Australian Cyber Security Magazine, ISSUE 8, 2019 by MySecurity Marketplace

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 8, 2019

Civic Cyber Warfare - The Fog Snake bites and data breaches Cyber Preparedness Building Blocks Windows Task Scheduler Flaw Discovery

Security Orchestration, Automation and Response (SOAR) Wanted: Effective CISOs Who Stay Longer Do you need to choose, to make the frame-work?

CYBER INSURANCE ESSENTIAL STEPS TO COVER

Cyber Security Weekly Podcast Highlights

PLUS

Techtime

TRANSFORM & CHANGE FORUM NETWORK ISOLATION AS A CISO SECURITY WEAPON MELBOURNE

SYDNEY

Wednesday 7 August 2:00pm – 5:00pm

Thursday 8 August 2:00pm – 5:00pm

(plus networking drinks) VENUE Mon Bijou Penthouse Level 10 & 11, 187 Flinders Lane, Melbourne, Vic 3000

(plus networking drinks) VENUE Four Points by Sheraton Sydney, Central Park 88 Broadw Broadway, Sydney, NSW 2008, Australia

The adoption of Software as a Service (SaaS) is causing companies to rethink their security architecture as they move to the cloud. But what works on premises does not work in the world of cloud. Companies must fundamentally rethink how to secure their networks. Network isolation changes the game and can deliver greater protection. This new approach must be a core component of modern security architecture. Registrations are by-invitation only and are kindly limited to government and corporate teams currently tasked with working in information security or information technology. AGENDA HIGHLIGHTS

MEET OUR GUEST SPEAKERS M E L B O U R N E

S Y D N E Y

2:00pm 2:30pm 2:40pm 3:20pm 3:40pm 4:20pm 5:00pm

RODNEY EADE

JANA PITTMAN

Senior Coach

World Champion

BROUGHT TO YOU BY

Registration and Networking Welcome and Menlo Introduction – Keith Symons Customer case study + MSIP demonstration Afternoon Tea Break Keynote Guest Speaker Panel Discussion & Closing Comments Networking Drinks & Canapes

Uber/Taxi Service is available to Venue only

E X C L U S I V E M E D I A PA R T N E R

PRIVILEGED ACCESS FORUM DEFENDING AGAINST TARGETED ATTACKS SINGAPORE

MELBOURNE

Thursday, 15 August 2019 Four Points by Sheraton

Thursday, 22 August 2019 Grand Hyatt

According to recent reports, 81% of hacking-related breaches leverage WHY YOU CAN'T AFFORD TO MISS IT

stolen or weak passwords. This is consistent with other breaches that have hit the Asia Paciﬁc region in recent years. Singapore Health, Cathay Paciﬁc

Real Case Studies & Invaluable Information

and the Australian Parliament are just recent examples of how unprotected

Hear from our international speakers and stay up-to-date with what’s happening in the IT security industry around the world and in Asia Paciﬁc.

privilege credentials can be exploited to gain access to sensitive data.

Watch a Live Hack!

Privileged accounts and credentials are the most commonly targeted point

How cyber hackers inﬁltrate an organisation’s network and exploit privileged

of entry for cybercriminals, and the risk surface is growing signiﬁcantly.

credentials to move laterally and gain access to sensitive information.

With the development of hybrid infrastructures, virtualisation, and cloud,

Privileged Account Security

there are more privileged accounts than ever for attackers to target. Asia

Understand why global industry analysts like Gartner recommend Privilege Access

Paciﬁc is a signiﬁcant target for cyber threats due to its geographical region

Management as the number one priority for CISOs, and a critical part of the IT

and hub for global commerce.

security strategy.

Taking place in Singapore and Melbourne, the "Privileged Access Forum: Defending Against Targeted Attacks" are designed for business and technical drivers of the cybersecurity program within government and enterprise organisations. With a dynamic mix of plenary sessions and interactive panel discussions, these half-day conferences will offer you the opportunity to hear from prominent industry experts and exchange best practices with fellow IT security professionals from across industries.

SHANE READ

MOREY HABER

GENE NG

Chief Information Security Ofﬁcer, Nobel Group HONG KONG

Chief Technology Ofﬁcer & Chief Information Security Ofﬁcer, BeyondTrust USA

Regional Vice President APJ, BeyondTrust SINGAPORE

BROUGHT TO YOU BY

Regist Registrations are by-invitation only and are kindly limited to government and corporate teams currently tasked with working in information security or information technology.

E X C L U S I V E M E D I A PA R T N E R

CYBER RISK LEADERS IMMERSE YOURSELF IN THE WORLD OF A CISO (CHIEF INFORMATION SECURITY OFFICER)

“This large and diverse group paints an interesting narrative of the state of play in enterprise cyber risk.” Foreword by M.K. Palmore, Retired FBI Assistant Special Agent in Charge, FBI San Francisco Cyber Branch

“With experience and insight, Shamane has written a really useful book for existing and aspiring CISOs. I loved her unique voice, highly readable style, and wholeheartedly recommend this book.” CEO, Cyber Security Capital (UK)

“She has explored many topics long considered on the fringe of traditional security with great storytelling and insights from industry leaders.” CISO, Telstra APAC

ABOUT THE AUTHOR SHAMANE TAN advises C-Suite on uplifting their cyber risk and corporate security posture. She is an international speaker and Founder of Cyber Risk Meetups, a platform for security executives to share innovative insights and war stories.

GET YOUR COPY HERE! Proudly Published by

4 | Australian Cyber Security Magazine

www.mysecuritymarketplace.com

THE WORLD'S MOST FAMOUS HACKER

KEVIN MITNICK

LIVE FOR THE FIRST TIME HERE IN PERTH

Stay Cyber Safe is proud to be hosting Kevin Mitnick at Crown Casino Perth during October 2019 International Cyber Security Month Founder - Silvana Macri

Platinum Sponsor

THE ENTERPRISE FIGHTS BACK

How Hackers Attack and How To Fight Back

Live Hacking Demonstrations of the Current Threats to You and Your Business.

You will learn how to detect manipulation and take steps to protect yourself and your organisation. Kevin is the worldwide authority on social engineering and constantly improves and updates this highly effective and acclaimed "security awareness" presentation.

Kevin Mitnick is uniquely qualified to take you inside the mind of a hacker.

Kevin is now a trusted security consultant to over Fortune 500 companies and governments worldwide, and he leads the world’s top security penetration testing team maintaining a 100% successful track record of being able to penetrate the security of any authorised system.

Kevin's presentations are technology magic shows, which include the latest hacking techniques that educate and inform while keeping attendees on the edge of their seats. As he demonstrates security vulnerabilities, Kevin offers expert commentary on issues related to information security and increases "security awareness". All tickets go into the draw to win awesome prizes like a Chromebook, set of Kevin Mitnick’s books, a Broome holiday and so much more.

Book Your Tickets NOW! – wacyberawards.com.au

Australian Cyber Security Magazine | 5

Cyber Security

SCADA & ICS CYBER SECURITY WORKSHOPS

PERTH, SYDNEY, BRISBANE, MELBOURNE 11 - 22 NOVEMBER 2019 Overview

Facilitator

Reliable and safe operation of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are considered critical for a broad range of industries supporting the wellbeing on a national level.

Daniel Ehrenreich, B.Sc. Engineering, ISO27001 Lead Auditor. Secure Communications and Control Experts

The growing convergence of IT and ICS, long-time separated domains, calls for a special attention and adoption of ICS-oriented best practices. That being said, these functionalities can be jeopardised internally by an incentivised individual, or through remote access by a hostile organisation; Hence appropriate preventive measures should be taken to mitigate these breaches and minimize possible damages.

Target Audience The proposed training workshop is aimed to empower the competency of a wide range of position holders in the SCADA/ ICS arena. Graduates of this course will master the key terms, technologies, and vector activities related to the computerised control which they operate. The training program is suitable for the following groups: •

•

IT personnel who need to know more on SCADA/ICS risks and defence technologies in order to assure better collaboration among these teams SCADA/ICS engineers involved with design, maintenance of critical manufacturing (food, medicine, chemical processes, etc. Operators dealing with control of renewable and other electric power technology plants, sewage plants, desalination and other chemical process plants A broad range of managers interested in upgrading their technical knowledge and to be able to make correct and cost-effective investment decisions Upon completion of this training workshop, graduates should be able to better defend their critical infrastructures and comprehend the mechanism behind it. Also, it will prepare you to apply for certification classes such as CISA and CISSP.

6 | Australian Cyber Security Magazine

Daniel’s current assignments include writing ICS Cyber Security Methodology as well as lead facilitator for ICS Cybersec 2019, Israel and ICS Cybersec Asia 2019, Singapore.

Daniel Ehrenreich

Daniel brings over 25 years of experience with SCADA & ICS, deployed for electric power, water, sewage, oil and gas. Since 2010 he has combined his engineering activity with cybersecurity and has consulted and delivered training in Israel and across the world. Previously he held senior positions with leading firms in Israel, including Waterfall Security, Siemens and Motorola Solutions.

BEST PRACTICE WORKSHOP The two days are suitable to a broad range of technical and C-level positions in the OT & IT domains and includes provision of training material and Certificate of Attendance. The class is suitable for people, coming from or interested in entering typical SCADA industries:

Water and sewage Power plant Power distribution Oil and Gas Manufacturing Chemical plants

Public safety Transportation Smart Cities Public communication networks

COURSE REGISTRATION

EARLY BIRD $1,250 - CLOSES 1 SEPTEMBER 2019 FULL COURSE MATERIALS PROVIDED "Dan’s experience in this area of practice was great to learn from."

* PRICES EX GST

"Thanks to Daniel Ehrenreich for a great two day workshop on managing cyber risk within industrial control systems."

- Principal Engineer E&I – Technical Services

- Senior Risk & Security Consultant

Day 2 - Advanced Training Workshop Syllabus

Day 1 - Intermediate Training Workshop Syllabus Part 1 08:30 – 12:30 Introduction to ICS Technologies

Part 3 08:30 – 12:30 SCADA/ICS Cyber security vulnerabilities

o o o

o o o o o

Introduction to ICS (SCADA, OT) architecture Roles of the main computers in ICS architecture Description of the Triangle and the Purdue ICS models Field Control units PLC, RTU, IED and Remote I/Os Structuring an ICS Cabinet with I/O tech-nologies Complementing Sensors and Field Control Devices ICS Data communications; networks and protocols PLC / RTU Configuration and Programming principles

Part 2 13:30 – 17:30 SCADA/ICS Cyber Security Basics o o o o o o o o

ICS and IT systems differences related to cyber risks Introduction to SCADA system Security Vulnerabilities Cyber risk development through Social Engineering Introduction to IAM, encryption and authentication Defence achieved by PPT: People-PolicyTechnology External & Internal attacks: MitM, DOS, DDoS, GPS Defence solutions: Zoning FW, IDS, SIEM, DMZ, UGW Defence achieved by PPT: People-PolicyTechnology

o o o

Introduction to ICS (SCADA, OT) and HMI Solutions Field Control units PLC, RTU, IED and Remote I/Os Use of IoT and IIoT for ICS Installations Introduction to Authentication and Encryption Introduction to SCADA system Security Vulnerabilities Connection between Safety and Cyber Security ICS and IT systems differences related to cyber risks Experience Sharing: Vulnerability Assessment vs White Hackers Why You Need Both

Part 4 13:30 – 17:30 ICS Cyber Security Risk and Defence methodologies o o o o o o o o o

External & Internal attacks: MitM, DOS, DDoS, GPS Industrial Cyber Kill Chain attack step-by step process Communications and Process Anomaly detection using packet’s inspection Firewalls, IDS, SIEM, DMZ, UGW, Visibility Analysis Best practices to enhance ICS-IIoT Cyber defence Periodic assessment to enhance ICS Cyber security Standalone Vs Multi-Purpose Cyber Security SW: Determining Cost vs Effectiveness Applicable standards: NERC-CIP, IEC 62443, NIST 800-82

Australian Cyber Security Magazine | 7

FOCUS ON SECURITY THE 2019 SECURITY EXHIBITION & CONFERENCE:

WHERE YOUR SECURITY NEEDS ARE BROUGHT INTO FOCUS

24-26 JULY 2019 ICC SYDNEY DARLING HARBOUR

Gain insight into the newest innovations that are reinventing the industry. AI, biometrics and tech inventions are moving at lightning speed and smart technology is inspiring new discoveries every day.

EXHIBITION IS FREE REGISTER NOW

Industry leaders, new visionaries and expert users are all joining together to exchange ideas and developments. The Security Exhibition + Conference is Australiaâ&#x20AC;&#x2122;s largest and most established commercial security event that cultivates innovation, solves problems and leads an industry to be the best in the world.

#security2019

8 | Australian Cyber Security Magazine

securityexpo.com.au

LD RS SO EA CE Y N T3 RE AS FE L N HE CO T T U O

THE ASIAL SECURITY 2019 CONFERENCE

BUILDING RESILIENCE TO COMBAT CHANGING SECURITY THREATS The ASIAL Security Conference hosts a compelling program of renowned local and international experts, academics and visionaries addressing how to strengthen your capabilities, managing risk, a digital future, emerging technologies and innovations, integration and more. It is your annual opportunity to receive fundamental updates from the organisations shaping today’s security landscape in a program carefully curated by the industry’s peak body. The format and content of the program reflects critical industry updates and challenges on the first day, followed by your choice of streamed executive briefings on the second and third day of the program. Bring your security needs into focus, stay up to date with the latest developments and gain a competitive advantage with proven strategies to tackle a rapidly changing industry.

SECURE YOUR EARLY BIRD TICKET & ENTER THE DRAW

TO WIN A PENTHOUSE HOTEL SUITE DURING THE EVENT!

