Print Post Approved PP255003/10110
THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2015
Security 2015 Q&A ONVIF & COMPLIANCE
PART II Counter-Terrorism Feature Radicalisation, Role of the Media & ISIS Social Media Tactics
It’s all about Cyber Security
IMPROVED BORDER SECURITY The Holy Grail for airports
Security & Risk Management the next evolution
THREATS ARE MOUNTING ACROSS THE TECHNOLOGY LANDSCAPE
$8.95 INC. GST
TechTime l Cyber-TechTime Movers & Shakers l Quick Q&A and much more...
Video: See Siveillance Vantage in action
Siveillance™ Vantage secures your critical infrastructure Siveillance™ Vantage is a command and control workflow engine, specifically designed to support security management for critical infrastructure. Using innovative software, Siveillance Vantage not only ties together all the sub-systems currently used to protect and manage your site, but it also allows you to customise and integrate security policies and procedures using workflows and automated actions.
Siveillance Vantage offers the desired level of security and provides peace of mind at any time for: § § § § §
Airports and ports Correctional facilities Government assets Campuses Energy infrastructure assets
For more information, contact us on 13 72 22 or visit our website www.siemens.com.au/bt-security
Contents Editor's Desk 3 Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Marketing Manager Kathrine Pecotich Art Director Stefan Babij
Security Survey Summary
Quick Q @ A Per Bjorkdahl - Chair of ONVIF’S Steering Committee
International ONVIF conformance and false claims
BAE Systems Applied Intelligence Feature 10 Cyber Security Its all about Cyber Security
The power of penetration testing in boosting cyber resilience
The best ways to fend of DDoS attacks
Correspondents Sarosh Bana Kema (Johnson) Rajandran
Page 12 - Its all about Cyber Security
Women in security ‘But you are a woman’ - with Michelle Weatherhead 22 Frontline
MARKETING AND ADVERTISING Kathrine Pecotich T | +61 8 6361 1786 firstname.lastname@example.org SUBSCRIPTIONS
T | +61 8 6361 1786 email@example.com
Security and risk management the next evolution
Critical Infrastructure Improved border security, faster border clearance and reduced cost.
Operating in Kazakhstan - What are the threats? 28 Counter terrorism feature Obstacles for winning the war on terror
Radicalisation process - A cultural and religious insight - Part II
Strategies used by Islamic State to recruit on social media 38 Copyright © 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | firstname.lastname@example.org E: email@example.com All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
TechTime - the latest news and products
Page 26 - Improved border security
OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews,
Page 38 - Strategies used by Islamic
events and other topical discussions.
State to recruit on social media
CONNECT WITH US www.facebook.com/apsmagazine www.twitter.com/apsmagazine
Correspondents* & Contributors
Nick De Bont
Dr Robyn Torok
Anooshe Aisha Mushtaq
Dr Keith Suter
Kema (Johnson) Rajandran*
2 | Australian Security Magazine
“In our age there is no such thing as ‘keeping out of politics.’ All issues are political issues, and politics itself is a mass of lies, evasions, folly, hatred and schizophrenia. ” - George Orwell
ver felt trapped in a cycle? Or worse still, a spiral? Though I’m not referring to a personal dilemma which should cause you to call a self-help hotline. I’m referring to Operation Fortitude. For the last weekend of August, Victoria Police planned to lead a multi-agency public safety operation in Melbourne. One of many thousands held by police in our cities each year, including regulatory and compliance operations. Indeed, the Minister for Immigration and Border Protection, Peter Dutton highlighted the real annual figure to be in the sum of 16,000 such operations. With this number in mind, Fortitude is indeed unique in igniting a “confected” protest in city streets and the operation was ultimately cancelled on the grounds of public safety. With a single media release from the Australia Border Force (‘ABF’), Operation Fortitude never got off the ground. What sparked national attention from what was the old ‘mundane’ Customs and Border Protection Service? What is this new ‘exciting and powerful’ law enforcement agency that was ceremoniously indoctrinated in July? Why did it instantly and controversially gain public attention over what was reportedly to be its handling of taxi driver visa checks? It was the media release? The one proud public statement the ABF intended to make about its involvement in a state police operation. The key statement proudly proclaimed that the Australian Border Force “will question anyone who comes across their path”. The tone
was suggestive of a police state mentality with a perceived legal entitlement and superiority. Most likely from a public servant in public relations, with no concept of the legal responsibilities and oath taken by sworn police officers. The reaction was near instant and maintained real time by a swelling social media interest. Victoria Police must have been fuming! As a former colleague of Roman Quaedvlieg, there was a natural cringe as he faced the cameras to concede that his agency over stepped the mark – thankfully without a ‘fatal’ consequence. But my concern remains. I’ve raised the same concern repeatedly. It is how a media release about the ABF’s involvement in a multi-agency police operation in a major capital city didn’t “strike any interest at all” and “that it was inconsequential” from the Minister’s office. It was just treated as ‘routine’. Much like the letter to the Federal Attorney General from Mans Monis before the Martin Place Siege, the routine ABF press release, according to Dutton, “has sparked a review into how press releases are handled by the department and we’ll see what comes of that.” It is disappointing to see Operation Fortitude represent another example of the Government’s very “clumsy” and “routine” handling of security issues. Much like that seen under the Howard Liberal Government, Abbott’s team has caused the broader politicisation of the public service. Whilst Ministers nationally ignore the private security sector.
The Melbourne reaction of protest to the ABF media release demonstrates how a combative, authoritarian approach is counterproductive and feeds directly into the narrative of the likes of Islamic State and fuels radicalisation. Whilst taking nothing away from much of their good work, the trouble is that police are structured and funded to initiate and respond. They do not seek or have the capability to consult with the wider community with the necessary empathy and interest for effective prevention - they have a budget to spend. With the amount of money given to policing, in the communication age, we should expect much higher standards from our national security agencies and none of their activity should be regarded as simply ‘routine’. Complacency is the greatest danger. And on that note, as always, we provide some thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor
Australian Security Magazine | 3
Security Survey Summary AUSTRALIAN RESEARCH: Attitudes towards breaches and data theft highlight role of law and penalties Websense, Inc has announced the results of a survey of 100 Australian security professionals. Nearly all respondents (98%) believe that the law should address serious data breaches that expose consumers’ data loss through punishments such as fines (59%), mandatory disclosure (65%), and compensation for consumers’ affected (60%). Twenty three percent even advocate arrest and jail sentence for the CEO or board members. Respondents feel that companies that are not taking action against data loss and theft have it as an agenda item, but it’s not yet a high enough priority (38%). Furthermore, 41% say the CEO should hold ultimate responsibility should a breach arise. And the pressure is mounting, as 72% of all respondents believe the advent of the Internet of Things will make companies even more vulnerable to data theft. Nearly three quarters (64%) of respondents say employees would connect to an unsecure WiFi to respond to an urgent request by the CEO or company executive; with even 42% of security professionals saying they would do so themselves. As data theft disclosures hit the headlines, it appears to be inadvertently helping companies address the issues. More than half (62%) of security professionals feel the publicity has helped other companies create a case for budget, focus and resources. But nearly a quarter (24%) believe that the headlines have hindered this as they make companies feel powerless to protect against these attacks. Bradley Anstis, ANZ Sales Engineering Manager at Websense explains: “Despite all of the large-scale attacks we’ve seen over the past year, many businesses still don’t recognise the risks they face and the potentially devastating impact of a breach. Businesses can no longer afford to ignore the risks or to waste time and resources implementing security solutions that aren’t tailored to meet their needs. It’s all about developing the right-sized security strategy for your business. But by taking a holistic, data-centric approach, IT security teams can gain visibility of their security gaps, identify the threats to their data and protect their critical information from data theft.” *
Australian Organisations Lack High Priority Data Security Practices as 31 percent of Workers Indicate that Corporate Confidential Information is at Risk LogRhythm, has announced the results of its Australian Workplace Security study which highlights the need for better enforcement of corporate data security measures. Nearly a third (31 percent) of respondents to the survey – 1003 employees and managers of medium to large organisations across Australia – reported that there has been at least one recent ‘security event’ at their workplace. When asked about vulnerabilities, a third (33 percent) of employees and 43 percent of managers said that confidential company information is susceptible to being stolen or accessed by unauthorised people. 72 percent of workers believe the greatest threat to data security is employee related due to them downloading infected files or malware, or simply not thinking about security. And 16 percent admitted to accessing documents that they shouldn’t really be looking at while at work. The extent of data security exposure that Australian organisations are facing can be seen when relatively small overall percentages are extrapolated into real numbers: the 12 percent of respondents who admitted to having accessed or taken confidential documents from their workplace without proper authority potentially equates to 719,000 employees across Australia. Of great concern too is that from that group of respondents, 7 percent did so after they had stopped working for the company – the main reason being to help them in their new job. This is a very real example of lost confidentiality and IP. Encouragingly, 95 percent of managers say that their company ‘is serious about the security of information’ and that the majority of its employees take information security seriously (40 percent say that ‘everyone’ takes it seriously and a further 46 percent say that ‘the majority take it seriously’). But LogRhythm is concerned by the 5 percent that say their company is ‘not very serious about the security of information’ as this figure extrapolates to 59,000 managers nationally. *
* For more information on these articles in Security Survey Summary check out our website at www.australiansecuritymagazine.com.au 4 | Australian Security Magazine
F5 Survey Indicates Growing Hybrid Deployments Across Asia Pacific F5 Networks has released findings from ‘The State of Application Delivery in APAC 2015’ survey, which found that enterprise applications are increasingly being moved into the cloud as organisations embrace the “cloud-first” philosophy. Based on survey data from 3,200 IT decisions makers across the Asia Pacific (APAC) region, the findings detail their current and planned use of application services. Growing number of applications and flexibility of cloud Findings further reveal that the use of applications by APAC companies is growing and shows no sign of abating. Amongst those surveyed, almost half (45%) currently deploy between 1-200 applications, while almost 10 per cent of organisations currently deploy more than 3,000 applications. The study also showed that at least 41 per cent of IT decision makers are open to moving up to a quarter (24%) of their applications to the cloud by 2016, while almost 24 per cent are keen to move between 25 to 50 per cent. “As applications continue to be a critical part of the business strategy, organisations are seeking the same confidence level in cloud deployments that they’ve seen in the data centre. Companies in every industry rely on applications to drive customer engagement, employee productivity and revenue today. In fact, our research revealed that mobile applications and big data analytics are considered more important trends than the Internet of Things. These findings suggest a growing hybrid environment across the region, with a mix of on premise and off premises solutions increasingly being adopted by enterprises,” said Emmanuel Bonnassie, Senior Vice President, Asia Pacific, F5 Networks. Obstacles for hybrid cloud adoption Despite the growing popularity of hybrid clouds, 29 per cent of organisations attributed slow adoption to the failure to identify a comprehensive identity and access management policy. Furthermore, another 35 per cent also admitted to the lack of internal knowledge of the scope of cloud usage as an impediment to adoption. *
If you have an entry for Movers & Shakers please email details and photo to firstname.lastname@example.org
See what once could not be seen. View an entire parking lot with crystal clear wide shots and see individual license plates at the same time. See how the Avigilon 7K HD Pro, the industryâ€™s first 7K (30 megapixel) camera, improves resolution by almost 4x over 4K cameras, all while minimizing bandwidth and storage consumption.
MINIMUM BANDWIDTH AND STORAGE
Learn more at http://avigilon.com/7K
Chair of ONVIF’s Steering Committee
At Security 2015 Exhibition in Melbourne, Australian Security Magazine Editor Chris Cubbage sat down with Per Björkdahl, Chair of ONVIF’s Steering Committee.
Workgroup. “With this initial release of the Client Test Tool, this brings ONVIF one step closer to a transparent and integrated process to achieve ONVIF conformance.”
Since its inception in 2008 and now with more than 500 members on six continents and more than 4,000 conformant products, ONVIF is the largest global standardisation initiative for IPbased physical security products in the world. In April 2015, the first Client Test Tool was released which tests clients for conformance to ONVIF’s Profile S for video streaming and configuration, Profile G for recording searches and Profile C for door/access point control specifications. The Client Test Tool allows hardware and software-based clients such as video management systems, building management systems, physical security information management (PSIM) systems to be tested for conformance to profile specifications. “ONVIF’s Client Test Tool was created to answer the physical security community’s call for increased interoperability and accountability,” said Hugo Brisson, Chair of ONVIF’s Client Testing
Editor: Given the importance of the ONVIF initiative, what is the degree of compliance checks on ONVIF conformance claims and is false conformance claims a problem?
6 | Australian Security Magazine
Per Björkdahl (PB): We do have non-members who implement the ONVIF protocol and make claim to be ONVIF conformant and this is obviously a problem for us as we’re a member based organisation and need members to pay their fees to maintain ONVIF and it is also a Trademark violation. The rate of violations of the ONVIF conformance is not a significant issue and is often related to particular countries of origin or lower range products and generally, you will often get what you pay for. There are similar problems with other product classes, such as HDMI, there will always be someone who is trying to take a shortcut. ONVIF maintains a list as to conforming products and the details of the declaration of conformance
includes the model numbers and the firmware that has been accepted, what features have been accepted and has been signed by a company representative. We have preferred this model of self-testing, because if we go to third party testing we create issues around certifying test labs and leads to greater costs and likely to be prohibitive to the development of ONVIF. Editor: Is the new Client Test Tool available to non-manufacturers? PB: The test tool specifications are available to members on the ONVIF website within the Developers’ Forum. We have also introduced a new ‘service’ level of membership which is for nonmanufacturers and you get access to the test-tool so if you’re uncertain or need a means of checking and if there is doubt or need for verification of the conformance, you can run the automated test, by connecting the device and running the test software. If the product happens to fail you can address the issue with the manufacturer or advise ONVIF of non-conformance. There are approximately 4,500 products listed as compliant and around 540 ONVIF member
There are approximately 4,500 products listed as compliant and around 540 ONVIF member companies and we have so far not received a complaint of someone falsifying or falsely claiming conformance. companies and we have so far not received a complaint of someone falsifying or falsely claiming conformance. The few issues we have found has been from us checking against the distribution lists and compliance product claims and generally relates to those companies not being members. To advertise your product as ONVIF compliant you need to be a member company. Editor: What is the ONVIF membership base and major drivers for the organisation? PB: Around half of all ONVIF members are from China and a majority of those members join for the purpose of getting ground in their domestic market, as the ONVIF standards is dominant in that market and is growing at a different pace than the rest of the world. ONVIF anticipates that into the future all security systems will share a common interface and be fully integrated but no one wants a standard that covers all aspects of the products as it will not allow innovation and competitiveness. So ONVIF looks to establish a solid foundation of a feature set. As an example, if youâ€™re a VMS manufacturer and you support around 250 different manufacturers and each manufacturer produces 50 different models, calculates to over 2,000 cameras and each year they do one or two firmware upgrades, results in over 2,000 new drivers that the VMS manufacturers constantly need to update, as well as server releases and this takes a large portion of their resources to maintain it. If they switch to relying on ONVIF Profile S standard, it saves them a lot of time and money in knowing that about 70 per cent of camera deployments are covered and they can focus on the remaining aspects of each product. The direction of ONVIF is up to the members and we are currently expanding the Access Control standards and we may anticipate that future profiles will address PSIM â€“ Intruder Detection profile following Access Control.
ONVIF conformance and false claims
H By Stuart Rawling Chairman, ONVIF Communication Committee
8 | Australian Security Magazine
ow do you know if a device or client is ONVIFconformant? What if a manufacturer makes false claims of ONVIF-conformance in its advertisements? Is ONVIF policing the market for fraudulent uses of the ONVIF brand? What exactly is ONVIF’s role in the industry then? These are all good questions and deserve good answers, and are a crucial part of ONVIF’s ongoing conformance and education campaign, which seeks to address false claims of conformance by manufacturers. After all, ONVIF plays an important role in the industry and the credibility of the ONVIF brand is crucial to its future success. Since its inception in 2008, it has created specifications that have made more physical security devices and clients from different manufacturers work together more successfully than ever before. With three different profiles currently available and two additional ones in development, ONVIF strives to meet the needs of the physical security market of today, developing profiles and adjusting its focus in response to industry trends and end user demand. ONVIF is the largest organization of its kind in the world and has seen its membership grow steadily each year since its founding, increasing between 24 and 50 percent each year. At present, there are more than 500 ONVIF members. There are currently 5,000 ONVIF conformant products and that number is growing. In the first half of 2015 alone, the number of conformant products increased by 15 percent. As an organization, the credibility of the ONVIF brand influences the adoption of standards, ONVIF’s future and how the organization is perceived. False claims do happen in every industry, varying from exaggerated technical specifications to questionable compatibility claims between products. As ONVIF profiles have increased in deployment and acceptance globally, we have seen a few issues with claims of conformance or misuse of our trademarks.
