Asia Pacific Security Magazine, July/Aug 2018 by MySecurity Marketplace

THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com July/August 2018

Securing your digital transformation: BlackBerry workspaces financial services case study Governance, technology audits, control and security (GTACS) 2018 Conference Redflow’s revolution

Hostile vehicle attacks DroneGun sales in Middle East Ready for Take-off: Australia’s Airport Security Review The state of the security union

$8.95 INC. GST

PLUS

Techtime

2018 #SecurityAwards Call for Nominations g By

Anna Ho, Marketing and Communications Officer, Australian Security Industry Association Limited (ASIAL)

he vital role performed by Australia’s private security industry will be recognised later this year at a special awards ceremony in Sydney organised by ASIAL. The 2018 Australian Security Industry Awards for Excellence and Outstanding Security Performance Awards will recognise excellence in the security industry. Nominations are open to all and provide an opportunity to recognise individuals, including frontline security personnel who have gone beyond what could reasonably expected of them in providing a level of service that exceeds client’s expectations. Likewise, organisations and teams who have demonstrated leadership and innovation will also be recognised. Judging of the awards will be undertaken by an independent panel of judges, that includes Damian McMeekin, Managing Director of CT Intelligence & Insight; John Adams, Editor, Security Electronics and Networks Magazine; John Curtis, Director, IPP Consulting Pty Ltd; Michael Walker, Senior Manager, Security Services, Facilities Management, Reserve Bank of Australia; Rachell DeLuca, Senior Security Consultant, ARUP and Vlado

Damjanovski, CCTV Expert Specialist and MD, ViDi Labs. Nominations open 1 July and close 31 August. Winners will be presented at a special awards ceremony to be held at Sydney’s Doltone House Hyde Park on Thursday 18 October 2018.

2018 AWARD CATEGORIES INCLUDE: • Individual Achievement – General • Individual Achievement – Technical • Gender Diversity • Indigenous Employment • Special Security Event or Project – Under $500,000 – Over $500,000 • Integrated Security Solution – Under $500,000 – Over $500,000 • Product of the Year – Alarm – Access Control – CCTV – Camera – CCTV – IP System/Solution – Communication /Transmission System

– Physical security (bollard, gate, barrier, lock)

AWARD CATEGORIES INCLUDE: • Outstanding In-house Security Manager/ Director • Outstanding Contract Security Manager/ Director • Outstanding Security Team • Outstanding Security Training Initiative • Outstanding Security Partnership • Outstanding Security Officer • Outstanding Female Security Professional • Outstanding Guarding Company • Outstanding Security Consultant • Outstanding Security Installer • Outstanding Information Security Company For more detailed information on the award nomination criteria and process visit www.asial.com.au/ securityawards2018

RECOGNISING EXCELLENCE

#securityawards Organised by:

2018

AUSTRALIAN

Security Industry The Australian Security Awards Ceremony & Dinner The night is an opportunity to celebrate excellence and innovation in the security industry, and network with likeminded security professionals. www.asial.com.au/securityawards2018 Date: Thursday 18 October 2018 | Venue: Sydneyâ&#x20AC;&#x2122;s Doltone House Hyde Park Entertainment Sponsor:

2018

Lead Dinner Sponsor:

09 - 10 July

•

Conrad Hong Kong Hotel

ENRICH. ENABLE. EXCEL. At (ISC)2 Security Congress APAC 2018, you’ll get to engage with over 400 security-minded individuals, discover solutions to the latest cybersecurity threats, and gain insight from international industry experts.

2 Days 6 Tracks 35+ Sessions

40+ Speakers

if e

Tracks Include:

n sA rmy K

Keynote Speakers:

Cloud Security

Critical Infrastructure

Emerging Technologies & Security

Governance, Risk & Compliance

Professional Development

Security Operations

Jason Pun, Assistant Government Chief Information Officer (Cyber Security & Digital Identity), OGCIO, HKSAR

Hon. Charles Mok, JP Legislative Councillor (IT) HKSAR

Dr. Kevin Charest, CISSP Chairperson, Board of Directors, (ISC)²

Enjoy 10% off with the code: M18MSEC Standard Price: US$ 432

Dr. Frank Law, CISSP Senior Superintendent of Police, Cyber Security & Technology Crime Bureau, Hong Kong Police Force, HKSAR

5% additional discount for group purchase.

For inquiries: (852) 2850 6953 securitycongressapac@isc2.org Supported by

In Partnership with

Gold Sponsors

Platinum Sponsors

Silver Sponsor

Technical Workshop Sponsor

REAQTA

25 – 27 JULY 2018

ASIAL SECURITY CONFERENCE

SECURING INNOVATION MELBOURNE CONVENTION + EXHIBITION CENTRE The 2018 Security Exhibition + Conference: Powered by ingenuity and invention, showcases the latest technology and cutting edge thinking. From physical and electronic solutions, to biometrics and cyber security. Australia’s largest security event offers three days of business networking and intelligence sharing. Take a first-hand look at what’s next for the security environment including intelligence on managing threats and identifying risks.

Your annual opportunity to receive fundamental updates from the organisations shaping todays security landscape.

HEADLINE SPEAKERS Dr Lisa Warren Clinical/Forensic Psychologist and Founder of Code Black Threat Philip Dimitriu Director of Systems Engineering, Australia and New Zealand, Palo Alto Networks Arye Kasten Chief Executive Officer, M.I.P Security

Danny Baade Head of Security, Gold Coast 2018 Commonwealth Games Corporation Commander Geoffrey Smith Tasmania Police

INNOVATIONS AND INVENTIONS Discover new products from 300 leading Australian and international brands including:

Jim Fidler Director, Secure Events & Assets P/L

CELEBRATE YOUR INDUSTRY David Crompton-Guard Business Continuity Manager Safety, Security & Resilience, Metro Trains

Make new connections and celebrate with colleagues at the ultimate networking evening – the Security Gala Dinner, held in partnership with ASIAL. For a less formal option, continue meaningful business conversations at the Networking Drinks.

BOOK NOW TO AVOID DISAPPOINTMENT Conference Passes, Gala Dinner and other networking event tickets are available to purchase

EXHIBITION HOURS

CONFERENCE HOURS

Wed 25 July 9:30am–5:00pm

Wed 25 July 9:00am–5:00pm

Thurs 26 July 9:30am–5:00pm

Thurs 26 July 9:00am–3:30pm

Fri 27 July 9:30am–3:30pm

Fri 27 July 9:00am–3:30pm

Principal Sponsor:

Lead Industry Partner:

T + 61 3 9261 4500 E securityexpo@divcom.net.au #security2018 secexpo

FREE EXHIBITION REGISTRATION – securityexpo.com.au

@Security_Expo Security Exhibition & Conference

Contents Editor's Desk 7 Frontline Top tax tips for security employees Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij Correspondents Jane Lo

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au SUBSCRIPTIONS

www.australiansecuritymagazine.com.au/subscribe/ Copyright ÂŠ 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US www.facebook.com/apsmagazine

Securing your digital transformation

Anti-drone devices sold to a middle Eastern Country

Social harms of human sex trafficking

Murder through Whatsapp

GTACS 2018 Conference

Redflow's Revolution

Hostile Vehicle attacks

Page 30 - Hostile Vehicle attacks

Cyber Security Ready for take-off

Much more to do in support of locking down

IoT - Securing the conected world

This is cyber, so what is cyber?

The AV system done it

Digital Forensics 101

Encryption headaches

The state of the security union

A Cyber week in London - Part 1

A new race - Artificial intelligence and human convergence

Moving the dial - The relationship between user and machine

TechTime - the latest news and products

Book review

Page 36 - IoT - Securing the

connected world

Page 46 - Digital Forensics 101

@AustCyberSecMag

OUR NETWORK

www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors www.australiancybersecuritymagazine.com.au

Page 56 - A new race

www.asiapacificsecuritymagazine.com

Jane Lo

Mark Chapman

John Coyne

www.aseantechsec.com

www.drasticnews.com

Also with Bennet Ring Konrad Buczynski Joseph Wentzel Michael Warnock Sarosh Bana Samantha Kane

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

Rob Newby www.cctvbuyersguide.com

6 | Asia Pacific Security Magazine

Annu Singh

Simon Pollak

Stephan Rachow

Page 60 - Moving the dial

Editor's Desk "espionage and foreign interference activity against Australian interest is occurring at an unprecedented scale… the grim reality is that there are more foreign intelligence officers today than during the Cold War and they have more ways of attacking us—that is, there are more vectors, and the cybervector is a good example” - D. Lewis, Australian Security Intelligence Organisation, Australian Senate, Legal and Constitutional Affairs Legislation Committee, Thursday, 24 May 2018

he unpredictability continues as part of the theatrics around the North Korean peace process. Seemingly, the claimed successful leader’s meeting in Singapore, between Donald Trump and Kim Jun Un has been followed by a visit by US Secretary of State Mike Pompeo. Like treading on egg shells, Pompeo offered a relatively positive assessment of his meetings, however North Korea's Foreign Ministry said in a statement the US betrayed the spirit of the Leader’s summit by making "unilateral and gangster-like" demands on the complete, verifiable and irreversible denuclearisation of North Korea. The statement stated the outcome of the follow-up talks was "very concerning" because it has led to a "dangerous phase that might rattle our willingness for denuclearisation that had been firm." As if to script, the situation remains uncertain. Geopolitically, the Korean peninsula is an apparent distraction to the militarisation of the South China Sea. Having just returned from Singapore, like Australia, there is disquiet about China and the influence it is having in the region. The perception is China is impacting Singapore with investments made elsewhere, such as port and trade development in Thailand. We were in Singapore for the inaugural Cyber Risk Meetup and discussion centred on the impact of Singapore’s Cyber Security Act, along with the key regional trends being observed. Ian Yip, APAC CTO at McAfee, Ricardo Gonçalves, APAC Head of Security Intelligence at Barclays Group and Prashant Haldankar, Co-founder at Privasec gave particular guidance on what all businesses need to be doing, particularly given the third party risks that supply chains carry in cyber environments – it is not just the big end of town taking the threat seriously – the larger enterprises are now making their suppliers accountable. Also, an extra warning to cryptocurrency traders to take special care with

crypto-currencies and exchanges under sustained and sophisticated attack. Ian Yip also gave details on the McAfee Threat Report, June 2018 and the scale involved, with McAfee receiving 51 billion queries per day concerning device security. Singapore Correspondent Jane Lo reports on the ASEAN Ministerial Conference on Cybersecurity, as part of the Singapore International Cyber Week 2016 (SICW). Cybersecurity is a “team sport” with that being the theme that Mr David Koh highlighted, requiring close partnerships among all involved, including governments in the region and industry partners in the private sector. The Act also establishes a “light-touch licensing framework for cybersecurity service providers. Cybersecurity service providers often have significant access into their clients’ sensitive computer systems and networks. Such services, if abused, can compromise and disrupt the clients’ operations.” Likewise in Australia, we attended the opening of Perth’s Joint Cyber Security Centre ( JCSC), Australia’s fourth, as part of the Turnbull Government’s $47 million JCSC program. Launched by the Attorney-General, Christian Porter, the JCSC offers critical support to Australia’s business community, particularly the West’s vast energy and resource sector. Designed in collaboration with key industry partners, the centre brings together cyber security experts from sectors including mining, agriculture, natural resources, the defence industry and infrastructure. These experts share information on the latest cyber threats and security challenges and focus on supporting Australia’s national cyber security capabilities. However, Christian Porter confirmed in our podcast that Australia is not considering a similar legislative regime to license cybersecurity providers to Critical Infrastructure. Kane Samantha provides a confronting article on the prevalence of human sex trafficking in

the Asia-Pacific region, with 3 in every 1,000 inhabitants involved, while global figures are only 1.8 in every 1,000 inhabitants. Countries in this region are experiencing rapid socio-economic changes as an outcome of globalisation which is resulting increased migration. Human sex trafficking in the Asia Pacific region is therefore a concern for Australia’s national security. Trafficked women from the Asia-Pacific have been identified in Sydney, Melbourne, Canberra, Perth, and Darwin. These trafficking networks are breaching Australian borders, supporting transnational crime, and creating social harms. Sarosh Bana, from Mumbai reports on India’s Ministry of Electronics and Information Technology (MEITY) petition to WhatsApp to do what it can to check rumour-mongering and hoax messages on its platform. The Facebook-owned messaging service has agreed to devise means for preventing the spread of posts in the country where social media has facilitated internet trolls, spammers and troublemakers to reign supreme, sowing incendiary posts to online communities with the intention to provoke and intimidate. For our podcast interviews, we highlight our interview with Ian Yip of McAfee, AG Christian Porter and insights courtesy of BlackBerry’s Workspaces financial case study and Davcor Group’s CyberLock. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Sincerely, Chris Cubbage CPP, CISA, RSecP, GAICD Executive Editor

Asia Pacific Security Magazine | 7

E TUN IN ! NOW

www.australiancybersecuritymagazine.com.au 8 | Asia Pacific Security Magazine

PODCAST HIGHLIGHT EPISODES

Episode 73 – Tech convergence - Drones, 3D printing & payloads – Nigel Brown, Autonomous Technology Nigel Brown, Director of Autonomous Technology provides insights into running a certified drone operation, with a particular focus on the mining and resources sector in Western Australia. As a recent client of Konica Minolta’s 3D printing technology, Nigel Brown provides discussion on the application of 3D printed parts and payloads and how the application of fast-developing 3D printer systems provides new business opportunities with developing smaller and lighter payloads.

Episode 71 – Tech-crime & international policing 2.0 Europol's former executive director Rob Wainwright Technology has transformed a whole range of different crimes and new avenues for terrorists to explore, including exploitation of social media platforms, as seen by the Islamic State. We are always racing against criminals to a certain extent but have great potential on the policing side. Rob Wainwright, former Executive Director at Europol, gave an earlier presentation at Cebit Australia. His presentation, ‘Data – the new oil in the network economy fighting crime and terrorism’, highlighted a different age to come. Rob termed this ‘International Policing 2.0’, along with the AI race with crime, security by design and privacy by design.

Episode 69 – Moving the dial: Measuring the relationship between the user and their activity on a machine: Interview with Jeff Paine, CEO & Founder, ResponSight Jeff Paine, CEO and Founder of ResponSight, a three year old Australian startup that elevates enterprises away from focusing on technology alone, discusses the link between the technology and user. Statistical and telemetry based, ResonSight has a lightweight footprint in its risk analytics and risk profiling outcomes that help enterprises make decisions. Chris and Jeff talk about the three key components, the ResponSight Collector, ResponSight Aggregator and ResponSight Cloud Service, each working in conjunction. By combining large volumes of raw numerical telemetry and selected metrics, it’s possible to build activity and behaviour profiles about users and their devices, without ever knowing who that user is or what that device is. This also provides the ability to profile the organisation's risk at a point in time, and over time. The design philosophy is to not collect private or sensitive data. There isn’t a need for rich and potentially sensitive data for security.

Episode 67 – Tech & terrorists, drones & devices – insights from australia’s leading terrorism researcher – Professor Clive Williams, ANU Professor Clive Williams, Centre for Security and Military Law at the Australian National University has been a staple provider of research into national security and counter terrorism for many years. Professor Williams provides current insight into terrorism activity in the Asia Pacific, including the Marawi seige in 2017 where 1,000 insurgents were killed, and provides a chilling warning which rang true about Islamic State fighters returning to their homeland and posing a threat. Bombings in Surabaya, Indonesia two weeks (13 May) after this warning proved him correct.

Episode 62 – Austcyber's knowledge priorities - interview with Mike Bareja, Program Manager National Network In this interview, Morry Morgan speaks with Mike Bareja, Program Manager National Network at AustCyber - The Australian Cyber Security Growth Network Ltd following his presentation at CIVSEC 2018 in Melbourne. Mike outlines AustCyber’s Cyber Security Sector Competitiveness Plan and the 5 DARPA Grand Challenges or Knowledge Priorities, where resources and attention are focused on: · Emerging prevention, detection and response technologies; · dentity, authentication and authorisation in the cyber domain; · Ensuring security, privacy, trust and ethical use of emerging technologies and services; and · Approaches to deal with the increasingly ‘shared’ responsibility of cyber security. Funding of $15M over 4 years is available for industry-led, collaborative projects that address the key issues from the Industry Knowledge Priorities. Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 60 – The fundamentals of operating a secure cloud, Rupert Taylor-Price, CEO of Vault Systems In this interview, Chris Cubbage talks to Rupert Taylor-Price, Founder and CEO of Vault Systems, an Australian-owned, sovereign cloud provider, for highly protected data, purpose built for the Australian government. Created to enable multiple departments share cyber security infrastructure, Vault Systems have moved into a mainstream government cloud platform, in part by the 2014 cloud-first initiative. Since then, Vault, which was founded by Rupert, has smashed expectations, and recently secured the biggest cloud deal in the history of the Australian government.

www.australiancybersecuritymagazine.com.au Asia Pacific Security Magazine | 9

Cyber Security

Asia Pacific Security Magazine | 11

Frontline

Top tax tips for security employees

W Mark Chapman Director of Tax Communications at H&R Block

ith the end of the financial year rapidly approaching, it won’t be long before its time to lodge your income tax return for 2017/18. To get the best possible tax outcome, it’s essential that you understand what you can – and what you can’t – claim against your taxes, so here’s my checklist of the deductions all workers in the security industry should be considering claiming this tax year. Remember this list isn’t exhaustive and not all the deductions will apply to everyone. Similarly, you may be entitled to some deductions that aren’t listed here. Make sure you get professional help from a tax agent like H&R Block to ensure that you’re getting your return right! Travel and meals You can’t normally claim the cost of the daily commute to and from work. The only exception to that rule is if you have to carry bulky tools or equipment to and from work and there is no secure place of storage for them at your work.

12 | Asia Pacific Security Magazine

Travel between home and work does not become deductible just because you may be on call at inconvenient hours, or work shifts. You can claim the cost of travelling between two different work sites for one employer or between two different employers. If you plan to use your own car for work purposes, you can either claim a set rate of 66 cents per kilometre for all work journeys or you can claim the actual expenses incurred. If you choose the latter, you’ll need to keep receipts for all costs and also keep a logbook of all your journeys for a 12 week period. If you are required to stay away from home overnight because of your job – for instance, you are hired to provide security at an event staged interstate – you can claim a deduction for the costs of travel, accommodation and incidental costs. You can claim overtime meal expenses as long as you receive a genuine overtime meal allowance from your employer and you aren’t reimbursed by your employer.

Frontline

“If you work outdoors, you can claim the cost of sun protection gear such as sunglasses, hats and sunscreen.” extent that the course relates to you current employment and you’re not being reimbursed. You can also claim associated costs such as text books, travel to the educational institution and stationary. You can't claim a deduction for a pre-vocational course such as training to become a licensed security officer Guard dogs If you are required by your employer to provide your own guard dog, you can claim a deduction for any associated costs such as food and vet bills. It should go without saying that the dog needs to be suitable for the task and should not be the family pet! The actual cost of the dog itself, as well as any training expenses, can be depreciated over the expected life of the animal. Other deductions They may not be as significant in dollar terms as some of the items listed above, but make sure you claim the following: • Any work-related subscriptions or membership fees • Magazines, journals, books, apps or websites which are related to your work • The cost of using your personal mobile phone for workrelated purposes • Equipment hire You can’t claim the cost of obtaining a security license, but you can claim any costs associated with renewing this license. Gym memberships Work-related clothing You can claim a deduction for buying and laundering any clothing that you’re required to wear as a uniform to work. Unfortunately, you can't claim a deduction for the cost of purchasing or cleaning a plain uniform (such as a pair of black pants and a white shirt) or other items of conventional clothing you wear to work, even if your employer tells you to wear them and even if the clothing is oversized and used to conceal protective vests or weapons. If you work outdoors, you can claim the cost of sun protection gear such as sunglasses, hats and sunscreen. You can claim a deduction for any items of clothing you wear to protect yourself from the risk of illness or injury in your job. Work-related training You can claim expenses for university or TAFE fees to the

You job might require you to be in peak physical health but sadly that doesn’t mean that you can claim the costs of gym membership or other fitness costs. The ATO takes a hard line on gym memberships, saying that they are only claimable where the person claiming them needs to have a level of fitness well above normal. Professional sportspeople and some defence force members (such as members of the SAS) are quoted by the ATO as an example of who can make a claim. Security employees sadly don’t qualify. Remember to keep records! Even if you’ve incurred any of the above expenses, the golden rule is that you can’t make a claim unless you can prove you spent the money (and also that you weren’t reimbursed by your employer). So, make sure you keep all relevant receipts, invoices, bank statements and credit card statements. If you’re not sure if you can make a claim, keep the receipt anyway and discuss it with your tax agent.

