THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com
Sep/Oct 2016
Cyber terror on wildlife
China's underwater great wall
Signs of deception
Protecting children from cyber bullies
Security industry must embrace modern technologies
The Safe city and Its need for interoperability
PLUS $8.95 INC. GST
TechTime, Quick Q&A, Cyber Security and much more...
From the War Room to the Board Room, HuntsmanÂŽ Defence Grade Cyber Security Platform delivers: Advanced Threat Detection and Incident Response Continuous Compliance Serious Cyber Security ROI
Proven in the most secure and sensitive environments within the intelligence, defence and criminal justice networks across the 5 Eyes community.
LEARN MORE TODAY 1300 135 897 huntsmansecurity.com
CYBer SecurITY
Do we have IT right?
18-20 October
The Four Points Hotel - Darling Harbour National Conference 2016
Full conference program and registration: www.asisonline.org/shanghai
ASIS CHINA 2016 SHANGHAI, CHINA | 14–15 NOVEMBER 2016 Following a sell-out first event last year, the ASIS China conference is back again in Shanghai on 14–15 November 2016. The event is designed to provide senior security professionals with the knowledge and perspectives they need to excel.
Program Highlights Beyond Compliance, Live up to Security Risk Management Hanson Liu CPP, Greater China Security Manager, DuPont China Holding Co., Ltd, China Security Management in Global Operations Li Hongliang, Deputy Director of Security Management, BGP Inc., China National Petroleum Company, China
LIMITED
PLACES
Register Now!
China Pakistan Economic Corridor (CPEC): Threats, Vulnerabilities and the Mitigation Measures from Pakistan’s Perspective Kaleem Ahmed, Chief Security Officer, Pak Arab Refinery Ltd., Pakistan Omar Safdar CPP, Security Consultant, Pakistan The Evolution of Rules of Evidence for Investigators in China Theodore Kavowras, Managing Director, Panoramic Consulting Limited, Hong Kong, China
asiapacific@asisonline.org Tel: +32 2 318 57 51
Presents
2ND BIG DATA & CEM WORLD SHOW 1-2 NOVEMBER 2016 | JAKARTA, INDONESIA
#BIGITIDN16 www.bigittechnology.com/indonesia2016/ june.lee@olygen.com
|
+603 2261 4227
FEATURED SPEAKERS:
Noble Lesmana
VP Business Transformation Lazada Group
Dayu Dara Pramata
Co- Founder and Head Go-Life (Subsidiary of GO-JEK)
Alan Jiang
GM Uber Indonesia
OFFICIAL MEDIA PARTNERS
© 2016 Malaysia Digital Economy Corporation Sdn Bhd (389346-D). All rights reserved.
Komang Aryasa
Big Data Project Director Telkom Indonesia
Ignatius Untung
Country GM Indonesia iProperty Group
EVENT ORGANISER
Follow us @ BIGIT Technology
Contents Editor's Desk 6 Corporate Security
Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij
China's underwater great wall
10
Cyber terror on wildlife
12
Security industry must embrace modern technologies
16
Deception and detection uncovered
18
Prevention is still better than cure
20
Insider threat can be eliminated with a proactive approach
22
7 ugly truths about compliance
26
The safe city and its need for interoperability
28
Asia Pacific Region Correspondents Tony Campbell Prince Lazar Sarosh Bana
Malaysia: Security and risk environment
32
FORTINET FEATURE
38
Cyber Security How will Australia keep up
40
MARKETING AND ADVERTISING T | +61 8 6361 1786
The non-IT expert’s guide to surviving a cyberattack
42
How has information technology become the latest security threat?
