Asia Pacific Security Magazine, Nov/Dec 2018 by MySecurity Marketplace

THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Nov/Dec 2018

Many modes of supply chain attacks The dawn of the digital Manager

India’s Supreme Court reins in citizen profiling Biological Protection-In-Depth

Australian-made FLAIM Trainer

How to minimise roulette wheel motion blur

The rise of hashgraph A cyber week in London – Part 2

$8.95 INC. GST

Cyber Risk Meetup - Wrap-ups & Launches Resilient organisations begin with resilient people

ROBOTICS GROWTH & OPPORTUNITIES

PLUS

Techtime

World Tourism Destinations Forum 2018 BUILDING AN OUTSTANDING

WORLD-CLASS

TOURISM DESTINATION

4 - 5 DECEMBER 2018

Royale Chulan Kuala Lumpur, Malaysia

Organised by:

www.worldtourismdestinationsforum.com

“Asia’s Premier Counter-Terrorism and Internal Security Exhibition and Conference!”

COUNTER TERROR ASIA EXPO (CTAX) AND CONFERENCE 2018 PREPARES TO WELCOME MORE THAN 100 EXHIBITING BRANDS!

Co-Located With:

An International Conference on Counter-Terrorism and Internal Security

4 - 5 DECEMBER 2018 Marina Bay Sands,Singapore For more info, contact us:

Organized by:

Phone: (+65) 6100 9101 | Email: sg@asiafireworks.com

www.counterterrorasia.com Proudly Held In:

Media Partners:

Knowledge Partner:

Workshop & Strategic Partner:

Official Sponsor:

Supporting Organizations:

Fireworks Trade Media Pte Ltd

MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 120 interviews and provides regularly updates, news, trends and events. Available via Apple & Android. Over 55,000 downloads in the first year.

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.

My Security Media rapidly expanded into the Asia Pacific Region with its sister publication – the Asia Pacific Security Magazine. It is published bi-monthly –. It is available online to read by all and upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

The Australian Cyber Security Magazine was launched in agreement with the Australian Information Security Association (AISA) to be focused on AISA’s 3,000 members, nationally and forms part of AISA’s national cyber security awareness and membership communication platform.

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Your one-stop shop for all things CCTV, surveillance and detection technologies

The MySecurity TV Channel delivers news and interviews for the Asia Pacific Security Magazine, Australian Security Magazine and Australian Cyber Security Magazine – and from across MySecurity Media channels.

MySecurity Media can facilitate specialist round-table luncheons or breakfast sessions for up to 20 invited guests for high level discussion on Security & Cybersecurity themes, guided by the Vendor’s Leaders and accompanied with published content.

Event opportunities in Sydney, Melbourne, Brisbane & Singapore providing attendees a special experience and additional takeaways, including podcast interviews and print media.

promoteme@mysecuritymedia.com

www.mysecuritymedia.com

The ‘go-to’ tool for leading professionals UP COMING EVENTS COURSES WEBINARS WHITEPAPERS SOFTWARE

promoteme@mysecuritymedia.com

www.mysecuritymarketplace.com

Contents Editor's Desk 3 Risk Management – From SARs to Cryptocurrency

HID Global Consultant Roundtable 12 Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij Correspondents Jane Lo Tony Campbell Sarosh Bana Bennett Ring

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Cyber Risk meetup launched in Singapore

The future of innovation & the BIG CISO question?

A Cyber Week in London - Part 2

Internet of Threats

Cyber Security Forums

Robotics Growth and Opportunities

Sing Fintech 2018

7 Data Breach highlights

Many modes of supply chain attacks

The dawn of the digital Manager

Page 38 - Many modes of

supply chain attacks

Why digital transformation must incorporate security transformation

Australian-made FLAIM Trainer

The rise of hashgraph

India’s Supreme Court reins in citizen profiling

Biological Protection-In-Depth

How to minimise roulette wheel motion blur

Migrating to an IP video surveillance solution

Resilient organisations begin with resilient people

Book review

Page 40 - The dawn of the

digital Manager

CONNECT WITH US www.facebook.com/apsmagazine

Page 44 - Australian-made

FLAIM Trainer

OUR NETWORK

@AustCyberSecMag www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors www.australiancybersecuritymagazine.com.au

Page 48 - India’s Supreme

Court reins in citizen profiling www.australiansecuritymagazine.com

Jane Lo*

Tony Campbell*

Sarosh Bana*

Bennet Ring*

Dr Gavriel Schneider

Phillip Dimitri

www.aseantechsec.com

www.drasticnews.com

www.chiefit.me

Vlado Damjanovski Lance Krowitz

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

6 | Asia Pacific Security Magazine

Also with Deborah Evans | Helen Masters | Benjamin Low

Page 20 - Biological ProtectionIn-Depth

Editor's Desk "We don’t drown our partners in a sea of debt. We don’t coerce or compromise your independence. The United States deals openly, fairly.” - Vice President Pence at the 2018 APEC CEO Summit

n this final edition of 2018, Singapore Correspondent, Jane Lo has provided a number of impressive articles, including reviews on SingTech, Cyber Security Forum, CISO Elite Asia 2018, Risk Innovation Forum and the Singapore International Robo Expo 2018, noting the global robotics market is expected to reach USD 50 billion in total revenues in 2018, inclusive of hardware, software and services. By 2021 the market will nearly double reaching USD 90 billion. (ABI Research). With this forecast in mind, the security domain in the Asia Pacific remains fascinating and challenging to keep abreast. Be it the degrading geo-politics playing out between the US and China, along with the absence of outcome statements from the APEC Summit in Papua New Guinea. To the current news of the day in the Marriott Starwood breach, where the company discovered there had been unauthorised access since 2014, and believes up to approximately 500 million guests who made a reservation at a Starwood property have been compromised. With an Australian perspective, Danielle Cave, deputy head of the International Cyber Policy Centre at Australian Strategic Policy Institute (ASPI), has released an opinion piece, stating, “There is a lot at stake in the China– Australia relationship and, as we attempt to balance these economic and security interests, there is an element of schizophrenia to our attempts to ‘get the China relationship right’. It’s a deeply important relationship but it’s also incredibly complicated and it’s only going to get more so. There is no right path forward that will please everyone. But there is a wrong path, and we are in danger of taking it…The real issue is that in trying to protect the relationship with Beijing, the [Australian] government is not being open with the Australian public, who have the right to be informed about new and emerging risks to their businesses, intellectual property and online safety.” Directly related to geo-politics is cybersecurity. We have been at a cyber war for some years and the US is clearly starting to call it out, predominately lead by US Vice President Mike Pence. At APEC on November 17, Pence said, “China has ‘tremendous barriers’; they have ‘tremendous tariffs’; and, as we all know, their country engages in quotas, forced technology transfer, intellectual property theft, industrial

subsidies on an unprecedented scale. Such actions have actually contributed to a $375 billion good trades deficit with the United States last year alone. But as the President said today, ‘that’s all changed now’…. We’ve taken decisive action to address our trade imbalance with China. We’ve put tariffs on $250 billion in Chinese goods and we could more than double that number. But we hope for better. The United States though will not change course until China changes its ways.” For Australia and relating to its relationship with China, cyber security revenues will soar from A$2 billion in 2016 to A$6 billion by 2026. This comes as part of an upward trend in cyber security spending around the world. US$131 billion was spent on cyber security globally in 2017, with an 88 per cent increase expected by 2026. With the second-highest ‘cyber maturity’ in the Indo-Pacific and strengths in core skill areas such as quantum computation, wireless technology and high-value hardware, Australia, according to the 2018 update to Australia’s Cyber Security Sector Competitiveness Plan is the ideal growth environment for cyber security businesses. The statistics are included along with the first ever Australian Cyber Security Industry Roadmap; launched by the Australian Minister for Industry, Science and Technology, the Hon Karen Andrews MP. McAfee has also released its annual Threat Predictions Report, which outlines predictions for the cybersecurity landscape in 2019. One major prediction is that data exfiltration attempts from the cloud are expected to significantly increase in 2019, both globally and at a local level. Across the regions, protecting the cloud will become a non-negotiable safety measure to ensuring cyber-resilience, as 89% of organisations in the Asia Pacific store sensitive data in the cloud, and the amount of files shared with sensitive data has increased 53% YoY. Other predictions include: • The cybercriminal underworld will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. • Attackers will be employing AI to help them avoid detection by security software, particularly to automate target selection, or to check infected environments before deploying later stages and avoiding detection. • 2019 will see the use of multifaceted,

•

synergistic threats – in other words, where several different kinds of cyber threats (phishing, ransomware, cryptojacking) are used in tandem. These attacks are hard to classify, and even harder to mitigate, and is yet another manifestation of cybercriminals becoming even more sophisticated and collaborative. Identity platforms and IoT edge devices will be under siege as criminals leverage them to mount attacks on industrial control systems.

Another paper worth a look was released in Singapore, the Adversarial Attack Simulation Exercises (AASE), often referred to as Red Team (RT) exercises. These exercises are sanctioned, planned, risk-managed and objective-driven cyber security assessments that simulate highly sophisticated targeted attacks against an organisation. Aimed at guiding Financial Institutions (FI), the guidelines encourage creative scenarios for their attack simulation by identifying the most likely adversaries and the attack vectors through threat modelling. The goal of these exercises is to assess the capability of a FI to prevent, detect and respond to cyberattacks that may impact Critical Functions or business continuity. Exercises simulate a full end-to-end cycle of a cyber security attack, replicating actions and procedures utilised by real world adversaries with a high level of intent, sophistication and capability. It seems however, that all industry sectors should have such guidelines and preparing for an ever increasing rise in sophistication in attacks. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage. Enjoy a safe and happy festive season and see again in 2019!

Sincerely, Chris Cubbage CPP, CISA, RSecP, GAICD Executive Editor

Asia Pacific Security Magazine | 7

R1 OVE ODES, EPIS ER OV

00 S 0 , 0 5 OAD NL

DOW

www.australiancybersecuritymagazine.com.au 8 | Asia Pacific Security Magazine

PODCAST HIGHLIGHT EPISODES Episode 103 – World-renowned cyber security expert, “The Ethical Hacker” – Oliver Stone’s cybersecurity adviser on “Snowden” and CEO of Estonia startup Seguru.io This is a broad interview with Ralph Echemendia, world-renowned cyber security expert, known internationally by his alter ego “The Ethical Hacker.” For over 20 years, Ralph has delivered training on hacking and other security information to corporations including the US Marine Corps, NASA, Google, Microsoft, Oracle, AMEX, Intel, Boeing, Symantec, and IBM.systems provides new business opportunities with developing smaller and lighter payloads.

Episode 109 – Cybernomics: Digital Asset Valuation & Cyber Risk Measurement with Dr. Keyun Ruan, Computer Scientist & Author “Digital Forensics” This interview with Dr. Keyun Ruan dives into her research in identifying the value of ‘cyber’ in business, establishing traceability for better risk management, analyzing the attacker’s role in cyber risk and the outlook for the future of cyber risk quantification. Dr. Keyun Ruan has worked as a PhD researcher at the Center of Cyber security and Cybercrime Investigation (University College, Dublin) and in cloud forensics at the Cyber Security Research Lab (EADS).

Episode 112 – Interview with the CEO of CyLon at ICE71, Singapore. CyLon is the world’s leading cybersecurity accelerator We sit down with Anton Opperman, CEO of CyLon at ICE71. CyLon is the world’s leading cybersecurity accelerator. Since launching in London in 2015 CyLon has run several accelerator programmes, successfully accelerating over 50 cybersecurity startups, many of which are now working with major global corporations, governments and world-leading investors. CyLon is working in partnership with Singtel Innov8 and NUS Enterprise to deliver the ICE71 Inspire and ICE71 Accelerate programmes.

Episode 107 – Child Cyber Security Ambassador & Child Hacker – Reuben Paul, 12, aka “RAPst4r”, the Founder of CyberShaolin

@BSidesPer 2018 Podcast series #BSidesPerth BSides Perth 2018 attracted over 300 delegates, including kids and families, to UWA Business School and along with t-shirts, beanies and tool kits, delegates also received a cool and unique handmade conference badge, using a NodeMCU ESP8266 WiFi SoC. Security BSides (commonly referred to as BSides) is a hacker convention, held amongst a growing eco-system of events in Australia and New Zealand that provide a community driven framework for information security conferences.

Data Centre Deep Dive with #DCDAustralia & #DCDSingapore IAs part of our Data Centre #DCD media partnership here is a series of interviews which deep dive into the Data Centre industry, recorded in August & September 2018 at Data Center Dynamics – DCD Australia, Sydney #DCDAustralia and DCD South East Asia in Singapore #DCDSingapore. • Business Drivers & Data Centres, with Stephen Worn, CTO & CEO DCD North America • Achieving sustainable data centres and the next Moore’s Law trends, with Prof. Ian Bitterlin, Leeds University • Is this the McDonalds of the DC industry? Meet Digital Realty, the world’s largest full scale data centre provider • How IoT data capture and processing is driving new edge-to-core data center network • Data Centre trends in the era of edge computing and security considerations around rapid deployment • The future of Data Centres in an age of robotics, AI, IoT, machine learning and AR/VR, Prof. Greg Sherry

#KLNext CyberSecurity Podcast Series – Barcelona, Spain 2018 The #KLNext conference, held 29-30 October 2018 in Barcelona, Spain, gathered together journalists and experts from around the world to discuss the latest research and future possibilities in the areas of security, industry and technology. As participants in this year’s event, courtesy of Kaspersky Lab, we took the opportunity to sit down with a number of the Kaspersky Lab European team and their special guest presenters, including Jane Frankland, Eva Galperin, Ian & Nicole Whiting and Laurie Pycroft from Oxford University.

Following his presentation on stage at Cyber Security Asia, Kuala Lumpur, we sat down with Reuben Paul, our youngest guest and Cyber Security Ambassador, Child Hacker, Black Belt in Shaolin Do Kung Fu, USA Gymnast, Video-gamer & Cyber Ninja. These are some of the growing titles used to describe 12-year-old Reuben Paul aka “RAPst4r”, the Founder of CyberShaolin.

Episode 117 – GDPR & Cambridge Analytica – A Cyber week in London with Jane Lo, Singapore Correspondent Jane started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for Corporates and Banks, before relocating back to Singapore. er experience included using data predictive analytics for fraud at global financial institutions (Deustche Bank, JP Morgan) and advisory to financial institutions with PriceWaterHouseCoopers.

www.australiancybersecuritymagazine.com.au Asia Pacific Security Magazine | 9

Cyber Security

Risk Management – From SARs to Cryptocurrency

By Jane Lo ASM Correspondent

What do SARS and Cryptocurrency have in common? SARs (Severe Acute Respiratory Syndrome), is a viral respiratory illness caused by a coronavirus. According to the World Health Organization (WHO) a total of 8,098 people worldwide became sick with SARs during the 2003 outbreak. Of these 774 died. The first case in Hong Kong was reported on 22th Feb 2003. It took another 2.5 weeks before a WHO worldwide alert was sent, and another 2 weeks for schools in Hong Kong to be closed. By the end of March, house containments were in place, but that did not stop the spreading of the disease which peaked on 20th April, when 12 deaths in a single day were reported.

“History is a tough teacher”, said Peter R. Morgan

Cryptocurrency

(VP, Clement Shield; former Assistant Commissioner

That is, a consolidated assessment of risks across business lines, products and locations.

(Ret.), Hong Kong Police) at the Asia Risk &

The stratospheric rise of BitCoin, from its humble

Resilience Conference 2018, (ARRC 2018, www.

beginning when 10,000 bought a developer 2 pizzas,

cryptocurrency and the activities surrounding

arrconference.com, Singapore Hilton, 29th August –

to trade as high as USD19,000, set off skepticisms

cryptocurrency trading and investment is but one

31st August 2018).

amidst a flurry of responses from regulators.

of the many vulnerabilities and risks that need to

The SARs outbreak taught the need for “Improved

Banking titans, Jamie Dimon of JPMorgan

Under this approach, identifying the role of

be managed.

Preparedness”. This included, according to Mr

famously said he would "fire in a second" any

Morgan, “increased Awareness”, “Effective Plans &

JPMorgan trader who was trading BitCoin; Some

organization is a key aspect of planning –

SOPs”, “Organisation capacity and readiness”.

countries have outright banned BitCoin trading;

reflecting the theme of the ARRC 2018 “Corporate

others see it as a solution to its struggling economy,

Governance, Risk & Resilience - Planning in Action.”

Dr. Attila Hertelendy (Professor, Georgetown University), speaking on “Leadership Lessons Learned in Managing Risk and Resilience from the

An understanding of risks faced by the

such as Venezuela. But the most cited reason for disparaging

Risk Management – the ISO 31000 framework

Global Health Security Perspective”, emphasized

BitCoin is its role in facilitating criminal activities. This

that “we should embrace a culture of forward-

is not surprising given that ransomware, illegal drugs,

International organization for Standardization

leaning proactivity and the benefits that can be

or stolen plastic demand payments in BitCoin. The

notes that “Risks affecting organizations can

derived from deliberate planning”.

seizure of 110,00 + BitCoin from the takedown of

have consequences in terms of economic

SilkRoad further linked BitCoin to illicit activities.

performance and professional reputation, as well

He also clarified that “plans are useless, planning is everything!”. This meant “exercises

In his talk “What has ERM got to do with

as environmental, safety and societal outcomes.

& drills” to put in practice the plans, which was

Anti-Money Laundering & Cryptocurrency”, Mr.

Therefore, managing risk effectively helps

echoed by Mr Morgan in his talk.

Dennis Lee (Risk and Compliance Director, Amicorp

organizations to perform well in an environment full

Trustees (Singapore) Limited), highlighted that these

of uncertainty”.

But what does “Improved Preparedness”, “Deliberate Planning” lessons learned from Health

concerns require a robust enterprise-wide risk

Security and SARs have to do with Cryptocurrency?

management approach.