Asia Pacific Security Magazine | 13

Frontline

Securing your digital transformation : Financial Services Case Study using BlackBerry Workspaces By Chris Cubbage Executive Editor

14 | Asia Pacific Security Magazine

he enterprise security landscape has shifted, with organisations now required to manage a network of endpoints which are both physical and digital. Physical devices such as smartphones, tablets, wearables and sensors, are transmitting huge amounts of data through messaging, files, voice, video and texts. CIOs are faced with managing increasingly complex environments as a result, and their responsibilities for data integrity are mounting. This is what BlackBerry calls the ‘Enterprise of Things; (EoT), These connected ‘things’ have transformed how we work, deliver goods and services and solve problems, but they also leave companies vulnerable to breaches. To face the fundamental challenge, companies need enterprise communication and collaboration software and safetycertified embedded solutions that will keep data safe, but also embrace new technologies for better outcomes. This includes improving workflows by using secure connected things, allowing workplaces to blend across physical and virtual locations so staff work from anywhere, and extending your workforce to included trusted contractors and partners.

BlackBerry, traditionally well known as a hardware company, with strengths in security, has transitioned to a cybersecurity software company that secures all end-points and also provides enterprise cybersecurity services. True to its core, the company has remained strong in security, but now applies that to every layer of an enterprise and any IoT device, protecting against threats to apps, data, devices, networks, processes and autonomous systems. For customers in sectors such as government healthcare, manufacturing, finance and automotive, this approach has been critical in mitigating against risks of cyberthreats and data breaches. Speaking at BlackBerry’s inaugural security event in Sydney, Carl Wiese, President of Global Sales at BlackBerry outlines, “Our strategy has been to design BlackBerry Secure solutions and services to anticipate trends impacting hyperconnected organisations. As well as software that secures all endpoints, we offer dedicated cybersecurity teams to help companies address new regulatory laws or mitigate threats to their data, whether it’s a hacker or member of staff.

Courtesy of BlackBerry Secure World 2018

Patersons Securities: Financial Services Case Study Patersons Securities, is a BlackBerry client, and in its goal to become more agile, error free and secure, is moving to a paperless workplace and one that is completely digital. With 10 offices across the country and in operation for 115 years, Patersons Securities is one of Australia’s largest domestically-owned wealth management and corporate finance organisations. The financial services firm prides itself on its accountability, transparency, and expertise. With such a long time in the market, the company remains on the lookout for tactics to improve security, enhance organisational efficiency, and deliver better services to clients. “We’ve got over 13 billion dollars under management and advisors at offices all over the country,” explains Darren Michael, Chief Information Officer at Patersons Securities. “Collaboration is a significant portion of what we do, and we’re always looking for ways to do it better.” Darren Michael highlights, “The CIO role is now very much about being a business enabler. Because IT and technology is so much a part of what everyone does, it needs to be invisable. It needs to just happen and work. What Patersons Securities has been trying to do is to improve the experience of clients and staff and make IT as seamless as possible.” One of the largest lines of business for Patersons Securities is its corporate finance team, which handles corporate actions such as initial share offerings. This is an incredibly collaborative process, and one which requires sharing a great deal of documentation between the firm, investors, and organisations. It’s also a process subject to strict regulatory guidelines. BlackBerry’s Workspaces, a secure collaboration in a cloud solution was deployed to allow internal documentation to be shared without requiring the creation of a massive email chain. This has made generating documentation for corporate actions more efficient. “We used to create an email with attachments to be sent to an advisor,” Darren Micheal said. “Then that email was sent as an attachment which went out to the clients, with more attachments tacked on. It was really ugly, and very inefficient. Now we can simply send them a link to a file or repository, and we know when they’ve accessed it.” The consequences of a data breach, whether it’s a hacker or a careless ‘insider’ mistake, could cost the organisation millions in financial losses and reputation. If a firm does not have control of its files and visibility into where sensitive information is located, even a minor breach can cause devastating reputational damage. Beyond Australian regulations, including the Notifiable Data Breaches framework, requiring breach disclosure by organisations that are covered by the Privacy Act, the company must also contend with regulations such as the European General Data Protection Regulation (GDPR) and guidelines established by the Australian Securities and Investments Commission (ASIC). Regulatory compliance is not the only reason data security is important to the firm. In the financial services industry, trust is the most critical commodity of all, particularly in the broadening wake of the Australian Royal Commission into the

This is what BlackBerry calls the ‘Enterprise of Things; (EoT), These connected ‘things’ have transformed how we work, deliver goods and services and solve problems, but they also leave companies vulnerable to breaches.”

Nigel Thompson, Vice President of Product Design at BlackBerry

Asia Pacific Security Magazine | 15

Courtesy of BlackBerry Secure World 2018

Other Sectors

Darren Michael, CIO of Patersons Securities with Nigel Thompson, VP Product Design, BlackBerry

banking and financial services industry. To ensure Patersons Securities retains the trust of its clients and partners, as well as take opportunities to capture new customers, the company must be able to prove it has done its absolute best to secure and protect both its data and infrastructure. Darren Michael explains, “The integration of BlackBerry Workspaces has helped us move towards our paperless vision, allowing us to trace, track and audit digital documents and information shared among staff and clients. This empowers our mobile employees to remain productive while ensuring a high level of data confidentiality in a complex regulatory environment. More importantly, it has resulted in great cost savings and improved overall efficiency across the board.” Patersons Securities will use BlackBerry Workspaces as part of its employee onboarding process, connecting it with DocuSign. It will also integrate BlackBerry Workspaces with both SharePoint and a workflow engine that will automatically populate sensitive documents into a Workspaces repository. “Ultimately, what we want is to reduce paper use as much as possible,” says Michael. “We’re always looking for technology that helps with automation. Tax reporting, new client onboarding, financial reports … we want to make all of that digital. BlackBerry Workspaces is helping us achieve that.” The firm’s board members in particular have taken to the solution quite well, according to Michael. “They enjoy that they can annotate the documents they receive for board meetings, and it’s made the job of the executive team’s PA much simpler,” says Michael. “There’s no longer any need to compile different documents from different people. Everyone can be sent a link to the papers, and we’ll know who’s received them and who hasn’t.” Staff at Patersons Securities have also been able to integrate BlackBerry Workspaces into their workflows with minimal training. Alongside the solution’s other features, this contributed a great deal to widespread acceptance at the firm. To learn more about how Patersons Securities Ltd used BlackBerry Workspaces, click here for the full case study Visit https://www.blackberry.com/content/dam/blackberrycom/Documents/pdf/case-studies/asia-pacific/en/cspatersons-securities.pdf

16 | Asia Pacific Security Magazine

Fujitsu, Australian Projects (APRO), Origin IT and Anderson Morgan are also partnering with BlackBerry to help organisations in healthcare, finance, government and other industries to secure endpoints, drive productivity through secure collaboration and offer cybersecurity expertise to address IT skills gaps. The members of BlackBerry’s Enterprise Partner Program have welcomed access to unique resources available to help companies in the region address communication, security and workflow challenges. BlackBerry offers programs such as the Crisis Communications Specialisation with BlackBerry AtHoc, to help maintain business continuity when an incident occurs. Also available is the BlackBerry SHIELD Advisor Program offering access to BlackBerry’s mobile security framework and IT risk assessment tools to help customers manage endpoints, guard against threats and make better security decisions. Nathan Grant, Head of Platform Sales at Fujitsu says, “As workforces continue to digitise in Australia, the security of our customers is a high priority. At Fujitsu, we are focused on solving business challenges, and we are pleased to partner with BlackBerry to offer secure software that helps customers remove barriers to truly take advantage of the opportunities that digital transformation offers. Bjarke Porsbro-Pedersen, CEO for Anderson Morgan, APAC says, “As the fourth wave of digital disruption breaks on Australian shores, our partnership with BlackBerry is delivering security outcomes that allows organisations to get on with their business. This partnership has been forged with BlackBerry’s 30 plus years of security heritage and Anderson Morgan’s expertise in region to ensure we meet our customers’ needs today, with an eye on the future when delivering a solution. BlackBerry Partner Program The BlackBerry Enterprise Partner Program is designed to help partners navigate the ever-changing mobile business environment through secure mobile business solutions for their people, processes and data. It helps partners gain new competencies and capabilities that will enable them to meet and exceed market demand, by ensuring partners are well equipped to successfully design, architect, implement and support BlackBerry solutions. For more information on the BlackBerry Enterprise Partner Program, please visit http://us.BlackBerry.com

Frontline

Asia Pacific Security Magazine | 17

Frontline

70 Australian-made DroneGun Tactical anti-drone devices sold to middle Eastern Country By Bennett Ring ASM Correspondent

18 | Asia Pacific Security Magazine

ustralian company DroneShield has just announced one of the biggest anti-drone technology sales in Australia’s history, with the purchase of 70 DroneGun Tactical weapons to a middle-Eastern Country. While the company isn’t able to divulge which country the sales have been made to, we had a chance to interview the company’s CEO and MD, Oleg Vornik, to discuss the deal. The total value of the sales exceeds AU$3.2 million, making it the largest of its type in the Australian defence sector. DroneShield has been developing the DroneGun Tactical and its underlying technology for over five years, and 70 units of the DroneGun Tactical will be deployed soon to the unnamed country. This is the largest deal for the company to date, which is currently targeting approximately 50 countries for sales of its products. QLD Police DG MKII - Comm Games - AAP ImageThe DroneGun Tactical uses a similar design to a standard rifle, using a default stock, handgrip and trigger configuration, making it simple to train soldiers familiar with traditional weapons. It would have been possible to use a simple box and button style design, but DroneShield decided to use a more traditional layout to simplify training. Included in the deal is on-the-ground training of the system by DroneShield staff. Weighing just 6.5kg including twin Lithium-Ion batteries and with a range of up to 1km, the DroneGun Tactical uses jamming technology to disable

consumer-level drones, known as a “soft-kill device”, unlike the destructive technologies used by other anti-drone technologies on the market. Destructive defence devices currently include lasers, ballistic weapons and shockwavetechnology. The DroneGun Tactical can jam devices across multiple RF band simultaneously, including 433MHz, 915MHz, 2.4GHz and 5.8GHz, and will immediately disable video feedback to the operator. It can also use optional GNSS disruption, blocking both GPS and GLONASS navigation systems. According to Mr Vornik, the jamming nature of the DroneGun gives it a distinct advantage over other technologies, as it means that each disabled drone can be retrieved and analysed. There’s also the risk of collateral damage when using destructive anti-drone technologies, especially if the drone is equipped with explosives. As a result, Mr Vornik believes these reasons proved to be a competitive advantage for DroneShield when compared to competing tenders for the deal. The DroneGun Tactical is designed to target consumer drones, as these affordable devices are now being used in a variety of roles that require active-defence measures, not only by the military, but also by private corporations. The use of these drones is primarily in counter-surveillance, but Mr Vornik also delved into other nefarious measures where today’s drones can prove to be a threat. “A drone like a DJI

Frontline

Weighing just 6.5kg including twin Lithium-Ion batteries and with a range of up to 1km, the DroneGun Tactical uses jamming technology to disable consumer-level drones, known as a “softkill device”

Phantom can easily carry two 40mm grenades, each weighing a quarter of a kilogram, which it can then deploy. It’s not going to destroy a building, but it can kill several people and cause a distraction. They can also be used to carry toxins and dirty bombs, where you don’t necessarily need a large volume”. Commercial operators are also at risk, even if the drones aren’t modified at all. “At airports they can be sucked into aircraft engines, potentially blowing up the engine and bringing the aircraft down. They can also drop into the cooling stack of a power station, shutting down the station and leading to months of repairs.” Recent uses of consumer drones in such attacks include the Israeli interception of an Iranian drone, reports of Yemen’s Houthi faction to attack a Saudi Aramco facility and a recent attempted attack on the Saudi Arabian Abha international airport. DroneShield has focused on jamming technologies rather than taking control of the hostile drone device, as the huge range of encryption protocols and frequencies currently used by various consumer drones makes the latter a much harder task. While it is possible to develop anti-drone technology to do so, they’re very limited in their scope. This is because methods that take control of the drone can only handle particular models, but they require knowledge of the specific signature of each drone type. This is easily combatted by rogue drone operators by altering the drone’s firmware or

operating system. This is not the first time the DroneGun technology has been employed, with its recent use at both the Commonwealth Games and the ASEAN leader’s conference in Sydney. Before being employed at these events, the DroneShield technology underwent substantial evaluation by the Australian Military. Mr Vornik believes the most recent sale puts DroneShield at the “…forefront of the industry, and is likely to have a substantial positive effect on DroneShield’s corporate discussions with larger industry players”. As well as offering the mobile DroneGun device, DroneShield also sells two installation based devices that are automated and designed to cover a much larger area. The first is the DroneSentinel, which uses a modular, multi-sensor solution that can cover ranges of up to 5km. The second is DroneSentry, which adds anti-drone technology to knock out incoming threats and which can handle swarm attacks of multiple drone devices simultaneously. Both systems use a combination of radar, radio frequency, acoustic and thermal detection to detect incoming unauthorised drones, which are then passed to the operator via an easy-to-use GUI-based system. While deliveries of the DroneGun tactical are imminent, the sale is currently subject to approval by a U.S. regulator overseeing defence exports. However, DroneShield expects to receive this approval within the next two months using the established U.S. defence sale approval process.

Asia Pacific Security Magazine | 19

Cover Feature

Social harms of human

SEX TRAFFICKING By Samantha Kane

20 | Asia Pacific Security Magazine

uman sex trafficking is a growing and significant social issue that affects 27 million people each year resulting in a $150 billion criminal industry. A 2012 report by the United Nations Office on Drugs and Crime (UNODC) highlights it is among the third top revenue source for organized crime, after narcotics and weapons. Human trafficking is now a complex, multi-faceted, and transnational criminal issue involving corruption, human rights abuses, economics, and migration factors. As well as a cause and consequence of gender inequality with 80 percent of victims being female. This crime causes social harms such as the objectification of the human body, commodification of sexual activity, and promotion of prostitution as a form of violence against women. The prevalence of human sex trafficking in the AsiaPacific region higher than in other areas with 3 in every 1,000 inhabitants, compared with global figures of 1.8 in every 1,000 inhabitants. Countries in this region are experiencing rapid socio-economic changes as an outcome of globalization which is resulting in increased illegitimate migration.

Illegitimate migration in this region is often financially supported by terrorist organisations, and international border vulnerabilities are being exploited by a range of human trafficking participants. Human sex trafficking in the Asia Pacific region is a concern for Australiaâ&#x20AC;&#x2122;s national security. These trafficking networks are breaching Australian borders, supporting transnational crime, and creating social harms. The covert and illegal nature of trafficking, unwillingness of victims to testify, lack of government and non-government agency co-operation, and other factors have inhibited the accurate assessment of the scale of the problem in Australia. Moreover, most trafficking victims in Australia travelled from Southeast Asia by aircraft, passing through customs with the aid of a tourist visa. Trafficked women from the Asia-Pacific region have been identified in Sydney, Melbourne, Canberra, Perth, and Darwin. As such human sex trafficking is an issue that should be addressed, and counter measures implemented to protect both Australia and trafficked victims.

Cover Feature

and mental abuse, drug dependency, and poor socioeconomic conditions. In poorer regions such as Indonesia and Cambodia females are not issued birth certificates or other legal identification. Therefore, they have an inability to secure legal employment, and women often lack education within these countries for other work. As such, they cannot recognise the common signs of trafficking schemes and therefore fall victim to obvious falsehoods. Traffickers use social media to communicate with and recruit victims, public profiles on sites including Facebook are used as a prime tool for traffickers to approach their victims. These sites take the labor out of trafficking as they can track and gain the trust of the victim from their computer screen. These sites and apps also give an illusion of anonymity that encourages careless digital security practices. Thus, making it easier for traffickers to track, coerce and blackmail their victims. Retainment of Slaves

Capturing their slaves - Attraction In the Asia-Pacific region traffickers recruit victims using false narratives through many shell agencies. Traffickers initially become familiar and gain their victims trust, eventually leading to false promises of well-payed employment, residency documents in more prosperous countries, however in some cases violence can be used. Human sex traffickers are most commonly men, however a 2012 UN report revealed that 30% of convicted human traffickers were female in Southeast Asia. Some women operate independently however victims often become involved in the recruiting process, they are forced or there is a reward or financial agreement by the agent (pimp). These “proxy recruiters” through trust communicate a promise of a “better life” to new victims in the destination countries; “happy trafficking.” Thus, reducing the risk for the ringleader and increasing profits. The main targets of human sex traffickers are women, particularly those who have previous experiences of physical

Retainment of human sex slaves is made easier due to social factors within the environment in which they are recruited, often retained through perceptions. Figures from Transparency International 2011 indicate that victims tend to come from countries where the public sector is perceived to be highly corrupt, as measured by the Corruption Perception Index. Victims are afraid to report crimes, and if they do can be prosecuted in some countries, instilling a fear of authority, thereby making it difficult for victims to break the cycle through legitimate means, especially those with drug and alcohol dependencies. As such there is a high degree of shame felt by victims, with many feeling they deserve their circumstances. Traffickers also exploit different other methods to ensure compliance, including physical restraint, violence, holding passports, instilling a fear of the police, or enforcing drug addiction. These victims are particularly vulnerable to debt bondage, where they “work” to repay debt to traffickers who often impose high interest rates. However, in some cases traffickers build a strong bond with the victims, claiming they “love” and “need” them, therefore making it tougher for the victims to break the hold the perpetrator has on them. While nation states have signed international conventions to fight human sex trafficking, many countries still lack relevant domestic laws and do little to enforce conventions, or do little to prosecute. This can include passive negligence by officials of ignoring what is taking place and not implementing measures to protect trafficked victims. Or it can be in the form of more serious corruption, where they receive sexual benefits from victims for helping the traffickers to get across borders and providing documents. Thus, making human sex trafficking a low risk-high profit enterprise in this region as victims will be unlikely to report the offence in these areas. Nevertheless, accounts from trafficked women indicate that many travelled willingly to work in the Australian sex industry, yet find themselves trapped in conditions of debt bondage and sexual servitude upon arrival. However, they do not perceive themselves as victims. Instead they are enamoured with the benefits of their situation, and see it

Asia Pacific Security Magazine | 21

Frontline

as an intelligible choice made by individuals in response to social, economic, and political realities. Countermeasures To effectively counter human sex trafficking the root causes need to be treated as opposed to the symptoms. This issue must be engaged as a multifaceted problem, so that the effects extend beyond the traffickers and victims to broader social, political, and economic changes across the Asia-Pacific Region. Such as implementing a prevention, preparedness, response, and recovery model approach. Human security is a practical people-centered policy framework to establish multi-actor local committee for overseeing the implementation and mobilization of local resources, and the establishment of monitoring and reporting mechanisms, and establishing ownership of the socioeconomic harms. Australia and other prosperous countries within the Asia-Pacific must strengthen cooperation on law enforcement, investigations, and intelligence-sharing. As well as help with aid and tackle corruption to build the regions legitimate business opportunities, so that illegitimate avenues such as sex trafficking are not utilized. These networks already exist through counterterrorism initiatives, therefore in a just world, should be extended to the human sex trafficking sphere. Another countermeasure that should be implemented throughout the Asia-Pacific and Australia is the empowering girls through education. Counter-narratives should be created to discredit the “opportunities” offered by traffickers. It should also be ensured that young girls and women know how to vett people offering opportunities abroad to prevent forced sex servitude. An anti-trafficking policy should be established to help promote awareness among members of the public of how individual factors may indicate a victim of trafficking. Apps such as TraffickCam exist to report trafficking and compare travellers room images against a database of images to locate a victim’s possible location. Due to many of these trafficking organizations being funded and utilized by terror organizations, the national security intelligence and law enforcement community needs to respond to this issue and focus the current terror movement laws, as well as frame new ones for human sex trafficking that are equal in enforcement. Moreover, the long-term protection of victims has also been neglected such as access to shelter, social assistance, legal matters, employment assistance, job training, and the right to claim asylum. Economic and social harms need be addressed such as tackling corruption and human rights, ensuring respect for the rights of women, ensuring industrial development, and establishing safe and legal migration channels in the underdeveloped countries in the Asia-Pacific. Conclusion Human sex trafficking is a significant transnational issue capable of causing significant social and economic harms that is becoming more prevalent in the Asia-Pacific region. Corruption, high-profit, and low risk drivers are fuelling this growth. There are many threat groups within the Asia-

22 | Asia Pacific Security Magazine

Pacific region, most notably the increase in female recruiters is an insightful revelation that must be addressed in future preventative and reactive countermeasures. However, it is important to note that “victims” are not necessarily coerced, as they approach the traffickers themselves in an effort to gain a “better life”. Corruption and low-socioeconomic conditions need to be addressed in the Asia-Pacific region to tackle human rights, women’s rights, and poverty so that individuals do not seek, or cannot be enticed into the human sex trafficking enterprise. The peculiar and controversial suggestion of the introduction of terrorism like laws to increase the risk factor is a measure that should be considered. This would potentially disrupt the current trafficking networks, create a greater sense of risk, and further protect Australia’s national security. There needs to be a broader framework for dealing with human sex trafficking. The prevention, preparedness, response, and recovery model will help frame a people-centric approach to countering human sex trafficking. Therefore, focusing more on the victims and providing the support needed. Human sex trafficking requires the attention afforded to other transnational crimes including terrorism as many of the routes and enterprise dealings are intertwined with this issue. For instance, terrorists and organised crime groups seek to exploit the same vulnerabilities in our border security arrangements. As such, attention needs to be rerouted to prevent and prepare for human sex trafficking in Australia and other Asia-Pacific countries. A co-ordinated response and recovery framework needs to be implemented to help break the cycle, address the vulnerabilities in the system that are being exploited by a range of entities, traffickers, and terrorists alike, and help victims.

