www.ChiefIT.me | Sep/Oct 2016
Closing the SecOps Gap
How will Australia keep up?
AUSTRALIAN SECURITY MAGAZINE
Commercial UAV Show Asia - Review
Fortinet’s Continuous Improvement
Blockchain for everyone
Embracing Modern Technologies
Protecting Children from Cyber Bullies
PLUS TechTime, Quick Q&A, Cyber Security and much more...
Do we have IT right?
The Four Points Hotel - Darling Harbour National Conference 2016
From the War Room to the Board Room, Huntsman® Defence Grade Cyber Security Platform delivers: Advanced Threat Detection and Incident Response, Continuous Compliance, Serious Cyber Security ROI
Proven in the most secure and sensitive environments within the intelligence, defence and criminal justice networks across the 5 Eyes community.
LEARN MORE TODAY 1300 135 897 huntsmansecurity.com
Contents
Editor's Desk - page 3
Industry Insights
Information Security Continuous Improvement (Fortinet feature, Asia Pacific Region)
Closing the SecOps gap - page 10
Security industry must embrace modern technology
Blockchain for everyone
Prevention is still better than cure
Insider threat can be eliminated with a proactive approach
7 ugly truths about compliance - page 22
Frontline
The safe city and its need for interoperability
Cyber Security: How will Australia keep up - page 34
The non-IT expert’s guide to surviving a cyberattack
How has information technology become the latest security threat?
Fighting technology with technology
Creating a culture of security to defend against social engineering attacks
Are security vendors leaving your business at risk
UAV Show Asia review, by Chris Cubbage - page 46

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Editor: Tony Campbell
Art Director: Stefan Babij
Correspondents* & Contributors: Jaqueline M. Hummel
MARKETING AND ADVERTISING: T | +61 8 6361 1786 email@example.com
SUBSCRIPTIONS: T | +61 8 6361 1786 firstname.lastname@example.org
Copyright © 2015 - My Security Media Pty Ltd, 286 Alexander Drive, Dianella, WA 6059, Australia. T | +61 8 6465 4732 E | email@example.com E: firstname.lastname@example.org. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
OUR NETWORK: Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
CONNECT WITH US: www.facebook.com/apsmagazine www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.asiapacificsecuritymagazine.com
4 | Chief IT Magazine
“with rapid transformation, comes an inherent risk”
The world is transforming faster than ever before. Nascent technologies seem to emerge and become industrialised in less than 12 months, fuelled by enormous investments from Silicon Valley venture capital firms. Furthermore, what were once underground technologies, such as P2P networking and digital currencies, are now leveraged by contemporary enterprises, such as the consideration of blockchain underpinning the future of international banking. The two most obvious shifts we’ve seen of late, however, are the emphasis on mobile computing and the shifting of enterprise IT into the cloud. But with rapid transformation comes an inherent risk.

The Internet of Things (IoT) is comprised of a massive collection of new devices that were once unconnected and standalone. These devices are now coming onto the grid with serious security vulnerabilities that themselves lead to not just digital impacts, but also physical impacts that affect real-world human safety. The race to get devices connected to the Internet is seeing products hit the market with security flaws that we thought we had eradicated over a decade ago, so something is going massively wrong in the race to market.

At the heart of many of the latest technology developments lies advanced machine learning and artificial intelligence. This machine learning allows autonomous systems to actually modify their future behaviour, based on receiving feedback from appropriately located sensors. AI is helping in so many markets and industry verticals, from healthcare and digital marketing through to information security, as well as national security and defence industries. Analysts are predicting that machine learning will become the buzzword of the information security industry, where vendors will be looking to use the pre-emptive pattern recognition of some of the most cutting-edge security research to finally build defence systems that are one step ahead of the attackers. Splunk’s purchase of the machine learning technology, Caspida, is testament to this trend, since it’s using this acquisition to position itself as a leader in the Security Information and Event Management (SIEM) market, but like all security technologies, the proof will be in the thwarting of real attacks in the wild, where the attackers are using their cunning and guile to get around these developments.

In this issue we’ve incorporated a variety of articles from the cross section of business, technology and security that are of interest to the Australian market. Sarah James’ article is the beginning of a series of articles we will be publishing on blockchain and its uses in international banking. Sarah has started at the beginning of the story with this issue’s article, explaining how digital ledgers work and how blockchain will transform the way banking works. Following on from a previous article we published by the internationally renowned Chris Hadnagy, we’ve included an interesting overview of deception detection using body language, from body language specialist Sophie Zadeh. So if you are interested in what a one-sided shoulder shrug really means when you are interviewing a prospective employee, take a look at Sophie’s article. Greg Singh looks at how security tools can help our cybersecurity teams focus on prevention rather than response, which will be music to the ears of beleaguered security operations teams; however, the article on insider threat reminds us that security has a holistic process approach to managing threats, where those threats need to be well understood and evaluated prior to investing in technology – otherwise you might be investing in the wrong area. Our international correspondent, Jaqueline Hummel, discusses some of the biggest issues faced by chief compliance officers in her article entitled “7 Ugly truths about compliance: A primer for new chief compliance officers.”

I hope you enjoy this issue of ChiefIT and we’d love to hear from our readers, so if you’ve got any comments or suggestions, send them in.
Yours sincerely,
Tony Campbell
Executive Editor
Full conference program and registration: www.asisonline.org/shanghai
ASIS CHINA 2016 - SHANGHAI, CHINA | 14–15 NOVEMBER 2016
Following a sell-out first event last year, the ASIS China conference is back again in Shanghai on 14–15 November 2016. The event is designed to provide senior security professionals with the knowledge and perspectives they need to excel.
Program Highlights
Beyond Compliance, Live up to Security Risk Management - Hanson Liu CPP, Greater China Security Manager, DuPont China Holding Co., Ltd, China
Security Management in Global Operations - Li Hongliang, Deputy Director of Security Management, BGP Inc., China National Petroleum Company, China
China Pakistan Economic Corridor (CPEC): Threats, Vulnerabilities and the Mitigation Measures from Pakistan’s Perspective - Kaleem Ahmed, Chief Security Officer, Pak Arab Refinery Ltd., Pakistan; Omar Safdar CPP, Security Consultant, Pakistan
The Evolution of Rules of Evidence for Investigators in China - Theodore Kavowras, Managing Director, Panoramic Consulting Limited, Hong Kong, China
email@example.com Tel: +32 2 318 57 51
2ND BIG DATA & CEM WORLD SHOW - 1-2 NOVEMBER 2016 | JAKARTA, INDONESIA
#BIGITIDN16 www.bigittechnology.com/indonesia2016/ firstname.lastname@example.org +603 2261 4227
Speakers:
VP Business Transformation, Lazada Group
Dayu Dara Pramata
Co-Founder and Head, Go-Life (Subsidiary of GO-JEK)
GM, Uber Indonesia
Big Data Project Director, Telkom Indonesia
Country GM Indonesia, iProperty Group
OFFICIAL MEDIA PARTNERS
© 2016 Malaysia Digital Economy Corporation Sdn Bhd (389346-D). All rights reserved.
Follow us @ BIGIT Technology
Continuous improvement Network security, optimised networking and business continuity: Fortinet’s continuous improvement
By Gary Gardiner, Director of Technical Support, APAC at Fortinet

Network security is moving beyond firewalls, advanced threat protection and data leak prevention into network optimisation and business continuity. Security is increasingly being seen as a business process enabler as opposed to simply an adjunct to your company’s IT infrastructure. And as more and more enterprises migrate mission critical applications into the cloud, business continuity and return on investment are becoming key considerations for executives as they evolve their infrastructure from cost centres into agile and elastic organisational assets.

One company driving this transformation is Fortinet. Since its establishment in 2000, Fortinet has been at the forefront of security innovation and delivery. Its FortiGate firewalls have set the benchmark for comprehensive protection and speed since their introduction as UTM (Unified Threat Management) appliances in 2004; its FortiGuard Labs employs more than 250 expert researchers and analysts around the world and collects data from more than two million sensors to protect more than 270,000 customers every day. And its acquisition of security information and event management (SIEM) solution provider AccelOps earlier this year has expanded Fortinet’s functionality well beyond traditional security.

Three key innovations

Three innovations in particular set Fortinet apart: the FortiOS operating system, the FortiASIC ‘system on a chip’ architecture and internal segmentation. FortiOS operates in concert with your entire network environment to protect every component from the server to the client and into the cloud. The FortiASIC chip ensures low-latency operations up to five times faster than comparable solutions. Internal segmentation compartmentalises data and applications, either on-site or in the cloud, so that you can insulate individual groups of users, set multiple policies and contain and minimise the ramifications of any security breach.
When combined with the operational and analysis capabilities provided by SIEM, enterprises now have unprecedented visibility into network traffic patterns and, by extension, all business processes. This granular level transparency enables organisations to optimise network operations, gain maximum value (indeed, it allows them to quantify IT spend versus performance, the ultimate benchmark for measuring ROI) and ensure that mission critical application services maintain maximum uptime for business continuity.
Internal segmentation: Protection into the cloud

Ensuring business continuity as enterprises move mission critical application services into the cloud can be problematic for risk management. Fortinet’s unique segmentation architecture isolates applications and data regardless of where (in-house or in the cloud) or how (physical, virtual or software-defined) they are stored and accessed. Indeed, Fortinet has been increasing its market share in the MSSP (managed security services provision) arena because internal segmentation is ideally suited to multi-tenant deployments. In addition, Fortinet’s granular-level visibility ensures that MSSPs can provide comprehensive traffic and activity reports for individual customers and groups of users.

Continuous improvement

Fortinet has evolved into a network optimisation and business continuity solution provider based on market-leading security technology, granular visibility and upstream and downstream SIEM analysis. Any security events can be immediately identified, contained (via segmentation) and mitigated, resulting in minimal downtime, regardless of where on the network, in the datacentre or in the cloud they might occur. With real time traffic monitoring, including internal ‘east-west’ traffic inside the datacentre, you can see exactly which application resources use which data sets. And from there you can quantify how much resource each application service requires and correlate the costs to the benefits received. Cost accounting, risk reduction and maximising uptime are now functions of your network security infrastructure and no longer separate disciplines. This merging of governance imperatives is changing the way Boards look at their security profile. This transformation is being driven by a parallel convergence in network operations. And Fortinet is out in front on both counts.
About the author Gary Gardiner, Fortinet’s senior security executive in APAC, is a seasoned network security professional with hands-on and management experience in every aspect of security across many different vendors, solutions and verticals. As a technologist, he understands the challenges and solutions. As a ‘C-level’ executive, he also is acutely aware of the drivers and challenges facing Australian organisations.
BIGIT TECHNOLOGY MALAYSIA 2016
Anchor Event of the Big Data Week Asia 2016 - 19 - 20 September 2016 | KL Convention Centre, Malaysia
#BIGITMY2016 www.bigittechnology.com/malaysia2016/ email@example.com
+603 2261 4227
EVENT SPONSORS: TITANIUM SPONSOR
OFFICIAL MEDIA PARTNERS
© 2016 Malaysia Digital Economy Corporation Sdn Bhd (389346-D). All rights reserved.
Follow us @ BIGIT Technology
Closing the SecOps gap: How to harden IT security against hackers and vulnerabilities
By David Carless, Automation and Cloud Specialist, BMC Software Australia

In 2015, headlines were rife with reports of cyberattacks stealing everything from government secrets to children’s birthdays. In 2016, the issue continues to generate story after story, so it’s no surprise security is now the number one priority in every boardroom around the globe. As constant change and the path to digital transformation continue at a rapid pace, they open the door for hackers and expose old latent vulnerabilities. The two parties inside organisations charged with protecting an organisation’s security and closing these doors are themselves facing a communication breakdown that’s only deepening the problem. Overlooked by many business leaders, it’s the widening gap between IT operations and security teams that is becoming ever more critical in the age of the digital enterprise.

BMC Software and Forbes Insights recently surveyed several hundred global executives to get their perspective on their organisation’s overall security health and find out what issues are critical to address. The results revealed the need for a clear framework that organisations can implement and follow to build their strategy for improved security and compliance. Startlingly, the survey showed that 97 per cent of executives expect an increase in breach attempts in the next 12 months, and 44 per cent of executives say breaches occur even when vulnerabilities and remediation techniques are already identified. These two statistics paint a sobering image – almost half of data breaches could have been prevented.
With the threat of attacks on the rise, what causes unimplemented remediation plans to sit on the shelf? It’s a bit of a list: the lack of visibility between security and IT operations groups, the lack of automation and competing priorities all contribute to the issue, and on average, the time it takes to fix a security vulnerability is a staggering 193 days.

This research confirmed what we had heard anecdotally - that security teams are doing everything they can to keep their organisations secure, while the IT operations teams continue to try to do more with less and keep the business running in the face of constant change. The two organisations, central to the identification and implementation of security countermeasures, are nonetheless disconnected in every meaningful way - priorities, processes, requirements, tools and vocabulary. While vulnerabilities are being discovered, the operations team doesn’t understand the context of these vulnerabilities, and they either fail to prioritise them or, worse, ignore them altogether. These factors combine to create the ‘SecOps Gap’.

With 60 per cent of survey respondents stating that IT operations and security teams have only a general understanding of each other’s requirements, it’s clear the SecOps Gap needs to be quickly acknowledged and addressed. To do so, companies must focus on three critical elements to ensure their security and operations teams are aligned on objectives and share accountability for the security and compliance of the organisation. These three elements are People, Process and Technology.

A strong people strategy is the heart of an effective change management initiative. Start with setting a consistent vision for the security and operations teams. They need to see that they are interdependent and have shared goals in regard to the overall security of the organisation. They need to balance these goals together with the needs of the business to be agile and reliable.

The processes need to be reviewed in light of the shared goals and objectives. Repetitive, manual workflows should be evaluated to see if they are candidates for automation. Handoffs between the organisations need to be tight and provide opportunities for feedback and learning.

Technology should be deployed to facilitate the coordination and collaboration between these organisations. It is vital to be deliberate and to make sure that the technology you choose is built to solve the complete problem and not just portions of it. Many organisations implement point solutions which fall short of addressing the complete problem. Solutions must also be able to scale to handle the demands and complexity of your enterprise. Of the survey respondents, 60 per cent want tools for automating corrective actions and 59 per cent want a centralised view into vulnerabilities and remediation actions. A solid strategy to protect your organisation from attacks requires you to be vigilant, precise and relentless in not just finding but closing vulnerabilities. To do this effectively, it is imperative that organisations use automation to do the bulk of the work for them.

BMC BladeLogic Threat Director works with BMC BladeLogic Server Automation to provide operations teams with prescriptive and actionable data to address vulnerabilities based on perceived impact, current operational plans and policy, enabling the expedient remediation of risks and more focused activities by the operations teams to reduce the overall attack surface. For the first time, BladeLogic Threat Director provides the security team with a security dashboard, allowing them to gain views into operational plans to address vulnerabilities and predictive service level agreements to assess the current security readiness of their organisation.

Breaking down the wall between Security and Operations teams and arming them with critical data to make decisions will allow them to work together productively. It will help them make decisions impacting the delicate balance between uptime and availability commitments, and the changes required to secure the organisation. The bottom line is that the flood waters of security breaches will continue to rise until something significant is done. The time for action in closing the SecOps Gap is now.
Security industry must embrace modern technologies
By Magnus Hedberg, CEO, GroupTalk

The global security industry is growing at a rapid pace. More professional and coordinated operations across disciplines and geographical borders among criminals is one of the drivers of the increased demand for advanced security services. This calls for more intense surveillance and security, according to the Europol “Serious and Organized Crime Assessment Report”. Gartner puts the global security market at $86bn, with annual growth of close to nine percent, citing “growing complexity of attacks”. At the same time the security industry finds itself in a consolidation phase, adopting new technologies with a strong focus on digital services and offers such as Security as a Service. Intense competition in the industry is also squeezing profits, forcing security companies to focus on more logistically efficient solutions, cost savings, and smarter and safer interactions between security staff.

Out-dated communications routines

An important factor for safe and efficient security monitoring is the successful coordination and interconnection between guards and security control centres while patrolling, especially when covering large areas such as shopping malls, hotels, airports, event venues, logistics centres etc. However, most security staff around the world still use traditional and out-dated two-way radios (walkie-talkies) with a momentary button to switch from voice reception mode to transmit mode when communicating. Building radio networks, programming and providing two-way radios is complicated and time consuming. This is ancient and inefficient communication technology, not suitable for an industry with low margins that also needs to be at the technological forefront, aiming to be secure, flexible, efficient and profitable. Until now, development and deployment of efficient communication tools have been very costly and complicated. In some cases the technology has become out-dated before it has been completely rolled out. For smaller security companies this has not even been an option. For them it has been virtually impossible, for economic reasons, to get a modern communications solution with good geographical coverage.

Push-to-talk technology improves security companies’ competitiveness

But this is about to change, since there is huge potential to improve communication between the members of the security staff with more modern, yet simple and user friendly, technologies. An increasing number of security companies tend to abandon the ancient walkie-talkie communication solutions, replacing them with more modern communications solutions based on digital models such as push-to-talk (PTT) over cellular phones, a service that enables subscribers to use their phones as walkie-talkies with unlimited range over the existing mobile networks. PTT has several advantages:
• PTT enables simple and safe communication between employees through the push of a single button.
• It is a cost efficient cloud-based solution that allows communication directly through the users’ smartphones (and tablets/laptops).
• It is secure.
• It uses existing mobile networks, with no need to build and maintain your own network.
• The sound is much clearer than walkie-talkies, which reduces the likelihood of misunderstandings.
• The administrator easily controls the number of users, PTT groups (known as “channels” when using walkie-talkies) and user access.
• The solution can include push-to-talk accessories such as acoustic headsets etc.
• Bluetooth-based PTT buttons can be used in combination with smartphones for instant voice communication.
• It is fast; it takes just hours to roll out a cloud-based PTT service to companies with tens of thousands of users.
• It is easy to connect different organisations with PTT.
• The flexibility to control who receives panic alarms and the routing of voice communication is “game changing” compared with how traditional two-way radios and alarm solutions work.
• The new technology-based smartphones can be easily integrated with existing communication radio systems so that you can benefit from the investments already made.
• With an IP-based PTT solution, services are no longer geographically limited. Now you can communicate with PTT services across borders, globally, and also with users at sea and in aircraft.
Many companies in the security industry have come to appreciate the flexibility of a solution that can be used with different staffing sizes, without having to make major new investments in communication systems. Being able to link staff in a communications network gives them an opportunity to share information and resources in a way that they have not been able to do with their previous traditional communications systems. This is a solution that not only provides the user with an integrated panic alarm in the service, but also saves them money compared with purchasing separate personal alarms for each and every member of staff.

“Substantial savings”

Big security companies have the resources to be at the forefront and adopt new communication solutions; most of them are already rolling out smartphone-based communications solutions. Interestingly, with cloud-based PTT services the barrier to using the new solutions is virtually gone for companies of all sizes, and the SMB (Small Medium Business) segment is a fast mover in leveraging these solutions to get a competitive edge. A real-life example of this is the Norwegian security company Telemark Sikkerhet, which in 2016 wanted to improve communication between its staff and make it more secure. The result can only be described as fantastic. The solution has improved communication in the working process for Telemark Sikkerhet with results such as:
• Improved security surveillance
• Improved competitiveness
• Reduced cost
• Dedicated staff and improved work environment

Smartphones are used to share information and status by both voice and text in order to improve accuracy, traceability and efficiency in communications. Text-based communication adds traceability and clarity to PTT, creating an unbeatable combination. Automated machine-to-machine (M2M) communication is also gaining popularity as a supplement to PTT, e.g. in the airline industry for status updates such as “boarding complete” and “refuelling complete” during aircraft turnarounds. Security companies can use status messages when they arrive at a destination, enter a specific area, have completed a task, etc. to keep guards in their team and the dispatch at the security control centre up to date with the latest status.

Time-limited and defined project tool

Security is perhaps one of the industries that can draw the most obvious benefits from the new advanced PTT group communications solutions. But PTT has also gained interest from organisations in other industries where instant group communications are instrumental, such as aviation, construction/infrastructure, energy and retail. An increasing number of companies appreciate the fact that the new solutions are cost efficient, scalable and flexible, allowing staff groups of various sizes to communicate without having to make major new investments in communication systems. Being able to link people working together in what can be described as ‘time-limited and clearly defined short projects’ in a user friendly communications network gives them an opportunity to share information and resources in a way that they have not been able to do with their previous traditional communication devices. PTT solutions based on standard smartphones and tablets/laptops make task group communications faster, more flexible, secure – and, not least – more cost efficient. It might be the single most efficient and beneficial measure the security industry can implement in its quest for improved packaged services and lower costs.
About the Author: Magnus Hedberg is founder and CEO of the Nordic tech company GroupTalk and CEO of Satpoint. GroupTalk is a leading Swedish provider of enterprise push-to-talk (PTT) group voice communications services. Mr. Hedberg is a serial entrepreneur with decades of experience founding and managing tech companies and an expert in software, technical development and communications solutions. He was one of the founders of Marratech, a Swedish company that produced software for e-meetings, later sold to Google. Magnus Hedberg has an MSc from the Luleå University of Technology in Sweden.
Cyber Security
Blockchain for everyone
By Sarah James, Senior Consultant for CSC

With every new day comes new headlines about the complex and mind-blowing technology of blockchain. It seems everyone, from established companies to venture startups, national governments to international agencies, is jumping into the arena and investigating ways to put blockchain to use. The possibilities for transformation in industries as diverse as energy, insurance, finance, retail and health are huge – but mainstream audiences, those readers outside the blockchain bubble, may be wondering: What is blockchain?

To start, blockchain is the underlying technology for something you probably have heard of: Bitcoin, a digital-only currency. Blockchain enables peer-to-peer technology that permanently records transactions in a distributed ledger. Imagine writing a line in an old accounting book; now imagine that line taking digital form. A transaction or set of transactions (a few pages in your accounting book) constitutes a “block,” which is placed in the blockchain in a linear and chronological order. Once the transaction is complete, the block is formed, and a new block is ready to be created. (Consider this the equivalent of having different accounting books for different purposes, clients, etc.) In order to remain connected with the previous block, the new block contains a “hash” (reference) of the prior block. The blockchain ledger is “distributed” because it resides across a network of servers, which can be served in the cloud, instead of a single server with multiple replicas. So instead of multiple copies of the same accounting books being held by multiple people, a single book can be accessed by everyone. Furthermore, in blockchain, the recorded transactions are not erasable. When a modification occurs for a particular transaction, another connected transaction is required in order to ensure the ledger is correct. In our analogy, this would be equivalent to finding the invoice and linking to the payment.
Now, imagine if you had a way to record information with impeccable accuracy, keeping track of the digital transactions completed by all users of the system, and without the need for a central database. Think about the speed and value that drives. We’d all want to give it a try, right? Well, that is blockchain.

Why is it useful?

The technology (and our analogy) can be applied to any industry where data transactions occur. Blockchain creates a way to manage data much more simply and effectively, and in the cloud. Data can take many forms. For instance, in energy there is the exchange of watts with the grid or the flow of oil and gas; in insurance, the exchange of claims; in finance, currency; in cars, mileage. We could go on forever. Blockchain boils data down to the pure essence of a commodity and helps users make better use of it. It also opens up the marketplace while authenticating users. The source of truth becomes the chain itself, and trust is built into the technology. This idea turns the marketplace on its head and forces us to think very differently about the way in which we do business.

14 | Chief IT Magazine
The socio-cultural evolution
bound to take place as countries and companies embrace this technology will be dramatic, and the consequences are not yet fully understood. My instinct tells me the disruption will be up there with Artificial Intelligence.

What’s next for blockchain?

The magic is in how really smart people will use blockchain to change the world. Bitcoin has thoroughly disrupted the way people think about currency. The same can happen with digital assets, identity authentication, claims, financial transactions, healthcare records, utilities, public records and more. Right now, most uses are in the pilot and exploration stages, but we’re likely to start seeing real-life use cases take shape in the near term. These will have to be scaled up quickly once they get past the proofing stage. And after the technology finds a foothold in specific industries, the long-term potential of blockchain will certainly be very transformative.

Where can I learn more?

I encourage everyone to keep an eye on this exciting field, as it promises to have an effect well beyond the technology space.

This article presents an interesting CIO perspective: http://www.cio.com/article/3055847/security/what-is-blockchain-and-how-does-it-work.html

This video is pretty cool for understanding the technical details: https://www.khanacademy.org/economics-finance-domain/core-finance/money-and-banking/bitcoin/v/bitcoin-transaction-block-chains

Experts such as John Paul Farmer and Brian Forde are doing interesting work in the area of social applications, such as a fraud-free voting system, frictionless transfer and sale of property, and rapid response in the wake of a natural disaster. Watch them discuss their ideas here: http://livestream.com/internetsociety/blockchain

And we at CSC have been considering uses of the technology in various industries, including healthcare and banking. Want to get even more immersed? Shanghai is hosting a blockchain week this September: www.blockchainweek2016.org/index_en.html

There are also the CSC blogs, which are pretty useful, including three references worth a read:
• Blockchain in Healthcare SWOT Analysis: http://blogs.csc.com/2016/01/22/blockchain-in-healthcare-swot-analysis/
• Blockchain in healthcare from theory to reality: http://blogs.csc.com/2015/10/30/blockchain-in-healthcare-from-theory-to-reality/
• Blockchain and Banking: http://blogs.csc.com/2015/03/17/blockchain-and-banking/

Keep an eye out for what else we are up to: with the help of a few CSC friends of mine, we plan to release a few more articles in future editions, looking at the industries to which blockchain applications apply (especially beyond financial services), blockchain (decentralised) versus traditional (centralised) applications, and blockchain security, an area with a lot of fuzzy knowledge about privacy and anonymity.
Integrated Security Fabric delivers business continuity
Fortinet’s end-to-end Security Fabric delivers:
• Transparency at the granular level
Driven by the industry-leading secure operating system FortiOS and powered by the third-generation FortiASIC SOC3 (System-on-a-Chip) architecture, no other security vendor comes close to providing the depth and breadth of security solutions. With the lowest latency on the market and real-time security updates from the global FortiGuard Labs, Fortinet is the security solution of choice for enterprise-level data centres.

Fully integrated
Fortinet’s Security Fabric solutions work together seamlessly to provide trouble-free installation, centralised configuration and ‘single pane of glass’ management. Combined with FortiGuard Labs’ real-time security updates, Fortinet’s Security Fabric will always be armed with the very latest threat intelligence and detection / mitigation algorithms.

Extending security to business continuity
When you install Fortinet Security Fabric solutions, you are investing in business continuity. With Fortinet’s Security Fabric, nothing that happens on your network goes unnoticed: intrusions, data leaks, DDoS attacks, system slowdowns or simply business as usual. Fortinet gives you unprecedented visibility into your network’s performance and virtually eliminates the ‘window of vulnerability’ that can result in interruptions to service delivery.

Validated performance
NSS Labs has awarded Fortinet’s Security Fabric its highest recommendation. NSS certified that Fortinet’s ATP solutions detected 100% of exploits delivered by social media and drive-by downloads. Fortinet has also received NSS Labs’ recommendations for the FortiGate data centre intrusion prevention system, FortiClient endpoint protection and FortiWeb web application firewalls, amongst others. NSS has validated Fortinet’s security effectiveness at above 99%. That, combined with industry-leading performance, delivers what you need to ensure fast, secure operations and business continuity.
AT A GLANCE
• Advanced Threat Protection
FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 6000 firstname.lastname@example.org
FORTINET SECURITY FABRIC CORE SOLUTIONS
Fortinet’s Security Fabric is built around a core set of solutions, anchored by the FortiGate firewalls, that provide security from the server to the smartphone, into the cloud and everywhere in between.
• FortiGate next-generation enterprise firewalls / data centre intrusion prevention
• FortiSandbox, FortiMail and FortiClient advanced threat protection (ATP)
• FortiWeb web application firewalls
• FortiAP, FortiSwitch and FortiCloud secure access solutions
• FortiSIEM, FortiManager security operations and network optimisation
• FortiGuard Enterprise Service Bundle real-time subscription-based security updates
FORTINET SECURITY FABRIC PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS
Prevention is still better than cure

There is still a defeatist attitude resonating through the industry when it comes to security. However, Greg Singh, Lead Technical Engineer for the APAC region at Cylance, argues that security tools should put the focus back on prevention rather than response. After all, isn’t that what the customer expects?
By Greg Singh

Dr Jackie Craig, Chief of Cyber and Electronic Warfare at the Australian Department of Defence, spoke at the recent Australian Cyber Security Centre (ACSC) conference in Canberra. Classifying cyber security as a science, Dr Craig went on to say: “If we had a big science approach to cyber security we could ... begin to educate people more deeply about the types of risks that they're taking if they don't have proper virus checkers.” It all sounded so promising until she mentioned virus checkers. We were hoping that the speakers from the FBI’s Cyber Division might come up with something more radical when they said: “Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and then really strategic [intelligence].” The point being made was that “all the best tools” are still no match for good old human intelligence. I might have agreed to some extent, were it not for the fact that the example given of “all the best tools” was IDS (intrusion detection systems). That, for me, summed up everything that is wrong with cyber-defence today: the emphasis on detection and response, instead of on prevention. Surely, when a company is forking out thousands for cyber security, they are assuming that they are paying to prevent cyber-attacks? And yet there was very little mention of prevention at this year’s ACSC conference. For example, we heard from Latha Maripuri of News Corp, the global information and publishing enterprise behind leading brands such as The Wall Street Journal, whose presentation focused on the attacker only: it was all about how to structure a security program to address modern-day threats. So much for Big Science and Threat Intelligence; it sounded more like a reactive response to try and protect company assets after the burglar has escaped!

The fact that antivirus has failed is no secret. In May 2014, Symantec itself declared antivirus “dead”. Traditional signature-based AV simply cannot keep pace with hackers who can rejig their malware with a few cosmetic touches to make it unrecognisable. As a consequence, anti-virus industry giants have been desperately buying up new technologies to patch up their reputations. So what solutions were being proposed at the ACSC conference? The key words seemed to be “detect” and “respond”. In other words, having given up hope of being able to recognise malware in advance, the focus is now on detecting that something is suspicious and then using detonation or sandbox techniques to see how it behaves before letting it loose in the network. So the first line of defence is the traditional antivirus search for recognised malware signatures; then a virtual machine is started up with the target operating system (typically a virtual PC) and the suspicious code is copied into that “sandbox” to see what it does, given enough time (typically about five minutes). A report is prepared and the VM is shut down and cleaned up. So we should now know whether the incoming code is dangerous.
Sandboxing is a powerful way to detect malware, but it is costly in time and resources. How far do you go in virtualising the potential target? Should you not replicate the entire corporate network to test for a highly sophisticated attack? And five minutes is an eternity by today’s operating standards. What’s more, recent members of the Upatre malware family call the Windows API GetTickCount and will not activate unless the host has been running for more than 12 minutes. In other words, the malware recognises a sandbox VM and refuses to play in it.

Artificial Intelligence is Golden

The ACSC Conference was a disappointment, as no company seemed to offer a truly radical alternative to “detect and respond”. In the past, antivirus has positioned itself as the solution, but clearly this is not enough: what is needed is a Next Generation Anti-Virus (NGAV) that can identify specific attacks and speed the response to them once they are detected. For example, instead of scanning vast databases of hashes, signatures and approved applications, CylancePROTECT makes real-time decisions by comparing against optimally trained statistical models that only need to be updated every few months. Looking for recognized malware signatures fails because cyber criminals simply alter the outer signatures: it is quick and cheap to recycle existing, proven malware by giving it a facelift. NGAV recognition instead looks deep into the coding structure using sophisticated Big Data learning algorithms, so a successful attacker would have to spend considerable time and money developing whole new coding structures, only to have the new attack promptly analyzed and registered in the NGAV system. This is not how cybercrime chooses to operate, because it relies on quick results with minimal investment before the authorities have a chance to catch up.

But if the latest sandboxing solutions are already time- and resource-intensive, surely adding Big Data mining and artificial intelligence to the mix will bring the average corporate system grinding to a halt? Not so, because all of this heavy lifting takes place in the cloud, not in the client’s own system. The local software only has to analyze code in real time against a far smaller set of characteristics, rather than an ever-expanding database of dubious signatures. The software for this approach occupies only 30 megabytes and typically uses less than 1% CPU, making it practically invisible to the user as well as very easy to deploy and administer.

Analogies should always be treated with caution, but try this. In 2003, a group of the world’s most dedicated scientists announced the completion of a 20-year project to map the entire human genome with 99.9% accuracy. Their work has led to many of the scientific breakthroughs we benefit from today. Effectively, NGAV is unlocking the DNA of malware, applying artificial intelligence techniques, machine learning and algorithmic science to dissect the malware almost to a molecular level before it is allowed to enter the network.
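As an added illustration of the signature-versus-structure argument above (this is example code, not Cylance’s or any vendor’s model), the following Python compares a byte-exact SHA-256 signature lookup with a crude structural fingerprint: the set of identifier-like strings, such as imported API names, extracted from a sample. The three byte blobs are constructed stand-ins for executables, not real malware, and the 0.6 similarity threshold is an arbitrary choice for the demonstration.

```python
import hashlib
import re

# Constructed byte blobs standing in for three executables (none is real
# malware). The second is a "facelift" of the first: same imported API names
# and code skeleton, but a changed version string and extra padding.
_IMPORTS = b"LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00CreateRemoteThread\x00"
_CODE = b"\x55\x8b\xec\x83\xec\x10" * 4
KNOWN_SAMPLE = b"MZ\x90\x00" + _IMPORTS + b"build=1.0\x00" + _CODE
REPACKED_SAMPLE = (b"MZ\x90\x00" + _IMPORTS + b"build=1.1-nightly\x00" + _CODE
                   + b"\x90" * 32)   # padding changes every byte-level hash
UNRELATED_SAMPLE = b"MZ\x90\x00" + b"MessageBoxA\x00ExitProcess\x00" + b"hello world\x00"

# Identifier-like runs of printable characters, roughly what `strings` would show.
IDENTIFIER = re.compile(rb"[A-Za-z][A-Za-z0-9_]{4,}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_hit(sample: bytes, signature_db: set) -> bool:
    """Classic AV: the whole-file hash must match a known-bad entry exactly."""
    return sha256_hex(sample) in signature_db


def structural_features(sample: bytes) -> set:
    """Crude structural fingerprint: identifier-like strings (e.g. imported APIs)."""
    return {m.group(0).decode("ascii") for m in IDENTIFIER.finditer(sample)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets are treated as dissimilar."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def classify(sample: bytes, signature_db: set, known_bad_features: list,
             threshold: float = 0.6) -> str:
    """Return 'signature', 'structure' or 'unknown' depending on which check fires."""
    if signature_hit(sample, signature_db):
        return "signature"
    feats = structural_features(sample)
    if any(jaccard(feats, known) >= threshold for known in known_bad_features):
        return "structure"
    return "unknown"


def demo():
    """Classify the known build, its repacked variant and an unrelated program."""
    signature_db = {sha256_hex(KNOWN_SAMPLE)}
    known_bad_features = [structural_features(KNOWN_SAMPLE)]
    return tuple(classify(s, signature_db, known_bad_features)
                 for s in (KNOWN_SAMPLE, REPACKED_SAMPLE, UNRELATED_SAMPLE))


if __name__ == "__main__":
    print(demo())  # ('signature', 'structure', 'unknown')
```

The repacked build fails the signature check because padding and a changed version string alter its hash, yet its structural similarity to the known sample is above 0.8, while the unrelated program scores 0. A real NGAV model uses far richer features and a trained classifier rather than a Jaccard threshold; the point of the toy is only that cosmetic changes are cheap for an attacker but do not move structure-based features.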
Government gets serious

The Australian Government’s recent announcement reconfirmed the level of commitment to cyber security. Instead of the old “keep it under the carpet” policy of not confirming inbound attacks and intrusions, nor the measures used to mitigate or neutralise them, a new “the gloves are off” approach has been announced by Prime Minister Malcolm Turnbull. At the launch of the government’s new $230 million Cyber Security Strategy in Sydney, he publicly announced that “offensive capability” is now a real, live option. There is a lot of good and timely material in the strategy as published, but there is still too much evidence of that detect-and-respond mindset; witness the report’s heading “Detect, Deter and Respond”. The first four essential mitigation strategies are strongly focused on responses to recognised dangers, while the discredited signature-based anti-virus approach has actually been moved up from position 25 (in 2012) to position 22 in 2014 in the “effectiveness ranking”. This was perhaps the best takeaway from the ACSC conference this year, but it fell short in one respect. Let’s make prevention once more our top priority, because ultimately that is what the IT user really expects from the industry.
Insider threat can be eliminated with a proactive approach

The media would lead us to believe that the greatest threats faced in today’s digital business world are ransomware and ID theft. While they may be right, there is an equally damaging malady lurking right under our noses that is often overlooked: insider threat. This article identifies what insider threats are and looks at some of the mitigation strategies we can use to address them.
By Tony Campbell, ASM Correspondent

Just over ten years ago, I attended a conference in London run by GCHQ, the UK’s equivalent of the Australian Signals Directorate (ASD). The theme of the day focused on insider threats, with myriad presentations explaining how UK industry and government agencies should be preparing to detect, defend against and respond to this kind of insidious menace. As each of the speakers took to the podium, we were taken on a journey of fear, betrayal, espionage and human vulnerability that showed the audience just how real and pervasive this issue is. Indeed, for some businesses and government agencies handling particularly sensitive information, the threat from rogue insiders can
become existential if not adequately addressed. As I said, this conference was over ten years ago, and the world has changed incredibly over the last decade: new threats have become chic and newsworthy, while this kind of attacker has dropped off the radar of public opinion. Starting with the 2013 Target attack, in which hackers made off with almost 40 million credit card and debit card accounts from Target’s systems, we entered a new world where large-scale data breaches made news, especially because of their far-reaching impact on society. Since then we’ve seen dozens of big brands in the news, such as Sony, Home Depot and TalkTalk (in the UK), with David Jones and Kmart also being hit here in Australia. We’ve also seen another peculiar trend emerge from the backrooms of security research companies, where new vulnerabilities are marketed with a sexy name, a well-designed website and sensationalist commentary to make them newsworthy. The message is that if the security team is not focusing on these two areas, then they aren’t doing their job right, while all the other threats fall by the wayside. But this approach is wrong. Managing security outcomes aligned with this kind of media sensationalism will only serve to protect one aspect of your castle: you’ll have all your troops at the front gate, not realising your tunnels are unprotected and your streets are full of spies.

The Internal Malady

Security is a process and needs to be tackled in a methodical and sequential manner: start with a threat assessment, then conduct a full audit of your assets, classifying them against a labelling scheme that allows you to a) determine the impact of a loss of confidentiality, integrity or availability, and hence b) the risk to the organisation of that impact being realised. Your threat assessment will undoubtedly categorise a variety of threat actors, along with their attributes, such as the likelihood of them attacking you, as well as their means, motive and intent. One such group is the insider threat actor category, which can be further decomposed into the following subgroups:
• Current employee with standard system access rights
• Current employee with elevated system access rights
• Current subcontractor or partner with standard system access rights
• Current subcontractor or partner with elevated system access rights
When you then consider the three elements of means, motive and intent, you start to build a fairly comprehensive picture of what could happen if any of these threat actors were present in your business and had the associated rights to access information assets.

Who are these Insiders?

Reports of external actors recruiting members of staff to act against their own organisation are common, originating from foreign governments, competitors and organised criminal gangs, all with something to gain. In 2011, the results of a survey conducted by the U.S. Secret Service, the CERT Insider Threat Centre, CSO Magazine and Deloitte showed that the most common crimes perpetrated by malicious insiders were:
• Unauthorised access to or use of corporate information
• Unintentional exposure of private or sensitive data
• Viruses, worms, or other malicious code
• Theft of intellectual property (IP)

History has shown us that few insider threats are acts of impulsive opportunity. Mostly, the crime is premeditated and the motive has come from a change of circumstance, unless it is part of a longer strategy by an external actor, where the employee is a ‘plant’ and has been untrustworthy from the beginning. The majority of actions an insider takes are keenly planned, and they will attempt to cover their tracks as they go. Furthermore, whatever the external influence, something will have affected the internal threat actor to make them act: a mounting gambling debt, an extra-marital affair or an addiction to illicit drugs. Once an external threat actor has leverage over a member of your staff, that person can be coerced into attacking you.

The vulnerabilities that affect insiders are wide and varied. In some cases it may simply be because they have become disillusioned with the company or with the policy of your government. Edward Snowden, for example, has publicly stated that he no longer believed in the U.S. government or trusted the motives behind its national security programs. He felt that its actions and leaders needed to be held to account under public scrutiny, which led to the massively damaging leak of highly sensitive data. It could be that your rogue insider wants to exact revenge on his boss, or on the whole organisation, believing they have been overlooked for promotion or discriminated against. The other category of malicious insiders is those driven by personal or financial gain, who are looking for something that the organisation cannot or won’t give them, especially where they have a personal vulnerability such as gambling debts or a drug habit. The point is, there is no typical profile for what an insider might look like or how they might act, which is the primary reason they are such a difficult threat to detect and a complicated one to deal with.
Innocent Mistakes

The one area of major concern that you can deal with relatively easily is innocent mistakes. If you have not trained staff on how they should behave, how they should act and how they should interact with your systems, then there is little you can do if they do something wrong. A comprehensive security awareness program, with training, exercises and regular communications campaigns, will ensure your security messages get heard. Review your induction program to make sure staff know what to do on the very first day of their employment, so that there can be no doubt about what is acceptable and what isn’t.
Detecting Insider Threat

Audit trails are useful when you already know you need to investigate what someone has been up to. But how do you get a notification of what that person is doing that raises suspicion in the first place? Firstly, audit trails need to be full of rich information that shows exactly what people have accessed, when they accessed it and for what purpose. If you have enough raw log information, you can pivot this data into an investigation tool and hunt down the evidence of a crime. It’s also possible to install a technical system that can analyse what’s considered baseline normal behaviour of staff, so that anomalies are flagged to the security team. You can employ tools that detect and intercept incidents, such as the legacy category of Security Information and Event Management (SIEM) systems most often found in a SOC; however, if you really want to catch insider threats early and respond as efficiently as possible, you need to be proactive. Look for a system that can provide an early warning of which users might turn bad, as well as one that can influence user behaviour before they cause a breach, intentionally or by mistake. These kinds of systems are known as Insider Threat Management systems, and if you are in the market for one you’ll need to make sure it covers all aspects of the threat management lifecycle:

Education. Make sure the product provides the ability to educate staff in real time on what’s permitted and what’s not. Informing users whenever they do something that contravenes policy or could put the organisation at risk is a proven way of influencing and changing behaviour. You can use this to educate the careless but well-meaning people in your organisation, while reducing the likelihood of someone taking advantage of unintentional mistakes.

Deterrence. Deterrence is the process of informing users when they are operating outside policy, which also serves to deter people with bad intentions as they see that the security team is constantly monitoring their actions.

Prevention. Some tools are capable of intercepting and preventing incidents originating from insiders, while real-time education and deterrence can reduce the number of actual incidents that have to be managed by up to 50%.

Investigation. Some tools provide a visual record of user sessions, offering incredibly useful insight into what a user has done, so investigations are resolved faster, which helps reduce the overall risk to the business.

You’ll need to make sure your selection covers each of these stages, since they are all equally important. There must be a focus on real-time education, such as informing users whenever they do something that contravenes policy or could put the organisation at risk. By doing this, you educate the “good” people and reduce the likelihood of someone taking advantage of unintentional mistakes. This process can also serve to deter people with bad intentions, as they see that the security team is constantly monitoring their actions.
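The baselining-and-anomaly approach described above, as an added Python example (not code from the article or from any Insider Threat Management product): it parses a constructed audit trail whose line format is an assumption of this example, learns each user’s usual hours, resources and daily volume from a baseline period, and then flags a later day’s events that fall outside that baseline. The rules are deliberately simple; a product would use far richer signals, but the shape of the check is the same.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail lines (not from any real system). The line format
# is an assumption of this example: ISO timestamp, then user, action, resource.
BASELINE_LOG = """
2016-08-01T09:05:10 user=alice action=read resource=/finance/q2-forecast.xlsx
2016-08-01T10:12:44 user=alice action=read resource=/finance/ap-ledger.xlsx
2016-08-01T14:30:02 user=alice action=write resource=/finance/q2-forecast.xlsx
2016-08-02T09:15:33 user=alice action=read resource=/finance/ap-ledger.xlsx
2016-08-02T11:40:21 user=alice action=read resource=/finance/q2-forecast.xlsx
2016-08-02T16:02:09 user=alice action=read resource=/finance/ar-ledger.xlsx
2016-08-01T08:55:00 user=bob action=read resource=/hr/onboarding.docx
2016-08-02T09:20:00 user=bob action=read resource=/hr/onboarding.docx
"""

# A later day: alice does one routine read, then pulls nine HR files at night.
NEW_LOG = """
2016-08-03T09:10:00 user=alice action=read resource=/finance/q2-forecast.xlsx
2016-08-03T23:41:12 user=alice action=read resource=/hr/salaries.xlsx
2016-08-03T23:41:40 user=alice action=read resource=/hr/salaries.xlsx
2016-08-03T23:42:05 user=alice action=read resource=/hr/payroll-export.csv
2016-08-03T23:42:31 user=alice action=read resource=/hr/performance-reviews.docx
2016-08-03T23:43:02 user=alice action=read resource=/hr/contracts/ceo.pdf
2016-08-03T23:43:29 user=alice action=read resource=/hr/contracts/cfo.pdf
2016-08-03T23:44:10 user=alice action=read resource=/hr/termination-list.xlsx
2016-08-03T23:44:55 user=alice action=read resource=/hr/salaries.xlsx
2016-08-03T23:45:20 user=alice action=write resource=/home/alice/export.zip
2016-08-03T09:30:00 user=bob action=read resource=/hr/onboarding.docx
2016-08-03T10:00:00 user=carol action=read resource=/finance/ap-ledger.xlsx
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+resource=(?P<resource>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "resource": m["resource"]})
    return events


def build_baseline(events):
    """Per user: hours of day seen, resources touched, mean events per active day."""
    hours = defaultdict(set)
    resources = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        user = e["user"]
        hours[user].add(e["ts"].hour)
        resources[user].add(e["resource"])
        per_day[user][e["ts"].date()] += 1
    return {
        user: {"hours": hours[user], "resources": resources[user],
               "daily_mean": sum(per_day[user].values()) / len(per_day[user])}
        for user in hours
    }


def detect_anomalies(baseline, events, volume_factor=3.0):
    """Score new events against the baseline; return only users with findings."""
    def empty():
        return {"off_hours": 0, "new_resources": set(), "volume_spike": False}
    findings = defaultdict(empty)
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        user = e["user"]
        per_day[user][e["ts"].date()] += 1
        if user not in baseline:
            findings[user]["no_baseline"] = True   # new account: nothing to compare
            continue
        profile = baseline[user]
        if e["ts"].hour not in profile["hours"]:
            findings[user]["off_hours"] += 1
        if e["resource"] not in profile["resources"]:
            findings[user]["new_resources"].add(e["resource"])
    for user, days in per_day.items():
        if user in baseline and max(days.values()) > volume_factor * baseline[user]["daily_mean"]:
            findings[user]["volume_spike"] = True
    return {u: f for u, f in findings.items()
            if f.get("no_baseline") or f["off_hours"] or f["new_resources"] or f["volume_spike"]}


def run_demo():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    return detect_anomalies(build_baseline(parse_log(BASELINE_LOG)), parse_log(NEW_LOG))


if __name__ == "__main__":
    for user, finding in sorted(run_demo().items()):
        print(user, finding)
```

In the constructed data alice is flagged on all three counts (nine events outside her usual hours, seven resources she has never touched, and a day ten times her usual volume against a threshold of three times), bob is silent, and carol is reported as having no baseline at all, which is the case a real deployment has to decide how to treat rather than ignore.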
Recommendation

One company of note that is a market leader in this space is ObserveIT. Their technology is specialised in this area and is dedicated to identifying and eliminating insider threats. The product collects a wide range of user-related indicators from anywhere within the enterprise, including application metrics, and has a dashboard that analysts can use to expose these kinds of insider threats, enabling security teams to coordinate responses before the business is impacted.
PRESENTING THE 14TH ANNUAL
National Security Summit
Policy, Surveillance, Interoperability
30 – 31 August 2016 | Vibe Hotel, Canberra

PRESENTATIONS FROM:
• Chief (Ret’d) Mike Fisher, Former Chief of US Border Patrol, CEO, Scorpion Security Services LLC
• Colonel Tom Hanson, Assistant Chief of Staff, G-7, US Army Pacific
• Dr. Marc Siegel, Commissioner, Global Standards Initiative, ASIS International
• Lieutenant General Angus J Campbell, DSC, AM, Chief of the Australian Army
• Michael Pezzullo, Secretary, Department of Immigration and Border Protection
• Admiral (Ret’d) Chris Barrie AC, Former Chief of Defence Force, RAN, Adjunct Professor, Strategic and Defence Studies Centre, Australian National University
• Nicole Seils, Head of Government Relations, Lockheed Martin Australia & New Zealand
• Assistant Commissioner Wayne Buchhorn, Investigations Division, Australian Border Force
• Assistant Commissioner Neil Gaughan APM, National Manager Counter Terrorism, Australian Federal Police
• Jacinta Carroll, Head, Counter Terrorism Policy Centre, Australian Strategic Policy Institute
• Professor Peter Leahy AC, Director, National Security Institute, University of Canberra
• Dr John Moss, National Manager Intelligence, AUSTRAC
• Tony Antoniades, Head of Export Control and Security, BAE Systems Australia
• Todd Smithson, Chief Security Officer & Technology Control Manager, Thales Australia
7 Ugly truths about compliance: A primer for new chief compliance officers
By Jaqueline M. Hummel, Managing Director, Hardin Compliance Consulting, LLC

Many compliance officers live in hope that if they ramp up their persuasive skills, engage employees with spectacular training presentations, and provide succinct and prompt advice, they will receive the respect and recognition that they deserve. Unfortunately, despite all best efforts, compliance officers will struggle to be heard. For those who have just received the dubious honor of Chief Compliance Officer, here are seven ugly truths you should understand on day one.

1. No one reads the compliance manual.

Despite all the hard work compliance officers put into the regulatory compliance manual, no one reads it. That may be an overstatement, but, for the most part, employees remain blissfully unaware that the manual contains policies and procedures for many daily activities, until the Chief Compliance Officer discovers an issue, or a regulator points out a specific passage during an exam. My advice is to consider engaging employees in the drafting and revision of the compliance manual. Set up a meeting with each area within the firm to go over the sections of the manual that apply to that area. Revise the procedures based on the input received, and require supervisors to review and approve them. Supervisors then have accountability for those procedures. Another approach is to read the manual to the employees by providing frequent training. Short, focused training presentations can be very effective. (Free food is also a big draw.) Consider tailoring training to specific areas of the firm,
and work with the supervisor to set the agenda and the best date and time for the presentation. Schedule training during periods when the attendees are generally less busy. Request input from the supervisor to ensure you cover topics that he or she identifies as problem areas, even if they are not necessarily compliance related. Show your willingness to help advance firm-wide goals, as well as your own. Development of a good compliance program is a process; it takes time for everyone to understand their roles. The more you present yourself as a resource and take the time to discuss the goals of the program, the more buy-in you will get. This process can take years, so be patient.

2. Compliance officers don’t get any respect.

Being challenged on your opinions or advice is a fact of life for most compliance officers. Executives, CISOs and Risk Managers require data and facts to support a recommended course of action. Unlike financial services professionals, compliance officers don’t tend to have a track record or a way of comparing services to an existing industry benchmark. To make matters worse, the regulatory rules are vague and advice from regulators is not always clear. Advice from experts may not be specific enough to deal with your firm’s situation. Consequently, compliance officers (and consultants) have to earn respect on a daily basis. This can be accomplished not only through knowledge and experience, but by providing concise and useful advice. Knowledge and experience are meaningless if you can’t deliver your message in a way that your client understands.

My advice is to be prepared. In areas where you know you are going to get push-back, read the underlying rule. Consult your firm’s policy and procedure. Read any materials from the regulators relating to the issue. Look through the materials from the last industry conference you attended. Search the internet for articles written by law firms and other industry experts. Call your contacts at other firms to see how they deal with similar issues. Even if you have dealt with similar issues time and again, it is still helpful to refresh your memory and to see if there are any new interpretations. There may not always be time to do the legwork, and even if you can, there may not be a clear answer. These are the times when you must go with your gut: provide your initial thoughts on how a regulator might view the situation and a recommended course of action. But be prepared to back it up. For high-risk issues where there is no clear path, call in an expert. There are two benefits to this approach: first, you will find out whether the advocate of a particular action is serious enough to spend some money for advice from a knowledgeable law firm or consultant, and second, you will have proof for regulators that you acted reasonably under the circumstances by consulting an expert. At best, the expert will back up your opinion; at worst, you will learn the options available. It also helps to keep up with regulatory issues on a daily basis. Subscribe to blogs, law firm newsletters and SEC updates, and read the news. There are many free sources of information to help compliance professionals keep abreast of regulatory developments.
Knowing your stuff adds to your credibility. Once you are ready to give your advice, boil it down to its essence, with specific action items and recommendations. Those seeking your advice generally do not want to read the regulations or understand all the legal and regulatory fine points. They want to know what they need to do to solve the problem. Giving constructive, actionable advice demonstrates that you can help the firm reach its goals.
3. No one reads past the first three lines of your email. This is a corollary to item 2 above, but is important enough to require further discussion. Many compliance officers love details and have difficulty boiling messages down to their essentials. But people get bombarded by emails, so it’s important to be clear and concise. When a response is required, say that upfront. I recommend using all caps in the subject line: RESPONSE REQUIRED BY JUNE 30, 2016. And then flag these emails with a reminder for yourself, and a reminder for the recipients, to follow up by the deadline. In the body of the email, make sure you get to the point within the first sentence or two. Resist the temptation to provide a detailed explanation. Readers often suffer from email fatigue and seeing more than a screen of text may cause them to hit the “delete” button. If you are responding to a question, the answer should be in the first line of the email. If you need approval or feedback, tell the reader that you need their input on the issue to go forward. Bullet points are also useful to make points without overwhelming the reader with text. You can always attach a detailed explanation to the email; just do not expect that the attachment will be read. 4. If it’s not important to the boss, it’s not important to the employee. This is a hard lesson. When firm management says compliance is important but takes no action to support this statement, the compliance officer’s job is much more difficult. If management is unwilling to put their money where its mouth is where compliance is concerned, the compliance officer’s only leverage are threats of potential repercussions in the event of a regulatory exam or potential lawsuit. For example, if compliance training is mandatory, but the executives do not attend, they send the message that it is not important. 
On the other hand, if the Chief Executive Officer says that failure to complete required compliance paperwork in a timely manner will result in a reduction in an employee’s bonus, employees will be knocking down the Chief Compliance Officer’s door in an effort to meet the deadline. Getting management to buy in to compliance initiatives is a topic that requires more space than I can devote here. It’s good for business because it can help limit liability and preserve a firm’s good reputation. By way of an obvious example, if the Australian Bureau of Statistics (ABS) were to adopt a number of compliance frameworks that can be used to show the general public they are putting all the required security systems in place to protect census data, that assurance would allay some of the fears we are reading about in the media. Perhaps a more chilling example is Volkswagen’s recent scandal. In September 2015, the Environmental Protection Agency (EPA) found that VW diesel cars being sold in the United States had software installed that detected when the cars were undergoing emissions testing, and adjusted the car’s performance to improve the results. Ultimately, Volkswagen admitted to cheating emissions tests in the United States. Since then, the firm’s stock price has plunged, the CEO was forced to resign, the EPA plans to impose fines, and car owners and shareholders are lining up to sue. Although all the facts are not in, it’s entirely plausible that VW’s management approved the installation of the cheating software. And even if management was not aware of the details, the firm fostered an environment that encouraged cheating to boost sales. This is a worst-case scenario and it demonstrates how management’s failure to support and encourage ethical behavior can lead to much more significant financial woes than disappointing sales.

5. You don’t know what you don’t know. Even the most experienced compliance officers can fall into the trap of making assumptions about a firm’s operations and processes. The truth usually comes out as a result of a trading error, client complaint, or, in the worst-case scenario, regulatory action. There will always be unpleasant surprises like these in the life of a compliance officer. The best way to deal with them is to keep an open mind, and be willing to dig down through the smallest details to understand a process. This means developing standard operating procedures for all areas of the firm, and understanding the root cause of failures. Although it’s not the compliance officer’s job to write all the standard operating procedures for the firm, you can review and test these procedures to see if they are sufficiently detailed and robust. The compliance officer can also listen and observe. Have the employee responsible walk you through the process step by step, and ask questions. Watching the process from start to finish, or even performing the task yourself, may help you learn what you don’t know. It’s also a good idea to leave your desk and walk around the office regularly. Attend other departmental meetings and listen. Build relationships with people from all levels of the organisation. By making yourself available and visible, people will bring their concerns to you.

6. If it’s not documented, it didn’t happen. This is a lesson learned from numerous compliance examinations.
Although an investment adviser might do the right thing, if there is no documentation to show that it was done, for all practical purposes, it did not happen. Most advisers maintain a set of auditable records, but until Australia adopts compliance obligations, even in the area of mandatory breach reporting, records will largely be down to local discretion and may not even serve the purposes of a compliance assessment, should one occur. The government will expect advisers to maintain a variety of records that will be evidenced at various stages of a compliance examination. Here are a few examples of records that are not collected by default, but should be considered:
• A current inventory of the firm’s compliance risks that forms the basis for its policies and procedures.
• The names and location of all service providers and the services they perform, for both affiliated and unaffiliated providers.
• Information about the due diligence process used to initially evaluate, and thereafter monitor, the work provided, and how potential conflicts and information flow issues are addressed.
• Documentation of employee access controls (e.g. electronic key card entry, locks, security cameras and guards) to physical locations containing customer information (e.g. buildings, computer facilities and storage record facilities).
• Information about the oversight process the adviser uses for any remote offices and/or independent advisory contractors, and any policies and procedures with respect to such oversight.
Compliance officers should look for pre-existing compliance audit reports along with findings relating to the latest hot topics, which can identify what regulators will expect to see.

7. It’s easy to say no, hard to say yes. Most compliance officers are aware of this truth – this is a lesson for the rest of the firm. Saying no is easy; it requires no additional work or thought on the part of the compliance officer and eliminates risk. To say yes, a compliance officer has to think, research and provide options, which takes time and effort. If you always say no, however, firm employees will stop coming to you for advice and guidance. You will not be consulted when new products are being developed, new marketing efforts are proposed, new types of clients are being sought, and new technologies are being explored. If the compliance officer is not aware of what the firm is doing, then he or she is not going to be effective. My advice is to take advantage of ‘teachable’ moments. For example, take the situation where your marketing team asks if they can use back-tested performance for a client presentation. If they expect an answer immediately, you’ll almost certainly have to say no. However, if they are willing to wait a day or two while you come up with a way to get the same message across, using extensive additional disclosure or a slightly different approach, the results will then show the marketing team how a collaborative approach works for everyone. The goal is two-fold: getting firm employees to consult you early in the process and demonstrating your willingness to find solutions to meet their goals.

Coming to terms with these ugly truths is not easy. But if you accept them and manage your expectations accordingly, you will decrease your stress level and be more effective in your job.
The safe city and its need for interoperability
by Per Björkdahl, ONVIF Steering Committee Chair
Most people today who live in cities, particularly large ones, have become accustomed to a relatively high level of general and public surveillance, whether it is the police patrolling the streets, cameras in shopping malls or intelligent security solutions deployed in public transportation systems. Many feel that as long as these systems benefit them as citizens and keep them safe, general surveillance can be accepted and people feel safer as a result. It has become part of the fabric of 21st century life for many.

Many of us value individual safety, especially in cities. Physical security systems are capable of delivering exactly that to citizens, though the management and operation of these systems can be challenging at times. Cities today often use video management systems or other platforms to view camera footage, protect citizens and property, analyze incidents, evaluate security and to help them determine appropriate responses to events such as natural disasters, disruptions to transportation and other municipal services, and other threats to public safety. They may also use intrusion, access control, building automation and fire detection systems in their management of a city’s security, in conjunction with video surveillance. Cities implementing this connected security approach have been dubbed ‘safe cities.’ Most safe cities share a common infrastructure and operate using sensors and/or cameras over a shared municipal network. Using these sensors and the data
from many different devices synthesized through one interface, government officials and law enforcement are afforded a total, holistic view of a city’s security.

Integrating the Many Parts of a Safe City
The integration of all of these systems enables a municipality to manage its security comprehensively and from a single point of view from the command center. If, for example, there is a leak in a water main, the city’s command center can quickly review video footage from a camera positioned at the leak’s physical location, check access control data to see why and how the gate to the water main is open and determine who was the last employee to enter the restricted area. At the same time, the command center can use cameras on the street to monitor street flooding and assess damage to surrounding areas.

There are operational challenges that accompany the many systems that are included in a safe city deployment. Interoperability continues to present one of the greatest challenges, particularly with video management systems, video recording devices and cameras. The most common scenario is that municipalities have several different management systems for city operations that were created by different manufacturers, each with proprietary interfaces for integration. In order to connect its different systems together, cities
often end up employing a “build once and maintain forever” approach, in which the continuing cost for integration of the city’s systems becomes prohibitively expensive. In a world where technology and features change quickly, the ‘build once and maintain forever’ scenario is not practical or attractive, as it severely limits an end user’s ability to try new technology and/or different vendor’s products and requires a substantial financial commitment to those specific manufacturers and proprietary interfaces. Another approach that some end users and integrators take is to deploy products from a single manufacturer in order to facilitate systemwide integration. However, this approach can also have an undesirable result: it stifles an end user’s ability to add new products from other vendors and locks an end user into a long-term commitment with the manufacturer.
Enter Standards
This is where the need for robust and well-defined standards comes into play, particularly for video surveillance, which is most commonly at the heart of safe city deployments. Standards, such as those from ONVIF, an industry alliance that offers standardized interface specifications for video security systems and physical access control systems, provide the common link between disparate components of these systems. Designed specifically to overcome the challenges in multi-vendor environments, ONVIF’s common interface facilitates communication between technologies from different manufacturers and fosters an interoperable system environment where system components can be used interchangeably, as long as the devices conform to the ONVIF specification.

Since 2008, when ONVIF was founded, the organization has published a number of specifications and profiles for effective integration of devices and clients in the physical security industry. For video security systems, ONVIF has released Profile S for video streaming and Profile G for storage and playback. Currently, Profile Q for easy deployment is in its release candidate state, scheduled for final release in July this year.

In a safe city scenario, much of the recorded video from video security systems is used to conduct post-event forensic investigations, where operators analyze a specific incident or series of incidents and determine suitable actions, which often requires coordination with local, county, state and sometimes federal law enforcement officials. Video clips are exported to provide authorities identification of suspects or for evidentiary purposes during prosecution.

The challenge in a multi-vendor environment is that authorities often receive exported video material in a multitude of formats with a multitude of players for playback. Here, a standardized approach for both file format and associated players, which ONVIF’s specification provides, increases the efficiency of the process and also adds the potential of including metadata in exported materials and reports, which determines the exact time and location of the recorded incident. ONVIF has also released an export file format specification that outlines a defined format for effective export of recorded material and forensics. These specifications together make it possible not only to integrate devices in multi-vendor video security system deployments in safe city environments but also offer an effective common export file format that can streamline a post-event investigation where authorities are trying to react as fast as possible to apprehend suspects or to defuse an ongoing situation.

Other standards organizations outside the physical security industry have identified the need for standards in effective Safe City deployments, such as the International Electrotechnical Commission (IEC) and the Institute of Electrical and Electronics Engineers (IEEE). IEC has initiated a Systems Evaluation Group - Smart Cities, SEG 1, a group that will evaluate relevant works and propose a standardization roadmap for smart cities, a term often used synonymously with safe cities. The group will also provide a mapping of closely related activities in cooperation with the International Organization for Standardization (ISO) and other organizations, going forward.

ONVIF has been working with the IEC on standards for the physical security industry for several years. In 2013, the IEC included an ONVIF specification in its IEC 62676 standard for Video Surveillance Systems, the first international standard for video surveillance systems to be established. The ONVIF specification for video, which defines the video transmission protocols for communication between network video clients and video transmitter devices, is based on Web Services and is referenced in IEC 62676 Part 2-3. This year, IEC will include an additional ONVIF specification in an IEC standard, this time with ONVIF’s specification for Electronic Access Control, in the IEC 60839-11 System and components requirements standard for Alarm and Electronic Security Systems, based on Web Services. The specification includes minimum functionality, performance and testing methods for electronic access control systems and components used for physical access. The inclusion of ONVIF’s specification in the two standards mentioned above indicates a steady continuity in the use of standards in the industry.
ONVIF Members’ Safe City Solutions
Several ONVIF members are using ONVIF’s specifications in the large-scale deployment of video surveillance systems. Two of these, Meyertech and Huawei, have used ONVIF prominently in safe city deployments in large cities. In 2014, ONVIF member company Meyertech helped the city of York, U.K., to deploy a safe city solution for the city’s public spaces and transportation system. Using Meyertech video management software and information management software, the city was able to integrate IP cameras with the many legacy systems for its York Travel and Control Centre command center. The city’s control room monitors more than 150 cameras from different manufacturers in the city and city representatives say the new system has had an immediate impact on crime rates. The integration of legacy and new IP cameras with the new VMS, which interfaced with the information management software, was made possible through ONVIF’s video specification.

Another ONVIF member, Huawei, is considered a leader in smart city solutions. Huawei has deployed smart city solutions in Nairobi, Kenya, and in China in the cities of Nanjing and Shanghai. Huawei’s video management system was used in the Shanghai project as part of the Chinese Ministry of Public Security’s safe cities construction initiative. One of the key challenges of the project was to integrate old and new technology. Huawei’s VMS used ONVIF to integrate the cameras from manufacturers Dahua, Haikang, AXIS, SONY and other brands.

A Multi-discipline Physical Security Standard?
At present, physical security’s role in safe cities is primarily through video surveillance, a key part of safe city deployments. Physical security is also playing a substantive role in the Internet of Things’ evolution. ONVIF’s vision is that all physical security systems will eventually have the same interfaces for interoperability, and it is dedicated to facilitating the work of its members in developing a multi-discipline standard. Such an all-encompassing interface would provide a comprehensive approach to interoperability that would satisfy the core elements of video surveillance, access control and other essential operations of a safe city command center. Because safe city deployments and the Internet of Things concept operate on the same principles of connecting disparate systems and devices together, a multi-discipline physical security standard would no doubt also play a role in the further development of the Internet of Things.

Many of those in the technology industry at large see standards as an important component in both safe cities and the IoT. The IEEE (the Institute of Electrical and Electronics Engineers) is already working on IoT standards for technology-based industries and some even predict that we may see global IoT standards in place by the end of this year. If an IoT standard is developed, this will likely have an influence on safe city deployments. As standards and industries collaborate even further than they already have and establish minimum interoperability standards together, the need for a multi-discipline physical security standard may present itself. A day will come when it makes the most sense to do so, rather than creating proprietary multi-discipline systems. We’re not at that point yet, as an industry, but a multi-discipline physical security standard is certainly somewhere on the proverbial horizon.
CYBER SECURITY TRAINING & AWARENESS COURSES, WORKSHOPS & E-LEARNING Frontline
• FOUNDATION CERTIFICATE IN INFORMATION SECURITY (FCIS) • CYBER SECURITY INVESTIGATIONS & INTELLIGENCE • CYBER ATTACK-RESPONSE DRILL (CARD)
FROM ENTERPRISE AWARENESS TO FULL CERTIFICATION
SUITABLE FOR: LAW ENFORCEMENT, REGULATORS, JUSTICE MINISTRY HEADS, INFORMATION TECHNOLOGY / IT MANAGERS, INFORMATION SECURITY OFFICERS, NETWORK ENGINEERS / SUPPORT, HEADS OF PROCUREMENT / BUSINESS DEVELOPMENT, FACILITY AND SECURITY MANAGERS, HUMAN RESOURCE / TRAINING MANAGERS
www.amlechouse.com
INVITATION
EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR
5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com
MySecurity Media will manage all logistics, such as flight/hotel bookings for the visiting delegation. 2015: 7,807 Visitors & Delegates 2017: 300 Exhibitors
Some of the main topics:
• IoT, cybersecurity, big data analytics
• Biometrics
• Genetic & synthetic biology
• Safe cities
• Robotics
• Unmanned/artificial intelligence
• Face recognition
• Forensics
PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE:
Email: email@example.com
Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators.
Visitor profiles: www.interpol-world.com/visiting
“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” -Ian Readhead, National Police Chiefs’ Council, UK
Express interest in joining us at this exclusive event firstname.lastname@example.org
29-30 November 2016 Australian Technology Park, Sydney, Australia
Building the Digital Utility
Free to attend includes: 8 Focus Groups, Startup Zone, Innovation Zone, Technical Zone
Track 1 of the conference on both days Maintenance & Operations (Day 1) & Intelligent Buildings (Day 2)
REGISTER YOUR FREE EXPO VISITOR PASS NOW email@example.com | +65 6590 3970 | www.australian-utility-week.com
EXPLORE. EXCHANGE. EXCEL.
Boost Your Cyber Security Knowledge Join the Experts at CSX 2016 Asia Pacific
Cyber threats affect your enterprise every day. Threats don’t take holidays and they are becoming more intrusive and potentially devastating. Stay ahead of the most critical issues, meet global colleagues and find effective solutions to the ever-changing security landscape at the must-attend event of the year—CSX 2016 Asia Pacific Conference. Build your cyber security knowledge and leadership skills as you learn about new tools and trends from globally renowned speakers. Test your skills and compete in the innovative new CSX Cyber Challenge. Hosted by ISACA’s Cybersecurity Nexus (CSX), this event brings together many of the brightest minds in information systems and cyber security. Take the next step in protecting your enterprise and boosting your career.
Earn up to 32 CPE hours.
Register by 4 November 2016 and Save! 14 – 16 November | Singapore Presented by ISACA®’s Cybersecurity Nexus™ (CSX).
Building a national security fabric: The Fortinet approach
By Gary Gardiner, Director of Engineering & Services, ANZ at Fortinet
‘If we don’t hang together, we’ll surely hang separately.’ Benjamin Franklin’s (the face on the American $100 dollar note) quote is as valid today as it was 240 years ago. Building a strong national response to network security has to be a coordinated, nation-wide effort. Otherwise Australian organisations are sitting ducks. Right now Australia’s national security landscape is comprised of thousands and thousands of discrete, individual networks that, in effect, operate in a network security vacuum. There is no significant nationwide policy to share expertise, identified threats, work-arounds or even to alert organisations of the latest malware infections. We have thousands of organisations each duplicating efforts, playing catch-up and, unfortunately, leaving the doors and windows open for cyber criminals.

Technology in-place
It doesn’t have to be this way. The technology is in-place to share network security information in near realtime. The challenge is, that for far too long, organisations have viewed their network security policies and practices as their own intellectual property. And fair enough. Businesses have invested significant resources into developing security policies, buying, leasing or subscribing to cloud-based security infrastructure and training up their IT staff. But they haven’t been able to take advantage of the efforts of their peer organisations that are doing exactly the same thing. There shouldn’t be competition around network security. There has to be cooperation. Of course many organisations see their network security as a competitive edge,
especially in the managed security services market. We’re not advocating a wholesale ‘open source’ security policy. What we are promoting is the real-time sharing of threat intelligence across all sectors. We’re not asking how an organisation identified a fast-moving ‘zero-day threat’ – that is and should be proprietary. All we’re saying is that once that threat is detected and analysed to create mitigation procedures, there should be a mechanism to release this information to the public.

Extending the reach
Fortinet, amongst other leading security vendors, has these capabilities already in place. Right now these capabilities are available to our client base as part of our Advanced Threat Protection (ATP) and FortiSandbox solutions and we are extending these capabilities to the endpoint, access layer, applications, the cloud and even into IoT-enabled devices. What we really want to do is expand this process so that any malware that we detect and the mitigation procedures that we develop are pushed out to the wider community. While we would like to see a wider adoption of Fortinet equipment in the marketplace, we fully understand that there are other players on the market and that many organisations have invested heavily in their security solutions. Indeed this is the whole idea behind a national security fabric. Our clients could benefit immensely if they were alerted to malware picked up by a competing vendor’s security solution. There is a time and place for competition. But there is an equally compelling rationale for cooperation, especially if it results in the rapid dissemination of mitigation procedures for zero-day threats.

Supporting a national Cyber Security Strategy
Fortinet isn’t alone in advocating such an approach. Australia’s recently released Cyber Security Policy advocates strong cyber defences with a specific goal of ‘establishing a layered approach for sharing near realtime public-private threat information through joint cyber threat sharing centres, initially piloted in a capital city and an online cyber threat sharing portal.’ The need is clear. The tools are in place. The benefits are manifest. What it will take is coordination. Fortinet is in initial communications with various government agencies to extend the reach of ATP, FortiSandbox and the hundreds of researchers at our international FortiGuard Labs to a wider audience. We call on other security vendors and private industry to join us to work together on these initiatives. Our combined resources can and will overwhelm the resources that the bad actors can employ. It’s a strategy that we must adopt. Otherwise we will always be in react mode instead of leading the charge.

About the author
Gary Gardiner, Fortinet’s senior security executive in ANZ, is a seasoned network security professional with hands-on and management experience in every aspect of security across many different vendors, solutions and verticals. As a technologist, he understands the challenges and solutions. As a ‘C-level’ executive, he also is acutely aware of the drivers and challenges facing Australian organisations.
Working together towards a Cyber Smart Nation
By Allan Mouawad, Fortinet Network Security Academy Project Manager
There is no shortage of hackers, cyber criminals and rogue operators. And why not? The hours are short, there are no dress codes nor long commutes and the pay is great. Legitimate network security specialists, on the other hand, are in short supply. Indeed, finding people who understand simply the basics of network security is a tough ask for many Australian businesses. And once a business trains up their security staff they are lured away for more pay to a company with deeper pockets. No wonder network security is one of the key concerns of CIOs across the country. This lack of network security specialists and practitioners is made abundantly clear in the recently announced Australian Cyber Security Strategy. It states that “the information security field is expected to see a worldwide deficit of 1.5 million professionals by 2020,” and calls for “programs for all people at all levels in the workforce to improve their cyber security skills and knowledge starting with those in executive level positions.”

Introducing the Fortinet Network Security Academy
Fortinet takes these concerns seriously. Over the years Fortinet has offered a wide range of training and certification programs in Australasia for Fortinet staff, Partners and clients. But as the requirement for more security-aware staff in government, industry and education has grown exponentially, Fortinet has recognised the need to expand training and education offerings to a much wider audience. As a result, Fortinet is introducing its industry-recognised training and certification program, called the Fortinet Network Security Academy (FNSA), into Australasia. Working in tandem with TAFEs, tertiary institutions and private training facilities, the FNSA is designed to give students a firm understanding of the dynamics at play in network security, training in developing and deploying network security policies and hands-on knowledge of techniques to enforce network policies in the workplace.

Work in progress
Right now Fortinet is in discussions with a number of learning institutions to roll out the FNSA across the region. “We have developed a curriculum that has proven successful overseas,” says Jon McGettigan, Senior Director Australia, NZ & South Pacific Islands at Fortinet, “and have a number of highly experienced and qualified trainers who have the technology transfer skills to fast track the program once it gets started. What we need now are educational partners.” Ideally the FNSA curriculum would be incorporated in already existing STEM (science, technology, engineering and mathematics) programs but that is in the future. “We can roll out our FNSA course work almost immediately,” says McGettigan. “We offer short courses, workshops, more advanced course work and certifications either at a learning institution, business or conference venue. There will be no shortage of prospective students. We are looking for educational partners who can take our initial material and build on it for their particular stakeholders.” An added advantage of the FNSA is that students who complete the program will have a globally recognised certification. “The training is fully certified,” notes McGettigan, “so that graduates will be able to advance their careers. This particular aspect is a powerful incentive for people to take advantage of the FNSA offerings.”

Fast track deployment
Fortinet is in a position to fast track deployment. Most of the development work is done and Fortinet has a team of ‘train the trainer’ experts on staff. “It will not require a huge build up,” concludes McGettigan. “There is a pent up need for this type of network security training. But it does take a certain commitment on the part of educational institutions. We are a hardware vendor, not a training organisation. We have developed the programme. But now we need partners to roll out FNSA as far and as wide as possible. If we are to build a ‘Cyber Smart Nation’ we need to move quickly.” Both Fortinet and Australian Security Magazine are actively soliciting feedback and partnerships with TAFEs, tertiary institutions and private security and training firms. If your organisation wants to be part of the solution, please contact Fortinet on anztraining@fortinet.com. We look forward to hearing from you.

About the writer
Allan Mouawad is Fortinet’s senior technology transfer specialist in Australasia and is spearheading the Fortinet Network Security Academy initiative. With more than a decade of hands-on experience on a wide variety of security-related systems and the holder of many advanced industry certifications, Allan is focussed on technology transfer and building a broad base of cyber security awareness across the region.
By Tony Campbell, ASM Correspondent
The UK's National Crime Agency (NCA) has recently published its Cyber Crime Assessment 2016 [1], highlighting the enormous number of cyber-attacks targeting the UK. Unsurprisingly, the report says, "A cyber attack that poses an existential threat to one or more major UK businesses is a realistic possibility." Over the past twelve months, over 2.46 million incidents were reported, including 700,000 cases of fraud, originating from just a few hundred criminal gangs. The volume of attacks endangering UK businesses is staggering, and we've certainly not seen statistics like this in Australia. So, does this mean the threat we face here at home is a lot less?

If we look at the threat actors, it's the same selection of Russian, Chinese, European and American cyber criminals who perpetrate the majority of the world's cybercrime. These organised criminal gangs are the most successful and well-funded cybercrime operations on the planet, and they threaten Australian businesses just as much as they threaten those of any other nation. Nevertheless, it's our government's response to the threat that I find the most interesting. The NCA says the UK government will spend £1.9bn (approx. $3.5bn AUD) over the next five years to help bolster the nation's cyber-defences. Prime Minister Turnbull pledged $33 million AUD at the recent launch of Australia's Cyber Security Strategy to address the problem here at home. That's less than 1% of the UK's budget to fight exactly the same threat. Furthermore, the majority of the Australian budget will be used to swell the ranks within government departments, such as ASD, and to move the ACSC into new accommodation, so the investment left to improve our nation's defences and create a "Cyber Secure Nation" is somewhat unimpressive.

The existential threat referenced by the NCA is also mentioned in the ACSC's Cyber Security Survey [2] (albeit a year old). The ACSC recognises that "the cyber threat facing Australia is undeniable and unrelenting." In the period covered by the ACSC's survey (2014-2015) CERT Australia was called in to deal with 11,733 cyber security incidents affecting Australian businesses, of which 218 were attacks on national critical infrastructure and government systems. Compared to the 2.46 million incidents in the UK this seems like a much smaller problem, but we know that under-reporting is a massive issue everywhere, so these numbers should be treated as a fraction of the real number of attacks: the threat is real and persistent.

The NCA says that under-reporting of cyber-related incidents prevents it from understanding the full extent of cybercrime in the UK. This has a knock-on effect of hampering law enforcement agencies' preparedness to counter the threat, since there is still not enough information on the operating models the cyber criminals use. The UK has had mandatory breach notification rules in place for some sectors for years, which Australia has not, so it's little wonder that under-reporting is an even bigger issue here. We know that here in Australia under-reporting is a massive problem, which is why the ACORN website [3] was set up by the AFP as a national policing initiative of all states and territories to allow anyone to securely report instances of cybercrime. With the statistics gathered through ACORN, the government can then decide just how real the problem is, and hopefully invest enough money to allow our law enforcement agencies to start tackling some of these big, international issues.

Who are the bad guys?

Russia is home to some of the most successful organised cybercrime groups. Some reports suggest their aptitude for cybercrime stems from the Cold War, with ex-KGB spies now commercialising their tradecraft for black-market profit. The so-called Russian Business Network (RBN) has shown incredible resilience to international law enforcement attempts to take it offline. Journalist Brian Krebs's account of the RBN in his book Spam Nation [4] is an eye-opening account of how deep corruption runs in Russia and of how Russian cybercrime groups continue to profit. If you want to know more about Russian cybercriminals, read Krebs's book. A variety of very capable cybercrime organisations also operate out of Africa. Ghana and Nigeria are the two biggest exporters of hacking, with Ghana being extremely advanced in terms of its technical capability. Nigeria, on the other hand, is not as technologically advanced as Ghana, but is certainly rife with cybercriminals looking to target Western countries.
The so-called Nigerian 419 scams have been in the press many times before; the name comes from section 419 of the Nigerian Criminal Code, which reads, "any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years." For more details on the extent of Nigerian scams, take a look at the Geektime report [5].

The last aspect of cybercrime worth looking at, from the perspective of the threat actors, is the state-sponsored activity originating from China. Unlike the Russian and African cybercrime gangs mentioned above, much of the hacking undertaken from China has a state-directed economic intent, with links to both industrial and international espionage. In 2015, for example, the Federal Bureau of Investigation assessed that the Chinese government was behind the massive attack on the US Office of Personnel Management. The perpetrators made off with the records of over 21.5 million people who had undergone US government background checks, including 5.6 million sets of fingerprints. The bulk of what was stolen was Standard Form 86, the form used for government security clearance applications. Each record comprises a complete history of the applicant's life: friends, family, run-ins with the law, sexual history, drug or alcohol abuse, medical conditions, as well as copies of every kind of identification document the applicant owned. This is a true treasure trove for cybercriminals, from the perspective of identity theft, and for foreign intelligence services, from the perspective of espionage. Clearance details for staff with access up to and including TOP SECRET were taken. This problem will affect the US government for the next 30 years, until all those people have retired and can no longer pose a threat to national security.

Fighting Back at Cybercrime

In the 2015 Strategic Defence and Security Review, the UK Government made building cyber defences a Tier 1 priority, doubling the investment from previous years. This included building a National Cyber Security Centre to perform a similar function to that of the ACSC, along with myriad support for businesses, including two new innovation centres to nurture talent and drive growth. The Australian Cyber Security Strategy also shows that Australia is raising the bar in an attempt to fend off this global scourge, albeit with limited funding. However, is there more that can be done?

The reality is that individuals and corporations need to assume that their systems have already been compromised. Only then will industry's and government's focus shift to protecting the national infrastructure we all rely on. There is no easy way to combat cybercrime, and it's as much about educating individuals as it is about putting in technical controls such as firewalls, IPSs and content checkers. People are usually the weakest link in the chain, so unless we educate people not to click on the links they receive from Russian spammers or Chinese spies, we'll always be on the defensive.

Adopt a security framework and make sure it has been operationalised, rather than just documenting a lot of processes that are ignored until audit time comes around. ISO 27001 is a good place to start, since it's an international standard that is well respected and widely adopted. But don't stop there: you need to make sure that your staff are living and breathing security in their everyday activities. It takes just one slip of attention, one double-click while running on autopilot after lunch, for your whole organisation to be compromised, so regular, immersive training and awareness programmes are needed, with cyber drills showing staff what can go wrong and just how easy it is for them to be the weak point in the company.
Website references
1) www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016
2) www.acsc.gov.au/publications/ACSC_CERT_Cyber_Security_Survey_2015.pdf
3) www.acorn.gov.au
4) http://krebsonsecurity.com/tag/russian-business-network
5) www.geektime.com/2014/07/21/millions-of-victims-lost-12-7b-last-year-falling-for-nigerian-scams
The non-IT expert’s guide to surviving a cyberattack
By Lex Drennan
Cyber-crime is one of the fastest growing industries in the world. In the last year, it is estimated that cyber-crime cost business over $400 billion, including reputational damage, the cost of remediating breaches and interruption to normal business operations. There is no doubt that the real figures are higher due to under-reporting, and the cost is projected to reach a staggering $2 trillion by 2019. The risks arising from cyber-crime are clearly top-of-mind for the C-suite, and those concerns are only likely to increase as the cyber-crime industry grows increasingly sophisticated. This rising level of concern reflects awareness that cyber-crime is no longer "just an IT issue". The mode of business interruption may be through information technology, but the impacts are organisation-wide and have the potential to destroy businesses.

The most common types of cyber-attack fall into the categories of ransomware, data theft and malicious interruption. Whilst the technical details of these attack modes are relevant at the operational level, at board level it is necessary to understand the type of attack, as it has a significant bearing on your response options and the management strategy you implement. The following scenario will call on the skills of the whole executive team to address it, whether you consider yourself an IT expert or not. This is the nightmare scenario: compromised systems, breach of privacy, harm to customers and significant reputational damage. Nonetheless, an executive team can take immediate and critical steps to minimise the extent of such a breach.
1) Establish Management Control

With a sudden-onset critical incident, employees and customers will naturally look to the business' leaders to see who is in charge. There is often a grace period in which customers and the general public will sympathise with a business as the victim of an attack. However, this grace period does not last long. The absence of clear, strong leadership by the executive team can be taken as a sign of incompetence, rapidly turning a potentially sympathetic audience into a hostile one. For organisations that have pre-defined Crisis Management Plans, this is the time to activate them. Often businesses take a 'wait and see' approach to activating these plans, fearing that they may be crying wolf. However, any time lost at the commencement of managing a crisis cannot be regained, and will immediately put the business on the back foot. It is essential that the management team rapidly assemble to assess how serious the incident is and its potential for escalation and, most importantly, to communicate these actions to staff and customers.

2) Address the Technical Issues

Whether or not you understand the technical aspects of a cyber-attack, you cannot back away from building a strategy to address it. If your business is large enough to have in-house IT staff, call on them. They may not be cyber-crime experts, but asking questions is the best and only way to establish the boundaries of what you know and what you don't. From there, you need to determine whether you will call in outside help. Many businesses specialise in providing cyber-attack support, in addition to the advice available to businesses from CERT Australia, the Australian Government's Computer Emergency Response Team. Regardless of the choice to in-source or seek out-sourced expertise, your next priorities are to:

• Confirm the validity of the data leak. Knowledge is power. If the leaked data is genuine, this will shape a very different management response strategy from that for a false claim of data theft. The process of validating the data may take some hours, so rapid commencement is vital.
• Identify and close the breach. This process may take days to many months to complete. It is methodical, detailed and painstaking. The ongoing exposure will pose a continued challenge to the business and the management team as it seeks to reassure staff and customers that the issue is under control.

3) Assess the Extent of Business Interruption

Again, knowledge is power. To build an appropriate response strategy, you need to understand what parts of the business have been affected. In part this is a question of what data has been leaked. It is also a question of what other parts of your business' IT systems have been affected. Anticipate that clearly establishing what has been impacted and what has not may take some time. The picture will become progressively clearer over a period of hours, and potentially days. In the meantime, it is necessary to plan and act on the basis of what you do know. This is where ensuring you have the right people in the room to assist decision making is essential. Whilst the incident may directly affect only IT systems, it has the potential to cripple the business, so it is important to consult with operational teams to truly understand the impact of system outages on productivity. The business may be able to continue working almost as usual, suffering only productivity reductions due to delays and inconvenience. Or, if critical systems such as CRM, billing or logistics are compromised, it may be necessary to revert to paper-based workarounds supported by extensive customer outreach. Understanding the criticality of individual systems and developing workaround options will enable your business to continue to function whilst the technical aspects of the incident are resolved.

4) Communicate Early and Often

Communicating all of this complex and continually evolving information to staff and customers is a difficult challenge. In a rapidly moving media environment, poorly managed or ineffective communication can allow a media firestorm to develop, leaving the business with two major issues to manage: the cyber-attack and the media firestorm. Following a breach resulting in the release of personal data, a business has very few communication options available to it. As Symantec noted in its 2016 Internet Security Threat Report, "Transparency is critical to security". Efforts to hide the extent of the hack, to shift blame or to deny responsibility will only compound the difficult circumstances faced by the business. Once you have confirmed the data leak is real, your response strategy needs to focus on minimising further harm to customers, and your communications strategy should support that. You can expect that every communication channel available to the public, from Twitter to snail mail, will see a major spike in activity. One of the biggest mistakes businesses make is failing to anticipate this deluge, not preparing key messages for rapid response and consequently responding slowly, inaccurately or not at all. Although the situation will change rapidly, and at the outset the business may face many unknowns, it is important to lead the communication process rather than react to mounting customer anger. Given all the uncertainties, your communications must be regularly updated. Further, as the incident runs into days, then weeks and months, your communication strategy must evolve to reflect the organisation's changing objectives. In the immediate term, communications should focus on sharing known information and dispelling rumours. In the short term you should focus on communicating the extent of the damage and reassuring customers that you have a clear strategy in place to address the issue. Over the medium to longer term, your focus will shift to rebuilding your brand and customer confidence. Honesty, and communications centred firmly on your organisation's values, is the only path that will allow a business to survive a cyber-attack and salvage its reputation. A major hack will disrupt normal operations for weeks to months and will occupy a disproportionate amount of the executive team's time.
However, beneath all the noise, the business must continue to operate, serving its customers and sustaining its revenue and market share. Strong leadership, regular communication and clearly articulated values provide the basis for an effective management strategy. With a clear understanding of the nature of the attack and its current and potential future impacts, an executive team can successfully lead a business through a cyber-attack.

About the author

Lex Drennan, B. Bus Mgmt, M. Public Admin, is a Senior Specialist in risk consulting for CGU, one of Australia's largest insurers. She has an extensive background in crisis and emergency management, planning and training, complemented by experience in operational response to events spanning bomb threats, natural disasters and counter-terrorism operations. In her spare time, she is also an Adjunct Research Fellow at Griffith University, where she researches disaster resilience, adaptation and government policy.
How has information technology become the latest security threat?
By Keith Suter, Global Directions
Every day there are security stories which involve information technology (IT). This article offers three explanations for how we have been taken by surprise by the IT revolution: the IT revolution is a "black swan" event, the IT developers were too optimistic and too trusting, and government is being overwhelmed by the IT revolution. The bottom line is that humankind is still on a steep learning curve as it copes with the new IT era.

Information Technology as a "Black Swan" Event

"Black swan" events are high impact and low probability. They are very difficult to predict because of their rarity. The phrase was popularised by the US financial expert Nassim Nicholas Taleb, who lived through a financial crisis; his book is called The Black Swan: The Impact of the Highly Improbable. Europeans thought that all swans were white, and then they reached Western Australia and found black swans. "Black swan" events challenge the dominant paradigms of their day. People get taken by surprise because they extrapolate from current conditions rather than "think about the unthinkable". Three big technological inventions are black swan events: computers, the Internet and lasers. They were all unplanned, unpredicted and unappreciated initially upon their discovery.

Gordon Moore (a founder of Intel) predicted on April 19 1965 that the power of computers would double every 18 months to two years and that the price of computers would halve over the same period. This is the most profound prediction to haunt us this century. The prediction was clear, but few could believe the mathematics. People were unwilling to "think about the unthinkable": the implications of such drastically increasing IT power. The Internet was not designed for all the purposes for which we are now using it. No one predicted how it would come to dominate our lives. No one evidently thought about how vulnerable it could be to people with malicious motives; there are too many points of vulnerability.

Meanwhile, older senior people at the top of organisations and companies may have been out of touch with all the IT developments. For example, newspapers carried stories of how IT was changing society, but newspaper board members were slow to ask "what will all this mean for the newspaper business model?" Consequently the old newspaper business is broken and there are no clear new business models. Additionally, IT personnel may have had difficulty explaining IT matters in plain language, and so there was a communications problem: the experts who could see the coming changes could not communicate the gravity of the situation. Therefore society has been caught by surprise.
IT Developers Were Too Optimistic
IT developers forgot that there is always a hidden cost for convenience. The Internet's precursor is often said to have been designed to survive a surprise Soviet nuclear attack; in any case, the developers were permitted to use a version of it to communicate rapidly between university campuses. Evidently no one thought about the risk of millions of people (including fellow Americans) having malicious motives. The initial development community was small and people knew each other, but it soon expanded and malicious people could become anonymous. (The first major Internet worm, the "Morris worm", was released by Robert Morris in 1988; he was sentenced to probation, community service and a fine, and is now an honoured member of the US IT profession.) Although the Internet was developed with US Government money (ARPANET: Advanced Research Projects Agency Network), the US Government did not subject it to regulation at the time (ARPANET was decommissioned in 1990, by which time the Internet had begun as a public network). Perhaps, in retrospect, the US Government should have insisted on a more controlling role (certainly China does so within its borders). No one is in charge of the Internet, so who is overall responsible for IT security?

Meanwhile, some of the crimes that get committed exploit a person's sense of greed (such as the Nigerian scams informing the recipient that a distant relative has left them money in a Lagos bank account). Perhaps the victims are naïve in hoping to get money for nothing. Employers thought it would be a good idea to have a BYOD ("Bring Your Own Device") policy; it saved money for the employer, and it was "staff friendly". But it can make the company's IT system vulnerable to cyber-attack. It was well-meaning but perhaps naïve.
IT Challenges for Government

Government is on a steep learning curve. First, many governments are under siege from different categories of cyber-attacker: (i) hostile governments, (ii) criminal groups, (iii) politically motivated "hacktivists", (iv) "script kiddies" (younger people who want to see what they can get away with) and (v) terrorist groups. Each group has its own motivations. Second, the doctrine of nuclear Mutual Assured Destruction (MAD) does not work with groups which have a suicidal, apocalyptic mindset. For example, if the civilian communications network handling financial transactions were destroyed, Islamic State would not be too worried so long as it could take the rest of us with it. Third, there is a wide range of "soft" targets: transport infrastructure, water and sanitation, fuel supplies, distribution centres, computer-controlled ground stations, mass deletion of government data, hacking hospital IT systems to murder patients on life-support systems ("hacked to death"), car-jacking. This is a new era of conflict because the targets are no longer military ones. Fourth, the full extent of the problems may be obscured because some financial institutions may prefer to keep quiet rather than admit to having problems. This means that there is not necessarily as much learning from experience as one would like (people need to share information on their problems as a way of creating a "learning society").

The Bigger Picture for Government

Governments are too concerned with immediate, short-term issues and so get taken by surprise. The issues raised in this article, for example, were not raised in the recent general election. Perhaps politicians lack the knowledge base with which to consider technological issues (much the same could be said about company directors, who will agree in minutes to spend thousands of dollars on an IT project while arguing for a long time over the location of a bicycle shed). Therefore: how do governments make sure that their staff are not part of the problem, such as on BYOD? There is a need for new ways of conducting security checks: for example, security problems may arise from idealistic staff becoming disenchanted when they learn how operations are being carried out (such as Daniel Ellsberg and the Pentagon Papers, Chelsea (formerly Bradley) Manning, and Edward Snowden). IT has made government more vulnerable to "leaks". Meanwhile, the complexity of IT developments and the slow response by government give the impression that government is out of touch with events: "reputational risk". Citizens seek reassurance that government is somehow in control, but the threat is now possibly faceless and borderless; potentially disruptive IT knowledge itself knows no boundaries and so may be acquired by anyone. Another challenge is how to make the most of "surveillance capitalism", the growth of the technological monitoring industry.
It has already had an impact in reducing some crime, because criminals now fear they will not get away with their crimes (every lamp post becomes a set of eyes looking over the street). Certainty of punishment, rather than length of sentence, is a key factor in deterring crime. There is still far more that can be done in this area, but it is a positive development. To conclude, IT represents a new frontier for security considerations. The IT industry is making great progress and transforming many areas of our lives. We have to make sure that the security industry keeps up with all the changes and is willing to think about the unthinkable.
Fighting technology with technology: protecting children from cyber bullies
By Kim Maslin
Technology has altered the way we live. This goes for both positive interactions with technology, such as keeping in touch with family overseas, and the negative aspects, such as cyber bullying, cyber stalking and cyber terrorism. Cyber bullying is no different from traditional bullying, aside from its leveraging of technology. Cyber bullies use technologies such as email, text messages and social networking sites to hurt their victims, prowling the platforms commonly used by teenagers, including Facebook, Instagram, Snapchat and Skype. But how do we adapt our anti-bullying strategies to deal with cyber bullying, given its innate ability to invade not just our children's school lives but also their home lives? The answer is that we all have a role to play in combating cyber bullying.

Leading the way are our schools. Australian schools have already developed a number of measures to help combat cyber bullying and minimise the impact on our children. These measures include formulating policies that set out how the school will deal with cyber bullies; educating the student cohort about the impact of cyber bullying; responding to cyber bullying complaints; and providing support through counsellors and pastoral care programmes for those who have been victimised. Technical measures have also been introduced in the form of content filtering and monitoring. These approaches use digital technologies to filter out communications that may be deemed inappropriate, as well as to monitor the websites students visit and their behaviour while on school networks. This enables schools to collect evidence of cyber bullying incidents and hold those responsible to account. School ICT departments play a critical role in managing these filtering and monitoring systems, ensuring they stay one step ahead of today's technically savvy teens. This approach goes a long way towards minimising the number of cyber bullying incidents reported in schools, but it also aligns with the bigger vision the Australian Federal Government outlined in Australia's Cyber Security Strategy (https://cybersecuritystrategy.dpmc.gov.au). Underpinning the success of this strategy is the development of a 'cyber smart nation': a country with highly skilled cyber security professionals, as well as a nation of citizens who understand the threats from cyberspace.

While information security professionals are undoubtedly required to address a broad range of cyber threats, from terrorism to financial scams, protection of our children must remain a high priority. Research has found that one in five Australian children aged 12 to 17 were victims of cyber bullying over the past year. Furthermore, the adverse effect of cyber bullying on our children's mental health has been shown to be profound, ranging from self-esteem issues all the way through to suicide, so it's vital that we keep it front and centre in people's minds as we develop these national plans. As a community, we need to maintain the momentum that is building to tackle cyber bullying. Schools need to continue monitoring and educating our children, while parents need to wake up to these threats (and their indicators) at home. In order to keep up with the ever-changing digital landscape, Australia needs to invest in the future of anti-bullying technologies and professionals. We hope the government hears our call and invests in the future of Australia, which lies in the hands of the children of the digital age.

About the author

Kim Maslin is an entrepreneur, educator, cybersafety expert, social media enthusiast and founder of 3103 Communications. She is most importantly a 'digital native', who has grown up with the Internet and has been around social media for the better part of her life. Her expertise in communications, experience as a Technologies Teacher and Digital Learning Integrator and her passion to empower the community with digital literacy skills are the forces
Creating a culture of security to defend against social engineering attacks
By Christopher Hadnagy
The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute (https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data) has recently revealed what many have long perceived: there has been a shift in the root cause of data breaches from accidental to intentional. While 90% of the healthcare organisations represented in the study had experienced a data breach, for the first time criminal attacks are the number one cause of these breaches. Criminal attacks are highly targeted. When it comes down to it, attackers will stop at nothing to break into an organisation. They will use whatever means necessary to infiltrate, especially if those means are low risk. It's far easier for attackers to bypass technical controls by exploiting human nature than to compromise a network directly through those controls. Unfortunately, the proactive criminal and the unsuspecting employee are a combination that really adds fuel to the fire.

Despite the balance of breaches shifting to criminal activity, organisations are beginning to recognise the importance of starting with employees first. Ponemon's data backs this up: healthcare organisations rank employee negligence as a top concern when it comes to the exposure of patient data. Employee negligence goes far beyond the occasional lost or stolen laptop. What about when an employee accidentally discloses confidential data? A whopping 70% of Ponemon survey respondents admitted that careless or negligent employees are responsible for the most concerning security incidents impacting their organisation, but what can be done to help? In Australia, too, the Australian Signals Directorate has openly acknowledged that social engineering tops the list of threats to Australian businesses, so it's a real concern and one that doesn't have an easy answer.
To add to complication, organisations are gradually increasing their budgets and resources to protect both their data, however, not enough investment is being made in human capital to address the evolving threat landscape. It’s time for organisations to start investing in a culture of security that makes employees the first line of defense. Ask yourself, do your employees know what a phishing email is? Is there a process in place for the verification of a caller’s identity? Do you have a process in place to report security incidents? If you’re unsure of the answers to one or more of these questions, odds are you are not engaging in a culture of security.
What does a culture of security look like? A culture of security begins with active testing and training of employees for security awareness. Employees who know they are being actively tested have heightened awareness for security initiatives and are more apt to shut down an attempt to exfiltrate information or breach confidential client data. Buy-in for the culture of security should start at the top of the organisation and build down: this makes it the responsibility of each and every employee to contribute to this culture of security. Exposure, exposure, exposure! Not only should organisations implement continuous training initiatives, but they should also work to publicly reward employees who successfully respond to or report security incidents. Try publishing regular blog posts, try sending out organisation-wide emails, post your messaging on the corporate bulletin board, try handing out gift cards as prizes for staff who demonstrate they understand the security needs of your business and publicly recognise those who embrace it and live these values. A bit of positive reinforcement goes a long way. About the author Christopher Hadnagy, is the founder and CEO of SocialEngineer, LLC. Chris possesses over 16 years experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. Chris established the world’s first social engineering penetration testing framework at www. social-engineer.org, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. 
Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals.
Chief IT Magazine | 41
Are security vendors leaving your business at risk?
By Tony Campbell, ASM Correspondent

An issue that I've been mulling over for some time relates to the fundamental nature of customer security engagements, especially concerning product vendors and their place as trusted advisors. This issue led me to a couple of conclusions. Firstly, there is a mismatch between what's best for the client and what's best for the vendor. And secondly, the security threat environment is so badly defined that vendors could be peddling "snake oil" and customers would still buy their products if it took away their fear.

Today's security industry is almost entirely product focused and driven by fear-mongering. I've even seen some of the big consultancies pitching up at client sites with software products presented as the cure for what ails them. Every week, another new security vendor hits the news, riding on the back of the venture capitalists' love affair with our industry. And with each new product comes a new story of data mining, artificial intelligence and predictive analytics, which is more and more baffling for the poor old customer who needs to make a risk-balanced investment decision to address their risks.

In part, I blame the media. Since the Target attack back in 2013, news channels have focused on sensationalising big data breaches, the cyber heists undertaken by criminals looking to sell personal information on the black market. What the media has successfully managed to do is play right into the hands of the security product vendors, who are more than happy to sell software that can detect and defend against these kinds of remote attack. However, how many organisations, before having a discussion with AntiThreatWare Inc., have undertaken an actual threat assessment?

Consider this. Cyber criminals are not the only category of threat actor that wants to attack your business. Threat actors have a variety of different means, motives and intentions, so you need to understand all of those factors to assess the risk accurately. For example, if you run a medical scanning business, your patient data will be at risk from cyber criminals; that's a given. But you will also be a target for foreign nation states that might want the patient data for espionage purposes, and they will very likely use different techniques to hack you than the simple malware drops used by the cyber criminals. What if your patients include celebrities? Now you might be attacked by journalists, so again you need to be on the lookout for that threat group, acting with an entirely different set of means, motive and intent. Further to these threats, you must always consider threats originating from inside your network boundary: these can come from employees, contractors, partners, customers, and even the casual staff who empty the recycling bins once a week. Security breaches attributed to insiders fall into two categories: unintentional and intentional.

No single security product will address all your risk. Instead, you'll hear a lot about cyber criminals attacking you through malware drops, using phishing campaigns to deliver their malware to your users' desktops. But the vendor won't tell you that their technology can do nothing to support you if the attacker is a rogue administrator recruited by your competitor to steal your company's IPR. Even if you have a comprehensive threat assessment, are you then able to determine where you are most at risk? Do you have data classification, or at least some means of determining the value of your data? Are the emails in your corporate Exchange server all of the same classification and, if not, do you therefore treat that data with the security requirements of the most sensitive email it contains, or do you consider the entire Exchange database entirely benign and without value? Are there even any rules over what can and should be sent using the corporate email system, and what if legitimate users with unfettered access email corporate documents out to a third party? Would you know, or even know to care?

If asked the question you might say, "But they know not to do that," but I ask you this. Are you confident that no user has ever accidentally hit reply all on an email that included third party recipients outside the business, unintentionally sending an attachment meant only for corporate eyes? Even if you have the very best approach to classifying and valuing data (which frankly is one area of security management that most businesses are shockingly bad at), without a full and accurate threat assessment it is impossible (and I mean impossible) to determine risk. Without a full understanding of the information risks you are attempting to mitigate with new technology, how can you ever hope to measure the benefits of your investment when you can't measure the risk reduction?

Businesses need to pause and reflect on what security is and what it means to them. If you think about the word itself, security is simply a state of being where it's all good unless you have information to the contrary. If you are blatantly ignoring the threats, then, of course, it is only when you are breached that you'll start to care. Once you become aware of the problem, that is when you can choose to hire an expert who knows how to navigate the security industry, someone who knows what security is and can manage expectations effectively. If you can't afford to hire someone directly, it's time to call in a consultant. But you need to make sure the consultant isn't just another product junkie, out to push the latest and greatest cyber security gadgetry. If they immediately jump into pitching products before they've looked at your business and assessed your architecture, frankly, ditch them and look elsewhere.

There is certainly a place for security technology in our enterprises, but it's time to start letting the security requirements lead the architecture, and it's this level of planning that will lead the design. At that stage we can make considered, sensible technology investment decisions based on them meeting real business requirements, and we can build test cases to prove they work. It's time to stop vendors leading the market and start basing security decisions on strategic thinking, a true understanding of threats, vulnerabilities and risk, and an architecture-driven approach that drives real security value into the enterprise.
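The "reply all" scenario and the question of whether any rules govern what leaves the corporate mail system can be checked mechanically at the gateway, provided data classification exists to check against. The following is an added example, not code from the article or from any vendor it mentions. It assumes a hypothetical company domain (example.com.au) and a hypothetical X-Classification header stamped on every message by a mail gateway, with OFFICIAL the only level permitted to leave the domain; the three sample messages are constructed inline for illustration.

```python
"""Outbound-mail leak check: flag messages that would carry classified
content or an attachment to a recipient outside the company, including
the accidental "reply all" case.  Added example, not from the article.

Hypothetical assumptions: the company domain is example.com.au and a
gateway stamps an X-Classification header (OFFICIAL < SENSITIVE <
PROTECTED) on every message; only OFFICIAL content may leave the domain.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, make_msgid

INTERNAL_DOMAIN = "example.com.au"                 # assumption
LEVELS = {"OFFICIAL": 0, "SENSITIVE": 1, "PROTECTED": 2}  # assumed scheme
EXTERNAL_LIMIT = LEVELS["OFFICIAL"]                # highest level allowed out


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not INTERNAL_DOMAIN."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    external = []
    for _name, addr in getaddresses([str(h) for h in headers]):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain != INTERNAL_DOMAIN:
            external.append(addr.lower())
    return external


def classification_level(msg):
    """Numeric level of X-Classification; a missing or unknown label is
    treated as the most restrictive level so the check fails closed."""
    label = str(msg.get("X-Classification", "")).strip().upper()
    return LEVELS.get(label, max(LEVELS.values()))


def check_message(raw):
    """Parse one RFC 5322 message (as a gateway sees it) and return the
    recipients, attachments, level and a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    external = external_recipients(msg)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    level = classification_level(msg)
    findings = []
    if external and level > EXTERNAL_LIMIT:
        findings.append("classified content addressed to external recipients")
    if external and attachments:
        findings.append("attachment addressed to external recipients")
    # A reply that already has findings and carries outside parties is the
    # classic reply-all leak: the sender answered a thread, not a person.
    if findings and msg.get("In-Reply-To"):
        findings.append("reply to a thread containing outside parties (possible reply-all leak)")
    return {"external": external, "attachments": attachments,
            "level": level, "findings": findings}


def scan(messages):
    """Run check_message over a {name: raw} mapping; return the flagged names."""
    return [name for name, raw in messages.items() if check_message(raw)["findings"]]


def _build(frm, to, cc=None, classification="OFFICIAL", attachment=None, in_reply_to=None):
    """Construct a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"] = frm
    m["To"] = to
    if cc:
        m["Cc"] = cc
    m["Subject"] = "Re: board pack" if in_reply_to else "board pack"
    m["Message-ID"] = make_msgid(domain=INTERNAL_DOMAIN)
    m["X-Classification"] = classification
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("Attached as discussed.")
    if attachment:
        m.add_attachment(b"constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


SAMPLES = {
    # reply-all that swept in a partner address while carrying a SENSITIVE attachment
    "reply_all_leak": _build("alice@example.com.au",
                             "bob@example.com.au, carol@partner.example.org",
                             classification="SENSITIVE", attachment="board-pack.xlsx",
                             in_reply_to="<abc123@partner.example.org>"),
    # PROTECTED attachment that stays inside the company: allowed
    "internal_only": _build("alice@example.com.au", "bob@example.com.au",
                            cc="dave@example.com.au", classification="PROTECTED",
                            attachment="payroll.csv"),
    # routine OFFICIAL note to a partner with no attachment: allowed
    "benign_external": _build("alice@example.com.au", "carol@partner.example.org"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {check_message(raw)['findings'] or 'ok'}")
```

The check is deliberately conservative: an unlabelled message is treated as the most sensitive level, because a gateway that lets unlabelled mail through by default recreates exactly the "everything in Exchange is benign" assumption the article warns about. In a real deployment the domain, label scheme and exit threshold would come from the organisation's classification policy, not from constants.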
27-29 November 2016 Phuket, Thailand
DID YOU KNOW?
USD 75bn is how much the worldwide cyber security market is currently worth, and it is expected to double by 2020
$32.95bn USD is how large the Asian cyber security market is expected to grow by 2019
$200bn USD is the forecast for connected devices by 2020
$30bn USD is the predicted growth for the global managed security services market by 2020
MAJOR TOPICS TO BE COVERED AT CYBER SECURITY EXCHANGE ASIA
1 Detecting an attack, how to and how not to address a data breach
2 Discussion of the Asian regional cyber security policy
3 Ransomware – best practice risk assessment, prevention and response
4 The role of the Chief Risk Officer in an organisation's cyber security strategy
5 How to get the most out of your systems using your staff for implementation
6 Strategies with the convergence of IT, OT and physical security
SOUNDS INTERESTING? WE WANT YOU! Come and be a part of Cyber Security Exchange Asia 2016, 27-29 November 2016 in Phuket, Thailand, as we bring together 45 CIOs, CISOs and Heads of Cyber Security from across Asia to discuss the challenges they face. Visit www.cybersecurityexchangeasia.com for more information on this unique event.
If you would like to request an invitation to see if you qualify to attend this event, email firstname.lastname@example.org referencing code CSCDM_Del
If you would like to have 30 minute pre-scheduled meetings, to offer your solutions to these CISOs and Head of Cyber Security, email email@example.com to find out what opportunities are available referencing CSAPSM_SX
+65 6725 9921 | firstname.lastname@example.org | www.cybersecurityexchangeasia.com
6th SCADA World Summit
Main conference: 9 & 10 November 2016. Post-conference workshops: 11 November 2016. Pre-conference workshops: 8 November 2016. Venue: Kuala Lumpur, Malaysia
Code “MYSECURITYMEDIA”: qualify for an extra 10% discount*! *Discount applicable to 2-day summits
What Makes 6th SCADA World Summit 2016 A Must-Attend Event!
Recipe for Success: Hear cross-industry SCADA professionals and project owners share their experiences in managing SCADA system integration, upgrading and maintenance within an energy-efficient environment, drawn from large-scale projects around the world.
Interactive Discussions: Join exclusive panel discussions featuring SCADA industry experts as they share their challenges and perspectives on eliminating cyber security threats and adopting smart applications to raise SCADA system operational efficiency.
Eye-opening Presentations: Gain strategic insights from over 20 industry experts on overcoming the major challenges in managing SCADA systems, including cyber security risk, complicated SCADA system integration and upgrades, achieving accuracy in real-time data acquisition, improving connectivity between the MTU and substations, data management and protection, and reducing human error in SCADA operation, among others.
In-depth Workshops: Attend the 6 expert-led pre-summit workshops to grasp the nuts and bolts of effective SCADA system management.
Researched & Developed by:
PHONE: 65 6376.0908 EMAIL: email@example.com WEB: http://www.equip-global.com/6th-scada-world-summit-2016
EXECUTIVE EDITOR’S SHOW REVIEW COMMERCIAL UAV ASIA SHOW AND IOT CONFERENCE, SINGAPORE
By Chris Cubbage

Despite a very busy and somewhat problematic registration process, taken as a sign of success, once inside and underway this was a great event. Well attended from across Asia and showcasing drone technologies from around the world, the attendees represented all facets of industry, academia, business, technology and large enterprise. Having first written about the emergence of drones entering the civil sector in 2009, it is obvious now that drone technology has become mainstream and is in full flight. Literally! It remains only government regulation restricting much wider commercial use, and with companies like UniFly (www.unifly.com) these regulations can be easily referred to and evaluated. Others have much more ambitious plans, like Daka Technologies, which reports to be progressing fast with the concept of installing drone delivery pods in all high-rise apartments. To help alleviate safety concerns, ParaZero, an Israeli drone safety systems company, used the show to introduce an innovative pyrotechnic parachute and autonomous triggering technology.

Fundamentally, drones continue to do the three Ds, the dirty, dull and dangerous work, but the technology has expanded into 'dronetainment' (unless told otherwise I'm coining that phrase), with drones being used for stage show productions, and drone racing is also increasingly popular. Infinium Waders have developed performance drones specially engineered for the entertainment industry. With in-house proprietary algorithms, complex swarming of UAVs indoors and outdoors is possible for live and novel entertainment showcases. The exhibition included mini drone races, drawing an enthusiastic crowd around a confined, safety-net-protected centre stage on the expo floor. Races saw drones crashing, smashing and even completing the small course, in what was a challenging mini event for the pilots.

One of the key technologies I was seeking out was automatic response drones, which deliver operational security capabilities for responding to alarm events, carrying out perimeter inspections, or making a first deployment to signs of movement or suspicious activity. Only two systems, SwarmX and DroneBox, claimed success in this area, with developments underway fast and more announcements still to come. Others are also getting there, if not there already, and I would envisage that well within two years we will see these systems deployed in much wider circles. H3Dynamics, a member of the Intel IoT Alliance, has developed the DroneBox as a specialised IoT product. A Singapore-based, fast-growing robotics technology company, H3Dynamics also specialises in high-performance hydrogen-electric propulsion systems for UAVs, integrated field and aerial robotics systems, and data analytics solutions across a number of industry sectors. The multi-national team, including staff based in Melbourne, consists of technologists, engineers, scientists from multiple disciplines, entrepreneurs and industry leaders with a wealth of technical and business expertise from their respective fields.

Swiss drone manufacturer senseFly used the show to launch the eBee SQ fixed-wing agricultural drone. Built for the Parrot Sequoia multispectral camera, this system can cover up to 10 times more ground than small quadcopter drones. The eBee SQ builds on senseFly's eBee platform, which has so far recorded over 300,000 successful customer flights over seven continents. The Parrot Sequoia camera is claimed to be the smallest, most advanced multispectral sensor on the market. The eBee SQ combines precise crop imaging with large ground coverage, flying for up to 55 minutes on a single battery charge. This performance enables it to cover up to 500 acres (200 ha) in a single flight at 400 ft (120 m) above ground level, up to 10 times more ground than small quadcopter drones.

Founded in Hong Kong in 1999, Yuneec International manufactures over 1 million units a year and includes the Typhoon brand of multi-copters. The company's achievements include the introduction of the hobby industry's first "Ready to Fly" radio-controlled electric-powered airplane and the design and manufacture of market-leading radio-controlled helicopters and micro-copters. The Wingcopter, developed in Germany, is a hybrid Vertical Take-Off and Landing (VTOL) UAV that combines the advantages of a multi-rotor and a fixed-wing aircraft using a patented tilting-rotor mechanism. The innovation provides a way to cover large areas of land without having to find take-off and landing areas, which are hard to come by in tough terrain. The system has a maximum flight time of over 2 hours, a range of up to 100km, a maximum payload of 2kg and the ability to cover up to 2,000 hectares in a single flight. AeroLion Technologies is a spin-off from the Unmanned Systems Research Group of the National University of Singapore. The company has specialised in UAV autonomy, formation flying and navigation in both indoor and outdoor environments for more than 10 years. It provides custom solutions and has developed the BlackLion-168 and BlackLion-068, both with a rugged design for harsh-environment applications, high payload, long-endurance flight, multi-sensor-based GPS-less indoor navigation, obstacle avoidance and intelligence analytics features.

Silvertone, established in Australia in 1958, proudly displayed its new Mark 3 Flamingo, a 25kg-class RPA capable of carrying up to 8kg of payload for more than 12 hours. The unit was designed to provide a 65% increase in payload volume (a 3kg capacity increase) and an additional 4 hours of flight time while remaining within the 25kg maximum take-off weight. Finally, UCON SYSTEMS, a manufacturer of UAVs for the Republic of Korea Army and Marine Corps, displayed a range of surveillance, reconnaissance, industrial and agricultural UAVs. Alongside the Commercial UAV Asia Show was an IoT Conference with Innovation Hubs displaying a wide array of sensing devices, delivery and control apps and plenty of other new ideas for budding entrepreneurs. This will hold us in good stead as we head to Silicon Valley later this month for the Net Events IoT and Cloud Innovation Summit and Innovation Awards. Stay tuned!

Altura Zenith from www.Aerialtronics.com
Thermal Imaging sensors at the Yuneec.com stand
Auto take off and landing system by SwarmX.com
Wingcopter Hybrid Speed Drone - wingcopter.com
Tarot Racing Drone Kit - sells for around AU$200 online at tarotrc.com
“Asia is expected to be the largest regional manufacturer of UAVs in the world over the next decade.”
DroneBox by H3Dynamics.com
Typhoon 4K by Yuneec.com
SkyeIntelligence Orbit - www.sky-intelligence.com
Intense discussions about ORION Drone Protection Systems, a multi-sensor detection and tracking system
Multipurpose flying platform with a wingspan of 2.95m and a payload of up to 7kg, flying fully autonomously over a distance of more than 1000 km within 10 hours of flight
Typhoon H by Yuneec.com
Ruggedised Flight Controller Unit from Tarotrc.com
Wingcopter -Editor Chris Cubbage with Tom Pluemmer, CEO - wingcopter.com
X-Star Quadcopter in action AutelRobotics.com
Mark 3 Flamingo RPA by Silvertone.com.au
CumulusOne Fixed Wing Drone by IFCON Technology - www.ifcontech.com
X-Star Quadcopter and controller by AutelRobotics.com
SkyDroner 1000 by TeleRadio Engineering - www.skydroner.com
Drones Robotics Automation Security Technology Information Communications
www.drasticnews.com Like us on facebook! www.facebook.com/drasticnews
1 YEAR SUBSCRIPTION
TO THE AUSTRALIAN SECURITY MAGAZINE
Get each print issue per year for only $88.00
SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐
Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)
No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.
Visit www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Don't miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia only)
PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155
FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059
GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056
Critical Infrastructure Protection and Resilience Asia, including Critical Information Infrastructure Protection
5th-6th October 2016, Bangkok, Thailand. www.cip-asia.com. Co-Hosted By:
Developing resilient infrastructure for a secure future. Save with the Early Bird.
Confirmed speakers include:
- Peter O'Neill, Chief of Transport Policy and Development Division, UNESCAP
- Thomas Wuchte, Head of Transnational Threats Department/Action Against Terrorism Unit, OSCE
- Kamal Thalib, Head of Financial Crime & Security Services, PT Bank DBS Indonesia
- Shamika Sirimanne, Chief of Division, Information and Communications Technology and Disaster Risk Reduction Division, UNESCAP
- Dr. Peeranan Towashiraporn, Director, Asian Disaster Preparedness Center
- Kumpol Sontanarat, Director, Information and Communication Technology Department, Securities and Exchange Commission (SEC), Thailand
- Air Chief Marshal Somneuk Swatteuk, Senior Expert, National Disaster Warning Center, Thailand
- Zahri Yunos, Chief Operating Officer, Cybersecurity Malaysia
- Dr. Mohammad Shahir, Senior Consultant, THALES E-Security, Malaysia
- Hansen Chan, Product Marketing Manager, Nokia, USA
Discover the latest challenges, strategies and solutions for protecting ASEAN's critical national infrastructure. Critical Infrastructure Protection and Resilience Asia will bring together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Asia. Book your delegate place today and save with the Early Bird delegate rate. Early Bird deadline: 5th September 2016.
Register online at www.cip-asia.com/onlinereg. Securing ASEAN's critical national infrastructure
Owned & Organised by:
Department of Disaster Prevention & Mitigation
Ministry of Interior
How to Exhibit Gain access to a key and influential audience with your participation in the limited exhibiting and sponsorship opportunities available at the conference exhibition. To discuss exhibiting and sponsorship opportunities and your involvement with Critical Infrastructure Protection & Resilience Asia please contact: Suthi Chatterjee Exhibit Sales Manager (Asia) PRMC Thailand Tel: +66 2 247-6533 Fax: +66 2 247-7868 Mobile: +66 (0) 87-060-5960 E: firstname.lastname@example.org Paul Gloc Exhibit Sales Manager (UK & Europe) T: +44 (0) 7786 270820 E: email@example.com Jake Addison Exhibit Sales Manager (ROW) T: +44 (0) 7545 977741 E: firstname.lastname@example.org
Australian Security Industry Awards
Call for Nominations
2016 RECOGNISING EXCELLENCE
Awards Ceremony & Dinner:
20 October 2016 The Westin, Sydney
the peak body for security professionals.