HEADLINE SPEAKERS

HUGH RIMINTON

NICK ALDWORTH

DR TONY ZALEWSKI

JOHN LOMAX

Author, Television News Presenter, Radio Broadcaster. Conference Moderator

MPA DipPR, National Coordinator Protect & Prepare, Counter Terrorism Policing National HQ, New Scotland Yard

Director, Global Public Safety Pty Ltd

General Manager Asset Protection, The Star

KELLY SUNDBERG

SHARA EVANS

NICK DE BONT

DR LISA WARREN

Associate Professor, Mount Royal University (Canada)

Futurist, Market Clarity

Chief Security Officer, Thales Australia

Clinical/Forensic Psychologist, Clinical Director, Code Black Threat Management

SECURITYEXPO.COM.AU FOR FULL SESSION DETAILS

BOOK NOW TO SECURE YOUR PLACE and take advantage of the early bird discount. Lead Industry Partner

EXHIBITION HOURS

CONFERENCE HOURS

Wed 24 July: 9:30am – 5.00pm

Wed 24 July: 9:00am – 5.00pm

Thurs 25 July: 9:30am – 5.00pm

Thurs 25 July: 9:00am – 2:30pm

Fri 26 July: 9:30am – 3:30pm

Fri 26 July: 9:00am – 2:30pm Australian Cyber Security Magazine | 9

Driving growth in Australia’s cyber security sector From ideation to export, and everything in between, AustCyber works with: • Startups

• Government agencies

• Scale-ups

• Research organisations

• Corporates

• Educational institutions.

• Venture capital funds

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access: Funding across all stages of the commercialisation cycle Profitable global supply chains and growth markets.

The first step is to connect with us: www.austcyber.com 10 | Australian Cyber Security Magazine

info@austcyber.com

+612 9239 3250

@AustCyber

One destination for all your cybersecurity needs. In today’s cybersecurity, there’s no standing still. The threats are greater, the stakes are higher. That’s why there’s RSAC 2019 Asia Pacific & Japan. Join industry leaders and peers as you explore best practices, get up to speed on new regulations, and stay on top of the latest developments through: •

Informative sessions covering eight tracks

•

Inspiring keynotes that examine where the industry is headed

•

Hands-on demos of cutting-edge products from over 90 companies

•

Innovation in action at RSAC Early Stage Expo and RSAC Launch Pad

•

Networking opportunities that can benefit your company and career

Don’t miss the chance to get all the tips and tools you need to help protect your organization. Register today at: www.rsaconference.com/mysecuritymedia19

Australian Cyber Security Magazine | 11

Contents

Editor's Desk 13 Editor Tony Campbell Director & Executive Editor Chris Cubbage

Cyber preparedness building blocks

Director David Matrai Art Director Stefan Babij

MARKETING AND ADVERTISING promoteme@mysecuritymedia.com

Wanted: Effective CISOs who (happily) stay longer

Copyright © 2019 - My Security Media Pty Ltd GPO box 930 SYDNEY N.S.W 200, AUSTRALIA E: promoteme@mysecuritymedia.com All Material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Snake bites and data breaches

Feedback loop - have your say!

Cyber preparedness building blocks

Information security meets scaled Agile

Podcast highlight episodes

Wanted: Effective CISOs who (happily) stay longer

Podcast highlight episodes continued

Podcast highlight interview

Do you need to choose, to make the frame-work?

Snake bites and data breaches

A FAIR based cyber insurance claim

Civic cyber warfare – The fog

Windows Task Scheduler

Does your heart plummet at the thought of SOAR?

Black Hat Seduction

Techtime

CONNECT WITH US www.facebook.com/apsmagazine @AustCyberSecMag www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

Civic cyber warfare – The fog

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors www.cyberriskleaders.com

www.mysecuritymedia.com

Tristan Bennett

Samantha Humphries

Dan Lohrmann

Tony Campbell

Elliot Dellys

Also with Anthony Langsworth James Crowther Deven Raniga

www.australiansecuritymagazine.com.au

www.aseantechsec.com

www.drasticnews.com

www.asiapacificsecuritymagazine.com

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

David StaffordGaffney

Brenda van Rensburg

Annu Singh

Jane Lo*

Denny Wan

Pip van Wanrooij

Editor's Desk

Once more unto the breach This last quarter has seen some scary breaches affecting both Australian iconic brands, like the Australian National University (ANU) and many of the world’s largest and most respected ICT service providers. Interestingly, there is one common factor across all these hacks, and some of the lesser known ones, where the common enemy is alleged to be China. ANU was targeted because of all the valuable personal information it contains on many of Australia’s most senior business and political leaders. Even those students who were affected, who are not yet in influential positions within our economy, are now at risk in the future. This is devastating for our national security and the ramifications won’t fully be understood for many years to come. It reminds me of the Office of Personnel Management (OPM) hack in the US, where China (again) was believed to be behind the large-scale theft of all US Government’s employee clearance packs. The OPM breach will cause harm to individuals in position of influence or power, since a foreign intelligence service now has access to personal data that could be used against them. The ANU hack, which happened despite the fact the Australian government helped the university bolster their cyber defences in 2018, and China is believed to have got away with the last 19 years' worth of personal data for students past and present, including bank account details and tax records, along with academic transcripts for both students and staff. The other hack that’s come back into the news over the past few months is the next chapter in the “Cloud Hopper” tale of woe. It’s come to pass that we now know eight of the largest multinational managed service providers (MSPs) were breached by the Chinese government to control the supply chain of their customers: who are largely government departments, critical national infrastructure and very large commercial organisations. Breaching these MSPs is a relatively straightforward way to break into their clients, since they often use simple technology to connect from their corporate networks into their customer network, such as direct VPN connections or jump boxes (a system set up with all the access and tools needed to perform administrative tasks on the customer network). With all this news of hacking, it really seems like our adversaries are getting

the better of us. Some say that not much has changed and this has always been the remit of nation state intelligence services, whether they are against us or on our side. What’s changed is that the targets are soft, they are easy to breach, and the attack surface is massive. In this case, the Chinese intelligence services don’t need to leave Beijing – they simply point and click against their targets and go home at 5pm like the rest of us. Hacking is the new battlefront that we need to take seriously, since it’s now the primary means of intelligence gathering. When we look at the supply chain, we need to understand how vulnerable it might be, and it’s no longer okay to blindly trust that suppliers are doing the right thing. Call for transparency and actively seek the means to prove supply chains are secure. Given the fact that all of this personal data from ANU is now in the hands of an overseas government, and many of the MSPs you might trust are also shown to be compromised, it’s time to relook at cyber security as a key business imperative and ensure you are doing everything you can to continually assess and monitor your defences at an operational, tactical and strategic level. This issue of the Australian Cyber Security Magazine contains a number of articles on issues such as assurance, forensics and operations. This month, we’ll hear from

Tristan Bennett about his discovery of a serious flaw in a well-known vendor’s product, along with the validation he did to prove his discovery and the journey he took with the vendor to submit his findings and claim the bounty. Regulars, such as Annu Singh and Samantha Humphries have also provided insights this issue, and we have an interesting submission from Dan Lohmann regarding the sticking power of CISOs and why they need to dig in for the long haul. We hope you enjoy this issue of the Australian Cyber Security Magazine and, for now, we hope you all remain cyber secure. Tony Campbell and the Editorial Team

WRITE FOR US! The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics: • • • • • • • • •

Reac h over out to 10 indu ,000 profe stry s per msionals onth !

Digital forensics in Australia Workforce development Security in the development lifecycle Threat management and threat hunting Incident management Operational security Security book reviews Risk management True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out over 10,000 industry 14 | Australian Cyber Security Magazine

professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at : editor@australiancybersecuritymagazine.com.au

App now available

on iTunes & DOWNLOAD NOW!

www.australiancybersecuritymagazine.com.au Australian Cyber Security Magazine | 15

Cyber Security

Cyber preparedness building blocks

An ignition guide to cyber drills for better incident response “Remember when the disaster strikes, the time to prepare has passed” - Steven Cyros

By Annu Singh

very day newspapers and news websites are rife with stories of cyberattacks on large organisations causing financial and market reputation losses (Bangladesh Bank) to businesses, forcing near shutdown in some cases (Norsk Hydro, Target), data theft of customers in others (Toyota, Standard Charter) and not to forget IP loss (Adobe fined $1Million) and regulator fines. As I write this, the latest in a long list of victims is German pharmaceutical and chemical giant Bayer, who was recently subjected to a sustained cyber-attack that allegedly originated from the Chinese Winnti hacking group. The news comes two years after Merck & Co was hit by WannaCry ransomware, a cyber-attack that the pharmaceutical company said had cost it around $135m in lost revenue, due to production shutdowns and lost sales, and they spent around $175m in remediation costs. The pace of cyberattacks is relentless and organisations invest serious sums of money to fortify their cyber defenses. The focus can no longer be limited to preventing the attack, organisations also need to know what to do when a

16 | Australian Cyber Security Magazine

breach happens. This is where a well-designed and tested incident response (IR) plan comes to play. According to a UK Government Study 58% of executive boards view cyber risks as a top business concern. 68% of boards have not received any training on how to respond to a cyber incident and 10% have no cyber incident response plan.

Defining Cyber Security Incidents and Incident Response Plans Cyber security incident is a broad term that describes any threat that may compromise the confidentiality, integrity and availability of an Organisation’s information. A threat could be internal, like policy violations or external like a cyberattack, encompassing network based or a web application or perimeter breach. Malwares, ransomware phishing, cyberjacking, DDOS can all be used for cyberattacks. An Incident Response (IR) plan addresses how an organisation’s resources will be mobilised to respond to minimise damage, increase external stakeholders’ confidence and reduce recovery time and cost when the cyber security incident occurs. Critical Incident response management is now a requirement to comply with both GDPR & NIS regulations. NIS requires organisations to

Cyber Security

'According to a UK Government Study 58% of

define policies, processes and procedures for incident detection, incident analysis & reporting and documentation of the response to cyber security incidents in IR plans.

executive boards view cyber risks as a top business

Cyber Drills

concern. 68% of boards have not received any

“It was not raining when Noah prepared the ark.” - Howard Huff An untested plan by itself is no guarantee of defense. As navy seals often say “under pressure, you don’t rise to the occasion, you sink to the level of your training. That’s why we train so hard”. Similarly, the ability to train and test the defensive measures, controls and response mechanism of critical incident response management teams and organisations at large, through periodic cyber drills, becomes essential to ensure the IR plan will be executed with desired results at your hour of need. Cyber drills help test the effectiveness of the security controls and identify gaps in incident response capabilities, through simulation of a series of near real time cyberattack scenarios on an organisation’s network. Cyber drills help assess the broader perspectives of the security posture of an entire network, in case of an incident, unlike penetration testing which helps identify vulnerabilities with regards to running services only. Deming’s cycle Plan-Do-Check-Act remains a pragmatic approach to plan cyber drills. Decide what is the objective of the cyber drill – is it to test security controls or incident response? Do we have expertise in-house to simulate attacks or use 3rd party vendors? Other details like blind or announced drill, scope of the teams participating in the drill – attack & defense teams (with ability to exploit vulnerabilities, extract data & bypass scenarios, block, isolate & contain attacks, respond within acceptable timelines), hardware and software to create a closed loop test network environment, escalation tree, containment & recovery plan, success parameters - to evaluate the drills effectiveness, frequency of drills needs to be defined. Then execute the drill as per the plan and ensure proper closure of the drill by removing test beds, which may contain known vulnerabilities and revert changes made if any in rules to pre-drill phase. Lastly capture the lessons learnt. Cyber drills can be table-top simulations and operational drills. They should challenge the testing team with multiple simultaneous scenarios to check the cyber breach decisionmaking process, cyber crisis management and IR plan execution capabilities of teams, both at an individual level and the enterprise level.

Pitfalls to avoid Cyber drills test the attack preparedness of the organisation. Post cyber drill reviews can provide valuable feedback for the incident response team, to strengthen the defense posture of the organisation and refine the IR plan accordingly. It allows you to check what elements of the security controls and incident response went as expected in the IR plan and what did not? How effective was the team’s detection and response abilities? Were they able to identify false positives in the alerts and cut

training on how to respond to a cyber incident and 10% have no cyber incident response plan. ' through the noise? Were there redundant, missing or inadequate controls that could have been used for the attacks? Was any down time required to block the IP or implement the rules? How fast was the response time? Were other infrastructure components impacted? Were there gaps in skills or procedures? – was the information in the IR playbooks adequate to guide participating teams in identifying and responding to the breach? Were the processes & procedures up to date? How was the collaboration between the cross functional team or did teams work in silos? How clear, concise and timely was the communication to both internal and external stakeholders? (press releases, updates) Were there any communication conflicts discovered that may have risen between people and teams? Was the decision-making process effective or challenged? Post cyber drills a results summary, lessons learnt, plan to address skills needed & process gaps should be documented and shared across the teams to further improve the training gaps via focused workshops and simulation exercises, as required.

Benefits Cyber drills give teams a real-world taste of how an attack scenario can play out. They build confidence in the execution ability of the organisation to address and contain the breach, as and when it happens. Cyber drills help reduce friction during handovers and joint tasks, they foster effective collaboration and relationships to manage cross domain breach events or team specific domain breaches. Cyber drill rehearsals also gear and orient crisis management teams, communication & press debriefing teams and legal reviews for response readiness. Cyber drills aid discovery of operational issues, like incorrect implementation or placement of security devices or post implementation challenges, like too many rules or too few or generic rules with loopholes that can be bypassed. They help identify attack surfaces and vulnerabilities for the entire network. With the exponential rise in cyber-attacks no organisation can ignore cyber preparedness or live under false pretenses of the security of an untested IR plan. Cyber drills need to move from ‘good to have’ to a ‘must have’ for cyber hardening in the enterprise security landscape today. To conclude, Benjamin Franklin’s words sums up the why a Cyber drill? question aptly – By failing to prepare you are preparing to fail.