10 | Asia Pacific Security Magazine

ISO 31000:2018, Risk management – Guidelines, provides principles, framework and a

process for managing risk – “can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment”. This is demonstrated by Er Lee Chuen Fei (Certification Lead, Council member, RIMAS) at “Workshop D: Implementation of the ISO31000:2018 – All you need to know”. The key themes of a risk management framework, starting with setting the “Scope/ Context and Criteria”, followed by “Risk Assessment”, and determining appropriate “Risk Treatment”, with regular “Monitoring & Review” are not unfamiliar to risk specialists. Ultimately, articulating the aims of the organization and linking to risks it faces means Dr. Attila Hertelendy (Professor, Georgetown University), speaking on “Leadership Lessons Learned in Managing Risk and Resilience from the Global Health Security Perspective”, Photo Credit: ARRC 2018. www.arrconference.com

“effectively understood, treated and managed” risks. “Reducing the likelihood” of an event or “reducing the consequence” in risk management are standard approaches – other options for consideration include accepting the risk, or transferring the risks through contract or insurance, or avoiding the risk altogether. Risk – opportunities and potential positive effects Notably, ISO31000 defines risk as "effect of uncertainty on objectives", which is a significant shift in paradigm from the previous definition of "chance or probability of loss". This new definition is a reference to positive consequences, or opportunities of uncertainty, as well as the negative ones viewed from the traditional prudent perspective. So, managing risks associated with

“Peter R. Morgan, (Assistant Commissioner (Ret.), Hong Kong Police) speaking on “15years on – Lessons Learnt from Hong Kong SARS outbreak in 2003”. Photo Credit: ARRC 2018. www.arrconference.com

developments that may contribute to more frequent health pandemic (e.g. denser cities spreading SARs and other diseases more rapidly), or, enabling more advanced cyber crimes (e.g. innovations underpinning cryptocurrencies) also means addressing the opportunities. One is “blockchain” which power the cryptocurrencies. This technology is being applied in logistics management to validate and track supplies, and in digital currencies such as the Singapore government’s issuance of a digital Singapore dollar on the blockchain for interbank payments that bypass the central bank. Indeed, Singapore's central bank head said he hoped the technologies underpinning cryptocurrencies such as blockchain would not be undermined by an eventual crash in the virtual currency. In other words, while cryptocurrencies may face risks limiting its expansion, the exciting

“What has ERM got to do with Anti-Money Laundering & Cryptocurrency”, Mr. Dennis Lee (Risk and Compliance Director, Amicorp Trustees (Singapore) Limited), Photo Credit: ARRC 2018. www.arrconference.com

opportunities to leverage off the blockchain ground breaking technology should not be overlooked.

Asia Pacific Security Magazine | 11

Cyber Security L- R - Lawrence McKenna, Serra Luck, Bob Cross, Afiz Jabbar, Bob Firth, Luke Percy-Dove, Greg Lane, Shane Norton, Chris Cubbage

HID Global Consultant Roundtable Smart Buildings, mobility & outlook to the future

his is a special roundtable hosted by HID

The definition of intelligent buildings has been with

network design, resilience, availability, reliability

Global, as a forum in which senior Australian

us for quite some time.”

with cyber security, electronic security, physical

consultants share their thoughts on industry

“Some of the Singaporeans lead the first

security and that just to protect the network, not the

trends around smart buildings and mobility. This

foray into that space, certainly into the third-

actual building or the people, so they can maintain

recorded discussion, now available in a podcast,

generation technology buildings which I think at

that business and depend on that network to do

includes insights and experience on the evolution of

the time was roughly defined as highly integrated

whatever they need to do. It is something new that

end-user requirements, comments on industry best

building technologies that were enabling individual

has rapidly come to the fore in the last 24 months.

practices, and general expectations of what makes

occupants to control their own level of space,

a smart solution design.

comfort, and accessible amenity, at the device level.

the point, “everyone wants a smart building but may

Serra Luck, Vice President, End User and

Norman Disney & Young’s Afiz Jabbar raised

At the time, the device was nothing more than a PC.

not understand why they want it. We need to move

Consultant Business at HID Global highlighted, “The

Now I think the implementation of that concept is

beyond the technology to what the technology

motivation from HID’s prospective is creating the

little bit more ‘App’ based and mobile device based.

provides in the outcomes. What do we use all these

discussion on the physical security access control

But I think we are still talking about the same sort of

sensors for, what are we doing with the technology?

and we see a lot of influence coming from the IT

concepts. It is just that we have become a lot smart

The vision is good and there is demand, but what

side of the business with the Internet of Things

as to how we are implementing these concepts.”

are they doing with their smart building.

and seeing a lot of implementation around cloud

Greg Lane at Jacobs confirmed, “we are seeing

Luke Percy-Dove provides insight to the client’s

services. Service businesses ae coming in with a lot

a more educated client. Though in the high end

needs, “a big part of what we do is educating the

of integration and of course we see the impact on

security domain they understand what smart is,

clients and getting to the nuts and bolts of what the

the end user in that space. We are very much open

in terms of integration and may not want that in

problem is they want to solve and the best way of

to understanding what is motivating the customer

certain applications.”

determining that outcome.”

across the different vertical markets, what the

Lawrence McKenna of Wood & Grieve

Bob Firth outlined, “in terms of the architecture

change process is that is happening and we looked

Engineers highlighted, “it all depends on the

stage, there are some things you can’t bolt on later

to gather experts to share their views with us and

building owner or occupant and how much they

without enormous rework. Agreeing that we are all

learn from them.

want to invest. If it’s a building owner, and say a

going to be on the one network, agreeing that there

hospital, they definitely see a single integrated

is open standards, there may be middle ware that is

Shane Norton, who commenced, “the emergence

network and maintain that via their IT department

required, agree on the protocols early, allows you to

of smart buildings is not necessarily a new concept,

and seek to realise the cost savings as opposed

explore and expand as you go. Get those decisions

I think the way in which we do it certainly is but not

to having separate networks. But that opens an

wrong initially you can find it almost impossible to

the concept in itself. We have been talking about

entire issue around cyber dependency. Which is

retrofit some of the solutions or get the maximum

the implementation of first, second, third generation

something that is becoming more front and forward.

out of them. Planning ahead of time, what is the big

smart buildings in this region, since the late 1980’s.

That is a challenge within itself, trying to bring under

picture vision around the smart building or smart

The discussion was kindly opened by Arup’s

12 | Asia Pacific Security Magazine

environment is essential to getting the outcome

Shane Norton - Being able to advise accurately

decades thereafter. And for those buildings and that

at the end of the day. And you don’t necessarily

what those emerging technologies, trends, ways

function and amenity that that building provides

need to know everything you want to achieve,

of living in our cities are likely to be. Advising

to remain relevant throughout the entire lifecycle.

with some projects running seven years from initial

with some degree of accuracy on these and then

That’s the challenging prospect.

brief through to delivery so you don’t know what’s

allowing our clients to make informed decisions

going to be available but if you make those initial

based on that forward-looking perspective about

To listen to the full

decisions well you can enable yourself to add on

what they are going to invest in for their building

roundtable discussion

what happens to come out as the latest technology

assets now for when they will be built in a number

LISTEN HERE

evolves.”

of years’ time to be operational for a number of

Shane Norton, Associate | Leader – Resilience, Security & Risk Shane is Arup’s most experienced and knowledgeable Protective Security consultant (2ABC NSW Licenced Security Consultant, SCEC Approved Security Consultant) in the Australasia region, and fulfils various leadership positions across the firm; including the Resilience, Security and Risk (RSR) Skills Leader for the region, and the Team Leader for the New South Wales RSR business. As a Security Construction and Equipment Committee (SCEC) Approved Security Zone Consultant since 2006, Shane is a trusted adviser to all levels of Government and Australia’s most successful blue chip organisations. He is uniquely recognised for his high security but discrete designs in some of our region’s most beautiful and wellknown buildings.

Afiz Jabbar, Senior Security Consultant & Associate, Norman Disney & Young Afiz Jabbar has been working in the security industry for over 17 years and is a Senior Security Consultant and Associate with Norman Disney and Young (NDY) responsible for the design, engineering and management of a wide range of high level integrated CCTV, Video Analytic, Access Control, Intruder Detection and physical security systems across a broad spectrum of industries including Government, Custodial, Health and Education. As a SCEC Endorsed Security Zone Consultant, Afiz specialises in high security consulting and engineering solutions for Government agencies and has extensive knowledge and familiarity in key areas such as physical security, electronic systems technology and infrastructure.

Greg Lane, Section Leader, Melbourne Security, Jacobs Greg is a SCEC Endorsed Security Consultant with a Master of Security Management specialising in red teaming. As a Senior Security Consultant, Greg has worked with wide range of commercial and government clients to provide a range of risk and high security services, including the provision of SCEC security consultancy services. Greg has extensive experience in custodial security, protective security risk reviews, defence security (including Type 1), critical infrastructure security, physical and electronic security, IT security, information security, CPTED and risk management.

Luke Percy-Dove, Director, Matryx Consulting Luke is a 23 year veteran of the Australian security industry, has personally advised on security for organisations including ANZ, Lend Lease, Mercedes Benz, Ipoh Property, VISA Global Logistics, Vicinity Centres, Lend Lease, Colliers, Knight Frank Royal Australian Mint, Mirvac and DP World. He is an established writer, media commentator and expert witness on the latest technology, trends and developments in the global physical security market. Luke is also the Founder and CEO of Risk Dynamyx, an Australian technology company that has developed the first dynamic security risk management application for commercial property.

Bob Firth, Principal Consultant, ACAD Services Bob Firth is a Principal Consultant at ACAD Services and provides technology consulting services to corporate and government clients across a range of technologies including internet of things, security systems, building services networks, wi fi, control centres and smart buildings. Bob is currently working on a number of connected environments within office towers, shopping centres, hospitals, a roadway and a retirement village.

Lawrence McKenna, Telecommunications Section Manager, Wood & Grieve Engineers Lawrence has over 25 years of Telecommunications and ICT Systems Industry experience. Lawrence’s extensive ICT/telecommunication experience acquired from working 16 years with Queensland Rail, three years with Project Services (QLD Department of Works) and six years with SKM/Jacobs. Lawrence is currently a member of the following standards committees: • Standards Australia CT-001 (Communications Cabling) • Standards Australia CT-002 (Broadcasting and related services) • International Telecommunication Union ITU-T SG5 working group • International Telecommunication Union ITU-R ARSG-5 working group.

Asia Pacific Security Magazine | 13

Cyber Security MEETUP

Cyber Risk Meetup Interview with Shamane Tan, the Founder of Cyber Risk Meetup

018 has been an incredibly rich year, packed

it comes to experience. If we are patient enough,

(Shout out to Privasec for being our biggest

with conferences and events as the Cyber

there is so much that we can draw from their deep

supporter and for all their active contributions to

Security industry tries to keep up with trends

wells of knowledge. I started the Cyber Risk Meetup

the different industry events.) After a period of time,

and governance. In the midst of all that, there was

in Sydney in 2017 with the intention to create a

even strangers will become a friendly face and it

a meetup group that stood out amongst all other

platform where talented people can share their

helps to speak to a peer or one of the executives in

meetups and very quickly became known as a class

experiences and key learns. ‘It’s said that a wise

the same industry. I was recently watching Ocean’s

of its own. It was the Cyber Risk Meetup, which has

person learns from his mistakes. A wiser one learns

Eight on the plane and it’s interesting to see how

rapidly become a well-known favourite and one of

from others’ mistakes. But the wisest person of all

the bad girls had to collaborate together to pull off

those NEED TO ATTEND event.

learns from others’s successes.’ Hence, I wanted to

the biggest steal of the century. How much more

build a community where like-minded professionals

do we need to work together and be more active in

Cyber Risk Meetup on its uniqueness. As the APAC

can network with one another. In doing so, I find

sharing our ideas as we battle together to protect

Cyber Risk Adviser with Privasec, a leading Cyber

out their actual challenges, and was inspired to

our loved ones and workforce in this digital age.

Security consulting firm, she also works with her

organise my events around topics that industry

The meetups provide a fantastic opportunity for

GRC and Technical Assurance team together with

leaders are so passionate about! I never expected it

professionals, our new generation and the general

the different CISOs to bridge security gaps in

to scale up the way it did.

public to come together and learn from one another

We interviewed Shamane Tan, the Founder of

organisations.

in a comfortable and safe environment. Indeed it

Q. How does it work? Q: Why do you do what you do? We meet up once every quarter and start off first In my last 9 years in this industry, if it’s one thing I

with networking over complimentary food and

learnt - is that people are our biggest wealth when

drinks courtesy of our Cyber Risk Meetup sponsors.

14 | Asia Pacific Security Magazine

takes a community to build a community.

Q. Share your vision for the Cyber Risk Meetups We are vendor agnostic and extremely big on encouraging new faces and voices in this industry. Our Cyber Riskers (that’s what we call our members) get to hear from renowned industry speakers that they do see at conferences but also get to hear from fresh new speakers. Most of them being a CISO have had extensive experience leading people but somehow had never put their hands up to speak. Imagine my great delight several of our Cyber Risk speakers were discovered through our events and now speaks at major national conferences.

Q. What was 2018 like? It was incredibly exciting. We are at 800 members in Sydney, and already at 400 members in Melbourne with our inaugural launch just early March this year. Cyber Risk Meetup saw a successful launch in Singapore in July and was closely followed by Brisbane this September. We have now crossed over the 1,500 members mark across Australasia. We are always oversubscribed and full house with more than 100 attendees turning up each time.

Q. Can you share some of Cyber Risk Meetup’s highlights? What I love about our meetups is that they are all so diverse. One moment I am in Melbourne hosting presentations on the evolution of Artificial Intelligence, and the next session, I am moderating C-suite discussion panels on CISO matters in Sydney. There was a really memorable session we organised around Data Privacy where we had two law partners taking opposite sides at a debate on GDPR and the impact of the NDB’s amendment. At another of our meetups, we had a clinical psychologist present on the human factor and the insider threat. Singapore also saw a mini Ted-Talk style Cyber series and we had various ASEAN Heads and CISOs exposing the secrets of the Hacker all the way to presenting on Machine Learning.

Q. What does the future look like for the Cyber Risk Meetups? We are very excited to launch Cyber Risk Meetup in Perth on the 19th of November, as part of WA Cyber Week as part of the WA AISA Cyber week. Also, for the first time ever, Cyber Risk Meetup will be running our very own Summit as a joint event with Privasec in Feb 2019. Do stay tuned for more details! Cyber Riskers can subscribe to the events at cyberriskmeetup.com

Asia Pacific Security Magazine | 15

MEETUP

The future of innovation & the BIG CISO question? Cyber Risk Meetup – Sydney Wrap-up

n support of ISACA’s SheLeadsTech initiative and

on aptitude rather than qualifications is also an

but CISOs may still be segregated to have policy

once again, months of hard work, the Cyber Risk

important factor, particularly in cybersecurity.

freedom and separate to operations. Organisation

Meetup moved on from a successful Singapore

Interestingly, but maybe not surprisingly, ‘return

size and maturity all has an influence on where the

meetup and back to Sydney. At the central high-rise

to work mothers’ and ‘military veterans’ have

CISO may sit.

offices of AWS, and sponsored further by Privasec,

both been shown to show positive aptitude for

nearly 150 cyber riskers heard from six special

cybersecurity. Maybe it’s the ‘battleground’ traits

is good! Anticipating the unexpected, being able

guests in an exclusive two segment panel session.

they share?

to adapt the language to stakeholders, be across

The Future of Innovation panel, moderated by

The younger generation are doing so much

What skills does a good CISO have? Paranoia

the C-Suite. Cybersecurity can be perceived as

Igor Shparberg, Director, e-Pocket (Int) and joined

more with technology and the expectation on

complex – trying to use analogies can help, such as

by Gillian Findlay, COO, Safety Culture, Frances

younger people will continue to be so much

brakes on a car are there for safety but allows the

Bouzo, Head of IT Security, iCare NSW, and Tabitha

more. However, the digital disruption is only just

car to drive faster. CISOs also need to understand

Bauer Executive Manager of Digital Assurance,

beginning. The way we recruit is still using tunnel

the business and the biggest hurdle can often be

CBA kicked off with ‘What gets you up in the

vision and we can learn a lot of lessons from the

the sales team – who and what is really driving the

morning?’ The panel entered a great discussion,

past – a good example is how start-ups can be a

business. Security should enable the business and

from finding offices for a start-up in Surry Hills,

source of learning for large enterprise and likewise

be engaged.

motivating young people, and through to building a

start-ups can learn from enterprise on how to scale.

commercial minded enterprise but that also makes

One good takeaway line was “We don’t have to

learning fast – is it a technical, people or process

people feel better. The things we see in cyber

reinvent, but we have to catch up!”

fail and then getting all the ducks in a row for

security is continually challenging and changing, so

The second panel, ‘Where do I put my CISOs?

Dealing with a breach is about learning – and

communications, legal and executive. If it’s a failure

it is self-motivating, but with young kids, the alarm

moderated by Cyber Risk Meetup organiser

in the risk assessment then the CISO hasn’t done

clock still helps!

Shamane Tan, APAC Cyber Security Advisor,

their job.

‘How do you keep up and translate it day to

Privasec was joined by Robert Lang, CTO,

With a packed room and nearly 100 on a

day?’ – “I hire people who are smarter than me”,

OpenMarkets, Stuart Mort, CTO – Cyber Security,

waiting list, this Cyber Risk Meetup was well served

said one panellist. Look at what’s coming. Put

Optus Business and Wouter Veugelen, CISO,

with great content, a fascinating networking mix, as

in automation and have a mix of people – the

Primary Healthcare. Matching the variety of the

well as great food and drink.

questions asked often creates learning and then

panel, was a variety of responses.

technically trying to continually improve and set the bar high in cybersecurity.

CISO’s should be their own line of business,

If you are looking for an event of quality networking and new connections, or you just want

was one view, though in contrast one panellist

to see what’s the Cyber Risk hype all about – visit

reported to the CIO. How to get cybersecurity

www.cyberiskmeetup.com and stay tuned for your

should do more with it and use it to our advantage,

embedded into the enterprise is a well-recognised

next complimentary meetup.

far more so as we work and think globally – in a

challenge. Too often plans are put in place after the

global industry with global resources. Recruiting

breach has occurred. Reporting to the CIO is okay

How important is diversity? In Australia we

16 | Asia Pacific Security Magazine

Cyber Risk Meetup

ACCELERATING APPLICATIONS DEVELOPMENT WITH WORLD CLASS DELIVERY, RELIABILITY & SECURITY MAIN FORUM: 23 - 24 JANUARY 2019 (MELBOURNE) / 13 - 14 FEBRUARY 2019 (SYDNEY) POST FORUM WORKSHOPS: 25 JANUARY 2019 (MELBOURNE) / 15 FEBRUARY 2019 (SYDNEY) VENUE: PARK HYATT MELBOURNE / PULLMAN SYDNEY HYDE PARK

20+ SPEAKERS | ENGAGING WORKSHOPS INSIGHTFUL CASE STUDIES FROM KEY LEADERS IN THE DEVOPS FIELD

DevOps: Creating World-Class IT Agility, Reliability and Security

DevOps Success Stories: Westpac, Qantas, ING, Accenture, CSIRO and more

DevOps Transformation with Continuous Testing: Qantas Case Study

Continuous Delivery & Testing with DevOps

How Containers & Microservices are Revolutionizing Enterprise IT Architectures

Marrying Cloud Computing and DevOps

Integrating AI into DevOps (AIOps)

How Big Data & Analytics Will Empower the Future of DevOps

DevOps Implementation with Security (DevSecOps): AUSTRAC Case Study

Embracing DevOps to Increase Agility and Improve Efficiencies

Finding Talent for DevOps Implementation: Lion Group of Companies

DevOps in Government Services

VISIT HTTP://BIT.LY/ANZDEVOPS19 OR CONTACT KAREN WILLIAMS AT KAREN.WILLIAMS@CLARIDENGLOBAL.ORG FOR MORE INFORMATION +61 3 9909 7310

admissions@claridenglobal.com

claridenglobal.com

Asia Pacific Security Magazine | 17

App now available on iTunes & Google Play DOWNLOAD NOW!

www.australiancybersecuritymagazine.com.au

18 | Asia Pacific Security Magazine

Cyber Risk Meetup

Continuous Professional Development. It’s my Institute.

