THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Oct/Nov 2014
Cover stories:
• Robbery: an uncomfortable truth
• Solving a cyber crime case like Sherlock Holmes
• Wearables: what are the security risks?
• IP Theft: emerging business risk of concern
• Top 10 Tips for Business Continuity
• National Security Threat: Inside & Out
PLUS TechTime | Movers & Shakers | Quick Q & A and much more!... $8.95 inc. GST
Advertisement: Canon network cameras

BECAUSE CLARITY MATTERS
The World’s smallest Full HD PTZ (VB-S30D) & PT (VB-S31D) cameras. (1)

VB-M Series – HD Range
• VBM40 – PTZ w/ 20x optical zoom
• VBM600VE – IP66 fixed dome w/ optical PTZ-R during setup
• VBM600D – Fixed dome w/ optical PTZ-R during setup
• VBM700F – Wide angle full body w/ optical zoom during setup

VB-H Series – Full HD Range
• VBH41 – PTZ w/ 20x optical zoom*
• VBH610VE – IP66 fixed dome w/ optical PTZ-R during setup
• VBH610D – Fixed dome w/ optical PTZ-R during setup
• VBH710F – Wide angle full body w/ optical zoom during setup

VB-S Series – Compact Full HD Range
• VBS30D – Compact PTZ w/ 3.5x optical zoom
• VBS31D – Compact PT dome
• VBS800D – Compact fixed dome
• VBS900F – Compact full body

*VBH41 PTZ camera in silver or black available from national distributors.

CAPTURE EVERYTHING IN THE HIGHEST OF QUALITY
Learning and listening to end users and integrators on what they want from an IP camera drives Canon’s innovation – and with over 75 years of imaging excellence, our range encompasses all of our expertise and knowledge in camera and lens design. When clarity matters, choose the premium quality range you can rely on. (1)

(1) As at 1 June 2014; as at March 2014.

For more information visit canon.com.au/networkcameras, call 1800 021 167 or email specialised.imaging@canon.com.au
Contents

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Marketing Manager: Kathrine Pecotich
Art Director: Stefan Babij
Correspondents: Sarosh Bana, Kema Rajandran

MARKETING AND ADVERTISING
Kathrine Pecotich
T | +61 8 6361 1786
promoteme@australiansecuritymagazine.com.au

SUBSCRIPTIONS
T | +61 8 6361 1786
subscriptions@mysecurity.com.au

Copyright © 2014 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E | info@mysecurity.com.au
E: editor@australiansecuritymagazine.com.au

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
Editor’s Desk ... 3
Quick Q & A: AISA National Director ... 4
Movers & Shakers ... 6

Cyber Security Feature
Deter, Detect & Defeat ... 8
Solve a Case like Sherlock ... 12
Wear the danger: Security risks facing wearable connected devices ... 14
IP Theft - Emerging business risk of concern ... 16
The New Perimeter - Keeping data secure ... 20
Women in Cyber Security ... 24
The Great Con ... 26
HACKED - Honeywell ... 28

National Security
Fear and being the adults in the room ... 32
Research and Security Professionals ... 34

Frontline
Robbery ... 36
Business Continuity - top 10 tips ... 38

TechTime - the latest news and products ... 41
Gallagher Article ... 46
BGW Article ... 48

Page 8 - Deter, Detect & Defeat
Page 16 - IP Theft - Emerging business risk of concern
OUR NETWORK
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Page 30 - Fear and being the adults in the room

CONNECT WITH US
www.facebook.com/apsmagazine
www.twitter.com/apsmagazine
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia
www.asiapacificsecuritymagazine.com | www.drasticnews.com | www.chiefit.me | www.cctvbuyersguide.com

Correspondents: Sarosh Bana, Kema Rajandran
Contributors: Joel John Fernandes, Phil Russo, Fraser Duff, Rinske Geerlings, Bill Hicks
Other Contributors: Mike Thompson, Michael Brookes, Matthew Curtis, Michael Coole

Read ASM Special Event E-Magazines online! www.asiapacificsecuritymagazine.com/e-mag/

2 | Australian Security Magazine
Editor’s Desk

“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety” - Benjamin Franklin, 11 November 1755

“Regrettably, for some time to come, the delicate balance between freedom and security may have to shift…” - Australian Prime Minister Tony Abbott, 23 September 2014

Australia has been ignoring the security challenge – until now, after the crisis begins!
Almost immediately following Australia raising the national terror threat level to high, to indicate a terror attack is likely, the Australian Government committed itself to the US-led Coalition war against ISIL and their declaration of an Islamic State in Syria and Iraq. The appropriate term of ‘War’ has been avoided and, even to the casual observer, the sequence of events in Australia and internationally has been predictable – as are ‘boots on the ground’. Other Islamic States have been declared in Nigeria and Sri Lanka. Radical Islamists around the world, including in Indonesia, Malaysia and the Philippines, have committed themselves to the Islamic State. Some 80 countries have confirmed they have had fighters travel to the region. American, British and French nationals have, via YouTube, been publicly executed.

In Australia, these events have been accompanied by terrorism raids in Queensland, Sydney and Melbourne, including two police stabbings and a fatal police shooting. Match all this with bigoted and racist reprisals towards the Muslim community, including from Federal Politicians. The Abbott Government has sped through new anti-terror legislation to accumulate over 40 counter-terror laws. It should be a concern that the Government was to abolish the Independent National Security Legislation Monitor earlier this year, and Operation Bring Them Home and the search for MH370 are conveniently, it would appear, a distant memory.

Of most concern is the political rhetoric regurgitating much of that ‘heard’ in the post-9/11 period. Note the terminology of ‘degrade and destroy’ is much akin to fighting organised crime with ‘disrupt and dismantle’. The public are asked to change slightly from ‘be alert but not alarmed’ to ‘be alert but reassured’. In contrast to these events is the sound advice from leading researchers and security professionals to have informed risk assessments and long-term engagement with the Islamic community targeting misaligned youth, with the latter method being largely ignored or underfunded over the last decade. It is far easier politically, and much closer for the media, to put police with automatic weapons around Parliament House. It worked. The guards and guns were widely filmed and photographed but will eventually disappear without much fanfare.

As seen in Queensland’s anti-bikie laws, the new draconian terror legislation has had limited public consideration or contemplation. There is now protection for intelligence officers to commit crimes while conducting operations, imprisonment for leaking and publication of information about secret operations, unlimited access to computer networks by ASIO and, surprisingly not picked up before, it is made easier for Australia’s spy agencies to work together. If this is the new legislative environment then I call on the Government to give due attention to the needs of the private security sector, eliminate state frameworks and introduce a workable federal system. We have been asking for a decade – State Police Ministers don’t appear interested, or are resigning over corruption allegations along with a plethora of their colleagues.

Likewise, the blocking of terror groups’ financial access will be fruitless without addressing organised crime financials. One arrest in Melbourne was first detected by the FBI, showing our Australian intelligence sources aren’t across it all. As observed post-9/11, the ‘shock and awe’ and ‘financial attack’ strategy will have the ultimate result of further creating hybrid criminal groups and continually evolving terror models, yet on a much larger scale. Whilst Australian mainstream media fed on terrorism and the odd suspected case of Ebola, to which Australia has committed a whopping $18 million in aid, the Australian Crime Commission confirmed that Mexican cartels are now operating in Australia. This group, along with all organised crime, is a significant national security risk and responsible for beheadings also.

Despite the recent national security and terror hype, in contrast, we all operate on a daily basis in the cyber world and continue to see major breaches of financial, cloud and mobile systems. At least a quarter of all Australians will be impacted annually. To quote Jeff Schmidt, presenting at the Australian Security in Government Conference in Canberra in early September, we are seeing a ‘sub-prime cyber risk environment’ around cyber security in which those who own the risk are separated from those who control the risk. Coinciding with the Australian Information Security Association’s National Conference, we focus in this issue on Cyber Security, including highlighting how Australia’s key federal agencies lack ‘mandated’ ICT security compliance and may still lack readiness to head off a major cyber-attack. Automatic weapons at Parliament House will be useless!

Risk management is not just risk identification and awareness - it is much more about measured communication, monitoring and treatment plans. Security risk management is even more, with asset criticality and threat assessments determining the most appropriate mitigation strategies against the assets to be protected and the known intent and capabilities of adversaries. Sadly, the politics have gotten in the way and, worse still, they have led the way. A deteriorating or actively heightened security environment, or both, is likely to be with us for some time, and so there remains the opportunity and, I hope, the politically motivated inclination to set about making changes so that national security reforms can be balanced and effective, for the security and safety of all of us within ‘Team Australia’.

As always, we provide some thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.
Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor
Quick Q & A ...with Arno Brok, AISA National Director

It took AISA just over 12 years to grow from a handful of likeminded information security specialists to 1,000 members. Then over the last three years that number has swelled beyond 2,500 and is still expanding. Maintaining that same growth trajectory sets AISA to surpass the 3,000 mark before the end of this financial year. AISA is fulfilling a need for an organisation that cares about information security and is on track to reach the vision of being the recognised voice of Information Security in Australia. More importantly, AISA needs the active participation of its diverse group of members across the nation. Since 2005 Arno Brok, AISA’s National Director and Managing Consultant for BAE Systems Applied Intelligence, has given his time in this endeavour and strongly believes the association is right on track to deliver on its vision.

How did you get into the security industry?
I worked for an International Shipping company, and in the mid 1990’s, I made the suggestion that we should have security policies and controls in place. Shortly after this, the CIO appointed me as Head of IT Security. In the past 15 years, I attended many information security courses and focussed my work effort all in that field. I have worked in Information Security for Accenture, Deloitte and currently BAE Systems Applied Intelligence as an Information Security Specialist.

How did your current position come about?
I have been an Australian Information Security Association (AISA) member since 2005 and became the Sydney Branch Executive in 2008. In 2010 I joined (what was at that time) The Executive Committee as Membership Director. I took on the role of National Director of the board in December 2013.

What are some of the challenges you think the industry is faced with?
I believe there are many, however I will focus on the two main challenges as I see them and they are interlinked:

1. Education: Information security talent shortage will become a big challenge. Even when budgets are generous, organisations struggle to hire people with up-to-date information security skills. It is estimated that this year, the industry will encounter a shortage in excess of one million information security professionals across the globe. Chief scientist Ian Chubb urged universities at the start of 2014 to highlight this importance and encourage students to take up information technology degrees, as lack of interest in the subject fuels fears of a skills shortage in a crucial growth sector in Australia. Information Security will be impacted as only a very small percentage (various studies show statistics around the 5%) of students graduating with IT degrees will choose Information Security.

2. Professionalisation of Information Security: As an industry, we urgently need to give information security specialists tools at their disposal, as we do for accountants and auditors. If you are an accountant and you become aware of dishonest activity, doing something about it is a requirement. There is an ethical framework that gives clear guidance. So the challenge is how do we get this sort of professionalisation into information security? By ensuring that Information Security is treated as a profession, with an accreditation as we know for accountants, we could find the solution to that problem. But it is a very complex problem and whatever solutions we finally agree on, this is quite possibly the toughest challenge in information security today. If we get it right, we won’t just professionalise information security; we will provide a template for a modern, open and engaging profession that will sustain us in the future. Information security and privacy matters. Right now, the world is redefining itself around us. We are answering the question of an ever changing threat environment: what does the networked world mean for us, for our lives and for our expectations of freedom and privacy? Information security is the solution to that problem. We need to work on this together.

Where do you see the industry heading?
AISA has grown from a small group of likeminded information security specialists to the peak body for the information security industry in Australia. AISA’s mission is to promote an independent and unbiased perspective of information security and provide a wide array of personal and professional benefits to our members, the industry and the public. We are a not for profit volunteer organisation with over 2,500 members across the nation who run an average of 50 content meetings and two very successful security conferences per year. We have two part time staff and about 20 volunteers who run the organisation to the best of their ability and time permitting. As volunteers, we have a significant workload across the organisation, but with the dedication and passion of its members, AISA is able to deliver impressive value to its members. Of course, we have many more ideas for adding value than we can handle, and we’re always looking for more members and volunteers to help deliver on our vision. AISA has strong connections to local organisations such as CERT Australia, AusCERT, iappANZ, ACSP and many others. We also have ties with global organisations such as SANS, ISACA, ISC2, EC-Council, IISP, Interpol and an ever growing list proving that AISA is globally recognised. We are collaborating with organisations such as the Australian Cyber Security Networks to get the message about cybersecurity across to Boards and Directors of companies.

What do you do when you’re not working?
My other passion (beside AISA) is scuba diving, which I have been doing for over 30 years. I find it relaxing to be under water and only hear your own bubbles and to swim with the fish. I also like to read, enjoy photography and sailing with my wife.
Good Technology Appoints David Balazsy as Vice President of Asia Pacific

Good Technology™, the leader in secure mobility, today announced the appointment of David Balazsy to the role of vice president of the Asia-Pacific region, based in Sydney. In his new role, David will lead the management of Good Technology’s business in the region, as well as drive the company’s overall growth in the market, focusing on innovation and building strategic relationships. David is not new to Good Technology and, during his time with the company, has been instrumental in building stronger relationships with ANZ customers and channel partners that are redefining enterprise mobility in the region.

David brings with him over 25 years’ experience in strategic business development, leadership, and relationship management to the new role. Prior to joining Good Technology, David spent six years at CA Technologies managing the Security, Service Assurance and Application Delivery Optimisation business units. He has also worked in several senior leadership roles during his career, including Managing Director of Serena Software and VP Sales at Marqui.

“The IT landscape today is shifting, particularly with the explosion of connected devices, and Good Technology is proud to be at the forefront of helping organisations truly embrace mobility as a way to transform the business,” commented Bruce Pagliuca, senior vice president of Global Field Operations, Good Technology. “Given David’s deep understanding and experience in the technology industry across the APAC region, he’s an ideal fit to support and drive the business forward.”

Commenting on his new appointment, David said, “I am thrilled to have the opportunity to lead Asia-Pacific at such an exciting time when mobility is front of mind for almost every organisation. Being part of an organisation that has innovation and a customer-first approach at its core, I look forward to driving the company’s vision to help organisations harness the power of the rapidly growing mobility landscape. My vision is to ensure Good Technology stands side by side with our customers as a strategic partner and not simply as a vendor focused on sales.”

In Australia and New Zealand, Good Technology’s customers include Bank of New Zealand, Bank of Queensland, Bupa, Corrs Chambers Westgarth, the Department of Environment, CUA, and Slater & Gordon, which David has been key in bringing on board.
Head of Business Development Rodrigues Teh drives SecurEnvoy sales in East Asia & ASEAN

Tokenless two-factor authentication is becoming increasingly popular in Asia. Security vendor SecurEnvoy is currently expanding ahead of expectations in this flourishing market as a result. Proof of this is the continued expansion from the inventor of tokenless two-factor authentication. Its sales in East Asia & ASEAN (Association of Southeast Asian Nations) will now be managed by Head of Business Development Rodrigues Teh. He is assisting organisations to review the protection companies need in the fight against the increasing IT threats originating in Asia: the latest SecurEnvoy technologies allow employees to authenticate themselves securely and easily access their company networks using their mobile telephone.

Rodrigues Teh’s geographical area of responsibility covers a wide region but one he is very familiar with: he is responsible for Hong Kong/China (divided into North & South), Korea, Taiwan, Japan, Thailand, Malaysia, Singapore, Indonesia, Philippines and Vietnam. He benefits from 17 years of experience in the Asian IT market. Rodrigues Teh previously worked for companies such as the prestigious value added distributor Malaysia Formis Group. His professional career has so far seen him work in the areas of IT security, communications security, IT process improvement, and technology consulting focusing on the financial sector, public sector, telecommunications, and large enterprises.

“The Asian market is ready for tokenless two-factor authentication,” states Rodrigues Teh, Head of Business Development East Asia & ASEAN at SecurEnvoy. “This method is not yet very common here, as dedicated tokens, which are impractical in a number of respects, are still used in many places. But the tokenless SecurAccess solution is capable of doing very well in the market here, especially in view of its level of security and cost efficiency. We are extremely confident that a tokenless two-factor authentication solution like SecurAccess will be the game changer in today’s mobility security for enterprises and the way we approach enhancing mobility security. There are great opportunities for us to acquire a range of new distributors and business partners for SecurEnvoy in Asia to propel us into the next phase of growth.”
Gallagher announces new division Executive

The Gallagher Group has announced the appointment of Steve Bell to the role of Chief Technology Officer - Security. Bell’s new role is an executive appointment and he now sits on Gallagher’s security division executive management team. Bell, who has over 25 years’ experience at Gallagher, will lead the company’s security product development and business analyst teams in driving long-term technology and product investment strategies. Bell has extensive experience in product development and senior R&D leadership in the security industry.

“As Gallagher continues its growth in new technologies and new global markets we saw an opportunity to draw on Steve’s extensive technical experience,” said Curtis Edgecombe, Global General Manager - Security, for Gallagher. “Steve brings to the role a deep technical knowledge of physical security, cryptography, identity management, new product development, and related fields.”

Gallagher’s suite of Access Control and Perimeter Security technologies has been drawing significant international attention in recent years with a number of award wins for innovation. Gallagher’s security solutions are currently utilised in more than 130 countries around the world, and are employed in all major industries, including: education, ports and airports, military and defence, critical infrastructure, mining, prisons, finance, entertainment and healthcare.

If you have an entry for Movers & Shakers please email details and photo to editor@australiansecuritymagazine.com.au
Advertisement: 3M Privacy Solutions for Organizations

Good News: this employee loves working in an open office environment.
Bad News: she’s working on confidential payroll information.

Keep visual hackers in the dark. With today’s privacy concerns and regulations, organizations can’t afford to take chances. Help protect confidential data from prying eyes by requiring 3M™ Privacy Products on all your screens. Learn about all our products to prevent visual hacking at 3Mscreens.com/VisualHacking. Privacy is the best policy.

3M is a trademark of 3M. ©3M 2014. All rights reserved.
Regional

AISA PERTH AGENDA 2014

Start  Finish  Session
9:00   9:15    Intro: “Welcome to AISA Perth Conference” – Steve Simpson and Arno Brok, AISA
9:15   10:00   Presentation 1: “Changing the paradigm: Australia’s IT security revolution” – Scott Ludlam, Senator for Western Australia
10:00  10:45   Presentation 2: “Developing a Strong Security Testing Service in the ATO” – Leonard N. Kleinman, Senior Director of Penetration Testing and VM, ATO
10:45  11:00   Coffee Break
11:00  11:45   Presentation 3: “Incident Response: Law Enforcement’s Role” – Special Agent, FBI, Assistant Legal Attaché, FBI in Australia
11:45  12:30   Presentation 4: “Implementing a Zero Trust model for Network Security” – Joseph Green, Vice President, Systems Engineering, Asia Pacific, Palo Alto Networks
12:30  13:30   Lunch Break
13:30  14:15   Presentation 5: “Challenges and Opportunities for the modern investigator” – Troy Douglas and Dan Blackman, Computer Crime Squad, WA Police
14:30  15:15   Presentation 6: “Protecting Cisco - Integrating Passive and Active controls, including Trust” – Gary Hale, Director, Cyber Security & Speciality Projects, Security & Trust Organisation (S&TO)
15:00  15:15   Afternoon Break
15:15  16:00   Presentation 7: “Shedding light on the known unknowns” – Christian Frichot, Principal Consultant, Asterisk Infosec
16:00  16:45   Panel: “Incident Response” – Qualys, F5, Bluecoat, ES2, ATO Senior Director
16:45          Closure: Gifts and drinks

Traditional incident response strategies are no longer adequate to protect organisations against sophisticated targeted attacks. Are you prepared to guard against, identify, respond to and remediate an attack on your organisation? Learn how to improve your security posture and incident response strategy from leading local security experts at this year’s AISA Perth Conference. Confirmed speakers include:
• Arno Brok - AISA National Director
• Special Agent, FBI - Assistant Legal Attaché, FBI in Australia
• Scott Ludlam - Senator for Western Australia
• Troy Douglas and Dan Blackman - Computer Crime Squad, Western Australia Police
• Leonard N. Kleinman - Senior Director of Penetration Testing and Vulnerability Management team, ATO
• Christian Frichot - Principal Consultant, Asterisk Infosec
Zoran Salahovic: AISA Conference Interview

How did you get into the security industry?
I was always curious about how things work internally; even when I was a child I always tried to pull my toys apart to see what was going on inside. I really wanted to learn how things work, and that is something that I guess is just a part of my character. I studied IT by accident – I had always wanted to be an architect – but in the end I got my bachelor degree in IT. Back in 2000 I was a Linux administrator in a large internet provider in Spain and in my first week of work (note, I still didn’t have credentials for any servers and was very bored reading the operational manuals and documentation) I heard our cache DNS servers got hacked. Since then I’ve worked on projects in Spain, Germany, UK and had the opportunity to be a part of international teams on very interesting and challenging projects.

How did you first start with AISA and has it been rewarding?
I joined AISA before I came to Australia. I sent an email explaining that I would be moving to WA with my wife and that I would like to get involved in the association. When I got to Perth I attended my first branch meeting, where Steve welcomed me with a very warm “Dobar dan, kako ste?” which basically means “Good afternoon, how are you?” in my mother tongue. That led to a friendly conversation and from then on I have always been happy to attend the branch meetings. Soon after joining I took part in the DLP discussion as a speaker on the panel. I also spoke about banking and mobile malware at the Perth Conference a couple of years ago and I helped with the CISSP study group in Perth. One day, at the committee meeting, I volunteered as a committee member to prepare the 2014 conference. I suggested a few ideas and my colleagues supported me. Very soon I was contacted by several people interested in helping me, and it has been a great support. Alan, Patrick and Kelly have done a lot for this conference. Thank you so much team. All in all, being part of AISA has been a great experience.

What are some of the challenges you think the industry and AISA are faced with?
The number of dedicated incidents is growing quickly across all different sectors and companies. The increase in breaches compared to previous years has been concerning. Financial losses are increasing as well and companies are not able to accept the risk anymore. Everybody has to invest in security today; it’s not optional anymore. The way we are using technology in the present, moving to the cloud, outsourcing, using mobile devices, etc, is making our job more challenging every day. Because of all this we should focus more and more on Incident Response. This is why I find our subject for the conference this year very appropriate. AISA Perth had about 100 members when I joined and at the conference in 2011 we had approximately 70 people. Recently, we achieved one of our goals of 200 members and became the third biggest branch behind Sydney and Melbourne. This year we are expecting more than 200 people, and we have speakers from over east and from overseas. A lot has changed since the first conference back in 2009 where we had 50 people and 1 sponsor. The challenge for us is to keep promoting security to more and more people and different audiences and to spread security awareness across WA. The future will be challenging with all the new threats and attacks that are getting more and more sophisticated, so we need people to bear security in mind and to be aware of the risks.

Where do you see the industry/AISA heading?
I would highlight that companies need to shift from security that focuses on prevention to a risk-based approach that focuses on an organisation’s most valuable assets and its most relevant threats, which are different in each company. Focussing on early detection and improving Incident Response means that all the information gathered during the incidents and attempts can be put in context and used in the future for a better and faster response.

What do you do when you’re not working?
I have many other hobbies apart from information security, which I enjoy reading articles about even when I’m not working. My other passions are music, photography and sports in general. I also enjoy working with wood and making furniture. I am a Rhodesian Ridgeback enthusiast and I love animals. I try hard to be environmentally friendly, to recycle, to collect grey water, to grow vegetables.
AISA National Conference Wrap-up
by Adeline Teoh, Correspondent, Australian Security Magazine & ChiefIT.me

Melbourne played host to the 2014 National Conference of the Australian Information Security Association (AISA) in October and, just like the weather, the presentations were a mixed bag of case studies, broad-level discussions on emerging threats and solutions, and even a revved-up keynote by special guest speaker Brad Smith, the young entrepreneur behind braaap Motorcycles.

Themed ‘Incident Response’, the conference focused on how the information security industry could counter zero-day attacks through a range of means. Many case studies gave examples of how companies are today reacting faster to attacks compared with a year ago, with some even pre-empting attacks before they occur. International guest Brad Arkin, chief security officer of Adobe, says his team has switched tactics from stopping attacks to making it more attractive for attackers to target someone more vulnerable, by driving up the cost of exploitation. “There’s an opportunity cost to fuzzing and fixing and fixes have downstream problems,” he explained. “Mitigations appear to be enough of a deterrent.”

Another take on pre-empting attacks came from Casey Ellis, founder of Bugcrowd. Bugcrowd is a platform for bug finders, a crowdsourcing model crossed with a bounty hunt. It rewards hackers for locating vulnerabilities, in many cases turning the bad guys into good guys by applying the right incentives. But it’s not just about fixing bugs. “How do you get developers to believe in the bogeyman? Just set it on fire,” said Ellis of the concept. “The value is not in finding the bugs but making security a priority for developers through using white hat hackers.”

US privacy expert Rebecca Herold also made an appearance to discuss data retention, use and abuse. She expressed concern that the legal framework for securing data is so far behind technology that organisations which only comply with the bare minimum have inadequate protection against hackers and mistakes. “It’s not enough to say ‘we’re the good guys’,” she said. “Organisations need to have a vision of future use and they need to deal with possible consequences of that use.”

Overall the conference was well-conceived, with more than 1,000 delegates attending over 16-17 October, buzzing about the presentations and socialising with industry peers at the cocktail reception and AISA Awards gala dinner.
Regional
Background Image: AISA Conference Panel in Action
ASM Correspondent Adeline Teoh
Australian Security Magazine | 9
BuildTech Asia 2014 – Enhancing & Integrating Technologies in Value Chain for the Built Environment
BuildTech Asia 2014, the region’s leading trade show for the built environment, ended on a high note with visitors experiencing the latest cutting-edge technologies that enable a more productive workflow in both the ‘hardware and software’ of the built environment sector. The three-day annual trade show was organised by Sphere Exhibits and hosted by the Building and Construction Authority (BCA), under the Singapore Construction Productivity Week.

Culminating on 16 October, the three-day event took over 6,300 visitors on a high-tech journey through various stages of the industry’s value chain – ranging from types of building materials to management of building facilities. Over 200 leading exhibitors from nine countries including Australia, China, Germany, Ireland, Hong Kong, Malaysia, Korea, Singapore and Taiwan brought the various cutting-edge technologies to life with impressive product displays, demos and workshops for the built environment sector.

Mr. Chua Wee Phong, Chairman of Sphere Exhibits Pte Ltd, said: “We are extremely pleased with the interest that this year’s edition of BuildTech Asia has received from the industry. By bringing together the latest end-to-end technologies for the built environment in a very hands-on format, we are equipping the industry with the most relevant tools and techniques to pursue productivity gains that will transform the future of the built environment.”
Following the government’s announcements on day one of the show that highlighted the push for integration of productivity improvements along the construction value chain, visitors were able to witness various technologies at work on the show floor:
• Australian company Lend Lease demonstrated the use of Cross Laminated Timber – a recyclable material that saves costs – in the construction process.
• Taiwan’s EPADA Inc. introduced Easy DIY Green Bricks (EDGB) – a reusable building material that is especially suitable for DIY projects and greatly reduces time and labour costs.
• A robotic arm from Future Cities Laboratory (FCL) and Rob Technologies demonstrated how it could lay floor tiles without manual labour.
• Yamagen MT&T launched J-WAYVES, an ergonomically-designed set of wavy handrails that enable users (especially the aged and walking-impaired) to pull their bodies up easily and provide support for their body weight while climbing up or down a flight of stairs or a slope.
• Autodesk highlighted advancements in Building Information Modelling that identify conflicts before construction takes place, preventing unproductive and wasteful use of resources.
• Every Easyup from Taiwan showcased their smart power sockets and switches, embedded with wireless protocols and functions such as Wi-Fi, Bluetooth and ZigBee, which allow users to control their electronic devices remotely using a smartphone or mobile device from any location.
Bringing to life the hardware and software of the built environment.

Experiential Showcase
A customised series of experiential tours were conducted for regional guests to visit and learn about some of the best-in-class construction projects in Singapore and around the world. Beginning with a tour of the exhibition show floor to understand the technologies, the delegates then visited the Singapore Sports Hub to experience a realistic feel of the technologies at work in the built environment. Ms. Do Thi Thuy Huong and Ms. Nguyen Thi Nhu Phuong from Vietnam Electronic Industries Association said: “The site visit was an insightful experience and we were able to actually see the benefits that the various building and workplace health and safety technologies bring to a construction project of such magnitude. We appreciate the hands-on nature of BuildTech Asia that gives us a 360 degree view of the technology not just on display but also at work.”

With the two new Integrated Construction and Precast Hubs for automated manufacturing of Prefabricated Pre-finished Volumetric Construction (PPVC) modules set to be opened over the next two years, visitors had the opportunity to explore prefabricated rooms and toilets on the show floor from exhibitors Sembcorp EOSM, SEF Construction and Excel Precast, among others.

Fostering Business Partnerships

Over 12 trade associations and business delegations from Indonesia, India, Malaysia, Myanmar, Russia and Vietnam attended BuildTech Asia 2014 to explore the latest technologies on the show floor, key project sites in Singapore and manufacturing facilities. In addition, local trade delegations also networked and established business relationships while pursuing commercial partnerships on the trade floor. Ms. Elena Lisina from the Russian Business Council, a delegation of 30 attendees, said: “BuildTech Asia is an all-encompassing trade show that has all the latest technologies for the built environment under one roof. It has given our members the ideal opportunity not only to keep up with the trending technologies but also to connect with potential industry partners in Southeast Asia. This trade platform has enabled our Russian businesses the first-mover advantage in some areas in the building construction sector and we are happy to be a part of this trade exhibition.”

In a multi-million dollar deal, one of Singapore’s leading equipment providers, JP Nelson, signed an MOU with Civil Tech for the use of two Buma Casing Rotators that cut through odd-shaped boulders, hard rock, steel and concrete up to 40 metres deep. The equipment is well-suited to challenging requirements such as the Thomson Line MRT construction project. Another MOU, with an estimated value of S$500,000, was signed with Antar and Fuchi for one Fuwa 65-tonne telescopic crane.
Leveraging on a multi-disciplinary knowledge-sharing platform

Industry thought leaders shared their knowledge and expertise with over 300 delegates at the Facilities Management Conference 2014 and the Environment Sustainability Conference 2014. Attendees at both conferences appreciated the latest insights, case studies and scenarios presented by leading industry professionals and technology experts in the field. Conference sessions were in tune with the government’s efforts to make the built environment sector more productive, more sustainable, quieter and safer, resulting in deep, thought-provoking discussions that continued well after the conference ended.

In the opening keynote address at the Environment Sustainability Conference 2014, Guest of Honour Mr Desmond Lee Ti-Seng, Minister of State for the Ministry of National Development, shared the latest Green and Gracious Builder Schemes from BCA. Dr Teo Ho Pin presented on the Town Councils’ innovative and productive solutions to efficiently obtain residents’ feedback and reduce response time to the minimum in his keynote address at the Facilities Management Conference 2014. A comprehensive stakeholders’ engagement system, a tele-monitoring system for real-time lift performance tracking and engaging citizens through the iTown@SG smartphone app are some of the solutions implemented by the Town Councils. The Facilities Management Conference also featured sessions on integrated estates management, workplace safety and effective manpower practices, among others.

BuildTech Asia will return to Singapore Expo in October 2015, while the Facilities Management Solutions Expo will return for its first-time staging as a full-fledged expo in August 2015. Premium spaces are now available. Organisations which are keen to exhibit at either of these trade shows are encouraged to reserve their spaces early.

ASM Executive Editor Chris Cubbage presenting on Productivity & Security

ASM Executive Director with the Singapore Building Institute Ltd (SIBL) with MC Sussie Ketit, President Peter Chua & VP Dr. John Min.
Cyber Security
Deter, detect and defeat

Armed with this mission, cybercrime intelligence across the world is evolving ever newer tools to thwart the changing threat landscape of internet fraud and crime
by Sarosh Bana, ASM correspondent
Web threats and frauds continue to increase in number and sophistication as the profitability of cybercrime transforms the nature of the game, with a fraud discovered just weeks ago likely to have compromised $3.75 billion worth of transactions across 30 Brazilian banks. The Washington-based Center for Strategic and International Studies (CSIS), in fact, sees cybercrime as a “growth industry” where the returns are great and the risks low.

The 2013 Fraud Report of RSA, the security division of EMC Corporation, estimates global losses from phishing attacks alone last year at US$5.9 billion, a jump over US$1.5 billion in 2012. Phishing perpetrators send out emails that appear official and direct the recipients to legitimate-looking websites for the purposes of information or identity theft.

The shift towards software-defined networks, cloud infrastructures and smartphones replete with apps has added complexity, posing challenges to companies like RSA and EMC in devising products that shield official and personal data and information from cyber threats. The worldwide smartphone market alone reached a new milestone in 2013 with one billion units shipped in a single year, up 38 per cent from the 725 million units shipped in 2012. Both EMC Corporation and RSA are headquartered in Massachusetts and have offices across the world, including in Australia.

In its June 2014 report, Net Losses: Estimating the Global Cost of Cybercrime, CSIS estimates cybercrime to cost the global economy more than US$400 billion annually. “A conservative estimate would be US$375 billion in losses, while the maximum could be as much as US$575 billion,”
it notes. “Even the smallest of these figures is more than the national income of most countries, and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow.” The report avers that the most important cost of cybercrime is its damage to company performance and to national economies, as it damages trade, competitiveness, innovation and global economic growth.

Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA, regrets that the international community has yet to establish acceptable norms of behaviour or rules of engagement for an interdependent digital world. In his inaugural address at the 22-23 July RSA Conference Asia Pacific Japan (APJ) in Singapore, the widely acknowledged sage of cyber security deemed information sharing another area that needed cooperation. “Almost without government help, industries and verticals are sharing information about the latest attack methodologies, malware, and compromised IP addresses,” he pointed out. “The problem is that there are no set standards that allow us to organise the data in a consistent and coherent manner that make it actionable while eliminating redundancies.”

Coviello also indicated that US-China relations were getting marred with both countries engaging in digital activities the other found offensive. Beijing complained about the digital intelligence gathering by the US’s National Security Agency, while Washington took umbrage at Chinese cyber-espionage for economic gain. He added that the nascent bilateral work on cyber crime prevention ground to a halt after the US Justice Department indicted five Chinese military officers in May for this type of activity. He added that even the long-standing relationships between the US and European countries had been strained by a growing cloud of distrust about each other’s digital agenda and activities. “Let’s begin to create the rules of engagement, the rules of the road for the digital highway,” Coviello suggested. “Let’s all come to the table and intentionally draw up the new norms of behaviour.” He hailed the recommendations enshrined in the US State Department’s draft report on a Framework for International Cyber Stability as a step in the right direction.

There were over 3,200 registrations from countries across the Asia Pacific for this second annual edition in Singapore of the RSA Conference APJ. The event had 65 sessions spanning Cloud and Data Security, Cybercrime and Law Enforcement, Mobile Security, Security Infrastructure, and Threats and Risk Management, and featured more than 70 exhibitors and sponsors. Singaporean start-up Digify was adjudged the winner of the Most Innovative Company contest for 2014, among finalists that included AirSig, Capy Inc., and Stratokey Pty Ltd.

Lucas Zaichkowsky, Enterprise Defence Architect of California-based AccessData, which makes the world’s most advanced and intuitive incident resolution solutions, says small retail and hospitality businesses have their own share of risk in securing their systems and terminals that process customers’ payment card transactions. These retailers retain ‘point of sale’ (POS) providers to maintain their systems, but these dealers themselves are not security savvy, normally providing technical support in the form of elementary remote access tools and port-forwarding. A remote access tool is software for remotely accessing or controlling a computer.
It can be used legitimately by system administrators, but also maliciously, as it can perform key logging, screen and camera capture, file access, code execution, registry management and password sniffing. Port forwarding is the technique of translating the address or port number of a packet to a new destination.

Jason Rader, Director of Cyber Threat Intelligence at RSA, says cyber defenders may at times be guided by their clients as to whether they wish to block the fraudsters right away to curb further damage or to continue monitoring their activity with a view to eventually tracking them down. RSA’s chief security strategist finds conventional authentication unable to support the universal shift to mobile devices. “Even the most basic authentication methods like username and password fail to meet user requirements for convenience,” he explains. “Mobile is forcing user authentication to finally move into the Jetson-era when new unified authentication solutions will be developed in the next one to three years to support a range of methods that are built into smart devices, leveraging behaviour and biometrics.”

Not only is malware getting more sophisticated, even simple malware can cause unspeakable damage, says Rader. For instance, the Zbot or Zeus trojan horse malware that attacks Windows operating systems is not just being used for classic financial malware attacks, but also in fraud schemes such as referral abuse and SEO, or search, poisoning. SEO poisoning is an attack method in which cybercriminals use search engine optimisation tactics to push malicious websites they have created into prominent positions in search results. Rader hence deems advanced threat intelligence vital for improving defences.

Vic Mankotia, Singapore-based vice president for Solution Sales, Asia Pacific and Japan (APJ), at mainframe software firm CA Technologies, based in Long Island, New York, says the starting premise is that as we live in a hyper-connected world, any mobile system is hostile unless secured. At the same time, developments would be throttled if security overwhelmed innovation. “Security needs to evolve round enablements, as it would thwart development if it preceded it,” he explains. “It is crucial to have data sovereignty built into a system, as technology has to be relevant in an application economy.”

CSG Invotas Global President Michael Henderson says his company was born in February out of its parent CSG International’s desire to fill a gap in how enterprises address security. “For 30 years, CSG has delivered solutions that accurately manage high volumes of complex network-based operations, from call centre to retail, to devices and the web,” he mentions. “But it recognised that enterprises typically focus their network and data security efforts around identifying attacks and threats versus dynamically addressing the threats at machine speed, and the result has been CSG Invotas.”

“Security analysts’ success hinges on their ability to rapidly investigate events, weed out false positives from real incidents, and enrich data from multiple feeds to deliver contextual and actionable information,” notes CSG Invotas Principal Security Architect Bernie Thomas. “Their efforts are hindered by manual and repetitive tasks, requiring them to log in to a multitude of disparate solutions.” He says his company helps save precious time and resources in an attack by unifying incident-related data and security technologies under a single management platform.

According to CSG Invotas Global Business Operations Chief Colin Troha, security orchestration minimises the time required to contain and mitigate security incidents as it blocks threats and attacks holistically, rather than solely through one-off sequential processes. “The ability to respond in minutes or seconds effectively stops the intruder in his tracks, limiting the damage and risk to the organisation,” he explains. In this regard, the company launched the Invotas Security Orchestrator for the first time in Asia at the RSA Conference. CSG Invotas Regional Sales Director (APAC Region) Kenedi Celik mentions that the platform delivers optimised response capability for large global organisations with security operation centres to unify security tools and information feeds, orchestrate defensive action, and automate repetitive tasks.

Akamai-IDG Connect’s research white paper, titled Under Siege from Web Threats: APAC [Asia Pacific] Countries Respond in Patchwork and Tardy Fashion, finds the APAC region beset by security threats and taking diverse
routes in response. “Web applications appear to be the main target of attacks,” it says. “Denial of service, cross-site scripting, compromised authorisation process and domain name system (DNS) attacks formed the vast bulk of problems and these are forms of attack that can effectively take a domain offline or see the victim’s brand defaced.” The online research reports 45 per cent of the respondents experiencing a DNS Compromised or Amplified attack in the past year and 28 per cent, Distributed Denial of Service (DDoS) attacks. The study polled decision-makers and executives at mid-sized and larger organisations (250-plus staff) in Australia, Hong Kong, India, Japan, the Philippines, Singapore, South Korea, Taiwan and Thailand.

Recalling the cyber attack a year ago on The New York Times (NYT), the report points out it was in part due to a DNS compromise in Australia. “Such attacks are difficult to defend against because, although they target a particular domain, the actual hack is carried out against the DNS server over which most organisations have little control,” it explains. The website of NYT, one of the world’s largest newspapers, and the image service of Twitter, a popular social networking website, were taken offline in August 2013 by hacking group Syrian Electronic Army (SEA), which supports Syria’s embattled President, Bashar al-Assad. SEA used phishing tactics to acquire log-in details to enter the IT system of Australia’s Melbourne IT, which handles hosting for NYT and Twitter, among others. It then proceeded to change the DNS records of several domain names, one of which was nytimes.com. DNS is a virtual phone book that leads to the website required to be visited. SEA was able to reroute traffic to nytimes.com to its own address, taking the media company offline.

Celik, Henderson, Troha, Thomas: time is of the essence
The damage had been done by the time Melbourne IT could address the breach by changing the DNS records back and locking them, while altering the affected reseller credentials to deny SEA further access.

Stressing that cyber security is one of the Australian government’s highest national security priorities, Dr. Carolyn Patteson, Executive Manager at CERT Australia, says the 2013 Cyber Crime and Security Survey by the national computer emergency response team (CERT) reveals that cyber attacks are mainly motivated by a competitor seeking commercial advantage. “This aligns with the cyber threat of most concern to businesses, which is theft or breach of confidential information or intellectual property,” she notes. CERT Australia, which comes under the purview of the Australian Attorney-General’s Department, helps protect Australian businesses from cyber attacks and provides assistance on request. It received responses from 135 partner businesses for its latest survey, which reports that Australian enterprises have overall good cyber security measures in place, including policies and standards, as well as a range of technologies and mitigation strategies. The survey discovers, however, that only 27 per cent of those surveyed increased expenditure on IT security in 2013, a decrease of 25 per cent from 2012, while 16 per cent have no staff dedicated to IT security.

Manatosh Das, Senior Analyst Serving Security & Risk Professionals in Asia-Pacific at Forrester Research, says that in the last few years the threat landscape has not evolved, but rapidly mutated. “The security gap between new attack methods and traditional controls continues to grow in favour of the attackers,” he remarks. “Hackers today are highly organised well-funded crime syndicates, or in some cases, state-sponsored agents.” Forrester sees few fundamental changes occurring, with attacks overall becoming more targeted, sophisticated and resourceful.

Uri Fleyder, security researcher managing RSA’s Cybercrime Research Lab, points out that in early July, his team, through a coordinated investigation spanning three continents, uncovered a massive malware-based fraud ring that had targeted 30 Brazilian banks over the last two years. The ring had infiltrated the Boleto, the second most popular payment method in Brazil after credit cards. RSA Research discovered that the Boleto malware or ‘Bolware’ may have compromised almost 500,000 transactions. While no evidence could be gleaned on whether the fraudsters were successful in collecting on all of these compromised transactions, evidence did indicate their value, estimated at US$3.75 billion. “Often, a breach may not be discerned for months and may take even longer to resolve,” he says.
Fleyder says that while this fraud is an apt instance of cybercrime that seeks personal gain, the internet is also targeted through hacktivism, which largely peddles a cause to gain it publicity, and through nation-state attacks, which are the most sophisticated and complex, and also the most costly in the harm they cause. A long-time hacktivist has been the international computer hacker network Anonymous, which attacked many government and corporate websites in Brazil during the recent FIFA World Cup there to make a stand against corruption and the high costs (of US$11 billion) of holding this football championship. It had also sought to disrupt the World Cup advertising spend of companies on the Brazilian television network Globo.

Dr. Hugh Thompson, Chief Security Strategist at Blue Coat, also notes that it is no longer just cybercriminals that have been behind the massive number of attacks over the past few years, but hacktivists and nation-state attackers as well. “It used to be that security was seen as black or white, either you’re breached or you’re not, you’re secure or you’re not,” he remarks. “But now we’re starting to see security for what it is, a constant continuum between those things.”

“The persistent change in the threat landscape is what gives cyber defenders the passion to do what we do every day,” says RSA’s Jason Rader. “Nobody can ever call our jobs dull or boring, but at the same time, it demonstrates how difficult it is to truly predict and prepare for ‘what’s next’.”
Making decisions that impact your organisation? Read these white papers first.

1 | Sharing the blame: How companies are collaborating on data security breaches. Get exclusive insight into how companies in Asia handle cyber security issues, in a special report by the Economist Intelligence Unit.
2 | Prolexic Quarterly Global DDoS Report. Make more informed decisions with this global view of security threats, vulnerabilities and trends, as presented by the world’s largest dedicated DDoS mitigation network.
3 | Weighing Risk Against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? Learn how to calculate the potential impact of a data breach and how much risk it would pose to your business, using this comprehensive guide.
4 | Quick Wins with Website Protection Services. Find out why websites are ‘sitting ducks’ for attackers and how to add measurable security to your web presence, in this brutally honest report by Securosis.

For more white papers, eBooks and videos on security, visit: www.australiansecuritymagazine.com.au/akamai
Solving a Cyber Crime Case like Sherlock Holmes
by Joel John Fernandes, Senior Product Marketing Analyst at ManageEngine
IT security managers lay a lot of emphasis on conducting log forensics investigations. According to the SANS 2013 Digital Forensics Survey, 57% of the respondents said that they conduct forensic investigations to “find and investigate incidents as they are occurring” and 75% of the respondents said they conduct forensic investigations to “find and investigate incidents after the fact”.

Detecting the activity of hackers is never easy. Enterprises may have the best of network security solutions to detect network anomalies and threats, but critical resources still continue to get compromised. All IT security managers have to put themselves in the shoes of Mr. Sherlock Holmes to solve cyber crime cases. They have to think and act like the cyber criminals by finding out the ways in which the criminal could have accessed the network resources. The cyber criminal can be tracked easily by reconstructing the cyber crime scene in its entirety. Once the cyber crime scene is recreated, the IT security manager can get the criminal’s complete activity trail, which can answer the “what, who, when, where, and how” of all the security incidents that happened on the network. So the big question now is, how can IT security managers reconstruct the entire cyber crime scene?
Reconstructing the Cyber Crime Scene

The only way IT security managers can reconstruct the cyber crime scene is by performing forensics investigations on the log data generated by the IT infrastructure. IT security managers need to conduct forensics investigations by searching and analysing their log data. All attackers leave traces, and the log data is the only thing that can help IT security managers identify the cause of the breach. Log data contain the digital fingerprints left by everyone who accessed the network systems, devices, and applications. By effectively analysing log data, IT security managers can pinpoint the exact log entry that caused the security breach, find the exact time at which the corresponding security event happened, who initiated the activity, and the location from where the activity originated. These digital fingerprints help in completely recreating the crime scene. Log data forensics analysis reports can also be used as evidence in a court of law. IT security managers should leverage the network security intelligence provided by the log data generated by their network infrastructure.

Here are two critical prerequisites for effective log forensics investigations:

1. Collect log data in a central place. All log data from network systems – e.g., Windows systems, Unix/Linux systems, applications, databases, routers, and switches – should be aggregated in a central place for effective reporting, security, and forensics analysis.

2. Archive log data for at least a year. Log data collected from all network systems must be archived for at least one year, and the stored log data should be easily accessible for forensics investigations.

To meet those prerequisites, IT security managers need to automate their log management. After all, manually collecting and archiving log data in a central place for forensics investigations is virtually impossible given the sheer volume of event records that are typically generated on a daily basis. It would simply take too much time and too many IT staff members. Once automated, the forensics investigations process can be simplified and accelerated. IT security managers can type certain keywords or some logic related to the cyber crime and get the answer in seconds. They can easily dive into the log data and freely search across the entire network infrastructure within seconds. When they eliminate the painful process of manually searching through the logs, IT security managers are able to recreate every facet of the cyber crime scene and crack the case.

The efficient way to perform a forensic investigation is by equipping IT security managers with a powerful log forensics tool to investigate log data and instantly generate forensic reports, which can be used as evidence in a court of law. The log forensics tool should let IT security managers collect and archive log data in a central place, so they can reconstruct the entire crime scene with ease.

About the Author
Joel John Fernandes currently works as a Senior Product Marketing Analyst for ManageEngine. He has thorough knowledge of the Log Management and Security Information and Event Management (SIEM) domain and has consulted on network security and log management for both large and small enterprises.
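The central collection and keyword-driven reconstruction the article describes, as an added Python sketch that is not the author's or ManageEngine's code: three constructed log formats (a Linux auth log, a flattened Windows Security event and a firewall record, with assumed sample hosts, users, addresses and syslog year) are normalised into one time-ordered store, a single search term returns the who/what/when/where trail, and one detection (repeated failed logins followed by a success) runs over the same store.

```python
# Added example (not ManageEngine's code): a minimal central log store that normalises
# three constructed log formats, answers who/what/when/where for a search term, and runs
# one detection over the store. Hosts, users, addresses and the syslog year are sample values.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Event:
    ts: datetime            # when
    source: str             # which feed the line came from
    host: str               # where it was recorded
    user: Optional[str]     # who
    src_ip: Optional[str]   # where it originated
    action: str             # what
    raw: str                # original line, kept as evidence

# Constructed sample lines (not real data): Linux auth log, flattened Windows Security event, firewall record.
SAMPLE_LOGS = {
    "linux-auth": [
        "Oct 16 02:13:07 web01 sshd[4412]: Failed password for root from 203.0.113.45 port 51022 ssh2",
        "Oct 16 02:13:09 web01 sshd[4412]: Failed password for root from 203.0.113.45 port 51022 ssh2",
        "Oct 16 02:13:12 web01 sshd[4415]: Accepted password for svc_backup from 203.0.113.45 port 51030 ssh2",
        "Oct 16 02:14:40 web01 sudo: svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/mysql",
    ],
    "windows-security": ["2014-10-16T02:20:05Z DC01 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=203.0.113.45"],
    "firewall": ["2014-10-16 02:25:50 fw01 action=allow src=10.0.1.20 dst=203.0.113.45 dport=443 bytes=52428800"],
}

SYSLOG_YEAR = 2014  # syslog lines carry no year; assumed for the sample
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
SSH_RE = re.compile(r"^(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_linux_auth(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m: return None
    mon, day, clock, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    if prog == "sshd" and (s := SSH_RE.match(msg)):
        verdict, user, ip = s.groups()
        return Event(ts, "linux-auth", host, user, ip, f"ssh {verdict.lower()}", line)
    if prog == "sudo" and (s := SUDO_RE.match(msg)):
        user, as_user, cmd = s.groups()
        return Event(ts, "linux-auth", host, user, None, f"sudo as {as_user}: {cmd}", line)
    return Event(ts, "linux-auth", host, None, None, msg, line)  # anything else, kept verbatim

def parse_windows(line: str) -> Optional[Event]:
    parts = line.split(" ", 2)  # ISO timestamp, host, key=value fields
    if len(parts) < 3: return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(KV_RE.findall(parts[2]))
    action = {"4624": "logon", "4625": "logon failed"}.get(kv.get("EventID"), f"event {kv.get('EventID')}")
    return Event(ts, "windows-security", parts[1], kv.get("TargetUserName"), kv.get("IpAddress"), action, line)

def parse_firewall(line: str) -> Optional[Event]:
    parts = line.split(" ", 3)  # date, time, host, key=value fields
    if len(parts) < 4: return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    kv = dict(KV_RE.findall(parts[3]))
    action = f"{kv.get('action')} {kv.get('src')} -> {kv.get('dst')}:{kv.get('dport')} ({kv.get('bytes')} bytes)"
    return Event(ts, "firewall", parts[2], None, kv.get("src"), action, line)

PARSERS = {"linux-auth": parse_linux_auth, "windows-security": parse_windows, "firewall": parse_firewall}

def collect(logs: dict) -> list:
    """Prerequisite 1: every source into one normalised, time-ordered store."""
    events = [ev for src, lines in logs.items() for ev in map(PARSERS[src], lines) if ev]
    return sorted(events, key=lambda e: e.ts)

def search(events: list, term: str) -> list:
    """Keyword search over the whole store: the trail of an IP, user or host."""
    return [e for e in events if term.lower() in e.raw.lower()]

def reconstruct(events: list, term: str) -> Optional[dict]:
    """Answer what / who / when / where for a term from the central store."""
    trail = search(events, term)
    if not trail: return None
    return {
        "when": (trail[0].ts.isoformat(), trail[-1].ts.isoformat()),
        "who": sorted({e.user for e in trail if e.user}),
        "where": sorted({e.src_ip for e in trail if e.src_ip} | {e.host for e in trail}),
        "what": [f"{e.ts:%H:%M:%S} {e.host} {e.action}" for e in trail],
    }

def failed_then_success(events: list, threshold: int = 2) -> list:
    """Detection: an IP with >= threshold failed ssh logins followed by an accepted one."""
    fails, hits = {}, []
    for e in events:
        if e.action == "ssh failed":
            fails[e.src_ip] = fails.get(e.src_ip, 0) + 1
        elif e.action == "ssh accepted" and fails.get(e.src_ip, 0) >= threshold:
            hits.append((e.src_ip, e.user, fails[e.src_ip], e.ts))
    return hits

if __name__ == "__main__":
    print(reconstruct(collect(SAMPLE_LOGS), "203.0.113.45"), failed_then_success(collect(SAMPLE_LOGS)))
```

Archiving (prerequisite 2) is left out of the sketch; the raw line is kept on every event so that the evidence trail survives normalisation when the store is persisted.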
Security on the move
SRI Security Congress, 1-3 December 2014

Over three days ECU’s SRI Security Congress will bring together all areas of security professions and disciplines as part of a holistic engagement with the wider security community. Scholars of the following disciplines are encouraged to participate: strategic studies, public affairs, communication studies, international politics, criminology, business and management, information and computer science, political science, social science, psychology and cognitive science, and security studies. All submissions will be subject to a double blind peer review process and best papers will be considered for publication in selected journals.

The 2014 SRI Security Congress will host 5 security-based conferences over 3 days:
• 15th Australian Information Warfare Conference
• 12th Australian Digital Forensics Conference
• 12th Australian Information Security Management Conference
• 7th Australian Security and Intelligence Conference
• 3rd Australian eHealth Informatics and Security Conference
Venue: Edith Cowan University, 270 Joondalup Drive, Joondalup WA 6000. Tel: +61 8 6304 5176
Contact details: Congress Coordinator – Emma Burke. Tel: +61 8 6304 5176. E: sri@ecu.edu.au W: http://conferences.secau.org/venue.php
Key dates: Paper Submission Deadline – 31 July 2014; Acceptance Notification – 19 September 2014; Camera Ready Papers – 27 October 2014; Early Bird Registration – 2 November 2014
Australian Security Magazine | 21
Cyber Security
Wear the Danger: Security risks facing wearable connected devices
Wearables – smartwatches and miniature electronic devices like Google Glass – are the new class of personal connected devices that allow access to the Web and applications with even greater convenience than smartphones and tablets. However, this plethora of new devices also brings several new security risks which users will have to address. Kaspersky Lab is preparing a series of articles on the risks of connected devices and our hyper-connected world in order to alert the public to the security implications of the ‘Internet of Things’. This time, the company’s researchers, Roberto Martinez and Juan Andres Guerrero, looked into Google Glass and the Samsung Galaxy Gear 2, exploring how they could affect people’s privacy and security.
Google Glass and the Man-in-the-Middle (MiTM)
There are two ways to surf the Web from Google Glass: through Bluetooth pairing with a mobile device that shares its data network connection, or directly through Wi-Fi. The latter gives the user more freedom since it doesn’t require a separate mobile device in order to access the Internet. However, according to Kaspersky security researcher Roberto Martinez, this functionality also means that the Glass is exposed to network vector attacks, particularly MiTM, where communication between two systems can be intercepted. This was discovered in an experiment conducted by Kaspersky Lab researchers after attaching the device to a monitored network and checking the data it transmitted. Analysis of the captured data showed that not all the traffic exchanged between the device and the hotspot was encrypted. In particular, it was possible to find out that the targeted user was looking for airlines, hotels and tourist destinations. In other words, it was possible to profile the user through a simple form of surveillance. “We admit that it is not a very damaging vulnerability,
but even so, profiling via metadata from Web traffic exchange could become the first step of a more complex attack against the device’s owner,” said Martinez, who performed the investigation.
A tool for espionage
Dedicated apps for the Galaxy Gear 2 are loaded onto the device with the help of Gear Manager, a special app by Samsung designed to transmit an app from the smartphone to the smartwatch. As Juan discovered, when an app is installed on the smartwatch’s operating system, no notification is shown on the watch display. This obviously makes targeted attacks involving silent app installation possible. “At this time there is no evidence to suggest that wearables are currently being targeted by professional APT actors,” commented Juan Andres Guerrero. “However there is a twofold appeal presented by wearables that make them a likely future target if they are widely adopted by consumers. In future, the data collected by wearable devices is going to attract new players to the cyber-espionage scene.”
Galaxy Gear 2 and its spying potential
As Kaspersky Lab researcher Juan Andres Guerrero discovered when he examined his Samsung Galaxy Gear 2, the device is deliberately designed to make a loud noise and warn people nearby if it is being used to take a photo. A deeper look into the software of the Galaxy Gear 2 revealed that after rooting the device and using Samsung’s publicly available proprietary software tool ODIN, it is possible to enable the Galaxy Gear 2 to silently take pictures using its embedded camera. This obviously opens the door to possible scenarios in which the Galaxy Gear 2 could violate other people’s privacy. More information about Google Glass and Galaxy Gear 2 smartwatch security risks can be found on Securelist.com.
IP THEFT: Intellectual property theft is an emerging business risk of crippling concern.
By Phil Russo
Using today’s technologies, trusted staff can, within a few short minutes, copy a company’s documentation, contracts, ideas and even an entire client database that may have taken years and millions of dollars to develop. Once this information has been duplicated onto another device, the staff member can readily pass the captured intellectual property to a willing competitor, or use it to build a business in direct competition, without the original company knowing its IP has been stolen until it is seemingly too late. Intellectual property theft typically occurs when an employee is seeking other employment or planning their own business venture: they copy their current company’s data onto USB thumb-drives or cloud services, or use third-party email accounts such as Gmail to send protected data offsite to be stored for later access. It is very easy to do, costing the offending staff member nothing more than the price of a USB thumb-drive and a few moments of indiscretion. Often when I speak to clients about intellectual property theft they instantly think ‘it’s a theft, so the police will deal with it’, but that is a common misconception. Police do not readily deal with such matters; such occurrences need the attention of a computer forensic investigator. As a computer and mobile phone forensic expert I am seeing this new trend in IP theft constantly. Unfortunately the behaviour is usually not discovered until after the fact, when the damage has already been done and triage and reactive damage control are required. It almost seems to be accepted practice, or a perceived right of the job, that staff leaving their current position take the company’s secrets with them to share with their next employer. To combat such behaviour, some companies clumsily try to reduce the risk by walking resigned staff out the door and immediately denying them access to computer systems. In fact this is often too late.
Typically the downloading of valuable company data has already occurred at least 2 weeks prior, or more (in one instance I recall an offender had stolen the data over 6 months prior). I have also seen an attempt to curb the problem of data theft by USB by super-gluing the USB ports on every company computer. This attempt was not effective either. Normal processes and security measures may eliminate some of the low-hanging-fruit methods of theft, but the more determined employees may consider it a challenge to circumvent traditional IT security measures, and these employees will often come up with very inventive ways of extracting electronic documents. In one such inventive and interesting case the offending staff member used a retail pair of sunglasses with a USB MP3 player built into them as the device to complete the IP theft. Similarly to USB, the use of Gmail and other free email accounts or cloud storage accounts easily facilitates IP theft. These vessels introduce the further complexity of jurisdiction, passwords and privacy laws into any subsequent investigation, often requiring lawyers and court orders to access evidence after the fact. In these instances, the forensic analysis of digital evidence proving the use of USB devices and email accounts is essential in any such court action or dispute. Today, mobile phones (especially smartphones) can be quickly used either as a storage device or as a camera to record important information. It may sound a little high-tech and spy-like, taken from the pages of a James Bond novel, but these nefarious acts are carried out in such fashion daily. Within such investigations the forensic analysis of such a device proves its worth, as it may prove not only the time and date a photo was taken but the geographical location it was taken from. In one instance I was engaged to investigate where a renowned chef was leaving her current restaurant employer. Her employer believed she had taken IP such as restaurant schedule plans, client information and other culinary secrets that they had developed, all therefore deemed the company’s intellectual property. During this investigation I completed a forensic review of the office computers, finding not only evidence that information had indeed been whisked away (pun intended), but also similar information from previous restaurants where this person had worked. In another case, a multinational company lost a number of key senior personnel over a four-month period. A competing company was soon formed and the clients of the original company were being contacted directly. After a court search order was granted, a computer forensic analysis was conducted on the premises of the newly formed company. I discovered an elaborate plan involving past and current employees of the original company. Emails, Skype conversations, Dropbox folders and USB data transfers had all played a part in this litigious jigsaw.
Clear evidence of intellectual property theft was identified, including the client database and even in-house developed sales forms and ordering systems. This was worth millions to the original company, and when presented with the forensic evidence an arrangement was made to compensate accordingly. In a third case, an employee left a company to work for a competitor. This person was IT savvy. Before resigning from his original job he had a hidden, false company employee account added to a mailing list which received all new incoming quotes. When he left the first company he took with him the access credentials to that mailbox account. As an employee at the new company, he was still able to download his old company’s emails. These emails contained
quotes for business proposals which he was able to successfully underquote, time and time again, winning the work. Digital forensics has traditionally been used to assist lawyers in acquiring and interpreting computer artefacts as evidence in a court-ready, admissible fashion. Computer forensics is a niche area that your usual computer security person should not dabble in: they are not experts, hold no certifications and therefore may not be eligible to present as experts in court. Even the basic act of collecting digital evidence in a non-forensic manner, e.g. switching on a computer, can alter or destroy such evidence and render it inadmissible. Computer forensic investigators are trained to counter such difficulties. Often the discovery of IP theft is not until many months after the fact. This presents other difficulties in conducting an investigation, as the forensic analysis process requires physical access to the offender’s computer or mobile phone. These devices may no longer be available, as the company asset may have been distributed to other staff members, returned to a computer lease company or even sold off. Typically, after an intellectual property theft the forensic process is protracted and expensive. Coupled with ongoing lawyer and court fees, the client is soon presented with a decision to make: is it all worth it? After all, not every company’s secrets are worth millions if stolen. Often the initial investigation is an emotional reaction, and when this is realised the case is dropped. However, with the use of proactive forensic technologies there is a better and far cheaper alternative that, if implemented correctly, may reduce the risk. Forensic network traffic interception, forensically journaled offsite mail repositories and proactive forensic acquisition strategies that significantly reduce risk exposure are available to companies and small businesses alike at a fraction of the cost.
Some insurance companies may even offer cyber policies. Securing your information is becoming increasingly difficult, and with the focus of some newer privacy legislation the older, more traditional security measures may prove ineffective, as it seems the rights of the employer are becoming weaker while the employee’s rights continue to grow. Whatever your thoughts on this, if you are running a business be aware that there are potentially large risks to your company. Without proper attention there is little risk to the perpetrator, who is tempted by a big reward for stealing your IP.
About the author
Phill Russo is a world-renowned computer and mobile phone forensic expert, and is CEO of CIA Solutions in Perth, Western Australia. Russo also instructs in his specialty field to police, military, members of the FBI, Australian Federal Police, Scotland Yard, Hong Kong Police, Nedbank, Westpac, Bankwest, KPMG, Deloitte, Boeing and other world-class firms.
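The article’s recurring point is that the copying happens weeks before the resignation, across several channels (USB, file-server copies, webmail and cloud uploads), and that the evidence for each channel has to be pulled together after the fact. As an added example, not the author’s own tooling or any product, the following correlates constructed artefact records from three sources against an employee’s resignation date and flags the data-movement events in the two weeks beforehand that an investigator would examine first. The source labels, host names, serial numbers, byte counts and the size threshold are all constructed for illustration.

```python
"""Pre-departure data movement timeline (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Artefact:
    ts: datetime
    source: str      # constructed labels: 'usb', 'fileserver', 'proxy'
    user: str
    detail: str      # what the record says happened
    nbytes: int = 0  # volume moved, where the source records it


# Constructed records; hosts and serials are illustrative, not real.
ARTEFACTS: List[Artefact] = [
    Artefact(datetime(2014, 5, 2, 10, 15), "fileserver", "jsmith", "read sales/pricelist.xlsx", 2_000_000),
    Artefact(datetime(2014, 5, 20, 18, 41), "usb", "jsmith", "connect serial=EXAMPLE123", 0),
    Artefact(datetime(2014, 5, 20, 18, 43), "fileserver", "jsmith", "copy sales/clients.accdb", 350_000_000),
    Artefact(datetime(2014, 5, 21, 7, 5), "proxy", "jsmith", "POST webmail.example.com attachment", 48_000_000),
    Artefact(datetime(2014, 5, 27, 12, 0), "proxy", "jsmith", "PUT cloud-storage.example.com", 120_000_000),
    Artefact(datetime(2014, 5, 30, 9, 0), "fileserver", "amartin", "read hr/policies.docx", 90_000),
    Artefact(datetime(2014, 6, 2, 9, 30), "proxy", "jsmith", "GET intranet.example.com", 4_000),
]
RESIGNED = datetime(2014, 6, 3, 9, 0)   # constructed resignation date
LARGE = 10_000_000                       # constructed threshold: 10 MB


def pre_departure_window(user: str, artefacts: List[Artefact],
                         resigned: datetime, weeks: int = 2) -> List[Artefact]:
    """The user's artefacts from `weeks` before resignation up to the resignation itself."""
    start = resigned - timedelta(weeks=weeks)
    return sorted((a for a in artefacts if a.user == user and start <= a.ts <= resigned),
                  key=lambda a: a.ts)


def is_movement(a: Artefact) -> bool:
    """Removable media, file copies and outbound uploads move data; reads and GETs do not."""
    if a.source == "usb":
        return True
    if a.source == "fileserver" and a.detail.startswith("copy"):
        return True
    if a.source == "proxy" and a.detail.split()[0] in ("POST", "PUT"):
        return True
    return False


def flag_timeline(user: str, artefacts: List[Artefact], resigned: datetime,
                  weeks: int = 2) -> List[Tuple[str, str]]:
    """(flag, line) per event in the window; 'EXAM' marks what to examine first."""
    out = []
    for a in pre_departure_window(user, artefacts, resigned, weeks):
        examine = is_movement(a) and (a.source == "usb" or a.nbytes >= LARGE)
        line = f"{a.ts:%Y-%m-%d %H:%M} {a.source:<10} {a.detail} ({a.nbytes} bytes)"
        out.append(("EXAM" if examine else "", line))
    return out


def bytes_moved_out(user: str, artefacts: List[Artefact], resigned: datetime,
                    weeks: int = 2) -> int:
    """Total volume leaving through movement channels in the window."""
    return sum(a.nbytes for a in pre_departure_window(user, artefacts, resigned, weeks)
               if is_movement(a))


if __name__ == "__main__":
    for flag, line in flag_timeline("jsmith", ARTEFACTS, RESIGNED):
        print(f"{flag:<4} {line}")
    print("bytes moved out:", bytes_moved_out("jsmith", ARTEFACTS, RESIGNED))
```

Widening `weeks` (the author recalls one case six months out) simply lengthens the window; the point of keeping the records from each channel in one place is that the USB connection, the bulk copy two minutes later and the webmail upload the next morning read as one sequence rather than three unrelated log entries.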
The New Perimeter: Keeping corporate data secure in the mobility era
By Bill Hicks, Senior Consulting Director, Oracle
Gartner expects that by 2016 there will be more than 300 billion app downloads annually from mobile app stores [Source: Managing Enterprise Mobility, a Gartner presentation by Monica Basso and Rob Smith, 2013], and that by 2017, 25% of enterprises will have enterprise app stores for managing corporate-sanctioned apps on mobile devices and PCs [Source: “Gartner Says that by 2017, 25 Percent of Enterprises will have an Enterprise App Store,” Gartner press release, Feb. 12, 2013. http://www.gartner.com/newsroom/id/2334015]. This is hardly surprising given the benefits mobility offers organisations: mobility removes many barriers inherent in traditional business, enabling companies to reshape their organisations and processes for the digital data economy. However, the move to mobile is not without its challenges. Gartner recently revealed that the biggest challenge companies are facing is not in creating mobile applications.
Instead, 85% of the cost and time enterprises spend deploying mobile solutions goes on integrating the application into the back end of the business and on security. In particular, mobility challenges the traditional security perimeter of a company. Historically, the corporate perimeter was the firewall at the network edge. Today, mobile applications move data in and out of the firewall-protected data centre and transmit data to and from hybrid computing infrastructures that are accessible by the company, partners and customers on any mobile devices that these entities and individuals might use. This pushes the perimeter out to the device: to the end point where data consumption occurs. Businesses need to understand this change and the new risks involved, and protect the evolving and increasingly complicated perimeter that mobility creates. What makes this new ‘edge’ perimeter so complex is
that it is influenced by all the people, devices and data – structured corporate information as well as unstructured data such as access credentials, documents and local copies of intranet websites – that access the network. In addition, the device market is constantly changing, with new devices, form factors, operating system upgrades and software updates that influence how company data is accessed or viewed. The prolific app ecosystem is also populated with products that are vulnerable to malware and other attacks. Finally, the devices themselves can be lost or stolen. In addition to managing these risks, companies need to pay close attention to two additional and very important concerns: who owns the data, and where is the data? Data ownership questions arise when corporate data is delivered on devices or infrastructure that is not owned by the corporation, and when an employee’s identity-based corporate credentials facilitate access to corporate data yet the data is still controlled by IT. This can lead to corporations losing the ability to know precisely where their data is and who is using it. This is an increasingly challenging problem for companies today because smartphones, tablets and mobile apps make it extremely easy for employees to use and share data on their devices, and the devices can store any type of data, from emails to proprietary materials to large graphics and video files. So what is required? First, the corporate perimeter needs to be extended to the end point where data consumption occurs.
Second, companies must have the ability to connect an identity to every piece of data that is stored, used and transmitted, regardless of department, company, system and geography. One way of doing that is attaching an identity to all data, which will benefit companies because it puts identity at the heart of all solutions. In its most basic implementation, a company could use the identity associated with a device to assign a policy to data used by the device. This would give the company the ability to control the data as it is stored and transmitted and the capability to allow or prevent access to the data. Many types of business processes and proprietary information could be protected by this capability. Corporations also need the ability to securely shred any
data that belongs to the company. To do this, companies have used a variety of methods, such as virtual desktop infrastructure (VDI) and dual-boot or dual-persona access tools, to manage BYOD as well as corporate-owned, personally enabled (COPE) devices. However, first-generation approaches have not been able to effectively satisfy both IT and employee priorities. In particular, preventing the comingling of corporate and personal data on these devices has become a fundamental issue. Companies have tried simply limiting the use of personal features on devices, but this strategy is not friendly to employees who want to use their devices for personal email, applications and features during non-work hours. Indeed, such strategies can actually become counterproductive for companies if the security methods present a barrier to use and dissuade employees from taking full advantage of mobile enterprise applications and tools. Instead companies have turned to mobile device management (MDM), mobile application management (MAM), and other more specific techniques such as identity management, secure containers, secure-access and Single Sign-on tools. These are all gaining traction among corporations, but crafting a coherent security strategy with a variety of discrete products can be problematic for many companies and often is not viable for the long term. A piecemeal solution adds cost and complexity for enterprises as they seek to support, manage and maintain multiple management tools. Fragmentation also produces mobile security data silos, which generate fragmented views of data and services to the enterprise and create associated challenges for security auditing and compliance activities. Rather, security needs to become a business enabler. Because mobile security minimises risks, it gives corporations the confidence they need to exploit the many benefits mobility offers to their businesses. 
Analyst firms are noting the correlation between mobile security and business improvements, and the impact can be substantial. PricewaterhouseCoopers, for example, asserts that companies can realise 25% improvements in business performance if they carefully prepare their businesses to address mobile security vulnerabilities. [Source: Managing Security in a Mobile World, report published by PricewaterhouseCoopers, 2012, page 5. http://www.pwc.com/en_us/us/it-risk-security/assets/managing-security-in-a-mobile-world.pdf] The next generation of mobile security strategies now emerging should enable enterprises to provide a comprehensive framework while minimising the fragmentation challenges associated with earlier technologies. Gartner, for example, is emphasising this shift and is advocating that enterprises focus instead on integrated enterprise mobility management solutions. [Source: Managing Enterprise Mobility, a Gartner presentation by Monica Basso and Rob Smith, 2013] As industry innovates new architectures to address emerging security concerns, enterprises can take fundamentally important steps today to reduce the security risks associated with the evolving perimeter.
Step 1: Associate an identity with anything that connects to data that is owned or curated by the corporation
Many companies overlook the importance of identity and as a result identity is often a gap in business IT security practices. But identity is a powerful tool. It can be applied to people, devices as well as data and therefore plays a vital role in securing the new perimeter.
Step 2: Create a clean boundary between corporate and personal data
Companies must isolate corporate applications and data from within personal devices and they must maintain a secure separation between the two in order to prevent the comingling of corporate and personal data. The most effective approach for creating and managing this boundary is to implement mobile application management in conjunction with secure containers. MAM separates personal and corporate apps, allowing personal and corporate information to coexist independently on the same device while preventing the intermingling of data. It achieves this by facilitating and managing a secure container for corporate apps and data. The container itself is a highly specialised app that runs on a device. It is not dependent on the device OS and is both convenient for companies and employee-friendly, enabling employees to keep their personal apps and data when they leave a company even though the corporate workspace is deleted.
Step 3: Make sure your security controls do not distract from the user experience
Companies should make sure the security solutions they adopt are frictionless to the end user and that all application policies and entitlements are clear to users. Companies must also recognise that today’s employees, and especially the younger generations who will make up the future workforce, will not tolerate cumbersome processes that adversely affect the user experience.
Step 4: Make sure the hardware accessing your network complies with your security policies
Corporations need to know which devices their employees are using, make sure they comply with company security policies, and make sure that IT can secure each supported device as well as the applications and services that will operate on it. IT should also make sure it has the capability to block access from any device that is vulnerable, compromised or not supported by the IT organisation.
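The four steps above, expressed as one access decision, as an added example that is not Oracle’s product code or the article’s own: every data object carries the identity of the organisation that owns it (Step 1), corporate data is released only into a managed container that can later be shredded without touching personal data (Step 2), the decision returns reasons that can be shown to the user (Step 3), and device posture is checked before anything is released (Step 4). The field names, the supported-OS baseline and all sample identities and devices are constructed assumptions.

```python
"""Identity-centred access decision for the mobile 'edge' perimeter (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Identity:
    user: str
    org: str                  # organisation that issued the credential


@dataclass
class Device:
    device_id: str
    owner: str                # user the device is enrolled to (BYOD or COPE)
    os: str
    os_version: Tuple[int, int]
    managed: bool             # enrolled in MDM/MAM
    has_container: bool       # corporate container app present
    compromised: bool = False  # rooted/jailbroken, as reported by the agent
    corporate_items: Set[str] = field(default_factory=set)  # inside the container
    personal_items: Set[str] = field(default_factory=set)   # outside, never touched by IT


@dataclass(frozen=True)
class DataObject:
    name: str
    owner_org: str            # Step 1: identity attached to the data itself
    classification: str       # 'public' | 'internal' | 'confidential'


# Constructed baseline: oldest release IT still supports (Step 4).
SUPPORTED_OS: Dict[str, Tuple[int, int]] = {"ios": (7, 1), "android": (4, 4)}


def posture_problems(dev: Device) -> List[str]:
    """Reasons the device fails policy; an empty list means compliant."""
    problems: List[str] = []
    if dev.compromised:
        problems.append("device reported compromised")
    if dev.os not in SUPPORTED_OS or dev.os_version < SUPPORTED_OS[dev.os]:
        problems.append(f"{dev.os} {dev.os_version[0]}.{dev.os_version[1]} not supported")
    if not dev.managed:
        problems.append("device not enrolled in MDM/MAM")
    return problems


def decide(who: Identity, dev: Device, obj: DataObject) -> Tuple[bool, List[str]]:
    """Allow or deny, with reasons that can be shown to the user (Step 3)."""
    if obj.classification == "public":
        return True, ["public data"]
    # Step 1: the identity on the data must match the identity on the credential.
    if obj.owner_org != who.org:
        return False, [f"data belongs to {obj.owner_org}; credential issued by {who.org}"]
    if dev.owner != who.user:
        return False, ["credential used on a device enrolled to someone else"]
    reasons = posture_problems(dev)                      # Step 4
    if obj.classification == "confidential" and not dev.has_container:
        reasons.append("confidential data is released only into the corporate container")
    if reasons:
        return False, reasons
    dev.corporate_items.add(obj.name)                    # Step 2: lands in the container
    return True, ["identity, ownership and posture checks passed"]


def shred_corporate(dev: Device) -> int:
    """Wipe the corporate workspace only; personal apps and data remain (Step 2)."""
    removed = len(dev.corporate_items)
    dev.corporate_items.clear()
    return removed


if __name__ == "__main__":
    alice = Identity("alice", "acme")
    phone = Device("d1", "alice", "ios", (8, 0), managed=True, has_container=True,
                   personal_items={"family-photos"})
    forecast = DataObject("q3-forecast.xlsx", "acme", "confidential")
    print(decide(alice, phone, forecast))
    print("shredded", shred_corporate(phone), "items; personal left:", phone.personal_items)
```

The decision is deliberately stateless apart from the container: the same identity on a rooted or unsupported device gets the same denial with the reason attached, and off-boarding is one call that empties the container and nothing else.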
More and more corporations are using mobility solutions, cloud services and mobile applications to succeed in the digital data economy. As these companies look for improved security solutions, they will need next-generation, unified approaches that can effectively secure the corporate perimeter by managing all the people, devices and data that interact with the network. A flexible, integrated platform that puts identity at the heart of its solutions will give companies powerful new capabilities to address near-term mobile security challenges while positioning their organisations to confidently address future mobile security needs. In particular, an identity-based security model that incorporates mobile application management and containerisation tools will provide the rigorous, comprehensive framework needed to address key vulnerabilities while alleviating many of the challenges and fragmentation issues associated with traditional, device-centric strategies.
About the Author
Bill Hicks is senior consulting director for Oracle Middleware for Australia and New Zealand. In this role he is responsible for helping customers understand the changing IT environment and how Oracle solutions can help them harness and gain business benefits from cloud and mobile technologies.
Women in Cyber Security
A six-pack of cyber security awareness
By Kema Rajandran, Correspondent
Connie McIntosh, the woman who took out the Miss World Fitness and Miss Fitness Australia Championships in 2000 and 2001, is more than just a model and fitness fanatic: she is also the Senior Adviser at CERT Australia, the national computer emergency response team. With a Bachelor of Communication (Honours) in Information Technology, a Diploma of Management and a Diploma of Government (Contract Management), it’s a wonder how McIntosh has fitted in becoming a wife, mother of two children and a qualified personal trainer and fitness instructor, all within her early thirties. “I have been married for 12 years to my partner Graeme; we have two amazing, talented and beautiful children, one boy and one girl, who keep me busy with academic competitions, soccer, tennis, acting and modelling. I am an animal lover; I have two horses, a dog and a cat.” “My hobbies are fitness. I am a qualified personal trainer and group fitness instructor and I won the Miss World Fitness and Miss Fitness Australia Championships 2000 and 2001 - hobby taken to the extreme, I know.” A self-confessed lover of Ultimate Fighting Championship (UFC), Mixed Martial Arts (MMA), stand-up paddle boarding, bushwalking, the beach and outdoors and, above all, having fun, some may think the cyber world is a strange fit for McIntosh. “I have always been interested in computing and saw it as an exciting area which had many different opportunities. I knew it was a career that would never be boring and one which would allow me to continually learn, which is something I love to do, and it’s constantly evolving and always busy,” McIntosh said. “Security has been paramount throughout my career and it is one of the most exciting career choices you can make; the work is exciting, interesting and ever evolving.”
Connie McIntosh
CERT is part of the Federal Attorney-General’s Department and is the point of contact in Government for cyber security issues affecting major Australian businesses. “We also work in the Cyber Security Operations Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD).” In her first two years at CERT Australia, McIntosh’s role was Senior Technical Adviser. She assisted partners during incidents, liaised with partners on technical issues, analysed malware, actively identified vulnerabilities, provided technical guidance on mitigating threats and vulnerabilities, provided advice and assistance during incidents and worked with international partners to seek remediation of attacks originating overseas. McIntosh says that awareness of cyber security is on the rise amongst Australians; however, in general the number of incidents increases each year. “There are a number of factors that contribute to the rise of incidents, such as increased use of internet and digital products, an increase in the abilities and number of hackers, the sophistication of malware and targeted campaigns, software or hardware vulnerabilities, antivirus, antispyware, firewalls, lack of personal security around passwords (i.e. having different passwords for all your accounts online or sharing your password), computer sharing and non-hardening of systems.” “Hackers are successfully using events such as G20 and MH370 to send phishing emails that attract attention and entice users to click on links which, unbeknown to the user, then install malware onto their device, allowing hackers to gain access to the device.” As technology is ever changing and mobile devices are increasing in the workplace, McIntosh keeps up to date with topics of interest around the world through webinars.
“There is certainly more focus on security since September 11 and that is for the benefit of society.” “I am now a Senior Adviser focusing on engaging international and national partners, hosting information exchange events, signing up new partners, business analysis, liaising with government, industry and international networks.” “I really enjoy collaborating with international and national partners on improving cyber security. The cyber security community is a very positive one and is highly collaborative in an effort to achieve good outcomes.” But it’s not all desk-bound for this multitalented pocket rocket: last year McIntosh ran the 2013 Asia Pacific CERT (APCERT) Conference and Annual General Meeting, hosting 19 countries for four days with over 100 delegates, something she truly enjoyed. “I am really lucky to have the ability to work in the technical and non-technical areas, being able to keep across issues affecting our partners and being able to see the work we do making a difference.” Treated as one of the boys from early on in her career, McIntosh admits security is very much a man’s world;
however, she loved it, having grown up with brothers and being comfortable in a male environment. “A very memorable time was at the Department of Finance when I started my career in the Australian Public Service; it will always be a treasured time. The guys Barry, Andrew1, Andrew2, Owen, Wayne, Siggy and Pete all taught me so much and watched me grow up, get married and have children; we were like family.” “Since then much has changed in gender diversity; in CERT Australia we have approximately 40 per cent females. Security is a real option for women as a wonderful career choice.” Having worked across three key Federal Government Departments in her career thus far, McIntosh was not afraid to get her hands dirty and began at the Department of Finance in an operational role. “I was splicing fibre by hand, making pin cables, building and monitoring systems and networks. I worked in Parliament House, which was great; I was in and out of the Prime Minister’s and other Ministers’ offices frequently.” Four years later she moved across to Defence, undertaking an IT role for two years before moving to the Attorney-General’s Department, where she worked in their Technical Operations environment. “I returned to the Department of Finance in the Government Fibre Network team, building fibre networks for the government, project managing installations and business relations.” It was only five years ago that McIntosh returned to the Attorney-General’s Department, working as Operations Manager in Networks and Systems before she joined CERT Australia in 2011. “CERT Australia is at the forefront of cyber security and we constantly work on actively identifying vulnerabilities and notifying our partners. We assist critical infrastructure in protecting their networks; we assist in incident investigation and information sharing.” “Our capabilities are growing rapidly and I highly encourage women and girls to seriously consider a career in security, IT and in particular cyber, as it’s exciting, challenging, interesting and evolving.” “I have always worked in security-focused roles and I have found throughout my career I’ve been fortunate to work with great managers who embody professionalism, and I’ve strived to learn from them all.”
Australian Security Magazine | 33
Cyber Security
The Great Security Con
How to Right-size your Information Security Investment
By Mike Thompson, Director – Information Security Products and Services, Linus Information Security Solutions
In a world of burgeoning threats and increasing organisational security demands, it has never been harder for a CIO to ensure they are right-sizing their Information Security (IS) investment. Innovative CIOs are now going above and beyond traditional IS solutions. Throwing money at your IS investment with your fingers crossed is, quite frankly, an irrational way of ensuring you aren’t exposed to security risk. What if you haven’t thrown enough money? Or what if you were asked to justify your investment spend to your stakeholders? More security isn’t necessarily better. So, how do you ensure your IS investment is just right?

Fear, Uncertainty and Doubt (‘FUD’) – the drug of choice for Security Vendors

The aim of the Security vendor is to raise the level of fear and paranoia to sell you their solution. Sure, part of what they are doing is community awareness, but the potential threats are typically hyped. Security control vendors, in particular, make money out of selling protection gear, regardless of the actual need in a particular organisation. Firewall vendors, for example, will talk about the growing leagues of international criminal hackers trying to break into your system, and AntiVirus vendors will send virus alerts daily, creating a mind-set that, unless you buy their products, you are not protected. The well-organised marketing arms of these companies ensure a constant stream of press releases is always at hand. Of course, there is some truth in these community announcements that cannot be ignored, but we need to seek a balanced view rather than a knee-jerk response.

Most organisations tend to be reactionary when they recognise a potential problem. Instead of analysing the situation, there is a propensity to jump straight to the vendor-driven solution. Many organisations naively trust vendors as independent experts, when ultimately the only vendor agenda is that more security is better, regardless of your specific business needs. Without a clear business-driven model, security solutions will continue to be poorly targeted, increasing risks and costs.

Technology Limitations

If we take Biometrics as an example, they simply don’t work effectively for mainstream use. Contrary to misleading claims from vendors, the US National Research Council (NRC) published a report in 2010, “Biometric Recognition: Challenges and Opportunities,” which concluded, “no single biometric trait has been identified as stable or distinctive… which has placed doubt about the reliability of fingerprint, iris patterns, voice recognition and facial recognition systems.” Biometrics per se are not a bad thing; rather, they have been peddled as the panacea for a vast array of Security problems. In reality they are only effective in a small number of niche solutions. The public perception is that biometrics are better than a password when, in fact, the opposite is more likely to be true. A strong password has potentially billions of combinations and is extremely difficult to break, but a fingerprint, for example, after adjusting for false acceptance and rejection rates in real world use, typically has a 1 in 20 to 1 in 601 chance of being unique. Even the most advanced finger-printing systems can be easily breached by taking a copy of the finger-print off a glass and using a gummy finger-print system to create a latex print equivalent which can be used to gain access. It is actually easier to hack many Biometric controls than a strong password, and every biometric system that we have today is fallible, including some DNA testing. This is not a criticism of Biometrics; we just need to understand their limitations and only use them where they are an ideal solution.

A time-keeping system, for example, is a reasonable application for Biometrics. In this case, the finger-print system is not used for authenticating access to sensitive data; it is purely being used as a method of establishing a level of trust that the individual is physically present at a given point in time. In this context fingerprints are more effective than a signed ledger or clock card, assuming users are properly educated, enrolment and backend storage of credentials are properly implemented, and the ROI stacks up.

Firewalls are another prime example. It is easy to visualise a firewall as an impenetrable moat around a castle, designed to keep the bad guys out. Unfortunately, in a connected world we need external access to key systems, so we need a draw-bridge across the moat to let the good guys in and out. The challenge is, how do we distinguish the good guys from the bad guys crossing the bridge? Vendors will tell you they use sophisticated packet inspection techniques, but in reality the firewall is unable to distinguish between a good IP address and a bad IP address without business context. The real security takes place at the system or application level, where credentials and business context can be established. If firewalls typically play only a small role in effective security for externally accessible systems, why do they receive such a disproportionate share of information security budgets?
Ideally we need an independent rating system for Security controls that allows us to quickly and easily determine a control’s real-world effectiveness in a specific business context. Why build Fort Knox if you are not protecting gold? Organisations have limited budgets and must spend what little they have where it is needed most. Where there is an identified need, the organisation must be assured that the solution is optimal – no more, no less.

It is often argued that more Security is always better. If there were options to improve Security at little or no cost and without hindering business processes, it would always make sense to implement them. In reality, those solutions rarely exist. There is always a price for Security, whether it is capital cost, the effort required to maintain and manage the solution, or simply the additional hurdles that the organisation must jump to perform their daily tasks. Keeping those costs to a minimum is essential for all organisations.

So how do you right-size your IS investment? Firstly, you need to know the sensitivity of your data, as this will tell you the amount of Security required. At Linus we call this Data Sensitivity Analysis, or the “So what?” test, as in “So what if this data is exposed? What will the impact be on the organisation?” This step determines what data is worth protecting before investing in infrastructure or making Security design and management decisions. Obviously the more sensitive the data, the more protection is required. Conversely, data that is not as sensitive requires less security, resulting in potential cost savings for the organisation where controls can be reduced.

Next you need to analyse the Access Environment to build a picture of the various data storage locations and the access methods and behaviour employed by users to access that data. From this information you can start to model the points where specific Security controls should be applied to protect sensitive data.

Manage IS controls holistically

The aim of right-sizing your IS investment is to determine the minimum, most cost-effective set of Security controls, combined across all control layers, to collectively reduce the exposure of data to an acceptable level which is commensurate with the data’s sensitivity (in terms of confidentiality, integrity and accountability).

For example, a power utility located the IT application that controlled the region’s power supply on several workstations in a locked and secure room, on a closed network with physical access, which was only available to a select few people. An audit highlighted that passwords had not been changed on these workstations and that this posed a Security weakness. In isolation this concern seemed reasonable, but when combining the controls holistically, a different picture emerged: the main building required keycard access through a guard-supervised boom gate. Only a dozen or so staff were allowed access to the main operations area in the building. Only three staff were physically allowed access to the room housing the workstations. Put simply, there was no serious weakness, as physical controls ensured that only the three staff who required access to the workstations could enter the room. Holistically, the Security controls were adequate, even with a password weakness.

The holistic approach not only provides a cumulative benefit, but also simplifies the selection process. The aim is to allow full utilisation of existing Security controls, and combinations thereof, and avoid additional or expensive controls wherever possible.

In summary

In this connected world, it is more important than ever to align security with specific business needs and carefully target investments where they are most needed in a holistic and balanced manner. This is a challenging process for organisations, but it can be greatly simplified with the right methods and supporting tools.
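The right-sizing steps above (sensitivity target, then the cheapest combination of controls across all layers that meets it), worked through as an added example; this is illustration code, not Linus Information Security Solutions' method or tooling. The control effectiveness figures, costs and the sensitivity scale are all constructed for the example, and the power utility case is modelled with those invented figures.

```python
"""Right-sizing a set of security controls (added illustration; this is not
Linus Information Security Solutions' method or tooling).

Assumptions, all constructed for this example:
  * a control independently stops a fraction of unauthorised access
    attempts along an access path (its "effectiveness");
  * the residual exposure of a path is the product of (1 - effectiveness)
    over every control on that path, i.e. controls are combined
    holistically across physical, network, system and application layers;
  * the "So what?" test maps the data's sensitivity to the largest
    residual exposure the organisation will accept;
  * effectiveness and cost figures are invented sample values.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    name: str
    layer: str             # physical, network, system, application, procedural
    effectiveness: float   # fraction of attempts stopped, between 0 and 1
    annual_cost: int       # capital plus effort, in arbitrary units


# Data Sensitivity Analysis ("So what if this data is exposed?"):
# sensitivity -> maximum acceptable residual exposure (constructed scale)
SENSITIVITY_TARGET = {
    "public": 1.0,
    "internal": 0.25,
    "confidential": 0.06,
    "critical": 0.002,
}


def residual_exposure(controls):
    """Fraction of attempts expected to get past every control on the path."""
    residual = 1.0
    for control in controls:
        residual *= 1.0 - control.effectiveness
    return residual


def right_size(existing, candidates, sensitivity):
    """Cheapest subset of `candidates` that, combined with the controls
    already in place, meets the target for this data sensitivity.

    Returns (total_cost, chosen_controls), or None if no combination of
    the offered candidates can reach the target.
    """
    target = SENSITIVITY_TARGET[sensitivity]
    best = None
    for size in range(len(candidates) + 1):          # size 0 = buy nothing
        for subset in combinations(candidates, size):
            if residual_exposure(list(existing) + list(subset)) <= target:
                cost = sum(c.annual_cost for c in subset)
                if best is None or cost < best[0]:
                    best = (cost, subset)
    return best


# Case 1: the power utility from the article. Existing physical and network
# controls cost nothing extra; the audit proposed fixing the password weakness.
UTILITY_EXISTING = [
    Control("keycard entry at guard-supervised boom gate", "physical", 0.90, 0),
    Control("operations area limited to a dozen staff", "physical", 0.80, 0),
    Control("control room limited to three staff", "physical", 0.90, 0),
    Control("closed network with no external path", "network", 0.95, 0),
]
UTILITY_CANDIDATES = [
    Control("rotate workstation passwords", "system", 0.50, 5),
    Control("hardware token logon", "system", 0.90, 40),
    Control("additional firewall appliance", "network", 0.60, 120),
]

# Case 2: the same application reachable remotely, with no physical controls
# on the access path. Here the application layer is where trust is established.
PORTAL_CANDIDATES = [
    Control("rotate application passwords", "application", 0.50, 5),
    Control("application-level multi-factor logon", "application", 0.95, 40),
    Control("perimeter firewall appliance", "network", 0.60, 120),
]


def describe(result):
    """Human-readable summary of a right_size() result."""
    if result is None:
        return "target not reachable with the offered controls"
    cost, chosen = result
    names = ", ".join(c.name for c in chosen) or "nothing"
    return f"spend {cost} on: {names}"


if __name__ == "__main__":
    print("utility / critical:", describe(right_size(UTILITY_EXISTING, UTILITY_CANDIDATES, "critical")))
    print("portal / confidential:", describe(right_size([], PORTAL_CANDIDATES, "confidential")))
    print("portal / critical:", describe(right_size([], PORTAL_CANDIDATES[:1], "critical")))
```

With these figures the utility's existing physical controls already meet the "critical" target, so the cheapest addition is nothing, while for the remotely reachable portal the application-level control is chosen and the costly firewall is not.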
Honeywell Building Solutions Feature
The Enemy within – Securing the business against the internal threat
By Michael Brookes, Honeywell Building Solutions
The news archives are littered with stories of organisations betrayed by trusted colleagues, including the most innocuous-looking workers. The trust that organisations place in their workforce can leave them vulnerable to malicious employees, who often use clever methods to hide their illicit activities. Attacks from the inside carry the potential for significant damage that can rival or even exceed the damage caused by external forces. Internal attacks that continue undetected can cause serious harm to an organisation. Perhaps most significantly, they can expose the personal information of customers or employees. A breach of this kind — whether it is identity theft, inappropriate use of data or the sale of sensitive information — can leave an organisation legally liable for associated damages and subject to regulatory fines. In addition, a company’s competitive position could suffer if an insider uses intellectual property or trade secrets for unauthorised purposes.

Insider threats in particular present a unique problem for a physical protection system. Insiders could take advantage of their access rights, complemented by their authority and knowledge of a facility, to bypass dedicated physical protection elements or other provisions such as measures for safety, material control and accountancy, and operating measures and procedures. Further, as personnel with access in positions of trust, insiders are capable of carrying out ‘defeat’ methods not available to outsiders due to protective measures such as intruder detection and access controls. Insiders have more opportunities to select the most vulnerable target and the best time to execute a malicious act. Therefore, securing the business against the insider threat requires firstly an assessment to understand what those threats might be.

Insiders may have different motivations and may be passive or active, non-violent or violent. The term ‘motivation’ is used to describe the motive forces that compel an adversary to perform or attempt to perform a malicious act. Motivation may include ideological, personal, financial and psychological factors and other forces such as coercion. Insiders could act independently or in collusion with others. They could become malicious on a single impulse, or act in a premeditated and well prepared manner, depending upon their motivation.

Anybody can pose a threat

Insiders may hold any position in an organisation, from security guards through to maintenance staff or even senior management. Others not directly employed by the operator but who also have access, such as vendors, emergency personnel (including firefighters and first responders), contractors, subcontractors and inspectors from regulatory organisations, should also be considered.
It is vital that organisations understand normal employee baseline behaviors and also ensure employees understand how they may be used as a conduit for others to obtain information. Thus, one of the first steps must involve policy making — the definition of parameters for acceptable behavior within a peer group. These parameters will serve as the baseline for comparative analysis, so it is important to establish user profiles based on historical data or concrete experience — not just business expectations that may or may not be realistic. Building a baseline understanding of the personalities and behavioral norms of those previously defined as ‘insiders’ will make detecting deviations in these norms easier. Some general behavioral characteristics of insiders at risk of becoming a threat include:
• Greed/financial need
• Vulnerability to blackmail
• Compulsive and destructive behavior
• Rebellious, passive aggressive
• Intolerance of criticism
• Self-perceived value exceeds performance
• Lack of empathy
• Predisposition towards law enforcement
Obviously, these characteristics alone do not mean that your organisation is at threat, nor is this an exhaustive list, but it is important to realise that individuals who exhibit these characteristics may reach a point at which they carry out malicious activity. One of the best prevention measures is to train employees to recognise and report behavioral indicators exhibited by peers or business partners.

Who should have access?

Another common-sense recommendation for preventing security breaches is to restrict privileged access to as few people as possible and keep watch over those who do have it. Insiders may indeed have access to some or all areas of a facility, systems, equipment or tools, or possess intimate knowledge of the facility layout, transport arrangements and/or processes, physical protection, safety systems and other sensitive information. Too often, organisations give employees more access to systems and data than they really need to do their jobs. They also fail to monitor or disable accounts for third-party contractors when their work is done, or to delete access privileges for ex-employees.

Integrated Security Systems

Most organisations will have at least some of the security elements needed to protect against malicious internal attacks: authentication systems, asset tracking software, device and Internet usage monitoring capabilities, to name a few. However, it is critical for these pieces to interact as seamlessly as possible. One of the difficulties in detecting insider attacks is the time it takes to analyse a vast amount of data coming from a wide array of devices, entry points and user accounts. Through the integration of a wide range of security components, both physical and cyber, systems can communicate in real time, enabling a faster response before data can be used for illegitimate purposes — and potentially even predict and prevent malicious attacks.
Administrators should be able to access a central console that compiles messages and events from systems that monitor everything from door alarms through to network devices and application usage. This removes much of the effort normally required when trying to manually review historical logs and searching for complex relationships across systems. Integration enables events to be correlated across the Enterprise. For example, the ability to identify that an employee has remotely logged on to an application without having passed through physical access points, such as a badge reader or an onsite workstation, can immediately flag the behavior as unusual and potentially harmful. Without this automatic, real-time correlation, the remote access may not be detected quickly enough. A delay of even a few hours can provide an ample window of opportunity for a would-be attacker.

Similarly, an automated response to events can also help to prevent or mitigate damage. This may be alerting security personnel, automatically turning on CCTV recording, or even notifying emergency services; the systems themselves must be capable of acting immediately in response to unacceptable behavior.

The overall approach of securing the business against the insider threat consists of implementing several layers of defence, including both administrative aspects (procedures, instructions, access control rules, confidentiality rules) and technical aspects (multiple protection layers fitted with detection and delay) that insiders would have to overcome or circumvent in order to achieve their objectives. Implementing preventive and protective measures to counter the insider threat is usually much more difficult than implementing measures to counter the outsider threat, due to the access, knowledge, authority and attributes of insiders. Thus, although already partially addressed for the outsider threat, any elements that could provide protection against the insider threat should be considered. These elements include deterrence, detection, delay, and defence provisions. Their synergetic effect should be established and formally integrated within the comprehensive approach.

Honeywell offers a range of solutions that allow organisations to keep pace with the dynamic security threats facing them today. By evaluating the impact of evolving vulnerabilities and business risks, an organisation can identify its strengths and weaknesses, and implement practical measures to effectively align security programs with specific business objectives. Our services include operational risk and security assessments, and design and implementation of security technologies to provide perimeter security, application security, enterprise authentication and access control. Our extensive experience, coupled with advanced technology, provides superior knowledge and best-of-breed tools and techniques, enabling us to deliver tailored security solutions that integrate the right combination of hardware, software, and access and policy management platforms for our customers.
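The physical/cyber correlation described above, as an added example that is not Honeywell EBI code: constructed badge-reader and application-logon events are checked for a logon that is inconsistent with the user's badge state. It generalises the article's single case to both directions, an onsite logon with no badge entry and a remote logon while the user is badged in on site; the event format and sample data are invented for the example.

```python
"""Correlating badge events with application logons (added example; not
Honeywell EBI code). Event lines are a constructed format:
    "<YYYY-MM-DDTHH:MM> <user> <badge_in|badge_out|logon> <detail>"
where <detail> is a door name for badge events, or "onsite"/"remote" for
logons. A logon is flagged when it contradicts the user's physical state.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    kind: str     # "badge_in", "badge_out" or "logon"
    detail: str   # door name, or "onsite"/"remote" for a logon


def parse(line):
    """Parse one constructed event line into an Event."""
    ts, user, kind, detail = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, kind, detail)


def present_on_site(user, at, events):
    """True if the user's latest badge event at or before `at` is an entry."""
    last = None
    for e in events:
        if e.user == user and e.kind in ("badge_in", "badge_out") and e.time <= at:
            if last is None or e.time >= last.time:
                last = e
    return last is not None and last.kind == "badge_in"


def correlate(events):
    """Return (time, user, reason) for every logon inconsistent with badge state.

    - onsite logon with no prior badge entry: the credentials are being used by
      someone who did not physically enter, or the entry was not recorded;
    - remote logon while badged in: the person on site and the remote session
      cannot both be the same user.
    """
    alerts = []
    for e in sorted(events, key=lambda x: x.time):
        if e.kind != "logon":
            continue
        onsite = present_on_site(e.user, e.time, events)
        if e.detail == "onsite" and not onsite:
            alerts.append((e.time, e.user, "onsite logon without badge entry"))
        elif e.detail == "remote" and onsite:
            alerts.append((e.time, e.user, "remote logon while badged in on site"))
    return alerts


# Constructed sample day: alice behaves consistently, bob logs on at a
# workstation without badging in, carol connects remotely while on site.
SAMPLE = """\
2014-10-02T08:55 alice badge_in front-door
2014-10-02T09:02 alice logon onsite
2014-10-02T09:10 bob logon onsite
2014-10-02T12:30 alice badge_out front-door
2014-10-02T13:05 alice logon remote
2014-10-02T14:00 carol badge_in side-door
2014-10-02T14:20 carol logon remote
""".splitlines()


def analyse(lines=SAMPLE):
    """Parse the lines and run the correlation rule over them."""
    return correlate([parse(line) for line in lines])


if __name__ == "__main__":
    for when, user, reason in analyse():
        print(f"{when:%H:%M} {user}: {reason}")
```

In a real deployment the alert list would feed the automated responses the article names (notifying security staff, starting CCTV recording) rather than being printed.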
National Security
Security threat, fear and being the adults in the room
By Matthew Curtis, Chair, Australasian Council of Security Professionals
First Published Online 22 September 2014
Against the national security events of the last week, the Security Profession would like to offer some thoughts to those in the community who might be wondering what it all means.

In the last few days, Australia’s national security apparatus disrupted plans by ISIL (Islamic State of Iraq and the Levant) sympathisers resident in Australia to select people at random and behead them. Since the rule of law applies in Australia, unlike in ISIL-occupied territory, charges laid against those arrested will need to be proven in court. The presumption of innocence applies. However, we should be encouraged that the police operation appears to have been an intelligence-led, well coordinated and professional security response involving State and Federal Police and the Australian Intelligence Community.

Since then, we have been exhorted basically to ‘carry on and keep calm’, although the national terrorism alert level was last week raised from ‘medium’ (an attack ‘could occur’) to ‘high’ (an attack ‘is likely to occur’). This is correct, but it does not mean that we should stop thinking. The word ‘discipline’ needs to be added to the discussion.

Security is about ‘culture’. We have national and state law enforcement and security authorities, and security advisors with various roles, but a secure society is first and foremost one in which people are disciplined in their actions and words. As individuals, we need to understand security threats, which in turn requires us to weigh facts rationally and not resort to impulse or knee-jerk reactions. Otherwise the radicals have won.

Australians are well-placed here. We have evolved a highly sophisticated, inclusive and egalitarian society, with a long and proud democratic tradition. Consistent with this, we are bound to act with leadership, restraint, sophisticated strategy and unity of purpose. We are, and need to be seen to be, the ‘adults in the room’. Those of us with a public voice doubly so.

What happened last week was not the first time that terrorist intent and planning in the community has been detected and thwarted. Alienated, angry men and women can be drawn to high-profile causes that offer simplistic answers to complex matters and that prey on their fears, insecurities and gullibility. Evil has always been done in the name of one-dimensional ideologies – “four legs good, two legs bad” as coined by George Orwell in Animal Farm, or “Christian/Muslim/Jew good, Christian/Muslim/Jew bad”. Talkback radio is replete with such messages right now. Easy jingoism is not needed and the three word slogan should be put away. These are the reasons why:

ISIL will not last in any semblance of order – it will be a failed state and will splinter. Yes, ISIL’s destruction must be hastened, but to what degree is this to be done by external parties (the US, Australia, UK, Middle East actors and others), and what interests exactly would external involvement serve? Remember that the ‘Irish problem’ in the end was solved by the Irish themselves. Washington and Westminster got out of the way. In the ISIL context, Australia’s ultimate strategic interest is for the Middle East region to behave in accordance with our needs, and right now, we would be well served by espionage, sabotage and cultivating the authority of friendly elements. Australia tends to do these things quite well, but a slide into conventional military operations on the ground will cost us precious lives and treasure, and may make us a bigger target for extremism.

And what about the ultimate stakeholders? When will Iran, Saudi Arabia, Turkey and others take a hand and rein in the sectarianism that has so cynically been fuelled in Iraq and Syria through their proxies? Effective action by these important participants would seem to be a necessary part of the mix. There is no sign of it occurring, which means that deep strategic consideration is needed in committing forces. Has this been done? Such considerations would be much simpler were the current situation purely a military problem. It is not.

With or without our encouragement IS will pass, but angry, alienated youth will still be recruited by remnant splinter groups, which will still be supported by sympathisers in the Arab world, Iran and elsewhere. What we have seen in Sydney and Logan in recent days is the tip of a massively complex and tricky public policy problem – the mix of policy settings necessary to counter (over decades) the evolution of extremist home-grown elements, or CVE (Countering Violent Extremism).

Despite the events of the last week, we must remember that Australia has been much more successful at integrating diverse immigrant populations than many countries. We can take great hope from this. It is amazing that a former Vietnamese refugee was installed as Governor of South Australia last month. Successive governments have done a lot of work on CVE (http://www.ag.gov.au/NationalSecurity/Counteringviolentextremism/Pages/default.aspx) and must continue to, although there appears to be an absence of discussion of these matters in the public domain. Also, despite recent announcements, funding is still much more scarce for this ‘softer side of counter-terrorism’ than for the enforcement side. There needs to be more discussion, because the complexity of the mix of measures needed (health, education, employment, opportunity, public security, community policing) is substantial indeed, expensive and in need of long-term bipartisan political will to sustain. It requires community support, and because of that, high-level community awareness. Government will need to do better here, but at a fundamental level, this is an individual matter.

As the peak representational group of the Security Profession, and as a key thought leadership group in security matters, we in the Australasian Council of Security Professionals make a plea: as members of the Australian community, you are responsible for your own security. You have a duty to educate yourselves properly on the facts of the security threats that confront you. You need to think rationally about these facts, not be blinded by the circus that will no doubt continue for some time around the activities of these few dysfunctional individuals. If we panic, and blame all Muslims, the radicals win. People, whatever the label you put on them, deep down want the same things – love, life and happiness.

Health Professionals will exhort us to educate ourselves about personal hygiene and diet, but it is the individual’s responsibility to wash and eat properly. These professionals are committed to the health of the community. We in the Security Profession are similarly committed – to the security of the community. And our message is similarly clear: educate yourselves, do not be sucked in by three word slogans and simplistic answers to a series of problems that have been around at least since before WW1. Be rational and rely on evidence. Act, speak and think appropriately in the tricky years ahead.

Further information on the Security Profession:
• Australian Council of Security Professionals www.securityprofessionals.org.au
• Security Professionals Registry, Australasia www.spr-a.com
National Security
Research and security professionalism: The Nexus
Many new professions are emerging across society and security is purportedly one of them.
By Michael Coole
Michael has worked in the Australian Defence Force, the correctional security environment and as a private consultant. In his current role Michael lectures in security studies at Edith Cowan University and is a PhD candidate with Curtin University. Michael holds an MSc (Security Science), BSc and Diplomas in Occupational Safety and Health and Management. Full References Available.
T
he embryonic development of emerging professions is challenging, with many barriers between their current standing and broad societal recognition as a profession. Professions are a social designation, from a sociological standpoint occupational groups engaging in self labelling do not define professions; it is the public and legal arenas through supported explicit jurisdictional claim which define them. The influential works of Wilensky (1964) voiced this very view, arguing that the lay public cannot accept the need for special competence in an area where everyone is an expert. A large body of literature exists to guide emerging professions through the professionalization process to become recognised as a group in charge of a body of knowledge that can be applied reliably to solve society’s problems. A review of such literature highlights that professional work is that which requires the use of discretion and judgement in making decisions backed by knowledge and skills and driven by values. For instance, Wilensky’s (1964) influential work expressed both cognitive and normative criteria for professional groups, stating the job of professional groups is technical-based on systematic knowledge or doctrine acquired through long prescribed training (cognitive); the professional adheres to a set of professional norms (normative). Consequently, a profession’s knowledge or doctrine represents its currency, its perceived value or worth in undertaking their role in society. Jacques (1989) works on the strata of labour supported Wilensky’s view, expressing that professional work relates to problem complexity, where such work relies on processed knowledge to engage in higher strata problem solving. A profession’s cognitive dimension is centred upon the knowledge and techniques in which this knowledge is applied (Larson, 1977). This knowledge according to Abbott (1988) is used to classify a problem, to reason about it, and to take
action on it. Or in more formal terms to diagnose, infer and treat an identified professional level problem. These tasks represent the three core elements of professional practice, and are undertaken accordant with the sciences or model of societal learning that underpins their application. Thus, professionals possess and use processed knowledge, tied to academic knowledge which underpins professional work. That is, its academic basis defines its jurisdictional boundary. The abstract knowledge required by practitioners to perform a profession’s work is what is meant by body of knowledge (BOK). This forms a resource, a professional knowledge system and is consistently taught to all members of the profession in order to prepare them for proper performance of their work. Reflecting on the sociological discourse, security does not stand up as a profession in the traditional sense as few outside the domain recognise its professional streams. This is not to say that individuals within the domain are not professional, it is just that in the group phenomenon security lacks professional recognition. Friedson (1973) explains this point through the professionals’ continuum. This sees two intersecting continuums, one encompassing a non-profession and profession end, the other a highly professional and unprofessional end. The first task is to locate where on the profession continuum your occupation lies, then where individuals within the category would sit in terms of their individual professionalism. According to Friedson (1973) doctors are professionals, but individual doctors may not carry themselves professionally. The opposite is true for taxi drivers, which is not a recognised profession but individuals within the occupational group may be very professional at what they do. Therefore, security practitioners may be highly professional, but they are not members of a recognised profession. Peterson (2014) clarifies security’s position well
National Security
stating traditionally common education (such as that found in medicine and law) is the seed to a profession. However, security in contrast draws its coherence through an informal community of practitioners rather than through a codified body of knowledge. Yet this does not need to be the case as all kinds of knowledge can be organised as common resources for such a body and this includes security knowledge. However, mapping a body of knowledge requires a clear research focus, as Horrocks wrote in 2001, identifying who or what delineates a security professional is vague, this point remains valid today. Security is well recognised as an occupational domain discipline, represented through a mosaic of complex tasks undertaken across various occupational groups, but few recognise what a security professional is. Such a state of ambiguity was recognised by the Australian Security Professionals Task Force (2008) stating, “this lack of comprehension is driven by ubiquitous understanding by security users of the difference between the quality and capabilities expected by those providing front-line operational services including manpower and technology, and those providing professional services security advice such as security advisors and risk managers. This position is exacerbated further by the lack of standards defining the expected knowledge, competencies and ethical behaviour of security professionals”. Before security as an occupational group can progress along its professionalization journey, there must be research undertaken with the aim of solidifying its academic basis. This basis must include a well-defined and inclusive yet clearly bounded body of knowledge, along with internal structure. 
However, security is a broad domain encompassing both traditional (threats to sovereignty) and non-traditional (threats within a nation state, such as law and order) endangerments, rendered across many organisations including government operations, the military, law enforcement, emergency services and private security operations. Thus the development of sound bodies of knowledge within the security domain must be clearly focused, commencing within jurisdictional practice areas. Within the non-traditional domain Manunta (1999) associated the discourse's focus with managing those threats which pose a risk to the functioning of a nation state, with roots spreading from disasters to crime prevention within the concept of law and order. Within this paradigm Talbot and Jakeman (2009) presented five salient, overarching and overlapping professional practice areas: physical security, people security, the security of information systems (ICT) and information security, layered over by the broader category of security management. Thus the mapping of a body of knowledge within the non-traditional stream must focus on codification of these practice areas as a start.

To commence jurisdictional understanding within the non-traditional stream, my current research is undertaking a cultural domain analysis of the physical security sub-domain. The aim is to fuse, through codification, the diverse cultural domain of physical security in terms of desired knowledge areas and their supporting content, along with its internal structure as an organised knowledge system for future physical security professionals. A cultural domain's structure is based on isolating the fundamental units of cultural knowledge, represented through repeated themes, organised on the basis of contrast and similarity in terms of hierarchy or other orderings.

However, one of the barriers in conducting security research is gaining the participation of those in the industry. Unlike domains such as medicine and psychology, where evidence-based practice and research-informed teaching are valued, many in the security domain are unwilling, or feel they are too busy, to engage in research programs. As a result security's progression through the professionalization process is impeded. This is in contrast with other emerging professions such as occupational safety and health (OS&H), which is enthusiastically progressing its body of knowledge. Unlike the security domain, OS&H's professional standing appears to be building, and many OS&H professionals are being assigned security oversight and responsibilities, as a perception exists that everyone knows security. The professionalization process in OS&H has seen salaries in that domain increase well beyond the salaries of many security professionals. Tooma's work highlights this nexus, locating the connection in the risk management approach. However, security risk management is a specialised form of risk management. In addition, security risk management is simply the means to diagnose the security or crime problem. Sitting under diagnosis are specific security theories and principles, along with core jurisdictional knowledge, that guide the selection of control or influence variables to treat the problem. For physical security professionals this embodies more engineering-type knowledge, including barriers and technology along with procedural controls, which combine to achieve an effective protective system. This again requires additional learning.

However, security will not be recognised as a specialised area at the professional level if it cannot demonstrate the requirement for a distinct knowledge base and what the fundamental elements of that base are. Thus, if security is to be recognised as a profession in the group phenomenon, the industry must actively engage in security-related research. This includes attempts to articulate its distinct body of knowledge within its practice areas and to demonstrate the worth of the security professional in accordance with the professional currency of their jurisdictional knowledge. Engaging in domain research needs to be a role and priority of every security professional and practitioner. For security professionals and practitioners, their value is tied to their public standing, and their financial remuneration is a product of that standing, which is in turn tied to the perceived level of knowledge and skills necessary to undertake their work. My current research is commencing this structural mapping journey, to show the detail and structure of the technical knowledge required to diagnose, infer about and treat professional-level physical security concerns.
Australian Security Magazine | 43
Frontline
Robbery... an uncomfortable truth
By Fraser Duff
For over two decades now there has been a common belief amongst safety and security experts that the best way to survive a critical incident and traumatic event such as robbery is to be compliant with a robber's demands. The idea is that following this simple approach will, on the balance of probabilities, afford you the greatest opportunity of survival and minimise consequential harm. This approach is based upon a strong belief that there is a connection between victim resistance and victim harm. There are many examples of victims who have been non-compliant, predominantly driven by a goal of "social justice": challenging, resisting, fighting, chasing and attempting to capture robbers in the commission of their crimes. Those victims have paid a high price, sometimes fatally, for their error in judgment. So it seems the main premise behind compliance is the perception that victims have one of two options: to comply or not to comply. Since non-compliance is construed as offering resistance, it is naturally associated with increasing the risk.

Having researched this traumatic event for many years, domestically and internationally, and conversed with many hundreds of victims, you start to question whether compliance adequately addresses all the foreseeable risks that can arise. When you challenge this assumption, as you should, you start to uncover some hidden truths, truths that really belie your beliefs about what is right in a circumstance that could cost someone their life. An incident some six years ago challenged my thinking significantly about what people really need to know about robbery. The victim and organisation will remain anonymous as I convey the events; however the details will reveal a grave situation. This was an incident in which
we were required to provide an opinion on the adequacy of the control measures taken to protect an individual while performing duties in a workplace setting. It involved a legal challenge under the common law tort of negligence and the OH&S statute law in force at the time. A young man in his mid 20s was working alone carrying out cash transactions with customers. During the mid afternoon he happened to notice three males loitering outside the building façade. He paid little heed to their presence, given there were customers inside, and he felt somewhat secure at the time. Later that evening, however, at around 8.30pm he started his night lock-up procedure. Just prior to leaving, he set the internal alarm system and then proceeded to exit the building. While key-locking the front door he was verbally challenged from across the street by three males some 40 metres away. They threatened him not to move as they raced across the road to accost him. They forced him to unlock the door and then pushed him inside, threatening him with a small revolver. Once inside they demanded he take them to the time delay safe located at the back of the premises. Unknown to the assailants, the time delay safe was programmed to remain locked until 9am the following morning. The assailants demanded the victim gain entry to the safe, regardless of the victim's attempts to explain the procedure. The assailants didn't believe him and continued to threaten him to open the safe, making him repeatedly re-enter his access code. After continued failed attempts they accused him of withholding and denying them access. It's at this point that their intentions changed and they started physically assaulting him, hitting him about the head with their fists and the butt of the revolver, nearly knocking him unconscious. Then the situation worsened: while he was on the floor after being beaten, the assailants proceeded to sexually assault him with the firearm. This attack was immediately followed by a decision to abduct him. Now consider this: "What are their intentions; good or bad?" They grabbed him and forced him to walk down the street, under the cover of darkness, some 200 metres to a location where their car was parked. The driver entered the vehicle via the driver's side door, while the two remaining assailants attempted to force the young victim into the back seat from the footpath. It was at this point that he felt his life was in danger and he believed that if he got into the vehicle he would meet his end. With that in mind he lashed out, breaking free from the grip of the remaining two assailants. He then fled down the street onto a main road and managed to hail a passing vehicle, which stopped and rendered him assistance. The assailants fled the scene and were never apprehended.

It was two weeks after the attack that the young victim finally told the police the full story of his ordeal, including the rape and abduction. The associated trauma of the event was so devastating for him, and he felt such enormous shame and stress over what had happened, that he couldn't bring himself to tell anyone. As I examined this case a terrible thought crossed my mind. Given the methodology of 'be compliant', what would have happened if he had followed these instructions explicitly, operating on a belief that his only option was to comply and be submissive to the will of violent criminals? This unfortunately is not an isolated incident; there are many robbery incidents where assailants don't just do what we expect them to do, i.e. take the valuables and go. Robbery is a crime of violence that can combine with other serious crimes, i.e. homicide, serious assault, grievous bodily harm, abduction, sexual assault and hostage taking.
In July 2014 in California, a gang of three armed robbers took three compliant female hostages as they left a bank robbery. In the course of their escape they shot and injured two of the hostages, dumping them from their getaway car. The third hostage was killed in a final showdown with police. It is robberies like these that force us to rethink what is the best and safest way for victims to respond when the situation they encounter doesn't follow the expected linear path.

After two years of design, and with the support of a major progressive client, a more holistic approach was developed: Robbery CTRM. The aim of this new approach is to provide a criterion-based and recognition-primed guide to decision making, to enable victims to appraise their specific robbery situation and determine what actions are best in their circumstances. The standard 'one size fits all' approach needed reworking to better align with what the research shows can go wrong. Compliance is still an integral part of the response; however it needs to be considered in concert with contingency options and last-resort measures to fully maximise victim safety in all arising circumstances. What was identified through thoroughly researching incidents, victim and criminal behaviour is that not all robberies are the same. Circumstance, environmental setting, other victims' behaviour, criminal disposition and motivation, and the affected state of the robbers vary greatly. The intention to carry out 'just a robbery' can and has changed during an attack. Situations don't always go as planned. Contingencies arise that exceed the boundary of current compliance-based training approaches, and inadequacies in this area can compromise safety. Consider the implications of the following circumstances should they arise.

1. You are attacked in a setting in which your whereabouts/situation is unknown to others.
2. The robber is not satisfied with what they have received and, despite compliant responses, demands more, with violence escalating rapidly or unpredictably.
3. You are compliant, giving them what they want, but it doesn't appear to be quelling their violent actions. The nature, level and purpose of their violence seem increasingly disconnected from the needs of robbery. You now develop grave concerns for your ongoing safety.
4. A customer or someone similar attacks a robber and a fight for survival ensues in your presence.
5. You are behind a secure area with considerable protection and there is no foreseeable way a robber can harm you.
6. You work in an area that has high levels of protection, i.e. ballistic screens that can be deployed, but by doing so staff and customers on the other side of the screen will be left unprotected.
7. You are confronted in the street, or in a carpark, or in your car, and the car doors are either locked or unlocked.
8. The robber attempts to abduct you or is occasioning considerable violence upon you or someone with you.

These situations require additional considerations around what's best and safest in the changing circumstances. Consider the enormity of leaving victims to contemplate a range of options, and to problem-solve possible courses of action that they have never previously considered or discussed, and to do so under actual traumatic conditions, with enormous stress and where their life is in the balance.
Robbery is a crime of violence, and the very nature of violence is that it can change what should otherwise be a 'predictable' course of events, resulting in a sometimes dramatic change in the risk profile. With greater access to information sharing and increased levels of understanding concerning the full ambit of risks that permeate this threat environment, there is a critical need to review current methodology. It requires us to consider more holistic approaches to a broader range of robbery circumstances so we can better serve the safety needs of all robbery victims.

Fraser Duff is the Managing Director of Passmore Duff Pty Ltd, The Workplace Violence Specialists, www.workplaceviolence.com.au. He has over 20 years' experience in critical incident risk management, underpinned by a Diploma in Adult Education (UTS), Adv Dip Sec Risk Mngt (CIT), MBA (AGSM) and fourth-year postgraduate Psychological Science (ACAP). Together with colleague Peter Flannery he has developed the Robbery CTRM (Counter Threat Response Model) methodology for critical incidents, in an e-learning competency-based format, to help better protect those at risk.
Top ten tips for business continuity
By Ms Rinske Geerlings, Managing Director of Business As Usual

Are you a retail business, tourism operator, local council, accountants' firm, manufacturer or other medium-sized or small business? Have you done anything to improve your readiness for the next flood, power outage, tsunami, fire or flu outbreak? Have your customers or regulators asked you yet for your Business Continuity Management (BCM) or Disaster Recovery (DR) plan? If not, they will soon!

ISO 22301... what is it?

ISO standards are auditable requirements documents that enable organisations to achieve better control over their processes, better quality internally and improved services to their external stakeholders. ISO standards are accepted and encouraged across a wide range of industries and countries all over the world. ISO 22301 for BCM is one of the more than 18,000 ISO standards. Apart from organisations being able to obtain ISO 22301 certification (after being objectively assessed by an independent institute), individuals can obtain certification by passing the relevant (PECB) exams, for example after attending a Business As Usual public or in-house training program (see also www.businessasusual.net.au).

What are the benefits of ISO 22301 certification?

Being certified against the standard means that the following activities are conducted in accordance with global best practice:
• Identification and management of threats to your operations
• Being proactive in minimising the impact of incidents on your time-critical processes
• Continuing to provide time-critical functions during times of disaster or disruption
• Minimising downtime and shortening recovery timeframes
• Achieving better (and/or cheaper) insurance arrangements, in particular business interruption insurance
• Demonstrating resilience to your current and prospective customers, regulators, suppliers and partners.
The top 10 (low cost) tips for SMEs

Whether you need better preparedness for the unavailability of your staff, suppliers, IT systems, buildings or facilities, consider actioning these tips for your organisation, no matter how big or small you are.

1) Have 'dual supplier' arrangements and/or manual workarounds in place.
2) Make all contact details available, including internal (staff, shareholders) and external (supplier, customer, media, next-of-kin) details, and make sure they are accessible from various sources (web, pre-populated SIM cards, hard copy, USB/thumb drive).
3) Know who in your business will make key decisions when an incident occurs, and when the top manager is not immediately available. Be as efficient as possible in your crisis response, and have the courage to act 'outside the square' and completely change your business direction if need be.
4) Be proactive in your notification of customers, the community and the press; don't wait for them to ring up and find out your business is no longer in normal operation. Ask your suppliers, banks, leasing company, landlord and/or the Government (e.g. the tax office) for delayed payment terms, rather than having them chase you for money.
5) Know which are your key time-critical functions/services/activities, and your biggest customers who bring in the largest chunk of your sales, and make plans to focus first on recovering activities related to those in case of a disaster, instead of wasting time on less important things.
6) Make plans for your staff to work from home or alternate locations. Use a virtual/shared office as an affordable continuity solution if need be, or set up a reciprocal arrangement with a business that has similar requirements to yours. Ensure you're able to divert services remotely (e.g. IT, phone, supplier deliveries etc.) and make sure you always have the necessary passwords and contact details available (the passwords held securely, for example in an access-controlled password manager or a sealed envelope, not in the same plain-text contact list).
7) Ensure your employees are able to perform several roles in case of illness/resignation; in particular in medium-sized or smaller organisations, you don't often have multiple 'extra staff' for every key role.
8) On the preventative side: understand and mitigate your security weaknesses (e.g. theft of your mail server) and have proper hygiene and infection management procedures in place (e.g. in relation to a flu outbreak).
9) Take out the insurance relevant to your business. Apart from fire/damage, general property, glass, accidental damage, money, liability, burglary, goods in transit, tax audit, equipment breakdown and fraud/dishonesty insurance, consider 'key person' insurance and business interruption insurance for your small business.
10) Use a smart best-practice template for your Business Continuity Plan (BCP); it can save you weeks of preparation.
No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.
To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au
TechTime - latest news and products
Milestone Systems Adds Support for Offline Camera Recording Using ONVIF

Milestone Systems, the open platform company in IP video management software (VMS), has just released its bi-monthly Device Pack 7.5 for the XProtect® portfolio of VMS products. The most significant feature in this upgrade is support for ONVIF Edge Storage: cameras with Edge Storage can record video directly to internal storage. Milestone XProtect® Corporate supports the intelligent use of camera-integrated Edge Storage as a complement to centralized video storage. Edge Storage can be used as a safeguard for uninterrupted video recording in the event of network or server failure. The flexible retrieval function in XProtect Corporate helps preserve network bandwidth when retrieving recordings from the Edge Storage in the camera, which keeps operation transparent from the user's perspective. Support for Edge Storage previously demanded dedicated driver programming by Milestone, working with the Camera Alliance Partners (CaPs). Milestone XProtect Corporate, for example, has supported Axis and Sony implementations of Edge Storage using dedicated drivers since 2012. The new implementation of ONVIF Edge Storage in Device Pack 7.5 enables Milestone partners and customers to choose devices from any camera manufacturer supporting ONVIF Edge Storage.
Hills full year FY14 results in line with market guidance

Hills Limited reported a statutory net profit after tax attributable to shareholders of $24.8M for the year ended 30 June 2014. In line with market consensus, the Company's FY14 underlying NPAT was $27.3M (before acquisition transaction costs expensed during the period and before one-off income tax credits associated with business sales). This result was achieved in very challenging market conditions across the building and construction sector, with improvements in revenue from the Group's continuing Hills Technologies segment. Hills Group Managing Director and CEO, Mr Ted Pretty, said: "The FY14 underlying result is in line with guidance provided to the market recently and further reflects our success in delivering on Hills' new strategy. Our restructure of Hills by exiting businesses non-core to its future and closing unprofitable businesses is now largely complete. We continue to drive new initiatives and programs to improve group operations," he said.
NEW Battery Testing Range Launched

Ideal for the security and electrical industries, the new Intelligent Battery Tester range from ACT Meters Ltd offers a practical and accurate solution for testing the lead acid batteries commonly used in back-up systems. The new ACT CHROME Intelligent Battery Tester simulates a 20 hour (C20) discharge test in just 6 seconds and displays the DC voltage and actual ampere-hour (Ah) capacity available within 12V SLA batteries between 1.2Ah and 200Ah. Similar in design, the new ACT 612 Intelligent Battery Tester is designed for 6V/12V standby SLA, cyclic GEL and car FLOODED batteries between 1.2Ah and 100Ah. It too simulates a 20 hour (C20) discharge test in seconds and displays the DC voltage and actual ampere-hour (Ah) capacity available. Both units are compact and robust in design and are free from complicated settings and functions. They provide fast and accurate results of battery Ah capacity and are an essential tool for security and electrical engineers who carry out routine checking of back-up lead acid batteries. The ACT CHROME Intelligent Battery Tester and ACT 612 Intelligent Battery Tester will be launched in November 2014. Visit www.actmeters.com to locate your nearest distributor.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
Senstar Announces RoboGuard

Senstar, the world's largest manufacturer of perimeter intrusion detection systems (PIDS), is pleased to announce RoboGuard™, a new first-of-its-kind autonomous perimeter surveillance robot. RoboGuard travels on a monorail and constantly patrols a secured perimeter. It conducts regular inspections of the fence line and can promptly respond to suspected intrusions. A complete system consists of autonomous robots, each covering up to 1 kilometer (0.6 mi), with a battery charging station for every two robots. Jim Quick, President of Senstar Inc., stated: "Senstar is very excited to bring this innovative technology to market. We see huge benefits for customers who wish to augment their perimeter security systems, especially in remote unmanned sites or where timely first response by guards is expensive or impractical." RoboGuard has two primary modes: routine patrol, in which the robot scans and searches for perimeter anomalies such as holes in the fence or suspicious objects, and response mode, in which the robot acts as first responder and rushes promptly to an intrusion alert. Jim Quick added that "Senstar is also pleased to announce RoboGuard has been recognized as Security's Best 2014 by ASIS (American Society for Industrial Security), as part of the annual Accolades program. We are honoured to receive this esteemed award and look forward to exhibiting at ASIS to show this solution to customers and partners." RoboGuard will be showcased at the Senstar booth (705) at ASIS 2014 in Atlanta, from September 29 to October 1. Along with RoboGuard, Senstar will be demonstrating FlexZone™, its fence-mounted ranging sensor announced earlier this year, as well as its cyber security line of products. The Senstar cyber switch has received an Honorable Mention in the Accolades program.

Facts about RoboGuard
1. Autonomous surveillance robot
• Automatic and manual modes
• Speeds of up to 30 km/h or 19 mph
• Covers up to 1 km or 0.6 mi per robot
• Powered by rechargeable battery
• Wi-Fi communication
2. Innovative, cost-effective solution for unmanned perimeters, remote sites and larger perimeters
• Laser-based detection of fence damage and nearby suspicious objects
• Rapid response to suspected intrusions
3. Wide variety of payloads including
• Laser scanner that acts as a short range 3D LIDAR (Light Radar) for perimeter inspection
• Fixed camera with IR illuminator for short range perimeter surveillance and threat verification
• PTZ camera with IR illuminator for medium range surveillance and tracking
• Two-way intercom between the control room and a potential intruder
International reports reinforce need to redouble China anti-counterfeiting efforts, says global hologram trade body

The international trade body representing the holography industry is urging China's manufacturers and authorities to redouble efforts to stem the tide of counterfeiting, in the light of new statistics which confirm the country remains the main source of fake goods. The International Hologram Manufacturers Association (IHMA) says reports from the EU, the Japan Patent Office (JPO) and the US Department of Homeland Security (DHS) are all reminders of the 'huge' threat posed to consumer safety by unscrupulous criminals. These reveal that while China is a leading supplier of goods to the world's markets, it is also the primary source of supply for counterfeit items entering Europe, the USA and Japan. Of all counterfeits confiscated at the EU's border in 2013, more than 79% had come from China. This amounted to almost 36 million items which, had they been genuine, would have had a domestic retail value in excess of €768 million. The top categories of items detained by authorities were clothing (12%), followed by other goods (11%), medicines (10%), cigarettes (9%), packaging materials (9%) and toys (8%). In the US, the value of counterfeit and pirated goods from China confiscated by the DHS was $1.1 billion in 2013, representing 68% of all IPR seizures. Fake handbags and wallets were the main items seized, followed by watches and jewellery, and consumer electronics and parts.
Australian small businesses spend $52k per year on IT, finds Trend Micro

Australian small businesses spent, on average, approximately $52,100 on IT products and services over the last 12 months, according to recent research into the state of IT in Australian small business commissioned by Trend Micro. The study also found that nearly a quarter of Australia's small businesses brought in help from external technology consultants and channel partners. Small businesses with between 5 and 25 employees spent an average of $25,200 per year, while organisations with between 26 and 50 staff had an average annual IT spend of $20,600 on all IT products and services. Those organisations with 51 to 100 employees spent, on average, $77,300 on IT in the last year. The Trend Micro study found that the way in which IT was managed across an organisation depended heavily on the size of the business, with smaller organisations more likely to manage IT simply on an ad hoc basis, and those with more employees more likely to have dedicated IT support.
Payment Security Standards

UL has published its latest white paper, which provides a comprehensive overview of all the payment security standards involved in electronic transactions. This supports the understanding of what standards, industry organizations and payment schemes require for electronic payments to be considered secure.

Future of Payment Standards

In 2014 the payment industry stands at a crossroads. Change in payments is being driven from many different directions: EMV adoption in the US is picking up, the security of software is increasingly under attack, mobile payments are presenting a challenge to the existing status quo, and methodologies for enhancing card data protection are under active development. Payment systems security is founded through the payment industry and the standards-setting bodies, neither of which is traditionally recognized for rapid evolution and the ability to adapt to change. This is causing a disconnect, as new actors in the payments market drive change at a pace hitherto unknown in this industry. It is fair to expect more change within the payment industry in the next 5 years than we have seen over the last 30, and how payment security will be addressed by these new systems is an open question.

With the growth of mobile issuing (where a customer's card may be managed within the customer's mobile phone) and Host Card Emulation (where the details of a customer's card may be stored within a 'cloud' based service), the concept of transactions where the card is not present is potentially becoming redundant. If my mobile phone can connect to the Internet, and at the same time act as my customer card, why should eCommerce transactions be processed as 'card not present'? If my card can always be considered 'present' for a transaction, and can provide cryptographic authentication verifying this fact, do I still care about the security of my card details? To be fair, any such change will take a considerable time, even if run at 'Internet speed'! Therefore standards such as PCI DSS remain important even in the face of a complete worldwide EMV deployment.

The computer industry has a long history of swinging from thick- to thin- and back to thick-client methodologies, and it appears likely that we are witnessing such a change in payments at this point, with an increase in 'cloud' based payment kernels and thin-client mobile systems. Payment security standards must rapidly adapt to this changing environment, where the security of the software performing the payments is more important than the security of the hardware used to accept the card data, as software vulnerabilities can be exploited remotely and instantly. Fortunately, the industry seems to be recognizing this fact and creating new standards to address this issue. For those of us working in and servicing the payment industry, we live in interesting times.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
Apple all set to enter the payments space

The long anticipated entrance of Apple into the payments space marks a milestone in payments regardless of the eventual outcome of its new services. Perhaps unsurprisingly, given Apple’s proclivity for closed-garden approaches, its new Apple Pay service follows a more traditional device-based secure element (SE) and avoids using cloud-based HCE services. This will add to security and enable card-present transaction rates, which will please merchants. Although much hyped, the Apple Pay service is likely to remain niche at the point of sale for some time, as overall device penetration remains relatively low and the service remains US only. More critically, the in-store experience provides little major incentive for use at this point, and while Apple benefits from its iTunes membership, the lack of tie-in to loyalty or other features may, at least initially, limit consumer interest beyond early adopters.
Seagate Ships World’s First 8TB Hard Drives & Rolls Out New Cloud Systems and Solutions Strategy
Shellshock

According to the threat defence experts at Trend Micro, since Shellshock is related to Linux, it can affect both PC and Apple platforms. In short, this is potentially a “plague-like” vulnerability that can exploit command access to Linux-based systems, which constitute approximately 51 percent of web servers in the world. Because of this pervasiveness, attacks against it could “grow” at a very fast pace. The recent Heartbleed vulnerability is similar in nature to Shellshock, but Heartbleed is dwarfed by the extent and reach of this new vulnerability. Due to the widespread nature of Shellshock, the actions listed below should be taken:

1. End-user: watch for patches and implement them immediately
2. IT Admin: if you have Linux, disable BASH scripting immediately
3. Website operator: if BASH is in the script, patch asap, or rescript away from BASH
4. Hosting company customer: ask your provider what they’re doing to remedy the issue and apply patches accordingly

Security experts from NetIQ also strongly urge companies to identify all sensitive, Internet-facing servers and conduct a patch analysis in light of the Shellshock bug. According to Geoff Webb, Senior Director, Solution Strategy at NetIQ, in cases where patch records are difficult to obtain or nonexistent, it is then time for “boots on the ground.” Security officers or administrators can perform a quick test on a server or appliance to see if it is vulnerable. The following simple script may be executed from a Bash command prompt. If the message “This system is vulnerable” appears, the server must be patched immediately or disconnected from the Internet until maintenance can be performed. In the example above, I have demonstrated a vulnerable system. If the system has already been patched, then it would report something like the following:

bash: warning: myvar: ignoring function definition attempt
bash: error importing function definition for `myvar’
Test for Shellshock:

The test above does not scale to hundreds of servers or more. This is where an investment in a patch management and automation system or vulnerability remediation tool pays for itself. Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender, suggests that while most operating system vendors have already issued a partial fix to make attacks more difficult to implement, this is not a complete fix but rather a barrier to buy vendors more time to find a universal solution. “A significant part of the Internet is running a Linux or UNIX-based version of an operating system that includes the bash shell. These UNIX-based web servers often run CGI scripts that rely on bash for functionality, therefore any attack against these scripts could result in exploitation and subsequently, could allow a hacker to remotely own the machine,” says Mr Botezatu. “Additionally, attacks against web servers are very easy to implement and carry. The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent (a string that tells the webserver what type of browser is being used on the other end so that the server knows how to format data before sending it).” Bogdan advises that workstations (such as Mac OS X computers) and embedded Linux devices can also be subverted via bash attacks if specific prerequisites are met, i.e. the attacker resides on the same network as the victim device. It is recommended that those with vulnerable systems update the operating system immediately and then check back to see if there is a complete fix available.
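The quick local test described by NetIQ and the User-Agent probe pattern described by Bitdefender, as an added example that is not the script from the article: a read-only check of the local bash, and a count of scanner probes in constructed sample access log lines (the log lines and addresses are made up for illustration).

```shell
#!/bin/sh
# Added example (not the script from the article): two read-only defender
# checks for the bash environment-variable bug discussed above.

# 1. Local check. A crafted exported variable that looks like a function
#    definition followed by a trailing command is handed to a child bash.
#    A vulnerable bash runs the trailing command while importing the
#    variable; a patched bash only prints "test" (or a warning about an
#    ignored function definition attempt). Returns 1 if vulnerable, else 0.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash is not installed on this system"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "This system is vulnerable"
            return 1
            ;;
        *)
            echo "This system appears patched"
            return 0
            ;;
    esac
}

# 2. Log check. Automated scanners deliver the same function-definition
#    prefix through HTTP headers such as User-Agent when probing CGI
#    scripts, so the tell-tale "() {" shows up verbatim in web server
#    access logs. Reads combined-format log lines on stdin and prints
#    how many carry it.
count_shellshock_probes() {
    # grep -c exits 1 when the count is 0; that is not an error here.
    grep -cF '() {' || true
}

# Constructed sample log lines (RFC 5737 test addresses, not real traffic):
# two scanner probes and one ordinary browser request.
sample_log() {
    printf '%s\n' \
      '203.0.113.5 - - [25/Sep/2014:10:01:02 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"' \
      '198.51.100.7 - - [25/Sep/2014:10:01:09 +1000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"' \
      '203.0.113.5 - - [25/Sep/2014:10:02:41 +1000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "() { :;}; echo probe"'
}

# Usage when run directly: the local check prints its own verdict, then the
# sample lines are scanned (pipe a real access log in place of sample_log).
shellshock_check || true
echo "probe requests in sample log: $(sample_log | count_shellshock_probes)"
```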
New Zealand’s Gallagher Group secured by leadership By Chris Cubbage, Executive Editor
Hot on the heels of a well-attended New Zealand Security Association Conference in Auckland in late August, the Australian Security Magazine took the opportunity to head south to Hamilton and visit the ‘World Headquarters’ of the Gallagher Group. With the hospitality of the senior management team and Sir William Gallagher himself, the doors were opened to the production plant and Sir William’s centre of operations. Unlike a majority of 73-year-olds, Sir William, a mechanical engineer, is hardly thinking of retirement, having played a large part in growing his father’s company, now 76 years strong and recognised as an international beacon for New Zealand business enterprise. Privately held and reaching NZD$200 million in revenues, the company employs 850 staff and works with nearly 300 channel partners. A third of the business is generated by security technology, but the majority of revenues remain planted in the agricultural sector and, to a lesser part, petrol pump manufacturing. With its Hamilton hub and a strong Australian market share, partners are present in key markets such as Europe, India, Saudi Arabia and, increasingly, the USA. Sir William’s willingness to travel, as much as 40 per cent of each year, has been instrumental in the company’s success. As has been the Gallagher business acumen in dealing with bankers and competitors over the years, with Sir William’s personal business advice to “under promise and over deliver”.

History worth telling

The Gallagher business story is most worthy of being told for its Australian and New Zealand historical value, spanning as far back as the 1840s and the movement of ‘Fencibles’, or military servicemen, in Tasmania retiring to New Zealand and being given land to farm. Detailed in Sir William’s biography, ‘Legend’, the Gallagher clan grew to dominate the Hamilton area, and the first electric fence developed around the story of ‘Joe the Horse’ in the late 1920s.
Despite the interruption of World War II, William Senior continued to develop his business into the 1960s, and in the 1970s developed high-powered electric fencing, using a moving switch to give a one second pulse interval of 5,000 volts. This opened up new and exotic markets, and high-powered electric fences were being used for grazing stock, African and Asian wildlife and the obvious security applications. The range of applications helped the company double in size, year on year, for three consecutive years in the 1970s.

Gallagher Group World Headquarters, Hamilton NZ

Sir William Gallagher in situ

Roll on to the modern day and the Gallagher Group has recently modernised further, introducing the ‘Gallagher Way’ of production across the four main process centres of Tools and Dies, Plastics, Hardware and Electronics. The production line was mapped in detail, with a value stream reviewed against a Lean Programme and LMAC advisor’s methodology. The introduction of a competitive manufacturing model was designed to break down each stage of the manufacturing process and seek out areas for improvement and efficiencies. Some of the capabilities deployed as a result included Maturity Model Development, KPI and Practices Assessment, Group Results and Maturity Benchmarking, internal tool box development, development of internal subject matter experts and maximisation of Brand Values
throughout the organisation. The numbers are impressive. The Plastics Factory produces 220,000 units daily, or 55 million annually, with 1,000 variants, and uses 940 tonnes of plastic resin. The Electronics Factory has 70 staff producing between 10,000 and 20,000 components daily with 700 product variants. About a third of the components are security product related, with the remainder agricultural. One standout example is the production of the ‘Smart Fence’, which went from four sub-assemblies to one, cut set-up time from 60 minutes to zero, reduced labour time by over 30 per cent from 26 minutes to 17.5 minutes and reduced staff requirements from six to two. Deliver those types of efficiencies on any production plant and you’re going to be more competitive. The other clear competitive advantages Gallagher focuses on are staff culture and training. Over half the staff working for the company have remained longer than 5 years and ten per cent of those have remained loyal for up to 25 years. This has been a fundamental business requirement for Sir William, stating “I’ve always focused on the customer, then staff culture and attitude, then shareholders. I see a lot of public companies have these priorities skewed today”.

Sir William Gallagher and ASM Executive Editor Chris Cubbage

Security & Technical Support

Since the company started formally tracking their training deliveries, Gallagher have trained approximately 7,000 security technicians. There are currently almost 2,000 certificated technicians globally, of which 665 are in Australia. Training demand continues to grow and training is delivered to about 1,000 technicians each year, with the training team travelling the world to deliver courses. All this is supported with a multi-disciplined 24/7 Technical Support Centre which receives upwards of 17,000 calls and 14,000 emails annually. A majority of the calls are from technicians in the field dealing with complex installations, or from new or developing technicians, and common queries are fed through to the training programs for the benefit of those involved with the Certified Technicians Program. The Support Centre Operations are also involved with the R&D teams, which include fields in electrical, mechanical, electronics, software and embedded software development. Gallagher is clearly proud of the quality of the technical support and the reliability of the product range, and measures success through the number of warranty claims and the responsiveness of the Support Centre. With daily management meetings, any feedback from the field is passed on for inclusion in product development, with a focus on new products being compatible and technically reliable, as well as allowing for easier or refined installation processes. Scott Riddler, Manager of Technical Support, confirmed “the technical teams bring a lot of practicality to the design process and our technical support is growing as the business grows.” Having recently achieved FIPS certification in the USA, Gallagher also takes its own security extremely seriously. The company employs in-house IT security specialists to protect its own networks and that of its operating systems. Support and integration of its products with other systems needs to be relatively open, with Wiegand protocol and generic interfaces, and Gallagher will integrate with any selected requests, such as booking systems (Syllabus Plus), to create new business functionality for customers and clients. One example is integrating Syllabus Plus with the Gallagher access control system so that universities can upload timetables and provide automatic, designated access for selected lecturers and students to lecture rooms, recreational and leisure areas and other campus activities and controlled areas like labs and libraries. Other examples include new office work environments where buildings use hot desks to house 2,500 people in a building with fire codes approved to hold only 2,000. Using integrated access control the building’s population can be controlled and re-directed to specific floors, preventing access to floors once approved capacity is reached.
Gallagher’s international markets appear matched by their projects and clients, including major banks and resource companies like Xstrata, Rio Tinto and Roy Hill Holdings. Others include major developments such as Steyn City, described as “a unique, visionary residential and lifestyle estate”, currently under construction along the Jukskei River in northern Johannesburg. Such an estate may be the way of the future, with “security, freedom and functionality” the promoted cornerstones of the 2,000-acre fenced community. Coinciding with the Gallagher Group’s support of the NZSA Security Conference 2014, aptly titled ‘Professionalism for Profit’, the company also received the ‘Innovative Security Product of the Year’ award at the annual NZSA conference dinner. Gallagher’s Z10 Tension Sensor, an intelligent electronic perimeter security device, has been attracting significant attention for product innovation in the global security market and has already won awards in the United States, namely a Gold award for Integrated Perimeter Security Solution and Best Perimeter Protection Product/System. Taking yet another industry award in his stride, Sir William clearly has many productive years left to contribute and guide the company along its present path. With a detailed business plan set to maintain the family business, the succession plan involves leaving the reins to a talented management team. It was apparent that there will remain enough longevity to reach the magic century milestone – and with the marvel of modern medicine and a healthy lifestyle, let us hope Sir William is around to see that day.
BGW Technology hits the high seas with a P&O Conference Cruise By Chris Cubbage, Executive Editor
On a pleasant but blustery September Saturday afternoon on the Brisbane River, under the command of Captain Salvatore Lupo, Australia’s first resident superliner, the Pacific Dawn, “thrust off the berth” for a four day, 1,016 nautical mile return cruise through the Great Barrier Reef Marine Park to Airlie Beach, near the Whitsunday Islands. Amongst the 1,900 passengers were 120 international and national guests and business partners of BGW Technologies for what was to be a unique and memorable security technology conference. With representatives from choice channel partners from around Australia and the region, alongside manufacturing vendors, including S2 from Canada, Firetide (Unicom) from Singapore, Pelco, Tyco and distributors Allegion, BPT (Sfere Group) and TKH, many accompanied by their spouses, each day comprised well managed dinner arrangements, a seminar series, a tradeshow exhibition and networking events. The conference cruise was designed to develop enlightened relationships, create business opportunities and enhance product appreciation. It was clearly going to be a success from the start.

Planning pays off

The BGW Technologies Management Team, led by CEO Laurie Murphy and facilitated by General Managers Ron Jackson and Joshua Simmons, supported by the State Managers Paul Kirby (Queensland), Chris Hancock (Victoria) and Paul Humphries (Western Australia), had clearly put a lot of thought into this event and what they sought to achieve from it. The outcomes were many and will continue to unfold for a majority of the suppliers and attendees. James Caldwell of Allegion found the event to be “quite intimate and there’s been lots of opportunities, particularly with the different groupings at the dinners and you’re able to have a conversation with different people and even with any down time you’re always running into someone who is at the conference and wants to ask a question. I found I’d had conversations with about 50 per cent of the attendees by the time we held the trade show, which was great.” For Mark Hodby, President of Avtel Group, based in Tokyo, Japan, he “found it very worthwhile coming, quite enlightening, there was some products I wasn’t aware of and some technology I’d like to learn more about… You don’t get that chance to talk in depth with manufacturers if you go to some of the other shows and exhibitions held in Australia or elsewhere.” The Australian Security Magazine took the opportunity to sit down with CEO Laurie Murphy and get to the core of what’s driving the BGW Technologies company. As Laurie explained, “The core business is electrical and plumbing distribution, switchboards and UPS and we see the security and CCTV sector as important as the energy management side of the business. Likewise we’re involved in the elevator space and we appreciate how much security and video is becoming integrated into lifts and other building systems.”
BGW Technologies Conference Venue: The Pacific Dawn
Building owners are looking to reduce the number of vendors they have to deal with, and BGW Technologies has the capability to provide the end-to-end solution, whatever the project, including for mining, resources and the construction industry. With 110 stores nationally, when asked how to describe the business model, Laurie says with confidence, “the model is based around people”. The company has grown revenues to AUD$700M but remains an Australian-owned family business, with the capability to offer global solutions. Recent annual growth for 2014 was 9.5%, and buying power has been achieved by partnering with independent co-ops – GemCell Electrical Group, IMELCO and PlumTech. The company is involved directly and via international joint ventures with data centre construction, hospitals, shipyards, prisons, major gas projects and unmanned mining operations. Remaining a family business still requires a professional management team. The company has put together an Advisory Board and a vision generally looking out to five years, but always with a keen eye out for opportunities or adaptations for fast changing business circumstances. As Laurie warned, in electrical wholesaling, “if you’re just shifting boxes you’ll soon be out of business.”

Technology Partners & Innovators

TKH Security Solutions, represented by Sales Director Brad Godfrey, introduced the €1.5 billion company, founded in 1939 with its corporate headquarters in the Netherlands. TKH has been ranked the 12th largest security manufacturer in the world and operates three main sectors set around ‘Connectivity’, including heavy cabling and telecom solutions, such as fibre optics and cable manufacturing; ‘building solutions’, with specialisation in parking guidance systems; and thirdly, ‘security systems’, with a diverse security portfolio offering six different product collections developed specifically for access control, intrusion detection, video management and surveillance applications. TKH Security Solutions has strong application experience in critical infrastructure, resources and healthcare, with end-to-end cabling, power and fibre optics for security systems, and has released its new 3D, touch-screen security management platform, FlinQ 4.0, with a graphical user interface (GUI) that applies touch-screen technologies to customise and centralise security management as well as facilitate system upgrades. In Australia the FlinQ platform has been installed at about 140 sites, operating 1200 cameras on the 3D display version. With an array of IP cameras, codecs and recording equipment, Siqura provides intelligent and complete video surveillance solutions for IP connection, camera health checks, traffic monitoring and perimeter protection. The Eco-plug migration concept has also been developed to reuse coax cabling as well as fibre and UTP; it excludes power, though this is usually not an issue with upgrades. TKH also provides a range of encoders and decoders, video wall configuration and advanced smart search with multiple criteria options for video examination. The DIVA has had a name change to Cents Fibre optic transmission, with key installations including the Beijing public transport system and Palm Island Dubai, with 2,000km of cable laid in extreme temperatures. IP Protect is a Linux-based access control system which integrates with parking systems and time and attendance.

S2 Security’s Tim Smith (right) briefing delegates Mark Hodby (left) and Tim Grime (centre)

Cast and Crew of the BGW Technologies Conference Cruise - Hawaiian Night!
The latest new product is suitable for smaller access control systems, up to 16 access control readers, 16 cameras, 9 intercoms, 1 intruder detection system, visitor management, 1,000 card users and up to 5 operators. Commend has released a virtualised intercom system suited to Citrix and VMware. Dean Edwards, Sales Manager for Qld, NT, PNG and the Pacific Islands for Pelco, represented the manufacturer, founded in 1957 and acquired by Schneider Electric in 2007. Dean presented the Californian manufacturer’s end-to-end solutions for CCTV and IP video. Pelco offers 7,500 parts or line items amongst its range, including fixed IP in the Sarix range, panoramic with its Evolution range and IP positioning video with the Spectra range. Pelco is also making final preparations to release the Esprit camera and Digital Sentry IP VMS server, offering 128 cameras per server, and the free Pelco mobile application. Endura, the enterprise IP VMS, provides RAID 6 arrays, is suitable for mission critical surveillance systems and uses multicast technology. One project recently taking on the system is the Galaxy Casino in Macau. Highlights of the Pelco range include the IP video accessories, with capabilities to customise for extreme temperatures, hardened or fortified enclosures, colour matching, infra-red illuminators and provision of Pelco IP camera test tools. Jeremy Koh, Vice President of Sales for Asia Pacific, visiting from Singapore for Firetide, was most impressed with the conference and the opportunity to meet and mingle amongst the Australian integrators. Firetide, having been acquired by Unicom Global in May 2014, is now part of Corry Hong’s global enterprise, with headquarters in Los Angeles and EMEA HQ in London. Unicom consists of three main divisions encompassing Technology, Real Estate and Merger & Acquisition Financing. Other recent acquisitions have included Memeo, iET Solutions, Unicom Enterprise and US Robotics, with 3G cellular integration and a recent announcement of 3G M2M solutions. One case study to watch out for is the Eagle ii contract. Firetide has acknowledged one challenge, which is to improve the unit’s aesthetics for city street applications, but it still excels for multipoint hopping installations. It has been able to cross-pollinate across Unicom Group and win projects as far afield as the Western Australia mid coast. Firetide also has a clear software release strategy and roadmap, with release 7.17 scheduled for Quarter 4, 2014 and Version 8 for Quarter 1, 2015. Version 7.17 provides linear mobility deployments and provides tools for planning, analytics, field diagnostics and heat map / hot view, with licensing enhancements for easier license transfers.
Version 8 will be next generation software with 600MPS with encryption, up from 15 hops; applied to a train mobility project in South Korea, it is able to handle 30 hops without trade-off on redundancy. For Todd Smith, Vice President of Sales for S2 Security and a seasoned traveller to Australia, getting to the Whitsundays was a highlight for the avid diver. With its base in Massachusetts and New Hampshire, S2 Security has 20,000 customers worldwide, selling over 400 systems per month, complemented by its ability to provide 72 hour shipping and next day delivery in Australia via BGW Technologies for the NetVR and Netbox. With true 3rd and 4th generation platforms emerging, the third generation provides an open architecture whilst the fourth generation will deliver industry-changing video forensics, mobility tools and scalability for distributed systems.

BGW Technologies Conference Tradeshow on the Pacific Dawn

As Todd explained, “Security is now part of the integrated business solutions platform - Microsoft is on the way down along with those on the Microsoft platforms, Google and Apple are on the rise. It is this thinking why S2 provides an embedded server connected over IP to a browser offering all the benefits of a browser based platform”. The S2 SMS is used for security management and the S2 VMS is for video management, on a network appliance based infrastructure. The S2 Ecosystem converges the S2 Global and S2 mobile security officer to provide the capability of viewing cameras, controlling remote mustering, managing fixed muster stations and lockdown applications. For a ‘snap together enterprise’ the capabilities include alarm monitoring, access control, HR records and other logs, temperature monitoring, graphical reporting with standard user interfaces and an ‘as built’ configuration report. The S2 Global provides an integrated world system on one single platform and a free published application with open integration capabilities and data management tools. It is through the open platform that S2 aims to overcome obsolescence risk and technology refresh. As Todd puts it, “technology is changing and accelerating and products aren’t keeping up, service levels are dropping, we still see proprietary systems with excessive upgrades costing as much as new systems. Much like you’ve seen with Google, security conglomerates are changing.” James Caldwell, Regional Sales Manager – Electronic Security for Allegion, introduced a number of fast emerging products, with the AptiQmobile being the most interesting.
AptiQmobile works with ‘Near Field Communications’ or NFC readers and uses smart phone devices instead of tokens. Lost access control cards are generally reported within 24 hours; however, research indicates that smart phones are noticed and reported lost within sixty minutes – and once the phone is locked it is unable to be used and can also be traced. Using the home screen or application screen, users can request and create rules and receive access and instructions via email, and rights can be allocated en masse or individually. The same applies for pre-allocated credentials for visitors, contractors and temporary staff. There is naturally a range of uses including physical access, biometrics, transport, vending, logical access and cafeterias. With the launch of Engage technology, Allegion also provides a new connectivity platform for internal wireless access control. Using a standard ND door preparation, the free app can configure lock settings, and has a cloud management tool and web based application or offline alliance partner software for NDE series wireless locks. Photographs published courtesy of P&O Cruises.
LEADING INDEPENDENT SECURITY CONSULTANTS www.amlechouse.com Amlec House Pty Ltd Independent Security, Risk and Investigation Management Consultants
Security Design, Reviews & Auditing Services Studies, Investigations & Reviews Background & Criminal History Checks Due Diligence Services Specialist Technical Services Security & Risk Awareness Workshops Cyber Security, Online Safety & OSINT Workshops
Review by Chris Cubbage
Cyber Attacks - Securing Agencies’ ICT Systems
Have you recently published a security related book? Or have you just read a new, great security book? Please email us at editor@australiansecuritymagazine.com.au
In 2014, the Australian National Audit Office undertook an independent performance audit across seven (7) federal government agencies, titled “Cyber Attacks: Securing Agencies’ ICT Systems”, conducted in accordance with the Auditor-General Act 1997 and delivered as ANAO Audit Report No. 50 2013-14. There is collective agreement that the challenge of cyber security is ever foreboding. In 2012, cyber crime was estimated to have cost the Australian economy $1.65 billion and touched 5.4 million Australian victims. For the same period the Australian Signals Directorate (ASD) recorded 1,790 cyber security incidents targeted against Australian Government agencies, with 685 of those needing a response from the Cyber Security Operations Centre. The Centre, established by the ASD, provides coordination and assistance for cyber events of national importance. In 2013, the Government mandated elements of the national security framework in response to the rapid escalation, intensity and sophistication of cyber-crime and other cyber security threats. For some years, the Australian Government has had an overarching protective security policy framework and promulgated specific ICT risk mitigation strategies. The Attorney General’s Department (AGD) is responsible for administering the policy encompassed in the Protective Security Policy Framework (PSPF), outlining the core requirements for the effective use of protective security as a business enabler. The PSPF is further supported by the Information Security Manual (ISM), which is the standard governing the security of government ICT systems. Since 2010, the ASD has provided 35 strategies to achieve the desired level of control over systems to mitigate the risk of cyber intrusions. With full implementation of just the top four (4) strategies, ASD advises that 85 per cent of targeted cyber intrusions to an agency’s ICT systems would be mitigated.
In April 2013, the PSPF was amended to mandate that all agencies implement the top four ASD mitigation strategies, with a target date for implementation of July 2014. The four strategies are application whitelisting, patching applications, patching operating systems and minimising administrative privileges. Seven (7) agencies were audited, including the Australian Customs and Border Protection Service, the Australian Taxation Office, the Department of Foreign Affairs and Trade and IP Australia. None of the agencies had achieved full compliance with the top four mitigation strategies by the July 2014 deadline, and none was expected to achieve compliance within a reasonable timeframe thereafter. While the audit established that internal information security frameworks, some controls and some change management processes had been implemented, the degree of compliance did not reflect the heightened government expectations in response to the risk of a cyber attack. The overall ICT security posture was assessed as “providing a reasonable level of protection from breaches and disclosures of information from internal sources, with vulnerabilities remaining against attacks from external sources to agency ICT Systems. In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to.”

The ANAO made three recommendations:
1. Complete the activities needed to implement the top four controls, and define pathways to further strengthen application whitelisting, security patching of applications and operating systems, and management of privileged accounts.
2. To reduce the risk of cyber attacks on information stored in databases, strengthen logical access controls for privileged user accounts by eliminating shared accounts, recording audit logs and monitoring account activity.
3. Conduct annual threat assessments across ICT systems having regard to the ASD’s 35 mitigation strategies, and implement periodic assessment and review by the agency security executive of the overall ICT security posture.
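The top four mitigations and the privileged-account recommendations above are controls an agency can actually measure. The script below is an added illustration written for this article, not code from the ANAO report or from any audited agency: it scores a constructed host inventory against the four mitigations and then runs two simple detections over constructed privileged-logon audit lines, flagging an account used from more than one source address within a short window (the signature of a shared privileged account) and privileged commands run outside an assumed change window. The inventory, log lines, patch-age thresholds, admin-count limit and time windows are all assumptions for the example.

```python
"""Added example: ASD Top 4 compliance check plus privileged-account
monitoring over constructed data. Not the ANAO's or any agency's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host inventory (assumption, not real agency data). Per host:
# whether application whitelisting is enforced, days since the last
# application patch and OS patch, and members of the local admin group.
INVENTORY = {
    "ws-001": {"whitelisting": True, "app_patch_age": 10, "os_patch_age": 5,
               "local_admins": ["svc-deploy"]},
    "ws-002": {"whitelisting": False, "app_patch_age": 95, "os_patch_age": 40,
               "local_admins": ["alice", "bob", "carol", "svc-deploy"]},
    "srv-db1": {"whitelisting": True, "app_patch_age": 3, "os_patch_age": 60,
                "local_admins": ["dba-shared"]},
}

MAX_PATCH_AGE_DAYS = 30  # assumed patch-currency window for this example
MAX_LOCAL_ADMINS = 2     # assumed: more than this suggests privilege sprawl


def assess_top4(facts):
    """Map each of the four mitigations to True (met) or False (gap)."""
    return {
        "application_whitelisting": facts["whitelisting"],
        "patch_applications": facts["app_patch_age"] <= MAX_PATCH_AGE_DAYS,
        "patch_operating_system": facts["os_patch_age"] <= MAX_PATCH_AGE_DAYS,
        "minimise_admin_privileges": len(facts["local_admins"]) <= MAX_LOCAL_ADMINS,
    }


def inventory_report(inventory):
    """Top 4 assessment for every host in the inventory."""
    return {host: assess_top4(facts) for host, facts in inventory.items()}


# Constructed privileged-logon audit lines (assumption): key=value records.
AUDIT_LOG = """\
2014-06-02T09:01:10 host=srv-db1 user=dba-shared src=10.0.5.21 event=logon
2014-06-02T09:03:44 host=srv-db1 user=dba-shared src=10.0.7.88 event=logon
2014-06-02T09:40:00 host=srv-db1 user=dba-shared src=10.0.5.21 event=sudo cmd=/bin/bash
2014-06-02T11:15:02 host=ws-002 user=alice src=10.0.1.5 event=logon
2014-06-02T23:58:30 host=ws-002 user=svc-deploy src=10.0.9.9 event=sudo cmd=/usr/bin/apt-get
"""


def parse_audit(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        record = dict(pair.split("=", 1) for pair in pairs)
        record["ts"] = datetime.fromisoformat(ts)
        events.append(record)
    return events


def shared_account_use(events, window=timedelta(minutes=30)):
    """Accounts logged on from more than one source address within `window`:
    the pattern a shared privileged account leaves in the logs."""
    by_user = defaultdict(list)
    for event in events:
        if event["event"] == "logon":
            by_user[event["user"]].append(event)
    flagged = set()
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):
            for later in logons[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["src"] != first["src"]:
                    flagged.add(user)
    return sorted(flagged)


def privileged_commands_outside_hours(events, start=7, end=19):
    """Sudo use outside an assumed 07:00-19:00 change window."""
    return [(e["user"], e["host"], e["cmd"]) for e in events
            if e["event"] == "sudo" and not (start <= e["ts"].hour < end)]


if __name__ == "__main__":
    for host, result in inventory_report(INVENTORY).items():
        gaps = [name for name, met in result.items() if not met]
        print(host, "compliant" if not gaps else "gaps: " + ", ".join(gaps))
    parsed = parse_audit(AUDIT_LOG)
    print("shared accounts:", shared_account_use(parsed))
    print("after-hours privileged commands:",
          privileged_commands_outside_hours(parsed))
```

Run stand-alone, the report shows ws-001 meeting all four mitigations, ws-002 failing all four, srv-db1 failing only OS patching, the dba-shared account flagged as shared, and one after-hours privileged command on ws-002. The same checks, fed from a real configuration-management database and central syslog rather than the constructed data here, are the kind of evidence the third ANAO recommendation asks agencies to review periodically.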
ANAO Audit Report No. 50 is worth a look for any security professional, whether in the public or private sector. While the Government has recently raised physical security at Parliament House in response to a direct threat, it seems the Australian Government continues to struggle to keep up with cyber security requirements. Now that we are at the end of the age of entitlement, imagine how Australian corporations and enterprises are faring. There is much work to be done!
[Advertisement: Tier-3 Huntsman]
REAL TIME, AUTOMATED, ACTIONABLE INTELLIGENCE
Protecting your organisation’s information in a world of exponential information explosion is vital, and the corresponding growth in threats is a never-ending battle. Deploying multiple SIEM solutions to secure specific parts of your business can also create security management challenges:
• How to deliver a holistic picture of security from a single console
• Vulnerability gaps resulting from no single point of insight
• Costly administrative overhead
• Difficulties collating, correlating and analysing security and compliance information
• Problems centralising governance and oversight across independent silos
The Tier-3 ‘Huntsman Unified Console’ delivers a single, defence-grade cyber security solution to address all of these challenges in real time. Vulnerability technologies | SIEM solutions | Threat intelligence solutions.
HUNTSMAN: Intelligent Security. We Deliver It. www.tier-3.com
Visit AISA conference Booth 12 to discover how we can deliver you results.
[Advertisement: Lockheed Martin]
F-35 LIGHTNING II. FOR SECURITY. FOR JOBS. FOR AUSTRALIA.
Lockheed Martin’s F-35 Lightning II: the right security partner for Australia, its people, and its future. Providing thousands of high-technology jobs for Australia and billions of dollars in industry contracts over the next 30 years. See the future in action at: F35.COM/AUSTRALIA
The F-35 Lightning II team: Lockheed Martin, Northrop Grumman, BAE Systems, Pratt & Whitney.