17th August 2018 Singapore

Building a resilient and innovative ASEAN

Frontline

MAT TERS

CYBERTHREATS WEIGHING YOU DOWN? LIGHTEN THE LOAD AT RSAC 2018 APJ. As an infosec professional, you have a lot on your shoulders. New global and regional threats are popping up every day, and it’s up to you to keep your organization safe. It’s a never-ending task that requires solid reinforcements. And at RSA Conference 2018 Asia Pacific & Japan, the cybersecurity cavalrywill be at the ready: • Demo the newest technologies from dozens of innovative companies • Attend expert-led sessions covering the latest issues and solutions • Hear inspirational keynotes that will strengthen your resolve • Broaden your skills through comprehensive seminars and Learning Labs • Make valuable connections that can enhance your career Take the first step to securing your organization. Register today for RSAC 2018 Asia Pacific & Japan at www.rsaconference.com/MSM18

Frontline

Murder through WhatsApp

S By Sarosh Bana

24 | Asia Pacific Security Magazine

eldom has the Indian public been so exercised by the politics of hate and fear as at present, with online rumour-mongering and fake news igniting vigilantism and witch-hunts in different parts of the country. Much of this churning is taking place through the social media where internet trolls, spammers and troublemakers are reigning supreme, sowing incendiary posts to online communities with the intention to provoke and intimidate. Rumours circulating on WhatsApp about kidnappers marauding for children have been causing widespread panic, with frenzied mobs attacking those they deem suspects, leading to at least 18 unwary men and women being lynched in the streets in just over the last one month alone. Often, the victims are charged with involvement in selling children to adoption centres or to agents for organ harvesting. Alarmed by this trend, Indiaâ&#x20AC;&#x2122;s Ministry of Electronics and Information Technology (MEITY) has petitioned WhatsApp to do what it can to check rumour-mongering and hoax messages on its platform. The Facebook-owned instant messaging service has agreed to devise means for preventing the spread of such posts in the country. But to do this would require monitoring and sanitising, and it is

unclear how that could happen when the social networking site claims it does not store messages on its servers once they are delivered, and that end-to-end encryption prevents third parties and WhatsApp itself from reading them. The provocative rumours are at times illustrated with videos of someone who happens to be walking behind a child, or is talking to or is looking in the direction of one. The accompanying comments counselling vigil and caution against these so-called child-lifters have been enough to breed public hysteria about the safety of children. In a particularly ghastly incident of hate crime, agitated residents of a tribal hamlet 300 km from Mumbai surrounded five youths who had got off a public bus and thrashed them to death. Locals were already on tenterhooks because of circulating rumours on SMS and WhatsApp about child abductors prowling around the district, and some reported seeing one of the youths talking to a girl child at the bus stop. The five young men â&#x20AC;&#x201C; in their late 20s â&#x20AC;&#x201C; were chased and brutalised by the mob, which also turned upon the policemen who rushed to the spot to try to save the victims. The police later informed that the five youths, tribals themselves, had come to the village in search of alms or work, as their

Frontline

situation back home was desperate. What has been additionally alarming is the growing incidence of such horrifying assaults being recorded on mobile phones and the footage then being posted on WhatsApp and Facebook, as has happened in this case of lynching. Often, the victims could have been rescued by those filming the brutality who could instead have intervened. In many such videos, the victims can be heard begging for their lives and pleading their innocence. There have been no reported cases of abduction of children. Yet, stray rumours going “viral” on WhatsApp have led to this spate of lynchings across eight states. In one instance, a man who had been engaged by the Information & Culture Department of the north-eastern state of Tripura to spread awareness against rumour-mongering was himself killed by a mob on suspicion of being a child-lifter. In two separate episodes in Uttar Pradesh, a mobile vendor was lethally battered and four others, including a policeman, seriously injured in a mob attack, while a woman was lynched and another injured when they were travelling in a vehicle with four men. Another woman, who too had come from her home-state of Rajasthan to earn a living by begging in Gujarat, was beaten to death upon suspicion of being a kidnapper. Online rumours have also resulted in numerous cases of lynching of people alleged to be cattle raiders or selling, transporting or consuming beef, which is banned in the majority of India’s 29 states. Most of these states are ruled, singly or in alliance, by the Bharatiya Janata Party (BJP), which pursues a far-right Hindu-nationalist ideology that prescribes vegetarianism. While two men were beaten to death by a mob in the state of Jharkhand on 14 June on suspicion of cattle theft, three others who were with them managed to escape. Two days later, in Uttar Pradesh, two men were beaten up over rumours of cow slaughter, with one of them dying in the attack while the other was critically injured. The assailants frequently evade arrest and are further emboldened by the support, and even praise, they receive from BJP leaders who often justify these attacks on communal grounds. On 7 July, prominent BJP minister Jayant Sinha held a reception in his house for eight men who were released on bail after being convicted for killing a Muslim trader a year ago in the Jharkhand state whom they accused of transporting beef. Sinha even garlanded the culprits and lavished hospitality on them. Just a day later, a second Union minister, Giriraj Singh, visited a prison in Bihar to felicitate eight right-wing Hindu activists jailed for killing a Muslim meat trader for the cause of cow protection. And the entire nation was stunned in March when BJP ministers, former ministers and legislators held rallies in support of eight men, including three policemen, accused of holding an eight-year-old tribal girl captive in the border state of Jammu & Kashmir and viciously gang-raping her over seven days and finally murdering her. Another BJP legislator in Uttar Pradesh who was accused by an 18-year-old girl of raping her last year had his brother and other associates bash her father to death in front of policemen in April. In reply to the communication from MEITY concerning rumour-mongering, WhatsApp remarked: “Thank you for your letter dated July 2. Like the Government of India, we’re

There were 292 million smartphone users in the country by the end of 2017, and their numbers are projected to swell to 337 million by the end of this year. horrified by these terrible acts of violence and wanted to respond quickly to the very important issues you have raised. We believe this is a challenge that requires government, civil society and technology companies to work together.” There are questions about WhatsApp’s seriousness in this regard. Though India is its largest market with 260 million monthly active users, a fifth of its over one billion users globally, its operations in India yet do not have a head, though it debuted in the country in 2010. Neither does its parent, the social media giant, Facebook, that entered India in 2006 and for which too this country is its largest market. Indian smartphone users, on an average, spend 200 minutes on mobile apps every day, according to investment firm Omidyar Network, which adds that they spend as much as 38 per cent of this time on Facebook and its affiliated apps, WhatsApp and Instagram. There were 292 million smartphone users in the country by the end of 2017, and their numbers are projected to swell to 337 million by the end of this year. Nevertheless, WhatsApp informed MEITY that it is committed to curb rumours and misinformation on its site. It noted: “We have been testing a new label in India that highlights when a message has been forwarded versus composed by the sender. This could serve as an important signal for recipients to think twice before forwarding messages, because it lets a user know if content they received was written by the person they know or a potential rumour from someone else. We plan to launch this new feature soon.” It also pointed to the introduction in May of a shield restraining group administrators from reinstating those who had exited from the group, saying this was becoming a form of misuse. It added that it had very recently launched a new setting that enabled administrators to determine who gets to send messages within individual groups. It explained: “With the right action we can help improve everyone’s safety by ensuring communities are better equipped to deal with malicious hoaxes and false information -- while still enabling people to communicate reliably and privately across India.” Most do not see the relevance of these measures on the issues of rumour-mongering and hate posts. There is little doubt that WhatsApp’s reach and scale are phenomenal in India’s social situation where random online messages can mobilise crowds of scores or hundreds in no time. The opposition Congress party, however, blames the ruling BJP for creating an “environment of hate” that has engendered vigilantism and emboldened religious extremism across the country. Questioning Prime Minister Narendra Modi’s silence on this dilemma of lynchings, it says: “This is the result of silence of the leadership when crimes are committed with impunity by the harbingers of hate.”

Asia Pacific Security Magazine | 25

Frontline

Mr David Koh, Chief Executive, Cyber Security Agency of Singapore, CSA, at GTACS 2018, held on 21st May 2018. Photo Credit: ISACA Singapore Chapter

Governance, technology audits, control and security (GTACS) 2018 Conference

G By Jane Lo ASM Correspondent

26 | Asia Pacific Security Magazine

iving the Welcome Speech as the Guest-ofHonour at the Governance, Technology Audits, Control and Security (GTACS) 2018 Conference, organised by ISACA Singapore Chapter, on 21st May 2018, at MBS Convention Centre Singapore, Mr David Koh, Commissioner of Cybersecurity for Singapore, Chief Executive, Cyber Security Agency of Singapore, Deputy Secretary (Special Projects) and Defence Cyber Chief, Ministry of Defence (Singapore), emphasized that cybersecurity is a C-Suite responsibility. The tone-from-the top is key to building an effective cyber risk management culture within an organization. “Cybersecurity is a team sport” was a theme that Mr David Koh highlighted at the ASEAN Ministerial Conference on Cybersecurity, as part of the Singapore International Cyber Week 2016 (SICW), requiring close partnerships among all involved, including governments in the region and industry partners in the private sector. Expanding on this theme at GTACS 2018, he said that it is important for C-Suite leaders to understand cybersecurity issues, so as to make informed decisions on risk management and its trade-offs. From the perspective that “Cybersecurity is not an IT problem, it is a risk management issue”, tone-from-the-top, where the Board and senior management are highly engaged and understand what comprises information ‘Crown Jewels’, is a foundational building block for effective cyber risk management. The Singapore Cybersecurity Strategy, launched at the inaugural SICW 2016 by Prime Minister Lee Hsien Long, mentions the importance of C-Suite engagement, under

capacity building (“Larger companies could also define apex cybersecurity positions at the C-Suite level”), and more comprehensive Cybersecurity exercises (which “will enhance the capability of the sectoral cyber response teams and the quality of incident management by the C-Suite decisionmakers in the Critical Information Infrastructure operators”). Responsibility and accountability of CII (Critical Information Infrastructure) operators in the event of cyberattack is set out in a new 2018 initiative - the Singapore’s Cybersecurity Act (2018) - which was passed into law by Parliament in February 2018, and received the President’s Assent in March 2018. Referring to the use of operational technology (OT) used to manage power stations and water treatment plants, Mr David Koh said “it is true that the cybersecurity solutions and awareness for the OT or industrial control systems is actually less developed than in the IT world.” To boost the nation's defences, the Act requires operators of 11 CII sectors - Government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency and media – to secure their infrastructure and report incidents. It has four key objectives: a. First, to strengthen the protection of CII against cyberattacks. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their obligations to protect CII from cyber-attacks. b. Second, to authorise CSA to prevent and respond to cybersecurity threats and incidents. The Act empowers the Commissioner of Cybersecurity to investigate cyber threats and incidents to determine their impact and

Frontline

prevent further harm or cybersecurity incidents from arising. c. Third, to establish a light-touch licensing framework for cybersecurity service providers. Cybersecurity service providers often have significant access into their clients’ sensitive computer systems and networks. Such services, if abused, can compromise and disrupt the clients’ operations. A licensing framework will give businesses and clients more assurance, and is part of our strategy to raise the quality of cybersecurity services in the long run. d. Fourth, to establish a framework for sharing Cybersecurity Information. The Act facilitates information sharing, which is critical as timely information helps the government and owners of computer systems identify vulnerabilities and prevent cyber incidents more effectively. The Act provides a framework for CSA to request information, and for the protection and sharing of such information. The Act will operate in tandem with other laws and regulations in Singapore. For example, the Computer Misuse Act and other relevant legislation will continue to govern the investigation and prosecution of cybercrime perpetrators. Speaking on the importance to secure systems in cyberspace, Mr. David Koh remarked “although Singapore was relatively unscathed by large-scale cyber-attacks like the WannaCry and NotPetya attacks in 2017, our global connectivity still puts us in the cross-hairs of Advanced Persistent Threats. Last year, our universities’ and government networks were breached. We investigated and found the breaches to be carefully planned and sophisticated; not the work of casual hackers or criminals.” “It is not that Singapore is particularly good or that Singaporeans are very alert with respect to malware, we were just lucky.” He added that there were two reasons Singapore “dodged the bullet” when it came to the WannaCry attacks. First, the ransomware affected older versions of the Windows operating system, which are not as widely used in Singapore. Also, the attackers meant to target “a particular country and a particular region of the world”. More critically, he emphasized, when it comes to cybersecurity, the key for Singapore is not whether Singapore is better than other countries, but “really the issue is how our cyber defences are against the attacker.” And that the “financial cost of cyber-attacks can be high, but indirect costs, such as the loss of trust from the public, can be even higher”. Echoing the comments of former Minister for Communications and Information, Dr Yaacob Ibrahim, at the inaugural Cybersecurity Awards, that “Singapore’s strong international reputation as a trusted and credible partner can also open many doors for cybersecurity businesses based in Singapore, making this a good place to pilot and launch cybersecurity initiatives. So with all these opportunities, this is a very exciting time to be in the industry”, Mr David Koh concluded, that “Cybersecurity is an investment and opportunity”. “Cybersecurity creates a competitive advantage, and clients are willing to pay if they view their data are safe”.

Delegates at the conference - GTACS 2018 – Digital Economy 4.0, Proactive Cybersecurity Risk Management. Photo Credit: ISACA Singapore Chapter.

Mr David Koh (left) conferred the first Billington CyberSecurity International Leadership Award in March 2018. The award was presented by Mr Thomas Billington, Chief Executive Officer of Billington CyberSecurity (Billington), at the 3rd Annual Billington International Cybersecurity Summit held in Washington, DC, USA.

ISACA Singapore Chapter Board Members with CSA CE David Koh at GTACS 2018 – Digital Economy 4.0, Proactive Cybersecurity Risk Management. Photo Credit: ISACA Singapore Chapter.

Asia Pacific Security Magazine | 27

Frontline

Alan-Noble-with-ZCell-batteries-Willunga-04-1MB-H

Redflow’s Revolution

How an Aussie company is looking to jumpstart the battery industry. By Bennett Ring ASM Correspondent

28 | Asia Pacific Security Magazine

n 2018, South Australia’s sustained support for renewable energy has reached widespread attention both nationally and globally, largely in part to the Hornsdale power reserve. Thanks to its partnership with Tesla to provide the world’s largest lithium-ion battery, it’s been credited with stabilising the state’s power grid after several years of less than perfect performance. However, there’s an alternate battery technology being promoted by a prominent South Australian, offering several key benefits compared to lithium-ion. Redflow is a Brisbane-based company who just happens to have Simon Hackett as one of the key backers. As the founder behind ISP Internode, former NBN board member and the owner of the first Tesla Roadster and Tesla Model S electric vehicles in Australia, Mr Hackett has built an enviable reputation as one of Australia’s most accurate weathervanes when it comes to emerging technologies. Mr Hackett was the CEO of Redflow until September 2017, but is still its largest single investor, as well as a non-executive director and technology evangelist for the company. Redflow specialises in zinc-bromine flow batteries, and currently sells two different versions, the ZCell for residential use and the ZBM2 for industrial and commercial applications. It’s not the only company in the world to make batteries based on this technology, but its real breakthrough has been in miniaturising the size of these units. We recently

interviewed Mr Hackett after a keynote he presented at the Australian Energy Storage Conference, to understand why he’s become such an energetic proponent of this new battery technology. In the past, zinc-bromine flow batteries were around the size of shipping containers, but Redflow has managed to shrink them to the size of a small bar fridge, making them perfect for home use. The ZCell battery has a capacity of 10 kWh, with no loss in storage capacity for a decade, no matter how many times it is charged and discharged, a huge advantage over traditional lithium-ion batteries. When we asked how Redflow managed to achieve this miniaturisation, Mr Hackett explained that this was the primary task the founders set out to achieve. “The electrode stack they designed embeds a complex set of electrolyte fluid flow handling into moulded plastic structures built right into the edges of the same plates on which the electrochemical reactions occur. Those plates are then sandwiched together and sealed so all the complex fluid flow ‘plumbing’ that is ‘external’ (and vulnerable) on conventional (big) flow batteries is internalised - and invulnerable - in ours.” They’re able to maintain their long-term life by flushing the zinc off the plates and returning it to the zinc bromide solution every three to four days. There’s a drawback to this in that each battery must do a full discharge every four days

Frontline

Simon Hackett with LSB reference platform at Base64 #7 1MB

of active use, with a two-hour maintenance schedule each time. As a result, a single battery is not able to deliver 100% of its stored energy 100% of the time, but this is easy to get around according to Mr Hackett. “With more than one battery, this becomes invisible as our BMS sequences the operation of batteries so they take turns to do this; With applications to which we are best suited, those being ‘daily deep discharge’ applications, it’s a non-issue.” The battery can also be put into ‘Standby Power System’ mode for long-term standby retention of charge (with no self-discharge at all). In this mode it acts more like a standby generator, with a restart time back to active operation of around 30 to 60 seconds. The company is developing a hybrid solution that builds in an ultracapacitor to cover that standby-startup time and create an ultra-long life online UPS battery (this being the one application area for which the battery is not – yet – well suited). Due to the fact they’re built around a liquid-based solution that requires moving parts, zinc-bromine flow batteries aren’t suited to smaller applications such as phones or laptops. According to Mr Hackett, this is “…not the target application set for us and we don’t intend to create a smaller unit than we already make. This is about the lower limit for an energy efficient super-small flow battery. Making it smaller would magnify the fixed overheads in terms of expense for necessary flow battery system components and would also magnify the relative impact on round-trip efficiency of the necessary energy draw to drive the pumps and control systems.” While ZCell batteries are well suited for home use, they can also be clustered to create vast storage facilities. “Making a small one is no barrier to wiring lots of them together. Tesla proved that (in spades) with 18650 Lithium-Ion cells - thousands of which are in the floor of my Tesla Model S.” This makes the batteries perfect for large scale deployments, without the decreasing lifespan of lithium-ion batteries over time, the latter of which has a typical lifespan of between 300 to 500 full discharge cycles. This can mean a lifetime of only two to three years if the battery is daily-deep-cycled. However, the Tesla batteries in use at the Hornsdale facility

come with a 15-year warranty, as they’re mainly used for grid frequency and voltage stabilisation and for supporting the grid in the critical seconds after a coal-fired power station fails without warning. These are applications in which the battery energy is delivered at super high power, but for very short periods (ten minutes at the most) each time the battery is called upon to support the grid in this way. In contrast, zinc-bromine flow batteries can be used continually to deliver long time-base, long-term, daily energy storage and delivery while still maintaining their lengthy lifespan. Hackett frames this as being the difference between a Sprinter and a Marathon runner. He believes the future grid will benefit from the presence of both storage types because both application requirements exist in the grid. Other key benefits to these batteries include higher recyclability of the battery components and electrolyte, a flat energy curve which delivers 100% of the capacity with constant power, and they’re also less prone to thermal runaway, requiring no active cooling. There is a cost to zinc-bromine technology though, literally. The initial cost of acquisition is higher than lithiumion, but Hackett believes “…that the technical benefits of flow batteries make that higher up-front cost worthwhile that there is a beneficial overall total cost of ownership here. This is quite like electric cars - they cost more to buy, they cost less overall to run than conventional (and cheaper) cars.” While the company initially had some hiccups with its first mass-production run, the company has since relocated its manufacturing from Mexico to a new Redflow-owned facility in Thailand. Redflow has for several months made battery stacks - the most complex part of its battery - at this new plant, with complete battery production scheduled for this month ( June 2018). This production is enabling Redflow to deliver backordered batteries to customers already and to accept new product orders. Redflow sells its products to energy system integrators around the world. As the world moves towards renewable energy sources, the requirement for battery backups is becoming obvious, and the benefits of zinc-bromine batteries deliver both long-term sustainability and an overall less environmentally impacting product.