After 45 years the Institute continues to develop your knowledge and awareness of contemporary and leading edge security management best practice. Share in your expertise with other peers and develop your networks. Join our Institute and benefit from the following: · Networking Opportunities · Education & Professional Development · Seminars & Conferences · Peer Support Services · Advocacy VICTORIAN SECURITY INSTITUTE

vsi.org.au APPROVED SECURITY INDUSTRY ORGANISATION

Asia Pacific Security Magazine | 19

Cyber Security - A Cyber week in London Part II

Everything has relevance but not everyone sees it A Cyber Week in London - PART II

International Security Expo 2018 evening reception, Terrace Pavilion, House of Commons, Westminster, London, UK. Photo Credit: International Security Expo 2018

By Jane Lo ASM Correspondent

“Data drives all we do”, the British data analytics firm Cambridge Analytica at the center of controversy in the United States and United Kingdom announced on its website which attacker accessed a customer information

confidentiality’)”. -GDPR Article 5, Para 1(f), Principles relating

“TalkTalk’s failure to implement the most basic cyber

database), patching out-dated software (which

security measures allowed hackers to penetrate

could have fixed a bug that allowed the attacker

TalkTalk’s systems with ease. Yes hacking is wrong,

to bypass access restrictions), installing defenses

but that is not an excuse for companies to abdicate

against common hacking technique SQL injection

To secure personal data, explicit obligations

their security obligations. TalkTalk should and

used to access the data.

for “appropriate technical and organizational

could have done more to safeguard its customer information. It did not and we have taken action.”

measures” include, in a written data processing “Integrity and Confidentiality”

agreement, “pseudonymisation and encryption

- UK ICO’s Elizabeth Denham, 5th October 2016. TalkTalk Data Breach

of data”, “ensuring the confidentiality, integrity, "Appropriate technical and orgnisational measures

availability and resilience of processing systems

shall be taken against unauthorised or unlawful

and services”.

processing of personal data and against accidental UK ICO’s enforcement actions include fines against law enforcement agency after interview disk went missing and individual health practitioner for

loss or destruction of, or damage to, personal data." - UK Data Protection Act 1998, Principle 7 –

approach to security, and benchmarking against industry standards and best practices. A critical

of TalkTalk

without a valid legal reason.

which is enshrined in the UK Data Protection Act

of £500,000 ICO is empowered to apply, for

2018. Referring to the integrity and confidentiality

contraventions of Data Protection Act 1998.

components of under the classic “CIA” model

cases, bank account details and sort codes.

“Cyber Security is a Board Room Issue” “Today’s record fine acts as a warning to

(confidentiality, integrity, availability), GDPR

others that cyber security is not an IT issue, it is a

stipulates that data be

boardroom issue. Companies must be diligent and

personal data of 156,959 customers, including names, addresses, dates of birth, and in many

weaknesses and external malicious threats.

UK Data Protection Act 1998, is also key in GDPR

fine against TalkTalk, close to the maximum fine

data from a cyber attack resulted in a breach of

aspect is how governance and culture mitigate privacy hazards arising from internal policy

The principle that deals with security under the

TalkTalk’s failure to properly protect customer

Many of these requirements are not new but complying would necessitate a fresh review of

applicable during the 2016 data breach incident

unlawfully accessing a patient medical records

The highest profile is undoubtedly the £400,000

to processing of personal data

vigilant. They must do this not only because they “processed in a manner that ensures appropriate security of the personal data,

have a duty under law, but because they have a duty to their customers.”

including protection against unauthorized or

-- UK ICO’s Elizabeth Denham, 5th October

prevented if TalkTalk had taken basic steps,

unlawful processing and against accidental

2016, on issuing the largest fine, £400,000 to

such as infrastructure scanning (which could

loss, destruction or damage, using appropriate

have uncovered vulnerable websites through

technical or organizational measures (‘Integrity and

ICO found that the attack could have been

20 | Asia Pacific Security Magazine

TalkTalk

A Cyber week in London Part II - Cyber Security

Tone-from-the-Top, where the Board is highly

ICO’s enforcement actions highlighted that

engaged and understands what comprises

Privacy intrusions and data breaches can arise,

Information “Crown Jewels”, is a foundational

not only from Cyber Security lapses, but also the

converging in the Physical and Cyber space,

building block for effective cyber risk management.

exploitation of standard operation procedures.

Chairman and former UK Security Minister, Admiral

Establishing clear authorities and

Protection Bill a week later. Speaking on the increasingly merging of threats

The convergence of Physical and Cyber space

Lord West of Spithead GCB DSC PC, reminded

responsibilities, demonstrating commitment to risk

further opens up the attack surface for inadvertent

us, “The tragic events in Paris, Westminster and

mitigation, fostering risk communication are some

or deliberate intrusions.

Stockholm only serve to show that the terror and

areas where industry best practices recommend

Reflecting these emerging security themes,

cyber threats focused on disrupting our way of life

Boards oversight. TalkTalk’s data breach also

focused conferences such as “Facilities

have never been greater and arguably we have

emphasized that Board’s oversight of regular

Management Security”, “CNI Security” (Critical

never lived in a more uncertain and dangerous time.

National Infrastructure) in addition to “Cyber Data

It is vital that we get our approach to protecting

& Information Security” are hosted as part of the

our society and ourselves right. Security is all

International Security Expo 2018.

our business and the lines between what was

Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU (even those located outside the EU) and applies from 25th May 2018 onwards. Photo credit: St Albans Anglican.org

To find out more, under the invitation of

traditionally the defence market and what is the

independent assessments is essential to identifying

International Security Expo organizer (Peter Jones,

vulnerabilities and forming appropriate risk

CEO Nineteen Events), International Security

mitigation and incident response plans.

Expo Advisory Council member and OSP Cyber

also the Bank of England’s first ever CISO on

Simply: if it matters to the Board and senior

security market, are increasingly blurred.” We spoke to Don Randall MBE, who is

Academy’s Brand Ambassador (Don Randall MBE),

Cyber Security. He emphasized that: ‘The key to

management, then it will matter to everyone else

Managing Director (Tommy McCarthy), and Chief

successful prevention, detection and subsequent

across the organisation.

Legal Advisor (Sandip Patel QC), we attended the

prosecution is to understand the motivation of

International Security expo evening reception at

the attacker. Primarily people commit crime for

the House of Commons, Westminster - the venue

three reasons. One is they need to, they’re cash-

that would also see the 3rd reading of the UK Data

strapped, poverty-ridden and in such a bad state

All Threats, all hazards

The Queen’s Speech to Parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

that the only way to go forward is to cross the line and commit a crime. The others are greedy, script kiddies who are in pursuit for peer recognition and want the power of the hacker, or those with an alternative motivation, the likes of terrorism.’ Addressing these motivations such as countering terrorism in the digital age increasingly forms part of the big data conversation– and how data is collected and used. “They will ruthlessly sell our details to loans and soft-porn companies but not give it to our democratically-elected government,” – Rt Hon Ben Wallace, The Minister for Security and Economic Crime, argued in a Sunday Times interview on 31st Dec 2017, that companies such as Facebook and Google made life too easy for

This relates to a warning to police staff as force fined GBP130k for losing rape victim interview. Photo Credit: UK ICO Twitter post., 6th Apr 2018

terrorists. The Minister’s interview comments came a week after Germany’s cartel office (FCO) issued a preliminary finding that Facebook is transferring data to third-parties and abusing its dominant position in the German market. The case is one of the first proceedings in today’s rapid technological progress, which combines the regulatory principles of data protection and antitrust law. Indeed, an increasingly complex web of these laws and cybersecurity laws, self-regulatory frameworks, best practices and business contracts govern the processing and safeguarding of information around the world, create new challenges for organisations. Day 4 - 3rd May – Data Protection by design, by default

This relates to a former employee of a Milton Keynes hospital trust, who has been prosecuted for accessing patient records without authorization. Photo Credit: UK ICO Twitter post., 23rd Apr 2018 Asia Pacific Security Magazine | 21

Cyber Security - A Cyber week in London Part II

From Left: Sandip Patel QC (OSP Cyber Academy Chief Legal Advisor), Ken McMillan (CEO Cap Badge Singapore), Peter Jones (CEO Nineteen Events International Security Expo 2018), Audrey Brown (M.D. Fuse Box), Admiral Lord West of Spithead GCB DSC PC (Chairman and former UK Security Minister), Thomas McCarthy (Managing Director OSP Cyber Academy). Photo Credit: OSP Cyber Academy.

Address by Chairman and former UK Security Minister, Admiral Lord West of Spithead GCB DSC PC.

context and purpose of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both a the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organization measures such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subject.” -

GDPR Article 25, Para 1, Data protection

by design and by default. “Data Protection by design, by default” considers data protection and privacy up-front, and proactively anticipates potential privacy invasion events – that is, practicing end-to-end security in the design and architecture of IT systems

Don Randall (right), Bank of England’s first Chief Information Security Officer, presented with Outstanding Security Performance Awards (OSPAs) on 1st March 2018 at The Royal Lancaster London. Left Rick Mountfield of SYInstitute, sponsor of the Lifetime Achievement Award, presenting the award to Don Randall.

GUEST SPEAKER: The Minister for Security and Economic Crime Rt Hon Ben Wallace MP, with Peter Jones CEO Nineteen Events (International Security Expo 2018). Photo Credit, International Security Expo .

The ICO has promoted privacy by design for years,

in the EU Data Protection Directive of 1995, retained

automatically protect personal data to meet the

and there’s plenty of guidance on our website.

in the GDPR, mean that organizations need to be

principles of personal data processing.

But in this context it means building data privacy

responsible and accountable for their processing of

and security into every part of your information

personal data.

processing, from the hardware and software to the procedures, guidelines, standards, and policies that

and business practices: Protect, Detect (initial

“Data Protection by design, by default” underpins accountability.

your organisation has or should have. – UK ICO Elizabeth Denham's speech at the

Accountability

of “legitimacy”, “proportionality” and “transparency”

22 | Asia Pacific Security Magazine

And, by default, the design and architecture of IT system and business practices should also

Recognising that 100% protection is neither practical nor effective, a risk-based approach – or tailoring protective measures to the risk of a processing activity - is central to “Data Protection This means building data protection in accordance with the risk profile of the operation.

Previously known as ‘privacy by design’, “Data

One example of how GDPR views this, is the

Protection by design, by default” has always been

requirements on “high-risk” activities.

part of data protection law. Under GDPR, it is now a legal requirement.

Accountability is not a new concept. Key principles

investigation) and Recovery (business continuity).

by design, by default”. Risk-Based approach

National Cyber Security Centre's CYBERUK 2018 event, Manchester Central, 12 April 2018.

analysis), Know, Response (e.g. incident reporting,

“Taking into account the state of the art, the cost of implementation and the nature, scope,

Data Protection Impact Assessment I hear and I forget, I see and I remember, I do and I understand - Confucius

A Cyber week in London Part II - Cyber Security

Specifically, before engaging in such an activity,

protection, including regimes of jurisdictions such

an organization may need to conduct a detailed

as EU, UK, Canada, Hong Kong, Australia and

privacy impact assessment – or “Data Protection

New Zealand, as well as the OECD Guidelines on

Impact Assessment” (DPIA).

the Protection of Privacy and Transborder Flow of

“Processing in particular using new

Personal Data, and the APEC Privacy Framework.

technologies” is considered a high-risk activity.

Since the introduction of GDPR, three public

Other high-risks activities under GDPR that

consultations had been conducted to seek

requires a DPIA are explicitly stipulated as follows:

feedback. A recent proposed change relates to how companies handle individuals' NRIC numbers,

A data protection impact assessment referred to

collects the physical NRIC or a copy of it.

in paragraph 1 shall in particular be required in the

NRIC (The National Registration Identity Card)

case of:

had been widely used in Singapore for a range of

a) a systematic and extensive evaluation of

activities by consumers, such as seeking medical

personal aspects relating to natural persons

treatment, borrowing books at the libraries, signing

which is based on automated processing,

up for restaurant promotions. PDPC acknowledged

including profiling, and on which decisions are

that, as “the NRIC number is a permanent and

based that produce legal effects concerning the

irreplaceable identifier which can be used to

natural person or similarly significantly affect

unlock large amounts of information relating to the

the natural person10;

individual, the indiscriminate collection and use of

b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 1011; or c) a systematic monitoring of a publicly accessible

individuals’ NRIC numbers is of special concern Consideration of Commons amendments to the Bill took place in the House of Lords on 21 May. Both Houses agreed on the text of the Bill and completes the final stage of Royal Assent when the Bill becomes an Act of Parliament on 23rd May 2018.

area on a large scale”. – GDPR Article 35, Para 3 – Data protection impact assessment

as it increases the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud”. The latest guidelines addressed this concern, and proposed that organisations should not collect,

This is the largest reported data breach of

use or disclose an individual’s NRIC number or a

local information to date. In September 2014, the

copy of the NRIC, except when it is required under

names, contact numbers and residential addresses

the law or when it is necessary to verify the identity

Within this DPIA there needs to be a risk analysis

of 317,000 customers were leaked by karaoke chain

of the individual.

with probability and impact of a data breach,

K Box Entertainment Group due to lax security

using an industry benchmark such as NIST, British

measures.

GDPR-ready for Singapore organisations

Singapore’s Personal Data Protection Act 2012

An organization that is not established within the

(PDPA)

EU, or does not have an establishment in the EU,

Standards International, or ISO. As with other risk assessments, mitigation or measures to reduce probability and impact is integral. However, if the residual risk remains high,

can still fall within the GDPR’s scope.

supervisory authorities need to be informed (and

Singapore’s Personal Data Protection Act 2012

block the activity if it is deemed that “the controller

(PDPA) came into force with the formation of the

location of the processing, as does the previous EU

has insufficiently identified or mitigated the risk.”)

Personal Data Protection Commission.

Data Protection Directive, but also the location of

For organisiations whose core activities include

As with the data protection acts in UK and

Specifically, GDPR not only considers the

the individual whose data is being processed.

substantial monitoring or processing of personal

EU, Singapore’s PDPA governs the collection, use,

data, and who are required to hire a Data Protection

disclosure and care of personal data. It recognises

data of data subjects who are in the Union by a

Officer (DPO), the DPO would provide advice on

both the rights of individuals to protect their

controller or processor not established in the Union,

if and how the DPIA should be conducted, risk

personal data and the needs of organisations to

where the processing activities are related to:

migration measures and outcomes, and help

collect, use or disclose personal data for legitimate

monitor on going performance of the DPIA.

and reasonable purposes. Enforcement actions had been taken against

Day 5 - 4th May – What does it mean for

organisations as well as individuals for lax cyber

Singapore?

security procedures, unauthorized access and failure to take reasonable security measure in

"Uber's breach has affected a significant number of users in Singapore. The PDPC takes a serious view

document disposals.

GDPR applies to the processing of personal

a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) The monitoring of their behaviour as far as their behaviour takes place within the Union. – GDPR Article 3, Para 2- Territorial Scope.

By regulating the flow of personal data

of data breaches and is investigating whether Uber

among organisations, ultimately, PDPA also aims

What does it mean for Singapore organisations?

has breached the data protection provisions of the

to strengthen Singapore’s competitiveness and

A Singapore e-commerce trader whose website is

Personal Data Protection Act (PDPA)."

position.

available in English and other European languages,

- Singapore Privacy watchdog, the Personal

and ships products to customers in the EU, is

Data Protection Commission (PDPC) said in Dec 2017, when it was reported that Personal

likely considered to be offering goods in the EU. A Development of Singapore’s PDPA

information of 380,000 people here, including

Singapore online behavioural advertising network or analytic company that processes personal data

names, e-mail addresses and mobile phone

The development of Singapore’s PDPA takes

of say, a Singaporean living in EU to offer tailored

numbers, were exposed when Uber was hacked.

into account international best practices on data

promotions is considered monitoring data subjects

Asia Pacific Security Magazine | 23

Cyber Security - A Cyber week in London Part II

“The most significant risks to individual's personal info are now driven by the use of new technologies” – Elizabeth Denham at Turing Institute as part of the Turing GDPR event. Photo Credit: UK ICO Twitter Post 23rd March 2018

communication speeds and falling costs of data storage and processing, innovations in the areas of mass data collection, automatic processing, and algorithmic programming give rise to fraud detection, behavioral analytics, ubiquitous surveillance and so on. Leveraging off technology for the legitimate interests and benefits for the customers and businesses promotes economic growth. Confidence and trust in the technology to securely capture, store and use information is essential to achieving this aim. GDPR focuses organisations towards achieving this aim. While there are certainly short to mediumterm costs for organisations to achieve compliance, data protection should also be seen as enabler of technological progress. Elizabeth Denham summed this up at her keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21st November 2016, “I wanted to make the point that I do not believe data protection law stands in the way of technological progress. The theme of my speech was privacy and innovation, not privacy or innovation.”

in the EU. In short, the territorial scope of GDPR means

Wrap-up - Privacy and Innovation

that a Singapore organisation that shares data or sells products and services within the EU, or

On 4th May 2018, UK ICO issued an order requiring

process data subjects in EU will be subjected to

SCL Elections, the British affiliate of Cambridge

GDPR. Moreover, as GDPR requires EU data

Analytica, to turn over all of the data it collected

controllers to only appoint GDPR-compliant

about a US-based academic David Carroll, or face

processors, any Singapore organisation that provide

criminal charges.

data processing service to data controllers within the EU will need to ensure it is GDPR-ready.

