Asia Pacific Security Magazine, Issue 2, 2019

THE REGION'S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com | Issue #2 2019 | $8.95 INC. GST

Cover stories:
• Targeting cyber security investment: The FAIR approach
• INTERPOL WORLD 2019: Editor Insights & Takeaways
• Cyber crime: A war worth fighting
• How real is the Islamic State threat in India?
• ISACA Singapore Chapter GTACS 2019
• What will drive cybersecurity: Hacking, crime, warfare and/or terrorism?
• Cloud security: Who is really responsible?









Cyber Security

SCADA & ICS CYBER SECURITY WORKSHOPS
PERTH, SYDNEY, BRISBANE, MELBOURNE, 11 - 22 NOVEMBER 2019

Overview

Reliable and safe operation of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems is considered critical for a broad range of industries supporting wellbeing at a national level.

The growing convergence of IT and ICS, long separated domains, calls for special attention and the adoption of ICS-oriented best practices. These functions can be jeopardised internally by an incentivised individual, or through remote access by a hostile organisation; hence appropriate preventive measures should be taken to mitigate such breaches and minimise possible damage.

Target Audience

The training workshop aims to build the competency of a wide range of position holders in the SCADA/ICS arena. Graduates of this course will master the key terms, technologies and attack vectors related to the computerised control systems they operate. The training program is suitable for the following groups:
• IT personnel who need to know more about SCADA/ICS risks and defence technologies, to assure better collaboration between IT and OT teams
• SCADA/ICS engineers involved with the design and maintenance of critical manufacturing (food, medicine, chemical processes, etc.)
• Operators controlling renewable and other electric power plants, sewage plants, desalination and other chemical process plants
• A broad range of managers interested in upgrading their technical knowledge so they can make correct and cost-effective investment decisions

Upon completion of this training workshop, graduates should be able to better defend their critical infrastructure and comprehend the mechanisms behind it. It will also prepare you to apply for certification classes such as CISA and CISSP.

Facilitator

Daniel Ehrenreich, B.Sc. Engineering, ISO27001 Lead Auditor, Secure Communications and Control Experts

Daniel brings over 25 years of experience with SCADA & ICS, deployed for electric power, water, sewage, oil and gas. Since 2010 he has combined his engineering activity with cybersecurity and has consulted and delivered training in Israel and across the world. Previously he held senior positions with leading firms in Israel, including Waterfall Security, Siemens and Motorola Solutions. Daniel's current assignments include writing an ICS Cyber Security Methodology as well as acting as lead facilitator for ICS Cybersec 2019, Israel and ICS Cybersec Asia 2019, Singapore.

BEST PRACTICE WORKSHOP

The two days are suitable for a broad range of technical and C-level positions in the OT & IT domains and include provision of training material and a Certificate of Attendance. The class is suitable for people coming from, or interested in entering, typical SCADA industries: water and sewage, power plants, power distribution, oil and gas, manufacturing, chemical plants, public safety, transportation, smart cities and public communication networks.

COURSE REGISTRATION - REGISTER INTEREST HERE
EARLY BIRD $1,250 - CLOSES 1 SEPTEMBER 2019. FULL COURSE MATERIALS PROVIDED. * PRICES EX GST

"Dan's experience in this area of practice was great to learn from." - Principal Engineer E&I – Technical Services

"Thanks to Daniel Ehrenreich for a great two day workshop on managing cyber risk within industrial control systems." - Senior Risk & Security Consultant

Day 1 - Intermediate Training Workshop Syllabus

Part 1, 08:30 – 12:30: Introduction to ICS Technologies
• Introduction to ICS (SCADA, OT) architecture
• Roles of the main computers in ICS architecture
• Description of the Triangle and the Purdue ICS models
• Field control units: PLC, RTU, IED and remote I/Os
• Structuring an ICS cabinet with I/O technologies
• Complementing sensors and field control devices
• ICS data communications: networks and protocols
• PLC / RTU configuration and programming principles

Part 2, 13:30 – 17:30: SCADA/ICS Cyber Security Basics
• ICS and IT systems differences related to cyber risks
• Introduction to SCADA system security vulnerabilities
• Cyber risk development through social engineering
• Introduction to IAM, encryption and authentication
• Defence achieved by PPT: People-Policy-Technology
• External & internal attacks: MitM, DOS, DDoS, GPS
• Defence solutions: Zoning FW, IDS, SIEM, DMZ, UGW

Day 2 - Training Workshop Syllabus (Parts 3 and 4)

Part 3, 08:30 – 12:30: SCADA/ICS Cyber Security Vulnerabilities
• Introduction to ICS (SCADA, OT) and HMI solutions
• Field control units: PLC, RTU, IED and remote I/Os
• Use of IoT and IIoT for ICS installations
• Introduction to authentication and encryption
• Introduction to SCADA system security vulnerabilities
• Connection between safety and cyber security
• ICS and IT systems differences related to cyber risks
• Experience sharing: Vulnerability assessment vs white hackers, why you need both

Part 4, 13:30 – 17:30: ICS Cyber Security Risk and Defence Methodologies
• External & internal attacks: MitM, DOS, DDoS, GPS
• Industrial Cyber Kill Chain: attack step-by-step process
• Communications and process anomaly detection using packet inspection
• Firewalls, IDS, SIEM, DMZ, UGW, visibility analysis
• Best practices to enhance ICS-IIoT cyber defence
• Periodic assessment to enhance ICS cyber security
• Standalone vs multi-purpose cyber security software: determining cost vs effectiveness
• Applicable standards: NERC-CIP, IEC 62443, NIST 800-82




Contents

Editor's Desk - 11
Targeting cyber security investment - the FAIR approach - 18
Cyber crime: A war worth fighting - 24
ISACA Singapore Chapter - GTACS 2019 - 28
Celebrating the 50th anniversary of ISACA - 30
How real is the Islamic state threat in India? - 34
What will drive cyber security - 36
The importance of strong cyber security ahead of the new financial year - 39
Who is really responsible for cloud security? - 40
Cyber threats in the high seas - 42
Interpol World 2019 - 44
Education Hack - 46

Page 44 - The online matrimonial mayhem

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Jane Lo, Sarosh Bana
Correspondents* & Contributors: Jane Lo*, Steve Sawyer, Sebastian Liu, Denny Wan, David Stafford-Gaffney; also with Chip Block, Donna Gallaher, Lionel Snell, Dipesh Ranjan
Marketing and advertising: promoteme@mysecuritymedia.com

Copyright © 2019 - My Security Media Pty Ltd, GPO Box 930, Sydney NSW 200, Australia. E: promoteme@mysecuritymedia.com

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US: www.facebook.com/apsmagazine | @AustCyberSecMag | www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about | www.youtube.com/user/MySecurityAustralia
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

OUR NETWORK: www.cyberriskleaders.com | www.mysecuritymedia.com | www.australiansecuritymagazine.com.au | www.aseantechsec.com | www.drasticnews.com | www.chiefit.me | www.asiapacificsecuritymagazine.com | www.cctvbuyersguide.com | www.mysecuritymarketplace.com


Editor's Desk

"China resolutely opposes the wrong practices and provocative activities of the US side regarding arms sales to Taiwan, sanctions on the CMC (Central Military Commission) Equipment Development Department and its leadership, illegal entry into China’s territorial waters and maritime and air spaces near relevant islands and reefs, and wide-range and frequent close-in reconnaissance” - China’s National Defense in the New Era, The State Council Information Office of the People’s Republic of China, July 2019

In a highly publicised opinion piece in early August, Andrew Hastie, Federal Liberal MP and chair of the parliamentary joint committee for intelligence and security, referred to a distinct moment in modern history which had largely been forgotten. The moment was April 1, 2001, when a J-8 fighter jet from the People's Liberation Army Navy collided with a US Navy EP-3 signals intelligence aircraft off the coast of Hainan Island. The 24 crew of the US EP-3 were held for 11 days by the Chinese government and the aircraft was returned much later, in pieces, via a Russian Antonov cargo plane. Hastie wrote, "This was an early test for the Bush administration, only 10 weeks old. It was faced with brinkmanship, intelligence plundering and technology transfer." Just what China learned and took out of this incident may well have changed the course of this century.

Fast forward nearly two decades. A number of national security observers now hold the perception that we are in a pre-war phase between the USA and China. The risk of major military action is expected to rise steadily over the next decade as China progresses to "complete the modernisation of national defense and the military by 2035." In this context, Hastie observed, "The next decade will test our democratic values, our economy, our alliances and our security like no other time in Australian history." As we move into the 2020s, be it the 'New Era' as declared by China or a 'pivot to the Indo-Pacific' as described by the US, this decade will be significantly complex but not without some predictability. The distinct difference in ideology has a long history of leading to war in an attempt to stop the advance of Communism. Political, economic and social tensions will continue to rise. The continuation of protests in Hong Kong, along with the risk of para-military action from the Mainland, is one of the latest symptoms of this resistance. Inevitably, we are approaching a point where China's rise will be blocked with force. Socially, the frontline is currently Hong Kong. Yet the outcome in Hong Kong will undoubtedly have a significant impact on the future of Taiwan. China's National Defence White Paper states, "The 'Taiwan independence' separatist forces and their actions remain the gravest immediate threat to peace and stability in the Taiwan Strait and the biggest barrier hindering the peaceful reunification of the country…China must be and will be reunited...We make no promise to renounce the use of force, and reserve the option of taking all necessary measures...The PLA will resolutely defeat anyone attempting to separate Taiwan from China and safeguard national unity at all costs." Watch closely also Chinese political and military influence in Cambodia, Vietnam, Papua New Guinea and Vanuatu, as well as US military manoeuvring and trade outcomes.

Alongside this threat of major conflict in the region is a growing threat landscape for governments and a challenging business environment. As major powers manoeuvre militarily, so do intelligence and diplomatic services. An Australian Strategic Policy Institute Strategic Insights paper, From board room to situation room: Why corporate security is national security (July 2019), highlighted, "There exists a void between business and national security agencies when it comes to understanding each other's capabilities and limitations. Our approach to national security planning should now include key companies and their supply chains: it's time to rethink our national security approach in a more complex, dynamic and interconnected world…. That's because in non-traditional warfare, or what the Australian Chief of the Defence Force General Angus Campbell calls 'political warfare' (which is below the threshold of direct military aggression), our corporate sector is now as much a target as our military forces." In this context, all security professionals, be they physically or cyber orientated, must up-skill and work hard to protect their respective domains. Government and corporate espionage, sabotage, corruption and trade secret theft will remain at a heightened and sustained risk. Support from corporate boards and company executives is required. Well done to ASPI and ASIAL for working to raise the profile of the industry.

To highlight the trend further, in February 2019 the Australian Parliament's systems were compromised, affecting the personal data of several MPs from the Labor, Liberal and National parties. Formal attribution is still indeterminate. Yet, indicative of the cyber threat, Mike Burgess, currently Director-General of the Australian Signals Directorate (ASD), is to lead the Australian Security Intelligence Organisation (ASIO) as Director-General of Security. Given it is just over a year since ASD took over the Australian Cyber Security Centre, this appointment suggests cyber will remain at the heart of what ASIO will need to focus on in coming years. And on that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and, most importantly, engage.

Sincerely,

Chris Cubbage CPP, CISA, RSecP, GAICD
Executive Editor

MySecurity Media Update

In September, MySecurity Media will be part of an Exchange program facilitating the visit of eight cyber security companies from New South Wales to meet potential customers and investors in Mumbai, Bengaluru and Delhi, then at SingInnovate in Singapore. The NSW-India Cyber Security Exchange program is in collaboration with the NSW Treasury and the Optus Macquarie University Cyber Security Hub. MySecurity Media Director Chris Cubbage will then head to San Francisco, attending the NetEvents Global Media & Analysts Summit and judging the NetEvents Innovation Awards, returning just in time for the WA Cyber Awards, being held in Perth, WA along with 'Kevin Mitnick in Perth'. #Staytuned.

EDITOR EVENT REPORTS

INTERPOL World 2019 - Editor Insights & Takeaways

INTERPOL World 2019 - Cyber Security Weekly Podcast Series

#Security2019 showcases the latest security technology for Australia

RSA APJ Conference Podcast Series - Interview with Rohit Ghai, President, RSA and Grant Geyer, Senior Vice President for RSA Products, discussing the 'New Why of Cybersecurity'. Digital investment accelerates business velocity, transforms constituent experiences and spawns new opportunities. But this formidable force for human progress also magnifies risk.



PODCAST HIGHLIGHT EPISODES

Episode 169 – RSA APJ Conference Podcast Series - Briefing with ISACA on the CYBERSECURITY NEXUS™ (CSX) TRAINING PLATFORM LABS

Interview with Brian Page, Global Account Executive with ISACA, attending the RSA APJ Conference from Chicago, USA. Founded in 1960 and previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, and has grown to have over 140,000 members and 190 worldwide chapters. Brian provides insight into the ISACA CYBERSECURITY NEXUS™ (CSX) TRAINING PLATFORM LABS: a performance-based, live lab environment where anyone can obtain cutting-edge cybersecurity training. Students gain access to relevant labs in live environments without the use of emulation. Labs are hosted in the cloud, so students may access them from anywhere in the world so long as they have a web browser and internet connection.

Episode 168 – BlackBerry launches 'Intelligent Security' for mobile endpoint security in zero trust environments

Interview with David Nicol, Managing Director, BlackBerry Australia & New Zealand and Jonathan Jackson, Director, Engineering Solutions, APJ. BlackBerry® Intelligent Security uses a combination of contextual and behavioural factors to dynamically adapt security requirements and calculate a unique risk score for each interaction. Using this unique risk score, a mobile user can be granted access to specific device applications and services, as defined by IT administrators. This provides granular control and delivers a better, more productive end user experience – all without sacrificing an organisation's regulatory and security policies.

Episode 167 – RSA APJ Conference Podcast Series - The New Why of Cybersecurity - Rohit Ghai, President, RSA and Grant Geyer, Senior VP for RSA Products

Interview with Rohit Ghai, President, RSA and Grant Geyer, Senior Vice President for RSA Products, discussing the 'New Why of Cybersecurity'. Digital investment accelerates business velocity, transforms constituent experiences and spawns new opportunities. But this formidable force for human progress also magnifies risk. We discuss digital risk management and the associated transformation and change in the digital environment, and how RSA has set out to address the management of digital risk as the new 'why' for cybersecurity.

Episode 166 – Certis CISCO Singapore launches Centre for Applied Intelligence, a Security Operations Research Hub

Interview with Mr. Fuji Foo, VP of Business Digitalisation, Certis CISCO Singapore, discussing the launch and operation of the Certis Centre for Applied Intelligence (CCAI), a Security Operations Research Hub. The CCAI will enable Certis to build up AI expertise and resources to operationalise AI in the area of multi-disciplinary security and integrated services. In addition, it will enhance Certis' expertise to orchestrate complex and critical business operations, enabling both Certis and its customers to keep pace with the fast-evolving business and technological landscape. Located at the Certis Commonwealth building, the 810-square-metre CCAI is equipped with software and hardware capabilities for machine learning and deep learning in Artificial Intelligence, Robotics and Data Analytics. It is powered by an Nvidia/Asus GPU (Graphics Processing Unit) farm with scalable processing capacity, allowing training speed to increase exponentially. It also houses an environment testing room for CCTV detection tests under different lighting conditions, an audio room to assess the accuracy of audio detection under varying noise environments, and an advanced system area for trialling the movements, turning radius and speed of robots.

Episode 165 – INTERPOL World 2019 Series - Drone Alert and Reporting of Drone Activity

Interview with Brooke Tapsall, CEO of DroneALERT and AGICS, Australia. Brooke has been a professional in the spatial science industry for 17 years, working around the world before establishing companies and initiatives that provide valuable services to security in the drone industry. At the event, Brooke will speak on a panel titled "Drones: How to stop drone intrusion in three easy steps?".

Episode 164 – INTERPOL World 2019 Series - Public v Private Partnerships - Interview with Anton Shingarev, Vice President for Public Affairs, Kaspersky

Anton is responsible for Kaspersky's worldwide public policy agenda, managing both the company's and the CEO's cooperation and communications with national and international governmental bodies (UK, EU, etc.), as well as international public institutions and organisations (the United Nations, the World Economic Forum in Davos, INTERPOL, etc.). Anton coordinates the company's participation in government-level events, programs and projects, and negotiates contracts and strategic alliances. On July 3, Eugene Kaspersky, CEO of Kaspersky, and Tim Morris, Executive Director of Police Services at INTERPOL, signed a contribution agreement under which Kaspersky will provide human resources support, training, and threat intelligence data on the latest cybercriminal activities to INTERPOL, strengthening the organisation's cyberthreat hunting capabilities. The signing ceremony took place at INTERPOL World 2019, in Singapore.

Episode 163 – INTERPOL World 2019 Series - Dr. John Coyne, Australian Strategic Policy Institute - Policing & Innovation

Interview with Dr John Coyne, Head of Border Security Program, Australian Strategic Policy Institute, Australia. Dr Coyne is an expert in transnational organised crime, with a focus on non-traditional illicit commodity flows. At INTERPOL World, he presented as part of a panel titled "Financial Crime: Tackling organised crime is all about the money – How can we improve the outcomes through sharing data from banks and financial institutions?" INTERPOL World sets the stage for all stakeholders from law enforcement, government bodies, academia and industry to co-create, engage in conversations and form beneficial collaborations for faster and more accurate responses to the security challenges of the future.

The INTERPOL World episodes were recorded at INTERPOL World 2019, Singapore, 3 July 2019. MySecurity Media attended as event media partners.





Cyber Security

Targeting cyber security investment - the FAIR approach
By Denny Wan, peer reviewed by Chip Block and Donna Gallaher

Targeting can be applied to the following tasks in the investment decision process, based on the potential financial loss against an asset:
1. Prioritising the risk assessment scope
2. Prioritising the recommendations on remediation actions

In this article, I reflect on my discussions with Chip and Donna on the business need for targeting cyber security investments. We discussed how to apply the FAIR approach to the cyber security budget prioritisation process, leveraging the targeting effort above. We are seasoned cyber security executives and chairs of our local FAIR Institute Chapters, which I will address later. The paper concludes by explaining how to use the security ROI dashboard and scorecard to assist in the investment prioritisation process.

The IMF forecast a weakening of the global economy in 2019 which, for most firms, will inevitably result in some level of budget cuts. Unfortunately, cyber security spending is often the target for the cut because it generally does not have a direct revenue impact. However, executives must approach risk prioritisation decisions with caution, since cyber breaches can impact customers and other third parties along the supply chain. If an organisation is found to have been negligent in its risk management decisions, putting profit before customer security without due consideration, it can be exposed to significant punitive fines and damages which are not covered by cyber insurance. The Open Group FAIR (Factor Analysis of Information Risk) methodology is a structured approach to quantifying the potential financial losses attributable to cyber risk. This is a powerful defence for organisations to justify their budget prioritisation decisions.


Cyber Security

How much less risk will we have? This was the infamous question put to Jack Jones (author of the FAIR framework) in 2001 as the CISO of Nationwide Insurance when discussing his (then) information security strategy. The best answer he could offer was to shrug his shoulder and reply “Less”. The executive knew he wasn't going to get a better answer but wanted to make a point. Sounds familiar? Jack knew the questions deserved an answer that could be defended and was useful to the business. It sowed the seed for the FAIR risk quantification methodology. He made it his mission to decompose risk into something he and an executive could understand. Fast forward to 2019; the picture isn’t all that dissimilar: The above picture succinctly and humorously captures the business communication challenge on managing cyber security. FAIR Risk Quantification Methodology has matured since its initial release in 2009 and remains the only open sourced approach surviving the scrutiny of the Open Group and global risk management professional communities. It is a powerful communication tool for bridging the perceived communication challenge depicted above. Membership in the FAIR Institute, the voice of the FAIR community, has enjoyed year-on-year growth of more than 25%, exceeding 5,600 members worldwide. There are over 400 blog articles published by the FAIR Institute, including many practical tools, tutorials, video guides and interviews. There are several simulation tools such as FAIR-U and statistical packages for R. It is a vibrant and active community. Cyber breaches can be costly The 2013 Target data breach which impacted 110 million shoppers was reported to have cost $292 million in primary losses in Target’s 2016 annual report. Additionally, the secondary losses from several class actions totalled $153.9 million. Target’s CEO resigned from the fallout. 
It was also a hard lesson for Yahoo, whose valuation was reduced by $350 million due to previously undisclosed data breaches in 2013 and 2014. But the carnage did not stop there. Earlier this year, former Yahoo directors settled a $29 million shareholder derivative lawsuit over their handling of these data breaches. The settlement is a noteworthy departure from other, normally unsuccessful, breach-related derivative lawsuits because it held the directors directly responsible as fiduciaries. As the number of data breach derivative lawsuits against directors and officers continues to increase, large settlements may create valuation expectations that increase the settlement costs of other pending and future data breach-related derivative cases. The suit alleged that Yahoo officials breached their fiduciary duties by failing to protect Yahoo’s data. They also failed to investigate and remediate the breaches after they occurred, neglecting to put proper safety mechanisms in place to prevent such attacks (i.e., “the Board’s refusal to spend the necessary money to improve [Yahoo’s] data security infrastructure exposed [Yahoo] to significant hacking incidents”). Finally, Yahoo was also accused of issuing false and misleading statements about its knowledge of the data breaches.

In June 2019, rating agency Moody’s Corp and Israeli cyber group Team8 announced a joint venture to assess how vulnerable businesses are to cyber-attacks and create what they hope will become a global benchmark. Similar to the way that banks can check their stability with a stress test, Moody’s and Team8 are developing a framework to measure companies’ defences and preparedness for such attacks in comparison to other businesses and over time. According to Derek Vadala (chief executive of the joint venture), the service will be a tool for companies engaging in mergers and acquisitions or purchasing cyber insurance policies. The cyber health of companies can impact credit ratings. In March, Standard & Poor’s downgraded Atlanta-based credit bureau Equifax, reflecting the possible fallout from a 2017 data breach. Moody’s in May downgraded its outlook on Equifax, citing the breach as the reason for the change. This rating service could be a structured tool for lenders to justify an increase in the interest rate on a loan, as a premium to compensate for the perceived cyber risk, directly impacting the cost of capital. Therefore, it would be useful for business executives to equip themselves with cyber risk modelling knowledge and tools in order to understand these new cyber risk assessment processes. Unfortunately, cyber risk assessment processes and penetration testing results tend not to include any specific dimensioning of the potential financial impacts. On the other hand, it is unlikely that cyber risk rating agencies such as the new Moody’s-Team8 joint venture will be undertaking, or be allowed to undertake, cyber risk assessment or penetration testing of the companies they are assessing. They will apply their proprietary cyber risk quantification methodology and tools for these assessments. Therefore, it could be very difficult for the target companies to challenge or refute an unfavourable assessment without building their own cyber risk quantification models.
The Slack pre-emptive strike

But not every company takes the cyber risk challenge lying down. Chip Block explained in his recent article, “The Slack IPO – The Role of Risk Quantification in Investing and the Lack of Faith in Insurance”, that Slack took the unusual approach of drawing attention to two cyber risks:
1. It cannot assure that it can sufficiently mitigate the risk from cyber attacks
2. It cannot be certain that its cyber liability insurance cover will be available or adequate for all liabilities

Slack’s share price surged 50% to $38.5 (over the reference price of $26) when it opened for trading. The current share price is still hovering at around $36. Such disclosure did not dampen enthusiasm for the stock. But to put the situation into perspective, Slack lost $138 million last year on revenue of $400 million. So perhaps the risk appetite of investors differs from that of lenders assessing the capital raising request of a more mature business such as Yahoo or Target US. For these companies, an unfavourable cyber risk assessment might have a material impact on their borrowing costs. Their cyber security investment decisions, or cuts to their cyber risk program budgets, will attract much more scrutiny.

Return on Security Investment (ROSI)

Moreover, it is an established business practice to prioritise investment decisions based on Return on Investment (ROI) calculations. However, prioritising investment in cyber security controls requires extending the concept of ROI to ROSI (Return on Security Investment), as depicted in the formula below. Cyber security primarily focuses on minimising financial losses to the organisation and its clients or partners. The ROSI is usually much higher than 100%, often in the range of 1000%-2000%. This might feel counter-intuitive because ROI is traditionally in the 10%-20% range. This is where the skill of an experienced vCISO is needed to interpret ROSI.

To illustrate a typical ROSI, consider car insurance. The ‘Monetary loss reduction’ (in the event of an accident) is the insured amount for the vehicle, while the ‘Cost of the solution’ is the premium. The ratio of premiums to insured amounts should be in the order of 1:10 to 1:50, giving rise to a ROSI of 1000% – 5000%.

Moreover, estimating financial losses attributable to cyber attacks is not straightforward, because it requires specialised skills to estimate the probable frequency of successful attacks. Although we can calculate the cost of a given data breach after it has occurred, it is more difficult to predict the frequency and likelihood of attacks succeeding in a financial period. The FAIR framework breaks down the estimation of threat frequency into ‘Contact Frequency’ and ‘Probability of Action’, making such estimations possible. The taxonomy of the FAIR framework is depicted below, showing the breakdown of the core components.

The cyber security ROI dashboard and security scorecard for investment effectiveness

The cyber security ROI dashboard and the scorecard are practical tools to support the investment prioritisation process. They are designed to answer the question: how much less risk will we have? Below is a sample scorecard for investment effectiveness. The scorecard is not a risk assessment process. The inputs to the scorecard are:
1. Risks identified from the risk assessment process
2. The threat analysis underpinning the risk identification process
3. The recommended remediation options

The scoring process accepts the result of the risk assessment process at face value. The process assesses:
1. Whether the mitigation options address the identified risk, using the FAIR factor analysis
2. What measurements can be used to monitor the effectiveness of the remediation process
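The arithmetic behind the ROSI discussion and the FAIR taxonomy above, as an added worked example in Python (not code from the article, nor from the FAIR Institute's tools): a loss scenario is expressed in the FAIR factors named in the text (contact frequency, probability of action, vulnerability, primary and secondary loss), an annualised loss is derived from them, and each candidate control is scored by how much loss it removes per dollar of cost, which is the scorecard's first question; the metric attached to each control is the scorecard's second. The ROSI formula figure itself is not reproduced in this text, so the example uses the simple ratio consistent with the article's car-insurance arithmetic (cover ten times the premium gives 1000%) and also reports the net form (loss reduction minus cost, over cost) used in ENISA's ROSI guidance. All scenario values, control names, reduction factors and monitoring metrics are constructed for illustration.

```python
"""Score candidate controls with FAIR factors and ROSI (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FairScenario:
    """One loss scenario expressed as point estimates of FAIR factors.

    FAIR proper works with calibrated ranges and Monte Carlo simulation;
    single values are used here so the arithmetic can be followed by hand.
    """
    contact_frequency: float      # times per year a threat agent reaches the asset
    probability_of_action: float  # share of contacts where the agent actually acts
    vulnerability: float          # probability that an action becomes a loss event
    primary_loss: float           # direct cost per loss event (response, replacement)
    secondary_loss: float         # fines, legal settlements, churn per loss event

    def threat_event_frequency(self) -> float:
        return self.contact_frequency * self.probability_of_action

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency() * self.vulnerability

    def loss_magnitude(self) -> float:
        return self.primary_loss + self.secondary_loss

    def annualised_loss(self) -> float:
        """Expected loss per year: how often events happen times what each costs."""
        return self.loss_event_frequency() * self.loss_magnitude()


@dataclass(frozen=True)
class Control:
    """A remediation option and the FAIR factor(s) it acts on (constructed)."""
    name: str
    annual_cost: float
    metric: str                        # what to monitor (scorecard question 2)
    contact_factor: float = 1.0        # multiplies contact frequency
    action_factor: float = 1.0         # multiplies probability of action
    vulnerability_factor: float = 1.0  # multiplies vulnerability

    def apply(self, s: FairScenario) -> FairScenario:
        return replace(
            s,
            contact_frequency=s.contact_frequency * self.contact_factor,
            probability_of_action=s.probability_of_action * self.action_factor,
            vulnerability=s.vulnerability * self.vulnerability_factor,
        )


def rosi_percent(loss_reduction: float, cost: float, net: bool = False) -> float:
    """ROSI as a percentage.

    net=False: loss reduction / cost (the ratio behind the article's
               car-insurance example: cover 10x the premium -> 1000%).
    net=True:  (loss reduction - cost) / cost, the ENISA-style net return.
    """
    if cost <= 0:
        raise ValueError("control cost must be positive")
    gain = loss_reduction - cost if net else loss_reduction
    return 100.0 * gain / cost


def evaluate(scenario: FairScenario, control: Control) -> dict:
    before = scenario.annualised_loss()
    after = control.apply(scenario).annualised_loss()
    reduction = before - after
    return {
        "control": control.name,
        "metric": control.metric,
        "ale_before": before,
        "ale_after": after,
        "loss_reduction": reduction,
        "rosi_pct": rosi_percent(reduction, control.annual_cost),
        "rosi_net_pct": rosi_percent(reduction, control.annual_cost, net=True),
    }


def rank_controls(scenario: FairScenario, controls: list) -> list:
    """Highest ROSI first: the order a scorecard would present the options."""
    return sorted((evaluate(scenario, c) for c in controls),
                  key=lambda r: r["rosi_pct"], reverse=True)


# Constructed scenario: unauthorised access to a customer database.
SCENARIO = FairScenario(contact_frequency=50, probability_of_action=0.2,
                        vulnerability=0.4, primary_loss=100_000,
                        secondary_loss=50_000)

# Constructed remediation options; each acts on one FAIR factor.
CONTROLS = [
    Control("patch and harden internet-facing servers", annual_cost=45_000,
            metric="patch SLA compliance", vulnerability_factor=0.25),
    Control("retire the internet-exposed legacy interface", annual_cost=20_000,
            metric="count of externally reachable services", contact_factor=0.5),
]

if __name__ == "__main__":
    print(f"ALE before controls: ${SCENARIO.annualised_loss():,.0f}")
    for r in rank_controls(SCENARIO, CONTROLS):
        print(f"{r['control']}: reduces loss by ${r['loss_reduction']:,.0f}, "
              f"ROSI {r['rosi_pct']:.0f}% (net {r['rosi_net_pct']:.0f}%), "
              f"monitor: {r['metric']}")
```

With these constructed numbers the annualised loss is $600,000; the cheaper control removes $300,000 for $20,000 (ROSI 1500%) and ranks above the patching programme, which removes $450,000 for $45,000 (ROSI 1000%, 900% net). The multiplicative factors are a simplification so the ranking can be checked by hand; a real FAIR analysis would carry ranges through a simulation and report a distribution rather than a single figure.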

This scoring process can be applied against different remediation solutions such as firewalls, DLP (Data Loss Prevention) and so on. The analysis can be drilled down further into each of these solution classes. For example, a firewall refresh program can be staggered based on scoring to ease the business impact and CapEx requirements. The scoring result is depicted in the following high-level dashboard:

About the reviewers

Chip Block is the Vice President and Chief Solutions Architect at Converged Security Solutions and chair of the Greater Washington DC Area Chapter of the FAIR Institute. He has been working in the high technology arena for over 30 years and enjoys the challenge of taking organizations working at the leading edge and growing them into vibrant and successful companies. Over his career, he has been fortunate to have worked on all sides of the business equation, from startup companies to IPO companies, to Government contracting and international sales. He is the recipient of an R&D 100 award for the development of one of the top one hundred new product technologies in the world. His ongoing work with state-of-the-art technology and operations includes research into critical areas such as cyber protection of medical devices, the impact of the insurance industry on the cyber market and transitional cloud strategies.

Donna Gallaher is the President and CEO of New Oceans Enterprises, LLC, an Information Security and Operational Risk Management Advisory Services firm providing fractional/virtual external CISO and data privacy services to CEOs and Boards of Directors. She serves on the Board of Advisors for the FAIR Institute and as the chair of the Atlanta FAIR Institute Chapter. She is a thought leader in security executive leadership and a champion of the vCISO movement. Donna is a regular contributor to the National Technology Security Coalition, which serves as the “voice of the CISO” in the United States by uniting public and private sector stakeholders around policies that improve national cybersecurity standards and awareness.

Conclusion

Prioritisation of cyber security investment is a step in the IT risk governance maturity process. The FAIR methodology, focusing on minimising financial loss, aligns with accepted business investment prioritisation practice. The increasing awareness of the impact of cyber risk on business can affect the cost of capital. A major step in helping organizations is making quantified risk operational and part of the day-to-day decisions of businesses. The scorecard for cyber security investment effectiveness and the ROI dashboard are useful visual tools to assist in the investment prioritisation decision process and to support the operational application of quantified risk in organizations.

About the author

Denny Wan is a cyber security expert with over 20 years’ experience in the Australian IT security sector. He is the principal consultant of Security Express and the chair of the Sydney Chapter of the FAIR Institute, with deep expertise in Cyber Risk Economics. It is an effective approach for prioritising cyber security investments and explaining their business value. He is a certified PCI QSA and CISSP. He is a postgraduate researcher at the Optus Macquarie University Cyber Security Hub, researching cyber risk management in supply chains. This is a useful model for managing third-party supplier risks under compliance frameworks such as APRA CPS 234.



Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

LAW ENFORCEMENT

REGULATION

BUSINESS

ACADEMIA

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to:

Connecting members across intelligence communities and encouraging cross-domain collaboration

Sharing cutting edge and emerging global intelligence practices and enabling technologies

Supporting and representing intelligence professionals throughout their career lifetime

Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au





Cyber crime: A war worth fighting

By Steve Sawyer, Vice President of International Strategy at Digital Element

The problem with dependence on connected technology is that it makes us vulnerable; not only to system failure, but also to ghosts in the machine — and we’re not talking Casper. In the last year, 11 companies lost more than a billion data records in 13 breaches, 48% of consumers experienced a data breach, and cyber attacks cost the Asia Pacific region $1.7 trillion collectively. As digitalisation has brought more everyday tasks online, copious entry points have opened up to digital criminals — and they have become increasingly adept at exploiting them. It goes without saying that battling cyber villains won’t be easy, but businesses can gain a fighting chance of success by shifting focus to the source of crime, not just the fallout.

Is the issue too big to fix?

Companies know that online attacks can damage business revenue and reputation; the latest ESET consumer survey shows 77% would feel negatively about a company after a breach – yet motivation to tackle the hackers seems limited. While Asia Pacific is especially susceptible — home to nearly a third of global digital crime — only 20% of IT and business decision makers view online security investment as a vital business differentiator, and one in five have opted to avert risk by delaying digital transformation efforts entirely. The most likely reason behind these attitudes is that cyber hazards are now seen as normal and inevitable. Not only have major security incidents become daily headlines, but criminals are also considered too difficult to catch. They can use the web to launch ransomware, take over networks, and illegally access customer accounts via multiple devices — from anywhere in the world. And by leveraging masking techniques, they can do so anonymously. Tools such as Virtual Private Networks (VPNs), proxy servers, the Tor network and the Domain Name System (DNS) allow malicious actors to disguise their real identity and falsify their location. But reliance on these tactics could be the key to unravelling crime networks and activities, if businesses take the right approach.

One-size-fits-all won’t work

It could be assumed that a fondness for proxies presents an obvious solution. If criminals are known to favour certain techniques, blocking any digital traffic using similar methods ought to be an effective fix. Except there is one crucial hurdle: not all proxy users have nefarious intentions. From anonymous browsing to remotely accessing corporate networks, VPNs are widely adopted by legitimate users for varied purposes, and are a popular choice for enhancing online security and privacy; Asia Pacific alone accounts for two-thirds of overall VPN usage. As a result, halting all VPN users isn’t practical; it increases the danger of real customers, or employees, being mistaken for fraudsters. That’s not to mention the fact that it fails to uncover the root of cyber crime. To minimise risk and protect genuine users, companies must find a means of telling them apart — and one of the best tools for that job is IP geolocation.

Location as a crime-fighting tool

As most companies know, the point of VPNs is altering a user’s IP address. So, accurate IP tracing is the best way to unmask criminals — and that is the basic premise of IP geolocation. Of course, success depends on quality. IP data reliability can fluctuate significantly, especially if the data is composed of patched-together publicly available information. The most accurate platforms not only ensure third-party data is continually refreshed and anonymised, but also collated from premium sources. When combined with sophisticated traceroute technology, this means data can be harnessed to pinpoint location down to postcode level and gain deep insight into connection traits, such as proxy details, without personally identifying users.

What advantage does this offer? Once location is identified, criminal detection can begin. At an initial level, this might involve assessing connection type. For example, a hosting centre is meant to be a vehicle for traffic, not a source. So, traffic that originates from it should be reviewed alongside existing records, such as data held in customer relationship management systems (CRMs). Much the same applies to proxies, VPNs and Tor; by evaluating what sort of proxy individuals are using against a premium proxy database, platforms allow firms to distinguish between trusted VPNs and mechanisms often associated with suspicious activity, such as encrypted ‘Tor exit’ gateways. Going beyond connection characteristics, IP geolocation platforms also enable companies to run comparisons. With retail, for instance, this may include implementing smart rules, where IP location is automatically checked when logins are made from high-risk or unusual areas, or evaluated against an individual’s bill-to or ship-to address. Alternatively, companies can secure internal networks by tracking velocity patterns: highlighting dubious trends such as individuals who jump between locations at unfeasible speeds or in an illogical order. Following analysis, businesses can choose their preferred course of action. Any suspicious activity that poses a low-level threat, for instance, can be flagged for additional investigation or confirmation, such as sending an SMS or email that allows users to verify its authenticity. Meanwhile, major threats can be instantly blocked to limit possible damage, prior to review. As well as reducing the likelihood of false positives, this discerning approach demonstrates to consumers that firms are committed to stringent crime prevention.

Connected tech has brought many advantages for companies and consumers: convenience, speed, and constant web access from anywhere. But they are not alone in enjoying these benefits. Criminals are exploring the possibilities ubiquitous connectivity creates, and getting better at infiltrating the machines we rely on. For businesses, this makes cyber crime hard to fight but underscores that the war is worth winning.
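The rules the article describes (connection type, Tor exit gateways, IP location against the billing address, and velocity between successive logins), as an added Python example that is neither Digital Element's code nor its NetAcuity product: the geolocation lookup is assumed to have already happened, so each constructed login event carries the coordinates, country and connection type a geolocation platform would return, and the code applies the rules in time order and returns allow, verify or block, with low-level cases routed to step-up verification and a Tor exit treated as the block-first case. User names, timestamps, coordinates and thresholds are all constructed for the example.

```python
"""Apply IP-geolocation login rules to a stream of events (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    """One login as a geolocation platform would enrich it (constructed fields)."""
    user: str
    when: datetime
    lat: float
    lon: float
    country: str          # ISO country code of the IP's resolved location
    connection_type: str  # e.g. "residential", "mobile", "hosting"
    is_tor_exit: bool = False


# Faster than any commercial flight: two logins that would need more than this
# are treated as a velocity anomaly.
MAX_PLAUSIBLE_KMH = 1000.0
# Within this distance, logins with the same timestamp are tolerated
# (IP churn inside one metro area rather than travel).
SAME_AREA_KM = 50.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed needed to travel between two logins; handles zero elapsed time."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return 0.0 if km <= SAME_AREA_KM else float("inf")
    return km / hours


def assess(event, previous, billing_country):
    """Return (decision, reasons); decision is 'allow', 'verify' or 'block'."""
    if event.is_tor_exit:
        return "block", ["tor_exit"]        # major threat: block now, review later
    reasons = []
    if event.connection_type == "hosting":
        reasons.append("hosting_origin")    # data centres carry traffic, not originate it
    if event.country != billing_country:
        reasons.append("country_mismatch")  # IP location vs bill-to address
    if previous is not None and implied_speed_kmh(previous, event) > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    return ("verify" if reasons else "allow"), reasons


def assess_stream(events, billing_country):
    """Process events in time order, remembering each user's last accepted login."""
    last = {}
    results = []
    for e in sorted(events, key=lambda ev: ev.when):
        decision, reasons = assess(e, last.get(e.user), billing_country[e.user])
        results.append({"user": e.user, "when": e.when,
                        "decision": decision, "reasons": reasons})
        if decision != "block":
            last[e.user] = e  # a blocked login must not anchor later velocity checks
    return results


# Constructed sample: billing countries and one morning of logins.
BILLING = {"alice": "AU", "bob": "SG", "carol": "AU", "dave": "AU"}
T = datetime(2019, 7, 1, 9, 0)
EVENTS = [
    LoginEvent("alice", T, -33.87, 151.21, "AU", "residential"),                 # Sydney
    LoginEvent("alice", T.replace(hour=10), 51.51, -0.13, "GB", "residential"),  # London, 1h later
    LoginEvent("bob", T.replace(minute=5), 1.35, 103.82, "SG", "hosting"),       # data-centre IP
    LoginEvent("carol", T.replace(minute=10), -33.87, 151.21, "AU", "residential",
               is_tor_exit=True),
    LoginEvent("dave", T.replace(minute=15), -33.87, 151.21, "AU", "mobile"),    # Sydney
    LoginEvent("dave", T.replace(hour=12), -37.81, 144.96, "AU", "mobile"),      # Melbourne, ~3h later
]

if __name__ == "__main__":
    for r in assess_stream(EVENTS, BILLING):
        print(r["when"].time(), r["user"], r["decision"], r["reasons"])
```

On the sample, alice's second login is flagged for verification with both a country mismatch and impossible travel (Sydney to London in an hour), bob's data-centre origin is flagged for review, carol's Tor exit is blocked outright, and dave's Sydney-to-Melbourne pair passes because the implied speed is a few hundred km/h. Keeping the last accepted login per user is what makes the velocity rule work across a stream; not anchoring on blocked events avoids a single rejected login poisoning the next genuine one.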
To prosper in a digital world, firms must equip themselves with tools that identify the hallmarks of digital crime and use them to strip fraudsters of their anonymity without impeding real users, using location as their guide.

About the author

Steve is responsible for strategic development of the company’s IP Intelligence and geolocation products across the Europe and Asia-Pacific regions. Steve has been involved in the IP Intelligence industry for more than 15 years, with substantial experience in fraud, gaming and enterprise applications. Of particular note is his leadership in the expansion of business interests across the fast-growing markets in the APAC region, including work with local teams in China and Japan to develop opportunities for the company’s NetAcuity solutions. Steve’s career spans more than a decade in advertising and technology. He worked on the forefront of newspapers’ early online adoption, later moving onto online auction sites as technologies rapidly advanced, and then joining the IP industry in 2002.



WHITEPAPER

The paper delves into the various ways cybercriminals have evolved in recent years and offers specific guidelines for CISOs and security professionals to help manage risk. “We believe cybersecurity professionals should be looking at existing kill chain models with a new lens,” said Tom Kellermann, Carbon Black’s Chief Cybersecurity Officer and the paper’s primary author. “It’s no longer helpful to approach cybersecurity linearly. Cognitions and context are critical and help reveal attackers’ intent. Understanding the root cause of attacks and the way attackers think is paramount to good cybersecurity. With the ‘Cognitive Attack Loop,’ we’re offering defenders an updated model at how attackers think and behave.”

WHITEPAPER

With benefits like increased agility, improved efficiencies and lower overall fixed costs, it’s no surprise that nearly 95 percent of businesses are now using the cloud. In conjunction with this rapid adoption, users of cloud services are experiencing a 300% increase in cyberattacks targeting their cloud environments. When it comes to protecting sensitive data, extensive measures should be taken to keep information private and secure. However, that’s easier said than done, especially in the cloud. The growth and popularity of cloud solutions continues to drive more data beyond traditional IT security protections – into networks no longer owned, managed or controlled by corporate IT teams. On premise IT security controls do not touch the cloud, leaving customer data at risk from the same types of threats targeting applications in corporate data centers.

Can I See Your Hands

by Dr Gav Schneider

The title of this book, “Can I See Your Hands”, refers to one of the key outcomes of this book: being able to tell whether or not people want to cause us harm. To put it very simply, if you can see someone’s hands and they are not concealing them, holding a weapon or positioning to strike you, one’s levels of trust and confidence can increase. This simple example can serve as a reminder to all of us in many of the complex moments we have to deal with, and difficult decisions we have to make, in everyday life.

7 Rules to Influence Behaviour and Win at Cyber Security Awareness

by Chirag Joshi, M.S., CISA, CISM, CRISC

Cyber Security explained in non-cyber language. Get ready to have everything you thought you knew about Cyber Security Awareness challenged. Fight back against the scourge of scams, data breaches, and cyber crime by addressing the human factor. Using humour, real-world anecdotes, and experiences, this book introduces seven simple rules to communicate cyber security concepts effectively and get the most value from your cyber awareness initiatives.


Frontline

Driving growth in Australia’s cyber security sector

From ideation to export, and everything in between, AustCyber works with:

• Startups

• Government agencies

• Scale-ups

• Research organisations

• Corporates

• Educational institutions.

• Venture capital funds

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access:

• Funding across all stages of the commercialisation cycle

• Profitable global supply chains and growth markets.

The first step is to connect with us:  www.austcyber.com

info@austcyber.com

+612 9239 3250

@AustCyber



Mr Patrick Tay Teck Guan (Member of Parliament, West Coast GRC and Assistant Secretary-General, NTUC), the Guest-of-Honor at ISACA’s Governance, Technology, Audit, Control, Security (GTACS) 2019 conference (organised by ISACA Singapore Chapter, Marina Bay Sands, 15th May 2019). Photo credit: ISACA Singapore Chapter

ISACA Singapore Chapter GTACS 2019

By Jane Lo


“Collaboration is a key ingredient to success in today’s changing world”, said Mr Patrick Tay Teck Guan (Member of Parliament, West Coast GRC and Assistant Secretary-General, NTUC), the Guest-of-Honor at ISACA Singapore Chapter’s annual conference, Governance, Technology, Audit, Control, Security (GTACS) 2019. Addressing the GTACS 2019 theme of “Managing Change, Embracing Uncertainty”, it is crucial to “stay ready, relevant and ahead of the curve”, Mr Tay said. With rapid changes driven by the “ABCDEF” (an acronym for “Artificial Intelligence, Blockchain, Cloud, Data, E-Commerce and Fintech”), “expertise is no longer gained in a traditional 3-year program”, he explained. Instead, collaboration is key to promoting the exchange of ideas, which is critical to the learning and upskilling process. “Speed to market” – the ability to respond and adapt to market changes – together with collaboration and skills are the three essentials to “manage change and embrace uncertainty,” he added. “And ISACA Singapore will continue to partner U Associates to promote and advance the education and professional development of technology audit and cyber security,” he elaborated.

Indeed, “uncertainty is constant in this world”, Mr Phoram Mehta (President, ISACA Singapore Chapter) noted in his GTACS opening address. Economic crises and corporate scandals, innovations and new information systems infrastructure have always raised expectations for improved standards, methods and techniques for controls and audits. What is different today is the exponential rate of change: the rise of automation, the proliferation of devices and the increased frequency of breaches such as the recent SingHealth incident, amongst many others. Exchanging views on these topical themes over networking breaks, ISACA members and industry thought leaders at GTACS 2019 also participated in and shared through two dedicated tracks on the topics of “Governance & Security + Compliance, Audit” and “Talent and HR”. The GTACS theme “Managing Change, Embracing Uncertainty” was further expanded through industry talks ** which highlighted the need for proactive preparation and planning, and reflected the convergence of cyber-physical systems and an increasingly networked society.

“Can you audit AI in the same way?”

As a community of “networking, learning and mentoring”, said Mr Leonard Ong (ISACA International VP, Director, ISACA International Board) in his opening address, ISACA equips its members to navigate today’s sea of change. One such transformation is Artificial Intelligence (“AI”). “Can you audit AI in the same way?” he asked. There has been no shortage of regulatory, government agency and industry responses to transformational events, such as the Sarbanes-Oxley Act, NIST publications and ISO standards. The Three Lines of Defence also gained prominence as a risk control framework after the Great Financial Crisis. These developments played a part in the evolution of the audit profession: under the Sarbanes-Oxley Act, audits of controls such as the logging of network activities are mandatory; under the Three Lines of Defence, the auditors (third line) provide independent assurance to the risk owner (first line) and risk manager (second line). The underlying common theme is “governance”, characterised by accountability and transparency through robust roles, responsibilities and policies. In fact, the annual gathering “GTACS”, ongoing since the 1990s, was originally named “TACS” (Technology, Audit, Control, Security); the “G” for governance was added to the official conference name in 1994.

With AI, regulatory responses have included Singapore’s proposed Model AI Governance Framework to address AI ethics concerns (e.g. data and algorithm biases). To be sure, such frameworks will guide future audit requirements and approaches. However, AI itself opens up opportunities for auditors, such as use cases that spot potentially fraudulent activities from transaction and behavioural data fed through a machine-learning process. With more and more modern activities taking place online, leveraging digital data with AI to extract hidden insights can strengthen an organisation’s competitive positioning. No doubt the additional strategic inputs with predictive views that auditors can offer will be invaluable. This, and many more opportunities, can certainly be transformational for the profession, made possible by today’s innovations.



Mr Leonard Ong (ISACA International VP, Director, ISACA International Board) at his opening address “ISACA celebrates 50 years”. Photo Credit: ISACA Singapore Chapter.

Above, ISACA Board members with the GTACS organizing team. Standing, from L to R: ISACA Singapore Chapter Board Members Yap Lip Keong, CISA, CISM Hon. Treasurer | Tan Jenny, CISA Hon. Secretary | John Lim (workshop director, Past President) | Viktor Pozgay, CISM, CRISC Director, Industry Outreach, Chair GTACS 2019 | Phoram Mehta, CISM, CRISC President | Steven Sim Kok Leong, CISA, CISM, CRISC, CGEIT Vice President | Paul Lothian Director, Program (Seminar) | Gaurav Thorat, CISM, CRISC Director, Marketing | Chuah Yak Ngi (Past President) | Daryl Pereira (Past President) | Peter Gwee Ban Hock, CISA, CISM, CRISC Asst. Hon. Secretary | Harley (Event manager) | Lance Peng Cheng Han, CISA, CISM, CRISC Asst. Hon. Treasurer | Phelicia Glenda Goh, CISA, CRISC Director, Membership | Simon Lam, CISM Director, Academic Outreach | Ben Tan Ming Han, CISA, CISM Director, Government & Regulatory Outreach | John Lim Yueh Han, CISA, CISM, CRISC, CGEIT Director, Program (Workshop) + Technology



National

Mr Chew Teck Soon, (founding past President, ISACA Singapore Chapter) took the stage to recap memories

Celebrating the 50th anniversary of ISACA

By Jane Lo

Half a century ago, a significant milestone in human history was marked when Apollo 11 landed two men on the moon. The remarkable achievement reflected the decades of dedicated research following ENIAC (Electronic Numerical Integrator And Computer), the first programmable general-purpose electronic digital computer, built during World War II. Compared to the ENIAC, which occupied a space equivalent to a standard two-room flat, the Apollo Guidance Computer was considerably more portable. The exponential scaling of computing efficiency during those decades of innovation sent two men to the moon; it also led to the development of applications for commercial use. The adoption rate of computers rose and, in the same year as the moon mission, the Electronic Data Processing Auditors Association (EDPAA), the former name of ISACA, was born in Los Angeles, United States (US). As computers became more widely used, the urgency for know-how and good practices in computer system audits and controls grew, adding further impetus to EDPAA’s aim of meeting the demand for the exchange of tools, knowledge and experience. Watershed events such as the Equity Funding Fraud scandal, in which a computer program generated fictitious policies in the hundreds of millions and led to its collapse, further propelled EDPAA’s growth. International expansion followed in the mid-1970s (Mexico City, Mexico, and Sydney, Australia, in 1976; Israel and Milan, Italy, in 1979); and in the 80s in Asia with China Hong Kong (1982), and Singapore a year later in 1983.

More recently, in the Asia-Pacific region, the organisation was boosted by the opening of the Beijing office, its first international office outside of North America. From a handful of passionate individuals gathering in a restaurant 50 years ago in 1969, today it is a global organization with 135,000 members and 200 chapters across 188 countries. At a gala dinner held on 31st May 2019 at the Orchard Hotel to commemorate the 50th anniversary, the Singapore Chapter’s founding past President, Mr Chew Teck Soon, took the stage to recap memories and the journey of the Singapore Chapter.

The Singapore Chapter Story

Barely 20 years after its independence in 1965, Singapore was then a relatively young country. However, the waves of computer innovation were sweeping across the world, and Singapore was no exception. “Those days, computers were not that complex”, said Mr Chew Teck Soon (founding past President, Singapore Chapter), as he took to the stage at the gala dinner. But the thirst for knowledge and practices prompted individuals, including Mr Steve Ross, to establish a local chapter. “The CISA (Certified Information Systems Auditor) was introduced by the organization in 1978. Once I passed my CISA exam, I took up the presidency in 1983”, Mr Chew said. “The biggest break came in 1989 when we held the first computer security conference in Singapore at the Pan Pacific hotel. Mr George Yeo, then the Senior Minister for Trade and Industry, was our VIP. The event was a huge PR success, drawing 50 – 80 persons, a huge crowd in those days,” he reminisced.

In 1994, a significant moment happened in the history of the organization. “That year, we moved to change the name from EDPAA to ISACA to ensure continuing relevance. ISACA – Information Systems, Audit and Controls Association. It incorporated all the critical keywords, and the full name was adopted in 1994. Today, it is known as “ISACA” in short,” he said. In some ways, the change reflected societal and economic trends as the economy shifted gears from the Industrial Age to the Information Age. The next challenge was to differentiate the objectives and unique skills of auditing computer systems versus a traditional (financial) audit. “We faced the challenge of “competing” against the Big 8 audit firms.** To address this, we launched in 1996 the Control Objectives for Information and Related Technology (COBIT) framework to help the financial audit community better manoeuvre in IT-related environments,” he said. COBIT today has evolved through five iterations, with the latest known as COBIT 2019, a testament to its role as go-to guidance for effective and strategic enterprise governance of information and technology. Over time, certifications have also been introduced to reflect the changing audit and controls standards as computers grew more sophisticated: CISM (Certified Information Security Manager), CGEIT (Certified in the Governance of Enterprise IT, 2006), CRISC (Certified in Risk and Information Systems Control, 2010) and, most recently, CSXP (the Cybersecurity Nexus Practitioner).

** Arthur Andersen, Coopers and Lybrand, Deloitte Haskins and Sells, Ernst and Whinney, Peat Marwick Mitchell, Price Waterhouse, Touche Ross, Arthur Young.

“Today, with 2,000 members, the Singapore Chapter is firmly established as representing, promoting and developing the professional practice of IT Audit, Security Management, Risk Management and Governance,” but to continue growing, “developing a vibrant cybersecurity ecosystem” is important, Mr Chew emphasized. Through partnerships with government agencies, vendor companies and educational institutes (academic outreach), the Singapore Chapter plays a crucial role in building an ecosystem consisting of companies, professionals and communities of practice, enabling the active exchange of ideas. Examples include the signing of the MOU (Memorandum of Understanding) with the Cyber Security Agency (signed by Mr David Koh, Chief Executive of CSA, and Ms Theresa Grafenstine, Chair of the ISACA Board of Directors, during the second edition of Singapore International Cyber Week (SICW) 2017), and the coordination of industry feedback to the public consultation on Singapore’s Cybersecurity Bill (passed on 5 Feb 2018 and receiving the President's assent on 2 Mar 2018 to become the Cybersecurity Act). Workshops and seminars remain a focus for the Singapore Chapter to update members on regulations (e.g. Personal Data Protection, Amendments to the Computer Misuse And Cybersecurity Act) or market and technical developments (e.g. “Anatomy of Targeted Attacks”). A multi-year winner (2014, 2011, 1998) of the K. Wayne Snipes Chapter Award for the very best large Chapter in Asia (established in 1989, the award recognizes ISACA chapters that meet or exceed service goals by actively supporting local members), the Singapore Chapter will co-host and support ISACA International to deliver the next ISACA Global Leaders Meeting (GLS) 2020 next February.

Technology does not stop. In a world where uncertainty is the only constant, ISACA has maintained its relevance to become an organisation synonymous with information systems, controls and audit. The Singapore Chapter, “… a place for meeting of minds, sharing of experiences, promoting thought leadership, and fostering professional growth for all members”, has demonstrated the strength of its platform. It will take similar commitment from its members to ride the waves of innovation in the next 50 years. Indeed, as “The ISACA50 Story” noted, “ISACA’s success has been—and always will be—dependent on the dedication of its people”.

The next 50 years

Much has changed since the moon landing; notably, space flight is no longer a remote possibility for those who can afford it. Compared to the hardware that powered the spacecraft, today’s chips are significantly lighter, orders of magnitude denser and quicker, and power not only desktops but also smartphones, wearables, sensors and much more. The last 50 years saw the standardisation of computing designs (e.g. segregation of “trusted” versus “untrusted”), access controls (e.g. passwords) and policies (e.g. “bring your own device”). Tomorrow, we face a “disappearing perimeter” as interconnectedness rises, we adopt new authentication tools such as biometrics, and we work more with third parties as partnership models emerge. How will standards, practices and policies evolve, and what are the impacts on the audit profession?

From left to right, top to bottom (Singapore Chapter past and current Board of Directors and presidents). Top row, L to R: Yap Lip Keong (Hon. Treasurer), John Chin (past president), Simon Lam (Academic Director), Daryl Pereira (past president), Jenny Tan (Hon. Secretary), Mr Chew Teck Soon (founding past President, ISACA Singapore Chapter), Mr Leonard Ong (past president), Viktor Pozgay (Director, Industry Outreach, Chair GTACS 2019), Peter Gwee Ban Hock (Asst. Hon. Secretary), Ben Tan (Government Outreach Director). Bottom row, L to R: Lance Peng (Hon. Asst. Treasurer), Gaurav Thorat (Director, Marketing), Raymond Tan (Seminar Director), Steven Sim Kok Leong (Vice President), Phoram Mehta (President), John Lim (past president, Workshop Director), Abdul Hamid (past president), Yoong Ee Chuan (past president), John Lee (past President), Sandeep Kothari (past president).

32 | Asia Pacific Security Magazine


National

CS4CA APAC: September 25th - 26th 2019, Singapore (#CS4CA)

Two days of case studies, presentations and focus groups. 100+ Senior Experts • 6+ Networking Hours • 12 CPD Points. www.cs4ca.com/apac


International

How real is the Islamic State threat in India?

By Sebastian Liu

Just weeks after the Sri Lankan bombings, the Islamic State (IS) declared the establishment of a province in India, naming it the ‘Wilayah of Hind’. The announcement followed the killing of a militant, Ishfaq Ahmad Sofi, during a security operation in the Shopian district of Jammu and Kashmir (J&K) earlier that day on May 10. Ishfaq was thought to have been a close associate of the leader of an IS-inspired group known as the Islamic State Jammu and Kashmir (ISJK). Initial signs of an IS presence in the conflict-ridden state were observed in 2016, after the IS flag appeared during several protests. This was followed in 2017 and 2018 by two separate attacks on the state’s security personnel for which IS claimed responsibility, and which resulted in two policemen being killed. These developments have spawned concerns about how real the threat of IS is in India’s northernmost state.

India has been fairly sheltered from the spectre of IS, with the group being linked to only a few low-intensity attacks in recent years. Notably, in 2017, an explosion targeted a passenger train near Jabri railway station in Madhya Pradesh, wounding ten people. The incident was perpetrated by militants with alleged links to IS, though the authorities insisted that the militants were self-radicalised.

Moreover, there is little evidence of IS possessing the operational capability to inflict significant casualties or damage in J&K. The security forces have indicated that the militants involved in the aforementioned 2017 and 2018 attacks on the Kashmiri security forces were merely inspired by IS ideology; this is in line with previous IS attempts at propaganda and is not reflective of the group’s resources and membership in J&K. While IS has issued a somewhat credible claim of responsibility for the April 21 Sri Lanka explosions, the May 10 Indian declaration appears to lack credibility. Compared to the IS proto-state that existed in Iraq and Syria, there is no semblance of such governance and territorial control in Jammu and Kashmir, let alone the rest of the country. Moreover, the Indian security forces have consistently maintained that IS does not have a coherent membership base within J&K. While militancy is rife in the state, IS has not developed affiliations with any of the local Kashmiri separatist groups, which have been waging an insurgency against the Indian government for decades. Unlike in other countries, where IS has used local militant outfits as a springboard for operations, IS has failed to garner a pledge of allegiance from a Kashmiri separatist group. Groups that have done so have been known to adopt a more sectarian disposition and emulate its barbaric antics, such as beheadings. The key differentiator in J&K is that local separatist groups view their cause as a territorial dispute, rather than one based on religion. Accordingly, the differing ideological aims hamper IS’s ability to recruit Islamist militants to its cause. The Indian Muslim community also largely refrains from discussing matters relating to the ongoing insurgency in J&K for fear of being perceived as Pakistani agents, further isolating the recruitment efforts of IS.

The heavy military presence, and frequent security operations against suspected militants in the state, also represent significant obstacles to the organisation of IS in J&K. J&K is one of the most militarised regions in the world, with more than 500,000 security personnel deployed across the state. The security forces possess a robust intelligence capability, and actively monitor social networking sites, mobile phones and surveillance footage to obtain intelligence on militant groups. Legislation, specifically the Armed Forces (Special Powers) Act 1958, grants further overarching powers to members of the security forces, who can arrest individuals without a warrant and use undue force to effect the arrest, including the use of live ammunition. Frequent security operations, including pre-emptive raids targeting suspected militants, also serve to suppress the capabilities of militant groups in the state.

IS may have limited operational capability in the state for now, but it has shown a latent intent to widen its footprint in the country, and across the wider South Asia region. Separatist groups active in J&K tend to conduct attacks with the aim of attaining independence, or of securing the accession of the Muslim-majority state to Pakistan. However, contrary to these aims, IS carries out attacks with more religious undertones and views the whole of India as part of the Khorasan Province; this was included in a 2014 map of its planned caliphate. IS has demonstrated its desire to recruit and expand its presence in the area through its propaganda videos, many of which have featured subtitles in Tamil and Telugu. The territorial defeat of IS in Iraq and Syria has driven the group to shift its attention towards South Asia. For example, IS has already established a capability in Afghanistan, reflecting its pattern of expanding into conflict zones where it is possible to foment radicalism, take advantage of underlying sectarian tensions, exploit security vulnerabilities and recruit from the local Muslim community. The intent to expand its operational presence in South Asia is further evidenced by the recent spate of high-profile announcements and claims of responsibility, including the April 21 Sri Lankan bombings. Local militant groups in Sri Lanka are unlikely to possess the capability or operational expertise to conduct such a sophisticated attack, with many opining that external instruction from IS operatives was likely. Local media outlets have also indicated that a new emir (chief) of Bengal was appointed by IS in late April, amidst threats to carry out attacks in India and Bangladesh.

The May 10 declaration, regardless of the operational capabilities of IS in-country, may have been an attempt to skew the perception of the ongoing Kashmiri insurgency away from its separatist origins and aggravate Muslim-Hindu tensions in the state. Under such circumstances, the disaffected segment of the Muslim-majority population in J&K would provide a conducive recruitment ground for IS. On the other hand, the group’s history of making unsubstantiated claims to capture media attention is well documented. Its grand declaration on May 10 is, more likely than not, an attempt at propaganda, one that requires minimal resources but has the potential to create fear and uncertainty in the region.

About the Author

Sebastian Liu is a Global Threat Analyst for Asia Pacific with Healix International Risk Management Services, a global risk management group headquartered in the United Kingdom.



Cyber Security

What will drive cyber security: Hacking, crime, warfare and/or terrorism?

By Lionel Snell, Editor, NetEvents


At first it seems a logical question: understand the enemy and you will understand the threat. If the threat is cyberwar, then military and armaments organisations are an obvious target. If it is cybercrime, then financial institutions should be concerned. If it is hacktivism, then any company considered malicious by a significant portion of the public should be alert for attacks by campaigners.

But on second thoughts, the scene becomes far more confused. An attack on the national electricity grid could severely compromise military suppliers. One that caused traffic chaos could make it harder for an enemy to mobilise ground forces. Financial companies are already heavily guarded, so it is far easier for criminals to make money by blackmailing hospitals with stolen data. Hacking has always been an irritant, if not a major problem, because the motives can be so arbitrary – maybe an institution was hacked for no other reason than that it claimed to be unhackable? In the case of hacktivism against a broad target like the present government, any attack that disrupts the economy or draws attention to the cause could be an effective weapon when followed by a public announcement. Terrorism is similarly almost impossible to predict because the aim is to do absolutely anything that might invoke public terror – and that makes it highly threatening.

Joel Stradling, Research Director for the analyst company GlobalData, chairing a recent NetEvents session, mentioned a call for half a million heart pacemakers in the US to be recalled because of vulnerability to cyberterrorism. That is a very good example, because any family or group with a heart patient that might drop dead will feel threatened, and that fear generates panic that could spread far and wide. It also raises another key point about cyberterrorism: that the threat can be more effective than the actual attack. Terrorists know that a failed bomb attack can be just as effective as a successful one, because the public starts thinking about all the deaths that might have happened. Terrorist groups have far broader agendas than before, going beyond physically harming civilians.

Ray Ottey, Fellow Cybersecurity Practitioner at Verizon, responding to Joel Stradling, described two distinct areas: cyberwar is really just another weapon in the evolution of war, while cyberterrorism has a different motive: “It's a subset of the wider threat, but it's just coming with a different motive. There's no different toolset, and it's not in some cases different people either. So, it can be the same person during the day being a hacker, or having a normal day job, and by evening a gun to hire”. Attacks may have different political or criminal aims, but the symptoms are the same.

The Internet of Things (IoT) adds a major terrorism threat because it brings what was seen as information war down to physical manifestation – like a compromised pacemaker causing a friend to drop dead. A loss of data is one thing, but if it compromises an entire electricity network or water supply, then you have terror potential. Another factor is that it suddenly extends what has become a pretty well secured IT network by adding a mass of far less secure endpoints previously air-gapped from the Internet. As Roark Pollock, Chief Marketing Officer, Ziften Technologies, put it: “You're trying to protect a network that's very different than your IT infrastructure. From a security standpoint it’s 20 years behind traditional IT. We've integrated those devices into our traditional IT networks, so they become a big part of what you're trying to protect now, as opposed to just trying to protect the underlying data”.

Optiv’s European Director of Strategy and Technology, Andrzej Kawalec, explained: “IoT is going to completely explode it, and it forces us to think about devices again – which is something we've forgotten about for a while. We need to start doing that again… To create physical safety implications on a network, you used to have to have quite specific deep domain capability… the integrated industrial cybercriminal global network allows you to do anything, whether it's malware as a service, ransomware as a service, being attacked by swarms of kettles” – a reference to the story that the UK company Hargreaves Lansdown was attacked by a botnet of smart kettles last year.

Another factor that blurs the boundaries is the way that cybercrime and drug cartels provide funding for terrorism. IT can also be misused for recruitment and propaganda – as it was recently in New Zealand to amplify the impact of an isolated terrorist incident. Kawalec pointed out that cybercrime had overtaken the global illegal drugs trade: “National crime agency in the UK moved drugs off their top three focus areas, and put online fraud and cybercrime on. 
I think there's a lot in there to be unpacked, but I think it's actually about the digital world influencing cyberterrorism, rather than cyberterrorism influencing the digital world”. Kawalec concluded: “If there's anything, it's going to make us focus on the safety component of cybersecurity, rather than the confidentiality, the integrity, the financial impact. It's the human implication of hacking into an autonomous car via the DAB radio to turn the brakes off. Who thought that was going to be a thing, but it is.”

Roark Pollock agreed that the IT fundamentals had not changed as much as the motives for attack. And with IIoT the user is no longer only an office worker with years of PC experience: “As we talk about industrial terrorism we're bringing in a whole new user group. Now you're talking about a user in some industrial facility, managing the safety and reliability of its devices. That person is not used to talking about cybersecurity”.

For Joe Baguley, VMware’s VP and CTO for EMEA: “The biggest problem is IT meeting OT. I’m seeing fundamental failings in basic principles of security when we get to IT and OT”. He gave the example of ubiquitous security cameras: “I found cheap USB ones of which there is no patching model and no way to update them. It's just people missing basic fundamental steps in deploying IoT systems. That will set us up for massive failure in the future”.

Ray Ottey pointed out that security for the new users Pollock mentioned was about physical, not cyber, security: “So that MRI scanning machine, or that nuclear control system, whatever it was, the security around that was all entirely physical – you can't get into it, can't touch it – security badges etc.” He outlined a scenario where the industrial control manager is approached by the new network manager and says: “So you want to try and connect your IT systems to my control system? But you are the guys that gave me that XP laptop riddled with viruses that never really worked, and you're now telling me you want to try and connect to my OT system? Get stuffed!”

Adding a more positive note, Roark Pollock said: “It's taken us 20 odd years to get to today’s security perspective. At least we now have mature frameworks we can start to apply to those industrial control networks, whether the NIST framework, or any other framework”. Hopefully we can implement these existing frameworks a lot quicker than it took to develop them.

Joe Baguley returned to the prevention theme and the principles of cyber hygiene that are so blindingly obvious to people in the security industry, but not to others: “Things like least privilege, micro segmentation, and encryption. Encryption 10 years ago was a horrible thing, because it was hard. Now it's really easy and it's not a burden on processors, so let's just do it everywhere. Multifactor authentication: Tesla owners are crying out for multifactor authentication on their cars – even Tesla aren't applying it now – and patching. 
People are deploying stuff and not thinking about the ongoing lifecycle management”.

Questions from the floor brought the discussion back to the specific issue of cyber terrorism, when the panel was trying more to focus on general prevention. Joe Baguley referred to the Spectre processor issues: “How long had certain nation states known that those vulnerabilities were there, and kept it to themselves, before the wider world found out? You know, it's those kind of things that are actually more worrying… We're looking again at how do you build a layer on top of that, that almost abstracts you from that threat?”

Andrzej Kawalec said the whole issue is even more blurred when several cybercriminal gangs share malware using an existing vulnerability hijacked through another service to some industrial ecosystem. Hence the need to focus on the continuous hunting and analysis of threats: “You need to go back to what you can control best.” Baguley agreed that there can be too much trying to anticipate what the next big threat is going to be, rather than just going back to base and how the system is built and made rock solid.

For Ray Ottey part of the problem is that people often do not even know they are under attack: “A process running a bit longer every day, because it's doing something else. A machine occasionally pinging some other machine, which isn't necessarily out of the ordinary… and many organisations don't know what their normal is”.

Roark Pollock had the final word in what was a great debate session. He suggested a gaming approach to security training: “These companies need to create some sort of cyber range, where they can play red team, blue team, and train their people how to respond when something does occur. Because it's too late once it happens”.

The transcript of the entire discussion is available at: https://www.netevents.org/wp-content/uploads/2019/01/Debate-ICyberSecurity-GlobalData-final.pdf
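Ottey’s closing point, that many organisations do not know what their normal is, is the premise of baseline anomaly detection. The following is an added example written for this page, not code from the panel or any vendor quoted above: it learns a per-host, per-process runtime baseline from a constructed log, flags later days whose runtime drifts beyond a robust median/MAD threshold (the “process running a bit longer every day”), and separately flags host-to-host connections never seen during the learning window (the “machine occasionally pinging some other machine”). The log entries, host names, 14-day window and 3.5 cut-off are assumptions for illustration.

```python
"""Baseline-deviation checks over constructed process-runtime and
connection logs. Added example for this page, not the panel's own code."""
from collections import defaultdict
from statistics import median

# Constructed sample data: (day, host, process, runtime_seconds).
# Days 1-14 are the learning window; from day 15 the backup job on db01
# starts taking longer every day.
RUNTIME_LOG = [(d, "db01", "backup.sh", 610 + (d % 3) * 5) for d in range(1, 15)]
RUNTIME_LOG += [(15, "db01", "backup.sh", 640),
                (16, "db01", "backup.sh", 690),
                (17, "db01", "backup.sh", 760)]

# Constructed sample data: (day, src_host, dst_host). db01 never talked
# to web02 before day 16.
CONN_LOG = [(d, "web01", "db01") for d in range(1, 18)]
CONN_LOG += [(d, "web01", "cache01") for d in range(1, 18)]
CONN_LOG += [(16, "db01", "web02"), (17, "db01", "web02")]

BASELINE_DAYS = 14   # learning window; assumed, tune per environment
Z_THRESHOLD = 3.5    # robust z-score cut-off (Iglewicz-Hoaglin rule of thumb)
MAD_FLOOR = 1.0      # seconds; avoids division by zero on perfectly regular jobs


def runtime_baseline(log, baseline_days=BASELINE_DAYS):
    """Return {(host, process): (median, MAD)} learned from the window."""
    samples = defaultdict(list)
    for day, host, proc, secs in log:
        if day <= baseline_days:
            samples[(host, proc)].append(secs)
    baseline = {}
    for key, values in samples.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[key] = (med, max(mad, MAD_FLOOR))
    return baseline


def robust_z(value, med, mad):
    """Modified z-score; 0.6745 scales MAD to a standard-deviation equivalent."""
    return 0.6745 * (value - med) / mad


def runtime_anomalies(log, baseline_days=BASELINE_DAYS, threshold=Z_THRESHOLD):
    """Post-window runs whose runtime deviates beyond the threshold.
    Returns [(day, host, process, runtime, z)]; z is None for a job that
    never appeared in the learning window (itself worth a look)."""
    baseline = runtime_baseline(log, baseline_days)
    findings = []
    for day, host, proc, secs in log:
        if day <= baseline_days:
            continue
        if (host, proc) not in baseline:
            findings.append((day, host, proc, secs, None))
            continue
        med, mad = baseline[(host, proc)]
        z = robust_z(secs, med, mad)
        if abs(z) >= threshold:
            findings.append((day, host, proc, secs, round(z, 2)))
    return findings


def new_peers(log, baseline_days=BASELINE_DAYS):
    """Post-window connections between hosts that never talked during the
    window. Returns [(first_day, src, dst)] without duplicates."""
    known = {(s, d) for day, s, d in log if day <= baseline_days}
    seen, findings = set(), []
    for day, s, d in log:
        if day > baseline_days and (s, d) not in known and (s, d) not in seen:
            seen.add((s, d))
            findings.append((day, s, d))
    return findings


if __name__ == "__main__":
    for f in runtime_anomalies(RUNTIME_LOG):
        print("runtime drift:", f)
    for f in new_peers(CONN_LOG):
        print("new peer:", f)
```

Day 15 (640 s) stays under the cut-off while days 16 and 17 trip it, which is the behaviour you want from a slow drift: a fixed threshold on the raw value would either miss it or fire on ordinary jitter. The median/MAD pair is used instead of mean/standard deviation so that one outlier in the learning window does not inflate the baseline.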



The importance of strong cyber security ahead of the new financial year

By Simon Eid, Area Vice President, Australia and New Zealand

The threat landscape is constantly evolving, and businesses are coming to understand that no-one is immune to a cyber-attack. To best prepare for a potential attack, businesses need to be aware of the risks and ensure cyber security is ingrained in day-to-day operations. With a number of high-profile breaches over the years showing the range of industries being targeted and the different attack techniques in use, there is no question that cyber-attacks pose a serious risk to businesses of all sizes. The compromise of private data can cause significant financial losses and legal consequences, as well as breaching the trust of customers and causing reputational damage. With the beginning of another financial year soon upon us, now is the perfect time to reassess the security posture of your business, by focusing on the key areas of technology, people and processes to ensure that threats can be handled in an efficient and economical manner.

Adapt technology to meet future trends

Improving security operations is something that should be done regularly in order to keep up with the constantly evolving technological landscape. As disruptive trends continue to develop, new cyber security solutions will need to be adopted to keep pace. Businesses should be using security tools that leverage artificial intelligence (AI) to identify known and unknown threats, allowing them to investigate and respond faster by processing large volumes of data to detect malicious activity. This streamlines investigations and lets employees focus on optimising processes instead of wading through unnecessary data.

The right employees for the job

While AI is playing an important role in modern defences by providing actionable and predictive insights quickly, having skilled employees able to delve deeper into analytics is still incredibly important. In the recent State of Dark Data research from Splunk, 82 per cent of respondents say that humans are and always will be at the heart of AI, which will generally augment opportunities rather than replace people altogether. It’s crucial then that the right employees have the skills and confidence to tackle ongoing threats, which could mean recruiting specialists to help bolster specific areas of your strategy, or providing the opportunity to upskill existing staff so that they’re armed with the tools they need to be effective. Education allows for pre-emptive action and raises security awareness overall.

Strong processes, strong defence

By identifying vulnerabilities in your network, you’ll be able to work towards implementing stronger processes that will result in a stronger defence against cyber threats. A solid cyber security strategy can prove to be an important pillar for any business that wants to ensure it is continually assessing risks and making thoughtful changes to its processes so that it stays prepared. Key to this is having systems in place that reduce the time to detect malicious threats in your environment, allowing you to respond quickly and appropriately with automated actions and workflows. Having visibility across the network is incredibly important to identify any gaps in your organisation’s security posture that could be exploited by malicious threat actors searching for vulnerabilities.

The end of the financial year can be a stressful time for many, but it’s also a time to investigate the things that have been working for your business, and the elements that can be improved. To avoid becoming a victim of cyber threats, businesses need to instil a strong culture of guidance and improvement when it comes to security. This means focusing on adapting to modern technology, educating staff and ensuring a strong foundation of processes. With these in place, the next financial year isn’t going to be nearly as daunting as it could be.




Who is really responsible for cloud security?

Discussions about cyber security used to be dominated by horror stories of recent hacks and technological promises to never let it happen again. A recent debate suggested that things are becoming more interesting – and maybe more scary.

By Lionel Snell, Editor, NetEvents

At a recent NetEvents EMEA Press Spotlight the question was raised about security in the cloud, and where final responsibility lies. Analyst Rik Turner from Ovum was surprised how many people were not aware of the “Shared Responsibility Model” summarising three different ways of consuming cloud services – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) – and the relative responsibilities of the customer and the cloud supplier – see diagram. In IaaS, for example, Amazon Web Services (AWS) takes care of all the grey bits, from Virtualization down to Networking. But above that it is the customer’s responsibility. “You are not going to get any money back from them if you are breached because you didn’t secure those layers above,” said Rik Turner. Similarly, for PaaS you are responsible for security in the top two layers. “If anything goes wrong with any of that, AWS would have to refund some money, or whatever”. The shared security model is clearly very important for any enterprise migrating to the cloud: the enterprise will have to take care of security in all the red bits. So these are the very parts provided for by security vendors to the enterprise.

The joy, and the temptation, of SaaS is that it is so easy to buy without IT even needing to be involved. Hence the threat of shadow IT, and the rise of Cloud Access Security Brokers (CASB) as the initial response. Since then the CASBs have mostly been acquired by larger security companies with broader portfolios.

IaaS and PaaS are more complicated for the enterprise, because the customer has broader responsibility and there is more use of containers, microservices or serverless services, each with its own format. It is a progression: VMs remove the dependence on physical servers; containers spare the spinning up of new VMs; and serverless means you can forget these and just specify the functions to be supported – with a 70-80 percent saving in infrastructure costs. As a consequence, we are hearing more about Cloud Workload Protection Platforms – blocking and remediating attacks, and restarting the workload somewhere else – and Cloud Security Posture Management (CSPM), which is essentially a compliance function. It is so easy now to spin up a Virtual Machine (VM) that CSPM monitors and manages the spread of VMs to ensure compliance with company policies. According to Turner these two worlds should ultimately converge, because CSPM is starting to move in the direction of remediation, rather than simply alerting: “It gets a little bit more difficult with containers, in as much as you are starting to see smaller packages of code.” Things become more ephemeral with serverless: “the life of a piece of code that’s running in a serverless environment may be a matter of milliseconds. How do I secure that?” His suggestion is that we are moving towards a DevSecOps world, where the developers become responsible for embedding the security: “not a traditional developer concern”.

Some people who struggle with security use the cloud as a fall-back. That was the opinion of Jan Guldentops, Director, BA Test Labs: “We’re going to outsource to the cloud as it’s all secure and all the problems are gone. That’s the first misconception I see all the time. We are going to the cloud just to be able to secure”. Is that really so? Others, like Peter Galvin, Chief Strategy and Marketing Officer, nCipher Security, disagree and say the main cloud driver is not security, but agility and reducing spending on data centres. The real problem is companies migrating ASAP to a fast-evolving cloud without upgrading their thinking: what used to be best practice is now actually wrong.

A recent Verizon Data Breach Investigations Report reported a doubling of the number of nation-state level attacks against small businesses, in a world where every single cloud-connected device is now a potentially vulnerable endpoint. So Aaron Turner, CEO & Co-Founder, Hotshot Technologies, suggested a need to rethink the risks to the perimeter: “how’s the average small business going to defend themselves against a nation-state adversary?” Hence his company’s emphasis on “a new solution that helps those least sophisticated people protect themselves from the most sophisticated adversaries”.

Perhaps it is necessary to think less about trust and more about verification? Philip Griffiths, Head of EMEA Partnerships, NetFoundry, gave the example of “a three-letter government agency” his company works with, and their very severe verification standards: “To access applications on the cloud, they have to show five points of trust. 
They have to have a client on their laptop, they enter a password onto that laptop, they are wearing a watch with unspoofable hardware, they put their thumb on that watch to give biometric proof of trust and that watch also measures their EKG, so it can’t all be done under duress.” How secure is that? Guldentops reminded us: “If the prize on the end of the hack is big enough – somebody will come up with something”. Griffiths hit back with: “If you’re harder and more expensive to hack, people find another victim. It’s about having better shoes to run faster than other people when the bear comes along.” That may be true, but for many people the point of IT is to enable business and make it easier. Complications on that scale could drive us back to pencil and paper, except that Griffiths followed up with a very different counter-example: “But at the other end of the scale, you can literally go on to our website, download a couple of endpoints, deploy into your cloud and, in five minutes, create a network. One of our customers connected seven AWS data centres in two hours the other day, while doing another job, that implements multiple layers of security by design. So that you take away many of these threat vectors such as DDoS, man-in-the-middle et cetera”.

Another company that focuses on providing good security for less sophisticated users is Hotshot Technologies. Aaron Turner, the company’s CEO and Founder, claimed: “We try to make it so that a family or a small business can deploy nation-state level protections in 30 seconds or less… so easy to use and so intuitive that you get that protection built in”.

One counter argument says that, however well thought out the security solution, it is only as good as the way it is applied: “The problem is when it gets to the customer, they often make a mockery of what you’re trying to do by adding bells and whistles. Like having a beautiful car designed for minimum wind resistance, and people put a roof rack on it.” Atchison Frazer, Versa Networks’ Worldwide Head of Marketing, sees this as a key argument for more automation: “Capital One has a thousand sites. They use digital labour delivered by Versa. It’s all automated. We have the NSS labs, we’re the only SD-WAN vendor that scored in the top vector of NSS labs rating. At some point, you have to automate as many of these functions as you can, be able to reprogram as needed and set those policies and have complete visibility on-premise through the cloud and back.” But even with automation we cannot get away from the reality of human error or malicious intent, according to Jan Guldentops: “People will stay stupid… It’s a brave new world and we’ll have to learn to live with it”. That may not be the best mental approach when planning security strategy, but as a warning, it should never be forgotten.

The full transcript of this session is available now.

Asia Pacific Security Magazine | 41


Cyber Security

Dr Ng Eng Hen, Minister for Defence, touring the USS William P. Lawrence (DDG 110). The guided-missile destroyer USS William P. Lawrence (DDG 110), with embarked MH-60R helicopter, joined the static displays at Singapore’s Changi Naval Base and the multilateral exercises hosted by the Republic of Singapore Navy (RSN). Photo Credit: IMDEX ASIA 2019.

Cyber threats on the high seas By Jane Lo APSM Correspondent


From wire-guided torpedoes, anti-air warfare sensors and dipping sonar to high-power microwaves that disable the outboard motors of hostile vessels, it is the communication systems behind these capabilities that provide the decisive advantage in military operations on the high seas. Communication systems (including the Internet and telecommunications), together with computers, embedded processors and controllers, form the interdependent network that makes up cyberspace, widely acknowledged as the fifth domain of warfare coexisting with the traditional four: land, sea, air and space. Defending this cyberspace, used for synchronising, storing, coordinating and protecting information, is therefore critical to the success of the military’s mission, not unlike in the commercial sector. However, the threat actors targeting military cyber assets are typically state-sponsored. The treasure trove of extremely sensitive information is without doubt a favoured target, both for causing impactful conflict and disruption and for gathering and compromising intelligence. One case reported in Singapore was a 2017 attack on a system used at military premises, which resulted in the theft of the personal data of about 850 national servicemen and Ministry of Defence employees.

“Traditional threats (land, maritime and air-based) continue to persist, with increasing volume of maritime traffic and emergent threat of transnational maritime terrorism, piracy and sea robberies. Technological advancements and digitisation have also led to cyber-related threats, prompting military strategies to integrate technologies to manage both traditional and digital threats”, said Mr Leck Chet Lam (Managing Director, Experia Events Pte Ltd) at IMDEX Asia 2019, the Asia-Pacific’s biennial maritime defence event for naval and maritime stakeholders (14th–16th May 2019, Changi Exhibition Centre).

The twin considerations of innovation and security were reflected in the IMDEX Asia 2019 International Maritime Security Conference business forums, “Cybersecurity in the Maritime Domain” and “Innovation in the Maritime Domain”. One example of the increasingly parallel conversations surrounding these two themes is land-based autonomous vehicles. Many technological advances are being observed, and at the same time the implications for security, safety, privacy and ethics are well publicised. Unmanned vessels face similar debates, but the goals of threat actors and the maturity of threats across these four components (security, safety, privacy and ethics) differ.

Very often, attacks on the onboard communication systems of vessels involve some form of GPS jamming. Systems are also manipulated to affect navigation routes. Though threat scenarios are not as dramatic as the film Speed 2, where a hacker sent a cruise liner onto a collision course with an oil tanker, the absence of encryption and authentication in the Automatic Identification System (AIS) protocol has been exploited to spoof positional data, make vessels appear to disappear, or even cause denial of service. These incidents underscore the importance of secured communication systems on autonomous vessels, which are necessarily equipped with a sensor package of AIS, navigation radar and differential GPS.

Yet attacks on military assets deployed on the high seas are rare. Known attacks target the onshore communication systems, such as the 2016 case of a stolen laptop that led to the leak of personal information of current and former US sailors. However, as the forces of innovation intensify the volume of information exchanged between shore and sea, securing the expansive and congested communications network against intrusion is more and more critical to the military’s mission success. This means understanding and prioritising what to defend. As John Lee, Senior Manager, Information Security and CERT Ops, Wärtsilä Maritime Cyber Center of Excellence, noted at the “Cybersecurity in the Maritime Domain” forum, “we live in an uncertain world and due to the need for connectivity, we put ourselves at risk. We need to understand who is assessing us and who is looking at our assets”.
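The AIS weakness mentioned above can be seen directly in the message format. The following Python example is added here as an illustration; it is not code from the article, from IMDEX or from any vendor named on this page. It builds an AIS type 1 position report in the public ITU-R M.1371 bit layout (6-bit ASCII armoring inside an NMEA 0183 AIVDM sentence), decodes it, and then re-emits the same vessel at a position of the attacker’s choosing. The only integrity check in the sentence is an XOR checksum, which anyone can recompute, so the receiver has nothing in the message itself to distinguish the forged report from the genuine one. The last function is the kind of receiver-side plausibility check a practitioner would add (the speed implied by two consecutive reports). The vessel, its MMSI 563012345, the positions and the timings are constructed for the example.

```python
import math
import re

# Added example (not from the article or any vendor): AIS type 1 position report in
# the public ITU-R M.1371 bit layout, carried in an NMEA 0183 AIVDM sentence.
# The vessel (MMSI 563012345), positions and timings below are constructed.

AIVDM_RE = re.compile(r"^!(AIVD[MO],\d,\d,\d*,[AB12]?,([^,*]+),\d)\*([0-9A-F]{2})$")


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '!' and '*', as two uppercase hex digits.
    An error-detection code, not a MAC: anyone can recompute it."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def build_sentence(payload: str, fill_bits: int = 0, channel: str = "A") -> str:
    body = f"AIVDM,1,1,,{channel},{payload},{fill_bits}"
    return f"!{body}*{nmea_checksum(body)}"


def parse_sentence(sentence: str) -> str:
    """Validate framing and checksum; return the armored payload."""
    m = AIVDM_RE.match(sentence)
    if not m:
        raise ValueError("malformed AIVDM sentence")
    if nmea_checksum(m.group(1)) != m.group(3):
        raise ValueError("checksum mismatch")
    return m.group(2)


def armor(bits: str) -> str:
    """Pack a bit string (multiple of 6) into AIS 6-bit ASCII."""
    return "".join(chr(v + 48 if v < 40 else v + 56)
                   for v in (int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)))


def dearmor(payload: str) -> str:
    """Unpack AIS 6-bit ASCII ('0'-'W', '`'-'w') back into a bit string."""
    out = []
    for ch in payload:
        code = ord(ch)
        if 48 <= code <= 87:
            out.append(f"{code - 48:06b}")
        elif 96 <= code <= 119:
            out.append(f"{code - 56:06b}")
        else:
            raise ValueError(f"invalid armor character {ch!r}")
    return "".join(out)


def to_signed(value: int, width: int) -> str:
    return f"{value & ((1 << width) - 1):0{width}b}"


def from_signed(bits: str) -> int:
    v = int(bits, 2)
    return v - (1 << len(bits)) if bits[0] == "1" else v


def encode_position_report(mmsi, lat, lon, sog_knots=0.0, cog_deg=0.0,
                           heading=511, nav_status=0) -> str:
    """Type 1 position report: 168 bits, lat/lon in 1/10000 minute."""
    bits = (f"{1:06b}" + "00" + f"{mmsi:030b}" + f"{nav_status:04b}"
            + to_signed(-128, 8)                     # rate of turn: not available
            + f"{round(sog_knots * 10):010b}" + "1"  # SOG in 0.1 kn, accuracy high
            + to_signed(round(lon * 600000), 28)
            + to_signed(round(lat * 600000), 27)
            + f"{round(cog_deg * 10):012b}" + f"{heading:09b}"
            + f"{60:06b}" + "00" + "000" + "0"       # timestamp n/a, manoeuvre, spare, RAIM
            + f"{0:019b}")                           # radio status
    assert len(bits) == 168
    return armor(bits)


def decode_position_report(payload: str) -> dict:
    bits = dearmor(payload)
    if int(bits[0:6], 2) != 1:
        raise ValueError("not a type 1 position report")
    return {"mmsi": int(bits[8:38], 2), "nav_status": int(bits[38:42], 2),
            "sog_knots": int(bits[50:60], 2) / 10,
            "lon": from_signed(bits[61:89]) / 600000,
            "lat": from_signed(bits[89:116]) / 600000,
            "cog_deg": int(bits[116:128], 2) / 10, "heading": int(bits[128:137], 2)}


def spoof_position(sentence: str, lat: float, lon: float) -> str:
    """Replay a captured report with a new position. There is no signature or
    MAC, so only the plain checksum is recomputed; a receiver cannot tell."""
    r = decode_position_report(parse_sentence(sentence))
    return build_sentence(encode_position_report(
        r["mmsi"], lat, lon, r["sog_knots"], r["cog_deg"], r["heading"], r["nav_status"]))


def implied_speed_knots(a: dict, b: dict, seconds: float) -> float:
    """Receiver-side plausibility check: great-circle speed needed to move
    between two consecutive reports. A hull cannot do thousands of knots."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    nm = 2 * 3440.065 * math.asin(math.sqrt(h))  # mean Earth radius in nautical miles
    return nm / (seconds / 3600)


if __name__ == "__main__":
    genuine = build_sentence(encode_position_report(563012345, 1.25, 103.82, 12.5, 271.3, 270))
    forged = spoof_position(genuine, 1.10, 103.70)  # same MMSI, about 11 nm away
    a, b = (decode_position_report(parse_sentence(s)) for s in (genuine, forged))
    print(genuine, forged, f"implied speed: {implied_speed_knots(a, b, 10):.0f} kn", sep="\n")
```

Both sentences pass `parse_sentence`, because the checksum is the only thing a receiver can verify from the message alone. Detecting the forgery therefore has to come from outside the protocol: the implied-speed check above, correlation against radar or other sensors, or a future authenticated AIS. Note that the spoofed message cannot be distinguished by MMSI either, since the MMSI is just another unauthenticated field.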



Cyber Security

By Chris Cubbage EDITOR

INTERPOL WORLD 2019 Editor Insights & Takeaways

Attending INTERPOL World in Singapore as media partners, it was clear at the outset that this event is a needed opportunity to maintain a strong focus on ‘thought leadership’ in international law enforcement. With 194 member countries and 82 countries represented, INTERPOL World consisted of 32 labs exploring how law enforcement should face contemporary challenges. The three-day event ran four working groups: the Chief Innovation Officers Group, Darknet and Cryptocurrency, the Drone Expert Forum and Artificial Intelligence (AI) for Law Enforcement. After a brief announcement by a OneBerry robot, the President of INTERPOL, Kim Jong Yang, opened the event with an emphasis on the societal trends impacting the policing role, highlighting social media, terrorism, illicit funding and cybercrime, and how policing worldwide is grappling with preparing for a future yet unknown, asking: “Are we ready and are we ready for the next disruption?” Jürgen Stock, Secretary General of INTERPOL, emphasised that even annual predictions are failing to keep up with the pace of change. The required reaction time to trends is plummeting, and reaction itself is no longer enough. He said, “We must see, anticipate and prepare. No single police force or country will ever face a challenge alone.” Responding to emerging threats, including the malicious use of robots and drones, Stock closed by stating that the three key areas needing to be addressed are the speed of legislative response, overcoming jurisdictional boundaries and building trust. Mrs Josephine Teo, Singapore’s Minister for Manpower and Second Minister for Home Affairs, briefed the opening ceremony on Changi Airport’s anticipated growth from 220,000 passengers per day to 500,000. The Government plans to implement a ‘contactless clearance system’ involving biometric iris and facial scanning. This is part of a three-tier strategy to solve crime rapidly through technology: biometrics, data analytics and digital forensics.


The amount of data, despite often being of low quality, provides strong insight and ultimately the possibility of predictive policing. A Dutch ‘City Pulse’ project is monitoring the tone of people’s voices to highlight potential trouble spots, similar in application to the gunshot sensors used in the United States. Policing has leapt into the digital frontier, and extracting data from digital devices is now the next challenge. Police will need to ensure evidence can be captured before criminals destroy digital evidence or use it to hide their identity, acknowledging that criminals are always looking for the next exploit. INTERPOL has worked closely with the United Nations Interregional Crime and Justice Research Institute (UNICRI) on the joint “Artificial Intelligence and Robotics for Law Enforcement” report, which describes new threats related to their malicious use. INTERPOL is also in the process of creating Drone Response and Forensic Guidelines, which will offer police and other first responders standard procedures for handling this type of technology to preserve and source evidence and minimise harm. One leading project by the Singapore Police is SkyARC, or Sky Aerial Response Command, exploring autonomous technologies with drones and robotics, and a concept that will operationalise drones (UAVs) as the first police vehicle to arrive on the scene. Mrs Teo said, “Crime and terrorism are increasingly borderless and inventive. If we are to win this fight, we must support each other and become better together. Among other things, this would involve law enforcement agencies sharing information much more quickly and pooling resources to coordinate transnational responses. The ASEAN Cyber Capability Desk (or ASEAN Desk for short) within the INTERPOL Global Complex for Innovation (IGCI) was officially launched in July 2018. Currently staffed by seconded officers from Brunei and Singapore, the Desk drives ASEAN-centric operations to build capacity and enhance threat-related intelligence on cybercrime within ASEAN. Singapore also supports the INTERPOL Regional Counter-Terrorism Node (RCTN) initiative, with a seconded officer to the RCTN Asia and South Pacific, also housed in the IGCI.

2nd Australian Delegation Luncheon

MySecurity Media and INTERPOL World hosted the 2nd Australian Delegation Luncheon as a successful networking opportunity, to share Australia’s efforts in combating cybercrime, and to coordinate a tour of the INTERPOL World exhibition showcase. Doug Witschi, Assistant Director, Strategic Innovation, INTERPOL, and Superintendent Brad Marden, Australian Federal Police, gave presentations on their respective roles and the Australian law enforcement frameworks for cybercrime. Thanks again to INTERPOL and the INTERPOL World team for helping us organise the event, and to Kaspersky and BeyondTrust for supporting it. Stay tuned for the podcast series now in production, with the following interviews:

Mr Walter Lee, Evangelist & Government Relations Leader, Global Safety Division, NEC Corporation
Dr John Coyne, Senior Analyst, Australian Strategic Policy Institute
Mr Anton Shingarev, VP for Public Affairs, Kaspersky
Ms Brooke Tapsall, CEO of DroneALERT
Mr Fuji Foo, VP of Business Digitalisation, Certis CISCO Singapore



Cyber Security

Education Hack

Jane Lo APSM Correspondent


Opened in April 2019, Changi Airport’s new Jewel complex epitomises how technology and design are inextricably linked in creating and executing a vision of tomorrow’s city that inspires and awes, with its 40-metre-high indoor waterfall (reportedly the tallest in the world) and its use of pioneering automated check-in and baggage-handling innovations. Technology and design, though both common in everyday contexts, could not be further apart in their social meanings: while both involve measurement and calculation, the former is based on hard science and precise engineering to make things work, the latter on proportion and appearance, to push physical limits and social conventions with the aim of imparting a vision. Often thought of as separate fields of specialisation, they are combined in the multi-disciplinary approach of SUTD (Singapore University of Technology and Design), which is unique and reflects its vision of how these two elements will influence the ways we work, live and play in the future. We hear more from SUTD’s 10th Anniversary celebration and its FIRST (Fostering Industrial Research Success Together) Industry Workshop, the platform to foster collaborative research success by convening relevant high-level stakeholders from industry, academia and the Government while showcasing relevant SUTD graduate-level research capabilities.

“In an environment where technology is advancing rapidly, the world is more globally connected than ever, and the boundaries between disciplines are blurring, or they may not even exist”, said Mr Ong (Minister for Education) at SUTD’s 10th Year Anniversary celebration on 10th July 2019, “SUTD is unique to equip students with the right skills.” Prof Yeo Kiat Seng (Associate Provost, Research & International Relations, SUTD) explained: “by 2050, 50% of the traditional universities may disappear due to the powerful forces such as technology, urbanization, economics, politics and demographics. Hence, universities of the future need to play an active role to equip our talents with the skillsets to continuously learn and quickly assimilate knowledge, and to solve cross disciplinary problems.”



He added, “technical specializations and skillsets are still relevant, but the future manpower will need soft skills such as creative thinking and problem solving, and social and emotional skills, as well as the appetite for lifelong learning. This requires a strong foundation that cuts across a variety of disciplines coupled with a human-centric and a design-centric education”. Indeed, with blockchain, cloud and other technologies of Industry 4.0 powering tomorrow’s societies, organisations are self-disrupting their business models, and non-incumbents are seizing opportunities as barriers to entry tumble. In this wave of disruption, which is also sweeping across the education sector (coding skills are introduced in early education; the ethical hacking skills of high-school students are cultivated at hackathons), SUTD’s unique emphasis on technology and design innovation emerged from a collaborative effort with the Massachusetts Institute of Technology (MIT) and Zhejiang University in China. SUTD’s emphasis on development beyond book knowledge to soft skills fosters a growth mindset of continuous learning and entrepreneurship. What is more, “rather than organize around traditional stores of knowledge production in departments, colleges, or schools, SUTD has created an agile and fluid network that pulls performers from the academic units,” said Prof Yeo. The results, leveraging both technology and design, are practical applications evident on campus and on the streets of Singapore: Scropio, a search-and-rescue robot that operates in remote-controlled and autonomous modes; the SUTD ring, which uses near-field communication to grant users access to campus facilities; and the Zodiac lantern structures that decorate Chinatown during Chinese New Year.

“All these give but a small glimpse of the larger whole of our journey, what we hold dear, our vision to nurture a new breed of innovators, makers, inventors, designers, architects and entrepreneurs”, said Mr Lee Tzu Yang, Chairman of the SUTD Board of Trustees. Its industry collaborations with M1 and the SSIA (Singapore Semiconductor Industry Association) to advance research in 5G and AI-enabled electronic IC design are examples of what Prof Fitzgerald (CEO & Director, SMART, MIT’s research enterprise in Singapore) at SUTD’s FIRST Industry Workshop referred to as “working together to make things for everyone”. In this philosophy, instead of the pre-industrial “pie is finite” view, we are in a post-industrial age driven by “productivity, growth, economics” in which the “pie can grow” and “innovation is a societal activity” involving “real-world interactions”. Set up only in 2009, SUTD, as the Minister for Education noted, “marks a turning point in the development of the university landscape here, when we begin to have universities with distinctive offerings and niche strengths.” Ranked the fifth most influential scientific research institution in telecommunications by Clarivate Analytics, it was the only non-US institution to make the top 10 list, ahead of Princeton University and Carnegie Mellon University. This achievement within a short span of 10 years is impressive, and its efficiency and effectiveness in overturning traditional educational approaches is no less than a “hack”.

From left: SUTD founding chairman Philip Ng, SUTD Chairman Lee Tzu Yang, Minister for Education Ong Ye Kung, SUTD President Professor Chong Tow Chong and SUTD President Emeritus Professor Thomas Magnanti launching the commemoration “Tree”, which was wheeled in by the robot Momo. Photo Credit: SUTD

SUTD FIRST INDUSTRY WORKSHOP 2019 Keynote Speaker – Prof Eugene A. Fitzgerald, CEO & Director, SMART, MIT’s Research Enterprise in Singapore. “Innovation: A Collaborative, Societal Process” Photo Credit: SUTD

Yeo Kiat Seng (right), SUTD associate provost for research and international relations, and Denis Seek, chief technical officer of M1, signed the memorandum of understanding for the research partnership at the SUTD FIRST Industry Workshop 2019. Photo Credit: SUTD

SUTD FIRST INDUSTRY WORKSHOP 2019 Panel Discussion: Singapore 4.0: Research, Innovation and Enterprise for Humanity. What does Singapore need to succeed in the 4th Industrial Revolution?
Moderator: Mr Julian Matius
Mr Atsushi Kawai, Managing Director, CM Engineering Co, Japan
Mr Bryan Ong, Senior Manager, Corporate Strategy, Kulicke & Soffa Pte Ltd
Ms Jane Lo, Correspondent, MySecurity Media
Dr Karen Chong, Director (Engineering Cluster), Science & Engineering Research Council (SERC), A*STAR
Professor Lim Sun Sun, Head of Humanities, Arts & Social Sciences, SUTD
Photo Credit: SUTD





NSW–India Cyber Security Exchange. A joint initiative between the NSW Department of Industry and the Optus Macquarie University Cyber Security Hub.