44
promoteme@australiansecuritymagazine.com.au
Fighting technology with technology
48
Creating a culture of security to defend against social engineering attacks
49
Are security vendors leaving your business at risk
50
Editor's wrap-up IFSEC Southeast Asia 2016
52
Executive editor's show review - The commercial UAV show
58
TechTime - the latest news and products
67
SUBSCRIPTIONS
T | +61 8 6361 1786 subscriptions@mysecurity.com.au
Copyright © 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the
CONNECT WITH US
Page 8 - Deception detection uncovered: Truth seeking through
Page 24 - 7 ugly truths about compliance
OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
Correspondents* & Contributors
Page 30 - Malaysia: Security and risk environment
www.facebook.com/apsmagazine www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia
Sophie Zadeh
David Stafford
Simon Hill
Christopher Hadnagy
www.australiansecuritymagazine.com.au
Page 38 How will Australia keep up
www.malaysiasecuritymagazine.com
www.drasticnews.com
|
John Lord
Jaqueline M. Hummel
Greg Singh
Per Björkdahl
Tony Campbell*
Prince Lazar*
Kim Maslin
Keith Suter
www.chiefit.me
|
www.youtube.com/user/ MySecurityAustralia
www.cctvbuyersguide.com
4 | Asia Pacific Security Magazine
Lex Drennan
I N V I T A T Editor's I O N Desk
EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR
5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com
MySecurity Media will manage all logistics, such as flight/hotel bookings for the visiting delegation. 2015: 7,807 Visitors & Delegates 2017: 300 Exhibitors
Some of the main topics:
PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE:
Email: interpol_world2017@mysecuritymedia.com Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators. Visitor profiles: www.interpol-world.com/visiting
• • • • • •
IoT, cybersecurity, big data analytics Biometrics Genetic & synthetics biology Safe cities Robotics Unmanned/artificial intelligence
• Face recognition • Forensics
“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” -Ian Readhead, National Police Chiefs’ Council, UK
news.com
Express interest in joining us at this exclusive event interpol_world2017@mysecuritymedia.com
Asia Pacific Security Magazine | 5
Editor's Desk
Southeast Asia security market insights and risk environments T
raveling to a country soon after they celebrate the national day of reflection, their Independence Day, should be an opportune time to visit for an insight into the business, political and security posture and capture a sense of the state of the nation. As it was with my recent visits to Indonesia, Singapore and Malaysia and with national flags still flying soon after each of their respective Independence Days. As seen from Australia, as well as on centre ground in each of their capital cities, it remains apparent these three dominant Southeast Asian nations face a web of existential threats to their domestic and national security interests. Beyond the regional political and economic challenges, the security threat around illicit trade and people smuggling, drug trafficking, terrorism, pandemics and natural disasters remains inherently high and all will remain within a long term risk environment. Immediately following the G20 Leader’s Summit in China, ASEAN meetings were held in Laos, and followed the ASEAN Regional Forum on political and security issues. Meetings included the 25th ASEAN-China anniversary, alongside the first ever ASEAN-Australia meeting, with each reviewing the strategic partnerships between ASEAN member states and regional partners.
6 | Asia Pacific Security Magazine
Australia has yet some catching up to do and won’t be helped by Islamophobia appearing within the 45th Australian Parliament. According to the UN World Urbanisation Prospects (2014), throughout ASEAN, the percentage of people living in cities is projected to rise from about 47 percent in the mid-2010s to 56 percent in 2030 and then to 67 percent in 2050. The Southeast Asian region remains one of the few places in the world that can combine an abundant labour supply, many coastal cities and port facilities, however growth will rely on good public infrastructure and education. This could be an Australian opportunity, and may still be, but it would appear it is the Chinese taking the initiative, with the Asian Infrastructure Investment Bank providing substantial additional financing toward such purposes and investors have been referred to talking about the creation of another ‘China’ in Southeast Asia. The amount of construction contracts that China received from ASEAN has amounted to $10 billion, an increase of over 8 percent, year on year. In this issue, we cover the China State Shipbuilding Corporation (CSSC), one of China’s top shipbuilding and defence groups that builds virtually all People’s Liberation Army Navy (PLAN) warships, which has been laying a