Australian Cyber Security Magazine | 17

Cover Feature Cyber Security

Information security meets scaled Agile By Anthony Langsworth

nformation security teams (InfoSec) suffer the curse and blessing of working with others. All InfoSec teams need to ensure others’ work, like infrastructure changes and product development, is secure and meets standards. Many InfoSec teams also need to farm out security-related work to others because the information security team lacks skills, capacity or authority. If a project team within the information security team’s organisation adopts or standardises on agile practices (commonly abbreviated to Agile), integrating security into Agile is not a new subject. However, traditional agile does not scale well, presenting challenges and opportunities to both the organisation and InfoSec.

An Agile Primer There are few people in the IT industry that have not heard about Agile. Based on a now almost two-decadeold manifesto, Agile focuses on delivering real value and minimises unnecessary work. A full discussion of Agile would consume many hefty tomes. However, Agile boils down to two main areas: (1) the

18 | Australian Cyber Security Magazine

mindset around delivering working systems, collaborating and building trust and (2) the practises and “rituals” to achieve this. Agile’s mindset consists of four tenants: 1. Individuals and interactions over processes and tools. 2. Working systems (initially software) over comprehensive documentation. 3. Customer collaboration over contract negotiation. 4. Responding to change over following a plan. Agile does not say to skip things on the right like documentation or planning – common criticisms of agile. It means to do a reasonable minimum of these to achieve the goal. The most common Agile practice is “scrum”. Work occurs in iterations or “sprints” of a few weeks. A sprint starts with a planning meeting, where the team pulls tasks from a single, prioritised list or “backlog” and commits to deliver what they are comfortable with in that sprint. Tasks are captured on a “kanban” board (physical or virtual), indicating who is working on them and at what stage they are in the process (e.g. unstarted, developing, reviewing, finished).

Cyber Security

SAFe organises work into “Agile Release Trains” or ARTs. These are groups of teams working toward similar goals (at the program level), such as those working on different aspects of the same product. Each one effectively follows Scrum using identical iterations.

The team meets every day in a short standup (participants stand to encourage a short meeting) or “scrum” (a word much more familiar to rugby-loving Aussies and Brits than Americans) to discuss progress, resolve impediments and update the task board. Tasks are only complete when they meet an agreed definition of “done”. At the end of the sprint, the team demonstrates completed work to business owners to get feedback and ensure the team has addressed the real problems. The team also has to learn and improve. In terms of roles, each team as a “scrum master”, often a part-time role that runs the planning meetings, demos and scrums. Each team also has a “product owner” that prioritises the backlog, balancing the competing priorities within the business.

Agile at Scale Unfortunately, scrum (and most Agile practises) handles the team level well, but not the program level (a set of related teams working on the same project) or the portfolio level (an organisation’s development work). It also only focuses on a

development team’s problems. For example, scrum does not address any problem more substantial than cross-team dependencies or aligning prioritisation. While scrum has the concept of an “epic” (a group of related tasks meeting a common goal), “epics” are often too small to be useful from upper management or executive-level. Consequently, several frameworks or methodologies to do Agile at scale (“scaled Agile”) emerged, including Large Scale Scrum (LeSS), Disciplined Agile Delivery (DAD), Scrum of Scrums (SoS) and Nexus. The Scaled Agile Framework (SAFe, https://www.scaledagileframework.com/) is one of the more popular methodologies. It is also more encompassing and prescriptive, meaning integrating security requires aligning to and understanding that methodology. Like scrum before it, a full discussion of SAFe is also beyond the scope of this article. However, it similarly boils down into mindset (principles) and practices. SAFe has nine principles including “Take an economic view”, “Assume variability and preserve options”, “Build incrementally with fast, integrated learning cycles” and “Decentralize decision making”. These build upon and clarify the original Agile manifesto's tenants. As for practices, instead of just epics and tasks to represent work, SAFe splits this into Epics (at the portfolio or organisation-wide level), capabilities (solution level), features (at the program level) and tasks (at the team level). This links tasks teams deliver back to major organisational initiatives. SAFe organises work into “Agile Release Trains” or ARTs. These are groups of teams working toward similar goals (at the program level), such as those working on different aspects of the same product. Each one effectively follows Scrum using identical iterations. SAFe operates in a sequence of four to six iterations called a “Program Increment” or PI. A “PI planning” event initiates a PI, where all team members along with business owners and management layout, prioritise, decide, then commit to work for the ART in the PI, scheduled by iteration. Epics, capabilities and features usually require sufficient return on investment, analysis and design before being approved for inclusion in a PI. A “Release Train Engineer” (RTE), like a scrum master of scrum masters, co-ordinates the PI planning. Inevitable cross-team dependencies and prioritisation discussions occur at the PI planning with the business owners. Schedule and delivery (not security) risks are raised, then either owned by business owners, accepted or mitigated through work. Once the PI commences, the RTE tracks the work of teams in the ART, handling risks and scheduling issues as

Australian Cyber Security Magazine | 19

Cyber Security

they arise, and runs the “scrum of scrums”, where scrum masters summarise how their teams are tracking. SAFe also scales to the portfolio level (having multiple ARTs) by introducing a “Solution Train Engineer” (STE) role, who coordinates work across the different RTEs.

In Steps InfoSec If an organisation adopts scaled Agile, an InfoSec team first needs to understand both the practises and guiding principles behind the selected Agile practise. Understanding the terminology alone can be a challenge, but speaking the same language is critical. Consider training courses or certifications. Otherwise, follow or enlist the guidance of those that co-ordinate or drive the process, such as RTEs and STEs mentioned above. Where InfoSec teams need to govern the work of others, like ensuring infrastructure is configured securely or software adheres to security standards, include security requirements in the “definition of done”. Do not separate these into a different task – insecure or unverified work is not “done”. InfoSec should engage authoritative, respected SMEs to help achieve these standards and requirements. Working with individual teams does not scale, although it may be useful to trial new processes, tools or requirements. Existing security policies and compliance requirements are helpful starting points, but are often too general for non-InfoSec staff to apply. Practises like automation (like code scanning, vulnerability scanning and deployment) standardisation (like libraries, reference architectures) and embedding security in existing processes is ideal. Adapt secure development lifecycles and education to fit the agile process and roles. Engage with architects and business owners before work is committed, such as at PI planning. For example, add security requirements to tasks before they are considered ready to start, like threat modelling, compliance impact assessments and GDPR reviews. InfoSec should attend PI planning to give context and assist teams with planning. PIs, or their equivalents, are also an excellent cadence to review work and gathered metrics then adjust strategies for the next PI. Agile encourages starting small, then incrementally improving and this can apply to InfoSec, too. For work InfoSec farms out to or requires from others, including compliance audits and preparation, the main hurdle is prioritisation. Most Agile practises delegate prioritisation to product owners, whom InfoSec needs to educate. Most scaled Agile prioritise based on both cost and benefit, so it is in InfoSec’s best interest for security measures to be fast and cheap to implement. All priority is relative and some compromise can help build much-needed trust, too. During iterations for teams working on security-relevant tasks, an InfoSec representative should attend planning meetings, demos and retrospectives. Attending helps InfoSec understand the business better and vice versa. InfoSec management should attend a “scrum of scrums” or equivalent meetings because it summarises the broader group’s activities, identifies security-sensitive issues and is usually an appropriate audience for security changes or requirements.

20 | Australian Cyber Security Magazine

Agile can be useful for project work within the InfoSec team, too. While full commitment requires additional roles (e.g. scrum master and product owner), this can help organise a large or disparate InfoSec team. It also provides a consistent way of managing InfoSec work that precedes or depends on others’ work. Most Agile practises exclude operational work, like monitoring or incident response. InfoSec teams that undertake both project and operational work should only devote a portion of their capacity to Agile. The amount can be hard to predict so err on too much and pull in additional tasks if required. However, the most crucial part of Agile is the mindset. People, particularly those administering scaled Agile, often focus too heavily on the rituals. However, like software before it, collaboration, emphasising real security measures over policies and standards along with reacting quickly to change all improve InfoSec, too. Thanks to Stephen Mills, Group Director of Information Security at Dimension Data, for his feedback.

PODCAST HIGHLIGHT EPISODES

Cyber Security

Episode 159 – (ISC)2 and Cyber Security Advocacy in the Asia Pacific - Tony Vizza Interview with Tony Vizza, Director for Cyber Security Advocacy - APAC at (ISC)² and presenting at the ASIAL Conference, part of the Security Expo 2019, 24 - 26 July, International Convention Centre, Sydney. Tony is responsible for Cyber Security Advocacy initiatives for the Asia-Pacific region for (ISC)², the world's largest not-for-profit association of certified cyber security professionals. The interview discusses IT/OT convergence and Tony's scheduled preentation "Navigating Complex Risk Environment & Managing Challenges of Cyber Physical Security Threats"

Episode 158 – Kasada raises $6.5 million to detect and mitigate malicious web traffic - Sam Crowther This interview with Dr. Keyun Ruan dives into her research in identifying the Interview with Kasada founder and CEO, Sam Crowther, based in Chicago USA about how the company will leverage a new capital injection to accelerate its engineering, research & development, and go-to-market expansion. Kasada, a leading Australian cyber security startup, underwent a $6.5 million capital raise with support from the CSIRO-backed venture firm Main Sequence Ventures and the Westpac-backed Reinventure Group. Kasada Polyform detects and mitigates malicious web traffic that other security measures are unable to identify. Kasada’s web security service protects websites and web applications in real-time from user account takeovers, fraud, data-scraping and other attacks that significantly disrupt user experience of websites.

Episode 157 – Keeping thousands of staff cyber aware - Phil Hall, Cyber Security Awareness and Intel Manager with AMP Interview with Phil Hall, Cyber Security Awareness and Intell Manager with AMP, recorded as part of AMP Amplify 2019. In his role, Phil brings to life real cyber threats through various immersive simulations, awareness talks and presentations, as well as targeted awareness for all levels of AMP staff. He is passionate about all things ‘cyber’, and spends his time performing reconnaissance for AMP threat communities, and presenting to all levels of staff.

Episode 154 - Taking a data science approach to cybersecurity and threat prevention

Episode 156 - AppSec & DevSecOps - Micro Focus Fortify’s product vision and strategy as a market leader Interview with Scott Johnson, General Manager for Fortify at Micro Focus, visiting Sydney as part of the Micro Focus Realize 2019 events, held in Sydney Melbourne and Canberra. In his role, Scott leads Fortify’s product vision and strategy for the market’s leading AppSec offerings. He is responsible for both on premise and SaaS (Fortify on Demand) based solutions covering SAST, DAST, RASP and IAST. Under his direction, Fortify was once again (8th consecutive time) designated as the Gartner Magic Quadrant leader in Application Security Testing in 2018. Scott has successfully led efforts in support of DevSecOps and AppSec Orchestration leading to increased revenue and customer growth. Scott offers a unique blend of enterprise and start-up experience with prior product management and leadership roles at IBM ISS where he led award winning endpoint and network security portfolios. Other highlights include security and technology product leadership positions with Ionic Security, Unisys, Nivis and b2b market exchange platform provider, Idapta. Scott also co-founded, Ho-Chunk, Inc., helping raise $8m to create a $250m diversified holding company for the Winnebago Indian Tribe of Nebraska.

JANE LO SERIES : Episode 150 - Interview @ICE71 with Head of Innovation & Partnerships at Singtel Innov8 - developing cybersecurity innovation and talent globally Jane Lo, Singapore Correspondent speaks with Paul Burmester, Head of Innovation & Partnerships of Singtel Innov8, about their role on developing the cybersecurity innovations and talents in the region, and globally in Europe and North America. Interview highlights include discussion on venture capital strategy versus other financial alternatives, mentoring, due diligence, and the investing process. And what success means, in Asia Pacific and other regions. Paul is leading a team responsible for identifying and engaging with innovative startups globally, supporting their growth and driving engagement, in support of the Singtel Group strategy. The team also build and drive various Innov8 programmes and partnerships to activate and grow awareness in the startup ecosystem, such as the Innov8-Connect programme; ICE71, Asia’s first cybersecurity startup hub and ecosystem; and the Go-Ignite alliance, an initiative that offers startups access to over a billion customers through engagement with the Singtel Group, Telefonica, Orange and Deutsche Telekom. holding company for the Winnebago Indian Tribe of Nebraska.

Interview with Mauricio Sabena, systems engineer manager, ANZ, Palo Alto Networks, based in North Sydney and discussion on using data science to improve threat prevention.

Episode 146 - High-Performance Computing (HPC) and why it matters for Australia: Pawsey Supercomputing Centre

Using a data science approach to cybersecurity and threat prevention can help organisations detect subtle malicious activity more easily, overcoming the challenge created by cybercriminals’ increasingly-automated approach. Businesses need to understand the potential challenges of using a data science approach as well as the possible benefits, so they can leverage data to outsmart cybercriminals.

Jane Lo, Singapore Correspondent interviews Mark Stickells, Executive Director, Pawsey Supercomputing Centre, based in Perth, Western Australia. Why HPC or Supercomputing – high performance computers that perform at highest operational rate - matters to Australia’s vision for 2030 to be a top tier innovation nation, and the history behind Pawsey, HPC projects, partnerships across the world, and talent development at the centre.