24 | Asia Pacific Security Magazine

Sheer processing power and ‘big data’ are accelerating technological capabilities. With high

A Cyber week in London Part II - Cyber Security

OUR MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Your one-stop shop for all things CCTV, surveillance and detection technologies

The regionâ&#x20AC;&#x2122;s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 30 interviews and provides regularly updates, news, trends and events. Available via Apple & Android

E TUN IN ! NOW

Asia Pacific Security Magazine | 25

Cyber Security “Forging a Trust and open Cyberspace” was the theme of the Singapore International Cyber Week 2018, held at SunTec Singapore Convention & Exhibition Centre, 18th – 20th September 2018. Photo Credit: Cyber Security Agency of Singapore – Governmentware 2018

Internet of Threats

By Jane Lo ASM Correspondent

The Fourth Industrial Revolution characterized

Asia, (19th-20th September, Marina Bay Sands

IoTroop/Reaper infected Cisco, TP-Link routers,

by billions of interconnected devices with

Expo & Convention Centre), we learn more about

web cameras.

unprecedented processing power and storage

outages and denial-of-service, breach of digital

capacity underscores the digitalisation wave

data and other threats.

sweeping through modern societies.

The symptoms of the infection were not obvious - many users may not even be aware that their devices were compromised and participated in

The Mirai worm and other case studies

a botnet attack.

health wearables, home security cameras are

Mirai was identified as the malware that matched

– only, for example, mere inconveniences from

becoming increasingly common. Beyond this

the tactics, techniques and procedures in the Dyn

completing an Amazon transaction.

diverse collection of consumer devices are

attack, compromising hundreds of thousands of

commercial applications such as specialised

devices - home routers, security cameras, baby

medical or smart logistics equipment. And

monitors – and bringing down the web in 2016 for

interacting with these devices include cloud

about 8 hours.

Devices such as smart appliances (TVs, refrigerators) connected to our phones,

and cellular technologies powering the digital connectivity.

Some may argue there was no real damage

Mirai brute-forced logins to these devices

But in some cases, there are genuine safety threats. Kaspersky Lab (Natalia Khudoklinova), at Internet of Things World Asia, pointed to a pacemaker manufacturer recalled by the FDA (The

using dictionary attacks, exploiting simple default

Food and Drug Administration) in 2017, which

password settings on devices. Breached devices

revealed that almost half a million devices contain

devices introduces a dynamic and vast cyber

became equipped with the malicious program

potential cyber-security issues.

network. What’s more, the increasing density

and in turn scanned for new victims to be similarly

opens additional entry points for malware to

infected. And so, victim devices carrying the

user could "access a patient's device using

establish foothold and facilitates the spreading

malware multiplied, spreading the infection through

commercially available equipment" and could

of infection.

the cyberspace.

"modify programming commands to the implanted

The rapid expansion of interconnected

In this set-up, voluminous digital data poses

Crossing borders and jurisdictions, the infection

If left unpatched, the FDA said an unauthorized

pacemaker, which could result in patient harm

privacy issues. Security of the infrastructure

effectively built a botnet army from which the actual

from rapid battery depletion or administration of

is also a concern. These risks associated with

denial-of-service attacks were launched. This

inappropriate pacing."

interconnected devices or internet-of-things

botnet attacked by sending exhaustive requests to

(IoT) are also known as the “Internet of Threats”.

Dyn’s data centres to jam the servers’ bandwidth,

endpoints and telecommunication equipment often ignore the basic principles of cybersecurity”.

Exploits of IoT brings disruption. At the

rendering them inaccessible. Ultimately, the failure of

Singapore International Cyber Week (18th- 20th

these servers to respond to legitimate requests shut

September, SunTec Singapore Convention &

down 80 websites, including Amazon and Google.

Exhibition Centre) and Internet of Things World

26 | Asia Pacific Security Magazine

A year later, a more sophisticated worm

Kaspersky Lab said “the manufacturers of IoT

These included: “devices are provided with preset passwords”, “network security configurations are weak” and “device software is not always

Cyber Security

Identifying unknown IoT devices and anomalous traffic The recent NIST’s “Draft Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks“ highlighted that “an authorized administrator, process, or device can directly access a conventional IT device’s firmware, operating system, and applications, fully manage the device and its software throughout the device’s lifecycle as needed, and monitor the internal characteristics and state of the device at all times”. “In contrast, many IoT devices are opaque, often referred to as “black boxes.” They provide little or no visibility into their state and composition, including the identity of any external services and systems they interact with, and little or no access to and management of their software and configuration.” “The organization may not know what capabilities an IoT device can provide or is currently providing. In extreme cases, it may be difficult to determine if a black box product is actually an IoT device because of the lack of transparency.” Understanding vulnerabilities requires identifying the devices on the network. Without a doubt, the dynamism and rapid growth of IoT networks makes this an extremely tricky task. At the Singapore International Cyber Week, we spoke to the team behind NUS-Singtel Cyber Security Research & Development Laboratory’s, which is developing a security platform that allows service Internet of Things World Asia, 19th-20th September 2018, Marina Bay Sands Expo & Convention Centre. Photo Credit: TechXLR8 Asia

providers to monitor, detect, and mitigate threats and unusual cyber activities in the IoT network. With the Zero Touch profiling, powered by Device Fingerprinting Technique (DEFT), and IoT security analytics capabilities developed by the team, potentially thousands of IoT devices connected to the network could be identified and tagged. Anomalous traffic originating from and targeting these devices can be monitored and tracked, and unfamiliar devices are flagged to security analysts for investigation.

“Elementary security mistake” - weak passwords The UK government recently released a “Secure by Design: Improving the cyber security of consumer Singapore International Cyber Week (SIWC) 2018. Opening address by Guest-of-Honour Mr. Teo Chee Hean, Deputy Prime Minister and Coordinating Minister for National Security, Singapore. Photo Credit: SICW 2018

Internet-of-Things Report”, focusing on the “Code of Practice for Industry on Consumer IoT”. One of its key proposals is “No default passwords – All IoT device passwords must be

updated, meaning devices run for years without

the safe execution of IoT system tasks, Kaspersky

unique and not resettable to any universal factory

updates and remain vulnerable to cybercriminal

Lab added.

default value”.

activity.” The need for IoT cybersecurity standards is

Often, complicating the challenges is that

It said: “many IoT devices are being sold

IoT devices run on processors that can cost a

with universal default usernames and passwords

clear. Standards bodies will need to classify IoT

mere fraction of a standard laptop – but unlike a

(such as “admin, admin”) which are expected to

security issues, examine potential threats, and

laptop, IoT devices do not have the memory and

be changed by the consumer. This has been the

determine how cybersecurity measures can support

processing to be secured properly.

source of many security issues in IoT and the

Asia Pacific Security Magazine | 27

Cyber Security

“user didn’t change the default password” story”. “Modern life depends on properly functioning IoT devices that are available when you need them, have integrity so you can trust them, and are confidential so they aren’t haring critical data with the wrong (nefarious) people. These basic principles of security were overlooked in the development of most IoT devices”. “Elementary security mistakes like allowing brute force attacks, default (sometimes hardcoded) admin credentials, allow operators can to launch an attack that takes out global Internet infrastructure”.

“Concerted Efforts” The complexity of IoT with the sheer number and variety of service providers, devices, firmware and software raises questions: To what extent can security control be shared? If something goes wrong, who’s responsible for the real-world effects? The role of standards, trust labels, regulations play a role in setting out a framework. For examples, the EU Cybersecurity Certification practice needs to be eliminated. Best practice

gain access to movements of these critical public

Scheme, the NIST draft Considerations for

on passwords and other authentication methods

services vehicles.

Managing Internet of Things (IoT) Cybersecurity

should be followed.” F5 Networks, Inc (Justin Shattuck, Principal

“We knew their routes to and from work, could watch as they responded to dispatch calls, and

and Privacy Risks highlight the considerations in establishing cybersecurity and privacy baselines.

Threat Researcher), at the SICW Internet of Things

could learn their patrol patterns. We could use

Security talk, highlighted the extreme vulnerability

sensitive information in the device configuration to

be deployed by 2020, the urgency to implement

of many emergency services vehicles due to use

infiltrate the networks these devices connected to,

security controls cannot be greater. This,

of onboard devices where security weaknesses

and possibly manipulate data. In the wrong hands,

Kaspersky labs said, required “concerted efforts”

– specifically through default login / password -

the information could be deadly.”

from “end device manufacturers; telecom device

expose sensitive details such as GPS coordinates. From tracking vehicles in real-time to identifying

Crucially he said “exploiting these devices is

With estimates of billions of IoT devices to

manufacturers; vendors of the basic hardware for

not done through a typical hardware or software

IoT and telecom devices; telecom service providers;

residential address in precincts where police

vulnerability. There is no weakness in the software to

application service providers in the IoT sphere;

officers took their vehicles home after shift end,

exploit. There’s no hacking of the hardware. This is a

system integrators working in the sphere of IoT and

external parties monitoring the GPS coordinates

weak admin user authentication exploit—the age-old

connected devices.”

28 | Asia Pacific Security Magazine

Cyber Security

Cyber Security Forum E

By Jane Lo ASM Correspondent

arly in July this year, the Maltese Parliament

of past incidents that shocked the world – such as

to cost constraint so confidential data was

passed 3 bills into law and established the

Snowden, Michael Scerba and Falcianis.

being stored on personal assesses without

world’s first regulatory framework for Distributed

He explained the case of an entity in Malta,

appropriate policies

Ledger Technology (DLT), such as cryptocurrency

which faced challenges that were not unique to

businesses (including exchanges) and virtual assets.

other organisations: “IT working in silo, pursuing

“In some cases, CIOs lack business training so

projects which the business didn’t really require”,

they are unable to view cyber threats not simply as

(MDIA Act) establishes the Malta Digital Innovation

and issues such as “silos, fear, comfort zones, weak

technical requirements but as critical risks issues”,

Authority to certify DLT platforms to ensure

communication”, and demotivational factors such

he said.

credibility and provide legal certainty to users;

as “poor visibility of career paths”.

(The Malta Digital Innovation Authority Act

The Innovative Technology Arrangement and

“Threats can be induced through complex

“De-siloing security issues” and “fusing business and ICT to leverage disruptive change

Services Act (ITAS Act) deals with the setting up

bureaucratic procedures” and the organization

as an opportunity to secure the organization”

of exchanges and other companies operating in

cultural challenges led to “repercussions on

brings the CIO out of a firefighting role and into the

the cryptocurrency market; and the last bill, Virtual

security”, he said. These included:

business’ front line of cyber security strategists.

Financial Assets Act (VFA Act), establishes the

•

regulatory regime governing ICOs, cryptocurrency exchanges, wallet providers). As Malta sets its ambition to become the goto location for startups and an innovation-driven

Log files managed and modified by one

Similarly, training for the business is also

administrator

necessary to align IT investments with business

•

No business continuity, no off-site replication

strategy.

•

Hardware assembled in-house lacking agility

•

Teleworkers not provided with a laptop due

economy, it also understands that security plays an important part in transforming into a digital society. “Security is there to facilitate the business, not to work against it”, stressed Ronald Psaila, CIO within the Public Service of Malta, at the Marcus Evans’ Cyber Security Forum: Data Governance and Transformation Success (Hilton Hotel Singapore 8th-9th Oct). In embedding security into technological solutions, Mr Psaila pointed out “most of the challenges are not related to technology but to social relationships, lack of security awareness, poor strategic vision and ambiguous reporting structures”. In particular, he said, “we tend to focus a lot about technology and forget to think about the people”. This approach is highlighted in examples

Asia Pacific Security Magazine | 29

Cyber Security

Robotics – Growth and Opportunities

n October 2017, Sophia, created by Hanson Robotics using robotics and artificial intelligence, made waves in the news as the first robot to

agriculture, construction and mining”.

By Jane Lo ASM Correspondent

Robotics Landscape in Singapore

“The global robotics market is expected to reach USD 50 billion in total revenues in 2018,

“Singapore today has a growing base of robotic

receive citizenship in the world.

inclusive of hardware, software and services. By

companies, research institutes, commercial system

Since its activiation, Sophia had appeared in guest

2021 the market will nearly double reaching USD 90

integrators and training providers to design,

appearances and interviews, including on CBS

billion.”, ABI Research elaborated.

develop and enable adoption of robotics solutions

60 Minutes, The Tonight Show, and the cover

“This is all very disruptive but also very

to support our industry transformation.”, Dr Koh

of ELLE Magazine Brasil. With over 50 different

exciting, as disruptive innovations bring with them

Poh Koon (Senior Minister of State for Trade and

facial expressions, Sophia is capable of natural

opportunities for growth”, said Mr Leck Chet Lam,

Industry), said at his Opening Remark.

conversations – and hopefully more – keeping

Managing Director, Experia Events, at co-organiser

company for the elderly or assisting with crowd

of SIRE 2018.

management at large events or parks. Sophia is one instance of investment focusing on social robots.

Global Robotics Market “Industrial and commercial robots account for half of all investment, driven predominately by

“That is why we chose the theme of “Riding Opportunities in Exponential Change””, he said,

“One example is in the manufacturing sector. Last year, we saw a record number of over 4,400 new industrial robots installed in Singapore, an increase of 72% since 2016”.

for the third edition of a robotics-centric platform,

“We also saw a record number of more than

SIRE 2018. “The strong growth in the Asia Pacific

300 SMEs across a wide range of manufacturing

region has reinforced the position of SIRE as a key

sectors adopting robotics and automation as part

platform for the robotics and automation sector to

of their transformation journeys, with promising

respond to rising demand.”

results.”, he said.

Indeed, the SIRE brand, "機" (pronounced "ji"),

As part of this transformation journey, the

autonomous mobile robot and healthcare robotics

meaning both "machinery" and "opportunity",

National Robotics Programme (NRP) was launched

systems”, according to ABI research at the

reflects the great potential in the application of

in 2016 to coordinate the development of advanced

Singapore International Robo Expo 2018 (SIRE

robotics across various sectors and unlocking many

robotics technology, test-bedding and finally to

2018, 1st – 2nd Nov 2018, Marina Bay Sands

opportunities for business success.

licensing and commercialization.

Convention Centre). There are also “opportunities in

30 | Asia Pacific Security Magazine

Under this programme were robotic solutions

groups, the Singapore Maritime Cluster is a key

•

“With the introduction of AI and decreasing

enabler of economic growth and “Autonomous

sensors cost, Robots will eventually interact

Systems & Robotics” is a key theme to creating an

with one another and work safely alongside

enabling environment for innovation in this sector.

humans in collaboration. These collaborative robots will see a reduction in cost and have

“Robotics can be a Singapore success story”

a greater range of capabilities than those currently used in manufacturing today”.

Mr Terence Tan (President of the Singapore Industrial Automation Association, SIAA), pointed out some benefits at his Welcome Address:

•

“Technology is transferrable, solutions are portable and can be adapted to address issues in the different sectors”.

•

“Robotics is also a multi-platform enabling tool that is particularly useful to drive Industry

“Robotics can be a Singapore success story and

Transformation Roadmaps - to enhance

we are well on our way to reaching that goal.” said

developed by Singapore University of Technology

productivity, create new jobs and skillsets to

Mr Terence Teo, President, Singapore Industrial

and Design (SUTD) with support from the National

empower business innovation.”

Automation Association (SIAA).

Robotics Research & Development Programme Office (NR2PO). With intelligent and automated reconfiguration that replicate human elements of adaptability and reactivity, these robots demonstrate clear improvements over earlier generation models. At “Symposium 1: Robotics Landscape in Singapore and Beyond”, Mr Su Lian Jye (Principal Analyst, ABI Research) said that while the key trends in Singapore centre on Cognitive Robots, Robots Uncaged, Robots as a service, there is also a strong focus on healthcare robot, driven by the government of Singapore with partnership across the board with healthcare institutions, robotics suppliers, academia and government agencies. At “Symposium 4: Public Sector Lead-Demand for Robotics Solutions”, the public sectors shared their challenges and demand-driven requirements for robotics and automation. One example was the Maritime sector. Connected to 600 ports worldwide in 123 countries, home to more than 140 of the world’s top shipping

Asia Pacific Security Magazine | 31

Cyber Security

Sing FinTech 2018

echnology has always played a major role

data governance, applied research, platforms for

in financial services, but today’s dramatic

innovation underpinned themes discussed across

transformation giving customers quicker,

By Jane Lo ASM Correspondent

And working with companies in the health and medical technology space could achieve that.

70 sessions at the festival (AI in Finance; ASEAN

In the area of Cybersecurity, we spoke to AIG’s

cheaper and smarter solutions has been

FinTech Opportunities; Cyber-Security, TechRisk

Sheri Wilbanks (Global Innovation Lead, AIG Client

enabled by the open-source accessibility of

and RegTech; Financial Inclusion; Future of

Risk Solutions) to understand CyberMaticsSM.

technology and declining costs of regulations.

Banking; Future of Money; Global Investor Summit;

These solutions along with the latest thought

InsurTech and Market Infrastructure).

leadership in Financial Technology or “FinTech”

Amongst the highly anticipated debates (Will

This technology-driven process combines verified client data with AIG’s benchmarking and analytics to provide tailored insights on the client’s

in short, were highlights at the third edition

physical cash be replaced? How do innovations

organizational cyber strategy performance. Specific

of the Singapore FinTech Festival (12-14th

help the underserved and the unserved? How

client information is periodically collected by one of

November) held at the Singapore Expo.

important are partnerships? What are the

AIG’s security partners and matched with the data

regulatory and security considerations in the

AIG has accumulated over 20 years of experience

pavilions, close to 45 thousand participants

business case for migrating to Cloud? What are

in global cyber underwriting. The result is an overall

from 130 countries, and over 250 speakers -

the challenges in payments regulations and how do

cyber security maturity score measured against

including Narendra Modi, Prime Minister of

the goals – stability, safety, consumer protection,

10 common attack patterns (e.g. DDoS, PoS

India, and Christine Lagarde, Managing Director

AML and risk management – impede innovations?),

intrusion) and across 11 asset groups (e.g. servers

of the International Monetary Fund - the event

here are the emerging themes that we see from the

& applications, critical IoT) – which can ultimately

promised to be the biggest FinTech event in the

conference this year:

help AIG’s clients reduce the likelihood of a cyber

With 450 exhibitors, 16 international

world to date. “Innovation and technology are key to

InsurTech (or Technology in the Insurance Sector) – Many associate FinTech with innovations

incident and potentially improve future policy terms. Blockchain and ASEAN– With the 6th largest

realising this future. But they are not enough.

focusing on the banking sector; the wide-scale

economy worldwide in 2017 and projected to be the

We need a FinTech ecosystem to make this

uptake and adoption of big data, AI by insurance

4th largest market after EU, US, China by 2030, and

happen. And growing this ecosystem is what

companies had been slow due to regulations

a population of 630+ million, ASEAN also needs to

we have been hard at work for the last 3-4 years

and legacy business models. But one area where

keep innovating to maintain competitiveness.

in Singapore with private and public sector

insurance companies are seizing the benefits of

coming together in collaboration.” said Ravi

innovations is reducing the costs overhead incurred

how ASEAN could redefine from a market and

Menon Managing Director, Monetary Authority

in processing claims.

production base for goods to becoming a generator

of Singapore (MAS) on the Opening Day of the festival.

