Australian Cyber Security Magazine, ISSUE 1, 2017


THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 1, 2017

Building security into the change lifecycle

To Comply or Not Comply? That is not the question…

Changing the way we think about Cyber Security

Patching is critical for cyber security

10 Cybersecurity startups to watch in 2017

Building Singapore as the number 1 FINTECH-HUB

INFORMATION SECURITY: Not just for hackers


Majority of attacks target well-known vulnerabilities.

Security patches close vulnerabilities that can be exploited by hackers to gain access to machines and systems for multiple malicious purposes, such as stealing personal information and confidential files. Extensive research shows that unpatched software remains one of the most prevalent factors in cyber-attacks targeting organisations. So patching is more than essential.

Take the recent "WannaCry" ransomware attack. While many debate whether their anti-virus could have stopped it, the plain facts are:

• The attack used a vulnerability in a component of Windows and Windows Server that Microsoft had patched two months before the attack happened.
• The vulnerability was part of the recent, highly publicised NSA leak, not an obscure flaw no one had heard of before.
• Applying the patch closed the vulnerability the worm used to spread, so a patched system could not be compromised by that route.

In line with the Australian Signals Directorate (ASD)

The ASD lists patching of applications and patching of operating systems as two of its "Top 4" mitigation strategies, which it assesses would prevent at least 85% of targeted cyber intrusions. These Top 4 mitigation strategies for targeted cyber intrusions have been mandatory for Australian Government organisations since April 2013.

The challenge of security patching If we all know patching is important, why do we continue to see security incidents and data breaches associated with exploitation of well-known vulnerabilities?

77.5% of vulnerabilities in the most common applications are in the non-Microsoft apps!

The main reason is the gap between IT Security and IT Operations. Normally, those in charge of scanning for vulnerabilities (IT Security teams) are not in charge of applying patches (typically done by IT Operations), so it is common that neither group understands the other's challenges or the gaps in the technologies they use. Technology integration is also commonly poor, which makes it hard to build reliable processes across disparate tools. Lastly, IT Operations teams often have no performance measures tied to applying security patches, and lack the tools to support the right decisions about which patches to apply first.

85% of vulnerabilities have a patch available at time of public disclosure.

A strategic software vulnerability management solution is required to bridge the gaps in vulnerability management processes.

The solution: Software Vulnerability Manager

Software Vulnerability Manager gives IT Security and Operations the intelligence to continuously track, identify and remediate vulnerable applications before exploitation leads to costly breaches. It supports SecOps initiatives by providing verified intelligence from Secunia Research, timely vulnerability advisories, accurate assessment and security patches, all in a single console. This approach reduces the attack surface available to cybercriminals by accelerating identification of vulnerable applications, driving prioritisation and reducing time to mitigation. To talk further about bridging the vulnerability gaps in your organisation or improving your patch management processes, please contact us at www.flexerasoftware.com or on +61 3 9895 2000.
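The two gaps the advertorial points at, "no performance measure for applying patches" and "85% of vulnerabilities have a patch at disclosure", are easiest to close with a metric that Security and Operations both see. The script below is an added example, not code from the magazine or from any vendor product: it walks a constructed host inventory against a constructed advisory feed, decides which hosts are still vulnerable by version comparison, and computes two numbers per open finding: how long a fix has been available but not applied (the patch lag, which is what an Operations SLA should be measured on) and how long the host has been exposed since public disclosure. Findings with a fix available are ranked first, because those can be closed today; the rest need compensating controls. All advisory IDs, product names, hosts and dates are invented for illustration.

```python
"""Patch-lag and exposure metrics over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                  # hypothetical label, not a real CVE or vendor ID
    product: str
    disclosed: date                   # date the vulnerability became public
    patch_available: Optional[date]   # None while no vendor fix exists
    fixed_version: Optional[str]      # first version that contains the fix


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    last_patched: Optional[date]      # when this product was last updated on the host


def version_key(v: str) -> tuple:
    """Numeric comparison of dotted versions so that 10.9 sorts below 10.10."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(host: Host, adv: Advisory) -> bool:
    """Vulnerable if the host runs the product below the fixed version,
    or at any version when no fix exists yet."""
    if host.product != adv.product:
        return False
    if adv.fixed_version is None:
        return True
    return version_key(host.version) < version_key(adv.fixed_version)


def patch_lag_days(adv: Advisory, today: date) -> Optional[int]:
    """Days a fix has been available; None while there is nothing to apply."""
    if adv.patch_available is None:
        return None
    return (today - adv.patch_available).days


def exposure_days(host: Host, adv: Advisory, today: date) -> int:
    """Days from public disclosure to remediation (or to today if still open)."""
    if host.product != adv.product:
        return 0
    end = today if is_vulnerable(host, adv) else (host.last_patched or adv.disclosed)
    return max(0, (end - adv.disclosed).days)


def prioritise(hosts, advisories, today: date, sla_days: int = 30):
    """Open findings, most overdue first. Fix-available findings sort ahead of
    fix-unavailable ones, then by patch lag, then by exposure."""
    findings = []
    for adv in advisories:
        for host in hosts:
            if not is_vulnerable(host, adv):
                continue
            lag = patch_lag_days(adv, today)
            findings.append({
                "host": host.name,
                "advisory": adv.advisory_id,
                "patch_available": lag is not None,
                "patch_lag_days": lag,
                "exposure_days": exposure_days(host, adv, today),
                "sla_breached": lag is not None and lag > sla_days,
            })
    findings.sort(key=lambda f: (not f["patch_available"],
                                 -(f["patch_lag_days"] or 0),
                                 -f["exposure_days"]))
    return findings


# Constructed sample data (not real advisories, hosts or dates).
TODAY = date(2017, 6, 1)
ADVISORIES = [
    Advisory("ADV-001", "widgetd", date(2017, 3, 14), date(2017, 3, 14), "2.4.1"),
    Advisory("ADV-002", "widgetd", date(2017, 5, 20), None, None),
    Advisory("ADV-003", "reportgen", date(2017, 1, 10), date(2017, 2, 1), "10.10"),
]
HOSTS = [
    Host("web-01", "widgetd", "2.3.9", date(2017, 1, 5)),
    Host("web-02", "widgetd", "2.4.1", date(2017, 3, 20)),
    Host("fin-01", "reportgen", "10.9", date(2016, 12, 1)),
]

if __name__ == "__main__":
    for f in prioritise(HOSTS, ADVISORIES, TODAY):
        print(f"{f['host']:8} {f['advisory']:8} fix={str(f['patch_available']):5} "
              f"lag={f['patch_lag_days']} exposure={f['exposure_days']}d "
              f"sla_breached={f['sla_breached']}")
```

The version comparison is deliberately numeric: a string comparison would call "10.9" newer than "10.10" and silently mark a vulnerable host as fixed, which is exactly the kind of tool gap the text describes. In practice the inventory would come from the endpoint management system and the advisory feed from the vendor or a research service; the metric itself does not change.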


Hackers don’t need

ZERO-DAY

vulnerabilities. There are plenty of neglected unpatched vulnerabilities to target.

Reimagining the way software is Bought, Sold, Managed & Secured

www.flexerasoftware.com


Contents

Editor's Desk 5
Welcome AISA members 6
AISA Spotlight Q&A 10
Cyber threat landscape - With Eugene Kaspersky 14
Building security into the change lifecycle using Microsoft's SDL 18
To Comply or Not Comply? That is not the question 22
Gender diversity 24
Building Singapore as the number 1 FINTECH-HUB 27
Changing the way we think about Cyber Security 28
Patching is critical for cyber security 19
From student to pen tester - My journey into cybersecurity 34
The truth is like poetry...most people hate poetry. 36
Your mum & IoT security 38
INFORMATION SECURITY: Not just for hackers 40
CYBER SECURITY IN 2017 42
The feeling of digital identity management 44
PILLARS & PLANS: Up close with Australia's Cyber Security strategy 46
CISCO LIVE! TOP 10 TECH TRENDS 2017 50
RSA Conference Review Part 1 54
Fortinet - A guide to security for today's cloud environment 64
Journey to customers - Insights interview with Tammy Schuring 66
RSA Conference Review Part 2 70
Modernising your security strategy 80
10 Cybersecurity startups to watch in 2017 82
FEEDBACK LOOP - Have Your Say 85

Director & Executive Editor Chris Cubbage
Director David Matrai
Editor Tony Campbell
Art Director Stefan Babij
Correspondents Morry Morgan

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiancybersecuritymagazine.com.au

SUBSCRIPTIONS T | +61 8 6465 4732 subscriptions@australiancybersecuritymagazine.com.au

Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | myteam@mysecuritymedia.com www.mysecuritymedia.com

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher.

CONNECT WITH US
www.facebook.com/apsmagazine | @AustCyberSecMag | www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about | www.youtube.com/user/MySecurityAustralia | www.australiansecuritymagazine.com.au

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors
David Stafford-Gaffney | Samantha Liscio | Jodie Siganto | Jason Magic | Morry Morgan* | Anthony Langsworth | Ricki Burke | Guillaume Noé | Chris Cubbage | Tony Campbell | Peter Tran

Other My Security Media titles: www.malaysiasecuritymagazine.com | www.asiapacificsecuritymagazine.com | www.drasticnews.com | www.chiefit.me | www.cctvbuyersguide.com


Editor's Desk

Welcome to the inaugural issue of the Australian Cyber Security Magazine. What, another security magazine, I hear you say? Yes, and it's filling a much-needed gap. Let me explain why.

We already publish a variety of security-related journals, newsletters and video channels, covering a range of subject matter: information security, physical security, national security, defence and intelligence, policing, as well as conferences, vendors and products. But the world has changed significantly over the past five years. Large multinationals are hosting their entire IT infrastructure in the cloud, while our homes are becoming increasingly automated and connected to the Internet. The Internet of Things (IoT) has shown us that there are no limits to the services being conceived to support what were once standalone devices. Children's toys are fully integrated and network-connected, while our cars, home appliances and our clothes all report their status back to online servers. Today's attack surface is greater than ever, yet some of the most fundamental principles of information security have been overlooked in the race to be the first to market.

On the flip side, criminal gangs are making more online cash than they are from traditional criminal endeavours, such as drug trafficking, robbery and extortion. Estimates have the cost of cybercrime rising to over $5 trillion by 2020, which is likely to be still short of the real global overhead since many attacks go unreported. With the so-called skills gap on the rise (that's a debate for another day) and organisations finally understanding the need for executive support for security programmes, there has never been a more exciting time to be in the Australian cyber security business. Therefore, we've developed the concept of the Australian Cyber Security Magazine to give you a one-stop-shop for news, reviews, features and facts from around the Australian cyber security industry.

Each issue you can expect to see news and reviews from the industry, both here in Australia and overseas, as well as feature articles from experts on a variety of important subjects. As usual, if you are interested in writing for one of our publications just get in touch – we are always keen to hear from our readers.

Some of you may have noticed the recent passing of the privacy amendment bill through the Senate, meaning significant changes are coming on how businesses must deal with security, privacy and breaches. Failing to report a violation or protect the data you are the custodian of can lead to fines of up to $1,800,000, so you must be prepared to put the governance structures and security controls into your organisation. If you have a turnover of more than $3 million or happen to be a federal government department, the new laws apply, and you will run the risk of being fined if you don't comply. We'll be covering privacy and security matters more in following issues, so keep an eye out for those articles later in 2017.

You will also be aware that in April 2016, Malcolm Turnbull launched the Australian Cyber Security Strategy. This ambitious plan contained four strategic pillars explaining what the vision for Australia's cyber security is, which will allow us to become the economic hub of APAC. Australians will have a robust cyber security foundation, including the cyber readiness of government, industry, education and citizens. It's certainly an ambitious strategy, but we see the beginnings of the investment and structural changes within the federal government to realise this goal, so it shows the government will put its money where its mouth is.

It's never been a more exciting time to be in cyber security. I hope you enjoy reading the first issue as much as we have enjoyed putting it together. Stay safe and keep secure.

Tony Campbell
Editor


Dear AISA Members We are pleased to introduce you to the inaugural edition of the Australian Cyber Security Magazine. This publication aims to provide you with a platform to connect with peers within the Australian information security industry, many of whom are AISA members, and to help educate and improve cyber awareness across the wider community. AISA continues to build relationships with all members, sponsors, the education sector, industry partners, government and thought leaders to help shape the role and direction of the association. From AISA’s perspective, our role is about connecting and facilitating conversations and, most importantly, setting a platform that enables members to take part in these discussions. Via the Australian Cyber Security Magazine, AISA members are welcome and encouraged to provide input and help create a consistent message of cyber security professionalism, best practice and information security innovation. In addition, AISA will be providing additional member communication opportunities through webinars and chapter events that attract international speakers, connect remote members and promote diversity of thought and opinions.

6 | Australian Cyber Security Magazine

It is an exciting period in the field of cyber security and AISA is proud to be supporting the launch of the inaugural edition of the Australian Cyber Security Magazine for members. To mark this occasion and encourage involvement, MySecurity Media is offering a free conference ticket give-away to attend the RSA Asia Pacific & Japan Conference, Singapore 26-28 July 2017. For those that miss out on the free ticket, the ACSM discount code 5A7MYSECFCD can be used to save $100 off a full conference pass for AISA Members. This is available for the first 50 registrants. For your chance to win the main prize and to contribute valuable insight into the focus for AISA and the Australian Cyber Security Magazine, please respond to the following questions and send to ACSM@aisa.org.au

1. When and why did you join AISA?
2. What role should AISA play or how should it contribute to the Australian cyber security landscape?
3. What are the top 5 cyber security issues that AISA should focus on in the next 12 months?

*Terms and Conditions Apply. Competition closes 21 June 2017. Winner announced 23 June 2017.


SPECIAL LAUNCH OFFER HAVE YOUR SAY & CHANCE TO BE AWARDED A FREE TICKET WITH AIRFARE & 2 NIGHTS ACCOMMODATION TO RSA APJ CONFERENCE, SINGAPORE 26 – 28 July, 2017*



FOR INFORMATION SECURITY PROFESSIONALS

WHO ARE OUR MEMBERS

Sales / Account Manager 18.3%
Head Of, Director & Partner 16.6%
Other 15.4%
Consultant 12.2%
Sales Manager / Manager 10.8%
Architect 4.6%
Analyst 4.6%
Engineer 4.2%
Chief 3.4%
Marketing 2.7%
CEO / Founder 2.4%
Risk & Compliance 2.4%
Specialist 2.2%
Other 2.0%
Sales Engineer 1.7%
GM 1.7%
VP 1.5%
Administrator 1.2%
Advisor 1.2%
Officer 1.2%
Lead 1.2%
Lecturer & Researcher 1.2%
Project Manager 1.0%
Legal 0.5%
Recruiter 0.2%
Media 0.2%
Privacy 0.2%
Audit 0.2%


MEMBER GENDERS

88% / 12%

DISTRIBUTION ACROSS AUSTRALIA

New South Wales 39.39%
Victoria 25.77%
Queensland 11.99%
Western Australia 10.18%
Australian Capital Territory 7.87%
South Australia 4.24%
Tasmania 0.30%
Northern Territory 0.26%


MANDY TURNER Branch Chair, AISA Brisbane

LOUISA VOGELENZANG Branch Chair, AISA Melbourne

SHARMILA PACKIARAJA Branch Chair, AISA Darwin

STEPHEN KNIGHTS Branch Chair, AISA Sydney

Spotlight on the team behind Australia's leading information security association

The annual AISA National Conference will be held on 10-12 October 2017 at the Hyatt Regency, Sydney. This year's event theme will be Collaboration. Given the recent wide scale worldwide cyber attacks, this year's event speakers will look to answer the following questions:

• How can all areas of industry, the public sector and academia work better together?
• How can we collaborate for greater ideas and efficiencies?
• How can we share information in a more meaningful manner?
• How can we train the workforce of tomorrow?
• How can we retain the workforce of today?

AISA is a non-profit organisation run for members, by members. For the next two issues, ACSM will run a spotlight feature on AISA state capital branch managers, who dedicate time and effort to ensuring that AISA members get value from the cyber security community and share ideas and learnings from their day-to-day jobs.



What is your day job?

LOUISA VOGELENZANG, Branch Chair, AISA Melbourne: My day job is in the security products team, part of Telstra Global Enterprise Services – our portfolio encompasses both Physical Security and Cyber Security. As National Manager for Security Solutions, my role is to be the voice of Telstra's clients within Telstra's security products team, making sure the products and services we are developing now and in the future support their business goals and deliver exceptional customer experience.

MANDY TURNER, Branch Chair, AISA Brisbane: I am currently in a cyber security role where I engage with Australian businesses to provide sector specific security briefings and promote awareness of good security practices.

SHARMILA PACKIARAJA, Branch Chair, AISA Darwin: I am currently ICT Cybersecurity Manager in the Northern Territory (NT) for Kinetic IT. We are an enterprise solutions provider, working with large complex businesses across industry sectors such as government, corporate, resources and utilities. In my current role as ICT Cybersecurity Manager, I work with our government clients to provide advice on policy and procedures in terms of cybersecurity.

STEPHEN KNIGHTS, Branch Chair, AISA Sydney: I am Founder, Managing Director and Sales Manager for Commulynx, an IT Security Consultancy company.

What are you hoping your local AISA branch will achieve this year?

LOUISA VOGELENZANG: This year our overall goal is to increase member engagement and ultimately grow our membership in numbers and diversity. We plan to achieve this through the following activities:
1. Providing multiple opportunities for AISA members to engage with us - including monthly branch meetings with diverse speakers, Focus Groups, Study Groups, social opportunities and working with our national leadership to find ways to deliver branch content to those unable to attend branch sessions in person.
2. Providing opportunities for our local members to contribute back to #TeamAISA through:
• Volunteering to run Focus Groups
• Taking part in Formal Mentoring Programs
• Speaking at monthly branch sessions
• Getting involved with Student outreach
3. Closely collaborating with other security groups in Melbourne such as ISACA, DOTM and others to find opportunities to share knowledge and collaborate.

MANDY TURNER: The Brisbane AISA branch is committed to diversity and innovation. Our Innovation manager, Dr David Manfield, has been working on several concepts, in collaboration with Committee members Aki Sihto, Mike Younger and Lani Refiti, to enhance the deliverables we provide to local members, including innovation sessions, workshops, collaboration with other associations and webcasts of meetings, which we hope will all come to fruition in the next few months. As a branch, we are supporting an inclusive culture where all people with an interest in information security are welcome as members regardless of their work, skills, education or CALD backgrounds. We promote a supportive cohort who informally mentor and encourage people within the industry. We are breaking the stereotype of information security professionals as middle aged white men in suits and are proud of our contribution to a diverse and inclusive industry. Our conference Manager, Daniel Cox, had great success with AISA Brisbane's local conference BrisSEC17 and is already planning our 2018 conference. We have a lot of exciting plans for the Brisbane branch and we hope to achieve these and more as we head towards 2018.

SHARMILA PACKIARAJA: This year, the Northern Territory team is focusing on two major themes, collaboration and building cyber awareness. AISA launched in the Northern Territory just under a year ago so we are quite new to the area. As such, we are placing a strong emphasis on building the AISA brand and reputation locally. Cyber awareness across the community is of particular importance to us as this part of the world is very different to other regions such as Sydney and Melbourne. Our community faces many different challenges, so we are currently working with other industry groups within the NT to share knowledge and get people and businesses thinking about cybersecurity.

STEPHEN KNIGHTS: In New South Wales, the local AISA branch is focused on maintaining high engagement with existing members, while boosting the attendance rate at our monthly branch events to 120 plus participants. The AISA Sydney branch also hosted a successful Technical Forum event in 2016. We are aiming to replicate and extend this event to be held three times a year to cater for our local technical members.

What does this year's AISA National Conference topic of Collaboration mean to you?

MANDY TURNER: Collaboration is an important aspect of information security; an individual could not stand alone against the onslaught of web defacements, SQL injection, ransomware, DDoS and other compromises or intrusions. Sharing and awareness raising in the spirit of united collaboration will strengthen Australia's security stance and improve the IT security space for governments, businesses and individuals.

SHARMILA PACKIARAJA: I think an important focus when discussing collaboration is collective responsibility. We need to look beyond commercial competition, politics and personal motives and share information. The security landscape can only improve if different organisations can come together to educate one another on their experiences and research.

STEPHEN KNIGHTS: Collaboration in the form of data sharing is critical to enabling information security professionals to learn from the successes and challenges of their peers. The adage 'a smart man learns from his mistakes; a wise one learns from the mistakes of others' has never been truer than in the world of information security. But to be effective, data must be shared in a manner that does not expose sensitive information.



What are some good examples of collaboration that you have seen in the cyber security space over the last year?

LOUISA VOGELENZANG: The Australian government has shown us some excellent examples of collaboration over the last year. I personally took part in PM&C's Women in Cyber session at Cisco Live, where approximately 70 women and men from across the cyber security industry, ranging from students to senior business leaders, came together to participate in a series of round-table and panel discussions over three hours. The aim of the session was to identify and refine the barriers to women and girls entering and staying in the cyber security industry, as well as determine practical actions government and business can take to address these barriers. The event report will be available on the PM&C website (https://www.dpmc.gov.au/cyber-security) soon and I would encourage everyone to read this as it provides some excellent insights. A great example of collaboration I have seen is the work of the Security Influence and Trust Group (SIT). SIT is a group of industry professionals with a long history of building security aware cultures and they have come together as a community to collaborate on common, consistent messages across businesses. Their focus is on security awareness and driving the amplification of those messages to communities beyond their organisations.

How do you think the Australian cyber security industry can improve collaboration?

LOUISA VOGELENZANG: One of the areas where I think we absolutely need to collaborate better is on nurturing the next generation of Security Professionals. According to the ACSGN Sector Competitiveness Plan we will need 11,000 additional workers over the next decade. There is a lot of great work already happening in this space but I believe we can all do more individually to collaborate with the next generation - whether that be putting yourself forward to mentor or coach, opening the door for someone interested in joining our profession from another area, putting yourself forward to run a study group to share your knowledge and up-skill others, or trying harder to bring security 'apprentices' into your team. If all 19,000 of us took one action, we could make a huge difference to the talent trajectory in this country and in turn ensure Australia can prosper in the digital age.

MANDY TURNER: I believe that constantly encouraging and facilitating innovative ways to overcome barriers to collaboration will help improve how the industry works together, whether in threat sharing, mitigation or awareness.


The Cyber Security Strategy released in 2016 by the Australian Government addresses this and supports closer collaboration with industry and government. This is a positive step to improving the way the industry works together. Additionally, private sector organisations are also encouraging better collaboration; you only have to look at the conference themes of both AISA National (collaboration) and AusCERT (united we stand) this year to see how improving collaboration is definitely a topic being encouraged.

SHARMILA PACKIARAJA: The cybersecurity industry has now recognised that building trusted partnerships with their business counterparts is essential to building awareness and improving cybersecurity. Moving forward we need to work to nurture these relationships, articulating the importance of cybersecurity in business terms. Security professionals need to understand that this is a cultural change and it will take time, but top down support from government cybersecurity initiatives will help. Another important step is building relationships with IT leadership and the IT workforce. We encounter a number of challenges with IT projects and initiatives where solutions that incorporate security best practice do not receive due consideration, and are regularly considered an unnecessary cost. We need to work to build relationships with IT professionals to demonstrate that customer data needs to remain secure and to educate them on how efficiently security breaches can be recovered from if you have cybersecurity contingencies in place. It is inevitable that businesses will be breached occasionally, especially with the use of malware growing in size and sophistication. What we need to work on with IT individuals is how to gracefully recover those businesses.

STEPHEN KNIGHTS: As important as industry collaboration is, it can be almost impossible to negotiate cross-enterprise information exchange as sources remain clearly identifiable. Trusted forums like AISA offer a great means for brokering information exchange among Australia's cyber security community. At AISA, our key mission is to provide an ongoing forum to share learnings, knowledge, skills, experience, ideas and innovation in the information security industry. For instance, in New South Wales the AISA Sydney Branch is supported by close to 1,000 members and our monthly branch meetings bring together Sydney's information security community for presentations, debates, panel discussions, and to hear from a wide variety of international speakers on best practice data and information security practices.


EVERYTHING CYBERSECURITY. ALL IN ONE PLACE. RSA Conference 2017 Asia Pacific & Japan is the only event you need to stay at the forefront of global and regional issues. Learn from the best and brightest minds in expert-led sessions covering all aspects of cybersecurity. Experience visionary keynotes and discover where the industry is headed. Fine tune your skills in immersive tutorials. And demo the most advanced products and solutions. Register now for the chance to save! Be one of the first 50 registrants to use discount code 5A7MYSECFCD and you’ll save S$100 off a Full Conference Pass. Go to www.rsaconference.com/ACSM and register today!

Follow us on: #RSAC Stay up to date on the latest news, special offers and updates about our worldwide events. Sign up at https://go.rsaconference.com/emailsignup


Cyber threat landscape

What Australia can expect now and in the future

AISA NSW Chapter Meeting with Eugene Kaspersky – Chairman and CEO, Kaspersky Lab

by Chris Cubbage, Executive Editor, MySecurity Media

Presenting at AISA NSW Chapter's May member meeting, held in the aloft George Street offices of Ernst & Young overlooking Circular Quay, Eugene Kaspersky, visiting Sydney for just a few days, gave an entertaining, upfront account of what we can expect in the cyber security future, based on cyber-attacks of the recent past.

"All operating systems are under attack with malicious files", confirmed Kaspersky, referring to the Kaspersky Lab malware database as at May 2017. He showed the count of malicious code unique to each OS: Windows the highest at 474 million, Android at 23 million, Mac at 53,000, Linux at 33,000 (but set to grow substantially with continued deployment of IoT devices, which are predominantly Linux based) and iOS at just 600. According to Kaspersky, it is mostly state sponsored actors behind iOS attacks and related malware.

"We count the malware in the hundreds of millions and every day we collect and download 300,000 new unique malicious script attacks," Kaspersky said. "Application scripts, office files, every day. Being in Sydney for three days, in my time here we will see one million new, unique pieces of malware. The good news is we do it mostly automatically. Many cybersecurity companies now automate their response and cybercriminals are also doing the same – it's like a cyber robotic war. Interestingly, we see it slow down during weekends, Chinese New Year, Russian New Year and during Eastern European football matches – cybercriminals are

human as well!"

Another takeaway from these results, observed by Kaspersky first hand, is that Mac engineers are difficult to find. "We tend to use Linux engineers and convert them to Mac. The same could be true for the cybercriminals – they will also find it hard to find Mac engineers."

Next, Kaspersky highlighted the cost of cybercrime, the equivalent of AU$600 billion per year based on findings from two independent studies. He put this at 40 percent of Australia's GDP and, referring to the Australian government's recent announcement of the new Western Sydney airport, boasted that "the cost of cybercrime would build 60 new Western Sydney airports."

Some notable attacks? Kaspersky highlighted the Bangladesh central bank heist, the Carbanak bank heist and the Mirai botnet as the most notable. "The Bangladesh central bank heist was not a sophisticated attack," Kaspersky said. "With the bank's security low and the criminals having got access to the SWIFT software, they were able to gain access. Had it not been for the criminals making a famous and expensive typo of 'Fandation' instead of 'Foundation', the 31 orders valued at $870 million would not have been blocked. One of the most expensive typos in cybersecurity history," joked Kaspersky. But four orders did get through and the group stole $81 million, out of 35 transfer orders transacted via the New York Federal Reserve.


Eugene Kaspersky – Chairman and CEO, Kaspersky Lab

"We have four ATMs in our head office basement, which we do tests on. But we don’t have enough parking space in the basement to test trains, but we’re near a small harbour so we may yet test how we can hack into a ship.”

Carbanak was a $1 billion bank heist carried out over two years by targeting and infecting the front-end clerk computers to gain access to emails, allowing the crime gang to harvest intelligence. Then slowly, and with no noise, they began integrating their malware into the system to ultimately obtain administrative control of the bank's computers. Then they could do anything they wanted. They started paying fake accounts, fake employees and fake company suppliers and, as Kaspersky said with a smile, created "magic credit cards, like a normal credit card but no daily limit and the balance is always the same – magic!" The cyber robbers were also managing the ATMs, and it wasn't until a bank called to report an infected ATM that the ruse was discovered, ultimately resulting in offenders being arrested from around the world. But not all of them. This heist was organised by Russian and Ukrainian cybercriminals working together despite the current geo-political conflict. As Kaspersky emphasised, "For cybercriminals, business is business."

The key point Kaspersky made, in his heavy Russian accent, was that all known offenders were Russian speaking. "Russian software engineers are the best," Kaspersky boasted, "Russian cyber criminals are also the worst! That's the reality. The technical education in Russia is the world's best. Sometimes the software engineers go to the dark side and bring new technologies to the region and now we're seeing these attacks globally." Kaspersky also described how cybercrime is now an economy unto itself. "There has been an economy develop where the malware is created and traded, others steal the data and trade it. We call it crime as a service. They behave like businesses and some even pay taxes." Police even know of cyber gangs but unless there are victims in Russia or calls from overseas agencies, they may not have sufficient grounds to launch an investigation.

Of increasing concern, Kaspersky highlighted, is that the internet

of things has been shown to be vulnerable. “In the past it was just computers and smart phones, but with the Mirai botnet, we are seeing attacks on CCTV Cameras and a number of IoT devices. Plus, despite the growth in the human population, the population of smart devices is now larger than the population of smart humans. Computers make less mistakes than humans, they sleep less, consume less. In the old days, the guard at the door was armed and standing with a security dog – it was secure but not safe. But today with computers, it is cyber that makes it safe but it is not secure.” Crime groups have started working together and now cyber and physical crime gangs are working to turn off physical security systems via cyber-attacks before breaking in or committing robberies. In Russia, a bank robbery was committed after the security cameras and alarm systems had been hacked and switched off. Digital SCADA systems are also vulnerable to cyberattack and SCADA systems also make mistakes. New criminal business models are targeting manufacturing and transportation – with cases of stolen commodities. Coal was stolen from a coal mine and facilitated by hacking the system and changing the weight of the coal weighing systems so the theft went undetected. Petrol was stolen from an oil refinery and by hacking into the system’s temperature controls they were able to alter the volume of petrol, which changes in volume based on temperature. Preventing attacks on critical infrastructure is a key challenge, with the most critical being the power grids. “Without power, it will be the end of our civilisation.” Kaspersky said. In the major power blackout in Northeast USA in 2003, the Blaster worm virus had damaged the network files in the unpatched Unix systems, which coincided with a technical system error which wasn’t detected because the Unix machines weren’t talking to each other and ultimately resulted in the blackout. 
The Blaster worm was therefore a contributing factor but not the cause. In 2015, it was a pure cyber-attack against the Ukraine power grid by the Russians which took out 200,000 premises. The attack involved wiping the network’s software, as well as the firmware, so it wasn’t possible to get the grid up again without sending engineers in to re-build. “So, we live in the age of cyber-blackouts,” Kaspersky declared. The next critical infrastructure concern is on transportation. Technically, it is possible to own a car via hacking the car’s computer. The WikiLeaks NSA files have also confirmed the CIA had been doing tests and discovered the vulnerability in modern vehicles. When we think of driverless ships, trucks, aeroplanes and trains which are all being made automatic, they will all be vulnerable. Kaspersky disclosed, Australian Cyber Security Magazine | 15



Photo: Eugene Kaspersky speaking to AISA NSW members (Source: Kaspersky)

“We have four ATMs in our head office basement, which we do tests on. But we don’t have enough parking space in the basement to test trains, but we’re near a small harbour so we may yet test how we can hack into a ship.”

The next is telecoms, where it is possible to paralyse major networks, as happened to Estonia in 2007 (attacks Kaspersky attributed to Russia) and in the massive DDoS attacks of 2016 and 2017. Financial services should also be preparing for future attacks on the financial system: a central bank under attack would be vulnerable and, although difficult, it could be possible to paralyse national or global financial systems. And there is more, including health, government, online voting systems and city services. All are cyber-connected, and this is good, but it is all vulnerable. “We live in a dangerous world and there is a poisoned cyber environment but we can design in a better, safe and immune way – we can do it.”

Kaspersky Lab is working on a new operating system architecture that it describes as designed to be unhackable. Today’s operating system and network architectures were designed fifty years ago, when there was no public access to these systems and no cybercrime. Compare this with buildings: we have been constructing them for thousands of years, we have made all the mistakes, and now we have strict building standards. The cyber world has likewise made many mistakes, and it needs better-defined standards and regulation to control and protect networks. In Germany, for example, systems that serve more than 500,000 people are classed as critical infrastructure and must be protected.

“We have to redesign the world in a better way and I have a plan,” Kaspersky declared. “We need to protect everything, at the individual level, from devices, networks, and through to national critical security.” This is the motivation for Kaspersky’s own operating system and the launch of a new layer 3 network switch, “designed for networks with extreme requirements for data security.” Direct from Kaspersky’s own blog, eugene.kaspersky.com: “the operating system boasts several distinctive features. Let me run through the main ones briefly… First, it’s based on microkernel architecture, which allows to assemble ‘from blocks’ different modifications of the operating system depending on a customer’s specific requirements. Second, there’s its built-in security system, which controls the behaviour of applications and the OS’s modules. In order to hack this platform a cyber-baddie would need to break the digital signature, which – any time before the introduction of quantum computers – would be exorbitantly expensive. Third, everything has been built from scratch. Anticipating your questions: not even the slightest smell of Linux. All the popular operating systems aren’t designed with security in mind, so it’s simpler and safer to start from the ground up and do everything correctly. Which is just what we did.”

Mr Kaspersky co-founded Kaspersky Lab in 1997. Now celebrating its 20th year, the company is one of the world’s largest privately held endpoint protection vendors, and Eugene has earned a number of international awards for his technological, scientific and entrepreneurial achievements. It was great to see him presenting to the AISA NSW Chapter, and thanks to LogRhythm and EY for supporting the event.




Cyber Security

Building security into the change lifecycle using Microsoft's SDL

by Tony Campbell, Editor

The golden rule that governs business technology is that it is continually changing and evolving. Change can be introduced to better meet market demands, to drive efficiencies or business agility, or simply to keep up with the competition. Whatever instigates the change, businesses need a way not only to build the best and most feature-rich software and systems, but also to run a robust security process that addresses today’s pervasive threat environment. Let’s look at how security can be integrated into the enterprise’s change process, whether it is infrastructure or software related, using Microsoft’s Security Development Lifecycle.

In 2004, Microsoft got serious about fixing its security problem. Redmond announced that all of its development programs from then on would follow a repeatable, security-oriented development process, which became known as the Security Development Lifecycle (SDL). This was a company-wide initiative, mandatory for all programmers regardless of how large or small their coding projects were. Introducing a process change of this scale into a company like Microsoft would have been costly, but Redmond needed to do something to fix its reputation for shipping the most vulnerable and exploited code in the industry. Interestingly, 13 years on, the SDL is now used by many development companies beyond Microsoft and has become an industry-standard approach to building more secure and robust code.

Getting Started

The SDL won’t write the code for developers, but it does teach them to decide what the code must and must not do, based on cause and effect: the developer models the code from a security perspective and can see where the weaknesses are likely to be, as part of a continuous process of improvement. This feedback loop means vulnerabilities are discovered continuously, with a high percentage found faster and earlier in the development lifecycle than before, so far fewer of them make it into production code. Accountability sits at the heart of making the SDL work: programmers must adhere to the SDL, producing threat models and mitigation strategies as deliverables whenever they create anything new.

Figure 1 shows the full SDL, from the up-front training focus of getting everyone up to speed with the SDL, secure coding and how attackers work, through to the incident response planning at the end of the cycle, should there be a need to address something that was overlooked.

Figure 1 Microsoft's Security Development Lifecycle

Training

This aspect of the SDL means that all project managers, architects, developers and testers are aware of the requirements of the Security Development Lifecycle, and that they all know how to code defensively, how to model security requirements and how to test for security-related defects. Microsoft provides a selection of training courses for each stage of the SDL. Even if you have requirements peculiar to your industry or market sector, this is a great place to start and will accelerate your adoption of the SDL. See: https://www.microsoft.com/en-us/SDL/process/training.aspx

Requirements

A common way of discovering and documenting requirements is the Unified Modelling Language (UML) construct known as the use case. Use cases describe a desired behaviour within a system, documenting how users interact with processes and systems and showing how data is transmitted and processed within the task. Tasks are written as a single high-level interaction, such as “buy a Coke” or “put on your socks”, and the developer builds functions that deliver those outcomes. Security requirements are not so easily modelled, however: security engineers need to model what a system should not do, rather than what it should do, which is where the concept of the misuse case comes from. Two Norwegian computer scientists, Guttorm Sindre and Andreas Opdahl, described misuse cases in their paper “Eliciting Security Requirements with Misuse Cases” (Springer-Verlag London, 2004). A misuse case is written from the attacker’s point of view (“submit a crafted order that changes the price”) alongside the use case it threatens, so that the mitigation becomes a requirement in its own right.

There are three key stages to security requirements modelling in the SDL:
1. Establish security and privacy requirements
2. Create quality gates and bug bars
3. Perform security and privacy risk assessments

Each of these stages is accompanied by reference material, downloads, tools and training, so Microsoft has already provided the material you need to introduce this into your enterprise.

'With any IT system, a focused attacker can take a relatively short time and with limited funds, sometimes as low as $5,000 on the black market, to acquire the ability to break in.'

Design

The design phase of the SDL helps business architects establish best practice around design and functional specifications, and ensures that every decision affecting security is based on risk analysis. The resulting code should mitigate security and privacy issues throughout the system, with each individual security requirement shown to be addressed and capable of being tested. The design phase has three stages:
1. Establish design requirements
2. Perform attack surface analysis and reduction
3. Use threat modelling

The core of the entire SDL relies on the ability of architects or designers to use threat modelling: representing threat scenarios in a model that identifies vulnerabilities, and hence the risks arising from those threats. From the threat model, the architect or designer can propose the mitigations the developer builds into the system, which in turn feed the test objectives for the release. To help with threat modelling, Microsoft developed a free tool, creatively known as the Threat Modeling Tool, which can be downloaded from https://www.microsoft.com/en-au/download/details.aspx?id=42518

Implementation

The implementation phase is about working with developers so that they make informed security decisions about the way their software is built. The SDL breaks implementation into three deliverables:
1. Use of approved tools
2. Deprecation of unsafe functions
3. Performing static analysis

To automate security practices and put rigour around enforcement of controls, publish a list of approved tools and security standards for use in the development process; the example Microsoft gives is compiler and linker options and warnings. Keep this list current, since using the latest version of a development tool ensures your team gets the latest security functionality and protections the toolset offers.

The second aspect of implementation is the removal of unsafe functions from the development environment and the resulting products. By analysing the functions used in the system and forbidding the insecure ones (the classic C examples are unbounded string and memory functions such as strcpy, sprintf and gets) from the final product, you should see fewer security bugs make it into production code. The examples Microsoft gives are header files that mark banned functions as deprecated, newer compilers, and code-scanning tools to check the code.

Finally, the last aspect of the implementation phase is to examine the source code before it runs. This is static analysis: the code is not executed but is checked for security bugs and vulnerabilities, by scanning tools and, for sensitive components, by a reviewer well-versed in secure coding principles working in the IDE (or on paper). This ensures your secure coding policies are being followed.

Verification

After implementation we move to a testing phase which, like the others, has three constituent deliverables:
1. Perform dynamic analysis
2. Perform fuzz testing
3. Conduct attack surface review

These three verification approaches are incredibly important to the SDL and, undertaken properly, dramatically improve the chances of delivering high-quality software with fewer security bugs. Dynamic analysis runs the program under special tools that verify its behaviour at run time, looking for memory corruption, misuse of user privileges and other operational security vulnerabilities. Fuzz testing deliberately feeds the program malformed or randomised data to force an exception or failure; each crash or hang is then triaged, because the same input in an attacker’s hands may expose the application or leak security-related information. Finally, the software should be checked again to ensure that changes made during the previous phases have not introduced new vulnerabilities: go back to the design threat models and confirm that the system as built is still aligned with the original objectives.

Release

The release phase is when your team prepares to deploy the system to its user base, whether an internal release to enterprise users or a public release to customers. Part of the service design side of release planning is how your team will support the system in production and how vulnerabilities will be managed if they are found later. The three aspects of release planning cited in the SDL are:
1. Create an Incident Response Plan
2. Conduct Final Security Review
3. Certify Release and Archive
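As an added example (not from the article and not Microsoft’s SDL material), the following C program shows two of the deliverables above applied to one small piece of code: the “deprecation of unsafe functions” step from the implementation phase, with an unbounded copy beside its bounded replacement, and the “fuzz testing” step from verification, with a reproducible harness that throws random buffers at the hardened parser and checks the invariants it must never break. The record format, the function names and the PRNG are assumptions made for the example.

```c
/* Added example: unsafe-function removal plus a fuzz harness for a tiny
 * length-prefixed record parser. Not from the article or Microsoft's SDL;
 * the wire format and every name here are assumptions for illustration.
 * Assumed wire format:  [len:1 byte][name:len bytes][value:1 byte]
 * Build: cc -std=c11 -Wall -fsanitize=address,undefined parser_fuzz.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

struct record {
    char    name[NAME_MAX];
    uint8_t value;
};

/* BEFORE: the kind of code a banned-function list exists to catch. The
 * attacker-controlled len byte drives an unbounded copy into a fixed buffer
 * (strcpy/sprintf style); any len >= NAME_MAX writes past name[]. Kept only
 * as the 'before'; never call it with untrusted data. */
int parse_record_unsafe(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 2)
        return -1;
    size_t len = buf[0];
    memcpy(out->name, buf + 1, len);   /* no bound against NAME_MAX or buflen */
    out->name[len] = '\0';
    out->value = buf[1 + len];
    return 0;
}

/* AFTER: every length is checked against both the buffer being read and the
 * buffer being written, and the NUL terminator always fits.
 * Returns 0 on success, -1 on any malformed input; nothing else. */
int parse_record(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;
    size_t len = buf[0];
    if (len >= NAME_MAX)             /* leave room for the terminator */
        return -1;
    if (buflen < 1 + len + 1)        /* len byte + name + value byte */
        return -1;
    memcpy(out->name, buf + 1, len);
    out->name[len] = '\0';
    out->value = buf[1 + len];
    return 0;
}

/* Tiny deterministic PRNG (xorshift32) so every fuzz run is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* Fuzz harness: feeds random-length, random-content buffers to parse_record
 * and checks the invariants a correct parser must uphold. Returns the number
 * of inputs accepted, or -1 the first time an invariant is violated. */
long fuzz_parse_record(uint32_t seed, int iterations)
{
    uint32_t s = seed ? seed : 0x9E3779B9u;   /* xorshift must not start at 0 */
    long accepted = 0;
    for (int i = 0; i < iterations; i++) {
        uint8_t buf[64];
        size_t n = xorshift32(&s) % (sizeof buf + 1);     /* 0..64 bytes */
        for (size_t j = 0; j < n; j++)
            buf[j] = (uint8_t)xorshift32(&s);

        struct record r;
        memset(&r, 0xAA, sizeof r);          /* poison so a missing NUL shows */
        int rc = parse_record(buf, n, &r);
        if (rc == 0) {
            size_t len = buf[0];
            if (len >= NAME_MAX)                         return -1; /* oversize name accepted */
            if (n < 1 + len + 1)                         return -1; /* read past the input */
            if (memchr(r.name, '\0', NAME_MAX) == NULL)  return -1; /* not NUL-terminated */
            if (strlen(r.name) > len)                    return -1; /* copied too much */
            accepted++;
        } else if (rc != -1) {
            return -1;                                   /* undocumented return value */
        }
    }
    return accepted;
}

/* Hand-picked cases a reviewer would check (constructed inputs). */
int demo_valid_record(void)          /* returns the parsed value, -1 on failure */
{
    const uint8_t msg[] = { 4, 'h', 'o', 's', 't', 7 };
    struct record r;
    if (parse_record(msg, sizeof msg, &r) != 0 || strcmp(r.name, "host") != 0)
        return -1;
    return r.value;
}

int demo_oversize_name(void)         /* len byte claims 40 bytes: must be rejected */
{
    uint8_t msg[48];
    memset(msg, 'A', sizeof msg);
    msg[0] = 40;
    struct record r;
    return parse_record(msg, sizeof msg, &r);
}

int demo_truncated_record(void)      /* len says 3, only 2 name bytes follow */
{
    const uint8_t msg[] = { 3, 'a', 'b' };
    struct record r;
    return parse_record(msg, sizeof msg, &r);
}

int main(void)
{
    printf("valid record value: %d\n", demo_valid_record());
    printf("oversize name rc:   %d\n", demo_oversize_name());
    printf("truncated rc:       %d\n", demo_truncated_record());
    printf("fuzz inputs accepted: %ld\n", fuzz_parse_record(42, 20000));
    return 0;
}
```

The harness checks the parser’s contract rather than just “it didn’t crash”: a missing terminator or an over-read would pass a naive crash-only loop, which is why the record is poisoned before each call and the accepted inputs are re-validated. Building with the sanitizers turns the remaining class of out-of-bounds reads into hard failures too. Swapping `parse_record` for `parse_record_unsafe` in the loop is the quickest way to see what the banned-function rule is protecting against.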


The Incident Response Plan is something every team should have, but it is vital if you manage a system or software application with real-world impacts. You need to be prepared to deal with new or emerging threats that arise through no fault of your own, such as the big named ones that hit the press over the past few years, like Heartbleed and Shellshock. The plan must include all the emergency contacts your team needs to notify if an incident occurs, and you need established and tested security maintenance plans for your systems, especially for code, modules or systems integrated into your solution from an external source.

In the SDL, the Final Security Review (FSR) has you re-examine your initial threat models, the tools used to build and deploy the system, the security outputs from testing, and performance against any quality gates you have established. Lastly, certifying the software through a formal accreditation process confirms that the requirements established at the outset have all been met. Once you have a formal release of the product, archive it. As Microsoft states, this “includes all the specifications, source code, binaries, private symbols, threat models, documentation, emergency response plans, and license and servicing terms for any third-party software.”

Response

After the system or program is released, it enters standard support. Make sure the support team (often including some of the developers) can respond to issues, bugs and security vulnerabilities, and is aware of the incident response plan.

Conclusion

The Microsoft Security Response Center (MSRC) is the team that works closely with industry to help prevent security incidents in Microsoft’s product set. It is the team security researchers call when they find a new vulnerability in a Microsoft product, especially one that could lead to a serious breach. Microsoft has developed mature SDL processes that are now incorporated throughout its design lifecycle, across every development tower in the business. Yet it is not slowing down its security investment: a recent public pledge to keep putting over a billion dollars a year into security research and development is a trend others might want to follow (http://www.cnbc.com/2017/01/26/microsoft-to-continue-to-invest-over-1-billion-a-year-on-cyber-security.html). The SDL is a freely published process model that anyone can use, and it applies as much to systems engineering as it does to software. If you don’t follow a process today for building security into your deliverables, the SDL is a great place to start. Why reinvent the wheel when Microsoft has done the hard work for you?





To Comply or Not Comply? That is not the question…

by David Stafford-Gaffney

We place so much emphasis on being compliant and passing security audits and checklists that offer the board and executive a warm, fuzzy feeling of being protected. This false sense of security leaves you a lot less protected than you might think. Whether it’s compliance with a standard like ISO 27001 or PCI DSS, the Australian federal government’s Information Security Manual (ISM) 2016, or an Office of the Auditor General review, compliance demonstrates that you have met the minimum requirements of that body. The key word in that last statement is “minimum”, and what you need to remember is that it’s their minimum standard, not necessarily yours. The biggest mistake made concerning compliance is organisations trusting that someone else’s minimum is their minimum. Compliance then becomes nothing more than box ticking on a compliance spreadsheet. The harsh lesson won’t come until you’re explaining to shareholders what the impact of the recent data breach will be, because you were compliant, not secure.

Take the following example. A hardware manufacturer gets a clean bill of health from a governing body by passing its audit and is therefore compliant. Over a period, though, it realises that stock is going missing. Despite one investigation after another, it cannot pinpoint the threat vector (how the stock leaves the organisation) or the threat actor (the person performing the action). After months of investigation someone recalls that there is CCTV of the dock; they go back and review it and, bingo, culprit found and vector identified. But hang on, they were compliant, and the standard said they needed CCTV of the dock, so why did this happen? It happened because the organisation trusted that being compliant meant being secure. What else could they have done?

Of course, they could have engaged a cyber-security professional to assist with a cyber security strategy that aligns their business objectives with cyber security measures. You probably expected me to say that, but we engage a professional accounting firm for our financial arrangements, or hire a professional internally, so why should this be any different? The cyber security professional will help you determine what security controls, procedural, logical and physical, are required for you to address the threats you face. In this instance, CCTV footage placed a green tick in the compliance box and was then left out there to flap about in the breeze, doing nothing. Instead, review of the CCTV footage should have been part of the incident response plan, the plan that should also have been invoked each time an incident occurred. Is there even an incident response plan? Is there a box on the audit schedule for that? See what I mean?

Another example is password management, and specifically complexity. The ISM control states that where a passphrase is the only form of authentication, the password must be at least ten characters long and contain at least three of the following:
• Uppercase
• Lowercase
• Numerical
• Special
That doesn’t prevent someone from using Password123, which will be among the first guesses even a basic password attacker tries. Are you compliant? Yes. Is it sufficient? No. There is a great deal more to consider in password management, but this demonstrates well that compliance with someone else’s requirements should not give you that warm fuzzy feeling of being secure.

So, please remember: it is YOUR organisation, not theirs. You should determine what your security requirements are, based on the types of threats you face and the systems and services you have. I would strongly encourage you to invest in or engage a professional who can assist you with this process. If you are unsure where to start, perhaps consider contacting one of the professional bodies such as the Australian Information Security Association (AISA). It’s your information and your business!
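As an added example (not from the article and not the ISM’s own text), the following C program encodes the complexity rule exactly as described above and then applies the check a practitioner would add on top of it: a case-insensitive, leet-aware search for the base words every cracking wordlist starts with. The blocklist, the substitution table and the function names are constructed stand-ins for the example; a real deployment would check candidates against a breached-password corpus instead.

```c
/* Added example: the article's ISM-style complexity rule beside a stronger
 * acceptance check. Not from the article or the ISM; the blocklist and the
 * leet-speak table are small constructed stand-ins for illustration.
 * Build: cc -std=c11 -Wall password_check.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The compliance rule as the article states it: at least ten characters and
 * at least three of the four character classes. Returns 1 if met, else 0. */
int meets_ism_complexity(const char *pw)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c))      upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else                 special = 1;
    }
    return n >= 10 && (upper + lower + digit + special) >= 3;
}

/* Constructed blocklist of base words that cracking rule sets try first
 * (assumption for the example; use a breached-password corpus in practice). */
static const char *const BLOCKLIST[] = {
    "password", "passphrase", "welcome", "qwerty", "letmein",
    "admin", "changeme", "monkey", "football", "iloveyou",
};

/* Normalise for matching: undo common leet substitutions and lower-case,
 * so "P@ssw0rd2017!" and "Password123" both reveal "password". Writes at
 * most outsz-1 characters plus a NUL into out. */
void normalise(const char *pw, char *out, size_t outsz)
{
    static const char from[] = "@40!3$57";     /* leet character ...        */
    static const char to[]   = "aaoliest";     /* ... and the letter it hides */
    size_t i;
    for (i = 0; i + 1 < outsz && pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        const char *p = strchr(from, c);       /* c is never '\0' here */
        out[i] = p ? to[p - from] : (char)tolower(c);
    }
    out[i] = '\0';
}

/* Returns 1 if any blocklisted base word occurs anywhere in the normalised
 * password, so prefixes, suffixes and year/symbol padding do not help. */
int contains_blocklisted_word(const char *pw)
{
    char norm[256];
    normalise(pw, norm, sizeof norm);
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++)
        if (strstr(norm, BLOCKLIST[i]) != NULL)
            return 1;
    return 0;
}

/* What "sufficient" looks like for this example: compliant with the rule AND
 * not built on a word that an attacker's first few thousand guesses cover. */
int password_acceptable(const char *pw)
{
    return meets_ism_complexity(pw) && !contains_blocklisted_word(pw);
}

int main(void)
{
    const char *samples[] = {
        "Password123", "P@ssw0rd2017!", "Welcome2017!",
        "correct-Horse7battery", "passw0rd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s compliant=%d acceptable=%d\n", samples[i],
               meets_ism_complexity(samples[i]), password_acceptable(samples[i]));
    return 0;
}
```

Password123 and P@ssw0rd2017! both satisfy the complexity rule and both fail the acceptance check; the point is that the extra test is cheap, but it only exists if you decide your requirement is “resists a basic guessing attack” rather than “matches the auditor’s checklist”.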

About the Author

David Stafford-Gaffney is an information risk and security professional with over two decades in the ICT sector, in roles ranging from hands-on technical to operational management and business development. He has established two businesses from scratch, and his strong business acumen enables him to understand acutely the need to align security with business requirements. He is passionate about leadership, information security and assurance, and improving the industry as a whole.


26-28 JULY 2O17 ICC SYDNEY DARLING HARBOUR

THE INTELLIGENCE OF SECURITY The Security Exhibition & Conference returns to Sydney this July to reunite the security industry for three days of business networking and intelligence sharing. Offering inspiration and innovation to tackle your operational security challenges, you can source products from leading electronic and physical security suppliers whilst learning from the experts and connecting with industry peers. Plus at Security 2017 the Cyber Security Zone launches, showcasing solutions to protect your vital data from threat of breach.



Gender diversity: The key to success

Recruiting and retaining women in information technology: a CIO’s perspective

By Samantha Liscio, Senior Vice President, Enterprise Planning & Reporting at eHealth Ontario

Most IT people would admit that women are underrepresented in generalist IT roles, but it’s especially noticeable in IT leadership and cybersecurity positions. I personally know a number of competent and tenured female IT leaders who have carved out exciting and fulfilling careers in our industry, so what attracted them to the industry and keeps them engaged while so many of their peers have elected to leave?

At this year’s Gartner Symposium and IT Expo in Orlando, it was apparent that the ratio of men to women hasn’t changed since I first attended back in 2008. Gartner’s Symposium is the preeminent gathering of CIOs and IT executives and, interestingly, it’s the only large-scale event I attend where the line for the men’s room is longer than that for the women’s room. Published statistics confirm my observations. The proportion of women in technology has effectively stalled and, in some roles, even declined. In the U.S. in 2008, women held 25% of IT jobs, down from 36% in 1991. In information security, women represent a meagre 11% of the profession. Furthermore, women in information technology careers aged between 25 and 34 are increasingly reporting dissatisfaction with their careers: 56% of them leave their jobs at what would seem the highlight of their career, twice the quit rate for men. According to a Reuters study, 30% of 450 technology executives said that their teams had no women in leadership positions at all. So it seems that women are being left behind in the technology sector, while the sector itself continues to grow and flourish. The U.S. Department of Labor has estimated that 1.8 million IT jobs will be created


by 2018, so something needs to be done to draw from the talent pool that makes up 50% of the population. While it can be argued that academic and professional interest in technology is waning across both genders, the reduction we’re seeing is far more pronounced among women. For example, in 2008 women earned 57% of all bachelor’s degrees, but only 18% of the bachelor’s degrees in computer and information science. This is a significant decrease from the mid-1980s, when 37% of those technology degrees were awarded to women. The employment situation is no better: in 2008, women held 57% of professional jobs but only 25% of IT jobs, down from 36% in 1991.

Challenging Times

The challenge we have is how to encourage more women to participate in the growing field of technology and, especially, how to convince women to apply for higher-level management roles. The Anita Borg Institute analysed a number of Fortune 500 companies with at least three female directors; interestingly, these companies all reported a return on sales at least 42% higher. So why is there such a gender gap? We all know that unconscious bias and discrimination exist across all industries, but they seem to be more visible in the industries underpinned by the Science, Technology, Engineering and Maths (STEM) subjects. This negatively impacts motivation and productivity and leads to women eventually exiting the industry for more traditionally female-oriented jobs.


Convincing the Next Generation to Sign Up

Those of us in executive IT roles know there is more to information technology and information security than coding in a dingy basement. Almost every day we are tackling the most difficult business problems, with decisions based on science, engineering and technology while taking into account business strategy, marketing and customer satisfaction. So what has caused the perception gap for all of these young women who choose not to pursue careers in IT, and who don’t see what the industry has to offer? The paradox is that most of the successful female IT leaders I know have not come from a software development background, and their undergraduate degrees and experience are more varied than they are similar. Furthermore, these female leaders have arrived in their roles through often complicated and circuitous journeys, with a variety of IT, business and customer-facing roles under their belts. Attend any women’s leadership event and you’ll hear this same paradox discussed: successful women in IT (like their male counterparts) bring a variety of skills to the table and a perspective on problem solving that benefits their companies; they find the work interesting and fulfilling once engaged in it, and often very different from, and more positive than, the perceptions they may have harboured beforehand. It is interesting to look more closely at the journeys of successful women in IT, at their perceptions of the IT industry before joining the workforce and during their developing careers, and to contrast these with their current perceptions as IT leaders.

Summary of Samantha’s career journey

Samantha Liscio, BSc (Hons), PhD, PMP

With a PhD in geosciences, my education was academically focused rather than specifically in information technology. I had an ‘O’ level in Computer Science but had not considered it as intellectually stimulating as other subjects, and steered more to science and geosciences and the compelling ‘big’ ideas that the laws of physics and chemistry posed. Through school and university, IT to me was something more pedestrian, more binary: programming nested IF statements to reproduce algorithms. It was reasonably interesting but nothing I could get passionate about. However, my PhD supervisor sparked a renewed interest for me in IT through exposure to the possibilities of the Internet and the application of IT to the research and teaching practices in academia. This was back in the mid ’90s, and I was able to see a role for IT in the solution of bigger business problems. After my postgrad I actively sought to develop IT skills in application development and systems administration after emigrating from the UK to Canada. By then I could see that information technology was more progressive and enabling than simple coding had seemed back in school.

Becoming an entrepreneur helped me build my business skills. I ran my own small IT consulting and support business, which showed me the essential elements of managing a business and helped me understand how IT enabled business success, which proved invaluable in the longer term in my management career. Working in IT in the public sector showed me how government really works and how public policy relies on the promise of IT as an enabler and agent of change. During this time, it was imperative for me to be as flexible as possible, stretching the boundaries of job descriptions, blurring the boundaries between business and IT, with a consistent focus on problem solving and team collaboration. This helped me move into increasingly senior and more accountable management roles. Not saying “no” helped with that too.

As a female CIO under the age of 40 working in government, I unfortunately had to learn to deal with the inevitable criticism and comments such as, “you don’t look like a CIO.” I found that by anchoring my views in the science of the subject matter and coupling my decision making with good business and organisational sense, this negativity didn’t intimidate me. Being tough is probably one of the most important traits that has helped my career advance the most. So far, I’ve spent time as a Managing Director in a global IT professional services company, I’ve been a CIO and an IT strategist in government, and now I am the Senior Vice President of Strategy, Reporting and Planning in a health agency within the Ontario provincial government. In all of these roles I’ve been exposed to stimulating and demanding IT work and have had my competencies and attitudes valued.

Summary of Adina's career

Adina Saposnik, P.Eng., MBA, PMP

My father was a very successful mechanical engineer who encouraged me to pursue my passion for mathematics. Towards the end of my high school years, I realised that I would like something more than 'just' a theoretical endeavour and that creating something with my own hands would be much more rewarding. This led me to computer engineering, where I started with hardware design. But then I realised that software development was actually far more exciting, as it bridged between an intellectual pursuit and applied science. Fast forward and another avenue opened up: people management, with an emphasis on technology and process development. I seized that opportunity with both hands and found it extremely rewarding. Fast forward again and a desire to better understand the underlying cogs and wheels of what makes business tick led me to take an executive MBA. Technology, planning and engineering remained my passion, but now with a solid background in business management, it became clear that there is one area of explosive growth: Information Security. The threats have become ubiquitous, yet they are always changing; the threats are persistent, as they are sophisticated; the pace of 'harmful' innovation is increasing at dramatic speed, yet there is a need to address them in a thoughtful and pragmatic way. Perfection is unachievable, yet there is an absolute requirement to protect the information. The answer is to focus on prevention and detection, which requires a programmatic, risk-assessment based approach. In other words, what better way to bridge between pure technology capabilities and a solid business sense, focused on outcomes and demonstrating the value to the business? As I travelled forward through the executive ranks, I started to wonder where all my female colleagues were. After some reflection, I decided that I had to do something about it, so I became involved in the "Women in Business" programs at my business Alma Mater and then at grass-roots level activities in schools through professional engineers' associations.
The key is to build confidence by showing girls that math is beautiful; that there is art and creativity in numbers and that mastering these skills can open up so many doors and possibilities in careers associated with science, technology and engineering. In a way, I am trying to emulate what my father instilled in me, so what goes around, comes around across generations.

From very different cultural, academic and work-related backgrounds, both Samantha's and Adina's stories mention characteristics of seizing opportunities, focusing on the business outcomes and having the confidence to articulate technology value in business terms. It is noteworthy that their perceptions of what IT is and does were very different at the outset of their careers from those they share now. While they both have a background in information technology, science or engineering, they did not set out focused on an IT career. Yet through both of their journeys they have recognised the appeal of IT and, as a result, have supplemented foundational skills with the multi-disciplinary attributes and perspectives necessary to make the impactful risk management and business decisions that can unleash the true potential of IT as an exciting business enabler. The teams that report to these IT leaders have been shown to benefit from exposure to some of the characteristics common to both career journeys. Skillset diversification and understanding the value of complementary capabilities is fundamental to success and can help sustain organisations during times of change. Women in senior and executive positions in IT can act as agents of change — as they often do, by virtue of their own personal journeys — as long as they maintain the mindset, skill and conviction that is essential to lead transformation. Progressive companies and governments are beginning to recognise the value that women bring to the IT workforce, and it can be a true differentiator in terms of business and organisational success. In many organisations, we are also seeing businesses take active steps to recruit and retain female talent. More needs to be done in recruitment efforts aimed at young women, in university and college but also in high school and elementary school, to show girls what's possible if they embrace IT as a career path. More can and should be done by IT professionals themselves, especially women in IT. Disavowing negative perceptions early is fundamental in ensuring that young women see the diversity and challenges associated with IT careers. Talking to young women about the nature of IT as a business enabler and agent of change, in commerce, in society and in every industry sector, broadens its appeal. Having young women see other successful females who share this passion for IT is also a key point of influence. Breaking down the masculine stereotypes in technology will be a lengthy process, but the payoff for encouraging greater gender diversity in IT executive leadership will be well worth the sustained effort.


Building Singapore as the number 1 FINTECH-HUB

Mr. Ravi Menon, Managing Director of the Monetary Authority of Singapore (MAS), and Mr. Sopnendu Mohanty, Chief FinTech Officer of MAS, were in Sydney in March and took the opportunity to announce developments about the FinTech ecosystem and the upcoming Singapore FinTech Festival #SGFinTechFest, to be held 13 - 17 November 2017. Mr. Menon provided insight into Singapore's 'Smart Nation' vision and the government's efforts to drive innovation in the Financial Sector as part of this vision. Singapore is one of the world's leading financial centres and has an established and thriving FinTech sector. The integration of banking services and data, including electronic and digital payment data, is moving quickly along with greater use of technology for smart banking and across the finance industry. The development of FinTech so far has focused on digital payments; the application of blockchain and distributed ledger technology, as well as open platforms and APIs to augment how financial services can be accessed and delivered, has become more prominent. Tasked with leading developmental efforts in FinTech, MAS set up its Financial Technology and Innovation Group and appointed its own Chief Fintech Officer to oversee its efforts to build Singapore as a Smart Financial Centre, where technology is applied pervasively to create new opportunities and improve people's lives. Mr. Mohanty said, "In just the last two years Singapore has seen a lot of innovation efforts across the sector, especially in banks." He added that the MAS will focus on four key areas in the next phase of FinTech development: establishing an open architecture, facilitating cloud computing, enhancing cybersecurity and creating a national digital identity. Beyond developing its own FinTech infrastructure, Singapore is also working closely with its counterparts and banks across the ASEAN region to explore ways to tap the power of FinTech to increase market access, enhance financial inclusion and propel the growth of financial services within the region. Singapore also has a mature venture capitalist ecosystem and a good capital pool for start-ups to tap into.

The MAS, which acts as both regulator and market developer, is also very supportive of the growth of FinTech. It has put in place the necessary infrastructure and tools to facilitate the development of Singapore as a FinTech hub, including a Financial Sector Technology & Innovation grant scheme, various outreach platforms and a regulatory sandbox for the industry to test out innovative ideas. These efforts have paid off, as Singapore is now home to close to 30 innovation labs and has thriving FinTech hubs, such as Lattice80. Mr. Mohanty added that the growth of FinTech in Singapore does not come without challenges, as the industry faces a talent shortage. He said that cybersecurity skills are in great demand, but this is not limited to the FinTech industry.

By Chris Cubbage

Figure 1: Mr Ravi Menon, Managing Director of the Monetary Authority of Singapore and Mr Sopnendu Mohanty, Chief FinTech Officer of the Monetary Authority of Singapore (MAS) speaking in Sydney


Changing the way we think about Cyber Security

We need to change the way we think about and practice cyber security, and we need women and others from a more diverse professional background to help us do that.

By Jodie Siganto

The low number of women in cyber security, and ways that we might encourage more women into the field, has been receiving a lot of attention recently. This led me to ponder why I think it is important that more women become cyber security professionals. There is certainly little doubt that women are underrepresented in cyber security. Research released in 2015 found that, globally, 10% of information security professionals are women. The 2017 version of this research indicates little change, with the current percentage at 11%. This latest research also notes that more of those women have advanced degrees but get paid less. Information from AISA puts the number of female members slightly higher at 12%. From the various industry events I attend and my networks of information security colleagues, these numbers are about right. Upping the number of women in cyber security is often linked to the cyber security skills shortage. Presumably the idea is that more women will increase the total number of cyber security workers and reduce the so-called shortage. This seems to assume that the cyber security skills shortage is a simple problem of supply versus demand: if there were more people in 'cyber security' (and that would include women if we could just get more of them interested), they would all be employed because of the pervasive shortage of skilled staff. But is the cyber security skills shortage as simple as that? Recent research I did with AISA suggests that the problem is as much with demand, and the way organisations recruit and develop cyber security specialists and the barriers to entry into the profession, as it is a problem of supply. But bringing more women into cyber security is much more than simply a solution to the supply problem. Women and others from diverse professional backgrounds have an important role to play in re-positioning cyber security to make it fit-for-purpose for the 21st century. This is because the challenges faced are not confined to recruiting more people into the industry to strengthen our defences, but go to the heart of cyber security practice. The current framing of cyber security as a defensive war against aggressive, sophisticated enemies not only amounts to an exclusionist narrative which turns women and others away, it is also out of step with the modern world. Women can introduce a much-needed change in thinking and new approaches to information security which will help our profession keep up with the changing needs of the community we serve. A new perspective and change in approach to cyber security will also make the profession attractive to a more diverse group of people, naturally opening it up beyond the domains currently inhabited by computer scientists, engineers, cryptographers and mathematicians, bringing broader skills and different knowledge to the profession and ultimately improving the quality of the solutions we can offer the community.

Moving away from negative security

My main issue with information security as most practitioners currently understand it is its positioning as a 'negative security', relying almost entirely on technological controls and operating on the basis of exclusion and inclusion. This positioning is reflected in the language and narratives we use when we talk about cyber security and in the way that we have developed the standards that shape our practice. The current narrative of cyber security is centred on the need to protect organisational assets from sophisticated, well-resourced and determined adversaries. Military terminology has been appropriated by the cyber world, so we have offensive and defensive security, strong perimeters, defence in depth, 'kill chain' and advanced persistent threats. "Users" are regarded as inept at best and hopelessly incompetent at worst, who need to be protected from their own stupidity and lack of care. This view of cyber security, as ensuring freedom from attack and protecting the assets and values of a particular group (usually organisational management), is a negative security (to borrow from national security theorists). Current practice which relies on this negative role of security does not resonate with many women. Women largely do not want to go to war, they do not want to be involved in building or manning the barricades to repel attacks, nor do they want to be involved in taking offensive action. A technology company called Buffer used to advertise software developer positions as "hackers." After noticing a dismal rate of female applicants - 2% - the company experimented with using "developer" instead. The company hired its first female engineer soon after making this change and shortly after had two full-time developers who were women. Other research has found that women don't like jobs that require traits such as 'independent', 'aggressive' and 'analytical'.
Women were more attracted to descriptions containing 'dedicated', 'responsible', 'conscientious' and 'sociable.' Arguably, this may just be about the language used in information security. But language is important. And the language of information security, to the extent it supports a negative security, does not attract women. Perhaps what is more important is that this narrative of negative security, where ensuring cyber security is an ongoing and ever-escalating war and where distinctions are made between those who are inside the defences (who are included) and those who are outside (who are excluded), is ingrained in and underpins most accepted standards-based information security management practices. Modern information security practice has its genesis in the military and defence (which focuses on 'protection from' rather than the 'freedom to') and cryptography, the domain of engineers, scientists, mathematicians and technologists. These antecedents support the technological and process-based foundations of standard information security practice. They rely on the use of a largely command and control structure where security is a matter of policy and process, decided by management based on risk assessment outcomes, supported by largely technical controls and closely monitored as part of an on-going continuous improvement process. From this perspective, security is best achieved via technology rather than, for example, building social networks of solidarity, examining everyday practices or working on making people feel secure or empowering them to develop their own solutions. This command and control structure works for organisations that can directly control all of the people and technology that are 'inside'. It is a model that suits government agencies, the military and the Catholic Church. It leaves little room for innovation, empowerment or individual goals and is unsuitable for most modern organisations. In short, current information security practice and its supporting language, both based on a negative security construct, are not engaging to many women and are not appropriate in the borderless, complex, inter-connected, individualised world we live in. Although broadly accepted and widely used, there is little evidence that the traditional negative and exclusionary constructs of cyber security are any more effective than others.
There is no research that demonstrates that organisations that have adopted traditional standards-based approaches to information security are any better off than those that have not. In fact, we as the people who peddle this stuff don't believe in most of the most commonly used standards ourselves. Few information security practitioners think that compliance with a standard makes an organisation secure. So, what are we doing about it? Where are those challenging the standard view of information security as a negative concept, disputing the idea that security is a predominantly technological construct, insisting that the social context is relevant and important, that security is a value-laden term that we need to understand and be able to contextualise? Where are the people looking to re-define what we mean by 'information security', when most of us acknowledge that traditional concepts like 'confidentiality, integrity and availability' are no longer of any use or relevance? Diversity of thought and diversity of opinion are incredibly important for innovation. We need people with different backgrounds, interests and perspectives to be involved in our world and help pull together a new narrative that is more fitting for current security challenges. We need people who are interested in social solutions: in looking at ways that people can be made to feel safe and secure, in building human resilience, in working with people to see how security can help them do their jobs rather than get in the way. There are glimpses that this new thinking is happening already. The Security Influence and Trust group adopted the theme 'Ask Out Loud' for Safer Internet Day 2017 (#AskOutLoud). Rather than technology, they adopted a social solution, promoting the idea of asking someone else if you're not sure about an email or other message. Recent (ISC)2 research also notes that women in management positions in information security have a wide variety of educational backgrounds, as contrasted with men who 'overwhelmingly have engineering or computer science backgrounds.' The research states 'their wider variety of backgrounds reflects the different skillsets that women bring to their roles, and highlights the values of their interdisciplinary skills.'

We need to work out what matters

I've been working in cyber security for over 15 years but I often feel I'm not really accepted by many of my more technically credentialed colleagues. I firmly believe that it's time for cyber security to mature and add a new 'social' dimension. I believe that women and others from a broad range of backgrounds can help re-formulate some of the fundamental principles of cyber security, so we can answer in a meaningful way some of the big questions such as 'What is it that information security enables organisations and people to do?'; 'What are the values we hold dear that information security supports?'; 'What freedoms can we create through cyber security?' Without this new thinking, we will continue to rely on the language of war, the fables of the strong attacker and the weak user. We will use outdated practices based on technical controls directed at asset protection, praying for a cyber event so catastrophic that it will make cyber security professionals important and relevant, while heading towards oblivion. Bring in women and social scientists, creative designers, psychologists, philosophers, organisational and learning specialists and educators. Let us have a broad, inclusive, innovative conversation and see if we can agree on how information security can help us achieve what matters. If we do that, I am sure more women will see cyber security as something with which they want to be involved.

From the Author: With many thanks to my friend and colleague Dr Lizzie Coles-Kemp and the many conversations we've had over the last few years about negative and positive security, information security practice, the importance of diversity, the human experience and the future.



Patching is critical for cyber security

There's no excuse for poor cyber hygiene

By Tony Campbell, Editor

With Oracle releasing 270 critical patches, many of which need to be applied to its E-Business Suite (EBS), it's a good time to look at your operational security posture and see if your cyber hygiene is as good as it should be. In case you weren't aware, the Australian Signals Directorate (ASD) has said that there are four mitigation strategies that businesses can adopt that introduce basic cyber hygiene into their IT operations and will thwart 85% of the intrusion techniques that the Australian Cyber Security Centre responds to. Known as the "Top 4 Strategies to Mitigate Targeted Cyber Intrusions" (https://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm), if you insist that your IT team gets these basic operational security countermeasures working properly within your IT environment, you'll likely not hit the headlines as the next big breach story. The top four strategies are:

• Application whitelisting
• Patching applications
• Patching operating systems
• Minimising local/administrative privileges

With two of these mitigation strategies relating to patching and, interestingly, application patching ranking higher than operating system patching, this is something that absolutely needs to be done well if you are to remain safe. Oracle's latest set of patches contains 121 critical security patches for its E-Business Suite (EBS), so you can see why ASD ranks application patching so high, especially when 97% of the EBS vulnerabilities are remotely exploitable without any authentication. A chain is only as strong as its weakest link. This analogy is used to explain why vulnerable, unpatched applications are the chinks in your security armour that will be targeted by an attacker. Now that Oracle has released these patches, most modern vulnerability scanners will be able to detect whether you've applied them to EBS. This kind of vulnerability audit is one of the first things an attacker does when trying to figure out how to compromise your systems. So, patches should be applied as soon as they are released by the manufacturer, right? Well, kind of. There are reasons to be cautious, some of which are real and some of which are myth. It's true that sometimes patching can go catastrophically wrong. There have occasionally been patches that have caused availability issues with operational software, where the patch breaks the application. These are costly to remediate and the service provider almost certainly gets the blame for the loss of productivity. This makes IT managers err on the side of caution, especially since service level agreements are often focused on system and application availability. Patch testing is the obvious answer: put all patches through the change management process, thus rolling them out in the normal change windows, with appropriate testing and pilot deployment prior to enterprise roll-out. This approach is fine, until you consider critical patches in the context of normal changes and the timeframes for packaging, testing and piloting complex updates, such as the 121 patches required for EBS. Every day that goes by without those vulnerabilities getting plugged is another day when you could be attacked. But if you apply 121 untested patches to the EBS servers and something breaks, you could be liable for the business's loss of revenue. There must be a better solution. Most businesses have backup and recovery plans that allow them to roll back to a last known good state. Instead of running prolonged pre-production tests, roll the patches out to a set of pilot servers, with an agreement with the business that you may need to roll them back if there is a problem. Base your decisions on a risk assessment and take your executives on the journey with you: to patch or not to patch should not be an IT-only decision. In some cases, of course, you won't be able to patch immediately, since the patch might break something that your bespoke application needs to carry on running. If this is the case, look at compensating controls, such as firewalls, load balancers, protective monitoring and application whitelisting, as ways of mitigating the risk of not patching. However, even if you've decided not to patch for a good reason and introduced those compensating controls, you need that risk to be recorded on your corporate risk register and re-evaluated on a regular basis. Just because you controlled it today doesn't mean it will remain acceptable in the future. Someone once said that patching is like car maintenance: the car will continue to run, but driving becomes increasingly dangerous the longer you leave it. It's time to view patching as a critical security function and something that is at the top of the list of things that need to be done properly.



AUSTRALIAN & NEW ZEALAND DELEGATION TO INTERPOL WORLD 2017

www.interpol-world.com

INTERPOL World 2017 is a biennial exhibition and congress event that connects law enforcement, government bodies, academia, international security professionals and buyers with security solution providers and manufacturers. This event provides a strategic platform for the public and private sectors to discuss and showcase solutions to evolving global security challenges.

ABOUT INTERPOL WORLD 2017

The mandate of INTERPOL World, a global exhibition and congress platform, encapsulates the vision of a safer world through using innovations and engaging government, organizations, and strategic think tanks in a multi-stakeholder approach. INTERPOL World 2017 showcases innovations and solutions from 300 international suppliers and manufacturers. More than 10,000 public security professionals and commercial buyers from around the world will convene in Singapore to find and forge mutually beneficial alliances leading to faster and more accurate responses to global security threats. INTERPOL World is an event owned by INTERPOL, supported by Singapore's Ministry of Home Affairs, World Economic Forum and Singapore Exhibition and Convention Bureau.

"We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners." - Ian Readhead, National Police Chiefs' Council, UK

CONGRESS TOPICS

4 July 2017 - Shedding light on the "Dark side" - Cyberspace and the future of security. Managing cyber threats to society from the "hidden" Internet.

5 July 2017 - Prevention - Getting smarter, faster and more precise. Preparing policing strategies, approach and tactics for managing urban centers and global cities of the future.

6 July 2017 - Identity management and detection in a borderless world. Law enforcement, migration and border management in an age of globalization.

Please visit www.interpol-world.com for more information about the Congress and Exhibition in Singapore, including the current Congress agenda.

FOSTERING INNOVATION FOR FUTURE SECURITY CHALLENGES

IMPORTANT INFORMATION

Dates: Congress 4 – 6 July 2017; Exhibition 5 – 7 July 2017

Location: Suntec Singapore Convention & Exhibition Centre, Singapore

Apply by 31 May, 2017

WHO SHOULD PARTICIPATE

Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators from:

• Homeland Security Departments
• Law Enforcement Agencies
• Regulators and Policy-makers
• Critical Infrastructure, including Telecommunications, Airports/Ports/Harbours, Public Transportation, Public Utilities, Sports Stadiums
• Commercial Sectors, including Banks & Financial Institutions, E- and M-commerce, Data Centres, Hotel Chains, Pharmaceutical, Oil and Gas, Brand owners, Commercial, Residential & Industrial Property Developers
• R&D Institutions
• Academia
• Media


WHY YOU SHOULD PARTICIPATE

Sourcing Platform - Source the latest information communication technologies, public safety and security products, vehicles, robotics and unmanned systems, gears and accessories and many other innovative solutions that will address your security challenges.

Networking Platform - Industry networking receptions allow you plenty of opportunities to expand your business contacts.

Business Platform - Look out for our Online Business Matching to schedule meetings with exhibitors, delegates and speakers prior to your visit.

Knowledge Platform - Learn from security think-tanks and best practices from various government agencies and commercial companies at the INTERPOL World Congress.

REGISTER NOW AT www.interpol-world.com/visiting-delegation

CONGRESS FEES

MySecurity Media will coordinate your participation in the program as a member of the official Australian and New Zealand delegation. Participants are required to arrange their own flights.

PRIVATE SECTOR PARTICIPATION

Pass        Group of 5 and more (up to 31 May 2017)   Early bird (up to 31 May 2017)
3-day pass  S$1,275                                   S$1,512
2-day pass  S$935                                     S$1,152
1-day pass  S$612                                     S$720

PUBLIC SECTOR & ACADEMIC PARTICIPANTS

3-day pass  S$230
2-day pass  S$160
1-day pass  S$90

ACCOMMODATION PRICE OPTIONS*

Est. time to exhibition & venue   Room rates (Single)   Room rates (Double)   Internet access
12 min walk                       SGD 310++             SGD 340++             Yes
9 min walk                        SGD 275++             SGD 305++             Yes
12 min walk                       SGD 260++             SGD 290++             Yes
15 min walk                       SGD 190++             SGD 210++             Yes
15 min walk                       SGD 155++             SGD 170++             Yes

*List of Hotels available on request

REGISTER NOW AT www.interpol-world.com/visiting-delegation

IMPORTANT INFORMATION

If you are considering this delegation, MySecurity Media recommends that you consult 'Smartraveller', the Australian Government's travel advisory service, which is available at www.smartraveller.gov.au. Travel advice is updated regularly on this site.

KEY CONTACT

To discuss your participation options further, please contact: Chris Cubbage, Director, MySecurity Media, ph | +61 (0)432 743 261, e | INTERPOL_World2017@mysecuritymedia.com


From student to pen tester: My journey into cybersecurity

By Jason Magic

I was 17 and still in high school when I first discovered the computer hacking scene. One of my computing teachers at the time stated that no one could get access to any of your accounts, on the condition that it was password protected. I disagreed, did some research, and wished to prove to my teacher that this statement was false. After reading many articles and learning about the different attack vectors and exploitation techniques, I managed to gain elevated access to the school’s network. I have been in love with hacking ever since. At the time, I didn’t realize how such a small statement from that teacher would shape my passion and the future of my life.

Each day after school, I was fired up to gain more knowledge and experience, so I joined lots of hacking-related forums and IRC channels, participated in capture-the-flag competitions and spoke to security researchers on both sides of the fence.

When I graduated high school, it was time to decide what I wanted to do and who I wanted to be in the future. I followed my passion and enrolled in a Bachelor of Science in Cyber Security. This, in conjunction with additional self-mentoring, provided a deeper understanding of the field and enhanced my skillset.

While studying at university I was eager to begin a career in the industry as soon as possible. I applied for lots of junior entry roles; however, I constantly struggled to obtain an interview. Even for junior roles, I found that many corporations were seeking an asset with demonstrated experience, or a practical qualification I had not yet obtained. In saying that, I wanted to take my practical and theoretical knowledge outside the academic environment and into the wild. I aspired to do so in a manner that couldn’t reflect as being detrimental to my future in the security industry, especially before it had even begun.

Therefore, at 21 years of age, I decided to put on the white hat and began doing freelance work, followed by bug bounty programs. This was not purely for monetary benefit. At the time, learning more, establishing a portfolio, testing my gained abilities, and obtaining some form of experience was of greater value. Therefore, I initially began freelancing for nothing in return, before discovering bug bounty platforms. I would report low, medium and severe vulnerabilities to the appropriate directorates associated with the affected corporations and high-profile government agencies. Following the above, I then signed up to an array of bug bounty platforms, which led to many vulnerability disclosures through the affected vendors’ public programs.

Within just three months, I had discovered and responsibly disclosed exploitable vulnerabilities affecting Government establishments, including, but not limited to, a South Asian Police agency, the US Army, NATO, NASA, the Asia-Pacific Space Cooperation Organisation, the Australian Signals Directorate (Signals Intelligence Agency), Eskom, an electricity public utility (critical infrastructure) and more. Within this same period, I had also identified web application vulnerabilities within Uber, the Australian Securities Exchange, Sony, Cisco, Juniper Networks, Vodafone, Optus, Standard Bank, Universal Studios, Woodside Energy, FedEx, as well as universities in Australia, the USA and New Zealand.

As a freelancer and a bug bounty hunter, I had both positive and negative experiences. The outcome of responsible disclosure was predominantly positive when conducted over bug bounty platforms. However, when it came to dealing with the vulnerable vendor with no intermediary, some companies didn’t like an external entity testing their Internet perimeter. My worst outcome was when one vendor I had reported a severe vulnerability to tried to ‘hunt me down’. Two months had elapsed since my initial report was submitted to them, they had not fixed the vulnerability, and a cyber-attack was launched against them. They assumed I had exploited the vulnerability for a direct system breach. However, this was not the case, nor was it evident in their logs. In saying that, I have had a great many positive experiences with many vendors: receiving letters of recommendation, references, my name listed in halls of thanks, t-shirts, services, products, and so forth. However, for me the greatest reward of them all was that I now had a portfolio that displayed some experience within the security industry as a penetration tester. This gave me a key to open a door to the future, and provided the foundation of what I required to secure a career in the industry I had formed a passion for.

After applying for an employment opportunity, I was contacted by the man himself, Adam Broadbent. Adam provided me with many opportunities to speak with companies that were looking for junior penetration testers. I followed the process, and was offered a motivating career as a penetration tester for a global consulting firm.

Nowadays, as a white-hat hacker, you can make good money, work on interesting projects, and still get the same thrill as you’d get as a black-hat. Private and public corporations are now widely beginning to recognize a need for us computer hackers, and the rewards are endless. If you’re reading this and you have the desire to become a penetration tester, my suggestion to you is: get involved in bug bounty programs. This will give you some experience and insight into the industry. Additionally, it would be advisable to complete a practical qualification like OSCP, which is highly regarded in the industry.

I am currently building a blog about the security bugs I discovered during my time as a bug bounty hunter. This is still a work in progress, though if you’re interested, stay tuned at: http://ret2eax.pw/

Thank you for reading.

www.linkedin.com/in/jason-magic/


The truth is like poetry... most people hate poetry. Prevention is possible and defence is doable

By Chris Cubbage

Eric Cornelius, Director of Critical Infrastructure and ICS, Cylance Inc.

Having been at Cylance since the beginning, Eric has been at the forefront of a stunning journey along with founder Stuart McClure and the inaugural team, setting out to shift the economics of cyberwarfare and force attacks to be highly targeted and thereby expensive. Speaking in Canberra at the Australian Cyber Security Centre Conference this March, Eric made it clear at the outset: “I want to make a rant against the cybersecurity industry. I think we are all brainwashed by all this stuff that is continually thrown at us. Defence is doable – but like putting Man on the Moon, you first have to believe it is possible. If the cybersecurity industry does not believe it is possible then what are ‘we’ all doing for a living? Though one size does not fit all and one person’s security is different from another’s.”

A proud product of the US Government, Eric was an exploit developer and coder, and after a 12-year Federal Government career was appointed the Department of Homeland Security’s Deputy Director and Chief Technical Analyst for the Control Systems Security Program.

“Most organisations will already have 80 per cent of what they need in terms of security – it is a case of the more you know the less you need. The process of assessment should be based on the business case of ‘annualised loss expectancy’.” With a reference to a concept of operations, Eric recommends, “ask what is the minimal path to the maximum damage.” Similar in process to red teaming, “identify the task of bringing the organisation down and the most likely method that would be taken to achieve that mission. It is not going to be just one exploit. Most vendors are only solving individual pieces of the problem. By taking several exploits and chaining them together, in a kill chain or attack tree, the security practitioner can build a concept of operations to determine what impact these attack chains would have on the business if they were to occur. This is the single loss expectancy. The next question is how many times per year this event would be likely to occur, what is the likely cost impact and what is the likelihood of it reoccurring if we don’t defend against it. Security practitioners are often very bad at articulating the value of the return on investment in security, in a business context. The solution is in the math. We should automate as much as humanly possible.”

Eric outlines the key steps in gaining a measured security posture. “The first step is to do a good job with the asset inventory and know all your devices and endpoints. All the Windows devices will be easily found on a passive network tap, and any of the devices that are unknown are likely to be found by an adversary and exploited. Architecture network diagrams should be kept current, in order to protect the data, being the ‘operational crown jewels’. Data has different values so it is up to the individual business to know what data is important – generally the data that is making the business money is the data that the attackers will be after. Once the data is identified you need to understand where it is and then the paradigms of protection – be it all the machines equally or the machines housing the data to be kept at a higher level of security.”

Most importantly, people are not well trained. “If I had $10 to spend on security, I would put $8 into my people. I’m not talking about just a phishing campaign - people need to be compelled and empowered. People have to believe in the security program and understand their actions have impact.”

“Next are such concepts as ‘indicators of compromise’. This is a fancy phrase for signatures and is not a suitable approach to rely on. By the time a signature is detected it is already too late. By the time the exploit has been detected and analysed, it receives an indicator and goes up the food chain to be shared and into expensive threat intelligence feeds. That process can take up to 500 days. It is at least 100 days stale. This is not good, because in that 100 days the attacker knows they’ve been found, has pivoted and is not using that exploit anymore. SIEMs and SOC tools are only ever looking for old stuff. What is the point of that? This entire paradigm is broken and the entire way we are looking at security is inherently flawed.”

“Why do we accept from security practitioners that we ‘are’ going to get hacked? It is like accepting from your dentist that despite brushing your teeth you will get cavities, or from your mechanic that your car will break down despite changing the oil – you would sack your dentist and sack your mechanic, but we accept this from the security practitioner. Why do we accept this? Because it is hard – my Dad used to say there will be aspects of your job that suck – that is why someone will pay you to do it!”

“The detect and respond paradigm must have been invented by some IT guy who wanted job security. It is ambulance chasing. When I go into environments I can often narrow down their two key priorities to focus on. But they ignore this advice because they’re ‘hard’ – they would prefer to spend money on a flashy toy that appears to make their job easier. Prevention is totally possible. Almost all attacks happen the same way. Attackers are people too. Do you think I am going to write a zero-day attack just so I can use it on you? No. I am going to use MS08-067 because you don’t know how to patch.”

“There are only two ways to get into your environment. One – you invite it. For example – you create and email a file called ‘For your eyes only - 2017 salaries’, but that file must enable macros to view salary numbers. The attacker is in! Or you don’t invite it. This requires the attacker to find a way in using some type of exploit. The thing to remember is the attacker is human too – he probably hates his job but hates you more. APT, or advanced persistent threat, should be referred to as the ‘adequate’ persistent threat, because the attacker is only going to do the least amount required and will do just enough in order to succeed. Attackers are only as effective as they have to be.”

“Humans are at the core of every cyber security problem. Use people for things that they are good at and use technology when technology is good at it. People, process and technology - it is an algorithm. These are not three independent pillars. People need to be trained in processes which use technology. Know thyself - no shame in saying we are not the best – but the more you know the less you need. Vendor products are good at solving one thing, so this is a defence in depth approach. Have a security roadmap and know where you are going. Compensating controls are not solving the problem but can reduce the risk. If an in-house capability is required, look to hire at least one ninja and then build a team around them.”

There are four pillars of cybersecurity: the endpoint, the network, the user and the data. Between these four areas you cover all aspects of cybersecurity. Start with the network. The approach should be to have a well-designed architecture and an effective endpoint security solution that is matched to your requirements. Have good network awareness, ideally inline. Then have a mechanism to identify the user, preferably something more effective than just a user name and password. For data, have some sort of DLP, or enclave architecture. Machine learning turns out to be much more effective than humans at classifying business data.

Cylance Identity, based on behavioural analytics, is scheduled for release in July. With the promise to be more accurate than a fingerprint, Cylance Identity will map user behaviour across a wide range of metrics, including key strokes, the ‘flight time’ between key strokes, the way you interact with your applications, the way you use your mouse and even the way your phone moves in your pocket. Others include the proximity to other devices, geography, time of movement and access. These metrics will determine a ‘confidence score’ which will be user configured – so if the user works for a Government agency the score may be as high as 97 – 99%, and if it’s an SMB then 47% may suffice.

Ultimately, Cylance intends to continue its impressively rapid growth and will reach out to the consumer market. But first it will continue to be deployed across the enterprise sector and, as it builds a robust support infrastructure, it will roll out, in particular for malware detection, and may come to consumers as soon as the end of 2017. Stay tuned!


Your mum & IoT security

By Morry Morgan, IoT & Technology Correspondent

On October 21, 2016 the USA suffered one of the largest cyber attacks of its kind. But this wasn’t the Russians. The culprits were much more terrifying. Thanks to the boom in Internet of Things (IoT) devices and poorly configured built-in security features, the culprits were ordinary and naïve mums and dads spread across 164 countries. To be more precise, it was their 500,000-plus unsecured routers, digital video recorders (DVRs), security cameras, and even refrigerators that caused the outage – turned into ‘zombies’ by a botnet called Mirai. These mundane appliances, albeit with Internet connectivity, were one minute keeping vegetables fresh or recording an episode of Game of Thrones, and the next sending lookup requests with a combined volume of 1,100 gigabits per second, all to a single IP address.

Had the victim been a lone website, as was the case on December 31, 2015 when the BBC was hit by a Distributed Denial of Service (DDoS) attack from ‘New World Hacking’, only a small number of users would have been inconvenienced. But the Mirai botnet was more strategic. It attacked the Domain Name System (DNS) provider Dyn, based in New Hampshire, and in doing so made the websites of Amazon.com, AirBnB, Netflix, and over 70 other significant companies invisible for six hours. The IoT had successfully been used for evil, at a cost to companies of roughly $110 million in potential lost revenue.

Mirai represents a new type of threat for the interconnected world. By its very nature, IoT creates the conditions for rapid proliferation of botnets that often have, as was the case for Mirai, scanning programs that automatically search the Internet for unsecured devices. They then infect, replicate and hibernate, until a command is given to awaken and unleash cyber chaos. Worse still, IoT DDoS attacks originate from thousands or even hundreds of thousands of devices worldwide, whose owners are completely ignorant that they are accomplices in a crime. And even if they did know, many IoT devices have no simple patch, update, or virus scanning functionality, meaning the IoT device will be part of the problem until it is replaced. That could be years or decades. In the meantime, the exponential growth of IoT devices is estimated to reach 20 billion by 2020.

One solution lies with the regulation of manufacturers. Frank Zeichner, the CEO of IoT Alliance Australia (IoTAA), says that modems in Australia that are “behaving badly” are visible to Internet Service Providers (ISPs) and that these ISPs are responsible for sharing this information with the Australian Communications and Media Authority (ACMA). But while vulnerabilities are being reported, “currently in Australia they are not being acted upon. There are no teeth in responding to this threat.” Zeichner believes that it’s just as important to get information out to consumers regarding the vulnerability of their routers, cameras and IoT-enabled white goods. But he adds that this education will take time and investment. “If Harvey Norman sales people don’t know about the vulnerabilities, then their customers aren’t likely to know either.”

This is made more challenging by the eagerness of many manufacturers to release ‘smart’ products without a complete understanding of the repercussions of lax security. Evidence of this is last week’s warning that an IoT dishwasher, produced by German white goods giant Miele, was ‘prone to a directory traversal attack’. These types of attacks let hackers access directories and data, such as sensitive configuration files, and potentially hijack the machine and infect it with malware or a botnet like Mirai. In a worst-case scenario, the Miele dishwasher would still give you spotless plates, but could simultaneously crash your favourite shopping website.

Zeichner hopes that the ACMA can encourage IoT manufacturers to follow a code of conduct on security, with a kind of ‘Heart Foundation Tick of Approval’ for those abiding by the rules. Failing that, he believes that “badly behaved manufacturers should be made public and suffer the consequences to their reputation.” And he hopes that as the IoTAA grows, from its membership of 140 companies, 450 individuals, as well as observers from both State and Federal governments, its recommendations become full-blown legislation.

At which point, the second solution becomes available – legal action. In the United States, where IoT regulation is slightly ahead of Australia, the Federal Trade Commission (FTC) has filed a complaint against the Taiwan-based computer networking equipment manufacturer D-Link Corporation and its US subsidiary. The claim, submitted in January, states that the company “failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras.” This is despite the company stating on its website that the hardware was “easy to secure” and had “advanced network security.” This was clearly not the case; D-Link was a favourite target of the Mirai botnet. Further, the company’s inadequacies in security have been documented as far back as 2009. The hardware-hacking site Hackaday.com has its own section on D-Link, with step-by-step guides on how they’ve hacked the company’s many routers over the years.

The FTC’s action is a warning shot across the bow of the IoT industry, although it will be a while before the outcome is known. In the meantime, the agency is also trying to be part of the solution by launching the ‘IoT Home Inspector Challenge’ - a kind of ‘bug bounty’ for freelancers, with a grand prize of US$25,000 for the best tool that helps “protect consumers from security vulnerabilities caused by out-of-date software”. The FTC hopes to employ the collective skillset of the IT community, a model used by the likes of Facebook, Google, and the original ‘bug bounty’ pioneer, Netscape. Some companies have also profited from this outsourcing trend, developing a solid business model of rallying ready-for-hire ‘white hat’ hackers. HackerOne, one such bug bounty coordinator, has over 100,000 registered freelancers and boasts that 75% of companies that sign up to the service receive a bug report in less than 24 hours. That efficiency will be necessary with the exponential growth of IoT products, combined with the ignorance and too often callous behaviour of manufacturers.

Of course, there is one other possible solution to ensuring IoT security, although Zeichner is quick to add that the consequences could be damaging to the entire industry. “Cyber-security insurance in the United States currently sits at about 3%, and there’s an indication that this will grow. And since insurance companies don’t like paying up, they will look to sue the culprits of the security breach.” Their targets are not necessarily going to be the hacker, or the manufacturers who have skimped on security. It’s also possible that they will ignore the distributors and wholesalers, who have ‘aided and abetted’ in distributing susceptible IoT devices. The most terrifying scenario is that these insurance companies, in their goal to recoup losses, could target those harbouring the infected routers, DVRs or Miele dishwashers. They could be coming for your mum and dad.



Cyber Security

INFORMATION SECURITY: Not just for hackers

By Anthony Langsworth

Hardly a day goes by without reading about the information security skills gap. Changing IT landscapes (e.g. virtualization, cloud, BYOD, IoT, blockchain, AI), coupled with increasing technology reliance and attack sophistication and frequency, mean even non-tech companies need information security expertise. However, the information security industry focuses heavily on hacking. Conferences that focus on new exploits or defences, like Black Hat, are "proper" information security conferences, and those focusing more on business, as RSA does, less so. This binary viewpoint – you are either a security person or not, and there is only one “true” information security professional – does more harm than good.

Hacking is technology focused, leading to technology-centric thinking or tunnel vision. Information security needs people that can articulate security issue impact, potential solutions and their cost in terms that non-security people can understand. Information security needs people that can talk to non-information security people as equals instead of just being "the security guy." How often do frustrated information security staff complain about people not prioritising security? About how people need to be more vigilant? About the lack of repercussions for lapses? Bridging the divide needs two things: expertise in other business areas, and the credibility to be listened to. Expertise can be valued at an individual level, in management or the boardroom. Credibility usually requires acknowledged expertise over an extended period.

Security solutions are not just technical. For example, we live in societies governed by laws. These can be standardised government security requirements such as FedRAMP or IRAP. These can be contractual obligations like PCI-DSS, covering credit card transactions. These can hold organisations accountable, like mandatory breach disclosure legislation, or protect privacy, such as the European Union’s Data Protection laws. Effective legislation requires knowledge of both law and information security and the political nous to get it enacted.

Financial systems also surround us. Those that punish those with weak security and reward those with proper security will only evolve if we (consumers and investors) value security more. Cyber insurance has potential. Cryptographic technologies like bitcoin and blockchain algorithms are threatening to disrupt the financial sectors. Information security has impacted and will continue to impact finance.

Law enforcement faces huge information security challenges. For example, digital forensics requires technical skills for identifying evidence from the plethora of log sources and products, and preserving it to ensure the chain of evidence is maintained. However, it requires different skills for understanding what laws apply and for presenting evidence to a non-technical jury. Cross-jurisdiction cooperation is also needed, along with an understanding of various legislation, precedents and expectations.

In healthcare, security and compliance are the primary barriers for eHealth (centralised, electronic storage and access to health records) in Australia. Security vulnerabilities in medical implants, potentially dangerous diagnostic apparatus or monitoring systems can be life threatening. Security requirements must minimise the impact on stressed staff and budgets.

From an education standpoint, someone needs to train the next generation of information security professionals. These educators need more than just the traditional cryptography and infrastructure focus to make information security appealing and relevant to a broader group. Meanwhile, they must keep their knowledge and syllabus current in a rapidly changing information security industry.

The information security technology focus drives away non-technology people. In a world crying out for diversity and collaboration, the last thing information security needs is people focusing solely inward on themselves, reinforcing stereotypes of shady basement dwellers. According to the 2015 (ISC)² Global Information Security Workforce Study, only 10% of the information security workforce is female. The study mentions women are increasingly drawn to governance roles, as well as risk and compliance (GRC), where a mix of technical, management and interpersonal skills are required. Would a broader focus encourage more participation?

Taking this to technical areas close to hackers' expertise, security people often lack skills to contribute to IT system development and design beyond security. While information security touches many areas, information security expertise is not development or networking or architecture or DevOps expertise. In software development, for example, the OWASP Top 10 changed little from 2010 to 2013, and some predict it is unlikely to change much in the 2016 call for data. Per the 2016 Microsoft Security Intelligence Report, around half of serious, industry-wide problems are from applications. Software developers make the same mistakes again and again.

Education is one solution. Security-literate software developers may avoid or fix security issues themselves. Information security is finding its way into tertiary courses, although usually as an elective. Examples and how-tos increasingly consider security. Secure configurations are becoming the default. Software scanners are including better help and interactive training.

A better solution is tools and libraries that are not vulnerable in the first place, moving security from being reactive to proactive. For example, it took years for the vulnerabilities in constructing SQL by string concatenation, SQL injection, to be widely understood. While mitigations are now available, like parameterized queries or object-relational mapping, a lot of vulnerable code still exists. Many coders still do not know the risks, either.

DevOps and software-defined networking are another opportunity. Deployment and configuration of networks, operating systems and applications was once a highly manual and error-prone process. Information security responded by requiring strict adherence to defined processes, then scanning with vulnerability management tools to find gaps. However, with the increasing use of API-driven technologies to provision servers, configure networking devices or run workloads on cloud platforms, information security has another option: information security staff can review or even write scripts themselves, ensuring security is built in and systems created using the scripts are not vulnerable to known threats.

In both these cases, this allows information security staff to perform a technical security review, which checks the implementation instead of the more traditional documented or scanned ones. It is easy for a scanning tool to miss a server or subnet, for example, or for documentation to skip or assume significant details. Scripting is also a more efficient use of time. The deeper or broader the traditional security review, the longer it usually takes. Implementing something repeatable scales out much more efficiently. Scripts can also be reused or extended.

Information security needs different perspectives to succeed beyond just hacking. Not only will it meet business needs, but it can also improve information security people's effectiveness and attract more people into the profession. Moreover, information security is a specialisation for everyone to consider, not just hackers, and we should be creating a culture welcoming others' insights and contributions. There is a lot to secure, and we need all the help we can get.

About the Author

Anthony Langsworth has worked in a variety of software development, management, architecture and security roles for 20 years, from multiple startups to a director at Symantec. He currently works at Dimension Data, focusing on the overlap of IT security and system design, particularly in software development and the cloud. He has three security patents, a CISSP and a CCSP. He is an open source contributor and blogger.
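To make the article's point about SQL built by string concatenation concrete, here is an added example (written for this page, not the author's code) that places the vulnerable query beside its parameterized form and runs both on the same inputs; the table, its rows and the inputs are constructed for the demonstration.

```python
"""Concatenated SQL beside its parameterized form (added example).

Example code written for this page, not the author's. The schema,
the rows and the inputs below are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the caller's string becomes part of the SQL text.

    A username containing a quote character changes the structure of
    the statement, so the WHERE clause no longer means what the
    developer intended. This is the pattern the article describes.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Mitigated: the value is bound to a placeholder, never parsed as SQL.

    Whatever characters the string contains, the database compares it
    against the column as an opaque value.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> dict:
    """Run both versions on the same input and return the row counts.

    Returns {"concat": n, "param": n} so the divergence between the two
    implementations can be checked rather than only printed.
    """
    conn = make_db()
    return {
        "concat": len(lookup_concat(conn, username)),
        "param": len(lookup_param(conn, username)),
    }


if __name__ == "__main__":
    # A normal username: both versions agree on one row.
    print(compare("bob"))
    # A constructed input with an embedded quote: the concatenated
    # version matches every row, the parameterized version none.
    print(compare("x' OR '1'='1"))
```

The second call is the whole lesson in one line: the same function signature, the same input, and only the version that treats user data as data gives the intended answer.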



Cyber Security

CYBER SECURITY IN 2017 2 By Ricki Burke

016 was an interesting year in Information Security. I feel like it was the year being hacked became normal. We saw a variety of attacks targeting a variety of victims, ranging from a single person hit with ransomware, to the unprecedented DDoS attacks that took down a massive chunk of the Internet on the U.S. Eastern Seaboard. We also saw the U.S. election process’s integrity called into question, where the Senate Republican leader is now backing an investigation into whether Russian hackers influenced Trump’s victory. So, what will 2017 bring? More of the same? We’ll certainly see more data breaches, more hacks, new threats and vulnerabilities to old and new technologies, all of which need. What looks exciting is the further development of technology, such as IoT drones, AI and Blockchain. This year I think that organisations will become better prepared, especially as they start working with security as opposed to against it – this is because communication lines will be opened up as the business gains a level of awareness about cyber threats. Mario Bekes, Managing Director of Insight Intelligence, told Insurance Business, “We have seen a growing awareness from firms of the need to look at their cyber security from a people perspective and not just an IT perspective”.

What’s Changing?

We hear about the skills shortages in cybersecurity, but what does it mean? Is it just a lack of people or does it go deeper than that? It’s been explained to me many times, “It’s not the lack of people, it’s the lack of good people”. I think there is a shortage of people, but we must look deeper at the type of roles and people required. What has become apparent is the lack of Security awareness within organizations. Some organizations are now starting to do something about this. For example, a company called Enex Carbon, based in Melbourne, is focusing on the human element of Information Security, not just technology, and offers security culture and awareness as a service. In 2017, we’ll see more of a shift from technology to looking at people. People are the biggest weakness but could be the biggest strength in this industry. Historically, Security has been the department that says "No", and that may be due to how agendas, reasons and initiatives sometimes haven’t been explained to the Board in a way that they care about and in their language. For the industry to succeed and be the enabler it can be, it needs a variety of people and skill sets. There is a big push for more females in the industry and rightly so; as per an article from Booz Allen Hamilton, Information Security is made up of only 10% female. What is required is the ability to bridge the gap between understanding what Security wants to achieve, explaining what is going wrong or what could go wrong, and understanding what is critical to the Board. Telling a Board you want to spend $x on a product because it’s a malware detection tool to identify malware on endpoints isn’t going to fly (I know the conversations would be deeper than that, at least I hope). If you want to get sign off, you’ll need to articulate it to the board or business in a way they understand and care about. Additionally, it’s vital to communicate awareness across an organisation in a way the staff care about. Anyone, male or female, can play this role; you don't have to understand the nuts and bolts of how things work, you need to understand “the why” and then communicate that. An interesting trend I am seeing is a demand for people from other business areas to join the Security industry. I think different experiences and knowledge of other areas can help provide a better understanding and insight for Security when dealing with the internal business and communicating with them. For example, I’ve heard a few times that someone from a Bachelor of Arts or Humanities background fits well into Security due to their creative and analytical thought process. Recently, Lucy Chaplin, a manager at KPMG Financial Services Technology Risk Consulting and an (ISC)² member, stated in an article “Cybersecurity employers could easily diversify their workforce if they recruit for key attributes instead of specific degrees, understand that training ultimately pays off in better staff retention rates and that business skills are as important as technical expertise for the modern cybersecurity professional”.

What’s with the Cloud?

Cloud computing has been and will continue to disrupt traditional computing and we’ll see many more organizations moving to variations of the cloud. Infosecurity Magazine stated, “Cloud security worries are accelerating as the technology goes mainstream: Security and privacy of data and systems in the cloud remains a top worry for 70% of IT professionals worldwide, up from 63% in 2015”. Cloud security skills are critical for any business adopting this strategy and the roles I see in demand are:

• Security Engineer
• Network Security Engineer
• Security Consultant
• Security/Cloud Architect

IoT will become a bigger part of our lives, although I don't see it going mainstream until maybe the end of 2017/2018. Drones are slowly creeping into different industries and a few months ago we saw Domino’s announce a partnership with a leading commercial drone delivery service which will be tested in New Zealand. These organizations will now have to start preparing for ‘Dronejacking’. Once you get past the immediate thought of Terminator and Skynet, AI looks very interesting. The market is expected to be worth over $16 Billion USD by 2022. This market growth is being fuelled by the likes of Google, IBM and Microsoft engaged in R&D and new product launches of AI-enabled products. What does that mean for Security? Cylance, for instance, is doing very well. Founded four years ago, this threat prevention company uses machine learning to solve complex problems and is already valued at $1 billion USD. AI will not bring an end to jobs, but like many industries, roles will continue to evolve. Blockchain also looks exciting. When you are dealing with money then it must be secure… full stop. This industry will require a lot of the existing talent that sits within the Security industry. As exciting as it is, I still think it’s a bit early; breakthroughs will likely come in 2017, but there are a lot of unknowns.

What’s the Future of the Security Landscape?

Tier 1 organizations, such as banks, telecoms and large institutions, are well underway with cybersecurity projects and will most likely have their own SOC. Tier 2 organizations could have a mix of SOC and outsourced Security, or purely outsourced. Tier 3 needs the most help; this tier is start-ups. These organizations could be one attack away from going out of business. Tier 2 and 3 are very similar in that they are organizations which are starting to wake up to the fact that they need better Security, but simply can’t afford it. One of the biggest growth areas I see is MSPs (Managed Service Providers), and a recent report by MarketsandMarkets estimates the industry to grow from $17.79 Billion USD in 2015 to $35.53 Billion USD in 2020. Tier 2 and 3 will outsource their security to a ‘security as a service’ (SECaaS) model. 2017 looks like it will be an exciting year. More technology means more people entering the industry and transitioning into newly created roles. I think if organizations work better with Security then the industry can be even stronger in 12 months’ time. One thing I hope people will be mindful of is that when technologies are emerging, opportunities open for hackers. Vulnerabilities can be exposed when technologies are evolving, and those working with them are learning as they go. In my opinion, big consideration must be made with the introduction of new technologies, and Security needs to be a fundamental part of the decision-making processes and not an afterthought.

About the Author

Ricki Burke is Founder of CyberSec People, an international Information Security recruitment consultancy. In addition to supporting organizations with niche talent, he is actively looking to make a difference within the industry helping graduates, and is a Co-Founder of Cyber Security Career Kick Start, a free event for students to gain knowledge and practical steps to get their first job within Information Security. Plus, he is partnering with networking groups to help promote diversity.



Corporate Security

IAM Feeling Good? The feeling of digital identity management

By Guillaume Noé

I switched banks years ago. My former bank’s financial services and benefits were average when compared to other banks, but something triggered my decision to switch. I had developed a bad online user experience, and especially a bad feeling about Identity and Access Management (IAM). The online banking website had some clunky functionality, a poor look and feel overall, and an unusual and annoying authentication function. My dissatisfaction developed from my first interaction with the app and it increased every time I logged in. Online user experience (UX) is important and it usually starts with IAM functions such as identity enrolment and access.

The secure user experience conundrum

A business I recently engaged with highlighted a common challenge across IAM approaches, which reminded me of my experience with my old bank. The context was about providing clinical staff with secure and convenient access to business applications from any device, anytime, anywhere. Business and security stakeholders had some different views on how to best implement strong authentication functions. “We’ll need two-factor authentication,” the business stakeholder told me. “I’d like to use SMS codes, but nothing like Google Authenticator, which would require the staff to deploy an extra app on their mobile device. It would kill the [business] service adoption.” At the stakeholder’s suggestion, I then discussed the matter with the company’s CISO separately. “Yes, we’ll want two-factor authentication,” the CISO confirmed. “I don’t want SMS passcode. It’s not that well-rated anymore from NIST, and for good reasons. We should look at a [soft] token solution.” The business stakeholder prioritised the usability and the security stakeholder prioritised the strength of the security controls. The different priorities are understandable, but they present a challenge of somehow converging the respective stakeholders’ expectations. This challenge is quite common with security projects, and especially with IAM.

Three key criteria of identity and access management

The functions of IAM are implemented in many ways, in both enterprise and consumer contexts. For example, consumer identity enrolment processes can require different input from the registering users in content, format and steps. Authentication functions can also be implemented through a wide range of options that deliver different user experiences. The convergence of user experience and security priorities is critical to enhance the IAM feel, boost user satisfaction and facilitate the successful adoption of online business services. A good way to manage the convergence issue is through the following three key criteria of IAM: function, security and feel, with a set of guidelines to integrate them efficiently.

1. IAM Function

IAM processes simply do stuff. For example, the identity registration process creates new digital identities and credentials, which users can then use to access applications. The authentication process verifies a user’s credentials. When the verification is successful, the process creates a session and provides the user with access to an application. The IAM functions require different levels of user involvement. They subject users to different experiences and provide different levels of security.

2. IAM Security

The key IAM functions of identity registration or enrolment, proofing and authentication can be rated on a security scale of assurance level. The US National Institute of Standards and Technology (NIST) issued digital identity guidelines that provide a good reference on assurance levels: the Identity Assurance Level (IAL) and the Authenticator Assurance Level (AAL). The assurance level is determined by the way the IAM functions are implemented. The higher the assurance level, the more is typically required from the users and the technology they use.

3. IAM Feel

Users such as consumers, citizens, staff members and business partners develop different feelings and experiences through their interactions with IAM functions. That experience can be critical to user satisfaction and to the successful adoption of online services, especially with consumers. The IAM functions create a first impression ranging from bad to good that will evolve over time. For example, the frustrating online banking authentication experience that contributed to my decision to switch banks involved the use of a virtual keyboard to input a Personal Identification Number (PIN), and the virtual keyboard changed the order of the keys every time. That type of frustration builds up. In my experience, the IAM feel has not been given much consideration to date across industries. The IAM functions are still often delegated to security stakeholders, with limited collaboration or influence from the business side.

Balancing user experience and security

The following guidelines can help IT teams manage a balance of Identity and Access Management function, feel and security for the best business outcome:

1. Start with an application risk assessment and assert the required security assurance levels for IAM functions. Identify the technologies and process options available to achieve the target assurance levels.

2. The IAM feel is valuable to the business. A better IAM feel can outweigh a different or more expensive IAM function if it contributes to better user satisfaction and better online service adoption, especially for online consumer services such as banking, shopping and citizen services.

3. Collaborate across security, digital and business stakeholders on the IAM functions from the beginning. Don’t leave it to a User Acceptance Testing (UAT) phase for the business stakeholders to realise, very late, what their clients must go through to access apps. Some IAM technology platforms also make it easier to orchestrate such collaboration.

4. Apply IAM UI and UX frameworks to IAM processes. For example, consider User Centred Design (UCD) principles for the development of IAM related user interfaces.

5. For access processes, avoid using passwords at all if you can. They are a total pain for users. Prioritise the use of biometrics-based methods where possible. Use mobile apps for strong authentication options. I’m a big fan of the push authentication (Push-Auth) and push authorisation mechanisms. Consider also offering users the option to select a preferred, strong authentication method if they want to. It’s a nice touch.

Based on a previously published article on SecurityIntelligence.com: https://securityintelligence.com/iam-feeling-good-what-cisos-should-know-about-the-feeling-of-identity-and-access-management-solutions/



Dr Feakin presenting at #2017ACSC

“We are dealing with significant issues, significant compromises and we're still learning. We’re continuing to evolve.” - Clive Lines, Operational Lead, Australian Cyber Security Centre #2017ACSC

PILLARS & PLANS: Up close with Australia's Cyber Security strategy

By Chris Cubbage

The Cyber Security Sector Competitiveness Plan (CSSCP), released in Sydney on April 20 and launched by Arthur Sinodinos, Minister for Industry, Innovation and Science, seeks to break down how market judgements have been determined, the impacts on the economy and a roadmap for the cybersecurity sector. The CSSCP proposes Australia has competitive advantages in the cybersecurity domain, with a domestic market heating up and a global market growing exponentially, with most of the growth occurring in the Indo-Pacific region. Some of the key areas being focused on by the Government and the quasi-industry-led initiative of the Australian Cyber Security Growth Network (ACSGN) are integrated platforms and software, professional services, GRC (Governance, Risk & Compliance) and becoming a leading exporter of cybersecurity education. But there are barriers. These include current economic limitations and national issues of a skills shortage, a poor bureaucratic culture lacking in SME procurement, and gaps and blockages between the academic research and commercialisation domains. The CSSCP cites Gartner, which reported “in 2016 the total external spending on cyber security by Australians and Australian organisations reached A$3.46 billion, and it is estimated that organisations spent a further A$919 million on their internal cyber security functions. To put that in context, Australia's external IT spending in 2016 was around A$85 billion.” The CSSCP projects that over the next decade the Australian cyber security industry could triple in size, with revenues rising to A$6 billion by 2026, from just over A$2 billion today. It should be noted that the existing A$4.8 billion (2012-2013) physical security sector, in particular the A$2.4 billion electronics sector, was not considered or consulted as part of the CSSCP’s body of work. With this in mind, there is an opportunity for the security sector, as a whole, to potentially reach, and aggressively seek to have, a A$20 billion market size within the next 10-15 years as it tackles not just cyber threats but also jihad, transnational organised crime and rogue nation states. Bringing the cyber and physical security sectors closer together, rather than keeping them apart, could have been a part of this plan and remains an opportunity. Despite not taking this approach, the CSSCP “provides a roadmap to strengthen Australia's cyber security industry and pave the way for a vibrant and innovative ecosystem.” The CSSCP claims, “It articulates the steps and actions required to help Australia become a global leader in cyber security solutions, with the aim of generating increased investment and jobs for the Australian economy.” Speaking in Canberra in March, Craig Davies, ACSGN’s Chief Executive Officer, confirmed the primary mission is to ‘create’ a Cyber Security Industry in Australia. “Our only KPI that is measurable,” Craig Davies highlights, “is an economic benefit. Now, that doesn’t translate into it all being about start-ups. It’s partly about start-ups, of course, but we can help scale-ups to grow and help overseas firms invest in Australia. So, for example, using Cisco as an example, they have several people hired in Australia in the security field, so that’s good for the market. The other kind of company we deal with – let’s call them ‘return to OZ’ – is an Australian company that’s left and we are now helping them come back home, such as Quintessence Labs. Another good example of the return to OZ strategy is a company called UpGuard, who moved to Silicon Valley and are now planning on returning to Australia. They have plans to hire several people in Sales as well as Research and Development. There are a couple of other companies we are talking to, who are also getting ready to announce their re-establishment back into Australia, again not just in sales but in research and development work.” Sandra Ragg, Assistant Secretary Cyber Policy with the Department of the Prime Minister and Cabinet (PM&C), confirms the success through the Growth Network will get investment in companies. “It is not the tick in the box, it’s the outcome and our capacity to change. We are trying to put this on our website to make it more transparent and talk about it as much as we can. For a start, it will be what we deliver from the action plan, and taking decisions to not proceed with things and move on with others. I see the success being measured in our economy, but how you do that I am not sure. Raising awareness, in terms of change in the way that our businesses and government do cyber security, are all things that will matter.” Just three months into his appointment, Craig Davies acknowledges the challenges but is confidently optimistic, “There is still a lot of work to do to ensure that everybody does work together, but the good thing about it is, when we talk to people and say “hey, we should partner” there has never been any pushback. We are the point of contact for the Cyber Security Strategy and we are the liaison between government and industry. We talk about ourselves as connectors and multipliers. We want to make it much easier for Australian companies to get information out of government, so we are aiming to become that trusted source of information. We are working now at trying to pull out all the information of what the government is trying to do and then present it in a user-friendly way.” Alistair MacGibbon and Sandra Ragg each have a role to provide the whole-of-community leadership and advisory to the Prime Minister. Sandra said, “The government part brings capability, international dimensions and Alistair is accountable to the Prime Minister for the delivery for the whole of the strategy and driving that agenda.” Sandra and her team have also indicated an intent and willingness to engage widely, “We will talk to everyone who comes to us,” Sandra said, “We are reaching out to more business associations, also as a way of getting out there. The Growth Network is going to be offering a real focus on Australian industry and investing in Australian cyber security businesses. This is how we’ll get greater commercialisation and have them compete with opportunities overseas. The Digital Marketplace is a fabulous example of that and

Craig Davies looking on as Arthur Sinodinos launches the CSSCP

we need to encourage more cyber security businesses to come into it, but also government needs to come into that marketplace and start to share some of their success stories. There’s a range of structured things and then there are more informal ways that we certainly see as part of our role in PM&C. Not the traditional, ‘just policy’ advice, because to me it is more about how you engage with the professionals, that they call ‘the community’ and do it in a different way. That’s why we have Twitter profiles and use social media to connect.” Craig Davies proposes this is a major shift as a result of the Cyber Security Strategy, “Australia has had its epiphany and has put lots of money into it. Now it might have taken us a while to get things moving, but we have all come together and we are now getting things done. We have got a very aggressive timeline, but the support we get from government both politically and operationally is picking up momentum. We have got to take them on a journey and the good thing about that is that the states and the government departments are aligning with what we are talking about.”


DIGITAL TRANSFORMATION AGENCY

The ACSGN has established a relationship with the Digital Transformation Agency which Craig Davies sees as a key enabler and a fundamental change to the government procurement process. “In my first week in the role I had a meeting with the DTA about the Digital Marketplace and gave them some feedback around some ideas that we had, and now they have launched the Cyber Security component - I think it’s a really good idea as it's trying to simplify the procurement process and secondly, the DTA needs constructive feedback around what works and what doesn’t work and they are not going to get that unless people give it a try and they are very open to hearing feedback.” “Firms always complain that they can’t get a deal with government,” Craig Davies said, “because the system is not set up to support them in that. The Digital Marketplace is a start; we don’t do enough experimentation in this space. The digital team understands that it is important to get it right and that participating in government opens a big funnel and creates funding streams, creates work, which is good, and it takes one major area off the table and we can then focus on everything else. It is designed to replace the tender process for smaller government work.”

CSSCP Launch

Sandra Ragg - Assistant Secretary Cyber Policy

Cyber Security Strategy 2009 – 2016

“The 2009 strategy was very threat focused,” according to Sandra Ragg, “There were some elements that targeted business and individuals but I think it was primarily focused on government. The 2016 strategy is more focused on innovation, growth and prosperity, which is what we are more interested in. It’s very much about the underpinnings of trust and confidence in our economy; it’s the whole social construct of the Internet.” Michelle Price, ACSGN’s Chief Operations Officer, agrees the key difference between the 2009 Cyber Security Strategy and the 2016 Strategy is that the former was too focused on government. Michelle said, “There wasn’t a ‘what’s in it for me’ for many companies. The big difference with the 2016 strategy is that more than half of it focuses on outside of government. It talks about the whole of nation situation around cyber security and I have seen since the day I started working on that cyber security review, through to now, a significant change in the nature of the conversation that people are having.” Michelle Price adds, “Secondly, there is a much sharper focus around the opportunity of what it means to have a secure business as well as a secure business in government. As I say all the time, I don’t think government sees itself as a business enough. These are all organisations that have a job to do for whatever their motivation is, whether it’s servicing clients or customers, or improving our world and standard of living, and all those things won’t happen unless it’s done hand in glove with cyber security.” Sandra Ragg explained, “There are 33 actions in the strategy, with plans available for each. This is what we are measuring ourselves against: in some areas, it will be slower but we will deliver the strategy in four years, but if that’s all we will do, we will have failed. We are looking at how the environment has shifted. Looking at the business engagement with CEOs and big business, which is a different space than it was 12 months ago. We need to think about how we adapt our policies and our implementation approach, some of the things we will get good ticks on.” The Cyber Security Strategy includes the establishment of Joint Cyber Security Centres, academic centres of excellence and capacity building, including ASX100 checks. Sandra said, “We will look at, ‘how did that work?’ and where we can take it from there. There is a whole lot of stuff being done, but what I am hearing is that people don’t know much about the Growth Network and people don’t associate how they are all fitting together. That’s a goal for me as we move to that 12-month timeframe from the strategy. How do we better explain the ecosystem the government is trying to support and promote? Again, it’s about supporting and promoting across the community players, not just the government, because people want to understand how they can engage.”

OVERVIEW OF THE KEY ELEMENTS OF THE CSSCP

Australia’s role in the Asia Pacific

Craig Davies confirms that the ACSGN is observing a new market opening in the services area, with some US firms looking to come to Australia and use Australia as the base for the Asia Pacific. “Instead of traditionally going into countries like Singapore, those firms are looking to come to Australia and base their operations here and then support growth into Asia, out of Australia. For Australian services firms, there is an incredible opportunity to look at Asian firms to help grow their businesses. They would probably have much more success entering that market than more established markets, in somewhere like the United States.” Confirming the ACSGN is in discussions with Dr Tobias Feakin, the Ambassador for Cyber Affairs, Craig Davies stated, “Most of the spend in cyber security over the next 10 years will be in the Asia Pacific region. The industry will be much more about the trusted partner. Our other job is being a business coach and connecting different companies and forming formal relationships. We are experimenting and looking at ways to do things differently and creating a super vibrant industry.” Sandra also acknowledged, “There are things happening that probably go under the radar where we have bilateral dialogue with a lot of regional nations and they are focused diplomatically. There are relationships with Internet response through CERT Australia and law enforcement, capacity building investment, and part of what Dr. Feakin is going to do is bring all that together in a way that it fits with our domestic agenda to business and trade and opportunity, as much as threat and protection.” Presenting at the Australian Cyber Security Centre Conference in March, Dr. Feakin provided the framework, stating, “Clive Lines is delivering the Operations and Technical pillar, Alistair MacGibbon delivers on the Domestic focus and I have an International and Regional role and these pillars are important to understand the new government structure formed to implement the strategy.” Dr Feakin sees his Ambassador role as a fundamental opportunity to shape the future in cyber security and cyber space, in Australia and Internationally. The Prime Minister and Cabinet members, Dr. Feakin asserts, “understand the importance of this issue and the government is trying its hardest to work with industry and academic sector and we’re also beginning to see money being invested and start to flow into the cybersecurity sector.” Within the next few months Dr. Feakin intends to finalise and release an International engagement strategy which will form the basis for creative collaboration with the aim to have an ambitious document for capacity building options, foster public and private partnerships and include a measure of success. Dr Feakin concluded, “The role will continue to unfold and Australia intends to be leading the discussion and although Australia is not a super power, it is a trusted voice.”



CISCO LIVE!

TOP 10 TECH TRENDS 2017

By Chris Cubbage

Now seven years into an annual review process, Kevin Bloch, Chief Technology Officer for Cisco, has seen technology advancing from the driver’s seat. Cisco is a company spending $6 billion a year on development, so they need to understand what the micro transitions are and then look from the outside in, as well as to customers and partners, to explain why Cisco is making investments in some areas and not others. It’s not just about the technology, it’s also about the timing.

So, with technology continuing to transform a complex world environment, here is Kevin Bloch’s top 10 technology trends for 2017:

#1 Business transformation

The world is moving from a ‘world of data’ to a ‘data driven world’ – there is a clear divergence occurring from the ‘old world’ to a new world of digital platforms, data intensive +AI (artificial intelligence), global scales and innovation investment in what is a boundary-less market. There is also a second order effect of digital, such as industry transitions from retail to media, a prominent example being Amazon winning an Oscar. The other key transformation is moving from the human scale to machine scale, which is getting some profound capability. Cisco forecasts there will be 500 billion devices connected to the Internet by 2030, though Chris Dedicoat suggested 10 years at CiscoLive!. Many of the devices will be data driven and predominantly based on AI, thereby likely to cause economic dislocation. A US White House paper found that 83 per cent of people who are earning less than $20 per hour will have their jobs automated, with 2-3 million jobs at risk. Truck and taxi drivers are an example. The risk to this trend is cyber security. The value of intellectual property is estimated at $6 trillion and alongside value is trust. The application of trust in a digital world can be referred to as ‘algorithmic accountability’, as we move into AI and self-service on the internet. The Centrelink Robodebt crisis may come to mind.

#2 Software & Artificial Intelligence

The project of mapping the exact location of every business, house and road network in France may sound like a massive task – yet it took Google just an hour to accomplish. With this in mind, the question then is, how are you going to leverage big data and its application? Work activities are going to continue to change, but with digital transformation as much as 45 per cent of tasks can be wiped out, and when moving into AI you can take that number to 80 per cent once machine learning fully scales. This will remove human programming and create a lot of connected data. This will be the end of code as we know it, as the software is connected, self-learning and increasingly intelligent.

#3 Everything as a Service

By making infrastructure ‘smart’ you take it from being a ‘thing’ to a ‘service'. A light pole, when connected to an intelligent network, becomes a pole which delivers lighting, city Wi-Fi, smart parking, metering, digital signage and environmental sensors. This makes the intelligence available as a service. The number of infrastructure services that will evolve will change business models, organisation structures and how technology is used and seen. Cisco is working with the CSIRO’s Data61, which has deployed over 3,000 sensors across the Sydney Harbour Bridge to monitor the bridge's performance against traffic, environment and structural conditions, and is using machine learning to predict preventative maintenance requirements and structural efficiencies and to better learn about bridge engineering performance. When this learning can be applied to the 5,200 other bridges across NSW, you can get a sense of the impact and scale of the learning opportunities, just at a state level. On a much ‘smaller’ scale, Cisco is working with the CSIRO on honey bee research, with RFID sensors being deployed on the backs of bees to measure and analyse hive and colony activity, part of a global initiative to monitor honey bee health. A standard honey bee colony will have about 10,000 bees. At just $0.32 each, about 400-500 sensors are deployed into the colony. The project, supported by Hitachi and Intel, has received over 500 million online queries on the project content. Australia currently has 500,000 bee hives but needs 750,000 to qualify for pollination service security. Dr Liz Barbour, from UWA’s Office of Research Enterprise, recently confirmed current industry problems that limited the value and expansion of the Australian honey bee products industry. Products include honey, beeswax, pollen, royal jelly, venom and honey bee export. “At present, honey bee product value is estimated at $125 million,” Dr Barbour said. “What is often overlooked is that 44 of our food crops wholly or in part rely on honey bee pollination which adds an additional farm gate value of $6.5 billion. With the new Australian focus of fine food export, healthy bees are an essential ingredient for success.” It has become politically ‘cool’ to invest in infrastructure, with R$59 billion allocated to upgrade India’s infrastructure and US President Donald Trump committing US$1 trillion to rejuvenate America’s infrastructure. By adding an extra 1 per cent to the budget allocation to allow for digital connectivity, infrastructure can be made safer, cleaner, have lower maintenance and offer new service opportunities. With billions of end-point devices being added, the impacts will be on cost, power and bandwidth. As we digitalise the world, the internet will not work for the internet of things unless we move from human to machine control.

#4 Intelligent IT – the end of cloud computing

We’re in a multi-cloud market, with the average Cisco customer already deploying five cloud environments, with a mix of public and private cloud. We’re now entering phase 4 and moving the intelligence to the edge. This is when the term ‘fog’, in contrast to ‘cloud’, is used. The essence of fog is taking the query to the data, where in the past it was taking the data to the query. The ‘application evolution’ has moved from bare metal, to virtualised, and is now moving to containers and microservices: taking monolithic applications, breaking them down into containers and using microservices. Microservices are becoming profoundly important because of the ability to move things around. Everything Cisco is doing now in development is around microservices.

The next big thing is serverless computing, such as AWS Lambda and Microsoft Azure Functions. This allows you to spin up a processor, which is stateless, and then spin it down again. You pay for what you use and you may pay as little as $0.01 for that cycle. This could also be used as a DDoS attack – you use a botnet of 50,000 hosts, execute the process, spin it down and it is gone. But this is also critically important for business and the speed and cost of bringing applications to market. Traditionally, IT spend has been about optimising the backend IT infrastructure and the speed of the servers. Today, if you want to drive new business, you want to be spending money on developers writing new apps, not on increasing the backend IT infrastructure. When you’re writing apps that are designed to be cloud native, the cloud becomes the procurement exercise. Hyper-scale is getting big and the numbers are profound. Looking at the Cisco Cloud Index, there is massive investment in this area. Alongside this there is also growth in hyper-convergence, because you’re still going to need computing, not just in the cloud. Workload locations are managed between public and on-premise infrastructure and are moving from the public cloud to fog.

With this change, policy also becomes a key element. If you’re spinning up microservices in containers and moving them around multiple cloud environments, you will need to maintain the service level agreements, quality of service and security requirements. Performance and visibility of the application will remain crucial, and policy is such an important point in this respect. This is why Cisco has been investing in these areas and developing services such as Tetration, telemetry for infrastructure. CliQr, which is CloudCenter, is about measuring and controlling where the workloads are actually running. And AppDynamics will allow Cisco to look inside the workload. For example, if you’re a Qantas user and you’re using the Qantas app and the performance is too slow, then you’re potentially going to go to Virgin – so without visibility into the performance of your application, the business won’t know and could be losing customers. Cisco will be looking inside the entire stack, measuring it and optimising it.

And finally, fog, the distributed edge. For example, a 100-core, multi-petabyte card going into an autonomous car. Cisco is connecting 1.5 million things per month on the Jasper platform. One million of these ‘things’ are cars. The ‘car’ is effectively a data centre, and this can be applied to drones, ships and trains. These are fully fledged, multicore, multi-petabyte mini datacentres, and that’s why we’re moving to the end of cloud as we know it, because we’re already seeing a very distributed cloud.

#5 Networking is getting cloudy

Meraki, bought by Cisco in 2014, was turning over $50M and is now on a multi-billion dollar run-rate. It is the cloud management of Meraki that has made all the difference, brought a suite of vendors together around it and transformed how Cisco is deploying networks. Based on the Visual Networking Index (VNI) Report 2016 – 2021, which tracks global traffic, networking and connectivity are only getting more important. Costs are plummeting for storage and demand is rapidly increasing. There is a massive transformation. Microsoft confirms you’re getting 3x the compute performance you got 5 years ago. This is driving the move from human scale to machine scale. There is the decoupling from the hardware, by the use of software. For example, you buy a Tesla vehicle today, and there will come a time when you download some upgrade software and it becomes an autonomous vehicle. The architecture will move to cloud-based networking and decouple the hardware from the software. Essentially what is happening is that we’re taking control into the cloud, and the routers, the switches and the compute are within the vehicles. With this in-built intelligence and connectivity to vehicles we should be able to do some pretty smart things, turning vehicles into service vehicles. In 10 – 15 years’ time you won’t be buying a vehicle, you’ll be buying a service, and that will change the way transportation gets consumed.

In terms of the architecture, the moment you say you need more people to run this, you’re going in the wrong direction. It needs to be automated, using virtual network functions in the cloud that are dropped into the infrastructure. Distributed computing will be grown by the telcos, with datacentres to deploy distributed network functions, especially when we move into the 5G spectrum. The other aspect is that we’re also exposing interfaces to allow third parties to access software-defined networking and software development in software-defined infrastructure. We have to change our network administrators into network programmers, because they’ll be looking at the metrics and analytics to understand how to do Tetration – telemetry for the infrastructure. So this is a shift from hardware to software, from physical to virtual, to simplified, automated, segmented and secure, and moving to a cloud-managed and delivered world.

#6 Mobility

The future of video is mobile and the future of mobile is video. When Pokémon Go was launched in 2016 it generated a billion dollars in revenue and is still generating $2.5 million per day – but it was also a game changer in that it presented augmented reality and demonstrated to the world the next wave of mobile – AR, VR and mixed reality. This technology provides a new and fully immersive experience, a mixed experience in which you’re forced to be part of that experience. It is much more than a game. Cisco’s prediction is that this is going to grow, compounding at 120+%, and it is already a multi-million-dollar business. It is absolutely going to impact the ‘mobile’ market but also the ‘networking’ market. VR platforms need 96x the bandwidth of HD. This is just the start, and it is going to get rather fancy, complex and sophisticated on the endpoint. Qantas is trialling VR with Samsung, so before you’ve even landed you will be able to snorkel the Great Barrier Reef. By mixing a physical environment with a virtual environment, this will be a profoundly different user experience. It will change the way we build, design, educate, work, interact and entertain.

#7 Security

This is now serious. Very serious. 2016 was a record year for security, smashing all the records: the Australian Census, the Russian hack of Democratic National Committee emails, the Yahoo data breach disclosure and DDoS attacks, with the Mirai botnet the largest ever. Cybercrime is now the number one economic crime and is actually the sum of all other economic crime in the UK. More CIOs than ever, 87 per cent, are investing in security. There is pyramid selling of ransomware, growing at 1,000 per cent and already a billion-dollar business. Ransomware pyramid selling involves being compromised, but in return for your information you have to compromise two others. Nor is nation state cyber offensive capability being matched, and mitigation is slow and complex. Despite record spending on cyber, we’re seemingly going backwards. There are nine start-ups a month in cybersecurity and VCs smell a lot of money. Fifty-six per cent of Cisco customers have more than six vendors and some have over 100. Customers are struggling to keep pace, and divergence of capabilities is leading to over-complexity. There are a lot of things that have to be right to address security. Cisco advocates integration of the entire stack from within the network to the public cloud, consolidation of security capability and automation to machine scale. The two key metrics, which should be reported and monitored at board level, are time to detect (TTD) and time to remediate (TTR). Cisco’s time to detect has reduced from 40 hours to 6.05 hours in a year, while the industry average is between 100 – 200 days. From May to October 2016, Cisco’s TTD declined from 9.14 hours to 6.05 hours.

#8 Transport

In 2015 the Australian Government commissioned a study of the cost of congestion in Australia and reported the cost is $2 billion per annum, with social and economic loss across each of the cities. Vehicle-to-vehicle digital accident avoidance capability will result in a drop in the loss of lives, with some reports estimating a drop of 81% per annum. With vehicles having on-board intelligence and the road infrastructure having in-built intelligence, there will be the capability to manage city-wide congestion, road and intersection traffic systems and individual vehicle safety.

#9 New Technologies

Although not new, drones have the potential to be a major digital disruptor despite the many challenges. Drones are already being deployed in a wide array of industries – for example, the wine industry has drones flying up and down the vineyard that can measure the production capacity of the vineyard, when to harvest, moisture content and all the necessary information the wine maker needs to make the best and most informed business decisions. The timing is important, but drones have the opportunity to digitalise the world faster, with drones now being automated, including automatic battery storage changeovers, deployed take-off and landing points and accurate tracking and flight mode monitoring.

#10 Innovation

Accelerating digital transformation is seeing major investment in AR, VR and AI and the ability to transform the physical environment and the major industries of transport, industrial, professional services and financial, and a transfer of speed, access and skills as industries move from IT to OT. There will be a lot of people movement, acquisitions and on-going disruption. Regulation change requirements will be a gold-mine for legal firms, as innovation crosses over existing industry regulation frameworks and technology



RSA CONFERENCE 2017 FEATURE REVIEW

THE BIGGEST ‘MUST GO’ CYBERSECURITY SHOW ON EARTH - PART 1

Editor’s RSA Conference 2017 Review & Austrade Cyber Security Trade Mission

// KEYNOTE TAKE-AWAYS

RSA is named after Rivest, Shamir and Adleman, the three inventors of public-key encryption technology. The RSA Conference therefore is unsurprisingly the event where the cyber trends are set and the security deals are made. Situated in San Francisco, gateway to Silicon Valley, the RSA Conference is recognised as the largest cybersecurity gathering on the planet and is a ‘must-go’, vendor-rich cybersecurity conference. The impact is obvious across the city. Bus stops, billboards and key advertising locations are taken up by the likes of Cisco, HP, McAfee and Ixia. Purple RSA lanyards are proudly worn by up to 45,000 technology and security professionals, entrepreneurs, businesses and support staff as they crisscross the city, to and from hotels, meetings and micro events. All this creates a dominant presence and a city-wide ‘cybersecurity’ buzz. Even passing former RSA Security CEO Art Coviello at pre-registration, and the early appearance of Michael Dell, both at the pre-event media and analyst function and on stage for the opening morning keynote, gave an initial and suitable appreciation of the importance of RSA Conference 2017 and what it will contribute to the global cybersecurity sector. Opening with a monologue by actor John Lithgow, contemplating a world without security and without trust, naturally heightened the experience and created a ‘rock concert’ vibe. This adds to the natural spectacle, entertains and captivates the audience, and gets them ready to listen.

// PLAN FOR CHAOS

“Embrace uncertainty and difficulty because human nature drives towards chaos. Chaos forces progress that can be painful and in these moments, our darkest and hardest, we have to stop and look in the mirror and ask ‘what am I made of?’”

Michael Dell & Dr Zulfikar Ramzan, Opening Keynote Address

Dr Zulfikar Ramzan, RSA’s Chief Technology Officer, opened with a message speaking to the thousands of ‘individuals’ in the room. The message being “don’t draw lines, draw connections.” Directed towards the conference theme of ‘business-driven security’, whether it’s developing code, writing policies, managing teams or running businesses, today you need to be a business-driven security leader, living up to the expectations and redrawing the boundaries. Referring to the ‘butterfly effect’, Dr Ramzan highlighted the potential for big consequences when playing with large, integrated, complex systems, such as the idea of a foreign government setting out to influence a democratic federal election. The problem is not the immediate impact but the long-term ripple effect. “Ripples move faster and wider now with connected devices, and we are fighting against human ingenuity, which is a powerful thing. Innovations create ripples.” Start by adopting a business security strategy and establishing the ‘gap of grief’. Business leaders want to understand the pay-off. First treat risk as a science and use scenario analysis – ask what if! But as acknowledged, with a reference to Niels Bohr, ‘prediction is very difficult, especially about the future’. “Simplify what you control”, Ramzan explained, noting he had recently spoken to a CISO who had 84 different security vendors. “How do you manage and measure that? Consolidate vendors and plan for the chaos you cannot control with an Incident Response plan based on the ABCs – availability, budget and collaboration.” Collaboration being the skill of bringing together IT, finance, sales and others across the business to work together. Connections, like those made at RSA 2017, will have lasting impact on the industry, and cybersecurity now ripples and impacts throughout society.

// CYBERTHREATS IN UNCERTAIN TIMES: Microsoft President Brad Smith

Starting with the problems, customers are clearly worrying about being hacked and the economic loss that will result, estimated to be worth $3 trillion by 2020. In the past year, there have been more and more nation state attacks. Geopolitical controversies have become more pronounced. The Sony (2014) attack was a turning point, and in the two and a half years since, the attacks have evolved and cyberspace is the new battlefield. Cyberspace is for all of us. This includes it being owned and operated by the private sector and as private property. It is a different kind of battlefield than the world has seen before. The industry has become not only the field of battle but also the first responders. It is a sobering thing to consider that for over two thirds of a century, the Government has been protecting civilians in times of war. But now the Government turns to civilians, the private sector, to protect itself from (cyber) attacks on them, in times of peace. This is not the world the Internet’s inventors envisaged, but it is the world we inhabit today. We each need to do more. Ninety per cent of intrusions start with a phishing attack. Using threat intelligence and advanced data governance tools can better harness the power of data. Microsoft’s datacentres around the world are connected to over a billion endpoints, creating over a trillion data points each and every day, with advanced threat protection systems scanning over 200 billion emails a month for malware. All of this data is becoming the game-changing defence mechanism.

Smith stated, “We need to call on governments to come together. They came together in 1949 for the Geneva Convention to protect civilians in times of war. But now we need a convention to protect civilians in times of peace. Like a United Nations body, able to agree to norms in cyberspace. We need a digital Geneva Convention, supported by a new and independent organisation for the best and brightest, and this will be the only way Governments recognise that cyber-attacks and cyber-war are not the way forward. We need to act collectively to do more and build a global technology sector Accord, similar in concept to a digital Switzerland. Focused on 100 per cent defence and 0 per cent offence.”

“Technology needs to retain the world’s trust. Every Government, regardless of its policies or politics, needs a national and global IT infrastructure that it can trust.” An example being a world partnership around Artificial Intelligence (AI) and Government spying. Bringing the world together as an industry – technology, products and people – and with 157 countries represented, Microsoft, Smith proposed, is like the United Nations of technology, with a unique level of mutual understanding and inspiration. “Build on what we can share. An industry that serves the world, and even in an age of nationalism, the technology industry can still be a neutral Switzerland.”

RSA Cryptographers’ Panel - RSA Opening Keynote Session

// SWEATING THE SMALL STUFF: Christopher Young, Intel Security

The role of data security was on display in 2016, with data manipulation designed to influence people making decisions. Now, big data and analytics are the bedrock of the economy. But in leveraging big data analytics to make decisions, we have to focus on the integrity of the small data going into the big data pools. Connected cars alone are forecast to create 4,000GB of data per day. With 1 billion cars, 200 petabytes of data. But what about the data models the cars will rely on to allow driverless cars to function and transport systems to operate at highest efficiency? When big data is compromised with small bad data, we will see the next cyber threat evolution - the weaponisation of big data. We are still dealing with the same threats we always have - we have not overcome any of them. The attack surface continues to grow every day. Given the amount of data, the new attack surface is large in aggregate but small in isolation. It is in the home, increasingly where people do their work, and the home has more powerful and more connected devices. These home devices are also being used to launch more attacks. Who is taking the home into consideration in the security architecture for the business? This requires policy to be driven down and locked down, but ask yourself the question… if what I’m doing is right, what about the person next to me? The Mirai botnet and Dyn attack (2016) is considered to be just a test of the limit of the attacker’s capability. As an example, a DVR was connected to an open network and left unsecured - it was attacked and compromised in less than a minute. The ‘Internet of terrorism’ is a risk into the future. Everything we knew about data security is changing again and turning around. It starts with all of us recognising none of us can go it alone - it is a difficult problem to crack. Young called on the industry to “check egos at the door and focus on a bigger goal.” How do we make the world safer through technology? Threats are getting faster, using smarter tools and scaling themselves - industry has to do the same, and together. The global challenges need the highest call to action. Children get the complexities of the future, but are also counting on us to get the small things right.

“As a small part of a much larger effort,” Young stated, “we need our own dream team for cybersecurity.” Intel Security is splitting the McAfee brand in 2017 to focus purely on cybersecurity. The company is providing an SDK for OpenDXL as part of a threat intelligence sharing initiative, and GitHub.com is now available as a development platform. Intel Security has partnered with Kaspersky Lab for the NoMoreRansom.org website, in support of an initiative by the National High Tech Crime Unit of the Netherlands’ police and Europol’s European Cybercrime Centre, with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals. The Cyber Threat Alliance has also been established, with Cisco and Check Point joining as co-founders, and will be led by Michael Daniel, former White House Security Coordinator.

RSA Security Operations Centre

RSATV Recording

Michael McCaul, Chairman of the House Committee on Homeland Security, RSA Opening Keynote

// WE SHOULD START OVER, THE INTERNET TODAY IS REALLY ALREADY OVER: RSA Cryptographers’ Panel

Chaired by Paul Kocher and sitting with Whitfield Diffie, Susan Landau, Ronald Rivest and Adi Shamir, this was a high-level discussion around the exponential growth in the number of devices attackers can target, the amount of logic in those devices and growth in the value of systems, both to the owners and to attackers. Cryptographic algorithms are one of the few, if not the only, security technologies that have withstood decades of scaling and have the greatest ability to withstand years of further scale. It is anticipated that 15 years from now, the largest amount of data being gathered will be generated by Artificial Intelligence (AI). Though AI will be helpful on the defence side, the panel did not consider AI capable of withstanding a zero-day attack, where creativity is required for deviations – nor is AI considered suitable for offensive cybersecurity applications. Neither does quantum cryptography appear to be moving as fast as quantum computing, though this is not one of the highest issues. Possibly in the next few decades, today’s cryptography algorithms could be broken by future quantum computing, though the mathematics is designed for 2,000 years.

Adi Shamir led the discussion centred on the Russian strategy of ‘war by other means’ and democratic election integrity, with the Trump election as a case study: normally you have to convince the loser, but with Trump, you have to convince the winner. Russia has been involved with election interference before, and the USA is hardly an innocent party given its role in influencing elections around the world. The 1956 Hungarian elections were also highlighted as a suitable historical case of stolen documents influencing an election. Mossad and the CIA stole the speech of Russian leader Nikita Khrushchev, which later shocked the Soviet Union and Hungary by denouncing Stalin and detailing the dictator’s crimes. The speech was smuggled out of Moscow and published in full in the New York Times. Susan Landau considered that law enforcement is being somewhat assisted by how easy it is to do investigations over mass surveillance. The Apple iPhone case highlighted that the FBI wanted the Apple hacking tools, which have now been released. Overcoming encryption means creating a backdoor, and the panel did not think that was an option. Ronald Rivest referred to a December 2016 Encryption Working Group report from the Judiciary, Energy and Commerce Committees that concluded four outcomes, namely: any measure that weakens encryption works against national security; encryption is widely and increasingly spreading; there is no one-size-fits-all solution; and Congress should encourage collaboration between law enforcement and industry. Whitfield Diffie proposed that we are doing everything wrong: the confinement problem is trying to be solved with interactive security, and if as much money were spent on improving the quality of devices we would get much better results. The home is the place and basis of education, and emphasis needs to be on education and people skills development. Shamir, presenting a paper later in 2017 titled ‘IoT going Nuclear’, described how we are approaching the time, with aggregated devices, when, with the simple use of IP lighting, plugging in a single smart light in a hotel room could feasibly, within minutes, infect an entire city. In having this capability, it is critical that the government should not allow devices that are not sufficiently secured to be connected to the public internet.

FBI Stand

// WE ARE IN THE FIGHT OF OUR DIGITAL LIVES AND WE ARE NOT WINNING

Michael McCaul, Homeland Security Committee chair, confirmed adversaries from Russia and China are stealing secrets and financial data, stating, “I’m going to be brutally honest. We are in the fight of our digital lives and we are not winning.” Terrorists are using social media to call for recruits and radicalisation. The phone in your pocket is the new battlefield. Cyber intrusions have the potential to interrupt the fabric of society. The volume and complexity of network intrusions is overwhelming, laws have not kept up with the digital age, and the high speed of technology means the pace of adaptation is too expensive for government to keep up with. McCaul stated, “We are facing 21st century threats, with 20th century technology and with a 19th century bureaucracy.” The sharing of information between agencies and industry is still far too weak, and deterrence is difficult in the cyber realm – reporting of attacks is too low. Government does not have a clear proportionate response against cyber criminals or nation states, nor do we have the manpower or legal structures. The paradox of national security and digital security means we are faced with a new generation of terrorists and their ability to recruit over the internet, globally. There is an unprecedented spike in terrorist plotting online; terrorists can stay under the radar and are using end-to-end encryption on their phones to cover their tracks. However, we also need to resist the temptation to go after encryption with simple knee-jerk responses. “I believe that creating backdoors into security platforms would be a huge mistake.” It will make us all vulnerable to intrusion. It starts with the right mindset, and we need to acknowledge we are under siege in cyberspace. We need to double down to protect private sector networks and the public. We need to continue the bleeding-edge work in the professional private sector and develop a talented cyber workforce. Government plays a critical role in coordination, but we should not have the military protecting public networks. The creation of a Digital Security Commission is underway and will be focused on breaking down bureaucratic barriers in order to collaborate and protect against adversaries targeting critical infrastructure. We know, with reports from the head of the NSA to Congress, that adversaries are leaving digital fingerprints on critical infrastructure systems, as a warning to America to watch what you say and do: ‘We can hit you from within and it is only a matter of time before this happens.’ The US will be developing a new national cybersecurity strategy to deal with the tectonic shifts and review response options, as well as conducting regular cyber exercises with allies. The US ability to win a war in cyberspace means having the ability to respond in the cyber realm and counter-attack if necessary. We have to say ‘enough is enough’ and figure this out quickly, because the attackers won’t give us the benefit of time. There must be clear rules of the road, especially when it comes to cyberwarfare. In times of crisis and uncertainty, it can cause situations to spiral out of control, so we should confer with our partners on major incidents, work together to build mutual defences and put infrastructure in place for joint action. We should make sure we are prepared for what lies ahead. We need to be ready for the era of quantum computing; the digital atomic bomb is on the not too distant horizon, and the first nation to gain this capability will pose a serious threat to the rest of the world. The US should lead a coalition of nations to prepare for the quantum future and ensure we have the right cyber defences in place when it comes. The year 2016 was a watershed year for cyberspace, and for a lot of the wrong reasons. But it has made us more realistic about the danger we face and more clear-eyed about what needs to be done. And although the cyber future is bleak, we cannot let the fear of the unknown outweigh what we do know: that we have the world’s greatest minds working to defend our networks.

Australian Cyber Security Showcase Evening

// CYBERROOS HEAD TO SILICON VALLEY

Releasing the Australian Cyber Security Industry Capability Statement in San Francisco, alongside the RSA Conference 13 – 17 February 2017, about thirty Australian companies gathered at the lush Fairmont Hotel for an Australian Cyber Security Showcase event, hosted by Chris Oldfield, Australian Consul-General to the USA. According to the Capability Statement, “In terms of citation impact, an indicator of research quality, Australian cybersecurity research ranks ahead of the US, Canada, England, Germany, Japan and Singapore.” The Austrade and Australian Cyber Security Growth Network Trade Mission to the San Francisco Bay Area had set out to build on Australia’s leading research and close a comparable gap when it comes to translating this research into an established industry. This gap is noticeable. With prominent pavilions from Germany, England, Korea and Israel on the RSA Conference showroom floor, some of the leading Australian cyber security companies being promoted on the Mission have already left Australia, basing themselves in Silicon Valley.

Craig Davies, CEO ACSGN

Dr Vikram Sharma, CEO QuintessenceLabs




Among the delegation, made up predominantly of service companies, there are some impressive new technologies needing as much support as possible. Robert Morrish of Haventec, a company which has developed a process to decentralise critical information stores to massively reduce organisational security risk, asserted “Australian companies need to ‘re-tune the pitch’. America is more ready than Australia is. Australia’s corporate sector doesn’t look locally for new innovation. Our first deal was in the USA and our second was in Singapore.” Now backed by Macquarie Bank and supported by Nuix, a sister company, Robert Morrish used the Trade Mission opportunity to hone his own pitch to leading American venture capitalists and potential clients, as well as to learn from colleagues and fellow Australian companies on their market approach.

Another ‘wish I’d thought of that’ innovation is FunCaptcha, led by young CEO Kevin Gosschalk. FunCaptcha stops bot abuse by verifying humans with image-based, easy-to-solve games for website registrations and online payment systems – a simple and effective idea created by Gosschalk and co-founder Matthew Ford. Now proven effective, FunCaptcha is suitable across social networks, voting systems and ecommerce platforms – plus with a 3D image technology patent pending.

Other standouts include QuintessenceLabs, Randtronics and ResponSight. QuintessenceLabs, now based in Silicon Valley and headed by CEO Dr Vikram Sharma, highlighted the advancements this Australian-born company is making in high-speed quantum random number generation with advanced key and policy management. As part of the Trusted Security Foundation (TSF), the technology combines FIPS 140-2 Level 3 hardware security modules, which can be deployed across a customer’s international data centres. Customers include financial services, government and defence.

Based in Melbourne, ResponSight, a data science software development company, provides security and hacker detection through behavioural analytics. Focusing on behavioural profile management at the individual endpoint, this can now integrate with SIEM and forensic systems to enhance priority identification. Undertaking a data analytics pilot with an invitation-only enterprise, they expect commercially available algorithms to be available in mid-2017. With a team of just eight, the focus is on the financial services, critical infrastructure and telecommunication sectors.

Finally, Randtronics, established 15 years ago, has patent-pending technology centred on the Data Privacy Manager (DPM), protecting structured and unstructured data using encryption, key management, masking, tokenisation and anonymisation, with additional attributes of access control and auditing.

Austrade is progressing its strategy to identify opportunities for cyber security activities and initiatives in global markets. In doing so, Austrade will work closely with Craig Davies and the tight but growing team at the Australian Cyber Security Growth Network to identify Australian cyber security companies with the capacity, capability and appetite to enter and expand into global markets. The RSA Conference Mission was also used to highlight the San Francisco hub, just one of five global Landing Pads, as part of the Government’s National Innovation and Science Agenda. Austrade has established other Landing Pads in Berlin, Shanghai, Singapore and Tel Aviv. For more information visit www.australiaunlimited.com/landing-pads

RSA Conference 2017 Review Part 2 will examine Vendors, Start-Ups and Key Innovations on display across the two showroom floors.




Journey to customers: HPE SECURE DATA’S INNOVATION, APPLICATION & SOLUTION Insights interview with Tammy Schuring, Vice President of Sales, Hewlett Packard Enterprise

By Chris Cubbage

When discussing the focus for data security at Hewlett Packard Enterprise (‘HPE’), it becomes apparent that the worldwide news and headlines of cyber-attacks over recent years remain a prime motivator for treating the risk of a data breach. Based in Silicon Valley, Tammy Schuring, Vice President of Sales for HPE Security – Data Security, came into the role in 2015, having dedicated over a decade to growing a loyal customer base. Tammy continues to evangelise a fundamental security approach: protect ‘the data’. Tammy was in Australia meeting with customers to provide her own insights into the ways data can be monetised, be it personally identifiable information, healthcare, financial or similar sensitive information. Tammy asserts, “unfortunately, companies the world over are faced every day with the daunting realisation that it’s not a matter of ‘if’ they are breached, it’s a matter of ‘are’ they being breached now, have they ‘already’ been breached or are they ‘about’ to be breached. It’s a change in mindset. Whether it’s an insider threat, or a cybercrime organisation that’s patiently looking for a way to get in or that is already syphoning off data. It’s stepping out and saying at the outset: it’s not a matter of whether we can keep them out, we need to start seeing through the lens of it’s already happening.”


INOCULATING SENSITIVE DATA

HPE is attacking the data protection problem right at the heart of a much-needed solution. Tammy explains, “What we do at Data Security inside HPE is inoculate sensitive data, so when it’s in the wrong hands, it cannot be used against the customer, be it a company or person. The ability to take sensitive data that the cyber criminals can use to create money, be it a fraudulent tax return or credit information, and protect it yet have the data retain its format and its logic inside the company, is huge. This way, if the protected data gets stolen, it cannot be monetised. It cannot be used somewhere else – it’s not actually the real data.”

Typically, when encryption or tokenisation is applied, it transforms the data into an unusable, very long string—be it a 256-bit or 128-bit string; and applications cannot function with data de-identified that way. HPE SecureData has enhanced the cryptography in such a way that when the data is de-identified, what comes out the other side retains the expected format. It also retains the logic that a random set of numbers or letters would otherwise not present; for example, HPE SecureData output will still pass the checksum in the case of PAN (primary account number) data. “The other key element,” Tammy highlights, “is it can also retain data relationships, with what in technology is called ‘referential integrity’. By preserving the referential integrity—your relationship to your address, phone number, your credit card data, your account number, your health data—all of those relationships are preserved, even when we are encrypting or tokenising those elements. Metadata can also be preserved, and that’s an aspect of its logic. The ability to retain as much of the principles of the data. Companies can start to operate on the de-identified data and you will find companies typically have 50 and up to 120 data types that are viewed to be sensitive data.”

“We’re taking the threat surface and drastically reducing it.” As an analogy, Tammy commonly likes to say, “it is gold versus fool’s gold – we are figuratively transforming the gold into fool’s gold. It looks like gold, it acts like gold. The data ‘shimmers’ throughout the system; but when the bad guys steal it, they spend a lot of money and time trying to monetise it and they simply can’t—because it’s not real data, but it absolutely looks like data.”

Tammy Schuring - Vice President of Sales for HPE Security – Data Security

ABILITY TO DECIDE ON SECURITY

HPE SecureData has built a loyal customer base across a wide range of industries, with the standards-based technologies of HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST). HPE FPE is an encryption technology that preserves the original data format in the encrypted state, as well as context value, relationships and meaning, enabling business processes and secure analytics. HPE SST provides advanced data security without token databases, improving speed, scalability, security and manageability over conventional and first-generation tokenization solutions. These technologies protect the data, and the protection is carried with the data itself – wherever it goes – in motion, at rest and in use. Tammy described how customers can decide, from a rules perspective, how they want the de-identified data to appear once it has been encrypted or decrypted: “One of the things customers can do is called ‘obviously protected’. They can choose to transform it, perhaps as an example, add letters and visually see that this is in fact not the real data, so there are ways to decide, for a particular attribute of the use case or by-product of the system.”
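The properties the article attributes to format-preserving protection (the output keeps the original length and character set, still passes the PAN checksum, preserves referential integrity so records about the same cardholder can still be joined, and can optionally be made "obviously protected") can be shown with a short script. The following is an added illustration, not HPE SecureData code and not the NIST FF1 mode of AES: it pseudonymizes a card number with a keyed HMAC, a one-way, tokenization-style mapping with no decrypt step, keeps the issuer BIN and the last four digits, and re-balances the Luhn check digit. The key, the sample card numbers and the record set are constructed for the example.

```python
"""Illustrative format-preserving pseudonymization of card numbers (PANs).

Added example for this article, not HPE SecureData code and not the NIST FF1
mode of AES. It is a keyed, one-way (tokenization-style) mapping that keeps the
properties the article describes: same length and character class, Luhn
checksum still passes, and the same input under the same key always yields the
same output, so relationships between records survive de-identification.
"""
import hashlib
import hmac


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for `payload` (digits only, check digit excluded)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit is doubled, then every second one
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and ends in the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def pseudonymize_pan(pan: str, key: bytes, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Keyed, deterministic, format-preserving pseudonym for a Luhn-valid PAN.

    The first `keep_prefix` digits (the issuer BIN) and the last `keep_suffix`
    digits are left intact, so routing logic and 'last four' displays keep
    working. The remaining middle digits are replaced by digits derived from
    HMAC-SHA256(key, pan), except the last middle position, which is chosen so
    the whole string is Luhn-valid again. Without the key the mapping cannot be
    reproduced; with it, equal PANs always map to equal pseudonyms.
    """
    if not luhn_valid(pan):
        raise ValueError("input is not a Luhn-valid PAN")
    middle_len = len(pan) - keep_prefix - keep_suffix
    if middle_len < 2:
        raise ValueError("PAN too short: need at least two middle digits to re-balance Luhn")
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).digest()
    # byte % 10 is slightly biased (256 is not a multiple of 10); acceptable for an
    # illustration, whereas a real FPE mode performs an unbiased radix conversion.
    middle = "".join(str(b % 10) for b in digest[: middle_len - 1])
    prefix, suffix = pan[:keep_prefix], pan[len(pan) - keep_suffix:]
    # Exactly one balancing digit works: whether its position is doubled or not,
    # the Luhn contribution is a permutation of 0..9, so one value hits the target.
    for adjust in "0123456789":
        candidate = prefix + middle + adjust + suffix
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: a balancing digit always exists")


def obviously_protected_pan(pan: str, key: bytes) -> str:
    """'Obviously protected' rendering: same pseudonym, but the replaced middle
    digits are shown as letters A-J so a human sees at once that it is not card data."""
    token = pseudonymize_pan(pan, key)
    letters = "".join(chr(ord("A") + int(d)) for d in token[6:-4])
    return token[:6] + letters + token[-4:]


def pseudonymize_records(records: list, key: bytes) -> list:
    """Replace the 'pan' field in each record; the deterministic mapping means a
    join or group-by on 'pan' still links records of the same cardholder."""
    return [{**r, "pan": pseudonymize_pan(r["pan"], key)} for r in records]


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"  # constructed for the example
    # Constructed sample transactions using Luhn-valid sample numbers
    # (4111 1111 1111 1111 is the widely used Visa test number).
    sample = [
        {"txn": 1, "pan": "4111111111111111", "amount": 20.00},
        {"txn": 2, "pan": "4532015112830366", "amount": 7.50},
        {"txn": 3, "pan": "4111111111111111", "amount": 99.99},
    ]
    protected = pseudonymize_records(sample, KEY)
    for rec in protected:
        print(rec["txn"], rec["pan"], "luhn_ok=" + str(luhn_valid(rec["pan"])))
    # Referential integrity: txn 1 and 3 still share a key, so per-card totals work.
    totals = {}
    for rec in protected:
        totals[rec["pan"]] = totals.get(rec["pan"], 0) + rec["amount"]
    print("per-card totals:", totals)
    print("obviously protected:", obviously_protected_pan("4111111111111111", KEY))
```

Two design points carry over to any real deployment of this idea. Determinism is what gives analytics its joins, but it also makes the pseudonyms linkable, so under GDPR the data stays personal data and the key has to be protected as strictly as the clear values were; and because the BIN and last four are kept, a downstream system receiving the token must not be allowed to treat it as a card number, which is the reason the article's "obviously protected" variant exists.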

PSEUDONYMIZATION MEETS GDPR

There are a number of regulations that companies must comply with, from PCI DSS (Payment Card Industry Data Security Standard) through to the emerging GDPR (General Data Protection Regulation), and a wide range beyond that. Tammy notes, “At the end of the day, interestingly, regulations and audit compliance may be only pointers in the right direction. Just ask any compliant company that has still experienced a data security breach.” Tammy added, “If anybody believes that compliance equals security, just go read the news any day of the week. Customers are able to leverage our solution to greatly reduce their compliance scope and save personnel hours, and that’s not even the best part of the story.”

“The best part of the story,” Tammy says, “is where they end up at the other side. It is truly addressing the risk. The risk that even if you were compliant, and have reduced the compliance footprint, like we do with PCI so dramatically, you still suffer a breach. If that data is stolen, that data itself cannot be monetised. The ability to leverage the format preserving encryption and format preserving tokenisation that we bring to the market enables them to protect the data at capture and keep it protected throughout its lifecycle. There’s no longer a need to decrypt it to determine where it goes next. It ends up staying in its protected state.”

GDPR will greatly impact how companies deal with data, going beyond just fines and protecting personal information, opening avenues to a world of lawsuits and empowering the individual to take action. Up to four per cent of a company’s annual turnover (Article 83, GDPR) is potentially at risk, so the stakes are tremendously high. Tammy explained, “There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the ‘get out of jail free’ card.” Tammy said, “If you are taking this personally identifiable information as defined by GDPR, and you’re leveraging a data protection solution such as HPE SecureData, you’re keeping all the benefits of the data but you’re leveraging pseudonymization. Such that, should something happen to the data, and it is lost or stolen, the data is useless to the attackers, and is therefore a non-event and that is the ideal scenario.”

BIG DATA INNOVATIONS

One of the big innovations is around data itself. Tammy notes, “If you go back just a few years, the amount of data that we could consume and do real-time analytics on pales in comparison to what we can do today. There is so much value in being able to take not only the data a company has, but bringing in data from other sources. Working with some of the car manufacturers and their belief there should never be a recall on a car again, because these cars are so instrumented and with so much data coming out of them, they should get ahead of any problem that would come up. But it wasn’t until ‘big data’ that they could see the patterns light up in real time, in order to determine where they needed to make adjustments. Once they figured out with these innovations in technology, there was a major inhibitor standing in their way – and that was security.”

“The proposition was there, but how could you take so much sensitive data about just one person? Their personally identifiable information, the vehicle’s identification number or VIN, where they’re going, GPS data, how fast they’re driving, you name it. How many times they are hitting the brakes, and to put that essentially into a huge soup pot that’s based on Hadoop, innately probably the most insecure platform on the planet right now. The risk was too high.”

“What we’ve been able to do with the SecureData technology is apply it into the world of big data analytics. For example, with the car manufacturers, that ability to protect the data in a way that the format is preserved, the logic is preserved, and most importantly the relationships. It is not important to know all the individual pieces of information and details. What is important is the ability to detect the patterns. There is so much data there, the problem really isn’t an ability to associate with one particular person, but the ability to see those patterns.”

WAVES STARTING TO HIT: ACCESS TO THE CLOUD & INTERNET OF THINGS

Tammy highlights, “One of the key aspects that is shining a light on this technology’s evolution is access to the cloud. The ability to embrace public cloud can save companies a tremendous amount of money by giving them access to things that they didn’t have access to before.” Referring to a large car brand as a customer, Tammy said, “they discovered they can save 40 per cent, per application, per year, if they moved their .NET applications to Microsoft Azure. This value proposition is potentially tens of millions, if not hundreds of millions of dollars in some cases, over a five-year period. When this was realised in one of the business units, the CEO was naturally very excited with such an innovative, cost-saving measure. Before proceeding, Security asked one simple question—is there any sensitive data, including PAN data, involved? The answer was, ‘yes’. Yet before objecting to the project, someone on the CISO’s team had recalled our ability to secure the data and preserve the format. Without creating a bigger processing footprint in putting this data into the cloud, in these .NET applications, the concerns the customer had around the data were addressed. The applications did not have to change their data model. With the data format and data relationship integrity staying intact, there was no need for any rule changes.”

“We match the elasticity model in the underlying platform,” Tammy continued, “so most of our customers decide they want this data-centric protection model across their entire organisation. They don’t want to have to decide if it will only be in the Hadoop environment, or only in their mainframe, or .NET, or J2EE (Java Platform Enterprise Edition) applications, or open system applications. What we do is match to the acuity model of that environment. Such as in Hadoop, that is a node-based environment and we can sell our product based on the node count; for a smaller organisation with 10-20 nodes, through to some of the largest customers in the world, with tens of thousands of nodes, we have a model that can be adapted for all.”

IoT is an exciting paradigm and the wave is just starting to hit. However, Tammy asserts, “there is so much data and this can be used very maliciously. Be it a driverless car or a medical device, should someone manipulate that, the impact is no longer how much data can I monetise, the impact is on people’s lives.”

The HPE SecureData technology comes packaged as either an API (Application Programming Interface) or an SDK (software development kit). HPE has a mobile SDK which allows companies to build the protection right into their mobile applications, so that the information we all enter into our devices while out on the go can be protected right at capture, under the same format-preserving encryption paradigm. Tammy explained, “It’s not sitting in memory in clear text. The vulnerability aspect of what these mobile devices bring is addressed. We’re seeing with IoT, the power, scale, innovation, is exponentially improving, not in years now but in months. What could be done a year ago pales in comparison to what will be done a year from now. The ability to build in this encryption, right at capture from inside these IoT devices, is there in many cases, or on the verge of being there.”

“When you look at the difference in the innovation, in regards to encrypting and keeping the format the same, versus bloating it into a 256-bit string, that impact is minimal. We’ve been deployed with two of the biggest card brands in the world, with every single card transaction related to them. The ability to be in every single transaction means it has to meet requirements in performance and scale. SecureData has the ability to take any production data, like transaction information, be it per second information, latency information, and then turn it around and apply it in the world’s top financial institutions, healthcare and retailers. We can show that at scale, so the customer’s requirements are often so much lower than we’re already being applied to.”

“One of the key elements of what powers a lot of what HPE SecureData does, and why this is being adopted so broadly now, is that the technology has format preserving encryption, now a mode of AES (Advanced Encryption Standard). We have received our NIST (National Institute of Standards and Technology) certification as FFX1, and our FPE technology provides accelerated encryption performance up to 170 per cent in conservative scenarios. Building on today’s proven high-speed FPE technology, while aligning to the high-volume needs of next generation Big Data, cloud, and IoT scenarios. With the power of what this algorithm can do in terms of enhancing the encryption footprint, the US Federal Government fast-tracked it to make it a standard and now, as we’re finalising our FIPS 140-2 and Common Criteria, this opens up many areas. Where it was already being leveraged before that certification, it is now able to be used by government entities and other entities who set the bar and this standard is a requirement.”

CAPTIVATING AUSTRALIA

“Australia is a very interesting market,” Tammy observes, “we started investing here about seven years ago and have a lot of interest. One of the main discussions back then was PCI (payment card industry) and companies wanting to get to compliance – there wasn’t the view that there was the same kind of risk as there was in other parts of the world.” “Paradigms like big data, cloud, mobility and with data so transient now, the Australian market is much more exposed, and a light has been shone on it. Big data is probably the biggest driver now, and regulations like GDPR are right behind it, as well as the drive to public cloud.” The Australian market has a tremendous need, Tammy notes, “I spent time with the Government and large financial services, telecommunications, retailers, sports betting—and I was shocked. I was last in Australia, literally at the time when the Census breach was happening, and seeing the way that sensitive information is being used in this country. Having been an evangelist of this approach across the globe, it has really surprised me how often a national ID, or a credit card number or an account number is used as a primary key and mode of identification. There is a lot of ground to cover here.” Tammy concludes, “I think the Census example showed how systems can fundamentally break down when the confidence of the citizens in those systems evaporates. So, having returned to Australia this year, there is such a desire now to protect the information and it’s no longer about meeting a particular regulation as the driver, be it PCI or GDPR – it’s really about the overarching sense of confidence and protection of brand.”



International


THE BIGGEST ‘MUST GO’ CYBERSECURITY SHOW ON EARTH - PART 2 Editor’s RSA Conference 2017 Review - Vendor Insights

/// ARTIFICIAL INTELLIGENCE PROTECTING THE ACTIVE DIRECTORY
INTERVIEW WITH JAVELIN FOUNDERS GUY FRANCO AND ROI ABUTBUL, CEO

At RSA Conference 2017, Javelin announced the release of AD Protect™, an AI-based platform designed to stop the use of stolen and misused directory credentials to move laterally into an organization’s network environment. Thwarting attackers at the point of compromise, the AI autonomously projects to the attacker a false set of organisational resources, including the Active Directory, that look and act real, yet get the attacker nowhere, containing the breach to just one machine. The result is Javelin’s automated incident response (IR) and breach containment, which provides detection of attack compromise and of directory credential theft or misuse, while assisting efforts to investigate and contain any further attack.

The story behind Javelin arcs back to three young men meeting in the Israeli Air Force and Intelligence Corps. Guy and Roi, along with co-founder Almog Ohayon, started out in 2014 with $2 million in seed funding. In early February 2017, they announced a $5 million Series-A financing round to fuel further development and growth. Based in Tel Aviv, the company is now also situated in Palo Alto, CA and Austin, TX. As Guy explained, “the industry is focused on protecting networks, computers, devices and applications, but at the end of the day the key element being targeted is the Active Directory (AD) – it is used by 9 out of every 10 companies around the world and remains mostly unprotected. All APT (Advanced Persistent Threat) campaigns are based on achieving AD manipulation – the attacker’s aim is to be stealthy, leave no evidence and achieve a high gain and mostly, a financial gain.”

After almost two and a half years working just on the technology, with a dedicated ADP (Automatic Data Processing) design team, the company launched in the second half of 2016 and hired former Cylance executive Greg Fitzgerald to drive the message home – that attacks and threats are focused on the AD, the heart of the organisation. Javelin reports seeing immediate traction with customers, with one customer, despite having a $50 million security budget, discovering they still had limited protection of their AD. Javelin can support 20,000 devices and then scale out to 500,000 endpoints. The learning phase is rapid, within minutes, acquiring 200 devices at a time – so a large enterprise network can be acquired within an hour or two.

Roi stated, “the greatest thing we have accomplished is we have created an autonomous IR mechanism and the only one specifically designed to work in a domain environment. That domain environment has its own rules and we have built that from scratch – once we find an infection on one computer and deployed inside a domain, the AI establishes the elements of the infection and will automatically look across the network for those elements, called automatic IRN counting. This pattern recognition algorithm is continually fed and creates automatic patterns based on the environment and data sets that are deployed in that environment.” The company has 5 patents based on this approach, with one specifically an AI patent on how it creates the virtual environment. As part of the hunting and cross-reference to other computers, it looks to where the malicious processes came from and what method was used for compromise, such as whether it is local or part of a bigger effort. This allows a forensic report to be formulated. Javelin is not an EDR solution, Roi explained, “we don’t reduce the noise, we just pinpoint for only this type of (AD) attack.” With Javelin, the attacker will not get valid credentials or organizational topology. Without this, the attacker cannot move beyond the endpoint nor do so undetected. Javelin protects the entire organization from the point of attacker entry without unnecessarily adding to the infrastructure or altering the AD itself.




/// KEYS TO THE KINGDOM: RISK AROUND CREDENTIALS THEFT
EXPERT ROUND TABLE DISCUSSION

Kowsik Guruswamy, Chief Technology Officer, Menlo Security
Scott Scheferman, Director of Consulting, Cylance
Roi Abutbul, Chief Executive Officer, Javelin Networks
Stefan Lager, Vice President of Services, SecureLink

Credentials are a lot more than logins and passwords. If you have a directory service such as Active Directory, for example, they could be the keys to the kingdom of every asset on that network. If you are an end user, you may have access to a small number of resources. If you are a senior manager, you might have access to more. If you're an administrator, you could have access to everything. In a special roundtable discussion organised by NetEvents in San Francisco, we discussed credentials, phishing and cybersecurity risk. This is an edited extract of that discussion:

Kowsik Guruswamy: I think it really depends on whose credentials are being phished. If somebody sends me an email from my bank saying my account has been compromised and I happen to fall for it, enter my user name and password, somebody is getting into my bank account. They can do money transfers, etcetera. This is on a personal basis. If I'm the CFO or the controller for an organisation and that same thing happens to my corporate credentials, now all of a sudden it's a whole different ball game. Now they've got the company's bank account. It also applies to applications, such as Salesforce. I may not be a C-suite executive in a company, but if I'm the Salesforce admin and I'm getting phished, then all of a sudden my entire company, all of the pipeline, all of the revenue information is now in somebody's hands. So, it really depends on who is getting phished and what sort of information they possess that could be very, very valuable.

Scott Scheferman: Maybe from a slightly different lens, a lot of what we do when we're doing response and compromise assessments is address this credential problem. Other than execution, credentials are a choke point common to every breach. The thing about credentials is that an attacker would prefer to just have legitimate credentials as opposed to leaving behind malware that might get detected. Once they get to the credential part of that kill chain, they're off and running and they're able to use whitelisted tools and other types of normal authentication, such as to Salesforce, or whatever it might be, and there is no more malware, so they can evade your detection systems.

Stefan Lager: I think we can never be 100 per cent protected against this kind of threat. I think limiting the damage you can get if a credential is stolen and also making sure you can detect and respond to that as quickly as possible is really key. The way we look at it is from kind of a matrix where you have people, you have processes, technologies and you have protection, detection and response. You need to have a good mix of capabilities within all these different areas.

Kowsik Guruswamy: In the case of phishing and credential theft specifically, there is no malware or anything involved. There was a website, it looked like your bank and you typed in your password. It is very simple. I think that goes back to what phishing is all about. It used to be about stupidity. It's really become about sophistication. Every one of us I'm sure has fallen for it. I'm not a private investigator, but if I googled your name and there was something on your blog about a hit and run that you saw and I sent you an email about an insurance quote for a hit and run, the chances are you're going to take a little bit longer to read it and I've got your attention. It's about personalising that information, knowing some context around whether this person is going to read it or not. So personally, I delete all my emails that I get from people that I don't know. But every email that I take more than five seconds to read, I treasure them because they've got me. They've got my attention. Spear phishing is just a concept. It's really about contextualising the data that is being presented, so you fall for it.

RoundTable - Javelin, Cylance & Menlo - Roi Abutbul, Scott Scheferman, Guy Franco & Stefan Lager

Wombat Security Technologies stand

Scott Scheferman: A lot of what we were calling breaches or compromises are actually starting outside of the organisation altogether. If somebody does a massive database dump and they grab the whole database, user names and passwords for a common social media site or something else, those passwords are then very readily available, email addresses and passwords. So many of our users have reused a password for their personal life. Not all organisations are using two-factor authentication for all of their external-facing applications. You put those two facts together and what you realise is that there is a massive market for the stealing and reselling of credentials so that you don't have to use any malware. You can opportunistically target a certain vertical that you're looking to target as an actual attacker. Attacker not being a hacker, but an attacker that's interested in an organisation, in a certain vertical. Why not just buy the credentials for that vertical as opposed to trying to touch your victim? You never want to touch the victim if you don't have to. Much like spear phishing, just put in your user name and password and you barely touch the organisation at all and they've done all the work for you.

Kowsik Guruswamy: The underpinning technology behind Menlo is what we call isolation. The concept of isolation is simple. If you look at the overall risk from the web, it's active content, Flash, JavaScript. That's the risky part. If you go back 20 years to the old Netscape days, when the Internet was filled with five web pages that were all static, there was about zero risk. There was no problem. Fast-forward 20 years and you've got this interactivity and advert networks, everybody rushing to inject interactive content into the web browser, that's a risk. Our concept behind isolation is very simple. We stop playing this game of trying to figure out is this website good or bad and just execute away from the user in the cloud. We do it in such a way that the end user has no idea that we're doing that and retains the native user experience. That's the underpinning model behind isolation and that's what Menlo does.

Specific to phishing, if you look at how phishing links come to the user and what they do, it falls into three buckets. First is what we call the known bad. Everybody knows it is a phishing site, it's on some list, Google has it, other feeds have it, everybody knows it is a phishing site. You do the obvious thing, you block it. The next one is what we call the known good. Like amazon.com is not a phishing site. Yes, there might be some ads that give you malware, but it's not a phishing site for sure. So, there is a known good. Then the grey area. If you look at the grey area, we're doing the same thing that we've been doing for the last 20 years to phishing, which is trying to figure out if it is a phishing site or not. What Menlo does is we gave up on that idea. It's not working. It's very difficult. Instead what we do is when people click on the link we end up isolating them and we have certain workflows which basically combine the training aspects and also put the website into a protective shell. It's a read-only mode. People can't type anything. The combination of that effectively means when you're about to enter the password into your bank account, you've got to pause. There is some training that's built into the workflow that tells the user, hey, you're about to enter the password into a bank-looking site, are you sure? So that really helps eliminate phishing, in our opinion.

Malwarebytes Stand

Cylance AR display

Scott Scheferman: I love the pause part of that description because I think in security, any time you're looking at this kill chain we've been talking about, it's important to pause before each one of these things. In Menlo’s case, it's before the user clicks. In Cylance's case, the best way to describe it would be, we have tried to solve the problem in those 100 milliseconds prior to an executable executing and allow the AI (artificial intelligence) to predict whether or not that file should run or not within that 100 milliseconds pause, if you will. In the time it takes you to blink your eye, we would look at seven files. We can look at seven files and convict them to be able to run or not. It's a very interesting thing because what we're using is predictive AI. What that looks like is, if you take something like Shamoon2, Wave 2 that just came out in the Palo Alto Unit 42 report, which they did an excellent exposé on, what that threat actor is and the motivations. The TTPs, the IOCs, all these buzzwords of intelligence, we were actually able to prevent that pre-execution 430 days before Palo Alto's report. So, when we say prevention, we're literally talking days, weeks, months or sometimes years in front of when the threat actors, in some cases like ZCryptor ransomware, have even compiled their first binary. We've predicted that binary and are able to block it. So that's what our pause is.

The other aspect of what Cylance does extremely well is our compromise assessments. We leverage that same machine learning as well as machine learning that's focused on the credential aspects of this problem space. I'm looking at user account profiles and applying machine learning to that problem to instantly discover accounts that are probably compromised based on statistical confidence. We have about 86 per cent efficacy that we have baked into our compromise assessments, where we hit the big red button and out pops all the accounts that mathematically, we know that these accounts have been compromised. For us, that allows us to move very, very quickly, or allows the organisation to pivot to containment.

On the product side, it's predictive prevention via AI and that's a really big exercise. We're in the top 100 customers of Amazon where we're crunching these millions of files. For each file we're breaking them up into 2.7 million features that we're looking at. It's not just 30 features or 200 features that malware analysts understand and the rest of the whole industry, but actually features that the human race doesn't even have words for. The machines are telling us about features and absences of features and combinations of features that we know to indicate this malicious software and we're able to, because of the confidence we have, make an autonomous decision and put that 100 milliseconds pause before execution to say no you can't run.

We're seeing a massive shift in money from doing penetration testing in traditional services, shifting over to doing annual, biannual or quarterly compromise assessments because the value is much more to the Board than hiring a small team for a small period of time. You're able to tell the Board I know I'm not compromised or I am compromised and I've been able to learn how the bad guys got in that were targeting the organisation. Instead of hiring penetration testers, hypothetically, to protect you, hire the entire Internet that has targeted you the last two years and learn from that. That's how we get to the place we are today. As vendors, the three of us here have the AI aspect and we're sitting in the middle of this revolution. Those are the ways that we can solve these problems with confidence. Confidence ends up being a mathematical definition. It's a mathematical term. We actually have a degree of confidence index.

Roi Abutbul: I want to add to your comments that if you look at it, the CISOs today are swamped. The security teams are overloaded with, as you said, data and a lot of work that they need to do at the end of the day. But from the other equation, if you look at the effort that attackers need to invest in order to penetrate, in order to bring down an organisation, it is exactly that asymmetric problem. Their investment in order to bring down an organisation is low and our investment as defending the organisation from being breached is high. That's the main problem in this industry. Also, the CISOs today, on top of that, are over swamped. They are understaffed and with limited budgets. If you look here at RSA, if you go inside under the expo of North and South showrooms, most of the vendors are saying the same. It is very hard for them even to distinguish exactly what they are doing.


/// BIG SWITCH NETWORKS: TRAFFIC VISIBILITY ON A CLOUD-NATIVE APPLICATION

Sitting down with Greg Holzrichter on the RSA Showroom floor, we were walked through the next generation of networking and datacentre switching, offered as an open alternative to Cisco’s Application Centric Infrastructure, with the offer of being up to 50 per cent cheaper with pervasive visibility, scalability and security, overlayed by the Big Monitoring Fabric – or Big Mon. Big Monitoring Fabric Release 6.0 is currently in beta and is expected to be available Q1, 2017.

Receiving Series C funding for US$48.5 million and a strategic partnership with DellEMC, Big Switch Networks is enjoying triple digit growth. In December, the company announced significant updates to the Big Mon product line with the introduction of BigSecure Architecture™, a cyber-defence platform that enables Terabit attack mitigation. Extended Pervasive Visibility use cases include cloud-native application traffic for monitoring of VM, Containers and Public Cloud environments. This solution enables existing security tools to leverage an externalised attack mitigation infrastructure, consisting of a pool of x86-based compute resources. Once BigSecure Architecture is instantiated, a security tool detects a high-bandwidth attack and interacts with the Big Monitoring Fabric Controller via programmatic APIs to redirect incoming traffic for elastic mitigation. Depending on the type of attack, the Big Mon Controller activates SDN fabric and compute resources for attack mitigation, reconfigures the service chain to redirect traffic to mitigation infrastructure, and load-balances traffic across a cluster of Big Mon service nodes and NFV tool farm for scale-out performance. The combination of SDN fabric, Big Mon service nodes and NFV tool farm performs Layer-7 scans of network traffic and blocks those packets/flows that contain attack signatures. With BigSecure, security teams are able to deploy dynamic cyber-defence architecture that provides elastic, Terabit-scale attack mitigation capability at an affordable price while continuing to leverage best-of-breed security tools.

Integration with leading Technical Solution Partners includes:

• A10 Networks and Big Switch Networks have partnered to create a solution for DDoS attack detection across the entire data centre. The solution is composed of A10 Networks' Thunder Threat Protection System (TPS) and Big Switch’s Big Monitoring Fabric, which leverages open networking switches.
• ExtraHop and Big Switch Networks have partnered to deliver a scalable solution for all IT teams to gain visibility into network and application traffic. The joint solution combines ExtraHop’s streaming analytics and proactive remediation capabilities with SDN controls from Big Monitoring Fabric.
• The collaboration between FireEye Threat Prevention Platform and Big Switch Big Monitoring Fabric enables monitoring of any flow, at any time on orchestrated service chains, from a single pane of glass.
• Riverbed SteelCentral NetExpress network performance management platform and Big Monitoring Fabric deliver an all-in-one pervasive network monitoring solution that combines flow as well as packet collection and analysis for the entire data centre.
• Certified joint solution of Symantec SSL Visibility Appliance with Big Monitoring Fabric Inline through Symantec's ETM Ready Program (Encrypted Traffic Management) helps customers address malware hiding in SSL traffic.

/// WEBROOT INSIGHTS: TRAFFIC VISIBILITY ON A CLOUD-NATIVE APPLICATION

Webroot announced three new products. Webroot FlowScape® Analytics, Webroot BrightCloud® Streaming Malware Detection, and Webroot SecureAnywhere® DNS Protection leverage an AI engine for protection against malicious known and unknown cyber threats. Chad Bacher, SVP of product strategy and technology alliances, said: “Our new products offer better protection against today’s most advanced threats—both known and unknown—no matter where users are or what devices are connected. These new solutions are built on a mature cloud platform that uses proven machine learning methods that continue to get smarter and more effective as we add new endpoints, sensors, and data sources.”

Webroot has integrated FlowScape Analytics with Webroot BrightCloud® Threat Intelligence to accelerate the discovery and investigation of unknown threats that access, traverse, and exit disparate networks. The FlowScape solution analyses different traffic types and behaviours within the network, as well as inbound and outbound traffic, to supply security operations teams with the ability to identify anomalous network traffic from unknown threats. Combined with BrightCloud Threat Intelligence, FlowScape Analytics offers contextual threat intelligence on malicious IPs and URLs with network visibility for incident response teams to investigate threats and devise mitigation plans. As malware is now overwhelmingly polymorphic and advanced persistent threats (APTs) mask their activities within everyday network noise, FlowScape analytics and unsupervised machine learning enable organisations to reduce the time required to classify and address threats.

Quoting Gary Hayslip, CISO for the City of San Diego: “With a daily count of approximately 500,000 cyberattacks against the city of San Diego networks, Webroot FlowScape Analytics gives us the network visibility we need to protect critical infrastructure and services. FlowScape Analytics technology allows us to determine risk of system-wide user behaviour and flag anomalies for remediation.”

“With these new releases, Webroot is working to address some of the key issues that make protection against modern malware so difficult,” said Eric Ogren, Senior Analyst with 451 Research. “Through greater visibility into the network layer, Webroot will now help customers identify threats based on anomalous network behaviour. Providing a security solution that combines endpoint security and DNS-based web security will also help protect businesses from threats, while lowering overall support costs.”

The FlowScape solution is available for custom integration and evaluation as part of an early availability program. BrightCloud Streaming Malware Detection is available for Beta technology partners with general availability scheduled for mid-2017. Webroot SecureAnywhere DNS Protection is in Beta currently and scheduled for GA release in April 2017.

/// PREDOMINANT FOCUS: IF CONTENT IS KING, THEN CONTEXT IS QUEEN

Insight Interview with Leonard Kelinman, Chief Cyber Security Advisor, RSA - APJ Region

Leonard Kelinman should be well known in Canberra cybersecurity circles, but sitting down to chat in San Francisco amongst 45,000 other busy professionals, there was a sense he is part of a much bigger, global machine, that is RSA. Leonard provided insight into his role as Chief Cyber Security Advisor for the Asia Pacific region.

What role does a cyber security advisor fulfil?

This role with RSA allows me to remain forward focused when reaching out to industry, government and organisations. Essentially, I provide the advice, guidance and support that they may need. The three predominant sectors I’m working with are governments in the Asia Pacific and Japan region, critical infrastructure and education. The first part of the role is to understand the landscape, mainly with government and utilities, particularly with the mandatory data breach legislation and the impact this has at the board level. This includes Incident Response (IR) and IR capabilities, cyber insurance and considering how it affects their ability to discover and respond to breaches. I have found invariably the larger the agency or organisation the better they are in terms of posture and preparedness. I feel for the SME type organisations, they often have contracted services, where they may have good process and procedures but with limited in-house capability, you cannot outsource responsibility, so vetting the contractors is vitally important. My mantra going forward is based on our traditional technology capabilities which have been built around content but now we are talking about context – put simply, ‘if content is king, then context is queen.’

What does it mean to be contextually aware?

There is a lot of value there in what organisations have already invested in. What we are doing is building a capability that creates a plus one, adds to the traditional services and gives context. My role allows me to come to understand the pain points and develop the strategy around that for customers. An easy industry example would be the cyber-industry vocation. I’m working with a government agency in assisting them with their recruitment for cyber. The focus is on developing the right job description, criteria and develop a methodology for selection. In the Federal Government space, based on my experience at the Australian Taxation Office, there was great success in vulnerability management and a large part of that was about getting the right people. That means the right people into the right roles. Part of the problem can exist at the higher positions of organisations, with those who have the capability and responsibility but due to age and years of experience, bring a more traditional ‘they know best’ mentality and this makes it much more difficult for cultural change. But having said that there are those with a more open mindset and who are better prepared. The engagement is so much more fruitful with those individuals. The other aspect is, with time, you are going to find that the newer generation, say those of 5-10 years junior to the current senior roles, will have greater cyber exposure and will bring a better and stronger appreciation to cybersecurity services and capabilities. I’m a bit pragmatic. If your organisation got hacked, you need to better understand that. Bad stuff is still going to happen and understanding you have done everything that is reasonable to have done. Knowing what is reasonable, learning about known breaches and having a clear proceeding course of action.

How is Australia faring in the APAC region?

The AU$230 million allocation as part of the Australian Cybersecurity Strategy and AU$300 million to the ASD is encouraging because it is substantially more than before, but far less than the UK and USA. Let’s see what we can do with it first and then allocate more if needed. We are working with other countries and using them as a yardstick. Within ASD and review of the PSPF, there has been a change to devolve risk to the agency heads and now it’s up to the business heads to manage, so cyber programs are subject to different risk appetites. Most organisations have a moderate risk tolerance and production programmes tend to have a higher risk tolerance.

How does the 2017 cyber landscape look?

In 2017, we are likely to continue to see a lot of volatility and this industry is naturally volatile. In particular consolidation across the vendors and the legislative landscape changes, highlighting mandatory reporting and GDPR, which is applicable anywhere in the world, including Australia. Discussions have started to make some waves, such as ‘how does that affect us?’; but it is still playing catch-up to the cyber realm. Organisations have to spend some time thinking about this, in a global world and with a pervasive technology.

/// MENLO SECURITY UNCOVERS NEW SPEAR PHISHING CAMPAIGN

Leveraging multiple scripts to customize attacks on US enterprises

Menlo Security, a pioneer of cloud-based isolation security technology, announced that its cybersecurity researchers recently uncovered a sophisticated spear phishing attack at a well-known enterprise that went undetected by existing security solutions. A close examination of the recent spear phishing event by Menlo Security researchers revealed the following details:

• The attackers performed various checks on the password entered by the victim and their IP address to determine whether it was a true compromise versus somebody who had figured out the attack.
• The attackers supported various email providers. This was determined by the fact that they served custom pages based on the email domain. For example, a victim whose email address was john.doe@gmail.com would be served a page that looked like a Gmail login page.
• The attackers exfiltrated the victim’s personally identifiable information (PII) to an attacker controlled account.
• The attacker relied heavily on several key scripts to execute the phishing campaign, and to obtain the victim’s IP address in addition to the victim’s country and city.

“Credential theft via increasingly sophisticated spear phishing attacks is dangerous to the enterprise,” said Poornima DeBolle, Chief Product Officer and co-founder of Menlo Security. “Existing email security products will have a difficult time detecting these attacks using the usual good versus bad methods. Once an attacker obtains an employee’s credentials, they have the keys to your kingdom.”

The spear phishing vulnerabilities stem from legacy email security solutions, including sandbox-based anti-phishing products, being largely based on reputation; that is, whether an email link is known to be “good” or “bad.” A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis. In the case of spear phishing attacks, which target specific individuals within an organisation, the email link is usually unique, as is the target user, hence there is no third-party reputation data available, nor is there enough data to analyze internally to make an accurate determination. If the determination is incorrect, users are sent directly to a web site where credentials can be stolen or malware can be downloaded to the user’s device. For more details on the anatomy of the spear phishing attack, please visit: www.menlosecurity.com/research-brief-2017



Modernising your security strategy

By Peter Tran, General Manager and Senior Director of RSA Security’s Worldwide Advanced Cyber Defence Practice, RSA

While cloud, mobile and the Internet of Things (IoT) present undeniable efficiencies and opportunities in the business world, the reality is that they also add a multitude of cybersecurity complexity and potential exposure. In 2016, over 260 billion apps were downloaded over the Internet across approximately 7.5 billion mobile devices communicating in an interdependent web with cloud based platforms and services. This is referred to as the Internet’s “Third Platform” and is where innovating your information security strategy is imperative. Many organisations are finding the increased efficiency gained from new technologies is paramount to remain competitive in today’s “Third Platform”, as these technologies are foundational to many critical key business and operational innovations. The number of devices, identities, and cross-functional systems across hybrid cloud, on-premise, public/private infrastructures, mobile platforms and shared business IT services is skyrocketing. To date, there are over 22 billion connected IoT devices on the World Wide Web with a projected growth to over 50 billion by 2020. This is predominantly driven by an increased adoption of cloud collaboration infrastructures, mobile workforce, sales and operations teams as well as an expanding number of global trusted partner networks and privileged external/third party users. The explosion in the number of devices, identities, and shared systems isn’t just transforming business but is changing critical cyber security requirements directly related to the sheer scale, speed and complexity by which organisations, both public and private, are migrating legacy systems to the “Third Platform”. While modern organisations are capitalising on cloud, mobile and IoT, they are also expanding their attack surface— and with it, new “hacker hot spots” are left in the wake of IT technology expansion, which leaves a fertile ground for nation state hackers and cyber criminals to exploit.

The worldwide cybersecurity spend for 2016 topped US$74 billion according to research analyst firm IDC, with projected spend to reach over US$102 billion by 2020. Despite this level of spending, we have seen over 2,000 data breaches, 700 million personal records stolen with an average financial loss of US$3.5M per incident. That said, the most shocking statistic is that on average, organisations were aware they had been hacked less than 30 percent of the time. Another way to look at it is that with today’s aging security capabilities, hackers have a 70 percent chance of breaching an organisation’s network undetected. It’s a reality check now, and time is not on our side, for organisations to face the hard facts.

Traditional security measures no longer stack up against the advanced cyber risk that organisations face today. They are ineffective because they are built around the belief that attacks can be prevented based on conventional perimeter-based designs. The rapid transformation to the “Third Platform” coupled with new attack techniques and tactics are driving a call to action for strategies to be put in place to manage attacks based on business context and operational risk or “business driven security”. Traditional security strategy has typically been an afterthought, focused almost exclusively on protecting technology and systems that have already been put in place within legacy on-premise infrastructures. Business initiatives were and in many instances are still developed without considering the cyber risk exposure associated with them. In fact, many organisations have not even gone through the exercise to determine what their cyber risks are. Simply put, the right hand doesn’t know what the left hand is doing. The widening gap between business context and cyber risks is where breach exposure exists. The gaps in traditional security strategies become wider with the proliferation of cloud, mobile and IoT, as well as a surge in third party workforces within organisations, all adding to business complexity and risk. If businesses want to modernise their security operations, technology investments alone are insufficient.
Security innovation and transformation begins with a balanced strategy between IT architecture, infrastructure, technology, process, automation, data analytics, effective workforce management, compliance and governance. Cloud technologies provide enterprises with on-demand anytime/anywhere access to key applications, services and platforms. However, what many organisations fail to realise is that all the convenience provided by the cloud is in fact at the heart of the problem; better, faster, cheaper but NOT necessarily secure. Decisions about cloud systems are often made by siloed and federated departments while bypassing formal approval channels and without the knowledge of IT - a practice that is called working in the shadows or “Shadow IT”. It’s easy for malicious insiders and other attackers to take advantage of Shadow IT. Cloud systems often interact with other business and operations systems and/or are used to store the organisation’s valuable data about engineering/developing, partners, prospects and customers. In this way, attackers can easily compromise cloud systems in order to steal proprietary and/or confidential information completely undetected. The best way to control cloud technologies is to gain complete visibility into the cloud infrastructure and services being used and implement appropriate controls. Although this is easier said than done, it is a sound security strategy that drives continuous monitoring and early detection across the cloud and to the end points.

Additionally, “Bring Your Own Device” (BYOD) has now become common practice for most organisations, allowing employees to work remotely and/or have access to the organisation’s information from their personal devices. Does this further compound the problem? Absolutely! The combination of mobile or potential rogue devices and an Internet connection is enough to breed mass scale mobile security risks. Users may rely on a device and/or connection that is not owned, provisioned, managed, or controlled by the organisation.
If businesses provide mobile devices to employees or have a BYOD policy in place, then it’s critical to closely monitor activity for all devices accessing organisational data. Modern organisations are aware of the risks involved and as such, they have control over which business data can be accessed by and saved to mobile devices. More importantly, continuous monitoring and early detection of user behavioural analytics (UBA) in context to business risk should be a top priority with an adaptable security strategy. In only three years there will be over 50 billion connected devices and sensors worldwide. How prepared are organisations to integrate and cope with the influx of business-enabled, internet-enabled devices?

Many of these devices and sensors send continuous streams of unstructured information about business and operational activities across the Internet where that information is harvested for insights. As such, IoT is often referred to as the “Next Industrial Revolution” – with the promises of dramatically increasing the production and efficiency of manufacturing, healthcare, banking, workforce productivity and more. This is the promise of “connected and enhanced living” and business driven security will be a force enabler in managing “Third Platform” risks of intrusion, data disruption and destruction.

As security strategy shifts from the perimeter to managing a dynamic, business-driven security environment, a stronger partnership between business leaders and their security experts is essential. Business leaders want to know what the business impact is or would be of a security breach. Security experts focus on the technological details and implications of a security breach. This gap in understanding stands in the way of being able to answer THE critical question when an incident does occur… HOW BAD IS IT TO THE BUSINESS?

The goal of a modern organisation’s security strategy is to create harmony between the security strategy, IT environment, and business and operational priorities. As such, modern organisations are moving rapidly toward a business-driven security strategy—developed in collaboration with the broader IT team, operational and business leaders—that prioritises security efforts by connecting security risk to the business and operational risk. Fully understanding the security risk in the context of impact to business and operations is key. With a business-driven security strategy, organisations can connect security risk to business risk that is contextual and specific to the growing organisation.
About the Author

Peter Tran is an Advanced Cyber-defense Technology, Security Operations Practitioner and Executive Leader with over 18 years of demonstrated field experience focused on developing, implementing and growing cutting edge cyber-counterthreat, exploitation solutions and operations to address new innovations, applications and applied information security defence methods. As the GM & Senior Director for RSA’s Worldwide Advanced Cyber Defence (ACD) Practice, Peter is responsible for global cyber defence strategy, breach readiness, security operations design/implementation, intelligence and proactive computer network defence solutions and services. Prior to RSA, Peter led Raytheon’s commercial cyber professional services and solutions business as well as its Enterprise Security Operations and Cyber Threat Programs for SOC/CERT, intelligence, APT threat analysis, technical operations, exploitation analysis and adversarial attack methodologies research/tools development. He possesses over 18 years of combined government, commercial and research experience in the field of computer network forensics, exploitation analysis and operations.



10 Cybersecurity startups to watch in 2017

By Tony Campbell Editor

A recent influx of investment capital into cybersecurity has driven innovation and expansion in startup communities all around the world. Cybersecurity is now a red-hot business proposition, which is why new companies, even when they are still in their infancy, can create entirely new segments of the cybersecurity industry, with areas of focus such as security risk mitigation, cloud security and adaptive behavioral modelling technologies. After seeing all the big players at the RSA conference in February 2017, here are ten of the most exciting new cybersecurity startups to watch in 2017.

10 | Darktrace

Darktrace focuses on a cyber “immune system” to manage and mitigate threats to network security in an enterprise or industrial setting using adaptive machine learning technology based in Bayesian mathematics. The company was founded in 2013, and received over $25 million in funding during 2016 alone.
CEO: Nicole Eagan
Headquarters: Cambridge, United Kingdom
Founded: 2013
www.darktrace.com

9 | Evident.io

Evident.io provides security and compliance monitoring for Amazon Web Services, public cloud services, infrastructure as a service and platform as a service. Their software allows for real time monitoring and security alerts for companies operating in the cloud. Evident.io was founded in 2013 and had a $22 million funding round in 2016.
CEO: Tim Prendergast
Headquarters: California, United States of America
Founded: 2013
https://evident.io

8 | Intsights

IntSights’ software subscription allows companies to detect, analyze, and remediate cyber-attacks to their infrastructure in real time. The company was founded in 2015 and had a $15 million funding round already this year.
CEO: Guy Nizan
Headquarters: New York, United States of America
Founded: 2015
https://intsights.com

7 | Kenna

Kenna security software is a risk intelligence platform intended to prioritize and mitigate vulnerabilities within a company’s infrastructure in a matter of minutes. This is particularly important for companies that need to provide risk reports to their stakeholders on a regular basis. Kenna was founded in 2011 and had a $15 million funding round in late 2016.
CEO: Karim Toubba
Headquarters: San Francisco, United States of America
Founded: 2011
www.kennasecurity.com

6 | PerimeterX PerimeterX offers behavior based defense from automated or non-human cyber-attacks. The company was founded in 2014 and had a $12 million funding round in early 2016. CEO: Omri Iluz Headquarters: San Mateo, United States of America Founded: 2014 www.perimeterx.com

5 | Phantom Phantom was founded in 2014, and provides an automated security and orchestration platform that can perform incident response, triage, and remediation. The company has already received $13.5 million in funding in 2017. CEO: Oliver Friedrichs Headquarters: Palo Alto, United States of America Founded: 2014 www.phantom.us


4 | RiskIQ

2 | Cynet

RiskIQ, founded in 2009, provides risk monitoring technology for online threat detection concerning a brand’s customers. RiskIQ had a $25+ million funding round in 2016. CEO: Elias (Lou) Manousos Headquarters: San Francisco, United States of America Founded: 2014 www.riskiq.com

Cynet is a newer cybersecurity company, founded in 2015. They provide threat detection and incident response for enterprise companies. They had a $7 million funding round in early 2016. Their software provides endpoint detection and remediation, user behavior analytics, network analysis, and system forensics in a single platform. CEO: Eyal Gruner Headquarters: New York, United States of America (and Rishon Lezion, Israel). Founded: 2015 www.cynet.com

3 | Skybox Security Skybox security is the most senior company on this list, founded in 2002, however, they had an impressive $96 million investment in 2016 from private equity. Skybox offers a security analytics and intelligence platform for companies operating in the cloud. CEO: Gidi Cohen Headquarters: San Jose, United States of America Founded: 2002 www.skyboxsecurity.com

Users

1 | Fireglass This company was founded in 2014, and had a significant $20 million funding round in 2016. Fireglass offers a network security and isolation platform to companies operating in the cloud, aimed at removing threats and stopping security breaches in real time. CEO: Guy Guzner Headquarters: New York, United States of America (and Tel Aviv, Israel). Founded: 2014 https://fire.glass

Web Australian Cyber Security Magazine | 83




FEEDBACK LOOP - Have Your Say

There are many ways that you can provide feedback to us and converse with our editorial board, but we’re establishing this regular feature in the Australian Cyber Security Magazine because conversations can change the world. It is encouraging to see that so many of you are already so vocal on some of the big issues affecting Australia, voicing your opinions on LinkedIn, blogs and at industry conferences. We will endeavour to respond to every single one of you and publish the best discussion pieces in each issue in this new standing section, entitled Feedback Loop.

To thank you for your feedback, we’ll provide a token of our appreciation for the best letter in every issue. As this is the inaugural issue we don’t have any feedback yet, so let’s cut to the chase. The prize for the best letter in issue 2 will be a complete set of social engineering guru Chris Hadnagy’s three amazing books.

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analysed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation-state and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high-profile breaches at Target, RSA, Coca-Cola and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes and post-high-profile-event attacks. Learn how to protect yourself and your organisation using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Unmasking the Social Engineer: The Human Element of Security
This book focuses on combining the science of understanding non-verbal communication with the knowledge of how social engineers, scam artists and con men use these skills to build feelings of trust and rapport in their targets. The author helps readers understand how to identify and detect social engineers and scammers by analysing their non-verbal behaviour. Unmasking the Social Engineer shows how attacks work, explains non-verbal communication, and demonstrates with visuals the connection between non-verbal behaviour and social engineering and scamming.

Social Engineering: The Art of Human Hacking
The first book to reveal and dissect the technical aspects of many social engineering manoeuvres. From elicitation and pretexting to influence and manipulation, all aspects of social engineering are picked apart, discussed and explained using real-world examples, personal experience and the science behind them, to unravel the mystery of social engineering.
