THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2017
COAG’s security focus Commonwealth & Australian states single out ‘security’
DATA61: Taking the Nation’s lead on cyber research
Navigating the IT landscape of the future
Cyber security of assets in the interconnected era
A safe and secure Australia?
Women in security: Noushin Shabab, Senior Security Researcher, Kaspersky Lab
Psychology for surviving a violent attack
Securing your unified communications: Three key considerations
PLUS Regional event reviews | Interpol World 2017 Cyber week in Singapore | Philippines Connect and Cyber security
SECURITY EXCELLENCE CALL FOR NOMINATIONS
#SecurityAwards 2017
By Natalie Shymko, Marketing and Communications Manager, Australian Security Industry Association Limited (ASIAL)
The vital role performed by Australia’s private security industry will be recognised later this year at a special awards ceremony in Melbourne organised by ASIAL. The 2017 Australian Security Industry Awards for Excellence and Outstanding Security Performance Awards will recognise excellence in the security industry. Nominations are open to all and provide an opportunity to recognise individuals, including frontline security personnel who have gone beyond what could reasonably be expected of them in providing a level of service that exceeds clients’ expectations. Likewise, organisations and teams who have demonstrated leadership and innovation will also be recognised. Judging of the awards will be undertaken by an independent panel of judges that includes Kate Hughes, Chief Risk Officer, Telstra; Damian McMeekin, Head of Group Security, Australia & New Zealand Banking Group Ltd (ANZ); John Yates, QPM, Director of Security, Scentre Group; Chris Beatson, Director, PoliceLink Command, New South Wales Police Force; John Adams, Editor, Security Electronics and Networks Magazine; John Curtis, Director, IPP Consulting Pty Ltd; and Vlado Damjanovski, CCTV Specialist and MD, ViDi Labs. Nominations are now open and close on 1 September 2017. Winners will be presented at a special awards ceremony to be held at Crown Melbourne on 19 October 2017.
Award categories include:
• Individual Achievement – General
• Individual Achievement – Technical
• Gender Diversity
• Indigenous Employment
• Special Security Event or Project
• Integrated Security Solution
• Product of the Year (Alarm, Access Control, CCTV – Camera, CCTV-IP System/Solution, Communication/Transmission System, Physical Security (bollard, gate, barrier))
Award categories include:
• Outstanding In-house Security Manager
• Outstanding In-house Security Team
• Outstanding Security Training Initiative
• Outstanding Security Partnership
• Outstanding Security Officer
• Outstanding Guarding Company
• Outstanding Security Consultant
• Outstanding Security Installer
• Outstanding Information Security Company
For more detailed information on the award nomination criteria and process visit www.asial.com.au/securityawards2017
2017 EVENT Winners announced - 19 October 2017 The River Room, Crown Melbourne. The Australian Security Awards Ceremony & Dinner The night is an opportunity to celebrate excellence and innovation in the security industry, and network with likeminded security professionals.
Contents
Editor's Desk
Q&A with Garry Barnes
National Security
Taking the nation’s lead on cyber research
COAG’s security focus - Commonwealth & Australian states single out ‘security’
A safe and secure Australia?
Frontline
Psychology for surviving a violent attack
Navigating the IT landscape of the future
The ASX 100 Cyber health check report
Building a modern security operations centre
Cyber security of assets in the interconnected era
Women in Security: Noushin Shabab, Senior Security Researcher, Kaspersky Lab
Cyber Security
Securing your unified communications: Three Key Considerations
INTERPOL WORLD 2017
Philippines Connect and Cyber Security
TechTime - the latest news and products

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Fiona Wade, Jane Lo
Correspondents* & Contributors: Jane Lo*. Additional: Fiona Wade*
MARKETING AND ADVERTISING T | +61 8 6465 4732 firstname.lastname@example.org

Copyright © 2017 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: email@example.com
All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
www.facebook.com/apsmagazine
www.twitter.com/apsmagazine
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
"We need to ensure the personnel applying the security measures are highly trained and motivated. The days of using private security firms, lowly paid workers behind our security checkpoints are well and truly over." - Mike Carmody, ABC News, August 5, 2017. Mr. Carmody is former chief of security for the Federal Airports Corporation, Sydney Airport.
July was a busy month. That was even before July 26, when Australian security agencies received intelligence from a ‘Five Eyes’ partner advising of “one of the most sophisticated plots that has ever been attempted on Australian soil”, according to Deputy Commissioner Phelan, Australian Federal Police. The information came eleven days after an alleged, failed attempt to get a bomb on an Etihad flight. It was to be another three days before search warrants were executed across Sydney from where four suspects were taken into custody. During those first three days, Australian police constructed a replica of the device and tried to smuggle it aboard a plane in order to test security. With “100 per cent success rate” of detection, it suggested the device would never have made it on to a plane. On July 30, travelling from Sydney to Perth I was aware of the counter-terrorism operation and Prime Minister Turnbull’s early morning warnings to expect delays due to enhanced screening. Yet, the national terrorism threat level continued to sit at ‘probable’, despite police confirming there was an active plot and only just commencing their investigation. They made it clear to the public that it was credible and serious. It is now apparent the Government had confirmed that a terrorist action was underway, yet did not raise the National Terrorism Threat Level to ‘expected’. It can therefore be concluded that ASIO or police never had an ‘expectation’ that an attack could occur. On August 3, eight days after the first report of the plot, the Prime Minister advised publicly, from Perth, that all was confirmed as safe and that the Director-General of ASIO had publicly advised that a threat level to aviation had been “downgraded from ‘probable’ to ‘possible’”. The Prime Minister was misleading in making this reference. The concern I raise here is that there was no public announcement that a change had been made.
Indeed, nor is there a reference to a unique ‘aviation threat level' in National Transport
Security Plan guidelines or templates. Nor within the National Security Terrorism Threat Level System. However, if there is a distinct aviation sector terrorism threat level, how can it be considered lower than that of the national level? Aviation and public transport is a staple target of terrorist activity. Further, if they raise one level, should not all levels be raised accordingly? I’m not trying to be obtuse. As a long time security practitioner, if I don’t understand how the national terrorism threat level system is working, then how is the public supposed to know? As it happens, July was indeed also a busy month for other reasons. Namely, it was a month for major security industry events. Our very broad exposure to industry people and their many areas of interest and research, arms us with insight and knowledge beyond what many may hear in a year. Be it INTERPOL World, Security Expo, RSA APJ, PLuS Global Security Alliance, CIVSEC18 or Cyber in Business. These events lay out a human, technical, cyber and global threat landscape that is overwhelming in magnitude and despite being an island continent, is increasingly threatening Australia's national security and public safety. Yet, the intensity around generating nuanced and informed public debate, with the intention of building a societal resiliency is severely lacking. The political elite, including the Prime Minister is selling a ‘misleading’ message by assuring the public they are being kept safe. Security should be an enabler. Not a reason or cause for creating new or alternative risk or ignoring risk selectively. With airport security measures creating extended lines in airport terminals, the risk is simply displaced to the prescreening areas. With the new Crowded Places Guidelines soon to be announced by Malcolm Turnbull it will be interesting to see how they apply at airports, train stations and stadiums if the focus shifts to screening rather than efficient processing. 
In this issue, we cover COAG’s new focus on
security, Fraser Duff introduces 10 principles for defending yourself from an attacker, in addition to interviews with Data61’s CEO Adrian Turner, Kaspersky Lab’s Noushin Shabab, Garry Barnes and event reviews including for INTERPOL World 2017, PLuS Global Security Alliance and events highlighting Philippines' digital transformation. This issue highlights that the cyber-physical economy will be generated and underpinned by a digital economy, that will ultimately become seamless, providing a suitable and superior user experience. But there will be trial and error, as it will also need to be safe and secure. The digital government and digital economy will therefore need to be underpinned by trust. Trust needs to be a core design principle and security needs to be a forethought, rather than an afterthought. It is difficult not to be sceptical with our political leaders, including the likes of Donald Trump or the asymmetric hybrid warfare tactics being played out by China and Russia. When security policy is guided and dictated by politicians and military, not only is trust likely to be lost, but so is the legitimacy that the security discipline should be garnering for enhanced societal resiliency. Much is to be lost, including a free society. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor
Q&A with Garry Barnes
Editor’s Interview with Garry Barnes, Practice Lead, Governance Advisory, at Vital Interacts, Australia, and former ISACA Board Director

According to Gartner, by 2019, 40 per cent of large enterprises will require specialised, automated tools to meet regulatory obligations in the event of a serious information security incident. Cybersecurity governance expert and former ISACA board director, Garry Barnes, presented at CeBIT in Sydney, about the business implications and benefits of automated cyber security defences, including current technology being used and best practice implementation.

EDITOR: You outlined that you found it relatively hard to find proactive, supportive and enabling automation. Taking an InfoSec lens to business, you have created a credo that if you can eliminate the security budget just down to ‘your’ salary, then the business has embedded security. Can you expand on these concepts?

Garry Barnes (GB): My research was not exhaustive, but the majority view was that cyber security primarily equated to threat detection and incident response and not “secure Internet-enabled business”. This means that security becomes a discrete function protecting the business against diverse threats. An information security lens, however, would highlight business value in information assets and information services and would seek to establish the appropriate control model based on those values. This means a CISO can better align security activities with the cost of doing business, and help product or service owners recognise these costs as a function of revenue, sales, growth, etc. This in turn means a security budget may be able to apportion those back into the business functions. In this way, the business is taking ownership of security and it enhances their learning about risks and opportunities and the acceptance of risk. The challenge is that there is danger in complacent acceptance of cyber risk, but the intent should be to have the business leaders making those decisions, rather than the CISO.

EDITOR: Using a similar model to fleet management where corporate vehicle risk increases to an unacceptable level after 3 years and the fleet is replaced. Should this be a model for large enterprise to adopt with ICT Systems in total or just cyber security systems?

GB: I think it is a model for ICT in general (and I have seen organisations which have a policy like this), however the challenges have been cost of upgrade and replacement, and the potential transformation activities that go with it. However, this should be assessed against cyber risk from aged technology and the economics of sustaining unsupported technologies.

EDITOR: Automation advances anomaly detection and bad actor detection. You stated you want to shift the focus – to where exactly and in what time frame do we need it?

GB: We’ve had automated tools for configuration management and systems monitoring for two decades yet these don’t often get credit as being key in the cybersecurity tool kit. I want to shift the focus to using automation as much towards enabling and maintaining secure architecture and configuration as threat detection and response. The former is good for business while the latter is risk mitigation.

EDITOR: Threat actors also now have AI tools. Can good AI be trained to detect bad AI?

GB: That’s a great question and I think the answer is yes. Certainly, we have tools today that can detect bad actors and potentially reconfigure systems to protect against the threat, but the AI and machine learning components are basic. It will be interesting to see how, for example, the technology in future Cyber Grand Challenge entrants evolves and what they are capable of.

EDITOR: If we can get our language right the business leaders will better understand security. It is more difficult for the SMBs. But cloud providers may be good in this regard to leverage their advanced architecture. Do you consider cloud computing platforms now offer a security solution rather than what was formerly perceived as a security risk?

GB: Absolutely, but there is still a need for sound controls: due diligence when selecting the provider; clarity regarding security responsibilities in contract clauses; monitoring and review of services; incident notification and response and effective exit provisions, for example.

EDITOR: Automation is possible in asset discovery, security coding, metrics and reporting. As well as, data classification, risk data and aligning these equally to the four quadrants of protect, detect, recover, and respond. Given your 25+ years’ experience, where do you see AI and machine learning over the next decade and will the quadrants change?

GB: The broader IT (and IOT) industry has a huge role to play in building secure systems from the outset and investments in secure code, secure configuration, secure deployment, monitoring and correction will be just as critical as threat detection and response.

Garry Barnes has over two decades of experience in information security, assurance, risk management and IT governance. He has worked with organisations across many industries, including the public sector, banking, health, education and transport. His achievements include delivering multi-year security partnerships, implementing numerous business-aligned security strategies, overseeing risk management during a substantial banking transformation, guiding organisations through to ISO 27001 certification, and overseeing multiple compliance, assurance and security testing programs. During his tenure in the NSW State Government, Barnes founded and served as chairman and committee member on a government forum for information security management.

About ISACA
ISACA® (isaca.org) helps professionals around the globe realise the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organisations. Established in 1969, ISACA is a global association with more than 140,000 members and certification holders in 188 countries. ISACA is the creator of the COBIT framework, which helps organisations effectively govern and manage their information and technology. Through its Cybersecurity Nexus (CSX), ISACA helps organisations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.
Taking the nation's lead on cyber research Editor’s insight interview with CSIRO’s Data61 CEO, Adrian Turner
By Chris Cubbage Executive Editor
CSIRO’s Data61, Australia’s largest data innovation group, is supporting the Government’s Cyber Security Strategy by developing partnerships between the public and private sectors, supporting home-grown cyber security capabilities and promoting international co-operation. In effect, they have their scientific, collective fingers in many pies. Enjoying the opportunity to speak with Data61’s CEO, Adrian Turner, there was an opportunity to get some insight into a range of projects, but three in particular; the ‘legislation coding project’ titled ‘Regorous’, digital currencies and reports to Government in use of blockchain and smart contracts, and moving from a siloed ‘cyber security strategy’ to a more holistic, protective security strategy - to build a national resilience framework. Data61’s work statements outline how the group is applying core strengths in data analytics, trustworthy software systems and autonomous cyber operations to accelerate the national cyber security strategy. Expertise ranges from designing secure authentication for IoT devices, to innovating new data encryption methods and building trustworthy and resilient cyber systems. Adrian Turner highlighted, “by focusing on research and technology to catalyse cyber industry creation, the second order consequence is that there are more skilled people and new generations of technology to keep the country cyber safe. We are conscious to not over reach in describing what we do. Our role is in industry creation in partnership with others like the Australian Cybersecurity Growth Network (ACSGN).”

Editor: I’m interested in where the CSIRO’s legislation coding project has developed to. Can you provide an update?

Adrian Turner (AT): Research for Regorous was led by a team of researchers that originated within NICTA (National ICT Australia), now a part of Data61. We are building an ecosystem of tools based on an open database of logic rules. Our goal is to make laws and regulation available in a digital, machine-readable format, enabling any third party to develop their own compliance application. The underlying technology is ‘Defeasible Deontic Logic’ which maps rules and regulations, as well as a company’s business processes, into equations. This means that from the planning stage onwards, Regorous compares processes and rules, enabling organisations to identify and fix process compliance issues before deployment; automatically report on compliance; and rapidly check compliance when processes or regulations change. Regorous is the only rule system that can handle obligations, permissions, and prohibitions, including the ability to reason with violations. As an example a successful trial with an ISP ensured compliance with consumer complaints handling processes. In the domain of digital currencies, we were asked to do a report on blockchain for the Department of Treasury and the underlying protocols and how mature the technology is and the classes of the applications. It also involved evaluating the use of ‘smart contracts’ and blockchain for asset management.
The reports are now available and this whole area is an excellent example of the role we play. As an objective and scientific based organisation, we can play a role to help the country transition to a digital currency based country. There is also a behavioural aspect and policy direction. It is an area we are going to continue to look at and needs to be global transition. Taking stock of the implications on Australia, we are also plugging into global frameworks.
Adrian is the CEO of Data61, a CSIRO entity that is the largest data innovation group in Australia. He is a successful and influential Australian technology entrepreneur who has spent 18 years in Silicon Valley. He is also co-chair of the Australia Cyber Security Growth Network (ACSGN) and a member of the Board of Directors for the Australian eHealth Research Centre (AeHRC). Most recently he was Managing Director and Co-Founder of Borondi Group. Prior to this, Adrian was co-founder and CEO of smart phone and Internet of Things security company Mocana Corporation, had profit and loss responsibility for Philips Electronics connected devices infrastructure, and was Chairman of the Board for Australia’s expat network, Advance.org. Adrian was also author of the eBook BlueSky Mining, Building Australia’s Next Billion Dollar Industries.

Editor: With the rapid emergence of robotics and cyberrobotics, with an electronic security mix, does the cyber security strategy go far enough for Australia’s protection?

AT: In terms of a protective security strategy, I can’t comment on Government policy but based on experience and the difference between IT and OT – where Australia does have opportunity to scale, is around the cyber-physical systems. We absolutely, have core strength in cyber-physical systems. There are two things that we need to move towards as a country. One is resilience and the ability for a graceful recovery, when things go wrong, and the other is the behavioural and human aspect of cyber. We are investing heavily in these areas and they are the difference between ‘mission critical’ and ‘life critical’. The needs are different and priority is different. One requires availability and resilience and the other needs the ability to gracefully recover. We do refer to the World Economic Forum’s risk qualification models and in cyber insurance, there is a global push to cyber insurance. But it is so difficult to quantify the risk and thereby insurance is starting to certify systems. We need to be cautious not to create a new financial instrument that undermines the risk quantification and creates a subprime set of circumstances. Data61’s focus is on industry creation versus keeping the country cyber safe. We are not involved in the new cyber warfare unit announced with the Australian military and others are better suited to keep the country cyber safe. Nor is our role to build a national resilience framework. We are working with the Defence Science and Technology Group (DST) and Data61 sits as part of DST Group with joint PhD researchers. These initiatives have been supported by a $9.3 million partnership between Data61 and the DST to establish collaborative research projects with nine Australian universities around cyber security. This Modernisation fund allows us to work on a multiagency data sharing platform, using monolithic analytics that can share encrypted data. We think we’re a generation ahead, despite using off the shelf products and older techniques. This is being led by Data61’s confidential computing team and the development of Platforms for Open Data (PfOD) is designed to enable data sharing, whilst simultaneously maintaining data privacy and integrity.

Editor: What are the key runs on the board?

AT: The Platform for Open Data (PfOD) NISA project is a central element of our NISA activities and to date has seen Data61 commence a total of eight collaborative projects with Commonwealth agencies. Four have been completed, with a further five projects commenced from 1 July 2017. The four
projects completed to 30 June 2017, delivered on budget and on time, were: • working with Australian Bureau of Statistics to prototype software enabling public data platforms to interactively access aggregated data, confidentialised-on-the-fly from unit record datasets; • supporting the Department of Social Services (DSS) in generating a synthetic social security dataset, allowing data to be openly released and analysed, whilst maintaining data privacy; • working with DSS and the Australian Institute of Health and Welfare to develop and test software and a user interface to enable auditable data extraction and delivery into a secure environment for policy and research purposes by authorised users; and • Developing prototype technology for Department of Industry use in conducting web-based data analytics of BLADE data (business longitudinal), while preventing spontaneous recognition. Another highlighted example is the ASX launch on June 30 of Audinate, a Data61 commercialised spin out company which provides wireless audio and is now moving to providing industrial wireless audio systems. Audinate has enjoyed revenue growth at a 30 per cent annual compound rate since 2013, and is expected to hit $18.5 million in 2017-18. Audinate's Dante platform distributes digital audio signals over IP networks. In its first year of operation, Data61’s Year in Review reports making significant strides in support of the Government’s Cyber Security Strategy, with more than 70 cyber security research initiatives active across the network of universities, research institutions and government sectors.
COAG’s security focus Commonwealth & Australian states single out ‘security’ By Fiona Wade Canberra Correspondent
ational security has certainly taken centre stage during the Parliamentary winter break with a number of changes to the landscape being announced by the Prime Minister. It’s all in the timing. Just days after Somali-born Yacqub Khayre was killed by police after shooting dead a receptionist at Melbourne serviced apartment block, national security found itself at the top of the agenda of the 44th Council of Australian Government (COAG). Held in Hobart on 9 June, this was the first COAG meeting for NSW Premier Gladys Berejiklian and WA’s Mark McGowan, and had originally been expected to be dominated by a briefing from Chief Scientist Alan Finkel, who presented his report on energy security; however, recent events in Britain and Melbourne meant that terrorism took the spotlight. COAG usually provides a forum for states to jostle for prominence, but instead there was collegial agreement with the Prime Minister Turnbull winning support for a tougher approach to parole and bail, where people have had terrorist connections. Questions over why Khayre (who was on parole, had a violent history and known links to terrorism) was out in the community, helped to pave the way for federal and
state leaders to agree to the need for an improvement in information sharing across state and territory police, AFP and ASIO Joint Counter-Terrorism Team in each jurisdiction. During deliberations, First Minsters agreed that there will be a presumption that neither bail nor parole will be granted to those persons who have demonstrated support for, or have links to, terrorist activity. In short, this means that there was mutual agreement for the necessity to work towards nationally consistent and tougher parole laws in a move to keep violent felons with links to terrorist organisations off the streets. “We have agreed that states and territories will strengthen their laws to ensure that there will be a presumption that neither bail nor parole will be granted to those who have demonstrated support for or have links to terrorist activity,” said the Prime Minister at the post meeting news conference. “They belong in jail and this is a very important change and an indication of the resolution of the leaders of our governments, of Australia’s governments, to defy and defeat the terrorists.” He said. Federal and state leaders also agreed on ramping up their anti-terrorism strategies, calling for the improvement of information sharing across state and territory police, AFP and ASIO Joint Counter-Terrorism Team ( JCCT) in each
jurisdiction; though Attorney-General Senator Brandis, was quick to point release a statement following the meeting that intelligence sharing between ASIO the states and territories has been in place for many years and is common practise though the JCCT. Speaking at the post meeting news conference, Victorian Premier Daniel Andrews said that while civil libertarians were bound to be upset, the time had come to protect the community. “I think we are at a point in our nation’s history where we have to give very serious consideration to giving law enforcement some tools and powers that they don’t enjoy today,” he said. And while that might be unpopular with the civil liberties community, and involve curtailing the rights and freedoms of a small number of people, but “that is what will be needed in order to preserve and protect a great many more”. He said. COAG heard reports from ASIO, the Australian Federal Police, Turnbull’s cyber-security adviser, Alastair MacGibbon, and the counter terrorism co-ordinator, Tony Sheehan. Also on security, the leaders: • agreed to having security-cleared corrections staff as part of the counter-terrorism team in each jurisdiction. This is designed for better sharing of information; • agreed on the importance of close co-operation between all levels of government and with the private sector in protecting crowded public places; • discussed strengthening the security of public and private IT systems in the context of the WannaCry ransomware campaign, which locks computer files and demands payments to unlock them; • committed to governments continuing to work together and with industry to manage the security risks coming from foreign involvement in the nation’s critical infrastructure; and • ordered further work on a nationally consistent approach to organised crime legislation. 
The leaders also decided to hold a special COAG meeting as soon as practicable “to fully and more comprehensively review the nation’s laws and practices directed at protecting Australians from violent extremism”. One could assume that the new super agency of Home Affairs, announced by the government on the 18 July, will figure prominently on the agenda. Headed by the Immigration Minister Peter Dutton, the new Home Affairs portfolio will have responsibility the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP), the Australian Border Force, and the Australian Criminal Intelligence Commission and is based on the UK’s Home Office model. Meanwhile following a just-completed review of the Australian Intelligence Community by two former federal officials, Michael L'Estrange and Stephen Merchant, the government will set up an Office of National Intelligence, headed by a Director of National Intelligence. This will also mean that the Australian Signals Directorate will become a statutory authority within the defence portfolio. Speaking at a news conference, the Prime Minister
said that the changes were the most significant security and oversight reforms in four decades. “We need more enduring and better integrated arrangements for our domestic and border security – arrangements that will preserve the operational strengths and independence of our front line agencies but improve the strategic policy planning behind them,” he said. “We are taking the best elements of our intelligence and national security community and making them better. As terrorists evolve their methods, we have to evolve our responses.”
Minister Dutton will have two junior ministers working with him. Justice Minister Michael Keenan will work on security while the other minister has yet to be named.
Not all agree that a super agency is what the country needs. "I'd like to be convinced this is about national security, not Malcolm Turnbull's job security," Labor leader Bill Shorten said this morning following the announcement, while the Shadow defence minister Richard Marles argued that neither ASIO nor any other agency has called for the change.
The announcement comes off the back of the move by government to give the Defence Force (ADF) a bigger role and greater powers in combating terrorism. These changes, announced just one day before the birth of the super agency, are designed to assist in preparing for incidents, enabling a more comprehensive ADF response if needed, and improving the flow of information between the ADF and police during an incident. The measures – including specialised training by special forces for law enforcement teams – will provide more federal support to state police forces, which are still acknowledged as the appropriate “first responders”. For this to occur, the Defence Act is to be strengthened to remove some constraints governing the “call-out” of the ADF in terrorist situations.
This includes removing the current limit on states and territories asking for defence force support and specialist military skills until their capability or capacity has been exceeded. In a joint statement with defence minister Marise Payne, the Prime Minister said that, “State and territory police forces remain the best first response to terrorist incidents, immediately after an attack starts. But Defence can offer more support to states and territories to enhance their capabilities and increase their understanding of Defence’s unique capabilities to ensure a comprehensive response to potential terrorist attacks.” He also wants ADF personnel to be placed within law enforcement agencies to assist with liaison and engagement between the ADF and police.
The announcement addresses some of the coroner’s recommendations in the report on the 2014 Lindt cafe siege, in which two victims and the attacker, Man Haron Monis, were killed.
Parliament resumed on 8 August and we can expect that national security will take front and centre stage. And we can suppose that there will be a multitude of claims that the new super agency is all about politics and has little to do with national security. Needless to say, it is now a waiting game to see how the new measures, initiated at both state and federal level to combat the heightened global terror threat, evolve.
A safe and secure Australia?
Australians may never have been more insecure
By Chris Cubbage, Executive Editor
There is a deep divide and disparity between the Australian political message of ‘we will protect you and will keep Australia safe’ and the operational message from police and emergency services of “don’t count on us being there in your greatest time of need – we may not be coming as quickly as you may think.”
On July 18, Prime Minister Turnbull announced: “the Government will establish an Office of National Intelligence, headed by a Director-General, and transform the Australian Signals Directorate into a statutory agency within the Defence portfolio. The Government will also establish a Home Affairs portfolio of immigration, border protection and domestic security and law enforcement agencies. The new Home Affairs portfolio will be similar to the Home Office of the United Kingdom: a central department providing strategic planning, coordination and other support to a ‘federation’ of independent security and law enforcement agencies, including the Australian Security Intelligence Organisation, the Australian Federal Police, the Australian Border Force and the Australian Criminal Intelligence Commission.”
This is claimed as the most significant reform of Australia’s national intelligence and domestic security arrangements in more than 40 years. The Prime Minister said, “These reforms are driven by serious threats to Australia’s security and the Government’s determination to keep Australians safe and secure.”
The basis and timing of the reform was the central theme of the Independent Intelligence Review Report 2017, which states, “to provide a pathway to take those areas of individual agency excellence to an even higher level of collective performance through strengthening integration across Australia’s national intelligence enterprise. The aim is to turn highly capable agencies into a world-class intelligence
community. The theme of establishing strong, enterprise-level management of the national intelligence community to complement the strengths of individual agencies runs through our recommendations.”
The report continues, “Our national intelligence community is facing imposing challenges that, in our view, will intensify over the coming decade. Some of these challenges derive from new forms of rivalry and competition among states, the threat posed by extremism with global reach, particularly Islamist terrorism, and the implications of accelerating technological change for Australia’s national security outlook. Other challenges reflect the changing nature of twenty-first century intelligence, and especially the new frontiers of data-rich intelligence and the risks to comparative technical advantages.”
“Australia’s future security environment will demand greater levels of collaboration across traditional dividing lines and more cross-over points… progress towards this objective will require changes to the co-ordinating structures of our intelligence community, new funding mechanisms to address capability gaps, the streamlining of some current legislative arrangements, and measures to further strengthen the state of trust between the intelligence agencies and the Australian community of which they are part.”
The report also recommends Government transform the Australian Cyber Security Centre (ACSC) to become, “the credible and authoritative voice on cyber security in Australia. The ACSC should aim to pre-empt or respond at speed to
incidents and bring a new level of inclusiveness and co-operation with the private sector. It should also drive the development of a nation that is resilient against cyber threats.”
The report recommends, “The governance of the ACSC be provided by the current Cyber Security Board chaired by the Secretary of PM&C with its membership increased to include the Director General of the Office of National Intelligence and CEO-level representatives of critical national infrastructure sectors such as telecommunications, health care, financial institutions, other services, energy, water and ports. Private sector members of the Board should undergo appropriate security clearances to allow frank discussions about the ACSC’s capabilities.”
This latter recommendation should stand out for the intent of inclusiveness. But it does not account for the cost or reimbursement to these private organisations for the provision of CEO-level representatives. Who is to benefit from whom and are the costs to be shared?
Global Security PLuS Alliance
A day following the Prime Minister’s reform announcement, the Global Security PLuS Alliance was launched in Sydney. The culmination of research activities between the University of New South Wales, Arizona State University and King’s College London, the morning’s PLuS launch symposium aptly captured the very serious, but more importantly, the very broad nature of the current global security landscape. Presented with a sufficient tinge of Australian context, for the Australian lay-person, the threat landscape is not a pretty picture. Amongst the complex natural world, which encapsulates many inherent risks, Australians appear to me complacent, uneducated, ill-prepared and with a growing sense of bigotry and racism, grabbing hold of rising global nationalism and Islamophobia. All of this is occurring within a changing climate, where water resources are being depleted and sea levels are rising.
Australians, and humans in general, continue to be intent on adding layers of complexity and creating wilful threats against this backdrop. Rarely are these all captured in a morning’s session, as they were at the PLuS Alliance Global Security symposium.
Is nuanced debate obsolete?
The Australian Strategic Policy Institute’s Jacinta Carroll commenced with a paper titled ‘Tweeting with Nuance’ and noted, as many are aware, that “information and knowledge is more accessible and avoidable than ever before”. The enduring challenge in counterterrorism is for governments and the communities they serve to achieve a balance between privacy and security. It has become the populist versus leftist debate. This is unpalatable and unhelpful to a broader and more nuanced debate. The political debate and public consultation is a matter of conceding to opposite positions, rather than achieving a balanced, informed and transparent outcome.
With divisiveness, terrorist propaganda becomes a more serious threat facing the country. In Australia, a terror attack is considered ‘probable’, with five successful attacks and twelve (currently alleged to be thirteen) plots intercepted, including cases of a 15-year-old Sydney girl sending money to help facilitate the Islamic State and the arrest in Canberra of a man providing highly technical assistance to the Islamic State. Over 100 Australians have become jihadists, with 40 having returned home and 70 killed in combat. There are 200 active investigations underway.
As Jacinta Carroll highlighted, “the largely overlapping and over tractable issues can quickly accelerate and suddenly appear overwhelming, as if we are trying to achieve world peace. There is no simple cause and effect. Radicalisation is a process, yet, it is a single narrative and is self-reinforcing. Though it is not a simple process. It involves ongoing nurturing and management. This is what terrorism is all about, propaganda.”
When established, Islamic State created a formal information headquarters as one of its first steps. Yes.
This included ‘Men sitting around tables and brainstorming on white boards.’ They then drafted and pushed this propaganda out online and continue to support the message by using bloggers in different languages and cultures. They create a product suited to the target market, targeting all Muslims, all migrants – and anyone prepared to listen and engage. The ideology is based on an image of a war being waged against the West and in support of an oppressed ideology.
Jacinta confirms, “We need to be aware of how terrorist groups use information. We need to understand the propagandists are trying to control the narrative. They don’t have to tell the truth and they don’t have to be accountable. This is the reality of the divide between
propaganda and populism.”
An example? The debate which occurred around end-to-end encryption, an extremely important and topical issue. The leading news story and the standard debate was that the Australian Government is seeking a backdoor, whilst there remained a lack of nuanced understanding. The issue is not an open and shut case, with many complexities, rule of law and jurisdictions to consider before getting to the technical elements. Many of these issues simply weren’t discussed or sufficiently canvassed. There remain serious issues to deal with, and global security issues are always complex and too much for commentary to fit into a 140 character tweet. Twitter posts are not effectively dealing with the issue and only drive populist rhetoric.
Research of 112 cases of convicted terrorists in the USA found that of the supporters of Islamic State, 83 per cent were American citizens. Thirty per cent of those charged in the last three years were converts to Islam and not originally from the Muslim community. Theirs was not a religious conversion; they were converted by the link to the extremist ideology – they succumbed to the propaganda.
Jacinta concluded, “Whilst we should be celebrating complexity, it is incumbent on security professionals and researchers to engage and help to understand the essence of these serious issues and articulate how they should be understood and interpreted.”
Intertwining human and technical factors in cybersecurity
Dr. Luca Vigano, Professor in Computer Science (Software Modelling and Applied Logic) at King's College London, gave a highly engaging presentation with a focus on the formal methods for the human dimension of cybersecurity. By applying mathematics over the last 40 years, the world has been experiencing a digital revolution. The contrasts of technology are self-evident.
It has led to cyber-hijackers possibly being able to gain access to and control of a plane, but it is also a worthwhile technical capability should authorities want to take control of a plane that has been hijacked. The same grapple with technology is occurring with drones, with the controlling capability demonstrated by Department 13.
When considering the disparity between developers and users, Dr. Luca Vigano refers to the human aspects of cybersecurity, referring to Shakespeare’s only use of the word ‘security’, in Macbeth, Act 3, Scene 5, where the term actually implies having ‘over confidence’. The inherent human reaction to ‘security’ has been observed and studied before. Users are like water, seeking out the path of least resistance. References include Nietzsche’s Turkish fatalism, which is the attitude of resignation in the face of some future event or events which are thought to be inevitable. Under this attitude, adherence to security requirements is seen as irrelevant and unnecessary. At the other end of the spectrum is Freud’s fiction of omnipotence, defined as the ‘infantile concept of reality’, in which one expects all of one's wishes to be instantly gratified. This translates to those who will bypass security requirements in favour of convenience.
Dr. Vigano highlighted that the cybersecurity threat is real for everyone, be it the Heartbleed Bug, WannaCry or, more recently, the Australian Medicare data breach. The solution is either to unplug and power down computers or to continue working on creating formal validation methods that are traceable, provable and transferable. Heartbleed, for example, remains a serious vulnerability in OpenSSL, the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. It allows the theft of information that is protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
There are validation tools available. The Automated Validation of Trust and Security of Service-oriented Architectures (AVANTSSAR) project developed the AVANTSSAR Validation Platform and ASLan++, the first formal language for specifying trust and security properties of services, their associated policies, and their composition into service architectures, at both communication and application level. This allows automated techniques to reason about services, their dynamic composition, and their associated security policies into secure service architectures. Migrating project results to industry and standardisation organisations will speed up the development of new network and service infrastructures, enhance their security and robustness, and increase the public acceptance of emerging IT systems and applications based on them.
Other validation tools include ProVerif, a tool for automatically analysing the security of cryptographic protocols. Support is provided for symmetric and asymmetric encryption; digital signatures; hash functions; bit-commitment; and non-interactive zero-knowledge proofs. The Tamarin prover is a security protocol verification tool that supports both falsification and unbounded verification in the symbolic model.
Maude-NPA is an analysis tool for cryptographic protocols that takes into account many of the algebraic properties of crypto systems that are not included in other tools. These include cancellation of encryption and decryption, Abelian groups (including exclusive-or), exponentiation, and homomorphic encryption.
As Cyber Physical Systems grow exponentially with the Internet of Things, made up of sensors, actuators, controls, cryptography and humans, the components require differential equations, not just logical models. Security is interdisciplinary and there must be a joining of forces to achieve security. With Socio-Technical Systems, users may perceive security as a burden and thus choose to ignore or bypass it.
Anti-Terror Law Creep
George Williams, Dean of Law for the University of New South Wales, highlighted that prior to September 11, 2001, Australia did not have ‘any’ terrorism-related laws. But the country has since developed a body of law in response to ‘The War on Terror’. However, at the time these laws were seemingly intended to be short term, transient and not to be with us for a long time. Yet, after 15 years of war, it hasn’t worked out that way. Having been introduced as a series of measures that is far from transient, these laws have now taken
on a feeling of permanence. What was exceptional is now becoming normal. In reality, these laws have become a long term change in how we are governed and have significantly reshaped Australia with a broad range of policy and legal outcomes.
Law is often ill calibrated and ineffective when used to combat terrorism. Despite a relatively lower threat prior to 2011, previously measured as low, medium and high, with Medium then formally defined as simply ‘a medium risk’, Australia went from having no anti-terror laws to now having sixty-six separate statutes dealing with anti-terrorism activities. Between 2001 and 2007, forty-eight anti-terror laws were passed, an average of one every 6.5 weeks, amounting to hundreds of pages. Never has Australia gone through such a sustained period of hyper legislation.
The cycle has been that a successful attack provokes a political reaction and a new law. Some of these laws were entered into Parliament and passed in the same day, often passed with full bipartisan support and expedited measures. There has been limited opportunity to scrutinise and for legal engagement on laws that are extraordinary in scope. Now, politicians have run out of sensible things to do and, without a clear criminal definition of terrorism, this empowers authorities to pick and choose how and to whom the powers of these laws apply.
Some of the laws allow ASIO and the AFP to arrest someone without charge and who is not even a suspect. They can be forced to read a ‘script on arrest’ to advise family members that they are okay but cannot disclose where they are or why they have gone away. Other laws have allowed all Australians’ metadata to be captured and recently the Australian military has been empowered to assist police in terrorism operations. These are extraordinarily broad legal powers and go as far as stripping citizenship, mandatory metadata retention and jailing journalists for 10 years.
It is largely accepted that the community demands action and politicians are responding with ‘vote for me and we will keep you safe’; yet consider Alexander Hamilton, who said in 1787: “Safety from external danger is the most powerful director of national conduct. Even the ardent love of liberty will, after a time, give way to its dictates. The violent destruction of life and property incident to war, the continual effort and alarm attendant on a state of continual danger, will compel nations the most attached to liberty to resort for repose and security to institutions which have a tendency to destroy their civil and political rights. To be more safe, they at length become willing to run the risk of being less free.”
Without a national bill of rights, Australia has not been limited in the extent of how far Government can go and there are no obvious legal limits to how far these laws can continue to go. Some 60 per cent of Australians believe that they have a bill of rights and many even believe they can claim the 5th Amendment – an indication that Australians watch too much American television.
The anti-terror laws are also creating rifts and division in the community and are potentially fuelling terrorist recruitment and alienation of young men by implying that they are not welcome. The law is the front line, with $13 million spent on Countering Violent Extremism (CVE) and community building strategies compared to the billions of dollars spent on counter coercive strategies. We can focus too much on the law, and often the law is ineffective as a deterrent to terrorism; we need to be more holistic and nuanced. The question should be asked whether our own strategies are fuelling more terrorism.
The Independent Intelligence Review Report 2017 determined that the warrant thresholds across the various Acts, in particular the ASIO Act, Intelligence Services Act and the Telecommunications Interception Act (TIA), each employ slightly different tests.
The Parliamentary Joint Committee on Intelligence and Security has recommended the TIA, which it considered to be “so complex as to be opaque in a number of areas”, be comprehensively reviewed. There are twenty different thresholds that can cause uncertainty for agencies in the performance of their responsibilities. Furthermore, frameworks to protect disclosure of sensitive capabilities in legal proceedings are coming under pressure due to increasing use of evidence derived from such capabilities.
The review recommended a comprehensive review of the legal framework under which Australia’s intelligence agencies operate. Such a detailed and comprehensive review and re-evaluation of the legislative framework would help to harmonise and modernise the legislation that establishes and confers powers on Australia’s intelligence agencies and the major independent oversight bodies. Such a review would be a significant, complex and lengthy undertaking requiring thorough and in-depth examination, analysis and assessment of the current legislative framework and the interaction between various component Acts (6.9 – 6.11).
Conflict, Ethics & Security Governance
Professor Anthony Burke, UNSW Canberra, presented on Violent Conflict, Ethics & Security Governance. With global manifestations and global causation, such as the links between the Syrian war and climate change, there is a need for understanding of the processes that overwhelm the national security approach. There is a distinct need for a global security perspective, how global ethics, law and institutional action and capacity play key roles, as well as influences, and how the collective security system of the 20th century has failed us. Indeed, we are even less prepared for the 21st century.
Professor Burke outlines the three key principles of global security responsibility, future security responsibility and the categorical imperative of security. To secure nation states, the world must be secured as well. Yet, we do not have a long term horizon in public policy.
DURC - Dual Use Research of Concern
Professor Raina MacIntyre, Head of School and Professor of Infectious Diseases Epidemiology, presented on the ‘threat’ and ‘risk’ of infectious diseases and Dual Use Research of Concern (DURC). DURC is research that can benefit humankind but can also result in harm to humankind. Research areas within science and technology include biology, computing and artificial intelligence (AI). DURC has been controversial since 2011, when scientists sought to publish methods for engineering an avian influenza virus to make it contagious to humans.
The harm from infectious diseases research can occur generally by two mechanisms, a laboratory accident or deliberate release. The risk of an unnatural pandemic is far greater than a natural one. There is often concern raised over terrorists becoming biologists, yet there should be more concern over a biologist becoming a terrorist.
Today, there are Do-it-Yourself (DIY) labs that can create new threat vectors, there are insect-sized drones and the biology is at or near the stage that specific bio-hazards can be created for specific people and delivered in a covert or subverted manner. The creation of precision medicine will enable precision harm. The Dark Web could also begin to be used as a nuanced way of looking for what is being sold and who may be seeking to buy. The market is global and therefore unable to be contained with a localised strategy. Despite this, agencies who are essential first responders continue to work in vertical systems. The silo approach is no longer appropriate or suitable.
Climate Change, Natural Disasters and Conflict
Associate Professor Brian Gerber presented on natural disasters and conflict, with consideration to natural disasters being a causative factor in violent conflict. With limited scale and duration of incidents, these natural events often do not give rise to social unrest. The populations affected do not treat these events as a governance failure, and anti-social behaviour (ASB) does not tend to occur. Only limited cases of unrest
have occurred, and these had specific antecedent conditions that gave rise to conflict. However, the disruption can tend to weaken critical institutions where there is resource scarcity, and disruption creates a strategic opportunity for those seeking to challenge or replace a governing regime. There is limited empirical assessment, with Nel and Righarts (2008, ISQ) finding an increase in risk, while Omelicheva (2011, Intl Interactions) found disasters do have a small effect in a narrow range of settings but still have a less robust relationship and are likely to occur more so where prior instability existed.
There can be acute disruption and chronic disruption. Acute disruption can be temporally and spatially discrete, whereas chronic disruption can be temporally and spatially diffuse, which is a less tractable set of circumstances. Global Climate Change is therefore likely to be a chronic disruption and a catalyst for an increase in natural hazards, and represents a catalyst for civil unrest and violent conflicts, with international and national systems unprepared.
A 2015 US Department of Defence assessment made findings that Climate Change can lead to intra- and interstate migration and other adverse effects on security. Extreme weather events create substantial demands on response resources for disaster relief, rising sea levels create risk to ports and navigation systems, and decreases in arctic ice create new shipping lanes.
The Arab Spring and climate change were linked by the Centre for American Progress in 2013. Their report from The Centre for Climate & Security made direct linkages between changing climate and the social unrest in Syria, Egypt’s food shortage due to a drought in China (hazard globalisation) and an immigration crisis in Europe with water scarcity in the Middle East and North Africa – with further projected vulnerability foreseen.
Climate change is therefore likely to be a catalyst for food shortages, water scarcity, and dislocating populations with a climate change diaspora.
Conclusion
It is therefore important to see how these global security changes are being managed by Australian defence, security intelligence, emergency, health and law enforcement agencies. The time to be collaborating was yesterday and must include collaboration with the state police counterparts and local governments. In turn, Australians must be asking how the national and state public fabric overlays across the private cyber-physical security sector.
The author submitted that we should start with a Green Paper, discussing how all this should fit together or provide the road map for the 'collaboration' often called for, talked about, but so often missing or seen as too difficult. Concerns that 'politics' continues to drive the 'security' agenda indicate that it is largely outside of the strategic and operational control of these agencies. A complex and interdependent public safety domain is one of greatest importance and worthy of continued, robust discussion and full transparency. A nuanced approach is the best way forward – and well worth tweeting about!
1. PHYSICAL DEFENSE AND FIGHTING IS ALWAYS ‘THE LAST RESORT’
By Fraser Duff
• This is for a multitude of reasons, not the least of which is the ‘consequential harm’ that can flow, not just to you but to many others, including your family and friends. It means the physical, psychological, legal and social harm of fighting. That’s why it’s ‘the last resort’, where no other option currently exists to protect yourself.
• Put aside your pride and keep your ego in check; seek to avoid fighting at all costs. A hasty withdrawal in a challenging encounter is a far smarter tactic. Quickly getting away increases your chances of survival and reduces a multitude of unforeseen risks. The only downside of this approach is that your sense of ego may take a hit.
2. WHEN DEFENDING YOURSELF EXPECT TO GET HURT
• It’s a reality that any physical assault will result in physical harm/injury to you and your attacker. Expect to get hurt and be mentally prepared for this. Being attacked, hit in the head/face or other vulnerable areas will come as a sudden and great shock. The shock will affect your ability to respond, think clearly and control your natural physiological responses, and it may cause you to experience strong emotions like fear or anger. However, a quick, well-practised retaliatory response will help you enormously; it can return the shock and surprise just as equally.
• Remember your attacker is also human and, like all humans, they experience pain and fear just like you. They may be physically bigger and stronger, but they can be hurt, experience doubt and lose confidence quickly through their poor judgment and an unexpected response.
3. IN DEFENSE - DEFEND YOURSELF VIGOROUSLY
• Physical defense is your last resort to either stay alive or to escape an attacker. Therefore defend with everything you have and don’t stop defending until you can safely get away. To ensure your attacker cannot pursue you, you may need to incapacitate them (physically stop them from pursuing you). Your goal is always to escape to a place of safety as quickly as you can.
• The law (common law and, in many cases/states, statute law) requires that the force you use in defense has to be ‘reasonable force’. Consider also that the force you apply must be necessary and proportionate in the circumstance. Always be prepared to justify your use of force. The use of excessive force without justifiable reason can be a fine line and it places you at risk of the law.
‘People rarely rise to the level of their own expectations, but they will rise to the level of their training’

4. BASIC PROTECTIVE DEFENCE PRINCIPLES WHEN ATTACKED
• When defending yourself never turn your back, lower your guard or drop your head; this only increases your vulnerability and opens you up to further attack. Stay on your feet or get up quickly if knocked down. Remember your aim is to get away as quickly as possible, so use your legs. Look for the opportunity to escape and take it decisively.
• If you can’t keep space/distance between you and your attacker, then get in close and reduce the strike range and force of an attacker. Have a simple, balanced defensive posture that allows you to protect your face and head (i.e. cross frame, helmet, double elbow etc.). These postures protect your head and can quickly convert to a drive/dive into your attacker, unbalancing them and allowing escape.
• Learn and regularly practice some basic defense techniques, the more basic the better. Simple, well-applied moves coming off a good balanced stance can make all the difference and may create an opportunity for you to escape. Focus on and practice how you might strike vulnerable areas (i.e. using a fist, open hand or bladed hand etc.).

5. WHEN YOU ARE OVERWHELMED BY THE THREAT i.e. TOO BIG OR TOO MANY
• Look for the chance to escape and don’t stop looking. Escape as early as you can and run as hard as you can. The longer you stay captive the more vulnerable you become. Time is of the essence; it might mean you are not fighting until an opportunity to escape presents itself or a diversion occurs. If you have any items, i.e. bulky clothes, packs or bags, that may slow you down, then leave them behind to quicken your escape.
• If there is more than one attacker and you can’t escape, try to keep them in front of you and don’t let them manoeuvre behind you. You may be attacked from the rear by an unseen member of the group/gang. Keep repositioning and striking back with whatever you can use and at whoever is attacking you. Again, you need to find an opportunity to escape; even if you charge one of them with driving force, try to knock an attacker over as a means of creating an avenue of escape.

6. ALTERED STATES OF CONSCIOUSNESS
• Drugs and alcohol will affect your attacker as much as they will affect you. Coordination will slow down, judgment will be impaired, aggression will increase and pain tolerances may become higher, i.e. less sensory feeling of pain. People will take greater risks when disinhibited by alcohol or drugs. ‘Don’t be this person’: don’t fight when you are under the influence, and don’t fight someone who is under the influence.

7. FOCUS YOUR MIND IN AN ATTACK
• An attacker may not stop attacking you and your life may be in the balance; defend it vigorously at all costs, as you may be seriously injured or worse if you don’t. Attackers often pick victims/targets who they believe they can overpower (unless they are under the influence). They may not be expecting a vigorous defensive response. When attacked, and in a desperate situation, you have to do whatever it takes to survive. This concept of survival and ‘do whatever it takes’ may be foreign to you, but survival is what you must focus on.
• Focus your mind away from fear and onto escape. Fear is a strong, inevitable human emotion that influences our behaviour/actions when attacked. Stay focused on protecting yourself: arms up, palms facing out, protecting your face and head from any blows. Then strike back hard and fast any way you can.
• Once attacked, don’t hold back; hesitation may lead to injury. Your mental conscious scripts must keep you going now, e.g. “I must survive…I must get away. Defend yourself…strike back hard. Keep striking…I’m going to survive. I’m fighting for my life now”.
• Don’t fall for the ‘victim’s mistaken belief’: ‘they won’t hurt me as much if I do as they want and don’t resist/fight back’. You would only comply if it helped you to create an advantage to escape later.

8. SITUATIONAL AWARENESS
• Avoid unnecessary risks and reckless behaviour and avoid known trouble spots. People looking for trouble always seem to find it. Stay switched on and tuned into your surroundings.
• Monitor your friends’ behaviour, particularly if they are under the influence. If they are attracting trouble or attention then extract them quickly; don’t hesitate. Monitor other people’s/groups’ behaviour as well, as there may be early signs of trouble.
• Reduce the perceived opportunity for an attack: be the ‘grey person’ who blends in and doesn’t attract the wrong type of attention. Be friendly, confident and have a neutral attitude, not arrogant, loud and aggressive. Avoid/limit distractions like headphones or focusing too much on social media in public spaces, as these reduce your sensory level of awareness. Keep your instincts sharp and position yourself so you have a good field of view and, if needed, a quick escape route.
• If someone is verbally challenging or physically threatening you, they may be mentally preparing for an attack, believing they can overpower you. Your efforts should be on communicating (use de-escalating language and gestures) and trying to reposition yourself for an escape. Keep trying to talk a situation down as you move away.
• If attacked or an attack is inevitable, improvise and be resourceful in defending yourself. Use whatever you can in the environment. Consider what is close at hand: a set of keys, pen, torch, belt buckle, bottle etc. Look for any item or implement within arm’s reach or close by that can be used to keep an attacker at bay and allow escape.
• Adjust your posture so it’s more side on and keep your weight on both feet to balance yourself. Again, your hands should be up in front of your face with palms facing out in a conciliatory gesture, ready to protect your head. Try to keep some distance (reactionary gap) between you, so you can see the attacker’s feet on the ground in your peripheral vision. Watch for movement of their feet and hands, as this usually signals an attack. Try to reposition yourself so others can’t approach you from the rear or from a blind spot.
9. DON’T ASSUME ANYTHING ABOUT YOUR ATTACKER/S
• Once attacked, don’t assume your attacker’s motives and intentions are anything other than malicious, with intent to cause you harm. Don’t give them the benefit of the doubt; they are attacking you and causing you harm and they may not stop.
• An attacker may have a weapon, hidden or otherwise, which can be retrieved quickly, so keep your focus on escape. If a knife is produced and you haven’t already escaped, then escape now. Run as fast as you can to a safe position out of sight and hearing of the attacker where you can be physically protected, i.e. inside a locked car etc.

10. WHEN DEFENDING - STRIKE VITAL AREAS WHERE YOU CAN
• When defending, keep your attacker/s in front of you, and stay slightly side on if you can. Keep moving your feet in an attempt to create distance between you. Resist the feeling/urge ‘not to fight’; this will only encourage your attacker and give them confidence. This is life threatening now and you are protecting your life, so find the ‘will to survive’ and defend yourself. Many less able-bodied people, both male and female, have fought off a much stronger and more able attacker; ‘so can you’.
• It’s sometimes said that it’s better to deliver the first strike, to land the first blow when an attack is imminent. This may give you a temporary advantage, but it may also be that you haven’t exhausted all efforts at de-escalating and now you’ve stepped up the situation and can expect retaliation. You must remember the law and the circumstances that confront you before you take this initiative; it can be double edged.
• Any strikes should be hard and fast: a closed tight fist or the open heel of your hand. Keep striking until you break away and don’t stop. Strikes to the head, face, eyes and ears with an open hand, or to the nose, neck and groin, are all considered vital areas of the body and they are vulnerable in an attack, as are yours. All your strikes may serve to psychologically degrade your attacker and cause them to rethink their perceived power advantage over you. Use your elbows, knees and feet to make hard blows; even your head can cause injury. Their shins or feet may be exposed and able to be attacked, i.e. kicked, stamped or stomped etc. More in-close measures when you are grabbed or held can include fingers into eyes, striking the throat, and biting hard onto exposed fingers/flesh etc. when grappling. These actions may cause them to release you so you can escape.
• Don’t produce an edged weapon in a fight. Knives are lethal and many people die from knife-inflicted wounds. Carrying an edged weapon in many cases is illegal and using one could be lethal even against your attacker. It’s a high price to pay and you could pay that price for the rest of your life if you do.
Remember your life may be in the balance, fight to escape as soon as you can.
Cyber Security Cover Story
Navigating the IT landscape of the future: The cultural shift your business needs
By Dr David Halfpenny, Course Coordinator – Bachelor of IT (Network Security), TAFE NSW

The future IT landscape is scary for businesses of today, but it is certainly not insurmountable. Naturally, as the value of data to people and organisations grows, ransomware attacks, data theft and extortion will also continue to be on the rise. But the threats are not just perpetrated through stealthy backdoor tactics; in fact, according to Verizon’s latest Data Breach Investigations Report (DBIR), the vast majority (82 per cent) come straight through the front door via internal staff and contractors. Unfortunately, for the most part, organisations are not equipped to deal with the threat that employees pose to the ongoing viability of the business, particularly from a talent perspective.

The disruption achieved by the underworld of cyberattacks has been quite significant over the past five years, and it isn’t likely to slow down any time soon. While we are quickly finding advanced methods of protection and defence against these attacks, businesses are generally not equipping themselves adequately to implement them.

Big companies such as banks that understand the value of their data have moved quickly to action what is expected of them to protect it. The problem stems from businesses that aren’t big enough or experienced enough to handle their own security, and don’t have capital to invest in it being managed as a service. It lies in both a lack of technical investment and, perhaps more importantly, a failure to address the vulnerabilities exposed by people in the business.
The BIG threat

One of the most common (and perhaps more dangerous) preconceptions is that businesses attract most cyber-attacks from the outside. This couldn’t be further from the truth. The biggest threat is, and always will be, people. No matter how good your security infrastructure, processes and procedures are, employees will always provide the easiest attack vectors.

While the technical solutions to the problem are certainly not simple, they can be implemented without too much disruption. However, equipping a company with a healthy culture and standards around cyber security is a challenge that many conclude is too complicated to do anything about. The issue with this is that technical solutions can only go so far to protect your company if you have malicious, or more likely, negligent or ignorant employees with access to business data.

Just about every workplace now has a dedicated program of occupational health and safety, but very few have similar schemes for creating a healthy cyber security culture. Interestingly, the concepts of physical safety and well-being are very similar to the concepts of cyber security. They all begin with creating a culture that sees and understands the threats, and propagates a natural predisposition to take appropriate action. The government’s recent budget demonstrates a renewed commitment to protecting existing infrastructures and investing in training for the cyber security experts of the future, but this practice needs to become a regular cultural fixture within organisations.

Combatting threats, starting with culture

So, you want to create a healthy culture around cyber risk practices? Culture can’t be cultivated overnight. It’s a shift that starts with a conversation, education and eventually, changed attitudes in the workplace.

There have been numerous and much needed calls lately for Australia to increase its investments in cyber security training. The cyber security industry is seeing enormous growth and has begun to reach the limit of its talent supply. Many cyber security students are frequently offered work before they’ve even graduated from their degrees, paired with regular requests for internship and graduate placement arrangements with companies. Organisations from many different industries are learning the benefits of using “blank slate” specialists with cyber security training that allows them to hit the ground running.

Despite this, the reality is that the majority of organisations do not have the resources to invest in “blank slate” candidates, and a cultural shift should not just be siloed within the IT department. If employees are the greatest risk to business data, they need to be treated as such: as simultaneously the most valuable and, either knowingly or unknowingly, most high-risk resource. Change across the board requires this investment to be directed toward training and upskilling of employees throughout the entire business. Even base-level training of employees can help them to identify and respond accordingly to cyber risk, which helps enormously to keep inadvertent risk exposure to a minimum.

It is also important to note that security is and will continue to be an area of IT that is unlikely to be outsourced to another country. This is why it is so vital that businesses and government work together to develop our own local talent, and safeguard for the future. The more educated your employees are, the more this necessary cultural change will begin to take place.

Ultimately, this cultural shift needs to become a standard and integrated part of working life; leaders need to be instigating these conversations around cyber threats and security. Normalising the cyber security discussion in the workplace, investing in education and training, and implementing regular workplace practices that make it an integrated daily business precaution are all important elements of this changing business focus.

Like earthquakes and floods, far too many businesses seem to think cyber-attacks are something they can’t do anything about. The advancing technologies of today are a testament to the fact that this is not the case. However, businesses can’t leave it entirely up to technology to protect them. For many organisations, it is now not only important but necessary to invest in upskilling staff to protect the organisation. While the completion of a degree is a step in the right direction for developing cyber security experts, the biggest threat to organisations is, and always has been, its people, which is why upskilling staff in cyber security activities is vital for the businesses of the future.
No matter how good the security infrastructure, processes and procedures, an organisation’s people will always provide the easiest attack vector. It’s time businesses equip themselves with the skills to navigate the IT landscape of the future.

About the Author
Dr. David Halfpenny is the course coordinator for the Bachelor of IT (Network Security) degree program at TAFE NSW. He has over 20 years of higher education teaching and IT experience. With his team of highly talented teachers, his program is producing graduates that are being snapped up by the security industry.

In its first year of operation, Data61’s Year in Review reports making significant strides in support of the Government’s Cyber Security Strategy, with more than 70 cyber security research initiatives active across the network of universities, research institutions and government sectors.
The ASX 100 Cyber health check report
What’s next for your board?

By Michael Trovato GAICD, CISM, CISA

The Australian Stock Exchange (ASX) and Australian Securities and Investment Commission (ASIC), along with the “Big 4” accounting firms, have released the ASX 100 Cyber Health Check Report (the ASX Report) to establish a baseline in cyber security via a high-level “health check”. I commend the ASX and ASIC and the other participating companies for the leadership they have shown. Efforts like these are real accomplishments of cooperation and collaboration towards a common goal of a resilient ecosystem.

Although the arc of progress described in the ASX Report might be tilted towards goodness, it is also clear that much more needs to be done. After reviewing it and reflecting, I would recommend:
1. Make sure the board has sufficient cyber security expertise or advisors;
2. Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal, and compliance;
3. Use the results of the ASX Report for discussion at your next board meeting;
4. Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly;
5. Include cyber security as a quarterly agenda item, or more often as needed;
6. Measure your board’s performance in this critical area; and
7. Learn from peers on other boards.

Today, I want to focus on the first item. Most importantly, expertise at a board level comes from knowing the that, how, and why of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board, on the audit and risk committee, or as an advisor. In the ASX Report, they made a clear effort to survey persons like this, but in some cases companies struggled to find a person to answer the questions, or they feared sharing details, since 24% of companies did not respond.

The ASX 100 Cyber Health Check Report, as a baseline

The ASX Report says that it “can act as a baseline where companies can see how they rate against their peers and can take practical steps to improve their cyber security.” I would caution using the ASX Report as a benchmark though, as it may reflect a perceived vs. an actual cyber security profile. Each company must do the hard work of learning where they stand and, while baselines may be useful, they are a single data point or a vehicle for discussion.

In the ASX Report, cyber security is often the domain of the board’s audit or risk committees (64% of respondents), allowing a subset of directors with relevant skills to focus on cyber risk. Considering the maturity of cyber security governance in Australia, this is the result I would expect, and those committees are probably the most qualified to evaluate cyber risk. This is good, but is it good enough? The answer to ‘is it good enough?’ depends on your board’s capabilities and strategic industry focus…

I recently read in The New Yorker that the ‘British philosopher Gilbert Ryle gave an influential lecture about two kinds of knowledge. A child knows that a bicycle has two wheels, that its tires are filled with air, and that you ride the contraption by pushing its pedals forward in circles. Ryle termed this kind of knowledge—the factual, propositional kind— “knowing that”. But to learn to ride a bicycle involves another realm of learning. A child learns how to ride by falling off, by balancing herself on two wheels, by going over potholes. Ryle termed this kind of knowledge—implicit, experiential, skill-based— “knowing how”.’

So, boards must know their organisation’s risk framework, risk appetite, regulatory or other stakeholder obligations, the data and systems that must be protected, strategy, and investments.
But they must also learn how to apply this knowledge, thereby understanding how they impact strategy, financial results, risk, or compliance outcomes. The article went on to describe how the most powerful element of interaction was not knowing that or knowing how: not mastering the facts of the case, or perceiving the patterns they formed. It lay in yet a third realm of knowledge: “knowing why”. This is what is key for boards and their risk committees to be able to do; it is critical to their success.

Boards must be able to ask “why?” They must be able to ask, “Why is this happening?” Or “Why is this getting worse?” In some cases, their governance and business experience will guide these questions. But in others, a deeper cyber security experience is required to ask the right questions and critically evaluate the answers.

Cyber security is a pervasive risk and an arcane, deep, and fast moving area of knowledge, lacking for many board members. The 2016 Global Board Directors Survey by retained search firm Spencer Stuart indicated cyber security was a weakness in most boards. Board and risk committee evaluations, identifying areas of board strength and weakness in skills, behaviours, meeting effectiveness, reporting, composition, and stakeholder engagement, are required for cyber security. Further, cyber security experience at board level, through its members, committees, and advisors, is required on an ongoing basis, across the entire board agenda, to build skill and knowledge.

Progress at board level may be happening more slowly than we need and, as a result, government and the courts may end up driving the process. In the US, the Cybersecurity Disclosure Act of 2017, or S.536, is being deliberated. It would mandate that companies have a cyber security expert sitting on their board or explain why it is unnecessary in their industry. Australia may not follow this direction, but we would be advised to follow it in spirit. The Australian Institute of Company Directors (AICD), ISACA, ISC2 and other professional organisations are positioned to promote this idea to boards and executives, with further support from ASIC and ASX.

Most boards today are outgunned by cyber criminals. Getting the right knowledge and experience integrated into the board will be essential to achieve the desired outcomes of organisational resilience. There is still much work to be done.

About the author
Cyber security and technology risk advisor to boards, board risk committees, and executive management including CEOs, CIOs, CISOs, TSOs, and CROs. Helps key stakeholders understand the obligations and outcomes of effective cyber security. This includes solving an organisation’s greatest issues with respect to regulatory, industry, and company policy compliance and to protect what matters most in terms of availability, loss of value, regulatory sanctions, or brand and reputation impacts balanced with investment.

Key Australian and US roles: ICG, Global Cyber Practice Leader; Cyber Risk Advisors, Managing Partner; EY Cyber Security, Lead Partner; NAB Group, GM Technology Risk and Security; KPMG, Partner Information Risk Management; Salomon Brothers, Internal Audit; MasterCard International, Principal. Graduate Australian Institute of Company Directors (GAICD); ISACA Melbourne Chapter Board Member. Certified Information Systems Manager (CISM); Certified Information Systems Auditor (CISA); PCI DSS Qualified Security Assessor (QSA). MBA Accounting and Finance and BS Management Science, Computer Science, and Psychology.
Building a modern security operations centre
How to protect your organisation’s information

By Jason Legge, Head of Security Consulting, Huntsman Security

Security Information and Event Management (SIEM) technologies are not new, but there remains plenty of misinformation and misunderstanding about how to use them. Critics focus on them being little more than log collection and storage tools that, due to their management overhead, give little in the way of return on investment (ROI). What these critics fail to acknowledge is that by rethinking how security operations centres (SOCs) operate, SIEM technologies deliver significant operational benefits and efficiencies.

Do you know what it takes to deploy a SIEM and upgrade your security to enable proactive threat hunting? By integrating a SIEM into the core of your SOC and re-engineering some of the processes, you can start to improve your cyber assurance and realise a highly favourable ROI.

Let’s start with staffing; you might already have a security team looking after firewalls, antivirus products and intrusion prevention systems. That’s a lot of “security systems” to monitor, and the addition of a SIEM may just add yet another thing to do. But what if you look at the SIEM from the perspective of a consolidation technology, which merges information from all these systems into a single screen?

Instead of going straight to security operations, start talking to your network, server and desktop teams, and maybe even your database team, to see which aspects of security operations would sit more naturally with them. For example, adjusting the rule-set on a firewall is not unlike changing the configuration on a router or core switch. Your network team almost certainly knows all about firewall administration already. Firewalls are simply another networking device. If you can move the operation and management of your firewalls to the networking team, you’ll have freed up the time for your security operations team to focus on threat management and assurance.

A second example might be to consider reallocating responsibilities for your antivirus technology to your server and desktop team. That team usually manages the configuration and software build of operating systems, along with software distribution and general systems administration, so adding your antivirus technology to their portfolio makes logical sense. These small changes start to free up enough time for your security team to initiate proactive threat hunting practices and develop more rigorous vulnerability assessments.

Reallocating workflows and IT management activities to other technical teams can free up valuable security resources to refocus on streamlining processes and making proactive improvements; but don’t stop there. Run the next phase of modernising security operations as a project. Appoint a project manager, set the scope and identify all the requirements of a contemporary security operations centre.

Now you can focus on getting the best out of your SIEM platform. The scope of your operational activities includes maintaining compliance, detecting and reporting on threats, and incident response. To achieve these deliverables, you will be collecting and analysing significant amounts of data to allow your operations team to undertake two kinds of activities:
1. Historical log analysis used for audits and forensic investigations;
2. Real-time alerting, based on identifying threats from individual records or correlations that fire when a series of security events are detected.

Your design team should produce workflows and process documentation for all the activities the security operations team will undertake, including any incident management and compliance reporting that the organisation needs to consider. Integration of operational security processes with the rest of your service management team’s processes is essential to optimise successful security outcomes.

The security team needs representation on your Change Approval Board (CAB) so that they are aware of any changes to the infrastructure or network that might impact the SIEM application directly or indirectly. Security analysts can also use the CAB approval of a database update to trigger a proactive response, for example, to run exercises with the database administrators to identify any vulnerabilities in the new system (producing specific events when identified attacks occur).
If you already have an effective incident management procedure, make sure you integrate security incident management processes into it so that first-line resolver groups (service desk) know how to handle all types of incident. Equally, if you have a problem management process, extend it to include resolution of security problems. All of this becomes an extension of the SOC.

Working closely with other operations managers from diverse areas of the business is critical to make sure security obligations and requirements are coordinated and delegated appropriately. Enlist them as stakeholders and train them to understand security requirements. In doing so, you will improve general operations and streamline the processes to deliver proactive security, as well as pushing security awareness throughout the IT management team.

By performing consistent and comprehensive infrastructure monitoring and having an efficient change management process, the SOC team can focus on reporting by exception, rather than simply indicating change-related activities. This shift in emphasis will take hold over a transition period as the number of incidents starts to reduce (cutting false positives). The quality of security reporting will also improve, and you’ll notice better collaboration between the SOC and the rest of your service management team. The establishment of formal processes and workflows will enable performance measurement and form the basis for continuous process improvement and ongoing refinement of your security capability.

Now that you have installed your SIEM at the heart of the security operations centre, analysts can add the specialist oversight necessary to drive the delivery of new and improved outcomes. Continual improvement of analysts’ processes and training them in threat modelling and threat hunting skills will ensure cyber-readiness across the team. Your SOC now monitors the pulse, blood pressure and temperature of your organisation, and as soon as it gets sick, your analysts will know about it. Welcome to a modern security operations centre.

About the author
Jason works directly with customers, Huntsman’s channel partners and internal teams to provide solutions to cutting-edge cyber security challenges. Jason’s extensive experience in the areas of security threat analytics and incident response means he is well aware of the demands faced by analysts in quickly and accurately resolving cyber threats. Before joining Huntsman, Jason headed up the High Security Operations Centre for a UK government agency for six years. During that time, he advised business leaders, security accreditors and IT operations managers and analysts at a national level on IT and cyber defence threat mitigation strategies and SOC design and operation.

Jason may be contacted at firstname.lastname@example.org

Please visit the Huntsman Resources page at www.huntsmansecurity.com/resources/ for White Papers, Compliance Guides, Solution Briefs and Product Brochures.
Cyber security of assets in the interconnected era
By Jane Lo, Singapore Correspondent
Held at the Singapore Marina Bay Sands Convention Centre, the Smart Facilities Management Solutions (20th-21st July 2017), the International Association of Privacy Professionals (IAPP) Asia Privacy Forum (24th-25th July), and the RSA Conference Asia Pacific & Japan (26th-28th July) shone the spotlight on the pivotal role of CyberSecurity in technology-driven conversations today.
From the world of Formula One ® racing to facilities operations and events management in the hospitality industry, at the heart of discussions centering around digital revolution is the question: how do we safeguard assets in a world underpinned by digital revolution and where data is increasingly viewed as an important asset, as a new commodity, as well as a currency?
Cyber Security of Data
Data analytics plays an extremely critical role in monitoring and optimizing the performance of Formula One ® cars. At the RSA Conference, Formula One ® and Indy-Car Series Champion Jacques Villeneuve and Formula One ® Senior Executive Mark Gallagher took delegates through the development of racing technology (from sardine-tin-can with pop-rivets to today’s heavily instrumented connected cars with hundreds of sensors on each car) and the importance of Data-Driven Performance, risk management, safety and security on the racetrack in the adrenaline-fueled, high-octane sport world of F1. Vital statistics such as tire pressure, fuel burn efficiency, wind force, GPS location, engine and brake temperature, are captured in real-time and analysed in a continuous feedback loop to the Team’s crew, data analysts
and engineers on-site and back at headquarters. Performing at the highest level of competition where a difference of a fraction of a second could either win or lose the Team a podium finish, the technological ability to measure and react on such metrics culled from the chassis, tires, and throughout the engine to maximise the car’s performance, is crucial to the Team’s winning strategy. Alongside the simulations and the modelling that are as sophisticated as Aerospace industry technology in predicting the car’s performance and safety, the value of the gigabytes of data tracked and monitored during practice runs and race day is an important source of competitive advantage. This is seen through an example of cyber industrial espionage whereby a staff member who was leaving for a competing Team deliberately copied statistical data with the intention to leverage off the analytics to the advantage of his new employer. He was subsequently disciplined and barred for life from the industry, highlighting that managing the risk of data leakages is not an element to be overlooked.
WannaCry and Ransomware
Beyond the fascinating world of F1, manufacturing, logistics, and a host of other industries around the globe are not
immune to the dangers of data breaches and leakages. Victims falling prey to WannaCry and NotPetya campaigns of the last few months who saw their data either being held ransom or completely wiped off, learned painful lessons. In many cases of data breaches (as the F1 example illustrated above), humans are the weakest link. User training and awareness to minimize opportunities for threat actors to launch or reuse tactics such as phishing attacks is one step towards plugging this aspect of the security weakness. User behavioural heuristics, used not only to monitor for, say, anomalous login patterns, could also be adopted to test the effectiveness of user training. Another lesson is the necessity of well thought-out preparation plans - such as having established a digital wallet with an adequate store of bitcoins for (potential) ransom payment. Others include rigorous discipline on updating patches, escalation procedures, recovery plans, and well-tested and workable backups. Whilst backups could help restore and preserve the integrity of the organisation’s data and therefore potentially remove the need to pay ransom, the theft of valuable data leading to loss of intellectual capital is a risk that needs to be proactively identified and managed. WannaCry reportedly affected more than 150 countries, hitting critical infrastructures, and hospitals in the UK. Within the region, according to the Singapore Computer Emergency Response Team (SingCERT) from the Cyber Security Agency of Singapore (CSA), “about 500 Singapore IPs could have been affected” by the ransomware attacks.
“Global in Perspective - Regional in focus”
In his Key Note “Australian Cyber-Engagement: Global in Perspective, Regional in Focus” at the RSA conference, Dr. Tobias Feakin, Australian Ambassador for Cyber Affairs, noted that the “Indo-Pacific is particularly vulnerable to CyberCrime”.
According to some studies, the region is “losing 33% more revenue to cybercrime than Europe; 27% of ransomware targets are in the region, more than any other; Indo-Pacific Cyber incidences growing 35% annually”. “Cyber Affairs is about maximizing prosperity and an opportunity for the region, with data flows generating greater impact on GDP growth than Trade In Goods – but it is dependent on a free, open and secure internet,” he added. Indeed, converting the benefits of digitalization to economic growth and development works only when the Cyber Space is safe and secure. As technology allows organizations (public and private) to make use of data on an unprecedented scale in order to pursue their activities, implementing security measures for an organisation’s own data – to minimize data breaches that would in turn surrender its competitive advantage – must be a key element of a Cyber Security framework. This includes ensuring privacy safeguards for the customers’ data the organisation collects, which in the event of a breach, could cause damage to both the organisation’s reputation and the society’s confidence in the use of Internet. To invigorate trust and reputation, Governments have been drafting Data Protection and Privacy rules and guidelines. Much of the attention recently has been on the General Data Protection Regulation (GDPR) passed by the
Formula One ® and Indy-Car Series Champion Jacques Villeneuve and Formula One ® Senior Executive Mark Gallagher share the importance of data-driven performance, risk management, and security on the racetrack.
The APEC CBPR System: Growth and Opportunities panel (from left to right): Andrew Flavin, Policy Advisor, International Trade Administration, U.S. Department of Commerce; Josh Harris, Director, International Regulatory Affairs, TRUSTe; Raymund Liboro, Chairman and Commissioner of the Philippines National Privacy Commission; Daisuke Nagasaki, Deputy Director, International Affairs Office, Commerce and Information Policy, Ministry of Economy Trade and Industry of Japan; Huey Tan, APAC Senior Privacy Counsel, Asia, Apple.
Dr. Tobias Feakin
European Parliament and which is coming into force in May 2018. Rules specific to the region include the APEC Cross Border Privacy Rules (CBPR), Singapore’s Personal Data Protection Act 2012 (PDPA), and Philippines’s (The Republic Act No. 10173) Data Privacy Act of 2012.
Data Protection and Privacy Acts in the region
There are more similarities than differences between these rules. For example, whilst the detailed requirements may differ, Singapore’s PDPA and GDPR both tackle the challenges of principles around consent, access, rights of the data subject (such as erasure and portability), breach reporting and cross-border transfer. At the IAPP (International Association of Privacy Professionals) Asia Privacy Forum 2017, “APEC CBPR
Dr. Tobias Feakin: “We live in the most excitingly interconnected era in human history. Instantaneous communications, transactions and access to information keep our economies growing, infrastructure working, governments enabled and social flourishing”. Centering around six themes: digital trade, cybercrime, cybersecurity, international security, internet governance, human rights and technology for development, Australia’s international cyber-engagement recognizes that cyber-affairs have shifted from being technical, niche issues to a key strategic foreign policy issue.
Mr Leonard Sng CPP, FCiiSCM Regional Vice President, ASEAN ASIS International (Singapore Chapter) presenting on the topic of Physical and Cyber security convergence at the SMART Facilities Management Solutions Exhibition 2017.
System: Growth and Opportunities” panel, Raymund Liboro, Chairman and Commissioner of the Philippines National Privacy Commission, highlighted the Data Privacy Act, complemented by The Republic Act No. 10175 “Cybercrime Prevention Act of 2012”, which are directed towards enforcing a culture of treating the security of data seriously. These form a vital foundation for data protection as the Philippines embarks on revolutionizing its digital infrastructure. As with GDPR, the Philippines’s approach addresses financial and criminal penalties, and accountability of data controllers and processors (though the details vary). Commissioner Liboro pointed out that, with more than 50% of data security breaches originating from internal users, whether negligent or malicious, the Data Protection Officer (DPO) has an important role to play in facilitating the organisation’s compliance with the Acts. This includes regular and relevant user awareness and compliance training for the organization, to instill a sustainable, resilient mindset towards data protection and privacy. To the question – and this is not unique to Philippines - will the DPO be held financially and criminally liable in an event of a breach? - “it is everyone’s responsibility” stressed Commissioner Liboro. He underscored the importance of data protection in the Internet age – and with so many services online, and the majority of Philippines’ citizenry participating in Social Media, users also have responsibilities in self-education of the potential impacts of loss and/or alteration to their personal information, whether accidentally or unlawfully. These questions and dialogues reinforce views across the public and private sectors, that data is gaining recognition as a key asset in today’s digital world. With the advent of Internet-of-Things (IoT), as data is increasingly gathered from “physical” objects (i.e. F1 cars, CCTV, printers, mobile phones) in performing value-add analytics to gain a competitive edge, the challenge therefore, for security professionals is to rethink the environment which accesses, stores, processes, and transmits data.
A rethink of “assets” in today’s interconnected era
Viewing security through two lenses, the cyber and the physical, is necessary in today’s digital world. At the SMART Facilities Management Solutions Exhibition, Mr Leonard Sng, Regional Vice President, ASEAN ASIS International (Singapore Chapter) presenting on the topic of Physical and Cyber security convergence, stressed the need for a re-think of Facilities Management, as “Manager of Assets”. That is, the term “assets” is not limited to the obvious physical objects such as static infrastructure assets of the building (such as doors, windows, gates), but rather, is a holistic system including people, computer centres, IoT devices, air-conditioners, computer-controlled generators and pumps, and third-party dependencies. To effectively address the security concerns across these groupings, Mr Sng emphasized that cross-departmental communication is vital. “For example, we see this with The Shangri-La Makati and its lamination of its glass facade”. While a focal point of each guestroom is the floor-to-ceiling glass windows, this feature also presented twin challenges to the Security team and the Engineering team: the former with minimizing bomb-blast impact, and the latter with reducing the air-conditioning costs of a 28-storey 5-star hotel. The approach both teams arrived at solved both challenges: a lamination layer on the glass not only reduced the “greenhouse” effect which contributed to lower air-conditioning costs, it also minimized the threat posed by an explosion or bomb-blast and shattered sharp fragments resulting in potentially lethal situations.
… and a rethink of the security perimeter …
Conversations at these events leave no doubt that data is increasingly considered as an asset in its own right which demands appropriate Cyber Security treatment. At the same time, it is also necessary, as the attack surface undergoes continuous expansion with the exponential growth of assets being added to the internet, for security professionals to continuously re-evaluate and re-draw the “security perimeter” of the organization they need to protect and defend.
Women in Security
First in reverse for Australia
Noushin Shabab, Senior Security Researcher, Kaspersky Lab
Noushin is Kaspersky Lab’s first security researcher from the Australian and New Zealand (ANZ) region as a Global Research & Analysis Team (GReAT) member and is the first woman in ANZ that specialises in reverse engineering. With more than 5 years in the security industry, Noushin has been with Kaspersky Lab since July, 2016.
How did you get into the Security Industry?
I started my career in cyber security as a junior malware analyst in a Windows antivirus team for a cyber security company called AmnPardaz. After a few years when I became more proficient in malware analysis and reverse engineering I moved to the company’s newly setup antirootkit team as a senior malware analyst and software developer. The last role I had in AmnPardaz was leading a small malware analysis team of the Android antivirus product which was again a new project. I have always been fascinated by solving problems, especially with puzzles and board games. I learned computer programming relatively early when I was in middle school and in high school I competed in a number of national programming contests. By high school I definitely knew that I wanted to pursue a career in computing, so I naturally did a degree in computing in university. After finishing university, I was not specifically thinking of getting into cyber security but then my first professional role happened to be with a cyber security company as a malware analyst. As I started to work in this field I realised
it’s something I really liked to do and I continued in this field since that time.
How did your current position come about?
I was looking for a job in cybersecurity specialising in my field of reverse engineering. There was a slim margin of jobs in that field. However, after a few months, Kaspersky Lab placed an ad offering a researcher role in cybersecurity. Unlike the other interviews I attended, Kaspersky Lab was the only company to actually examine my technical skills, especially with my niche in reverse engineering. A tough piece of homework was given to me to solve after my first interview. Although it was a malware written in a programming language I was not familiar with, I jumped at the chance. Vitaly Kamluk, my direct manager who previously worked for INTERPOL, said my results exceeded his expectations and that was how I landed my dream job!
What are some of the key challenges you think the industry is faced with and what difference do women in leadership roles make to meet these challenges?
We in the cyber security industry are all fighting with cybercrime and a very important challenge in my perspective, is how to join our forces to win this battle against bad guys. Countless cases showed that cyber criminals are very skilled today and for the industry to be able to overcome their skillset, broad and diverse vision in this field is essential. This is where I believe women bring the solution by addressing this diversity in the point of views.
Where do you see the industry heading?
Being in GReAT we often have to predict what will happen in the future to protect our clients and consumers. With our colleagues and company efforts, Kaspersky Lab launched Earth 2050 recently. We have brought together men and women of art and science, dreamers and innovators, to predict the world, technology and cyber threats of 2050. One of my favourites is the example in Shanghai. Once the experiments with spray-on fashion had proved to be successful, designers begin to consider the possibility of creation of similar clothes. Here are a few predictions - In Canberra, Australia, Kaspersky Lab predicted what we can expect in 2030:
• Intellectual advertising is spreading everywhere: With Big Data, there is an opportunity for marketers and advertisers to change the content of the advertising message depending on the preferences of people who are closely matched. There is concern about the massive use of these technologies as personal information being involved in global project, threatens the privacy and protection of personal data. But business interests seem to override for now.
• Cyber insurance becomes habitual: Accelerated transition to digital business makes cyber threats one of the major global problems of commercial companies. Big data enables real-time monitoring and evaluation of the level of danger and partial management of IT-risks of traders. All major insurance companies are now advertising cyber insurance.
• Students are now going to the virtual space: Today, 80% of higher education takes place online, making physical space of universities and colleges a very questionable concept. However, the remaining 20% are adherents of traditional higher education system based on direct interaction with a professor, but it is becoming more elitist and expensive.
Are you an active mentor or being mentored and how important has a mentoring framework been to you?
When I start working on research, I try my best to complete it in the most efficient manner. However, as we see new challenges every day in this field, we are constantly learning and seeking assistance from colleagues especially from those who are more experienced. 100 per cent of my cases are worked on by myself. However, being in a junior role compared to my peers who have had extensive experience, the occasional assistance is needed from them.
Are women sufficiently or increasingly being recognised and respected?
Although at the time this field is almost dominated by men and in cyber security events you can barely see women, with an increasing number of events which intend to engage more women in cybersecurity, I believe that women are getting more recognition and respect in this industry. A very good example is that we in Kaspersky Lab hold these sort of events from time to time. There are lots of experienced women or at least interested in this area and it’s important to encourage them to show up and be more active.
What has been some of your recent highlights?
This July, my latest report on a resurgent threat actor targeting South China Sea going by the name Spring Dragon was presented at my biggest event to date at INTERPOL World, Singapore. It was also shared at the upcoming Cyber in Business Conference 2017 held in Sydney at the end of July 2017. I’ve also been invited to present my research at the ARN Edge Conference 2017 to target the channel which I’m quite excited about. For more information, SECURELIST is our go-to for all published reports the public can read and anything further can be found on the Kaspersky Lab website.
What do you do when you're not working?
I actually quite like going to the theatre. I was also raised in a family with a great passion for literature. Every piece of work from Persian literature has had a great impact on my world view. For those poetry lovers out there, I highly recommend The Shahnameh Ferdowsi.
Securing your unified communications: Three Key Considerations
By Kevin Riley, Chief Technology Officer and Senior Vice President of Engineering, Sonus Networks
In the last couple of months, cyber-attacks have been making headlines almost daily. Most recently we’ve heard about a worldwide ransomware attack that affected some well-known corporations. Earlier this year a complex attack cut access to some of the world’s best-known websites. While most businesses globally have some sort of cyber security protection in place, such as firewalls, web application firewalls, intrusion detection and prevention, these tools don’t seem to scare the cybercriminals away. Companies need to start thinking ahead and ask a question, “If I am the next target, is my infrastructure protected properly? Are all infrastructure endpoints appropriately secured?”
Surprisingly, attacks against unified communications (UC) are some of the fastest growing and most misunderstood threats organisations face today. As more enterprises in the Asia Pacific region are coming to the peak of their digital transformation journeys, they are increasingly adopting IP-based voice, video and instant messaging services to support their global workforce. However, some of the communications services have never operated over IP before, meaning there is a new IP application that organisations must protect.
The three main threats against UC that security leaders must start paying attention to are denial of service, toll fraud, and data exfiltration. Each of these attacks presents its own set of challenges, but a zero-trust security posture dictates that security strategies must address all three. When organisations take control of their security posture and protect UC as vigorously as any other application on their infrastructure, they’ll be on the path to a more secure network. Here are three key considerations organisations should keep in mind to keep their communications flowing:
• Think Beyond the Traditional Firewall: For the most part, organisations are using firewalls to protect their network. Unfortunately, firewalls don’t have the awareness to protect complex SIP services such as voice and video calls from application layer exploits. In other words, UC applications exceed the IQ of the standard enterprise firewall. There is no one solution that is going to completely secure the enterprise, but in terms of UC, session border controllers (SBCs) are the firewall for real-time communications. SBCs have inherent security features, such as per-session state awareness, protocol filtering, topology hiding, encryption and service awareness that enables granular enforcement of application usage and dynamic blacklisting when application abuse is detected. This functionality enables SBCs to protect UC applications from SIP-based attacks in a way that firewalls – and even advanced next-generation firewalls – simply can’t. Beyond that, they also provide intelligent routing, signaling interworking and media services to ensure the quality of UC experiences.
• Don’t Forget About BYOD: Organisations should consider the impact of BYOD. We’ve all heard how BYOD has given rise to Shadow IT and other threats, but it also presents a fundamental change to how organisations have historically protected devices. For years, organisations were only concerned with making sure their employees had access to desk landline telephones (i.e. a closed system). Employees never used personal devices for corporate work. Today, the number of devices organisations need to protect is unbounded, expanding across home computers, mobile phones, tablets and more. And from a UC perspective, those applications are being used across all those devices, making the attack surface even larger. End-users have to do their part too, especially when their devices may be used to connect to corporate networks. Users should keep their software updated, secure their devices appropriately, ensure that all UC access transits an SBC and exercise caution while using public Wi-Fi networks.
• Make Your Security Solutions Work Together: The most important question that security leaders can ask is “How would my security posture change if all of my tools and solutions worked together?” As organisations usually use different security solutions for different end-points, they don’t work in synergy. Each device does exactly what it is good at, and passes off issues to other devices in the conga line if something arises that it is not equipped to handle. Think about it – once devices start sharing security information with each other, the overall security posture of the entire network strengthens. A simplified way to think about this synergy is through the lens of a neighborhood watch. Once a homeowner informs their neighbor of an attempted break-in, the rest of the neighborhood is on higher alert for similar activity from the same burglar. A multi-faceted attack, which is increasingly common, is more effectively mitigated. The same collaborative approach should be taken when protecting UC. For instance, if an SBC detects potentially anomalous behavior across UC applications it can shut down the questionable session. Once this happens, the information can be shared with other devices, like firewalls, routers or other SBCs, which can be on the lookout for similar anomalous behavior on other applications. By taking a collaborative communication approach to security – where each device across an enterprise shares information, data and policies – the trust level of communications and the overall security posture of the enterprise is increased. Ultimately, this provides a better way to address today’s increasingly sophisticated and advanced threat landscape.
New threats – like attacks on UC applications – will continue to emerge and evolve as organisations and networks expand and digitalize. A holistic security strategy and risk management are essential. While the challenges may seem insurmountable, by collaborating with experienced and innovative vendors, businesses can continue to grow while offering and using secure services.
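The dynamic blacklisting and information sharing described in this article, sketched as an added example (not code from the article or from any vendor's SBC): a monitor keeps per-source sliding-window counts over SIP requests, blocks a source on a request flood or on repeated calls to high-cost prefixes, and pushes each indicator to peer devices. The log format, thresholds, prefixes, addresses and class names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All values below are assumptions chosen for the illustration.
WINDOW_S = 10                            # sliding window length in seconds
FLOOD_MAX = 5                            # requests allowed per source per window
TOLL_MAX = 2                             # high-cost INVITEs allowed per source per window
HIGH_COST_PREFIXES = ("+1900", "+882")   # prefixes treated as high cost

# Constructed signalling records: "<epoch> <source> <SIP method> <request URI>"
SAMPLE_LOG = """\
1000 192.0.2.10 REGISTER sip:alice@example.test
1001 198.51.100.7 OPTIONS sip:pbx@example.test
1002 198.51.100.7 OPTIONS sip:pbx@example.test
1003 192.0.2.10 INVITE sip:+61255501234@example.test
1003 198.51.100.7 OPTIONS sip:pbx@example.test
1004 198.51.100.7 OPTIONS sip:pbx@example.test
1005 198.51.100.7 OPTIONS sip:pbx@example.test
1006 198.51.100.7 OPTIONS sip:pbx@example.test
1007 198.51.100.7 OPTIONS sip:pbx@example.test
1010 203.0.113.50 INVITE sip:+19005550101@example.test
1012 203.0.113.50 INVITE sip:+19005550102@example.test
1015 203.0.113.50 INVITE sip:+19005550103@example.test
1020 192.0.2.10 INVITE sip:+19005550199@example.test
"""


def parse(line):
    """Split one constructed log record into typed fields."""
    ts, src, method, target = line.split()
    return int(ts), src, method, target


class SessionMonitor:
    """Per-source state that a stateless packet filter does not keep."""

    def __init__(self):
        self.requests = defaultdict(deque)   # source -> recent request times
        self.costly = defaultdict(deque)     # source -> recent high-cost INVITE times
        self.blocked = {}                    # source -> reason

    @staticmethod
    def _count(window, ts):
        """Record ts and return how many events remain inside the window."""
        window.append(ts)
        while window[0] <= ts - WINDOW_S:
            window.popleft()
        return len(window)

    def observe(self, ts, src, method, target):
        """Return 'dropped', 'blocked:<reason>' or 'allowed' for one request."""
        if src in self.blocked:
            return "dropped"
        reason = None
        if self._count(self.requests[src], ts) > FLOOD_MAX:
            reason = "flood"
        number = target.split(":", 1)[-1].split("@", 1)[0]
        if method == "INVITE" and number.startswith(HIGH_COST_PREFIXES):
            if self._count(self.costly[src], ts) > TOLL_MAX:
                reason = "toll-fraud"
        if reason:
            self.blocked[src] = reason
            return "blocked:" + reason
        return "allowed"


class Peer:
    """Stand-in for a firewall, router or second SBC receiving indicators."""

    def __init__(self, name):
        self.name = name
        self.denylist = {}

    def receive(self, indicator):
        self.denylist[indicator["source"]] = indicator["reason"]

    def permits(self, src):
        return src not in self.denylist


def run(log_text, peers):
    """Feed the log through the monitor and share every new block with peers."""
    monitor = SessionMonitor()
    indicators = []
    for line in log_text.strip().splitlines():
        ts, src, method, target = parse(line)
        verdict = monitor.observe(ts, src, method, target)
        if verdict.startswith("blocked:"):
            indicator = {"source": src, "reason": verdict.split(":", 1)[1],
                         "first_seen": ts}
            indicators.append(indicator)
            for peer in peers:
                peer.receive(indicator)
    return indicators


if __name__ == "__main__":
    firewall = Peer("edge-firewall")
    for item in run(SAMPLE_LOG, [firewall]):
        print(item)
    print("peer denylist:", firewall.denylist)
```

The single high-cost call from 192.0.2.10 at the end of the sample stays under the threshold, which is the point of counting per source and per window rather than blocking on the prefix alone.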
Cyber Security INTERPOL WORLD 2017
INTERPOL World 2017
World Economic Forum’s Cybercrime Dialogue
In the company of Jurgen Stock, Secretary General, INTERPOL, Cheri McGuire, CISO, Standard Chartered Bank, Stanislav Kuznetsov, Deputy Chairman of the Executive Board, Sberbank and William Maheu, Senior Director, Qualcomm Cyber Security Solutions. Moderated by World Economic Forum’s Dr Jean-Luc Vez, Head of Public Security Policy and Security Affairs.
What measures are you taking around resilience and information sharing?
It is just one aspect. We need to create resilience for mutual aid and collective response. People, process and technology are all critical components and go out to the broader ecosystem. People involve skills, culture, awareness and beyond just employees to customers, clients and vendors. Process involves legal mechanisms for sharing information, privacy and Secrecy Acts. Technology is more of information sharing systems, data forensic systems and public private partnerships.
- Cheri McGuire, CISO Standard Chartered Bank
We are target number 1 for hackers and are subjected to thousands of attacks against our systems and yet we have to remain secure. We have a model of threat and build our protection system against that threat. This involves the protection of our core systems from a special operations centre and the KPI (key performance indicator) is zero successful attacks. The second core focus is protection of our clients. We see fraud and anti-social media methods which involves contacting clients and tricking them to handing over credentials. We use such things as AI and machine learning in protecting clients. The third point is building a Security Operations Centre (SOC) with IBM support and using AI cognitive models, beta testing and Watson AI system and we are having very, very good results. Trust is also very important and also responsibility. We have to have reliable products and know more about the current and emerging cybercrimes. - Stanislav Kuznetsov, Deputy Chairman of the Executive Board, Sberbank Security is everyone’s responsibility. If we do the architecture correctly and connected devices become sensors for alarms, rather than vulnerabilities, with hardware based
security this will be tremendously powerful. It is incumbent on security professionals to demand an end to end hardware and multi factor authenticated ecosystem. - William Maheu, Senior Director, Qualcomm Cyber Security Solutions Crime fighting involves prevention and investigation. There is nothing new, but the level of threat is expanding at exponential growth and this also provides unprecedented tools. Much of this cybercrime is not being reported to police and we need the information to prevent and investigate. We expect 85-95 per cent is not being reported to police. We need to encourage the reporting to police. The professionalism in the darknet and underground economy which is growing. Anonymisation and encryption is a massive challenge for us and our law makers. Freedom and security is a very important discussion but for law enforcement, it is a problem that we haven't had to have in the past. The nexus between cybercrime and terrorism is still something that needs to be in our focus. Police can be successful in fighting cybercrime and using regional and international platforms like INTERPOL but
INTERPOL WORLD Cyber2017 Security we need to ensure the crimes are reported, evidence preserved and investigation supported. We can be tremendously successful. No nation can fight cybercrime in isolation. We need a global approach and this is what INTERPOL is about. We have a new user alert system. We are tracking global information sharing trends and alert platforms are used for releasing intelligence reports. We are also capacity building and training police to become cybercrime fighters and in cooperation with the private sector. We provide a global platform for cooperation with the private sector for information sharing and coordinated response, as well as in researching new solutions. From the recent ransomware attacks, there is a message to do more to protect systems and much of the damage was preventable, had systems been kept current and updated. We need trust, as well as rules to guide our cooperation. INTERPOL provides a global system to join together global systems to fight and coordinate cybercrime efforts. - Jurgen Stock, Secretary General, INTERPOL
Is the public sector doing enough?
It varies. Global capability, platforms and reach is critical for capability building and to raise the bar globally, nationally, regionally and locally for development of people, policies and architectures. Unless there is a deterrence we will see a continued explosion of criminals in cyber. - Cheri McGuire, CISO Standard Chartered Bank
The bad guys have unlimited funds, unlimited resources and will spend those to break whatever we put in place. - William Maheu, Senior Director, Qualcomm Cyber Security Solutions
Law enforcement should be able to investigate in cyber, as it does in physical. We need the tools to investigate but we also need the crimes to be reported. Law makers need to understand there are limits to our cyber capabilities around encryption. Law enforcement needs to educate the victims in the private sector as to what police will do when seeking evidence. We have to overcome the silo mentality. - Jurgen Stock, Secretary General, INTERPOL
We need to educate many people to achieve a new level of cyber security culture - this
includes new legal foundations including a UN convention. - Stanislav Kuznetsov, Deputy Chairman of the Executive Board, Sberbank
Banks have come together under the cyber security alliance to build cases before handing to police. We have many restrictive laws on sharing information but it can be done. - Cheri McGuire, CISO Standard Chartered Bank
Is law enforcement ready to share?
We can be self-critical and sharing information should not carry legal or litigation risks. We are also building through the United Nations a legal platform to share information and global conventions are important. This continues to be a work in progress. It is not just law enforcement but also the judiciary. We can take some risks but we still have to act within and be on a solid legal basis. - Jurgen Stock, Secretary General, INTERPOL
How can AI facilitate information sharing?
We start with what we can share and let that knowledge base grow and neural learning is going to be an amazing development. If we can prevent the ‘bad guys’ from being successful and making it so difficult for them to achieve their goals, that will be the real success. The power in the smart phone today is more than that which put man on the moon. It’s not just the bits and the bytes but it’s the processing power. We should be working to have the system identify attacks as soon as they occur and can automatically stop or attack back, as well as report and share. Then it will be a powerful, secure system. - William Maheu, Senior Director, Qualcomm Cyber Security Solutions
Moderator Interview
The World Economic Forum’s Dr Jean-Luc Vez, Head of Public Security Policy and Security Affairs spoke with the Australian Security Magazine about end-to-end encryption and the state of cybercrime worldwide: “The ICT industry wants to go ahead fast but is facing competition and the fact is that criminals are using the same technology. The discussion around encryption will remain a major hurdle in the fight of cybercrime. As a lawyer, I understand the conflicting interests of the right to privacy and the effective protection of citizens from cybercrime. The World Economic Forum does not
have a position on encryption. We are a facilitator and a global platform. I do believe, however, that we need to find the right balance between privacy on one side and the fight of crime on the other side and it needs to be rapidly addressed. There are states worldwide who are not interested in the protection of people’s privacy. The diversity of the legal systems worldwide won’t facilitate the search for a global, implementable solution. Brad Smith, President of Microsoft, presented the concept of a Cyber Geneva Convention and Cyber Accord in San Francisco at the RSA Conference in February. I think this is a very good idea and probably a very good trigger for enhancing the awareness of the world community. Action is needed. The question is how to implement such a convention? It seems like one half of the world believes such a convention is necessary while the other half is convinced it is not and that existing regulations are enough. The idea for the creation of an international cyber agency is also a good idea, like the IAEA (International Atomic Energy Agency) with the difference that, in cyber you need to call out the offenders more directly. Would INTERPOL take on that role? The International Committee of the Red Cross is an example for not naming and shaming countries and institutions, but they are still taking action in visiting prisoners. I think there are elements from this initiative that are very good, such as more information sharing, between the governments to the private sector, and I am convinced that this is the key to success.”
Policing of the future in global cities
As the programme shifted from cybersecurity to Future Cities on the second day of INTERPOL World 2017, Anselm Lopez, Singapore’s Ministry of Home Affairs, proposed in his opening address “There have been more new cities built in the last 10 years than in the last century.” Jamie Wylly of Microsoft outlined that “if cities become smarter they should also become safer. Microsoft has the concept of a city as a sensor but nothing remains more important than police on the street.” Koh Hong-Eng, Global Chief Public Safety Expert for Huawei Technologies countered this, saying, “you have to be a safe city before you can be smart city.” and highlighted the key issues involved with developing ‘future cities.’ These include the silos still operating within systems and agencies. Another issue is that ‘cyber’ gives new capabilities to all, so anyone can start a taxi service as an Uber driver, or anyone can become a hotel operator with Airbnb, and likewise, anyone can become a terrorist or hacker. The next issue is police budget and the need for collaboration – law enforcement needs to find ways to do more with less and this includes new collaboration concepts, such as, collaborative policing, collaborative surveillance and collaborative communities. “The ‘bad guys’ are evolving and they know what ‘we’ (police) are doing. ISIL is developing its own platform for communication and using blockchain
technology. For communication, one of the world’s largest organised crime groups, Italian Mafia ‘Ndrangheta’ is creating their own language. With 60,000 members and revenues of over US$4 billion, groups like these don’t need to call for tenders like police and government agencies do” said Koh Hong-Eng. Michael Hersham, CEO of the International Centre for Sport Security outlined the three key societal pillars; government, private sector and civil society and that each has a responsibility to reach out and form a better form of trust between them. Michael said, “Civil society must trust the police, as success will always rest, based on this level of trust.”
Law enforcement ‘Darknet’ case studies
A cyber investigation is not too different from a physical investigation. An objective and tenacious approach, along with collaboration, is critically important. For police, it is not just about detection, it is about securing a criminal conviction. With Darknet markets allowing people to remain anonymous, illicit drugs remain the most dominant commodity being traded. One of the most common drugs being traded is MDMA (Methylenedioxymethamphetamine), which can be easily posted and in high volumes, using different types of parcels, predominantly coffee and protein related products. In response, the Dutch National Police
(DNP) started a separate Darknet unit, specifically in response to trades in MDMA. Nils Andersen-Roed, Head of the Darkweb Team for the Dutch National Police (DNP) presented Darknet investigation case studies, Operations #Lancashire and #Nyack. The Lancashire case study highlighted a range of identification methods used that ultimately led to the arrest of a 55 year old man. Identification came with the interception of 100 parcels and 7,600 messages on Silk Road. With analysis and assessment of the messages, it was found within these messages there were mentions of the offender’s personal description, city of origin and his partner’s first name. With this skerrick of information, police were able to track down the offender, who was convicted of trafficking and sentenced to six years imprisonment. Operation Zyack involved a 25 year old man, who was consistently sending packages from the same post office. Police were surprised to learn the post office did not have a CCTV system. However, there were other CCTV systems operating near the post office and with patience, the cameras were able to be used to systematically track the suspect to his car, and included fortunate footage of capturing the vehicle registration number…the young man happened to be using his own car. Anish Prasad, of the Central Bureau of Investigation (CBI) India presented Operation Fire Cracker which involved an ‘email hacking as a service’ criminal enterprise facilitated out of India and Romania. The group had developed an active database of 1,900 email accounts, which has been
compromised and were accessible. The group had compromised 6,600 emails over a three year period. The group’s IP address was pointing to Pune, one of India’s most populous cities and the second largest city in the state of Maharashtra. The IP address was then tracked to an address and a young man was ultimately arrested and charged under the Information Technology Act of India, but Mr. Prasad also highlighted there was a money laundering aspect to the case.
Robotics on show
Officially launched in late 2015, the patented I-Man Facility Sprinter (or “IFS”) is essentially a mobile command and control centre equipped with advanced monitoring and wireless communication equipment managed by a team of 3 Intelligent-Man (I-Man). Wirelessly connected to a cluster of buildings, IFS provides security surveillance to these buildings and responds immediately to any security incidents. The drone and robot deployment is currently engaged in a project which unfortunately remains confidential until October 2017.
Oneberry Robot
The Oneberry Roboguard™ made its debut at INTERPOL World 2017. Oneberry Technologies, a security and surveillance technology provider in Singapore, developed this solution to address the security manpower shortage in Singapore as well as
to increase productivity and raise the level of security of its clients. These robots, which are powered on fuel cell technology, are able to operate autonomously up to a month without any downtime. They can be deployed to conduct surveillance checks and monitor large remote areas, freeing existing security personnel from foot-patrol duties and allowing them to perform higher value skilled tasks. Security information gathered by the RoboGuard™ can be sent via triggered alerts to a command centre that can also take over control of the robot remotely if required. With the new Public Order Act announced in March 2017 by the Ministry of Home Affairs entailing tighter security rules for largescale events and for commercial buildings in Singapore, the Oneberry RoboGuard™ could be an additional security measure that promotes productivity for property owners. They can be deployed in commercial or industrial buildings for 24-hour surveillance and inspections, to complement security officers on the ground. These security robots are integrated with robust high resolution IP cameras from MOBOTIX that have inbuilt video analytics and activity sensors, and will proactively send alerts to patrolling officers, or to a central command centre in the event of an alert or emergency. One command centre staff can operate up to ten robots, which is more productive than having ten static security officers on site. Also, a key highlight of the RoboGuard is its unique power source - direct methanol fuel cell technology from SFC Energy, which will provide reliable, green and autonomous power that lasts up to one month without
any maintenance; requiring just a simple 10 second hot swap of the methanol cartridge when it is depleted. “There are a lot of solutions and technologies in the market, but without power, the solution is useless. Having to change batteries every few hours or to get a robot to change “shifts” to recharge is unproductive and less effective than a security officer on a 12-hour shift. A reliable and autonomous power source is key to deploying any solution, especially for surveillance where having downtime is critical.” said Ken Pereira, CEO of Oneberry Technologies. Oneberry asserts it is currently in discussions with several partners in industrial and commercial sectors to deploy this solution, and aims to roll out 20 RoboGuards™ by the fourth quarter of 2017 via a flexible leasing model. The company hopes to encourage more companies to adopt such innovative solutions to increase productivity in the security industry.
Philippines connect and cyber security
The newly-formed Department of Information and Communications Technology (DICT) of the Philippines has been directed to craft a National Broadband Plan (NBP) to further improve the connectivity in the Philippines, with proposed plans for better internet connections and free WiFi. Co-organised by DICT and CommunicAsia 2017, the half-day Philippines Connect seminar on 24th May 2017 at the Singapore Marina Bay Sands Convention Centre addressed the upcoming opportunities and changes for the nation. We sat down with Mr Monchito B. Ibrahim (Undersecretary, DICT, Operations and Management), and Mr Allan Salim Cabanlong (Assistant Secretary, DICT, Cybersecurity and Enabling Technologies) to understand the Cyber Security considerations of these initiatives to achieve the country’s sustainable development goals through information and communication technologies (ICTs).
By Jane Lo, Singapore Correspondent
Opening Philippines Connect at CommunicAsia 2017, Antonio A. Morales, Ambassador of the Philippines to Singapore invited Singapore businessmen to partner with Philippines in pursuing development of innovative, job-generating and inclusive growth in the country before an audience of major technology and information system service executives, professionals and startups. “The continued positive economic performance of the Philippines has renewed the sense of vigor among industries, with emphasis on ensuring ease of doing business and allowing for efficient delivery of government services backed by technological innovations. It is with this commitment that the Duterte administration has directed DICT to develop the National Broadband Plan (NBP), which will serve as a blueprint to accelerate the deployment of fiber optic cables and wireless technologies, and improve the internet speed in the country,” he said. Studies cited in the NBP draft, approved by President Rodrigo Duterte in early March, point out that the Philippines ranked 110 out of 187 countries when it comes
to active fixed broadband subscription; and 89 out of 179 for active mobile subscription. Additional statistics on digital, social and mobile usage further support the call to action in making connectivity available and affordable, which has the benefit of stimulating economic activity. As part of the NBP, The Philippine Government aims to increase broadband take-up and usage through measures such as the promotion of the use and production of local contents and applications; and the introduction of conditional fiscal incentives to broadband users. What the NBP envisions, said His Excellency Ambassador Antonio Morales, is “a resilient, comfortable and vibrant life for all, enabled by open, pervasive, inclusive, affordable and trusted broadband internet access.” However, converting the benefits of digitalization to economic growth and development works only when Cyber Space is safe and secure. The Philippines Republic Act No. 10175 [“An Act Defining CyberCrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties Therefor and For Other Purposes”] states:
“The State recognizes the vital role of information and communications industries such as content production, telecommunications, broadcasting electronic commerce, and data processing, in the nation’s overall social and economic development. “The State also recognizes the importance of providing an environment conducive to the development, acceleration, and rational application and exploitation of information and communications technology (ICT) to attain free, easy, and intelligible access to exchange and/or delivery of information; and the need to protect and safeguard the integrity of computer, computer and communications systems, networks, and databases, and the confidentiality, integrity, and availability of information and data stored therein, from all forms of misuse, abuse, and illegal access by making punishable under the law such conduct or conducts”. We sat down with Mr Monchito Ibrahim, and Mr Allan Cabanlong from DICT, to understand the Cyber Security considerations of these initiatives to achieve the country’s sustainable development goals through information and communication technologies (ICTs).
Cyber Security is an active part of the conversation in the development of the National BroadBand Plan (NBP)
Mr Monchito Ibrahim, speaking at Philippines Connect on the government’s ICT initiatives to gear up as a digital nation, noted that the IT sector is the second largest contributor to the Philippines economy. NBP will further strengthen its IT sector, as the platform enabler of the state’s e-government plan to have one digitized network for its online services for citizens, businesses, and government. To support NBP, Mr. Monchito Ibrahim also highlighted key “Acts” enacted by the Senate and the House of the Philippines in Congress: The Republic Act No. 10175 “Cybercrime Prevention Act of 2012” (as mentioned above), and the No. 10173 “Data Privacy Act of 2012”, and accompanying initiatives, including the establishment of “The National Cybersecurity Plan” and “The National Privacy Commission”. It is now imperative to operationalise these plans to raise awareness about the importance of digital security. Specifically, given the high levels of engagement on social media (there are approximately 48 million active social media users in the Philippines and 41 million of these access social media via mobile), he expressed the importance for users to understand the privacy implications of sharing personal data on social media, and the challenge for users to filter out the fake news from facts. Data breaches are also occurring on a more frequent basis, the most recent being the WannaCry virus that infected information networks and computers in more than 150 countries during May. With the appropriate (physical, legal and regulatory) infrastructure and policy in place and awareness raising events, he said, users can be made to feel safe and confident in the Cyber world, which further encourages digital adoption in the country. One such awareness raising event is the National ICT (Information and Communication Technology) Month in June 2017.
In recognising that technology has “the power to foster inclusivity, enable security and efficiency, as well as strengthen connections between individuals, communities, and sectors”, the theme for this year’s ICT Month is “ICT for a Better and Safe Philippines.” It was also timely that the National Cybersecurity Plan (NCSP) 2022 was finalised just recently.
National Cybersecurity Plan (NCSP) 2022
Drafted last December, the final version of the National Cybersecurity Plan 2022 was officially launched on 2 May 2017. It incorporates the strategies, programmes, and imperatives that the government needs to create a cyber safe Philippines, said Mr Allan Cabanlong. The four key strategic imperatives of the National Cybersecurity Plan 2022 are: “Protection of Critical Infostructure (CII)”, “Protection of Government Networks”,
Ms Emmy Lou Versoza-Delfin (Program Manager, ICT Industry Development, Republic of the Philippines, Department of Information and Communications Technology - DICT) introducing the panel at Philippines Connect 2017, co-organised by CommunicAsia 2017 and DICT. Joining the Ambassador was Mr. Monchito B. Ibrahim, Undersecretary – Department of Information and Communications Technology (DICT), and the representatives from The Philippine Government trade and investment center, IT-BPM (Information Technology – Business Process Management) and the telecommunication giant (PLDT). From Left: Mr. Jonathan de Luzuriaga, President-Philippine Software Industry Association/ Board Trustee Information Technology and Business Process Association of the Philippines On “Philippine IT-BPM Industry Roadmap 2022” Mr. Glenn Peñaranda Philippine Trade & Investment Centre – Singapore On “Doing Business in the Philippines” Mr. Monchito B. Ibrahim Undersecretary – Department of Information and Communications Technology On “Philippine Government ICT Initiatives” His Excellency Ambassador Antonio A. Morales Ambassador of the Philippines to Singapore Opening Address Mr. James L. Melon PLDT Enterprise, Country Manager, SIngapore On “PLDT Singapore
“Protection of Business and Supply Chains”, “Protection of Individuals”, to enable Philippines to become a cyber resilient nation. To strengthen the Cybersecurity of private and public sectors, DICT will establish a National Computer Emergency Response Team (NCERT) which will serve as the focal agency for computer emergency response. NCERT will work with Government Computer Emergency Response Teams (GCERTs), Military CERTs, Sectoral CERTs, and with partner International CERTs. This will facilitate the centralization of the collection of actionable intelligence, enabling early warning systems and digital analytics, and conducting incident response.
Increase the Pool of Cybersecurity Experts
NCSP 2022 also sets out programs to build the cyber skillset within the educational, public and private sectors, and international collaborations to exchange knowledge with regional (for example, CyberSecurity Working Group of ASEAN Defense Ministers) and international agencies (for example, Interpol, Europol, US FBI agency), through:
• Establishment of Cyber Training facilities and Certification Programs
• Promote National Cybersecurity R&D Program to attract and cultivate Cyber Experts
• Trainings to Develop Cybersecurity Specialist
• Promote Communities of Practice
In particular, within the educational sector, DICT looks to integrate cybersecurity into the academic curricula of senior high school and undergraduate and graduate levels. For example, foundational work with one of the Universities in Pampanga City, for the first offering of a Master in CyberSecurity, covering aspects of cybersecurity, risk management, forensics, and incident response, had already begun. To successfully incorporate cybersecurity into schools, DICT will implement a Training of Trainers (ToT) project, and partner with the George C. Marshall Centre (GCMC), a centre for security studies, on the acquisition of relevant skills by trainers, in order to teach Cybersecurity and deliver on this objective. In the public sector, the CICC is “mandated to do capacity building and to support law enforcers in combating cybercrime.” DICT is also offering training programmes to law enforcement officers. Mr Cabanlong stressed that it’s imperative to equip law enforcers, lawyers, judges on technical investigation, such as network forensics and digital analytics, to better understand cyber-related cases and facilitate resolution.
Looking ahead
As Philippines accelerates its broadband connectivity plans and prepares its users to new challenges posed by the evolving digital ecosystem, there is also an awareness to prevent another catastrophic incident like the 2016 Commission on Elections (Comelec) breach where millions of voter biometric profiles were harvested. This attack which occurred right before national elections was one of the largest ever done on a specific country.
Looking ahead, as Cyber attacks become increasingly transnational, where an attack originating in a different part of the world has cross-jurisdictional impacts (an example being Philippines’s well-regarded business outsourcing sector, which hosts data of global organisations including financial institutions), we see that NCSP 2022 and the NBP clearly demonstrate serious efforts by The Philippine Government to protect itself, the country’s internet use, its citizens, and businesses from cyber attacks.
Mr. Monchito B. Ibrahim, Undersecretary – Department of Information and Communications Technology, speaking at Philippines Connect, on “Philippine Government ICT Initiatives”, and noting Photo Credit: CommunicAsia 2017
Mr Mohamed Abulkheir,
Mr. Allan Cabanlong, Assistant Secretary, DICT and Executive Director, Cyber Crime Coordinating Centre (CICC)unveiling the National CyberSecurity Plan 2022. Photo Credit: DICT, CICC
TechTime - latest news and products
To have your company news or latest products featured in our TechTime section, please email email@example.com
Codelocks continues its wave of innovation with two new affordable mechanical locks
Leading lock manufacturer Codelocks Asia Pacific has introduced two new additions to its range of easy-to-install locks, with the announcement of the CL50 and the CL160. The new locks follow a raft of product releases, as Codelocks continues to invest heavily in research and development. The CL50 and the CL160 are affordable mechanical push button locks that provide a comprehensive range of functions for light duty entry control. The CL50 is a light duty mechanical push-button lock with tubular latch. The CL160 is the latest addition to the CL100 product line up with a range of additional benefits.
Compact CL50
A highly flexible addition to the Codelocks portfolio, the mini mechanical lock is a latch bolt with ‘anti-shim’ plunge and is well suited to low traffic uses. The small size of the lock makes it very versatile, suiting a wide range of applications. There is a 10-button keypad – nine buttons for code selection, offering over 500 possible combinations, plus a ‘C’ button used to reset the chamber. There are three choices of latch size and a ‘hold open’ function allowing free entry when required without operating the code. The lock is ideal for internal applications that require a smaller footprint. Other key features include:
• Easy action internal lever
• Thumb turn handle
• Suits right or left hand hung doors
• Limited lifetime warranty
Retrofit CL160
The CL160 follows on from the CL155. The mechanical lock provides two different coding methods – QuickCode and EasyCode. The first allows for simple on-the-door code changes and is ideally suited for applications where regular code changes are required. The second requires the lock to be removed, providing robust management control. The lock has a 12-button keypad. Ten buttons are used for code selection, with over 1,000 possible combinations; the ‘C’ button used to reset the chamber and the ‘A’ button can be used to change the code. The lock is easy to install and can even be retrofitted to the existing lock prep holes from the CL155 and similar locks. Other key features include:
• Simple convenient control
• On door code change
• Suits right or left hand hung doors
• Suitable for internal and external applications
• Limited lifetime warranty
“Following their success in our UK and US markets, we are delighted to welcome both the CL160 and the CL50 to our portfolio,” said Mark Samuelson, General Manager for the Asia Pacific region. “The diversity of the locks provides both home owners and businesses with a full range of options to suit all purposes and budgets, and further demonstrates Codelocks’ commitment to servicing the needs of the access control market.”
For more information on the new CL50 and CL160 visit:
CL50 - www.codelocks.com.au/cl50/cl50mortice-latch.html
CL160 - www.codelocks.com.au/cl50/cl50mortice-latch.html
About Codelocks Asia Pacific
Codelocks Asia Pacific designs and manufactures a wide range of innovative, standalone keyless door, locker and cabinet locks for organisations that need to control access within their buildings. The product range includes stylish push-button mechanical locks, digital electronic and wireless ‘smart’ locks that are easy to manage and can be operated using a keypad, card and smartphone. Convenience is at the heart of all of Codelocks’ products. Our user-friendly approach enables building and facilities managers to have complete control over who is entering and exiting. The locks are cost-effective, easy to fit and programme, can be retrofitted and do not require complex wiring or external power. We offer full access to expert technical advice and customer support. For more information, visit www.codelocks.com.au
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
Senstar introduces the Flare real-time locating system at the security exhibition and conference
Senstar has introduced the Flare Real-Time Locating System to the Australian market at the Security Exhibition and Conference. Flare instantly identifies and locates personal duress alarms at the touch of a button. Designed for reliability in institutional and industrial environments, Flare uses patented, proven, cost-effective technology to help keep staff safe. “The technology behind Flare has been in continuous use in high-threat environments for over 20 years,” said Product Manager Todd Brisebois. “Senstar has used this experience to design the architecture and feature set required for a mission critical real-time locating system while offering one of the industry’s lowest Total Cost of Ownership.” In the event of danger, the user activates a Personal Protection Device (PPD) on his or her belt. The PPD emits an RF signal that is detected by a network of sensor units concealed throughout the facility. Flare immediately locates indoor emergency alarms to within 6 m (20 ft) and displays the location, status, and identity of the PPD on a map-based display in the control room. Pull-pin and man-down (tilt activated) options are also available, and the system can be optimized for outdoor use. Flare operates in protected frequency bands that use dedicated spectrum, avoiding the potential for interference. Key features of the Flare Real-Time Locating System include low sensor unit density, scalable architecture, IP connectivity, and ruggedized components. Flare is also easy to install and maintain, and requires minimal user training.
Visit Senstar at booth L29 at the Security Exhibition and Conference from July 26-28 to learn more about Flare and to check out our perimeter intrusion detection products including the FlexZone ranging fence-mounted intrusion detection sensor and the FlexZone Wireless Gate Sensor, and the OmniTrax ranging buried cable intrusion detection sensor, as well as the Tungsten cyber security appliance for the edge of a network. Also at the Senstar booth is Aimetis, a Senstar company, which combines the most scalable and easy to use video management systems with integrated analytics and centralized management in the cloud. Learn about Symphony, the new benchmark for intelligent video management software.
About Senstar Corporation
Senstar has been manufacturing, selling, and supporting the world’s largest portfolio of perimeter intrusion detection sensor technologies for over 35 years. Senstar is also a leading provider of personal duress solutions. Senstar products can be found around the world in more than 80 countries, in tens of thousands of sites including commercial, borders, ports, military and government, transportation, oil and gas, correctional, and other critical sites.
www.senstar.com | www.YouTube.com SenstarCorp Twitter: @SenstarCorp
Updated NIST Guidance for Bluetooth Security
NIST’s Information Technology Laboratory has published Special Publication (SP) 800-121 Revision 2, Guide to Bluetooth Security, to provide an updated overview of Bluetooth wireless technology and to discuss related security concerns. The publication will help guide Bluetooth implementers, such as systems engineers and architects who design and apply Bluetooth wireless technologies, and will also help those who oversee and review use and security of Bluetooth within their organizations. This article provides an overview of Bluetooth wireless technology and highlights key information from Special Publication (SP) 800-121 Revision 2 about Bluetooth’s security features, its vulnerabilities, and ways to address these vulnerabilities and make this technology more secure.
Overview of Bluetooth Wireless Technology
Bluetooth is a technology for short-range radio frequency communication that is used primarily to establish wireless personal area networks (WPANs). Bluetooth has been integrated into many types of business and consumer devices, including cell phones, laptops, automobiles, printers, keyboards, mice, headsets, and, more recently, medical devices, and personal devices (such as smart watches, home appliances, and fitness monitors). Thanks to Bluetooth technology, a wide variety of devices can be connected to the Internet. Devices that are connected to the Internet – whether through Bluetooth technology or another technology – form what is called the Internet of things.
Bluetooth is a low-cost, low-power technology that provides a mechanism for creating small wireless networks on an ad hoc basis, known as piconets. A piconet consists of two or more Bluetooth devices in close physical proximity that operate on the same channel using the same frequency hopping sequence. An example of a piconet is a connection between a cell phone and a headset using Bluetooth wireless technology.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
Cisco 2017 midyear cybersecurity report predicts new 'Destruction of Service' attacks
The Cisco 2017 Midyear Cybersecurity Report (MCR) uncovers the rapid evolution of threats and the increasing magnitude of attacks, and forecasts potential “destruction of service” (DeOS) attacks. These could eliminate organizations’ backups and safety nets, required to restore systems and data after an attack. Also, with the advent of the Internet of Things (IoT), key industries are bringing more operations online, increasing attack surfaces and the potential scale and impact of these threats. Recent cyber incidents such as WannaCry and Nyetya show the rapid spread and wide impact of attacks that look like traditional ransomware, but are much more destructive. These events foreshadow what Cisco is calling destruction of service attacks, which can be far more damaging, leaving businesses with no way to recover. The Internet of Things continues to offer new opportunities for cybercriminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact. Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the Internet itself.
Measuring effectiveness of security practices in the face of these attacks is critical. Cisco tracks progress in reducing “time to detection” (TTD), the window of time between a compromise and the detection of a threat. Faster time to detection is critical to constrain attackers’ operational space and minimize damage from intrusions. Since November 2015, Cisco decreased its median time-to-detection (TTD) from just over 39 hours to about 3.5 hours for the period from November 2016 to May 2017. This figure is based on opt-in telemetry gathered from Cisco security products deployed worldwide.
Threat landscape: What’s hot and what’s not
Cisco security researchers watched the evolution of malware during the first half of 2017 and identified shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques. Specifically, Cisco saw they increasingly require victims to activate threats by clicking on links or opening files.
They are developing fileless malware that lives in memory and is harder to detect or investigate as it is wiped out when a device restarts. Finally, adversaries are relying on anonymized and decentralized infrastructure, such as a Tor proxy service, to obscure command and control activities. While Cisco has seen a striking decline in exploit kits, other traditional attacks are seeing a resurgence:
• Spam volumes are significantly increasing, as adversaries turn to other tried-and-true methods, like email, to distribute malware and generate revenue. Cisco threat researchers anticipate that the volume of spam with malicious attachments will continue to rise while the exploit kit landscape remains in flux.
• Spyware and adware, often dismissed by security professionals as more nuisance than harm, are forms of malware that persist and bring risks to the enterprise. Cisco research sampled 300 companies over a four-month period and found that three prevalent spyware families infected 20 percent of the sample. In a corporate environment, spyware can steal user and company information, weaken the security posture of devices and increase malware infections.
• Evolutions in ransomware, such as the growth of Ransomware-as-a-Service, make it easier for criminals, regardless of skill set, to carry out these attacks. Ransomware has been grabbing headlines and reportedly brought in more than $1 billion in 2016, but this may be misdirecting some organizations, who face an even greater, underreported threat. Business email compromise (BEC), a social engineering attack in which an email is designed to trick organizations into transferring money to attackers, is becoming highly lucrative. Between October 2013 and December 2016, $5.3 billion was stolen via BEC, according to the Internet Crime Complaint Center.
Unique industries face common challenges
As criminals continue to increase the sophistication and intensity of attacks, businesses across industries are challenged to keep up with even foundational cybersecurity requirements. As Information Technology and Operational Technology converge in the Internet of Things, organizations struggle with visibility and complexity. As part of its Security Capabilities Benchmark Study, Cisco surveyed close to 3,000 security leaders across 13 countries and found that across industries, security teams are increasingly overwhelmed by the volume of attacks. This leads many to become more reactive in their protection efforts.
• No more than two-thirds of organizations are investigating security alerts. In certain industries (such as healthcare and transportation), this number is closer to 50 percent.
• Even in the most responsive industries (such
as finance and healthcare), businesses are mitigating less than 50 percent of attacks they know are legitimate.
• Breaches are a wake-up call. Across most industries, breaches drove at least modest security improvements in at least 90 percent of organizations. Some industries (such as transportation) are less responsive, falling just above 80 percent.
Important findings per industry include:
• Public Sector – Of threats investigated, 32 percent are identified as legitimate threats, but only 47 percent of those legitimate threats are eventually remediated.
• Retail – Thirty-two percent said they’d lost revenue due to attacks in the past year with about one-fourth losing customers or business opportunities.
• Manufacturing – Forty percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardized information security policy practices such as ISO 27001 or NIST 800-53.
• Utilities – Security professionals said targeted attacks (42 percent) and advanced persistent threats, or APTs (40 percent), were the most critical security risks to their organizations.
• Healthcare – Thirty-seven percent of the healthcare organizations said that targeted attacks are high-security risks.
Cisco’s Advice for Organizations
To combat today’s increasingly sophisticated attackers, organizations must take a proactive stance in their protection efforts. Cisco Security advises:
• Keeping infrastructure and applications up to date, so that attackers can’t exploit publicly known weaknesses.
• Battle complexity through an integrated defense. Limit siloed investments.
• Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints.
• Establish clear metrics. Use them to validate and improve security practices.
• Examine employee security training with role-based training versus one-size-fits-all.
• Balance defense with an active response. Don’t “set and forget” security controls or processes.
For the 2017 MCR, a diverse group of 10 security technology partners were invited to share data from which to jointly draw threat landscape conclusions. Partners that contributed to the report include Anomali, Flashpoint, Lumeta, Qualys, Radware, Rapid7, RSA, SAINT Corporation, ThreatConnect and TrapX. Cisco’s security technology partner ecosystem is a key component of the company’s vision to bring security that is simple, open and automated to customers.
About the Report
The Cisco 2017 Midyear Cybersecurity Report examines the latest threat intelligence gathered by Cisco Collective Security Intelligence. The report provides data-driven industry insights and cybersecurity trends from the first half of the year, along with actionable recommendations to improve security posture. It is based on data from a vast footprint, amounting to a daily ingest of over 40 billion points of telemetry. Cisco researchers translate intelligence into real-time protections for our products and service offerings that are immediately delivered globally to Cisco customers. For more information, visit www.codelocks.com.au
Ten top defence-tech startups selected for Techstars Adelaide
Techstars Adelaide, the first Techstars accelerator in Asia-Pacific, has announced the official launch of its 13-week intensive program in which 10 startups from different parts of the world will gain access to high profile mentors, the Techstars global network, a newly renovated work space in the Adelaide CBD and a cash investment of up to US$120,000 in their respective companies. After reviewing applications from 49 different countries, Techstars Adelaide selected the Top 10 to take part in its accelerator
program with founders hailing from Australia, India, Israel, Italy, New Zealand and the US. The selected teams work on a very wide range of defence and security related technologies including big data and analytics, sensors, unmanned aerial systems, rocket propulsion, cyber and physical security, and performance improvement. Out of the 10 finalists, six startups are from Australia, with companies from Melbourne, Brisbane and Adelaide joining the program.
[Table of the selected startups; surviving entries: Additive Rocket Corporation; San Diego, USA; New Delhi, India; Auckland, New Zealand]
“The selection process was not an easy one due to the large volume of very strong applications. We were hugely impressed by the depth of innovation coming from the defence and related sectors. We were particularly excited to see that so many of the applications that really stood out from the crowd were from our home base of Australia,” said Gold. “From drones to data analytics, from virtual borders to rocket science – we’ve assembled a group of the most exciting technology startups working in and around defence today. By bringing these teams together and linking them with startup experts and industry specialists we will help them rapidly scale up their businesses.”
Over the course of the program, the companies will relocate to Techstars Adelaide’s new bespoke workspace on the city’s North Terrace and receive hands-on mentorship from Techstars mentors. They will also receive guidance and support from the corporate partners and global defense sector leaders Boeing, Codan Defence Electronics, SAAB Australia and Thales. All
participants will benefit from lifetime access to Techstars resources, connections to investors and the Techstars global network of over 5,000 entrepreneurs, alumni and mentors as well as over US$1 million worth of perks all aimed to provide the companies with all the resources they need to achieve their goals. David Cohen, Founder and Co-CEO of Techstars commented, “It was a promising experience to launch our first accelerator program in Asia Pacific in a relatively niche sector. The calibre of the applications we received is a true testament of the immense potential both within the region, but also of startups targeting the global defence sector. “We are excited to have such a great class of founders apply to join the Techstars Adelaide program, and look forward to seeing where these startups can go. To date, our program has helped companies raise an average US$3.5 million in venture capital once they’ve completed the program, and we look forward to offering the same opportunities to our Top
10 companies for our first program in APAC,” added Cohen. The South Australian Government welcomes the Techstars Adelaide accelerator program to its home. Acting Innovation Minister Susan Close said, “Techstars helps entrepreneurs to succeed and today’s announcement further strengthens South Australia’s reputation as the epicentre for smart, new companies to make their start. “The State Government congratulates the first round of participants announced today for Techstars’ Asia Pacific program. “With a focus on commercialising innovative technologies in the defence and security sectors, these start-ups will work closely with global companies such as Boeing, SAAB and Codan who have existing operations in South Australia.” For more information about Techstars Adelaide, please visit www.techstars.com/programs/adelaide-program/
Australian businesses are resilient yet need to improve breach prevention mindset
Palo Alto Networks has released a new cybersecurity report that reveals Australian organisations are generally resilient when it comes to their cybersecurity posture and habits, despite the general belief that the local IT security professionals are finding it difficult to combat growing threats and savvier cybercriminals. The report, entitled ‘The State of Cybersecurity in Asia-Pacific’, also confirmed that the battle against cybercriminals is far from won as Australian organisations appear to have a misplaced sense of confidence when it comes to cybersecurity. While Australian organisations are experiencing some success in mitigating cyberthreats, it remains an ongoing problem. Data breaches are still costly, with 36 per cent of respondents losing at least AU$130,000 (US$100,000) due to incidents in the 2015-16 financial year. Worryingly, that number rose to 40 per cent in the 2016-17 financial year.
Other key findings in Australia revealed:
• Australian organisations are complacent: According to the report, 34 per cent of Australian businesses have a low average adoption rate for advanced security measures, yet almost three-quarters (74 per cent) of respondents said they were
confident in their security measures. In addition, 59 per cent of respondents said they believe their organisation is not a target for cyberthreats, despite growing anecdotal evidence that no company is safe regardless of size or industry.
• There is a lack of awareness of the seriousness of cyberthreats: Just 70 per cent of Australian respondents agreed that cybercrime has become increasingly sophisticated in the last three years, compared with 86 per cent of respondents in China.
• Australian organisations aren’t spending enough on cybersecurity: Only 50 per cent of Australian organisations reported an increase in cyber spend, which was lower than all other markets surveyed. And, while 60 per cent of Australian respondents allocate between 5 and 15 per cent of their IT budget to cybersecurity, just over half (55 per cent) of respondents agreed it is easy to convince management to invest in cybersecurity solutions and technology. Furthermore, 36 per cent of Australian companies cite a lack of budget as the main barrier to keeping up with evolving cybersecurity solutions.
• Focus should shift to prevention: Clinging to outdated security approaches can put businesses at an even greater
disadvantage. Instead, organisations should shift their focus away from mitigation and towards breach prevention. Better threat intelligence sharing can help achieve this. By sharing information about threats in time for organisations to protect themselves, businesses can collectively save time and money, and avoid complacency. There may be some work to do to achieve this: Almost half (46 per cent) of Australian respondents said that, in their organisation, detecting and responding to cyberthreats is more important than prevention. Australia is heading in the right direction when it comes to a breach prevention mindset, but organisations need to implement the right systems and measures to stay ahead.
• A framework is required: Most IT decision-makers agreed that reporting breaches to regulators should be mandatory. There needs to be a framework around the types of information shared so that businesses feel comfortable sharing cyberthreat information with each other. This is the only way Australian organisations will be able to implement a cybersecurity posture oriented around prevention rather than the far more expensive cure.
• Cybersecurity awareness and policies are crucial: Just 56 per cent of Australian respondents agreed that all employees/departments in their organisation understood safe cybersecurity practices. Interestingly, not one of the government respondents in Australia said they review their policy and/or standard operating procedure for cybersecurity more than once per year. This is in stark contrast to the financial industry, in which 56 per cent of respondents review policies and standard operating procedures more often than once a year. At the same time, 44 per cent of respondents in Australia said employees in their organisation don’t check with the IT department before introducing new devices or installing software on company devices. Companies must develop, communicate and, importantly, enforce clear security policies to prevent vulnerabilities as much as possible. Educating employees about safe cyber practices is just as important as putting the right security measures in place.
‘These survey results highlight that every organisation is a potential target for cybercriminals. If businesses don’t put the right measures in place, they may be exposed to financial losses and reputational damage after just one successful breach. Failure to take a strong preventative mindset, which includes implementing advanced, next-generation security measures and policies, puts these organisations at risk.’ – Sean Duca, vice president and regional chief security officer for Asia-Pacific, Palo Alto Networks
Management Buy-In Is Key
Good cybersecurity practices, like any cultural behaviour, must be modelled from the top down in an organisation. It’s vital for senior leaders to understand the cyber risk the business faces, as well as their own roles in combatting that risk. IT and security teams can make this visceral and relevant for senior leaders by defining clear business metrics for cybersecurity. This could include involving them in readiness exercises to test cybersecurity processes so they can understand and become engaged in the issues and risks.
It’s also important to emphasise how new regulations, such as the Privacy Act in Australia and the General Data Protection Regulation in Europe, will affect the business. Cybersecurity is not a set-and-forget exercise: It is an ongoing battle that requires constant vigilance and regular technology updates.
Learn More
‘The State of Cybersecurity in Asia-Pacific’ report features analysis, practical strategies and tips that can be implemented to help companies in Asia-Pacific keep up with rapidly evolving cybersecurity technologies.
About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com
ASIS International Australia Conference 2017
Conference program and Registration : www.asisvictoria.org.au/events Join conference leaders and innovators as they address real issues in security. Avoid disappointment | Register NOW
The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is dist...
Published on Aug 15, 2017