Episode 143 - Security contrasts of HPC & Cloud Computing and introduction to the National Computational Infrastructure at the Australian National University Jane Lo, Singapore Correspondent speaks with Andrew Howard, Cloud Team Manager, National Computational Infrastructure at the Australian National University (Canberra). HPC and Cloud Computing have different security considerations and yet both involve humans being the weakest link, in particular within the HPC environment where there is often a higher level of trust required. Australian Cyber Security Magazine | 21

Cyber Security

Wanted: Effective CISOs who (happily) stay longer Most security leaders change organisations every few years. The reality is that people leave jobs for many reasons. Here’s why this often becomes a problem for enterprises, the CISO or both. By Dan Lohrmann

or Chief Information Security Officers (CISOs) and other security leaders, the grass often looks greener on the other side of the fence. But is it really? No doubt, new professional opportunities are plentiful within the cybersecurity industry for those with the right skills and experience. Is switching organisations (when the going gets tough or the price is right) always the best road to take? Career decisions can be difficult to make and usually include a complex mix of working relationships, team chemistry, total remuneration packages and the whole work/ life balance. Meanwhile, both the public and private sectors have grown accustomed to a revolving door regarding security leadership. Some executives write this problem off as an inability to offer the right pay packages to keep top talent. Other times, security leaders get forcibly removed as the “fall person” after an embarrassing data breach or a major cyber incident or a wider management shake-up. The reality is that people leave jobs for many reasons. Nevertheless, why do security leaders tend to switch jobs more often than most other professionals? This article from

22 | Australian Cyber Security Magazine

CSO Magazine lists the top reasons that CISOs leave. This techrepublic.com article from last year lists the top reasons that 60 percent of IT security pros want to leave their jobs right now. “The main reasons cited by the IT pros who wanted to leave were job dissatisfaction and the lack of growth opportunities within their companies. Other top reasons for employees looking to quit, include unhealthy work environments (53%), absence of IT security prioritisation from executives or upper management (46%), unclear job expectations (37%) and lack of mentorship (30%).” Digging deeper, could constant changes in security leadership be a major contributing factor in the surge in expensive cyber incidents? Could security staff turnover lead to more global data breaches? Is switching companies every few years helping to stop cybercrime or making things worse? While every situation is different, CISOs seem to be swapping roles faster than a professional football player. Taken as a whole, this fact seems to point to cyber concerns worth considering by all of us — before it gets personal.

Cyber Security

Numbers Please? So, how bad is the problem? Let’s start with some numbers from different surveys over the past few years. Here’s an excerpt from SecureLink who wrote about their view as to why the average tenure of CISOs (from a CSO Magazine reference) was only 18 months: “Though a CISOs responsibilities may differ from company to company the core role is well defined; a CISO is essentially a senior level executive who’s responsible for executing and overseeing the company’s cybersecurity strategy. It stands to reason that the CISO role is often held accountable when a data breach, of any form, occurs. In fact, according to a survey reported by Tripwire, 21% of IT decision makers would most likely blame a data breach on the CISO. Remarkably the CISO position is second only to CEO when it comes to perceptions of accountability after a cyberattack. This goes a long way in explaining why the average tenure of a CISO is a mere 18 months. …” This CIO Magazine article claims the average tenure of a CISO was 17 months in 2015. This 2019 CSO Magazine article quotes several studies describing 24-48-month tenures for most CISOs. They added details from a Kaspersky Lab study concluding that “barely half of all CISOs stay at their job for more than five years.” This recent Forbes Technology Council article from June 2019, written by former San Diego CISO Gary Hayslip, states that the average CISO tenure is now 2.5 years. The article also claims that the average chief information officer (CIO) tenure is 4.3 years. Gary also goes on to list some tips for creating an optimal environment for CISOs to stay put. One more source of data. This Korn Ferry Institute Survey article from 2017 stated that most other CXOs range in tenures from 4.1 up to 8+ years. In summary, as I examined this topic in detail, the research concludes that CISOs are staying in their jobs for much less time than corporate CIOs, CFOs, CEOs or other senior executive positions. While government organisations may have different leadership titles, I have noticed many similar patterns in the public sector recently, especially when government cyber professionals are NOT in defined benefit retirement plans, which tend to keep the baby boomer CISOs longer at the end of their careers. However, I must admit that I don’t have specific research data to back up my public-sector opinions.

What’s the Impact of Turnover? While the survey numbers may vary, what we know for sure is that there are numerous hidden costs to employee turnover. Here’s an excerpt from one particular study I found: According to a study by the Society for Human Resource Management, replacing an employee could cost you up to five times the annual salary of the now vacant position. But the costs aren’t limited to dollars and cents. What about the losses that are not so obvious? • The (exiting employee) takes knowledge with them. • The best suffers most, as they must train the new staff. • Creates a void. People become sad, bitter or distracted. Other people take on new work 'out of their

"Then, at best a caretaker manager is appointed; or worse, the role is left vacant for months until a recruitment is made internally or externally. Then someone new comes in, almost always with different views compared to their predecessors, and with the risk of seeing the same scenario repeating itself. …” • •

comfort zones, and employees start to doubt their jobs.' Distraction to management – must shift gears from strategic initiatives to hiring new executives. Domino effect. Others sometimes follow.

This excellent article from JC Gaillard in 2018 on business2community.com explains how CISO tenure is key to digital transformation. The article starts by quoting surveys stating that CISOs stay for only about two years. Next: “Nothing will change until the profile of the CISO is raised and they start to see their role over the mid to long-term.” Pay attention to this observation as to why so many CISOs leave so fast: “It often starts with the sense that the internal situation is vastly different from what they had been ‘sold’ throughout the recruitment process; they don’t feel valued or listened to; they feel trapped in management models where many key decisions are made elsewhere without their involvement; they feel like they haven’t got adequate resources in terms of budget or staff to do what they would like to do. So, they leave. Having achieved very little in practice. And in a number of cases, they leave for larger organisations or a larger pay package because of tensions on the recruitment market around those roles. "Then, at best a caretaker manager is appointed; or worse, the role is left vacant for months until a recruitment is made internally or externally. Then someone new comes in, almost always with different views compared to their predecessors, and with the risk of seeing the same scenario repeating itself. …”

Help Please! With so much at stake, including everything from organisational digital transformation, to protecting the enterprise from data breaches, want can be done? This 2017 article entitled: The CISO Merry-Go-Round, offers eight helpful ideas that can improve CISO longevity: 1. "Working close to the C-Level to understand how they operate; their requirements and what factors can support their success. This interaction needs to be a regular occurrence, not only when things are going awry. 2. Understanding their stakeholders and how their business operates. Knowing and managing the strengths weaknesses, opportunities and threats of the business to be able to make decisions efficiently with conviction.

Australian Cyber Security Magazine | 23

Cyber Security

7. 8.

Developing a strong internal network of allies. Identifying the astute individuals across the organization that can support them and reciprocate favours when called upon. Coaching and mentoring their direct line of reports to delegate activities and act as trusted advisors in their absence and identify a clear deputy. Continually adapting, gathering information, learning and developing new skills to improve their knowledge of the business, the industry they operate in and the information security domain. Building trust and respect by engaging with impact, delivering reliably, sharing successes with the business and acknowledging the team members and colleagues that have supported delivery. Sharing experiences and knowledge with peers and industry thought leaders. Developing resilience is critical. It takes thick skin and resolve to be a CISO."

This article from the IndianTimes.com offers tips on what CISOs need to focus on to stay longer term. No doubt, all security leaders want to be successful and improve cyber defences, no matter how long they stay and too many quick job changes can become a serious problem for resumes and personal reputations. I have written many articles that are relevant for CISOs and other leaders in cyber careers and here are a few to consider on this topic: • CSO Magazine: The case for taking a government cyber job: 7 recommendations to consider • Govtech.com: Security Pros Need a Mentor: Here's Why and How • BankInfoSecurity.com: The Value of CISO Mentoring • Govtech.com: Evaluating Technology and Security Leaders In the last piece about evaluating technology and security leaders, pay attention to the questions that John Maxwell has about leadership impact. Also, notice the planning perspective from these state CISOs (from earlier this year) from Nebraska and North Carolina. For balance, I encourage you to read this article on 11 reasons to stay in your current job (even if you hate it.) Here’s how it starts: “'I hate my current job and I will leave this place!' How many times have you heard someone say that line? To some people, it’s too often. It’s unfortunate how rare it is for someone to come across another individual who loves what he/she is doing in his or her place of work. It’s more likely for you to encounter someone ranting non-stop about how 'unfair' his or her employer is and how much 'he or she wants to leave'. In fact, this person might even be YOU …”

Closing Thoughts I know. I know. I have done little in this article to prove to you that CISOs leaving early can cause more security data breaches or other security incidents. My gut tells me that

24 | Australian Cyber Security Magazine

security effectiveness is (at least partially) related to CISO longevity — so send any research my way if you have meaningful data (either way). NO DOUBT, some CISOs must go — and the sooner the better for an organisation. (If this is the case, I question an organisation's hiring practices, but that is a discussion for another day.) Nevertheless, this topic must start getting more attention for the cybersecurity industry to improve. The bad actors are laughing all the way to the bank at all of the cyber leadership turnover in so many organisations. Some CISOs also take their teams (or best security talent) with them when they leave. I really like this excerpt from a CSO Magazine article on CISO longevity: "Take Andy Ellis. As Akamai's chief security officer for the past eight years, Ellis has played a central role in implementing a zero-trust data access model that has fundamentally transformed the company's security posture. Over a total of 16 years in various security roles at Akamai he has helped define and evolve the organisation's core security strategy. Ellis believes that being at the same company for so long has been critical to his ability to affect change. 'I've gotten to mould this position,' Ellis says. 'As I've gone along, it's been like wearing a comfortable glove. I understand how the organisation works; therefore, I can get more done.'" Andy Ellis’ experience has also been my experience while at the state of Michigan for over 17 years as an agency CIO, enterprise CISO, CTO and CSO. You can read about that CISO/CTO/CSO journey here, but happiness, career satisfaction and impact are not just measured by money. I have also seen this same trend in numerous other state governments and private-sector entities. Getting more personal: The key question you will ask yourself, when you look back at your time as a security leader is: “What lasting difference did your team make regarding cybersecurity under your watch?” Bottom line: Leading any organisation for two years or less is generally not enough time to build a positive legacy and improve the cyber culture. Strive to build strategic (and tactical) plans that are (at least) double that (four years or more) as a CISO. Next, stay and deliver effective cyber results. About the author Dan Lohrmann is an internationally recognised cybersecurity leader, technologist, speaker, blogger and author and was named as one of the World's Top IT Security Influencers in 2019. Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.

PODCAST HIGHLIGHT EPISODES

Cyber Security

Episode 152 - The Toll of TOLA - Australia's Amendment for Assistance and Access

end-to-end encrypted messaging, voice and video calling services, such as WhatsApp, Telegram and Signal.

Interview by Executive Editor Chris Cubbage with Nick FitzGerald, Senior Research Fellow of ESET, discussing the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA).

Early criticism of what was to become the Bill (now TOLA), centred around some truly awful messaging from some of the politicians involved, who seemed to be suggesting that Australia’s intelligence agencies had advised the government that the encryption itself could be broken. This resulted in responses from the “you clearly do not understand mathematics” end of the spectrum through to what was basically name-calling. As time passed and drafts of the Bill appeared, it became clear that – to be polite – these politicians had misspoken.

Based on the interview, conducted on May 1, 2019 in Sydney, Nick has provided the following opinion piece: During the podcast, in response to something I said about the extremely broad-brush definitions in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA), Chris said “We have to then trust the government to use the legislation in the correct way and not in their own sort of interpreted manner.” On reflection, I think that is largely why there is so much unease about TOLA. I’m no legal scholar, but a little online searching readily confirms my expectation that avoiding ambiguity or obvious points for diverging interpretation is core to drafting good legal documents of any kind, be they employment contracts, conveyancing agreements or parliamentary Bills. It seems the government is aware of this, as one of the defences it stood up to face the extensive criticisms levelled at earlier versions of the Bill (now TOLA), is a FAQ-style Myths about the Assistance and Access Act page. The defences on that page are generally unconvincing. Many just restate the intentions attributed to the former Bill (now TOLA), and few of them provide clear support for the denials of the “myths” they purport to debunk. Perhaps someone should explain to the Department of Home Affairs that referring, in a circular manner, back to the exact text in the Act that gave rise to a concern (or “myth” in the Department’s view) in the first place is unlikely to allay the concerns that that text raises with so many people. That it is clearly open to multiple interpretations is, in and of itself, evidence of deep problems with TOLA. Enough about the quality of its drafting – what else about TOLA should concern us? We live in an age that has recently seen an explosive growth in the digitalisation of our everyday lives, and we expect this to continue for some time, with the continuing, rapid growth of the internet of things. Further, the looming adoption of 5G, with its greater bandwidth and reduced latencies, promises even more connected “things” and services. However, we are also increasingly aware of just how poorly secured much of the already internetconnected stuff we now depend on is, and perhaps ironically, this has driven increased consumer demands for better security, better encryption of network traffic, and so on. And that we are increasingly turning to encryption-protected services, which means the criminal elements are too, is clearly what partly motivates the provisions of TOLA. When the bad guys used landline telephones, law enforcement could readily tap all calls to or from a given phone at the local telephone exchange (or anywhere along the trunk cables with some additional effort). The move to cell phones complicated that somewhat, particularly once cheap “burner” phones became available and could simply be bought over the counter with no registration, phone company contracts and so on. But now, we are told, the bad guys are increasingly moving to

