Australian Security Magazine, Oct/Nov 2015


Print Post Approved PP255003/10110

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Oct/Nov 2015

SKILLS CRISIS FEATURE

SPECIAL EVENT WRAP UPS

The human element in information protection

AISA National Conference, Melbourne

The cult of the aware

Security in Government, Canberra

Why executives need to be much muchier

ASIS International Annual Seminar, Anaheim, USA

Taking business security sky-high

ISACA State Conference, Perth

$8.95 INC. GST

PLUS

TechTime l Cyber-TechTime

Radicalisation Process – Part III The paralysis over Syria




Contents

Editor's Desk 3

International
ONVIF Profile for advanced access control configuration 4
The paralysis over Syria 6

Counter Terrorism
Radicalisation process ‘a cultural and religious insight’ 8

National
Global logistics: Securing the supply chain 11
The big picture of security planning for major sporting events 14
We can all help to keep Australia safe from terrorism 17

Regional
The 61st ASIS International global security event, Anaheim USA 18
Highlights from the 2015 Security in Government Conference 20
AISA National conference Melbourne 22
BAE Systems Applied Intelligence Feature 28
Looming large & long: Response to a cyber security skills shortage 30
The human element in information protection 32
The cult of the aware 36
Taking business security sky-high 38
Why executives need to be much ‘munchier’ 40
Women in security
Techtime - the latest news and products 45

Executive Editor / Director Chris Cubbage
Director / Co-founder David Matrai
Marketing Manager Kathrine Pecotich
Art Director Stefan Babij

Correspondents Sarosh Bana Kema Johnson

MARKETING AND ADVERTISING 2016 Media Kit Available T | +61 8 6361 1786 promoteme@australiansecuritymagazine.com.au

SUBSCRIPTIONS T | +61 8 6361 1786 subscriptions@mysecurity.com.au

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Page 8 - Radicalisation process ‘a cultural and religious insight’

Page 18 - The future of unmanned aerial surveillance

Page 32 - Looming large and long: Response to a cyber security skills shortage - Cover Feature

Cyber Security

Think like a criminal - with Melissa Wilkey 42

OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions. CONNECT WITH US

Copyright © 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au

Correspondents* & Contributors

www.facebook.com/apsmagazine www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

Leon Hill

Suresh Raman

Andrew Cooke

Mike Nisbet

Ilya Umanskly

Tony Hayes

Steve Simpson

Anooshe Aisha Mushtaq

Adrian Whelan

James Wootton

Kema Johnson*

Sarosh Bana*

www.asiapacificsecuritymagazine.com | www.drasticnews.com | www.chiefit.me | www.youtube.com/user/MySecurityAustralia | www.cctvbuyersguide.com

2 | Australian Security Magazine


Editor's Desk

“The real problem today is the number of inherent vulnerabilities. Cyber espionage is at pandemic levels and we are fundamentally about reaction” - Ashar Aziz, Founder and Chief Strategy Officer for FireEye, 14 November 2015

Welcome to the concluding edition of the Australian Security Magazine for 2015 and we finish the year with a wrap up of a number of the industry’s key events and articles on the Syrian crisis, radicalisation, sporting events security, supply chain security, chemical security, emergency management, cyber security and our Women in Security interview is with the Head of Security for the ANZ Bank. Coincidently it was the ANZ Bank cyber security team who featured prominently at the AISA awards and we have a special AISA conference interview series, including an interview with Patrick Heim, the Head of Trust and Security for Dropbox.

The key take away from speaking with people across the security industry is, as our cover suggests, a looming skills shortage in the cyber security domain. Like in the physical world, cyber security will remain subject to the human element and the development of cyber security skills is a long term issue that needs to be closely monitored and improved into 2016 and beyond. Indeed it is the development of ‘security skills’ into the future that will require learning across the physical and cyber technologies and across disciplines to form a much more widely informed and multi-skilled security professional.

As Patrick Heim confirmed there is a massive amount of abuse and attacks going on, with the pattern of attack highly centred against users themselves and focused on stolen passwords. He said, “There is a recurring pattern where companies get compromised on the Internet and criminals crack passwords from those compromises and then they test those passwords to see if they can get access. We see this activity on a massive scale.”

The encouraging aspect to the year has been the appointment of Malcolm Turnbull as Prime Minister and an immediate move away from the divisive ‘Team Australia’ slogan and a change of rhetoric towards a more community engagement focus and most importantly engaging with youth at risk and across the education system, in particular in NSW and Victoria. The NSW Government has announced a $47m program, following Victoria’s $25m program aimed at identifying vulnerable youth and providing support.

At the same time, Police unions stood together calling for improved officer safety and the development of national, central case management databases. Interestingly, Queensland Police are subject to review for focusing more on bikies than paedophiles and in the west, WA Police are grappling with the challenges from the lack of technology, dubiously seeking the market to disclose their capabilities first, before deciding how to disparately connect CCTV systems together, from across the state.

And on that note, as always, we provide some thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Yours sincerely,
Chris Cubbage CPP, RSecP, GAICD
Executive Editor



Profile A for advanced access control configuration & features

Profile A, ONVIF’s newest profile released in September of this year, addresses physical access control features and configurations. Profile A is ONVIF’s second access control profile. ONVIF’s first access control profile, Profile C, was launched in March of 2014. Profile A was developed to expand the feature set and configurations related to credentials, access rules and schedules and to address broader use case scenarios and a larger segment of end users.

Profile A aims to cover the most common day-to-day activities of an access control system and its access points. It benefits users, such as security guards, receptionists, human resources departments and security officers by expanding access to the system. Profile A conformant clients and devices allow the configuration of devices via a client such as an event/access management platform, which in part makes this broader access to the system possible. Configuration via the client saves time and simplifies installation for integrators. Profile A also makes video/access control integration with Profile S devices and clients much easier.

Profile C extends the functionality of the ONVIF global interface specification into the physical access control arena, and enables interoperability between clients and devices of physical access control systems (PACS) and network-based video systems. Profile C targets integrator, specifier and consultant users. Its goal is to help the users more easily deploy an integrated IP-based video and access control solution using a variety of brands. The shared compatibility between edge devices and clients helps simplify installation, reduces the need for multiple proprietary monitoring systems and simplifies user training.

As part of a physical access control system, Profile C conformant devices provide information about doors and access points. Profile C conformant clients monitor doors, access control decisions and alarms, such as an open door, change of state or an alarm generation, and provide basic door control functions, like granting access and locking/unlocking doors. When combined with Profile S for video and audio streaming, users can also group together and configure related access control and video devices. Profile C device configuration needs to be performed on the conformant device itself.

Profile A was created in response to feedback from ONVIF members and the physical security industry at large, asking for a more advanced access control profile. It expands the feature set of Profile C to include the day-to-day operations of configuration of credentials, access rules and schedules, along with Profile S video management systems. Integration with video can be performed on the Profile A conformant client.

With Profile A, human resources and other departments can add employees to the access control system, grant and revoke access, reset anti pass-back, and report stolen or lost cards. Departments can also provide temporary access, for example when an employee is temporarily working from a remote satellite office. Profile A features an employee leave feature for when an employee is on a long break, such as a leave of absence. His/her credentials can be temporarily disabled.

Profile A is currently in Release Candidate status. ONVIF circulates new profiles first as a ‘Release Candidate’ for six months, allowing members and stakeholders a final implementation review. When that process is complete, the final profile is published and technology providers are able to test their products for conformance to the final version of Profile A. This process is intended to allow members to more quickly introduce conformant products when the final Profile A is released in early 2016. For more information, please visit ONVIF’s website.

Suresh Raman of Siemens Technology and Services Private Limited is the chair of ONVIF’s Profile A Working Group.

By Suresh Raman




International

The paralysis over Syria

The refugee crisis cannot be resolved without tackling Syria’s conflict

by Sarosh Bana ASM Correspondent

There is turbulence in the Eurozone and its disquieting genesis lies in the protracted civil war in Syria, some 1,200 km away to the east. As Europe’s demography and ethnicity are poised to be transformed by the relentless influx of those fleeing the conflict to seek refuge on the Continent, the international community needs to brazen out a resolution of the Syrian campaign as much as it will need to cope with the surging asylum-seekers.

With the deadly impasse having endured for the past four years and nine months, rivals United States and Russia are now seeking to outmanoeuvre each other in gaining an upper hand on the crisis. The US-led coalition’s perceived ineffectiveness against both the authoritarian Bashar al-Assad regime in Syria and the Islamic State (IS) jihadi militants who now control half of that country finally emboldened Russia to move in briskly on 30 September, in its first military operation beyond the boundaries of the former Soviet Union since the end of the Cold War. Starting with aerial attacks against rebel forces ranged against Assad who is its staunch ally, Russia is now targeting IS encampments and already claims to have smashed the control and logistic network of the terrorist organisation.

With the US’s 2,410 airstrikes against IS-held areas since 23 September 2014 seen to have had little impact, President Vladimir Putin is rallying other countries to join a Russia-led co-ordination centre that will share intelligence between his country’s armed forces and Syria, Iran and Iraq. While he seeks Assad’s ouster, President Barack Obama claims the US-led coalition comprises 60 countries, with 24 of them actively participating in the military operations. The two superpowers will be queering the pitch as each will be loath to join the other’s coalition – to avoid submitting to the other’s command - and will also be hesitant to articulate their respective strategy in Syria. While the Americans see an end to the conflict through regime change in Syria, Moscow sees a solution in the annihilation of Assad’s opponents.

The conflict in Syria swirled in January 2011 as another Arab Spring uprising against the autocratic rule of Assad and escalated into a full-blown civil war between the protestors and the Presidential loyalists as well as between them and IS. Over 220,000 Syrians have been slain in the internecine skirmish that has internally displaced 7.4 million inhabitants and sparked the mass exodus of 4 million others.

As distraught migrants surge in primarily from war-torn Syria and occasionally from other conflict zones in the Ukraine, Iraq, Eritrea, Yemen, Afghanistan and sub-Saharan Africa, an alarmed European leadership is striving for a consensus on ad hoc measures that can at best contain this calamity. Challenged by the worst refugee crisis since the last War, leaders of the 28-member European Union (EU) have pledged €1 billion ($1.1 billion) for international agencies assisting refugees at camps near their home countries. The EU has also approved a plan to relocate 120,000 migrants across Europe, on top of the resettlement of 40,000 refugees who have arrived in Greece and Italy. The eventual costs of identifying refugees and integrating



them socially, linguistically and culturally within Europe, educating their children, and providing them jobs, medical aid and housing will be staggering as their numbers swell. The International Organisation for Migration estimates a record 522,124 people to have crossed over into Europe this year, more than 388,000 of them having entered via Greece. Syrians constituted over 181,710 of them, the largest single refugee grouping. While the US has resettled 140,000 Iraqi refugees in the six years since 2009, US Secretary of State John Kerry now says the number of overall refugees taken by his country will rise from 70,000 this year to 85,000 next year and to 100,000 in 2017. As the international security arbiter, the 15-member UN Security Council should have been seized much earlier of this Syrian conflict than have allowed it to fester so long. It has, however, been thwarted by Russia and China, two of its influential permanent members, which have all along safeguarded their ally Assad – who has been President since 2000 - by vetoing resolutions on four occasions to deflect action against his government, when the 13 other Council members have voted affirmatively. The UN-mandated Independent International Commission of Inquiry on Syria has found continued atrocities by both the Syrian government and terrorist groups such as the IS and the Jabhat al-Nusra, the al-Qaeda affiliate in Syria that is fighting against the Assad government. There was also evidence of the use of chemical weapons in the civil war. Other atrocities have included direct attacks against civilians, summary killings, systematic bombardments and prolonged sieges of predominantly civilian areas that have led to deaths from starvation and from lack of adequate medical care, and widespread torture and even rape of women and children in detention centres. 
Finding refuge in Europe would, however, disadvantage the asylum-seekers in the long term as they would be better placed to be assimilated in countries with which they are more ethnically, culturally, linguistically and traditionally aligned. An Amnesty International (AI) report notes that

Turkey, Lebanon, Jordan, Iraq and Egypt have hitherto together hosted 3.8 million refugees from Syria – a country with a population of 22.5 million and a territory measuring 185,180 sq km - with the first three countries having shouldered most of the responsibility. As a result, one in every five people in Lebanon is a Syrian refugee. There has been no offer whatsoever to resettle any Syrian refugees by the prosperous six-member bloc of the Gulf Cooperation Council (GCC) - Arab countries like Syria and comprising Saudi Arabia, Qatar, Kuwait, the seven United Arab Emirates (UAE), Oman and Bahrain. With an average per capita Gross National Income (GNI) of $68,702, these affluent countries with huge expatriate populations have a cumulative population of 48.6 million living across a total geographical area straddling 2.4 million sq km, making a population density of 20.25 persons per sq km. In contrast, with per capita GNI of $35,672, almost half that of the GCC’s, the 28-member EU has six times the population density, of 121, with a combined population of 508.2 million inhabiting 4.2 million sq km. The UN should be appealing to the GCC governments on humanitarian grounds to accept the refugees and to act in accordance with their international obligations, though they are not signatories of the UN’s 1951 Refugee Convention, the key international legal document relating to refugee protection. Russia and China are two other countries that should share the refugee burden, having impeded efforts towards resolving the Syrian crisis. While China is the world’s most populated country, with 1.39 billion inhabitants, it is also the world’s fourth largest, with a land area of 9.6 million sq km, making for a population density of 139.54 people per sq km. Russia is by far the world’s largest country, with an area of 17.08 million sq km, but a population of just 142.8 million, a density of 8.4. 
While the world has stood by as the Syrian disaster has unfolded, the resultant humanitarian crisis now compels a more definitive action to resolve it.



Counter Terrorism

Radicalisation process “a cultural and religious insight”

Using her own experience as a case study, in a three part series, Anooshe Mushtaq explores the experiences of Muslim migrants and offers a perspective on the religious and cultural drivers of Muslim radicalisation in Australia. Anooshe identifies key Islamic teachings used by extremists to target recruits and argues that cultural patterns of behavior in the migrant community make some Muslim migrants more susceptible to these radicalisation messages. She observes the shortcomings of the recently adopted measures to combat radicalisation and why they are less effective than expected due to policy makers’ inadequate understanding of the interplay of religion and culture in Muslim communities. In conclusion, Anooshe argues that policies to combat radicalisation must be designed to address both its religious and cultural drivers, best achieved by involving trusted members of the Muslim community in policy design and implementation.

By Anooshe Aisha Mushtaq

Radicalisation Process

I would like to explain some of the messages promoted by the international Islamic militant groups, though I will first discuss some important Muslim symbols and terminology. I will start with the five basic acts in Islam that are considered mandatory by believers and are the foundation of Muslim life. The five pillars of Islam are:

1. Shahadah: declaring there is no God except God, and Muhammad is God’s Messenger
2. Salat: ritual prayer five times a day
3. Zakat: giving 2.5% of one’s savings to the poor and needy
4. Sawm: fasting and self-control during the holy month of Ramadan
5. Hajj: pilgrimage to Mecca at least once in a lifetime if one is able

The most important out of all these pillars is the Shahadah (“the testimony”) because militant groups who are trying to radicalise moderate Muslims use this symbol to evoke an emotional connection and show power and authority. There are many discussion papers and news articles trying to explain the messages promoted by the militant groups to attract recruits via social media. I will share with you some thoughts about how Islamic State target their recruits based on my understanding of culture and religion. Some of the key messages which the militant groups are promoting are “Simple” when it relates to the points I made earlier in my speech where I mentioned how “Imams and authority figures use the culture and religion to manipulate the moderate Muslims”.



‘la ilaha illallah muhammadur rasulullah’
‘THERE IS NO GOD ONLY ALLAH, MUHAMMAD IS THE MESSENGER OF ALLAH’

This flag represents “kalimat at-taiyibah”. Kalima is the declaration of faith. In Islam it’s known as the first Kalima, “kalimat at-taiyibah”. This is equivalent to the Shahada (“the testimony”), which is the first pillar of Islam. The “black flag of jihad” has been used by jihadist militant groups since the late 1990s. The Wahhabi religious movement has used the “Shahada” on their flags since the 18th century.

Why Islamic State (IS) is using Kalima Tayyiba on their flag? Kalima Tayyiba, as I mentioned, represents Shahada, which is the first pillar of Islam. This is their “logo” and is a powerful message in the Muslim world. Presenting this Kalima definitely attracts the attention of Muslims. Islamic State recruitment messages are highly polished, highly choreographed, and present a highly persuasive message, and one of them is the flag.

It was interesting to read the news article where Julie Bishop said that young women leaving the comfort of their homes to join the violent regime “defies logic”. It might defy logic for the western world but for Muslims moving towards radicalisation it’s pretty logical and it’s beneficial in the long run because it is linked to rewards in Jannah and the afterlife (Jannah: “heaven” after death). As Muslims we are taught to work hard in this life for those rewards and do whatever it takes to earn a place in Jannah.

“Julie Bishop told parliament that ‘the Coalition government is committed to countering the propaganda that terrorist groups are spreading online, but family and friends are likely to be the first to see changes in young people who are radicalising’. As to the issue of ‘why’ young women might leave the comfort of their homes in Australia to join such a violent regime, Bishop said that such a decision ‘defies logic’.”

I would like to examine some of the key messages which Islamic State is promoting via social media to attract the women and men from the west. In February 2015, these key messages convinced the three British schoolgirls who decided to join Islamic State militants in Syria. I will highlight some Islamic concepts and the authority they hold in the Muslim community.

• Islamic Call: A number of Islamist political parties and mujahideen call for the restoration of the caliphate by uniting Muslim nations, either through political action or through force. Various Islamist movements gained momentum in recent years with the ultimate aim of establishing a Caliphate. In 2014, ISIL/ISIS made a claim to re-establishing the Caliphate. (Source: http://en.wikipedia.org/wiki/Caliphate#Islamic_call)

• The concept of Ākhirah - “al-Qiyamah” (Arabic: the Islamic Day of Judgment). Akhirah lies in Jannah (heaven) and Jahannam (hell) on the basis of the weight of either ‘good’ or ‘bad’ deeds. The authority figures or the militant groups use this concept of Akhirah to convince the masses that “there will be no judgment for those who have sacrificed their lives for Islam and they will go straight to Jannah”.

• The Concept of Khilafat (Caliphate): A caliphate (Arabic: Khilāfa) is a form of Islamic government led by a caliph (Arabic: Khalīfah). Khilafat is a very powerful concept in Islam. Surat An-Nūr (Surat: Quranic Verse) represents Khilafat in Islam. The verse below has a very powerful message for Muslims about Khilafat.

“Allah had promised to those among you who believe and do good works that He will surely make them Successors on the earth, as He made Successors from among those who were before them; and that He will surely establish for them their religion which He has chosen for them; and that He will surely give them in exchange security and peace after their fear: They will worship Me, and they will not associate anything with Me. Those who disbelieve henceforth, they are the miscreants. (Surah Al-Nur, Verse 56)”

This is known as the istikhlaf verse, which means a promise of succession has been made to the believer. Some commentators have translated istikhlaf as ‘inheritance of power’. The words, “Those who disbelieve henceforth, they are the miscreants,” signify that Khilafat is a great divine blessing. Muslims who do not show proper appreciation of Khilafat by giving generous support and obedience to their Khulafa will lose this great divine benefit and in addition will draw the displeasure of God upon themselves.

Now, based on the above Islamic concepts, I will present the formation of Islamic State and why their existence is important to some Muslims who decide to join them. On 29 June 2014, the group Islamic State proclaimed itself to be a worldwide Khalafat (caliphate) with Abu Bakr al-Baghdadi being named its Khalīfah (Caliph Ibrahim) and also renamed itself Islamic State (ad-Dawlat al-Islāmiyah) - Dawlat (Arabic: power or wealth). Therefore, Islamic State is using Khalafat as one of the tactics to attract Muslims from all over the world. As described above, Khilafat is a very powerful concept and Muslims who disbelieve will be punished.

The point to note from “My Story” in this paper and the key Islamic concepts I presented is that the messages which the Islamic State is using are based on Islamic teachings and cultural values. These messages are very strong as in Islam one should believe in the Hereafter and that the


life on this earth is temporary; therefore all the actions of a Muslim should be directed towards achieving Jannah (heaven). Apart from the other messages these messages have a very strong impact on shaping the thoughts, opinions and behaviour of Muslims. The other issue is that the youth and western Muslims think that if they die during Jihad they will be “Given place in Jannah without any questions asked”. So if you are a child who is isolated and unsure of your place in the society, “heaven” is guaranteed if you join a cause that is all about a reward in the afterlife.

As mentioned earlier in my speech, the message which I received during my visit to the Islamic Camp was to see myself as the “Chosen One” and an “Ambassador of Allah”. So coming back to the “three British girls” who left the comfort of their homes and joined Islamic State: they were convinced that this is the Islamic Call and if they want to be one of the “Chosen Ones” then they will join the “Khilafat” as “Allah has promised a place in Jannah for those who sacrifice their lives for Islam”.

These messages have a great impact on young people where parents and children do not have an open relationship. Therefore, isolated and afraid of parental authority, the young people don’t like to discuss what they are thinking for fear of punishment. Most of the time, no matter what they do for elders it’s never good enough, so they may feel they have to prove something to gain their respect and praise. We are raised not to question or disappoint parents. Therefore most of the children keep their thoughts and what they want to do to themselves.

As Islamic State knows how this culture works, they are able to convince the vulnerable people who feel isolated (especially women and youth) that the establishment of Islamic State’s Khalafat is the Islamic Call. Islamic State are able to convince these people that no matter what the others think of them “They are the Ambassadors of Allah and the chosen ones”, and Allah has chosen them as one of his “Successors”. These “three British Girls” felt important and welcomed by Islamic State.

The misguided Muslim youth feel “welcomed and accepted as adults” by Islamic State or other militant groups. The sense of “Empowerment” that this gives them should not be underestimated, particularly when compared with the relationship they have with their family, which is often strained and controlling. These youth are more receptive to the messages from Islamic State than the messages from parents. This aligns well with my experience and what I described earlier, that cultural and family pressures make Muslims more receptive to radical messages. This is also identified in the demographics of Muslims leaving the west to travel to the fight in the Middle-East.

Conclusion

In Urdu there is a saying, “Loha Lohe Ko Katata Hai”, which means “Only steel can cut steel”. I am emphasising the fact that if Australians as a nation want to win the social media and radicalisation war then they need to get inside the minds of the Muslims and various schools of thought within Islam. There is a gap in the Government’s approach to


combatting radicalisation. To tackle the rising issues of Radicalisation and Terrorism it is important to understand what strategy these militant groups are using and why they are so powerful. The communities that will be able to help understand and translate the messages from the militant groups (Islamic State) are Muslims. The “cocktail” of culture and religion is in their “DNA”, therefore reaching out to progressive and modernised Muslims might help.

Growing terrorism and especially “Home grown Terrorism” is a big issue but the bigger issue is how to minimise the risks of “Australian Muslims” moving towards the radicalisation process. What I have tried to present is a situation partly the making of the Islamic Community. Because of its traditional basis and poor integration into the Australian society, the children are specifically removed from healthy cross cultural contact and isolated to the extent that their aspirations and hopes are forced into a “traditional” environment. That environment is at odds with the society that surrounds them and which they see every day. They are unable to join their outside world in any real sense, constrained by family and tradition, and so they look to another form of personal fulfilment – that of the promise of a meaningful life through the call of “Jihad and Khilafat”. The offers made by extremist media and extremist preachers are that of an opportunity where the youth feel important and can do something meaningful – Jihad – to attain real recognition.

How Can We Counteract This

In part it is to better equip and prepare Islamic schools to help kids and their parents come to grips with Australia’s multicultural society. Non-Islamic schools need more teachers trained to recognise the problems Islamic children are likely facing and help them and their families to adjust to this new world they have chosen to live in.

On a broader national level the Government needs to employ “moderate and progressive Muslims” who are able to help them understand the religious and cultural tactics of the “Radical Islamists and their use of Social Media”. Involving and perhaps “employing” trusted members of the Muslim community in policy design, intelligence and national security will improve our chances of success. There is a danger that policy designed in ignorance of the true drivers of radicalisation will be ineffective, or worse, may act to exacerbate the issue.

About the Author

Anooshe is a first generation Australian of Pakistani origin. She spent her early years in Pakistan and several years in Libya on posting with her family. Since her arrival in Sydney in the mid-eighties Anooshe has experienced first-hand the changing cultural landscape of Australia. She is an Associate Member of the Australian Institute of Professional Intelligence Officers (AIPIO) and a Research Associate at the Australian Security Research Centre (ASRC). Anooshe’s research is based on Australian Muslim culture, radicalisation, Islamic State ideology and government policies. She has published several articles on the topics of radicalisation process, Islamic culture and religion.


National

Global logistics: Securing the supply chain
By Andrew Whelan

Ensuring the safe delivery of more than 308 million packages globally each year is no small task. The DHL Express network spans over 220 countries and territories worldwide, and over 500 airports. With more than 250 dedicated aircraft, 38,600 vehicles and approximately 34,000 service points, the need for systematic, robust and proactive security systems is clear. We live in a global society where the internet has opened up markets like never before. Consumers expect the products they purchase online will be received swiftly and securely. Businesses rely on the rapid delivery of products and supplies which in turn drives their revenue. The vast majority simply want fast access to good-quality, well-priced products. However, we have to be realistic that a small minority is looking to take advantage of a network that provides reliable international trade services to 2.6 million customers. Preventing breaches and preempting threats is where the global security team focuses our protocols and efforts. Adhering to the time-sensitive demands of global business that prides itself on speed and reliability is paramount. But we are very conscious that as aircraft operators and ground transport providers, stringent aviation and air cargo security requirements must be embedded into our processes and procedures.

Securing people, facilities and freight

Complying with international and national aviation and air cargo security regulatory requirements is essential for DHL Express. We operate fully automated tracking and tracing systems to provide a complete audit trail of all shipments, wherever they may be in the world. This is a key feature our customers rely on to determine when they will receive a parcel; however, it also provides security data we can continuously monitor. Strict security protocols and procedures ensure our people, facilities and freight are protected – with risk management measures and threat assessments constantly implemented. Our approach to security is proactive, aimed at preventing incidents before they occur. We have a large team of dedicated security professionals worldwide, led by respective Regional Heads of Security who provide expert advice and guidance on all matters relating to security. A significant portion of our team has


come from a law enforcement background, such as my background in the Royal Hong Kong Police Force. This provides a better understanding of what is required from government authorities and how these can be applied to a commercial setting.

Securing the Supply Chain

Accurately defined and effectively implemented security measures are demanded by our customers – and paramount to our management. Providing a secure supply chain for shipments carried on our network is at our core. Achieving best-in-class standards of service, and with them outstanding customer satisfaction, ensures DHL Express maintains a competitive advantage. DHL Express promotes a global approach to membership of TAPA (Transported Asset Protection Association). Currently we have 265 key facilities certified globally – including nine in Australia and three in New Zealand. This makes us the global market leader in this regard. TAPA outlines a standard of security requirements that must be met. Customers know that if a site is TAPA certified it meets a high standard of security. By striving for independent certifications of this nature, we bring additional credibility to our security offering. Having the right tools is essential and our Global Security Incident Database (SID) allows us to monitor and manage all security incidents. We can track potential security breaches globally, and alert international colleagues to suspicious behaviour or occurrences. The network is our greatest strength, so we rely on it to protect our operations.

People offer the greatest protection

A key pillar in our security structure is to have trained people. DHL Express employees must pass a global induction training course, which grants them Certified International Specialist (CIS) status. A key module focuses on security – and this mandatory global security training has been provided to 83,000 employees in 42 languages.


Our people offer the greatest protection to our network. It is essential they are aware of the potential threats and are encouraged to monitor for any breaches. Our staff is trained to report any suspected security incidents to local authorities. Reward and recognition programs allow us to thank employees for their continued vigilance. We maintain close relationships with Police and Customs agencies. In many facilities we offer offices for various government departments so they can operate alongside our teams. For example, Customs officers regularly patrol our facilities with sniffer dogs to provide an additional safeguard.

Terrorism in the new global economy

Concurrent with the conventional security threats, there is also risk in today’s international security environment from global terrorism. The fact that we have an aviation element to our business means that we must be ever vigilant against the threat from terrorism. Consequently, there has been a growing demand from some government regulators to impose increased security requirements upon the logistics industry. The cost of compliance has grown exponentially, as governments and businesses respond to these threats. We invest considerable funds every year into applying stringent security measures, and to assure authorities that we offer a robust and secure supply chain.


Installing to assist

The improvements in security technologies have been of great assistance in identifying suspicious packages, essential in a world of growing threats. Globally there are numerous examples, but in Australia and our new Melbourne Gateway facility, we’ve recently installed state-of-the-art 180 degree thermal imaging detection systems. These are in addition to 100 CCTV cameras and Integrated High Speed Auto X-ray machines. DHL Express is doing everything we can to provide a first-rate security system the authorities can feel confident in. Another great example in the Asia Pacific region is Hong Kong. Here, our Central Asia Hub was built at a cost of US$210 million, encompasses 35,000 square meters and has 300 CCTV cameras. A range of perimeter fencing has been installed and state-of-the-art screening technologies provide greater identification capabilities. Still we continue to evaluate new technologies in a constant effort to combat the evolving risks to our business. Terrorism might be an obvious threat, but another growing concern is the transportation of illegal drugs. In DHL we have an excellent record of locating narcotics and removing them from our network. Criminals will do everything they can to hide illegal goods; and the concealment methods are imaginative and varied, requiring constant vigilance. We work closely with authorities to identify and investigate such criminality. We don’t only concentrate on the goods themselves – we also focus on the people who are trying to send them. All customers paying in cash must provide photo identification before parcels are accepted, and our account customers are strongly vetted. Vigilance at every front is needed to maintain a secure network.

Security first, globally

Ultimately, our goal as security professionals is to protect the people, facilities and assets that make up our network – and the shipments our customers trust us to deliver. While global connectedness means international borders appear to be becoming more transparent, the flip side is that there are always going to be those who seek to exploit any weaknesses. We rely on a strong compliant security network, stringent procedures and a highly trained professional team to offer peace of mind and protection. This ensures that our customers in 220 countries receive their 308 million packages each year securely, on time, every time.

About the author

Adrian Whelan is the Head of Global Customs and Security for DHL Express, a position he has held since 2010. Before joining DHL in 2000, Adrian spent eight years in the Royal Hong Kong Police Force as a Detective Senior Inspector. In his current role, Adrian is responsible for overseeing the security and customs policies and procedures at DHL Express, with the main aim of protecting the company’s staff, assets and customer shipments.



National

The big picture of security planning for major sporting events: A holistic approach by Andrew Cooke


More than 135 major sporting events have been held over the past 100 years, equating to an approximate total of 400 years of security planning, yet there is no known standard security planning model available to base such security planning on. With every major sporting event – from a FIFA World Cup to a Summer Olympics – each host nation has to re-invent the wheel to determine their security strategy for their particular sporting event as well as the concept and operational plans to execute it. This is a risky approach especially since securing a major sporting event should be aimed at reducing risk and minimising costs. At the very best, a host nation might be able to obtain some planning documents from the organising committee of a previous major sporting event. However, in the absence of a holistic model it may not always be clear whether the said planning documents cover all security functions, are integrated with other areas of event planning, possess quality content and cover the entire life cycle of the major sporting event. Whether a nation is in the bidding phase or has been awarded a major sporting event, I constantly hear the questions: “What reference documents are available?” and “Where do we start?” Because of this, the ICSS has gathered some of the world’s top safety and security experts and developed such a model.

Introduction

Over the past 100 years we have witnessed over 135 major sporting events worldwide. These include:
• 27 Summer Olympics
• 21 Winter Olympics
• 20 Commonwealth Games
• 19 FIFA World Cups
• 17 Pan-American Games
• 15 UEFA EURO Championships
• 11 Cricket World Cups
• 9 Rugby World Cups

Assuming that each organising committee spent an average of three years planning the security for their event, it equates to



approximately 400 years of security planning. Unfortunately very little of this knowledge has been made available for other major events to access. It also seems that no one has catalogued this knowledge on a continuous basis to keep track of how major sporting event security has evolved and is evolving. It is clear that security challenges will be constant, whether it is due to ever evolving technology or the dynamics of geo-political relations. Apart from the risk profile of each event, the great watershed for security planning was definitely the 9/11 terrorist attacks on the World Trade Centre. This can be seen by the growth in security budgets for major sporting events since the 2004 Athens Olympics. Although security budgets are challenging to obtain, and it is difficult to understand what is actually included in them, the following is a general overview of the security costs for the past four Summer Olympics – mainly taken from public sources from organising committees, which would largely exclude government costs:

Year    Event                      Budget          Security Personnel
2000    Sydney Summer Olympics     $180 million    11,000
2004    Athens Summer Olympics     $1.5 billion    70,000
2008    Beijing Summer Olympics    $6.5 billion    110,000

To place the above in context it is important to note the following:
• The 2000 Sydney Olympics was pre-9/11
• The 2008 Beijing Olympics security was largely aimed at containing opposition to its political stance on human rights, which bloated their security budget
• The 2012 London Olympics was more in line with the 2004 Athens Olympics cost, but government expenditure on hardware and other security aspects is expected to be extensive

Bearing in mind that on average major sporting event security costs increase by an astounding 77%, one has to wonder about the effectiveness and impact of the initial security planning and what the reasons are for this phenomenon. Perhaps the failure to catalogue the knowledge gathered over the last 400 years’ worth of security planning, and the lessons learnt, was one of the main causes. Perhaps a well maintained and current security planning model could have decreased risk of failure, re-work and ultimately cost. That’s usually when one hears the question: “What reference documents are available?”

Discussion

The most common ‘reference documents’ that one might find are individual security plans (conceptual and / or operational) from some previous event. In the absence of a comprehensive security planning model that covers all sports and types of events, at the moment it is not clear whether security plans between events are integrated into other areas of the event, possess quality content and cover the entire life cycle of the major sporting event. Some may be of the opinion that one cannot develop such a security planning model because every event has its own dynamics when it comes to security and risk profile. When it comes to planning security and identifying potential risks, every event is unique. As we have seen, a Summer Games in Sydney pre-9/11 is totally different to an Olympic Games post 9/11 in Athens. However, one must also acknowledge that the same range of security functions and activities have to be performed for every event. The only difference is HOW they are applied within the context of the different dynamics and risk profile of the particular event. It is clear that security planning for major sporting events can still be flawed in this modern day and age even with all the expertise and technology available to us. Take the recent 2012 London Olympics as an example. The British have pulled off an amazing feat, presenting what has been hailed as one of the best Olympic and Paralympic Games in its history and receiving outstanding reviews from administrators, fans, athletes and the world’s media. No small feat by any standards. But as can be expected with any major sporting event, the various organising bodies for London 2012 experienced their fair share of challenges, the most exasperating and most publicised one being the poor delivery of private security services for the Games. The fact that this issue arose in a country that has hosted so many major events in the past is surprising, but is not totally uncommon to major events in general as there is no ‘one size fits all’ to arranging security for major events. There are however basic principles that must be understood and managed effectively.

These basic principles are as follows:
• Understanding the various dimensions that comprise the life cycle of a major sporting event, and where one is in that life cycle
• Understanding what the requirements are for each dimension of the life cycle
• Monitoring, reporting and communicating requirements with key stakeholders
• Timing is everything

In order to improve security planning for major sporting events it seems we need a reliable ‘reference document’, one that exhibits the following characteristics:
• Provides the industry with a STANDARD to base its security plans on
• Is FLEXIBLE to accommodate unique dynamics
• Ensures CONTINUOUS IMPROVEMENT
• Ensures a DYNAMIC and ROBUST model
• OPTIMISES security plans and operations
• Whilst MINIMISING re-work & security costs
• Ensuring LEGACY for the Host Nation & Sport Sector

In its desire to introduce the above characteristics and redefine the way major events think about security, the ICSS has developed such a ‘reference document’. It is based on collating the most vital knowledge and lessons learnt from previous major sporting events – both tacit and explicit, extracted by means of research and consultation of major sport event experts. This has led to


the development of the Security, Safety & Integrity (SSI) Model™. The SSI Model™ serves as a master guide for the security planning of major sporting events. It consists of a Framework that covers all eight dimensions of an event life cycle and a Security Concept that addresses the entire suite of security functions that have to be managed during the Preparation and Operations Phases to ensure a holistic and integrated security plan as illustrated in Figure 1 below.

Figure 1: The SSI Model™

This brings us to the other question we hear so often: “Where do we start?” The SSI Model™ Framework covers all eight dimensions of a major sporting event life cycle, whether one is planning to bid for a major sporting event or has already been awarded the hosting rights. The SSI Model adheres to the following quality standards:
• A DYNAMIC and ROBUST model;
• HOLISTIC & INTEGRATED;
• FLEXIBLE to accommodate unique dynamics;
• Based on CUMULATIVE KNOWLEDGE of previous major events;
• Can be MANAGED EFFECTIVELY through the life cycle of an event;
• To OPTIMISE security plans and operations;
• Ensures CONTINUOUS IMPROVEMENT;
• Whilst MINIMISING RISK of re-work and high security COSTS;
• Ensuring LEGACY for the Host Nation & Sport Sector.

Conclusion

Up until now there has been no known overarching model that can be applied by different major sporting events; especially a dynamic one that is based on historic lessons learnt and current research. In the absence of such a model, we still experience major failures in SSI operations as recently as the 2012 London Olympics. One would think that major event security experts would be able to cover all of the requirements of SSI operations by now and ensure that SSI plans are managed effectively. One would also think that the contents of the SSI Model™ are common sense. Common sense however, is clearly not quite common practice. The SSI Model™ aims to assist in making common sense a common practice for all major sporting events of the future!

Key issues to remember

A quality security planning model:
• Must be Holistic and Integrated
• Should be Dynamic and Flexible
• Needs to be based on Cumulative Knowledge
• Should Minimise Risk and Cost
• Should Optimise Benefits for the event and beyond
• Should be Managed Effectively through the event life cycle
• Should assist in making Common Sense, a Common Practice!

If you would like to learn more on how the SSI Model can assist your event or you would like to discuss other sport safety and security services offered by ICSS Security Operations please don’t hesitate to contact Andrew Cooke, Director Security Operations - International Centre for Sport Security. Email: andrew.cooke@icss.org

About the Author

Andrew is an internationally experienced Safety and Security Specialist with a career spanning over 25 years with multi-disciplinary sport security, risk management and law enforcement experience. Andrew in his current position leads the safety and security operations for ICSS on a global level. Prior to working at ICSS Andrew was the Head of Security for the Asian Cup 2015 in Australia and has managed and directed the Safety and Security operations for a large number of International Sporting Organisations across the globe.
Andrew’s experience is strengthened by his expertise in Operational Management, Crisis and Emergency Management, Hostage Negotiation, Risk and Security Management, Event Security Management, Security Risk and Threat Analysis, Security Site Surveys and Close Personal Protection Operations. He is an effective leader who brings strategic and operational expertise in all facets of major sport safety, security and risk management on a local, national and international level. A highly commercial change agent who is able to shape, influence and inspire strategic thinking and innovation.


Frontline - Chemical Security Update

We can all help to keep Australia safe from terrorism

The threat from terrorism in Australia is real. Homemade explosives and toxic weapons can be made from chemicals many of us deal with in our everyday work. These chemicals have been used in terrorist attacks such as those in Bali, London and Mumbai. Closer to home, there have been several arrests involving suspected terrorists seeking to purchase common chemicals to use in bomb making. Currently there are 96 chemicals identified as being of concern. You will find some around your home such as common fertilisers, pool cleaners and bleaches. We can all contribute to keeping Australia safe and secure. Most importantly, you should trust your intuition. The sort of things you might want to look out for are:
• stolen or missing chemicals, including discrepancies with stock or deliveries
• unusual possession, storage, or dumping of chemicals
• someone purchasing chemicals for which there is no clear purpose
• someone asking unusual questions about the chemicals held on site
• unusual interest in security arrangements at a site or during transport
• suspicious behaviour around places where chemicals are kept.

Remember, these are just some examples of what might be suspicious. You know when something just doesn’t feel right—at work or in your community. Trust your instincts. A new series of animated videos has been produced to provide guidance on practical and inexpensive measures you can take to help keep chemicals secure in your workplace or property. The videos are available at: www.nationalsecurity.gov.au/chemicalsecurity/resources Watch the videos and share them with your colleagues, staff, friends and neighbours. More information including a full list of the 96 chemicals of security concern and a copy of the code of practice are available from the National Security website: www.nationalsecurity.gov.au/chemicalsecurity

Remember—report anything suspicious involving your chemicals to the National Security Hotline on 1800 1234 00 or hotline@nationalsecurity.gov.au Every piece of information helps, and you can remain anonymous.

By applying practical measures from the voluntary National Code of Practice for Chemicals of Security Concern, businesses can help keep Australia safe from terrorism:
• Ensure prospective, seasonal or casual employees are trustworthy.
• Limit access to your chemicals.
• Lock your chemicals up when they aren’t being used.
• Keep track of your chemicals.
• Educate and train your staff to be aware of suspicious behaviours.



Regional

The 61st ASIS International global security event, Anaheim USA By Pascal Engler Ticon Solutions Pty Ltd


The Anaheim Convention Centre in California was the location of this year’s ASIS International 61st Annual Seminar and Exhibits (ASIS 2015). The event was conducted over four days and evenings from Monday 28 September to Thursday 1 October. Approximately 20,000 security professionals were in attendance. Delegates were assisted with an innovative event mobile app. The app provided all relevant information about the event including education sessions presented, program updates, show specials, and an interactive floor plan with a live Twitter feed. Attendees were also able to share their experiences of ASIS 2015 by tweeting pictures throughout the event.

In addition to the 600 exhibitors who displayed a broad range of security products and solutions including the latest innovations in physical security and technology, there was a range of education and professional development sessions. In total over 250 operational and information security education sessions were provided. These sessions covered topics from counter-terrorism and cyber security to security-related solutions where there was political unrest, civil war and other threats to local, regional and global security. In addition to the education and professional development sessions, the event provided valuable resources for security-focused professional development including the on-site bookshop, endless opportunities to network with security professionals from around the world, and an atmosphere where security leaders were able to engage in security-related discussions with like-minded colleagues.

On the Sunday, many of the early arrivals to the seminar attended the First Time Attendees/New Members Reception, held in conjunction with the ASIS Young Professionals Reception. This was then followed by the Welcome Reception, a great start to the many networking opportunities to meet a diverse group of peers from across industries, as well as catching up with friends. The activities continued with Texas Night, held at Tortilla Jo’s Downtown Disney and concluded late in the evening.

The formal event commenced Monday morning with an opening ceremony. The ceremony included a formal welcome from the ASIS International President Dave N. Tyson CPP. The opening ceremony also involved a marching band and a parade of flags representing the 100 plus countries in attendance. Delegates were also entertained by comedy duo The Passing Zone who performed juggling acts within a comedy routine. Before Mr Tyson officially opened the exhibit hall to attendees he addressed the audience on the evolution of ASIS International. He explained recent initiatives and how ASIS International has become the global voice of the



security profession. Currently ASIS International has around 38,000 members world-wide.

The exhibit hall was filled with the most innovative technologies, new products and services in the security market. Attendees were able to engage with companies showcasing technology that will shape the security industry going forward. There was a large presence of video manufacturers, displaying new thermal security technology capabilities, security management systems and access control systems. While roaming the exhibit room floor, attendees were able to sit in on a series of poster sessions to learn about security research, practice and innovative applications. More than 35 subject matter experts presented a wide range of topics from across the security spectrum.

Throughout the week, there were various informative education sessions one could attend, which included Security Master Planning. This session explored how a master plan should work in conjunction with a corporation’s objectives and mission. There were also sessions on how to gain business value from risk, threat, and vulnerability assessments which gave an informative opinion on how to optimise the intelligence and information gained from assessments undertaken. There were also discussions about the evolving threat environment in the Middle East and the various operational challenges faced in that region.

On Monday evening a networking event was conducted in the immediate area outside the convention centre and was well attended by many hundreds of delegates. The area was transformed for the President’s Reception into a festival of lights and music and lined with over 20 food trucks to sample various delicacies. Delegates moved between the food vans and bars until late in the evening whilst being entertained with live music provided by local groups.

A key presentation during the event was provided by Raymond W. Kelly, former Commissioner of the New York Police Department. Commissioner Kelly explained the efforts taken to rebuild the safety and security of New York after the September 11, 2001 terrorist attacks, his resourcing requirements and re-building culture and resilience through his organisation. He also explained the challenges faced by the City generally and its extensive community. Kelly oversaw the creation of a specialist counterterrorism unit with the NYPD. This unit not only trains personnel on how to respond in the event of an attack, but also has operatives around the globe who gather intelligence about plots targeting the City.

On Wednesday a keynote address was provided by General Michael Hayden, the former Director of the Central Intelligence Agency and a former Director of the National Security Agency. General Hayden spoke of the growing dangers of terrorism and cyber-attacks.

Within the event there were a number of presentations where outstanding performance, dedication and achievements were recognised. A number of members received awards including the Victoria Australia Chapter that received an award for best website. Three members of the Chapter, Dr Tony Zalewski (Chair), Rachaell Saunders (Secretary) and myself, were present at the event and accepted the Award.

On Wednesday evening the ASIS Foundation provided a festive evening at The House of Blues in Downtown Disney. This function also allowed for the making of more contacts and catching up with acquaintances and friends. Again, a late but enjoyable evening took delegates on a blues journey with live local entertainers.

Thursday morning started with Galina Antova, Co-Founder of Team8 Industrial Security, addressing delegates with a keynote address “Security Critical Infrastructure: Closing the Gaps.” This session highlighted the issues of integration between information technology (IT) and operational technology (OT) and the challenges that come with that convergence. This session was followed by a panel of senior security executives from the entertainment and high-tech sectors and their perspectives about “Lessons Learned from the Sony Hack.” Prior to lunch Zak Ebrahim gave an inside look into his new book “The Terrorist’s Son.” Zak told about his long journey to comprehend his past as the son of a declared jihadist who was responsible for the 1993 terror attack on the World Trade Centre.

The conclusion to the 61st Annual Seminar and Exhibits involved a presentation by General James Mattis, former Commander of the United States Joint Forces Command. General Mattis gave an insight into his experiences and the lessons learned in leading troops within the wars in Afghanistan and Iraq. His presentation was well received and highlighted the impact of practical experience as part of life-long learning.

Overall, attending ASIS 2015 was a great experience. I was able to learn a lot from the education sessions and keynote speakers as well as making valuable connections in the security industry. I recommend to anyone who is wishing to advance their career in security to become a member of ASIS International and attend the Annual Seminar and Exhibits.



Regional

Highlights from the 2015 Security in Government Conference


Another very successful Security in Government (SIG) conference was recently hosted by the Australian Attorney-General’s Department in Canberra. Now in its 27th year the conference provides an excellent educational and networking opportunity for protective security professionals. This year’s theme was Risk management – getting it right! Conference speakers highlighted various aspects of effective risk management including understanding the vulnerabilities that underpin each of the critical points in the business model and what is essential to the running of the organisation. Speakers included the Hon Dr Brendan Nelson, Director of the Australian War Memorial and former Federal Opposition Leader, Chris Moraitis PSM, Secretary of the Australian Attorney-General’s Department, Dr Carl Gibson from La Trobe University and Andrew Annakin from the New Zealand Intelligence Community.

Delegates at the SIG 2015 conference dinner were treated to an unforgettable, national-patriotism-building address by Dr Nelson. Dr Nelson’s address included entertaining anecdotes from his past experiences as an education minister, but the heart of his speech was a moving, personal perspective on the purpose and mission of the Australian War Memorial. He sees the Memorial as more than a commemoration of the sacrifice of those Australians who have died in war, but a celebration of who we are and how it shapes our future.

Mr Moraitis spoke on managing personnel security risk. He explained that a robust risk-management approach to personnel security requires an understanding of the risks and the ways to manage them at the individual, organisational and whole-of-government level. He also stressed the importance of embedding a ‘culture of security’ within organisations.

Dr Gibson provided an insight into understanding the risk environment and focused on the consequence and the probability of day to day events, as well as one-off events that often influence our approach to managing risk.

Mr Annakin spoke about the introduction of New Zealand’s new Protective Security Requirements (PSR). The PSR framework provides clear guidance and support for New Zealand’s public service departments and the New Zealand Defence Force, New Zealand Police, New Zealand Security Intelligence Service and Parliamentary Counsel Office to achieve improved security standards in protecting its people, information and assets.

Attached to the SIG 2015 conference was an extensive trade exhibition with over 70 organisations showcasing the newest cutting edge technologies, innovative protective security products and educational solutions available on the market. A range of industry sponsored workshops were offered to delegates with topics ranging from major incident capability assurance to government, industry and academic collaboration on cyber.

For further information on the Security in Government conference visit: www.ag.gov.au/sig or contact SIG2015@ag.gov.au



AISA National Conference, Melbourne

Seasoned Cyber Security Entrepreneurs and their latest venture
Craig Searle and Nick Ellsmore, HiVint

Craig Searle: We were launched in February 2015 and quickly grew to a team of 12. The company was founded on a passion to create what we call “community driven security”, using collaboration to get better outcomes for our customers, subscribers and the community in general. There are effectively two parts to the business; there’s consulting, which is the engine room for generating the content for the portal, which is our collaboration platform. In collaboration with clients we are able to declassify and desensitise content and allow collaboration to reuse that material. In terms of security, most organisations do not want or need to compete, and there is a significant macro benefit from sharing more widely. The portal is being generated by the market. There is a full cyber security strategy for one of Australia’s largest financial services companies, a whole range of incident response plans that we have built for an insurance company, a range of malicious code standards, network standards, risk lists, vulnerabilities we have found – a direct reflection of what we are working on with our clients.

Nick Ellsmore: The benefit of that is to our subscribers who are seeing what else is going on in the industry. We have had plenty of examples where someone has logged in looking for a document type and discovered other important documents along the way. Knowing that a peer organisation has paid money to produce that document, and it is therefore top quality, is worthwhile and remains relevant to the Australian context.

Launch Special

Craig Searle: For a launch special we are offering a 12 month subscription for under $2,000 and we are putting in 3-5 documents a week at the moment. Over the course of a year there will be millions of dollars of consulting output that will go in there, so it will not take much to return that value to the subscribers. Subscribers can take the content and do with it as they wish. The customer has the option of redacting and changing the content before it is made available, but to date, out of 100 jobs, 95 were happy to have that content made available in the colony. Indeed some clients have produced additional material that they were happy to provide for sharing amongst our other customers, hence getting involved in the community ethos. Primary client profiles are large corporates across a range of industries, who can save money and better utilise consultants. We have identified a skills crisis and are taking away the need for those mundane and standard roles that can be easily replicated and adopted. The consultants themselves will end up working on the high gaming, more challenging tasks, which is a bonus and more rewarding for them. As a benchmarking exercise it is useful and it is streamlining the process of checking against various measurements and requirements. Incident response is a topical element with good incident response plans and tested plans - including workshops, guidelines and deliverables to clients, so these aspects are constantly being renewed, updated and improved. Our key message is that if we compete on the 20 per cent of tailoring and updating and the high value material and focus less on the 80 per cent cut and paste then the whole industry is going to be better off.

[Photo: The HiVint Team]

Boards getting on board

Organisations have got to a stage where they have spent a lot of money on security technologies and implemented policies but they still don’t have the sense that they have got it all covered. On a Likert scale of 5, where 5 is beyond reasonable security and 0 is no security, most of the organisations we are dealing with are between 2-3 and trying now to get to the point of incrementally improving security services to a 3-4, which involves greater visibility of what is happening. The key message is that organisations are struggling to understand the metric involved in cyberattacks: “How are we doing compared to others?” It has been suggested here at the conference that boards don’t care about cyber security, but in our experience that couldn’t be further from the truth. They want to know about it and often can even be fascinated by it, but they struggle to get a handle on it. They may not know what questions to ask and they are not necessarily given the information in a way that they need it. We have been discussing the concept of getting to a minimal viable security. For example you probably don’t need NSA level security if you are a Tier 2 bank, so what is the point of crossing the benefit versus spend? And when reaching that point what does it look like? How robust is it and what have others done in comparison?

Nick Ellsmore: The technology is continuing to evolve and will continue to evolve. The solutions look useful but whether they are all going to continue to provide benefit or work is open to change also. It is really about education, and how we engage users more and empower and enable them so they understand the value of their security behaviour.

Craig Searle: If you look back even at the top levels, we have gone from IT security managers, to Information Security Managers, to Chief Information Security Officers, and say the wider tech industry, such as Ben Hayes at CBA, to Chief Trust Officers or Chief Trust and Security Officers, and it’s evolving to be that security is not the end point but a means to an end, which is trust and privacy and reliability. Security Colony has a free level of access so anyone can sign up and can download some documents and ask us questions. Community driven security – the more people getting involved, the better it is for everyone.

A single pane of glass
Kieran O’Shaunessy, Managing Director, Asia Pacific, Accellion, Inc.

Accellion is a leader in the secure enterprise file sharing space. We enable organisations and their users to share files securely outside of the firewall, or outside the organisation, for internal and external collaboration and without compromising on data security or manageability. We provide a user friendly interface for all devices. It is an anytime, any device capability and generally empowers users to be more productive, in particular from a mobile perspective, and allows access when they’re outside the firewall and accessing their internal content sources like SharePoint or CIFS file shares, or OpenText, as well as accessing cloud sources of data.



Effectively it is a single pane of glass for users to access content across the divide, be it on premise, private cloud or public cloud. The system provides access over an encrypted connection and enforces authentication to get access to the content and ensures the only files being shared are those that are intended to be shared. The system is a standalone solution in its own right, but has integration points into Office 365, which is incredibly popular in its take-up, and integrates with existing enterprise infrastructure authentication and DLP protocols. There is a cloud hosted service, sitting within the Amazon Cloud and so a private-hosted service for each customer, not a consumer-grade cloud file sharing service. Eighty percent of our customers deploy in a private cloud and all our clients are struggling to deploy to the cloud in terms of getting the benefits of mobility and the increase in the size and value of data and we can help those organisations.

Providing Visibility

The major issue around large consumer file sharing platforms when being adopted by corporates is that they don’t provide visibility, including company data and access information. Our system delivers very granular auditing and logging and integrates with the SIEM systems and analyses captured data. All file sharing is user based and established by user profile and rules. You can lock down users to have read only views, or download to certain devices or specific machines, or have collaborative rights and permission based access to content. We effectively track the IP address the file was uploaded from, and can audit, via logging activities, the path and user profiles around that file. Forensically we can provide proof of an activity around a file and action by a user. We can also enforce the policies which have been configured by the DLP system and prevent files, based on key word or tags, from leaving the organisation. Kiteworks – wherever the wind takes you – is the product rated as a leader in the secure file sharing space and in the Magic Quadrant rated by Gartner for enterprise file sync and share.

Attacks from the wild - the need for a DDoS portfolio
Nick Race, Country Manager, Arbor Networks

It’s an exciting time. Arbor Networks have launched a comprehensive portfolio of new DDoS products, which take us from supplying the small-medium sized business (SME) and all the way up to the carriers and large enterprises. We are now part of the security division of NetScout and the products take us from the virtual world and to multi-gigabyte protection from DDoS attacks.

DDoS protection has always been our primary technology and now we have expanded into the advanced threat protection market. We have the ability to detect and mitigate both the volumetric and the application based attacks. All of our products use our own threat intelligence and we have a community of ISPs globally. Around 90 per cent of the world’s Telcos use our technology and have the ability to share information which involves about 40 per cent of the daily global internet traffic. Based on that visibility, we can actually see what the bad guys are doing. Our researchers then design techniques to detect and mitigate that activity, be that around parameters and thresholds or the target applications and application layer attacks, at the Layer 7 level which may be specific in a customer’s infrastructure, like back end servers, firewalls, IPSs, and they are ‘stateful devices’, and one of the attack vectors the bad guys use is that ‘state’ exhaustion. So, typically, a firewall would be the first thing to fall over in a large scale attack. What we can do is have on premise technology which sits in front of the firewalls and other security infrastructure to protect those, as well as other assets. We are moving all of our products to the cloud environment and have software defined initiatives as well, but for the ISPs working at high speeds it remains hardware based. For anyone who has an online business or has reputation risk, it also provides the ability to respond to what is called a ‘flash crowd’ where publicity suddenly causes a spike in interest or visits to a website, as the system can determine the difference between good traffic and bad traffic. We have virtual systems that operate at 100MB per second which is suitable for the SME market.
There are a number of physical and virtual appliances in the 1GB range and a part of the portfolio includes a relationship with Cisco, so we now have our technology as a Blade in Cisco routers, which means that customers who already have Cisco routers now have the ability to load our software on top of that physical hardware. For the really large volumetric attacks we have a global cleaning capacity which is known as Arbor Cloud, which is a service seen as a last resort when the client is being swamped, such as by hundreds of GB sized attacks. The Arbor Cloud has been increased to 2TB per second, four times the capacity of the largest attack we’ve seen in the wild so far, which was 500GB.

Is your password unique?
Patrick Heim, Head of Trust and Security, Dropbox

Dropbox is very much a global company, currently serving over 400 million world-wide, with 70 per cent of our users outside the USA. Starting in 2007 the business has moved from an online storage facility to becoming a platform in its own right and with ongoing capability and collaboration developments underway, including a recent announcement with Adobe and storage of about 14 billion PDFs. We have more office documents than Microsoft has in their own cloud (recent estimate is 35 billion office documents), so our storage volume is phenomenal. I mention this because it is the foundation – we have so many users collaborating and sharing information that it creates a pull. Currently all Dropbox data is stored in the USA. When Dropbox is used for personal use, it also brings in small business and the enterprises where they work, so our Dropbox for business product has become an offshoot designed to address the needs of these businesses. They see the value of Dropbox, their employees are using it on a daily basis, and it is crucial for them to collaborate inside and outside the organisation, but they need more visibility and control over what is actually happening. So the Dropbox for business gives them a lot more features in terms of security controls and monitoring capabilities. We have layered a richer set of APIs and invested heavily into security partners, so if you’re a large enterprise and you already have a sophisticated on-premises monitoring solution, there is a very easy pathway for that to be integrated with the Dropbox for business environment.

Don’t leave it to Jeeves

I firmly believe that it is a losing proposition for most small companies, and even midsized ones, to maintain their required security skills in-house. As we start to rethink what it means to conduct a technology-based business, we have to identify the cloud providers that we want to partner with that are going to be providing the necessary specialised functions. If you try to do it yourself, you will fail in the long term, because you will not be able to secure it. The vast majority of all the major breaches have involved traditional technology environments where companies chose to maintain their systems in their own data centres.

Learning from the bad guys

We are under continuous attack, and by very sophisticated threat actors, because we may or may not be housing, without our knowledge, content from dissident or criminal groups. There is a massive amount of abuse and attacks going on, and it is the cloud providers that take the bullets every day, so they have to integrate more and get better at protection and response to make themselves stronger. We have a number of API integrated security providers, such as Nuix, which is natively integrated with the Dropbox business platform. We have companies that provide the more monitoring-type tools that are tightly integrated and are also extending ourselves to the more established players as well and broadening out the number of partners that we have and providing more capabilities to companies using Dropbox.

We have a built-in compartmentalisation within our architecture – we separate data from the metadata, for the file itself is the data and the metadata is the ownership and related information about the file, and we split these into separate environments under the assumption that if any one is compromised there isn’t access to the other. We also encrypt the data and have customers that need to encrypt the data before it goes to Dropbox or any cloud environment, so we do have partnerships with companies like Sookasa and Encrypted Cloud. Although encryption is an important option, I will say that it is rather a hot button. Many see encryption as a magic silver bullet, but the problem of not getting hacked is much more complex. Nowadays almost every company, whether they know it or not, has had a breach. The question is: Were they able to detect it; were they transparent in how they handled it; and how did they learn from it and get stronger from it?

Password providence

The pattern of attack is highly centred against our users themselves and is focused on stolen passwords. There is a recurring pattern where companies get compromised on the Internet and criminals crack passwords from those compromises and then they test those passwords against Dropbox and other cloud services to see if they can get access. We see this activity on a massive scale and we remain very proactive in blocking it. The Ashley Madison breach is a case in point. We took it upon ourselves to investigate the email addresses of the 30 million individuals impacted globally, and found that 3 million of those addresses held Dropbox accounts. We then expired and forced a password reset on all 3 million accounts to proactively prevent those passwords from being compromised in case of the eventuality their passwords were the same as their Ashley Madison accounts.

We strongly advise our business customers to use SAML (Security Assertion Markup Language) which allows them to utilise their on premise authentication system, so there is no Dropbox password and they use a single gateway access that is inside the company to log into Dropbox, which is highly effective in managing the password theft risk. For consumers we offer three options for two-factor authentication for free, including SMS codes to verify, a one-time password app running on the phone and a hardware based authentication using Universal 2nd Factor (U2F). This is a standardised protocol that enables the use of Yubico’s USB keys, where you have to insert that into the computer or device and physically touch it for authentication. The use of U2F is a step up in the quality of the authentication protocol. Once you have the 2FA, it sets a cookie of sorts that periodically needs to be refreshed so that is tied to that device, so if somebody was to steal your password and they’re coming from a new device they wouldn’t have that existing token cookie so the system will challenge them and request a second factor, which mitigates the risk of password theft.

We continue to invest in security with multiple drivers pushing us. One of them is our own assessment of risk and the threat environment and responding to that to protect all of our consumers and customers globally. The other equation pushing us is the enterprise needs and what these customers need for compliance and certifications like ISO 27018, published SSAE 16, SOC 1, 2 and 3 threat reports which provide audit insight, so there are a number of areas that we have invested in that give our customers comfort. I would define it as a market driven evolution approach. We ourselves pay for three pen tests per year and we participate in a public bug bounty, where we have enough confidence in the quality of our product that if someone finds a bug in our system we’ll pay them for it. The other important aspect of security is agility, or quick response. When the Heartbleed bug came out last year we found, patched and remediated within 24 hours.

The behaviour most strongly correlated with breach activity, both for business and private use, is people using the same passwords across multiple sites. It’s not about changing the password frequently, it’s about making it unique. We go to great lengths to protect the passwords and use a bcrypt algorithm with what we call salt and pepper to make it as infeasible as possible for someone to recover a password even if they were to hack into Dropbox.
So the recommendation is not around changing passwords or password complexity, it is adopting password management tools, such as ‘Passwords Plus’, that really provide the ability to have unique passwords without the horrible user experience. Having complicated unique passwords for every website and making them easy to apply with a password management tool would be one key recommendation. The second one would be for consumers and businesses to adopt some form of 2FA whether it’s the SMS, or the one time password or the U2F token, and, as two of those are free, there is no excuse. So it is purely about awareness and even from a convenience perspective it’s not like you have to do this on a daily basis, it’s really more about: “Is your password coming from a system we haven’t seen before?”
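
The salt-and-pepper password hashing mentioned in this section, sketched as an added example that is not Dropbox's code and not part of the original article. It swaps the Python standard library's scrypt in for bcrypt so that it runs without third-party packages; the HMAC pepper step, the work factors and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt work factors: constructed values for the example, tune for real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def apply_pepper(password: str, pepper: bytes) -> bytes:
    """Mix the server-side secret (pepper) into the password with HMAC-SHA256.

    The pepper is the same for every user and is kept outside the user
    database (for example in a key-management service), so a copy of the
    database alone is not enough to start guessing passwords.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def stretch(material: bytes, salt: bytes) -> bytes:
    """Slow, memory-hard key derivation (scrypt stands in for bcrypt here)."""
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def hash_password(password: str, pepper: bytes) -> dict:
    """Return the record stored in the user database: salt and hash only."""
    salt = secrets.token_bytes(16)  # unique per user, stored beside the hash
    digest = stretch(apply_pepper(password, pepper), salt)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = stretch(apply_pepper(password, pepper), salt)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    """Run the scheme on constructed sample data and report what it shows."""
    pepper = secrets.token_bytes(32)       # constructed; never stored in the DB
    password = "Tr0ub4dor&3"               # constructed sample password
    alice = hash_password(password, pepper)
    bob = hash_password(password, pepper)  # second user, same password
    wrong_pepper = b"\x00" * 32            # what a DB-only thief would be guessing at
    return {
        # Per-user salts: identical passwords do not produce identical hashes,
        # so one precomputed table cannot be reused across accounts.
        "same_password_different_hashes": alice["hash"] != bob["hash"],
        "correct_password_accepted": verify_password(password, alice, pepper),
        "wrong_password_rejected": not verify_password("tr0ub4dor&3", alice, pepper),
        # Pepper: even the correct password fails to verify without the secret,
        # so offline guessing against a stolen database gets no confirmation.
        "db_alone_cannot_confirm_guess": not verify_password(password, alice, wrong_pepper),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```
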

Cisco Powers Up ‘Threat Grid’

Paul Davis, Director, Advanced Threats Solution Architecture Team, Cisco

I came to Cisco as part of the Threat Grid acquisition and now head a global team based in Boston, focused on the entire Cisco security portfolio and how it inter-operates. Threat Grid is a high speed, high volume, high-fidelity malware and threat intelligence platform. It is not just a sandbox, though that is part of it. The system performs detailed malware analysis automatically and uses behavioural analysis to determine if it is bad, even if it is an unknown threat, or a known threat that has changed its strategy. Threat Grid is a platform but before Cisco, we didn’t have the ability to collect files, so we didn’t sit on a network or at an end point, but we had a very powerful API (Application Programming Interface) which meant we could be integrated with virtually anything, and having files sent to us was possible via a web interface or an API, and then we would send the results back. Now we are part of Cisco, we have the complete portfolio, and I am like a kid in a candy store. I now have the entire architecture, from routers, to firewalls, to proxy servers, to network devices and endpoint, to net flow, to identity access management, so across the entire architecture but also up the stack to Layer 7, so now we have all the different aspects from collecting, having files submitted, from queries to enrichment. It is a very powerful platform, and we have years of malware analysis results, all indexed and correlated.

Angler Exploit Kit

Talos is a group from the Cisco security team, combining with VRT which comes from SourceFire. This is a team focused on identifying sources of threat intelligence and malware trending data. They do campaign analysis. As an example, just recently Cisco announced with L3 that they had taken down a cybercriminal gang using the Angler Exploit Kit! When you are providing incident response to a really nasty event, the Board and Chief Executives want to know three things: What is it? What is it doing? How can we kill it? Providing the answers can be very challenging. We provide continuous monitoring, which allows a visualisation of where the infection or attack is and a timeline of how it came in. We no longer need to review logs or initiate scans to find out. Inevitably, malware will get in and evade your defences. You need the immediate ability to go back and see what has been happening. Running vulnerability assessments is for a specific moment in time, whereas this is continuous monitoring for changes and anomalous behaviour.

“I need visibility”

Threat Grid takes an average of 7.5 minutes to scan a piece of malware and generate megabytes of data which is all indexed and gives you a threat score and the behaviours in plain English, but that’s still 7.5 minutes that has gone. NSS Labs’ latest Breach Detection report shows that we defeated all of the malware evasion techniques, a great success for the Cisco AMP portfolio. So even if it is taking us 7.5 minutes to respond to an incident, their ability to deliver the capability to efficiently and effectively remediate is a big difference from what has previously been taking days of analysis. Within this short timeframe, an event is seen, evaluated and triaged, and its impact is seen. Because you can see it, your root cause analysis is easier and more accurate, and eliminates the threat, whilst building yet further intelligence on anomalous behaviour. It is all about visibility. It is an amazing story and vision, with 5,000 people in Cisco focused purely on delivering security solutions and services – that shows commitment.

Building the executive relationships
Sean Duca, Regional Chief Security Officer, Palo Alto Networks

My role with Palo Alto Networks involves providing thought leadership for the company, across the Asia Pacific region, which means building the executive relationships with organisations (both customers and non-customers) and our partners, and at the same time working with and collaborating with the industry. It’s about educating people that security has changed and the cyber security landscape has changed as well. So how do we educate people around the challenges that are out there and drive the awareness as high as we can within the organisation? Part of my role also has threat intelligence built into it, which means leading a team of threat intelligence analysts who work within our ‘Unit 42’ threat intelligence team across Asia Pacific, where they gather, research, analyse and provide insights into the latest cyber threats. We then share that intelligence with customers, partners as well as the broader community. Sharing information and putting it into action is one of the best ways to beat the bad guys. One they have been working on lately is ransomware, one such threat that is coming up consistently, and if we look at specific threats like CryptoWall 3, we have been tracking about 4,000+ unique samples since January 2015, with more than 400,000 attempted infections.

A three-pronged approach

In past years, we used to talk about not going to risky websites and we categorised these sites, doing URL filtering and controlled the ports and protocols used in our networks, which was great, but a very static way of looking at and reacting to the problem. Now the bad guys are creating brand new websites and sending emails and launching their attacks at users and applications where port based firewalls are no longer effective for protecting an organisation or controlling applications and users. Where we need to get to is to have visibility and securely enable all applications, for users and the devices on the network at all times. Full visibility at all times is the first step to prevent attacks that might utilise non-standard ports, protocols, or encryption such as SSL for evasion.

It is ludicrous to suggest that prevention is dead, and we should now focus solely on detection and monitoring. The job of a network defender is to prevent a negative material impact to their organisation that results from the successful execution of a cyber adversary campaign plan against the defender’s networks. Network defenders prevent material impact to the organisation by concentrating on three equal and essential tasks: threat prevention which is preventing all known threats, threat detection which is detecting new unknown threats quickly and thirdly threat mitigation, which is acting quickly to disrupt an attacker’s activities. Using that mindset of a network defender, I would say my countermeasures need to be applied to these points according to the attack life cycle and that’s how I start to prevent the threat. If I can make it fundamentally harder to get in and if they do get in and find it hard to move around and execute their campaign plan such as stealing IP, they will at some point stop and move on to someone else.

Some have made claims that everything is a zero day exploit, but zero day exploits can cost hundreds of thousands of dollars in some instances – they can’t keep on cutting these things every single day. In some cases it can take six to nine months to create a zero day, so instead of cutting code, these organisations repackage, repurpose and resend and get it back out and do the same thing over and over again. So what’s a known threat, a known exploit, is zero day malware, and move away from the model that we’ve had which simply relies on the signature, the fingerprint of what it looks like, and focus on what is the payload, what are the forensic artifacts that describe an attacker’s methodology and link that attack life cycle.

Trends - Sharing, not hoarding, including with the Board

I think ransomware is going to continue and cybercrime as a service is going to continue, as it has been a nice cottage industry for criminals. For government and law enforcement, there has been a lot more discussion around information sharing but they’re still working out how to do it. We at Palo Alto Networks actively have dialogue with Law Enforcement Agencies (LEAs) and we need to get to the point where we are sharing active campaign plans. There may only be 5,000 play books or adversary campaign plans out there, which is manageable. We need to start sharing these play books, put context around them, and then we can start to work together to start to disrupt some of these people. Because each time, as we catch it, they are going to have to change their and techniques. The challenge for government is that they find it hard to declassify. There are pockets of emerging success. Interpol in Singapore, for example, which is focused on cybercrime, not cyber espionage, are set up to share information, as they don’t have the ability to do enforcement but they can reach out to the agencies that can.

Industry should also be sharing. For example 18 months ago, our CEO suggested that we needed to break out of this model of vendors hoarding the information as the threat intelligence is not IP; the IP is what you do with that intelligence. So Palo Alto Networks, McAfee Intel Security, Symantec and Fortinet came together as founding members of the Cyber Threat Alliance and in real time shared 1,000 net new samples of malware that had never been seen by the industry before. I think there will soon be a point where there will be near 50 vendor technologies that can be deployed as required to prevent and defend against common as well as emerging threats.

Think about the role of the CISO in an organisation. What are you presenting to the board to raise the profile of risk and where does the role sit?
Does it report directly into IT? A lot of the times security sits with the CIO, whereas I think they should be peers. The CIO should innovate for the company and the CISO should help the CIO secure that innovation. When the CIO gets too far out in front of security, the CISO should bring the CIO back to reality. When the CISO goes too far in saying “no” to every innovation project that comes up, the CIO should pull the CISO back to reality in terms of trying to understand the real risk to the business. They should both report to the CEO, as only the CEO owns the risk to the business. That should provide visibility to the board around risk.

As a corporate defender my role should be to prevent a negative material impact to the organisation that results from the successful execution of a cyber adversary campaign plan against the defender’s networks. Not all adversary groups can have a detrimental impact to every organisation. If my organisation sells widgets from a web page, a nation state adversary group that steals state secrets is not my concern. Even if that adversary group did breach my network for whatever reason, the odds that the results would materially impact the business would be minimal. If a cybercrime adversary group that seeks credit card numbers breached my network, that is another story – the loss of customer trust may materially impact the future of the business and so that is where I should focus my efforts and adjust my controls.

The Palo Alto Networks’ Traps system is focused on advanced exploit capability, which concentrates on prevention and identifying the ways they are looking to ‘get in.’ There are over 30 different techniques that may be used, some of which can also be chained together to form a range of techniques. The logic behind Traps is that we understand all of those different exploit techniques and every time a new process comes up. So each time someone tries to bypass the inherent or security controls of a system, we trap it and can choose to look at it forensically, in particular if it’s new, and we can also look at what they may have been targeting and renew the controls around that. The launch of Traps into the Asia Pacific has only been recent and we are having some very interesting conversations with our customers.

Cyber Reveal Investigator – don’t drink from the fire hose

Adrian Blount, Sales Director, BAE Systems Applied Intelligence

Cyber Reveal Investigator is our threat intelligence and threat analytics platform, based on big data analytics with advanced threat detection rule packs (or sets of analytics) – which we can extend to insider analytics and web-based analytics. This is absolutely advanced threat detection. What we saw in the market was a gap in capability beyond the traditional detection platforms out there. A product that looks for malware and incursion and can achieve detection for the longer-running, more subtle types of attacks; circumstances where you don’t know what the malware is, where it’s coming from, or what they’re trying to do. These are the type of attacks picking off the larger organisations.

This is a highly effective tool for security operation centres and organisations with any large scale online trade and reputational risk that may be subject to complex attack. It provides wholly effective information for security analysts to quickly get across an attack. One of the differences is we’re not just learning of a new sinister IP address for example, we’re doing behavioural analytics, so it doesn’t matter where the IP address is—we are looking at the behaviours throughout an attack. We use machine learning to baseline risk ratings on connections, using the cyber kill chain to break down the analytics in our Advanced Persistent Threat (APT) pack, to look at behaviours for example such as infiltration and persistence, which might then pivot to different parts of the network to broaden the attackers’ foothold, and then perhaps beacon for command and control, and ‘phone home’ to let the malware take instructions. In each of those areas we have identified traits or behaviours that indicate the activity may be taking place so that is what our analytics is looking for.

Infiltration and iSight

Infiltration is an interesting example, which generates a list of alerts and is ranked according to set algorithms and rules. An example is a phishing hit: we can drag this into our visualisation pane and it will show a visual representation of the different pieces of information and actors around this phase of an attack. So a phishing email aimed at people in an organisation may be detected by various systems, but the Cyber Reveal Investigator provides the analyst with the necessary context around the attack to help them be more accurate in diagnosing it, reducing the time needed to work out the response component. There are additional elements, such as drive-by alerts which indicate when people within an organisation have already downloaded the executable file, as well as where the email has come from.

At the RSA Conference in the USA we announced a technology partnership with iSight Partners. This allows CyberReveal to leverage customers’ existing investment in iSight threat intelligence within CyberReveal visualisation. If iSight has identified an email address or other Indicator of Compromise (IOC), the system will pop up the piece of threat intelligence held on that email. We can also ingest other types of threat intelligence into the platform, allowing the analyst to see the alert, associated threat intelligence and related alerts in one place. For example, a phishing alert, an associated ‘drive-by download’ alert and some related threat intelligence about that email all in one place. The analyst can then drill down into each of those to establish the full context, connections and behavioural activity of the attack, including which machines were involved and which users were logged into those machines.

BAE Systems obviously has a broad range of customers across many different segments of the market. We see a variety of attacks around the world and what we do is incorporate that into the threat intelligence that we gain, and into the analytics. So the analytics is more about understanding the behaviours than it is necessarily looking for a specific threat actor.

All of the information we collect can be used to hone the accuracy of the analytics, and as patterns change, we update the analytics to reflect that, which is another way the customer benefits from the system.

The Big Data Approach

The platform was built in the BAE Systems Security Operations Centre and is relatively new to the broader market. As an alert comes in from a detection platform, like malware detection, antivirus, or IDS, a SIEM aggregates and correlates it, which is critically important. It’s real time, finger on the pulse, and very focused on looking for more advanced threats. But imagine if someone has an attack against an organisation that runs over several months. It is very difficult for a SIEM to try and aggregate the disparate events and try and tie them together within a smaller window of time because it is looking at real time events. If you take a big data approach to that and run analytics over data you have collected over a long period, then keep running analytics over all the new data coming in, you are able to pull together those individual disparate pieces of information and tie them together into longer running patterns, and match that to baseline data generated from machine based learning. It is about using the data the organisation already has about the events that are happening and giving your analysts a faster way to work it out and interrogate it, in addition to other analytics that are built to detect anomalous behaviour.

There are a lot of threat intelligence vendors in the market, all providing completely valid, useful and important intelligence; who the threat actors are, what tools they’re using, where they’re coming from, who they’re attacking and when they’re doing it. All that information is generally available. The problem customers have is they are drinking from the fire hose as far as information flow. What we are doing is acknowledging all of that information, but giving customers a way to bring the information together and consume it in a way that makes sense to them and can be meaningfully applied and worked with.
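The contrast drawn above between a short real-time correlation window and analytics run over a long retention period can be shown with a small sketch. This is an added example, not BAE Systems code or a description of how CyberReveal works internally: the alerts are constructed, the phase labels follow the kill-chain stages named in the interview, and the 24-hour and 180-day windows and the three-phase threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases named in the interview, in attack order.
PHASES = ("infiltration", "persistence", "lateral_movement", "c2_beacon")

# Constructed sample alerts (host, timestamp, phase). Not real telemetry.
EVENTS = [
    ("ws-014", "2015-03-02T09:14:00", "infiltration"),      # phishing attachment opened
    ("ws-014", "2015-04-11T02:40:00", "persistence"),       # new autorun entry
    ("ws-014", "2015-05-27T23:05:00", "lateral_movement"),  # admin share access to peers
    ("ws-014", "2015-07-19T03:30:00", "c2_beacon"),         # periodic outbound check-in
    ("ws-231", "2015-06-01T10:00:00", "infiltration"),      # isolated alert, no follow-up
    ("srv-07", "2015-06-03T08:00:00", "c2_beacon"),         # two alerts, wrong order
    ("srv-07", "2015-06-03T08:20:00", "persistence"),
]

SHORT_WINDOW = timedelta(hours=24)    # assumed real-time correlation window
LONG_LOOKBACK = timedelta(days=180)   # assumed retention for batch analytics


def group_by_host(events):
    """Return {host: [(timestamp, phase_index), ...]} sorted by time."""
    by_host = defaultdict(list)
    for host, ts, phase in events:
        by_host[host].append((datetime.fromisoformat(ts), PHASES.index(phase)))
    for seq in by_host.values():
        seq.sort()
    return by_host


def longest_chain(seq, window):
    """Longest run of alerts in kill-chain order whose first and last
    alert are no further apart than `window`."""
    best = []
    for i, (start, _) in enumerate(seq):
        in_win = [e for e in seq[i:] if e[0] - start <= window]
        # chains[j]: best ordered chain that starts at in_win[0] and ends at in_win[j]
        chains = [None] * len(in_win)
        chains[0] = [in_win[0]]
        for j in range(1, len(in_win)):
            for k in range(j):
                if chains[k] is not None and in_win[k][1] < in_win[j][1]:
                    candidate = chains[k] + [in_win[j]]
                    if chains[j] is None or len(candidate) > len(chains[j]):
                        chains[j] = candidate
        longest = max((c for c in chains if c), key=len)
        if len(longest) > len(best):
            best = longest
    return best


def detect(events, window, min_phases=3):
    """Hosts showing at least `min_phases` ordered kill-chain phases
    inside one correlation window, with the phases that matched."""
    findings = {}
    for host, seq in group_by_host(events).items():
        chain = longest_chain(seq, window)
        if len(chain) >= min_phases:
            findings[host] = [PHASES[p] for _, p in chain]
    return findings


if __name__ == "__main__":
    print("24h window :", detect(EVENTS, SHORT_WINDOW))
    print("180d window:", detect(EVENTS, LONG_LOOKBACK))
```

With the 24-hour window no host qualifies, because each ws-014 alert arrives weeks after the previous one; over the 180-day lookback the same four alerts line up as one ordered progression on a single host.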




BAE Systems Applied Intelligence Feature

BAE Systems supporting Australia’s next generation of cyber security professionals

With cyber security becoming a core concern for businesses and playing an increasingly important role in the everyday lives of Australians, supporting the development of local cyber security skills is paramount. The importance of promoting Australia’s cyber security skills was highlighted in November 2014, when former Prime Minister, Tony Abbott, announced the launch of the government’s Cyber Security Review, with a key objective of the review being to ‘look for ways to better address Australia’s cyber security skills needs’.

BAE Systems Applied Intelligence has been actively involved in industry working groups as part of this Review, working closely with the Australian Government to determine how we can better protect ourselves as a nation, within industry and in our homes. In its formal submission to the Review, BAE Systems Applied Intelligence called for Government to invest in building cyber security capacity, including providing seed funding to support a cyber apprenticeship scheme as part of the National Cyber Security Strategy, arguing such a scheme would deliver much-needed capacity and lower the cost of accessing cyber security advice entry for SMEs and larger organisations.

Increasing Australia’s cyber security skill base will also be a strong driver for substantial future economic growth: Australia can be a consumer of cyber security goods in the future digital world, or it can be a supplier. There is a substantial economic benefit to creating an environment which encourages investment in cybersecurity research and development to produce cyber products for the world, the submission argued.

Following the Victorian Government’s announcement of $4.7 million in Back to Work funding for Box Hill Institute’s Jobs Engagement Team (JET) initiative in June, and in anticipation of the release of the Cyber Security Strategy expected later this year, BAE Systems Applied Intelligence has been working with the Box Hill Institute to develop the first Australian Cybersecurity Apprenticeship Scheme program.

Malcolm Shore, Technical Director Australia, BAE Systems Applied Intelligence, said, “There is an increasingly worrying lack of cyber skills being developed in Australia and a growing dependence upon overseas sourcing of skills. Industry needs to support the development of Australia’s cyber security skills capacity.

“This cannot wait any longer – the time for talking is over. Action is needed now, and we believe the Cyber Apprenticeship scheme is one way BAE Systems Applied Intelligence can contribute to the future security, wealth, and growth of Australia.”

The Australian Cybersecurity Apprenticeship program will be launched as a pilot program in 2016 for 20 to 30 apprentices. It will have a similar structure to the successful Trailblazer scheme BAE Systems Applied Intelligence has been involved with in the United Kingdom. The apprenticeships in the program will be open to both school leavers and adults wishing to re-skill into the cyber security field.

“As with any industry, the cyber security industry needs a range of skill sets to fulfil market requirements. While there’s a requirement for investing in many years of training to deliver graduates who can then embark upon a career leading eventually to positions as senior security managers, there is a substantial foundation of technician level skills which can be achieved through a blended work/study arrangement such as the Certificate IV apprenticeship course we are developing with Box Hill Institute of TAFE.”

“Now, more than ever, Australia needs to substantially boost its cyber security capacity and capability. The best way to do this is to build a strong local cyber securities skills-base. BAE Systems Applied Intelligence’s partnership with Box Hill Institute will provide an important template for achieving this goal across Australia,” Dr Shore said.

The launch of the Government’s review into Australia’s cyber security standing followed comments in March last year by Australia’s Information and Communications Technology Research Centre of Excellence, NICTA, warning that Australia could miss out on the chance to build an internationally competitive cyber security industry if it doesn’t foster an agile ecosystem to create opportunities and challenging careers locally.

Supporting apprenticeships has long been a tradition for BAE Systems Applied Intelligence, where in the UK it will be taking on a record 710 apprentices this year, a number of which are being taken into the UK e-skills Cyber Security Apprenticeship Scheme.

Other recommendations BAE Systems made to the Cyber Security Review around skills development in cyber security included:

1. Encourage existing academic programmes to invest in more research through establishing a Cybersecurity Research Centre, supported with an incubation scheme to move successful research into private industry,
2. Invest in research internships, and
3. Provide incentives to encourage businesses to employ and train first-job graduates.

THE NEW ERA OF FRAUD; A CYBER-ENABLED APPROACH Modern cyber attack techniques are being applied to traditional frauds, from insider trading to basic confidence tricks. And these attacks are becoming more and more sophisticated as new techniques are added to traditional fraud campaigns by criminals.


For more information visit www.baesystems.com/ai


Protecting your company’s IP

As online threats become more ubiquitous and damaging, protecting sensitive data such as intellectual property (IP) is becoming increasingly difficult. Firming up network and system security weaknesses can go some way to protecting sensitive information but employing data loss prevention techniques should also be considered to help protect data in the event that it is stolen or lost.

The ever increasing list of significant breaches around the world has made companies aware they must take steps to mitigate the risks posed to their critical information assets. Intellectual property, including creative content, saleable commodities and design details, now sits on corporate risk registers, having been identified as critical to ensuring organisations maintain consumer trust and stability in today’s uncertain economic climate.

Motivated groups including suspected state-sponsored groups, industry competitors and criminals looking for financial gain are carrying out online attacks aimed at extracting IP for their own gain or to disrupt competition. No company, regardless of size or industry, is immune.

Adrian Blount, Director Cyber Solutions ANZ at BAE Systems Applied Intelligence, said, “IP theft can result in substantial commercial losses and, in some cases, may even put lives in real danger if critical infrastructure is compromised. The secondary impacts of data loss events, such as reputational damage, legal action or regulatory intervention, can continue to manifest themselves well beyond the incident response and clean-up period.”

However, despite the risks, few organisations consistently and effectively identify and protect all of their IP. The commercial reality is that security controls cost money and companies must find the commercial balance between the cost of implementing a control and the consequences of a successful attack. Although there is no single solution to safeguarding IP, some security solutions and products are maturing and simplifying the task of tracking and controlling usage of digital assets.

Data is generally classified into three groups: data in motion (DIM) such as data being transmitted across a network or via email, data in use (DIU) such as data presented within an application, and data at rest (DAR) such as data stored in a database or file repository. While there are many examples of data loss in each of these groups, by far the most common is DIM, particularly data contained within emails. Therefore email data loss prevention (DLP), involving content filtering policies and the blocking, encrypting or flagging of emails containing suspicious or sensitive data, is a necessary ingredient of any data protection strategy.

Companies can use DLP measures to prevent and detect the use and transmission of data such as financial information, sensitive documents or intellectual property. From a compliance point of view, this can help companies comply with regulator requirements around credit card data transmission or protected health information, for example.

While trying to prevent the leakage or loss of sensitive data is important, it is a requirement of doing business that sensitive data is exchanged with business partners, customers, shareholders and a range of other entities. The use of encryption technologies to protect these data transfers can ensure that a message falling into the wrong hands doesn’t have to mean its content is exposed.

THE RETURN OF PHISHING AND MORE: WHY OLD ATTACKS ARE MAKING A COMEBACK BAE Systems is seeing a re-emergence of old fashioned security threats.


“Email encryption ensures privacy of sensitive communications, meaning you can send sensitive data to trusted parties securely. New technology allows messages to be automatically encrypted based on policy, or on demand,” added Adrian Blount.

Historically email encryption has been cumbersome to implement, requiring complex public key networks to underpin it. This has limited its uptake due to the burden it places on end users.

“To ensure ease of use doesn’t put people off using email encryption, it is important that both senders and outside recipients don’t need unmanageable keys, add-ons or external programs; allowing recipients to read and reply through a simple and secure web-based interface overcomes this.

“It is inevitable that we will see further attacks on, and new vulnerabilities in, the defences we put in place today. However, having systems in place to protect your data and flag suspicious activity can go a long way to giving you peace of mind,” Mr Blount concluded.

SIEM RELATIONSHIP ADVICE: FOUR TIPS FOR PARTING ON GOOD TERMS WHEN THE TIME COMES Like breaking up, transitioning away from reliance on legacy technology is hard to do. But affording a dignified departure from the reliance on Security Information and Event Management (SIEM) capabilities has to be planned. For more information visit www.baesystems.com/ai



Cyber Security

Looming large & long

The board room’s response to a cyber security skills shortage

ISACA Perth Conference, 21 October: Editor’s interview with Tony Hayes, ISACA Board Member and Mike Nisbet, ISACA WA Chapter President

By Tony Hayes and Mike Nisbet

The Internet of Things for business-to-business use alone is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020. According to the consumer segment of ISACA’s 2015 IT Risk/Reward Barometer, 65 per cent of Australian consumers are confident they can control the security on the Internet of Things devices they own. Yet according to over 7,000 global IT and cybersecurity professionals who responded to a parallel survey, only 22 per cent feel this same confidence about controlling who has access to information collected by Internet of Things devices in their homes—and this number is even lower among Australian IT professionals, at 19 per cent.

Globally, 72 per cent of IT and cybersecurity professionals say manufacturers are not implementing sufficient security in Internet of Things devices. A nearly equal proportion (71%) don’t think current security standards sufficiently address the Internet of Things and believe that updates and/or new standards are needed. Privacy is also an issue; 90 per cent believe that device makers don’t make consumers sufficiently aware of the type of information the devices can collect.

Tony Hayes: ISACA is at the table at various levels of government, be it State or Federal, to put a voice forward. We have groups of people who are established on government advisory groups who are examining the Government’s legislative programs and influencing that worldwide and we have a similar group here in Australia. We have a lot more work to do in Australia but the voice is there and the input is there and we are going to become more and more sophisticated, learning from our colleagues overseas.

Mike Nisbet: My role as a local chapter board member is to carry the vision of ISACA and give support to the members, so I’m demand driven and respond to what the membership needs, as well as trying to respond to what ISACA is trying to achieve. It is also leveraging the membership and programmes we have and speaking with government and saying you’re making really fundamental and important decisions at a state level, have you considered what ISACA can do to support you. Not to be part of policy making or legislation but ensuring there is awareness that there are people who will enable those decisions and they need to have the right capabilities. ISACA is the organisation that should be considered as one of those organisations that is supporting them.

Tony Hayes: One of the unique characteristics of what ISACA is offering is that we are one of the few, if not only business and IT professional organisations that has a global certification and with a footprint and recognition across the world. And in the Information and Technology industries, they are global so how you function across countries and regions, you need to have the tickets that go with that. And no one is doing business these days without some exchange with the global environment.


Mike Nisbet: Having used my ISACA certifications in Europe and South Africa before coming to Western Australia, they have enabled those moves in my career. What I have found is that there are similarly certified members who have also come to Perth and the same enablers were there for them. It is also that Perth is an international business environment and wants to be internationally competitive. Having international certifications is well recognised here also, which is an advantage to our members. Even our chapter members, I would say less than half of them are Australian born and bred and the ISACA certification was an important part of them being able to demonstrate their capabilities and professional standing.

Tony Hayes: ISACA has a group that looks at the emerging technologies and the nature of how they will impact on business and the professions that we stand for, so they have the charter to look at both current technology and over the horizon technology. Naturally they are focusing on the technology which will impact on the professions, not just fads at the time but we do need to remain aware that we are not necessarily the entity that is about shifting or changing the industry. It is about preparing the membership and the professionals in the industry and giving them the tools and preparedness to work well in those changing environments. What we’re seeing now is CIOs are starting to become more ‘innovation officers’, with more of a bridging role. The technology is tending to be more business driven, the CIO’s backyard is less technical, it is more ‘click and drag’, software as a service and application based systems, and they are basically airlifting their people and dropping them into the business where they are becoming more visible.

Mike Nisbet: History is repeating itself in a sense, this is a cycle of centralisation and decentralisation and the CIO, as the ‘Chief Innovation Officer’, is putting the people into the business and they are the ones sourcing and buying the Apps and new technology and the CIO is the one controlling and figuring how it is all brought together.

Tony Hayes: I’ve been watching CIOs’ priorities for about 20 years and seeing how they have shifted over the years. Currently, and with reference to a survey by the Wall Street Journal earlier this year, three of the top five issues faced by CIOs involve cyber security. It highlights CIOs are seeking to make security everyone’s business, cyber risk and business risk being an outcome from that and certainly being a change agent and having a business centric vision. About 86 per cent of CIOs in the survey said that the sophistication and pace of attacks are increasing more quickly than they can themselves and more than what they can deal with and prepare their workforce for. The actual cost to the organisation as a result of breach has been in the order of about $9.3M to $16M, in terms of retrieval and repair but that does not go near the cost of public confidence and brand name and goodwill that is also affected and destroyed.

In the case of my own organisation, if all the child safety records and all the family records for the State of Queensland were exposed to the general public in an inappropriate way and privacy and confidentiality breached it would be absolutely a disaster, and also if another Agency like the police or education departments, who have feeds to our systems, if they were breached would likewise be a disaster, so just in my own space, this is a serious and very important issue. The situation is going to get more complex, it is not going to get easier, the continuum we are seeing will remain complicated, and if you think of where you have anything of value in the organisation, be that in the form of IP assets, or competitive advantage or reputation, it is not a matter of if, it is a matter of when.

Indeed the industry skills shortage is something we will be seeing for some years, and to have in the order of millions of unfilled cyber security positions around the world is a growing concern, internationally. In the context of cyber security, you need to have a plan, have perfected that plan and need to build on experience over time.

Mike Nisbet and Tony Hayes


The human element in information protection

By Ilya Umanskly and Leon Hill

Social engineers are experts at exploiting behavioral cracks in otherwise sound policy and procedures for information protection. And their methods are not limited to computer hacking, phishing and other digital tactics. They know easier ways in. For example, how many times have you seen company employees courteously hold open a door, allowing strangers into controlled spaces? Being polite trumps a company’s clear requirement to authenticate every person entering internal office spaces.

Despite ever-accelerating technological progress, the weakest link in information protection practices remains human behavior. A robust policy and control framework for information protection isn’t worth much if personnel across the organisational structure maintain excessive discretion, have low risk awareness and engage in behavior that can jeopardize and defeat protection controls. Companies that seriously want to protect their proprietary information must ensure that protection measures on the computer systems and networks are matched by a corporate culture that encourages information control awareness and enforces consistent compliance with information security practices.

What exactly are you protecting? And what are you missing?

Information is available everywhere, each in its corresponding domain — physical, verbal and digital. Today’s ubiquitous networks that interconnect most operational functions along with Internet-based platforms make it tempting to consign “information” exclusively to the digital domain. Most discussions about information security automatically presume this association. This mindset has resulted in physical and verbal information being increasingly ignored and routinely neglected by information protection professionals and information owners. The time-honoured WWII maxim “Loose lips sink ships” has been replaced with the mantra “Change your password every two weeks.” People may incessantly text message each other, but they still like to talk, too, and may well routinely over-disclose sensitive physical


and verbal information. These days people also tend to indiscriminately publish both personal and also work-related information online without necessarily thinking twice about it.

Software is easier to buy than common sense

Why is so much more attention paid to the digital domain compared to the physical and verbal? Perhaps because it is so much easier to protect digitally stored information. Robust digital information protection tools are abundantly available, and professional education in network security is well established. Companies are happy to earmark funds to protect their secrets, and software is easier to buy than common sense.

And yet, nearly every week, information compromise incidents hit the headlines. The victim organizations then have difficult, heated, internal discussions about how these incidents occurred and what the root causes were. The answers won’t always be found only on their IT networks.

The fact is, all forms of digital domain protection measures are installed and used by people and accordingly, are subject to human error and sabotage. Certainly, organizations could disable all their server connections to the Web, VPN and desktop-based external programs to better protect their internal network and the information stored on it. But this isn’t a reasonable option. Market competitiveness is not built upon secrecy alone. Efficiency, productivity and accessibility along with collaboration and mobility also contribute to commercial success, so a balance needs to be struck. Operational security directly impacts security in the digital domain and needs to be integrated into the balance.

The key is to resist complacency outside the digital domain. Instead, information security should be approached from an organic perspective that considers organisational culture; the role of human resources; governance; enforcement; and management – all in addition to tools that exist for protection of information on IT networks and computer workstations. In this way, risk management professionals can prioritize the protection of information as a valuable asset across all three domains. Simply buying digital software without having the right people in place to run it may be worse than buying

Australian Security Magazine | 33


Cyber Security

Seven ways to help employees channel discretion toward compliance It is quite common for employees at all levels to circumvent protection. Humans are wired to use discretion when making decisions, and discretion oftentimes directly conflicts with control measures. The following best practices, based on hundreds of organisational assessments and responses to incidents conducted by Kroll’s experts across several regions globally, can more directly guide and support employees through the decision-making process: 1. Establish comprehensive, organization-wide asset management systems that help identify, categorize, rate (by criticality) and manage assets (information being one of them). 2. Spend enough time designing and validating functional processes in relation to desired asset protection controls. 3. Create centralized and properly automated incident reporting systems. 4. Develop detailed incident management plans that carefully specify who and why will compose the response team (other than by seniority), formalized role assignments for strategic and tactical levels, individual responsibilities assigned to specific individuals through procedures, and frequent (at least quarterly) desktop and hands-on training. 5. Base organization-wide command and control capabilities on KPIs tied to asset protection requirements. 6. Extensively and frequently train employees on risk, compliance and ethics. 7. Create and socialize actionable and enforceable documents (like procedures and standards) beyond token posted policies.

Human Resources function has the most potential to promote awareness and training It is easy to think of organizations’ security departments being solely responsible for protection of assets. However, the one department with the greatest potential to influence employees, from pre-hire assessments to performance management throughout the entire employment period, is Human Resources (HR). The HR function in most organizations has responsibility for educating employees (both newly hired and existing) in various operational, functional and administrative areas. It also has the capacity to set and maintain the tone for the organization’s culture — one of the key factors in compliance and good corporate citizenship. By engaging with other departments that collectively manage governance and compliance, HR can help channel the sense of ownership for the organization’s well-being to all employees, fostering a more vigilant culture. HR can also help develop and apply administrative sanctions for policy, procedure and control violations. Additionally, it can organize ongoing training to preempt them. Finally, HR professionals are very often grounded in organisational psychology, which helps examine the root causes of compliance and non-compliance in the workplace. Effective governance models help minimize risks and vulnerabilities

nothing at all if the people within the company who are implementing, running and using the systems are neither competent nor well managed and trained.

Organisational culture should be continually primed and reinforced for compliance

The World Intellectual Property Organization has repeatedly admonished that insiders (maliciously or accidentally) cause most intellectual property breaches. We at Kroll have observed many breaches while performing subtle penetration tests. One of them occurred at a model police station, where unauthorised visitors were able to enter restricted areas, including the control room, interview spaces, holding cells and personnel quarters, because one of the police officers simply let them in through the back gate without asking for any credentials. So what drives humans to make poor security decisions or knowingly violate security and asset protection controls? Is it a sense of politeness, need of convenience, poor understanding of risks or a premeditated plan? Each factor represents a valid concern and must be addressed at its most fundamental level. The difference between a violation and compliance depends on:

• Consistent awareness of assets and their level of importance (criticality) to the organization
• Robust governance with frequent oversight
• Frequent awareness education to foster a sense of individual responsibility for asset protection

(See sidebar for best practices: Seven ways to help employees channel discretion toward compliance)

34 | Australian Security Magazine

When it comes to governance, too many organizations try to simply comply with various regulations and standards in the least costly way possible. Their strategies are frequently based on assumptions that it may be less expensive to address incidents rather than prevent them. Enhancing governance to reduce risk exposure and mitigate vulnerabilities can be a painful and challenging process that requires a senior change management team that is skilled and committed to following through on resolving issues. Outsourcing the task to an external team can be beneficial. The worst thing to do is to sweep issues under the rug, create a PR façade and continue to be ignorant of most risks while utilizing significant managerial discretion that conflicts with anticipated compliance controls. After a recent vulnerability assessment, one senior risk manager commented, “Perhaps it is better not to know the risks you have just identified.” Considering the high-placed source, it’s safe to say that organizations have a long way to go.

Case Study

A global R&D and manufacturing company suffered a loss of its intellectual property (IP) and was informed by a whistleblower that this loss was caused by a former employee. This former employee, prior to separating from the company, had downloaded a product manufacturing package from the corporate network. After separation, he began to offer this manufacturing package to various competitors. The company asked Kroll to investigate this loss and to help prevent the illegal sale of their IP. The company also asked Kroll to assess their current information protection internal controls and to


Cyber Security

help develop a more robust information protection program. Upon successfully completing the investigation and the assessment of their internal controls, Kroll found particular vulnerabilities in the client’s governance and compliance measures. For example, there was no senior management team to work collectively on identifying and classifying intellectual property assets based on their criticality. This contributed to insufficient restrictions on information management, internally and externally. Having identified various information protection vulnerabilities, Kroll collaborated with the company’s senior management to establish improved management structures, asset identification and classification controls, incident management processes and follow-up assessments.

Enforcement requires commitment of senior management

A policy, procedure or standard is only as good as the KPIs and compliance controls that support it. Yet, many organizations often do not tie information protection and security policies and procedures to corporate compliance measures. This leaves enforcement to the Security function that is often perceived as having limited reach and being disconnected from corporate strategy and culture. It is no secret that enforcement requires commitment of senior management across the entire governance spectrum, starting in the C-suite. Enforcement should also be paired with rigorous and regular training (at least quarterly) as well as incentives for good organisational citizenship consisting of compliance with set controls and prompt responses to potential and/or actual incidents. Almost all organizations (many international and recognizable brands) that we have assessed fall short when it comes to the frequency of compliance training. The highest frequency of training observed was quarterly. Comparatively, one would consider this frequency to be above average, but it may well be inadequate depending on the nature and urgency of a threat. Infrequent training typically lacks a control for measuring information retention among participants. Information retention (direct human memory, not the asset) is key to consistent awareness, and deteriorates very quickly over time without frequent reinforcement. The longer organizations wait between training efforts, the less information is retained. Training frequency should be closely tied to risk ratings. Higher risks in a particular area should warrant higher training frequency on related risk reduction controls. Training can be delivered in a variety of ways: lectures, email reminders, posters, web-based modules and as agenda items in normal business meetings.

Management is the cornerstone

One of the greatest challenges for managers is the diversity of human character and behavior. Managers at all levels (from C-suite to line management) have their individual styles and idiosyncrasies that, if not properly shaped through governance, compliance and process design controls, can negatively affect consistency of actual compliance, reporting and enforcement. This is not to suggest that management must become more robotic or rigid — not at all. We all know that a healthy dose of innovation and risk-taking is one of the core drivers for most organizations. Information protection awareness and good information control practices need to be established, followed and enforced from the top down, with management setting a good example. At the same time, positive reinforcement (from a pat on the back to a bonus increase) should be applied in parallel with control application. Finally, in an ideal application, everyone in the organization should have a strong sense of ownership and responsibility for all assets, including reputation. If some companies’ products have “Built With Pride” stickers on their products, why can’t the same level of pride be instilled and advertised internally?

Conclusion

The protection of information cannot be achieved solely by digital technology and policy reviews. Rather, we have two options for the future: Continue to believe that existing organisational culture affords sufficient information protection, or begin a slow but ultimately rewarding process of honestly and continuously looking at internal control mechanisms, cultures and assets to identify vulnerabilities to developing risks and threats. Recognizing that people are the weakest link in risk management and asset protection is an integral part of effectively protecting information and assets in organizations.

About the authors

Ilya Umanskiy is Associate Managing Director in Kroll’s Security Risk Management practice, based in Hong Kong. He is responsible for leading all risk advisory, security, preparedness, intellectual property protection and technical design projects in Asia. With vast experience in the industry, Ilya has worked with a variety of corporate, industrial and government clients to assist them with development of comprehensive strategy and plans for mitigation of operational risks and enhancement of global security, incident response and emergency management controls. iumanskiy@kroll.com

Leon Hill is director with Kroll’s Security Risk Management practice, based in Hong Kong. Leon has worked in operational intelligence in the public and private sectors since 1980. Since expatriating to the Far East in 2003, Leon has served as principal consultant for a Hong Kong based investigations/due diligence firm and as corporate counsel for diverse businesses. He has trained lawyers, law enforcement officers, forensic accountants, bank executives and other professionals. Additionally, he has designed and delivered customized training programs and lectured at law firms, universities and trade schools in Hong Kong and Mainland China. leon.hill@kroll.com




The cult of the aware

By Steve Simpson


Is there anything that is treated more apathetically in corporate education processes than finding out that you have to do the Security Awareness module? Having been an information security professional for many years now, I still get a sinking feeling when I receive that message telling me to click on the link to undergo the awareness training. Even my passion for this topic does not help me look forward to this event. I recall one time where I was reduced to taking a series of screenshots for every page displayed so that I could just go to the quiz at the end and then review the screenshots of the scenarios to answer the questions. There is no way that I am the only person to have come up with this solution, which does nothing for me (or other users), nothing for the company and causes no improvement in the awareness of security aspects. For me the lack of enthusiasm could be just because it’s a basic part of a topic that I know and love so well, but that does not help to account for why it is such a common reaction, and I believe it may be the way that such learning modules are presented to us that results in such an unhelpful attitude. As a security professional, I find that I am quite jealous of the way that Work, Health and Safety (WHS) has become

such an accepted and noted part of corporate education. WHS has actually become an integral component of corporate culture; everyone seems to know their role as part of the big health and safety picture. In the resources industry this is taken to the extreme, where some companies even forbid staff (and contractors!) to cross the road except at a designated crossing, but I see more realistic evidence in most organisations whatever their industry vertical. Why is it that information security is not currently seen to be an equally integral part of corporate culture? Surely this is the Nirvana of all security professionals, to have information security become an integral part of the culture of a business. I suspect that at least part of the reason for failure to date is in the history of our profession. For many years security was about blocking bad things and sometimes the link to bad things was a pretty tenuous thing. Reporting always had a negative overview and rarely included detail of how threats would impact the business as a whole. The security manager made the decision to say no to certain practices and everyone else had to go along with that. Luckily, this attitude in security professionals is greatly reduced these days. The vast majority of us have a greater understanding of our role these days



and advise on risk rather than just saying no. However, we still have not changed security awareness to a level where it becomes a positive cultural component, and we are still often clinging to our scare mongering roots.


Education is the Key


All those working in the information security field know the difficulty in selling security without also selling fear and this is probably the key to security awareness. We need to encourage good practice rather than just concentrating on the bad things and their consequences. It is frequently quoted and always true that people are our biggest asset and our weakest link, so why not educate this asset to do our job for us. I have on a number of occasions met security professionals who simply do not believe that security awareness can work but I have witnessed it first-hand in some levels of Government and Defence where security is such an integral part of the culture that it is highly transparent. The key is in education rather than simple awareness which needs to be comprised of a cocktail of employee empowerment tempered with enlightenment rather than fear of the consequences of certain actions. Most organisations look for ways to automate this as a means of reducing cost but this can have unwanted side effects in the case of awareness programs. WHS is more often than not taught verbally through briefings and backed up with computer based reminders. Security is also best learned through verbal means. Briefings and lunch & learn sessions allow the audience to take part in the learning, asking questions to clarify their understanding of the material. It will have a greater chance of being remembered than a slide on a screen. A good presenter will also add far more interest into a learning session than could ever be achieved through video or interactive computer based learning, especially where the presenter is able to call on experience and provide examples. These still have their place of course especially where remote work staff are unable to attend briefing sessions but also as a backup means of confirmation and for refresher/reminder training. 
Part of the success of WHS is of course the potential impact and penalties for a company that fails to support the health and safety of their employees and contractors. Until recently this has provided a greater board room impact than security. There is currently an increasing awareness of board room responsibility towards the protection of information, so maybe now is the time we have been waiting for to get support for information security awareness initiatives.

Employee Empowerment

Empowering the workforce is a powerful means of achieving awareness. All employees have a part to play in maintaining the security of information owned by or entrusted to their organisation. Ensuring that employees understand important concepts, like having the right to question anything they see which does not appear right or does not conform to accepted norms, is a positive benefit to any organisation. I believe that if this is verbally explained at the very least as a part of the induction process then those attending will have a better understanding and be more likely to have a positive security benefit to the company and therefore doing their part to reduce corporate security risk. Awareness is only achieved through education; as previously stated, it needs to be part of a program rather than a project, with continual effort put in to maintain just the right level of alertness for staff. A steady stream of warning emails is likely to have a negative effect, so balance must be maintained to avoid spamming staff. A key part of this is for an organisation to appoint a “single point of truth” who has the responsibility for releasing warnings appropriate to the target audience and always researching the warnings first to assure their legitimacy. There are of course more ways than emails to spread the word, such as careful use of posters to relay the message. Having a single page flyer that folds away like a takeaway menu is a great way to ensure that staff have a summary of the acceptable use policy with contact details for reporting security incidents or weakness in a form that is easily kept in a desk drawer or laptop bag.

Outside the corporate box

One way which is effective that empowers users to make best use of security awareness components is to give them information that helps them in their home use of computers as well as office use. Awareness of security at home will aid a company as this is how we start to form our security culture – by protecting work assets the way we protect our own. Staff members with children using the Internet at home are particularly receptive to home based security advice. This way forward goes somewhat against the current trend to automate as much as possible and I think that in this case the benefit is greater. As a parting note for readers: “Invest in your people and they will look after your business interests and assist in reducing the overall risk in your organisation.”

About the Author

Steve Simpson is an information security consultant and the Security Principal for ES2 based in their WA office. Steve has broad ranging experience having spent over 30 years in the fields of communications and IT with half of that specialising in information security. Much of that time was working in defence and government covering some very interesting projects and occasionally security in arduous conditions.




Taking business security sky-high

By Phil Caleno, Senior Manager NetScaler, Citrix ANZ


The notion of being able to immediately respond to a security breach meaning your business has the luxury of being safe is flawed. While it’s not wrong and such approaches to security do deal with the issues that you know of, the solution is only a temporary fix. After all, if this is your IT security strategy it’s only a matter of time until you will need to resolve your next breach. As the English metaphor goes, “the goalposts are always shifting”. In the context of business, few things shift more quickly than security threats. As we find ourselves increasingly surrounded by smart and connected technologies – from consumer devices through to integrated business networks – the reality is the number of IT security vulnerabilities is growing. For instance, an organisation looking to enable mobile working must empower its employees to work from multiple devices and locations, meaning the IT department must make the network available to those outside of the office. A great way to think about business security is to think of the protocols we encounter at the airport. Generally speaking, airports around the world have systems in place to significantly reduce their risks. From CCTV cameras and metal detectors to x-ray machines and sniffer dogs – airports take a holistic approach to security. Business needs to do the same, because being reactive to security threats is no longer enough, especially given the crucial role technology plays within business today.

Identify who is who

Knowing who is in your network is a critical first step to security. It’s a luxury airports have, given the majority of people passing through their network have a pre-existing booking. A recent PwC report revealed despite the majority of infamous security incidents being driven by external agents, a third of businesses said accidental or unwitting breaches by employees were more damaging. As such, with mobility and BYOD strategies being rolled out across Australia (giving employees the power to access almost any business resource remotely), it’s essential businesses focus their efforts on implementing end-to-end security solutions and increasing their awareness of who is accessing the network. Looking at the BYOD model and the variety of devices used by employees to access the network, one of the biggest challenges businesses need to overcome is taking back access control. Since ownership and maintenance of devices is the onus of employees, IT departments must have a firm understanding of which users are connecting to their network, and how they are doing so. Implementing Application Delivery Controller (ADC) technology is one element to address this challenge. ADCs provide a single point of control and visibility in front of the applications. The insight they can yield provides crucial information to IT managers allowing them to identify vulnerabilities, non-compliant users or unprotected devices that are at risk of being exploited. What’s more, with ADCs the responsibility of security across all access points reverts back to the business, instead of being in the hands of the user.

Secure your channels

Once travellers have checked-in at the airport, the next step is to pass through the x-ray and metal detectors. In a similar fashion, businesses should consult with specialist partners in securing their applications and data within the data centre. This offers heightened security as access to corporate systems and data is controlled through secure tunnels and portals. This might sound like a business fortifying itself and restricting employees, but ADC technologies can integrate with mobility suites to multi-task, sandbox and containerise applications for secure deployment on mobile devices. This approach to security gives staff the flexibility to continue working on their terms. In conjunction with this, the IT department can use ADCs as a vulnerability management tool to observe critical changes and track systems that drift out of compliance.

One for all, and all for one

For an airport’s security process to work effectively, all of the elements described above need to be integrated. The same applies to business, especially as businesses increasingly move to cloud services – there’s no use in having all of these systems only for them to operate in silo. To support any device, businesses need to ensure the technology used is compatible with all the main platforms – Windows, Mac, Android, iOS and Linux. This guarantees the tunnel is secured from where both the users and applications are located, as well as the controls inside the datacentre. Even better, having a system that allows for applications to be rendered and have tailored security solutions built around it fosters an integrated approach to IT and rapidly establishes a solution.

To help IT decision makers choose the right solutions, industry and government certification can also be a good guide. Specific to those businesses working in the financial and public services sector, certification of product solutions typically means that these can be adopted and integrated into existing infrastructure. The reason for this is it is a prerequisite for vendors to have their solutions approved against the relevant security classifications.

Plan for tomorrow today

Despite having regained oversight, IT departments should not sit idle and rely on a single solution to prevent or detect threats. Rather they should have a reiterative approach to security by building a more effective security program -- one that proactively identifies gaps and weaknesses, secures the channels where data is exchanged, and ensures solutions can work together as a barrier. What this doesn’t mean is to leave firewall and process evaluation upgrades for every five years. Much the same as connectivity and security threats don’t work on a five yearly timeline, neither should businesses. There is much businesses can learn from airport security, and while it might be a detail-orientated and ongoing process, it’s always better to be safe than sorry.




Why executives need to be much ‘muchier’

In the following article, Protega’s Technical Director, James Wootton, discusses who is really to blame for today’s ever-prevalent security breaches in our cyber world. With a novel take on this discussion, are executives truly at fault?

By James Wootton


If the Queen of Hearts became the arbiter of all cyber security failings, would we be in a poorer state than we are now? At least there would be decisive action, albeit potentially fatal, one people are likely to heed! But in all seriousness, are we at the stage where some form of appointed legislative body should investigate the perilous business of cyber security? Maybe it is time for individuals to be held accountable, rather than permitting farcical public resignations of senior executives to mitigate the bad news, focusing the blame elsewhere. After the initial shock of the exposed systemic failures and an organisation’s attempts to ‘come clean’ regarding the actual quantum of the breach or data loss, who should be held accountable? The CSO? The CEO? The entire board? Opinions differ, but all have been cited as probable candidates, either through negligence or ignorance, conscious or otherwise. With executives such as the US Director of OPM falling somewhat messily on the mighty sword of public opinion, what is it that creates the huge disconnect between business leaders and their senior security officers, particularly where CIOs or CISOs have played a major part? Why are the executives of numerous organisations getting it so terribly

wrong? Is it really down to them, or are we, the security community at large, playing a major role in the creation of this information gap? I suspect the answer will be a sizeable chunk of each. If we, as an industry, can’t articulate the risks in terms that the business leaders understand, then we aren’t in a position to moan when our advice is poorly received, or not heeded. Conversely, if we’ve clearly articulated the risk, remediation and mitigation steps, and the board chooses to balance cost/risk in favour of profits, then you have two choices: 1. Continue to bang your head or 2. Seek alternative employment for a company not ‘paying lip service’ to security. As a wiser man than me once said, “It’s their train set, you can either join in and play, or find your own.”

“I wish I hadn’t cried so much!” said Alice, as she swam about, trying to find her way out. “I shall be punished for it now, I suppose, by being drowned in my own tears!”

Don’t get me wrong, I appreciate that balancing cost and budget is no mean feat and often constraints prevent all but critical vulnerabilities being fixed in a timely fashion. In my opinion, the head of OPM deserved to go, for the arrogance



of knowing the security failings of her enterprise and not bothering to raise the flag, combined with the pure ignorance of consciously not understanding the level of risk attributed to her organisation’s computer systems. At best, it could be said that conscious ignorance ultimately led to her demise. This and other high profile breaches should stand as a warning. Business leaders don’t need to delve into the nitty gritty of cyber security, but the risk attributed to business activities by their ICT, and the impact, must be understood not ignored, especially where it’s being raised as a concern, time after time. Equally, mad scrambling, pushed down usually from the very top, after a competitor is breached makes no sense economically. It’s an inefficient, knee-jerk reaction that costs many times more in terms of resource, time and disruption than a planned programme of risk-based assessment, upgrade and enhancement.

“But I don’t want to go among mad people,” Alice remarked. “Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.” “How do you know I’m mad?” said Alice. “You must be,” said the Cat, “or you wouldn’t have come here.”

Picking back up the stick of culpability, who within the security community believes that an individual who possesses a macro view of their organisation at best, could solely be held to account for such a detrimental loss of sensitive information? I’m relatively convinced that in many of the breaches, there are senior IT and security managers making odorous squeaks whilst mopping their brows thinking, “Sheesh! Close call...” Of course, not all seniors got away with it, ask the CIO of Target! In the future, I doubt it’ll remain the same, so it’ll definitely be in all our interests to know that we’ve got our houses in order and offered appropriate and timely advice to our respective leaders, perhaps to the point that the board signs off that they have read and understood the risks, as they are presented.

“Speak English!” said the Eaglet. “I don’t know the meaning of half those long words, and I don’t believe you do either!”

Whether we like it or not, in the security profession, we need to understand why the message is misunderstood, or ignored and shoulder some of the responsibility. There is critical analysis required, distilling the information available from the many major breaches. That way, lessons will be learnt, or at least common mistakes, trends or misconceptions highlighted. Is it only the risk managers who truly understand the information they compile for the executives? Or perhaps, they don’t understand the relevance of the relatively new ICT based ones? Tongue in cheek, perhaps this assessment should be equated to a simpler “layman’s” version:

“Dear CEO,
The level of risk we are ‘enjoying’ as an organisation is way past what you and the board understand. If you don’t sort out this big basket of ICT vulnerabilities, which will cost $xxk, we will be right, royally f@#$%d to the tune of $xxM. On the plus side, at that point, you’ll not have to worry about it because you’ll be looking for a new job!
the CISO.”

“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”

I’ve been around a few blocks, hit by a few blocks and indeed built things with a few blocks, but I understand that in this ever moving, ever evolving world of ours, it takes an awful lot of time, resource and money to manage an enterprise’s risk profile, with ICT risks being only one of many juggled at board level. But, I’ll bet, that as far as risks go, there aren’t many that are quite as ‘juicy’ and eventually open to both the public and media’s scrutiny. There’s nothing like the loss of credit card information or personal sensitive data to get a mob stirred up! I’m still amazed, nay dumbfounded, that large organisations spend a fortune on traditional controls (fences, guards, CCTV etc.) and yet, computer security is still seen as an expensive, complicated process. For many traditional organisations I don’t think the computer has evolved, it’s still seen to be a replacement for the calculator, physical mail and the typewriter (for the younger generation, that’s a mechanical device that helped write letters!). If you want to work out how critical computers are, work out whether business as usual can be conducted without the use of one – I’m struggling to think of many examples! Whilst I’m on a soapbox, let’s not forget the Human Factor! People are and will remain the weakest link in all security processes and without investment in training and creating awareness, many organisations will remain at risk of unconscious ignorance.

One day Alice came to a fork in the road and saw a Cheshire cat in a tree. “Which road do I take?” she asked. “Where do you want to go?” was his response. “I don’t know,” Alice answered. “Then,” said the cat, “it doesn’t matter.”

I believe that many organisations are at a fork. One way leading to the recognition of your threats and vulnerabilities, allowing time for an informed decision, based upon realistic strategies and an understanding of the risks that your organisation faces. The other direction, however, caters to those willing to travel the path of blissful ignorance, leading to the mire of public condemnation. Whether the latter was chosen consciously or not, I offer these words: “Turn back, it’s not too late!”

About the author

With over 18 years frontline cyber security experience, James Wootton is a leader in his field of expertise. As the Technical Director at Protega, one of Australia’s top security specialist consultancies, James continues to expertly display both his cyber and interpersonal/presentation skills. He embraces the reality of an ever-evolving threat and vulnerability landscape, making use of existing tools and techniques or developing new and innovative ones to mitigate them. With an endless list of cyber skills and experience, he finds himself equally at home in the boardroom, data centre, pen test lab or classroom.

Australian Security Magazine | 41


Women in Security

Think like a criminal

She works for one of the ‘Top 50’ global banks with operations where there is almost always a state of emergency somewhere in the world; but Melissa Wilkey says this isn’t her most challenging role.

By Kema Johnson
Correspondent

The Manager of Group Security at ANZ says being a parent has been the most challenging, perplexing, intense but also the most rewarding role she’s had.

“My greatest achievement is remaining happily married for the last 20 years - and during that time, David and I have produced two bright and precocious children, Emma, aged seven and Max, aged five,” said Melissa.

With a penchant for dissecting mechanical and electrical household items as a child, and after a ‘foundation stone’ conversation with her grandad, at the age of 14 Melissa researched and identified the Mechanical Engineering degree at Canterbury University in Christchurch and set her mind on completing that. Fast forward a few years and she indeed graduated with an honours degree in Mechanical Engineering and went on to work in a large engineering consultancy firm in Auckland where she was introduced to the world of construction.

“I spent a couple of years designing and overseeing construction of air conditioning, ventilation, heating, escalators, lifts, plumbing and drainage, and other building services systems, and then began project managing contractors, engineers, and leading business discussions with clients,” she said.

“My consulting work covered a number of industry sectors including government, education, banking and finance and corrections. I have the dubious privilege of having worked on 14 of New Zealand’s 18 prisons!”

Through her years of construction, contract and project management she casually but professionally slid her way into security risk consulting, where she met Jeremy Eggleton, Principal - Security for Opus International Consultants Limited.

“Jeremy became my teacher, my mentor and my friend. Amongst other things, he taught me to think like a criminal,” she said.

“Effective security design incorporates a significant amount of behavioural analysis – this was never as clearly demonstrated than when we were designing prison complexes.”

“Inmates have 24 hours a day to figure out ways to escape, hurt other inmates or correctional officers, or even hurt themselves. As a designer you have to anticipate how the building can be used, and how emergency response plans will unfold within them.”


In 2002 Melissa was Runner Up in the Institute of Professional Engineers New Zealand Young Engineer of the Year Award and it was at this stage of her career she decided she was going to swap her steel capped boots for high heels and jumped across into the corporate risk management world.

Being part of ANZ since late 2002, Melissa says her job gives her a sense of making a difference every day.

“I am at heart a ‘protector’ and ‘builder’, so the role of providing or improving safety and minimising risks to people is very satisfying.”

“I love that every day working in security is different – every incident, event, and issue is unique.”

As my curiosity gets the better of me, an example of a unique issue, Melissa explains, is a blended attack. What’s that you may ask? To put it simply, a blended attack is a threat scenario which can play out in both the physical world and the digital world, or cyber space as one may call it, either consecutively or simultaneously.

“Blended threats require an enterprise-wide response for prevention, detection, recovery, and business resilience. Blended threats may be global or domestic in both source of origin and sphere of influence,” she said.

“An example of a blended attack is an event that occurred in October 2014 – a number of affiliated issue motivated protest groups planned in the digital space a co-ordinated physical occupation of ANZ Centre, the global headquarters in Melbourne.”

“Unlike previous events, this protest action was not advertised in social media which would have enabled proactive security preparations to be made.”

“More than 50 protestors entered the public foyer of the building in pairs, or individually – some wearing casual clothing, others dressed in corporate attire, others as tradesmen – and gathered in a ‘flash mob’ style in the centre of the building foyer.”

“The protestors remained there all day, and were ‘live streaming’ to a local radio station; various Twitter feeds, and Facebook posts. Digital and physical protest; simultaneously.”

“It was a very stressful day at the office, but delivered successful management of the security risks to our staff.”

Giving credit to her mechanical engineering background, Melissa says her engineering consulting experience gives her strong problem-solving skills, structured and methodical approaches to getting things done.

“My corporate experience has given me the ability to make an omelette without breaking all of the eggs in the carton.”

“Whilst technology can be incredibly liberating, it can also open up another field of vulnerabilities. There is now an even stronger drive to integrate the various speciality risk management areas to more effectively treat the new and emerging threats.”

A stellar career path riddled with achievements, learnings, hurdles and successes, Melissa is set for a fresh challenge, transferring to a new role at ANZ in the Global Payments and Cash Operations team in the near future.

“The role has a mixture of business continuity management, crisis management and process improvement responsibilities and is a great opportunity to flex my risk management skills in another direction.”

While she does believe it’s harder to climb the ranks as a woman, mostly because of the pressure women place on themselves to have it all, she says, “you can have it all - just not all at the same time.”

Her advice is to be tenacious, and be yourself – clearly speaking from experience.



Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.



Cyber TechTime - latest news and products

Mobile attacks more vicious than ever

Uptick in insidious and malicious attack types turns mobile device users into cyber hostages among other manipulations; sounds alarm for both individuals and organisations to strengthen defences

As mobile devices become more deeply woven into the fabric of our personal and work lives, cyber criminals are taking increasingly vicious and disturbingly personal shots at us, according to the 2015 State of Mobile Malware Report from Blue Coat Systems, Inc. Cyber blackmail (mobile ransomware attacks) leads the way as a top malware type in 2015, along with the stealthy insertion of spyware on devices that allows attackers to profile behaviour and online habits. The new Blue Coat report describes the latest trends and vulnerabilities in mobile malware, provides advice for strengthening corporate defences and educating mobile device users, and offers predictions about the future of mobile threats.

“As we sleep, exercise, work and shop with our mobile devices, cyber criminals are waiting to take advantage of the data these devices collect, as evidenced by the types of malware and attacks we’re seeing,” said Dr. Hugh Thompson, CTO and senior vice president, Blue Coat. “The implications of this nefarious activity certainly carry over to corporate IT as organisations rapidly adopt cloud-based, mobile versions of enterprise applications, opening up another avenue for attackers. A holistic and strategic approach to managing risk must extend the perimeter to mobile and cloud environments—based on a realistic, accurate look at the problem—and deploy advanced protections that can prioritise and remediate sophisticated, emerging and unknown threats.”

Summary of Findings:
• Pornography returned as the number one threat vector after dropping to number two last year.
• The three top types of malware in this year’s report are Ransomware, Potentially Unwanted Software (PUS), and Information Leakage.
• The mobile threat landscape is becoming more active.

3 new reflection DDoS attack vectors

Akamai Technologies has published a new cybersecurity threat advisory. Akamai has observed three new reflection distributed denial of service (DDoS) attacks in recent months. The advisory details the DDoS threat posed by NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection in full, including payload analysis, a Snort rule, and system hardening best practices. It is available for download at www.stateoftheinternet.com/3ddos-reflection

What is DDoS reflection?

In a reflection DDoS attack, also called a DrDoS attack, there are three types of participants: the attacker, victim servers that act as unwitting accomplices, and the attacker’s target. The attacker sends a simple query to a service on a victim host. The attacker falsifies (spoofs) the query, so it appears to originate from the target. The victim responds to the spoofed address, sending unwanted network traffic to the attacker’s target.

Attackers choose reflection DDoS attacks where the victim’s response is much larger than the attacker’s query, thus amplifying the attacker’s capabilities. The attacker sends hundreds or thousands of queries at high rates to a large list of victims by automating the process with an attack tool, thus causing them to unleash a flood of unwanted traffic and a denial of service outage at the target.

“Although reflection DDoS attacks are common, these three attack vectors abuse different services than we’ve seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering.”

The attack tools for each of the new reflection attacks are related – they are all modifications of the same C code. Each attack vector requires the same basic recipe – a script that sends a spoofed request to a list of victim reflectors. The command-line options are similar.

NetBIOS name server reflection DDoS attack

The NetBIOS reflection DDoS attack – specifically NetBIOS Name Service (NBNS) reflection – was observed by Akamai as occurring sporadically from March to July 2015. The primary purpose of NetBIOS is to allow applications on separate computers to communicate and establish sessions to access shared resources and to find each other over a local area network.

This attack generates 2.56 to 3.85 times more response traffic sent to the target than the initial queries sent by the attacker. Akamai observed four NetBIOS name server reflection attacks, with the largest recorded at 15.7 Gbps. Although legitimate and malicious NetBIOS name server queries are a common occurrence, a response flood was first detected in March 2015 during a DDoS attack mitigated for an Akamai customer.
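Seen from the target's side, the reflection pattern described above is a burst of UDP replies from many hosts that the target never queried. The following sketch of that detection logic is an added example, not code from the article or from Akamai's advisory: the ports are the well-known UDP ports of the three services, while the flow-record layout, thresholds, and sample addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP ports of the three services named in the advisory.
REFLECTION_PORTS = {137: "NetBIOS name service", 111: "RPC portmap", 5093: "Sentinel"}

# Response/query amplification range the article reports for NBNS reflection.
NBNS_AMPLIFICATION = (2.56, 3.85)


@dataclass(frozen=True)
class Flow:
    """One datagram or flow record seen at the Internet edge (layout is assumed)."""
    ts: float     # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int     # bytes


def find_reflection_floods(flows, protected, window=10.0, query_ttl=5.0,
                           min_reflectors=3, min_bytes=1000):
    """Flag windows where protected hosts receive unsolicited replies from
    several distinct reflectors on one of the abused services."""
    last_query = {}  # (local host, remote host, service port) -> time we asked
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})

    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        # A genuine outbound query: remember it so its reply is not counted.
        if f.src in protected and f.dport in REFLECTION_PORTS:
            last_query[(f.src, f.dst, f.dport)] = f.ts
            continue
        if f.dst in protected and f.sport in REFLECTION_PORTS:
            asked = last_query.get((f.dst, f.src, f.sport))
            if asked is not None and 0 <= f.ts - asked <= query_ttl:
                continue  # solicited reply to our own query
            bucket = buckets[(f.dst, f.sport, int(f.ts // window))]
            bucket["bytes"] += f.size
            bucket["packets"] += 1
            bucket["reflectors"].add(f.src)

    alerts = []
    for key in sorted(buckets):
        target, port, slot = key
        b = buckets[key]
        if len(b["reflectors"]) < min_reflectors or b["bytes"] < min_bytes:
            continue
        alert = {
            "target": target,
            "service": REFLECTION_PORTS[port],
            "window_start": slot * window,
            "reflectors": len(b["reflectors"]),
            "packets": b["packets"],
            "bytes": b["bytes"],
        }
        if port == 137:
            # Query volume that would produce this flood at the reported factors.
            low, high = NBNS_AMPLIFICATION
            alert["implied_query_bytes"] = (round(b["bytes"] / high),
                                            round(b["bytes"] / low))
        alerts.append(alert)
    return alerts


# Constructed sample traffic; 192.0.2.10 is the protected host.
SAMPLE_FLOWS = [
    # Legitimate lookup and its reply: must not be flagged.
    Flow(0.0, "192.0.2.10", 50000, "198.51.100.5", 137, "udp", 78),
    Flow(0.1, "198.51.100.5", 137, "192.0.2.10", 50000, "udp", 229),
] + [
    # Unsolicited NBNS replies from five reflectors, two datagrams each.
    Flow(1.0 + 0.01 * i, f"203.0.113.{1 + i % 5}", 137, "192.0.2.10",
         40000 + i, "udp", 250)
    for i in range(10)
] + [
    # Two stray portmap replies: below the reflector threshold.
    Flow(2.0, "203.0.113.50", 111, "192.0.2.10", 41000, "udp", 500),
    Flow(2.1, "203.0.113.51", 111, "192.0.2.10", 41001, "udp", 500),
    # Unrelated TCP traffic.
    Flow(2.2, "203.0.113.60", 443, "192.0.2.10", 52000, "tcp", 1500),
]

if __name__ == "__main__":
    for alert in find_reflection_floods(SAMPLE_FLOWS, {"192.0.2.10"}):
        print(alert)
```

The thresholds are deliberately tiny so the sample triggers; on a real link they would be tuned to the normal volume of replies on each port.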

Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media



2016 threat predictions forecast an uptick in online extortion and hacktivism

Trend Micro Incorporated has released its annual security predictions report, “The fine line: 2016 security predictions”. Next year, continued growth in online extortion, hacktivism and mobile malware is expected, as well as a shift to an offensive cybersecurity posture for government entities and corporations.

“We anticipate 2016 to be a very significant year for both sides of the cybercrime equation,” said Dhanya Thakkar, managing director at Trend Micro Asia Pacific. “Government and the private sector will begin to see the benefit of cybersecurity foresight, with changes in legislation and the increasing addition of cybersecurity officers within enterprises. In addition, as users become more aware of online threats, attackers will react by developing sophisticated, personalised schemes to target individuals and corporations alike.”

According to the report, 2016 will also mark a significant turning point for malvertising. There has been a 41 percent increase in consumers globally using online ad blocking software this year. As a result, advertisers will seek to alter their approach to online ads and cyber criminals will attempt to find other ways to obtain user information.

Online extortion will be accelerated through the use of psychological analysis and social engineering of prospective victims. Hacktivists will be driven to expose even more incriminating information, impacting targets, and facilitating secondary infections.

“Hackers consistently evolve to adapt to their surroundings, just as online ads are declining, we see ransomware is increasing,” continued Dhanya. “Despite the growth in security investments and legislation, these changes will inevitably bring new, more sophisticated attack vectors.”

The growing popularity of smart devices in Australia and New Zealand is accompanied by challenges such as a diversity of operating systems and lack of regulation for these devices. These challenges are likely to lead to device failure in some instances and at least one incident causing fatality, in turn triggering a conversation on creating regulations on device production and usage.

“We’ve already seen hacking in devices ranging from baby monitors to smart TVs and connected cars, and as consumers in Australia and New Zealand rapidly embrace smart devices, we need to be aware of the potential dangers,” said Tim Falinski, consumer director, Trend Micro Australia and New Zealand. “As more drones operate in public air space, more devices are used for healthcare services, and more appliances are internet-enabled, the more likely we are to see device malfunction, hacking and misuse.”

Palo Alto Networks revolutionises security in Asia Pacific

Palo Alto Networks has announced the availability of Traps in Asia Pacific. Traps is a revolutionary and unique Advanced Endpoint Protection offering designed to prevent sophisticated cyberattacks on endpoints, sparing IT security teams from cumbersome remediation, patching, and often futile recovery scrambles.

Despite major advances in security, endpoints remain vulnerable to many advanced attacks, especially as mobile work forces are increasingly moving outside of protected networks. Legacy endpoint security products require prior knowledge of a threat in order to prevent it, or worse, use an approach that only identifies a new threat after it has compromised the endpoint. This reactive model results in a never-ending chase after the thousands of new malware attacks that emerge each day, as well as the expanding number of software vulnerabilities that can be used to exploit an endpoint. These approaches offer little hope or possibility of recovering data that has already been hijacked by an attacker.

Putting an end to the reactive run around, Traps proactively prevents attacks on the endpoint, including unknown malware and zero-day exploits, before they do any damage.

Since the acquisition of Cyvera and the technology behind Traps, Palo Alto Networks has expanded global support and services operations to meet its customer needs, and completed several key enhancements, including:
• Integration with Palo Alto Networks WildFire – Traps blocks malware by leveraging the full knowledge of Palo Alto Networks Threat Intelligence Cloud;
• Added exploitation and malware prevention modules – extends Traps support to include the latest attack techniques; and
• Enhanced forensics – provides a rich set of reporting for better visibility and understanding of attacks that were prevented.

Natively integrated platform extends protection at every stage in the attack lifecycle

The integration of Traps with the Palo Alto Networks Threat Intelligence Cloud brings security of the network and endpoint together under a single common architecture, known as the Palo Alto Networks next-generation security platform, and delivers unparalleled security and automated threat prevention capabilities, reducing risk across an organisation at every stage in the attack lifecycle. It also eliminates management complexity and myopic point product-related security silos that can leave gaping holes in an organisation’s security posture.

Availability

Traps, offered as a subscription service, is available now from authorised Palo Alto Networks channel partners in Asia Pacific. The offering is inclusive of all functionality including exploit and malware prevention through WildFire integration, forensics, and premium support.


TechTime - latest news and products

Panasonic releases convenient wireless video intercom system for the home

Panasonic has released a video intercom system that allows homeowners to easily monitor visitors via the LCD screen of a portable wireless handset with crisp and clear image quality.

The Panasonic VL-SWD501AZ wireless video intercom system uses a camera and intercom mounted outside the front door or gate, and a fixed monitor station and wireless video handset inside the home. Via the handset or the fixed monitor, users can view and speak with visitors and open the door. It is more flexible and convenient than traditional fixed systems, as the DECT-based wireless handset lets you see who’s at the door as you move around your home.

Key features

The VL-SWD501AZ wireless video intercom system includes a door station with camera for seeing and hearing activity outside the front door; an indoor monitor station with a 5-inch colour touchscreen that allows the homeowner to zoom in on the visitor if a better view is required; and a wireless video handset with a 2.2-inch LCD screen. The distance between the main monitor station and the wireless handset is up to 100m and is expandable to up to 300m with an optional DECT repeater.

The system is designed to be fast and easy for a professional installer to set up in the home and can be expanded as required, for example in multi-storey homes with outdoor entertaining areas. Adding additional components later is simple as connection to the main monitor station is done wirelessly. A single monitor station can support two door stations, six handsets, and four wireless sensor cameras. The optional wireless sensor camera features motion and heat sensing capabilities for added security. In addition, the door station can automatically record video images of visitors onto an SD card while you’re away from home, and these can be played back later via the built-in touchscreen or a PC.

The Panasonic VL-SWD501AZ wireless video intercom system is available now from Panasonic Intercom distributor EOS Australia and associated dealers. The system comes as a kit comprised of an outdoor camera door station, a fixed touchscreen main monitor station, and a wireless video monitor handset, priced at $999 RRP. Panasonic offers two other models in the range, the VL-SW251AZ, priced at $549 RRP, and the VL-SF70AZ, priced at $299 RRP.

RiskMap 2015: The New World Disorder

Key Security and Political Trends for 2015:

Nationalism is rediscovering its voice and becoming more influential in shaping the environment for international business. As a result, conflicting interests will arise between business and the political worlds. Nationally focused governments and globally minded companies will operate increasingly out of kilter. Economic nationalism will continue to tilt the competitive landscape in favour of domestic players.

Evolving political-regulatory risks demand fresh approaches to anti-corruption risk management by international companies. The overall direction of legal and regulatory reform in China suggests that tougher enforcement against foreign and local companies will continue. “Companies will see little relief from the government’s anti-corruption and anti-monopoly crackdown in 2015; maritime disputes in the South and East China will remain the main source of geopolitical friction; China will continue to challenge the status quo on these issues,” says Jason Rance, Managing Director, Australia Pacific, Control Risks.

Limits of political power as illustrated in the Middle East. The dramatic spillover of the Syrian conflict into Iraq illustrates the limits in ability of both the regional and global powers to impose their will.

Transnational terrorism continues to be an increasing threat. Competition for leadership of the global jihadist movement between al-Qaida and Islamic State (IS) will drive further fragmentation and increase the likelihood of high-profile attacks. Counter terrorism efforts in Syria and Iraq may provoke attempts at retaliation against participating countries, including Australia. Intelligence and security agencies will be concerned by the threat of attacks posed by returning foreign fighters, and will be severely challenged by the emerging threat of lone wolf attacks.

Jason Rance, Managing Director, Australia Pacific, Control Risks commented, “The recent Martin Place hostage incident in Sydney demonstrated that disgruntled or unstable individuals may seek to link their criminal actions to one of these movements in a search for legitimacy, however groundless. Australian government institutions and businesses will need to ensure they have plans in place to respond to this evolving security environment”.

Cyber threats continue to grow. Despite contrasting goals of attackers, a prevailing trend will be the continued spread of capability among the different types of attackers. Advanced tools and techniques will increasingly be shared between nation states, cyber criminals and cyber activists. Weak law enforcement in many parts of the world is encouraging cyber-crime. Multinational companies’ supply chains are likely to be a more prominent target of cyber-attack. Technology is changing the face of kidnapping and extortion, through so-called virtual kidnapping, social media reconnaissance and cyber extortion.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media



Antaira releases 6-Port industrial PoE/PoE+ managed switches (LMP-0600-24 Series)

Antaira Technologies has announced its expansion in the industrial networking infrastructure family with the LMP-0600-24 series.

Antaira Technologies’ LMP-0600-24 series is a 6-port industrial PoE/PoE+ managed Ethernet switch, with a 12 to 36VDC low voltage power input support with a built-in voltage booster to support a full 48VDC PoE power output for each PoE port. These units are designed with 6*10/100Tx Fast Ethernet ports, of which 4 ports are IEEE 802.3at/af compliant (PoE+/PoE) with PoE power output up to 30W per port. This product series provides high EFT, surge (2,000VDC) and ESD (6,000VDC) protection. In addition, all units have a dual power input design with a reverse polarity protection and a relay warning function to alert maintainers when any port breaks or power failures occur. The LMP-0600-24 series also has a high performance for remote field sites’ edge devices data transmission and management within any harsh environment application.

Antaira’s new LMP-0600-24 series has been designed to fulfill industrial automation application needs in harsh or outdoor environments, such as ITS (transportation) for high density traffic control equipment, telecommunications for remote PoE wireless radios, security for building surveillance infrastructure networking, and factory automation for GigE vision systems/quality inspection systems.

This product series is pre-loaded with “Layer 2” network management software, which supports the easy-to-use Web Console, or CLI configuration by Telnet or a serial console. All Antaira managed switches provide the ring network redundancy function with RSTP and the ITU-G.8032 support, which eliminates the compatibility issue for any existing network concern. The built-in SNMP, VLAN, IGMP, and QoS features support network planners when increasing data transmission performance within a network.

Also, the advanced PoE ping alarm software function allows users to recycle power to any remote powered device (PD) through PoE ports. The external USB2.0 port allows users to export and save all the configuration settings. In addition, the flexible “customs label” feature allows network planners to name each connection port. This allows for easy remote management by being able to easily recognize field devices.

The LMP-0600-24 series is backed by a five-year warranty and the units are IP30 rated, compact, fanless, DIN-Rail and wall mountable. Each series is built to withstand industrial networking hazards like shock, drop, vibration, electromagnetic interference (EMI) and extreme temperatures. There are two operating temperature version models for either standard temperature (-10 to 70°C) or extended temperature (-40 to 75°C). The models have the dimensions of 46mm (W) x 99mm (D) x 142mm (H) and a unit weight less than 2 pounds.

For more details about Antaira Technologies’ industrial managed switches, please feel free to visit www.antaira.com.tw; or contact Elyse Wang at sales@antaira.com.tw.

About Antaira Technologies

Antaira Technologies is a global leading developer and supplier that provides high-quality industrial networking and communication product solutions. Since 2005, Antaira has offered a full spectrum of product lines that feature reliable Ethernet infrastructures, extended temperature tolerance, and rugged enclosure designs. Our product lines range from industrial Ethernet switches, industrial wireless devices, Ethernet media converters, and serial communication devices. Our vast professional experience allows us to deploy a wide array of products worldwide in mission-critical applications across various markets, such as automation, transportation, security, oil & gas, power/utility, and medical.