Misuse/violation of ONVIF’s Brand ONVIF’s standards specify minimum operational requirements so the conforming devices can guarantee interoperability at the most fundamental level. So ONVIF’s role is to find the basic commonalities of the different offerings and provide an option for interoperability that meets the needs of a majority — maybe 75 to 80 percent — of the market. Our specifications are either adopted voluntarily by the market, driven by demand, or through international standards issuing organizations, such as the International Electrotechnical Commission (IEC) and the International Standardization Organization (ISO), can adopt the ONVIF specification into their own global standards or regulations. Later this year, false conformance claims will be able to be reported via our website. Consumers, integrators and anyone else will be able to contact ONVIF’s administrative office using a web form if they believe an invalid claim of conformance is occurring. Education Initiative ONVIF’s ongoing conformance and education initiatives have shown that a vast majority of ONVIF members are able to comply with the conformance process without issue. In the last year, we have found that the invalid claims are often the result of a lack of understanding and this is why we are working hard to communicate better with our members about what is required of them. For example, one area we need to educate the market about is regarding the use of rebranded OEM products. ONVIF certifications on OEM products are not transferable, and so members who OEM a product which already has a claim of conformance must retest and submit new documentation to show valid conformance. We did find a very small number of manufacturers who
‘When a misuse/violation is reported, ONVIF has official channels through which member complaints of non-conformance can and have been addressed. Thus far, we have seen an increase in reports of conformance issues.’ had decided to leave ONVIF were still using the ONVIF logo. In these cases, ONVIF notified the violating companies and instructed them to immediately cease advertising that their products are ONVIF conformant and from using the ONVIF logo. Additionally, ONVIF has reiterated the conformance process and Rules of Membership to member manufacturers that claim conformance without having submitted the requested paperwork to ONVIF to verify their conformance. However, to maintain the integrity of the brand going forward, we believe that ongoing education and communication with our members is crucial when it comes to accurately labeling products as ONVIF-compliant. The market will continue to see speaking engagements and educational sessions at major trade shows on ONVIF’s mission and conformance process, as well as media coverage to provide further education on conformance. When a misuse/violation is reported, ONVIF has official channels through which member complaints of non-conformance can and have been addressed. Thus far, we have seen an increase in reports of conformance issues. We are encouraged by this feedback because it confirms that the market values the standards and work of ONVIF. It shows the industry is taking an active role in helping to ensure the integrity of the ONVIF brand.
questions about the conformance process can be posted and addressed by the ONVIF community. Member companies can also test their products for conformance at our Developers’ Plugfests, which are typically offered twice a year, at different locations around the globe.
Additional Conformance Testing Tools
One of our stated goals with our educational campaign on conformance has been to reinforce and in some cases provide clarification on our existing policies and processes. In the year since the launch of our conformance education campaign, we have learned that this education must be continual and address all of the different constituent groups that ONVIF serves in the market. ONVIF will continue to focus on making multiple brands and technologies work together. Developing a specification together and adhering to it establishes basic ground rules for the industry and is an acknowledgement that the proprietary model does not necessarily work as well as it has in the past. ONVIF also will continue to solicit feedback from the security community and ONVIF members, continuing this dialog on how to keep false claims of ONVIF conformance small in number. When you see false claims of conformance, whether you’re an ONVIF member, a journalist or integrator, please contact ONVIF. Your help is integral in keeping the ONVIF name meaningful and will help lead the way toward increased interoperability. Please remember that the best source for determining whether a product is officially ONVIF conformant or not is ONVIF’s official website, onvif.org. To report a false claim of conformance, please email email@example.com with the details.
Two other important steps have also been taken to augment ONVIF’s enforcement efforts and allow for increased visibility and clarity of the conformance process. In April of this year, ONVIF released its first Client Test Tool to its members. The test tool was created in response to industry requests for increased accountability in the conformance of clients. The Client Test Tool is available to members and allows ONVIF to independently verify that clients, such as building management systems and video management systems, have been successfully tested with several ONVIF conformant devices for their conformance to ONVIF’s Profile S, Profile G and Profile C. Our new Observer member level was also created in response to feedback from members of the security industry. Observer membership lets non-manufacturers join ONVIF. This membership is important to ONVIF’s broader conformance education because it grants industry stakeholders, such as systems integrators, A/Es, consultants and product reviewers, access to ONVIF’s Network Interface Specification test tools and Client Test Tool. This gives Observer members the ability to independently verify conformance between two specific products using ONVIF’s test tools, including the Client Test Tool. ONVIF also hosts online member forums so that
Interoperability We continue to see an increased awareness of the importance of interoperability in general among end users in the industry, which in turns reflects the need for a broad acceptance for what ONVIF provides. ONVIF is playing an active role in shaping the dialog on and specifics of interoperability within the physical security industry. When it comes to ONVIF conformance, it is important to remember that ONVIF profiles ensure interoperability. ONVIF is a member-driven consortium that encourages its members to bring their best work to market and to maintain the integrity of the ONVIF brand. Ultimately, though, it is the responsibility of the manufacturer to ensure their products perform well. It is a bonus that sometimes our focus on interoperability can help reveal potential issues of quality for a manufacturer’s product. ONVIF Conformance in 2015 (and Beyond)
Australian Security Magazine | 9
BAE Systems Applied Intelligence Feature
The changing threat landscape: the rise of the Zero-Day attack and how to prevent them New data breaches are uncovered almost daily – any one of which can jeopardise your company, place your intellectual property at risk, and cause monetary and reputational damage in minutes. Cyber criminals are increasingly aggressive, well-funded and persistent, and these days, no company can ever be perfectly safe from the most determined attackers. As the threat landscape continues to evolve, and malware detection becomes more advanced, cyber criminals are forced to create ever more sophisticated and specialised malware. As traditional signature based anti-virus scanners evolved into traditional signaturebased and heuristic-based malware scanners, the amount of spam and viruses caught with signature alone has reduced, but the amount of total malware has increased. In 2005, seven ‘families’ represented 70 per cent of all malware activity , and the types of viruses were mainly mass-mailing ‘worms’ with backdoor capability, including for example Nigerian email scams. In 2014, 20 ‘families’ represented 70 per cent of all malware activity ; with today’s malware much more sophisticated and unique, including for example stealthy command-andcontrol botnet membership, credential theft, and often also including some form of fraud such as bitcoin mining. And now, with 70 to 90 per cent of malware unique to any single organisation , the most difficult attacks to defend against are Zero Day attacks – attacks that are unknown or have not previously been seen and therefore cannot be recognised and blocked by their ‘signature’. Email is the single most important entry point for malware insertion, as it is the centrepiece of business communications and is the most common egress and ingress point for information within most companies. It is also the single most important entry point for targeted attacks, spear phishing, ‘longline’ phishing, and advanced zero day exploits.
In fact, 95 per cent of cyber attacks start with an email message . ‘Phishing’ campaigns mostly target Common Vulnerabilities & Exposures (CVEs). These attacks can spread through an organisation like wildfire, with 75 per cent of attacks spreading from victim 0 to victim 1 within 24 hours, and 40 per cent of attacks hitting a second organisation in less than one hour .
Post-exploitation: Interrupting the command and control and actions on objectives phases
As malware evolves, traditional anti-virus software is struggling to cope. For example, sophisticated malware can now recognise when it is being ‘sandboxed’ by looking for files associated with the sandbox environment. Companies need a strategy that reduces their security exposure and protects them from reputational damage and intellectual property theft from cyber threats with fast and effective attack detection, containment, and response.
The technology solution Companies need a strategic systems approach to protect against today’s evolving cyber threats. A systems approach requires multiple layers of technology that help protect an enterprise at every phase in the Kill Chain. These components work together as cooperative, compensating controls to interrupt attackers as they attempt to move from one phase to the next. These technologies are appropriate before an attack succeeds (pre-exploitation) and afterwards (post-exploitation).
Pre-exploitation: Interrupting the delivery phase •
Email security: Strong, redundant anti-virus and anti-spam engines, with controls to throttle high-volume senders and detect directory brute-forcing
Web security: Inline web security filters to prevent visits to sites that are known to or likely host malware used in attack campaigns Zero Day Prevention: Heuristics, analytics and sandboxing to stop targeted attacks, spear phishing, “longline” phishing, and advanced Zero Day exploits that anti-virus and anti-spam controls can’t detect.
IDS/IPS: Monitoring and analysis of complex network traffic in real-time; blocking of malicious internal traffic and sophisticated attacks that cannot be prevented with firewalls alone • Security information and event management (SIEM): 24 x 7 monitoring of critical devices on the network by a trained security team. Log management: Regular reviews of security logs from critical devices to understand security events across the network, detect suspicious activity and respond quickly to prevent malicious attacks • Insider Threat prevention: Content aware policy filters to ensure that sensitive and protected information stay inside the organization - where they belong. A systems approach connects the dots and those connections ensure that information gets in the hands of those who need it as quickly as possible - whether it’s a system component or a human being.
The people solution The most insecure parts of any security infrastructure are the living, breathing human beings tapping on keyboards. Intentionally or not, we all make mistakes now and then. Phishing emails can masquerade as friends,
PROTECT AGAINST ONLINE QUOTE MANIPULATION How can Insurers address attempted fraud and dishonest manipulation at point of quote, while minimising friction for genuine customers?
For more information visit www.baesystems.com/ai
10 | Australian Security Magazine
Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
BAE Systems Applied Intelligence Feature
or as a popular retailer or businesses. Phishing emails cloak their origins by using masked URLs that only show the true URL if you hover your mouse over it. Ultimately, phishing emails are designed to induce recipients to ‘click’ and visit malicious destinations controlled by the attackers. Phishing emails are hard to stop unless recipients are vigilant. While there are numerous tipoffs a user can employ to detect a phishing scam, employees must be trained to recognise them.
How to spot a ‘phish’ It’s not always straightforward, but there are a few steps employees can take to avoid being drawn in by a phish. 1. Looking for misspelled words and lousy grammar: Hackers are notoriously bad spellers. Some marketers are too, so it’s not always the case that that a typo-laden email is a phish, but it’s a good tipoff 2. Looking before they click: Before clicking, hover over a link to make sure it goes to the site you think it does. Often, a phishing email will spoof the URL of a well-known brand - or just camouflage a nasty IP address under that URL 3. Only opening the familiar: If employees receive emails from people they don’t know, or offers from companies they never subscribed to, they shouldn’t open them. And if you do open them, don’t click any links 4. Paying attention to ‘link bait’: Attackers want victims to click on their links and will exploit every human failing to get them to do it. The more strongly an email appeals to employees’ curiosity, charity, urgency, prurience or vanity, the more likely it is to be a phishing attack.
Protecting against zero day attacks
techniques that analyse unknown objects with malware engines while applying advanced techniques to detect and prevent attacks, even without signatures. 1. Stops sophisticated threats, including Zero Day Attacks and Advanced Persistent Threats 2. Arms CIOs and IT managers with new, comprehensive detection techniques to reduce their company’s attack surface and vulnerabilities 3. Provides protection at the time of click through real-time detect and block capabilities by rewriting URLs 4. Uses ‘in-line’ inspection and prevention techniques to stop payloads before delivery 5. Inspects all known and emerging malware contained in messages, headers, metadata, links, and all potentially malicious attachment types and returns minimal false positives 6. Provides a holistic view of incoming threats, so it can be rapidly assessed, evaluated and acted on by human analysts. If one component detects something, it alerts the other components. Putting everything under the same watchful eyes protects assets and helps a company understand the risks more acutely 7. Addresses the entire ‘kill chain’ by providing companies the support and intelligence they need, when they need it Cyber security is no longer just about keeping the lights on – businesses need to protect their corporate IP, their reputation, and keep the trust of customers, investors and the public. By developing a partnership with their supplier and combining that with ongoing training of staff, companies can increase their understanding of the threat landscape, and where they can’t prevent each and every attack from happening, they can increase their chances of dealing quickly and effectively with an attack, thereby minimising detrimental outcomes.
BAE Systems’ Zero Day Prevention leverages leading-edge statistical analysis techniques, static and dynamic analysis, machine learning and innovative exploit detection sandbox
So what are the stages of a ‘phishing’ attack and how does it work? 1. Spear-phish email with link Compromised enterprise servers are used to send the emails. This has the advantage of by-passing reputationbased spam detection filters as well as tricking the recipient with a recognisable sender domain. 2. Malware delivery The email asks the victim to click a link. These links send the recipients to compromised websites hosting zip files containing the malware payload. 3. Malware ‘Command and Control’ (HTTPS) Once the payload is downloaded and executed, the malware communicates over HTTPS to a compromised server hosting a PHP script which provides a gateway to a custom task/log database file. 4. Victim information and tasking The attackers access the Command and Control (C&C) server through the same gateway script. They can then retrieve logs of victims connecting back to the server, and add tasks which the malware retrieves. This can include general tasks like password stealing or taking screenshots, but also arbitrary commands and scripts to execute. 5. Document exfiltration The attackers will then extract the documentation from its location. Often, they make use of cloud storage service OneDrive (part of Microsoft’s Live service). The VBS script adds OneDrive as a mounted drive, moves the stolen documents there (where they are synchronised with the cloud), and then un-mounts the drive. 6. Document retrieval Using OneDrive is beneficial as it is free and anonymous for the attacker to setup, but also unlikely to be blocked from enterprise networks and has encryption by default. Once the stolen documents are synced with OneDrive, the attackers can log in and quickly retrieve the stolen data through an anonymous internet service such as TOR.
Sanjay Samuel General Manager APAC, BAE Systems Applied Intelligence
WHITE PAPER - THE DATA LAKE - READY TO TAKE THE PLUNGE? We live in a time of uncertainty for the traditional Enterprise Data Warehouse (EDW).
Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
Anatomy of a phishing attack
WHITE PAPER - 5 STEPS TO IMPROVED OPERATIONAL SECURITY In the modern world, for many of us working to tackle cyber crime, the goal of building effective operational security is not only to be able to identify, investigate and re-mediate cyber attacks and crimes conducted in cyber space which impact on the real world, but to prevent such attacks from occurring in the first place.
Australian Security Magazine | 11
It’s all about cyber security
By Sarosh Bana ASM Correspondent
12 | Australian Security Magazine
he threat to cyber security is mounting even as the technology landscape transforms across the world, with some of those either within or outside the organisation manipulating the changing technologies to their advantage. The shift towards software-defined networks, cloud infrastructures and smartphones replete with apps has added complexity as systems appear increasingly vulnerable to web threats and frauds that are only increasing in number and sophistication. The profitability of cybercrime is transforming the nature of the game. And in its relentless quest to stay ahead of the fraudsters, cybercrime intelligence the world over is evolving ever newer tools to thwart the changing threat landscape of internet fraud and crime in an effort to safeguard official and personal data and information. Mindful of these challenges, Amit Yoran, the President of RSA, The Security Division of EMC Corporation, both headquartered in Massachusetts, has given a clarion call to adopt faster detection and response to end the “vicious cycle” of prevention and remediation. Addressing government and private industry cybersecurity experts in Singapore at the recent RSA Conference Asia Pacific & Japan (RSAC APJ), the RSA chief urged companies and governments to re-think their traditional approaches to cyber defence as they increasingly turn to mobile and cloud technologies to store and access data and systems.