Although contributing to the UK’s version of the same debate, two senior UK spooks – the technical directors of the National Cyber Security Centre, and of cryptanalysis, both parts of GCHQ – published an article on the Lawfare blog explaining the UK’s approach to the same set of perceived problems. In short, they argued that just as “the early digital [telephone] exchanges enacted lawful intercept through the use of conference calling functionality”, it should be “relatively easy for a service provider to silently add a law enforcement participant to a group chat or call”. Such solutions would require the client app on the target device(s) to be modified to not indicate that an apparent one-to-one call was actually a group call, and likewise that a group call contained N – 1 participants if one of those was a lawful intercept. As another member of the Five Eyes alliance, it seems that this kind of thinking behind the developing framework for the UK’s own exceptional access legislation is probably not too dissimilar to what the drafters of TOLA had in mind. While many of today’s most popular messaging and VOIP protocols do employ a central broker of some kind to at least perform the initial setup of sessions between callers, that is not a necessity of such designs. Fully decentralised, peer-to-peer systems, where no one client or central authority controls how connections are setup, what encryption keys are used, and so on, already exist. Further, TOLA specifically prohibits an order that would prevent an existing service provider from switching to use such a protocol, even if they were doing so explicitly to avoid being able to cooperate with Australian law enforcement intercept orders under TOLA. But why all the focus on just the modern equivalent of yesteryear’s telephone systems? We now live the era of the cunningly mis-branded “smart speaker” that millions have rushed to adorn their kitchens or living rooms with. And most of us carry a device apparently purpose-made for spying on our every move with its GPS sensors, microphones, multiple video cameras, multiaxis accelerometers and all with near-permanent internet connectivity. The overlords of Oceania in Orwell’s 1984, with their paltry “telescreens”, would be gobsmacked at the sheer enthusiasm with which we embrace contemporary technology that could so easily be turned to surveil us. As much of this technology only works through communicating with its centralised cloud services, these all appear to also be fair game to TOLA

Australian Cyber Security Magazine | 25

E TUN IN ! NOW

www.australiancybersecuritymagazine.com.au

PODCAST HIGHLIGHT INTERVIEW CH: It's a huge compliment. Having been off the earth three times. That's about half a year on board a spaceship, gives you time to contemplate and think about the variety of life on Earth but also the commonality of life on Earth. And as far as we can tell, the absolute, unique preciousness of it. So, to come to Sydney and talk, essentially to a bunch of strangers, about ideas and about possibilities and have them honour me by standing up and applause at the end, it’s a wonderful privilege. CC: Well you mentioned there's ten thousand ideas bolted together on the Space Shuttle and the launch, and those types of things. For our audience which is predominately cybersecurity technology, you spent many months on the International Space Station. There's a lot of activity in Australia around the new space agency. We're seeing the militarisation of space. But one of the things I wanted to capture from your session yesterday. You're dealing in that advanced tech environment and you talk about leadership, team building and ultimately, again linking it back to cybersecurity, is preparing for failure. The inevitable aspect of failure. Just your thoughts around that first and then certainly we'll grab your ideas and experiences in cyber security and space. CH: You know Chris I think it's even more than the inevitability of failure, it's the necessity of failure.

Colonel Chris Hadfield - Canadian astronaut

Recorded on 6 June 2019 at the Quayside Balcony, overlooking Circular Quay, Sydney, courtesy of AMP Amplify 2019. Welcome to the Cyber Security Weekly Podcast and recording on a beautiful sunny morning in Sydney. My name is Chris Cubbage (‘CC’) and we are joined by a very special guest, as part of the AMP Amplify 2019 Forum, and our special guest is Canadian astronaut and now the custodian of David Bowie’s ‘Space Oddity’, Colonel Chris Hadfield (‘CH’). Chris thanks for joining us. CH: A beautiful Sydney morning here Chris, thanks. CC: You've been to Sydney many times and you've flown over Sydney thousands of times I'm sure. You gave a keynote session to close AMP Amplify yesterday afternoon, speaking to about 150 people. It's an inspiring and awesome session and you received a standing ovation at the end. I'm sure you get that around the world?

If you want to tiptoe around everything and never have anything go wrong. It's almost impossible to accomplish anything. You have to not only accept the fact that things are going to fail, things are going to go wrong, but eagerly look for it. Try and push your system under as safe and early, as circumstances possibly can, to the point of failure. It's why we do nondestructive testing. But we often, when things get expensive enough or complex enough, we sort of stop thinking of the necessity for failure and instead try and cross our fingers and hope for perfection. And just because we're hoping and crossing, doesn't mean that's going to happen. There's been an enormous change in space exploration over the last 15 years as a result of shifting that mindset. Of going from the way that the governments have traditionally approached space travel, to the way private industry is doing it now the way, with Space X and Virgin and Blue Origin’s Jeff Bezos. The way they're approaching it, it's almost like you roll out a new software package. You recognise it's going to have bugs. You do an update on a regular basis but you get it out there and working and build a safety net around it. So, the failure is acceptable. That it's okay and you learn the most when something goes wrong. If everything works the first time, you're sort of like, you're just tiptoeing, whistling past the graveyard. Well eventually, it's going to fail. The sooner it can fail, the sooner it can show you what still needs working on, the better. Whether it's cybersecurity or whether it's a whole space ship.

www.australiancybersecuritymagazine.com.au

Cyber Security

CC: Do you think it might be, or have been, an advantage in that environment. Trying to translate and communicate that into a business environment where business seems to be risk averse to failure. Again, in technology and in our digital transformation. Do you think we should be more accepting of failure in business? CH: Well of course you don't want the actual business itself to fail. But what are you doing when things are going well? It's kind of the real question. Are you aggressively pursuing the things that are the highest probability of going wrong? What are you most vulnerable to? You know, if there's a change in commodity price or if there's a shift in regulation or if some other nation suddenly creates a competitive version of your product or whatever. Just like how I've approached my entire life, as a test pilot and as an astronaut, we used to always say; ‘what's the next thing it's going to kill me?’ Because that's the only thing that really matters. What's the next thing that's going to kill me? And am I ready for that to happen or not. And if I'm not, then let's use every second that's available up until that moment to get ready for that. Because then if it doesn't happen, no harm. If it does happen then the business doesn't crash or the spaceship doesn't crash. And it doesn't apply just to spaceships or businesses, it applies to operating a car or how you run your own life. The inevitability of anticipating failure and then simulating it and training for it and learning how to deal with it, so that when it does happen, you're not flummoxed and stopped or worst case, killed by it. CC: Of course. Let's touch on cybersecurity in space and the level of training that you would have had. And again, the precautions. CH: It's a funny thing. You wouldn't believe it but all of the computers onboard the space station have a password. I just thought it was funny, there was only six of us up there. CC: Please don't tell me it's ‘admin’ ‘password’. CH: Who were we keeping the secret from? That's just the way it is. So, I even posted something on Twitter there, I think at one point. I said, just in case aliens come by, we’ve got passwords logging in all the laptops up here. Even logging into our exercise treadmill, you had to know the password. So of course, we just grease pencilled it on the wall. CC: So, the post-it notes are on the International Space Station. Good to know. CH: But we do take it really seriously, in that the space station is 100 percent digital. Operated in concert with the crew on board and mission controls all around the world. There's one in Moscow, one in Munich, one in Tokyo, one in Montreal and one in Houston. All of them are in high speed, continuous digital communication with the space station. So of course, the security of that is huge. If someone could somehow tap into it or get a command. Because we get e-mails up and down all the time, if someone put something into there, that would be any sort of malware, it could have deathly consequences for the crew onboard. And there's only one space station for the whole world. So, we take it very seriously and everything is scanned to the best of our ability. We regulate the type of files that can go up and down. But right down to anti

malware that's onboard the space station itself. Amongst everything else that's going on, we also very much worry about our software not getting messed up. CC: You must have seen that sort of progression of technology across that. Even you talk about from your early childhood, all the way through. Then to actually be sitting up there and then to be doing YouTube videos, throughout to the world. Where do you see this heading? What is your projection? I suppose to close this off. CH: The space station is relatively primitive computer technology. The space shuttle was ridiculous. 128K memory ran the entire space shuttle. These little, very primitive, old, proven, space hardened computers. The space station, its core hardware is that way. But we run a lot of laptops onboard to run all the various sensory systems. There's over 100 laptops on board. So, it's sort of piggybacking on top of the framework that runs the space station itself. But if you look at the new vehicles. The new one that Boeing has put out, which is Star Liner and the one that Space X has, which is their Crew Dragon. They're really taking advantage of the technology. A much more updated crew interface, much higher memory onboard. And that's just the start. We want to take advantage of the early glimmerings of artificial intelligence. We don't want to have to manually do everything all the time of course, like the Apollo guys did. There were five hundred mechanical switches in the cockpit of the space shuttle. And you had to be intimately familiar with everything. Really analogue kind of vehicle. But it's becoming more and more digital like it ought to. That makes things lighter. Easy to make more levels of redundancy. Easier to control from a remote location. So, we need all of those things. And as we're heading towards now, going beyond Earth orbit, putting robots, and relatively soon people, permanently on the moon, we will want as much artificial intelligence, as much robotic help, as we can possibly get for the first settlers that are living on the Moon. And just paving the way for going even further. And I'm all for artificial intelligence. We need to learn how to control it. Like gunpowder and like fossil fuels, and all the other things that enable life, but also can have a detrimental effect. We need to learn how to integrate those responsibly into society. Artificial intelligence is the same thing. There are ways to do it. We've got a lot of precedents. But the advantages it can give us are huge and especially in the realms of exploration where it’s still very difficult to get to people there. CC: So you're talking and you can foresee a base on the moon and then moving that, using that as a sort of, as you say a base or a satellite, to move on. And the International Space Station, the future of that will be continued do you think? CH: The space station, the first space was launched in 1998, with a planned 30 year life, so till 2028. Another 10 years or so. And that's the first piece. There's been lots of pieces gone up in the last decade. So, the station, assuming that we all can manage to agree to continue to work it and we will, I think we'll be up there until the late 20s, maybe early 30s. We'll see. When the big pieces start wearing out and breaking, just like any old car, it's just a machine, creates more maintenance with time, like an old car. CC: You don’t want to be on there at the time. CH: But eventually, we'll just have to declare the end of its life and deorbit it

www.australiancybersecuritymagazine.com.au 28 | Australian Cyber Security Magazine

into the South Pacific, it'll mostly burn up, just like we did with the previous space stations. But by then we should have people orbiting the moon and living on the surface of the moon and just laying the groundwork for going further. And it sounds crazy and fanciful, and impossible. But when I was born no one had flown in space. All of this has happened in less than my lifetime and our early desperate flights were so hairy edge, crazy dangerous. And yet now we've had people living permanently on the space station for the last 19 years. And you hardly hear anything because it's just normal and safe, and part of what humans can do. So, you don't have to look too far into history to realise technology enables exploration and then settling into a new environment. You can look at New Zealand 800 years ago or Antarctica 50 years ago or space 20 years ago and very shortly the Moon. I’m realistically optimistic that's where we're headed. The real key is we need to keep it safe. We need to keep it productive. As part of the whole earth, moon economic system. CC: If anything, I think from what I take from you is also keeping it humble. That we are alone in this and we have to work together. It's a big takeaway. CH: Yeah, it's really important to use the inspirational and complex things in society to unite us. If you can do it all by yourself, that's fine. But if the very necessity of it drives people to work together, that's a good side benefit. And fifteen of the leading nations of the world have been working hand in glove for a quarter century on the International Space Station. There's hardly any project that parallels that. And you can look up any night or morning, early in the morning, just before the sun rises all across Australia, and watch the space station go over. And it's a good reminder of what we

can do together, when we do things right. CC: Well I'm originally from Perth. A WA boy and you mentioned Perth many times. Look you do talk in extremes and the impossibilities. If anyone listening in our audience has the opportunity to see your presentation, they must take it. You've got the best holiday picks anyone has. CH: I’ve been extremely lucky in my life. I've worked hard. I've been willing to take some enormous risks, as a test pilot and then as an Astronaut. But with great risk often comes great reward. To me the rewards are almost hard to explain to myself, but thank you for the compliment. I do my best to explain it to as many people as possible. CC: Look you're a standout individual. You mentioned the stats yesterday. There's 18,000 applications to be an astronaut and 12 are selected and I think you are one of a kind and doing a lot for humankind. So, thank you very much it's been an absolute pleasure. CH: Nice to talk with you Chis, thanks. CC: Colonel Chris Hadfield, thanks for joining us on the Cyber Security Weekly Podcast. CH: Pleasure, take care. CC: Cheers mate.

The ‘go-to’ tool for leading professionals

www.mysecuritymarketplace.com

Cyber Security

Do you need to choose, to make the frame-work? Take the work out of framework by making the right choice

I By David Stafford-Gaffney

t’s July and that dreaded day is only a matter of months away. As that date draws nearer, you become increasingly anxious. Staring out of the window into a gloomy autumn morning, even a nice warm coffee brings little comfort. There is still so much work to do. You know you need to roll up your sleeves and get on with it, since your job as security manager for a private health insurer means you are responsible for compliance with the Australian Prudential Regulation Authority (APRA) regulations. July 2019 brings in the assent of APRA’s CPS 234 Information Security Standard, and one specific section made you nervous: Maintaining an information security policy framework. Your head hurts as you wonder why you’ve not investigated this before, but you’d always put it to one side since you couldn’t figure out which of the many InfoSec frameworks or standards you needed to use. By process of elimination (based mainly on Google’s advice), you have narrowed it down to NIST’s Cybersecurity Framework (CSF) and ISO 27001. However, a friend in another health provider

says she uses the PSPF, since it is highly prescriptive, but the last time you looked at the PSPF it was overwhelmingly complex. You are left with one tough choice: NIST or ISO?

Sensible Use of Frameworks and Standards The reality of this situation is, maintaining your environment based on guidance from one or the other of these approaches will result in an improvement to your security posture. However, when you raise the hood and gaze into the engine compartment, they complement each other perfectly. There is no online shortage of supporting material to assist you in mapping and aligning both approaches with your business, so a hybrid approach often works best.

Frameworks: NIST CSF The NIST CSF is more prescriptive than ISO 27001 and breaks controls into five obvious domains:

Cyber Security

'There are of course all the other questions to ask as should be the case with any expenditure such as “Can I afford it?” and “Is this the right vendor?'