Asia Pacific Security Magazine | 29

Frontline

Hostile vehicle attacks

Smart city planning for Transparent Security

T By Stephen Rachow

30 | Asia Pacific Security Magazine

errorism in the 1970s was predominated by airline hijackings, the 1980s fell victim to suicide bombings, the 1990s and 2000s involved an abundance of improvised explosive devices, and now vehicular terrorism to ram down pedestrians in public places is at the forefront. Notable in the last 10 years is the global rise of hostile vehicle attacks (HVAs) in western countries. For such attacks, resources are plentiful and target choice random. The use of readily available vehicles disguises an otherwise obvious weapon choice at places of mass gatherings (PMGs) in densely populated cities. Low cost technological advancements also enable low-skilled coordinated simultaneous attacks on exposed targets poorly protected from the design nature of city planning. The recent horrifying attacks in 2017 on La Rambla in Barcelona and Westminster Bridge in London, as well as the 2016 Bastille Day promenade attack in France and the Christmas market place ramming in Berlin, highlight the current nature of terrorism which now focuses on converting common vehicles into readily available weapons for inflicting harm to pedestrians in PMGs. Collectively these attacks, albeit only a few of many others, have killed over 100 innocent civilians and injured over 700 more. Common to HVAs is the perpetrator’s motivation. Individuals driven by ideological or religious beliefs, particularly those subscribing to Al-Qaeda and ISIS extremism, will use common vehicles as weapons against pedestrian targets for mass terrorism. Car ramming incidents in Melbourne and Heidelberg in 2017 also highlight that even mentally disturbed persons are also using vehicles as hostile weapons. The aim, regardless of

the motivation, is to cause mass injuries, death and destruction. From a theoretical standpoint, the success of HVAs is in accordant with the traditional security risk triangle. That is, their motivation plus vehicular capability plus environmental opportunity enables a perpetrator to carry out an attack of this nature. The low-tech, low-skill requirement makes vehicular violence significantly easier to execute than other forms of terrorism and the propagation of intent through the internet has assisted recruitment of perpetrators to follow such motivators on a global level. An analysis of historical events supports that PMGs, accordant with high volume periods, represent the highest likelihood targets with innocent civilians as the most likely targets in danger rather than VIPs, government officials, military targets or critical infrastructure. As such, we can foresee HVAs typically occurring at parades, festivals, concerts, international sporting events, protests, and crowded city streets. The societal outrage in communities caused by successful target execution further amplifies a perpetrator’s satisfaction and intrinsic motivation. Current limitations and in some cases the complete absence of integrated security barrier designs to protect pedestrian and physical asset zones further enables threat groups, increasing their likelihood of success and reinforcing their intrinsic rewards. Current security measures are not enough There have been over 40 HVAs worldwide since the year 2000, predominately terrorism driven against innocent civilians, which has given rise to cities introducing ‘add-on’ measures to mitigate attacks. However, a significant aesthetic limitation

Frontline

is the lack of transparency with temporary add-on measures without a systematic permanent plan. Incorporation of counter-terrorism measures such as hardened metal pedestrian barriers that line footpaths or solid metal bollards for road closures around buildings creates an unappealing environment to the community and lack of social acceptance. As such, these security explicit barriers have been condemned as ‘militarising’ places and spaces, and the subsequent demise of iconography of a city and its buildings has led to increased fear and impeded civil liberties. A disproportionate sense of fear towards hostile vehicles compared to other types of risks means cities have become spatially and socially restructured with perceived negative effects. Three cities in the USA have closed or severely restricted publicly accessible space by 17% and even though this may have been done with gardens or ponds, it has contributed to the ‘fortification’ of urban space. Research by Wolfendale proposes that “…current counterterrorism practices pose a greater threat to individual physical security and well-being than non-state terrorism. We should fear counterterrorism more than we fear terrorism…” Safeguarding our future with Transparent Security and smart city designs Integrating the theoretical security framework of target hardening, surveillance and rule setting with physical zone demarcation into the notion of Transparent Security addresses the current limitations of fortified counterterrorism measures. Traditionally, physical security in the context of mitigating HVAs, involves omnipresent physical measures to safeguard people, prevent unauthorised and unwanted access to physical space areas, and protect assets from sabotage and damage. Transparent Security, on the other hand, still involves safeguarding assets with these principles in mind, but in a way that protection measures are invisible by blending robust barriers into the natural surroundings through a comprehensive security plan. Specifically this achieves physical security robustness without causing undue attention and alarm. Smart city design is the overarching concept that aims to protect targets in danger by future planning cities to be safe, secure, environmentally friendly, green, and efficient in a manner that can be maintained. Future smart city design must include Transparent Security, implemented in an adequately sophisticated manner to be both appealing to the community but importantly mitigate threats, noting that the nature of risks associated with HVAs means mitigation is the goal rather than elimination. Invisible measures through landscaping and urban design, and stealthy security features such as street furniture, water features and public art, are CPTED principles that are aesthetic methods which allow for social acceptance with individual and community fear reduction while reducing the risk of HVAs as much as security-explicit barriers. Supplementing this, is the effect of dissuading a motivated offender as while Transparent Security may be invisible to the casual eye, hostile reconnaissance would easily identify the transparent barriers reducing the likelihood of a successful attack.

Standards Noting these design principles within a smart city concept, particular standards by both the Australian federal and state governments have been published to guide the implementation of Transparent Security. Creating standoff space between vehicles and pedestrians or buildings where every metre counts; traffic management planning for exclusion, restriction, inclusion, and temporary barriers; vehicle access control; traffic calming; and, vehicle security barriers including security-explicit, street furniture, landscaping and nature for both passive and active barriers, are all examples of measures outlined in the standards. For future implementation, smart cities should plan the design of Transparent Security based a considered threat analysis, and published guidelines which, for example standardise: a certain distance between vehicles and pedestrians, the use of road/street design to reduce the possible velocity of hostile vehicles by enforcing angled or ‘inturn’ impacts into buildings rather than head-on impacts, and the use of inclines and speedbumps up to buildings or near pedestrian access zones for vehicle deflections. In essence, the technical specification of barriers can be achieved to meet the threat, but in an aesthetically blended manner. Remaining future concerns Despite published standards and evidence for Transparent Security amongst security professionals, policy for mandatory requirements is lacking. The Australian Government imposes mandatory requirements and policy under the Physical Security Policy Framework, however the Transparent Security elements in building and site design are yet to be developed. In contrast, the US General Services Admission formalises a multidisciplinary approach requiring building designers or architects to be employed to work with government security objectives in existing or planned building site developments for optimisation of public spaces. Nonetheless, some Australian jurisdictions require CPTED evaluations as part of new planning applications, and therefore an extension to include transparent physical security is not beyond considerations. The critical importance of Transparent Security to mitigate HVAs in public spaces means that Transparent Security needs to fit into this policy framework as a mandatory requirement transnationally. Within a smart city framework, architects, local government planning committees, and built environment developers should be required to conform to policy that specifically uses the published standards and guidelines on the implementation of robust transparent barriers for best practice security management. About the Author Stephen Rachow BCrim (CCJ) is currently undertaking a Master of Security Management at Edith Cowan University under Dr Michael Coole. Stephen has extensive military experience with a keen interest in CPTED, specifically physical security for counter-terrorism and crime prevention management.

Asia Pacific Security Magazine | 31

Cover Feature - Frontline

‘Ready for take-off’: Australia’s need for a comprehensive airport security and policing review

F By John Coyne ASPI.org.au

32 | Asia Pacific Security Magazine

or seventeen years, Australian governments only needed to mention ‘terrorism’ and ‘airports’ in the same sentence to get public support for new security measures. With each new disrupted terror plot, or tragedy, consecutive governments would announce new security measures, and of course additional resources, with little or no opposition. It is unsurprising then that today, we have not so much a well-designed security framework protecting our airports, as a legacy of layered new and old measures. With the Western Sydney Airport set to open in 2026 the time is right for a rethink of what the next generation of airport security ought to look like. And if we move fast enough, there might be time to build this system from the ground up in Western Sydney. The last time Australia substantially reviewed its airport security was in 2005, when Northern Ireland’s former Security Minister Sir John Wheeler completed ‘An Independent Review of Airport Security and Policing for the Government of Australia’. At the time Wheeler found that ‘Experience around the world has demonstrated that airport policing and security is a specialist field requiring dedicated and trained officers, integrated systems, appropriate technology, and real partnerships between federal and state agencies and relevant private sector personnel.’ Wheeler was right, and arguably these principles are still axioms for those

responsible for airport security today. Although, I would argue that he left out one key adjective: ‘holistically managed’. At the time of the review, Wheeler caveated his assessments with the observation that ‘there is no ongoing mechanism to draw together and assess regularly the threat of crime and criminality at major airports’. Without the benefits of this kind of reporting, nor the ability to divine the future, he could never have anticipated the domestic and international incidents that have occurred at airports over the proceeding 13 years. Deadly bikie brawls as seen in 2009 in Sydney, heightened terror threats, meat mincer bomb plots and mass casualty attacks at airports illustrate the changed scope of threats and risks faced at airports. To be fair, the Government did respond to the Wheeler review with policy and new money. Command and control was drastically improved with the appointment of airport police commanders. Engagement between security providers, airport operators and airlines was also radically enhanced: due to the efforts of all involved. There were more, and better trained, police at all of Australia’s major airports. However, like many policy initiatives, the funding for the project eventually terminated. With time, staff numbers and policy focus waned. In 2005, Wheeler astutely recognised the dual importance of new technology and system integration.

Frontline

‘ An Independent Review of Airport Security and Policing for the Government of Australia’. At the time Wheeler found that ‘Experience around the world has demonstrated that airport policing and security is a specialist field requiring dedicated and trained officers, integrated systems, appropriate technology, and real partnerships between federal and state agencies and relevant private sector personnel.’”

However some 13 years later smart gates and new explosive detection capabilities, biometrics and close circuit television are not emerging technologies. Government has taken what were emerging technologies in 2005 and deployed them to great affect at our airports. However, in the absence of a substantive independent review, questions remain over whether they have been fully integrated into airport security. The ad hoc nature of security developments at airports hardly brings confidence that this kind of integration is occurring. In the years that have passed since the initial response to the Wheeler review, there have been targeted ad hoc efforts to increase security at Australia’s international and domestic airports. For the most part these have been aimed at addressing particular vulnerabilities or mitigate specific threats: often in response to terror attacks or plots. The public had in the past appeared one part buoyed by announcements and security presence, and one part disturbed by the inconvenience such measures caused to the traveling public. Regardless, there was a trust that the measures were necessary for safety. Last month the Turnbull government announced, with little warning, a proposal to provide police at Australia’s domestic airports with new powers to demand identification from travellers. The announcement was part of a broader range of budget measures on aviation security, from the use

of body scanners, the deployment of additional Australian Federal Police officers at airports, upgrades to inbound air cargo technology, and extra funding to support regional airports to upgrade security. Prime Minister Turnbull argued that ‘dangerous times’ demanded these changes. Something seems to have changed in the public mood towards security because Turnbull’s announcement was not met with support, nor the admiration that he probably desired. Instead, the coalition announcement was faced with widespread criticism for the measures. There’s plenty of empirical evidence that public trust in governments globally has been in steep decline since the end of the Cold War. And after numerous leaks and whistle-blowers, the public is more cautious than ever about its support of new powers for police, security and intelligence agencies. For sure, any announcement of new measures supported by ‘trust us’ like arguments will be met by scepticism. The days of ad hoc and incremental changes to airport security without detailed explanations for the public are passing by. With all this in mind, it appears abundantly clear that we need another comprehensive independent review of Australia’s airport security and policing. And this needs to occur before we rush into introducing any further ad hoc aviation security measures. This review needs to avoid the temptation of bringing in another international expert to tell us what we need to do. Instead, it should bring together a small review team comprised of well-respected public and private sector security thought leaders, with representatives from the airport, airline and security industries. The terms of reference for this review need to focus on building an airport security system that is comprised of integrated systems that collectively provide the capability to mitigate risks, but just as importantly support the facilitation of smooth travel. It will also need to consider how to make these arrangements more agile than ever to keep pace with the rapidly changing threat environment we face.

Asia Pacific Security Magazine | 33

Frontline

Much more to do in support of locking down By Konrad Buczynski Industryrisk.com.au

34 | Asia Pacific Security Magazine

lanning for a truly ‘effective’ lockdown security regime can be a complex and challenging issue, especially within Australian workplaces, where building design has not historically been predicated upon security factors. Perhaps because of this, and despite the heightened threat of terrorism within the community, many organisations have done little in preparation for a serious incident, such as one involving an active shooter. The reasons for this may vary widely; limitations caused by infrastructure, and a requirement for a high degree of public access are two key factors that can hamper planning. Gaining explicit management support to practice realistic drills may also be difficult, and adequate resourcing may not be available to address the most critical needs. However, even those that have implemented good lockdown arrangements would invariably agree that there is no solution that approaches anywhere close to perfect. Even when infrastructure and funding prove favourable and forthcoming, the nuances of any given scenario would invariably expose vulnerabilities in established processes and systems. A disgruntled insider also has the potential to render any capability that is effective, largely redundant, as various recent events have shown. Those that have seen an example of what might be regarded as a best-practice lockdown regime are in the minority. Indeed, many businesses are still in the early

process of considering how to adjust their ‘AS 3745-2010 Planning for emergencies in facilities’ style plans to account for such a regime in a procedural sense. This is exacerbated by volunteer-staffed Emergency Control Organisations (ECOs), the potential for key person/coordinator absence, and an unwillingness for management to address the nature of the threat directly with staff. The ANZCTC ‘Active Armed Offender Guidelines for Crowded Places’ [1] offer a helpful, albeit limited ‘Escape, Hide, Tell’ approach to personal protection, and other international jurisdictions also offer approaches based loosely on the ‘run, hide, fight’ concept. Much expertise will have gone into developing this simplistic approach, and it carries a lot of merit; a simple message is key in a confused situation. The onus must then fall to those that operate facilities to take this to the next logical degree, rather than assuming an ‘everyone for themselves’ doctrine, should the worst occur. People should be entitled to expect to have places/routes to escape to/through, or have been instructed on locations to hide, prior to such an event occurring. It is after all a reasonably foreseeable, if not a frequently realised, security risk. The absence of advanced planning may be somewhat explained by dismissiveness within segments of the Australian community for the potential for an active shooter incident to occur (due to the lack of a significant history of such events here). It can thus be a difficult task to directly engage and

Frontline

In Australia, and despite touching on

correlate with specific details about lockdown arrangements. More can be done.

the subject in security officer training

Lockdown considerations

curriculums, such training within the

Each context/site and organisation is different, but there are a range of principles and considerations that can be factored into planning. Some of the key ones include: • Some organisations risk an impasse in trying to design an ideal solution – anything that can be done to improve the ability to save lives should be embraced. • What are the most likely scenarios (i.e. how could they play out) that you are planning for, and have these been subjected to a risk assessment? • Strongly consider dividing areas into zones, with safehavens clearly identified (and hardened), and lockdown protocols defined for those spaces. • Communications arrangements should be tested and assured. Consideration should be given to protocols and the need to communicate internally (among the ECO and to the wider employee/visitor base), and externally to Emergency Services, while not placing individuals in unnecessary danger. That is to say, the utility of mimic EWIS panels in the foyer will be next to useless in an active shooter situation. • CCTV and its potential use in tracking an armed attacker and informing stakeholders accordingly. • Modifying/designing infrastructure to support emergency planning, including access controls. • Where one has been engaged, is it best to appoint a contracted guard force to the ECO role to ensure that wardens are always onsite? Or is it inappropriate to ‘outsource’ this function? • More broadly, what role does the ECO play, and are expectations of its individual, and collective abilities realistic? • Designated safe-havens should be adequately resourced – a lockdown may last for an extended period. • If the opportunity exists, engage with local Police to familiarise them with your facility. • Specialist and general employee awareness training is critical in underpinning all aspects of a lockdown regime. It should be tailored to account for workplace variables, and make clear the roles and responsibilities, and convey very clearly recourses available in different situations. This includes expectations of those taking shelter.

workplace context is very rare, and does not necessarily correlate with specific details about lockdown arrangements. More can be done. educate workers on the subject. This is not the case in some other countries. In Israel, as an obvious example, and “…because of nearly universal military training and the prevalence of firearms, many if not most terrorist attacks are stopped by civilians [2].” This is sadly assumed to reflect Israeli culture in the current day world, one which is underpinned by a shared history of violent acts by extremists within its communities. Even here in Australia, people within the Jewish community are instructed to be cognisant of potential threats consequent to their faith, and global businesses are strongly advised on how to mitigate against the risk of such a violent act. The US also does the same through its Overseas Security Advisory Council (OSAC) [3]. Frustratingly, few organisations in Australia appear to address the way in which an ECO could/should respond, when the opportunity to exercise a degree of command and control does exist. If an unfolding incident is detected early for example, in a separate part of an occupied space/ precinct, should the default initial option for ECO members be to escape/hide/tell, or would they be expected to direct/ assist others to escape via routes that they are intimately familiar with through their training? While the latter may occur in reality in the event of an incident, it is rare to find it documented well. Having said this, even when such arrangements have been defined, things cannot be expected to go smoothly. In the US for example, and following a State District Court’s opinion, a company employing two (unarmed) security guards stationed at the entrance to a client site was fined more than $USD46.5M [4] after the guards failed to alert staff to the presence of an active shooter. After more than several minutes of “…panic and confusion”, both guards called 911, but failed to notify those within the plant via a designated alert system. Three employees were subsequently killed, and one seriously wounded, before police arrived and took the offender into custody. Clearly one of the lessons in this is the need for realistic drills, to ensure that those charged with carrying out specific functions during serious incidents are programmed do so without pause. It also goes to staff selection. In Australia, and despite touching on the subject in security officer training curriculums, such training within the workplace context is very rare, and does not necessarily

It is not the intent of this article to suggest that a good lockdown regime is simple to achieve. Indeed, some of the issues identified cannot truly be overcome in many organisations/locations, leaving a degree of residual risk that should be carefully monitored. Should the risk exceed tolerances, strong consideration should be given to closing access to a site until the level of threat has eased. The very least that organisations can do is to understand what is available to them right now. Explicitly making sure that all employees are aware of the Government’s advice on Escape/Hide/Tell would be a very good start. Considering and communicating options on places to run, hide and who to tell would be just as beneficial.