This third APJ edition of the annual RSA Conference, the world’s leading information security symposium and exposition, elicited a record turnout of over 4,900 registrants, a 50 per cent increase from 2014, attending 60 track sessions, keynotes and tutorials featuring more than 90 speakers. The track sessions were split across the seven tracks of Cloud and Data Security, Cybercrime and Law Enforcement, Governance and Risk Management, Mobile Security, Security Infrastructure, Threats and Threat Actors, and Sponsor Special Topics. The Conference also saw more than 90 exhibitors and sponsors, an increase of 35 per cent over 2014. Participating companies included Cisco Systems, Australian Strategic Policy Institute (ASPI), Fortinet, Barracuda, MITRE, Certes Networks, Ernst & Young, Akamai and RSA that showcased the latest technologies designed to secure and protect organisations against cyber threats. The closing keynote address was delivered by Kailash Satyarthi, the Indian national who won the Nobel Peace Prize in 2014 for his children’s rights advocacy and activism. Yoran discussed how the rapid growth of mobile and cloud technologies presents a boon to organisations and industries, but also a significant threat to their legacy security operations. As mobile and cloud technologies decentralise organisations’ digital environments, the perimeter on which traditional cyber defences are based is disappearing. “Despite the disappearing perimeter, businesses around
the world continue to rely primarily on perimeter protection technologies like firewalls, anti-virus, and intrusion detection systems to prevent breaches, only to see those tools invariably fail under the onslaught of today’s advanced attacks,” Yoran said. “Compounding that failure is the current practice of relying on SIEM and other signature-based tools that require historical experience to detect advanced threats, which oftentimes have no precedent.” He added that this combination of antiquated technologies and misguided practices is the root of the vast majority of today’s security failings. Yoran concluded by reminding the audience that the technologies already existed for companies to move to a more effective approach to security focused on faster detection and response to security threats. What was lacking was the will. “This is not a technology problem,” he said. “This is a mindset problem.” Citing nation-state attackers as the biggest challenge to internet security today, RSA’s Chief Technology Officer, Dr Zulfikar Ramzan, remarked, “The good news is that they are still relatively few.” Ramzan, who works out of Santa Clara, California, said that attackers were generally getting more sophisticated and what was considered a sophisticated attack five years ago was today viewed as a mainstream one. Enhancing preventing measures at times was no use, he said, because good adversaries would find ways around them. The issue was often not that a major breach had occurred, but to get to know the full scope of the breach and what happened from that point onward, he averred. The key to managing these incidents was getting knowledge of them in time so as to contain their impact, he added. He maintained that this was a problem area that more vendors were addressing, and more companies needed to think about. Indicating that most of the recent data breaches were compromises in legacy IT systems and not in cloud services, Ramzan maintained, “We need to get over the idea that cloud is somehow inherently insecure, for it may actually be more secure for your needs.” He pointed out, however, that though it was cheaper and more efficient for the cloud provider to secure the infrastructure for all the customers than for each individual company to handle security themselves, there still were issues cloud providers needed to improve. “They need to provide customers visibility and control for data governance, as well as to help understand compliance risk,” he said The departure from perimeter-defined security was a key theme at the RSA Conference and Munawar Hossain, director of product management for data centre security and content security at California-based networking solutions giant Cisco Systems, Inc., said that the state of data centre security had also evolved from the paradigm of a selfcontained operation with a well-defined perimeter. “The data centre has evolved in three distinct ways: the aspect of virtualisation, the dependence of the data centre on optimised resources, and the dependence on services not housed in the data centre,” he noted. Stephen Dane, Cisco’s Hong Kong-based managing director for Security for APJ and Greater China, mentioned that was no longer a matter of “if ” cyber attacks would happen, but “when” and “how”. “Security concerns everyone in a business environment, and is now a persistent business risk,” he noted. “Many companies are still underserved by
This third APJ edition of the annual RSA Conference, the world’s leading information security symposium and exposition, elicited a record turnout of over 4,900 registrants, a 50 per cent increase from 2014, attending 60 track sessions, keynotes and tutorials featuring more than 90 speakers. point product solutions that lack continuous advanced threat protection and it is not unusual to find organisations with 40 or more different security solutions that don’t and can’t work together.” Attackers were taking advantage of the gaps in visibility and protection. According to him, not only did security need to evolve to meet new demands, but a new approach to security was also required. Dr Tobias Feakin, Senior Analyst, National Security, and Director, International Cyber Policy Centre, at the Australian Strategic Policy Institute (ASPI), based in Barton in the Australian Capital Territory, explored the concept
Australian Security Magazine | 13
“Smart cities represent the risks posed by the Internet of Things on a large scale, as the attack surface is huge and complex” of cyber-maturity, noting that Asia-Pacific countries had different levels of security understanding and readiness. “The Asia-Pacific region was home to some of the ‘least networked’ as well as the ‘most networked’ countries,” he remarked. “Australia has a more mature conversation around national security threats, for example.” Web-based fraud is a growing problem in Asia-Pacific. IBM Security’s George Tubin described how the Dyre malware family combined phishing and malware to steal login credentials for online banking systems and then initiated wire transfers for large amounts of money. His colleague, Tal Darsan, gave details about Tsukuba, a banking Trojan which specifically targeted Japanese Facebook users and customers of 20 Japanese financial institutions. Organisations should quantify and prioritise risks associated with customer Web sessions and transactions, the speakers said. Feakin discussed how organisations could apply cybermaturity concepts, such as looking at how growth in the digital economy in the Asia-Pacific affected potential growth, and identifying risks. “When making policy decisions, look beyond your usual horizons and try and assess how they will be affected by political trends, legislation, and societal considerations,” he recommended. Referring to a spike over the past five months in offensive cyber activities by groups claiming association with the Islamic State, or ISIS, Feakin indicated that the Twitter and YouTube accounts of the United States Central Command (CENTCOM) - a theatre-level Unified Combatant Command responsible for US security interests in 20 nations, stretching through the Arabian Gulf into Central Asia - were suspended in January after CyberCaliphate, a group claiming to support ISIS, had hacked into both, defacing them with pro-ISIS messages. “While the hacks had no direct impact on CENTCOM’s operations, they were certainly embarrassing and akin to acts of ‘hacktivism’ we’ve seen from groups like Anonymous,” he mentioned. “In February, the same group hacked into Newsweek and, of all things, Taylor Swift’s Twitter account, defacing both with pro-ISIS messages and sending threatening messages to US President Barack Obama.” In March, a group claiming to be the IS Hacking Division published on JustPaste.it a list of photos, names, addresses and branch of US service personnel, which it claimed was taken from US military data servers. Accompanying the data was a statement from the group: “With the huge amount of data we have from various different servers and databases, we have decided to leak 100 addresses so that our brothers in America can deal with you…kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking
14 | Australian Security Magazine
WEBINARS UPCOMING WEBINARS:
Protecting critical value data from the inside FEATURING Keith Lowry
NUIX Senior Vice President, Business Threat Intelligence and Analysis
NUIX Senior Vice President, Business Threat Intelligence and Analysis
MORNING SESSION: Date: Thursday 17th September 2015
Time: 9am AEST
Duration: 45 mins + Q&A
Security requirements for critical infrastructure FEATURING Peter Bartzios
SIEMENS Technical, Sales and Management
SIEMENS Product Manager and subject matter expert
AFTERNOON SESSION: Date: Thursday 17th September 2015
Time: 1pm AEST
Duration: 30 mins + Q&A
To register for these webinars, visit:
The power of penetration testing in boosting cyber resilience
By Dave Jarvis National Practice Lead, UXC Saltbush
It seems that every week there is another zero day exploit doing the rounds. Software patching and updates are becoming increasingly frequent, and the rise of mobility is further weakening the business world’s cyber attack surface. Traditional defences can no longer provide the protection needed. Organisations need to become resilient to adapt to these new and emerging threats. Cyber security resilience involves more than just the prevention or response to a specific attack. It also takes into account the ability to operate during, and to adapt or recover, from such an event. This goal requires cyber risk management, and not one, but many cyber security measures. Traditionally, companies have focused on protection against specific cyber attacks. In today’s digital environment, however, a resilience-based approach to threats is more effective for organisations wanting to adapt to change, reduce exposure to risk, and learn from incidents when they occur. Due to the growing interconnectedness that comes with new and emerging business technology, improving the resilience of one organisation can be a small step in improving the cyber resilience of all. The same goes for the disparate departments and operations within a single business. Once a unified, company-wide approach to security is established, there will be fewer points of vulnerability to exploit. According to CERT Australia, the government’s national computer emergency response team, modern organisations must layer security defences for their IT systems to reduce the chance of a successful cyber attack.* * Australian Cyber Crime & Security Survey Report, CERT, 2013.
16 | Australian Security Magazine
While the installation of traditional security software, including a firewall, anti-virus, and anti-spyware remains an essential first step to cyber security, these safeguards alone are no longer enough to adequately protect an organisation from potential threats. Instead, businesses should manage risk with multiple defensive strategies, so that if one layer of defence turns out to be inadequate, another layer can step in to help prevent a full breach. This is known as ‘defence-in-depth’. The multiple defence mechanisms layered across an organisation’s network infrastructure can protect data, networks, and users. A well-designed and implemented defence-in-depth strategy can help system administrators identify internal and external attacks on a computer system or network. Building organisational resilience to cyber security incidents also requires constant awareness and action. For an organisation to be prepared before an incident occurs, cyber security needs to be part of its risk management, resilience structures, and planning, and staff need to be trained to use good cyber security practices as part of their daily work. Steps on the path cyber resilience There are many ways to protect an organisation’s networks and confidential data at multiple levels. For starters, businesses should make sure they keep their software patches up-to-date and use versions of software that are still supported by such updates. This should include all operating systems and applications, as well as email, database, and
web servers. Make sure systems are configured to update automatically where possible. Given today’s regulatory regime around handling sensitive or private customer information, it is vital that companies develop a backup strategy for critical or sensitive data. A good strategy includes daily backups, an additional weekly or monthly backup, with both offline copies as well as offsite storage of at least the weekly backup media. Companies should make sure to test that they can recover with backup data. A sound backup strategy will ensure access to information in the event of a cyber security incident. Having an offline backup also reduces the impact of ransomware attacks. Sometimes the simplest solutions can often be overlooked, yet taking the basic step of creating nonadministrator level accounts can do a great deal to help guard against the threat of a security breach. New computers usually have, by default, a single user account with administrator privileges. Split this into two, and the opportunity for an attacker to gain control of a system can be reduced. Use the non-administrator account for all day-to-day activities, in particular for accessing email and web browsing. The retention of network and computer event logs has become best practice for most industries in which IT plays a vital role. The reason for this is that it can help organisations better detect malicious activity. This is important, as it is still the case that most security breaches go unreported simply because they remain undetected. Implementing sound logging practices improves the chance that malicious behaviour will be detected by highlighting any changes to the normal behaviour of a network, system or user. Logs can show how a cyber security incident came to pass and, therefore, what can be done to prevent similar occurrences in the future. With mobile devices playing such a large part in business technology, it is important to keep in mind that users with remote access can be targeted by attackers to attempt to gain unauthorised access to an internal network. Organisations should have systems in place that can ensure any remote access services are secure. This might involve disabling remote access if it is not needed, or using strong passwords if remote access is required. It is also important secure all other public-facing services, like a web server, through independent website penetration testing for vulnerabilities. The importance of penetration testing Another vital element in establishing cyber security resilience is regular penetration (or ‘pen’) testing. Without pen testing, there is no way of knowing how protected a company is from known threats in the wild. Undergoing pen testing for IT security defences can sometimes be a bit like going on a first date: those involved are a bit nervous that the results might be embarrassing and everyone will find out about it. Nevertheless, pen tests are an essential element of any information security risk assessment. They can provide proof of potential vulnerabilities and help deliver actionable information to support executive decision-making and priorities for investment. It is important to be honest and
open about systems and processes when it comes to pen testing, even if this seems counter-intuitive to the natural reaction of self-preservation and protection. Before embarking on a pen test, here are five tips for getting true value from a pen test engagement: 1) Be careful in defining scope How much should be divulged on a first date? Unless the objectives from a pen test have been carefully considered and defined, it is likely to drift into areas that are not necessarily where the organisation wants it drift. Two key questions to ask and answer truthfully, are: “What are our security objectives?” and “What outcomes are we looking for?” 2) Create rules and manage expectations A pen test engagement will likely involve limited time, tools, and resources. However, most determined hackers can mount a sustained offensive using multiple tools and exploits over a long period of time. As such, it is important to remember that a pen test is a point-in-time activity, so treat it accordingly. While pen testing is not a public spectacle for uploading to YouTube, make sure that relevant third parties, such as hosting providers, are managed so they can brought in on the act as well. This will help with greater overall insight. 3) Put pen testing into proper context Given the time restrictions that pen testing is often subject to, different testers can potentially deliver varied results, depending on the different tools and tactics they deploy. Despite this necessary limitation, pen testing is crucial within any risk framework with the prerequisite of a robust information security framework. Don’t analyse it in isolation; it’s a one off event just like a date, not a silver bullet or ticket to the altar. 4) Go for quality Generic self-testing and self-assessment has its place if the risk profile is low enough. However, doing it all alone is no substitute for the real thing. To get value for money, take the precaution of selecting a reputable company with respected accreditations. One approach could be to look for the internationally recognised CREST stamp of approval, which is hard to achieve. It also assures that individual pen test operatives have the necessary skills, and that their employing company has appropriate quality assurance procedures to avoid any slip-ups. 5) Get executive buy-in upfront Get approval early on. Executives must fully understand the reasons for the exercise and its potential consequences. Too many organisations budget for a pen test and not its outcomes. However, a ‘test and forget’ approach is not a mature option. Paying lip-service by just having regular pen tests is not an inoculation against real attacks. While it may not be possible to fill all potential gaps, accept that some remediation may be required to satisfy a risk profile. Get commitment upfront from management that a treatment plan will be actioned.
Australian Security Magazine | 17
The best ways to fend off DDoS attacks By Martin Ryan
18 | Australian Security Magazine
hen Australia’s largest wireless broadband provider Cirrus Communications suffered a distributed denial of service (DDoS) attack in July 2014, the attack had hit Cirrus’ core network, rather than the radio equipment on the edge, knocking out half of its network. Following the incident, the broadband provider admitted that it had experienced “struggles” in the wake of the event, and further reports suggested that the attack had disrupted communications to other carriers that use Cirrus’ services. It would be naïve to think that DDoS attacks are rare. In fact, many reports indicate the opposite. According to BT Global Services, 64% of Australian organisations were hit by DDoS attacks in 2014, which was the highest out of all 11 geographical areas measured in the report. Not only are DDoS attacks common, the ones seen in Australia are shorter and more aggressive. According to ARBOR Networks the attack length in Australia during the first quarter of 2015 was 22 minutes, versus 46 minutes in Asia Pacific (APAC). The average DDoS attack was 1.25 Gbps, compared with the APAC average of 483.65 Mbps—a dip from the last quarter of 2014 where the average DDoS attack in Australia was 1.34 Gbps and the average APAC attack size was 500.68 Mbps. Considering the statistics, organisations should already have a solid plan in place to counteract such attacks, but in reality, only 24% of Australian organisations said that they
have sufficient resources in place to counteract a DDoS attack, according to the same BT Global Services report.
It Pays to be Prepared Due to the growing ease of launching DDoS attacks, the demand for DDoS prevention solutions is also on the rise. IDC has forecast that the worldwide market for DDoS prevention solutions will grow by a compound annual growth rate (CAGR) of 18.2% from 2012 through 2017 and reach $870 million. DDoS attacks are not only obnoxious to deal with, but they can be a great detriment to your company. Companies that have undergone DDoS attacks have experienced the following: Loss of income: For ecommerce giants, just a second of downtime could mean thousands in lost revenue. Even if your company isn’t as large as Amazon or eBay, any amount of profit loss due to downtime should be cause for concern. Not only do you miss a potential sale in real time, that customer is less likely to come back and try to purchase from you again in the future. A recent study by Kaspersky Lab and B2B International estimated that a DDoS attack on an organisation’s online resources might cause losses ranging from $52,000 to $444,000.
Brand damage: If potential customers are trying to reach your website and are greeted with an error message, they probably will not immediately assume that the site is under a DDoS attack. They will most likely assume that there is something wrong with the development of the website itself and may feel that it is unreliable, making them less likely to return. Press surrounding DDoS attacks can also paint a bad picture for your brand. If the driving force behind the attack was based on political or moral agendas, your brand could acquire a negative image because it was one of the attacker’s targets. Loss of customer confidence: Just as your brand image may deteriorate in the public eye, your customers may also lose confidence in your organisation. If you have a web servicebased company (think web hosts) and if your servers go down due to an attack, all of your customers’ websites go down as well. It can take only a few moments of downtime a year to provoke a customer to move to another service provider. Personnel cost: The time spent by your personnel to investigate and mitigate an attack can be costly. Time spent by your operations team dealing with an attack only takes away from their regular work. Similarly, your helpdesk will also see an influx of calls and tickets due to questions surrounding access during downtime. All of these extra hours can massively add up over the duration of an attack.
Reducing The Threat of DNS-based DDoS Attacks Domain Name System (DNS) based DDoS is a common network traffic attack used by malicious attackers to impact business operations and critical IT applications. The attacks are designed to bring down DNS servers and consume network bandwidth, thereby impacting critical IT applications. There are three ways such attacks can happen, and three common techniques used to redirect traffic through compromised DNS servers: •
for typically 86,400 seconds, or a full day. Solution: Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed.