Figure 1 - NIST Cybersecurity Framework (nist.gov)

NIST CSF can improve your effectiveness and clarity when communicating your current security posture’s strengths and weaknesses to the board, so it improves the likelihood of success. Furthermore, maturity of your NIST CSF implementation is easier to measure since it comes with a complementary maturity model.

Standards: ISO 27001 Unlike NIST’s CSF, ISO 27001 is a ratified standard, which can be externally audited and certified. Therefore, ISO is an important consideration, but the underlying security controls approach in both are similar, with NIST CSF even referencing relevant controls in ISO 27001 where it deems them important. Again, like NIST CSF, ISO 27001 breaks its proffered security controls into domains, but rather than the five domains of the CSF, there are 14 separate domains, covering everything from security operations to personnel Figure 2 - 14 Domains of ISO 27001/2 (Cybersecurity Frameworks; Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam - https://link.springer. com/chapter/10.1007/978-1-4302-6083-7_17) Each domain highlights to the company which cybersecurity controls are performing which risk management activity, so InfoSec is not just an IT focused activity. Some of the non-IT domains are: • Human Resource Security; • Asset Management; • Supplier Relationships; • Aspects of Business Continuity. ISO 27001 provides the ability to break security concerns into functional areas and align them with your organisation’s structure, so you understand where in the value chain issues may arise. ISO also offers enough detail to explain what the purpose of the control is, without telling you how to implement it – each implementation will vary depending on your business context.

Figure 2 - 14 Domains of ISO 27001/2

Using Both CSF and ISO Both approaches have their advantages and starting with either will be a good first step. Yet, when these two approaches are combined, you end up with a robust approach to your information security management problem by allowing flexibility to dive deep into complex risk areas and apply a granular approach where required, while highlighting specific functional areas that require focus. Together, CSF and ISO combine to provide effective reporting that all stakeholders can understand. So, don’t think you have to choose one or there other, they are stronger together than the simple sum of their parts. When your environment has been baselined and you have measured maturity for each domain or section, gaps in your security model reveal weaknesses. From that report, you can effectively prioritise elements of your security program based on your findings. Combining the two approaches lets you highlight how gaps in functional areas affect your ability to Identify, Protect, Detect, Respond or Recover from a breach, which still being compliant against a certifiable standard. You will likely support some of your colleagues working in other areas who may be trying to fix these issues; now you have the justification in terms of business risk to help secure manpower or funding to address the gaps. The fact that you’re reading this and seeking further detail on which approach to take is an indication you’re on the right path. Predictable and repeatable outcomes based on good industry practice are undoubtedly a great outcome that both ISO and NIST will help you achieve. Once you’ve worked through the implementation of both, you’ll have a robust security management programme that communicates well with stakeholders and justifies security activities at the organisational level. You’ll also sleep better at night knowing that you can meet most of the security requirements listed in APRA CPS 234.

Australian Cyber Security Magazine | 31

Cover Feature Cyber Security

Snake bites and data breaches

W By Elliot Dellys, Principal Analyst at Hivint, a Trustwave company

hy is treating a snake bite like responding to a data breach? It might sound like the beginning of a cheesy joke, but the two can have more in common than you might expect. First, each require an initial triage that is generic to all incidents. For a snake bite you immobilise the patient, bandage the limb, and call an ambulance – little more can be done until the professionals have more information. The initial response to a breach or intrusion is equally predictable: engage key stakeholders, isolate the threat, and call the lawyers. For both, the subsequent remediation efforts become highly diverse once further detail is uncovered about the incident. With a snake bite, the crucial next step is to identify the species to determine the correct antivenom; attribution and remedy are unquestionably mutually beneficial. With a cybersecurity incident, determining the correct ‘antivenom’ is often not so clear. Do you dive deeper to determine the techniques, severity and persistence of the threat, or do you focus on damage control? Sometimes attribution is crucial; at other times it provides little more remediation value than entertaining curiosity. Assuming it is possible at all, of course – which is rarely a given from the outset. The debatable value of attribution is well known among cyber first responders, as recounted in Kevin Mitnick’s book 'The Art of Intrusion': “They were scared out of their wits and wanted the hackers terminated — ‘Get them off the computers and shut all this off right now.’'' Don was able to convince them it would be wiser to wait. "I said, 'We don't know how many places

32 | Australian Cyber Security Magazine

these guys have gotten into. We need to monitor them for a while and find out what the heck is going on and what they've done.'” Here another similarity between snake bites and breaches emerges – the importance of maintaining your cool for sound decision making. After a snake bite, resisting the temptation to run to the local doctor can stop the flow of toxins that might otherwise kill you. Following a breach, an elevated heart rate is just as likely to work against you. A hasty response to a live incident may alert an adversary that they’ve been sprung, causing them to cover their tracks or destroy vital data or infrastructure. The same can be true for preserving forensic evidence in our own actions, where shutting down a device or network may come at the expense of valuable log files. Of course, keeping calm is easier said than done, and increased regulatory pressure has only intensified the need for organisations in Australia to be prepared for the worst. Cybersecurity managers know the value of a wellinformed workforce – and much like treating a snakebite, education plays a crucial role in incident prevention, detection and response. A simple call to security can be the early warning system or the timely notification that makes the difference between an event and a catastrophe. Regular tabletop exercises play an equally critical role in ensuring what we put to paper is actually reflected in reality. Without tried-and-tested incident response plans and adequately trained and resourced staff, we condemn ourselves to the same fate as a snake victim who does not even feel the bite. After all, it is better to learn how to avoid the long grass than where to turn for antivenom.

Cyber Security

ISACA' S S HE L EA DSTECH PR OG R AM SEEK S TO I N C R EAS E T H E R EPR ESEN TATION OF WOME N I N T E C H N O LO GY LEA D ER SHIP R OLES AN D THE T EC H WOR K FOR CE. sh e le a d stec h. isac a.o r g

RAISING AWARENESS We will work to educate employees, allies, and engaged professionals so that we can overcome unconscious bias.

PREPARING TO LEAD Our training and skills development programs will prepare current and upcoming female leaders for the digital future.

BUILDING GLOBAL ALLIANCES Through strategic partnerships, we will amplify our impact beyond the ISACA network and support our chapters as they tackle the unique challenges in their region. Australian Cyber Security Magazine | 33

Cover Feature

A FAIR based cyber insurance claim Synopsis

By Denny Wan; peer reviewed by James Crowther and Deven Raniga

Cyber insurance is an important element in the cyber risk management program, to enable the transfer of residual risks. As a result, insurance is often seen as the “doing nothing” option which represents a “moral hazard” to the insurer. This is far from the truth as policyholders must manage the non-insurable residual risks themselves in accordance with their risk appetite statements. Prudent policyholders partner with their brokers and underwriters to develop cost effective insurance covers to minimise over insurance and ensure they are not under insured. The current court cases covering disputes in high value cyber insurance claims demonstrate the importance of these considerations. A genuine risk appetite statement provides the foundation of this assessment process. It is written in a language which the cyber risk team can understand and be able to prioritise their mitigation program to fortify against the “residual risk” boundary. Assessing the sufficiency of cyber insurance cover is

34 | Australian Cyber Security Magazine

an important and difficult task. Sufficiency can be measured against the dimensions in coverage scope, insurable events, coverage limits and exclusions. The Open Group FAIR (Factor Analysis of Information Risk) cyber risk quantification framework is a useful tool to calculate the most cost effectiveness coverage. The article explains how to apply the FAIR approach in the pre-loss risk assessment phase to guide the process in determining the sufficiency of the cover by quantifying potential business losses.

Insurance basics Insurance, as a risk transfer mechanism as depicted in figure 1 As shown in the diagram, routine operational security risks (such as password management and anti-virus protection) are managed through the enterprise cyber risk management programs. The probability of loss is high but the loss value is not catastrophic. The ‘MUST RETAIN’ risk category of risk is not commercially attractive for insurance

Cover Story Figure 1

This can be achieved by reserving capital to cover such loss events or design the business strategy to minimise their exposure to such risk events. Defensive strategies such as withholding services or products in designated high-risk countries or jurisdictions. To improve the profitability of commercial insurance, insurers target policyholders with a good risk profile through incentives such as no claim bonus, subsidised monitored home alarm systems and gym membership, for example under property and health insurances. Contrary to the perception of an adversarial relationship between policyholders and insurer leading to “moral hazard”, the right incentives structures they can encourage them to become partners in managing their collective risk as discussed in the following papers: Pro-active Cyber Insurance Pricing Model Cyber Insurance Incentive model

Key insurance terms

coverage due to the excessive premium relative to the insured value. Other classes of cyber risks such as ransomware which are not routine but can result in significant financial loss are candidates for commercial insurance. The ‘CAN TRANSFER’ risk category can be covered by commercial insurance but the premium could become excessive if the coverage limit is set very high. The ‘tolerance level’ is adjusted to reflect the risk appetite of the organisation through coverage limits and exclusions in the insurance policy. A common example is the excess (or deductable) which can be increased to lower premium. By accepting a higher claim excess, the policyholder has increased its risk appetite. Risks exceeding the tolerance level fall into the ‘SHOULD TRANSFER’ risk category. Policyholders might still decide to transfer the liability to the insurer by paying a higher excess. Finally, extreme risk exceeding the ‘confidence level’ is managed under the approach of ‘self-insurance’. This level is set based on the risk appetite of the organisation defined as the risk level it is willing to take in the pursuit of its strategy.

Insurance policies are binding legal contracts between the policyholders and insurers and must be reviewed by suitably qualified legal practitioners. This article does not provide any advice on insurance. This section explains some key insurance terms found in most policy documents: Loss of Net Profit vs Gross Profit – Gross Profit is revenue less variable costs. Net Profit is Gross Profit less operating expenses for the period. It is common for the business interruption element of cyber insurance policies to provide cover for the loss of Net Profit as opposed to Industrial Specific Risks Insurance (ISR) or other commercial business policies which generally provide cover for the loss of Gross Profit. An experienced and suitably qualified consultant should be engaged to quantify the revenue/profit at risk, provide advice on an adequate level of cover and the particular cyber policy wording. Waiting period – This is a period of time after an event for which business interruption losses will not be covered. It is usually applied to every claim. This limits the amount claimable per incident. The policyholder must budget for

Australian Cyber Security Magazine | 35

Cover Story

this and manage their capital plan and cash flow accordingly to cope losses which may occur during the Waiting Period. Be sure to understand how the insurance policy calculated the time i.e. do they use business hours or normal hours. Period of Indemnity – Also called “Indemnity Period”. Cyber policies will only provide cover for business interruption losses for a specified period of time, usually three months. Therefore, policyholders need to examine their BCPs and account for potential losses beyond the Indemnity Period. Policy wordings should be reviewed carefully to determine when the Period of Indemnity begins. The Ponemon 2017 Cost of a Data Breach Study shows US companies took an average of 206 days to detect a data breach. It is important for policyholders to understand the term “Indemnity Period” as defined in their policies. For instance, forensic examination of a data breach might conclude that the system intrusion is deemed to have occurred before the policy commenced but remained dormant until the intrusion was exploited resulting in the data breach, rendering it an “existing risk event” which might not be covered. Moreover, there might be ‘extra expense’ such as sourcing from alternate suppliers at a higher cost. These expenses might not be covered by the insurance policy and should be budgeted for. Some policies have additional cover for ‘extra expense’ subjected to “economic test”. The economic test might state that the additional expenditure to mitigate the event should not exceed the amount that would potentially be lost during the indemnity period. Be sure to consult an experienced and suitably qualified consultant to get a full understanding of the coverage provided. 3rd Party Costs – Often the focus of cyber insurance is the cost to restore impacted systems. But the interconnected nature of IT infrastructure increases the likelihood of 3rd party claims. For example, under EU GDPR (General Data Protection Regulation) legislation, organisations who collect personal data are still liable even if the data is breached through their service providers. These data holders will make claim against their 3rd party service providers to offset their own liabilities. This is because their cyber insurance policy will not cover liabilities.

The FAIR quantification approach

The Open Group FAIR quantification framework can be used to evaluate the cost effectiveness of cyber risk mitigation solutions by estimating the potential loss attributed to insured loss events. The framework is depicted in figure 2 below. The analysis on the left side of the model breaks down the risk scenarios to its core components such as Threat Capability vs Resistance Strength. This approach helps to visualise alternate mitigation options such as “do nothing”, effectively shifting them into the “residual risk” bucket. As discussed previously, residual risk can be managed through risk transfer mechanism such as insurance. Understanding the loss magnitude calculation is an important step in the assessment of sufficiency in insurance cover. The right side of the diagram above focus on the estimation of loss. The FAIR taxonomy defined six forms of loss as depicted in figure 3. Of the six forms of loss, Productivity, Response, and Replacement are generally the forms of loss experienced as Primary Loss. Secondary Loss, occurs as a result of secondary stakeholders (e.g., customers, stockholders, regulators, etc.) reacting negatively to the primary event. Think of it as “fallout” from the primary event. An example would be customers taking their business elsewhere after their personal information had been compromised or due to the frustration experienced as a result of frequent service outages. Two important considerations of Secondary Loss are that: • It is always predicated on a primary event. • It does not materialize from every primary event. Another important aspect of Secondary Loss is that its effect on an organisation can cascade. As losses pile up from initial Secondary Losses, additional secondary stakeholders may react negatively, compounding the effect until losses are so great that the organization fails completely (e.g., the demise of Andersen Consulting in 2002). This is the primary factor in deciding the boundary between commercial insurance and self-insurance. These considerations aew often codified in organisation risk appetite statements. But, unfortunately, the information is often not expressed in a format easily consumable to the management decision in the insurance cover composition process. The FAIR quantification process is a key to enable a consensual

Figure 2 36 | Australian Cyber Security Magazine

Cover Story

FORMS OF LOSS PRODUCTIVITY LOSS: Loss that results from an operational inability to deliver products or services RESPONSE COSTS: Loss associated with the costs of managing an event REPLACEMENT COSTS: Loss that results from an organisation having to

approach to the interpretation of these risk appetite statements, to enable the prioritisation process.

law firms experienced in these areas of litigation could provide a good estimate based on precedent cases. It is clear that these loss estimates require specialist skills which should be coordinated by an experienced and suitably qualified consultant to ensure transferable risks are identified and adequately quantified.