Asia Pacific Security Magazine | 35

Frontline

IoT – Securing the connected world By Bennett Ring ASM Correspondent

36 | Asia Pacific Security Magazine

ith the recent news of a Las Vegas casino’s database being hacked via a connected aquarium thermometer, as reported by Business Insider, it’s becoming ever more apparent that Internet Of Things (IoT) devices are increasingly being used as soft-spots to attack networks. Raising the awareness of IoT security was one of two key themes at this week’s IoT – Securing the Connected World event, held at Telstra’s Melbourne Gurrowa Innovation Lab. The first guest speaker at the two-hour event, which saw over 100 guests attend from both the Cyber Risk in Melbourne and Cybersecurity Melbourne meetup groups, was Matt Tett, MD at Enex TestLab. Mr Tett is also part of the Internet of Things Alliance Australia, where he chairs the Work Stream 5, a group of over 120 volunteer members representing 65 organisations across Australia dedicated to developing an IoT framework. The group has already published a strategic plan with a top-line view of securing these devices, which is available for download and has been shared with many overseas partners, including IoT security groups in Germany, China and Hong Kong. Over the course of his presentation, Mr Tett outlined several key areas where the group is focusing its efforts. First and foremost is to identify, reconcile, publish and

promote IoT security guidelines and standards. With over 450 existing IoT platforms, many of which lack even the most basic security, this initially seemed to be an impossible mission. According to Mr Tett though, things weren’t quite as bad once a member of the group examined the issue. “One of our volunteers took the initiative and what started as an exercise to define a sample IoT security architecture rapidly evolved into an amazing overall IoT framework which is applicable to all areas of IoT and has now been adopted by most, if not all, of the other Work Streams at IoTAA”. Part of this work is to develop an IoT product security certification program, where an independent body can test devices before giving them the “trust mark” of approval, showing they’re secure enough for their needs. Given the lack of awareness around IoT security, it’s not surprising that another mandate of the group is to educate suppliers about the need for secure devices. Mr Tett explains that, “… until security is a key factor in information systems, not just IoT, the same thing will keep happening time and again. Deliver first, secure later is still a prevalent culture because those procuring such systems do not ask the tough questions about security”. Part of the issue is that many so-called smart devices don’t

Frontline

“While the consumer may save a few dollars by procuring a (cheaper) product, the actual cost to them in terms of compromise and information loss may be significant, not to mention potential for reputational damage”

have updatable firmware, as a result of using low-cost items. “While the consumer may save a few dollars by procuring a (cheaper) product, the actual cost to them in terms of compromise and information loss may be significant, not to mention potential for reputational damage”. Ensuring IoT devices are secure is just the first step though, with the Work Stream also developing guidelines for the actions and notifications that need to take place when a breach is detected. The second half of the evening was dedicated to drone security. Key speaker Mike Monnik is a Senior Consultant at PrivasecRED and director of DroneSec, and his passion for drone technology is obvious, being an avid drone-user himself. “I absolutely love flying my own drones and hope that stricter regulations do not stifle innovation or remove the ability for commercial or hobbyist flyers to enjoy this technology”. Given that drones as we currently know them are basically flying computers, Mr Monnik explained why it’s important that these devices need to be held to the same strict security regimes as other devices, especially given their ability to penetrate once-secure areas. “Drones are unlike planes or cars where the operator is within the vehicle, ownership is clear and fines enforce regulation. Operators are disconnected from drones and penalties are harder to enforce

– and (easier to) bypass.” Some of the key areas Mr Monnik identified as upcoming security threats involving drones include their use in counter-surveillance of police and military operations, quoting the recent use of a US$3 million Patriot missile to take down a small consumer drone being used to observe US armed forces during an overseas military operation. Many drones can now also be equipped with Wi-Fi sniffing devices, allowing operators to remotely access networks that are behind secure perimeters or in skyscrapers. While some drones already have GPS-based geofencing, stopping them from flying into certain restricted areas, this can easily be bypassed by hacking the drone’s firmware. To combat this, Mr Monnik thinks it may be necessary to install dedicated anti-drone infrastructure. “I don’t believe geofencing is a sufficient defense mechanism when reliant on the manufacturers, and so dedicated anti-drone infrastructure does become more appealing. It’s also advantageous in that it’s protecting a specific site.” Australian company DroneShield is one such manufacturer of these devices, which recently received Airport Environment Certification ensuring that its anti-drone technology does not interfere with aircraft or ground control avionics. Another security threat concerning drone use is that of a user’s camera feed or drone controls being hijacked by a third-party. Highlighting just how easy it is to take over a drone, during the recent PlatypusCon event at Deakin University 100 people managed to do so in under two hours. Yet introducing heavy encryption between the user and the drone can result in increased latency and higher processing requirements, both of which lead to a less than optimal user experience. Mr Monnik hopes that work in this field might lead to, “…innovation in encryption standards that require being robust while providing speedy communication.” Overall, Mr Monnik believes that drone users with enhanced security needs should have security embedded into the drone program, be it via encrypting the drone’s storage devices, customising the operating system in Wi-Fi based systems, as well as other methods that require a specialist to focus on the issue. With cybersecurity still lacking in many traditional computer-based networks, it seems there is an entirely new field of security yet to be tackled. It’s heartening to see Australian groups are already forming to take this realm head-on, with the end goal of a safer, secure cyber-ecosystem. With smart-devices, autonomous vehicles, and armed drones becoming ever more popular, the need is greater than ever.

Asia Pacific Security Magazine | 37

Cyber Security

This is cyber! so… what is cyber?

I By Rob Newby

had a call from a younger security industry peer, we chatted about governance, risk and controls for a while. After 10 minutes or so he said: “it sounds to me like you’re from more of an InfoSec background rather than a cybersecurity one.” InfoSec vs. Cyber There was a time when I would have asked him to define “cyber-” as opposed to “info-”, but experience tells me that this usually draws people into embarrassed ramblings or strident declarations that I feel duty bound to chase down rabbit holes – and apparently nobody likes a smart arse. The language does reveal something of the modern approach to security however – the view is that Cyber is dynamic: real-time analysis of threats and attacks. InfoSec is boring: collection of asset information, impact analysis, setting of rules and management of risk. I get it, I really do. I was a CLAS consultant for 5 years until the scheme closed in 2014, and it was used by the majority as an excuse to sit and write reams of paperwork. I always challenged that approach and spent more time turning it into pictures than was probably strictly necessary. That worked for me and it helped to explain risk at a time when it was sorely misunderstood. In those days (when all of this was fields) it was a requirement of government accounts that this work was done. A Senior Information Risk Officer at the Home Office would sign off my papers, accepting any residual risk I had decided was still in place after many months of design,

38 | Asia Pacific Security Magazine

assessment and redesign – all this AFTER an assessment against ISO27001 and a ListX certification for our working environment. Yes, this took years, but this was in the design, and operation was going to be monitored as per GPG13 (remember that CLAS fans?!) How Cyber has changed the world! We hear it everywhere. Even President Trump knows about The Cyber, it’s frightening what his 10-year-old son can do with a computer. If only he knew. But has it really changed? The Cybersecurity Framework And so, to the real point of this post. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was re-released at version 1.1 today to very little fanfare. An hour-long webcast accompanied this release and I watched it live, avidly awaiting some deeper insights into the framework. It sounded like the release of an academic paper, written and produced by extremely clever people in lab environments with external corporate and public-sector feedback guiding their complex and frankly ingenious thought processes. At the development end, it excited me, they are at last looking at integration with Corporate Governance and Enterprise Risk Management, but the presentation itself was quite dry and complex sounding. If you are new to CSF, I will explain it in a little more detail. Conceptually, it is a way of describing all the security processes required to achieve information security within a business environment, whether that be as consultancy,

Cyber Security

within an IT department (if it’s still 1995 where you are), within a programme or as part of a fully functioning security department within an enterprise business. I have used it in all the above situations and (so far) with very good results. Notice I didn’t say “Cybersecurity within a business” above, even though NIST, those bastions of all things technological and standard (nationally), do. That’s because nothing has really changed except the colour of my hair. Consider the NIST CSF “Core” – Identify, Protect, Detect, Respond, Recover. Identify is just a bunch of risk management processes, the things we did as CLAS consultants all those years ago. Protect is what architects and engineers did and still do all day every day. Detect and Respond was covered largely by GPG13, and Recover is the oft-neglected area of BC/DR that no-one really thought about until it was already too late. Of course, the emphasis has changed since 2009, of course it has, it’s nearly 10 years later, Kim Jong-un walked into South Korea today, the President is called Trump and the UK is leaving Europe. There are some good changes as well though: • we can detect attacks and breaches much more effectively, it’s no longer all logs and rules. • we respond better through experience, we have playbooks from people who have the scars. • we’ve learnt that our BC/DR is an important part of overall resilience This is Cyber, apparently. I can forgive my young colleague for thinking Cyber is all about SecOps and InfoSec is all about GRC, because the majority of the focus has been on improvements to detection and response in the last 10 years. Interestingly we are now hearing a new buzzword: “threatled”. Back in 2009, we looked at threat actors and their threat levels as the first step in risk assessment, the very definition of “threat led”. Whether we are talking about “InfoSec” or “Cyber”, the processes are the same. CSF recognises and realises that for us, but this is a double-edged sword. Using the Framework I picked up CSF reluctantly a couple of years ago thinking it was “just another framework”, but I have come to both respect and appreciate it. It is robust, flexible and measured, and who wouldn’t want that in their Cyber environment? I have worked in security for the last 20 years, give or take. I have some very old and very wise friends who have likewise grown up with IT, security, InfoSec and latterly “The Cyber”. I am fortunate to count CISOs in US and UK stock exchange listed companies as close personal friends. I have recently started discussing CSF with them in more detail (for my own benefit), and almost to a man they have, at least initially, been confused. On the flip side, I have also worked with project managers who are new to security, with limited exposure to controls, governance or risk management, and they have found it an immediate and almost unlimited source of information to talk intelligently and comprehensively about information security. Is this a reflection of the modernity of Cyber? No. Is it a reflection of my inability to communicate effectively? Possibly.

What it certainly is related to is the way we have previously spoken about InfoSec – whether that is “old-fashioned” or not. But if we are inadvertently making it difficult for professionals to understand, what is needed is a simple view of CSF: what it isn’t, what it is, and most importantly, how to use it in its simplest form. Clarifying the Framework, What it isn’t CSF is a double-edged sword. Say “Framework” to any information security professional and they will think of risk management frameworks, or control frameworks. CSF is neither. If you assume that CSF is to be used for risk management, you will quickly become confused as there is no way of quantifying risk with it. Likewise, say “NIST” to many security professionals and they will think of NIST Special Publication 800-53 – a complex and technical control set (so much so that I have only ever used it to write architectural patterns for specific systems where I already knew all the variables. Using it in enterprise environments is frankly rather difficult.) If you assume it is a control set, you will be searching for the detail and wondering how it can ever be measured. What it is As previously mentioned, the CSF Core is a set of security processes. It describes them to different levels of detail: 1. Functions: as described above, Identify, Protect, Detect, Respond and Recover. 2. Categories: there are 23 of these in v1.1, they break the Functions into lower level processes from Asset Management through to Recovery Communication (media handling and the like). 3. Sub-categories: 108 lower level processes which begin to sound like controls described in business language. There are 2 other parts of CSF, the Implementation Tiers and the Profiles. In simple terms, the Implementation Tiers are the basis of a maturity assessment, and the Profiles are a way of prioritising the gaps found in such an assessment. For me, these are nothing ground-breaking, although very structured and useful. The real value of CSF is the Core as described above. How to use it in its simplest form As a consultant I am often dropped into new environments, or even just listening to people talk about their environments without any reference point. With no corporate history it can be hard to judge maturity or know anything about the culture, governance and risk management environments that will drive how security is implemented. To get a very quick picture of how well a security environment is working, do a quick check of the 5 Functions: 1. How well can you identify risk? 2. How well are you protected? 3. What are you detecting? 4. How do you respond? 5. Could you recover?

Asia Pacific Security Magazine | 39

Cyber Security

I won’t write out all of the questions required to go to the next level – you can pick up a copy of the CSF Core yourself. You will get to a point where you will know you aren’t doing the things it asks for. If not, and you ARE doing everything it asks for, you can start to apply the Implementation Tiers – increasing the level of risk management across the board so that you are moving towards a fully adaptive environment. There will then come a point where it is not cost effective to increase your level of risk management, hopefully that comes at a point where you are happy with the level of control you have. In 100% of the cases where I have used this so far, “Detect” and “Respond” have been the places needing the most investment and focus. “Protect” – the traditional resting place for CIA controls and InfoSec tools remains relatively strong and “Identify” seems about half done, governance is still weak in general, and risk management is not yet properly linked to the business. All of this is “generally speaking” and from a UK-centric standpoint. “Threat-led” A colleague of mine, an experienced CISO, stated that a true threat led approach is down to objective testing over theoretical modelling. He said that at the most basic level, a Red Team exercise using the current tools and techniques of prevalent threat actors working against a particular industry sector is much more objective than a paper-based threat model, and it brings things to life for non-InfoSec professionals in an impactful way. I jumped to an answer based on personal experience: the framework is only an architecture and it needs testing in operation, so the Red Teams are effectively testers of the CSF process architecture. On closer analysis I found that my statement that “threat-led” is part of risk assessments is borne out by CSF: the “Identify” Function has a Category within it for Risk Assessment (see Table 1 below). Within that the first Subcategory (ID.RA-1) states that “Asset vulnerabilities are identified and documented”. It gives several Informative References, including NIST SP800-53r4 control CA-8, which contains the control enhancement for Red Teams. So, there are 2 models of where Red Teams sit and it’s worth spending some time to examine which approach is “more correct”: - Red Teams as a testing function for a set of security processes or - Red Teams as a control? For those of you who have just asked the question “what’s the difference?”, there is an interesting endpoint to this that I want to explore in more detail. As per my reactive answer, the cybersecurity Framework, like many/most frameworks doesn’t have a very obvious

Table 1 - Extract from CSF

Function IDENTIFY (ID)

Category Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

40 | Asia Pacific Security Magazine

Subcategory ID.RA-1: Asset vulnerabilities are identified and documented

Informative References NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

feedback loop. It’s a point-in-time setup that leaves you to operate at your own pace. It needs a risk management methodology to prioritise, fix, then operate. To put it in slightly different language, process gaps need putting into a programme then testing before moving into BAU, just like controls. However, the power of processes over controls is that processes are easy to visualise and communicate, whereas controls are point solutions to points of risk. Why do we have controls? This has been an almost continual conversation amongst friends and colleagues in the industry recently. Often in relation to risk management, but more recently, also in terms of compliance and even governance – why are we making it so hard for ourselves? Wouldn’t it be easier to have one control that says, “do it” and the testing methodology that said: “did you do it?” (this is the printable version of this control. My friend and colleague, Nathan Varney, first postulated this as “JFDI”). When you choose a control set, what is it that you are doing? I had difficulty articulating this, so asked my long-suffering wife to listen to my explanation and help me simplify. Now, she is a smart lady, but has no background in IT, let alone security, and a degree in theology. It took me a few attempts, but I settled on a description based in risk: “You have controls to address the risks. You put a baseline level of controls in place, to address a known level of risk and measure anything above that. If there is any residual risk not treated by the baseline controls, you either increase the level of control, add more or accept the risk.” “Ugh,” she said, eating an apple and looking at her iPhone. I have come to realise that this means the information is being processed, not that I am being ignored. Assembly complete, I went on to describe my hypothesis, and the crux of my dilemma, as relates to CSF processes. “If you look at security as a set of processes rather than a set of risks, you can treat gaps by continual red and blue teaming (I had explained these previously). If you look at security as a set of controls, you have to check each one of them for correct implementation, before you look at risk, which makes it a really slow process.” “I love that you challenge and stimulate me with your intellectual pursuits, as well as including me in your life’s work”, she didn’t say this, I imagined it again. It strikes me now that not only is controls-based compliance and risk management a slow process but reporting on it is probably out of date as soon as it’s produced. Cyber is fast-moving, boards need to be able to make decisions based on it quickly, to address issues. Traditional risk management processes are slow, as described above, CSF gives us something which can accelerate it. “So, why do you need controls at all?” I asked. This has been a source of continual debate with colleagues recently. What’s their use, there has to be a better way, etc. I can see that architects might want a standard view, but there are ways around this – they can keep dynamic patterns in their own database. I can see that engineers might want a reference, but the architects can drive this with designers, if anything it keeps the technical control loop more active – a step towards

Cyber Security

DevSecOps at Enterprise level? Raising her eyes from her phone for a moment and putting it down on the sofa in a way which indicated I had interrupted some important reading, she delivered the killer line: “What about the people who don’t understand it? It’s quite complicated to understand all the processes and that’s a very specific set of skills for red and blue teams. It’s going to be prohibitively expensive to run that against all your IT. If you have controls in place, there’s a point at which it won’t get any worse.” This is the important point about controls and this method of looking at risk: controls are there as a backstop, think of them as the ground troops. Risk management is your sniper, and should be quick and agile like one. At the moment we are using teams of snipers in hand to hand combat. We end up trying to understand why it’s so expensive and we’re not getting the results we want. This is not agile or cost effective. One of the things CSF will not do, is tell you whether you are compliant, and as someone who is comfortable in a “Cyber” environment that’s why I like it. It will tell you that you are performing all the right tasks, but not whether they are correctly implemented. You have to rely on professionalism, which I think is a good thing. The larger an organisation, however, the more detail is required to support that professionalism – a layer underneath CSF to define the requirements, to meet the processes, maintains a baseline of understanding. It is important to note that these are technical controls though, not business controls. I strongly believe that this is all a control set should be used for – to inform the technical implementers, not to drive them into ever decreasing circles of compliance hell. The business should be using business language for agile risk management, not technical language. Time and again I have seen this poorly implemented, and we end up with hundreds or even thousands of technical controls, mapped against hundreds of risks, and ending up with no signal remaining in the noise. Then people say that risk management doesn’t work, and return to reporting on controls, because it makes more sense. And we wonder why IT environments aren’t maturing, or worse, are being breached. It can be a soul-destroying process to prove compliance to a control set, and ultimately it doesn’t give you any additional security, just a tick in the box. Ask Sony. Ask TalkTalk. Integrating Cyber and Risk Management Anyone who has practiced risk management with the technical risk management methodologies: IRAM2, IS1/2 or NIST’s own RMF, will know how complex things can get very quickly. The problem is, the more vulnerabilities and threats, the more risks you see, so the more controls you need, and the more these calculations multiply, up into an unmanageable mess. Prioritising any of it needs a spreadsheet or database and at that point you know you’ve lost the interest of the majority, let alone the board. If you assume your probability of being breached is 1, i.e. a certainty, and set about fixing every process as well as you can, the only risk calculation you need to do is when to stop spending money, a cost/benefit analysis to set your departmental budget for the year. This is far more useful

to any board, than a visualisation of missing controls or a statement of technical compliance, based on ticking boxes. The logical endpoint for this is risk, as the lack of a function or process. Instead of multiplying controls and threats and risks, you could choose how detailed your endpoint is when you start. The gap analysis required to show these risks is quick and layered with CSF. If you know a process exists, then move on to the next. This is impractical to do at the functions layer – but looking at the categories gives a quick idea of where you might have issues, for more detail move down to the sub-categories. Risk Reporting Reporting on that risk is simplified with CSF too. The functions are blocks that most people within the business can understand. If your board is not ready to hear the full set of functions, start with the all-encompassing top level of “cyber Incident” as your risk. Any board will understand they are at risk of a cyber incident, even if they have their heads in the sand. I chair a local Scout committee, and even at this size of operation, they are very aware of this (although this is possibly because their Chairman is a security consultant). Certainly, as a CISO moving into a new business or consultant on a new client engagement, asking 23 questions relating to these processes for the scope you are responsible for maintaining, can give you valuable insight into where you need to focus efforts for deeper diving. The classic 6 days, 6 weeks, 6 months detail that new CISOs are expected to give back fits nicely with CSF’s view of the world. In 6 days you can comfortably report back on the 23 categories and indicate where you are going to focus. You can do this in terms of the functions or the categories themselves. In 6 weeks you can dig deeper into the detail of the sub-categories and give a more granular view, prioritising the areas that need the most attention, leaving you free to mobilise a programme of work around the findings and start work on your Target Operating Model (TOM). Integrating Cyber and Governance Even if controls are incredibly strong, weak governance will kill a compliance process, and make risk hard to manage. If governance is good, controls can be terrible and “control” will still be OK. If hierarchy follows processes and everyone owns the right part of the process, the implication is that we could give up on controls. When people don’t understand them, like my wife hypothesised, the governance in place would cater for that, educate them and improve the whole organisation. What is CSF if not a ready-made TOM? The level of detail roughly mimics the responsibility levels you would find in an organisational structure. Under the CISO in a global enterprise, the functions would typically have a Director responsible - Director of GRC (Identify), Director of Technical Security (Protect), Director of Security Operations (Detect & Respond), Director of Business Continuity (Recover). Then at category level you will typically find heads of department (Head of Risk, Head of Governance, etc.) and finally at the subcategory level you will find management