The Way Forward The best way to avoid any disruption from a DDoS attack is to be prepared for it. Talk to your DNS provider and ask about their mitigation techniques, and if you are currently doing everything in-house or are relying on your ISP or a firewall, evaluate your situation. Do you feel confident that what you have in place can successfully mitigate an attack? If you are having a hard time deciding whether or not you actually need to invest in a stronger mitigation technique, figure out the impact it would have on your company financially if it were to happen. Although it may not be an apparent risk, the cost associated with being attacked is usually much higher than the cost to take safeguards. If you are not prepared, then you might have to be prepared to pay for it—significantly. About the Author Martin Ryan is the VP Managing Director Asia Pacific at Dyn. He is responsible for leading Dyn’s business strategy in the region as well as increasing the company’s market penetration. Martin holds a postgraduate MBA from the Macquarie University Graduate School of Management and a Bachelor of Electronic Engineering and Bachelor of Business from the University of Technology Sydney.
The first is to perform a cache poisoning attack. Basically, attackers attempt to inject malicious DNS data into the recursive DNS servers that are operated by many ISPs. These DNS servers are typically the “closest” to users from a network topology perspective, so the damage is localised to specific users connecting to those servers. Solution: There are effective workarounds to make this impractical in the wild, and good standards like Domain Name System Security Extensions (DNSSEC) that provide additional protection from this type of attack. The second method is to take over one or more authoritative DNS servers for a domain, and change the DNS data. If an attacker were to compromise authoritative DNS, the effect would be global. Solution: Good security practices like strong passwords, two‐factor authentication, IP Access Control Lists (ACLs), and good social engineering training are effective at thwarting these attacks. The third technique can be the most difficult to undo. The attacker takes over the registration of a domain and changes the authoritative DNS servers. What makes this attack so dangerous is the Time To Live (TTL). Changes of this nature are globally cached on recursive DNS servers
Australian Security Magazine | 19
Mobile messaging Company reputation and security risks rise as business mobile messaging usage increases
By Horden Wiltshire
20 | Australian Security Magazine
hone hacking was once thought of as News of the World type media spying on the private calls of royals and celebrities. That’s rapidly changing because any phone user, right now, could be under the watchful eyes of forces far more malevolent than a gossip sheet. Consumer messaging phenomenon, WhatsApp disrupted the highly profitable SMS market and forever changed the power and potential of IP messaging. Consumers flocked to the service and businesses are jumping on the bandwagon to apply it commercially. Soon, business use of IP messaging will outstrip that of consumers. In the $50 billion world of enterprise messaging, businesses of all sizes use mobile to communicate with clients and customers. In addition to exposing personal data, those messages often contain sensitive information such as intellectual property, classified legal documents, medical reports, investment intelligence, and other financial information.
been hit with expensive breaches. US health insurer Anthem was targeted in late January where attackers tried to get private information about individuals on health plans – their names, addresses, birth dates and income data. Morgan Stanley also reported a major breach after an employee stole data from around 350,000 brokerage accounts and posted it for sale online. However attack patterns change quickly and criminals are turning to less protected ecosystems such as mobile devices. The most common exploit is malware contained within apps - often downloaded from third-party app stores or from unknown links. Those behind these hostile invasions want to exploit personal data, audio, and screenshots. It’s unthinkable to connect a PC or laptop to the internet without up-to-date virus protection, but workers do it every day with phones and tablets. And while companies spend considerable sums securing desktop systems, little thought is given to securing mobile information.
Criminals change their attack patterns quickly
Top management failing to see mobile risks
Attacks on traditional IT systems for such information are not new. This year Healthcare giants to financial stalwarts have
In fact management of many of our top companies either doesn’t seem to be aware of the mobile vulnerabilities, or don’t think it will happen to them.
Research undertaken at a workshop on enterprise messaging with some of Australia’s leading CIOs earlier this year found only 25 per cent of participants thought secure messaging on a phone as being very important. More than half of the CIOs thought it was not important at all believing people use email to communicate important matters, not mobile devices. The reality is critical communication is being conducted outside traditional channels, and increasingly via mobile messaging. Security weaknesses of devices – from non-passwordprotected phones to unencrypted Wi-Fi transmissions - are magnified further as employers opt for BYOD. With BYOD, businesses are tempted to ‘lock down’ the entire environment with costly mobile device management (MDM) solutions which typically create a work/personal split on a device. However for many businesses MDM is overkill and as much of what businesses do is in a messaging context, a securing messaging solution is suitable and much less expensive. BYOD users can also be required to use anti-virus programs – and that’s best practice - but it won’t stop a hacker trying to crack into app software code or the device’s software code, it just slows them down. Hackers want people to fall for phishing scams so they can install the malware that helps them do their dirty work. There’s also evidence in these scams that a mobile user’s identity may be spoofed by an unknown source (disguised as a user known to the receiver), no amount of securing the communications channel alone would be of any benefit. Multi layer encryption changes the game
confidence to a business to innovate and be agile in the way it interacts with customers and knowing it’s completely safe to do so. There are certain communications when a business either can’t or won’t use messaging due the nature of the conversation. Encrypted messaging means any message classified or highly confidential – can be delivered via mobile platforms. Industries such as health are fast movers in this space given the obvious sensibilities of patient and case information. This sector is already looking at the huge benefits of doctor to doctor and doctor to patient secure messaging. Secure enterprise messaging market is ripe for disruption, but it won’t be led by the ‘free’ consumer based apps such as WhatsApp, as they don’t meet the specific needs of the business market. These apps fall short of the necessary compliance, security, integration and performance capabilities required for most businesses, particularly large enterprises. While business gets up to speed on how to deal with the risks of mobile messaging there’s a critical first step: at the very least organisations should have secure messaging for crisis management teams and senior executives to communicate effectively and securely on a daily basis. About the Author Horden Wiltshire is CEO of Soprano Design, the creators of GAMMA and world’s leading secure mobile messaging technology provider to international mobile network operators.
Some IP solutions say they have secure networks but securing enterprise mobile messaging involves considerably more than simply encrypting the channel. A key component is guaranteeing/verifying the identity of the sender and the recipient to truly thwart attackers. Enterprises that have already adopted SMS or consumer-grade IP messaging solutions, without this important validation are at risk, particularly as hackers begin to more aggressively target known security limitations. To close the gap CIOs must focus on securing their entire messaging ecosystems. The starting point is to audit a company’s internal and external business workflows, processes, and use cases to understand whether a secured ecosystem or secured mobile solution would better meet their needs. Developing solutions with high and multiple levels of encryption and auditing capability is where the game is changing and there’s immediate relevance for Australian hospitals, government organisations and financial institutions. For those in highly regulated environments – banking and finance in particular - the ability to track all communications gives CIOs a bird’s eye view of all mobile messaging communications for auditing purposes. Secure information a springboard for innovation However being able to ‘protect’ information is more than a security concern - it’s a springboard to providing
Australian Security Magazine | 21
Women in Security
‘But you are a woman’
T By Kema (Johnson) Rajandran Correspondent
22 | Australian Security Magazine
o some, being in financial crime may seem like an area where you’re deskbound, staring at a computer screen and crunching numbers, but to Michelle Weatherhead, the variety couldn’t be more interesting. As BAE Systems Applied Intelligence head of financial crime ANZ, Michelle manages eight consultants and works primarily with financial institutions across the Asia Pacific. Her role takes her from Australia to Singapore, Malaysia, Indonesia, Thailand or the Philippines at any given time. She says the appeal of working with BAE Systems Applied Intelligence is the ability to work with military grade technology; cutting edge and sophisticated solutions to combat a variety of problems in security – from cyber and fraud to terrorist financing. “We help our clients detect fraud, comply with AML legislation and combat cyber crime through data, software solutions and professional services,” Michelle says. “I really enjoy the variety of the work. One week, I am doing a presentation in Manila for one-hundred employees and the next week I am working with a client in Singapore helping them to solve a complex and high profile financial crime problem,” she says. With an abundance of highlights to date, Michelle says she’s been very fortunate in her career so far and shares some memorable and noteworthy parts with us. “In July, BAE Systems Applied Intelligence hosted a women in cyber security and financial crime networking
event. Twenty women from a variety of roles across the industry attended and it generated a lot of positive conversations.” “As a networking evening, we placed an emphasis not on technical learning but on essential career and development skills and shared discussion. It demonstrated what the impact is of a positive mindset and the importance of networking.” Michelle shared a very personal story at this event about working as a woman in this industry and the difficulties she encountered. “Over the past ten years, I have worked in many countries and it hasn’t always been easy being a woman in this industry.” “Prior to working at BAE Systems Applied Intelligence, I was sent to on a financial crime consulting engagement in the Middle East. When I turned up, the head of IT looked at me and said: “I thought you were Michael, but you are a woman!” “Being a little naïve, my innocent response was: “Yes I am Michelle and I am a woman, but I am the best consultant to write your detection rules. Do you want the best consultant to solve your fraud problem or would you like to wait for Michael?” “He waited for Michael, his loss of course…” Ouch. “That was ten years ago and many things are different
Women in Security
“Criminals collaborate; share what they are doing and what works on the dark web. They work together to conduct the crime, so we must do the same thing to combat it.”
now, but it’s still an indication of the struggles we sometimes have in a male-dominated environment.” She never let these moments deter her from what she enjoyed and ultimately to an incredible career. Working with the best and brightest in their field has been very rewarding for her, saying it’s the people that make the job. “I love meeting new people, getting to know them, helping them with issues and becoming lifelong friends. People in this industry are very practical. They get the job done and I appreciate that. It’s also very close knit – the people I met in my first job are still in this industry.” This is one of the reasons why she says collaboration and relationships are so important. “Criminals collaborate; share what they are doing and what works on the dark web. They work together to conduct the crime, so we must do the same thing to combat it.” She also points out that she has two mentors that she uses as a sound board. “A mentor must have your best interests at heart. As a mentee, you must feel safe to share your heart and soul, tell them how you feel and ask for advice. If you can’t be yourself and are scared to ask questions because you’re afraid of being judged, I don’t think it’s the right fit.” “Both of my mentors have seen me at my worst, but they believe in me and guide me. They know my strengths and weaknesses, when to push me, which is important to me.” “It is so important to have a mentor that has your back,
but also knows when to push your boundaries. My mentors encourage me to do things that I would otherwise not do and it always turns out well and feels good afterwards.” But mentorship isn’t everything, and Michelle nominates two other key things in a company that help women climb the ranks: flexible and supportive working conditions and female role models. “Everyone needs someone to look up to, so if you can’t relate to someone in a leadership position it can be hard to encourage yourself and aspire to be one of them. Having a female role model also subconsciously affects others, as it influences their perception of women in power.” With hopes of being a mentor herself, Michelle definitely has a wealth of work and life experience to be a good role model for others and fuel the fire of change in the industry. A wife and mother, who wanted to be a clinical psychologist when she left school and ended up in IT without regret, offers the advice to women starting out to think about what you’re good at and reach out to people in the industry. “Join an association and decide where your strengths lie. If you love being surrounded by people then perhaps a front line fraud investigator may be a good option. If you’re inquisitive and like delving into data then perhaps Cyber Crime Analytics is right for you.” “Those who succeed in this industry are willing to take risks, give things a go and also know when to reach out and collaborate. Big networks rule.”
Australian Security Magazine | 23
Security and risk management the next evolution By Dr G Schneider CPP, FAIM, FIS (SA)
24 | Australian Security Magazine
n the ever evolving worlds of safety, security, health and emergency management (SSHE) the regulatory and best practice approaches continue to get more onerous and complex. The evolution of specialist areas within this spectrum has been inevitable. We have also seen a process whereby the areas of the SSHE spectrum, sometimes referred to as ‘Hard Risks’ (as opposed to soft risks such as currency risk) have become classed as grudge spend areas. This is especially true for the field of security risk management which historically has not had the driver of legislative consequence that the safety sector has had. As organisations or companies grow we have also seen the evolution of a diverse range of organic organisational and corporate structures. These structures have become so diverse and range from no direct allocation of SSHE activities to mass duplication. There is the ongoing reality that no one model can be applied across different sized organisations that are in different sectors, operating in vastly differing risk environments. However, in many cases organisations are suffering from wastage due to duplication and inefficiency or intolerably high risk exposure due to lack of resource allocation to ‘hard risk’ management. In many cases organisations are exposed to both of these realities simultaneously, specifically if they have become silo’d based on size, specialisation, management control or geographic complexity. The evolution of organisational silo’ing whereby hard risk management activities are broken up into various categories as organisations have grown and expanded is now the common reality not the exception. Whilst in principle, silos for large organisations are a necessity, when it comes to managing hard risk the reality of issues such as duplication
of activities, denial of incidents and risk exposure, transfer of blame and lack of authority all become potential issues. These issues are highlighted in the various versions of Workplace Health and safety legislation which in most cases does not differentiate between the employees and subcontractors and places the responsibility at all levels of an organisation (low level worker right up senior executive). The need to move away from the decades old checklist type Hard Risk management approaches utilised by most organisations has reached epidemic proportions. The harsh consequences of security incidents resulting from crime, (internal and/or external), fraud and terrorism including death, business disruption, reputational damage, fines and jail time are ever-present realities for modern business. The ability to subrogate and de-risk via insurances is no longer as robust as it once was based on the evolution of non-payment clauses for regulatory non-compliance and other complexities. The ability to de-risk via subcontracting has now been legislatively closed off and it is now well established legal precedent that all parties (top to bottom) involved in the supply chain are responsible for the identification, mitigation and management of foreseeable risk in a reasonably practicable manner. The complex mapping, rating and referencing systems that proliferate through the hard risk management world have actually reached a point where they are now no longer practical tools for risk management but merely academic routine and/or just another additional non-profit, nonperformance enhancing function that organisations “Have To” do. In addition the neglect of hard risk education for most of today’s business leaders who are often the product
of academic education which specialises in conventional modelling and has contributed to two of the biggest issues facing organisations from a hard risk perspective today, namely DENIAL and REACTIVE APPROACHES based on ignorance and negligence. It is human nature to avoid systems that either do not show a direct reward, have a consequence which is deemed harsh enough to force compliance or have an effective ‘policing system ’in place to ensure compliance. One only has to look at traffic and road safety and imagine the carnage that would ensue without a set of rules that had harsh enough consequences for non-compliance and no enforcement to apprehend offenders. At various levels I have seen this happening in 100s of organisations we have come across in the last 15 years of business. This is not a unique issue to first world or emerging markets but the focus of hard risk management based on reactivity, sentiment and anecdotal behaviour seems to be the driver. Limitations on the way we view risk continue to be a propagator for reactivity and denial. In many cases this stems from the following core problems: • Consistent viewing of hard risk management as a grudge spend area • Failure to apply proactive budgets based on a dynamic risk based approach • Lack of understanding of actual vs perceived risk from a hard risk perspective • Inefficient use of internal resources • Inefficient use of external expertise • Lack of understanding of internal limitations • Lack of alignment of hard risk management understanding at senior executive as well as lower levels (middle management mayhem) These issues are further complicated by two realities: • The human factor • The use of technology (in terms of limitations or over reliance) While there is no doubt that we have come a long way in improving technology and people management systems we are missing some fundamental principles in the way we make things happen. Unfortunately, I have seen this over and over again where senior executive teams believe an issue has been resolved by creating and attempting to enforce a policy which has no real chance of being embraced at ground level and thus often becoming a purely academic exercise in futility. In fact the organisation may actually make themselves more vulnerable by having a policy but not adhering to it. A side effect of policy setting without effective implementation and take up, results in the executive believing that hard risks are under control, middle managers being frustrated that there are insufficient resources to implement and lower level never even being made aware of issues and or solutions. This reality is not new ground and many executives and managers live with this ongoing problem. So what can be done about these issues – here is a brief list of actions and concepts which could each be an article in their own rights: • Educate at all levels – understanding hard risk management in context at all levels of an organisation is critical as a starting point. One of the simplest ways
‘It is human nature to avoid systems that either do not show a direct reward, have a consequence which is deemed harsh enough to force compliance or have an effective ‘policing system ’in place to ensure compliance.’
to do this is get everyone talking the same hard risk language and not get too caught up in silo or specific jargon • Assess and understand realties in a dynamic way – we tend to want to ignore bad news and as such it is often hidden from the people that need to know until a crisis occurs. Regular health checks using internal and external resources is critical for more robust discussion making • Leverage internal resources – often there is internal expertise and knowledge that is not tapped as a result of corporate segregation and legacy, the creation of internal ‘kingdoms’ and the biggest problem – lack of internal cross silo forums and structures to leverage capabilities and sharing. This often comes down to HR based limitations tied back to KPI’s which sometimes create performance measurements that is silo specific and ignores the core objectives of the organisations on a macro level • Leverage external resources – it is important to know when external help is required and how it should be utilised. Not only are external assessments considered to be more impartial but they bring fresh eyes to issues that may have been taken for granted as being ‘just the way it is’. The challenge is to act once solutions are identified and not be demotivated by what may appear to be a mountain of issues with no clear start, end and implementation approach. • Invest in people – the biggest resource for mitigating risk is a ‘switched on’ staff and contractor base. We need to motivate people using both stick and carrot approaches in a balanced manner to gain their ‘buy-in ‘otherwise systems will fail and good intentioned solutions will not go anywhere. • Incorporate technology – it is important to find the balance between human trust and having sufficient checks and balances. We can’t forget that the battle ground of the future is in cyber space and organisations face ongoing vulnerability in managing the ‘hard risk’ realities of data and IP protection along with the physical safety and well-being of their staff. In summary, the core ingredients to implement a better security risk management approach stem from striving to eliminate denial via education and ongoing assessment and implementing a proactive approach which requires more than just paperwork and lip service. In essence the driver should be a move to change, improve and sustain an enhanced level of security and safety culture by aligning hard risk management to culture and core organisational objectives it is truly possible to turn risk to opportunity.