What’s new This ecosystem - people, identity, payments,

32 | Asia Pacific Security Magazine

But as clients increasingly expect the fullservice experience, insurance companies recognize

Blockchain application is an example of

of ideas Brad Garlinghouse, Chief Executive Officer

they need to move from a payer to a client partner;

of Ripple, which runs modern payment solutions

in other words, from merely underwriting and

on Blockchain, highlighted that regulatory clarity

collecting a premium and compensations, to

has the advantage of driving blockchain adoption,

providing prevention solutions.

and, “in ASEAN, the regulatory environment for

blockchain and digital asset technology is clear” and “several countries have contributed to this, including Singapore, Thailand and the Philippines”. “In particular, Thailand has introduced a framework that balances consumer protection with innovation. It legalizes several digital assets, including XRP, and provides clear and explicit guidelines for outside blockchain companies to operate.” Additionally, one of the most pressing customer pain points in ASEAN is remittances. “The Asian markets received $130 billion in inbound remittance payments last year alone. They are expensive, and the market is ripe for adoption of new technology, like blockchain, to drive costs dramatically lower,” he said. “We see a high degree of pain in cross-border payments in terms of how long it takes, how much it costs and the surprising lack of transparency in each transaction.”

InsurTech panel. Photo Credit: Singapore FinTech Festival. Dr. Tom Ludescher, CEO Asia & EMEA, Entsia International Alex Schmelkin, Chief Revenue & Marketing Officer, Unqork Teo Peiru, Chief Executive Officer, KeyReply Pte Ltd Rohan Kumar, Chief Executive Officer and Co-founder, Toffee Insurance Moderator: Ian Pollari, Head of Banking, Australia & Co-Head, Global FinTech, KPMG Australia

“We see this in ASEAN, in particular, because this region has been left behind by the correspondent banking network. Banks like Siam Commercial Bank (SCB) are moving aggressively to address this need, embracing digital asset and blockchain technology to solve these problems. SCB now serves as next-generation hub, a regional clearing partner on the network, to improve connectivity and coverage across these underserved areas. The bank is also able to make payments into the region faster with lower costs and greater transparency.” He also said “Blockchain and digital assets also solve for problems sourcing liquidity for cross-border payments. Today, approximately $10 trillion sits parked around the world in pre-funded accounts to enable these transfers. Ripple’s network leverages this powerful new technology to make cross-border exchanges work without the pre-funded accounts. By unlocking this capital, Ripple is helping to accelerate the global engine of commerce in a way that’s good on a remittance level for corporations and consumers throughout the region, and around the world.” Data Governance, Privacy and GDPR – GDPR which came into force on May 25th 2018 was a “good wake up call” to remind organisations to “walk the fine line between data privacy, customer privacy and innovation”, some speakers stressed. As data is foundational to transforming financial services, inevitable questions on data security arise: how are the rights of the data subjects - “Right To Be Forgotten” - recognized in Blockchain, where transactions history is tracked in the immutable ledger of records; how should data transfers and sharing with third parties such as in the Cloud be managed, even after clients consent are given, to safeguard data subject rights? Data governance is critical to ensure the free flow in the innovations while at the same

Asia Pacific Security Magazine | 33

Cyber Security

time preserve privacy and security. While data localization is an easy solution, it may stifle innovation. Ravi Menon, MAS managing director, said: “MAS has been actively working with the industry to develop principles to guide the responsible use of data in financial services, and has released a set of principles to promote Fairness, Ethics, Accountability & Transparency, or FEAT, in the use of Artificial Intelligence and data analytics.” “On the international front, we need more data connectivity and less data localisation. This is a key challenge for the technology community to solve together with policy makers – how to enhance data connectivity while taking into account the issues of data sovereignty.” “We need more common data standards across countries so that data can flow freely Ravi Menon, Managing Director, Monetary Authority of Singapore. Photo Credit: Singapore FinTech Festival.

in an environment of trust and security. In the digital economy of the future, data connectivity

Christine Lagarde, Managing Director of the International Monetary Fund Photo Credit: Singapore FinTech Festival.

agreements among countries will become as important as today’s free trade agreements.”

Finally on Artificial intelligence (AI) … There are already several credible business use cases where AI had been deployed – providing personalized VIP experience, fraud detection, claims processing, credit assessments, threat hunting in Cyber Security - driving revenue and at the same time operational efficiency. In “The Future of Financial Services”, Jessica Tan (Deputy Group Chief Executive Officer, Chief Operation Officer, Ping An Insurance (Group) Company of China), predicted that AI innovations would power on with additional business scenarios and real-life data, after overcoming the challenge of computing power in the 1970s, and the lack of data in the 1980s. Future of Money - Challenges in Payments Oversight & Regulation Panel Klaus M. Löber, Head of Oversight Division, DG Market Infrastructure and Payments, European Central Bank Ayman Hussein, Sub Governor, Payment Systems & Business Technology, Central Bank of Egypt Ong Chong Tee, Deputy Managing Director, MAS Sharon Yang, Acting Deputy Assistant Secretary, International Financial Markets, US Department of Treasury Moderator: Santiago Fernandez, Head of Financial Systems and Regulation, BBVA

So, how will AI disrupt Financial Services? “In financial services, technology is changing the way work is done, and how services are delivered and consumed,” Mr Ong Ye Kung, (Minister of Education and MAS' Board Member) said at last year’s launch of the industry transformation map (ITM), which aimed to create 4,000 net jobs annually till 2020 across investment advisory, risk modelling and artificial intelligence. “The competitive landscape gets shaken up, workers find themselves needing new skills in order to stay relevant, and regulators need to respond to new risks as well as opportunities.” Indeed, that the disruption by artificial intelligence will re-define some jobs and help people do their jobs better, summed up the pragmatic views of many at the festival.

34 | Asia Pacific Security Magazine

Quote “BKYA” for additional 15% discount off conference passes

9 MAIN CONFERENCE: 26 – 27 March 2019 Centara Grand & Bangkok Convention Centre at CentralWorld, Bangkok, Thailand PRE-CONFERENCE WORKSHOPS: 25 March 2019

700+ ATTENDEES

120+ SPEAKERS

NETWORKS VIRTUALISATION

WHOLESALE

TELCO 4.0

40+ SPONSORS 5G

IOT

EARLY CONFIRMED SPEAKERS INCLUDE

Natasak Rodjanapiches Vice Chairman, Creative Digital Economy

Erik Meijer

Jacqueline Teo

Matthew Sturgess

Tony Zameczkowski

Strategy GPM, Group Innovation

Chief Digital Officer HGC Global Communications

Head of Asia Pacific Verizon Digital Media Services

Vice President of Business Development, Asia Netflix

Deutsche Telekom

Board of Trade of Thailand

Frank Sliwka

Sri Safitri

Wing Lee

Pedro Uria-Recio

Saiful Hidayat

COO Asia

Senior Advisor – Chief Innovation & Strategic Portfolio Office

CEO

Vice President, Head of Analytics

Director of Telkom Group Transformation Project

Axiata

Telkom Indonesia

ESL – Turtle Entertainment

YTL Communications

Telkom Indonesia

TO SPEAK, CONTACT

TO SPONSOR, CONTACT

Yun Xuan at +65 6322 2703 yunxuan.koh@terrapinn.com

Taj Marhim at+65 6322 2722 tajuddin.marhim@terrapinn.com

terrapinn.com/conference/telecoms-world-asia/ Asia Pacific Security Magazine | 35

Cyber Security

By Jane Lo ASM Correspondent

CISO Elite Asia 2018 (“Data Breach – Walk with Privacy, Security & Trust in a changing regulatory landscape, moderated by Verizon Threat Research Advisory Centre, Ashish Thapar). Photo Credit: CISO Elite Asia

7 Data Breach Highlights

he focus on the protection of data against

often with zero notice. Investigation the source of a

requirement by other jurisdictions lead to less

misuse, hacking, inadvertent human error

data breach or issue, contain it, verify the extent of

breaches is not clear. Ultimately, regardless of the

continues to grow as innovations such as

losses and—most importantly—limit the impact is

hard requirements, taking proactive measures and

Artificial Intelligence, Biometrics, Big Analytics

important. Plan now for the unexpected, test and

instituting robust controls are evidence that data

become more widely tested and adopted.

adapt as the organisation evolves.

protection is taken seriously. Most importantly,

Reflecting on the increasing importance of

embed the mindset to “plan for the worst, hope for

Rasa Sentosa Report and Spa Singapore, “Data

2.One of the challenges facing organisations is striking the right balance between harnessing new technologies and addressing data protection concerns. There is no easy

Breach – Walk with Privacy, Security & Trust in a

answer as data breaches continue to be a threat.

changing regulatory landscape) and ARiMI (Asia

The Verizon Data Breach Investigations Report 2018

4.Industrial Revolution 4.0 and the Internet of things enable the production and recording of voluminous data about consumer interaction and usage. There is yet not much transparency

Risk Management Institute) Risk Innovation Forum

(DBIR) cited that the 9 incident patterns identified

in how the data is being used for, with whom they

(Oct 25th 2018, Grand Copthorne Hotel, “Privacy,

in 2014 that still hold true today – such as Denial of

are being shared, or what securities are in place to

Security & Reputation - The Risk Management

Service, Payment Card Skimmers, Privilege Misuse,

protect the data. But basic steps can be taken to

Challenges posed by IoT & AI to Data Ownership

Cyber-Espionage.

guard against potential breaches such as regular

this topic, panels at two forums dived into the implications and challenges of data breaches: CISO Elite Asia 2018 (Oct 24th – 25th 2018, Shangri-La

and Protection and the Need for Regulations to Protect Business Relationships”). We gathered here the 7 highlights from the forums:

1.Incident response is as important as defense. Data breach events happen fast and

36 | Asia Pacific Security Magazine

the best”.

reviews of privacy settings on social media, being

3.Fragmented legal and regulatory landscape can encourage organisations to seek the “best” jurisdiction for certain business activities. Closing the gap may not necessarily

selective about the apps installed on phones,

lead to desired outcomes; for example, whether

5.Real-life case studies, such as the recent Sing Health incident, underscores the

adopting EU’s mandatory breach reporting

keeping anti-virus software up to date, encrypting sensitive data.

ARiMI Risk Innovation Forum ( “Privacy, Security & Reputation - The Risk Management Challenges posed by IoT & AI to Data Ownership and Protection and the Need for Regulations to Protect Business Relationships”), moderated by Jane Lo (Correspondent, MySecurityMedia) Photo Credit: ARiMI

importance of data protection when it comes to sensitive personal data. One example is

to mitigating and responding to data breach incidents. UK ICO (Information Commission

cybercriminals are motivated by cold, hard cash.

the NRIC (The National Registration Identity Card),

Office)’s Elizabeth Denham, issued the statement,

you, they will. That could mean stealing payment

widely used in Singapore when seeking medical

upon issuing the largest fine, £400,000 to TalkTalk :

card data, personally identifiable information or your

treatment, borrowing books at the libraries and

“Today’s record fine acts as a warning to others that

intellectual property. And they don’t care who they

other activities.

cyber security is not an IT issue, it is a boardroom

take it from. Ignore the stereotype of sophisticated

issue.”

cybercriminals targeting billion-dollar businesses.

PDPC (Personal Data Protection Commission –

If there’s some way they can make money out of

Most attacks are opportunistic and target not the

responsible for regulating organisation’s compliance

Tone-from-the-top includes the sign-off for

wealthy or famous, but the unprepared”, according

with the Personal Data Protection Act “PDPA”)

regular Data Protection Impact Assessments and

to the Verizon DBIR.

acknowledged that, as “the NRIC number is a

mandatory appointment of a Data Protection Officer.

permanent and irreplaceable identifier which can

An “all threats all hazards approach, where risks are

be used to unlock large amounts of information

quantified with likelihood and impact measurements

relating to the individual, the indiscriminate

is an industry best practice to prioritize mitigating

collection and use of individuals’ NRIC numbers

controls. Having a clear communication plan with

is of special concern as it increases the risk that

internal and external stakeholders can play a major

the NRIC numbers may be obtained and used for

role in maintaining the organization's reputation and

illegal activities such as identity theft and fraud”. It

minimizing the financial impact of a breach.

has recently issued guidelines for organisations on handling NRIC.

6.Cultural aspects including Tone-from-thetop, and effective communication are keys

7.Each person attaches different levels of sensitivities to their own personal data and everyone needs to play their part in managing the risk of data breaches. “Most

Asia Pacific Security Magazine | 37

DroneZone D O W N U&N Unmanned D E R A N D D RSystems ASTICNEWS . COM

DRONE ZON E

CONFERENCE & SEMINAR PROGRAM FRIDAY 1 â&#x20AC;&#x201C; SUNDAY 3 MARCH Friday 1 March

DroneZone RPAS Conference

0900 - 1100 1100 - 1400 1430 - 1630

Drones for Industry (Mining, Resources & Construction) Drones in Agriculture (Heavy Lift Drones & Precision Farming) Drones for Local Government (Parks, Property & Maintenance Inspection)

0930 - 1130

Drones in Search & Rescue (Oceans, Mountains & Beaches)

Room 4

Friday 1 March

Responsive Drones & Robotics Conference

Room 6

0930 - 1130 1200 - 1300 1330 - 1500

Robotics 2025 and Beyond (Whatâ&#x20AC;&#x2122;s the future) Responsive Drones (For a secure workplace & society) Robotics, Artificial Intelligence & Human Convergence (+ VR- AR)

Saturday 2 March DroneZone RPAS Conference

Room 5

0900 - 1100 1100 - 1400 1430 - 1630

Drones for Film & Photography (Flying the Lens - Masterclass) Drones in Agriculture (Field Mapping & Harvest yield) Drone Pilot Training (CASA Licensing & Registration)

0930 - 1130

MRO for Drones (Safety & Repairs)

Room 4

1200 - 1300

Starting your Drone Business (Tips for entering the industry)

Room 4

The Responsive Drones & Robotics Conference is a joint initiative of Room 6 DRASTICnews.com and the DroneZone DownUnder Showcase.

Saturday 2 March Robotics & Robots at Home & School 1000 - 1100 1130 - 1230 This is 1300 - 1400

Buying a Robot (What and where to buy) Study Robotics (TAFE & Universities) opportunity to be part of a special exhibition Play with Robots (Science & Games clubs)

an and distribution of a cobranded print and digital edition for primary online websites and media centres RPAS Conference Room 5 Sunday 3 March DroneZone across the Avalon International Airshow 2019 0930 - 1130 1200 - 1400 1430 - 1630

Drones for Film & Photography (Flying the Lens - Masterclass) Drone Pilot Training (CASA Licensing & Registration) The Responsive & Robotics Conference DRASTICnews. Drones for Sport Drones & Recreation (Drone Racing &and Sports Entertainment) com will receive additional promotional and marketing exposure via

Sunday 3 March Robotics & Robots at Home & School Seminars

Room 6

www.airshow.com.au Buying a Robot (What and where to buy) Study Robotics (Secondary, TAFE & Universities) www.dronezonedownunder.com.au Play with Robots (Science & Game clubs)

1000 - 1100 1130 - 1230 1300 - 1400

& channels of www.mysecuritymedia.com

For more information visit our website: www.dronezonedownunder.com.au or contact Rodd Craig - M: 0457 848 104 E: rcraig@amda.com.au

www.airshow.com.au

019 is organised by Aerospace Australia Limited (ABN 63 091 147 787). A not-for-profit corporation limited by guarantee and registered as a charity, its mission is to aviation and the development of Australia's industrial, manufacturing and information/communications technology resources in aviation, aerospace and defence. 38 | Asia Pacific Security Magazine

D R ON E ZON E

DOW N UND ER

AND

D RASTICNEWS . COM

Trade promotions, started with Farnborough UK Airshow followed by: Aviation AIA Conference, 30 -31 July D & I Conference & Dinner, 1 -3 August Land Forces Expo & Conference, 4- 6 September IAC, 1- 5 October AUSA, 8- 10 October Euronaval, 22-26 October UK Security Expo, 28-29 November

Nelson New Zealand Canberra Adelaide Bremen, Germany Washington USA Paris London

Receive exposure across 160,000+ visitors to the show and the 10,000+ visitors through the DroneZone including industry, federal and state governments and international buyers.