Planning the insurance claim process

Conclusion

To adequately transfer cyber risks to insurers, COMPETITIVE ADVANTAGE LOSS: a business must Losses resulting from intellectual first quantify their property or other key competitive expected losses in differentiators that are compromised the event of a cyber or damaged. incident. This is normally done with FINES AND JUDGMENTS: Fines reference to various or judgements levied against the scenarios. organisation through civil, criminal, or Failure to contractual actions. adequately quantify REPUTATION DAMAGE: Loss their expected losses resulting from an external stakeholder in the event of a claim perspective that an organisation's could result in the value has decreased and or that business being underliability has increased. insured, therefore retaining a portion of the risk they expected to transfer to insurers, or being overinsured and therefore paying unnecessarily high premiums. A policyholder should ensure it has processes in place to estimate expected losses attributed to insured loss events. This process requires a good general understanding of their industry and their particular business environments, as well as a deep understanding of their policy wording and how it will be applied in the event of a claim. This section explains the basic approach to the loss estimation process based on the six forms of losses in the FAIR framework. Productivity loss – This is essentially losses due to business interruption. Response cost – This is a commonly underestimated, confined to the cost to restore the IT systems and data. There could be significant additional costs to restore full business function after the IT systems and data have been successfully restored. For example, inventory and payment reconciliation and rescheduling of products and services delivery. These costs might not be covered by the cyber insurance policy. Replacement costs – This includes the cost to replace physical assets which cannot be sufficiently restored or where there is little confidence that malware has been successfully removed. Competitive Advantage Loss – Losses resulting from competitors taking market share from you by compromising intellectual property or other key competitive differentiators. The executive management team such as the chief financial officer might be the best source of estimation. Fines, Judgements and Reputation Damage – Specialist replace capital assets

The traditional adversarial approach to insurance management is not a sustainable approach to manage cyber risks in the contemporary information driven supply chain economy. The attack surface is expanding rapidly, and the loss can be catastrophic. Understanding the process, enabled by cyber risk quantification techniques, is an essential step to express enterprise risk appetite statements into cyber insurance cover. This will ensure sufficiency and sustainability for both the policyholders and insurers. About the author Denny Wan is a cyber security expert with over 20 years experience in the Australian IT security sector. He is the chair of the Sydney Chapter of the FAIR Institute with deep expertise in Cyber Risk Economics. This is an effective approach for prioritising cyber security investments and to explain its business values. He is a certified PCI QSA and CISSP. He is a postgraduate researcher at the Optus Macquarie University Cyber Security Hub researching into cyber risk management in the supply chains. This is a useful model for managing 3rd party supplier risk under compliance framework such as APRA CPS 234. About the reviewer Deven Raniga specialises in insurance claims and forensic accounting, with a particular focus on Business Interruption and Cyber insurance claims, as well as pre-loss quantification of Cyber and Business Interruption risks. He is a CPA, Chartered Loss Adjuster and an ANZIIF Senior Associate/Certified Insurance Professional, and has also completed the FAIR Analysis Fundamentals training course through RiskLens. James Crowther is the General Manager of Agile Underwriting. He is an entrepreneurial risk and governance specialist, over 15 years experience in risk management, and commercial portfolio management gained at Lloyd’s of London. Specialisms include risk review and assessment, raising cyber resilience awareness and working with all key stakeholders to ensure enterprise cyber security risks are well understood and managed. Building on Lloyd’s career I progressed to lead multiple Cyber insurance start ups in Australia and gained experience in; pre risk identification, post risk and response services, data breach response framework development, which include cyber risk identification, impact assessments, crisis management, risk mitigation, public relations and business continuity planning. Acknowledged industry specialist on Cyber insurance, dealing with IT security incidents and data breaches effectively.

Australian Cyber Security Magazine | 37

Cyber Security

Civic cyber warfare – The fog

T By Pip van Wanrooij

here is a fog settling across the general populace, the civic space, due to lack of situational understanding and the broader characteristics of cyberspace. These characteristics include hyper and inter-connectivity, virtuality, expansion and ambiguity. The current threat landscape consists of all types of actors, from script kiddies, malicious employees, to state-sponsored proxies and nation states, all with various levels of expertise and motivations. Cyber warfare or conflict is associated with attacks and exploitation of computer networks. The term ‘fog of war’ was first associated with a wellknown war strategist, Carl von Clausewitz and it applies to confusion, uncertainty and lack of perspective in battle. Today, the fog of civic cyber warfare produces doubts about the level of trust of information provided from cyberspace. In the current climate almost anything cyber, digital or connected is now considered trustless. An end-user cannot trust anything on a cell phone, or laptop, storage device, cloud applications or hardware. So, what can be done to restore our trust? In the military context, the ‘fog of war’ has been decreasing as intelligence, surveillance and reconnaissance capabilities continue to improve. However, the cyber battlespace has shifted and now includes the civilian populace. In the civilian environment, uncertainty, confusion, lack of clear information, poor cyber literacy and technological competency provides a platform for digital and physical exploitation or indeed a form of ‘civic cyber

38 | Australian Cyber Security Magazine

warfare’. Territorial conflicts, and battles for resources and ideologies are primary drivers for conflict. The tenets for every nation state is to look after its own interests economically, maintain sovereignty and the security and safety of its citizens. Essentially, the power of a nation rests in its ability and ambition to control both territory and resources. In a technology driven and digitally reliant society, the cyber vector has provided a platform of power, information, and deception. For many the cyberspace realm is difficult to conceptualise and manage. Even when data is ‘in the cloud’ it actually relies heavily upon physical infrastructure to function. It connects to computer networks, energy grids, the Internet, servers, and IoT enabled devices. In the mix, it is the human element that creates, runs and manages this complex architecture.

The new gold The digital age, or “the cyber century”, has enabled economic progress, social benefits and democratisation of information. Data has become the new gold, leveraging power both for good and for destruction of economies, cultures and ideologies. Data is mined, profited from without a consideration for the individual data owner. Data custodians including schools, health organisations and government agencies struggle to protect valuable

Cyber Security

information. More effective management and coordination is required to support the recruitment and training of information technology professionals. In the civic space further effort is required to understand the significance of digital security and data privacy, legal and statutory requirements, and criminal, reputational and financial data breach impacts.

Cross-domain synergy and civic transition

security awareness training. Some initiatives in building upon current cyber capacity has begun at trade and educational institutional levels. Many sound noteworthy, however in a number of cases there has been a talking up of learning opportunities in Australia, yet without accurate statistics it is difficult to say whether it will fill the current gaps and expertise levels required by the future market requirements. The trajectory of delivered cyber-attacks, speed, and manoeuvrability of attackers will require robust civic cyber security strategy, change management (dealing with uncertainty, complexity and change), disaster response and business continuity plans at all levels. Implementing ‘tick the box’ compliance solutions or spending bucket loads of money on technical solution-based controls are simply not enough for long road ahead. In a time period of uncertainty and rapid change, cyberattacks will continue to dominate global and inter-regional discussions. However, it is at the grassroots level of society, in our everyday communities, our children, that the impacts of cyber conflicts will have far reaching consequences and be felt physically, financially and psychologically. Key points: • Practical steps for resiliency and robustness – getting beyond the Plan and Act to the actual “DO” part is proving challenging to many across the government sectors. • Human resource efficiency and information management requires better interpretation and implementation • Deeper links across civic communities for practical solutions • Inter-regional Indo-Pacific (APAC) collaboration across not-for-profit, community, school and post-secondary educational space • Increased investment in training the humans. Developing multi-generational technology competent, cyber literate and security aware workforce. Revitalising the current workforce with a new roadmap and collaborative risk-based mindset to take us into a new era which we’ll all be required to navigate to survive • Whole-of-government led risk-based framework that can be seamlessly integrated across local community groups, business and organisations, K12, business, local state governments bodies.

Not surprisingly, information management is gaining more attention. Digital security and data privacy statutory and regulatory requirements are slowly accommodating the rapid pace at which technology is evolving. Data custodians are continuing to tailor and police information exchanges. This includes improvements to better synchronise both classification and access control.

Significant work needs to be done to overcome the confusion, uncertainty and lack of perspective from the ‘fog of civic cyber warfare.’ A cyber workforce needs to grow to defeat malicious individuals, state-sponsored proxies and nation states. The uncertainty of the ‘fog of war’ needs to be overcome in the civilian environment. Trust needs to be restored in the information provided from cyberspace.

Building cyber resiliency

About the Author Pip van Wanrooij is a professional educator and security generalist with a background in higher education, technology and international engagement. She promotes cyber resilience across civic and K12 communities.

A new battleground and cyber conflict The ubiquity of conflict is a human trait. Throughout history, there have been numerous examples of adversaries employing unconventional tactics. Technology asymmetry has now become the primary method of exploitation by organised crime groups, proxies for nation states, and malicious persons. Protecting against these threats requires both defensive and offensive cyber capability provided by defence and government agencies. Unfortunately the targeting of every day people via methods that take advantage of flawed human behaviour, poor technological competency and lack of security awareness has enabled a passive entry point for cyber intrusions. Nano computers, future AI technology and stealth-improved weaponised malware continue to evolve helping attackers move more laterally. The civic space is the new battleground for cyber warfare. New patterns of asymmetric conflict are emerging and the new resource war is now data harvesting, algorithmic and covert influencing and critical infrastructure attacks. Deployment and sophistication of new style attacks will continue to be delivered across operational technology, cellular, sensor, IoT connected devices and commercial technologies. The information domain, including cyberspace and the electromagnetic spectrum, is also highlighted as an area of conflict within the civilian sphere. As collateral damage, the general civic populace are likely to feel substantial blowback and subsequent turbulence from cyberattacks to critical infrastructure, financial systems and the organisations they work for. Unfortunately, the number of employees becoming victims of phishing scams and identity fraud has risen alongside the resultant rise in job loss, blame culture, mental duress and possible death.

Acquiring new skill capabilities takes time. Continual advancements in telecommunications, sensors, data storage, processing power and information transfer requires implementation of balanced tech skill and trade building and

Australian Cyber Security Magazine | 39

Cyber Security

Windows Task Scheduler So helpful at disclosing credentials, even when you ask it not to

I By Tristan Bennett

t’s not every day you come across an issue that Microsoft deems worthy of a patch, especially when your day job is sifting through logs to try and find indicators of compromise. However, while testing some techniques to detect password scraping from memory, that’s the position we found ourselves in. The first thing we had to confirm was whether the issue was present on all our Windows test servers as we were worried we had configured something in error on the server where the flaw was discovered. Once confirmed that we could reproduce the issue on multiple operating systems including a fully patch Windows Server 2016 environment we had the confidence to submit the issue to Microsoft. Microsoft has a simple process to follow in order to submit a security vulnerability and ask for the following information as a start, included is a summary of our submission; • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.) Plaintext/Easily Reversible credentials stored in memory • Product and version that contains the bug, or URL if for an online service Tested on Windows Server 2012R2 and Windows Server 2016 • Service packs, security updates, or other updates for the product you have installed Up to date with security patches. • Any special configuration required to reproduce the

40 | Australian Cyber Security Magazine

issue None • Step-by-step instructions to reproduce the issue on a fresh install The steps to reproduce this issue are described below. • Proof-of-concept or exploit code No code required for this. • Impact of the issue, including how an attacker could exploit the issue Administrators may have a false sense of password security due to all the robust security features built into Windows Server 2016 to remove the ability for password dumping tools to extract plaintext passwords. However, it appears a single scheduled task may expose potentially sensitive credentials despite all the other safeguards. Attackers can dump passwords with a variety of tools, and it has become very difficult to extract plaintext passwords from LSASS in Server 2016. It appears though through Credential Manager extraction is possible leading to easier privilege escalation options. Once submitted someone from the Microsoft Security Response Center gave regular update about the status of the patch and the CVE number (CVE-2019-0838) was assigned about 3 months after the flaw was disclosed. The issue was patched on 9th April 2019 with for all supported Windows Operating systems and get a 6.6 CVSS score. Interestingly Microsoft describe the issue as an “unintentional read access to memory contents in kernel space from a user mode process.” which makes it sounds a

Cyber Security Figure 1 – Error due to Group Policy

bit more severe than it is in practise. Microsoft Task Scheduler The actual issue itself is with Microsoft Task Scheduler which sends credentials over to Credential Manager which are then store in plain within LSASS. Microsoft has made many improvements over the last few years to how credentials are managed within Windows so that cracking open LSASS wasn’t necessarily the guaranteed easiest way to get plaintext passwords. We've also seen improvements such as WDigest Authentication being off by default and the ability to configure Windows Defender Credential Guard & additional LSA protections. This has resulted in the use of other techniques to steal credentials, such as asking users or using a tool like Responder. To reproduce the issue in your demo/test environment the following steps should work on systems without the above patch. 1. Set Group Policy “Network access: Do not allow storage of passwords and credentials for network authentication” to be “Enabled” 2. Edit the task to “Run whether user is logged on or not” 3. Change user to a domain service account 4. Ignore error (Error due to GP change above, does not allow task to be saved) 5. Credentials are now in Credential Manager 6. Run Mimikatz/SafetyKatz and password will be available in the plaintext.

Figure 2 – Passwords in plaintext from Credential Manager

What can we do? With Microsoft releasing a patch, that's the best solution to this issue; however, there are some other things that can help reduce the impact of account misuse before patching can occur and review of privilege is always a effort worth expending. 1. Review Use of Scheduled Tasks For the most common accounts used to run scheduled tasks, review what privilege level they have within the Domain. Use this list within your SIEM and look for activity that is abnormal for service accounts such as web activity, VPN logons or interactive logons to servers. 2.