Australian Security Magazine | 25
Improved border security, faster border clearance and reduced cost â€“ the must have holy grail for airports By John Kendall Director of security programs, Unisys Asia-Pacific
26 | Australian Security Magazine
he recent focus on improvements in border security is hardly surprising given the very real terrorism threat of foreign fighters and the growing socio-economic dangers posed by individuals attempting to enter Australia under false pretences. As a result the demand for improved border security means airports must do more to ensure the safety of Australian travellers. The significant projected growth in international cargo1 and passenger2 volumes (on which the Australian economy is highly dependent), has amplified the demand for great speed and efficiency in border clearance. On top of these demands, budgetary pressures and resource limitations at our airports and seaports are now mandating dramatic cost efficiencies in the way Australia handles passenger and cargo clearance. For airports, an important first step in tackling these issues has been the establishment of a single department responsible for Immigration and Border Control and the creation of the Australia Border Force as the operational arm of that Department.
This gives airports and border agencies the opportunity to actively take steps to improve border security, achieve faster clearance and create greater efficiency. However, organisational and personnel change alone are not sufficient, and failure to overcome all three issues, security, process efficiencies and budget constraints, is not an option. Not in Australia. Not in any growing economy. Australia will only succeed in tackling these challenges through the use of enabling technologies. The future of improved border security One such enabling technology is the automated clearance eGate. eGates reduce queuing and speed traveller clearance. While eGates have been deployed and available to some arriving air travellers in Australia for years, it is only now upgrading and expanding its fleet of eGates to process more travellers. Another key enabling technology uses advanced biometrics to positively identify individuals who enter or
depart Australia. Again, Australia was an early adopter of biometrics for border security, and facial biometrics is used by eGates to verify travellers against the biometric data stored in ePassports. Fingerprint and face biometrics are also used with some visa applications to detect fraud and check against watch lists of known criminals or visa offenders. However, other countries like the US, Singapore and Malaysia have taken this further by capturing biometrics of travellers at the point of border entry/exit and conducting realtime searches of biometric databases to identify individuals on watch lists (e.g., known criminals) and to detect individuals who are using multiple identities or travel documents. In the past, real-time “one-to-many” biometric matching of this scale was often expensive, inaccurate or both. The enabling technology that now makes real-time biometric matching cost effective and accurate is iris recognition. Iris recognition uses a picture of the eye to match the detailed patterns in the coloured part of the eye surrounding the pupil. Iris recognition is faster and less expensive than other biometrics (enabling real time matching against millions of records) and highly accurate (akin to fingerprints and far more accurate than facial recognition). While there were few implementations of iris recognition a few years ago, today it is the biometric of choice for large scale biometric identification (such as the 100M person Mexico national ID and the 1.1B person Indian national ID). These large scale deployments have resulted in significant improvements in the technology and significant reductions in the cost. The introduction of iris biometrics into the traveller clearance process would contribute to all three objectives – improved security, faster clearance and greater efficiency. But the enabling technology that arguably offers the greatest potential benefit is advanced targeting analytics. Targeting analytics enable the automated identification of low risk travellers and cargo that can - and should - be cleared with little or no manual intervention, and higher risk travellers and cargo for which additional analysis or inspection is appropriate. While biometrics addresses the “identity” of the traveller and provides the ability to identify individuals who are on existing watch lists, targeting analytics looks at the underlying “intent” and can be used with both travellers and cargo. Australia currently employs a basic automated targeting analysis system that uses pre-defined rules to identify travellers and cargo that represent a potential risk. But advanced targeting analytics go much further and are characterised by three particularly significant capabilities: allsource, self-learning, and forward-looking. All-source analysis systems need to handle the explosive volume of unstructured or poorly structured data from many different sources with different levels of accuracy and authenticity. Advanced targeting systems, such as that used by the US Customs and Border Protection, draw upon a suite of tools to ingest such data and accurately identify, extract, assess and associate the information therein so that it can be properly analysed. Predictive analytics enable advanced targeting systems to “learn” from past experience and emerging information patterns to more accurately identify high-risk travellers and shipments. In essence, the system continually refines and revises the
‘While biometrics addresses the “identity” of the traveller and provides the ability to identify individuals who are on existing watch lists, targeting analytics looks at the underlying “intent” and can be used with both travellers and cargo.’ rules to achieve significantly improved targeting accuracy. This translates to fewer false alerts (i.e., shorter queues and fewer manual interventions) and fewer misses. Advanced targeting solutions also employ sophisticated forward-looking modelling tools to provide insight into the impact of proposed changes in the targeting system parameters and rules. Such models are able to project the resulting traveller/cargo queues, resource requirements and costs before changes are even implemented. For example, what is the impact of requiring an inspection of all cargo containers on ships that transit Sri Lanka? The forward looking models enable fine tuning of the system to improve clearance accuracy, speed and cost-efficiency. Advanced targeting analytics is not limited to a physical border clearance, but is used early and repeatedly beginning with the earliest indication of a potential travel/shipment and subsequently as additional information is received – in some cases even after entry. For travellers, this may start with the visa application or ticket booking – with additional analyses performed as more information becomes available (e.g., travelling companions, method of payment, amount of luggage, prior locations visited). In this way, potential risks are identified and resolved as early as possible – resulting in significant cost savings. By leveraging these enabling technologies and partnering with evolving the travel and trade ecosystems, Australia can achieve the golden triad: improved border security, faster clearance and greater efficiency. 1 – Australian Government Department of Infrastructure and Regional Development: Trends – Infrastructure and Transportation to 2030 (page 11) - https://infrastructure.gov. au/infrastructure/publications/files/Trends_Infrastructure_ and_Transport_to_2030.pdf 2 – Australian Government Department of Infrastructure and Regional Development Trends –Transport Security Outlook to 2025 (page iv) - https://infrastructure. gov.au/transport/security/pdf/Transport_Security_Outlook_ to_2025.pdf About the Author John Kendall is the Director of Security Programs for Unisys Asia-Pacific and has a 30+ year career assisting governments worldwide achieve dramatic improvements in efficiency and service through the innovative application of advanced technology.
International Critical Infrastructure
Operating in Kazakhstan - What are the threats? by Andy Davis
azakhstan is a former soviet state located to the East of the Caspian Sea and directly south of Russia with China to its east and the ‘Stan’ countries directly to its south, obtaining independence from Russia in 1991. By land mass it is the 9th largest country in the world and although based in Central Asia prefers to describe itself as an Eurasian country due to the western regions being located in Europe. President Nazarbayev has been repeatedly elected since independence and recently polled 90% plus in elections this year. Kazakhstan is viewed by many as a calm stable democracy who is friends with all and enemy to none. So why is it of interest to security professionals? Simply put, oil and gas! The oil and gas industry is the main reason for Kazakhstan’s economic success over the past 20 years and in order to maintain its effectiveness joint ventures have been created with international partners. The international providers have to rely upon the expertise of expatriates and therefore in order to protect them there is a need to understand what ‘real’ threats actually exist. The following are what I believe to be the real threats that exist when operating in Kazakhstan. Corruption Corruption is described as endemic and spreads from the highest levels of government to lower level civil servants and police. There is anecdotal evidence to support this and Transparency International ranks Kazakhstan as the joint 126th (out of 175 declared countries) most corrupt countries in the world. Although there has never been any direct accusations of
28 | Australian Security Magazine
corruption levelled at the President many of his family and wider associated have been implicated in corruption and with political positions being given through patronage as opposed to competency the opportunities and ability for corrupt practises not only exist but flourish. Organised Crime Whilst organised crime goes hand in hand with corruption it is not as visible as in other countries; however that doesn’t mean that it doesn’t exist. Kazakhstan sits on the northern supply route for heroin leaving Afghanistan destined for Europe and China ($20 billion dollar p.a.) but as it falls on the old ‘Silk Route’ other commodities are also smuggled including people, electronic goods and minerals. Where heroin reaches the Kazakh markets there is an increase in drug related deaths, street crime and gang violence, although this is similar to many UK cities. Whilst there is an active sex industry it does not appear to be controlled by particular groups and many prostitutes operate with a ‘roof ’, which is a form of protection offered by police; indeed in recently publicised cases brothels disguised as ‘saunas’ have been run by police officers. Climatic Probably one of the biggest threats that can directly impact upon safety and security in Kazakhstan are the extreme climate swings, from +40⁰ in the summer to -40⁰ centigrade in the winter. Whilst most international organisations provide suitable protective equipment to handle these
extremes they do directly impact upon operational abilities whether through an increased risk of dehydration or sunstroke through to frostbite and the cancellation of flights and ground movements. Crime and Violence The Kazakhs are a tolerant society and whilst violence exists it does not normally target expatriates. Where violence occurs it is, in many cases due to cultural insensitivities; notably towards the Kazakh females or in the course of street crime which exists, but no more so than in western countries. Bureaucracy Although many aspects of the Kazakh nation is forward thinking many of the governmental procedures and processes are embedded within the soviet mentality (much as India is still referred to having a colonial civil service). Until December 2017 UK citizens can visit Kazakhstan without a visa, although stays must not exceed 15 days. For working in Kazakhstan different rules exist. (For further visa information visit http://ow.ly/Qw0Xw) There have been a lot of recent cases where expatriates visas have not been renewed due to the expatriate/national employee ratio being out too high in favour of the expatriates. Supply Chain Risks Apart from limited access via the Caspian Sea Kazakhstan is landlocked and as such the choice of supply routes is limited to a few land routes, air transportation or the Russian inland waterways. All supply routes are threatened by the weather with the freezing of the water routes for between 4-6 months of the year and land/air routes being affected by the extremes of weather +40 to -40 centigrade. The infrastructure (roads, drainage, and rail networks) varies throughout Kazakhstan with areas in the east being well maintained whilst other parts of the country suffer from potholed roads, lack of drainage and closures of airports, especially during the winter months. Terrorism This might be an area where others disagree but using the UK governmental threat levels for terrorism I see the threat level falling somewhere between Substantial and Moderate. My justification for this is that although Kazakhstan experienced terrorist attacks in 2011 at the hands of ‘Jund al Khalifa’ (Soldiers of the Caliphate) these were relatively unsophisticated and limited in sustainability. Since the robust response to the attacks there have not been any successful attacks against targets within Kazakhstan. The security services have a robust approach to managing terrorist risks which appears to have served them well, to the present time. But….. Future Threat – Terrorism Without sounding contradictory, the present threat is as it is because of a number of factors including, security service
approach, social non-acceptance of terrorism and economic benefits previously experienced. Two main factors cause me to believe that in the future the terrorism threat is going to increase; these are the economic downturn and ‘blowback’ of Kazakh Islamic fighters. The economy never truly recovered following the global economic downturn of 2008 and with the price of oil being at around $50 per barrel there is clear evidence of a massive slowdown in the development within the extractives sectors. This has resulted in increased unemployment or at least a lack of employment opportunities; this in turn has the potential to lead to increased social unrest, and the opportunity for that social unrest to be exploited by radical elements. The second factor revolves around the number of Kazakh fighters presently classed as foreign fighters (believed to be over 400). These fighters are active in Afghanistan and within the newer combat zones of Syria and North Africa. It is anticipated that these fighters will return home and bring with them newly acquired skills and experiences that can be used against the Kazakh government and international targets. Future Threat – Succession Kazakhstan has not known life without President Nazarbayev and there are no clear succession plans in place. Whilst Kazakhstan is a democracy the ruling political party has no clearly identified future leader, and many who have been previously favoured have either been found guilty of corruption or have fled the country. With this uncertainty a void may be created that could be exploited by individuals or organisations and leads to civil unrest and internal feuding. Without addressing the succession issue whilst President Nazarbayev is in relatively good health, the chances of a smooth transition of power will be reduced. Conclusion In comparison with many former soviet states Kazakhstan has few threats that represent high levels of impactive risks and there are genuine opportunities to bring new operations and projects to Kazakhstan. This is mainly thanks to the stability and control that President Nazarbayev has brought to the country and regionally. The future does hold a number of uncertainties that are only likely to increase the threats faced by those operating in Kazakhstan. However, as long as the government does not fragment and is able to continue juggling the needs of the population and its relationships with Russia, China and the West the threat based risks remain manageable. About the Author Andy is the owner and managing director of Trident Manor limited, a specialist security, risk and crisis management consultancy based in the North of England. Andy holds a Master’s of Science (MSc.) Degree from the University of Leicester, is a Certified Protection Professional (CPP), a Chartered Security Professional (CSyP) and a Fellow of the Security Institute (FSyI).
‘The economy never truly recovered following the global economic downturn of 2008 and with the price of oil being at around $50 per barrel there is clear evidence of a massive slowdown in the development within the extractives sectors.’
ENTERPRISE AGILITY OBTAIN COLLECTIVE INTELLIGENCE AT THE FSI LEADERS SUMMIT
JOIN US IN SYDNEY How is your organisation adapting to digital; what is your mobile strategy? The FSI Leaders Summit will influence discussion around enterprise agility in today’s constantly evolving workplace within the financial sector. The Summit is invitation only and intended for Australia’s most senior Financial
leaders including CIOs, CTOs,
Heads of Technology, SVPs and many more to gather for a strategic two day event in order to exchange knowledge and interact as one over a range of important issues facing the industry.
