivery across as many mobile devices as possible, whilst ensuring security, thereby encouraging consumer confidence and their affinity with the business.



Cyber Security

Australian Government: The state of cyber

“Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests.” (MP, n.d.)

By Shannon Sedgwick

Amongst the never-ending acronyms of Canberra’s public service are the government agencies and departments that guide the direction and implementation of the Australian Government’s cyber security strategy: the Australian Signals Directorate (ASD) and its subsidiary the Australian Cyber Security Centre (ACSC), the Attorney General’s Office, the Department of the Prime Minister and Cabinet (PM&C), the Department of Home Affairs, CERT Australia, and the Department of Defence (DoD). The collective aim of these agencies and departments is to improve the resilience and cyber security posture of the Australian Government, private industry, and its citizens. They are the first line of defence for Australia in the protection against cyber criminals, espionage, and insider threats. There are unique challenges faced by these organisations, and I will shed some light on these challenges and on the progress of our government’s cyber security strategy since its introduction in 2016 (The Department of Prime Minister and Cabinet, 2016).

The 2016 Australian Cyber Security Strategy addressed five key goals:
1 – Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership;
2 – Australia’s networks and systems are hard to compromise and resilient to cyber attacks;
3 – Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence;
4 – Australian businesses grow and prosper through cyber security innovation; and
5 – Australians have the cyber security skills and knowledge to thrive in the digital age.

These five goals are laudable fundamentals for which to strive. One of the main issues in achieving them is that the Cyber Security Strategy did not address exactly how it was going to implement these plans or quantitatively measure its progress. The Strategy breaks the five goals down into 33 separate action points, which may prove unwieldy. A better approach would be to identify the essential action points and prioritise them according to the severity of their risk to the overall five goals.

Australian National Audit Office (ANAO) audit reports of various federal agencies make it clear that the government has more work to do in the implementation of its Strategy Action Plan. The ANAO found that the majority of the agencies it audited did not meet the mandatory standards set by the ASD in April 2013, the Top 4 Mitigation Strategies. The Top 4 are a subset of the ASD Essential Eight, which will soon replace the Top 4 as the minimum standard that Australian Government agencies must meet. The Essential Eight are:
1. Application whitelisting
2. Restrict administrative privileges
3. Patch applications
4. Patch operating systems
5. Disable untrusted Microsoft Office macros
6. Multi-factor authentication
7. User application hardening
8. Daily backup of important data

The only agency in the ANAO’s purview considered “Top 4 compliant” and “resilient” was the Department of Human Services (DHS). The Australian Taxation Office (ATO) has since achieved Top 4 compliance too. Whether compliance with the ASD’s Top 4 or any other government regulation signifies that an organisation is cyber-resilient is arguable. When too great a focus is placed on compliance, it can create a “tick the box” culture instead of addressing the principal risks and threats to an organisation’s assets. The ANAO hit the nail on its proverbial head in its recent Performance Audit Report describing what makes an organisation “cyber-resilient”: “cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.” (Australian National Audit Office, 2018)

One could be forgiven for not fully understanding which government advice to follow. There is a plethora of different advice and regulations to which industry and government alike can subscribe and align themselves: ASD Top 4, ASD Essential 8, ASD Top 35, Australian Information Security Manual (ISM), Australian Defence Security Manual (DSM), ISO 27001, National Institute of Standards and Technology (NIST) Cyber Security Framework, PCI-DSS, Notifiable Data Breach (NDB) Scheme, and the list goes on. Therein lies another problem. An overabundance of security advice can lead to confusion and cause organisations to either do nothing, over-compensate, or attempt to comply with an ineffective mix of national and international standards.

A lack of budget allocation may also be to blame for the slow progress in increasing cyber security maturity, with $230 million earmarked for Australia’s Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has allotted A$800 million to its cyber security efforts. When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient.

It is certainly not all bad news though. The government has opened four Joint Cyber Security Centres (JCSC) throughout Australia, which allow the sharing of threat intelligence and collaboration between government, academia, and industry. An additional $30 million in funding has been granted to an industry-led Australian Cyber Security Growth Network that “brings together businesses and researchers to provide a foundation for the development of next-generation products and services required to live and work securely in our increasingly connected world.” (Aust Cyber, 2018) The Department of Home Affairs has developed initiatives such as the Cyber Security Challenge, which promotes the cyber security industry to graduates, with a particular focus on women in cyber. The reform of the Protective Security Policy Framework (to be released October 1st 2018) to a “principles-based” approach is a welcome change from the previous unwieldy and overly prescriptive version. The revision seeks to simplify the framework by separating guidance material from mandatory requirements. Alastair MacGibbon, the National Cyber Security Adviser & Head of the Australian Cyber Security Centre, has also dramatically increased the ACSC’s staff numbers in a relatively short amount of time. This increase in resources will help to develop collaboration between industry and government further and improve Australia’s cyber resilience and standing on the global cyber stage.

Advanced information and communication technologies (ICT) are necessary for the success of industry, consumer, and government activities, and ICT security should be of the highest priority. Australia is taking steps to address the threats from advancing technology. However, we are lagging behind the pace of other Western countries. (Austin, 2016) A robust and effective cyber security strategy is critical to the protection of Australia and its citizens and to a profitable technology-led industry. Effective strategy implementation across government, a cyber-aware and resilient culture, continued collaborative engagement between government and industry, a unified and simplified approach to regulations and standards, and adequate funding are required for Australia to thrive in the digital age and successfully respond to cyber incidents, deter cyber attacks, and protect against threats from both cyber criminals and foreign interference.

About the Author

Shannon is a Senior Manager in Deloitte’s Cyber Risk Advisory in Canberra and has extensive experience providing consulting and cyber risk services to a range of both private and public clients, from ASX 100 corporations to Defence. With a unique background in international risk management in non-permissive environments, Shannon is regarded as an industry SME in “holistic security”. Shannon regularly appears on national and international news programs, expert panels, industry publications, conferences, and radio networks discussing national security, cyber security, counter-terrorism, and breaking news events.


The security implications of an aging population

By Keith Suter

Aging is the new frontier. The components are: increased life expectancy, increased health expectancy and the growth in human enhancement technology. The bottom line is that society is heading for some major challenges which few policymakers are brave enough to address because they are far too focussed on short-term issues. This article will examine the “new frontier” and then examine three security implications: the cost of paying for older people, the tensions arising from pension/superannuation adequacy, and labour shortages. This article is an encouragement to think about the unthinkable.

The Three Components of the New Frontier

First: there has been an increase in life expectancy. We have gained as much life expectancy in the last century as in the previous 5,000 years; this is an increase of about 25 years. About 5,100 years ago, people lived on average for 25 years. In 1900 the figure had crept up to 50. Therefore giving people in western countries an old age pension was not a big burden on government because most people never lived long enough to collect it. Now life expectancy is around 75 years at least, and there are concerns about the sustainability of pension schemes. This change can be seen in the various phases of aging. Traditionally a person had three stages: young, middle aged and then getting ready to die. Now there are four stages: (i) childhood, (ii) maturity, (iii) well aged (the new “third age”, with perhaps one third of a life spent in retirement) and (iv) the compression of morbidity (whereby a person’s body declines quickly). Never before has any society had so many older people; there are no precedents to guide us. The first Australian to live to 120 is already alive and she is probably currently in her 60s (unfortunately we do not know who she is and so we cannot warn her).

Second: there is increased health expectancy. Growing older does not necessarily mean feeling older (“60 is the new 50”). Average incapacity-free life expectancy is rising faster than average life expectancy overall, and so people are not only living longer but they are also living more healthily. Many people are taking better care of their health and so reducing lifestyle risks (such as smoking). There is also the rise of the “counter-aging society”: older people refuse to act as though they are “old”. This means that today’s older people are much “younger” than their parents were at the same age (assuming the parents managed to live that long). There is a growing market for information on how to remain young.

Finally: there is the growth in human enhancement technology. Human enhancement technology as such is not completely new; consider the invention of spectacles and hearing aids. Now far more technological progress is underway, either (i) to restore an impaired function (such as eyesight) or (ii) to raise a function to a level considered to be “beyond the norm” for humans. Examples include the use of cognitive enhancing drugs to improve memory and concentration, the use of hearing aids and retinal implants to improve sensory perception, and the use of bionic limbs to restore mobility. These developments will, among other things, enable older workers and people with disabilities to stay in the workforce for longer and broaden their potential opportunities for work.

To sum up so far, these are signs of a successful society. But they present major challenges that have so far attracted too little attention. “National security” is too often perceived to be a military matter. This article argues that “the social security of aging” is also a national security matter. Here are three challenges.

The Economics of Aging

Can we afford the elderly? This question is asked in two contexts. First, there is the increased cost of caring for an aging population: hospital and aged care facilities. Aged care centres are a comparatively new idea. Traditionally old people stayed in the family home and helped out, such as by looking after the grandchildren. Only some military veterans received the sovereign’s special attention of having their own aged care facility, such as London’s Chelsea Pensioners, which began in 1682. In Australia the move began in the 1920s and 1930s when churches converted spare land into facilities to take care of older Australians. The Menzies Government in the 1950s introduced commonwealth government funding to the not-for-profit providers of aged care. This has now become a multi-billion dollar industry and it is a major financial burden on government budgets (and a major media nightmare when scandals take place). As people live longer, so there will be additional costs on aged and healthcare budgets.

The second context is the “global pension time bomb”, as it is called by the Switzerland-based World Economic Forum (WEF). In 2017 the WEF reported that the world’s six largest pension saving schemes (US, UK, Japan, Netherlands, Canada and Australia) are expected to reach a US$224 trillion gap by 2050. The WEF calls this the “financial equivalent of climate change”. The situation becomes even more dire when China and India are also included in the calculations. Australia is seen as being at the least risk (thanks to superannuation reform beginning two decades ago). The US is at the most risk. The US state of Illinois is already teetering towards bankruptcy with pension benefit growth overwhelming the state’s economy. The bottom line of both contexts is that there will be an extra burden on government budgets. There may be some offsets (such as reduced expenditure on child care and schooling). But the long-term view is one of increased pressure on government budgets, and so less available funding for other matters, such as defence.



Cover Feature

Erosion of Social Cohesion

“My doctor says I can live for another 30 years but my accountant says that I can only afford to live for another 20 years.” Another set of challenges is at the level of individual psychological impact and the damage to national morale. A current example is the research by Princeton University’s Angus Deaton and Anne Case. Almost all Americans are living longer, including Afro-Americans and Hispanics. But Deaton and Case have found an anomaly: middle aged white male and female Americans in economically depressed areas (captured by Trump in the 2016 presidential election). These Americans are dying prematurely through depression and opioid addiction. Will this type of crisis become more widespread? Social cohesion is based on a society getting richer and happier (however that is measured). Economic growth and psychological well-being are the glue that holds a society together. Some of the stereotypical Trump voters have shown how prolonged unemployment (such as in West Virginia’s coal mining areas) can have a social cost. Here are two warning signs of threats to social cohesion.

First, some pension schemes (such as Australia’s national superannuation one) are based on personal investment in the market (rather than a guaranteed regular payment from the state). This investment is a volatile source of income. Stock markets are currently doing well. But “corrections” take place every few years. A person can be unfortunate enough to retire at the time of a market downturn and so lose some of the investment. Looking to the longer term, superannuation projections can only be based on the “known knowns” of today’s economy. However, some commentators have raised concerns about the “known unknowns” which represent a threat to the continuation of today’s wealth. These “known unknowns” include climate change, resource scarcity, large numbers of asylum seekers and “climate refugees”, a growing gap between rich and poor, and blockchain technology (which could undermine banks, which represent over 30 per cent of the total value of the Australian Stock Exchange). In short, there will be increasing anxiety over the adequacy of superannuation arrangements.

Second, the children and grandchildren of the aging “baby boomers” (people born between 1946 and 1966) are suffering from “inheritance impatience”. These young people see their older relatives living in large homes with generous superannuation arrangements. They would like access to that wealth. A new branch of law has been developed to deal with this problem: elder abuse. Elder abuse has occurred throughout history but now it is becoming far more common. About five per cent of Australia’s older people experience abuse. Financial abuse is the most common form of elder abuse. Most of this abuse comes from adult children anxious to get the wealth of their parents. To sum up, the prevailing view in most western societies is that life will continue to get better. But that may not be the case. In the future, older people may have little incentive to continue the daily struggle of staying alive.

Labour Shortages

Finally, an aging population will mean shortages of labour. This is a byproduct of the demographic transformation: falling fertility and rising longevity. This is already being seen in trades and professions which particularly recruit young people, such as nursing, teaching and military service. There are two potential solutions – both politically controversial. First, more immigration should be permitted. Africa has a rapidly growing population. Perhaps more African workers should be allowed into western developed countries which are running out of young workers. There is also a surplus of young people in many Islamic societies, such as the Middle East and North Africa (MENA) and Indonesia. However, given the rising anti-immigration political movements, this may not be possible. Second, more should be done by government to encourage people to have children. The kindergarten (“garden for children”) movement began in Germany and other parts of western Europe over a century ago to encourage both parents to go to work. This saw a reversal of the then stagnant population growth (in an era when governments decided there was a need for larger populations to provide large armies). Making day care available is no longer enough. South Korea, for example, which has one of the world’s lowest fertility rates, is trying to find ways of guaranteeing women who have careers that they will be able to resume those careers after their babies are born. Unfortunately, the South Korean attempts have generated public anger, with women resenting being treated as breeding farm animals. It also means that a workaholic South Korean business community will need to develop more family-friendly business practices. Thus, we have some major social challenges in all western societies: changing the attitude of employers so that they retain older employees rather than pensioning them off, and reassuring women that their careers will be safe once their children are born.

To conclude, global society is now where it has never been before: grappling with the challenges of an aging population. Unfortunately, not enough attention is being given to these challenges.



[Advertisement: Australian Cyber Security Magazine, “Tune in now!”, www.australiancybersecuritymagazine.com.au]


[Advertisement: The Big Cyber Security Show, second edition, 20 Sep 2018, The Leela Mumbai (media partner: this magazine). Theme: “Exploring new innovations for a greater cyber-security strategy”. Speakers: Hitesh Mulani (CISO, Mahindra & Mahindra Ltd.), Sakshi Vidur (Global Cyber Security Leader, KFC Asia Pac, Yum! Brands International), Adv. Puneet Bhasin (Cyber Law Expert, Cyberjure Legal Consulting), Bithal Bhardwaj (CISO, GE South Asia & China). Premier gold partner, bronze partner and exhibitor logos omitted. Register at WWW.BIGCYBERSECURITYSHOW.COM]


[Advertisement: Singapore International Cyber Week 2018, “Forging a Trusted and Open Cyberspace”, presented by the Cyber Security Agency of Singapore. Date: 18-20 September 2018. Venue: Suntec Singapore Convention and Exhibition Centre. www.sicw.sg. Organiser and event partner logos omitted.]


[Advertisement: Australian Utility Week, 21-22 November 2018, Melbourne Exhibition and Convention Centre, Australia. “Digital First: Accelerating Digital Transformation in Water and Energy”. 2000+ attendees, 130 speakers, 50+ exhibitors, a multi-topic high-level conference programme with 6 key conference streams and 3 topic hubs (Smart networks & digital meters; Analytics & Cloud; Innovations in Digital Services; Digital Customers; Digital Power Plant; Customer Engagement & Smart Homes; Digital Field Operations; Operational Excellence; Digital Water), plus the SAP Customer & Digital Plant Pavilion. Register at http://www.australian-utility-week.com/register-2018 and use promotional code SM for a 25% discount. www.australian-utility-week.com. Organiser logo omitted.]





India’s NRC Anarchy

A By Sarosh Bana

political maelstrom is raging across India as the registration of citizenship being undertaken by the government in the north-eastern state of Assam has determined four million people to be illegal immigrants. Opposition parties like the Congress have questioned the procedure of registration, accusing the government led by the right-wing nationalist Bharatiya Janata Party (BJP) of “targeting” minority communities and those known not to vote for it. There are fears of a crisis similar to that of the Muslim Rohingyas who started fleeing a military crackdown begun against them in August last year in Buddhist Myanmar. The process of registration was mandated by the Supreme Court, the highest court of the land, which sought for the National Register of Citizens (NRC) concerning Assam to be updated for the first time since 1951 to account for illegal migration into the state from Bangladesh. To be deemed a citizen required proof of residence in Assam before 21 March 1971 or evidence of being a descendant of those who were bona fide Indian citizens till 24 March 1971. Assam’s citizen registry is based on the state census of 1951. Immigration is a deeply political and emotive issue anywhere it occurs. It has been influencing electoral outcomes across Europe, and has stoked fears of a humanitarian crisis in the United States where the policy

30 | Australian Cyber Security Magazine

to separate children from families crossing into the US without documentation has been condemned by the outgoing UN High Commissioner for Human Rights, Zeid Ra’ad al-Hussein. The UNHCR chief is not seeking a second four-year term, indicating that global powers retreating from their commitment to human rights had rendered his job untenable. The Commission cites the highest levels of displacement on record at present, with 22.5 million refugees languishing in different parts of the world in search of a normal life. The subject of the Assam NRC has also been raised by four UN special rapporteurs on minority issues in their letter to India’s External Affairs Minister Sushma Swaraj. Expressing concern over the fate of the “Bengali Muslim minority in Assam”, they wrote that “the NRC update has generated increased anxiety and concerns among the Bengali Muslim minority in Assam who have long been discriminated against due to their perceived status as foreigners, despite possessing the necessary documents to prove their citizenship”. The BJP-led government had issued two notifications, in 2015 and 2016, that disallowed Hindu, Sikh, Buddhist, Jain, Parsi and Christian immigrants from Bangladesh, Pakistan and Afghanistan from being deported under the 1946


Cyber Security

India triumphed in the war that lasted between 26 March and 16 December 1971, and East Pakistan seceded from the Urdu-speaking western half to become the People’s Republic of Bangladesh.

Foreigners Act and the 1920 Passport (Entry into India) Act. As most Bangladeshi immigrants are Muslim, there are fears that this minority community is being singled out as it largely does not vote for the BJP that pursues a Hindu ideology. There are concerns that those deemed non-citizens may be disenfranchised as there have been numerous instances where even those providing legacy data of their forebears in India have been excluded from the draft registry. They have included public servants and their relatives as also family members of the late President of India, Fakhruddin Ali Ahmed, a Muslim, apart from those who have served with distinction in the nation’s armed forces. As with the Trump administration that has not disclosed what might happen to the more than 2,300 children detained since its “zero tolerance” policy was enacted in mid-April, the Indian government too is silent on the fate of those it deems unlawful immigrants. On the possibility that many of the “illegals” might have shifted out of Assam to avoid the NRC, there are fears that such a registry might ultimately be extended to all of India. India’s Supreme Court-supervised NRC survey has its genesis in the India-Pakistan war of 1971 that was triggered by the mass intrusions into India by Bangla-speaking people escaping an ethnic genocide perpetrated by Pakistani forces

in the then non-contiguous half of the country, called East Pakistan. The Indian government estimates the number of these escapees at 20 million, though unofficially it is reckoned to be at least twice that. Evidently, UNHCR ignores these figures in its estimates on worldwide refugees. India triumphed in the war that lasted between 26 March and 16 December 1971, and East Pakistan seceded from the Urdu-speaking western half to become the People’s Republic of Bangladesh. Most of those who had fled settled in Assam, to the east of Bangladesh, and in West Bengal, to the west. Their language, Bangla, is the endonym of Bengali, which, together with Assamese, belongs to the group of Eastern Indo-Aryan languages. The strife-torn Rohingyas, who have similarly fled into bordering India and Bangladesh, speak Rohingya, or Ruáingga, that too is part of this linguistic group. Though Bangladesh has provided refuge to over 800,000 Rohingyas whom it now wants relocated to Myanmar – while a further 40,000 have infiltrated into India – it rejects Indian claims of illegal Bangladeshi immigrants on its territory and has stalled all attempts by India to push them back across the border. A veritable clandestine industry had sprung up in India in the ‘70s and ‘80s that helped many of these settlers destroy all evidence of their Bangladeshi antecedence and provided falsified documentation granting them legitimacy. India is a signatory to the UN Protocol Relating to the Status of Refugees, and by UNHCR estimates, has 109,000 Tibetan refugees, the Dalai Lama being the most eminent of them, 65,700 Sri Lankans and 10,400 Afghans, apart from the Bangladeshis and Rohingyas, and some others. It is often felt that a country as big as India (3.29 million sq km) with a population of 1.32 billion can withstand demographic changes, but the most populated country, China, has only a slightly larger population (of 1.38 billion) across a territory that is exactly three times larger. 
Australian Cyber Security Magazine | 31

Cyber Security

India is, besides, a developing country where critical government services often fall short in reaching its own citizens. To allay all apprehension, the BJP has clarified that the NRC is still at the draft stage and that those whose names do not figure on the list will neither be detained nor lose their citizenship rights. The four million excluded have been permitted to file claims and objections until 28 September, after which the final NRC will be published by 31 December. The government has accused the opposition parties of politicising the issue, as it had actually been the Congress government that, when in power in 1985, had proposed the updating of the NRC. The Congress now maintains that while its government did intend to identify and send back all infiltrators, the BJP government’s present action appears motivated and subversive, with a strong communal bias that can destabilise society and politics. Despite its denials, the BJP views the Assam problem as largely a Muslim one, though both Hindus and Muslims came over from Bangladesh. This is because the 17 per cent surge in Assam’s population between 2001 and 2011 was led by Muslims, whose population soared by 30 per cent in this decade, against under 11 per cent for Hindus. This rate of growth is not deemed possible without illegal immigration. At 148,460 sq km, Bangladesh is about twice Assam’s size of 78,438 sq km, but has a population (166.5 million) over five times that of Assam’s 31.2 million.

However, it is not Muslims alone who seem to be disadvantaged. The Supreme Court is hearing plaints against the government’s moves to mine personal data to put a mass surveillance system in place, not least through a mandated unique identification (UID) number called Aadhaar. Even though the issue is still being determined, new rules have reduced citizens to reaffirming their nationality and authenticating their identity to avail of most public and private services, and even when applying for their maintenance and renewal. The apex court contends that the UID has the potential to profile every individual if interlinks are established. The NRC has already had its sinister fallout, with mobs of vigilantes in states neighbouring Assam accosting people in the streets and questioning their identity. Seldom has the Indian public been so exercised by the politics of hate and fear as at present, with 68 persons having been killed in mob attacks over the last three years, and journalists, intellectuals and liberals seen as critical of the BJP and its government being trolled, stalked, threatened and even attacked and murdered. There have been 371 cases of hate crime recorded in the four years that the BJP has been in power, 228 of them targeting Muslims. These have involved mob lynchings, a result of growing vigilantism and witch hunts in various parts of the country. What has aggravated such targeting of the marginalised has been the open support for, and even praise of, the culprits by the political leadership. Much to the consternation of the public, government representatives have at times also blamed rape victims, urging sensitivity in their attire or in the times they venture outdoors. Such backing has frequently discouraged police inquiry and kept those attacked, or their families, from coming forward to lodge complaints. Many believe the politics of vendetta will only increase as the nation nears the general elections due next May, where the BJP is expected to face voter reprisals. Adjudicating on 2 August upon the high-profile case regarding the murder of two rationalists, slain in 2013 and 2015, the High Court of Mumbai observed: “We are witnessing a tragic phase in the country today. Citizens already feel that they can’t voice their concerns or opinions fearlessly. Are we going to see a day when everyone will need police protection to move around or to speak freely?” The Supreme Court too has expressed alarm over the spate of lynchings, maintaining that these “horrendous acts of mobocracy” cannot be allowed to overrun the law of the land.

Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

BUSINESS

ACADEMIA

LAW ENFORCEMENT

REGULATION

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to:

Connecting members across intelligence communities and encouraging cross-domain collaboration

Supporting and representing intelligence professionals throughout their career lifetime

Sharing cutting edge and emerging global intelligence practices and enabling technologies

Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.


aipio.asn.au



The Law Society of Singapore Cyber Security Conference 2018

By Jane Lo, Singapore Correspondent

In April last year, “Shadow Brokers”, a group that operated on the Dark Web, leaked a new batch of attack tools and zero-day exploit files allegedly stolen from the NSA in 2013, and triggered the WannaCry chaos in May 2017. WannaCry and its derivatives (Petya and NotPetya) affected computers in more than 100 countries across the globe, hitting critical infrastructure and hospitals in the UK. Within the region, according to the Singapore Computer Emergency Response Team (SingCERT) of the Cyber Security Agency of Singapore (CSA), “about 500 Singapore IPs could have been affected” by the ransomware attacks. DLA Piper, a prominent law firm, was also a victim of the attacks. Cyber attacks can be stressful if law firms do not have a ready back-up plan to allow lawyers access to their documents for trial preparations or motions to meet a deadline, or worse, if the information is leaked to competitors or held for ransom. With global and local developments in laws on cybersecurity and data protection, The Law Society’s inaugural Cybersecurity Conference, brought by the Cybersecurity and Data Protection Committee, could not be more timely.


Here we look at some key takeaways from the keynotes and the panel discussions.


Singapore Cybersecurity Act

Dr Janil Puthucheary, Senior Minister of State, Ministry of Transport and Ministry of Communications and Information, in his keynote address noted platforms such as the United Nations Group of Governmental Experts (UNGGE) and the ASEAN Ministerial Conference on Cybersecurity (AMCC) that develop global and regional cyber norms. He also highlighted the Singapore Cybersecurity Act, which was passed into law by Parliament in February 2018 and received the President’s Assent in March 2018. The Act requires operators of 11 CII sectors (Government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media) to secure their infrastructure and report incidents. It has four key objectives:

a. First, to strengthen the protection of CII against cyber-attacks. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their obligations to protect CII from cyber-attacks.

b. Second, to authorise CSA to prevent and respond to cybersecurity threats and incidents. The Act empowers the Commissioner of Cybersecurity to investigate cyber threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising.

c. Third, to establish a light-touch licensing framework for cybersecurity service providers. Cybersecurity service providers often have significant access into their clients’ sensitive computer systems and networks. Such services, if abused, can compromise and disrupt the clients’ operations. A licensing framework will give businesses and clients more assurance, and is part of our strategy to raise the quality of cybersecurity services in the long run.

d. Fourth, to establish a framework for sharing cybersecurity information. The Act facilitates information sharing, which is critical as timely information helps the government and owners of computer systems identify vulnerabilities and prevent cyber incidents more effectively. The Act provides a framework for CSA to request information, and for the protection and sharing of such information.

“With global and local developments in laws on cybersecurity and data protection, The Law Society’s inaugural Cybersecurity Conference brought by the Cybersecurity and Data Protection Committee could not be more timely.”

Dr Janil Puthucheary, Senior Minister of State, Ministry of Transport and Ministry of Communications and Information, giving his keynote address. Photo Credit: The Law Society of Singapore

Several similarities between local and global data protection regimes

Data protection principles devised to reflect protection of personal data include the US Privacy Shield, the UK Data Protection Act, and the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. GDPR famously grabbed headlines with heavy fines for non-compliance (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher), but does GDPR apply to Singapore organisations? And for those who already comply with Singapore’s Personal Data Protection Act 2012 (PDPA), what steps are needed to be GDPR-ready? There are in fact several similarities between the local regime and the GDPR, Mr Yeong Zee Kin (Assistant Chief Executive / Deputy Commissioner, Personal Data Protection Commission (PDPC)), panellist at Plenary Session 1, reminded the audience. The core of Singapore’s PDPA and the EU’s GDPR can be traced back to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Singapore’s PDPA, as with GDPR, governs the collection, use, disclosure and care of personal data, and came into force with the formation of the PDPC in 2013. Both the local and EU regimes aim to cultivate a culture in which organisations take care of data belonging to data subjects, establishing data protection controls and remedial actions in case of an incident. Both regimes embed the concepts of a Data Protection Officer appointment (although this role is mandatory for all of Singapore’s registered organisations) and Data Protection Impact Assessment (DPIA).

Practice Strong Cyber Resilience, and Breach-by-Default

Plenary Session 1: Managing the Legal Spectrum: Singapore & EU. The panel offers insights into how the Singapore Cybersecurity Act will operate in tandem with other laws and regulations in Singapore. For example, the Computer Misuse Act and other relevant legislation will continue to govern the investigation and prosecution of cybercrime perpetrators. These are also considered in comparison with the framework in the EU (i.e. the GDPR). From right: Moderator Mr Jeffrey Lim - Partner, WongPartnership.

Panellists: Ms Gwenda Fong - Director of Strategy and Planning Division, Cyber Security Agency of Singapore (CSA); Mr Yeong Zee Kin - Assistant Chief Executive / Deputy Commissioner, Personal Data Protection Commission (PDPC); Mr Christopher Ong - Senior Director, General Commercial Crime Directorate and Technology Crime Unit, Financial and Technology Crime Division, Attorney-General's Chambers (AGC); Associate Prof Warren B. Chik - Associate Professor of Law, Singapore Management University (SMU). Photo Credit: The Law Society of Singapore

Concluding his remarks for the conference, Mr Gregory Vijayendran (President, The Law Society of Singapore) reminded the lawyers of the importance of cyber resilience. “Cyber resilience encompasses cyber security and business continuity management that aims to defend against potential cyber attacks and ensure your organization’s survival following an attack” and that it is “not only a critical survival trait in the future. I dare say it is an organizational existential trait in the future. Leading law professionals like those of you participating in this conference from the Law Society help keep your organization cyber resilient because of the choices you make. That choice included the choice to attend this event. You are in the right place at the right time.”

Whilst Security-by-Design and Privacy-by-Design are well-known concepts, Dr Steven Wong (President, Association of Information Security Professionals (AISP)), panellist at Plenary Session 2, challenged the audience to adopt a “Breach-by-Default” approach (that is, assume the defences are already breached: what are the next steps to resolve, remediate and recover?) and to implement robust risk management and incident response plans within their organisations.

Lead by Example

Mr Gregory also emphasised that the interest in the topic of cybersecurity for lawyers “is also to acquire the requisite niche domain knowledge so that we can advise with accuracy when (not if) a cyber attack takes place and issues of liability and losses need to be considered in an intelligent and informed way.” Panellists at Plenary Session 2 agreed that law firms that have a strong grasp of cyber security knowledge, and that understand advances in technology, will be able to offer value-add advice to clients.

Internal and External Threat Actors Adapt

External threat actors are well known for their rapid adaptation; while law enforcement has demonstrated successes, threat actors do not stop evolving their tactics, techniques and technology. Mr Lam Chee Kin (Managing Director & Head Group Legal, Compliance & Secretariat, DBS Bank), panellist at Plenary Session 2, suggested that not only do we have to continuously monitor the evolving cyber crime landscape, but, importantly, we also have to “think like them”. Dr Steven Wong also reminded the audience that we ourselves, as users, should avoid finding means to bypass security policy restrictions, as that may inadvertently open up new vulnerabilities. An example is the use of personal mobile phones to take pictures of computer monitors to bypass the restrictions of an air-gapped environment where the corporate network is separated from the internet. This may potentially lead to disclosure of sensitive corporate information through these personal mobiles. This addition of end-points in fact enlarges the attack surface, making it even harder to control and monitor potential breaches.

Some final tips …

Use the several cyber security industry frameworks and best practices as guidelines when drafting legal contracts such as those for penetration testing, to draw boundaries between legitimate access to uncover vulnerabilities as part of an audit, versus illegitimate access. Finally, when dealing with local legislation, and global legislation with extra-territorial reach, it is always important to clarify the outcomes the regulators are looking for, in order to support clients on compliance strategy. It is also useful to consider specific use cases in the dialogue with clients on the intent of the legislation.

Plenary Session 2: Current Compliance Framework & Legal Advisory. With the incoming Cybersecurity Act, there is a renewed focus on the management of technology risks that businesses face and how this translates practically into compliance. The panel provides practical perspectives on how businesses should approach compliance and the management of technology risks (specifically cybersecurity risks). From left: Moderator Mr Joey Pang - Vice President, Technology Operations & IP, DBS Bank.

Panellists: Mr Phoram Mehta - President, ISACA Singapore Chapter; Director, Head of InfoSec, APAC, PayPal Pte Ltd; Mr Lam Chee Kin - Managing Director & Head Group Legal, Compliance & Secretariat, DBS Bank; Dr Chong Yoke Sin - Chief, Enterprise Business Group, Starhub; Dr Steven Wong - President, Association of Information Security Professionals (AISP), Associate Professor and Programme Director, Academic Programmes, Singapore Institute of Technology (SIT). Photo Credit: The Law Society of Singapore



Full house at the Beyond the GDPR: A Global Approach to Privacy and Data Leadership discussion between Stephen Deadman, DPO Facebook and Simon Chesterman, Dean, Faculty of Law, National University of Singapore. Photo Credit: IAPP Twitter.

Data Protection and Privacy: Perspectives from Facebook, Google, Apple

By Jane Lo, Singapore Correspondent

The digital era of the modern world means that there is a lot more data being collected, processed and stored by organisations. Where data relates to sensitive personal information, the loss or misuse can be devastating, as we can see from the July SingHealth data breach that led to the leak of the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers. At the IAPP Asia Forum 2018, held on 23–24 July, Mr Tan Kiat How (Commissioner of PDPC) highlighted in his speech: “Progressive policies are key enablers of data-driven innovations. Stringent data protection laws may earn a country the reputation of consumer empowerment, but this may be at the expense of business friendliness and may stifle innovation. Too laissez-faire an attitude is not conducive either. Consumer adoption of emerging technology may be slow, if silence from the data protection authority results in low public trust and confidence. Singapore believes that there is a viable middle ground. Our assessment is that AI as a technology is still developing but more importantly, businesses have only just begun to explore how AI can be used to enhance their products and services. We need to give both technology and businesses the room to explore and grow. However, consumer concerns must be acknowledged and addressed. The PDPC is not ignorant about these issues nor can we ignore consumer concerns.”

Data protection principles devised to reflect these concerns include the US Privacy Shield, the UK Data Protection Act, and the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. GDPR famously grabbed headlines with heavy fines for non-compliance (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher). At the IAPP Asia Forum, we gathered some perspectives from Facebook, Google and Apple on the role of privacy in continuous innovation.

The Cambridge Analytica Crisis

Just weeks before the new European data protection law (GDPR) came into effect on 25 May 2018, Cambridge Analytica filed applications to commence insolvency proceedings, following widespread media reports that it had harvested personal data about Facebook users as far back as 2014. Since the crisis, the priority, Facebook said, is making its privacy settings more accessible and providing clearer explanations about how data tools are used. Facebook CEO Mark Zuckerberg has since apologised and agreed to testify before Congress about the controversy. “We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. So in addition to Mark Zuckerberg’s announcements last week — cracking down on abuse of the Facebook platform, strengthening our policies, and making it easier for people to revoke apps’ ability to use your data — we’re taking additional steps in the coming weeks to put people more in control of their privacy,” Facebook vice president and chief privacy officer Erin Egan and vice president and deputy general counsel Ashlie Beringer said in a statement.

What changes have been made? Stephen Deadman (Facebook’s global deputy chief privacy officer, who stepped in as Facebook’s data protection officer (DPO) in May and is also the DPO for Facebook-owned Instagram and WhatsApp) set out some of these changes at the IAPP conference. These included a privacy shortcuts menu “where you can control your data in just a few taps”; new menus for users to more easily access and delete their data; and features to allow users to securely manage information and posts shared on the platform, downloading this data or deleting it from the site altogether.

Facebook added that it is also reworking its terms of service and data policy to “better spell out what data we collect and how we use it.” “These updates are about transparency,” Facebook had said in a statement, “not about gaining new rights to collect, use, or share data.” Facebook had also suspended hundreds of apps in the first stage of its review into apps that had access to large quantities of user data. Winning trust is core to success, Stephen Deadman emphasised. Concerns about businesses’ use of data and trustworthiness will stifle people’s willingness to use the services. And it is important to get the basics right, in designing and implementing infrastructure and tools to demonstrate compliance.

Beyond the GDPR: A Global Approach to Privacy and Data Leadership. How Facebook approached the challenge of providing a consistently high level of privacy protection across the world from its new DPO, Stephen Deadman, and why innovation needs to play a central role in supporting regulation to ensure that efforts to derive economic, social and individual value from data are successful and pursued in a responsible and sustainable manner. (Left) Stephen Deadman, DPO Facebook. Stephen Deadman, who is currently the company’s global deputy chief privacy officer, will step in as Facebook’s data protection officer starting on Friday. He’ll also be DPO for Facebook-owned Instagram and WhatsApp. (Right) Simon Chesterman, Dean, Faculty of Law, National University of Singapore

Privacy and Artificial Intelligence

Last year, Google announced that it will stop scanning the emails of Gmail users to personalise advertising. “Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products,” Diane Greene, CEO Google Cloud, wrote in a blog post. While this decision indicated that Google had addressed the privacy intrusion concern, another question arose this year: is the use of personal data, including keywords in emails, for training artificial intelligence a breach of privacy? In response, Google clarified in a July blog post (Suzanne Frey, Director, Security, Trust & Privacy, Google Cloud) that: “The practice of automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.” Google’s Privacy Policy further explains: “We use different technologies to process your information for these purposes. We use automated systems that analyze your content to provide you with things like customized search results, personalized ads, or other features tailored to how you use our services. And we analyze your content to help us detect abuse such as spam, malware, and illegal content. We also use algorithms to recognize patterns in data. For example, Google Translate helps people communicate across languages by detecting common language patterns in phrases you ask it to translate.” Inevitably, as artificial intelligence (AI) advances, privacy concerns become increasingly important, and the announcement by Google allegedly leaving the Project Maven AI program reflected these concerns.

Closing General Session - Keynote Panel: Incentivising Accountability & Certifications as Enablers for Global Data Flows. Whether in Asia or around the world, ‘accountability’ is on the lips of every regulator. These global organisations will tell you what it means to them and how it works in practice. Moderator: Bojana Bellamy, CIPP/E, President, Centre for Information Policy Leadership, Hunton Andrews Kurth. Panellists: Keith Enright, CIPP/G, CIPP/US, Legal Director, Privacy, Google; David Alfred, CIPP/A, CIPT, FIP, Chief Counsel, Personal Data Protection Commission, Singapore; Huey Tan, APAC Senior Privacy Counsel, Apple; Hilary Wandall, CIPP/E, CIPP/US, CIM, FIP, General Counsel, Chief Data Governance Officer, TrustArc. Photo Credit: TrustArc Twitter

From Compliance to Accountability

Google’s CEO Sundar Pichai announced in a June blog post seven objectives for its AI research and applications, alongside applications that Google “will not pursue”. Amongst these objectives is an explicit reference to incorporating privacy design principles: “We will incorporate our privacy principles in the development and use of our AI technologies. We will give opportunity for notice and consent, encourage architectures with privacy safeguards, and provide appropriate transparency and control over the use of data”. Increasingly seen as a practical way of moving beyond compliance to designing and implementing the core privacy principles in the organisation is the concept of accountability. At the IAPP conference, Keith Enright (CIPP/G, CIPP/US, Legal Director, Privacy, Google) said that privacy is “a value conversation”. Accountability means that the organisation must be able to confidently demonstrate that it is operating consistently with its values, and provides transparency on what these values are.

First Trillion Dollar Public Company

The San Bernardino case raised the question of whether technology companies should be compelled to build software to break into their own devices (or programs or infrastructure). Apple defended its philosophy: that no one, not even Apple, should be able to look inside your phone. Apple’s Privacy page states that “Apple products are designed to do amazing things. And designed to protect your privacy”, and that “privacy is a fundamental human right”: “And so much of your personal information — information you have a right to keep private — lives on your Apple devices. Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message. Every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom. We’ve proved time and again that great experiences don’t have to come at the expense of your privacy and security. Instead, they can support them.” Huey Tan (APAC Senior Privacy Counsel, Apple) emphasised that privacy is an enabler, and that moving beyond regulatory compliance to accountability (a commitment to think about the personal data the organisation has to deal with, and to build controls into programmes that stand up to scrutiny) is “another feather in your bowl”, or in other words, a competitive advantage. This mindset is clearly winning support from many, as Apple became the world’s first trillion-dollar public company on Thursday, 2 August 2018, 42 years after it was founded.

Driving growth in Australia’s cyber security sector

From ideation to export, and everything in between, AustCyber works with:

• Startups

• Venture capital funds

• Scale-ups

• Government agencies

• Corporates

• Research organisations

• Educational institutions.

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access:

• Funding across all stages of the commercialisation cycle

• Profitable global supply chains and growth markets.

The first step is to connect with us: www.austcyber.com


info@austcyber.com

+612 9239 3250

@AustCyber



RSA APJ 2018 - Cyber Security: Highlights of Australian perspectives

By Jane Lo, Singapore Correspondent

“With cyberthreats looming larger than ever, finding solutions can’t wait for tomorrow.” This is the genesis of the theme for RSA Conference 2018 – Asia Pacific and Japan, held at Singapore Marina Bay Sands on 25–27 July 2018: “Now Matters. Now is the time to take action, now is the time to learn, now is the time to come together to secure the world from cyberthreats.” We share some highlights from keynote speakers on the Australian experience.

Promoting International Peace and Stability in Cyberspace – Dr Tobias Feakin

“A year on from last year’s RSA Conference, we have seen a marked increase in the frequency, scale, sophistication and severity of malicious cyber-activity. High profile incidents like NotPetya and WannaCry have demonstrated the unprecedented level of global harm that such malicious activity can cause. So how do we effectively mitigate the burgeoning scale of threat that is now so publicly realising its potential to harm our national and economic interests?”, asked Dr Tobias Feakin (Australian Ambassador for Cyber Affairs, Department of Foreign Affairs and Trade). “A technical response is only part of the answer; we need to renovate international policy to meet the challenges of digital connectivity and ensure we all reap the benefits. This is why Australia is working to implement an International Stability Framework for cyberspace,” he said. Dr Tobias Feakin set out the five core measures of the framework (further detailed in “Australia’s International Cyber Security Engagement Strategy”, published in October 2017):

1) Application of existing international law to cyberspace.

International law has developed over centuries. It comprises rules and principles that, inter alia, govern relations between states. While the domain may be comparatively new, the rules are not. International law applies in cyberspace. The unique attributes of cyberspace mean that existing international law can be usefully complemented by agreed norms of behaviour. Alongside states’ international legal obligations, these non-binding norms establish clear expectations of proper state behavior. – Australia’s International Cyber Security Engagement Strategy 2017

2) Implementing agreed norms of responsible state behavior, including operationalisation of norms of responsible state behaviour recommended in the 2015 report of the UN Group of Governmental Experts on developments in the field of information

norms promote predictability, stability and security. Norms must be developed consistent with international law. – Australia’s International Cyber Security Engagement Strategy 2017

3) Deterring and responding to those who don’t follow the rules. In other words, deter, mitigate and attribute malicious cyber attacks by criminals, state actors and their proxies, including those that seek to interfere in the internal democratic processes of states. Having established a firm foundation of international law and norms, the international community must now ensure there are effective consequences for those who act contrary to this consensus. Australia is committed to countering, deterring and discouraging malicious cyber activity, especially by states and their proxies. We will work with partners to strengthen global

Dr Tobias Feakin, Australian Ambassador for Cyber Affairs, Department of Foreign Affairs and Trade. Tobias Feakin is Australia’s inaugural Ambassador for Cyber Affairs. He leads Australia’s whole-of-government international engagement to advance and protect Australia’s national security, foreign policy, economic and trade, and development interests in the internet and in cyberspace. Feakin was a member of the Independent Panel of Experts that supported the Australian Cyber Security Review to produce Australia’s 2016 Cyber Security Strategy. He was the Director of National Security Programs at the Australian Strategic Policy Institute from 2012 to 2016 and established the Institute’s International Cyber Policy Centre. Photo Credit: RSA APJ 2018

Narelle Devine – Chief Information Security Officer, Australian Government Department of Human Services. After 23 years serving with the Royal Australian Navy, Narelle Devine was appointed Chief Information Security Officer for the Australian Government Department of Human Services in 2016. The department delivers essential welfare and health services payments, and her team protects the $190 billion in payments the department makes each year and the personal and financial records of 26 million Australians. Photo Credit: RSA APJ 2018

and telecommunications in the context of international security, and focus on positive practical measures that states can take to put these voluntary norms into practice.

42 | Australian Cyber Security Magazine

Norms establish clear expectations of behaviour in specific circumstances by specific groups. By signaling acceptable behaviour of states in cyberspace,

responses to unacceptable behaviour in cyberspace. – Australia’s International Cyber Security Engagement Strategy 2017 4) Implementing confidence building measures to build trust, including risk reduction, transparency and cooperative measures. Confidence building measures are one of the most important tools in our diplomatic toolkit. Australia is committed to implementing these measures to maintain a peaceful and stable online environment. … Australia will look for opportunities for practical cooperation on cyber issues with ASEAN partners. – Australia’s International Cyber Security Engagement Strategy 2017 5) Capacity building to enhance the ability of everyone to meet the challenges of cyberspace. Australia embraces a holistic idea of ‘cyber capacity’. This includes a state’s ability to: ensure people’s rights online; achieve economic growth through digital trade; combat cybercrime; and engage in conversations about Internet governance and international security in cyberspace. … Similarly, cyber capacity building will encompass important elements beyond purely technical training, including policy and legislation, education and infrastructure. – Australia’s International Cyber Security Engagement Strategy 2017 In his key take-aways, Dr Feakin highlighted that “we are modernizing the existing rules-based


Cyber Security

Director, Global Security Solutions at Telstra, Neil Campbell is responsible for driving Telstra’s security strategy across all of the markets that Telstra operates in around the world. Campbell has spent more than 25 years specialising in cybersecurity. Campbell spent nine years in the Australian Federal Police, with most of his police service in the AFP’s Computer Crime Team. Photo Credit: RSA APJ 2018

order to meet the challenges of the digital age. This is a renovation, not a demolition and rebuild”. He elaborated: “We do not need to demolish. We need to understand renovations are difficult. We need to retain the character of the building. We need to modernize it to make sure it is ready for everything that is set to come.” And “everyone in the room has the responsibility to make sure it works.” Outside the Box – Redefining the Workforce to Defeat the Cyber Adversary – Ms Narelle Devine Australian Government Department of Human Services holds sensitive personal financial information of every Australian citizen from newborns to the elderly and everyone in between. “We manage 11 million linked government accounts, 26 million customer records, and we process nearly half a billion dollars a day in payments, which are facilitated by approximate 280 thousand authentications each and every day.” Ms Narelle Devine (Chief Information Security Officer, Australian Government Department of Human Services) pointed out at her Key Note. “The department is vital to the normal operations of the Australian society”, she said. “An attack on our systems will see hundreds of thousands of citizens unable to support their families and medical services will be severely

impacted, if the flow of money stops just for a few days”, she added. And, to be sure, the evolving landscape and growing digitization in society has seen the need for skilled cyber staff skyrocket. So how does DHS defeat the Cyber Adversary to protect its 26 million customers? By “thinking outside the box by investing in existing and future talent, showing people are key to defeating the cyber adversary” and understanding that “cyber is a people business, not an IT one, your workforce, training and operations needs to reflect that diversity.” “Our security posture is only as good as each and every individual in the department,” she said. Not only is there diversity in age, gender, the DHS’ cybersecurity team also brings together psychologists, lawyers and politics graduates. For education and awareness, a person with a communications major was a better fit, rather than a person with a major in cyber.

A Cyber Secure Nation

Reflecting on the growth of her team and the intensity of the workload, (her team had grown from 25 to 200 people in the last two years, and dealt with two global cyber attacks), she emphasized: “The skill shortage is going to get worse before it gets better. So we need to move away from the idea that only formally educated can fill those roles. And if you are big enough, invest in growing your own”. Some key tips she shared included: • “Automate wherever you can, and more importantly where it makes sense to. Free up humans to do the work where computers can’t.” • “Aptitude testing is invaluable. It helps funnel those scarce training dollars into the right people and the right activities. It will also make you aware of your skills gap so you can fill them.”

becoming increasingly targeted. Respondents reported more ransomware attacks in this year’s survey than any previous years and 31 percent of Australian respondents whose business has been interrupted due to a security breach in the past year are experiencing these attacks on a weekly or monthly basis. Also of note is that a quarter of respondents globally did not have, or did not know if their organisation had, a security incidence response plan in place”. With the global nature of cyber threats, it is well acknowledged that countering the vulnerabilities of the internet is a global effort. Mr Neil Campbell offered Australian observations that could be applied in other countries or region: • Do not discuss details and specifics of your organisation’s security on public platforms. • Back up and conduct continuity planning, patch early and often • Foster a strong local cyber security community in your country

Finally, “ask if you need help. There are plenty of organisations out there that specialize in areas that may not be your strength. Or peers that are either struggling with or have overcome the same main issues that you have.”

“As organisations focus on working in the digital age and their digital transformation they need to think about doing things differently from a security perspective and disrupting the status quo,” said Neil Campbell (Director, Global Security Solutions at Telstra). The Telstra’s Security Report 2018 highlighted some encouraging findings. “The industry is shifting its mindset, moving to a ‘expectation of breach’ mentality, and implementing a wide range of programs too, including security audits, risk assessments and compliance tools through to continuous enduser training. In many countries, there is also a strong focus on governance, risk management and compliance in the face of several new laws regarding privacy and breach reporting.” “However, other findings are more concerning. Ransomware is on the rise and is

He also stressed that organisations need to “apply the controls right for you.” Ultimately, security is critical to the success of any modern organisation and security risk must be managed to acceptable levels. Businesses will continue to use different technologies, such as cloud services and mobility. Employees will continue to access information using their own devices, in remote locations and will need to take precautions. Every organisation must determine for itself what constitutes an acceptable level of risk. - The Telstra’s Security Report 2018

Vive HTC Pro review and developer thoughts

By Bennett Ring, Correspondent, MySecurity Media

The consumer VR revolution may have begun with more of a whimper than a bang, with both the Oculus Rift Consumer Version 1 (CV1) and HTC Vive experiencing much lower sales volumes than anticipated, but this hasn’t stopped the technology improving far faster than anticipated. The biggest leap forward is the pixel density of the displays used within; initial projections by NVIDIA in 2016 were that it would take at least five years to hit 4K x 4K screens per eye, but we have already seen prototypes from Pimax with 8K screens just 12 months later. The first commercial VR HMD to hit the market with an improved pixel density is HTC’s new Vive Pro, aimed at professional VR developers, and it has a price tag to match. At AU$1,199 for just the HMD, with no controllers or Lighthouse tracking stations included, it is a vast price increase compared to the original HTC Vive kit, which currently retails for $879 and includes two motion controllers and twin Lighthouse tracking stations.

We recently got eyes-on with the Vive Pro, and were immediately impressed by the increased pixels per inch (PPI). This is thanks to an increase from the original Vive’s resolution of 1080 x 1200 per eye, at 448 PPI, to the Vive Pro’s 1440 x 1600 per eye, or 615 PPI, a 37% increase. This means the screen-door effect, the visibility of the sub-pixel grid, has been vastly reduced. In practice, this makes it much easier to resolve fine detail, be it crisper text or distant features, which is especially noticeable in vehicle simulations with complex cockpits, as well as in photograph-based scenes. The screens are based on the same AMOLED panel technology as the original, running at 90Hz to deliver a motion-to-photon latency of approximately 7ms, though your mileage will vary depending on the GPU powering the HMD. Further investigation reveals the Vive Pro screens are the same as those used in Samsung’s Odyssey Mixed Reality HMD.

As with all consumer HMDs, the Vive Pro uses a Fresnel lens design to increase the field of view of each screen, up to 110 degrees. Unfortunately these lenses have the side effect of ‘god rays’, where bright parts of the scene cause a corona towards the edge of the screen, but we definitely noticed an improvement compared to the original.

The other major change is a new mounting design, which is much simpler to fit to each user’s unique head shape. Not only is it easier to mount, it also results in a much tighter fit, which is very important given that the Fresnel lens design has a sweet spot; outside of this the image blurs, but the tighter mount of the Vive Pro makes this less of an issue. The exterior of the Vive Pro HMD now also includes two cameras, though only one is currently active; the plan is for the second to be used to recognise exterior objects. It is possible that this may do away entirely with the need for exterior controllers, as the stereo cameras should be able to recognise the user’s hands, using hand-tracking algorithms similar to those found in the Leap Motion product. The final chassis design change is the inclusion of twin 2.5-inch stereo headphone speakers, whereas the original required the use of additional headphones. Sound quality is excellent, with very little distortion even when the volume was set to 100%. However, the speaker arms are a little short, so those with larger heads may find that they have difficulty in covering their ears entirely.

Due to the increased resolution of the displays, HDMI is no longer supported as a video source; instead the headset uses DisplayPort 1.2, along with a USB 3.0 Type C and a USB 3.1 Type A plug, all of which connect to the exterior video link box. There is still a 15-metre tether cable between the HMD and the link box, but HTC has demonstrated a wireless kit, which isn’t on sale yet. While this does remove the issue of tripping over cables when in room-tracking mode, it does increase latency by an as-yet undisclosed amount.

While we were thoroughly impressed by the increase in image quality and the improved mounting design, this device is aimed at professional VR developers, so we spoke to Mitchell Manganaro, Studio Manager at Melbourne-based VR developer Opaque Media, to see how the improvements have impacted the company’s VR project design. According to Mr Manganaro, the biggest enhancements from his perspective are the improved resolution and the even better room tracking. “With the Vive Pro the user gets a higher resolution screen, which is great for showing off even better-looking content. There is an even better advantage though, and it’s the second-generation tracking solution. Out of the box you get up to 10m x 10m of tracking space, and it will be scalable to 20m x 20m soon.” Unfortunately our test space was limited to just 3m x 3m, so we were unable to test this increase. User comfort is also a major upgrade from the original, with Mr Manganaro stating that, “The comfort of the device has been a point of praise around the studio.” On the other hand, he also believes that the colour quality of the screens has decreased, though the technical specifications don’t indicate any decrease in colour quality.

While the Vive Pro makes it easier to resolve increased detail, developers are still targeting markets that use lower-resolution displays. As a result, content has to be built with two different usage scenarios in mind. “Creating content that will run on current hardware is key, as adoption rates for Vive Pro won’t be that high, (so we are) creating content for the Oculus Rift CV1 and HTC Vive 1.0, and then putting out content at higher resolution for Vive Pro.”

There is no denying that the improved resolution results in a vastly improved user experience, but there is an accompanying leap in overall cost of ownership that we believe limits the Vive Pro to professional use only. Compared to $879 for the complete HTC Vive 1.0 kit, versus $1,999 for the Vive Pro with twin controllers and Lighthouse base stations, the increase in price is hard to justify for consumer-focused users. Thankfully we should see the Vive Pro become part of the base Vive kit in the near future. We’ll be going hands-on with a variety of Windows Mixed Reality HMDs, which have the same resolution as the Vive Pro, in the near future to see how they compare. In the meantime, if you already own an HTC Vive or Oculus Rift CV1, there is no need to upgrade unless you are a professional developer creating content for the higher-resolution displays due in the near future.

Mitchell Manganaro

ASIS New South Wales, Australia Chapter

“Do you have 20/20 Security Vision?” – ASIS National Conference, 17th & 18th October 2018
Sheraton On The Park, 161 Elizabeth Street, Sydney NSW 2000
www.ASISNSW.ORG.AU

Speakers: Daniel Lewkovitz, Rachell Deluca, David Harding, Prof. Martin Gill, Dr Kira Harris, Chris Cubbage, Codee Ludbey

Early Bird = $750 for Members
Early Bird = $900 for Non-Members

Ticket includes:
• 2 day conference ticket
• Morning and afternoon tea for both days
• Buffet lunch in Feast restaurant both days
• Networking cruise on Sydney Harbour

REGISTER NOW: http://www.asisnsw.org.au/NSW/NSW_Events.html


DroneZone DownUnder and DRASTICnews.com

DroneZone Conference & Seminar Program, Friday 1 – Sunday 3 March

Friday 1 March – DroneZone RPAS Conference
Room 5:
0900 - 1100 Drones for Industry (Mining, Resources & Construction)
1100 - 1400 Drones in Agriculture (Heavy Lift Drones & Precision Farming)
1430 - 1630 Drones for Local Government (Parks, Property & Maintenance Inspection)
Room 4:
0930 - 1130 Drones in Search & Rescue (Oceans, Mountains & Beaches)

Friday 1 March – Responsive Drones & Robotics Conference, Room 6
0930 - 1130 Robotics 2025 and Beyond (What’s the future)
1200 - 1300 Responsive Drones (For a secure workplace & society)
1330 - 1500 Robotics, Artificial Intelligence & Human Convergence (+ VR-AR)

Saturday 2 March – DroneZone RPAS Conference
Room 5:
0900 - 1100 Drones for Film & Photography (Flying the Lens - Masterclass)
1100 - 1400 Drones in Agriculture (Field Mapping & Harvest Yield)
1430 - 1630 Drone Pilot Training (CASA Licensing & Registration)
Room 4:
0930 - 1130 MRO for Drones (Safety & Repairs)
1200 - 1300 Starting your Drone Business (Tips for entering the industry)

Saturday 2 March – Robotics & Robots at Home & School, Room 6
1000 - 1100 Buying a Robot (What and where to buy)
1130 - 1230 Study Robotics (TAFE & Universities)
1300 - 1400 Play with Robots (Science & Games clubs)

Sunday 3 March – DroneZone RPAS Conference, Room 5
0930 - 1130 Drones for Film & Photography (Flying the Lens - Masterclass)
1200 - 1400 Drone Pilot Training (CASA Licensing & Registration)
1430 - 1630 Drones for Sport & Recreation (Drone Racing and Sports Entertainment)

Sunday 3 March – Robotics & Robots at Home & School Seminars, Room 6
1000 - 1100 Buying a Robot (What and where to buy)
1130 - 1230 Study Robotics (Secondary, TAFE & Universities)
1300 - 1400 Play with Robots (Science & Game clubs)

The Responsive Drones & Robotics Conference is a joint initiative of DRASTICnews.com and the DroneZone DownUnder Showcase.

This is an opportunity to be part of a special exhibition and distribution of a co-branded print and digital edition for primary online websites and media centres across the Avalon International Airshow 2019. The Responsive Drones & Robotics Conference and DRASTICnews.com will receive additional promotional and marketing exposure via www.airshow.com.au, www.dronezonedownunder.com.au and the channels of www.mysecuritymedia.com.

For more information visit our website: www.dronezonedownunder.com.au or contact Rodd Craig - M: 0457 848 104 E: rcraig@amda.com.au

www.airshow.com.au

…019 is organised by Aerospace Australia Limited (ABN 63 091 147 787). A not-for-profit corporation limited by guarantee and registered as a charity, its mission is to aviation and the development of Australia's industrial, manufacturing and information/communications technology resources in aviation, aerospace and defence.

Trade promotions started with the Farnborough UK Airshow, followed by:
Aviation AIA Conference, 30 - 31 July – Nelson, New Zealand
D & I Conference & Dinner, 1 - 3 August – Canberra
Land Forces Expo & Conference, 4 - 6 September – Adelaide
IAC, 1 - 5 October – Bremen, Germany
AUSA, 8 - 10 October – Washington, USA
Euronaval, 22 - 26 October – Paris
UK Security Expo, 28 - 29 November – London

Receive exposure across 160,000+ visitors to the show and the 10,000+ visitors through the DroneZone, including industry, federal and state governments and international buyers.


Australian Schools, Cyber Security and Data Protection

By Pip van Wanrooij

Australian schools have been identified as soft targets by online criminals. This is due, in part, to the numerous points of access within school networks and a general lack of cyber security awareness. It therefore makes sense to prioritise data protection legislation in this area, as responsibilities and rights to privacy currently dominate the debate. This deficiency in understanding, and inadequate controls for managing personal and sensitive information, mean that cyber criminals are targeting schools like never before. The use of digital technologies and social media apps for learning, Bring Your Own Device (BYOD) and the lack of security architecture within school environments is making the data of students and teachers ripe for the picking.

Digital Technologies versus Cyber Security

The integration and usefulness of technology within the classroom, as an essential element of learning and development, is unquestionable. Yet the lack of cyber security awareness, end-user education and general digital competency across all learning disciplines in this space is a major concern. In these changing times, the ramifications of data breaches can and will affect a student’s or teacher’s identity management, right to privacy, reputation, professional and personal life and financial security.

GDPR and Australian Schools

After four years of debate, the General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016, with an enforcement date of 25 May 2018. Organisations in non-compliance may face heavy fines. The GDPR centres on imposing more rigorous obligations and accountability on those responsible for collecting and managing data in its various forms. Reducing online vulnerability, misuse and theft of confidential data is key to this new data protection legislation in the EU. Handling of confidential data, issues of consent, data portability and increased accountability all require continuous monitoring and measurement.

What is the impact of the GDPR and why does it need to concern us here in Australia?

The GDPR and the Australian Privacy Act 1988 share many common requirements, including: the need to implement a privacy by design approach to compliance; the need to demonstrate compliance with privacy principles and obligations; and the requirement to adopt transparent information handling practices. There are also some notable differences, including certain rights of individual EU citizens (such as the ‘right to be forgotten’) which have no equivalent under the Australian Privacy Act.

Recently the media have drawn attention to a number of massive data breaches within the health and education industries. Highly confidential health data and identity information has been broadcast into cyberspace. Once out there, the potential for misuse, disruption, identity theft or financial fraud is huge. Immediate instruction for all educational stakeholders is required to ensure they understand what constitutes a data breach, the legal and financial implications of poor data security, and how this can directly affect students’ and a school’s data privacy and security. A balance is required between embracing the benefits of digital technology and taking care to maintain continuous cyber security awareness. This includes identifying and changing flawed security beliefs among those in the school community, and at the federal and state government levels.

Future scope of data breaches for schools

Cyber-attacks will continue to impact the school community. Insurance costs for educational institutions will require increased investment as inadequate data security practices continue to expose the personal information of individuals within schools and educational institutions. Improved awareness and understanding of data protection and cyber security may help future-proof this sector, decrease data exposure and lessen the fallout from compromised data. Guidelines, policy and best practices are the first steps in cultivating a better approach to minimising the vulnerability of school networks, educating educational institutions and reducing legal liability.

About the Author
Pip van Wanrooij is an educator and security-focused professional with a background in higher education, research, technology and international engagement across various locales in Asia, Europe and Australia. She is currently collaborating with WA local councils on cyber literacy programmes and improving digital technology understanding and capability. As a speaker she has presented on cyber security awareness and data privacy at educational institutions, businesses and K-6 school communities.

The ongoing trends in cyber defence

By Milica D. Djekic

Security is a never-ending game between threats and those who invest significant effort to prevent, manage and respond to them. Put simply, it is a war between the good guys and the bad guys, in which both sides use every weapon available to win. In cyber defence, those weapons are technological advancements applied to computers, the web and mobile systems.

Some sources describe defence as risk management. Risk, in this sense, is the potential of someone or something to negatively impact an environment; in cyber security that environment is cyberspace, meaning any digital surroundings that serve to exchange information and carry data. The vital asset in this environment is information. Here, information is taken to mean content we are not yet familiar with; once we know what it is, we are dealing with data. In practice this means information is known at its source, and while it is in transit or at its final destination it becomes known to the rest of the network.

The digital world recognises only 0s and 1s, the binary signals, and these two states correspond to particular voltage ranges. Such systems are not intelligent in themselves; they depend entirely on human effort. During research and development it is therefore important to resolve the many practical issues that give a technological solution its apparent intelligence. If you carefully anticipate all feasible scenarios, your solution will be capable of handling many different situations; otherwise it will stand silent before the practical cases it was not designed for.

The foundations of computer science and digital technology go deep into the history of mathematics and science. Long before humans invented the first digital devices, the branch of mathematics known as binary logic already existed. Looking back, we find evidence that many skilled people worked on logical problems without seeing any connection to possible technological improvements. The 20th century brought a boom in that field, and the digital era began. The origins of mathematical logic, as well as of cryptography, reach far back into the ancient history of Europe. Europe is commonly regarded as the cradle of our civilisation, and many European expeditions travelled the world in past centuries to discover new lands.

So how is human history connected to the development of the digital sciences? The answer is not simple. The technological revolution that brought us electricity took place in the 19th century, and at the same time many mathematical theories of binary logic were developed. With progress in electrical engineering, people began to consider how that mathematics could be applied in practice. They invented the switch, and a revolution began. A switch is an electrical element that lets current flow only when it is closed; when it is open, no current flows through the wire. If we can work with these two states, open and closed, or in other words with 0 and 1 signals, we can put our entire body of mathematical theorems into the service of these advancements. Given a well-developed mathematical theory resting on rigorous logic, and electrical elements that can carry 0 and 1 signals, it becomes possible to give birth to a whole new branch of science and technology. Electrical systems using high voltage are known as electrical power systems, while those working with low voltage are electronics; it follows that digital technologies are mainly electronic by nature.

Today’s marketplace is flooded with devices described as intelligent, smart, embedded or mechatronic. These devices do only what humans have instructed them to do, so they possess little intelligence of their own. Many modern digital solutions are inspired by biological systems, and it is not rare for a technology to attempt to mimic human thinking and behaviour.

One of the ongoing tendencies in cyber defence is that attackers’ tools are becoming more and more sophisticated. The same is happening on the defensive side, because defenders must be capable of responding to current challenges. The trends indicate that more and more people around the globe have internet connectivity, and the ongoing flow involves ever more Internet of Things (IoT) solutions. There is also a plenitude of wireless technologies that mainly serve our needs on the move. The main imperative of today’s society is increasing mobility, and cutting-edge trends follow that requirement.

Finally, some conclusions. This article is only an attempt to start a much deeper story that should give a comprehensive overview of cyber security and its applications. The ongoing trends in cyber defence suggest that it is important to understand the foundations of computer science and engineering in order to adapt your cyber experience to existing needs. As is quite obvious, the digital age did not arrive all at once; it is the product of a long past and of many attempts and mistakes that brought us to the current situation in the world. Moreover, it is important to know the history of something in order to better understand the present and, consequently, to be ready for the future.

Insider Threats: Operational, tactical and strategic insights
By Milica D. Djekic

According to one definition, an insider threat is the potential for an individual to misuse his authorised or unauthorised access to a community in order to affect it in a negative manner. Insider threats are usually correlated with cyber security, because the majority of operations in developed economies require their staff to use computers, the internet and mobile technologies. As is well known, insider threats can be unintentional or malicious by nature. Unintentional insider threats are members of a community who carelessly release confidential information. They expect no financial reward for such an action and are not connected with any malicious actor's group. On the other hand, there are real malicious actors who become part of an enterprise and would do anything to cause harm to their employer. These people are paid for their arrangement and commonly receive support from an organised crime or terrorist group. So, when we talk about this sort of crime scheme, it is important to mention that such a case needs detailed investigation, because these actors frequently operate as a team organised at the operational, tactical and strategic levels.

At the beginning, we could try to review how cyber technologies can be misused to give some advantage to malicious actors who are part of an organisation. The fact is that the entire globe is becoming networked and there are billions of network users on the planet. These people deal with their accounts, multimedia platforms, social media and so on. In such a case, it is clear that anyone gaining access to a company's infrastructure could attempt to share his privileges with someone outside that community. That is how organised crime and even terrorism enter the legal system. The good question here is what their aims are in such a case. We can say that their goal could be to weaken a business and, seen from a much wider perspective, if you can make one business collapse, you could do so to many of them by applying the same criminal scenario. What is the motive for the bad guys to do so? In our opinion, it is the desire for power. If a country's economy goes down, that society becomes suitable ground for organised crime and terrorism. We know that poverty and lack of proper education can be key factors in developing bad social habits and negative selections. Once you have such a situation, your community becomes a paradise for crime. Additionally, this sort of threat could cause conflict zones to appear in the world, which would also mean a boom in crime! The best methods for preventing an organisation from becoming the victim of malicious insider threats are following best cyber security practice and maintaining well-developed awareness-raising training and programs. If many businesses shrink, the entire economy shrinks, and as no society is isolated from the rest of the world, such a situation could be reflected across the entire region and, further, the rest of the world. This may appear a quite handy scenario for triggering a Great Recession, and in reality there is a huge feasibility that things work like that.

So, what is also important to know about malicious insider threats is that they operate as part of a malicious organisation and very often serve at the operational level for their patrons. Just as we have a strict hierarchy within the defence and intelligence communities, there is a quite rigid hierarchy among organised crime and terrorist syndicates, too. Every malicious organisation has its masterminds who formulate the strategies for its actions, and the bad guys at the bottom of the scale execute those plans. The members balancing between the strategists and the operational folks are recognised as the tactical-level criminals. These people are familiar with the strategy to some extent and also skilfully manage the operational members on their tasks. The big question here is how criminal enterprises get information about the selection process within a company. The answer is quite clear: they use the services of the cybercrime underground, which breaches many organisations in order to gather as much information as possible about that asset from the outside. We hope it is obvious why following best cyber defence practice can be of crucial significance in preventing these cases. If we add that cybercrime could soon cost the global economy several trillion dollars per annum, it becomes clear that hacking operations could be a convenient method for shaking the global economy as well. So, operational, tactical and strategic actors are those who conduct the entire scenario and try to make all of us shrink before them. It is also important to highlight the role of law enforcement agencies, which should have the skill, experience and expertise to recognise and resolve such a situation. In other words, we need helpful mechanisms to prevent such crime, resolve it in case it happens, and finally use crisis management skills to recover our organisation from a disadvantage.

In conclusion, this discussion can be understood as an attempt to provide better insight into a challenging topic such as insider threats. This effort could serve as a good starting point for future research and also raise our awareness of that ongoing concern. It is not easy to recognise an insider threat within today's complex and dynamic environment, but we hope that coming studies will support us in our attempt to protect ourselves from crime. At the least, this could be a useful direction for security professionals on how to manage that sort of risk.

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and is also the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert's channel and the Cyber Security Summit Europe held in 2016. Her fields of interest are cyber defence, technology and business.


BAD THINGS COME IN SMALL PACKAGES
By Jason Hilling, Senior Director for NETSCOUT Arbor, Asia

Distributed Denial of Service (DDoS) attacks come in many guises. One of the more popular these days is the application-layer attack, sometimes called a layer seven attack, because it targets the top layer of the Open Systems Interconnection (OSI) model, which supports application and end-user processes. Unlike volumetric attacks, which overwhelm networks quickly by consuming high levels of bandwidth, application-layer attacks are more subtle and insidious – and much more difficult to detect and block. Posing as legitimate application users, attackers target specific resources and services, sending repeated application requests that gradually increase in volume and eventually exhaust the ability of the resource to respond. Widely regarded as the deadliest kind of DDoS attack, application-layer attacks can inflict significant damage with a much lower volume of traffic than a typical volumetric attack, making them difficult to detect and mitigate proactively with traditional flow-based monitoring solutions. While service providers can detect and block volumetric attacks as well as larger application-layer attacks, smaller application attacks can easily escape detection in the large Internet Service Provider (ISP) backbone, while still being large enough to cause a problem for the enterprise network or data centre.

A Growing Threat

Application-layer attacks figure prominently in the DDoS threat landscape. HTTP and secure HTTPS services are targeted frequently, rendering them unavailable to legitimate requests. In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web-based applications. For a bank or an online retailer that depends on its web presence to attract and serve customers, the impact can be catastrophic. Not only does the attack prevent the normal operation of the business, but it can also make a site invisible to search engines, or at least bump it from the front page of search results.



Protecting Apps is Not Enough

IT security teams are often under the mistaken impression that a Web Application Firewall (WAF) provides adequate protection against application-layer attacks. Since applications are the targets, this seems logical on the surface. And WAFs are certainly necessary to filter or block attempts to gain access to servers or data. But they are vulnerable to state or resource exhaustion. The problem is that what starts as a trickle of legitimate-looking app service requests eventually turns into a flood, and application-level defences won’t recognise the flood of legitimate requests as an attack at all. Another problem is that the application-layer attack is often just part of a larger “blended” attack employing multiple attack methods, which may not be targeting the application layer that a WAF is analysing. For these reasons, a DDoS perspective is necessary to detect and thwart application-layer attacks. Without a dedicated DDoS solution, security teams may not even realise they are under attack when their site goes offline. They’re left scrambling to restore service on the fly, diverting IT resources and eating up hours or even days that can translate into millions of dollars of lost business.

The First Line of Defence

DDoS attacks have changed significantly in size, frequency and, most importantly, sophistication. They’ve also changed in terms of duration: as identified by NETSCOUT Arbor's 13th Annual Worldwide Infrastructure Security Report, the average duration of a DDoS attack in 2017 was around 46 minutes, down from 55 minutes last year. However, do not equate length with risk, because the impact could last much longer. For example, say an online retailer’s website is brought down by a DDoS attack during a busy sales period. The multiple back-end systems which rely on it to communicate can take much longer than 30 minutes to synchronise and come back up.

An intelligent on-premise system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defences through cloud signalling. The best place to deploy application-layer DDoS detection and mitigation measures is at the traffic entry point at the edge of the enterprise data centre or ISP infrastructure – ideally outside the firewall. Because of the small scale of these attacks, they are harder to detect and stop once they have worked their way into the data centre or network. Application-layer attacks contradict the perception of DDoS attacks as large-scale threats that overwhelm defences and incapacitate networks through sheer brute force. Network guardians need to be on the lookout for these smaller but smarter threats that can work their way through the slightest openings. One final point: on-premise doesn’t just mean the enterprise network itself. It’s also about the migration to “the cloud”, and the need to provide the same kind of on-premise protection for assets hosted in either public or private cloud environments, which have the same application-layer vulnerability to DDoS that you have in the on-premise data centre. Enterprises should make sure that as they move critical assets to the cloud, they are providing the same level of application protection there.
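The detection gap the article describes, a per-resource request count that climbs from a trickle while the byte rate stays far below any volumetric threshold, as an added example that is not NETSCOUT Arbor code: a small detector over web access logs in Common Log Format, run against a constructed sample log (the function names, thresholds and sample addresses are this example's own).

```python
"""Flag a low-and-slow application-layer ramp in web access logs.

Added example. The signal is the request count per path per time window
rising over consecutive windows; the byte rate is reported only to show
how far below a bandwidth-based (flow) threshold such traffic stays.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Common Log Format line, e.g.
# 203.0.113.7 - - [10/Sep/2018:13:01:02 +0000] "GET /search?q=a HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Return (timestamp, client_ip, path_without_query, bytes) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return ts, m.group("ip"), path, int(m.group("bytes"))


def requests_per_window(lines, window_seconds=60):
    """Bucket requests per path and per fixed time window.

    Returns {path: {window_index: [request_count, byte_count]}}.
    """
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    if not parsed:
        return {}
    t0 = min(p[0] for p in parsed)
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, _ip, path, nbytes in parsed:
        w = int((ts - t0).total_seconds() // window_seconds)
        buckets[path][w][0] += 1
        buckets[path][w][1] += nbytes
    return buckets


def detect_ramp(lines, window_seconds=60, baseline_windows=3,
                ramp_factor=3.0, min_rise_windows=3):
    """Flag paths whose request count rose for `min_rise_windows`
    consecutive windows and now sits `ramp_factor` times above the
    baseline (mean of the first `baseline_windows` windows).
    """
    buckets = requests_per_window(lines, window_seconds)
    alerts = []
    for path, per_win in buckets.items():
        last = max(per_win)
        counts = [per_win[w][0] for w in range(last + 1)]  # empty windows count as 0
        if len(counts) <= baseline_windows + min_rise_windows:
            continue  # not enough history to judge a trend
        baseline = max(1.0, sum(counts[:baseline_windows]) / baseline_windows)
        tail = counts[-(min_rise_windows + 1):]
        rising = all(b > a for a, b in zip(tail, tail[1:]))
        if rising and counts[-1] >= ramp_factor * baseline:
            kbps = per_win[last][1] * 8 / window_seconds / 1000
            alerts.append({"path": path,
                           "baseline_per_window": baseline,
                           "latest_per_window": counts[-1],
                           "latest_kbps": round(kbps, 1)})
    return alerts


def make_sample_log():
    """Constructed sample log (not captured from any real system): steady
    legitimate traffic to /search and /home from six clients, plus requests
    to /search that double every minute from minute 3 onward while the
    byte rate stays in the tens of kbit/s.
    """
    base = datetime(2018, 9, 10, 13, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(minute, sec, ip, path, nbytes=512):
        ts = (base + timedelta(minutes=minute, seconds=sec)).strftime(
            "%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {nbytes}')

    for minute in range(10):
        for i in range(6):  # legitimate background: 6 requests/min per path
            emit(minute, i * 10, f"198.51.100.{i}", "/search?q=news")
            emit(minute, i * 10 + 5, f"198.51.100.{i}", "/home")
        extra = 0 if minute < 3 else 3 * 2 ** (minute - 3)  # 3, 6, 12, ... 192
        for j in range(extra):
            emit(minute, j * 60 // extra, f"203.0.113.{j % 50}", "/search?q=report")
    return lines


if __name__ == "__main__":
    for alert in detect_ramp(make_sample_log()):
        print(alert)
```

On the sample data only /search is flagged, at 198 requests in the last minute against a baseline of 6, while its byte rate is still around 13 kbit/s.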


Stuff GDPR!?

By Guillaume Noé

Where are the hordes of cold and scary European privacy policy enforcers? Can you see them slowly roaming and moaning in French, German and other private languages in Sydney, Melbourne, Brisbane or in other parts of Australia? Look around! It is here! We should all be afraid and prepare for an ultimate onslaught of privacy regulation that has been compared to the upcoming winter in Game of Thrones. Not even Jon Snow and his feisty fellow Rangers of the Night's Watch could do anything to help the careless unprepared. It may be too late. You may already draft a cheque of €20 million addressed to the European Union. You may also consider ruling out doing business with those hypersensitive privacy European Unionist snobs! Alternatively, you could assess the real risk of non-compliance to your business and the opportunity that complying could provide. You could then make an informed business decision to either ignore it or make the most of it.

GDPR is Confusedly Here!

Welcome General Data Protection Regulation (GDPR)! Congratulations to the European Union, the proud collective parent of the awaited privacy regulation. The regulation weighs 88 pages (in English) and is now enacted following months of apocalyptic-level warnings. We have certainly been warned that “GDPR is coming!” and "The biggest change you’ve never heard of", asked “Are you prepared?”, and reminded “It’s not too late to get ready”. You may also have been confused on the subject and wondering whether you should care about it at all. For example, an article published on the Australian Computer Society (ACS) website quotes a cybersecurity vendor representative, supposedly positioned as a GDPR expert, on the criteria of applicability of the regulation. The article states that "Officially, GDPR will only apply to companies with over 250 employees". It is unfortunately inaccurate and ill-informed. The regulation provides no provision for such a full exemption. It officially applies to all businesses managing EU residents' personal data, independently of business size, at least for the most part of the regulation's requirements. The only exception applies to some record-keeping requirements under specific conditions. Other “advisors” also provide misleading information on social media, such as that the applicability of the regulation would depend on whether a business has a local office in the EU. There is also no such provision in the regulation. To avoid any confusion on GDPR, consult:
• The official regulation text from the EU Law website; or, for a shorter version,
• The excellent summary provided by the OAIC under Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation.

Ruling out business with the EU?

I was privy to a passionate debate on the subject of GDPR held within an Australian FinTech start-up community, where a CEO said he was considering excluding the EU from his business plan. GDPR would bring his business challenges outweighing potential business benefits in the EU region in the short term.

Key GDPR challenges

The CEO shared his assessment. He would face the following two biggest GDPR challenges:
1. ‘Right to be forgotten’, “which causes all sorts of issues when trying to design systems where payments (for which data must be kept) and non-payment information (which users can demand to be deleted) is involved”; and
2. ‘Access to own data’, “you have to give people access to their own data. Sounds easy, right? Unless you transform their data in a way that reveals internal business processes, and even worse, if you create data that joins individuals who can both demand their data be released yet are required to have their data kept secret.”
The start-up assessed that “Both of the above will require you to create new interfaces, new business processes and new security systems to prevent abuse (e.g. when someone asks for all their data, how do you give it to them if they can’t access their account for whatever reason?)”.

EU Privacy Compliance vs AU Business Priority

Challenged on his assessment, “can you really ‘afford’ not to care about the privacy of your customers as a priority?”, the CEO added: “I care about my user’s privacy deeply, to the point of making it harder for me to develop my product”, but “the ‘right to be forgotten’ adds substantial overhead to the management of legitimate collection and use of data (it might even make it impossible to legally run some businesses!)”. He also added that the EU only represented 10% of his target market globally. The CEO conducted a thoughtful assessment of the implications of GDPR compliance on his business and tested those implications against potential business return in the EU. He made an informed business decision to deprioritise the EU market, for now, in view of the effort and cost of complying with the regulation.

What is the risk to Australian companies?

Businesses may find it difficult to appreciate how GDPR sanctions could eventually be enforced upon them in Australia, and consider disregarding the regulation because:
• Local privacy sanction precedents are few and minor;
• Local maximum sanctions poorly compare with the EU;
• The protocol for GDPR sanction enforcement on non-EU members relies on a desired international collaboration (good will); and
• Australian organisations with a turnover lower than $3M are exempt from complying with local privacy regulation.

Sanctions

In Australia, the maximum penalty for breaching the Australian Privacy Act is $2.1M. What organisations have been sanctioned in the past?
• Telstra was fined $10,200 in 2014 and warned over privacy breaches after an information leak exposed almost 16,000 of its customers’ private data online.
• Freelancer was fined $20,000 in 2016 by the Office of the Australian Information Commissioner (OAIC) for damages to a European former account holder and for breaching the Privacy Act.
• Any other disclosed cases.
In comparison, EU countries have numerous cases of example-setting sanctions. For example, in France the CNIL (the French privacy watchdog and supervisory authority under GDPR) maintains a public list of sanctions (23 cases at the time of writing), including hefty fines such as €100,000 (~$155,000) for Darty in January 2018 (before GDPR). The maximum penalty under Australian regulation also poorly compares with the scale of the GDPR administrative fines, by a factor of 15 (€20 million, ~$31M, or 4% of global turnover, whichever is greater, under GDPR vs $2.1M under the Australian Privacy Act). In addition, the Australian Privacy Act provides an exemption from compliance for Australian organisations with a turnover of less than $3M. There is no turnover threshold under GDPR.

Enforcing sanctions in Australia

Under GDPR, the applicability of administrative fines or sanctions to non-EU jurisdictions relies on a desired international cooperation based on reciprocity: "supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders... there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts" (GDPR clause (116)). OAIC resources on GDPR, such as this article, provide no clarification on a potential enforcement protocol, aside from a generic statement of commitment to internationally coordinated approaches to privacy regulation. I enquired directly with the OAIC and asked in writing: "How would GDPR sanctions be enforced in Australia?". The OAIC kindly replied that in essence they could not advise on the subject (well, who can then?).

The Bright Side of Consumer Data Protection

Complying with consumer data protection and privacy regulations, such as the EU GDPR or the Australian Privacy Act, may come at the cost of changing processes, technologies and, importantly, organisational cultures. Australian businesses doing, or contemplating doing, business overseas have the choice to comply with local regulations such as GDPR, disregard them and accept a risk, or forfeit doing business in some countries. It is a business risk decision. Whether opting to comply with privacy regulations or not, investing in better consumer data protection practices has a very bright upside, because customers have growing privacy concerns and business is lost over privacy concerns, according to the OAIC's Australian Community Attitudes to Privacy Survey 2017 (ACAPS). Mounir Mahjoubi, the ‘geek’ who saved Macron’s French presidential campaign from cyber attacks and now French Secretary of State for Digital, brilliantly called out the opportunities that GDPR and better consumer data protection practices provide to businesses. Mahjoubi suggests (in a speech) making the most of compliance requirements. With better data protection, businesses can:
1. Serve their clients in better ways;
2. Build new services and innovative ways to manage data;
3. Optimise the usage of data; and, very importantly,
4. Improve data security and better manage business risk.
When it can be prioritised and afforded, complying with consumer data protection and privacy regulations such as GDPR can be a very valuable business risk management practice and a valuable business differentiator at the same time.
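One way to reconcile the two challenges the CEO describes, erasure on request against payment records that must be kept, and subject access without exposing other individuals, as an added example that is neither the start-up's nor the author's code: identity data and the payment ledger are held in separate tables linked only by an opaque subject id, so erasure removes the identity while the ledger row survives unlinkable (the class, fields and sample values are this example's own).

```python
"""Added example: erasure-with-retention and subject export over a
store that keeps identity data apart from the payment ledger."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SubjectStore:
    """The ledger references people only by an opaque subject id, so a
    payment record can outlive the identity it belonged to."""
    profiles: dict = field(default_factory=dict)   # subject_id -> identity data
    ledger: list = field(default_factory=list)     # payments, subject ids only
    tombstones: set = field(default_factory=set)   # ids whose identity was erased

    def register(self, name, email):
        sid = secrets.token_hex(8)   # random, not derived from name or email
        self.profiles[sid] = {"name": name, "email": email}
        return sid

    def record_payment(self, payer_id, payee_id, amount_cents, ref):
        for sid in (payer_id, payee_id):
            if sid not in self.profiles and sid not in self.tombstones:
                raise KeyError(f"unknown subject {sid}")
        self.ledger.append({"payer": payer_id, "payee": payee_id,
                            "amount_cents": amount_cents, "ref": ref})

    def erase(self, sid):
        """Right to be forgotten. The identity record is deleted and the id
        tombstoned; ledger rows are untouched because they must be kept,
        but they now point at an id that no longer resolves to a person.
        Returns the number of retained ledger rows referencing the id."""
        if sid not in self.profiles:
            raise KeyError(sid)
        del self.profiles[sid]
        self.tombstones.add(sid)
        return sum(1 for p in self.ledger if sid in (p["payer"], p["payee"]))

    def export(self, sid):
        """Subject access request. Returns the person's own profile and
        payments; the other party on each payment is reduced to the
        requester's role, so no other subject's id leaves the system."""
        if sid not in self.profiles:
            raise KeyError(sid)   # erased or unknown: nothing to export
        payments = []
        for p in self.ledger:
            if sid not in (p["payer"], p["payee"]):
                continue
            payments.append({"role": "payer" if p["payer"] == sid else "payee",
                             "amount_cents": p["amount_cents"], "ref": p["ref"]})
        return {"profile": dict(self.profiles[sid]), "payments": payments}
```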


How quantum cyber security can make data breaches irrelevant By Vikram Sharma, Encryption Expert and CEO and Founder of Quintessence Labs

For me, this is a particularly exciting time in the history of secure communications. Recently, we've seen the effects of cyber-attacks on the business world. Data breaches have caused losses of hundreds of millions, if not billions of dollars. It wouldn't take many large attacks to ravage the world economy. About 15 years ago, when I learnt of a newfound ability to create quantum effects that don't exist in nature, I was excited. The idea of applying the fundamental laws of physics to make encryption stronger really intrigued me. How does this work? Well, there are three important elements in encryption:
1. An encryption key
2. The key exchange
3. The encryption algorithm
The encryption algorithm is like a lock, which encodes and decodes the document. Using the key, it encodes the text in the documents, converting them into random numbers. If someone were to open the document without the encryption key and the algorithm, they wouldn't be able to read the documents; it would simply look like a bunch of random numbers. Most security systems rely on a secure method for key exchange to communicate the encryption key to the right place. However, rapid increases in computational power are putting at risk a number of the key exchange methods we have today. In recent years, there's been a growing body of research looking at using quantum effects to make encryption stronger. With advances in quantum computing, which leverages the microscopic properties of nature to deliver unimaginable increases in computational power, it’s never been more important to encrypt. Quantum computers are so powerful that they will crack many of the encryption systems we use today. Random numbers are the foundational building blocks of encryption keys. But today, they're not truly random. Currently, we construct encryption keys from sequences of random numbers generated from software, so-called pseudorandom numbers. Numbers generated by a program or a mathematical recipe will have some pattern to them, however subtle. For years, researchers have been looking at building true random number generators, but most designs to date are either not random enough, not fast enough, or not easily repeatable. But the quantum world is truly random: devices that can measure quantum effects can produce an endless stream of random numbers at high speed. At QuintessenceLabs, our quantum random number generator is the world's fastest. It measures quantum effects to produce a billion true random numbers per second. It is used today to improve security at cloud providers, banks and government agencies around the world. But even with a true random number generator, we've still got the second big cyber threat: the problem of secure key exchange. Current key exchange techniques will not stand up to a quantum computer. The quantum solution to this problem is called quantum key distribution, or QKD, which leverages a fundamental, counterintuitive characteristic of quantum mechanics: that the very act of looking at a quantum particle changes it. Consider again the encryption “lock.” Instead of two parties directly exchanging a key to decode a file, we instead use quantum effects on a laser to send the key over standard optic fibre. We assume a bad actor is trying to hack this exchange, but any attempt to intercept the quantum keys while in transit will leave detectable fingerprints, and allows those intercepted keys to be discarded. The retained keys can still be used to provide very strong data protection. And because the security is based on the fundamental laws of physics, a quantum computer or any future supercomputer will not be able to break it. My team and I are collaborating with leading universities and the defence sector to mature this exciting technology into the next generation of security products. The internet of things is heralding a hyper-connected era with 25 to 30 billion connected devices forecast by 2020. We're betting that quantum technologies will be essential in providing this trust, enabling us to fully benefit from the incredible innovations that are going to so enrich our lives, and a day when the breach is completely irrelevant.
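The interception fingerprint described above, as an added classical simulation that is not QuintessenceLabs code: a model of the BB84 quantum key distribution protocol in which an intercept-and-resend eavesdropper measures photons in guessed bases, so the sifted key shows a large error rate and is discarded. It assumes an ideal, lossless channel with no detector noise (real links budget for a small natural error rate); function names and thresholds are this example's own.

```python
"""Added example: BB84 with error estimation. Measuring a photon in the
wrong basis randomises it, so an eavesdropper who must measure to copy
the key leaves errors that Alice and Bob detect before using the key."""
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis reproduces the bit; measuring in
    the other basis gives a uniformly random outcome (the disturbance)."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def intercept_resend(bits, bases, rng):
    """Eavesdropper model: measure every photon in a guessed basis and
    re-send a fresh photon prepared in that basis with the observed bit."""
    eve_bases = [rng.randint(0, 1) for _ in bases]
    eve_bits = [measure(b, pb, eb, rng)
                for b, pb, eb in zip(bits, bases, eve_bases)]
    return eve_bits, eve_bases


def bb84(n, eavesdrop=False, seed=0, sample_fraction=0.25, qber_threshold=0.05):
    """One BB84 round over an ideal channel.

    Returns (alice_key, bob_key, qber). Both keys are None when the
    estimated quantum bit error rate (QBER) exceeds the threshold: the
    key material is discarded because interception left its fingerprint.
    """
    rng = random.Random(seed)
    # Alice: a random bit and a random basis (0 = rectilinear, 1 = diagonal)
    a_bits = [rng.randint(0, 1) for _ in range(n)]
    a_bases = [rng.randint(0, 1) for _ in range(n)]
    chan_bits, chan_bases = a_bits, a_bases
    if eavesdrop:
        chan_bits, chan_bases = intercept_resend(a_bits, a_bases, rng)
    # Bob: a random measurement basis per photon
    b_bases = [rng.randint(0, 1) for _ in range(n)]
    b_bits = [measure(b, pb, mb, rng)
              for b, pb, mb in zip(chan_bits, chan_bases, b_bases)]
    # Sifting over the public channel: compare bases only, keep matches
    sifted = [i for i in range(n) if a_bases[i] == b_bases[i]]
    if not sifted:
        return None, None, None
    # Error estimation: publicly compare a random sample of sifted bits
    # and throw those positions away regardless of the outcome
    sample = set(rng.sample(sifted, max(1, int(len(sifted) * sample_fraction))))
    errors = sum(1 for i in sample if a_bits[i] != b_bits[i])
    qber = errors / len(sample)
    if qber > qber_threshold:
        return None, None, qber
    keep = [i for i in sifted if i not in sample]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep], qber


if __name__ == "__main__":
    for eve in (False, True):
        _ak, _bk, q = bb84(2000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: QBER={q:.3f}, key kept={_ak is not None}")
```

With no eavesdropper the QBER is exactly zero on this ideal channel and the two keys agree; with intercept-and-resend it sits near 25%, and the round is discarded.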


Reinventing and scaling the SOC with AI: Helping humans, not replacing them By Alan Zeichick Tech Editor, NetEvents

When it comes to cybersecurity, there are no rules.

You can’t write rules that will differentiate good guys from bad guys on the Internet. That’s because the bad guys keep changing tactics, learning from their mistakes, and getting smart. You can’t write rules that will filter out all the malicious or phishing emails. You can’t write rules that will filter out malware in email attachments, or block fake websites, or say, “This is a safe packet payload, and this is a dangerous packet payload.” Well, a minor correction: You can write rules, but they won’t work well enough to replace SOC analysts, particularly the Tier 1 analysts that perform triage, with too many false positives, and too many false negatives. Fortunately, the goal isn’t to replace SOC analysts, but to help them be better, faster, and more effective at their jobs. Think about bomb-detection dogs. Their job isn’t to replace human explosives experts. Instead, dogs are used to augment humans – to do a job faster, at less cost, and with greater accuracy than humans could do alone. We don’t have malware-detecting dogs (yet), but artificial intelligence techniques, such as machine learning, can learn to protect users, organizations, devices, applications and networks. Applied AI can work better than any rule-based system in the SOC. Before exploring how AI can solve the SOC problem, let’s review some of the trickier aspects of the challenge, chiefly its inability to scale.

The SOC Problem is a People Problem

Want two words to define the SOC problem? Economic inefficiency. That’s according to Malcolm Harkins, Chief Security and Trust Officer at Cylance. “Over the past couple of decades of security operations, we’ve produced a growing need for labor. Thus, we have created the labor shortage because the existing controls have been insufficient and ineffective,” Harkins says. “In the SOC that’s resulted in a level of alert fatigue and what I call decision maker dementia for the executives who are pulled in too many different directions with competing priorities.” Alert fatigue? Decision maker dementia? Yes, says Harkins: “SOC executives can't figure out how to scale. We've not focused on the economic inefficiencies we have created with the approach we have taken to security. With the SOC revolution done the right way, we can gain the economic efficiencies back.” A related problem is scaling the SOC horizontally by adding more operations centers around the world to gain 24-hour follow-the-sun coverage, says Rishi Bhargava, Co-Founder of Demisto. “Distributed SOCs create problems because major incidents can’t be handled by one person, because the investigation can’t continue when that analyst goes home. So, how do you do the hand-off? How does the collaboration happen?” A third issue is skillsets, and maintaining training without all the alert fatigue. Greg Kiker, Global Senior Cybersecurity Consultant for Atos SE, explains, “You've got Tier 1 analysts, who you need the most of a lot of the time in a SOC, going through alerts. However, Tier 1 analysts don’t want to stay Tier 1 analysts for long. They’re in shortage; they want a lot of money for what they do, and the turnover rate and training demands are huge.” Greg Martin, CEO and Co-Founder of JASK, agrees: “This is exactly the problem with security operations! We're built on a flawed model. The Tier 1, Tier 2, Tier 3 security analyst model is outdated and needs to change. It doesn’t keep up with the current state of the threats we are facing.” “We have technology that we can automate handling alerts and doing triage,” Martin continues. “We no longer need level 1 SOC analysts. We need to give this work to machines and put our humans into higher-level roles within the SOC.”

Enter the Bomb-Sniffing Dogs

It won’t be with a bark, but rather with a beep: Artificial intelligence, particularly machine learning, Big Data analytics, and behavioral analytics, can and should sniff out anomalies. Not based on rules, but by patterns: Something looks wrong. This application is acting like it’s been hacked. This user isn’t behaving in the normal way. This wireline device has changed IP address, and that shouldn’t happen, so maybe it’s being spoofed. This server might have a bot on it. How does one add AI, and AI-based automation, to a security operations system? You start by understanding and reducing the problem, explains Cylance’s Harkins. “First and foremost, automation has to start with a complete look at your control architecture. Unless you have the right set of preventative controls you're going to have more response and reaction. So, you've got to do that because that will then lower the number of things that you need to deal with, in other words, reduce the number of alerts.” Harkins continues, “Even though you’ve reduced the potential for harm, you must recognize that you can’t eliminate all risk. You've simply cleared the clutter. Now you can start figuring out how to instrument your network, and then expand that instrumentation for additional coverage where your prevention capabilities don’t fully take a foothold.” Atos’ Kiker stresses the need to have openness everywhere. “When we choose AI and other technologies they have to be open now. They have to provide APIs. They have to work together. This is a huge baseline that's needed to start in automation. Not every technology is open.” “I think security is getting to openness,” agrees Demisto’s Bhargava, but he worries about interoperability and orchestration between automation and AI tools, ensuring they can work from a single policy playbook. “If you build a playbook, don't lock the playbook within your silo. So, it's like a lot of the environment where automation is being deployed, these playbooks are written in Python. Bad idea. Can you take Python script from one tool and run in another? No. Do it in exchangeable formats. For the industry, but especially for enterprises, openness should be part of the criteria — otherwise they are locked in.”

The Elephant in the Room

“AI is real. It's here. It's powerful technology. So let’s address the elephant in the room, which is AI,” said Cylance’s Harkins. “AI’s not going to solve world hunger today but when applied to tasks like identifying malware or automating tedious SOC jobs, it's a very powerful tool.” Don’t be left out, Harkins warns: “Companies that are not investing in AI are simply going to be left behind. Where we see AI really accelerating and providing value in the early days - because it is very much the early days of us using AI in cybersecurity - is around human augmentation.”

Rishi Bhargava, Co-Founder of Demisto; J.J. Guy, Chief Technology Officer, JASK; Greg Martin, CEO & Co Founder at JASK

The right applications of AI won’t replace humans, Harkins says, but make the humans significantly more efficient and effective. “When we use AI like that, maybe the humans will be doing new roles in the SOC that they weren't doing before – because they didn’t have time before. That is a really good thing. That is not a threatening thing. That is progress and that is what we need today.”

Don't underestimate the power of human augmentation, observed JASK’s Chief Technology Officer, J.J. Guy, citing Kasparov's Law: weak human + machine + better process is superior to strong human + machine + inferior process. “It took 20 years for IBM to develop Deep Blue’s chess-playing ability to where it could beat Garry Kasparov,” recalls Guy. “However, what emerged is that a mediocre chess player paired with Deep Blue was able to beat Garry Kasparov long before Deep Blue could do that by itself. A human using intuition and judgment, aided by the artificial intelligence, blew Garry Kasparov out of the water.”

The goal of AI in cybersecurity isn’t to beat humans, but to help them, Bhargava adds. “You're not trying to use AI to beat the smartest analyst in your SOC. That's not the goal. But can you use the AI help and the automation help to get that baseline a little bit above so that the baseline work is done by these tools? Yes. You escalate the analyst and then you take that baseline above in the next year and then you move it up. So, this is how you make progress.”

Not Going to the Dogs

Bomb-detection dogs make the humans much more efficient at finding explosives because dogs have brains that can be trained, and possess olfactory sensors that people lack. Sure, dogs get occasionally distracted (squirrel!), and their canine brains don’t work the same way as human brains. That’s okay. Dogs don’t need to be like humans. They need to be good at being bomb-sniffing dogs – and therefore, augment human soldiers or security agents to be much more effective at detecting threats. That’s the best use of AI to help scale the SOC. After all, dogs don’t know rules. They just know that something smells like something they’ve been trained to detect. Bark!

Australian Cyber Security Magazine | 63


Cyber Security

Cognitive bias in security

We have new tyres, but the car’s still burning…

By Elliot Dellys

Had you believed the headlines over the last twelve months, some of our most commonly used technologies would now be unusably insecure, including Bluetooth, WPA2, and any Intel or AMD processor made after 1995. Add to that the constant, ominous threat of the latest and most terrifying form of ransomware, and you could be excused for thinking that securing your devices and networks is a lost cause. Yet just as quickly as these threats appear, they often seem to fade away. While of course this is largely due to the protection offered by security patches, I believe there is something more interesting at play. The Chicken Little syndrome that infects so many organisations in the aftermath of an announcement of a new vulnerability or malware strain is undeniably pervasive and can cost organisations millions in wasted time and resources.

In the last issue we looked at Spectre and Meltdown – attacks that leveraged speculative execution with potentially disastrous results, including sensitive information disclosure and browser-based remote code execution. However, we also uncovered why these vulnerabilities are unlikely to be your organisation’s most pressing cyber risk. Using the analogy of worrying about the tyres of a burning car, I proposed that security decision-makers can easily fall foul of paying disproportionate attention to the new and exciting, while continuing to overlook the enduring and mundane, exposing organisations to risks that are far more potent.

In this issue, we will look at how the 24-hour news cycle may affect public debate and lead to security decisions that are unnecessarily influenced by hype. We will also look at trending security search-term data over the last 12 months, contrasted against breach and security expenditure statistics, to demonstrate how this cognitive bias may play out at scale. To continue the analogy from Issue 4, organisations are buying new tyres, but wondering why their cars are still burning. To help manage this risk, I will offer some structured analytic techniques that can counter cognitive bias or group-think to ensure your security strategy is delivering the best possible return on investment.

First and foremost, the fact that vulnerabilities that are not being actively exploited in the wild can make front page news is a telling sign of the booming public interest in cybersecurity. While this trend has clear benefits for the industry and the communication of good security practices, there are some comparatively poorly understood drawbacks. One is that organisations that have not implemented basic security measures, have never conducted a phishing exercise, or are sitting on unactioned penetration test or audit findings, are consistently focussing time and effort on whatever vulnerability or malware strain is making the headlines. While wanting to know your organisation’s exposure to KRACK, BlueBorne or Meltdown/Spectre is not inherently wrong, security budgets are finite. Considering many of the highly publicised vulnerabilities or attacks over the last twelve months are difficult to exploit – or are yet to be seen outside of a lab at all – why are they the focus of so much attention? This is particularly curious when adhering to commonly-known and relatively simple security practices (i.e. regular patching) is often sufficient for mitigation.

Google Trends data on cybersecurity search terms. From left to right: WannaCry, Petya, KRACK, BlueBorne, Spectre and Meltdown. Note that each line represents relative and not absolute search volumes.

At least in part, the cause simply seems to be that the high-end threats make for better news stories. A self-propagating zero-day attack, capable of jumping from device to device via Bluetooth, is far more thrilling than an employee clicking on a link or improperly configuring an S3 bucket. Yet it is the latter that has been responsible for the leaking of hundreds of millions of records over the past 12 months. This disconnect between entertaining narrative and mundane reality is of course not unique to the security industry, but is the foundation of propaganda and (although I cringe using the term) “fake news”. It therefore makes sense to draw on a discipline not often seen in cybersecurity discussions to find an explanation. The study of media effects, a branch of communications theory that investigates how media consumption shapes human thought and behaviour, is clearly fit-for-purpose.

The earliest studies of the impact of the media on behaviour emerged following the growth of Hollywood in the 1930s and the profoundly disturbing impact of propaganda in Nazi Germany. Unsurprisingly, the theories that emerged from this historical context stipulated that people were passive sponges who were easily swayed by the mainstream media. We know these now as “hypodermic needle” or “magic bullet” theories, due to the perception that the media had a direct and irresistible influence in shaping public thought. Over time, as more data became available and greater academic rigour was applied, more nuanced theories emerged. One of the more enduring, and credible, is known as the “Uses and Gratifications” theory, which posits that the public selects and consumes media from a wide variety of sources to achieve a particular goal. This in turn can reinforce bias, as pre-existing beliefs are strengthened by a prejudicial selection of media.
In the context of security, only reading about the worst-case scenarios for a KRACK attack can solidify your existing beliefs or fears. This effect is no doubt compounded by the tendency of the media and security vendors to exaggerate or dramatise the impact of the latest security scare to boost readership or flog products. In the aftermath of the publication of the Meltdown and Spectre papers, headlines referred to the vulnerabilities as a “train wreck”, for which vendors were “scrambling” and the patches were a “disaster”. Language like this does little to temper the paranoia that can mask a business’ actual risk exposure.

What is more interesting still is the pattern of how we consume dramatic cybersecurity news. By plotting relative search-term interest (derived from Google Trends) for different security hot-topics over the last twelve months, it is possible to see a pattern of surging interest followed by an equally abrupt decline. Further, the frequency of these flurries of activity is so steady it almost resembles the intervals of a human heart rate on an ECG. While media attention and genuine risk exposure are by no means mutually exclusive, it is concerning to consider that strategic thinking could be driven by the 24-hour news cycle. A robust security culture is the product of diligence, patience and persistence in managing risks over time, with a keen eye for shifts in the threat landscape – not reactionary erraticism to whatever is on the cover of this month’s Wired (or the ACSM, for that matter!).

So, how do these spikes in activity align with the causes of security breaches at large? In Australia, some insight can be found from the Notifiable Data Breach Scheme’s Quarterly Statistics Report, which reveals that of the 63 reported breaches between 22 February 2018 (when the scheme took effect) and March, over 50% were due to human error. These figures are also reflected abroad. According to Gemalto’s 2017 Year in Review, 76% of breached records were due to accidental loss. Shockingly, this figure represents an annual increase of nearly 580%. Mismanagement of cloud repositories was a leading factor for this growth, with typically security-aware organisations, such as the National Security Agency and Accenture, falling victim to misconfigured S3 buckets.
Others, holding vast amounts of personally identifiable information, lost as many as 123 million (Alteryx) and 198 million (Deep Root Analytics) records due to AWS misconfiguration. Clearly, not getting the basics right can be disastrous. This is further reflected in the fact that only 3.12% of breach events affected encrypted data. At the very least, implementing simple security measures can be a deterrent, by increasing the time and effort required to mount an attack using the newest and most sophisticated techniques.

This begs the question for those with an eye on the security budget: what is the comparative financial risk for newly discovered vulnerabilities or attacks, compared to misconfiguration or human error? The Ponemon Institute’s 2017 Cost of Data Breach Study indicates that malicious or criminal attacks are the leading single cause of breaches and also the costliest per compromised record (at $154). However, malicious attacks collectively constitute less than half of all breach events, as system glitches and human error constitute 24% and 28%, respectively. Furthermore, although the per-capita cost is greater for malicious attacks – 18% higher than system glitches and 27% higher than human error – the expenditure typically allocated towards mitigating these risks is disproportionate. I often encounter organisations that invest heavily in addressing technical vulnerabilities through FTE, penetration testing and sophisticated security products, while configuration reviews and security awareness training remain largely undeveloped. I would encourage the reader to compare what proportion of their security budget goes towards training and educating the workforce; few are likely to find it is only 27% shy of that which is spent on addressing technical risks. The 2017 U.S. State of Cybercrime Survey indicates that adding new technologies and conducting audits and assessments alone account for 74% of the security investment of surveyed companies. This is despite the fact that phishing remains both one of the most effective methods of compromise (independent of the vulnerability or exploit used) and the most commonly reported cybersecurity event (36%). Evidently, there is a disconnect between the key causes of compromise and where we focus our attention and effort.
So, what can we do to limit the effect of this cognitive dissonance? Just as we leverage a technical solution for a technical vulnerability, cognitive vulnerabilities require cognitive solutions. In the last issue I referred to testing key assumptions, and there are several established methods for doing so. One of my preferred techniques is known as the Analysis of Competing Hypotheses (ACH). Developed by Dick Heuer Jr, a long-term Central Intelligence Agency analyst, ACH allows the practitioner to explicitly identify a wide range of reasonable alternatives to a given position, to enable the identification of new threat types and actors. The exercise begins by preparing a matrix with hypotheses across the top axis and evidence along the side, ideally contributed by a variety of stakeholders with different skill and knowledge sets to minimise bias. Individual pieces of evidence are then evaluated based on their relevance and diagnostic value for each hypothesis – by putting the evidence front and centre, preferences for specific hypotheses are cast aside. This process is repeated for each evidence item, until a list is produced of the most likely hypotheses and the evidence items with the greatest diagnostic value. Finally, participants attempt to disprove (rather than prove) as many of the remaining hypotheses as possible in a structured and objective manner. The final result is a full spectrum of weighted hypotheses – those that are likely, those that are less likely, and those that may be susceptible to change. This process, while time-consuming, can produce a uniquely comprehensive view of an organisation’s threat landscape, and can uncover assumptions or risks that may otherwise be overlooked.

Another technique, better-known amongst the cybersecurity community, is red-teaming. This is the practice of assuming the perspective of the adversary, to challenge underlying assumptions and discover new attack methodologies. The value of red-teaming is not solely limited to penetration testing however, and can be invaluable for crafting a mature security strategy. Again, the efficacy of the technique is largely a product of the selection of participants – often, those without a background in security can provide valuable insights that are devoid of preconception, bias or ulterior motives. The exercise is then run through a Socratic dialogue, with one party asking a series of questions, ranging from those with a direct relation to the subject at hand (e.g. “What would be the simplest way for me to get access to our organisation’s most sensitive data?”) through to the more ideological or psychological (e.g. “Why would I want to harm our company’s reputation?”; or “How would I react if the department told me my information had been breached?”). By undertaking a detailed, structured and open-minded dialogue, errors in reasoning, unchallenged assumptions, or new threats and untreated risks can arise that even organisations with robust security practices can miss.

Of course, no technique is perfect, and no organisation or individual is ever devoid of prejudice or bias. The key is to remain cognisant of the broader organisational context, so that when the media hype spikes, an unemotive and methodical approach to risk and vulnerability management is maintained. This is the most effective way to ensure that when the car starts flaming, your extinguisher is already at hand.
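As an added worked example, not from the article, the ACH matrix described above applied to this article's burning-car question, with the hypotheses, evidence items and credibility weights constructed for illustration; the scoring rule (weigh each hypothesis by the evidence it cannot explain) and the sensitivity check are assumptions about how to operationalise Heuer's method:

```python
from collections import Counter
from dataclasses import dataclass

# Rating of one evidence item against one hypothesis (Heuer's ACH scale).
CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass(frozen=True)
class Evidence:
    """One row of the ACH matrix: an observation and its rating per hypothesis."""
    description: str
    ratings: dict             # hypothesis -> CONSISTENT / INCONSISTENT / NEUTRAL
    credibility: float = 1.0  # 0..1 weight: how far the item can be trusted


def diagnosticity(item):
    """Share of hypotheses whose rating departs from the majority rating.

    Evidence rated the same way against every hypothesis cannot discriminate
    between them and scores 0.0, however compelling it sounds.
    """
    counts = Counter(item.ratings.values())
    return 1.0 - max(counts.values()) / len(item.ratings)


def most_diagnostic(evidence):
    """Evidence worth arguing about, highest diagnostic value first."""
    ranked = sorted(evidence, key=diagnosticity, reverse=True)
    return [(e.description, diagnosticity(e)) for e in ranked if diagnosticity(e) > 0]


def inconsistency_scores(hypotheses, evidence):
    """Heuer's rule: a hypothesis is weighed down by the evidence it cannot explain."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            if item.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += item.credibility
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Most likely first: the hypothesis with the least inconsistent evidence."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(hypotheses, key=lambda h: (scores[h], hypotheses.index(h)))


def fragile_evidence(hypotheses, evidence):
    """Evidence whose removal changes, or ties, the leading hypothesis.

    A conclusion resting on one item, especially a low-credibility one, is the
    'susceptible to change' case the matrix is meant to expose.
    """
    leader = rank_hypotheses(hypotheses, evidence)[0]
    fragile = []
    for item in evidence:
        scores = inconsistency_scores(hypotheses, [e for e in evidence if e is not item])
        best = min(scores.values())
        if [h for h in hypotheses if scores[h] == best] != [leader]:
            fragile.append(item.description)
    return fragile


# Constructed sample matrix (hypothetical values) for the scenario in this
# article: which risk should receive the next tranche of budget.
H1 = "H1: CPU side-channel flaws (Spectre/Meltdown) are our most pressing risk"
H2 = "H2: Phishing leading to credential compromise is our most pressing risk"
H3 = "H3: Cloud storage misconfiguration is our most pressing risk"
HYPOTHESES = [H1, H2, H3]

EVIDENCE = [
    Evidence("No phishing exercise has ever been run; staff awareness is unmeasured",
             {H1: NEUTRAL, H2: CONSISTENT, H3: NEUTRAL}, 1.0),
    Evidence("Large volumes of personal data sit in cloud-hosted file shares",
             {H1: NEUTRAL, H2: NEUTRAL, H3: CONSISTENT}, 1.0),
    Evidence("No in-the-wild exploitation of the CPU flaws reported against peers",
             {H1: INCONSISTENT, H2: NEUTRAL, H3: NEUTRAL}, 0.8),
    Evidence("Microcode and OS patches for the CPU flaws are deployed fleet-wide",
             {H1: INCONSISTENT, H2: NEUTRAL, H3: NEUTRAL}, 0.9),
    Evidence("Sector breach statistics attribute most breaches to human error",
             {H1: INCONSISTENT, H2: CONSISTENT, H3: CONSISTENT}, 0.7),
    Evidence("Weekly automated cloud configuration scans found no exposed storage",
             {H1: NEUTRAL, H2: NEUTRAL, H3: INCONSISTENT}, 0.6),
    Evidence("Most of the security budget goes on technical products",
             {H1: NEUTRAL, H2: NEUTRAL, H3: NEUTRAL}, 1.0),  # true, but non-diagnostic
]

if __name__ == "__main__":
    scores = inconsistency_scores(HYPOTHESES, EVIDENCE)
    for h in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{scores[h]:.1f}  {h}")
    print("diagnostic evidence:", most_diagnostic(EVIDENCE))
    print("conclusion hinges on:", fragile_evidence(HYPOTHESES, EVIDENCE))
```

In this sample the phishing hypothesis leads, but the run-off against misconfiguration rests on a single low-credibility item, which is exactly the kind of weak spot the disproof step should send participants back to check.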


PODCAST HIGHLIGHT EPISODES

Over 30,000 downloads!

Episode 89 - Data mining techniques & machine learning algorithms applied to covert channel & DGA detection – interview with AizoOn’s Cyber Security researchers

In this interview, we discuss how Data Mining techniques and machine learning algorithms can be extremely useful when applied in covert channel detection and Domain Generation Algorithms (DGA) detection. In the last few years, passive analysis of network traffic has become a challenging task due to the high variability of organisations’ IT networks. This often makes classical signature or even statistical detection approaches not sufficiently accurate in detecting potentially anomalous or malicious traffic, due to the lack of focus on network users’ behavioral analysis.

Episode 82 – 4th Joint Cyber Security Centre launched by the Hon Christian Porter MP, Australia’s Federal Attorney-General

In this episode Chris Cubbage speaks with the Hon Christian Porter MP, Australia’s Federal Attorney-General, at the opening of Australia’s fourth Joint Cyber Security Centre (JCSC) in Perth. The new Perth centre, part of the Turnbull Government’s $47 million JCSC program, is the first of its kind in the west. It offers critical support to Australia’s business community, particularly the west’s vast energy and resource sector.

Episode 88 – When the hype actually delivers - Robotics' clear cost savings, efficiency gains & safety results for NSW security manufacturer & distributor

This interview with DAVCOR Group Managing Director Marc Cohen discusses the business decision process around the introduction of the AutoStore Robot warehouse, which resulted in impacts on business efficiencies, cost savings in warehouse space and inspired the use of robotics in other aspects of the business, including the use of two Universal Robot arms for cycle testing on locking mechanisms. Payback on the AutoStore system is less than two years on rental space alone, including a 75% reduction in power usage.

Episode 81 - Deep dive into the CyberLock electromechanical master key system - courtesy of Davcor Group

In this episode we speak with Geoff Plummer, Davcor Group’s Business Manager Technical Products, and dive deep into Davcor’s twenty year journey from physical keys to cyber locking systems, in particular the CyberLock. CyberLock is an electro-mechanical master key system, effectively combining software, electronic keys, electronic cylinders and communicators. The software can be run locally or in the cloud and, just as importantly, the power for the whole system is a battery in the Bluetooth enabled key. As a consequence the system is secure and flexible. Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 84 - Intent Based Networking & Apstra's hardware-inclusive, closed-loop intent-based distributed operating system

In this episode we dive into Intent Based Networking with Mansour Karam, CEO and founder of Apstra, Inc., based in Menlo Park, California. Apstra has pioneered Intent-Based Networking and Intent-Based Analytics to simplify how data centre networks are built and operated. The privately funded company has recently announced a deployment by Awnix, a provider of cloud services and products, for the first AOS supported deployment of OpenSwitch (OPX) on Dell Z9100-ON switches in a Tier 1 service provider production network. AOS is a hardware-inclusive, closed-loop intent-based distributed operating system that automates the full lifecycle of network operations and enables the network to configure itself, fix itself and defend itself.

Episode 78 – Applications of Augmented Reality, DXC Technology

This interview with Jarrod Bassan, Practice Partner for Mobility & IoT Lead (Australia/NZ) for DXC Technology, discusses the application of Augmented Reality (AR). DXC Technology formed in April 2017 from the merger of CSC and Hewlett Packard and retains technology interests in AR/VR, gamification, blockchain and Internet of Things. Virtual Reality (VR) is an immersive technology and disconnects the person from real interaction. Augmented Reality (AR) is a display of information or audio whilst enabling interaction in the physical environment. The DXC case study on show at National Manufacturing Week concerns an excavator and how parts of the machine can be displayed in an augmented visualisation for damage and maintenance. The use of AR provides a level of insight that may not be otherwise readily available.

www.australiancybersecuritymagazine.com.au



Applications of advanced data analytics: Cyber security challenges – an aizoOn approach

By Daniela Traino and Federica Bisio

In the last few years, passive analysis of network traffic has become a challenging task due to the high variability of organisations’ IT networks. This often makes classical signature or even statistical detection approaches not sufficiently accurate in detecting potentially anomalous or malicious traffic, due to the lack of focus on network users’ behavioral analysis. For this particular reason, the disciplines of machine learning and data mining have become increasingly appealing in solving several types of cyber security problems. In fact, passively analysing network traffic in order to identify and assess potential anomalies can be greatly assisted by employing tools obtained from the Big Data world. In this case, network traffic analyzers provide huge amounts of data per second that can be used to train machine learning algorithms to learn what can be defined as “normal” behaviour of a network and determine what, instead, is distant from this baseline and can therefore be considered potentially malicious.

Machine learning can be considered a powerful tool to extract meaningful information and build models of users’ behaviour, but it does have some drawbacks. Data might in fact be corrupted or noisy, and model creation may bring a high false positive rate. This limitation can be mitigated first by choosing descriptive features to be given to the algorithm, and second by integrating the contribution of different algorithms in order to make the structure more robust. Another possible solution is to create models not only of single network users but also of groups of users sharing some common behavioural characteristics. Nonetheless, the problem of false positives is particularly acute when model creation is unsupervised, i.e. no data labelling is required and no additional information is provided. In this case we might not know a priori whether patterns are malicious or not. Although the supervised machine learning approach is usually more effective due to the additional information, the unsupervised approach enables identification of 0-day attacks and malware not seen before, for which no information can be provided. Therefore the unsupervised approach enables the creation of algorithms that self-learn the behaviour of a network, spot unusual activity, and automatically detect patterns and relationships without a priori information or human input.

In order to mitigate the false positives limitation with unsupervised machine learning, at aizoOn we employ an approach based on both the development of machine learning algorithms and data mining techniques specifically tailored to the cyber security problem. We have defined “advanced cyber security analytics” as the threat knowledge that can be generated from the combination of three approaches (Fig. 1 below):

• Rule-based knowledge (or “white box approach”): we integrate open source intelligence (OSINT) sources and any other valuable information in order to create rules to detect alerts or warnings for the network under analysis.
• Analytics knowledge (or “grey box approach”): using data mining techniques to automate, in a near real-time manner, tasks and knowledge that the human in the loop would undertake, i.e. the cyber security analyst’s knowledge and general approach.
• Machine learning knowledge (or “black box approach”): using machine learning algorithms to learn the normal behaviour of the network and hence spot possible deviations from this behaviour.

In this article, we discuss how methods two and three above can be extremely useful when applied in two different real use cases: covert channel detection (our most recent research) and Domain Generation Algorithms (DGA) detection (recently published). While not discussed herein, aizoOn has also published research into Fast Flux network detection techniques (to be presented in September 2018, London UK).

Covert channel detection

Nowadays covert channels are becoming increasingly challenging and a significant threat for organisations. For example, in late 2017, Advanced Persistent Threats performed by malicious organisations (e.g. FIN7) employed covert channels, in addition to phishing techniques and remote access trojans, to maintain access and exfiltrate sensitive data from a number of US organisations, with particular focus on personnel that managed SEC filings. Covert channels can be defined as ways to exploit network resources never intended for the purpose of communication in order to transfer data. The aim of such a technique is to extract meaningful information from an organisation’s network. There are currently two different types of covert channels:

• Storage covert channels, where covert bits are strictly bound to the communication protocols under analysis (e.g. DNS, HTTP, SMB, SSL);
• Timing covert channels, based on the manipulation of timing or ordering of network events (e.g. packet arrivals).

The state-of-the-art techniques applied to detect these two types of covert channels are different:

• For storage covert channels: Markov chains, descriptive analytics;
• For timing covert channels: statistical tests of traffic distribution (e.g. Kolmogorov-Smirnov), regularity tests of time variations within the traffic, entropy and conditional entropy calculation, and machine learning (especially Support Vector Machines, or SVMs, and Bayesian Networks) are typically deployed.

In this article, we discuss our cyber security threat detection research into the first type, storage covert channels, while borrowing some detection techniques from timing covert channels. Covert channels still represent a significant concern for defenders and threat hunters mainly because:

• Conventional intrusion detection and firewall technologies frequently fail to detect covert channels;
• The high variability of an organisation’s network traffic often makes traditional statistical approaches not accurate enough;
• Distinguishing covert channels among legitimate communications is difficult due to an absence of focus on behavioural analysis;
• Current efforts to date have been focused on tunneling techniques, and less on data exfiltration analysis.

In order to mitigate these issues, the general algorithm we developed for covert channel detection employs machine learning techniques in two phases, where we:

• Assess the network under analysis and use machine learning algorithms to create models able to describe the normal behaviour of the network (Training Phase);
• Validate whether something anomalous and/or potentially malicious is occurring in the network (Test Phase).

The training phase includes:

• Feature extraction process: where we passively extract from the network all the valuable information able to describe the problem at hand. Information is extracted by a network analyzer and includes but is not limited to: machine source IP, machine destination IP, ports contacted, number of bytes transmitted, queries performed, user agents employed, cookies.
• Training phase: whereby a classifier (or “machine learning engine”) is trained using the extracted features.

Fig 2. Average of initial results from our covert channel detection research

                      DNS Covert Channel   HTTP Covert Channel
                      (3 samples)          (3 samples)
Precision             98.7%                73%
False Positive Rate   1.3%                 27%*
FN                    1%                   0.3%
Recall                99%                  99.7%
F-score               0.988                0.793

* few samples available to fully test the algorithm

In our approach to this research, we integrated two well-known state-of-the-art classifiers: Bayesian Networks and Support Vector Machines (SVMs). These techniques represent two different approaches in machine learning: the first is related to the probabilistic approach and builds a graph describing the probabilities between variables, while the second is related to the frequentist method and tries to maximise the distance between the classes that we want to separate (in our case legitimate and malicious). While Bayesian networks can be used in an unsupervised way, SVMs are built to work as a supervised classifier, and hence we modified the algorithm (one-class SVM) in order to apply it in an unsupervised manner.

Our test phase involved:

• Filtering and white list removal (events known to be trusted).
• An anomaly detection module: the previously trained classifier is applied to new data in order to validate whether they conform with the normal behaviour; where they do not conform, the patterns are assessed against the advanced analytics module.
• An advanced analytics module: this is applied only to the patterns previously detected by the anomaly detection module as abnormal and employs analytics specific to the protocol under analysis (at this stage of our research, the DNS and HTTP protocols).

In the advanced analytics module, we considered selected anomaly indicators tailored to the protocol under analysis, and by averaging them we built an anomaly index. If the anomaly index is highly statistically significant for an event, we report the event as potentially malicious. It is important to note that all our analysis was performed from a behavioural point of view: meaning that the event may not necessarily be malicious per se, but it is abnormal compared to the models generated by the algorithm. This information could be useful not only for cyber security professionals, but also for system operators in determining other non-compliant or inappropriate behaviour or resource consumption.

Anomaly indicators used during our research

DNS covert channel research
• Number of hostname characters >= 50
• Percentage of numeric characters >= 20%
• Number of unique characters >= 27
• High percentage of repeated consonants in hostname
• High entropy
• High distance from distribution of frequencies of monograms of legitimate patterns
• High number of hostnames per domain

HTTP covert channel research
Cookie analyses (cookies defined as key-value pairs):
• Malformed cookie (no key=value pairs)
• High length of the key field
• High entropy of the key field
• High distance of the key field from distribution of frequencies of monograms of legitimate key fields
• High distance of the key field from distribution of frequencies of bigrams of legitimate key fields
• High variability of cookie in the same communication (same source-destination pair) in a small amount of time
User agent analyses:
• High length
• Missing user agent
• Presence of unallowed or special characters
• High variability of user agent tokens in the same communication (same source-destination pair)
• Unique user agents

70 | Australian Cyber Security Magazine

Cyber Security

Our research approach here leveraged a recent Akamai study titled "Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol" and went further by contributing:
• A refined feature extraction phase
• Two classifiers combined in the anomaly detection phase in order to further reduce false positives
• Extended analysis to include HTTP covert channels
• Improved (speed and accuracy) analytics as a result of these contributions

So far, our research has shown promising and positive results (Fig 2). The effectiveness of our proposed augmented approach was confirmed by several experimental sessions on a production-like network infected with real malware samples over a period of time. Our covert channel research is ongoing, with plans to extend and publish the analysis of other protocols (e.g. SMB, ICMP) and encrypted traffic (e.g. SSL/TLS). This is part of aizoOn's continuous R&D mission to further codify new passive techniques to better detect cyber security threats in near real-time (reducing malware dwell time) and, among other things, to save significant threat analyst time.
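As an added worked example (not code from aizoOn or from the article), the Python below applies the DNS covert channel indicators listed above to a batch of query names and averages them into an anomaly index, in the way the text describes. The three numeric thresholds the article states (50 characters, 20% numeric, 27 unique characters) are used as given; the cut-offs for the "high" indicators, the baseline of legitimate names used as the monogram reference, the hex-chunk tunnel-style queries and the fixed 0.5 index cut-off (standing in for the article's statistical-significance test) are all assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed baseline of names taken as legitimate. Assumption: this stands in for
# the whitelisted/normal traffic the model is trained on; it is not data from the article.
LEGIT_BASELINE = [
    "www.example.com", "mail.example.com", "cdn.static.example.com",
    "api.example.org", "login.corp.example.net", "update.vendor.example",
    "images.shop.example.com", "ntp.pool.example.org",
]

def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def registered_domain(name):
    """Last two labels, used to count distinct hostnames per domain."""
    return ".".join(_labels(name)[-2:])

def subdomain_part(name):
    """Everything left of the registered domain, where tunnelled data would sit."""
    return "".join(_labels(name)[:-2])

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def monogram_distribution(names):
    counts = Counter("".join(names))
    total = sum(counts.values()) or 1
    return {ch: c / total for ch, c in counts.items()}

def total_variation(p, q):
    """Distance between two character distributions (0 = identical, 1 = disjoint)."""
    return 0.5 * sum(abs(p.get(ch, 0.0) - q.get(ch, 0.0)) for ch in set(p) | set(q))

def consonant_run_fraction(s, min_run=4):
    """Share of letters sitting inside a run of >= min_run consecutive consonants."""
    letters_in_runs, run = 0, 0
    for ch in s + ".":                      # the sentinel flushes the final run
        if ch.isalpha() and ch not in "aeiou":
            run += 1
        else:
            if run >= min_run:
                letters_in_runs += run
            run = 0
    alpha = sum(ch.isalpha() for ch in s)
    return letters_in_runs / alpha if alpha else 0.0

# The first three thresholds are the article's; the rest are our assumptions.
THRESHOLDS = {
    "length": 50, "numeric_ratio": 0.20, "unique_chars": 27,
    "consonant_runs": 0.25, "entropy_bits": 3.5,
    "monogram_distance": 0.25, "names_per_domain": 20,
}

def indicators(name, baseline_dist, names_per_domain):
    body = name.replace(".", "")
    sub = subdomain_part(name)
    return {
        "length": len(name) >= THRESHOLDS["length"],
        "numeric_ratio": sum(c.isdigit() for c in body) / max(len(body), 1) >= THRESHOLDS["numeric_ratio"],
        "unique_chars": len(set(name)) >= THRESHOLDS["unique_chars"],
        "consonant_runs": consonant_run_fraction(sub) >= THRESHOLDS["consonant_runs"],
        "entropy_bits": shannon_entropy(sub) >= THRESHOLDS["entropy_bits"],
        "monogram_distance": total_variation(monogram_distribution([name]), baseline_dist) >= THRESHOLDS["monogram_distance"],
        "names_per_domain": names_per_domain >= THRESHOLDS["names_per_domain"],
    }

def anomaly_index(flags):
    """Average of the binary indicators, as the article describes."""
    return sum(flags.values()) / len(flags)

def score_batch(queries, baseline=LEGIT_BASELINE, index_threshold=0.5):
    """Return {name: (index, fired_indicators)} for names whose index reaches the cut-off."""
    baseline_dist = monogram_distribution(baseline)
    per_domain = Counter(registered_domain(q) for q in set(queries))
    flagged = {}
    for q in dict.fromkeys(queries):        # de-duplicate, keep order
        flags = indicators(q, baseline_dist, per_domain[registered_domain(q)])
        idx = anomaly_index(flags)
        if idx >= index_threshold:
            flagged[q] = (round(idx, 3), [k for k, v in flags.items() if v])
    return flagged

def exfil_query(i):
    """Constructed tunnel-style query: a hex-encoded chunk carried in two labels."""
    h = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
    return f"{h[:32]}.{h[32:48]}.t.tunnel.example"

SAMPLE_QUERIES = LEGIT_BASELINE + [exfil_query(i) for i in range(25)]

if __name__ == "__main__":
    for name, (idx, why) in score_batch(SAMPLE_QUERIES).items():
        print(idx, name, why)
```

Every tunnel-style name trips at least the length, numeric ratio, monogram distance and names-per-domain indicators, so its index is at least 4/7; the legitimate names fire at most one indicator each. In production the baseline would be built from the filtered, whitelisted traffic of the monitored network rather than a hand-written list.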

Detection techniques for Domain Generation Algorithms (DGA)

We continue to see botnets (i.e. networks of compromised computers, also referred to as zombies or bots) controlled by a remote attacker (the "bot herder") play an increasing role in cybercrime. Botnets are usually highly distributed and highly changeable, making tracking and recovery of all the infected components very difficult. A common way attackers let bots locate their Command and Control (C&C) servers is by dynamic generation of domains using a Domain Generation Algorithm (DGA), also known as domain-flux. Here, each compromised host automatically generates hundreds or thousands of pseudo-random domain names that represent candidate C&C domains. The bot sends DNS queries until one resolves and it connects to the IP address associated with the resolved domain. The advantage of this technique for the attacker is that if one or more C&C domains are identified and taken down, the bot will query the next set of automatically generated domains and will eventually reach a relocated C&C server. DGA detection is therefore of critical importance in cyber security. A considerable number of different approaches to DGA detection have been implemented to date, and many recent works have focused on the use of supervised or signature-based approaches to the analysis of DNS traffic. Nonetheless, the highly dynamic DGA realm has often limited these approaches to particular scenarios.

In late 2017, the aizoOn team presented our research contribution to Domain Generation Algorithm (DGA) threat detection techniques. The method we deployed was unsupervised and characterised by two steps (graphically depicted in Fig. 3 below). The first step is the detection of a bot looking for its C&C, observed as a host querying many automatically generated domains, most of which do not resolve. The second step consists of the analysis of the resolved DNS requests in the same time interval. The linguistic and semantic features of the collected resolved and unresolved domains are then extracted in order to cluster them into groups and identify the specific bot. This experimental evaluation was tested on different malware families employing several DGAs and has led to very successful detection results. For example, we observed a 100% detection rate over 40 DGA snippets belonging to different malware families (in a real case scenario, the false positive (FP) rate was 0.01% on unresolved DNS requests and 0% on resolved DNS requests). Further details of our techniques and approach are available in our published research paper [1].

Parting words...

It is clear that advanced data science together with cyber security expertise enables defenders, analysts and threat hunters across increasingly complex operating environments to better detect, contain and respond to evolving cyber attack methods. While this requires continuous research and development by the cyber security community, aizoOn continues to contribute to this collaborative effort both government- and industry-wide.

About the Authors

At aizoOn Australia, Daniella is responsible for setting the strategy and leading the cyber security division across three areas of capability - product development, consulting and R&D for the Asia Pacific region.
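The two-step DGA detection described in the section above, as an added example that is not aizoOn's code or the method of the cited paper: step one slides a window over each source's unresolved (NXDOMAIN) queries and flags a host whose failed lookups exceed a threshold; step two extracts simple linguistic features from every name that host queried in the same window, resolved or not, and groups them with a greedy centroid clustering, so that a resolved name falling in the cluster of failed candidates stands out as the likely live C&C. The log, the 30-failures-in-60-seconds threshold, the feature set, the clustering distance and the toy label generator (consonant-only hash output, not any real family's algorithm) are constructed assumptions for the example.

```python
import hashlib
import math
from collections import defaultdict, Counter

VOWELS = set("aeiou")

def toy_dga(seed, i, length=16, alphabet="bcdfghjklmnpqrstvwxz"):
    """Toy generator used only to build sample data; it is not any real family's DGA."""
    digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length]) + ".example"

LEGIT = ["www.example.com", "mail.example.org", "cdn.vendor.example",
         "login.corp.example", "time.nist.example", "api.shop.example"]

def build_log():
    """Constructed DNS log: (timestamp_s, source_ip, query_name, rcode)."""
    log = [(10 + i, "10.0.0.7", name, "NOERROR") for i, name in enumerate(LEGIT)]
    log.append((30, "10.0.0.7", "wwww.example.com", "NXDOMAIN"))   # a typo, not a bot
    for i in range(40):                                             # infected host walking its list
        log.append((5 + i, "10.0.0.5", toy_dga("sample", i), "NOERROR" if i == 17 else "NXDOMAIN"))
    log.append((50, "10.0.0.5", LEGIT[0], "NOERROR"))               # ordinary traffic from the same host
    return log

def step1_flag_sources(log, window_s=60, nx_threshold=30):
    """Step 1: sources with >= nx_threshold unresolved queries inside one window."""
    per_src = defaultdict(list)
    for ts, src, _, rcode in log:
        if rcode == "NXDOMAIN":
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= nx_threshold:
                flagged[src] = (times[lo], t)      # window in which the burst was seen
                break
    return flagged

def sld(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return labels[-2] if len(labels) >= 2 else labels[0]

def entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def features(name):
    """Linguistic features of the registrable label, each scaled to roughly [0, 1]."""
    s = sld(name)
    n = max(len(s), 1)
    return (entropy(s) / 4.0,                          # randomness of the label
            sum(c in VOWELS for c in s) / n,           # pronounceability proxy
            sum(c.isdigit() for c in s) / n,           # digit content
            min(len(s), 32) / 32.0)                    # label length

def cluster(names, eps=0.3):
    """Greedy centroid clustering: a name joins the nearest cluster closer than eps."""
    clusters = []                                       # each: {"members": [...], "sum": [...]}
    for name in names:
        f = features(name)
        best, best_d = None, eps
        for c in clusters:
            k = len(c["members"])
            d = math.sqrt(sum((a / k - b) ** 2 for a, b in zip(c["sum"], f)))
            if d < best_d:
                best, best_d = c, d
        if best is None:
            clusters.append({"members": [name], "sum": list(f)})
        else:
            best["members"].append(name)
            best["sum"] = [a + b for a, b in zip(best["sum"], f)]
    return [c["members"] for c in clusters]

def step2_identify(log, src, window, window_s=60, min_candidates=10):
    """Step 2: cluster all names the flagged host queried in the window, resolved or not."""
    start, _ = window
    seen = {}
    for ts, s, name, rcode in log:
        if s == src and start <= ts <= start + window_s:
            seen.setdefault(name, rcode)
    groups = cluster(list(seen))
    hits = []
    for members in groups:
        unresolved = [m for m in members if seen[m] == "NXDOMAIN"]
        resolved = [m for m in members if seen[m] != "NXDOMAIN"]
        # a cluster dominated by failed lookups is the bot's candidate list;
        # a member of it that did resolve is the likely live C&C
        if len(unresolved) >= min_candidates and resolved:
            hits.append({"cnc": resolved, "candidates": len(unresolved)})
    return groups, hits

def detect(log):
    return {src: step2_identify(log, src, win)[1] for src, win in step1_flag_sources(log).items()}

if __name__ == "__main__":
    print(detect(build_log()))
```

The per-host clustering is what separates the bot's own candidate names from the legitimate lookups it makes in the same minute; the resolved name that clusters with 39 failures is reported, while the resolved www.example.com from the same host is not.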



The internet of things is turning facilities management on its head

Australia's army of tradespeople who monitor, maintain and fix the billions of dollars of equipment that keeps offices, factories and shops open have become the new frontline in the advance of the Internet of Things (IoT). As the internet and smartphones become primary necessities over paper and landlines, trade services must embrace the next phase of business evolution in order to remain relevant in the market and to appear dependable, effective and cutting-edge for the modern customer. Though not a brand new concept, IoT has become the herald of this new chapter, facilitating unique connections with the latest job management and service technology and forever changing the way trade service facilities and professionals operate.

The Internet of Things (IoT)

IoT has been defined as the concept of connecting any electronic device to the internet and to other connected devices. It works through an application or service that uses information collected from sensors (the "things") and then analyses the sensor data to perform a specific function. Through IoT a giant online network is created which allows previously unrelated technology to speak to each other and combine forces to create new functions that generate new levels of convenience for the user. Many tech experts have used smart TVs or fitness watches that generate a tailored exercise plan as examples of IoT.

The ability for machines and data to connect and interact with one another goes far beyond allowing the human race to live like the Jetsons. The trade service industry's IoT-laden future signals effectiveness, efficiency, profitability and all-around satisfaction for everyone involved.

Why should trade services care?

According to Curtis Thomson, simPRO director, one of the world's leading job management software companies, IoT projects have now moved well beyond the initial trials and high-end proofs of concept and are being actively rolled out by leading service companies and manufacturers. For these companies, however, it's not about programming driverless cars or automatic toasters and coffee machines for the break room. Trade service companies are eager to get in on the IoT action because when their systems are all connected and talking to each other, they have the potential to improve their service delivery, considerably cut costs, and deliver an improved customer experience.

"Think about the IoT in terms of field service applications," Thomson said. "Say, for example, you have an accelerometer fitted to the cooling tower on top of a building that could take vibration readings, log them to your database, and alert you when the vibrations fall out of a range.

"Or, you have sensors in the fire detection or sprinkler systems all constantly monitoring and reporting back the current state of the equipment they are tasked to keep an eye on.

"Then, when an event occurs that falls outside of a tolerable range for that piece of equipment, a notification is raised, a job is created to investigate, or an alert is sent to your customer.

"How could this impact your SLAs, or your costs, for that matter? What will your customers think about this – your ability to log, report and respond to potential defects before they even can tell something is wrong, and in between maintenance cycles?"

Thomson's insight into the future of the trade service industry is why companies like simPRO are determined to add IoT to their repertoire. In June this year, simPRO introduced its new IoT solution which will be available to its 100,000+ users in Australia, New Zealand, the United States and the UK across 2018. simPRO IoT takes hardware, software and data from businesses in the trade and field service industries and integrates them into one platform, allowing previously separate programs and machines to talk to each other and provide automated solutions ordinarily requiring extensive manual effort. simPRO's IoT solution also includes machine learning, proactive action triggering and automation of field service activities, which significantly reduces the complexity of administrative tasks like selection, installation, integration and management, and can trigger field service activities for businesses in near real time. The company has already begun working with airport lounge operator Swissport and facilities (building plant and equipment) management group Thermacell to keep guests at Luton Airport in the UK warm in winter and cool in summer. IoT represents significant opportunity in the trade services market, with the number of connected IoT devices worldwide expected to jump 12 percent on average annually, from nearly 31 billion in 2018 to 125 billion in 2030, according to analysis from IHS Markit (Nasdaq: INFO).

About simPRO

simPRO provides business management cloud solutions for the trade and specialty contracting industries, including security professionals, plumbers, electricians, HVAC, solar, data networking, and others. simPRO eliminates the hassle of field service management, reduces paperwork, refines office processes, streamlines field operations, increases profit, maximises your workforce, and enables more business growth. As it is cloud-based, it can be used anywhere, anytime to help improve streamlined business productivity and efficiency in real time, giving businesses the potential to grow, meet and exceed their goals. At the end of 2017, simPRO had more than 4,000 clients and 100,000 users globally, with clients ranging from small contracting operations through to corporate enterprises with thousands of staff. In 2016, simPRO secured AUD$40 million in growth capital as part of an aggressive product innovation and expansion strategy that has seen the company enter the United States and the United Kingdom over the last two years. With customers in the United States, Australia, New Zealand, and the United Kingdom, simPRO provides global leadership for trade and specialty contractors worldwide.

Hills appoints new Head of Security, Surveillance, IT and ATV business

Hills is pleased to announce the appointment of Roger Edgar as Head of Sales, Security, Surveillance, IT and ATV across Australia and New Zealand (ANZ). Based in Sydney, Edgar will be responsible for leading Hills' security, surveillance, IT, antenna and communication sales teams, and delivering on sales priorities across the region. He is also tasked with improving the customer experience across Hills' network of branches, with a focus on end to end service delivery. Edgar brings over 30 years of sales and management experience to the role, having held senior positions in the wholesale electrical distribution sector in Australia, New Zealand and the USA. He joins Hills after three and a half years as General Manager for CNW Electrical NSW/VIC/TAS and, prior to that, his distribution expertise was developed through senior management roles with Rexel in New Zealand, the USA and Australia.

CEO and Managing Director, David Lenz, said that Edgar's appointment was key to Hills' strategy to increase growth in its SMB business across ANZ. "Roger will play a key role as we look to increase the accessibility of Hills' offering across the region and continue to accelerate our sales momentum with our key brands," Lenz said. "The consolidation of the antenna business under Roger's leadership acknowledges his considerable experience in the electrical distribution space and aligns with Hills' strategy to offer integrated technology solutions. He brings extensive industry expertise and proven leadership abilities to Hills and will be invaluable as we build our sales team across ANZ," Lenz added.

Edgar said he was excited to join Hills as it continues its evolution. "I want to build a team that can operate in an agile way and think 'customer first'. Delivering ongoing benefits to the customer and seeing the differences you make is highly rewarding and motivating for everyone."

Former HP fellow, CTO & VP corporate strategy joins the iCetana board

iCetana is proud to announce that Mark Potts, former HP Fellow, CTO & VP Corporate Strategy at Hewlett Packard Enterprise (HPE), has joined the iCetana Board. During his time at HPE, a multi-billion-dollar global leader in technology solutions, Mark successfully drove the technology and business strategy. Mark holds a Bachelor of Science degree in Computer Science from Brookes University in Oxford, UK. Prior to HPE, Mark founded several successful, venture backed start-ups that have driven technology disruption and business innovation across numerous industries. One such venture was his successful web services management company, Talking Blocks, which was acquired by HPE.

Mark Potts said that "The application of AI and machine learning to video analysis and event recognition is going to change the way we proactively manage security, health and safety, production processes and transportation. The business value iCetana have already proven with customers worldwide, across diverse industries, and the technology and innovation underpinning the offerings, made the opportunity to join and help grow the company to an industry leader exciting and too compelling to miss".

iCetana is a successful global organisation with office locations across 3 regions including EMEA, The Americas and APAC. iCetana has developed an advanced AI-computer vision and machine learning solution for security and beyond security, to see through the chaos and highlight abnormal events when they happen. iCetana's software learns daily, allowing it to constantly adapt to new environmental and behavioural conditions.

"iCetana is exceptionally fortunate to welcome Mark Potts onto the Board. His vast experience and knowledge within enterprise corporate strategy will be a valuable asset as iCetana continues to solidify its position as world leaders in AI-assisted video monitoring software" – iCetana CEO, Chris Farquhar.

VIVOTEK introduces new multi-sensor panoramic camera with superior image quality, the MS9390-HV

Following the success of previous 180° panoramic network cameras, VIVOTEK has launched a brand new and even more efficient multi-sensor camera. The MS9390-HV, with its dual 4-megapixel wide-angle lens design, is unlike most traditional multi-sensor panoramic cameras, which rely on 4 sensors. This newly released multi-sensor dome camera is also equipped with SNV (Supreme Night Visibility), WDR Pro technology and 180° IR illuminators effective up to 20 meters, and delivers full resolution imagery at 30 fps (frames per second), making it the ideal camera to provide excellent panoramic image quality for both day and night surveillance.

VIVOTEK introduces the brand new MS9390-HV under the strategy of its "See More in Smarter Ways" campaign. With its unique dual-sensor design, the camera is equipped with a video alignment feature, providing users both a detailed and yet seamless 180-degree panoramic view and a higher vertical field of view. This enables greater coverage not only on the horizontal, but also on the vertical plane, capturing an even greater field of view below the point of camera installation. Moreover, the internal tilt adjustment of the lenses of the MS9390-HV has been upgraded to 20°, allowing users to achieve the precise angle desired. Furthermore, the multi-sensor camera employs H.265 compression and Smart Stream III technology to create the most efficient system, resulting in remarkable savings in storage and bandwidth consumption while at the same time providing complete video security.

The new MS9390-HV is further armed with a robust IP66 and IK10-rated housing, enabling it to withstand rain and dust, as well as to protect against vandalism or tampering in outdoor surveillance applications. In addition, its wall mounted design ensures simple and quick installation, with an included sunshield to eliminate interference caused by direct sunlight. The panoramic camera was given an early test at the 2018 Taiwan Lantern Festival, one of the great events in Taiwan, which attracted over 10 million visitors. The MS9390-HV provided clear and full coverage throughout the day and night to secure the safety of visitors to the festival. For more information about VIVOTEK and its comprehensive product line, please visit www.vivotek.com.

About VIVOTEK

VIVOTEK Inc. (TAIEX: 3454) was founded in Taiwan in 2000. The Company markets VIVOTEK solutions worldwide, and has become a leading brand in the global IP surveillance industry. Its comprehensive solutions include network cameras, video servers, network video recorders, PoE solutions, and video management software. Through the growing proliferation of IoT, VIVOTEK aspires to become the Eye in IoT by drawing on its expansive technological capabilities in image and audio. The Company has established offices and subsidiaries in the United States (California), Europe (Netherlands), India (Delhi), Middle East (Dubai), Latin America (Mexico), and Japan (Tokyo) in 2008, 2013, 2014, 2015, 2016, and 2017 respectively. To create a sound industrial ecosystem, VIVOTEK has expanded strategic alliances with leading international software and hardware partners and works with over 183 authorized distributors across 116 countries. For more information, please visit www.vivotek.com



The Gorgon Group: Slithering between nation state and cybercrime Palo Alto Networks Unit 42 researchers have been tracking a group of attackers, which they are calling Gorgon Group. In addition to numerous targeted attacks, Unit 42 discovered that the group also performed a litany of attacks and operations around the globe, involving both criminal as well as targeted attacks. Starting in February 2018, Unit 42 identified a campaign of attacks targeting governmental organisations in the United Kingdom, Spain, Russia, and the United States. Additionally, during that time, members of Gorgon Group were also performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations.

New cyber espionage group infiltrates satellite, telecom and defence orgs

Symantec has exposed a never-before reported cyber espionage group that has infiltrated satellite, telecom and defence companies in Southeast Asia and the US. Called Thrip, the campaign originated from machines based in mainland China. Worryingly, Symantec has uncovered that Thrip has been looking for, and infecting, computers running software that monitors and controls satellites, with the aim of not just spying on but disrupting these critical systems in SEA.

Recently, ASEAN agreed to establish a regional infrastructure pipeline to match rising Chinese influence in the region, and there have been calls for the Australian government to help ASEAN countries design better infrastructure. In this environment, cyber espionage campaigns such as these offer a timely warning for Australia's critical infrastructure owners and operators in securing our nation's first line of defence.

Nick Savvides, Chief Technology Officer at Symantec APAC, is available to provide expert commentary on the impact of targeted cyber espionage attacks in Australia and across the region.

Creation of TRITON malware – FireEye research release

FireEye has released research detailing how the malware TRITON works and was created. TRITON was identified late last year by FireEye's Mandiant team following an incident at a critical infrastructure organisation where an attacker deployed malware designed to manipulate industrial safety systems and target Industrial Control Systems (ICS). Since TRITON was discovered, FireEye wondered how the threat actor created the malware. This report provides insights into that. They reverse engineered a Triconex controller using legitimate software to learn the protocol, and built the malware to speak that language. FireEye has learned the development process was easier than previously thought. In light of this, the company expects other threat actors to take similar approaches in their development of tools to exploit ICS.

Major world events a playing field for hackers

Just like the old-fashioned pickpockets and scalpers we've learned to avoid, cyber scammers are exploiting major world events to target their victims. The World Cup, the Royal Wedding, and the Winter Olympics are recent events they've tried to benefit from in this way, and it's an incredibly effective tactic. Usually, the cyber attacker modus operandi during these events is the tried-and-true combination of social engineering and phishing. Generally an email – along with a malicious attachment or link – is sent out in a spam campaign to thousands of potential victims. The body of the email will exploit interest in the event and point the user to the malicious element, alluding to a special offer or other detail related to the event.

An interesting example occurred during the recent World Cup. Hackers developed a malicious score-tracking app, called "Golden Cup", and convinced Israeli soldiers to download it from the Google Play store. The app in fact contained spyware which gave the attackers access to the soldiers' GPS location, phone cameras and microphones, and revealed the locations of images and videos stored on their phones. The Israeli military blamed the Palestinian group Hamas. What made the malware especially dangerous, the Israelis said, is that the app looked legitimate: it was downloaded from an official app store.

It's not only sport fans that need to be wary. We witnessed another cunning tactic before the wedding of Prince Harry and Meghan Markle, whereby cyber criminals launched the "royal wedding guest name" data mining scam. This scam tricked people into giving up key personal data by inviting them to find out what their 'aristocratic name' was. And what did people need to do to find out their 'aristocratic name'? They had to enter the name of one of their grandparents, their first pet's name, and the name of the street they grew up on. If these questions sound familiar, it's because they're three of the most commonly used security questions.

Organisers and contractors of these events are also frequently targeted via similar means. Before the South Korean Winter Olympics, sophisticated attackers targeted ski resorts, organising committees, and tourist boards with an apparent alert from South Korea's National Counter-Terrorism Center. The email contained malware which would give attackers remote access to infected machines. Underscoring the tradecraft of this campaign, the emails coincided with real-life terrorism drills. Using numerous decoy documents and phishing emails, both styles of attacks lacked overall sophistication, but the effectiveness of this group and campaign cannot be denied.

Any time these significant events roll around, we can expect an accompanying phishing campaign. Exploiting the public interest in major events is an efficient and effective form of social engineering. Consider the fervour that will descend upon Australia during the last weekend of September. Saturday will see the AFL final decided, while on Sunday, the NRL finalists will face off against each other. Fans and punters across the country will be eager for any updates in the lead up to both matches and could be seen as easy targets. If a spam email went out claiming to contain last minute injury updates or special odds from a betting agency, I think we all know someone who would open it. By feeding on the frenzy before these events, attackers know there'll be enough people who can't resist to make the campaign worth their while.

This doesn't mean you should live in fear any time an event of national or international significance rolls around. Basic cyber hygiene is enough to ensure you enjoy these events safely: only use trusted sites, only download official or verified apps, don't click on emails or attachments from unfamiliar sources, and apply the latest patches as soon as possible. These are very simple steps one can take to level the playing field against attackers. Forewarned is forearmed, and knowing to expect such tricks can help even the most ardent fan think twice before entering their mother's maiden name and favourite colour to find out their 'footy nickname'.

Cisco Start sets out to target the Australian SMB sector

Over the last 18 months, Cisco has developed a purpose built portfolio called 'Cisco Start' which allows SMBs to adopt enterprise class technology at an affordable cost, that is reliable, simple and secure. The concept is that they can subscribe to a managed service and pay as they grow, for the flexibility to adopt and scale as required.

Opening with a briefing to media by Ken Boal, Vice President for Cisco ANZ, SMBs are the small to medium sized enterprises with 250 users or more. Cisco, along with its strong commercial focus, is seeking to help Australian business accelerate and help the SMB market thrive. "We're committed to leading digital in whatever realm they play", Ken said. With 2017 turnover reaching AU$1.9B in the last 18 months, the SMB share of that grew from 9% to 13% of the business and the aspiration is to grow to 20% and beyond with AU$15M growth per annum.

Referring to the Deloitte Access Economics report, Connected Small Business 2017, sponsored by Google, there remains significant opportunity in the SMB segment of the market. "This report finds that Australian SMBs are increasingly digitally engaged, and that their take-up of digital tools has been accelerating over time."

Ken highlighted, "With headlines every week and even today of news of a breach against a SMB provider to regional airports, and the recent PageUp breach, shows that cybersecurity is equally important for SMBs as it is for larger companies. All sectors need to think about cybersecurity."

Partnering with the Business Council of Australia and the Council of Small Business of Australia, Cisco is seeking to provide clarity, standardisation and requirements of expectations for cybersecurity. A security capabilities benchmark study (links to previous report) showed that many SMBs had given up trying to keep up with the threat landscape. The study showed many of the 100 surveyed had experienced a 17-25 hour outage due to a security breach. Cybersecurity compromise is lying dormant in small business for at least 100 days. Ken said, "With Cisco Start, for cybersecurity, it will provide a validated design and a reference architecture to industry, so security is fully integrated vertically. What we will do is provide best practice architecture, however user behaviour and culture is a big part, where we are working with the BCA on the technology aspect". Ken confirmed, "Our play is therefore, simple, smart and secure."

"There is no such thing as small business, that is an economist term," said Peter Strong, CEO of the Council of Small Business of Australia, "small business is people. So the process has to be simple and if you can't communicate a process, like we say to government about policy, it will fail."

Nor is there a compliant small business in Australia. "It is impossible to be compliant in the regulated environment in Australia," Peter said. "So don't talk about the features, talk about the benefits – and cybersecurity provides stress management. The personality traits of small business are that they are optimistic – if you're a pessimist you go into government."

"Communications is vital. If you don't get that right you will fail. Selling to small business needs to be clearly and simply communicated. We have to trust people. In the main, big business and small business get on pretty well. SMB need the likes of Cisco but likewise, Cisco needs SMB. We need to work and trust each other."

"Within the supply chain, you're only as strong as your weakest link. We have to work together and we can't have big business saying 'get your act together' without assisting."

Nykaj Nair, Head of SMB, Distribution and Channels at Cisco, is providing the strategic approach to the SMB market through simplicity, affordability, trust and scalability – so as an SMB grows, the technology scales with them. A portfolio has been purpose built for SMBs, which involves building capability and capacity for routes to a diverse market segment and building trust. A key area of investment is digital communication and marketing, to educate SMBs on the importance of the digital network environment.

The four key routes to the SMB market involve, first, reaching out to the system integrators: Cisco has trained over 1,000 system integrators, to build trust with their customers, and has reached over 50,000 customers over the last 12 months. The second market route is via the telcos and managed service providers, which have a unique ability to provide technology as a service. It is easier for Cisco to provide a catalogue of technology as a service, leveraging Cisco Start as a platform. The third route is the alternative channel, such as retailers like JB Hi-Fi, and building a catalogue of services; an example shown was the Victorian Farmers Federation. And the fourth route is alternative marketplaces, including an Australian pilot underway with a Cisco Start marketplace, with seven partners signed and the concept being part of a partner facing store front.

In closing, Samuel Lewinson, COO and co-founder of Jar Aerospace, received a AU$40,000 Cisco Start package as part of the Cisco Start marketing campaign. Winning from a pool of 60 competition applicants, Jar Aerospace is focused on advanced autonomous flight platforms and drone integration, which includes the supply of education programs to schools for coding and hardware for drone integration and engaging students in STEM.

Mimecast unveils second-annual State of Email Security report

More than 90 percent of global organisations reported that the volume of phishing attacks has increased or stayed the same in the past 12 months.

Mimecast Limited has released its second-annual State of Email Security report. The report identifies the latest email-borne threats facing organisations of all sizes and industries globally. Cyberattacks are on the rise. In fact, more than 85% of Australian organisations reported seeing the volume of phishing attacks increase over the last twelve months, while 41% said they saw the volume of impersonation attacks rise. Making cybersecurity a priority should start from the top, yet this isn't always the case: 33% of respondents said their C-level executive sent sensitive data in response to a phishing attack, and 58% admitted that their management teams aren't knowledgeable enough to identify and stop an impersonation attempt.

"Email-based attacks are constantly evolving and this research demonstrates the need for organisations to adopt a cyber resilience strategy that goes beyond a defence-only approach. This is more than just an 'IT problem,'" said Peter Bauer, chief executive officer of Mimecast. "It requires an organisation-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk – to be the last line of defence."

Mimecast conducted the research with Vanson Bourne on the state of organisations' cybersecurity, their expectations and needs, and what attacks they've seen increase. Findings within the report are based on responses received from 800 IT decision makers and C-level executives globally and reveal the attitudes, behaviours, confidence and preparedness levels of security professionals – and the C-suite – when it comes to dealing with these threats.




14-16.11.2018 | Hotel Fort Canning, Singapore

Join us at The 4th ASEAN EXEC-IT, THE leading information technology event of the year! Themed "Disruption for Digital Differentiation", the event will cover cutting-edge topics such as The Transformational CIO, The Digital Business Model, The Convergence of AI and IoT, Rethinking Cyber Security & Privacy as well as The Digital Business Capabilities. Attendees will benefit from keynote presentations, real-life case studies and interactive workshops!

DISTINGUISHED SPEAKERS INCLUDE:
• Luvleen Sidhu, Co-Founder, President and Chief Strategy Officer, BankMobile, USA
• Pedro Sttau, Chief Information Officer, iCar Asia Ltd, Malaysia
• Jesper Toubøl, Vice President Business Unit, LEGO, Denmark
• David Mathison, Chairman, CEO & Founder, CDO Club, USA
• Vicky Abhishek, Group Chief Technology Officer Asia Pacific, The Coca-Cola Company, Singapore
• Kirill Petropavlov, AI and Data Analytics Head, Standard Chartered Bank, Singapore

MANAGEMENTEVENTS.COM


REPORT REVIEW | by James Jordan

Review of the Department of the Prime Minister and Cabinet’s Security Procedures, Practices and Culture

March 2018

Report available at: www.pmc.gov.au/resource-centre/pmc/reviewdepartment-prime-minister-and-cabinetssecurity-procedures-practices-and-culture

The missed opportunity that is the report into PM&C security procedures, practices, and culture

As many of you are aware, the long-awaited report into the circumstances behind the loss of a number of security containers, which were subsequently found at an auction site and, when opened, were found to contain a range of sensitive and classified material, has been released. If you are not aware of the full story, the report handily provides a summary in the first chapter, which in my opinion reads like a ‘Fawlty Towers’ episode. While I am sure there is more to this report that has not been released and that has led to the sanctioning of members of the APS, there are a significant number of lessons that can be taken from it. As someone who has spent the better part of 20 years working in Government Security, I see this report as a mixed bag of the good, the bad and the stupid, and as a result see it as a missed opportunity.


James Jordan, BSc (Security); DipGov (Security); MEmergMgt | Protective Security and Resilience Consultant, Integrity2Resilience Services Pty Ltd

The biggest concern that I see in the report is in the recommendations, which in many cases seem to be motherhood statements that all make very good common sense, which makes you wonder why they were not in place to begin with. Interestingly, there are a number that contradict elements elsewhere in the report indicating that everything was found to be in order, such as the very first recommendation regarding PM&C needing to consider its ‘complex operating environment’ (by the way, they are not all that unique: nearly every other department is spread over multiple buildings and has lots of structural change) and the related vulnerabilities within its risk management. It is interesting that Chapter 2 goes on to say that an external audit of PSPF compliance was undertaken and found that they were compliant with all but five elements, with which they were partially compliant. The foundation of the PSPF is an effective risk management process that drives the performance standards, which shows that the audit was compliance based and not performance based. This critical issue seems to have been missed across the report, even though it is in plain sight: recommendation after recommendation indicates that while policy and procedures were in place, there had been no performance measurement to confirm that the risk mitigations were achieving the levels of reduction that were expected. How can you base a Protective Security environment on risk if you don’t know whether your controls are effective?

The next area of concern is the use of the term ‘culture’. This buzzword gets thrown around in government circles, especially when it comes to Protective Security, and to be honest I don’t think the majority have any idea what it means. My favourite in this case is the term ‘Security Champion’; what is meant by this term is left up to the imagination of the reader, as it is not explained in the report. From experience I have a fair idea what will occur during implementation: each area will find some poor EL1 or EL2 who will get the tag, either because they were too slow to run or because they have some belief that they know what security is, and will put up a bunch of signs that make everyone uncomfortable for a short period before it is all but forgotten. I would also like to point out that you will NOT achieve an effective culture based upon fear, which is exactly what you will get from a focus on ‘breaches’ as a performance metric coupled with a policy that tells everyone that every time you get one you will have to front Senior Leadership and may lose your job. What you do get is a culture of avoidance where no one will own up to anything, and incidents are hidden until they fester and explode.

There is a great emphasis in the report on the need to do training, and quite a few recommendations about how more was needed and how the methodology of delivery needs to change, but nothing regarding what that ‘training’ was meant to achieve. You do not just get effective training, regardless of the method, if you don’t have a goal that you want to achieve and then measure performance against that goal. In this they at least got the former aspect right.

As a final comment I would like to point out a couple of gems that I found in Chapter 5, which talked about what the whole of the APS could take from the report. The first is the comment around the Attorney-General’s Department (AGD) providing benchmarking against compliance reports to share ‘best practice’. This is great, but to do this the self-reporting that agencies perform every year needs to stop going into the ‘black hole’ that is the PSPF policy area within AGD. In all the years that the PSPF has been in existence I have never seen any feedback or comment on a department’s submission. I suspect that is because, as was noted at the last Security in Government conference by a representative from AGD, they could not compile anything from the reports, as most provided no value due to a lack of consistency in the responses. I would also note that self-reporting only works if there is a process by which confidence in the value of the information can be confirmed. In the immortal words of Ronald Reagan in December 1987, after the signing of the INF Treaty with Mikhail Gorbachev: ‘Trust, but verify’. AGD has lots of trust in departments because it has never verified.

My concern is that this report missed linking the fundamental problem within Protective Security, even though it talked about it in the recommendations in the final chapter. The level of capability development in those responsible for the development of effective risk analysis, policies and procedures does not exist, and has only been lessened since the closure of the PSTC. While what the PSTC provided was useful in the development of effective controls, it was never encouraged to do more. The current PSPF only recommends a Diploma level qualification for an ASA; name one other EL position in a department with the same level of responsibility as is currently placed on an ASA that is only expected to have a vocational level qualification. One last thought for everyone out there: why did the report never discuss whether the Security unit of PM&C had sufficient manpower resources to achieve all the tasks that it was asked to undertake?

James is a recognised leader in the Protective Security profession as a deliverer of governance and practical solutions and as a leading educator and mentor. His experience has been gained over 13 years specifically providing effective and deliverable solutions in the governance aspects of protective security guidance to all levels of government. James specialises in managing the relationships involved in developing resilience and its relationship with emergency/crisis and business continuity management. He also holds a qualification in Training and Assessment and a Certificate IV in Government (Personnel Security), and is a research associate with the Australian Security Research Centre.


BOOK REVIEW | by CHRIS CUBBAGE

Five Anchors of Cyber Resilience: Why some enterprises are hacked into bankruptcy while others easily bounce back - PHILLIMON ZONGO, Broadcast Books (www.broadcastbooks.com.au)

“Enterprises cannot afford to delude themselves about the current state of affairs – protecting against the soaring threat of cybercrime has never been more important. Discounting cybercrime is not just negligent; it’s dangerous.”

In addition to an accurate, growing and obviously concerning list of case-study cyberattacks to underline the context and importance of this book, Zongo proposes that the origin of their predicament lies in many factors, but particularly the following five: limited executive buy-in into cybersecurity programs; a growing list of poorly secured business partners; a gullible or poorly trained workforce; heavily diluted, one-size-fits-all strategies; and a consistent failure to bake security into digital transformation programs.

The Five Anchors of Cyber Resilience details, in its key chapters, the manner in which cyber resilient enterprises build their cyber security strategy centred on high value assets. Rather than start with a predefined set of controls and then build security controls based on best practice, cyber resilient enterprises think differently: they place the customer at the centre of everything they do. The next key anchor is putting people’s hearts and minds, not technology, at the centre of their cyber security strategies. The third key anchor is baking cyber security into innovation programs. They are constantly thoughtful and diligent about security decisions as they embrace disruptive technologies, anticipating major pitfalls early and embedding security deep into design work. With the fourth key anchor, cyber resilient enterprises implement a risk-based assurance program over suppliers, and they don’t enter these alliances blindly: the majority of debilitating cyber attacks have emanated from poorly secured third party environments.

Finally, the fifth anchor is that they create highly effective, lean and efficient governance structures, with a consistent message throughout the book being that there is no one-size-fits-all: there is no universally right cybersecurity strategy. Zongo continues to deliver insight as the chapters roll through, including insights into cloud computing, artificial intelligence and blockchain; as businesses move into adopting these technologies, or merge with and acquire unrelated entities, the task of protecting high value digital assets ‘becomes complex and daunting, particularly if those entities were smaller organisations without the capabilities to defend themselves’. “In the end, there is no such thing as a risk free innovation.” There are solutions, despite the challenges: rethink the cyber governance models and, if needed, create a dedicated role to reduce vulnerabilities within suppliers and supply chain stakeholders; maintain an inventory of business partners, segregate suppliers based on risk, implement differentiated assurance controls and apply suitable standards to measure and benchmark against.

The primary aspect that leaped out from this high quality body of work was the encouragement of greater and deeper board-level cybersecurity conversations and the important questions boards should be asking. In addition to the conversation, the board should also be monitoring cyber risk metrics to inform it about the organisation’s vulnerabilities as well as the strength of its defences. In conclusion, Zongo cleverly casts back to 1864 and the attack by 1,700 soldiers of the British 43rd Regiment against 235 New Zealand Maori warriors. The span of technology and tactics has not been lost in time, and with reference to The Art of War, “in warfare there are no constant conditions”, and in today’s technology environment, quoting the World Economic Forum, “the speed of current breakthroughs has no historical precedent.” This book is superbly written and crafted, sufficiently enticing and insightful, and written with the enterprise executive and board front of mind. With publications such as this, there really is no excuse for a company director not to be cyber-informed and cybersecurity aware. It is their fiduciary duty to be so. Well done Zongo. Highly recommended read!

Download the MySecurity Media App and go in the draw for the chance to WIN 1 of 10 copies of ‘The Five Anchors of Cyber Resilience’

DOWNLOAD NOW!

App now available on iTunes & Google Play



October 24- 25, 2018 | Singapore

“an ounce of prevention is worth a pound of cure”

Collaborate. Add Value. Build Relationship

To register or for more information, contact: +65.6914.2697 | Email: ailaclemente@cxo-project.com https://www.cxo-project.com/ciso-elite-asia-2018




In a world of predators, cyber defence is your top priority Safeguard your future and master the skills you need to navigate the depths of the dark web and cyberthreats at Cloud & Cyber Security Expo.

On 10th and 11th October 2018 at Marina Bay Sands, Singapore, arm yourself with the most practical solutions and gain invaluable insight from leading cyber security experts and practitioners to PROTECT, SECURE and DEFEND your business. You cannot afford to wait and see. Register for your FREE ticket today at www.cloudsecurityexpoasia.com/My-Security-Media

CO-LOCATED WITH

ECOMMERCE EXPO 10 – 11 October 2018, Marina Bay Sands, Singapore

www.ecommerceexpoasia.com

EVERY EMERGING TECHNOLOGY. ONE DIGITAL TRANSFORMATION JOURNEY.




RISK MANAGEMENT INSTITUTE OF AUSTRALASIA

RMIA Annual Conference 2018: RISK + 2 = THE NEW NORMAL
Sheraton Grand Mirage Resort, Gold Coast, 31st October - 2nd November 2018

Keynote Speakers:

Major Matina Jewell (Retired) CSP
Paul Chivers, Risk Advisor - “I’m a Celebrity... Get Me Out of Here!”
Dr. Hilary Lewis, Division Director, Head of Risk Culture - Macquarie Group
Deborah Goldingham, Marketing & Communications Strategist
Robb Eadie, Chief Risk Officer - BHP
Chris Gatford, Director & Founder - HackLabs
David Piesse, Global Insurance Lead & Chief Risk Officer - Guardtime

8 Topic Streams | Over 60 Speakers | Thought Provoking Panels | Networking Opportunities | 30 Sponsors & Exhibitors @ The Gold Coast

FULL DETAILS @ WWW.RMIACONFERENCE.COM.AU






TUNE IN NOW!

www.australiancybersecuritymagazine.com.au