network of ship and subsurface sensors that it calls the ‘Underwater Great Wall Project’, set to give Beijing an enormous undersea warfare advantage. Through its Underwater Great Wall, China will affirm the so-called ‘nine-dash line’ that it had unilaterally delineated in 1947 to claim as much as 90 per cent of the 2 million sq km expanse of the South China Sea. The line extends to as far as 2,000 km from the Chinese mainland to within a few hundred kilometres of the Philippines, Malaysia and Vietnam. And it was this claim that the Permanent Court of Arbitration in The Hague debunked in July in the case against China brought before it by the Philippines. Indonesia is seeking greater emphasis on maritime cooperation amid cases of Indonesians being kidnapped in the region’s waters around the Philippines and Malaysia. Each country also has Islamic State sympathisers constantly seeking out new recruits using social media and government security and police agencies are still yet to fully upskill themselves to counter the narrative and identify radicalised individuals. Indonesia is home to the world’s largest Muslim population and has been the target of frequent terrorist attacks over the past two decades, while other areas are used as training grounds for terrorists. This year has included the January 14
Editor's Desk
bombing in central Jakarta, July attacks in Central Java and an August attack against a Catholic Priest in North Sumatra, similar to the IS inspired attack against Catholic Priests in France and recent charges laid in Sydney, Australia following a knife attack. Concerns remain of growing numbers of extremists inspired by Islamic State, and rather than calling them IS cells, these groups have been described as ‘pro-IS’ who have been active on social media showing support and facilitating radicalisation. Most concerning was the recent thwarted missile attack planned against Singapore’s Marina Bay by a group in Batam that had made contact with the terrorist group via Facebook. Somewhat similarly to the Philippines, Indonesia’s President has declared ‘a drug state of emergency’ and an all-out war on illicit substances in 2015, with the country experiencing about 50 drug related deaths daily and about 5 million abusers. The National Narcotic’s Agency has reported that there are about 60 illicit drug networks operating with the battle against organised crime restricted by a lack of manpower, technology, rehabilitation facilities and funding while new types of drugs keep pouring into the country. The Government missed its target of rehabilitation 100,000 drug abusers, accommodating only 42,000. The Government has
raised the target to 200,000 in 2016. The scourge of terrorism is not endangering humans alone. We have a Cover Feature report on how individuals and syndicates across the world are displaying a horrific eagerness to plumb the depths of human nature to profiteer from vulnerable wildlife. India’s tiger population has been decimated from 100,000 a century ago to just 2,226 today. Yet they constitute 57 per cent of global tiger numbers, with the remaining 12 countries where tigers are found having a total of only 1,664. Poaching in India is driven by demand overseas, with one tiger rug netting over $160,000, while a stuffed tiger gets A$910,000 in international markets. Traditional Chinese medicine considers a tiger’s penis as a natural enhancer of male virility, a dish made from it selling for as high as A$7,500 in Beijing. You may also recall our previous issues and such reports like the FireEye Report which describes malware being detected at commercial and government entities across Singapore, Malaysia, Thailand, Vietnam, Philippines, Indonesia, and Brunei and advanced threat groups are behind many of these attacks and have unique motives in this region. We will continue to provide in-depth market and security risk environment analysis in our next editions as we continue our
Southeast Asia series. We have also included our show reviews following my attendance to the Commercial UAV Asia show in Singapore and IFSEC Southeast Asia in Kuala Lumpur, having enjoyed them both. And on that note, as always, we provide some thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage. Chris Cubbage Executive Editor
Next week we head to California USA with visits to Silicon Valley, San Jose and San Francisco. Stay tuned too on the winners of the NetEvents IoT Innovation Awards for the Hottest Start-up.
Asia Pacific Security Magazine | 7
HRDF Claimable
Co-organisers:
TECHNOLOGY M A L A Y S I A
2 0 1 6
Anchor Event of the Big Data Week Asia 2016 19 - 20 September 2016 | KL Convention Centre, Malaysia
#BIGITMY2016 www.bigittechnology.com/malaysia2016/ june.lee@olygen.com
|
+603 2261 4227
EVENT SPONSORS: TITANIUM SPONSOR
PLATINUM SPONSORS
SILVER SPONSORS
OFFICIAL MEDIA PARTNERS
GOLD SPONSORS
Integrated Security Fabric delivers business continuity Fortinet’s end-to-end Security Fabric delivers: •
World-class security
•
Tightly-integrated management
•
Transparency at the granular level
•
Business continuity
Driven by industry-leading secure operating system FortiOS and powered by the thirdgeneration FortiASIC SOC3 (System-on-a-Chip) architecture, no other security vendor comes close to providing the depth and breadth of security solutions. With the lowest latency on the market and real-time security updates from the global FortiGuard Labs, Fortinet is the security solution of choice for enterprise-level data centres.