Frontline

Many modes of supply chain attacks

I Tony Campbell ASM Correspondant

t’s no secret that cyberattacks are on the rise. Furthermore, the threats posed by hacking and systems exploitation don’t exist in isolation in your technology platforms. More often than not, it’s easier for attackers to target your downstream suppliers and/or service providers, since you are likely to trust their products and services as being safe and secure. These sorts of attack are known as supply chain attacks and there are several modes of attack threat actors use to disrupt or compromise their targets. Let’s explore those modes of attack to give you an appropriate threat model to help you build resilience into your organisation’s supply chain. Physical Supply Chain Attacks On June 9th, 2010 in a remote outpost of the Punjab in Pakistan, the local Taliban militia claimed responsibility for an attack against a truck depot on the outskirts of Islamabad. The attack saw the destruction of 60 trucks, where some of those vehicles were carrying NATO supplies for troops based in Afghanistan. The motive, in this case, was service disruption. It is evident that the intent was to harm NATO’s capability, since the attackers didn’t try to hijack the convoy, destroying the cargo in the hope that their actions would reduce NATO’s capability to engage them in battle in Afghanistan. In the world of cyber security, physical attacks on the supply chain are also something to be concerned about. Take

40 | Asia Pacific Security Magazine

for example the threats of your computer systems being tampered with before they even arrive in your office. It might sound like fiction, but NSA documents released in Glen Greenwald’s book, No Place to Hide, show how the NSA’s Tailored Access Operations (TAO) unit intercepts computer and networking equipment being shipped to organisations they want under surveillance. There are even pictures of a workshop showing a special “load station”, where NSA engineers are implanting custom (malicious) firmware onto CISCO networking devices prior to them being shipped onto their destination. These are two different mode of physical attack, where the first is aimed at disruption and service degradation, while the second is an attack on confidentiality, since the aim there is remote control or data exfiltration. The first is an overt attack, still on the supply chain, while the second is covert and much harder to detect. Digital Supply Chain Attacks Off the shelf hardware and software, whether it’s from a bigname supplier or provided by one of the thousands of niche vendors out there, how do you know if the software you are installing on your systems or the hardware you are plugging into your network is secure? Case in point, back in 2016 the media had a field day

Frontline

“These are two different mode of physical attack, where the first is aimed at disruption and service degradation, while the second is an attack on confidentiality”

pressed to entertain helping in these supply chain attacks? Huawei has also been in the press recently for being banned in several Western countries due to its supposed tie to the Chinese government. So, the question is who can you trust? Coding and Open Source Libraries Even coding has its issues. No one writes every line of code in their application’s codebase anymore. Most of the time, open source libraries are linked into the main application to provide services such as security, identity and access management, cryptographic services, graphical interfaces and hardware access, all of which have functions that need the highest privileges on the system to run. Many applications are built entirely on openly available third-party platforms, such as gaming engines like Unity, Cryengine and Unreal. Each of these platforms offers all the core gaming capabilities, such as the physics processing needed for games appear like real life. So, how can you know, for sure, whether you can trust these? Building Trust in Your Supply Chain

when news broke of networking giant, Juniper Networks, announcement that they found, as they called it, unauthorized code embedded in their firewall operating system. To make matters worse, investigations showed that the rogue code appeared to have been included in many iterations and revisions of ScreenOS (their custom operating system used across many of their products), dating back as far as 2012. And what did this rogue code do? It allowed attackers to take complete control of Juniper NetScreen firewalls. That, unsurprisingly, for a suitably skilled hacker, is game over for the owner of the firewall. The story gets even more incredible after that, where it seems the NSA might have been responsible for the original back door, executing that attack (possible with permission from Juniper) to launch their own supply-chain attacks on foreign governments – now we are speculating, but it seems likely. For the whole story, read Wired’s coverage of it here: https://www.wired.com/2016/01/ new-discovery-around-juniper-backdoor-raises-morequestions-about-the-company/. This example shows how complex code systems can be corrupted and backdoors can go unnoticed for a very long time. Furthermore, companies that are requested to assist their government in their international espionage pursuits are stuck between a rock and a hard place. If you say no, could they put you under pressure to comply? Under a harsher oppressive government regime, how far could a company be

The problem with supply chain attacks is that you have little to no control of most of these issues. If you are buying networking equipment and run a secret government lab, your choice of vendor might well be limited to US manufacturers who are on the NSA’s friendly list. In the UK, CESG maintains a similar list, as does ASD in Australia. The vendors on these lists have gone through evaluation by these government entities, but this is usually only for the largest vendors, which also attracts the highest price tag. So, if you are on a tighter budget, it’s all about risk management, as is everything in security. You can grab some assurance in the form of a contract, where indemnity clauses could help you fix problems if they arise, and the supplier would attest to them fixing bugs and having no knowledge at the time of sale of any such authorised back doors or unpatched vulnerabilities. Again, there is no guarantee, but you’ve taken some steps to mitigate the risk. At least you have considered it and had the conversation. Supply chain attacks are a major concern for governments, financial companies and other such entities that carry massive national security and economic risks when they do business. However, most businesses won’t be targeted by national state actors, but due diligence is still required when you build and procure systems. Just take a beat the next time you ask your software development team to compile in a library from GitHub, without at least doing a cursory code review. Who knows, you might find a juicy vulnerability during the review and rake in a bug bounty in the process, after all most clouds have a silver lining.

Asia Pacific Security Magazine | 41

Frontline

The dawn of the digital Manager By Helen Masters, Senior Vice President and General Manager, Asia-Pacific at Infor Systems

42 | Australian Security Magazine

hink about your boss. You may be experiencing a positive feeling due to their genuine support and encouragement — or you may have felt a tinge of frustration resulting from their controlling and authoritarian approach. So, the following news may be or may not be welcome: the role of manager (as you know them) is going the way of the dinosaur. We are incessantly bombarded with the message that artificial intelligence (AI) and robots will soon replace as many as half of today’s existing jobs. While there is undeniably an Orwellian fear associated with the future of work, we must step back and remember that we have already relinquished control to technology in other areas of our lives. Consider transportation: virtually all of us have ridden a train with no human conductor, self-driving cars are supposedly just around the corner, and soon airplanes may not even need a captain. So, is the notion of replacing your existing manager with a digital one that hard to imagine? And if you think this is a tale about the distant future, keep in mind that Gartner predicts in 2018 more than 3 million workers globally will be supervised by a ‘roboboss’. Operational Automation Before we wish them a bon voyage, it may be helpful to reiterate the actual role of a manager. The basic premise of “management” in most organisations is centred on the responsibility to monitor individuals and ensure compliance with policies/procedures. This is admittedly an oversimplification that excludes many other critical obligations, but it is nonetheless an accurate portrayal of most of their daily tasks. According to a recent study by Accenture, these administrative activities typically comprise 54% of a manager’s time. If time is money, that equates to some serious savings, especially if we can offload transactional tasks to someone (or something) else. Absent the influence of technology, the millennial generation has already begun to challenge the old-school, command-and-control form of management, in favour of new ways of engaging, enabling

78% of managers of managers said they would trust the advice of intelligent systems in helping them make better business decisions in the future. and empowering the workforce. These evolving social conventions, when combined with new technologies, paint a very different picture of the role of the manager in this new framework. Operational automation is arguably minute in comparison with the true value that comes with what many refer to as “augmented intelligence” instead of AI. All organisations rely on managers to make frequent decisions that fall into “gray areas.” Far too often, these decisions are based on all-too-human intuition (which is subject to attribution errors, unconscious biases and a host of other problematic elements that frequently prevent us from reaching the correct conclusion). Banishing bias What if you had 24/7 access to the relevant data you needed to make an evidence-based decision versus an intuition-driven choice? In a recent survey by Harvard Business Review, 78% of managers of managers said they would trust the advice of intelligent systems in helping them make better business decisions in the future. As the role of humans in the workplace evolves, there is an increased need to balance both technical and social skills. While some will continue to rage against the future of robots in the workplace, others will welcome having a digital manager to approve expense reports and PTO requests so we can focus on creating authentic, meaningful relationships with our people.

Organised by

Industry Accolades

Asia Pacific Security Magazine | 43

Frontline

Why digital transformation must incorporate security transformation

E Philip Dimitriu Director of systems engineering, Australia and New Zealand, Palo Alto Networks

44 | Asia Pacific Security Magazine

ffective cyber defense must withstand changes to adversary tactics and tools that traditional nonintegrated “best of breed” approaches cannot address. It must address advanced unknown threats as well as known threats. Resiliency and defense across the Cyber Attack Chain comes from protecting and defending systems at all places in the network, across all network traffic on endpoints, in data centers, in remote locations, public and private clouds and at major Internet gateways. Philip Dimitriu, director of systems engineering, Australia and New Zealand, Palo Alto Networks, said, “Most business leaders are at a point where they fully understand the need for digital transformation and it can be frustrating for them to be told that they need to slow down or avoid implementing certain projects because existing security measures are inaccurate. “As more organisations embark on a digital transformation journey, many are finding their ambitions thwarted by a security infrastructure that can’t cope with the new environment. While it’s essential to leverage new and emerging technologies to achieve business goals, failing to secure these properly from the outset can open organisations up to significant security risks that can potentially negate any advantage derived from that technology. Therefore, businesses must consider a security transformation in parallel to any digital transformation projects. The answer is to secure it from

the outset.” One of the key stumbling blocks for organisations in the midst of digital transformation is overcoming cultural contributors to poor security. Philip Dimitriu added, “Ignorance can often be the biggest contributor to cyber incidents. Depending on the size and complexity of an organisation, multiple individuals, teams or governance committees, may be required to cascade security transformation. Organisations must adopt a prevention-oriented mindset if they want to have a chance at protecting themselves. When boiled down to its core, security transformation really means four key things, complete visibility accompanied by credible intelligence feeds, reducing the attack surface, prevent known threats, and prevent unknown threats. In organisations where a strong security mindset hasn’t always been part of the culture, it can be easy for people to make innocent mistakes that lead to cyberattacks. As with transformation of any sort, the first area for businesses to focus on is staff education – across the entire organisation, including IT. People unwittingly click on the wrong link or use the same password for every app, and suddenly the organisation is experiencing a cyberbreach. Organisations can mitigate this risk by providing comprehensive, regular security education to all team members. For example, security professionals need to

Frontline

“Businesses need a security solution that is tailored to their environment and can monitor, detect, and report on threats, automate workflows, and meet compliance requirements. Stopping sophisticated attacks requires a strong, strategic security posture. Businesses looking to digitally transform must ensure they build security considerations in from the outset to ensure success.”

teach employees how to spot malicious emails, reinforce the importance of strong, hard-to-guess passwords, and explain why they should never download apps without checking with the IT team. “Security is everyone’s responsibility. The more technology an organisation relies on, the more important it becomes that everyone does their part to keep the business safe.” A successful digital transformation, therefore, depends on the organisation being able to bring together the right people into agile teams so that they can begin to think differently and change the way they work to fully leverage the value of new technology tools. A strong security culture must be augmented by the right security tools. This includes automating the security response. It’s impossible to keep up with the speed and frequency of cyberattacks using manual resources. You must fight an automated adversary, with automated security processes.

Businesses therefore need to choose tools that don’t get in the way of agile business, while supporting workflow across the organisation. Businesses also must secure every aspect of the transformed enterprise, including cloud and endpoints. Most businesses have a mixture of on-premise and cloud-based workloads and data repositories. Each of these presents a potential entry point to the broader network for malicious attackers. Implementing strong security measures that protect on-premise infrastructure without similarly securing the cloud renders the on-premise security next-to-useless. Only by securing every potential entry point can organisations be satisfied that they have a strong security posture. Businesses should choose a security vendor capable of protecting every potential entry point regardless of where it sits. Furthermore, security services must share intelligence and automate enforcement so team members can confidently focus on core tasks. Philip Dimitriu said, “Businesses need a security solution that is tailored to their environment and can monitor, detect, and report on threats, automate workflows, and meet compliance requirements. Stopping sophisticated attacks requires a strong, strategic security posture. Businesses looking to digitally transform must ensure they build security considerations in from the outset to ensure success.”

Asia Pacific Security Magazine | 45

Frontline National

Australian-made FLAIM Trainer helps fight fire with the power of VR

V By Bennett Ring ASM Correspondent

46 | Asia Pacific Security Magazine

irtual Reality might be best known for its entertainment qualities, but it’s also set to revolutionise the way certain industries take part in training. For example, NASA has been using VR technology to train its astronauts in EVA walks for over two decades. Now two Australian companies have teamed up to bring VR to the art of firefighting, with the introduction of the the FLAIM Trainer training system. Created in a unique partnership between Dimension Data, a global technology integrator and managed services provider, and FLAIM Systems, a start-up wholly owned by Deakin University, the FLAIM Trainer aims to replicate the difficult and dangerous conditions that firefighters must face when training to fight fires. Rather than a simple Head Mounted Display (HMD) and motion controllers, the FLAIM system integrates the existing Vive HTC HMD into a full face-cover that replicates the breathing apparatus used by real firefighters. As a result, it doesn’t need to mimic smoke, as the closed-breathing system removes any externally inhaled smoke. This full-face mask is used in conjunction with a clothing system that includes heat generation components to mimic the harsh heat faced by

firefighters. Called Hitoe, it’s described as a “a wearable, biosensing nano-fibre vest which tracks electrocardiogram (ECG) readings and transmits them in real time for fitness analysis of firefighters during training.” This allows trainers to monitor the exact physical condition of trainees during the simulated fire situations. The analytics platform was originally designed by Dimension Data to monitor the performance of athletes in the Tour De France cycle race, but has since been modified for use in the FLAIM system. As well as the Hitoe vest and simulated breathing apparatus, the system also includes a virtual water hose which uses haptic simulation to deliver force feedback, allowing the user to get a feel for the strength of the flow of water under different pressures. Further optional extras include hose reels with a higher jet reaction force, augmented reality and 360 degree video training solutions, and real time performance data visualisation. The entire cost of each basic training unit is $40,000; according to James Mullins, Associate Professor, Deakin University and Chief Technology Officer of FLAIM Systems, a single week of real-world “hotfire” training can cost up to $50,000. The reusable nature of the FLAIM system thus represents a substantial cost saving in comparison.

National

condition and fitness levels. The FLAIM system has only recently reached the market, with customers already existing in Australia. It’s also being marketed internationally, and Mr Mullins describes the target customer base as, “….traditional fire departments/public safety, airfield rescue and firefighting, military, mining and industry and training service provider organisations.” According to Mr Mullins, the most difficult aspect in developing the simulation was accurately modelling the physical properties of fire, smoke, water and heat, which the system must do simultaneously, thus requiring significant computing power. While specifics weren’t given, the software runs on “high end PC systems”, allowing the company to use off-the-shelf components that are easy to upgrade and support. In future, the company aims to develop more scenarios that will be used as part of a subscription library, allowing customers to more accurately train for specific instances. There are also plans to add a first-aid component to the training system, as on-the-ground medical support is a huge part of a fire-fighters roles. As one of the most innovative VR training solutions found in the world, FLAIM again highlights Australia’s ground-breaking research in this field. Combined with other companies such as Opaque media, who are working with NASA on simulations, the land down under is well on its way to becoming a world leader in the field of VR.

It’s also fully portable, so can be used across an organisation’s various operations. It’s not intended to be a total replacement to real-world hotfire training though; rather it can reduce the preparation and length of hotfire training required to train a candidate, as well as increase the effectiveness of equipment familiarisation. Mr Mullins explained the various scenarios that FLAIM can mimic. “Our scenarios are designed to replicate real world effects of fire, smoke, water and heat. The environments in which the fire activity occurs also impacts the behaviour of each of these factors. The behaviour of these factors in a house fire are different to open-air bushfire scenarios. We have and continue to develop specific software models and scenarios to simulate with high fidelity the visual, sound and physical experience of firefighting.” During the training, data is captured via an analytics dashboard, and measures things such as smoke level, fire intensity, water jet reaction force and spray patterns. The system’s Hitoe bio-sensing tech also monitors how the firefighter is coping with the conditions, keeping track of the user’s heart rate, ECG and stress levels. This can then be used as a benchmark, to ensure the user is meeting required

The ‘go-to’ tool for leading professionals WEBINARS WHITEPAPERS UP COMING EVENTS CONFERENCES

promoteme@mysecuritymarketplace.com

www.mysecuritymarketplace.com Asia Pacific Security Magazine | 47

Cyber Security

The rise of hashgraph

edera Hashgraph recently secured $100 million in funding as it seeks to create a new commerce network based on its hashgraph consensus technology. (That’s just another term for a new distributed public ledger.) The US-based company, which will use the money to accelerate the development of key services, says the amount of money raised highlights how much potential it has to change the internet as we know it, and overcome some of the obstacles faced by cryptocurrency and blockchain companies. But what is hashgraph? And why should you be paying attention to it? Hashgraph is a distributed ledger technology, or DLT, developed by Leemon Baird, co-founder and CTO of Swirlds – a software platform for distributed applications. Hedera Hashgraph is a cryptocurrency based on the hashgraph algorithm. According to Baird, hashgraph – not blockchain – is the future of DLT. Why is hashgraph superior to blockchain? The main benefit hashgraph has over blockchain consensus mechanisms is fairness in transaction order. Use cases include high-frequency trading (HFT) on a stock exchange, where the millisecond transaction ordering offered by Hashgraph creates a ‘fair’ market. This fairness is achieved through a

48 | Asia Pacific Security Magazine

combination of mathematical proof and accurate timestamping. Then there are the transaction speeds. A common factor of debate among Bitcoin Core developers, for example, is that it increases block size within the blockchain to increase transactions per second, whereas events in hashgraph can be any size. When creating a new event, any new transaction/s, plus a few bytes for overhead, make up the entirety of the event size. Events can be anywhere from a few bytes (no transactions) to whatever size is required. Combine this with hashgraph’s consensus algorithm, ‘PoG’ (proof of gossip), where events within the graph ‘gossip’ to each other about all previous events, thus spreading ‘gossip about gossip’. Transaction speeds can now reach 250,000 per second, pre ‘lightning network’ equivalent and pre ‘sharding’. Also, hashgraph is completely secure with aBFT (asynchronous Byzantine Fault Tolerance), which is, in theory, the most secure version of BFT. Bitcoin is not. aBFT can overcome internal and external attacks. No one can influence the transaction order, as there is no mining. Since consensus is arrived at by randomly syncing with others, hashgraph doesn’t require large computation power like bitcoin does. This lowers transaction costs significantly.

Cyber Security

‘We think that will be incredibly important for things like the internet of things, where the things will discover each other and engage in commerce automatically in a micro economy,’ Harmon said in an interview with VentureBeat. enable is the micropayment. ‘We think that will be incredibly important for things like the internet of things, where the things will discover each other and engage in commerce automatically in a micro economy,’ Harmon said in an interview with VentureBeat. He also said it could enable high-throughput transactions for online games, where you can use the hashgraph to verify the authenticity of resources. Hedera Hashgraph is creating public applications programming interfaces to enable three services. It will: • •

•

Does hashgraph make blockchain obsolete? In short, no. Hashgraph is not without its flaws. In fact, it will face the same issues that other public blockchains are currently facing, and may not be able to maintain is security and performance. For example, the original bitcoin blockchain tended to hit its limit at only seven transactions per second, while Ethereum maxed out at around 15 transactions per second. Hashgraph currently scales only in relation to the number of transactions processed, but doesn’t scale with regard to the number of nodes in the network. This inherent limitation is often referred to as the ‘scaling problem’. This problem is often regarded as one of the main obstacles for cryptocurrencies to overcome. While we should appreciate the underlying technology in hashgraph, we should also appreciate the blockchain technology that has paved the way for it.

Create a cryptocurrency-as-a-service with native support for micropayments Create distributed file storage for the network that can be used by smart contracts, or programs that run on the public ledger Create smart contracts based on Ethereum’s scripting language, Solidity

That makes it possible to build distributed applications that run on the Hedera Network, Harmon said. Anthony Stevens is the founder and CEO of Digital Asset Ventures, a digital strategy and software development company. Digital Asset Ventures’ technology expertise is concentrated in three key areas: distributed ledger technology, artificial intelligence, and big data and data networks. Anthony is also the co-author of Chasing Digital: A Playbook for the New Economy (Wiley).