SEPTEMBER 16 - 17, ANZ STADIUM, SYDNEY WWW.FSILEADERS.COM
FURTHER SUMMIT TOPICS INCLUDE
For more information contact Tyron McGurgan e. firstname.lastname@example.org
30 | Australian Security Magazine
www.mediacorpinternational.com.au p. 02 8188 8508
Obstacles for winning the war on terror - And recommendations for action By Dr. Keith Suter
his a part two of two-part article series based on a presentation to the 2015 ASIS NSW Conference. This series examines three obstacles to winning the “war on terror” and it finishes with some ideas on how to build up national resilience. The three obstacles are: (i) recognizing that we are in a “long war” and that quick fixes will not work (ii) seeing terrorism as a “black swan” event (dealt with part one), and (iii) the role of the media in “providing oxygen to terrorists”. THE ROLE OF THE MEDIA The media are vital to terrorism. “Kill one and scare a million” – there have to be mass media to do the scaring. In a sense there is no “terrorism” in a dictatorship (such as the old Soviet Union or present day North Korea) – the government can keep the lid on any adverse publicity. Margaret Thatcher (then the UK Prime Minister) set out this matter in 1985 when dealing with the IRA: And we must try to find ways to starve the terrorist and the hijacker of the oxygen of publicity on which they depend. In our societies we do not believe in constraining the media, still less in censorship. But ought we not to ask the media to agree among themselves on a voluntary code of conduct, a code under which they would not say or show anything which could assist the terrorists’ morale or their cause while the hijack lasted? Mrs Thatcher’s suggestion was not that outrageous. The media do follow a self-limiting code when dealing suicides. Unless the person is very famous (celebrities are famous in death as well
as life), no publicity is given to a suicide (such as a school student) for fear of triggering “copy cat” deaths. If anything, the situation has become even worse in the last three decades since her speech. For example, the current Islamic State leader wrote about the “management of barbarism” in 2004, where he foreshadowed executions broadcast via the Internet. He knew that executing foreigners in a barbaric way would attract attention and add to his international status. Three developments have added to the media’s significance for terrorists. First, there is the use of emotions in the media. In the old days journalists asked: “What happened?” Now we live in a “tabloid media era”; we have moved from facts to emotions: “How did you feel when you saw what happened?” This increases public anxiety. Second, life in many developed countries is easier now that (say) in the 1930s; there is less public interest in “serious” stories, and so the audience is found and retained via entertainment. Therefore the language of war has entered sport, and the language of sport has entered politics: people are less interested in who is right or wrong - but who is going to win. It is more difficult to explain the background (say) to Middle East politics. People don’t want too much “serious” stuff. Finally, there is the rise of 24/7 media coverage, driven initially by satellite communications and the rise of CNN. We no longer “feed” on the news (such as the traditional 6pm and 9pm news programmes); we “graze” on it, moving in and out of news coverage. The continuous news cycle means that news programmes have to be tweaked every few minutes to keep the existing viewers interested and to attract new ones. But what happens when there is no “news” to report; no new
Australian Security Magazine | 31
‘Infrastructure needs more redundancy built into it (for example the Sydney Harbour Bridge could carry far more vehicles that it does; redundancy used to be a standard architectural idea decades ago’ developments? 24/7 media coverage is wonderful for breaking stories and deadening if there aren’t any: just endless (and often pointless) anxiety-making speculations (as with the December 2015 Lindt Cafe tragedy for the first day of the siege). BUILDING UP NATIONAL RESILIENCE “Resilience” is the capacity to recover from a shock and to adapt to the new situation. We can’t always control what happens to us – but we can control how we react. Prevention may not always work but much can be done in terms of reaction and recovery. A “resilience” mentality requires individuals and organizations to be on the “front foot” and ready for action – and not just be passive victims of events. Unfortunately, we have become lulled into a culture of risk avoidance. We have become too complacent; our easier way of life compared with previous eras has lulled into an assumption of safety. A risk avoidance culture and the publicity given to the expertise of the intelligence/ security agencies have created a culture of learned helplessness: an expectation that the state will do everything and so little is expected of individuals. For example the family of a Glasgow woman suspected of encouraging three London girls to join the Islamic State said
32 | Australian Security Magazine
officials “failed” to stop them leaving the UK – but the family also still has responsibilities. It should know what its children are up to with their computers. We need, instead, a resilience culture. Here are some examples: (i) infrastructure needs more redundancy built into it (for example the Sydney Harbour Bridge could carry far more vehicles that it does; redundancy used to be a standard architectural idea decades ago); (ii) be wary of “just in time” supply chains (they may save money in the short term but increase the vulnerability to disruption); (iii) be willing to “think about the unthinkable”, for example, Australia’s supply line of oil is vulnerable to disruption and so we need to think about how to safeguard our supplies by thinking about “black swan” events; (iv) more money for hospitals/ healthcare systems: even if they are never used in a terrorist attack, the investment will be worth it because there will be other disasters.; (v) journalists need to acknowledge that it is wrong to ask a politician/ police officer for a guarantee that this tragic terrorist event “won’t be repeated”: the journalist ought to know that no such guarantees can be given and should not be sought. Finally, to use a World War II phrase, we need to be able to “keep calm and carry on”. About the Author Dr Keith Suter is the Managing Director of the Global Directions think tank. His first PhD was in the international law of guerrilla warfare. He is broadcaster and management consultant at www.global-directions.com and email email@example.com
Australian Security Magazine | 33
Radicalisation process “a cultural and religious insight” By Anooshe Aisha Mushtaq
sing her own experience as a case study, in a three part series, Anooshe Mushtaq explores the experiences of Muslim migrants and offers a perspective on the religious and cultural drivers of Muslim radicalisation in Australia. Anooshe identifies key Islamic teachings used by extremists to target recruits and argues that cultural patterns of behavior in the migrant community make some Muslim migrants more susceptible to these radicalisation messages. She observes the shortcomings of the recently adopted measures to combat radicalisation and why they are less effective than expected due to policy makers’ inadequate understanding of the interplay of religion and culture in Muslim communities. In conclusion, Anooshe argues that policies to combat radicalisation must be designed to address both its religious and cultural drivers best achieved by involving trusted members of the Muslim community in policy design and implementation. My View of the World Now I would like to give an overview of how I see the division of the world with the current issues. I want to clarify here that this is only my view. There is the extreme west to one side, there are radical Islamists on the other, and in the middle there are everyday people who are busy living their own lives.
34 | Australian Security Magazine
With the current and past involvement of the West and Islamists I have divided the world into 3 categories. • On one side of the equation there is the “extreme west” who blames the radical or fundamentalist Islamists for the issues in the middle-east and the terrorist attacks. They see the Muslims as the biggest threat and want to find ways to fight them. In doing so they blame Muslims collectively and Islam for being the cause of extreme actions (terrorist attacks). • On the other side, there are “radical Islamists” who are intent on establishing a “Global Khilafat” (Caliphate). The radicals are against west and the western culture and see them as a threat. They also see the moderate and progressive Muslims as a threat because they do not follow “Traditional or Wahhabi Islam”. • In between these two extremes there are “everyday people”, people like you and I, who are busy living their lives and are not least interested in going to extremes of any sort. They are linked via news and social media that affects the way they see the west or the east. While everyday people aren’t ideologically invested in either side of the argument, it is becoming increasingly difficult for them to stay on the sidelines. In our increasingly connected society social media is pervasive. Many of us have a minute by minute update of friends’ and families’ thoughts
“Now, I’ve often heard Western leaders describe Islam as a religion of peace. I wish more Muslim leaders would say that more often, and mean it,” Abbott said upon announcing the new laws. being delivered to us directly by some social media platform. As the ideological war spills out across social media everyday people are exposed to the arguments and exaggerations of both sides. Even when everyday people remain passive observers of the conflict on social media, the messages unavoidably start to influence their views, however subtly. This is not to say that it is only a matter of time before everyone ends up picking a side. Most people will continue with their day to day lives without taking any extreme measures. It does, however, still expose a greater number of ‘uncommitted’ everyday people to strong ideological messages from both sides of the debate. Greater exposure increases the chances of ‘uncommitted’ people to pick a side and take their chosen ideology to the extreme. The picture and the table in the top right show how the everyday people are affected by social media and the war of words and information: The Social Media War So what is social media? Social media is our window into the minds and lives of others. Sometimes we know these people and sometimes we don’t, but we are aware of their thoughts and their views from our smartphones, tablets or our laptops. Everything is at our fingertips. We read, we post, every second and it’s a powerful way to circulate powerful messages in real time at no cost. Social media is particularly powerful because Muslims and Non-Muslims can reach audiences who were not even searching for or interested in these messages. We can see when others have commented on a message that is shared by someone we are connected to. Most of the time we are not interested in the average posts, but then if the topic is interesting or ‘radical’ it attracts our attention. Messages can go viral in no time whether it is via Facebook, Twitter or YouTube. They can reach people beyond the target audience in a matter of seconds. As I mentioned earlier, my experience growing up in Australia in the eighties was that while these messages were still doing the rounds, they were spread slowly through face to face or phone contact, such as through Muslim Youth Camps. It was much slower for messages to get across to people and the parents had more control over who their children interacted with resulting in slow or limited dissemination of messages. Today, we have more mobile phones than the world’s population. Most of us are multi-screen junkies with either a laptop or a tablet or both along with a smartphone. The bigger issue is the children age 14-18 who have easy access
to social media. They see and read everything that appears on social media. There is no control over what they access and who they are in contact with. The migrant parents are not tech savvy and are unable to identify what the kids have been accessing. Therefore, the control is lost. Now let’s examine how different viewpoints are interacting in the media and social media and how everyday people are being affected. I will present an example of the show “The Project” which is hosted by Waleed Aly on Channel 10 in Australia. Waleed Aly interviewed Joy Hockey recently in light of the new anti-terror laws. The reason for presenting this specific example is how the extremist Muslims may use this, otherwise very constructive debate, to exploit the minds and views of other Muslims. News – 25th February 2015 (Source: http://www. mamamia.com.au/news/the-project-joe-hockey/) Waleed Aly has served Joe Hockey a dose of reality about the Australian Muslim community. Waleed Aly drew the treasurer’s attention to comments made by Prime Minister Tony Abbott: “Now, I’ve often heard Western leaders describe Islam as a religion of peace. I wish more Muslim leaders would say that more often, and mean it,” Abbott said upon announcing the new laws. Aly went on to debunk this statement, listing the multitude of statements made by prominent leaders in the Islamic community. Aly said “I could literally go on and on and on, I don’t have time. What more exactly do you want from the Muslim community?” According to Hockey, the government wants the Muslim community to do “as much as they possibly can.” The Other Side of The Argument Based on the news and the debate between Aly and Hockey, let’s examine how the Muslims and everyday people are getting affected. Also I will present examples of how extremist organisations via social media can communicate quickly and effectively presenting their views on similar discussions. The other reason why I have selected this specific debate is because I have had personal experience in discussions with
‘The vast majority of Muslims, nationally and internationally don’t support terrorist organisations and their extreme views. However, there are people in all religions who take it further than others. Radicalisation is not a new trend. With or without the internet it has been present in all religions throughout the course of history.’ my family and friends regarding Hockey’s comments. The extremists will take what Tony Abbot said “Now, I’ve often heard Western leaders describe Islam as a religion of peace. I wish more Muslim leaders would say that more often, and mean it” and exploit the situation. These Extremists will present to the Muslim Ummah that this comment is directed at Muslims and now the “Australians” are labelling all Muslims as terrorists. This is creating negativity and conflict in the community. The bigger issue is the information that is circulating on social media and comments negatively influencing people. Response from Hizb-ut-Tahrir (HT) regarding New Anti-Terror Laws Hizb ut-Tahrir present themselves as a Party of Liberation. Hizb ut-Tahrir is a 60 year old Muslim organization which operates in various parts of the world. They say their main aim is to implement and promote “Sharia Law” not by force but by Da’wah (Arabic: Invitation). I would briefly discuss one of the posts from Uthman Badar’s Facebook page and one from HT’s website. Uthman Badar is a writer, activist, student of economics and media representative of Hizb ut-Tahrir Australia. Most of Uthman’s Posts are about putting a spin on what the “West is saying about the Muslims”. Regarding the new anti-terror laws, Uthman had following to say on his Facebook page: “The Community has had enough of the Prime Minister using national security as a way of scapegoating Muslims”. “I’m starting to feel for Tony now. Poor chap’s getting an all-round hiding! It’s not helpful. It’s divisive. It labels our community as being responsible for the actions of few” Kattan said. “It’s not helpful for anyone to make these statements.. How much more can we condemn? The head of the Lebanese Muslim association, Samier Dandan said the community “has had enough” of the Prime Minister using national security as a way of “scapegoating” Muslims. He said the community had done everything it could, other than getting a “tattoo imprinted on our forehead” to condemn violent extremism” Also HT’s website argues against the speech the Prime Minister Abbott delivered at the National Press Club. In his speech, Abbot made mentioned of banning Hizb ut-Tahrir. In response, Hizb ut-Tahrir Australia said that if they can ban us they can ban other Muslim organisations and target Muslims directly. HT is also against progressive Islam as they want to implement “Sharia Law” which is associated with
36 | Australian Security Magazine
the “Traditional Islam”. They disagree with any progressive version of Islam as it translates Sharia Law according to the changing times. How These Messages Affect Muslims These kinds of negative messages on social media start promoting negativity amongst Muslims. The discussions between Muslims when they are addressing these messages further fuel the resentment they have towards the Government who they feel is specifically singling out Muslims and labeling them as terrorists. Mainstream media does not help the situation either when they associate the word ‘Muslim’ with the word ‘terrorist’ almost by default. Social media is fueling discontent in the Muslim community. Even moderate Muslims who would not be normally receptive to HT’s messages are being impacted through the sheer volume of negative comments. It is important for those involved in public debate to understand that any public comments about the new antiterror laws or Muslims will provide organisations like HT an opportunity to inflame the situation. No matter how uncontroversial a comment may seem to us, organisations like HT sit ready to put their slant on our comments. They feel this is justified as they fight against biased comments in the Media regarding Muslims. To combat this we need a better strategy and a systematic approach which I will discuss in my “Conclusion”. Islamic State Ideology and the Government Policies It is clear that the issue of radicalisation is of national prominence, but how well do the government, commentators and the general public understand radicalisation? If we are to have a reasoned debate about radicalisation then we collectively need a better understanding of what drives radicalisation and what its effects are. The vast majority of Muslims, nationally and internationally don’t support terrorist organisations and their extreme views. However, there are people in all religions who take it further than others. Radicalisation is not a new trend. With or without the internet it has been present in all religions throughout the course of history. Therefore, we first need to understand why some Muslims are more susceptible to Islamic State’s ideology and how we can control this growing issue which seems to be spreading like a plague. In the Australian context, a discussion on radicalisation needs to start with Islamic State. Currently Islamic State is the main driver of radicalisation in the Australian Muslim community. To understand why Islamic State are successfully radicalising Muslims in Australia and internationally, we need to understand what their underlying purpose is. There has been extensive research seeking to better understand Islamic State’s ideology and to explain why some Muslims are moving towards radicalisation. Graeme Wood’s insightful piece in The Atlantic “What ISIS Really Wants” observes that “Islamic State is no mere collection of psychopaths. It is a religious group with carefully considered beliefs, among them that it is a key agent of the coming apocalypse”.
Woods writes persuasively about how Islamic State differs from Al-Qaeda which many see as having essentially political aims. By contrast Islamic State is devoutly religious and its core strategy is based on its understanding of Islamic teachings on the Apocalypse. Karl Vick shared this view in his Time Magazine article “Don’t take the Bait”. Woods argues that attempts to label Islamic State as “not-Islamic” – a tactic frequently used by politicians attempting to express solidarity with mainstream Muslims – fundamentally miss the point. Islamic State is very Islamic. Islamic State follows the Wahhabi sect of Islam. Broadly speaking, Wahhabism can be described as an ultra-orthodox sect which insists on a literal interpretation of the Quran and a literal implementation of its teachings. Wahhabism originated in Saudi Arabia in the 19th century has been the dominant religious force there for two centuries. Strict Wahhabis believe that all those who don’t practice their form of Islam are infidels and enemies. Islamic State has taken this principle to its logical conclusion, persecuting not only non-Muslims, but slaughtering thousands of Muslims who don’t share their fundamentalist beliefs. Islamic State’s actions need to be evaluated with their Wahhabism in mind. Rather than having worldly aims, Woods argues that Islamic State is committed to restoring civilization to seventh-century Islamic ways as a precondition to bringing about the Apocalypse. Islam shares the concept of the Apocalypse with Judaism and Christianity. In Islam, the concept revolves around the final judgment in which Allah will punish sinners and bless the faithful. As strange as it sounds to us in Australia, Islamic State’s belief that the Apocalypse is imminent is key to its appeal and the success of its radicalisation messages. Islamic State propaganda and radicalisation messages are based on Islamic teachings and cultural values, particularly those related to the afterlife and the Day of Judgment. These messages are very strong as Islam teaches that life on earth is temporary and all the actions of a Muslim should be directed towards achieving Jannah (Heaven). Of all teachings, those of al-Qiyamah and Khilafat (the Caliphate) have the strongest impact in shaping the thoughts, opinions and behaviour of Muslims. Islamic State propaganda draws heavily on the concept of the Apocalypse described in key verses of the Quran, in particular the 75th Sura of the Quran, “al-Qiyamah”. There are twelve major signs of the Apocalypse in Sura al-Qiyamah. At the time of judgment, terrible corruption will rule. One of the major signs of the last day is the arrival of Masih ad-Dajjal (Anti-Christ). The Mahdi (spiritual and temporal leader) will be sent and with the help of Isa ( Jesus), and will battle Masih ad-Dajjal. The Dajjal will cause confusion by making people think he represents ‘good’ when he is actually evil. Sura al-Qiyamah also talks about resurrection of the dead, a final tribulation and eternal division of the righteous and wicked. The righteous are rewarded with pleasures of Jannah (Heaven), while the unrighteous are tortured in Jahannam (Hell). Islamic State propaganda seeks to convince the Muslim diaspora that the Apocalypse is near and they should return to the Caliphate lest they be judged unrighteous on the Day of Judgment. The concept of a last Caliphate is so strong
amongst Muslims that the mere existence of a Caliphate draws attention and an audience for Islamic State’s messages. Islamic State propaganda is laden with religious symbolism and hidden meanings, drawing on teachings from the Quran and cultural traditions dating back a thousand years. Every word and act is carefully chosen to convince those raised in the Muslim tradition that the Caliphate is true and the Apocalypse is coming. What seems medieval, or even pointless to non-believers, is designed to demonstrate to Muslims that Islamic State is legitimate and believers should return before the Day of Judgment. Understanding the nature of Islamic State’s appeal is critical to designing and implementing policy to combat radicalisation. It is not clear whether those involved in designing Countering Violent Extremism (CVE) programs have sufficient understanding. Have our policy writers been brought up in the Islamic religion and culture, integrated in the Muslim society? Do they possess an understanding of the underlying issues? The Government works closely with academia to seek a better understanding of Islam, however there may still be gaps in a deep understanding of the current sources of the radicalisation issues if the Government’s advisors don’t live and breathe Islamic culture every day. It may take a nonMuslim a lifetime to understand the intricacies of Islamic culture and religion. Our track record in combatting extremism is unclear. The government has funded Countering Violent Extremism (CVE) programs for years. The Parliamentary Library publishes a summary of previous Government efforts in this field showing that specific CVE programs have been funded since at least 2010. The most recent budget allocated and extra $1.2B in funding for national security, of which $450m will be used to strengthen intelligence capabilities, support the new metadata retention legislation, and counter extremist messaging. Of this, $22 million is committed to combatting terrorist propaganda and countering violent extremism, with a particular focus on the internet and social media. Have these policies been given the best chance of success? Policies to combat radicalisation must be designed to address both its religious and cultural drivers. Policies are more likely to be effective if they are informed by a deep understanding of what drives radicalisation on the ground in our communities on a day-by-day basis. About the Author Anooshe is a first generation Australian of Pakistani origin. She spent her early years in Pakistan and several years in Libya on posting with her family. Since her arrival in Sydney in mid-eighties Anooshe has experienced first-hand the changing cultural landscape of Australia. She is an Associate Member of the Australian Institute of Professional Intelligence Officers (AIPIO) and a Research Associate at the Australian Security Research Centre (ASRC). Anooshe’s research is based on Australian Muslim culture, radicalisation, Islamic State ideology and government policies. She has published several articles on the topics of radicalisation process, Islamic culture and religion.