Review the Privilege Level For the most common accounts used to run scheduled tasks, review what privilege level they have within the Domain and look at reducing it where possible. BloodHoundAD is an excellent tool for reviewing this privilege as you can execute queries using either the group or the target account as the starting point. More information can be found here - https://github.com/ BloodHoundAD/BloodHound

3. Patch With no concrete workarounds or mitigations the best course of action is to patch. More information on the security advisory can be found here - https://portal. msrc.microsoft.com/en-us/security-guidance/advisory/ CVE-2019-0838

Other Reference – Microsoft Reporting FAQ https://www.microsoft.com/en-us/msrc/faqs-report-an-issue Our patch notes https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0838

Tristan is Cyber Security professional, having primary worked in security operational roles, and has been working in Cyber Security for the past 10 years. He has worked for multiple customers across the country in that time, however the last few years has been centred around logs and trying to find all manner of attack techniques hidden. He currently works for small Perth based Cyber Security startup, Seamless Intelligence, with his primary role being responsible for researching new detection techniques and providing consulting services to uplift SIEM maturity.

Australian Cyber Security Magazine | 41

Cyber Security

Does your heart plummet at the thought of SOAR?

S By Samantha Humphries

ecurity Orchestration, Automation and Response (SOAR) seems to be the shiny new kid on the block in the heady world of cybersecurity. Standalone SOAR solution vendors are snapped up by larger vendors faster than you can say ‘playbook’. A short wander around a security trade show will immerse you in a universe where automation & orchestration are the answers to all your problems. Skills shortage? SOAR. Productivity issues? SOAR. Cat stuck up a tree? SOAR. World peace? Well…... that might be slightly beyond SOAR’s current capabilities, but never underestimate a creative marketeer on a particularly keen day. Regardless of vendor promises, the idea of handing off your security processes to the machines may well fill you with a sense of dread. What if something terrible happens? What if we break production systems? Should I add in a workflow step to automatically update my CV if the domain controller falls over? It’s not wholly surprising

42 | Australian Cyber Security Magazine

that these concerns occur. Computers do things rather quickly, so whilst automated playbooks and workflows can save you a tonne of time, if there’s something amiss it does have the potential to blow up pretty fast. Even something as straightforward as an automatic product update has proven costly to many organisations in the past, leading to time consuming internal testing before deploying even the most critical of security patches. The decision to embark on a SOAR project, or even just to utilise some of the automated features within your current security tools, ultimately boils down to whether or not you trust the software not to break things at breakneck speed. Manual processes do feel safer (even though they aren’t necessarily so), they have human eyes on them, they move at a more pedestrian pace. Then there’s the human factor to consider, especially if you’re performing a lot of manual tasks. Will we be automated out of a job? Will security teams only need more seasoned

Cyber Security

analysts? What happens to the junior folks? How would we attract fresh new talent? Maybe staying as we are is just better for everyone… But in the fast-moving world of security, if you’re standing still, you’re basically going backwards. Before we get into methods of approaching SOAR, let’s address the people side of things. This might sound a little controversial, but I’m of the opinion that automation and orchestration are, at least in part, an HR benefit (stay with me!), as it can help drive employee retention. For security leaders, hiring skilled people is hard enough, finding ways to keep them is even harder, especially in a job market that is weighted very much in favour of the hiree. In a recent report by Exabeam, security operations centre staff cited compensation, benefits, and a good/challenging environment as the top reasons for staying put. And whilst little says “I love you” like cold hard cash, providing an interesting environment for security professionals is vital to your success. The crux of the problem is time. The cup of time afforded to security teams does not at any point overfloweth, if anything it barely contains dregs. There’s always more to do, more alerts to investigate, systems to tweak, fires to fight. Trying to eke out time to provide mentoring, go on a training course, even watch a webcast or read an article, is in very short supply. Feeling ‘pigeonholed’ because there’s no time for you to advance your skills, especially during office hours, doesn’t make for a great experience. Manual, repetitive (read: boring) tasks are often farmed out to the more junior team members, or something the more seasoned analysts despise as they aren’t being stretched or even fully utilized. SOAR isn’t just about improving productivity, it provides time to do more interesting tasks, to build skills, to get the very best from the security team. “Operational excellence” is a phrase often banded around with great gusto, but all the metrics in the world won’t keep security professionals in their seats if the environment sucks. A demotivated team member may not be brilliant at paying full attention to work they deem to be less interesting, which in itself brings risk to your organisation. SOAR, done right, can help reduce risk in many ways. Manual processes can be riskier than you might think, especially if they are frequently repeated. Humans can and do make mistakes, it’s easy to skip a step in a process if you’ve been doing it over and over. False positives and false negatives are not the friend of the security team - whereas accurate results definitely are the droids you are looking for. The trick to approaching SOAR is not throwing your pedal to the metal and zooming off into the wonderful automated and orchestrated future. Especially if this is new ground for your organisation. Slow and steady wins the race here. Taking a logical and comfortable approach, which allows you and your organisation build confidence and trust as you progress, will result in better success in the long term. When starting your project, evaluate the usual three pillars of people, process, and technology. Ascertain what skills you have in-house to set up and test your automation workflows - if you or your team have decent scripting capabilities, or you decide to bring in some external services, you could go down the route of building things yourself, but that does mean whatever you build will need maintaining.

SOAR isn’t just about improving productivity, it provides time to do more interesting tasks, to build skills, to get the very best from the security team. Single points of failure can be extremely costly, so unless you have a lot of resources with these skills, it may make more sense to purchase a tool. There are plenty available on the market today, and more and more security products now come with varying degrees of SOAR functionality built in. I’m a big fan of keeping things simple, so my personal recommendation would be to go for options with a drag and drop style interface, and prebuilt customisable workflows. Next comes deciding what to automate and orchestrate. Tried, tested, repeatable processes are solid initial candidates. Investigating suspected phishing emails or gathering intel on suspicious files can be good choices to tackle, ultimately it really does come down to your own specific processes, and the tools you have available. There are plenty of places to find ideas too, many vendor community sites have people sharing their experiences, even code snippets if you’ve chosen that route. It almost goes without saying that it is important to have measurements in place to be able to demonstrate return-oninvestment. You may already have these, but if that’s not the case, work out how long a process is taking, how frequently it’s being run, and how much it’s costing in FTE hours. Whether you plump for the DIY approach or pick a thirdparty technology, you shouldn’t necessarily implement full end-to-end automation on the first run. Automating parts of a process are a fine first step - try it, test it, get comfortable with the output before adding in more automation. Some steps in a workflow may always need a human eye, especially if you’ve got actions in the process which could impact critical systems or user accounts. Keep measuring and refining, and it won’t be long before you wonder why you didn’t implement SOAR sooner. Then grab a beer, put your feet up, and enjoy all your new-found free time! OK, so it would be great if that were completely true, but you’ll be freed up from a great deal of busy work, allowing you to focus on more strategic initiatives, training, mentoring, and fighting the good fight. About the author Jill of many trades, mistress of a few. Samantha has spent most her working life entrenched in the world of cyber security. As you can imagine, she loves it. Her career has spanned many areas of the business - sales, technical support, solutions marketing, channel support, outbreak management and incident response, engineering and researcher management, product management, and more. She likes solving problems and making customers happy. She fully believes that it’s wonderful to be able to do what you love.

Australian Cyber Security Magazine | 43

MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 120 interviews and provides regularly updates, news, trends and events. Available via Apple & Android. Over 55,000 downloads in the first year.

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.

My Security Media rapidly expanded into the Asia Pacific Region with its sister publication – the Asia Pacific Security Magazine. It is published bi-monthly –. It is available online to read by all and upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

The Australian Cyber Security Magazine was launched in agreement with the Australian Information Security Association (AISA) to be focused on AISA’s 3,000 members, nationally and forms part of AISA’s national cyber security awareness and membership communication platform.

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Your one-stop shop for all things CCTV, surveillance and detection technologies

The MySecurity TV Channel delivers news and interviews for the Asia Pacific Security Magazine, Australian Security Magazine and Australian Cyber Security Magazine – and from across MySecurity Media channels.

MySecurity Media can facilitate specialist round-table luncheons or breakfast sessions for up to 20 invited guests for high level discussion on Security & Cybersecurity themes, guided by the Vendor’s Leaders and accompanied with published content.

Event opportunities in Sydney, Melbourne, Brisbane & Singapore providing attendees a special experience and additional takeaways, including podcast interviews and print media.

promoteme@mysecuritymedia.com 44 | Australian Cyber Security Magazine

www.mysecuritymedia.com

The ‘go-to’ tool for leading professionals UP COMING EVENTS COURSES WEBINARS WHITEPAPERS SOFTWARE

promoteme@mysecuritymedia.com

www.mysecuritymarketplace.com

Australian Cyber Security Magazine | 45

Cyber Security

Black Hat Seduction

Mitigating the migration of qualified professionals to the dark side

T By Brenda van Rensburg

he statistics are out. There is going to be a skill shortage in the very near future. Security Ventures has predicted that there will be about, 3.5 million unfilled positions by 2021. However, if you look at the current trends, it is the complete opposite. In Perth, Hays recruitment placed an advert for a “Cyber Security Analysis”. By the end of the week, this position had over 106 applications and 361 views. In Melbourne there is a job for a middle tier position as a Cyber Security Manager. This job has 94 applicants. If we head over to New York, there is a Cyber Security Sales position with 378 applicants. If cyber security skills are in such high demand, why are there so many applicants for a range of cyber jobs? More importantly, why are we continually encouraging more people in this field, when the current people can’t even get jobs? Who has to gain from the ‘alleged prediction’ and what happens to the people with a skill set they can’t get a job with? In 2014, CISRO made a prediction that the industry will be short of more than 1 million professionals. We can

46 | Australian Cyber Security Magazine

clearly see that this is not the case. According to John McAfee, there are two job openings for every qualified individual. Maybe the individuals that are applying for different roles are not qualified? Or maybe, the industry does not know what they want. If you look at some current job ads, you will notice a request for a cyber superhero with certificate of every acronym that is listed in the ‘cyber acronym dictionary’? And while you think that this would only fit one individual, I can guarantee you that this job had 121 applicants. Obviously, a number of cyber superheros in the world. Cyber Security, although a predicted skill shortage, is not void of certification. In fact, it is one of the industries where educational institutions have seen a huge marketing opportunity and have offered cyber security degrees/ certification. Being a recognized facility, coupled with the use of common used media statistics, people are lining up to get a head of the curve. Outside of the possibility that most of these individuals already have a good foundation of ‘hacking’ skills, education facilities are scrambling to

Cyber Security

'According to Business Insider, a black hat makes an average of $80,000 per month. No certification is needed. When a student completes their university degree, they are faced with an average of $36,000 debt which could be offset by a possible entry level job of $45,000.'

provide an education for a platform that is evolving rapidly. According to emerging future, technology doubles every 11 months. This means that by the time you complete a degree in Cyber Security, most of the information you learnt, will be history. It is probably why IBM hire individuals without a degree. According to Business Insider, a black hat makes an average of $80,000 per month. No certification is needed. When a student completes their university degree, they are faced with an average of $36,000 debt which could be offset by a possible entry level job of $45,000. Notably a job that is not guaranteed, and clearly given the mistake of statistically facts, a position that probably will not be there when they graduate. However, they will have a very unique skills set. A skill set that could be compared to that of a trained marine. The only difference is that these individuals know how to move in and out of a system without being detected. They are also able to acquire data and sell it on sites which are, most often, hard to track. Furthermore, they love to be paid in bitcoin. And with more, and more retailers

accepting bitcoin, means that a career on the dark side of the fence is a little more alluring. As a result, what we will be facing is not necessarily a job skill shortage in the cyber sector. What will most definitely could expect is an increase of individuals with a unique skill set that would make Bryan Mills (a.k.a Liam Neeson in Taken) look like a ‘private’. While everyone is scrambling to make a ‘buck’ from selling a dream that may have a nightmarish ending, very few are thinking of the long-term impact. Cyber Security skills in the wrong hands could be catastrophic. Tie that with someone who has spent a lifetime in a digital landscape and a number of years acquiring a certification for job that may not exist, then you will most definitely have an equation for disaster. After all, survival instinct is extremely powerful. When you place someone in a desperate situation, it is highly likely that they will apply desperate measures. If these measures mean dancing with black hats, then there is a strong chance that ethics will not longer be part of a solution. In conclusion, to reduce the migration of our qualified professionals to the darker realm of the digital landscape, we must take on equal responsibilities to offer them a role in which they can continue to contribute positively to the community and support themselves financially. Whilst it is unlawful to ‘hack into sites’ without an owner’s permission, a person with significant amount of skills will most definitely dance with the concept of being a ‘black hat’ because they too have bills to pay. Notably, we tend to turn to the private sector to pick up the pieces and offer jobs which were spurred by agencies outside of this area. However, the responsibilities of ensuring an opportunity of our digital citizens, should fall on everyone’s shoulders who are encouraging people into the cyber industry. Everyone that is capitalizing off the alleged prediction of a cyber security skill shortage, should be equally responsibility in assisting these individuals with acquiring a job. Unfortunately, when reality does not meet prediction, we are left with the same line that is given to every career decision taken: “We cannot guarantee you a job with this degree, but you have a better chance of one”. Unfortunately, for a country as a whole, we have a rising number of skilled individuals that have shifting ethics, values and morals. These same individuals will quickly work out that there is a more seductive opportunity on the darker realm of cyber than remaining hopeful that ‘one day’ they will get that job. The question that we are facing now: “What are we going to do about it?”

Australian Cyber Security Magazine | 47

TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au