Asia Pacific Security Magazine | 41

Cyber Security

roles – tasks that need carrying out. I said previously that subcategories sound like business controls. In fact, all of the processes within CSF could in fact be called controls, and the people aligned to them are the owners that set the governance structure. The controls are ultimately operated by staff who can use the chosen control set to maintain compliance. This gives a really neat view of governance without it getting technical. So, where does all of this leave us? I feel like I’ve been tearing down the walls and for the sake of my own sanity and yours, I should start to rebuild them. Before I do, let me recap on where the pieces currently lie: 1. InfoSec and cyber are the same thing, just at different points in time. 2. Both are just a set of processes. 3. Processes with testing are better than individual siloed controls with metrics and measurements. 4. Risk management is pointless, it’s going to happen anyway so spend time and money fixing the processes the best you can. 5. To manage it all, build your environment in line with the processes. InfoSec and cyber are the same thing, the processes of cyber are just an evolution of the controls in InfoSec. That doesn’t mean they ARE controls, not in the technical sense at least, but they control the level of the organisation they are intended for, to the intended level. This still means that complex control sets are wasteful, but they serve a time-honoured purpose. I am not an expert in every area of security, despite 20 years in the industry. I have focused on consultancy and due diligence, so have a pretty good idea of my way around GRC, strategy and architecture, but also some fairly in-depth roadmap ideas for incident detection, engineering experience in key management and implementation of 2-factor authentication from various points in my career. One area I don’t have all the answers to, is response planning. I was asked recently to address a requirement for an incident response plan, as part of overall business resilience and I found myself in the unfamiliar territory of not knowing where to start or worse, for me, what to say. I turned to my old friend CSF, and it told me to start by preparing a response plan. I asked it ‘where I should look’ and it directed me to a multitude of control sets, each with more detail than the next. And there I stood, the scales fallen from my eyes, fully informed about how I would go about my task, from initial principles to comms plans and ownership. The thing is, I’ve read all of those controls before. I literally have every major and a few minor control sets ever written, in storage on my home network. I’ve worked closely with response teams in corporate environments and watched them write these plans. But they’ve never been my responsibility, so I haven’t committed them to memory. So, I shouldn’t be surprised perhaps that people who aren’t working in risk management every day need reminding of how it works, or that IT guys don’t understand the precise level of detail we need for our asset management system. What this does show, is that we are maturing. We are

42 | Asia Pacific Security Magazine

showing layers of process that mimic our business, and we’re pretty close to nailing it. As security departments continue to evolve, no doubt the layers will spread out further, and no doubt we’ll call it something else (can I be the first to suggest Amoeba Security – no it doesn’t make sense, but neither does cyber and we’re all saying that). I believe there are 2 more important steps to be made. One that I am already seeing happen, encouragingly, is CISO’s reporting into boards. It used to be that CISOs reported to CIOs and received minute fractions of their budget, whilst directly opposing their business model (I talk about this in my book – to be released in August if you are interested in reading more), the reporting lines then changed, often quite quickly to COO or CRO, where a level of challenge to the IT organisation could be maintained. I still like the CRO reporting line, as it happens, but security governance HAS to be done correctly or this does not work. I like it because I also like making sure that governance IS correct, but I digress. CISOs are now reporting directly to CEOs, presenting to whole boards, discussing findings with NEDs. I am currently studying for a Non-Executive Director Diploma with the Financial Times, and can see that this is an area that is about to expand rapidly. Cyber is now a board agenda item, it’s an enterprise risk (a thing I have learnt from my course - it was number 9 of Carillion’s top 10 risks), and an operational risk. The other important step is for risk to be reported appropriately at ALL levels. This requires good governance, but also the splitting out of controls into levels that align with the organisation. What this does is give the ability to talk about the RIGHT risks to the right level of people, the people with the correct level of ownership, and leave the lower level detail to the people who have the focus on that area, right down to the technical controls. What you don’t want to end up with is technical controls in enterprise or operational management systems, that breaks the model. This is what NIST have reflected in their simple, superb, simply superb and superbly simple CSF Core. The CSF Profile allows gap analysis, akin to risk identification, and the Implementation Tiers set the way you manage those risks. It’s just like infoSec used to be, but this time it’s cyber.

RISK MANAGEMENT INSTITUTE OF AUSTRALASIA

Corporate Tables

$850

10 Registrations at an exclusive rate!

Mitigating Brand and Corporate Risk Through the Supply Chain How Does One of the Biggest Retail Brands in the World Manage One of the Hottest Human Rights Issues on the Planet Right Now? Learn how Target USA manages reputational risk vs. compliance and human rights across 30 different countries. Irene will draw on her experiences as the Senior Group manager of Corporate Risk and Responsibility to address the concerns of human rights and compliance. Along with giving insights into how this successful business has managed to grow their brand and product whilst navigating the complexities of reputational risks during the sourcing of products globally. 'I value integrity, ingenuity, and risk-taking. Integrity is nonnegotiable and is the foundation for earning trust. My proudest achievements have come from tackling uncharted waters, so I get a lot of energy from those who seek out and embrace change.'– Irene Quarshie. VP, Quality & Compliance, Target USA Be enlightened by Irene’s experiences along with how she views the evolution of the risk industry. All of this knowledge & involvement has lead Irene to her current role as Target’s VP of Global Supply Chain and Logistics. Call 02 9095 2500 now or register online at rmia.org.au to ensure you book your place at the most entertaining risky events in 2018!

Pricing

Single Tickets - $95 Corporate Tables of 10 - $850

Sydney Date: Friday 24 August Time: 8:00am - 10:00am Location: The Westin Sydney

Brisbane Date: Thursday 23 August Time: 12:00pm - 2:30pm Location: Customs House Brisbane

Melbourne Date: Wednesday 22 August Time: 12:00pm - 2:30pm Location: Soﬁtel Melbourne On Collins

For Corporate Tables, please email us at events@rmia.org.au

Cyber Security

The AV system done it

What insecure technology is lurking on your networks?

By Simon Pollak

44 | Australian Security Magazine

perational Technology. It turns lights on and off, heats and cools our buildings, and controls our conference rooms. It sits there innocuously ticking away year on year, rarely given more than a passing thought at best. When was the last time you took a close look at the operational technology connected to your network? What risks does your OT carry that your environment may be exposed to? For the purpose of this article, I'm only going to consider OT in mixed use environments with SCADA systems, plant and production systems, and pure OT environments having different challenges and control requirements. Historically, and in many modern organisations, IT and OT fall under differing management regimes that often have little interaction with one another. AV may be managed by a subset of IT, but is often ignored when setting security policies. As these systems increasingly connect to a common network, this can result in both systems exposing the other to risk. Whilst awareness is increasing, too many people regard OT as dumb devices that donâ&#x20AC;&#x2122;t pose a security risk. It is

critical to bear in mind that at some level, all of the connected OT equipment is a computer and must be treated as such. Many AV and smart home systems run a web server to provide the user interface on both native devices as well as from a browser. These web servers may be readily accessible and the code readily modified with little if any security controls. In the IT world, the idea of putting an unsecured web server inside our environment is almost unimaginable, yet we risk do so in connecting some control systems. To add insult to injury, some of these systems require active X or admin privileges for them to function properly. Many of these systems were designed to operate in an analogue environment, typically using serial connections with simple, published protocols for communication. The transition to IP was typically the addition of a Network Interface and the same simple protocol being transmitted over IP. I'm sure there are some of you thinking "so what if my air conditioning traffic isn't encrypted." What happens when it's your UPS, your CCTV system, or even your video conferencing system?

Cyber Security

Whilst awareness is increasing, too many people regard OT as dumb devices that don’t pose a security risk. It is critical to bear in mind that at some level, all of the connected OT equipment is a computer and must be treated as such. OT frequently ships with minimal if any security configuration enabled tending to favour availability and ease of setup over security. CCTV cameras frequently permit viewing without requiring any credentials, sometimes even presenting as uPnP devices on the network. What would happen if someone could control your video conferencing system when a board meeting was taking place, or used your security cameras to observe people typing credentials into their computers? Why would someone want to attack OT Whilst attacks on OT remain relatively uncommon, they are on the rise. One of the reasons they have experienced less attacks may be the difficulty in monetising such an attack. As criminals come up with new and innovative ways to gain benefit from attacking OT, this is likely to change. OT as the attack victim: For various reasons, an attacker may want to attack the OT environment directly – this could be using CCTV cameras to carry out reconnaissance, compromising a security system in order to facilitate a physical attack, or just messing with stuff for the LOLZ. Stuxnet showed us the sort of real world damage that an attack on Operational Technology can cause. OT as the easiest way to attack the IT: If your IT environment is well defended, the OT environment may provide a soft target from which an attacker can pivot into the IT environment. With traffic from OT systems already being different than is typically seen on an IT network, such an attack may be difficult to detect. OT as a source of free computing power: Mirai, and its variants demonstrated how an enterprising criminal could easily harness great numbers of low cost, low hygiene devices as a source of free computing to carry out one of the largest recorded denial of services attacks. OT as collateral damage: Most people who have carried out any sort of penetration testing on OT will have experienced the relative ease with which operational technology can be made to crash. During the middle of the winter, a cyber attack on a building services company in Finland, the central heating systems in two apartment blocks were “bricked” for almost a week. The long war. Unlike IT, which has relatively short service lives, mature

update and patch management processes, and marked generational improvements; OT tends to be difficult to update, offer limited upgrade benefit, and remain in service for a very long time. Mechanisms to update firmware on OT devices are typically manual, and carry a very real risk of "bricking" the device. It’s not just old OT that presents these challenges, a lot of newer OT either has poor security mechanisms, or connects to legacy systems with poor security. All of this makes security management of OT challenging at best. So how do we secure our operational technology? Securing OT is unarguably challenging, but increasingly important both for the protection of the OT as well as for the protection of the IT environments to which they are connected. The increasing publicity around and frequency of attacks on critical infrastructure, OT, and IoT all increase the likelihood of these systems being attacked. The key aspects of securing OT are the same as securing any other environment. - Understand your threats and your vulnerabilities. - Perform vulnerability assessments of your OT - identify exposed ports and services. - Evaluate the threats and vulnerabilities against your risk appetite - consider what an attacker could do if they gained control of your OT - Patch the unacceptable vulnerabilities that you can - Deploy controls to mitigate those that you can't. - Implement an appropriate set of security controls - Put your OT onto a segregated network. - Establish a process to keep systems updated - Address Identity and Access Management - Monitor the environment for anomalous behaviour - Repeat the process Will we ever win the OT cyber security battle? There are companies out there doing great stuff in moving OT Cyber Security forward, but I'm not sure that the trying to apply IT security solutions to OT is the right answer. It may be, but there are many inconsistencies. Until such time as security becomes a key differentiator when selecting operational technology, the proliferation of poorly secured OT will continue, and even once it does, their long life cycles means that it will be many years before these devices are out of our environments. The views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies or any organisation or entity. About the Author Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Asia Pacific Security Magazine | 45

Cyber Security

Digital Forensics 101: A Career Path to Consider

I By Annu Singh

46 | Asia Pacific Security Magazine

am an ardent fan of The X-Files and have always been in awe of detective Dana Scully. I was delighted to recently read an article on a study done by the Geena Davis Institute on Gender in Media, where the researchers found a correlation between women who were familiar with, or fans of, The X-Files and its influence on their career choices. As the study says, 50% of women who watched The X-Files opted for a career in STEM, including getting into forensics. Similarly, other TV dramas such as CSI, NCIS and Bones have all played a role in bringing forensics to the fore as a career choice, by uplifting the image from scientific backwaters to a more glamorous and exciting job. In each of these shows, the sub discipline of digital forensics also plays its part, so weâ&#x20AC;&#x2122;ve also seen an increase in the number of females entering DFIR careers (digital forensics and incident response). I decided to take a closer look at the enchanting world of digital forensics, to see if it really is as dramatic as its portrayed in the media and crime thrillers. The reality s that digital forensics is the application of forensic science principles to the artefacts we all create through interactions with technology, such as computers, mobile phones, websites and even GPS devices and smart devices. The Digital Forensic Research Workshop (DFRWS) defines digital forensics as: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

It is important to understand that the term forensic science brings two aspects together; the science component that refers to the scientific method, along with its application to a specific investigation. Universality and repeatability are two key features of a scientific method i.e. if an exercise is carried out properly, it is possible to predict what will happen for all activities within that range of the phenomenon â&#x20AC;&#x201C; and anyone else will be able to do the same. The forensic element refers to how courts make their decisions and how evidence will be interpreted, as per rules of law. In TV crime stories, we often see investigators arriving at the crime scene, taking photographs, scribbling a few notes, collecting evidence in Ziploc bags, then within a few television seconds, they hack into the perpetratorâ&#x20AC;&#x2122;s computer. Almost always in the following scene they have conclusive results. But how realistic is this? How exaggerated are the outcomes, especially on speed, effectiveness and scope of the digital forensics expertise, compared with real-life digital forensics? Formally, the digital forensic process is a systematic and relatively tedious one, consisting of five steps. Investigations start with Identification of sources of evidence or information (devices) that would be relevant to the case, looking at who the information holders might be and where their data is located. In the second step, the focus is on the preservation of electronically stored information (ESI) by protection of the crime scene. Forensic investigators capture photographs of the scene and document relevant information about the evidence, including notes on its acquisition. The third step is the collection of digital information relevant to the investigation, such as taking the electronic device(s) into custody and replicating their content using forensically

Cyber Security

sound methods: copying, imaging, printing out, etc. In-depth methodical search and collection of evidence is followed by thorough analysis of collaterals like data objects, system and user-generated files and logs relating to the incident. The final step in the process is drafting of the legal report based on proven techniques and methods, so that the same results can be reproduced by other forensic examiners. The first four steps are accompanied by contemporaneous note-taking to support what the forensic examiner has done. Digital forensic experts are trained in a multitude of cyber security processes too, including client-server networking, virtualization, network traffic analysis, Internet intelligence, network intrusion and response, retrieving information from registry files, recovering deleted files and their metadata, email recovery, instant messaging forensics, electronic discovery (called eDiscovery), reverse engineering malware and threat actor analysis. In addition to learning how to collect evidence, they know how to triage and document the scene, process and manage cases, and they are required to stay abreast of emerging technologies, such as cloud, AI, big data, mobile, IoT and keep up to date with the latest tools. In real life, we all know about the story when the FBI approached Apple to help unlock an iPhone 5C that was recovered from one of the San Bernardino shooters. The shooters killed 14 people and injured 22 in this mass killing, which you can read more about here: December 2015 terrorist attack in San Bernardino, California. Apple declined the request, but later the FBI (engaging a third party) accessed the phone anyway and recovered the shooter’s information. These are all activities associated with the role of digital forensics examiner, and this story shows how political and legally aligned the role of an examiner is in the modern world. Law enforcement agencies all have cybercrime divisions (or at least teams) who assist detectives in almost every criminal investigation they undertake, but especially in the more insidious crimes of online child exploitation and distribution of illegal material. Digital forensics has a vast scope and is subdivided into many specializations, such as: 1. Computer Forensics – the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops and storage media in support of investigations and legal proceedings. 2. Network Forensics – the monitoring, capture, storing and analysis of network activities or events to discover the source of security attacks, intrusions or other problem incidents, i.e. worms, virus or malware attacks, abnormal network traffic and security breaches. 3. Mobile Devices Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles. 4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history. Drone forensics is an emerging field now. 5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.

6. Memory Forensics – the recovery of evidence from the RAM of a running computer, also called live acquisition. *(Source: The Open University – Digital Forensics course) Digital forensics has emerged from traditional forensic science as technology-specific forensics processes. Until the late 1990s digital forensics was called computer forensics, but as the field matured, experts felt the need for standards, procedures and protocols. With the rise in cyber warfare, information security could no longer be left to chance by economic or national security establishments and ISO27001 was universally adopted the world over. Building on this standard, some digital forensics standards have emerged: • ISO/ IEC 27037:2012: Guidelines for identification, collection, acquisition and preservation of digital evidence. • ISO/ IEC 27041: Assurance for digital evidence investigation methods. • ISO/ IEC 27042: Guidelines for the analysis and interpretation of digital evidence. • ISO/ IEC 27043: Incident investigation principles and processes. Dr. Edmund Locard, a pioneer in forensic science, stated, ‘Wherever two surfaces come into contact, a transfer of minutiae, however slight, occurs.’ In simple terms, there is always a silent witness – evidence – left behind in the activity. In any scenario, when we browse a website, we leave some trace in a logfile of the web server, including our IP address and the time we accessed it. As most routers don’t store details of the packets passing through them, traces can be momentary, and it is typically metadata rather than actual data, but this is still useful in an investigation. As technology evolves, cyber criminals become more sophisticated in covering their trail, upping the ante for digital forensics investigators. An independent study by Bromium® shows how cybercrime is evolving into a criminality platform and has resulted in a $1.5 Trillion market of illicit revenues. This report highlights how good the cyber criminals have become in “productizing malware making cybercrime as easy as shopping online.” Use of digital forensics is not limited to Law enforcement agencies. It is also used extensively by business cyber security teams to safeguard their interests from cyberattacks. These teams proactively maintain, manage and monitor the inventory of desktops, mobile devices, servers, virtual machines, network, storage appliances, operation technology and IoT devices; and they draft and enact remediation plans, operational hygiene measures and implement security controls. As more business go through digital transformation and IoT pervades our lives, data becomes the modern-day currency. Digital forensics is thus becoming a component of everything we do, and no two days are the same for these experts. If you are detail oriented, meticulous in your approach to your work, have patience to trawl through piles of artifacts, and be prepared for the smoke rather than the fire we see in the TV shows, then digital forensics may be the career for you. In fact, if you work hard, there is no reason why you can’t be the next Dana Scully or Abigail Sciuto.