Australian Security Magazine | 37
Strategies used by Islamic State to recruit on social media The second part of this article looks at the risks posed by the strategies used by IS outlined in the previous article. Strategies on dealing with the issue are also discussed.
T by Robyn Torok Security Research Institute, Edith Cowan University, Perth, Australia
38 | Australian Security Magazine
his article (Part 2) is a continuation from Part 1 which looked at strategies used by Islamic State (IS). Part 1 explored a number of Neuro Linguistic Programming (NLP) Strategies used by IS in order to recruit individuals. These strategies included future pacing, anchoring and association/disassociation. This article will focus on the risk posed by these strategies as well as how they can be addressed. As clearly stated in the previous article, NLP strategies are not brainwashing strategies, they aim to persuade and direct an individual. NLP strategies are most effective when an individual is willing to undergo change and hence subject themselves to these techniques. In the case of IS recruiters, they are continually searching for individuals which they can influence. While individuals are often unaware of the NLP techniques being used, if they show a propensity toward the ideologies or discourses of IS then the probability of influence and subsequent recruitment increases. Any person in marketing knows that it is ultimately
a numbers game. Consider if IS target one thousand individuals and they are only successful in 0.2% of cases (just a small fraction of 1%) then two new recruits have joined Islamic State. While this figure is purely hypothetical it is aimed at demonstrating that even the most limited level of success poses a risk. As far as targeting a large number of individuals, this is not difficult for IS given their large online presence as well as their large number of sympathisers. Furthermore, the risk posed by recruitment is two fold and includes both travelling overseas to join IS as well as domestic acts of lone wolf terrorism. The more important question is what can be done about tackling this issue. Firstly, there is a need to better understand the discourses and recruitment process of groups like Islamic State. Not all individuals are equally at risk, those disengaged from society and disaffected are at a higher risk. This goes well beyond disaffected muslims to include anti government supporters, hackers, those attracted to violence, individuals who feel betrayed and isolated and so
â€˜...there is a need to better understand the discourses and recruitment process of groups like Islamic State. Not all individuals are equally at risk, those disengaged from society and disaffected are at a higher risk. This goes well beyond disaffected muslims to include anti government supporters, hackers, those attracted to violence, individuals who feel betrayed and isolated and so on.â€™ on. These types of groups need to be also monitored on social media especially for the presence of recruiters. Secondly, there is a need to challenge these discourses and techniques with counter discourses. Any measures used by the government in dealing with this issue will be turned into propaganda, especially highlighting the grievances of Muslims. Such propaganda can in many cases be preempted and addressed. The only issue with this approach is that many times individuals are well isolated from such counter discourses unless they can be identified and targeted early. Once individuals show adequate affiliation, they tend to be redirected to specific pages or sites to better engage and more importantly isolate individuals with the necessary discourses of jihad and martyrdom. Thirdly, there is a need to deal with the broader issue of the success of the Islamic State. The development of an Islamic Caliphate under Sharia Law is the goal of Islamic extremism and such an ideal is seen as worth joining. Clearly, this complex geo-political situation must also be addressed which is beyond the scope of this article. Nonetheless, events on the ground are reflected on social media with virtually unlimited scope for the production of promotional video material for YouTube. Most importantly, based on the current situation, most political scholars agree that this is going to be a long term process and at this stage the risk posed by Islamic extremism will not subside in the foreseeable future. Fourthly, the work of the government in dealing with this issue must also be acknowledged. The tough line drawn sends a clear message that joining or supporting an organisation like Islamic State is not acceptable in Australian Society. Airport screening and cancelling passports, challenging the notion of citizenship and enabling new legislation all provide greater scope in tackling the issue. While it is acknowledged that these measures will not always serve as a deterrent given that many who travel over are prepared for martyrdom, it has significantly increased the chance of stopping those wanting to go over and also serves to prevent further radicalisation of others if these individuals try to return. The final point covers the broader issue of online radicalisation and extremism. While the number of Australians who have joined IS is alarming, what is more concerning is the significant number of online sympathisers of Islamic State. These are individuals who in most cases would not travel overseas or be a part of a terrorist plot themselves, yet they play an important role in online radicalisation and recruitment. Essentially, these individuals
provide the framework for an online institution in which radicalisation and recruitment take place. In addition, they create a sense of solidarity amongst IS supporters especially in relation to key events including both IS setbacks and victories in Iraq and Syria. More concerning is the fact that many of these are young people are still in the stages of identity formation. While intelligence agencies are working hard to monitor potential threats, the voluminous nature of online material on social media makes it extremely difficult to focus on everything but the most pressing threats. Consequently, it is important for all Australians to watch out for our young people especially those who have spend a great deal of time with them. Whether formal monitoring programs arise or not, there is a need for everyone to watch for signs of withdrawal, radicalisation, intolerance and intent. Most importantly, this is not limited to Muslim populations, it is an Australian issue where those from any background are potential recruits especially marginalised individuals. Hence a top down approach is also needed. Even highly educated professionals such as doctors and engineers are joining IS to help the State to function. The Muslim community are already playing a critical part in educating young people about the dangers of extremism with bottom up community approaches. What is challenging is that radicalised individuals tend to disengage from mainstream society and therefore early identification and intervention stemming from those who work closely with them is critical. In conclusion, the threat posed by IS appears to be a fairly long term threat and includes recruitment to travel overseas or to conduct lone wolf attacks. The Federal Government has already taken a number of very significant and effective measures aimed at preventing individuals from travelling overseas as well as increased monitoring and surveillance of potential threats. Better understanding of radicalisation processes and a broad approach to watching the risks posed to young Australians from all backgrounds is also needed for long term management of this issue.
Australian Security Magazine | 39
Available online! See our website for details
1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE
Get each print issue per year for only $88.00 SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, 6 issues (1 year). ☐
Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag), 6 issues (1 year).
No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.
www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)
40 | Australian Security Magazine
PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155
FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059
GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.
Antaira Technologies 8-Port PoE+ Gigabit Unmanaged Switch Line
The IronKey H350
To have your company news or latest products featured in our TechTime section, please email firstname.lastname@example.org
Latest News and Products Australian Security Magazine | 41
TechTime - latest news and products
Honeywell digital video manager helps improve operator efficiency and mitigate business risk The Latest release of smart surveillance software helps boost reliability and enhance operator efficiency with mobile and voice control. Honeywell has announced enhancements to Honeywell Digital Video Manager (DVM). The latest release, DVM R600, will enable organisations to more efficiently manage their security system with enhanced mobile capabilities and voice command, and mitigate business risk via support for current IT platforms. Major updates to DVM include enhanced system access and usability, which are designed to improve operator efficiency and reaction time. Security personnel now can access high-definition, full-frame-rate video on a mobile device, for example, enabling continuous monitoring from almost any location. Operators can also control DVM using voice commands to more easily manage multiple video feeds and request near-real-time system updates. “Every second is important to an organisation when an incident occurs and security staff must take immediate action if there is a threat,” said John Rajchert, president of Honeywell Building Solutions. “The latest update to DVM helps operators quickly identify and react to an issue to help mitigate the impact to safety and business continuity — no matter if they are in front of a central workstation or on the opposite side of a campus, connected with a smartphone.” Along with an improved user experience, DVM R600 promotes IT integration and compliance with support for current Microsoft operating systems and databases, including Windows Server 2012, Windows 8.1, Internet Explorer 11 and SQL Server 2014. (Windows Server 2003 is not recommended because security systems running on the platform could be vulnerable to breaches since it’s no longer supported by Microsoft, as reported, and will not receive further updates.) In addition, DVM R600 allows customers to deploy and intelligently group multiple back-up servers to boost system robustness, which helps protect surveillance systems from failures. Other DVM upgrades focus on: Speeding data collection — Security operators can export footage from multiple camera feeds in unison to streamline incident response and workflow, and quickly collect and archive forensic data in the event of an incident. Reducing storage requirements — Dynamic
42 | Australian Security Magazine
recording enables the system to capture critical video under higher frame rates, while collecting less important footage at lower frame rates, trimming storage requirements and costs up to 40 percent. “Our surveillance system has always been robust, utilising hundreds of cameras throughout both our facilities to promote visitor safety and security,” said Tom Owen, operations manager for Brookfield Global Integrated Solutions, which manages the Melbourne Convention and Exhibition Centre in Australia. “However, the IT infrastructure required large storage capacity and as many as 15 standalone PC servers. We have cut our costs significantly with DVM R600 by using the system’s singleserver virtual machine environment, and intelligent redundancy of storage, processing and memory. The new architecture has also helped lower life-cycle and maintenance costs.” DVM is a component of Honeywell Enterprise Buildings Integrator (EBI), an awardwinning building management system that ties all aspects of a security solution together,
including video surveillance, access control and intrusion detection. EBI also integrates comfort, life safety, energy and other core facility controls providing users a single point of access to the essential information and resources needed to monitor, manage and protect a facility, campus or multi-site operation. As a result, security operators have optimised visibility and intelligence, and the ability to deploy their staff and resources more efficiently and effectively. For more information, visit buildingsolutions. honeywell.com, follow HoneywellBuild on Twitter and join the Honeywell Connected Buildings group on LinkedIn. Honeywell (www.honeywell.com) is a Fortune 100 diversified technology and manufacturing leader, serving customers worldwide with aerospace products and services; control technologies for buildings, homes and industry; turbochargers; and performance materials. For more news and information on Honeywell, please visit www.honeywellnow.com
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
Senstar’s perimeter intrusion detection sensors now certified with lenel Onguard 7.0 Senstar has announced its Network Manager alarm reporting system has been certified with Lenel’s OnGuard 7.0 access control security system, as part of Lenel’s Open Access Alliance Program (OAAP). Network Manager is a software gateway which allows communication with a wide array of Senstar sensors, including FlexZone, FiberPatrol, OmniTrax and UltraWave. The interface provides two-way communications, with the OnGuard system receiving alarm and status information from Senstar sensors and enabling the control of local lighting and audible alerts by managing device relays. Using the alarm information, the full range of the OnGuard system’s security responses can be initiated, including commanding camera actions and providing visual and audio alerts. Network Manager’s interface with OnGuard eliminates risk of software incompatibilities
arising during site commissioning. It also reduces equipment costs by eliminating the need for relay cards and alarm panels. Stewart Dewar, Senstar’s Product Manager, said: “Interfacing Network Manager with OnGuard allows both Senstar and Lenel to provide a robust offering for customers with options to create a security solution that best meets their needs.” Senstar has been part of the OAAP since 2013. Network Manager / OnGuard interfaces now cover versions 7.0, 6.6, 6.5, and 6.4.500. About Network Manager Network Manager is a powerful IP-based alarm reporting system for Senstar’s sensors. Senstar’s perimeter intrusion detection systems (PIDS) have an integrated sensor networking capability that provides a two-way communication channel between sensors
and the control room. The software provides a common interface through which third party head-end security management systems (SMS), perform communication to the sensors. About Senstar Corporation Senstar, the trusted innovator safeguarding people, places and property, has been manufacturing, selling and supporting the world’s largest portfolio of perimeter intrusion detection sensor technologies for more than 30 years. Senstar is also a leading provider of life safety / emergency call solutions, as well as of a new line of solutions that protect security networks against cyber threats. Senstar’s products and solutions can be found around the world in more than 80 countries, in tens of thousands of sites including borders, ports, military and government, correctional facilities, and other critical sites.
Antaira Technologies extends 8-Port PoE+ gigabit unmanaged switch line Antaira Technologies is a leading developer and supplier of industrial device networking and communication solutions for harsh environmental applications and is proud to announce its expansion in the industrial PoE networking infrastructure family with the LNP0802C-SFP and LNP-0802C-SFP-24 series. Antaira Technologies’ LNP-0802C-SFP and LNP-0802C-SFP-24 series are 8-port industrial PoE+ gigabit unmanaged Ethernet switches, with a 48~55VDC high voltage power input (LNP-0802C-SFP) and a 12~36VDC low voltage power input (LNP-0802C-SFP-24). Each unit is designed with 6*10/100Tx on ports 1-6 that are IEEE 802.3at compliant (PoE+) with a power output up to 30W/port, and two gigabit combo ports (port G1~G2: 2*10/100/1000Tx RJ45 and 2*100/1000T SFP slots for fiber). Each series supports MDI/MDI-X functions, which makes it ideal for applications that demand high bandwidth and long distance communication. These product series provide a high EFT, surge (2,000 VDC), ESD (6,000VDC), and reverse polarity protection to prevent any unregulated voltage and can support the power redundancy feature using a dual power input design. There is also a built-in relay warning function to alert maintainers when power
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
failures occur. Antaira’s new LNP-0802C-SFP and LNP0802C-SFP-24 have been designed to fulfill special needs within industrial automation, outdoor applications, and extreme ambient weather environments. The IP30 rated LNP-0802C-SFP and LNP0802C-SFP-24 series are backed by a five year warranty. These units are compact, fanless, and DIN-Rail/wall mountable. Each unit is built to withstand industrial networking hazards
like shock, drop, vibration, electromagnetic interference (EMI). The unit also has temperature extreme version options for either a standard temperature range (-10 to 70°C) or an extended operating temperature range (-40 to 75°C). The LNP-0702C-SFP-24 model has dimensions of 46mm (W) x 142mm (H) x 99mm (D) and a unit weight of 1.5 pounds. For more product information please Contact: Elyse Wang email@example.com
Australian Security Magazine | 43
TechTime - latest news and products
ITS – Canon corner adaptor for safe custodial detention ITS Products has released an innovative flush corner-mount adaptor for the Canon mini dome series that allows the cameras to be installed in environments where there is a likelihood of physical attack. Locations such as police interview rooms, custody suites, secure mental hospitals and immigration centres make special demands of integrators with the twin challenges of ensuring maximum room coverage and factoring out possible ligature points for self-harm. ITS-S-CM-001 - CORRECT the triangular design of the new unit, combined with Canon’s wide-angle lens, deliver as complete a view of the room as possible and outperform more traditional solutions by eliminating the blind spot usually found immediately below the camera. ITS Products are aware that there are no Europe-wide standards on performance of cameras in these circumstances but individual countries and organisations such as health trusts, police, and border control forces impose stringent criteria on optical performance, flushness of mounting and resistance to impact. In the UK for example, the ACPO guidance on safe custodial detention emphasises the importance of designing out possible ligature points in any custody suite. Installers working in high-security environments will know that engineers are regularly accompanied on site by overseers to minimise the risk of tools being mislaid and appropriated by inmates. This is combined with laborious counting in and out of every item in an engineer’s toolbox. The new adaptor is installed by fitting a mounting frame complete with an IP-rated seal in the corner of the room. The installation can be enhanced by using anti-pick mastic that further prevents any risk of ligature points. The normal outer cover of the dome is discarded so as not to produce a second lens effect and safeguarding Canon’s market-leading optical performance. Installation is completed with three screws to secure the camera in place. Now fully integrated, the clamping bracket and dome are fitted back onto the front panel and fitted into the frame. The whole installation process takes a matter of minutes which is a great advantage compared with traditional offerings in facilities that are occupied by vulnerable or potentially disruptive residents.
