THE MAGAZINE FOR SECURITY & TECHNOLOGY PROFESSIONALS | www.cyberriskleaders.com Issue 6, 2021
Turning cyber health scare into digital trust
Market opportunities for 5G, IoT and edge compute
Singapore cyber highlights: ICW 2021; ISACA GTACS 2021
Best practices for trusted third-party risk management
Why organisational risk starts and ends with your people
Beware of the return to office: How organisations can protect against pandemic sleeper threats
NETWORK & DATA CENTER SECURITY PLUS
Tech & Sec weekly highlights. App now available on iTunes. DOWNLOAD NOW!
www.CyberRiskLeaders.com | Cyber Risk Leaders Magazine | 31
Elevated Intelligence For a Smarter, Changed World The world and the security industry have changed forever. Integrating physical security controls with advanced technology is top of mind worldwide.
Increased demand for video analytics, augmented reality, cyber security and robotics highlights just how important digital transformation and innovation are to the growth of the industry. So we’re transforming in 2021 to a virtual platform, to ensure these critical security conversations and connections continue. The new virtual Security Exhibition & Conference will showcase the development of new solutions to essential hardware and security needs, diving deeper into the technologies that are changing how we respond to and analyse future information, with the latest industry insight and leadership. Security Virtual 2021 - Empowering industry for a smarter, changed world.
17–18 NOV 2021 VIRTUAL EVENT
REGISTER NOW securityexpo.com.au
Lead Industry Partner
High Security Locking Systems Expert Insight Series into Modern Locking Hardware & System Integration: High Security & Industrial Applications
REGISTER HERE
3 PART SERIES
AVAILABLE NOW ON-DEMAND IN ASSOCIATION WITH
Securing Remote Installations & Maintaining Hardware In Hostile Environments
Integration of Locking Systems (Security design for maximum security & access control)
SECURITY RISK & GOVERNANCE SPECIALIST, MAJOR QUEENSLAND UTILITY
SENIOR CONSULTANT, ACAD SERVICES
NATIONAL BDM, TECHNICAL PRODUCTS
EXECUTIVE BUSINESS MANAGER
TECHNICAL ACCOUNT MANAGER, GALLAGHER
Threat Assessment & Hardening through Physical Locking Systems (Techniques, tactics, and forensics)
Kurt Lozier CPP
SCEC APPROVED LOCKSMITH, AIRCRAFT ENGINEER & BUSINESS OWNER
TECHNICAL SALES MANAGER
SCEC ZONE CONSULTANT
NOVEMBER 29th TO DECEMBER 1st
BOGOTA - COLOMBIA
BOGOTA, INTERNATIONAL HUB OF LATIN AMERICA AND THE CARIBBEAN FOR SECURITY AND DEFENSE
ATTEND THE LEADING HUB FOR DEFENSE AND SECURITY IN LATIN AMERICA WITH THE NEWEST TECHNOLOGY IN LAND, AIR AND MARITIME DOMAINS.
Exhibitors from 26 countries
10,359 m² of exhibition area
75 official delegations from 24 countries
Participants from 47 countries (2019 figures)
www.expodefensa.com.co
TAKE YOUR CAREER TO THE NEXT LEVEL CISSP®, CISM®, CRISC®, SABSA®, CISA®, CCSP®, CIPM, CIPT, ISO 27001, CSF+P + MORE… World-class instructor led training keeping you at the forefront of Cyber Security alctraining.com.au
MY SECURITY MEMBERS SAVE 10% To redeem simply quote the following code: “ALCMYSEC10” & select the pay by invoice option.
NIST CYBERSECURITY FRAMEWORK PRACTITIONER ALC has recently introduced a new certification to its flagship line-up of courses, addressing the growing trend and need of practitioners in the region who either wish to use, or have been requested to use, the NIST Cybersecurity Framework. Emanating from Executive Order 13636 Improving Critical Infrastructure Cybersecurity signed by former President Barack Obama in February 2013, version 1 of the Framework was released one year later on 12 February 2014. Version 1.1, released in April 2018, added the supply chain or what we refer to as the Extended Enterprise. The benefit of using the Framework is that it provides guardrails and structure when assessing the activities and assets associated with the most critical parts of a business. As delegates discover, the Framework is not a standard, such as PCI DSS or ISO 27001, nor is it set in stone – it is extensible, allowing users to modify and adapt the Framework to the unique needs of their organisation, including the use of multiple protection profiles; adding, deleting, or customising categories and sub-categories; and adding in new informative references. ALC’s new course, NIST Cybersecurity Framework Practitioner, guides participants through the generic Framework, giving extensive in-depth examples of the theory. Even though NIST emanates from the US, the course does not have a US-centric orientation. Special effort has been made to ensure both a practical and a regional flavour by use of an extended case study throughout.
The case study and corresponding exams allow participants to better reflect on the virtues of the Framework, in that an organisation is part of what is referred to as critical infrastructure. Participants discover what sector the case study is set in, the reliance on other critical sectors, and where they are placed within their own sector. This allows a better understanding and a dialogue to be established for the cyber resilience functions used during and after an attack.
The first course ran 2-6 August 2021 using virtual, instructor-led training, and was enthusiastically received by delegates from Australia and Malaysia who were not only challenged with the theory and concepts, but performed well in the case study, mock exam and final exam. Well done to all of you! ALC looks forward to continuing on its journey from having successfully launched a new course to embedding it as part of the ongoing curriculum for meeting the needs of cyber security professionals. I look forward to the next course scheduled for November 2021.
Peter Nikitser
Director, ALC Cyber
Celebrating 27 years of training excellence!
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij
MARKETING AND ADVERTISING: email@example.com
Copyright © 2020 - My Security Media Pty Ltd, GPO Box 930, SYDNEY N.S.W 2001, AUSTRALIA. E: firstname.lastname@example.org. All material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
CONNECT WITH US: www.facebook.com/MySecMarketplace/ | @MSM_Marketplace
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
Correspondents* & Contributors: Guillaume Noé, Miryam Meir, Jane Lo*, Guy Matthews, Lisa Sisson, Rick Vanover, Kelly Johnson

Contents
• Turning cyber health scare into digital trust
• Best practices for trusted third-party risk management
• Deepening collaborations for cybersecurity - Highlights from the Singapore International Cyber Week 2021
• Singapore Cyber Landscape – Highlights at ISACA Singapore Chapter’s GTACS 2021 conference
• Network and Data Center Security: Market opportunities for 5G, IoT and edge compute
• New insights into the Devilstongue spyware impacting journalists, human rights defenders and politicians
• Why organisational risk starts and ends with your people
• How to empower your people to become your greatest risk management asset
• Beware of the return to office: How organisations can protect against pandemic sleeper threats
• President Biden warns "Lock Your Digital Doors"
• Facebook’s network backbone breaks, causing six hour outage
• Group-IB Chief Executive Officer facing treason charge following arrest
• FamousSparrow APT group spying on hotels, governments and private companies
• Irish privacy regulator fines WhatsApp $359 million
• SophosLabs publish technical insight into stealthy new ransomware, Atom Silo
• New PANW research highlights growth of supply chain security threat
• Migrating MPLS networks to the cloud age
"Every day, our adversaries are using known vulnerabilities to target federal agencies…we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors"
- Jen Easterly, Director, US Cybersecurity and Infrastructure Security Agency, November 3, 2021
As 2021 draws to a close, we consider the top security threats enterprises face today, amidst the uncertainty of what 2022 may hold. Changes in working patterns, in tandem with a rising tide of security threats, have forced many enterprises to think about their reliance on legacy network architecture. With a majority of workers now working remotely from their home offices, we have an expanded attack surface, with some applications still in an on-premise data centre, others protected by SASE, and many in multiple clouds around the world, helping to manage employees and support customers. The threats extend to applications, the end user and the devices users are connecting from. Attackers are busily adapting to the new defensive measures that everyone is putting in place, and there is no shortage of critical vulnerabilities being discovered and exploited at scale. The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate them in all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion. The White House confirmed approximately 150 US-based utility providers, serving some 90 million customers, had moved to fortify their cybersecurity defences in the last three months.
The May 2021 ransomware attack on Colonial Pipeline highlighted the vulnerabilities of such critical infrastructure. Cybersecurity business Nuspire says ransomware activity spiked 55,239% in the early part of Q2 2021. Ransomware attacks have since trailed off, but Nuspire says that’s no reason for complacency. They say a new ransomware gang called BlackMatter has risen from the “ashes” of the DarkSide and REvil cyber gangs. And to highlight the issue, two alerts were announced at the time of writing: a critical alert regarding a vulnerability present in certain versions of Microsoft Excel and, second, a remote code execution vulnerability present in certain versions of Palo Alto Networks’ firewalls utilising the GlobalProtect VPN component. Palo Alto Networks says they are not aware of any malicious exploitation of this issue, which was discovered and disclosed by Randori. This vulnerability allows for unauthenticated remote code execution on vulnerable installations of the product, with numerous vulnerable instances exposed on internet-facing assets (in excess of 10,000). The Randori Attack Team developed a reliable working exploit and leveraged the capability as part of their red team platform. The team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. With control over the firewall, they had visibility into the internal network and could proceed to move laterally, thereby being able to disrupt system processes and potentially execute arbitrary code with root privileges. The vulnerability is deemed critical with a Common Vulnerability Scoring System (CVSS) score of 9.8. The Microsoft Excel vulnerability (CVE-2021-42292) could allow an unauthenticated person to bypass a key security control. A bona fide user could be tricked into opening a malicious spreadsheet, potentially initiating a spearphishing campaign. The vulnerability scores 7.8/10 on the CVSS, seeing it ranked as a high severity threat. Microsoft notes the vulnerability is currently being exploited, with 18 versions of Excel impacted, although there is no indication that the Microsoft-hosted Office 365 Excel product is affected.
Guillaume Noé has also contributed in this edition, with a look at the impact on the health care sector. The pandemic has put medical institutions under operational stress and the related cyber-attack surface increased with new health-related targets arising from medical transport and supply chain service providers. The pandemic provided cyber-criminals with the opportunity to build targeted attacks against a disrupted workforce and a vulnerable population through campaigns including COVID-19 themed scams. Cyber security vulnerabilities do not only apply to technology. They also apply to people, and even more so when stretched in an industry under stress. Miryam Meir for SecurityScorecard has appropriately focused on Third-Party Risk Management (TPRM). Across the supply chain, third parties are providing cloud services, storing sensitive data, and providing other important services, so they are also a major source of cyber risk. Cybercriminals often target third-party providers to reach their clients’ data and networks, so there is a need to be able to trust third parties and their security posture. As an international edition, we have a Singapore focus, with Singapore Correspondent Jane Lo reporting on the ISACA Singapore Chapter’s GTACS 2021 conference and Singapore International Cyber Week 2021 (SICW, 4th – 8th October 2021). The 6th edition of SICW opened to a global audience that saw more than 2,000 delegates and speakers participating globally, including government ministers, cyber principals and heads of agencies and leaders from industry and academia. In this edition, we also provide you the opportunity to deep dive into the cybersecurity domain and corporate risk management, and throughout we have links through to our Tech & Sec Weekly Series and the latest Cyber Security Weekly podcasts. There is a lot here to unpack. On that note, as always, there is so much more to touch on and we trust you will enjoy this edition of Cyber Risk Leaders Magazine. Enjoy the reading, listening and viewing!
Chris Cubbage CPP, CISA, GAICD
Turning cyber health scare into digital trust
By Guillaume Noé, Cyber Security Lead, Avanade Australia

The right arm up in a black splint. In pain. The left arm holding X-rays, an MRI report and other documents. My wife waited outside the hospital with the help of a member of the medical staff. She had her second surgery within the span of six weeks following an accident. Three thoughts came to mind as I approached the hospital pick-up zone:

I feel grateful. The surgery went according to plan. I couldn’t visit due to COVID-19 restrictions, but the nurse I spoke with the night before provided a good report. The surgeon is reputed to be the best in his field, and I truly appreciate the quality of care and the dedication of medical staff in Australia.

Why is my wife holding so many documents? Surely there is a way to process all of this health data in a digitised form in 2021, and to do so securely.

Five months ago, a ransom gang claimed responsibility for a cyber-attack against a healthcare provider in our city. Operations were impacted. That incident was unfortunately not the first. Healthcare service providers are increasingly an enticing target for cyber criminals looking for financial gains. The rise of cyber-attacks in the health industry is global. Cédric Hamelin, CISO of the Rouen University Hospital Centre (CHU) in France, shared his experience with the French National Cyber Security Agency, which was published in a recent ransomware report: “On 15th November 2019, on the eve of the weekend, an emergency services intern reported a problem with access privileges to a business application. Shortly afterwards, the internal IT services noticed that a large number of the CHU’s workstations and servers were encrypted. The diagnosis came very quickly: it was ransomware.” Hospitals can be hurt and need specialist skills to protect their operations and patients’ data.

What makes healthcare such an attractive target?
Attacks in the health industry are increasing, as reported by the Australian Cyber Security Centre (ACSC) in their 2020 Health Sector Snapshot. The ACSC identified the industry as the subject of the highest number of reported cyber incidents outside of government and individuals. The ACSC also suggested the healthcare industry provides a very attractive target for cyber criminals because of:
• its highly sensitive personal data holdings;
• its valuable intellectual property on technology and research;
• the criticality of services it delivers;
• the pressure to maintain and, if disrupted, rapidly restore business continuity;
• public trust in health sector organisations, particularly those linked to Government services.

The prospect of a hospital operation impacted, whether by lack of access to urgently needed medical data, or worse by its tampering, is frightening. The COVID-19 pandemic has also amplified the issue, because disruption breeds vulnerabilities to cyber security attacks and financial extortion.

Firstly, the pandemic has put medical institutions under operational stress. They have been dealing with a pandemic while scrambling to quickly enable remote services for staff, patients, and the broader citizen population. This involved fast-tracking the deployment and further use of: internal collaboration tools to support corporate functions with many staff working from home; telehealth services for external consultations; and management systems to orchestrate a massive citizen vaccination program. The speed of digital service delivery can come at a security cost, particularly when security is not strongly and natively embedded at the core of IT solution development processes.

Second, the ACSC suggested the cyber-attack surface has increased with new health-related targets including medical transport and supply chain service providers. Supply-chain cyber-attacks are widespread. The European Union Agency for Cybersecurity (ENISA) corroborates the warning more broadly across industries. It estimated that there will be four times more supply chain attacks in 2021 than in 2020, with about half of the attacks being attributed to Advanced Persistent Threat (APT) actors.

Finally, the pandemic has also provided cyber-criminals with the opportunity to build targeted attacks against a disrupted workforce and a vulnerable population through campaigns including COVID-19 themed scams. Cyber security vulnerabilities do not only apply to technology. They also apply to people, and even more so when stretched in an industry under stress. Staff members become more susceptible to scams and phishing attacks.

Boosting digital trust
Health cyber security managers and security operation teams do not lack a challenge, to say the least. They protect their organisations’ operations and reputation – implementing security in systems, processes, devices and connected medical equipment – to maintain the trust of citizens, patients, clients, and partners, which is imperative. They also play a critical role in fostering the digital innovation and transformation that their organisations require to remain efficient, effective and competitive. The health care industry is very competitive, especially in the private sector. Attracting and retaining the best medical staff, including Visiting Medical Officers, and improving patient experience can hinge on modern and secure digital services. The choice of security measures, such as a method for authentication, can greatly impact user experience. Security and user experience are not mutually exclusive, but they must be thoughtfully planned. The Australian government is executing a promising cyber security strategy, with a range of initiatives driving further investment, awareness, compliance, and collaboration in cyber security. However, health organisations must take ownership of their cyber security risks. They need talented cyber security teams, appropriate governance, a security strategy that evolves with the health threat landscape, and the right support from the cyber security industry, as suggested by Cédric Hamelin (CISO Rouen CHU): “Today, it is important to remind organisations in the healthcare sector as well as others that we are not alone in dealing with this type of situation. Do not hesitate to seek outside assistance and advice.” The health industry is presented with an opportunity to harness the disruption forced upon it to amplify its digital services securely and to build a competitive differentiation. There is no better time to:
• Review security postures and strategies in health;
• Embed security in digital health services. This involves putting people at the core of cyber security programs and optimising their security awareness with innovative solutions;
• Maximise collaboration and user experience with secure services.
Best practices for trusted third-party risk management
By Miryam Meir
Third parties are a necessary part of your enterprise. They are your vendors, your suppliers, your contractors, and your partners. Without them, you can’t do business. Third parties provide cloud services, store sensitive data, and provide other important services. Unfortunately, third parties are also a major source of cyber risk. Cybercriminals often target third-party providers to reach their clients’ data and networks, as in the notorious SolarWinds breach at the end of 2020. To move your business forward and propel growth, you need to be able to trust your third parties and their security posture. For this reason, Third-Party Risk Management (TPRM) is critical for every organization.
What is TPRM?
Third-party risk management, or TPRM, is the process of vetting your vendors so that you can understand the risks they may pose to your organization and the supply chain itself. Organizations with strong vendor risk management programs systematically identify, assess, and mitigate threats to their assets and data that might be caused by the organization's supply chain. Most organizations do business with a number of third parties, and those third parties fill many roles. In fact, Gartner found that 60% of organizations work with over 1,000 third parties. Some are vendors, but others fall into different categories, such as partners, contractors, and consultants. Therefore, TPRM is an umbrella that covers vendor risk management (VRM) as well as other kinds of third-party risk management, such as supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, and contract risk management, among others.

Why is third-party risk management important?
It’s never good news when third parties are involved in a data breach; Ponemon’s 2021 Cost of a Data Breach Report found that if a software vulnerability at a third party causes a data breach, the cost tends to increase by more than $90,000. That’s not great; most data breaches are already steep at an average of $4.24 million. Third-party breaches are becoming increasingly frequent, however. According to InfoSecurity Magazine, 44% of organizations were found to have experienced a security breach in the last year. Of those companies, 74% said that the breach occurred because too much privileged access had been given to third parties. That’s the problem — often third parties need access to your systems and data to be effective, but you don’t have the same control over your third parties as you do over your own employees. You can’t require the employees or contractors of another company to adhere to your own standards — but if your customers’ data is exposed because of a third party, that breach is still your responsibility. So how can you trust your third parties with your data?
Best practices for third-party risk management

1. Know who your third parties are
Before you can determine risk, you need to know who all your third parties are and understand exactly how much is being shared with each. This isn’t always easy. While some large vendors — like cloud providers — may be well-known third parties, some departments (and even some individuals) may be working with their own third parties, and may not have shared their vendor list with other departments. They might not even think of some contractors as third-party vendors, so you’ll have to work with each department to develop a list. Once you know who your vendors are, it’s important to know what data and networks they’re able to access. Do they need the level of privilege they have? If not, you’ll need to set some limits.

Tip: Follow the money! One way to begin identifying your third parties is with your finance department. Third parties are typically paid service providers, and if you follow the money you will probably uncover vendors you didn’t know about.
2. Prioritize your vendors
Not all vendors were created equal, or at least they don’t all pose the same risk to your assets. Vendors that handle critical business processes will be a much bigger threat to your data than a contractor who works with one department. You’ll want to be able to see, at a glance, which third parties represent the biggest risks to your organization. Risk ratings are a tool that can help you do this. Your first step is a risk analysis for each of your vendors. Use the following formula to understand each third party’s risk:

Risk = Likelihood of a Data Breach × Impact of a Data Breach/Cost

Then, based on the results, prioritize your vendors by assigning a risk rating of high, medium, or low. The vendors who handle the most business-critical operations or the most sensitive data will likely be rated medium or high. Be aware that this method sometimes won’t give you all the information you need, because sometimes you can’t know a vendor’s likelihood of experiencing a breach. They may not be aware, either — some of their assets may be insecure, or they may have been breached and not yet know.

3. Monitor your vendors continuously
Questionnaires and surveys represent one moment in time. These tools are static, and provide snapshots of a vendor’s security posture, but rarely the whole picture. In many cases, there’s no way to verify the accuracy of questionnaires, and you may simply have to accept a third party’s word that they are compliant. By using tools that allow you to continuously monitor the security posture of your vendors, you can avoid all of these issues, receiving a notification whenever a vendor falls out of compliance, and scanning for problems the vendor might not know about, like an Amazon Web Services bucket that has been mistakenly configured, chatter on the dark web about breached assets, or other assets that have been left unsecured.

Tip: Increasingly, regulatory bodies are mandating continuous monitoring of third parties and vendors. Make sure you’re up to date with your industry's mandates (NYDFS, CMMC, Executive Order on Improving the Nation’s Cybersecurity) and stay ahead of any potential changes that will require continuous monitoring of suppliers.

4. Automate the process
When it comes to reducing third-party risk, due diligence can be both tedious and labor-intensive. Large organizations often work with hundreds or even thousands of third parties, ranging from cloud vendors that serve an entire company to contractors that work for just one department. It’s a lot to keep track of — especially since many companies are still using spreadsheets and other manual tools to track TPRM. Estimates vary, but research from Ponemon suggests that 40% of organizations use spreadsheets to track issues with third parties’ risk. This is a manual process that takes a lot of time, and — as with any other manual data-entry project — can be prone to human error. Automated tools reduce the paperwork and strain on staff by offering a way to easily monitor third parties without having to manually create questionnaires or update spreadsheets.

It’s worth mentioning that vendors often have questionnaire fatigue — they have to fill out many security questionnaires for their clients and may simply be copying and pasting answers to save time. Automated tools can cut down on the administrative work on their end as well.

Tip: Automating third-party risk management processes will save you not only time but money. Need help justifying the need for tools that will automate your TPRM process? We’ve seen that organizations reduced the vendor questionnaire effort by 83% and received an ROI of 198% through automation.

5. Collect consistent data
Automated tools can also solve another questionnaire-related problem. Often, when presented with a questionnaire, third parties may choose to answer a question differently. Some may take a narrative approach to answering questions, some may answer yes/no, some may attach a screenshot. Those different kinds of data are going to be difficult to store or understand because in many cases you won’t be comparing apples to apples. Nor can a tool automatically process all those different kinds of data — instead, someone will have to manually review it. An intelligent security tool can collect the data itself, only collecting the sort of structured data you need to automatically assess risk. It will also save people on both sides of the client/vendor relationship time and effort on questionnaires and surveys.
How can SecurityScorecard help? You can never eliminate risk, but you can manage it, and that’s important when you need to trust your third parties. To reduce the amount of administrative time and effort spent managing third-party relationships, consider an intelligent tool that automates parts of the third-party management process. SecurityScorecard enables organizations to drive scalable and automated third-party risk management to drive a trusted third-party risk management program. SecurityScorecard is the only omni-directional security ratings provider of cyber risk ratings, questionnaires, a marketplace of integrations, and attack surface intelligence.
The Forrester New Wave™: Cybersecurity Risk Rating Platforms, Q1 2021 report has recognized SecurityScorecard as a leader in cybersecurity risk ratings.
SecurityScorecard earned a differentiated rating (the highest rating possible) in the following evaluation criteria:
• Data accuracy
• Breadth of use case
Download your report now to see the new Cybersecurity Risk Rating Landscape and how each provider measures up.
Deepening collaborations for cybersecurity - Highlights from the Singapore International Cyber Week 2021
By Jane Lo, Singapore Correspondent
Held in a hybrid format during the second year of the pandemic, the highly anticipated Singapore International Cyber Week 2021 (SICW, 4th – 8th October 2021) opened to a global audience that saw more than 2000 delegates and speakers participating globally, including government ministers, cyber principals and heads of agencies and leaders from industry and academia. The 6th edition of SICW continued the momentum of conversations on emerging digital opportunities and threats, cybersecurity policies and norms, Internet of Things (IoT) and Operational Technology (OT) security, and unveiled the latest Singapore cybersecurity strategy to address new and emerging cyber threats.
Singapore Cybersecurity Strategy 2021 – Consensus building and deepening collaboration
The Singapore Cybersecurity Strategy was first launched in October 2016 by Prime Minister Lee Hsien Loong at SICW 2016; its update, the Singapore Cybersecurity Strategy 2021, was released by Mr Teo Chee-Hean (Senior Minister and Coordinating Minister for National Security) at SICW 2021. As the global digital revolution and innovations accelerate, “connecting more people, bringing in new services, and rolling them out fast, bring added risks”, said Mr Teo, such as the exploitation of “vulnerabilities in what should be ‘high trust’ components” in the recent high-profile SolarWinds supply chain attacks.
While the updated strategy “articulates Singapore’s approach to safeguarding our wider cyberspace in an increasingly complex environment,” he said, it also “acknowledges the need for consensus-building and deepening collaboration.”
The 2017 WannaCry attack encapsulated today’s era, in which the global nature of cyber threats means that no one can combat them alone. Threat actor groups have also recognised the benefits of working together, sharing intelligence and tools to stage attacks of ever-increasing sophistication. Cybercrime models such as ransomware-as-a-service or phishing-as-a-service point to a trend of increased collaboration between bad actors and coordination across specialities. Little if any programming skill is required to launch an attack – a crucial factor behind the alarming rise of ransomware attacks. Moreover, such collaborations extend beyond the cybercrime ecosystem. The ease with which threat actor groups move between the Dark Web and the surface web economy, commodity and customised malware, and desktop, mobile and network attacks has broken traditional attribution models. Targeted attacks are no longer the preserve of nation state actors - cybercriminals can just as easily disrupt critical infrastructure with a ransomware attack. Recent ALTDOS incidents that targeted South-East Asian businesses ranging from electronics to furniture stores, and DarkSide’s compromise of the U.S. Colonial Pipeline, leave no doubt that cyber threats are advancing to a mainstream consideration for organisations of all sizes and sectors across the world.
The good news is that there has been great progress on international cooperation to combat cybercrime and build cyber norms. One example is the Interpol Global Complex for Innovation based in Singapore, where law enforcement and industry partners’ recent “Operation Night Fury” led to the arrest of three individuals running a malicious credential-theft campaign. Another is the recent establishment of the United Nations “Open-ended working group on security of and in the use of information and communications technologies”, to be chaired by Singapore from 2021 – 2025. SICW 2021 built on these experiences, with government ministers, cyber principals and heads of agencies and leaders from industry and academia sharing their perspectives on public-private collaborations. These are some highlights...
Ministerial Roundtable Sessions and the ASEAN Ministerial Conference on Cybersecurity (“AMCC”)
Strong participation at the Ministerial Roundtables, including ministers, cybersecurity coordinators, heads of cybersecurity agencies and top industry players from the United States, United Kingdom, Japan, European Union and Australia, underscored the common ambition to strengthen international collaboration in cybersecurity. Regionally, since ASEAN’s (Association of South-East Asian Nations) subscription in principle to the UN’s 11 voluntary, non-binding norms of responsible state behaviour in cyberspace in 2018 - the first regional grouping to observe such norms – there has been further progress on ops-tech collaboration and capacity building.
Notably, the initiatives announced at the 6th AMCC included the establishment of the ASEAN CERT (computer emergency response team) and the ASEAN CERT Information Exchange Mechanism, and the official opening of the ASEAN-Singapore Cybersecurity Centre of Excellence (“ASCCE”, which was launched in 2019) to support cyber capacity building efforts in the region.
Within Singapore, collaborations between the government – through CSA - and industry were stepped up. Initiatives announced at SICW 2021 included the SG Cyber Safe Partnership Programme (where government and industry aim to encourage the adoption of good cybersecurity practices by businesses and the public) and the first national standard on Cybersecurity Labelling for consumer IoT (which aims to serve as a standard that can be adopted by manufacturers, developers, testing bodies and suppliers of consumer IoT devices globally).
Mr David Koh, Chief Executive, Cyber Security Agency of Singapore (CSA), on stage, left; Ms Chong Shu Min (Assistant Manager, Strategy & Planning Division, CSA), on stage, right. Top left, clockwise: The Honourable Dato Abdul Mutalib Yusof, Minister of Transport and Infocommunications, Brunei; Mr Roberto Viola, Director-General, Directorate-General for Communication, Networks, Content and Technology (DG CONNECT), European Union; Mr James Hatch, Director Cyber Security, BAE Systems Applied Intelligence; Lieutenant General Hinsa Siburian, Head, National Cyber and Encryption Agency (BSSN), Indonesia; Mr Julian Cracknell, MD of BAE Systems AI; Mr Michal Pukaluk, Director of the Digital Policy Department, Prime Minister’s Office, Poland. Photo Credit: Cyber Security Agency of Singapore
Clockwise from top: Anne Marie Engtoft Larsen (Tech Ambassador, Ministry of Foreign Affairs Denmark); Brandon Wales (first Executive Director, Cybersecurity and Infrastructure Security Agency, United States); Lu Chuanying (Research Fellow, Centre for American Studies, Institute for Global Governance Studies); Peter Moore (Regional Managing Director, Asia Pacific Public Sector, Amazon Web Services); Jane Lo (Singapore Correspondent, MySecurity Media). Photo credit: Cyber Security Agency of Singapore
Governments & Tech MNCs: Regulate or Collaborate for Cybersecurity?
Besides the building of international bilateral and multilateral ties and domestic initiatives, recent supply chain attacks like the SolarWinds incident have added renewed urgency to do more. By targeting a supplier integral to our digital infrastructure – whether it is a piece of software in a networking tool, in a cloud service or in a third-party application – malicious actors can trigger a chain reaction that compromises multiple organisations and thus causes widespread disruption.
This multiplier effect means that larger global technology suppliers are highly tempting targets for attackers. With “big tech” (as some refer to Tech MNCs) in the spotlight as the number of supply chain attacks is expected to grow, combined with recent anti-trust actions making headlines, the SICW Conversation on “Governments & Tech MNCs: Regulate or Collaborate for Cybersecurity?” was timely. While trust in the supplier ecosystem is being further tested as the full taxonomy of such attacks remains unknown, dialogues between government and suppliers are tangible steps towards finding common goals to combat such threats. Engagement models such as the recent US White House meeting with large technology companies were examples explored with Anne Marie Engtoft Larsen (Tech Ambassador, Ministry of Foreign Affairs Denmark); Brandon Wales (first Executive Director, Cybersecurity and Infrastructure Security Agency, United States); Peter Moore (Regional Managing Director, Asia Pacific Public Sector, Amazon Web Services) and Lu Chuanying (Research Fellow, Centre for American Studies, Institute for Global Governance Studies). Moderated by Jane Lo (Correspondent, MySecurity Media), the panel also discussed the trade-offs and gaps in governance in the areas of secure software development and information sharing. While there are regulations, namely to protect personal data and critical infrastructure, the panel consensus (and a live audience poll) pointed to strong support for collaboration as key to meeting the real threat of cyber incidents. For example, Ambassador Larsen noted the need for
democratic countries to join forces to shape a responsible, democratic and secure digital future and “to forge a closer and trusted partnership with the private sector”. Executive Director Wales emphasised the need to turn the discussion around information sharing into a discussion around operational collaboration: “how do we collaborate with the key stakeholders inside of the industry, who not only have the level of visibility to understand the modern threats we are facing, but also have the ability to take action at scale.”
“Cybersecurity is a team sport” - Mr David Koh (Chief Executive, Cyber Security Agency of Singapore)
In less than 2 years, ransomware attacks have escalated into a massive, systemic threat, and supply chain attacks have manifested the full extent of their disruptive power. They are stark reminders of the global interconnectedness of our digital infrastructure. “These shifts in our threat landscape over the past year underscore the diverse challenges in cybersecurity, which must be met by a whole-of-society effort and collective responsibility between stakeholders in the public and private sectors,” said Mr David Koh (Chief Executive, Cyber Security Agency of Singapore). To this, he added: “cybersecurity is a team sport. In fact, it is an international sport.” Indeed, while nations and organisations will continue to chart their own journeys to meet these challenges, a collective response is needed where actors across geographies, sectors, industries, backgrounds and experiences come together to share and act, and to defend against an ever-evolving threat landscape. With time and productive dialogues involving high levels of regional and international participation, common ground on effective cybersecurity programs can undoubtedly be reached.
From left: Ms Chong Shu Min (Assistant Manager, Strategy & Planning Division, CSA); Mrs Josephine Teo (Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity), who announced the official opening of the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE); Mr David Koh (Chief Executive, Cyber Security Agency of Singapore (CSA)). Photo Credit: Cyber Security Agency of Singapore
Episode 292 – Critical Information Infrastructure protection in Singapore, with the Cyber Security Agency of Singapore
Recorded: 15th October 2021 (SGT 8.30am)
Lim Thian Chin, Director, Critical Information Infrastructure Division, Cyber Security Agency of Singapore
Thian Chin is leading the Critical Information Infrastructure (CII) Division at the Cyber Security Agency of Singapore (CSA). The division is responsible for building the cyber resilience of the Nation’s essential services across 11 CII sectors covering government, utilities, transport and services clusters.
Interview by Jane Lo, Singapore Correspondent
Episode 283 – 6G: A paradigm shift and physical layer security
Recorded 3rd September 2021, 4.30pm SGT / 10.30am France.
Dr Arsenia Chorti, Professor at ENSEA (École Nationale Supérieure de l’Électronique et de ses Applications, Paris, France)
Dr. Arsenia Chorti is a Professor at ENSEA (École Nationale Supérieure de l’Électronique et de ses Applications, Paris, France) and a Visiting Research Fellow at Princeton University. She is also the Head of the Information, Communications and Imaging (ICI) Group of the ETIS Lab.
Interview by Jane Lo, Singapore Correspondent
Singapore Cyber Landscape – highlights at ISACA Singapore Chapter’s GTACS 2021 conference
By Jane Lo, Singapore Correspondent
“Singapore’s Cyber Landscape largely mirrors the global landscape” and “so any threats out there will spill over to Singapore”, said Dr Janil Puthucheary (Senior Minister of State, Ministry of Communications and Information & Ministry of Health), at ISACA Singapore Chapter’s GTACS (Governance, Assurance, Security and Risk & Control) 2021 conference (2nd September 2021).
Ransomware
For example, “crippling ransomware attacks are one of the top threats organisations and individuals around the globe face,” Gregory J. Touhill (Chair, ISACA) pointed out in his overview of the “Global Risk and Governance Landscape.” Like other countries around the world, Singapore also faces the rising threat of these attacks. In fact, earlier in August this year, a joint advisory on the ransomware operator ALTDOS was issued by the Cyber Security Agency of Singapore (CSA), the Personal Data Protection Commission (PDPC) and the Singapore Police Force (SPF), underscoring the pervasiveness of the threat faced by organisations in the region. By capitalizing on pandemic-related fears, ransomware operators and other threat actors carefully constructed social engineering and phishing tactics using Covid-19 and vaccine-related news as lures. The severity of ransomware was highlighted by Mr Dan
Yock Hau (Assistant Chief Executive, Cyber Security Agency of Singapore) in his keynote address on the “Cybersecurity Landscape in Singapore”. According to the Singapore Cyber Threat Landscape 2020 report, there had been a 154% rise in ransomware cases (compared to 2019). “At least 60% involved small medium enterprises, with almost half from manufacturing (~30%) and IT (~15%) industries,” he said. “These affected industries were in line with global observations,” he noted. “These industries are running 24/7 operations that cannot afford downtime, meaning more unpatched/outdated systems and vulnerabilities to exploit,” he explained. Further, “the affected organisations comprised mainly SMEs, which are unlikely to have dedicated infocomm security officers,” he added. In fact, he noted, ransomware had evolved from an “isolated and sporadic risk”, and is becoming “targeted and impactful, hitting organisations providing key or essential services.”
Supply Chain and Data Breaches
In addition, supply chain attacks and data breaches are two other threats faced by Singapore organisations. Targeting the weak links continues to be a means of launching attacks. For example, Mr Dan noted that in a supply chain attack,
“the compromise of a single trusted supplier can result in multiple victims,” and “in a data breach, threat actors are constantly probing for weak links to steal credentials to gain access into systems with sensitive data.” Indeed, data exfiltration (leak of personal data) tops security concerns in Singapore, in a study by Frost & Sullivan that surveyed ISACA Singapore Chapter’s members. “86% responded that this was a high level of concern,” said Mr Kenny Yeo (Associate Director, Head of Asia Pacific Cyber Security Practice, Frost & Sullivan) in his keynote, “the Singapore Cyber Security Landscape: Learnings from the 2021 ISACA-Frost & Sullivan Survey.” With about 30% reporting an increase in supply chain attacks, “Singapore enterprises must prepare for this growing risk,” he added.
Going forward
What are some key measures proposed to counter these threats? “Practice good cyber hygiene, such as keeping systems and software updated, raising employees’ awareness of threats, having full visibility of their networks and detecting unusual activity in a timely manner”, said Mr Dan. “Cultivate a mindset of vigilance as cybersecurity remains the responsibility of all end users,” he stressed. Practical measures include understanding that “information security cannot simply focus on technology, security practices need to be in place,” said Mr Yeo. These practices include “cyber security awareness programs, governance, risk and compliance tools, cyber drill and” he added. In addition to end users, “regular cyber risk briefings to management are crucial to change cyber security perception,” said Mr Yeo. In particular, according to the Frost & Sullivan / ISACA Singapore Chapter survey, more than 70% of senior management are becoming more concerned with cyber risk issues. Therefore, “senior management buy-in is crucial for enterprise information security,” he said. Steven Sim (President, ISACA Singapore Chapter) shared the need for an “ecosystem of public and private partners to work closer together, to enhance the resilience of our business supply chain” in his opening remarks. Mr Touhill also emphasised that “as a global cybersecurity community, it is imperative that we all come together to recalibrate how we hire, how we train, how we retain our future cyber leaders, to ensure we have a solid workforce, that is evolving with cybersecurity needs.” Indeed, David Koh (Commissioner of Cybersecurity and Chief Executive, Cyber Security Agency of Singapore) noted in the Singapore Cyber Landscape 2020 that “Cybersecurity is a Team Sport. In fact, it is an International Team Sport.”
SECURITY & SAFETY REIMAGINED – UNIFIED VOICE, VIDEO, ANALYTICS & SOFTWARE
Interview with Rhys Clare, Director, Asia Pacific Channel Solutions
We speak with Rhys Clare, Director for Asia Pacific Channel Solutions, Motorola Solutions. Join us next week with leading industry experts from Motorola Solutions to discuss the implementation of actionable intelligence for the Enterprise and Infrastructure sectors. Rhys Clare is a communication industry expert with close to 20 years’ experience in Voice Communication, Unified Communications and Contact Center services with leading companies including Ericsson-LG, Enghouse (formerly Zeacom) and NEC. In his role at Motorola Solutions, Rhys works closely with Partners in the APAC region to identify and develop digital transformation opportunities where customers can use Motorola Solutions’ converged Voice, Video and Software Applications to address their challenges, and further their business objectives by shifting to an open ecosystem platform that is critical to fixing complex problems.
SECURITY REIMAGINED - LEARN HOW TO IMPLEMENT ACTIONABLE INTELLIGENCE FOR EFFICIENT SAFE ENVIRONMENTS
Interview with Rhys Clare, Director, Asia Pacific Channel Solutions
Strategic Solutions Specialist, Motorola Solutions Inc
Better data, information flow and situational awareness are critical to business outcomes and profitability across all industrial operations. Increasingly, Industrial Internet of Things (IIoT) components are incorporated to deliver better communication within sites, workgroups and operations. A fully connected communications ecosystem provides earlier alerts to incidents before they escalate, better predictive maintenance and situational awareness at the workplace. New technologies such as machine learning, analytics, and automated alerts now play a greater role than ever before in ensuring the security, health and safety of employees at work.
In this webinar, we speak with the team at Motorola Solutions to understand how its SAFETY REIMAGINED unified ecosystem and methodology enable manufacturing, utilities and industrial operations to embed better intelligence and proactive incident responses, and ensure a higher level of operational compliance and best practices. By focusing on the 4 pillars of the Safety Reimagined program – DETECT, ANALYSE, COMMUNICATE and RESPOND – businesses will be more responsive to changing dynamics that could impact the safety of their people, or even grind their operations to a halt.
COVER FEATURE
Network and Data Center Security By Guy Matthews, Editor of NetReporter
Surviving the pandemic has tested everybody’s powers of endurance. For individuals, and for enterprises everywhere, it has been a troubling and disruptive time. For many businesses it has been a matter of adapting at light speed to ensure survival. It has also seen several tectonic shifts at the level of IT, either accelerating trends that were already in progress or creating fresh waves, the implications of which are still unfolding. “Firstly, there was a shift towards the cloud and enterprise digitalization as people dispersed to work remotely,” notes Mauricio Sanchez, Research Director, Network Security & Data Center Appliance, SASE Market Research, Dell’Oro Group. “We saw enterprises that hadn’t necessarily been particularly digital, as far as their clients and workers were concerned, suddenly having to dial that in. Then there was the conversation about every business's online digital experience from a security perspective.” It was an uncertain time even for seasoned security practitioners, he says: “Then this summer, ransomware hits the front pages with companies like Colonial Pipeline getting hit hard by a massive outage of their facilities. More recently we’ve seen Russia’s Yandex suffer one of the largest DDoS attacks in history. Cyber threats weren’t slowed down by the pandemic. In fact, they have probably accelerated in many respects.” Changes in working patterns, in tandem with a rising tide of security threats, forced a lot of enterprises to think about their reliance on legacy network architecture, believes Sanchez: “The classic hub and spoke model that has worked for many decades was in doubt. It was a tried and trusted model, good at protecting the inside of the corporate network, with everything backhauled to that data center at the heart. A lot of enterprises have started to understand that this architecture no longer fits what's needed, and that’s
led to a new class of architecture solutions matched by some new enabling technologies.” Not least of these has been SASE, or the secure access service edge: “We see this as the next wave in networking,” claims Sanchez. “The vendor community has responded to enterprise pressure with this intersection of networking and security, by providing a converged networking and security solution.” So what, wonders Sanchez, are the top security threats enterprises are facing today? To help answer this he spoke to a panel of seasoned security professionals from around the world of commerce. Gail Coury, Senior Vice President and Chief Information Security Officer with security vendor F5 Networks, sees the challenge as multi-faceted: “At F5 we have moved so many of our applications out of our data centers,” she says. “One of our top goals is to be completely out of that business. If you look at how our workers do their work today, remotely from their home offices, they are very rarely getting on a VPN. But now we have an expanded attack surface, with some applications still in an on-premise data center, others protected by SASE, many in multiple clouds around the world helping us manage our employees and support our customers. We see threats to applications, threats to the end user, threats to the devices users are connecting from.” Attackers are busily adapting to the new defensive measures that everyone is putting in place, believes Jordan LaRose, Director of Consulting and Incident Response with security vendor F-Secure: “We have new technologies to stop classical attacks, like ransomware,” he says. “It's funny that I'm saying ransomware is classical, as it's only been around for a couple of years. But that's how quickly the industry is moving nowadays. I’d add that ransomware attackers are not just targeting computers anymore, they
also target key servers, key users on the network, exfiltrating intellectual property, or blackmail information, or anything they see as valuable that they can take and base a ransom on. They'll hold it hostage and say if you don't pay us this money we're going to leak this information to the public Internet. This is a big challenge for the industry because protection now needs to target the entire network.” There’s a need, he says, for the tech industry to increase security even more, to cover not just an enterprise’s ‘crown jewels’, but also to make sure that nothing unintentional goes in or out: “So not just your key database, but your CFO’s laptop that he's got sitting on his desk at home in Florida.” The nature of today’s highly distributed organisations makes the job of security much harder, notes Vivek Bhandari, Sr. Director of Product Marketing, Networking and Security Business Unit with VMware. “Apps are everywhere, users are everywhere, we have all kinds of devices,” he says. “Architectures are fundamentally changing with containerized applications, and with so many components spread across multiple clouds. It has created a field day for attackers because now the attack surface has exponentially grown. It's become so much easier now for attackers to find their way in.” Another source of worry for Bhandari is the area of Zero Day exploits: “Compared to the last two years, in 2021 alone we have seen more than two times the use of Zero Day exploits in the wild. This is something that a lot of traditional security defences, which rely on signatures or known behavior, can't react to.
It’s like somebody with a mask on masquerading as something they are not.” Dr Ronald Layton, Vice President, Converged Security Operations with Sallie Mae Bank, wants to see budgets for security expand in line with those for other tech services: “Law enforcers should adopt a more collaborative approach, just like we do in the private market where we'll pick the phone up and call a friend who's the CISO and ask what they are seeing,” he says. “We are all better when we collaborate, and the bad actors have picked this up rapidly. They've always been effective collaborators on the offensive side, better than on the defensive side which is where we all play.” Coury of F5 Networks finds it useful to leverage her experience as the former head of a business facing multiple security headaches: “Before I took the role of CISO at F5, I was general manager for one of our online security services businesses where we were protecting hundreds of customer environments against DDoS attacks,” she explains. “DDoS-as-a-service is something that the hackers have gone into. I also want to mention bot traffic and credential stuffing traffic that is focused on applications.” So what are the solutions out there that enterprises should be thinking about, in the face of all these fast evolving threats? Bhandari of VMware is a believer in Zero Trust as a paradigm: “What we're beginning to see is organizations start thinking of securing end user traffic with solutions like SASE and ZTNA,” he says. “Look at all the stuff that's happening within the cloud and across clouds, with almost every organization now shifted to a multi-cloud strategy where applications are hosted. We have to secure workload access as well, and it's not only about user access.”
Coury of F5 Networks wants more done to integrate security: “I’m talking about API security, and how micro services connect to each other. How do you secure the data? The data itself should be independently protected. How do you secure the user, how do you have positive strong identity, and then how do you make sure you authenticate the device? You must know that device is healthy before you allow that connection to occur, and this is all because we don't have that perimeter anymore. This is why we have to change the way we think about security.” By way of conclusion, LaRose of F-Secure notes that he always says to clients who are either in the middle of or recovering from a cyber-attack that there is no silver bullet for security. “There's no one piece of software that's going to solve all of your problems,” he concludes. “I wish there was, it would make my job a lot easier. But, unfortunately, it's all about understanding all of the different levels of technology, all the different levels of risk, and identifying the right solution for each one of those individual pieces.”
Featured Speakers:
Analyst Chair: Mauricio Sanchez, Research Director, Network Security & Data Center Appliance, SASE Market Research, Dell’Oro Group, www.delloro.com
Gail Coury, Senior Vice President and Chief Information Security Officer, F5 Networks, www.f5.com
Jordan LaRose, Director of Consulting and Incident Response, F-Secure, www.f-secure.com
Dr. Ronald Layton, Vice President, Converged Security Operations, Sallie Mae Bank, www.salliemae.com/banking
Vivek Bhandari, Sr. Director of Product Marketing, Networking and Security Business Unit, VMware, https://www.vmware.com/
Market opportunities for 5G, IoT and edge compute
By Guy Matthews, NetReporter
There is an increasingly important link between 5G, IoT and edge compute, with each having implications for the success of the other. So believes Jeremiah Caron, Global Head of Research & Analysis with the Technology Group of independent analyst firm GlobalData. “IoT has been around for a while now, enabled by existing networking technologies,” he explains. “But now there are a number of different elements coming into play on the network side, and also on the compute side. We have analytics and AI entering the mix. It all means that IoT is complemented by new solutions such as 5G network services and edge computing capabilities, together driving a more highly automated, cleaner, safer, and more productive industrial and business world. We’re on the cusp of something faster, more real-time, more embedded into all business processes.” After a bumpy start for 5G, Caron thinks that momentum is picking up, with work ongoing in the area of standards, as well as with auctions around the world for spectrum: “The next standard from the 3GPP is going to be 5G-Advanced, which will take things to the next level, to that place that we've been talking about for four years on the enterprise side,” he says. “And there's been a lot of effort on private 5G networking to match.” The other big 5G topic that Caron believes people are increasingly focused on is edge computing, with many different types of solution in development: “There's massive
ecosystem diversity around edge,” he notes. “There are lots of different players, from hyper-scale cloud providers to network-owning operators to compute providers to multiple types of software company and integrator. We're starting to see models emerge that feature some consistency. There are still questions that remain. What are the consumption models for edge compute? Who do you buy it from? How do you buy it? When it comes to service models, enterprises are still pondering what to do here. Their supplier partners are more than happy to help them think about that. The market is looking for early successes, actual implementations that can be said to have really made a difference in automation, or in real-time business activity, and when we see more of those that will drive a lot of confidence and encouragement.” To broaden the discussion, and get testimony from the front line on 5G, IoT and edge issues, Caron tapped the views of a select panel of experts. He started by asking for an explanation of what they are seeing in terms of practical enterprise use cases, with particular regard for the business value that is being created. “Think about the convergence that's happening, with data coming from sensors, being fed over cellular networks into large hyperscale environments, with software, services and AI capabilities running on top of that, driving business value,” enthuses Shamik Basu, Director of IoT Products with Verizon Business, the major US carrier that is running
a number of 5G deployments in the US for the benefit of enterprise customers. “Just look at pop-up locations and branch offices, where our customers want to take Fixed Wireless access as they look for alternatives to regular broadband connectivity. An example would be crowd management, with the need for constant measurement of foot traffic in the building. Then there’s cashless retail, and the ability to use visuals and cameras to support asset protection in retail locations. Think about functions that have traditionally required intense human engagement, now moving over to robotics and automated guided vehicles with the use of object recognition. The edge is a perfect use case for that. Also, 5G is one of the things that is getting mixed reality off the ground.” From the vendor side, Mikael Bäck is Vice President and Corporate Officer, Group Function Technology with Ericsson. He says the company has been experimenting with 5G use cases since the technology’s early days, in verticals like manufacturing, automotive and transportation: “We’ve recently seen a lot of interest in private 5G networks in manufacturing plants and in remote locations,” he says. “There’s network slicing which gives the end user their own network, instead of building it yourself. Fixed Wireless is another case with the logistics sector early to adopt here. We’re seeing a lot of experimentation and early use cases coming live. We’re at the start of a journey that will be as big as the smartphone revolution in 4G.”
Stephen Spellicy is Vice President of Solutions & Product Marketing, Service Provider & Edge with VMware. He is seeing a lot happening in industrial IoT, with developments like smart meter infrastructure: “This is pushing operators to look for that next network solution, which is 5G,” he believes. “Modernization of 5G infrastructure is key to the customers we're working with today so they can go out and deliver on the promise of these advanced use cases.” Terence McCabe, Chief Technology Officer for Asia Pacific and Japan with Nokia, believes that private 5G might well be key to the mobile market’s future at enterprise level: “Private networks give you a more controlled environment that can be dedicated to specific use cases and can iterate through the standards more quickly,” he claims. “We have a combination of carrier customers and private customers who've rolled out 5G standards. And there will be early adopters for ultra-reliable, low latency use cases as we move forward.” McCabe says the next couple of years will see a whole new range of deployments: “Getting use cases refined and tuned to rollout at a mass scale is a lot easier to do with private networks today than it is to use a general purpose sliced 5G network that's serving a whole range of other use cases,” he points out. “By starting with private networks, you give yourself the opportunity to build new use cases
Cyber Risk Leaders Magazine | 29
without having to transform entire networks to do so.” Spellicy of VMware agrees that private networking is the first real 5G footprint: “It all starts with private networking and it moves from there to edge computing,” he believes. “For more advanced use cases in areas like manufacturing or healthcare and smart medicine, that is going to require an additional network. Of course, 4G provides quite a bit of capability for some of the more basic services. But when bandwidth and latency become constrained, 5G will be the ‘go to’ network. Consider also verticals like mining and exploration which use automated guided vehicles. These require very low latency communication in order to control them. In other industries, like manufacturing, you're going to need maybe more bandwidth, but you can get away with higher amounts of latency.” The communications service provider, he says, has an opportunity to help bring such capabilities to the customer. Saratendu Sethi is Vice President of AI with GEP, a specialist in the field of procurement and supply chain solutions. His company is building use cases that take technologies such as 5G, IoT and edge compute to customers to solve specific supply chain problems: “Even before the pandemic, the supply chain was undergoing a whole process of digitalization,” he says. “At the core of a digital supply chain, what's important is data and end-to-end connectivity. And this is where 5G comes in. The promise of 5G in terms of accelerated data speeds to reduce latency, in connecting significantly more devices, in enabling IoT, is phenomenal. For example, we are directly working with customers who are using IoT to enable ‘just in time’ manufacturing by tracking parts in real-time as
30 | Cyber Risk Leaders Magazine
they are moving from the assembly line, rather than waiting for a scheduled arrival. We are building opportunities to keep these manufacturing processes running throughout. 5G allows us to connect more and more devices, so we can actually track goods at SKU level as they're being manufactured and as they are moving across warehouse distribution centers.” By way of conclusion, Nokia’s McCabe considers web scale players and what they are doing with deployments in this area: “It isn't a simple competitive dynamic,” he explains. “There's a lot of cooperation going on, and there's real ambiguity about the roles that the ecosystem players will take in the long run. We see many examples where web skills are partnering with CSP companies at a national level and working together to deploy edge data capabilities to host applications. There are other cases where the web skills are actually working to develop telco cloud solutions to support the workloads of the CSP themselves. When we talk about the role of the web scale, it's very much a space to watch. The dynamics are not fixed and are going to change a good deal over the coming years.”
Live & Virtual Show
Wednesday 23rd - Thursday 24th March Sands Expo & Convention Centre, Marina Bay Sands, Singapore
Geospatial & Location Intelligence Solutions for Asia - Underground, Land & Sea to Sky
Geo Connect Asia (GCA) has established its position as the regional gateway for world leaders in the geospatial technology, location intelligence and remote sensing markets. The in-person show and series of conferences will be staged in Singapore on the 23rd & 24th March. The two-day event mixes thought leadership with practical and innovative solutions:
Exhibition Showcases - Geospatial Technologies, Satellite & Remote Sensing, Digital Construction, PropTech & Unmanned Aerial Vehicles
Conferences - GCA Main Stage, Expert Stages (Smart Agriculture, UAV Asia, Digital Construction Asia, Digital Underground Connect), Tech Talk & Start-up Sessions
Business Meetings - Industry Professionals, Government Agencies and Start-ups
Plan your participation in Asia’s showcase and build your market position and visibility at Geo Connect Asia 2022!
Key Industries: Climate Resilience; Construction & Infrastructure; Disaster Response; Insurance & Risk Assessment; Ports & Maritime; Precision Agriculture; Proptech & Innovations in Real Estate; Rail & Road; Retail & Logistics; Smart Cities; Utilities
Leverage the unique business opportunities & vibrant networking platforms
Reach out to more than 2,500 professional visitors
Take advantage of tailor-made publicity opportunities
Showcase your full range of solutions
Strengthen your brand position and develop partnerships
Meet leaders and specialists from targeted industry groups
Recommend thought leadership focused speakers
Achieve your marketing objectives with bespoke packages
Utilise the interactive activities to enhance your company’s profile
Hybrid options are also available. Contact us today to find out more.
Keen to exhibit with us? Scan to Enquire About Your Participation
International Mr Rupert Owen email@example.com
Asia Ms Mei Shyan Boo firstname.lastname@example.org
AUDITING AI & EMERGING TECHNOLOGY Interview with
Tuan Phan Founder, Zero Friction LLC representing ISACA from the USA.
We speak with Tuan Phan, Founder, Zero Friction LLC, representing ISACA from the USA. In the lead-up to a new AI whitepaper being released by ISACA later in November, Tuan will cover the AI-related findings from ISACA’s recent survey report, The Pulse: Emerging Technology in 2021 and Beyond. We will also talk about trends in AI and his perspective on AI-related challenges as we head into 2022. Importantly, this also includes how we will audit AI-driven applications. Tuan Phan is a partner with Zero Friction LLC with over 20 years of strong technical and management expertise in the implementation and management of emerging technologies, cybersecurity and information assurance programs, technical projects and operations, and risk management across several industries including government, software, drug and medical device manufacturing.
Helping Critical Infrastructure Secure their Assets The Role of Lock Systems in our Protecting Nations Critical Infrastructure Download our latest whitepaper
CONTACT US SYDNEY • MELBOURNE • BRISBANE • PERTH • ADELAIDE • AUCKLAND
1300 722 311
+64 (0) 9 368 4802 WWW.EKACYBERLOCK.CO.NZ
MySecurity Marketplace: Updates & Recent Highlights
New Insights into The Devilstongue Spyware Impacting Journalists, Human Rights Defenders and Politicians By MySecurity Media Courtesy of ESET
ESET has released its T2 2021 Threat Report highlighting several concerning trends recorded by ESET telemetry, including increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home who have become used to performing many administrative tasks remotely. Ransomware, showing three major detection spikes during T2, saw the largest ransom demands to date. The attack that shut down the operations of Colonial Pipeline, the largest pipeline company in the US, and the supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software sent shockwaves that were felt far beyond the cybersecurity industry. Both cases appeared to pursue financial gain rather than cyberespionage, with the perpetrators of the Kaseya attack setting a USD 70 million ultimatum, the heftiest known ransom demand so far. “Ransomware gangs may have overdone it this time: the involvement of law enforcement in these high-impact incidents forced several gangs to leave the field. The same can’t be said for TrickBot, which appears to have bounced back from last year’s disruption efforts, doubling in our detections and boasting new features,” explains Roman Kováč, chief research officer at ESET. On the other hand, the final shutdown of Emotet at the end of April 2021 saw downloader detections down by half compared to T1 2021 and a reshuffling of the whole threat landscape.
Password-guessing attacks, which often serve as a gateway for ransomware, saw further growth in T2. Between May and August 2021, ESET detected 55 billion new brute-force attacks (+104% compared to T1 2021) against public-facing Remote Desktop Protocol services. ESET telemetry also saw an impressive increase in the average number of daily attacks per unique client, which doubled from 1,392 attempts per machine per day in T1 2021 to 2,756 in T2 2021. The report also covers the highly targeted DevilsTongue spyware (see pages 12 and 13 of the report), which is used to spy on human rights defenders, dissidents, journalists, activists, and politicians, and a new spear-phishing campaign by the Dukes APT group, which remains a prime threat to Western diplomats, NGOs, and think tanks. A separate section describes new tools employed by the highly active Gamaredon threat group targeting governmental organizations in Ukraine.
Why organisational risk starts and ends with your people By Lisa Sisson
There is not one organisation that can afford to ignore risk. We must plan for the possibility of things going wrong, whether risk comes from environmental threats such as floods and fires, human-based threats such as workplace violence or cyber-attacks, or health threats, as the world has recently learned through the global pandemic. The thing about planning for risk is that it can make us fixate on potential threats. To protect what we value most, we can become so worried about the things that might happen that we introduce systems of protection that are themselves sources of risk. The introduction of processes to reduce risk or human error can create overhead that slows down our businesses, frustrates our employees and even creates a culture of suspicion and mistrust. At times this can be seen to cause more harm than the original threats we hoped to protect ourselves against.
What are you really achieving through risk management?
Even with our best intentions and our decisions to provide structure and control to reduce the effects of certain types of risk, we find ourselves exposed to other types of risk through this process. One of those risks is ‘disengagement’. Many executives associate disengagement with productivity and don’t consider the risk exposure. When employees are disengaged, they are at best satisfied with the bare minimum level of productivity and focus. This is why the statistic shared in Gallup’s recent State of the Global Workplace: 2021 Report, that 80% of workers are not engaged or are actively disengaged, is incredibly concerning.
When it comes to disengaged employees in the context of risk, there are three concerns:
1. Lack of attention leads to errors and ‘unintentional’ insider threats, which are the most common type, making up two-thirds of incidents.
2. A lack of situational awareness: they don’t even see that there is a risk.
3. A low ‘care factor’: if they do identify a threat or vulnerability, they see it as “someone else’s problem.”
This is why disengagement is so important and why you need to take a person-centric approach to reduce your organisational risk profile.
We need more than a traditional approach
There are many global risk management standards that provide organisations with a structure to help them understand the types of vulnerabilities and threats they need to protect against. These standards provide frameworks and processes to manage risk, but they are not designed with people at the centre. Risk management is more than processes and systems; it is an art form that centres around your people. Because here’s the thing: when it comes to executing the organisation’s risk management plan, who is really executing? It is your people. It is no longer the original handful of decision makers who created the plan. Plan execution is now delegated to others within the business. Managers may play a part, but the real responsibility for the execution and day-to-day management of risk lies with your employees. Which is why it is imperative to have an engaged workforce and avoid the three concerns relating to disengagement. The Royal Commission’s findings within the Financial Services sector highlighted that accountability resides at the top. It is senior executives who are accountable for the poor behaviour, decisions, and actions or inactions of all of their employees and the systems within their organisation. This drives home the importance of understanding why organisational risk starts and ends with your people: the organisation will win or lose as a team when it comes to managing risk, and there are heavy costs for the organisation, and personally, in penalties and reputational damage when getting this wrong.
A change in perspective is needed
It is time to rethink how we approach managing risk and to ask the question: how do the processes, policies, procedures and technology affect our employees? After all, they are the ones who interact with and navigate challenges in your work environment. Does your organisation’s risk management strategy help and support them to be successful? Or does it impede their ability to perform their fundamental roles? Are some employees getting creative and finding workarounds to be successful? The answer to the question plays a factor in your organisational risk profile, so it is certainly worth asking. If your efforts are impeding employees, this can lead to disengagement. Often disengagement comes from a lack of connection to the business and its purpose, a lack of trust in leadership, or not feeling valued and heard. Look through the lens of your people, truly understanding their needs, to create connection and alignment between employees and the organisation. This will allow employees to find their sense of contribution, meaning and motivation to protect your organisation. It is only by focusing on risk with and through your people that you are going to truly solve your organisational risk exposure and drive transformational change.
Cyber Risk Meetup EVENTS AND ROUNDTABLE
ADELAIDE - NOVEMBER MELBOURNE - TBC SYDNEY - TBC
MEDIA PARTNERS
How to empower your people to become your greatest risk management asset By Lisa Sisson
Do you think about the ‘power of your people’? After all, your employees touch every aspect of your business: from day-to-day operations, engaging with customers, utilising technology and creating your processes and policies, to making decisions and taking action (or inaction) that affects your business daily. Your people are literally the heart of your business.
Harnessing the ‘power of your people’
Employees tend to be drawn to organisations where they believe there is an alignment in values and a sense that they are heard and can contribute to the business. It gives employees a deeper reason to show up every day and take pride in their work. Employees who feel trapped in their organisation’s rigid structure of rules, reporting and penalties, on the other hand, can find themselves becoming slaves to the numbers, creating a workplace where people are afraid to come forward, and where risks can be buried, only to surface in negative outcomes. By harnessing a different perspective on risk, a person-centred approach, you can provide a pathway for developing your organisation and its culture, being ready to adapt and adjust when you hit unexpected obstacles.
Start with a ‘safe zone’ You can optimise your work environment with a ‘safe zone’. The best way to create a safe zone is to build an environment that allows people to feel safe to succeed without fear of failure. Treat your people’s growth and progress as a learning tool and encourage and support
them, especially when they are stepping into new fields or responsibilities. Because it’s only when people feel safe to fail, that they truly feel safe to succeed. In a safe zone there are no scapegoats, there’s no blame-shifting and no one gets thrown under the bus. This must be demonstrated from the top down, through all levels of your organisation. According to Harvard Business Review leadership analyst Roger Jones, ‘CEOs should actively encourage all team members to speak up without fear of consequences. That fosters honesty, debate and better decisions.’ Forming connections with your people is a foundational component of the safe zone and helps tap into your employees’ desire to protect your organisation. Employees become proactive in notifying you of potential threats as soon as they are identified. This is when employees can become your organisation’s human ‘risk sensors’.
What are human risk sensors?
People naturally become aware of threats to the things that are important to them, often instinctively. Their desire to protect what is important can also apply to the organisation they work for. Engaged employees want to protect the wellbeing of the organisation and their colleagues. This desire to protect can provide the opportunity for employees to become human risk sensors – proactively sensing risk. A team of human risk sensors is a team in which everyone is looking out for threats to one another and the organisation. They monitor and intervene when required to ensure the organisation is protected from threats and vulnerabilities. Your people are in every corner of your business. They are communicating with customers and working intimately with every process and technology. They are often the first to notice a potential threat and can act as your early warning system. If your people are not engaged, they might see a potential threat and think, ‘Oh, that’s someone else’s problem.’ But if they are engaged, they are far more likely to come to you and say, ‘Hey, look – I’ve noticed something doesn’t seem quite right here. I just wanted to raise it and see what you think about it.’ These conversations can sound out areas of potential harm and are among the most effective ways to reduce organisational risk, if captured and responded to appropriately. The benefits of this approach extend well beyond risk mitigation. It will positively impact your reputation and revenue and improve your workplace culture. By engaging your people the right way, you can empower your people to be your organisation’s greatest risk management asset. It is only by focusing on risk with, through and by your people that you are going to truly solve your organisational risk exposure and drive transformational change.
Lisa Sisson, author of ‘Risk Starts And Ends With People: Demystifying risk for executives and leaders’, is a sought-after speaker, mentor, consultant and author who helps executives and leaders who have become distracted and overwhelmed with ‘managing risk’, by demystifying and tackling risk within their organisation. To learn more, visit www.unearth.com.au
THROUGHOUT NOVEMBER 2021
Beware of the return to office: How organisations can protect against pandemic sleeper threats By Rick Vanover, Senior Director for Product Strategy and Dave Russell, Vice President of Enterprise Strategy
As organisations get closer to implementing return-to-work plans, most employees are excited about getting back into an office routine. They miss their colleagues, their favourite lunch spots, and the on-site corporate culture that can’t totally be replicated over Zoom. IT administrators have a slightly different view. They miss all the in-office benefits, too, but for them the prospect of having employees all get back on the network after a year of remote working is a scary thought. The admins worry that, after a period of being lax about security, employees will bring compromised devices back to the office and expose the company to new threats. They may have a point. Work computers have played many roles during the pandemic – hosting everything from social gatherings to workouts, online learning sessions, home shopping and Netflix streams. Family members have borrowed Mom’s computer to play online games, and passwords have been passed around. Cyber diligence has taken on a lower priority than it should have. Cyber criminals are aware of how insecure employee environments have been. They struck with a round of phishing attacks during the 2020 lockdown period. Now, administrators are concerned that hackers might implant vulnerabilities in unsecured laptops and unleash them once employees reconnect with a wider array of resources inside the corporate network. Some companies did a good job getting ahead of security threats. When remote working became standard practice, some were able to issue company-standard devices with regularly patched antivirus security. But the majority found themselves scrambling to enable quick and
adequate working-from-home setups that didn’t require regular updates, patches and security checks. A cybersecurity survey conducted in February reflects just how unprepared enterprises appear to be for the return-to-work security threat. Of those surveyed, 61% used their own personal devices – not work-issued computers – at home. Only 9% used an employer-issued antivirus solution, and only 51% received IT support services while transitioning to remote workstations. Administrators are bracing for trouble. They’re bringing large numbers of potentially unsecured devices back into the fold at the same time they’re preparing to accommodate a new normal based on hybrid home/office staffing. According to Veeam’s Data Protection Report, 89% of organisations increased their cloud services usage significantly because of remote work, and the trend is expected to continue, meaning there will be more endpoints to protect. So, how can organisations prepare for this transition? Below are a few steps they can take.
UNDERGO RIGOROUS RETURN-TO-WORK PREPARATION
This is essentially the step where IT administrators physically go through all the affected resources and ensure they’re ready to re-enter the game. Start by carrying out risk assessments for each employee and each device. Which devices have been patched and regularly maintained? Computers used for remote working are likely to have confidential company data on them; where has the company data been saved, and under which account? These checks need to be performed to minimise risk and make sure compliance standards like the General Data Protection Regulation (GDPR) are being maintained. Also, check to see if employees have given away passwords to family members using work computers. Did employees change their passwords? Did they use the same passwords across work accounts and personal accounts? Did they install any new software or remove any during the remote work period? Administrators need to know before they let employees back on their networks. Next, make sure to scan all relevant devices for unauthorised apps and software. Employees needed to get creative with work solutions, so they may have tapped resources that help them get through everyday tasks but aren’t up to security standards. Run endpoint detection scans on all returning devices to uncover any hidden vulnerabilities. Cybercriminals often target endpoints, so IT teams need to scan all corporate and personal employee devices that will be brought back to the network.
IMPROVE EMPLOYEES’ DIGITAL HYGIENE
While employees may have let their proverbial hair down during remote work, they’ll need to rededicate themselves to proper digital hygiene. Push them to use separate passwords for home and work devices. And make sure they’re using conventions that are complex and hard to crack. Bring back regular trainings to ensure that they’ll be able to spot phishing emails and other threats. Set up guidelines for using public wi-fi and for downloading materials. As employees return to work, it’s up to the administrators to refine IT practices, one by one, to protect against the top threats in the organisation.
MONITOR ALL ACTIVITIES
The best way to spot problems is to set up a system to flag them as they happen. This practice can be applied to workers’ tools – and behaviors – as they reintegrate themselves with all of the company’s applications. Take advantage of monitoring tools that track changes in usage and applications. If an employee makes a change in an application, you’ll want to know. It could be a bug altering a piece of code. Or it could be a change that you made – purposefully or inadvertently – that you’ll want to reset. Get in the habit of checking your monitoring tools at least a couple of times a day. It takes a minute, but it allows you to continually reassess your cybersecurity footprint.
ENSURE CLOUD DATA MANAGEMENT AND BACKUPS ARE SOUND
This is a time for IT administrators to make sure all data management and backup services are in good order. If a rogue device does put any data at risk, you’ll want to make sure to have backups in service and programmed with practices that will ensure that the data in question is protected and fully available. Keep the so-called “3-2-1 rule” in mind: maintain at least three copies of business data, store critical business data on at least two different types of storage media and keep one copy of the backups in an off-site location. In the ransomware era, we’d expand 3-2-1 to 3-2-1-1-0, adding another one to the rule where one of the media is offline, and ensuring that all recoverability solutions have zero errors.
Conclusion
While IT administrators are looking forward to water-cooler talk and on-site collaboration as much as anybody else, they’re understandably concerned about the cybersecurity implications of a more broad-based return to work. It could be a challenge. But with proper planning and follow-through, enterprises can manage the risk and solidify their strategies for protection going forward.
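As an added example, not from the article or its authors, the check below evaluates a backup layout against the 3-2-1 rule and its 3-2-1-1-0 extension described above; the data model, field names and the two sample layouts are constructed for illustration.

```python
"""Check a backup layout against the 3-2-1 rule and the 3-2-1-1-0 extension.

Added example (not from the article): the DataCopy model and the sample
layouts are assumptions constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataCopy:
    """One copy of a business data set, either production or a backup."""
    name: str
    media: str                           # e.g. "disk", "tape", "object-storage"
    site: str                            # physical or cloud location of the copy
    offline: bool = False                # not reachable from the production network
    verify_errors: Optional[int] = None  # errors in last restore test; None = never tested


def evaluate_backup_rule(primary: DataCopy, backups: List[DataCopy]) -> Dict[str, bool]:
    """Return each component of 3-2-1-1-0 as a pass/fail flag.

    3: at least three copies in total (production data counts as one)
    2: at least two different storage media across all copies
    1: at least one copy at a site other than the production site
    1: at least one copy that is offline (the ransomware-era addition)
    0: every backup copy has been restore-tested with zero errors
    """
    all_copies = [primary, *backups]
    return {
        "three_copies": len(all_copies) >= 3,
        "two_media": len({c.media for c in all_copies}) >= 2,
        "one_offsite": any(b.site != primary.site for b in backups),
        "one_offline": any(b.offline for b in backups),
        # An untested backup (verify_errors is None) cannot claim zero errors.
        "zero_errors": bool(backups) and all(b.verify_errors == 0 for b in backups),
    }


def rule_failures(primary: DataCopy, backups: List[DataCopy]) -> List[str]:
    """Names of the rule components that fail, in 3-2-1-1-0 order."""
    return [name for name, ok in evaluate_backup_rule(primary, backups).items() if not ok]


# Constructed sample: production data lives on the head-office file share.
PRIMARY = DataCopy("file-share", media="disk", site="head-office")

# Weak layout: one nightly copy on the same disk array at the same site,
# reachable from every workstation and never restore-tested.
WEAK_BACKUPS = [
    DataCopy("nightly-copy", media="disk", site="head-office"),
]

# Sound layout: a replica at a second site, an offline tape set in a vault,
# and a cloud object-storage copy, each with a clean restore test.
SOUND_BACKUPS = [
    DataCopy("replica", media="disk", site="dr-site", verify_errors=0),
    DataCopy("weekly-tape", media="tape", site="vault", offline=True, verify_errors=0),
    DataCopy("cloud-copy", media="object-storage", site="cloud-region-a", verify_errors=0),
]


if __name__ == "__main__":
    for label, backups in (("weak", WEAK_BACKUPS), ("sound", SOUND_BACKUPS)):
        failures = rule_failures(PRIMARY, backups)
        print(f"{label}: {'compliant' if not failures else 'fails ' + ', '.join(failures)}")
```

Dropping the tape set from the sound layout still satisfies classic 3-2-1 but fails only the offline component, which is the gap the 3-2-1-1-0 extension is meant to close.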
President Biden Warns "Lock Your Digital Doors" By Staff Writer MySecurity Media
US President Joe Biden is accelerating his war against cyber attackers, recently announcing an initiative to bring together 30 countries to improve joint law-enforcement efforts and combat cyber threats. A statement from The White House detailed the President’s plan, which builds on his ongoing interest in cybersecurity. “I am committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace,” said President Biden. The statement marked the start of Cybersecurity Awareness Month, another Biden initiative. The month is designed to increase awareness of cybersecurity and the threats bad actors pose. President Biden’s interest in cybersecurity coincides with a spate of high-profile cyberattacks in the US and elsewhere this year. On Friday, The White House confirmed that approximately 150 United States-based utility providers serving some 90 million customers had moved to fortify their cybersecurity defences in the last three months. The May 2021 ransomware attack on Colonial Pipeline highlighted the vulnerabilities of such critical infrastructure. Cybersecurity business Nuspire says ransomware activity spiked 55,239% in the early part of Q2 2021. Ransomware attacks have since trailed off, but Nuspire says that’s no reason for complacency. They say a new ransomware gang called BlackMatter has risen from the “ashes” of the DarkSide and REvil cyber gangs. “Threat intelligence reveals that BlackMatter is actively seeking access to organisations in the US, Canada, Australia and the UK by offering payment to initial access brokers to gain access to networks and begin launching campaigns,”
says a statement from Nuspire. “Ransomware continues to be a plague on organisations and with the arrival of the BlackMatter ransomware gang, activity will likely increase to the end of the year.” President Biden did not outline specific details about his proposed multi-nation meeting, other than saying he will “bring them together” this month. While both the Australian Cyber Security Centre (ACSC) and Assistant Minister for Defence Andrew Hastie have noted Cybersecurity Awareness Month, Australia is condensing its awareness campaign into one week at the end of the month. “Cybercriminals are constantly on the hunt for poorly-secured devices and accounts to exploit, including for major attacks such as identity theft, ransomware, and business email compromise,” said Mr Hastie on Tuesday. The ACSC says turning on automatic software updates, activating multi-factor authentication, regularly backing up devices, using passphrases, securing mobile devices, and watching out for cyber scams are good cybersecurity starting points. The messaging out of the United States is more robust. The White House says it will harness every capability available to disrupt cyber threats and bad actors. President Biden says businesses and individuals must “lock their digital doors.” The President also says he will hold cyber attackers “to account.” “The Federal Government needs the partnership of every American and every American company in these efforts,” he adds. While the message is pitched at a US-based audience, the ramifications of cyberattacks are global. President Biden argues his proposed coalition of nations can help minimise the risk.
Cyber Risk Management Made More Efficient & Agile Powered By Artificial Intelligence
Uplift Your Cyber Security Maturity in Just Hours! Bespoke assessments to meet your needs
Connect your relevant standards, laws and regulations
Conduct cyber security risk assessments with ease
And for Australian Government Departments & Agencies...
Use 6clicks for Government
Securely & More Efficiently Meet Your Australian Government Information Security Requirements In line with the information protection standards and requirements of the ASD
Aligns with federated model for complete supply chain risk management
IRAP Assessed against the ISM at the PROTECTED level
Runs on Microsoft’s Azure Australia Central (Canberra) trusted cloud infrastructure
Facebook’s network backbone breaks, causing six-hour outage By Staff Writer MySecurity Media
A six-hour outage left more than 3.5 billion Facebook, Messenger, Oculus, Instagram and WhatsApp users offline early on Tuesday the 5th October, 2021 (Australia time). Despite early fears of a cyberattack, parent company Facebook soon confirmed the cause was closer to home.

The outage, which occurred during the Monday business day in the United States and early evening in the UK and Europe, was Facebook’s most serious disruption since March 2019, when a 14-hour outage cut off users from Facebook’s various social media platforms. Web monitoring company DownDetector said this week’s outage was the biggest it had seen.

Facebook quickly denied systems had been compromised, instead citing a “routine maintenance error” as the cause of the outage. The outage was specific to users of Facebook’s many social media apps, including Instagram, WhatsApp, Messenger and Oculus, which began displaying error messages. There was a cascade effect because many people use Facebook to sign into other apps and services. Consequently, many users could not log into retail websites or sign into their smart TVs, air conditioning systems, and other internet-connected devices.

“This outage was triggered by the system that manages our global backbone network capacity,” said vice-president of engineering at Facebook, Santosh Janardhan. Facebook’s data centres span the globe and are connected by fibre-optic cables. Janardhan notes the data centres come in all shapes and sizes, from big buildings that handle the grunt work of big computational loads to smaller centres that connect critical Facebook infrastructure to the broader internet and users.

When a Facebook user opens the platform to upload data, be it a message or multimedia, their device generally accesses the closest data centre. That data centre then communicates over what Facebook calls its “backbone network” to a larger data centre where the user’s request is processed.

Facebook inadvertently broke its backbone network. While routine maintenance work was underway at a data centre, technicians issued a command intending to assess the availability of global backbone capacity. This unintentionally took down all the connections in Facebook’s backbone network, disconnecting data centres worldwide. Sources outside Facebook identify the outage as stemming from a data centre in Santa Clara, California. With the backbone network down, DNS servers went offline, complicating the problem. Internal systems at Facebook also went offline, adding further complexity.

“Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command,” said Janardhan.

“The outage brought our reliance on Facebook, and its properties like WhatsApp and Instagram, into sharp relief,” Professor of Communications at Cornell University, Brooke Duffy, told The New York Times. “The abruptness of the outage highlights the staggering level of precarity that structures our increasingly digitally-mediated work economy.”

Six hours after the outage began, Facebook had its systems up and running again. CEO Mark Zuckerberg subsequently apologised to the billions of users of the company’s apps. Santosh Janardhan was sanguine, calling the outage “an opportunity to learn and get better.”
TOP WOMEN IN SECURITY ASEAN | womeninsecurityaseanregion.com
NOMINATIONS OPEN ON 8TH MARCH 2022* *IN RECOGNITION OF INTERNATIONAL WOMEN'S DAY
This initiative has been established to recognize women who have advanced the security industry within the ten countries of the Association of Southeast Asian Nations (ASEAN). The Top Women in Security ASEAN awards follow similar initiatives in India, as well as Africa, Europe and Canada, and form part of a global campaign by the Women in Security & Resilience Alliance (WISECRA). This initiative is open to all ASEAN countries following very successful Top Women in Security Awards held in 2020 & 2021.

We have gathered unique industry partnership arrangements, bringing together key chapters of premier, global security industry associations and professional women in security groups in Singapore, Malaysia, Indonesia, Philippines and Thailand, including the ASEAN Region Women in Security Network. We thank them for their support. The awards will take place in August 2022.
Group-IB Chief Executive Officer facing treason charge following arrest By Staff Writer MySecurity Media
Russian law enforcement agencies have arrested the chief executive officer of a top cybersecurity company. Ilya Sachkov, the founder and CEO of Group-IB, was arrested on treason charges on September 27 while searches of Group-IB’s Russian offices were underway.

Group-IB’s business is detecting and preventing cyberattacks and online fraud. First established in Moscow 18 years ago, Group-IB now has a well-regarded track record and partners with Europol and Interpol. In 2018, Group-IB moved its headquarters to Singapore. Many viewed the move as an attempt by Group-IB to put some distance between themselves and the Russian Government.

Sachkov has met Russian President Vladimir Putin several times. But he has also been critical of the Russian Government and active in targeting hackers, including Russia-based ones. The Group-IB CEO is the latest in a line of high-profile Russian figures charged with treason offences. According to Russian state news agency TASS, the 35-year-old is accused of “working with foreign intelligence services and passed on cybersecurity data that constitutes a state secret.” The treason charge attracts a punishment of up to 20 years’ imprisonment. Last week, Moscow’s Lefortovo district court ordered Sachkov be detained for two months.

“Group-IB’s team is confident in the innocence of the company’s CEO and his business integrity,” says the company in a statement. “The decentralized infrastructure of Group-IB allows us to keep our customer’s data safe, maintain business operations and work without interruption across our offices in Russia and around the world. Group-IB’s communications team refrains from commenting on the charges brought and the circumstances of the criminal case due to the ongoing procedural activities.”

Group-IB now generates half its revenue from customers based outside Russia, including Barclays Bank. The cybersecurity business operates in some 60 countries. However, several top Russian banks and companies, including state-run ones, remain Group-IB customers. But along the way, Group-IB’s focus on hackers has reportedly attracted some antipathy. Aside from assisting in breaking up several foreign cyberattacker syndicates, Group-IB helped expose Russian cyberattack outfit MoneyTaker.

Russian news outlets report law enforcement officials searched the company’s St Petersburg offices at the same time as the Moscow offices. Materials were observed being loaded into a vehicle by men at the Moscow offices.

The Kremlin acknowledged last week’s arrest but denied having specific details on the matter. “We have seen this information in media reports. We have no details,” Kremlin spokesperson Dmitry Peskov told TASS. “Sachkov’s arrest has nothing to do with the business and investment climate in the country. You see that the accusations do not relate to the economy but to high treason.” According to the Kremlin, Sachkov’s arrest should not deter Russian IT companies from working with either foreign or Russian state agencies.

But Mr Sachkov is one of Russia’s best-known IT industry figures. Observers say his arrest will concern many Russian IT professionals, undermining confidence in the industry and its independence. Group-IB says chief technical officer Dmitry Volkov will assume the company’s leadership while Ilya Sachkov remains in custody.
RANSOMWARE – IT’S JUST GETTING WORSE
Interview with Tony Anscombe, Chief Security Evangelist for ESET

This presentation covers how ransomware techniques and attacks have changed, the business model behind the attacks, and how they are impacting all sectors and industries around the world, including Australia. ESET Australia monitors the latest ransomware techniques and attacks seen around the world. Payment of ransoms internationally is driving an increase in cybercrime and giving resources to cybercriminals that will fuel further attacks on companies and governments alike. Tony discusses why paying a ransom is not the right course of action, and the need to regulate cryptocurrency on a global basis.

Tony Anscombe is the Chief Security Evangelist for ESET. With over 20 years of security industry experience, Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and Internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit (CIS). He is regularly quoted in cybersecurity, technology and business media, including BBC, Dark Reading, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS. Anscombe is a current board member of the NCSA and FOSI.
FamousSparrow APT group spying on hotels, governments and private companies By Kelly Johnson Country Manager, ESET Australia
ESET researchers have uncovered a new cyberespionage group attacking mainly hotels worldwide but also governments, international organizations, engineering companies and law firms. ESET has named this group FamousSparrow and believes it has been active since at least 2019. FamousSparrow’s victims are located in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso). The targeting suggests that FamousSparrow’s intent is cyberespionage.

Reviewing telemetry data during its investigation, ESET Research discovered that FamousSparrow leveraged the Microsoft Exchange vulnerabilities known as ProxyLogon that ESET reported on in March 2021. This remote code execution vulnerability chain was used by more than 10 APT groups to take over Exchange email servers worldwide. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3, 2021, the day following the release of the patches, meaning it is yet another APT group that had access to the details of the ProxyLogon vulnerability chain in March 2021.

“This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all,” advises Matthieu Faou, ESET researcher who uncovered FamousSparrow along with his colleague Tahseen Bin Taj.

“FamousSparrow is currently the only user of a custom backdoor that we discovered in the investigation and called SparrowDoor. The group also uses two custom versions of Mimikatz. The presence of any of these custom malicious tools could be used to connect incidents to FamousSparrow,” explains ESET researcher Tahseen Bin Taj.

Although ESET Research considers FamousSparrow to be a separate entity, there are some connections to other known APT groups. In one case, the attackers deployed a variant of Motnug, a loader used by SparklingGoblin. In another case, a machine compromised by FamousSparrow was also running Metasploit with cdn.kkxx888666[.]com as its command-and-control server, a domain related to a group known as DRDControl.
Irish privacy regulator fines WhatsApp $359 million By Staff Writer MySecurity Media
Ireland’s Data Protection Commission (DPC) has concluded a long-running investigation into breaches of the European Union General Data Protection Regulation (GDPR) by WhatsApp Ireland Ltd, fining the popular messaging platform AU$359 million. The investigation found WhatsApp breached GDPR transparency obligations regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp.

Facebook purchased WhatsApp in 2014 in a $16 billion cash and stock deal. Now the most popular messaging app worldwide, WhatsApp has over two billion active monthly users. But the DPC’s investigation established that WhatsApp failed to provide information on how data is collected “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” The investigation also found WhatsApp did not inform users about where they stored data and how to access that data. The app also failed to notify users when third parties obtained and used their personal data and where this data came from.

The DPC concluded its investigation in late 2020 and submitted it to the European Data Protection Board (EDPB) for approval. According to the three-year-old GDPR, companies are regulated by the laws of the country that serves as their European base. Like many other tech companies, Facebook is based in Ireland due to low corporate tax rates. Ireland’s DPC became the lead agency in a pan-European investigation into WhatsApp privacy breaches. Under GDPR law, companies can be fined as much as 4% of their annual sales. The privacy agencies of eight other EU nations lodged objections to the DPC’s December 2020 draft submission to the EDPB.

“The DPC was unable to reach consensus with the Concerned Supervisory Authorities on the subject matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021,” a statement from the DPC reads. Included in those objections was the DPC’s recommended penalty of $59 million. Other EU nations said it did not reflect the seriousness of the breaches. At issue was not just the severity of the privacy breaches but the number of breaches. In late July, the EDPB adopted a binding decision and notified the DPC. “This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”

The handling and length of the WhatsApp investigation has seen the DPC heavily criticized. The agency has 28 privacy probes underway but is reportedly underfunded and under-resourced. Ireland’s Parliament recently accused the DPC of failing to protect Irish interests.

Meanwhile, WhatsApp had set aside nearly $124 million to pay any fines. That amount is now a significant shortfall on the final fine. “We disagree with the decision today regarding the transparency we provided to people in 2018,” WhatsApp said in a statement. “The penalties are entirely disproportionate. We will appeal this decision.”

Friday’s DPC announcement capped an expensive week for WhatsApp in Europe. On Friday, Turkey’s Personal Data Protection Authority also fined WhatsApp $310,000 for unrelated privacy breaches.
SophosLabs publish technical insight into stealthy new ransomware, Atom Silo By MySecurity Media Courtesy of Sophos
Sophos has published new research describing techniques and tools used by Atom Silo. This recaps a sophisticated attack that took place over two days and leveraged a recently revealed vulnerability in Atlassian’s Confluence collaboration software. Sophos researchers also found that, concurrently with the ransomware attack, the Confluence vulnerability was exploited by a crypto miner.

The ransomware that the Atom Silo group used is virtually identical to LockFile, but their intrusion stage involved several novel techniques and complex manoeuvres to evade detection and complete the attack.

• For instance, once they had gained initial access via a backdoor into the Confluence server, the attackers were able to drop and install a second, stealthy backdoor. This backdoor used an executable from a legitimate third-party software product that was vulnerable to DLL “side-load” attacks to execute the backdoor code.
• The ransomware payload included a malicious kernel driver designed to disrupt endpoint protection software.
• The backdoor connected to a remote command-and-control server over TCP/IP port 80 and allowed for remote execution of Windows shell commands through the Windows Management Interface (WMI).

The attackers then moved laterally through the network and compromised additional servers, installing additional backdoors through the WMI interface, using a compromised administrative account. For the most part, the attackers avoided installing these backdoors as services. Sophos researchers believe the attackers did this to avoid detection by security controls. The attackers also used remote desktop services (RDP) to find, copy (using RClone) and exfiltrate data to Dropbox. The ransomware executable was released after exfiltration, at the same time as the release of another file designed to disrupt endpoint protection.

“The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown a few weeks ago. While similar to another recently discovered ransomware group, LockFile, Atom Silo has emerged with its own bag of novel and sophisticated tactics, techniques and procedures that were full of twists and turns and challenging to spot – probably intentionally so. In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware. This incident is also a good reminder how dangerous publicly disclosed security vulnerabilities in internet-facing software are when left unpatched, even for a relatively short time. In this case, the vulnerability opened the door to two simultaneous, but unrelated attacks from ransomware and a crypto-miner,” said Sean Gallagher, senior threat researcher at Sophos.
ZERO TRUST APPROACH: US$13 BILLION MARKET OPPORTUNITY
Interview with Eva-Maria Elya, Senior Director Worldwide Channel Sales

We speak to Eva-Maria Elya, Senior Director World-Wide Channel Sales with Lookout, on the market opportunities for MSPs and MSSPs who choose to partner with Lookout.

To get the most out of your countless cloud apps without risking your data, you need to know exactly what’s going on. You also need to be able to detect and respond to threats and have the ability to dynamically control access. Lookout Cloud Access Security Broker (CASB) provides full visibility into the interactions between users, endpoints, cloud apps and your data. It also enables you to dynamically dial in Zero Trust access controls. With continuous monitoring of user and entity behaviour analytics (UEBA), you can detect and respond to insider threats and advanced cyberattacks. Lookout provides advanced data loss prevention that can classify, encrypt and restrict sharing of your data on the fly so that only authorized users have access. They also perform automated assessments of all your cloud apps and infrastructure to ensure they are properly configured.
New PANW research highlights growth of supply chain security threat
Unit 42, the Palo Alto Networks Security Consulting Group, has released new research that illustrates how supply chain security in the cloud continues its growth as an emerging threat. Key findings from the report include:
SUPPLY CHAIN FLAWS ARE DIFFICULT TO DETECT Unit 42 conducted a red team exercise with a large SaaS provider (a Palo Alto Networks customer who has a mature cloud security posture) and within three days discovered critical software development flaws that could have exposed the organisation to an attack similar to SolarWinds and Kaseya.
THIRD-PARTY CODE POSES A HIDDEN RISK Based on global analysis, Unit 42 found that 63% of third-party code used in building cloud infrastructure contained insecure configurations and 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. If an attacker (like an APT) compromises third-party developers, it’s possible to infiltrate thousands of organisations’ cloud infrastructures.
ORGANISATIONS NEGLECTING DEVOPS SECURITY Believing that code scanning at the end of the development lifecycle is sufficient, many organisations have a false sense of security in the cloud. This has led to development environments becoming the vector of choice for APTs. This was the case with SolarWinds.
The MySecurity Marketplace gives you the tools you need to grow as a security professional. Join our growing member base today.
EVENTS Access to events, locally and globally
EDUCATION Access certified courses, webinars and labs
SOLUTIONS Access an eco-system of security and technology services, software, trials and demos
PROFESSIONAL DEVELOPMENT Join a growing hub of security professionals.
Join us for the ASITII Festival of Space, running throughout November. Throughout the festival you’ll get to hear from incredible speakers on the most intriguing topics in Space, including National Space Update, Space Licensing, Rocket Technology, Spaceport Australia, Space Tracking and Mission Control, Satellite Manufacture, Space Launch Environmental Standards, and Investing in Space.

Build your network, gain knowledge and meet like-minded people, business and policy experts, academic researchers and students interested in the growing Space industry both in Australia and Internationally.

40+ Speakers | 4 Countries | 17+ Sessions | RUNNING THROUGHOUT NOVEMBER
www.asitii.space
FESTIVAL OF SPACE SESSION HIGHLIGHTS: NextGen Space; National Space Capabilities; AI and Space Robotics; Space Innovation for Defence and National Security; Future of Work; Women in Space.

YOU’RE INVITED TO A VIRTUAL PANEL
NextGen Space, Friday 5th November, 12pm – 1pm AEDT
Dr Philippa Ryan, Mission Specialist, The Australian National University Institute for Space & Senior Lecturer, ANU College of Law
Associate Professor Marta Yebra, Mission Specialist, The Australian National University Institute for Space & Director of the ANU Bushfire Initiative
Associate Professor Francis Bennet, Mission Specialist, The Australian National University Institute for Space
Catherine Ball (Moderator), Associate Professor of Practice: Engineering, The Australian National University

YOU’RE INVITED TO A VIRTUAL PANEL
Space Innovation for Defence and National Security, Wednesday 10th November, 12pm – 1pm AEDT
Dr Carl Seubert, Chief Research Officer, SmartSat CRC
Dr Nick Stacy
Also on the panel: Coordinator, Defence and National Security, SmartSat CRC; Senior Principal Scientist, Space, Defence Science and Technology Group; STaR Shot Leader, Resilient Multi-mission STaR Shot, Defence Science and Technology Group; Chief Technology Officer, Innovation and Strategic Research at Defence Science and Technology Group

www.asitii.space
Search and find all upcoming featured security events
Plus many more!
FRAUD TRENDS & FRAUD PREVENTION FRAMEWORKS FOR MERCHANTS
David Fletcher, Senior Vice President, Australia Country Manager

ClearSale’s statistical technology and in-house fraud analysts have combined to create card-not-present (CNP) fraud prevention that reduces chargebacks and false positives. As the pandemic shifted consumers in many regions from in-store to online shopping and fraud attacks on ecommerce merchants increased, ClearSale’s 2020 net revenue grew by 65.7%, compared to 2019 growth of 35.5%. ClearSale has announced its July 30 initial public offering on Brazil’s B3 stock exchange generated the equivalent of US$254 million (R$1.3 billion) following the company’s historic revenue growth in 2020. The company’s 2020 net international revenue grew by 132.7% to comprise 11% of the total.

Account takeover (ATO) fraud is big business for criminals, and it’s on the rise. One study found that ATO attacks on ecommerce retailers selling physical goods increased by 378% during the second quarter of 2020, compared to the same period in 2019. What’s driving this increase? In many cases, it’s personal data that’s all too easy to find online, and it doesn’t even need to be sensitive information like passwords in order to fuel ATO attacks.
The future of learning
Mark Deuter, Managing Director at Aerometrex
Mark Deuter is Aerometrex’s Managing Director and served as Chairman of the Board from 2011 to 2019. Mark is a graduate of the University of Adelaide and has a B.Sc.(Maths) degree with majors in Computer Science and Geography. Mark joined Aerometrex in 2005 under the previous ownership as Aerometrex’s General Manager, overseeing the expansion of Aerometrex as it introduced digital aerial camera technology. He established Aerometrex’s aerial operations and managed human resources, sales and marketing. He also set strategic directions for Aerometrex’s growth in Australia. On the change of ownership under MBO in 2011, Mark was appointed Managing Director and Chairman of the Board. Under his direction, Aerometrex has experienced a period of sustained growth and corporate innovation. Prior to joining Aerometrex, Mark worked in airborne geophysics data processing for 13 years as General Manager and later Managing Director of Pitt Research Pty Ltd, a small airborne geophysics data processing consultancy servicing the requirements of the mineral exploration industry throughout Australia.
RESOURCES - PRODUCTS - EVENTS
EXCLUSIVE SECURITY & TECHNOLOGY OFFERINGS Register as an industry professional to gain access to our exclusive content, or promote your brand to feature your content to a global market across all our channels.
www.mysecuritymarketplace.com
CYBER RISK LEADERS
“This large and diverse group paints an interesting narrative of the state of play in enterprise cyber risk.” Foreword by M.K. Palmore, Retired FBI Assistant Special Agent in Charge, FBI
“With experience and insight, Shamane has written a really useful book for existing and aspiring CISOs. I loved her unique voice, highly readable style, and wholeheartedly recommend this book.”
“She has explored many topics long considered on the fringe of traditional security with great storytelling and insights from industry leaders.” CISO, Telstra APAC
ABOUT THE AUTHOR SHAMANE TAN advises C-Suite on uplifting their cyber risk and corporate security posture. She is an international speaker and Founder of Cyber Risk Meetups, a platform for security executives to share innovative insights and war stories.
GET YOUR COPY HERE! Proudly Published by
VIRTUAL AND IN-PERSON
INDUSTRY NETWORKING OPPORTUNITIES Don't miss the chance to hear from industry experts and connect with security and technology professionals around the globe.
www.mysecuritymarketplace.com
ENGAGE WITH LEADING INDUSTRY BRANDS
Access exclusive and curated content from the startups to the top brands: products, resources, events, webinars, updates, interviews & podcasts.
THE HUB Everything about your favorite companies in one convenient place.
www.mysecuritymarketplace.com