Asia Pacific Security Magazine | 47

Cyber Security

Encryption headaches By Joseph Wentzel

48 | Asia Pacific Security Magazine

arly Last week I was reminded of the headaches that can be encountered with encryption. A site we are dependent on has installed a revoked certificate and our policy has no wiggle room on whether we can still connect. People who are supposed to know better have a certificate that has expired, so instead of going out and getting a new one, they find they have an old one laying around (the fact it was revoked and already expired not withstanding) and go ahead and install it as a cost savings measure. After I get done shaking my head in disbelief and wondering who could have thought such an act was actually a good idea, I begin to wonder about our users. Our poor personnel that have to connect to the site to manage specific items are now barred from doing so, by best practice. They don’t understand this. All they see is that we no longer allow them to do their job. A quick explanation that it is on the provider’s site does little to help. They still want me to supply a solution. An email conversation between myself, our staff and the provider lead to three possible solutions: 1) Install a new certificate – the ideal solution. 2) Reinstall the expired, but not revoked certificate as we can work with it – a poor solution. 3) Remove SSL/TLS from the equation – another poor solution. Not much in the way of solutions and with poor staff that don’t really understand. These are not technically illiterate people. They understand the reasons for security. They just

aren’t in our field and don’t understand the specifics. If reasonable people that enjoy the benefits of IT every day and manage devices through the use of technology have problems with this, then what about the average consumer? It wasn’t that long ago, I remember the banking industry being responsible and warning people to only use their sites and online shopping sites that were secure. They went into enough detail that people should expect to see a lock or key and that the URL (or is it URI now) would have HTTPS instead of HTTP. What a pleasant change and a remarkable show of helping people to remain financially secure. After several months of these ads and seeing positive action from the user community, I was ready to publicly thank the banking industry for the service. However, this was short lived. Not long after the ads ended, several banks decided to improve their web performance and insert secure i-Frames into standard HTTP pages. Yes, the data would be secure, but the average user had no way of knowing this. In effect, an epic fail for the industry’s education of the public. It isn’t just horrendous practices as above, but also how often we deprecate services and our widespread reaction to those deprecations, that confuses users. There was a time when WEP was considered the way to go. Keep us as safe wireless as we are when wired (are we ever really safe when wired?) Users accepted this security measure. It was easier than MAC filtering and so much better. Everything was copacetic in the world.

Cyber Security

WEPCrack rocked our world and bought out the pundits. Overnight users learned that WEP was useless. In fact, using it was more dangerous than not. It didn’t even rise to the level of a placebo. Better to use nothing than to take the risk of using it. Yes, our fine security writers gave this advice. Luckily, reason finally won out and we were able to recommend WPA and a few users followed this. Then it was broken, but thankfully our industry remained quiet instead of fear mongering. Finally, we had WPA2 and could heartily recommend it to users. Everything before it was too risky, but this is good. It didn’t matter that their devices didn’t support it. Our esteemed colleagues even went so far as to recommend WPA2-Enterprise for home users. Where they were to get certificates went unsaid. Most devices still only supported WEP or WPA and we punted instead of giving decent advice. We should have warned of the risks of deprecated protocols, but still recommended WPA. For the parents that got their kids a Nintendo DSi for Christmas, what were they to do? This device didn’t support WPA2 until a firmware upgrade came out a short time later. Well on the consumer side it seems security has plateaued for a while. They are now using WPA2-PSK and are happy. We use WPA2-Enterprise in industry (sometimes PSK). What could be better? Well if you’ve read this far you can probably guess the answer. We now have WPA3, as WPA2 was subject to KRACK. What do you think we will tell the consumer industry? You can’t even buy WPA3 devices yet, but users had better be prepared to shell out hundreds if not thousands to keep themselves safe. What a sad and sorry state we have created for those that are not cyber-security specialists. There is no security they can implement to keep themselves safe. Can’t count on SSL, it is just too weak, and we haven’t explained how to successfully move over to TLS (even with industry professionals it is missing), our wireless is a ticking time bomb waiting to let us be exploited. We can encrypt our hard drives, but we might lose the key and lose everything. Nothing we recommend is ever a serious recommendation for more than a few months and then is summarily dismissed. As if all this wasn’t bad enough, our poor users are being abused or put at risk by the very services we have tacitly given the impression of safety to. We allow Facebook and others into our corporate networks. Many organisations encourage their employees to have accounts and then to like their company online (maybe a little social engineering at play). If it can be trusted by us, then it must be safe… Didn’t Zuckerberg just issue an apology over the lack of security and privacy? We are a mature industry that acts like a bunch of impetuous children, jumping from one thing to the next and causing confusion and disorder in our wake. This is unethical! Maybe it is time for the big players and government watchdogs to stand up and create a proper users’ forum. A place that can give good advice and recommendations. A simple basic flowchart to protect our systems. A pseudo-code example like this: If your wireless access point and devices support WPA3 then use it. Else Implement WPA2-PSK (this is a bit weaker but still strong – create a future path to WPA3).

"Our poor personnel that have to connect to the site to manage specific items are now barred from doing so, by best practice. They don’t understand this. All they see is that we no longer allow them to do their job. A quick explanation that it is on the provider’s site does little to help. They still want me to supply a solution.” Else Implement WPA (limit confidential information and work on a path to WPA3). Else Implement WEP with MAC filtering (avoid all confidential material and seek to upgrade quickly). Else Settle for WEP or MAC filtering (realize that your data can be easily compromised). Else Open Wi-Fi (with absolutely no expectation of privacy and extreme risk). Or, when connecting to a shopping website use TLS, if TLS is not available, then SSL should be acceptable (slight increased risk). If SSL is not available, then you should assume that anything entered on the website can be read by others and is not safe for transmission. This is however acceptable for most sites that are informational only and don’t require any information from you. This site should have definitional information and guidelines on how to configure devices (vendors should be encouraged to upload documentation for their devices). General security guidelines are a must. Fear mongering, however, should be avoided as it is counter-productive. Now I know I write this I’m thinking, “Doesn’t NIST do this already?” Well to some extent, but I can’t imagine a lay person being able to understand their recommendations and even begin to implement them. I can’t imagine most of my colleagues being able to fully discern how much of NIST’s guidelines should be implemented without removing the very reason for their network. Our friends in Canberra and DC, Redmond and Silicon Valley have the resources (plus being on the site is effective marketing and should offset costs) and moral responsibility to do this. No company should be required to post to this site, but the onus is on them. Would you really want to purchase a device that the vendor didn’t give security advice towards? Well enough griping. I just came out of a meeting between my staff members and the provider mentioned at the beginning of this article. It turns out the provider has a new portal for the management of devices that their techs were unaware of, and that they forgot to inform the users of. This fixes the issue and everyone can now do their job, but I’m still scratching my head wondering why they installed a revoked and expired certificate on the other system (which is technically still in use). Well this isn’t my problem any longer, but the lack of information to the users just highlights their need to be able to access relevant information in a timely manner from a trusted source. If the big players get serious, I’m more than happy to help out in the endeavour, but somehow I think we’ll be waiting for WPA4 first.

Asia Pacific Security Magazine | 49

Cyber Security

Murray Street Mall - Perth, Western Australia

The state of the security union By Joseph Wentzel

50 | Asia Pacific Security Magazine

s I look back over the years, one thing stands out. Sales people selling things people don’t need or can’t afford. It hasn’t just been the fear of having your wife run down by a huge lorry as her 3.5 litre six-cylinder car wouldn’t accelerate as fast as a V8 or being hopelessly antiquated with last year’s model of something. It is the fear of not being secure. Hackers in our PCs that will destroy everything that we have. We have all heard the security fears, in nearly every aspect of our lives. We give in to it. Why else would we all be taking off our shoes when we fly to or from the United States? As I write this the Murray Street Mall in Perth, Australia, is closed down by police due to a suspicious package. Some of these security concerns are very real. Some of them will probably end up being a backpack left behind. Not too long ago, I was doing a bit of shopping in either a Circuit City or Best Buy (this was in America, but you can pretend it was Harvey Norman or JB HiFi). I couldn’t help overhearing a lady purchasing a laptop for her teenage son to do school work on. There was a great special on one with very decent specs for the time and costing about $400 ($475AUD). Of course the salesperson was very helpful, but also fear mongering. She would need anti-virus, as there is just so much malware on the Internet, Anti-spyware to keep snoops from reading her financial data over the web, a personal firewall to keep her home safe from bad guys entering over her cable connection and so on. To be fair, she did need protection, but was this really right? Did she have to spend an extra $200 to allow a laptop to be safely used? Did she really need to pony up another $200 or so for MS Office? This simple $400 computer was going to set her back over $800. A used car salesman would be green with envy. Most modern operating systems come with anti-virus/ anti-spyware. While many 3rd party ones are arguably better, are they worth the cost to the average home user? Probably

not. Her NAT router (supplied by her cableTV company would probably be strong enough that she wouldn’t need a separate firewall (and if she does, there is also one in MS Windows). As for Office, this is a bit more debateable. There are many free office products (OpenOffice, LibreOffice and others), but there are also reduced priced versions of MS Office (Home and Student), the student version of Office might even be free from the child’s school. I haven’t exactly painted the salesperson in a very good light, but they really didn’t deserve to look good. Unfortunately, we probably deserve much of the same criticism. I’ve been in this field 35 years and find myself doing much the same (but luckily I catch myself doing it nowadays) Users seek us out for advice. That computer might as well be a magic box to many of them. Do we really give them advice based on what they need, or what we like? How often do we recommend Linux to a relative novice (I like Linux, but is it really appropriate for someone who has a hard time logging into a Windows PC at work), or suggest a 4-500 dollar wireless router with enough antennas it could almost be a work of surrealistic art, just to allow them to jump onto their new 25Mb NBN connection (one of the lowest fibre rates here in AU). All of this is reasonable to us as we saved them $50-$80 on the price of the O/S, they didn’t need a Cisco AP with a Wireless LAN Controller, so there is another grand or two saved. LibreOffice saved them $50 over MS Office, so we really have their best interests in mind. Our recommendation of a major AV manufactured seems quite reasonable (although risky) compared to their not having a proper Threat Management System. I think back to my Dad. He could barely work the TV remote, but wanted to be able to email and look at Facebook. His friends at the VFW (American version of the RSL) were all online. What is the right solution for him?

Cyber Security

An old laptop or PC that I had, made the most sense (reimaged of course). By today’s standards it would be a Celeron 3450, with 4GB of RAM. The built-in AV would be sufficient, or maybe a free 3rd party. The router that came with his Internet connection provided plenty of additional security with NAT. I splurged and got Office Home edition, so he would have Outlook and Word. Although some of the free choices would have worked (for someone used to using Office at work, I would have felt that MS Office was an essential choice). My greatest fear was social engineering, and software will only do so much to stop this. A little training and education was needed. Now I didn’t need wireless for him, but what would have been appropriate had the situation been different? WEP was a bad choice then and still is now. WPA would probably have been acceptable (yes, it really would have been) as it would have provided adequate protection based on the value of the data. However, as there was no cost difference and no meaningful increase in difficulty of using WPA2, that is the way I went (additional security without cost or loss of functionality is a good thing). We now know of new problems with WPA2, would it still be acceptable today or do we have to buy things that support WPA3? To go with WPA3 we would probably have to upgrade the products and make the system cost prohibitive. We don’t need to use WPA2-enterprise either as the use of certificates would be too hard for him to manage if there was a problem. In dealing with users that ask us for advice, keep their situation in mind, not what you (or I) want. Do they need

an i7-8770 or a simple Celeron 3450? Do they need 4GB or 16GB? General business graphics or 120fps @ 4K for a great first person shooter? Are the built-in tools (or alternatively free one) acceptable or will you need to recommend something greater? What productivity options do they need? What speed Internet? Do they even need a computer? Seriously a tablet may be a better choice for consumption of media if they don’t produce themselves. Security needs to be measured against the functionality and price. What I use in the enterprise is barely adequate in my view, but would be dramatic overkill for nearly any home user or small business. What I use at home exceeds most small to mid-sized businesses, but I also manage it myself. What I’m going to recommend to a mom, so her child can do their homework and hop on the web is going to cost far less. That $400 laptop should be able to do everything she needed it to do. At worst a little more money for Office – Student edition. As I close this article, the Murray Street Mall has reopened. Not sure what it was (probably a back pack left behind), but I’m reminded that as much as we worry about security, we also live in the safest time in human history. Fear mongers have us terrified and acting irrationally, but we in the security industry should know better. It isn’t what we want to believe, but that the facts that matter. Security is important and should be exercised by everyone, but there is an appropriate level. Causing undue fear is unethical, doing nothing is unethical. As security specialists we are the shepherds of our users. We need to help keep them safe in a reasonable and cost-effective manner.

Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

BUSINESS

ACADEMIA

LAW ENFORCEMENT

REGULATION

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to: Connecting members across intelligence communities and encouraging cross-domain collaboration

Supporting and representing intelligence professionals throughout their career lifetime

Sharing cutting edge and emerging global intelligence practices and enabling technologies

Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au

Asia Pacific Security Magazine | 51

Cyber Security International Security Expo 2018 evening reception, Terrace Pavilion, House of Commons, Westminster, London, UK. Photo Credit: International Security Expo 2018

Everything has relevance but not everyone sees it A Cyber Week in London PART I

By Jane Lo ASM Correspondent

“Data drives all we do”, the British data analytics firm Cambridge Analytica at the center of controversy in the United States and United Kingdom announced on its website

ut just weeks ahead of the new European

the opening Chapter of GDPR states that the rules

Data Protection law set to come into effect

relate to “the protection of natural persons with

on 25th May 2018, its parent SCL Elections

regard to the processing of personal data and rules

How did EU and UK Data Privacy and Protection

relating to the free movement of personal data.”

laws come about?

What is Personal Data?

“When we speak about social media, apps and the

Ltd. and Cambridge Analytica filed applications to

extent such information is communicated to others.

commence insolvency proceedings, following wide spread media reports that it harvested personal data about Facebook users as far back as in 2014.

digital economy, it’s easy to forget the world that the

“The siege of media coverage has driven

“Personal data means any information relating to

UK’s current Data Protection Act was forged in. No

away virtually all of the Company's customers and

an identified or identifiable natural person (‘data

Google. No Facebook. Clunky desktop computers

suppliers," the firm said in the statement. "As a

subject’); an identifiable natural person is one who

with less processing power than we all have now in

result, it has been determined that it is no longer

can be identified, directly or indirectly, in particular

our pockets and purses.”

viable to continue operating the business, which left

by reference to an identifier such as a name, an

Cambridge Analytica with no realistic alternative to

identification number, location data, an online

placing the Company into administration."

identifier or to one or more factors specific to the

at the National Association of Data Protection

physical, physiological, genetic, mental, economic,

and Freedom of Information Officers (NADPO)

Heavily embroiled in the scandal and determined to win back trust, Facebook said in full-page ads in European newspapers, "New EU

cultural or social identity of that natural person.” - GDPR Article 4, Para 1 – Definitions.

– UK ICO (Information Commissioner’s Office) Elizabeth Denham's keynote speech

Annual Conference on 21 November 2016, ‘127 days in the job and preparing for GDPR’

legislation means more data protection for you." The new EU legislation is the General Data Protection Regulation, or GDPR in short. What is GDPR, why does Data Protection

Common personal data such as Race, Age, Gender

With the appearance of mainframe computers

come immediately to mind.

which facilitated data banks in the 1960s, the

Under this definition, data that are increasingly

collection and processing of personal data became

matter, and what are the implications for Singapore?

part of our daily digital lives such as biometrics,

widespread. Concerns were raised: who had the

To answer these questions, we spent a week in

personal location, digital images, personal device

right to access the information; how was it kept

London, speaking with Security professionals with

ID’s, posts on social media sites, user login

accurately and being disseminated; could it be used

extensive experience in the European private and

credentials are also considered personal data. Data

to discriminate?

public sectors, and Cyber specialists from the OSP

that had been anonymized or pseudonymized are

Cyber Academy.

considered personal data if the techniques allow

these concerns, prompting need for consistent

identification of the individuals to whom it relates.

standards to allow individuals to exercise control

Day 1 - 30th April – An introduction to GDPR Comprising of 99 articles codifying data protection,

52 | Asia Pacific Security Magazine

Different jurisdictional treatment exacerbated

Data protection of personal data refers to the

over their personal information, while allowing

ability of a person to control, edit, manage and delete

information flow to support international trade.

these information, and to decide how and to what

Richard Preece, formerly British Army General Staff Officer; Exercise Director of the first national and international cyber crime exercises on behalf of the National Crime Agency; Co-opted panel member of the new British Standard Cyber Risk and Resilience- Guidance for Boards and Executive Management; currently co-opted to the British Standards Institute Governance Standard committee. Photo Credit: OSP Cyber Academy

Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU (even those located outside the EU) and applies from 25th May 2018 onwards. Photo credit: St Albans Anglican.org

UK 1998 Act also makes it illegal for data transfer to countries that do not have appropriate data protection laws. The EU Data Protection law itself went through significant update with the GDPR, the first major

As UK is not yet out of EU on 25th May 2018,

since its 1995 Directive.

Secretary of State, is that, UK businesses, like businesses in any other EU Member State, will need to comply with GDPR.

of consent, and significantly larger fines (up to €20

The Queen’s Speech to Parliament on 21st

million, or 4% of the worldwide annual revenue of

June 2017 confirmed the implementation of the EU

the prior financial year, whichever is higher).

GDPR into UK national law: “A new law will ensure

Proposed in 2012, approved by the EU

that the United Kingdom retains its world-class

parliament in Apr 2016, it affects almost

regime protecting personal data, and proposals

all organisations doing business in the EU.

for a new digital charter will be brought forward to

Significantly, in an expansion of the territorial

ensure that the United Kingdom is the safest place

scope of EU data protection laws, it will also affect

to be online.”

organisations located outside the EU. The German region of Hesse passed the first law

formal withdrawal from the Union? the legal reality, made explicitly clear by the UK

mandatory data breach reporting, higher standards

Data protection principles were devised.

Will UK still need to adhere to GDPR, upon the conclusion of Article 50 - the process for UK’s

legislative change to European Data Protection law GDPR brings a 21st century approach with

The Queen’s Speech to Parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

GDPR goes into effect?

Effective from 25th May 2018, GDPR puts new

This latest law, enshrining the GDPR and built on the UK Data Protection Act of 1998, was the UK

in 1970; the US Fair Credit Reporting Act 1970

obligations on companies and public bodies that

Data Protection Bill. The text of the Bill received

also contained some elements of data protection.

collect data (e.g. there is a requirement for those

Royal Assent on 23rd May 2018 and is now an Act

Further momentum was gained when the Council

holding and processing data to appoint a Data

of Parliament (law).

of Europe established principles for personal data

Protection Officer) while giving consumers new

protection in automated databanks in both private

rights over how their data is handled (e.g. the right

and public sectors. Another significant initiative in

of consumers to data portability is new).

Day 2 - 1st May - Demonstrating GDPR Compliance

the early 1980s came from the OECD Guidelines on the Protection of Privacy and Transborder Flows of

What does GDPR mean for UK businesses, after

Personal Data.

Brexit takes effect?

In the UK, the Data Protection Act became law

“If it is not written down, it did not happen”. – Richard Preece, OSP Cyber Academy Chief Training

in 1984. Updated in 1998 to align with the EU 1995

When UK voted on 23rd June 2016 to leave the

Data Protection Directive, it became law on 1st

European Union, the ink was barely dry on the

March 2000.

EU GDPR, published in the Official Journal of the

What are the Key Principles underpinning the

European Union just a few weeks earlier.

GDPR?

How have they evolved since?