44 | Australian Security Magazine
Installers will also appreciate that the mounting frame has a degree of flex which accommodates the fact that few corners form a perfect 90-degree angle. The minimal requirement for tools will appeal to any facilities manager securing a building where there is a potential for appropriation and misuse of tools by residents or inmates. The corner unit’s dome and the camera itself remain concentric so the optical performance is not compromised and there is no change to the focal point if a PTZ camera is being used. The dome is certified to be optically correct even when used with cameras of up to 5MP. ITS Products have anticipated the likelihood of casual vandalism and sustained physical attack on the unit by making the cast acrylic dome with a scratch-proof coating and the ability to withstand an impact specified by the IK10 rating. Installers will be aware of the need for optically correct corner units for quality control in machine vision applications. There is also provision for an integrated audio system within the unit’s design which requires local power. A flying lead is supplied ready to connect directly to the mini dome. Austin Freshwater, Pro-Imaging Director at Canon UK, said: “At Canon, we strive to work with partners to develop solutions that meet specific industry needs. Our mini dome range offers customers superior image quality
and functionality, within compact and discreet designs. Partnering the camera with ITS provides a solution for use in demanding niche verticals that offers a greater angle of view and greater protection for users.” Designed and manufactured by ITS Products in the UK, the new Corner Adaptor for the Canon Minidome is available through Canon authorised resellers.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
Zaplox mobile key services integrated with SALTO hospitality access control solution Global provider of advanced access control systems integrated to Zaplox’ streamlined cloud-based Mobile Key Services Zaplox has integrated its solution with SALTO Systems, providing hotels and their guests with unmatched convenience and superior satisfaction. As a result, Zaplox will be the first Mobile Key Services company to announce its integration with SALTO Systems. This strategic global partnership allows any property with SALTO BLE (Bluetooth Low Energy) enabled locks installed to easily implement mobile access functionality for their guests, while experiencing the unique operational benefits that Zaplox Mobile Key Services provide. Through the new technology integration with Zaplox, guests of properties with SALTO access control systems will now be able to use their smartphones for guestroom access, while allowing hoteliers to offer and promote revenue creating smart services with full customization and hotel branding on the Zaplox Mobile Key Services app platform. This wide range of ancillary services, which can be made available in the app, includes mobile check-in and checkout, room upgrades, restaurant bookings, room service, special offers and more. The user-friendly Zaplox Mobile Key Services app is easily downloaded and available for all major smartphone platforms. With recent industry research indicating that more than 70 percent of travelers would opt to use their smartphones as a check-in alternative, Zaplox Mobile Key Services allow guests to bypass the front desk altogether, saving them valuable time. Additionally mobile keys are highly secure, since a guest’s smartphone is less likely to be misplaced than a plastic keycard and typically is password protected. Should a guest lose their phone, mobile keys can easily be revoked and reassigned in real time by hotel staff. In less than 10 years, SALTO has become one of the world’s top five manufacturers of electronic access control systems. SALTO has a strong tradition of delivering the latest in guestroom access technology and has launched a series of innovations since it’s founding, raising the bar of guestroom security to new heights. By combining SALTO smart locks with Zaplox Mobile Key Services, hotels benefit from enhanced cost efficiencies through streamlined operations and revenue opportunities, allowing front desk staff to focus on other aspects of guest service and communication.
“We are thrilled to serve as the first mobile key app provider for SALTO Systems, as a result providing the company and its clients with an integration ready solution that is instantly available for commercialization around the globe,” says Magnus Friberg, CEO at Zaplox, “This is a very important collaboration for Zaplox, since it opens up new market possibilities together with an industry-renowned partner. We strongly believe that mobile keys and the additional services included will improve both guest loyalty and enhance the guest experience by making it smooth and comfortable.” “Research shows guest demand for the use of smartphones and apps as part of their hotel experience is increasing” says Jennifer Stack, Vice President Marketing SALTO Systems, “So this integration with Zaplox is perfectly placed to deliver an exciting range of benefits enabling them to enjoy all the advantages provided by integrated smart technology to maximize the flexibility and enjoyment of their hotel stay.” For more information on how Zaplox and SALTO Systems are revolutionizing mobile key services for hotels, please visit www.zaplox.com or www.saltosystems.com About SALTO Systems We’re driven by innovation. Guided by our insights into customer needs, we deliver industry-leading, next-generation electronic locking solutions without wires and without mechanical keys. Since 2001, SALTO has been redefining the access control world by continually being first to anticipate market needs in a rapidly
evolving marketplace. We set new standards in security, manageability and scalability. SALTO’s pioneering SVN platform provides stand-alone networked locking solutions. With its online and real-time technology, our marketleading XS4 platform enhances the usability of every building environment by securing virtually every door and enabling the monitoring and control of every user. Salto hardware and software can be networked without wires to provide real-time intelligence and instant control, whilst enabling integration with existing systems to improve manageability and enhance end-user experience. Having revolutionized access control around the world in sectors where security is critical – from airports and healthcare to government education and hotels – we continue to deliver the most advanced and flexible electronic locking solutions in the market. About Zaplox Zaplox operates globally, offering hotels and other commercial facilities efficient and secure mobile key services for opening doors with smartphones, in combination with revenue making services, all in one app and service platform. It is easy to use and works on all major smartphones, in both Apple and Android platforms. The Zaplox solution can support major locks, hotel systems and access systems, and can replace or coexist with key cards, code locks and physical keys. Zaplox was founded in 2010 in Ideon Science Park, Lund, Sweden, and is established in Europe and North America. For more information, please visit www.zaplox.com
Australian Security Magazine | 45
Cyber TechTime - latest news and products
Akamai Q2 2015 state of the internet – security report The Number of DDoS attacks has more than doubled compared to Q2 2014 and are megaattacks on the rise. An aggressive, multi-week Shellshock application attack, targeting a single customer, was responsible for 49% of web application attack alerts in Q2 2015. Akamai researchers uncover 49 new WordPress plug-in and theme vulnerabilities Akamai Technologies, Inc., has announced the availability of the Q2 2015 State of the Internet – Security Report. This quarter’s report, which provides analysis and insight into the global cloud security threat landscape, can be downloaded at www.stateoftheinternet.com/ security-report. “The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter,” said John Summers, vice president, Cloud Security Business Unit, Akamai. “Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated. By analysing the attacks observed over our networks, we’re able to identify emerging threats and trends and provide the public with the information to harden their networks, websites and application and improve their cloud security profiles. “For example, for this report, we not only added two web application attack vectors to our analysis, we also examined the perceived threat posed by the onion router (Tor) traffic and even uncovered some new vulnerabilities in third-party WordPress plugins which are being published as CVEs,” he said. “The more you know about cyber security threats, the better you can defend your enterprise.” DDoS attack activity at a glance For the past three quarters, there has been a doubling in the number of DDoS attacks year over year. And while attackers favoured less powerful but longer duration attacks this quarter, the number of dangerous mega attacks continues to increase. In Q2 2015, there were 12 attacks peaking at more than 100 Gigabits per second (Gbps) and five attacks peaking at more than 50 Million packets per second (Mpps). Very few organisations have the capacity to withstand such attacks on their own. The largest DDoS attack of Q2 2015 measured more than 240 gigabits per second (Gbps) and persisted for more than 13 hours. Peak bandwidth is typically constrained to a 46 | Australian Security Magazine
one to two hour window. Q2 2015 also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. That attack volume is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs). DDoS attack activity set a new record in Q2 2015, increasing 132% compared to Q2 2014 and increasing 7% compared to Q1 2015. Average peak attack bandwidth and volume increased slightly in Q2 2015 compared to Q1 2015, but remained significantly lower than the peak averages observed in Q2 2014. SYN and Simple Service Discovery Protocol (SSDP) were the most common DDoS attack vectors this quarter – each accounting for approximately 16% of DDoS attack traffic. The proliferation of unsecured home-based, Internetconnected devices using the Universal Plug and Play (UPnP) Protocol continues to make them attractive for use as SSDP reflectors. Practically unseen a year ago, SSDP attacks have been one of the top attack vectors for the past three quarters. SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011. Online gaming has remained the most targeted industry since Q2 2014, consistently being targeted in about 35 percent of DDoS attacks. China has remained the top source of non-spoofed attack traffic for the past two quarters, and has been among the top three source countries since the very first report was issued in Q3 2011. At a glance Compared to Q2 2014 • 132.43% increase in total DDoS attacks • 122.22% increase in application layer (Layer 7) DDoS attacks • 133.66% increase in infrastructure layer (Layer 3 & 4) attacks • 18.99% increase in the average attack duration: 20.64 vs. 17.35 hours • 11.47% decrease in average peak bandwidth • 77.26% decrease in average peak volume • 100% increase in attacks > 100 Gbps: 12 vs. 6 Compared to Q1 2015 • 7.13% increase in total DDoS attacks • 17.65% increase in application layer (Layer 7) DDoS attacks • 6.04% increase in Infrastructure layer (Layer
• • • • •
3 & 4) attacks 16.85% decrease in the average attack duration: 20.64 vs. 24.82 hours 15.46 increase in average peak bandwidth 23.98% increase in average peak volume 50% increase in attacks > 100 Gbps: 12 vs. 8 As in Q1 2015, China is the quarter’s top country producing DDoS attacks
Web application attack activity Akamai first began reporting web application attack statistics in Q1 2015. This quarter, two additional attacks vectors were analysed: Shellshock and cross-site scripting (XSS). Shellshock, a Bash bug vulnerability first tracked in September 2014, was leveraged in 49% of the web application attacks this quarter. However, 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter. Since Shellshock attacks typically occur over HTTPS, this campaign shifted the balance of attacks over HTTPS vs. HTTP. In Q1 2015, only 9% of attacks were over HTTPS; this quarter 56% were over HTTPS channels. Looking beyond Shellshock, SSQL injection (SQLi) attacks accounted for 26% of all attacks. This represents a greater than 75% increase in SQLi alerts in the second quarter alone. In contrast, local file inclusion (LFI) attacks dropped significantly this quarter. While it was the top web application attack vector in Q1 2015, LFI only accounted for 18% of alerts in Q2 2015. Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL injection using OGNL Java Expressing Language (JAVAi), and malicious file upload (MFU) attacks combined accounted for 7% of web application attacks. The analysis showed that 99% of the attacks were sourced from non-Tor IPs. However, 1 out of 380 requests out of Tor exit nodes were malicious. In contrast, only 1 out 11,500 requests out of non-Tor IPs was malicious. That said, blocking Tor traffic could have a negative business affect. However, legitimate HTTP requests to e-commerce related pages showed that Tor exit nodes had conversion rates on par with non-Tor IPs. Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
26 - 28 April 2016 | Sands Convention and Exhibition Centre, Singapore
AUSTRALIA AND NZ PAVILION
LIMITED SPACE AVAILABLE Back in its third year, SMART Facilities Management Solutions is the region’s most comprehensive trade event servicing the facilities management industry. SMART FMSE 2016 provides an arena for suppliers, end users and professionals to network, exchange knowledge, share best practices and stay updated on the latest industry needs for future readiness, advice
PREMIUM EXHIBITION SPACES AVAILABLE! My Security Media in partnership with the SMART Facilities Management Expo are pleased to offer you prime exhibition space at next year’s event. This dedicated pavilion space is specifically for Australian and New Zealand companies. If you wish to participate and exhibit at a prominent international security event – this is your opportunity. The space is available as a whole (120m²) or as 10 pavilion booths (12m² each) – whatever you require. As an exhibitor you will obtain more than just visibility during the Expo: • Increased brand awareness and recall • The opportunity to leverage pre and post event media coverage with My Security Media • Be part of the print and online campaigns in our Magazines and Trade publications • Be part of our public relations campaigns through press conference – gain press covered through our strong relations with local and regional media
on all aspects of the aftercare and maintenance of facilities, and background in design and construction for better integration.
Please call or email us to book your space at this exclusive event: 08 6361 1786
WHITE PAPER PICKS
NUIX WHITE PAPER
PROTECTING CRITICAL-VALUE DATA FROM THE INSIDE Designing and implementing an insider threat program
by Keith Lowry and the Nuix Business Threat Intelligence and Analysis Team
WHITE PAPER Protecting critical value data from the inside Bakuei Matsukawa David Sancho Lord Alfred Remorin Robert McArdle Ryan Flores Forward-Looking Threat Research Team NUIX WHITE PAPER
INFORMATION GOVERNANCE: Building business value from dark data Using powerful new technologies and defensible processes, information managers can comprehensively search, understand and govern the vast volumes of unknown, unstructured data their organisations store. This reduces storage, eDiscovery and investigation costs, fixes records management shortcomings, de-risks organisations and opens up new sources of business value.
Information Governance Building business value from dark data www.nuix.com
48 | Australian Security Magazine
his first white paper by the Nuix Business Threat Intelligence and Analysis Team provides how your organisation can develop a proactive insider threat mitigation program that combines three key elements: • Understand and Focus • Protect and Disrupt • Deter and Detect More than one-third of all cybercrime incidents and security breaches are caused by insiders. Insiders have many motivations, including financial, political or emotional. But no matter the reason, insiders inappropriately access an organisation’s critical value data. For example, in May 2015, the US Justice Department filed charges against six Chinese nationals who had taken jobs at Silicon Valley microelectronics companies to steal trade secrets relating to acoustic filters for mobile telephones. They used this stolen technology to produce their own filter circuits which they sold to military and commercial customers in China. Although there are few publicly known examples of insider breaches in Australia, it does not necessarily follow that such events are uncommon. Australia has no mandatory data breach notification laws so it is likely many incidents go unreported. Organisations can become more proactive by broadening the scope of cybersecurity activities from traditional perimeter defences to a set of policies and processes that limit opportunities for insider breaches and make it easier to identify threat actors. The focus is on mitigating insider threats by quickly and efficiently answering the question of who within the network intends on doing us harm and to combine ‘understand and focus’, ‘protect and disrupt’ and ‘deter and detect’ elements to create an organisation-wide environment focused on defending against insider threats. INFORMATION GOVERNANCE: Building business value from dark data Data means different things to different groups within an organisation. • Content creators see data in the context of productivity. They want to generate material quickly and re-use it where they can, so they can generate revenue or save costs. • Executives’ main concern is making shareholders and other stakeholders happy by reducing costs, increasing profit margins and keeping the organisation safe. • Compliance officers – legal and records managers – aim to protect the business. Their main concern is if something goes wrong, how they can demonstrably put it right.
IT departments have no idea what storage systems contain, but are concerned about getting enough budget to keep storing it.
These differing viewpoints lead to conflicts. For example, solicitors often believe it is safest to retain all data in case it is relevant for current or pending litigation. They are mostly driven by a fear of court sanctions for spoliation. However, they don’t recognise that keeping so much data stretches IT department budgets to breaking point and makes information management dramatically more difficult. Approximately 80% of the data organisations store is unstructured – email, social media, instant messages and other communications, documents, images, audio and video. This data has been growing faster than the ability to manage it. As a result, organisations cannot say for sure how much information they have, where it is or what secrets and risks it contains – it is effectively ‘dark data’. This pressing issue affects most organisations today. However, they rarely make an effort to resolve it until they face a ‘trigger event’ such as major litigation or regulatory action. Only then do they find they cannot respond quickly, thoroughly or cost-effectively to information requests. Addressing this situation requires a change in approach. Organisations must realise they cannot rely on content creators or records managers to classify all content. Instead, they must embrace advanced technology tools and processes to enable information managers to search and govern all their unstructured data consistently and repeatedly. This takes place in four stages: • Providing visibility into the volume, location, format, ownership and content of all data stored across the organisation. • Using this visibility to thoroughly analyse the data in selected repositories using a variety of powerful and defensible techniques. • Acting on this analysis by flagging, connecting, quarantining, copying, migrating or disposing of the data identified. • Re-using the technologies and processes that enabled the first three stages to manage the ongoing creation of data and maintain an ‘evergreen’ state, and then leveraging these investments to conduct further information governance exercises. Organisations store so much legacy data, it is not practical for information managers to manually apply policies to it. Rather information governance is about building systems and rules to remediate legacy data and applying those policies to all data created in the future.
CIOs, IT Leaders and decision makers • Big data • Communications • Cloud computing • Technology systems • Interviews with industry thought leaders plus much more.
PROTECTING BUSINESS AND GOVERNMENT WORLDWIDE. • • • • •
Cyber Security Solutions Advanced Threat Intelligence and Investigation Sophisticated Cyber Analytics Managed Security Services Cyber Security Consulting Services
For more information, contact us at firstname.lastname@example.org
baesystems.com/ai twitter.com/baesystems_ai linkedin.com/company/baesystemsai
The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is dist...
Published on Sep 4, 2015
The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is dist...