What does the future hold for hashgraph? Upcoming cryptocurrencies based on hashgraph will have to register with Hedera Hashgraph. They’ll also have to request tokens for vendors that accept virtual currencies running the hashgraph algorithm. According to Hashgraph Hedera CEO Mance Harmon, one of the things Hedera Hashgraph will

Asia Pacific Security Magazine | 49

Regional

India’s Supreme Court reins in citizen profiling

I By Sarosh Bana ASM Correspondent

50 | Asia Pacific Security Magazine

n a sharp rebuke to India’s civil libertarians, the country’s Supreme Court has upheld the constitutional validity of the biometric-based national identification platform called aadhaar that is widely viewed to be a tool of mass surveillance. Though in its majority verdict (with one judge completely dissenting), the five-judge constitutional bench of the apex court did reduce the scope of aadhaar’s application, an outright striking down of this personal data gathering medium would have grossly discomfited the Narendra Modi government. Prime Minister Modi had put his personal weight behind aadhaar and had his rightwing Bharatiya Janata Party (BJP)-led government push the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, through Parliament in March 2016. Modi had vigorously contested the ID platform ever since it was first mooted in 2010 by the previous Congress-led government, saying it violated one’s “constitutional right to privacy”, but changed his stance once he became Prime Minister in May 2014. An adverse verdict would have complicated his campaign for the 2019 general elections, his government

having already enrolled 1.22 billion aadhaar holders, 91 per cent of India’s overall population of 1.34 billion. While aadhaar was originally conceived as a means to provide efficient access to government welfare schemes meant largely for the underprivileged, the BJP government made it mandatory for accessing a host of services like opening and operating bank accounts, filing Income Tax returns, and for applying for cellphone services, passports, driving licences, house subsidy, school admissions, death certificates, train tickets, and even for supplementary meals at crèches and maternity benefits. Besides, permanent account number (PAN) cards, required for all banking services, would be unacceptable unless linked to aadhaar. In its ruling on the 27 writ petitions challenging the constitutional validity of aadhaar, the Supreme Court observed that the scheme empowers people on the margins of society, and its benefits far outweigh concerns about the violation of privacy and data breach. But it struck and read down certain sections of the Aadhaar Act, most significantly clarifying that the government cannot deny any benefits to

Regional

The government has said it was considering amendments to laws to get around the prohibitions imposed by the Supreme Court order.

any individual for not having an aadhaar number. “It would be appropriate if a suitable provision be made for providing alternative remedies,” it said. The Supreme Court also held that banks and other financial institutions, telecom services, private companies and educational institutes cannot seek aadhaar data for any services they render. The court, however, upheld Section 7 of the Aadhaar Act that mandates aadhaar for any government scheme that draws out of the consolidated fund of India, such as subsidised rations and LPG, and the employment guarantee scheme. Aadhaar will also be necessary for filing Income Tax returns, for applying for PAN and for linkage with PAN wherever the latter is mandatory, implicitly making aadhaar inevitable in such situations. Significantly, the Supreme Court forbade agencies from retaining beyond six months the authentication data of citizens who have enrolled for aadhaar. It urged the government to bring in a robust data protection regime, even while observing that there were “ample safeguards” for security and data privacy in the aadhaar mechanism. Noting

that collection, storage and use of data do not violate the fundamental Right to Privacy and the Aadhaar Act, the court deemed the archiving of such data and records for a period of five years “bad in law”. In his dissenting judgment, Justice D.Y. Chandrachud deemed aadhaar unconstitutional and its enaction as a “Money Bill” - thus bypassing the Rajya Sabha (Upper House of Parliament) - a “fraud on the Constitution”. India’s Constitution does not require any legislation notified to be a Money Bill by the Speaker of the Lok Sabha (Lower House) to be ratified by the Upper House, a procedure mandated for all other legislations. The Aadhaar Bill was considered to have not fulfilled any of the seven provisions for a Money Bill to be so designated, but as the Constitution holds the decision of the Speaker in this regard as final – and not open to judicial, Parliamentary or even a Presidential review – the BJP government opted for this method to push the Bill through, especially because it did not enjoy a majority in the Upper House. The Congress party and some of the petitioners have been heartened by Justice Chandrachud’s dissenting judgment and are planning to reopen the case by asking for a larger seven-judge Constitutional bench. Justice Chandrachud held: “Bypassing Rajya Sabha to pass Aadhaar Act amounts to subterfuge and the law can be struck down.” In his judgment, he said it was “impossible” to live in India without aadhaar, which is a violation of the Constitution, that there was absence of any regulatory mechanism to provide robust data protection, and that allowing private players to use aadhaar would lead to profiling that could be used to ascertain the political views of citizens. The government has said it was considering amendments to laws to get around the prohibitions imposed by the Supreme Court order. As the fingerprint and iris scans and documentation for aadhaar applications are done on computer, erratic, or lack of, electricity has proved a major hindrance. There have been numerous instances where the poor have suffered immeasurably for want of an aadhaar number. A crematorium refused to have the final rites performed on a body in the absence of the deceased’s aadhaar card. A child passed away in her father’s arms as the man could not have her admitted to hospital without an aadhaar card. Hearings on the aadhaar case had continued even as a nine-judge Constitutional bench of the Supreme Court had in August 2017 unanimously ruled that privacy was a fundamental right as it was intrinsic to right to life and personal liberty guaranteed in Article 21 of the Constitution. Petitioners in the aadhaar case had hoped for this verdict to have had an influence on their outcome.

Asia Pacific Security Magazine | 51

BioSecurity Special

Biological Protection-In-Depth: A closer look at biosecurity and biodefence strategy. By Deborah Evans

52 | Asia Pacific Security Magazine

he importance of broad-spectrum Biological Protection for the survival of mankind is becoming increasingly apparent. Ebola Virus, Hendra Virus, Nipah Virus, Severe Acute Respiratory Syndrome (SARS), Middle East Respiratory Syndrome (MERS), and Avian Influenza are just a handful of examples of pathogens recently causing or threatening widespread fatalities. They strike fear into the hearts of citizens and governments alike and for good reason... they have the potential to devastate lives, families, economies and destroy the social fabric of civil society. We are not immune from what we cannot see, and protection from biological threats is perhaps the most urgent human endeavour of the coming decades. Biosecurity and Biodefence are co-dependant strategies sitting under the broader concept of biological protection. Biodefence is multi-faceted, consisting of multidisciplinary measures implemented at a national level to protect both civilian and combatant populations from biological threats. Although biodefence is often thought of as being exclusively the domain of government and military, its concepts have evolved beyond a fundamental objective of defending against biological attack. Progressive biodefence concepts incorporate protection from biological threats of a diverse nature, including those from naturally occurring, accidental and deliberate sources. Subsequently, biodefence concepts

transcend military discourse and extend across disciplines and sectors. Such disciplines include security & law enforcement, intelligence, politics and governance, emergency management and national preparedness, the health sciences, agriculture, the environmental sciences, the life sciences as well as most of the technological fields and specialities. Biodefence is very much a collective effort â&#x20AC;&#x201C; it permeates all sectors and is incorporated into disciplinary specific methodologies and practices in a myriad of ways. In the event of a biological incident, each discipline will uniquely contribute to form part of the immediate response and longterm recovery efforts. However, the practical challenges of implementing and achieving a cohesive structure to support biodefence objectives are momentous. Co-ordinating and balancing the agendas and objectives of multiple sectors and disciplines is intrinsically problematic. Immense changes in technology, research and environmental factors have further elevated the capacity for biological threats to circumvent existing defences. Subsequently, approaches to co-ordinating biosecurity and biodefence mechanisms must be revisited and redefined as part of global biodefence strategy. To assist in the facilitation of global biodefence efforts, a multidimensional Protection-in-depth (PID) framework may require development at an international level to better coordinate and formalise the existing structures designed

BioSecurity Special

to achieve biodefence. PID – the ‘Onion Ring Model’ is a security theory used extensively to create enhanced security by overlapping layers of protection and detection through the systematic application of sequential measures. Although PID is often used to achieve physical security, the theory may be applied to both biosecurity and biodefence to achieve a more cohesive level of biological threat protection. Protection-In-Depth for Biosecurity Biosecurity is a core component of biodefence prevention and detection strategy. Biosecurity refers to the policies and measures applied to biological agents and toxins to prevent their loss, theft, misuse, diversion, unauthorised access or intentional unauthorised release. Security of high consequence pathogens such as Ebola Virus, Marburg Virus or Botulinum toxin in laboratories for instance, is vital to prevent acquisition by terrorists or adversaries with malicious intent. As a result, high containment microbiological facilities containing security sensitive biological agents are required by law to have sufficient biosecurity measures in addition to biosafety procedures. In Australia, the Security Sensitive Biological Agents (SSBA) Standards prescribe the requirements for the secure handling, storage, disposal and transport of known and suspected SSBAs.

The SSBA security requirements encapsulate ProtectionIn-Depth (PID) security theory - facilities containing SSBAs are required to have a systematic approach to physical security, policies, procedures, and practices to sustain a high level of biosecurity. For instance, access control requirements for facilities containing Tier 1 agents include an electronic access control system for entry into the secure area perimeter, and an additional form for access to Tier 1 SSBAs. In addition, the required procedural measures include formal authorisation, maintenance of detailed access control records, management of access control tokens and extensive reporting and documentation. Collectively, the technologies, systems and procedures overlap one another to reduce the inherent vulnerabilities of each measure. Given the abundance of security technologies available, the sky is the limit in terms of creating an ultra-secure biological facility using advanced technologies, policies, procedures and practices through the application of PID theory. The possibilities are restricted only by budget and operational requirements, not by system capabilities. Systems such as biometric access control, smart CCTV with behavioural anomaly detection, integrated perimeter detection systems, and specialised air filtration pressure systems are all examples of technologies which may be implemented to create the desired level of PID. While the capabilities of these technologies are impressive, they are not without vulnerabilities and limitations – like most technologies they can be compromised or circumvented with the right knowledge, capability and opportunity. Hence the value of PID becomes apparent – each security measure must be thoroughly scrutinised to identify vulnerabilities before additional layers of protection can be implemented. In controlled environments such as microbiological or other high security facilities, this is certainly achievable. Elements of an entire facility such as geographical location, site, construction, policies, procedures, practices, personnel, and routines may be decided and controlled – and the security mechanisms can be constructed and adjusted accordingly. Thus, the number of ‘Onion Rings’ in the PID framework should correlate with the degree of control over the environment. In dynamic environments where control is limited, PID may still be achieved, but the approach must be multidimensional and fluid enough to reflect and accommodate shifts within the environment. Protection-In-Depth for Biodefence Biodefence operates in a highly dynamic environment. Preventing, detecting and responding to naturally occurring, accidental or deliberate biological threats becomes difficult when the threats are constantly changing. Antimicrobial resistance, synthetic recreation, genetic modification, gain-offunction research techniques, the emergence of novel viruses, and the natural evolution of pathogens all contribute to the unpredictable nature of biological threats. Human behaviour and movement further facilitate the ability of pathogens to succeed in self-propagation and dissemination. The microbial world is both phenomenal and incredibly frightening. There are many biodefence technologies which have been developed to bolster efforts in detecting and responding to

Asia Pacific Security Magazine | 53

BioSecurity Special

There are many biodefence technologies which have been developed to bolster efforts in detecting and responding to biological events.

54 | Asia Pacific Security Magazine

biological events. For instance, Biological Point Detection and Biological Standoff Detection systems are technologies used for the detection and identification of aerosolised biothreat agents within the environment. Point detection systems sample aerosolised particles at a fixed point and may be deployed in both internal or external environments such as in subways, shopping centres, airports or in open public spaces. The United States has point detection sensors deployed in approximately 30 major cities across the US as part of their BioWatch program. Advanced point detection systems such as Autonomous Pathogen Detection Systems (APDS) can operate continually and use both Multiplex Immunoassay and Polymerase Chain Reaction (PCR) techniques to detect and identify aerosolised agents. They are sophisticated, sensitive and reliable systems that can detect a biological attack in real time and support the prevention or reduction in civilian casualties as well as directing medical treatment requirements and decontamination efforts. Standoff detection systems are an alternative type of technology used for the detection of Chemical, Biological, Radiological or Nuclear (CBRN) events. Biological standoff detection systems analyse aerosolised clouds or plumes remotely, from up to tens of kilometres without the need for sampling. They use technologies such as Light Detection and Ranging (LIDAR) with Ultraviolet Laser Induced Fluorescence (UV-LIF) to read the biological signatures of particulate matter contained in the plume based on the optical signatures reflected in response to laser excitation. UV-LIF LIDAR systems are one of the most prominent emerging technologies for biological standoff detection. Like point detection systems, they can direct efforts to prevent or reduce civilian and combatant exposure to aerosolised biothreat agents as well as assist in investigation efforts to determine the threat source based on point of attack. Despite their sophistication however, these technologies are relatively limited in scope and application. Currently, point detection systems may only detect known agents – unknown DNA sequences from modified, enhanced or novel pathogens created in the laboratory may go undetected, or mistaken for non-virulent species. This is perhaps the most significant and problematic issue likely to dominate future biodefence discourse concerning biodefence technologies. Critics of the technology also argue that point detection systems may easily be circumvented if adversaries are aware of the location of sensors or launch a series of localised attacks to increase the probability of mass-casualty. Standoff detection systems using UV-LIF LIDAR have a limited detection range and have not yet overcome the challenges associated with ambient light increasing signal to noise ratios. This means the technology is less sensitive during daylight hours, reducing the likelihood of an aerosolised agent being detected. Perhaps the most fundamental issue with UVLIF excitation, is that many other harmless substances, amino acids and fluorophores such as pollens, plant debris, fuel oils and some agrochemicals are excited at the same wavelength as biological agents, making it more difficult to distinguish between virulent and benign aerosolised matter. These limitations demonstrate that although biodefence technologies are at the forefront of military and defence research, they are certainly not beyond the abilities of foreign

governments or other well-equipped actors to circumvent or defeat. The costs involved of extensive bio-surveillance to adequately monitor multi-penetration points such as dams, waterways, public airspace, agricultural and food facilities, may be exponential to the risk involved. The biodefence environment is vast and multidimensional - more than aerosolised biothreat agents exist, and subsequently vulnerabilities and limitations cannot be addressed by simply overlapping detection technologies, procedures and practices in the same manner as controlled environments such as high containment microbiological facilities. To apply PID to biodefence, the ‘Onion Rings’ must be three-dimensional - overlapping policies, measures and technologies across disciplines, sectors and jurisdictions. These mechanisms currently exist in the form of diagnostics, syndromic surveillance, environmental and other monitoring systems, although sometimes very loosely depending on the country or sector. To enhance biological preparedness, the biodefence framework must be revisited to systematically identify and address newly emerged biological threats and vulnerabilities. In a practical sense, this means addressing emerging risks such as those created by commercial development in fields such as synthetic genomics. For example; although commercial genomics companies cannot ship or otherwise supply whole sequences of high-consequence or prohibited pathogens, there is currently nothing in place to prevent individual gBlocks (sequence-verified, double-stranded DNA fragments) from being obtained in a manner which defeats existing flagging or biosecurity mechanisms. Another example is the biosecurity risk created by naturally occurring events such as the recent string of Ebola outbreaks. Clinical samples, waste, medical and laboratory equipment, unsecured burial sites and the mobility of infected patients facilitate not only the further spread of disease but may also provide a source for the acquisition of pathogens for biological agents. The threat of biological based ‘lone wolf ’ attacks is not a new concern, however the opportunity for malicious acquisition through naturally occurring events is rising. As a result of the dynamic nature of the threat environment, the PID framework must address vulnerabilities across the complete biological continuum - inclusive of naturally occurring, accidental and deliberate biothreats. A systematic approach to designing and constructing a multidimensional PID framework is vital, building on existing multidisciplinary, multi-sectoral and multijurisdictional mechanisms. The process must ensure that technologies, policies, procedures and practices are carefully selected and implemented to overlap and mitigate the vulnerabilities and limitations of each measure. The approach must also consider the establishment of pre-markers for biological events to ensure the domino effect of a coordinated biological response so that if one falls, they all fall. To achieve an effective biodefence structure, all disciplines must work collaboratively and with sufficient fluidity to incorporate and address emerging threats and newly identified vulnerabilities in the PID framework. This means that biodefence policy and strategy must become more accessible across disciplines and sectors, not withheld as the exclusive property of government and military. Progressive

BioSecurity Special

public discourse on biosecurity and biodefence issues must permeate and drive biodefence policy – thus, publicly acknowledging the need for collaboration on biodefence issues should be at the forefront of next generation biodefence policy. The US National Biodefense Strategy is an example of how governments and policymakers may approach dynamic biodefence needs which are beginning to transpire. The United States is Leading the Way in Biodefence Strategy The September 2018 release of the US National Biodefense Strategy emphasises the need for a multidisciplinary approach to biodefence with explicit direction and oversight. The Trump Administration intends to address biological threats through the development of a multi-sectoral and collaborative biodefence enterprise, with oversight from a Cabinet-level Biodefence Steering Committee. The National Biodefense Strategy calls for multi-sectoral cooperation for threat prevention and response, and a multidisciplinary approach to the prevention of disease emergence. The US approach demonstrates a maturation in biological preparedness, where biodefence policies and operations cease to exist solely behind the closed doors of Washington and are publicly acknowledged as the responsibility of multiple sectors. US Biodefence strategy is evolving in line with contemporary society to reflect the rapid ‘bio-commercialisation’ of

technology, materials, equipment and expertise. However, despite this refreshing evolution in biodefence strategy, there will undoubtedly be challenges and setbacks in establishing the functional and operational structures required to sustain such a strategy. How the US Biodefense Steering Committee facilitates the conflicting objectives, agendas and requirements of multiple sectors is sure to be appraised – and scrutinised by avid international observers. Regardless of potential obstacles, the US must be commended for leading the way in creating a biodefence interface which may facilitate collaborative efforts and actively seek the expertise of individuals and non-government enterprises. We must hope that other nations including Australia support and follow the US lead and produce an accessible biodefence strategy, drawing on the capabilities of multiple disciplines and sectors. We must also encourage policymakers to consider the use of contemporary models and frameworks such as PID to address the complex needs of biodefence in the current environment. Ultimately, global biodefence efforts require a collaborative approach to identify and address the limitations of the existing biodefence infrastructure. We need a united front. Humanity is more than capable of addressing biological threats, however the challenge lies in our ability to design and construct the protective framework in a peaceful and systematic way.

Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

BUSINESS

ACADEMIA

LAW ENFORCEMENT

REGULATION

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to: Connecting members across intelligence communities and encouraging cross-domain collaboration

Supporting and representing intelligence professionals throughout their career lifetime

Sharing cutting edge and emerging global intelligence practices and enabling technologies

Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au

Asia Pacific Security Magazine | 55

Cyber Security

A b i d j a n

2 0 1 9

International Security and Defence Exhibition 21-24 January 2019 Abidjan / Côte d’Ivoire

LET’S PROTECT OUR DEVELOPMENT 50

Official Delegations 115 delegates from 24 African nations

133

exhibitors from 25 countries, 93% of them international

3,237

professional visitors from 64 countries

2019 Theme: Borders Protection and Control

République de Côte d’Ivoire Ministère de l’Intérieur et de la Sécurité

56 | Asia Pacific Security Magazine

www.shieldafrica.com

Cyber Security

Asia Pacific Security Magazine | 57

CyberCover CCTV Security Feature

How to minimise roulette wheel motion blur

By Vlado Damjanovski © Oct 2018 - vlado@vidilabs.com

58 | Asia Pacific Security Magazine

nce I was approached by a casino professional, asking me if I can help them find a camera with 60fps which they want to use with their roulette tables. First I asked him about the purpose for such camera, before I gave him my response. Certainly, I knew of a handful IP camera manufacturers that had in their range 60fps cameras (some even more than 60fps), but I somehow sensed that the question was based on the lack of understanding of how camera works (more specifically - the electronic shutter), rather than a real quest for a camera of high frame rate. Plus, high frame rate cameras are usually more expensive. When I was explained by the customer that the images from his roulette wheel winning numbers appeared very blurry, and customers were complaining about that, I knew what was problem. Cameras are often used to look at the roulette wheels, and display the winning number as soon as the roulette ball lands on a number. Casino dealers don’t wait for the roulette wheel to finish

spinning, as this takes quite some time, and players will not wait. The most practical thing for them is to wait until the ball, after jumping around, lands in the winning number area and while still spinning, they show a snap-shot image of the winning number on the large screen. The light conditions are usually very low, typically no more than 10lux at the gaming tables, which forces the cameras to expose each frame at least 1/25s (or 1/30s) in order to produce “live video.” It may well be that the exposure could be even longer if the cameras are left into Integration mode. The results are blurry videos of the roulette spinning wheels, with the hard-to-read numbers of the winning numbers. No wonder roulette players are not happy and are asking for better and faster information from the roulette tables. The customer that asked me this question, didn’t necessarily need a high frame rate camera, which would usually be more expensive. All he needed was to set the camera to a higher electronic shutter (Exposure), so that the motion blur from the roulette wheel was minimised

CCTV Cover Feature

Longer shutter - hard to see numbers

Shorter shutter - sharper winning numbers

Asia Pacific Security Magazine | 59

CCTV Cover Feature

to the level that clearly shows the ball and the winning numbers. What exposure do they need to set the camera to? This can easily be calculated by the ViDi Labs calculator application. In fact, one of the reason the ViDi Labs calculator was designed is to help with cases like this. Using the Sensor blur calculation, which is produced by a moving object with a known speed, a casino operator can calculate the most acceptable electronic shutter speed in order for the camera to see sharp winning numbers. A little bit of imagination and length measurement is required, but the hard work is done by the ViDi Labs calculator. Certainly, we all know that the shorter exposure you have, while keeping the same lens and F- stop, you would need more light for a good picture. It is however important to consider that every IP camera has built in AGC (Automatic Gain Control) which even when the light levels are lower - it will push the video signal to be close to the nominal values of full video (1 App in the analogue days, and around 800mVpp in the digital world). In our testing we have used in this example the following variables were used: â&#x20AC;˘ IP camera with 1/1.9â&#x20AC;? sensor

60 | Asia Pacific Security Magazine

CCTV Cover Feature

• HD Resolution = 1920 x 1080 Lens = 9mm • Distance from camera to the roulette wheel approx. 1.5m Using the ViDi Labs calc one can find out the longest exposure for the acceptable motion blur. The blur will always be there even at the shorter exposure, as the roulette wheel is still spinning, but it will be much sharper than having the default “live” exposure of 1/25s (or 1/30s) Our tests and experiments have shown that using high frame rate cameras, like for example 1/60s instead of 1/30s, will hardly reduce the motion blur. As it can be seen on the above screen-shot, there were around 21 pixels of blurriness produced on top of the actual roulette ball being 29 pixels (a total of 50 pixels in the horizontal direction). This eﬀect makes the numbers still appear blurry. The ViDiLabs calc has calculated not very far from this, 22 pixels. By setting the camera electronic exposure to 1/250s, the resultant frozen image appears much sharper, and this time the roulette numbers can be clearly read. The ViDiLabs calculator indicated that we will have 5.3 pixels blur pixels when motion velocity is 3km/hr. This is suﬃcient to see clearer numbers of the roulette wheel. So, although we have not installed a higher frame rate camera (60fps or 120fps), we managed to still produce sharp video of 25fps by just setting the electronic exposure is set to 1/250s.

40 ms

Standard“live” exposure

Active exposure voltage

25 fps camera

...

Stop exposure voltage

<40 ms Active exposure voltage electronic shutter (1/30s, 1/60s, 1/100s, 1/200s, 1/500s)

25 fps camera

Electronic shutter ON (“live” exposure) 2

...

Stop exposure voltage

>40 ms Active exposure voltage

f - focal length

5 fps camera Stop exposure voltage

d - distance

...

1 second

w - hor. width of the view r - roulette wheel diameter

The meaning of electronic shutter

Asia Pacific Security Magazine | 61

CCTV Cover Feature

Migrating to an IP video surveillance solution All you need to know By Benjamin Low, Vice President, Asia Pacific, Milestone Systems

62 | Asia Pacific Security Magazine

he migration from analogue video surveillance to IP systems has been increasing for some time, driven by decreasing costs and rapid advances in new security technologies such as video analytics. As William Tan, director of global face recognition & surveillance, global safety division, NEC Corporation puts it: “The use of video analytics in surveillance systems improves operational efficiency as it eases the workload on security officers. Analytics add value and makes the IP camera system more intelligent in its work. Increasingly, government agencies are adopting safer city technologies such as facial recognition as they allow the authorities to have more "eyes" on the city than before.” IP systems allow vastly increased functionality, from analytics and the use of non-visual sensors like fire alarms to remote access from anywhere in the world, while giving organisations the flexibility to easily expand and reconfigure their network as necessary. Yet, even with all these benefits, IP solutions still offer the lowest Total Cost of Ownership (TCO).

IP systems also make storage more flexible and less costly. HC Chang, general manager, APAC (excluding China), Promise Technology, explains: “Analogue systems may require storage to be onsite, but if an installation has many sites, or sites that are geographically disparate, this may be difficult. IP systems allow storage to be placed wherever makes the most sense, making it easier to maintain and upgrade.” While the benefits make migrating an easy decision, the steps from analogue to IP should be carefully considered. At the start of the migration process there should be a full analysis of the organisation’s security requirements, looking in detail and the varying levels of security needed in different areas and sites. Once these requirements are known, it is then necessary to design a detailed blueprint for the new IP system. Once the blueprint is ready, it is then time to develop a plan for deployment. There are two options for any organisation looking to migrate to an IP network: upgrading the whole network in one go or upgrading in stages. Upgrading the whole system at once simply involves removing all the old equipment and installing the new IP

CCTV Cover Feature

Analogue systems may require storage to be onsite, but if an installation has many sites, or sites that are geographically disparate, this may be difficult. IP systems allow storage to be placed wherever makes the most sense, making it easier to maintain and upgrade.”

system. In a way this is the simpler option, as it means all the new IP features will be ready to go once installation is complete. However, installing all that equipment – not to mention the equipment itself – can be costly, especially for medium and large organisations with significant amounts of infrastructure and assets to replace. Another disadvantage of this option is the inevitable downtime between the old system going offline and the new system starting up. The cost pressures can be a challenge, while the downtime is unacceptable for most medium and large organisations, which is why the more popular option is to upgrade in phases. This is possible with IP surveillance systems because all cameras and sensors feed into a central VMS. The right VMS will be open source, meaning it will be able to manage feeds from many different types of visual and non-visual sensor, both legacy and new, from many different manufacturers, at the same time. This means a surveillance network can evolve in line with its requirements. This capability can be especially useful in large installations which have many different buildings and levels

of requirement from their surveillance. For instance, some areas may require higher security, with new high-resolution digital cameras and video analytics functions such as facial recognition. An important point to note here is that migrating to an IP system does not require the replacement of existing cable infrastructure. Winston Goh, head of marketing, South APAC, Axis Communications, notes: “Pulling out and replacing existing infrastructure, such as coaxial cables and analogue cameras, can be a very expensive process. The benefit of migrating to an IP solution is that converter devices can be used to convert the analogue signal to a digital one, so it can be fed into the VMS. This allows sections and assets to be upgraded in a way which suits the budget and requirements of each organisation. It also greatly reduces any installation downtime.” Once the deployment plan is ready, the phases of installation can begin. This starts with installing the VMS, which will be the heart of the network. Then you can begin installing new cameras and preparing old cameras to feed into the new VMS, as well as the necessary monitoring equipment such as PC monitors, at your own pace. The benefits to IP video surveillance systems are so numerous that migration is only a matter of time for most organisations. However, it’s likely most will opt for a phased approach, due to costs and downtime issues. These factors can be minimised if organisations invest the time in understanding their security needs and thoroughly planning implementation, meaning companies can reap the benefits of IP surveillance faster, where it’s needed.

Asia Pacific Security Magazine | 63

Frontline

Resilient organisations begin with people. Organisations have a duty

C By Lance Krowitz, Director, Risk 2 Solution South Africa (Pty) Ltd; and Dr Gavriel Schneider, CEO Risk 2 Solution Group

64 | Asia Pacific Security Magazine

yber security. Admission controls. Biometric security. Security guards and barricades. Electronic counterespionage measures. Large organisations do all these things as a matter of course. Despite this, they accept that risk is something that can only be minimised – it’s impossible to completely prevent. But all these measures (and more) are largely futile when you consider that the weakest point of vulnerability is your most valuable asset: your people. Employers and shareholders like Return on Investment (ROI) and rightly so. Human Resources people are tasked with developing their workforce in a manner that helps the organisation acquire new and vital skills. There are financial incentives too, often sponsored by the taxpayer to incentivise corporates to up-skill their people. These programmes centre on business skills, leadership, IT skills, Compliance, Occupational Health and Safety and similar training. But here’s the thing: we forget that those same people spend a large chunk of their non-working lives outside of our organisation, be it in the real world or the virtual one. From a

purely selfish perspective, they’re outside of the organisation’s ability to protect itself should they venture into dangerous territory in either of those dimensions. It’s a VUCA world after all... What is VUCA? Volatile, Uncertain, Complex, and Ambiguous. It’s an old description of the world that’s become repurposed to describe how crazy our environment has become (and continues to get) as we become more and more interconnected. And in the midst of all this our people are travelling long distances to and from work in any number of modes of transport. They walk down the block at lunchtime with their faces glued to the screen of the latest/ shiniest/newest/most powerful smartphone. They stop at traffic lights and take the opportunity to read that last text message that just got delivered. Is it any surprise we’re such soft targets? Any impact on that person is an impact on the organisation and there are any number of possible permutations. Employees suffer from flat tyres, muggings, carjacking, physical injuries, phishing scams, hacking of

Frontline

"The trick is to create awareness in our people of their environment and the possible risks therein. We should help them to listen to that little voice that is the mind’s way of pointing out that something doesn’t quite fit. "

h resilient y of care. online profiles, identity theft etc. These result in mundane time off work requests for admin (police reports, credit card and ID replacements etc) and for medical attention, or worst case scenario – the employee is incapacitated or deceased and is never returning to work. We don’t mitigate these risks and its common cause that they’re an expensive cost to the organisation. Enter the Whole of Person approach. We view the employee as the sum of their Work Life, Personal Life, Online Persona, and Virtual Life. Despite what some security managers might think, the organisation has very little influence over most of those. The obvious answer is that we need to get out of the old paradigm thinking of providing hard security measures via the workplace and adopt a newer approach – Let’s holistically make our people more aware of the threats out there and by doing so we make our organisation more resistant to an

adverse event and more resilient should one occur. The trick is to create awareness in our people of their environment and the possible risks therein. We should help them to listen to that little voice that is the mind’s way of pointing out that something doesn’t quite fit. We must give them the tools to plan for any eventuality so they can react appropriately. This might be as simple as deleting that strange looking email without clicking on the link, or crossing to the other side of the street because something ‘doesn’t feel quite right’. In short, we need to ‘Switch Them On’. And we need to do it in a balanced way so as not to create paranoia. As my colleague Dr Gav Schneider writes in his article published in Security Insider June/July 2018, page 26: Being paranoid is just as ineffective as not being aware at all. The goal is to enjoy life to the full whilst at the same time being more aware of what’s going on around you. I believe that the one cannot exist without the other, i.e. you can't truly squeeze the most out of life if you are paranoid or unaware. It is important that we teach our people to continually adjust the balance for themselves. We call this balancing act Dynamic Risk Equilibrium (DRE). How does an organisation achieve Switched-On people? Face to face training is first prize, but it’s expensive, time consuming, logistically demanding, and takes people away from their jobs when they should be productive. Our solution is the online approach which we believe gives the organisation the best bang for buck. It’s scalable, accessible from home or work, self-paced, and can reach the entire workforce. Simply put, the more people you reach the better the outcome. We won’t stop incidents from happening, but we can create stronger defences by strengthening our people.

About the Author Lance Krowitz is a director of Risk 2 Solution South Africa (Pty) Ltd and has business interests in the risk, training, and energy savings sectors. Lance’s background is in financial markets having successfully run small cap portfolios for a division of the Standard Bank Group, Africa’s largest bank. Since leaving the corporate environment Lance has invested in a number of small businesses in the energy, property, and finance sectors. He is well versed in financial services, asset management, and investment banking, and spends his leisure time with his wife and young son as well as participating in endurance fitness events such as Ironman and the Comrades Marathon.

Asia Pacific Security Magazine | 65

BOOK REVIEW | by CHRIS CUBBAGE This book starts at 2:30am. Waking to the news of a serious cyber security breach, this is a time as a Director or Executive you are best already prepared, rather than scrambling to get with the cyber jargon and have the first read of the Notifiable Data Breach legislation. There are new obligations and an ever increasing expectation on companies and organisations subject to the Privacy Act to get the response right. “In today’s highly and widely connected world no one is fully prepared. We need more books like this to lift our cyber resilience.” - David Spence, Chairman PayPal Australia

THE CYBER BREACH COMMUNICATION PLAYBOOK By Peter Coroneos and Michael Parker

As a ‘playbook’, the authors have set out to provide clear guidance of a practical nature, so that if organisations are faced with, say a ransomware demand, they have a decision-making framework to help ask the right questions. Providing a ready-made communication strategy, with sample statements for media and social media, and an internal capability in place that is based on ethics, openness and maintenance of public trust – this is a playbook best kept at the bedside just in case the early morning call does come in. The book delivers on equiping Boards with a rapid and competent decision making guideline – “asking the right questions is 80% of getting the right solution.” And if you were going to seek advice, then the authors, Peter Coroneos and Michael Parker have the experience and qualifications to call on with confidence. "Cybercrime is a genuine existential threat to all of the organisations upon which our economy depends. This extremely useful playbook is a weapon for the good guys and should be compulsory reading for all executive and non-executive leaders." - Justin Milne, Chairman MYOB Holdings and Netcomm Wireless The Cyber Breach Communications Playbook is set out in a straight-forward, easy to understand format with a focus on ‘The Context’, namely the cyberthreat landscape, ‘Best Practice Communication Model’, with the internal and external postures and decision-making framework, and then provides an assessment of recent case studies. The latter could be invaluable to many executives, as it includes the evaluation methodology and ten grade criteria in which they are most likely to be judged. These are best to get right to avoid ending up in playbooks of the future. Case studies kick off with the infamous Census DDoS attack, followed by Uber, Equifax, Australian Electoral Commission, Ticketmaster,

66 | Asia Pacific Security Magazine

Geoscience Australia, Republican National Convention, Target, Ashley Madison, TalkTalk, Yahoo, JP Morgan Chase & Co, Verizon and Pageup – quite the list! With six conclusions, one is drawn back to the start of the book to read a second time and ensure it’s understanding – best heed these, as follows; 1. Breaches will be reported by the media irrespective of your posture or preparedness. 2. The C-suite will be called to account and resignations often follow a large and poorly handled attack. 3. Brand and reputational damage can translate to major write-downs in valuation – and if you’re in the unfortunate position of being involved in a merger or acquisition at the time, expect headlines to be used as a huge negotiating lever against you. 4. The attacks which have occurred in the case studies were not particularly sophisticated not hard to prevent. 5. The cost of the damage far outweighs any investments in better security practices and communication preparedness that could or ought to have been taken. 6. In the end, the examples provided were all failures of governance. Boards are on notice that community, stakeholder and regulatory expectations are for the better performance all round. Watch out for out ‘Playbook’ giveaways and will be available on mysecuritymarketplace.com

BOOK REVIEW | by CHRIS CUBBAGE

CHASING DIGITAL A PLAY BOOK FOR THE NEW ECONOMY By Anthony Stevens and Louis Strauss

Anthony Stevens

uthors Anthony Stevens and Louis Strauss are both KPMG alumni who were inspired to write Chasing Digital after watching pre-digital incumbents (companies formed prior to the digital age) struggle with the colossal task of digital transformation. Outlining a comprehensive and detailed framework, this book is designed to help leaders redesign their organisation from the bottom up by leveraging their strengths to create a new competitive advantage in the digital economy. The book is roughly divided into three parts. In part one, you’ll discover how to lay the foundations of transformation. Anthony and Louis explain how to develop a considered strategy, grow a conducive culture and build a receptive organisational design. Then in part two, the focus shifts to building core digital capabilities. This involves taking advantage of data, harnessing artificial intelligence and embracing appropriate platforms. Finally, in part three, you’ll learn how to adapt the accelerators of change. Namely, navigating board expectations, mitigating potential roadblocks and making the right investments. All in all, this unique playbook will give you the tools and mindsets needed to not only survive but to thrive, and leave a legacy for future leaders and future generations. In a nutshell, you’ll learn how to: • Integrate technology into your business strategy and culture • Prioritise and manage your company’s digital transition • Create opportunities for fast and intentional digital growth • Learn how to minimise friction

with stakeholders Chasing Digital is a no-nonsense book that shows you how to cut through the jargon and hype, and focus on what is critical to undertaking a truly successful, companywide, digital transformation. In a world where digital is changing everything, Chasing Digital will help your organisation transition beyond old business models to adopt the new digital paradigm and a new era of business. Embrace the chase.

Asia Pacific Security Magazine | 67

Driving growth in Australia’s cyber security sector From ideation to export, and everything in between, AustCyber works with: • Startups

• Government agencies

• Scale-ups

• Research organisations

• Corporates

• Educational institutions.

• Venture capital funds

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access: Funding across all stages of the commercialisation cycle Profitable global supply chains and growth markets.

The first step is to connect with us: www.austcyber.com 68 | Asia Pacific Security Magazine

info@austcyber.com

+612 9239 3250

@AustCyber

Asia Pacific Security Magazine, Nov/Dec 2018

Articles inside

Robotics - Growth & Opportunities