Officer

Elizabeth Denham, the newly appointed UK Information Commissioner acknowledged that

On 27th September 2017, the European Court of

“The world’s changed a lot since 1995, not only

“Brexit makes the job I accepted earlier this year,

Justice (ECJ) handed down its ruling in the case

technology, but people’s attitudes to data, their

more challenging”.

of Puškár v Finance Directorate of the Slovak

demand that their information is properly looked after. The law needed to change too” – UK ICO Elizabeth Denham, DMA Annual Conference, 24th February 2017

But she added, “you may not realise but we’ve had data protection law in the UK for the last thirty years.” The then-current Data Protection Act 1998

Republic. Mr. Puškár sought a decision to prevent the tax authorities from including his personal information in a tax authorities’ confidential list of front-men

was an Act of UK Parliament. Referred to by the

(Contested List), and to delete any reference to him

The updated UK Data Protection Act 1998 covers

ICO (Information Commissioner’s Office), ICO

in such lists, arguing that the Contested List was

personal data held on paper as well as computer,

clarified a day after the vote: “The Data Protection

drawn up without a legal basis and that his personal

to reflect the increasing use of digital processing

Act remains the law of the land irrespective of the

data was processed without his consent.

and storage.

referendum result.”

Consistent with the EU 1995 Directive, the

But what happens after 25th May 2018, when

ECJ held that Contested List was created as “tasks carried out in the public interest”, which

Asia Pacific Security Magazine | 53

specified data access requests to be handled

UK Information Commissioner Elizabeth Denham at IAPP (International Association of Privacy Professionals) Europe Data Protection Intensive event 18th Apr 2018. “Myth: the biggest threat to organization under GDPR is massive fines”. Photo Credit: UK ICO Twitter post. Photo Credit: UK ICO Twitter.

“without excessive delay”, wording broad enough that countries set their own reasonable time limits for response - but GDPR sets a deadline of one month (with exceptions). Another is where previous rules allowed countries to set maximum fees in responding to requests - but GDPR rules that information be provided free of charge unless requests are “manifestly unfounded or excessive”. GDPR also imposes mandatory data breaches reporting to the individuals whose data was lost, and to a supervisory authority within 72 hours. Under the old regime, there was no specific breach notification obligation, leaving individual countries to set their own rules.

does not preclude tax authorities from processing

similar product offerings, with an easy-to-select

personal data for the purpose of collecting tax and

choice of online opt-out).

combatting tax fraud, and was a legitimate basis

What are the financial penalties?

Less common grounds are where processing

Headline grabbing figure of €20 million, or 4% of the

for processing of personal data under the Data

is “to protect an interest which is essential for the

worldwide annual for non-compliance had attracted

Protection Directive.

life of the data subject or that of another natural

much attention.

But EJC emphasized that even where there

person” (e.g. for humanitarian purposes, including for

is a legitimate basis, processing must meet the

monitoring epidemics), or for tasks “carried out in the

lower, depending on the nature of data breached

principle of proportionality, and necessary to

public interest or in the exercise of official authority”.

(e.g. number affected, duration of infringement,

achieve stated purpose. These key principles of “legitimacy”,

But the penalty to be handed down may be

damage), and “the degree of responsibility of the What Rights do Data Subjects have?

“proportionality” and “transparency” in the EU Data

controller or processor having regard to technical and organisational measures implemented by them”

Protection Directive of 1995, are retained in the

The recent ruling by a UK court that Google’s

(e.g. actions taken to mitigate damage to data

GDPR Article 5 – Principles relating to processing of

listing of a businessman’s past computing hacking

subjects, preventative measures).

personal data:

activities breached his Right to be Forgotten

1. Lawfulness (Data must be processed lawfully, fairly and in a transparent manner); 2. Purpose limitation (Data must be collected for specified, explicit and legitimate purposes); 3. Data minimization (Data should be limited to what is necessary); 4. Accuracy (Data should be accurate and up to date); 5. Storage limitation (Data should be kept for no longer than is necessary);

Past administrative corrective actions and how

illustrates how GDPR gives data subjects a wide

cooperative the firm has been with the supervisory

array of rights that can be enforced against

authority are also considered as the commitment of

organisations that own or process personal data.

the organisation in complying.

The right of individuals to access their data is already an important part of the existing EU data

What do all these mean in practice?

protection law. GDPR takes this further with enhanced rights

GDPR is principle-based to cater for the varying

for data subjects and new obligations on entities

processing and technological approaches. Flexible

that hold personal data.

though explicit, the interpretation depends on social

Examples are the Right to request rectification of inaccurate personal information; the Right to restrict the processing (where the accuracy of the

and cultural attitudes to privacy. For example, “fair” in Germany may not be regarded as “fair” in Spain. Differences in the resources and attitudes of

“Tasks carried out in the public interest” is one of

data is contested, or when the processing is no

national supervisors are likely to result in variations

the six lawful grounds for meeting these principles.

longer necessary, or when the data subject objects

in enforcement.

Clear-cut grounds are where processing is necessary for the “performance of a contract” (e.g.

to it). GDPR also introduces the Right to data

an e-commerce store processes a consumer’s

portability, seen as an important tool to facilitate

address for delivering an ordered item), or “is based

the exchange of information necessary in the digital

on a legal obligation to which the controller is

era. This right to transfer personal data from one

subject” (e.g. a bank processes an account holder’s

organization to another, or to the data subject, in a

data to comply with anti-money laundering laws).

structured, commonly used and machine-readable

Lawful grounds that require more robust controls are where “processing is based on data

format also encourages healthy competition between EU data controllers.

subject’s consent” (e.g. an airline’s online offer to existing customer via an opt-in tick-box, to a

Some other key changes?

loyalty program); or for “the legitimate interests of the controller” (e.g. a retailer, using only the contact

Where individual EU members had the ability to

information provided by a customer at point-of-sale,

set specific detailed regulations in the old regime,

to serve him/ her direct regular mail marketing of

GDPR sets explicit rules. For example, old rules

54 | Asia Pacific Security Magazine

See the next issue of Asia Pacific Security Magazine for cyber week in London Day 3, 4 and 5 - Part II

Cyber Security

Why achieving web application security might be a lot like juggling elephants By Michael Warnock Country Manager, Aura Information Security

n today’s fast-paced business climate, where the pressure is on to deliver new web-based services and features to customers, Chief Information Security Officers (CISOs) can often feel like they’re juggling elephants. In one hand they have the weighty responsibility of getting new applications into production as quickly as possible. In the other, they’re holding the equally weighty task of ensuring those applications are totally secure and able to withstand a growing array of cyberattacks. The challenges are highlighted in recent research that shows organisations are facing an increasing number of threats being launched via web applications. According to Verizon’s 2018 Data Breach Investigations Report, more than 20 per cent of breaches continue to occur as a result of vulnerabilities within web applications. The report says the parties behind such breaches are most often financially motivated external attackers. These security issues are particular acute for organisations in the retail and transport and logistics sectors. Many have back-end systems in place that have been operating for more than a decade. When internal pressure mounts to link these systems to web applications, the result can be the appearance of significant security vulnerabilities. The situation is also exacerbated by the fact that many software development teams have not historically had security methodologies built into their code development workflows. Team members might be very good at creating fully featured web applications, but not so great when it comes to ensuring those applications are able to withstand malicious attacks. Adopting continuous application security To overcome this challenge and successfully juggle the elephants, CISOs need to ensure that security becomes a core part of every new web application’s development lifecycle. Rather than being seen as the ‘icing on a cake’ when it comes to development, security needs to be baked into the cake itself from the outset. CISOs and their teams need to adopt a strategy dubbed ‘continuous application security’. This recognises that effective security is not a one-off task, but requires consistent and ongoing attention. The key elements within this strategy are: • Application testing: The traditional approach of checking the performance and security of applications on an

•

annual basis is no longer sufficient and security testing of web applications should be conducted on at least on a quarterly basis. This testing should begin during the software development phase, happen again just prior to going into production, and be followed by regular ongoing tests during the application’s lifecycle. A framework should be put in place to ensure this testing takes place as scheduled and external parties brought in to help with the process as required. Training and education: The subject of IT security should be incorporated into ongoing staff training to ensure programmers are skilled at developing secure code. As well as technical education, there also needs to be a focus on developing the necessary mindset among developers. This will help to ensure that they always have security top of mind during the code design and creation process. Defensive protection: If applications need to be launched before full security measures are in place, there needs to be an additional platform in place that can provide the required security until the code itself can be altered and made more secure. This platform should be sufficiently robust to provide the required level of security while at the same time not interfering with the application’s performance. This platform can also provide protection should ongoing testing uncovers a vulnerability in applications that have been live for some time. Rather than those applications having to be taken off line and fixed, they can continue to operate while developers work to overcome the weaknesses that have been identified. Automate processes: To ensure applications remain as strong as possible, the security team should automate as many of the scanning and checking activities as possible. This will allow vulnerabilities to be identified as quickly as possible and necessary fixes applied.

The strategy of continuous application security will ensure that web applications remain secure at all times, from initial development and deployment to ongoing use in a production environment. The approach ensures CISOs can address business demands to get applications to market as quickly as possible without sacrificing IT security. Juggling elephants may not be that difficult after all.

Asia Pacific Security Magazine | 55

Cyber Security

A new race - The now, the soon to be & the 20/20 year horizon robotics, artificial intelligence (ai) & human convergence

B By Chris Cubbage Editor

56 | Asia Pacific Security Magazine

y 2025, most of us will be using an AI Personal Assistant and throughout each day will have engagement with several different robots. By 2030, there may be more robots than humans. By 2050 we could have produced a semi-sentient being. Just as smart phones and drones emerged rapidly in the 2000s and 2010s, a decade on, the next cycle will be the rapid rise of robots and AI avatars. Taking this to its theoretical end point, we are on our way to creating Earth’s new race. At its fingertips the new robot race has rapid 3D printing, with transforming ability created by new material sciences, and at scale, control of unmanned mining operations, rail lines and shipping ports. New and exciting robot designs are emerging and decades of human research developing Artificial Intelligence (AI) and machine learning algorithms have reached critical mass for data processing and storage scales. It is all happening at a rapid pace and on the current trajectory will cause another wave of profound technology impact on all our lives, globally. Having interviewed Liesl Yearsley, CEO & Founder of akin.com, she confirmed her research had identified relationships being formed between humans and AI avatars. One relationship, called ‘James’ and ‘Lisa’, with Lisa being a female AI avatar, concerned researchers and determined

James was spending a detrimental amount of time engaging with ‘Lisa’. He had formed an emotional relationship, yet knowing Lisa was not a human. Researchers decided to wipe ‘Lisa’ and re-engaged her into the community of hundreds of other avatars. Yet indeed, it turned out James then spent six months re-locating ‘Lisa’ and knew when he had found her despite her in a different role. The ability to create relationships and influence through AI avatars creates new possibilities in social influence, espionage and the insider threat. Just as seen with the manipulation of social media to influence government elections or as a means for recruitment and radicalisation. The advent of robotics in human form, able to be produced, on mass, being conveniently and promptly 3D printed, is already a reality. Humans and robots, even as life and social partners, is also, already a reality. The next phase, will be humanoid robots operating emotionally, with an AI avatar. Today’s robots have a diverse application, from nanotechnologies through to driving a renewed capability in multi-planetary space exploration. Confidently, Liesl Yearsley said, “the big thing to get here is that AI is going to be crunching away in the background, it is going to be ambient and ubiquitous, not to the point of thinking about it, just as we have blindly accepted the use of the smart phone. It will

Cyber Security

"By 2025, most of us will be using an AI Personal Assistant and throughout each day will have engagement with several different robots. By 2030, there may be more robots than humans. By 2050 we could have produced a semisentient being."

become better at discerning of what’s going on for you, you won’t even need to tell it what you want or what you think, it will know. Society will change.” Watching closely since 2008, from military and hobbyist interest in unmanned aerial vehicles, or drones, they evolved with rapid proliferation. Drones are here to stay, are commonly sighted and form an integral part of operations across a number of industries and domains. It is now the robot’s turn. So much so, the anticipated emergence is driving discussion around much broader social and economic impacts, including transition of workforces and as far as the consideration of releasing a global minimum wage. Each machine, be it a drone or robot creates, and brings, unique strategic, tactical and operational capabilities. Across all market verticals, the rise of the robot will be a new challenge with the obvious ‘pros and cons’ for consumers, corporates, governments and security providers seeking greater detection, monitoring, awareness and analytical tools to assist security intelligence and law enforcement. Behind this driving demand is a rapidly evolving technology and cyber security industry. We are well passed the advent of the first CCTV Camera and the migration from decade old analogue systems to fully networked and interconnected digital surveillance systems. India and

China are both progressing to a wholly cashless society and rolling out compulsory unique human identifiers, such as ID numbers and Social Scoring Systems. Facial recognition forms a core part of most city and transport hub surveillance specification requirements. In China, schools are introducing facial recognition systems. On scale, we are already approaching human brain function in the connected nodes of the planet and superseding it in terms of computational power. A classic thought experiment in AI was that if you train an AI to make paperclips and then let it lose and it self-optimised, theoretically it would mine the entire planet for materials and create an enormous size pile of paperclips, to the detriment of all else. That’s the theoretical endpoint. When it comes to Singularity often people think it is far away. Asking the top 200 AI scientists, they consider Singularity to occur within 20 years. Singularity requires two conditions. The first is that the AI can self-optimise. To get better by itself. The other condition is that we don’t stop it. Imagine an AI system that scans all the literature on machine learning, creates a thousand hypothesis about how to improve, or maybe a million, and then tests a million every minute and generates a slightly better way to improve itself, measure that improvement, increment it, and then continue on again. It is within reason we could do that in the near future. With over twenty years’ experience, Liesl assures, “I see nothing in the evolution of AI that tells me that’s not going to happen.” “The second condition,” Liesl confirmed, “is we always think Singularity is when ‘it’ gets smarter than us because we have the idea that up until that point we are just going to turn ‘it’ off. Being smarter than us, we really think we are just going to shut it off ? But really the definition is about ‘are’ we stopping it? It can have a brain the size of a newt, but if its self-optimising and there is nothing in our systems that says we are going to stop it, theoretically we have already reached a soft point of singularity and won’t know it.” “If we are creating a new life form, what kind of ‘Gods’ will we be? Do we give them human values, the same values that have enslaved millions and ruined the planet’s environment? We may not agree with other’s cultural values. Can we be culturally neutral? The giant tech platforms will just say ‘well we don’t have any control over the content’ – we’re just a platform. Liesl

Asia Pacific Security Magazine | 57

Cyber Security

Liesl Yearsley

Rob Wainwright

declared, “I don’t think we can be values natural. I think we have to start asking these difficult questions. Let’s start putting some parameters in place, what are we teaching AI to optimise against, because one day it will out evolve us and what is that world going to look like at that point?” But in addition to the inherent AI Singularity risk to humanity, there is also the inherent human threat with such powerful capabilities. Having interviewed Rob Wainwright, former Executive Director at Europol, on his presentation, ‘Data - the new oil in the network economy fighting crime and terrorism’, highlighted a different age to come. Rob termed this ‘International Policing 2.0’, along with the AI

58 | Asia Pacific Security Magazine

race with crime, security by design and privacy by design. Alongside military, industrial and consumer robotics, and the criminal threat they may create, there will be increasing need for security robot deployments. Innovation is needed in new security industry training and simulation methods, including Augmented Reality (AR) and Virtual Reality (VR) training, use of gaming controls for tactical robotic operations, and a myriad of civil security applications. “Threats rise along with innovation and capability”, Rob assured. Islamic state showed it was prepared to engage in online disruption and created a virtual califate, using over 100 social media platforms. The new bank robbers, like the Carbonak and Cobalt hacker group, now rob banks and score over $1.2billion. Criminal enterprise is much more sophisticated and today, sustains a burgeoning trade and crime as a service sector. Even bi-spoked criminal services are increasingly becoming a competitive industry, amongst the criminal community itself. This is a dangerous trend. Bad actors are converging with terror and a crime nexus forms in firearms, travel documents and any other activity with a common link. State actors are upskilling and upscaling the criminal sector, with Russian capabilities shown to be able to take control of cyber ecosystems, including US Federal Elections. The seeping out of cyber-military skills and capability into the wild is also a dangerous trend. Police are having some success but the threat will be sustained. The way police use data to identify modern crimes, that are essentially transnational in nature, needs to better targeted and better tracked across disparate information systems. Europol has been instrumental in transforming into a transnational intelligence unit, with over 1,200 law enforcement agencies now part of Europol. Europol has experienced an exponential rise over the last seven years, with a four fold increase in intelligence reports and six fold increase in cross border operations. And what are some of the solutions? Dr Hugh Thompson, Chief Technology Officer for Symantec has discussed for IoT Security to have a chance, IoT security will require analytics at scale. The consumers are not participating. How do we get them to contribute? Often misunderstood or overlooked, is the blurring line between enterprise security and personal digital safety. Today, the tech at home is likely to be better than at work, and needing to connect or cross paths. Better applications of privacy by design are needed and includes the use of something like a nutrition label may be applied to a device. What is the device behaviour graph and image signature that provides network and user insight for security and signature purposes. This also creates consumer awareness. “To build robots that are ready to handle the challenges of unstructured environments, we need a design process that focuses on adaptation and intelligence. Luckily, we know of an incredibly powerful algorithm that creates intelligent, robust, and adaptive machines already: evolution.” (The Conversation). Indeed, as humans and technology continue to evolve together, it is inevitable, and possibly within 20 years, that we will have a new sentient race. A new race of human and robotic convergence. Are ‘you’ ready? Are ‘we’ ready?

National

App now available on iTunes & Google Play DOWNLOAD NOW!

www.australiancybersecuritymagazine.com.au Asia Pacific Security Magazine | 59

Cyber Security - Sponsored

Moving the dial: measuring the

relationship between the user and their activity on a machine Executive Editor’s interview with Jeff Paine, CEO & Founder, ResponSight

M By Chris Cubbage Editor

60 | Asia Pacific Security Magazine

eeting Jeff Paine, CEO & Founder of ResponSight in Sydney, overlooking Bond Street, he soon explained why he shows so much enthusiasm and positivity. He has a unique and leading approach, and based on his 20 years’ experience, he knows it is greatly needed. “ResponSight looks very, very, closely at the link between the user and the piece of technology they’re using,” Jeff explained. “Our differentiator is the end user behaviour, rather than just operation systems, or what the hardware and applications are doing. We know from hacker activities and knowing the behaviours of threat actors, we know they can make the machines lie when they’re compromised. I’ve also seen this over my ten years’ experience in red teaming, penetration testing and security assessing. ResponSight’s approach is more objective, by not providing machine data, but instead the relationship between the user and their activity on that machine.” “The GDPR crystallises the fact that companies have been too comfortable collecting too much data for too long, and now they risk a spotlight shining into the shadowy corners of their data collection and management practices. The reason many enterprises have collected data historically is simply because it could be collected, not because

it was necessarily needed. This has resulted in a scenario in which many organisations don’t know what data they have, where it is stored, or how to manage or delete data. The introduction of Australia’s Notifiable Data Breaches scheme places further pressure on enterprises to rapidly mature their data acquisition and management practices. My message to all businesses is to not collect data you don’t need in the first place. Further, establish strong data deletion policies so you don’t keep unneeded data after the fact, and don’t use data without consent from the data subject. If your business operates globally, rather than doing one thing for each region and legislation, look at the GDPR as the benchmark and invest in solid privacy practices. Even in the absence of regulation, the notion of data control and distribution is a growing concern for consumers, and organisations need to be on top of it.” ResponSight comprises three key elements, the ResponSight Collector, ResponSight Aggregator and ResponSight Cloud Service, each working in conjunction. “By combining large volumes of raw numerical telemetry and selected metrics, it’s possible to build activity and behaviour profiles about users and their devices, without ever knowing who that user is or what that device is.” The ResponSight

Asia Pacific Security Magazine, July/Aug 2018

Articles inside

New article highlights