Fully-integrated Fortinet’s Security Fabric solutions work together seamlessly to provide trouble-free installation, centralised configuration and ‘single pane of glass’ management. Combined with the FortiGuard Labs’ real-time security updates, Fortinet’s Security Fabric will always be armed with the very latest threat intelligence and detection / mitigation algorithms.
Extending security to business continuity When you install Fortinet Security Fabric solutions, you are investing in business continuity. With Fortinet’s Security Fabric, nothing that happens on your network goes unnoticed. Intrusions, data leaks, DDoS attacks, system slowdowns or simply business
as usual. Fortinet gives you unprecedented visibility into your network’s performance and virtually eliminates the ‘window of vulnerability’ that can result in interruptions in service delivery.
Validated performance NSS Labs has awarded Fortinet’s Security Fabric their highest recommendation. NSS certified that Fortinet’s ATP solutions detected 100% of exploits delivered by social media and drive-by downloads. Fortinet has also received NSS Labs’ recommendations for the FortiGate data centre intrusion prevention system, FortiClient endpoint protection and FortiWeb web application firewalls, amongst others. NSS has validated Fortinet’s security effectiveness above 99%. That, combined with industry-leading performance, delivers what you need to ensure fast, secure operations and business continuity.
AT A GLANCE •
Enterprise Firewall
•
Advanced Threat Protection
•
Cloud Security
•
Application Security
•
Secure Access
•
Security Operations
FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 6000 anz_marketing@fortinet.com
www.fortinet.com
FORTINET SECURITY FABRIC CORE SOLUTIONS Fortinet’s Security Fabric is built around a core set of solutions, anchored by the FortiGate firewalls, that provide security from the server to the smartphone, into the cloud and everywhere in between. •
FortiGate next-generation enterprise firewalls / data centre intrusion prevention
•
FortiSandbox, FortiMail and FortiClient advanced threat protection (ATP)
•
FortiWeb web application firewalls
•
FortiAP, FortiSwitch and FortiCloud secure access solutions
•
FortiSIEM, FortiManager security operations and network optimisation
•
FortiGuard Enterprise Service Bundle real-time subscription-based security updates
FORTINET SECURITY FABRIC PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS
Cyber Security Regional Security
China’s Underwater Great Wall
T By Sarosh Bana APSM Correspondent
10 | Asia Pacific Security Magazine
he stakes in the South China Sea (SCS) are apparently reaching down to the murky depths of this contentious waterway as Beijing readies its undersea surveillance network to consolidate its presence in the region. The China State Shipbuilding Corporation (CSSC), one of China’s top shipbuilding and defence groups that builds virtually all People’s Liberation Army Navy (PLAN) warships, has been laying a network of ship and subsurface sensors that it calls the ‘Underwater Great Wall Project’ that is designed to gain Beijing an enormous undersea warfare advantage. Estimated to be close to completion, the project will help China push its effective control zone and track all submarine, surface and aerial activity in the littoral. CSSC is also flaunting the system as “a package solution” in terms of underwater environment monitoring and collection, real-time location, tracing of surface and underwater targets, warning of seaquakes, tsunamis and other disasters, as well as for garnering research data on marine life and geology. Project details were made available at a CSSC booth at a public exhibition in China late last year, with IHS Jane’s managing to have them translated from a government official. According to a recent IHS Jane’s report, the system proposed by CSSC will likely be obtained by PLAN and may also be offered for export. The CSSC document is quoted as claiming that one of the company’s objectives, among others, is to provide its customers with “a package solution in terms of underwater environment monitoring and collection, real-time location,
tracing of surface and underwater targets, warning of seaquakes, tsunamis, and other disasters as well as marine scientific research”. Describing itself as “an extra-large conglomerate and state-authorised investment institution directly administered by the central government of China”, the 17-year-old Corporation notes: “Under its wing, there are totally 60 sole proprietorship enterprises and shareholding institutions, including a batch of most powerful and some renowned shipbuilding and ship-repairing yards, research and design institutes, marine-related equipment manufacturers and trading firms in China.” The CSSC stakeout model appears to be a vastly advanced and comprehensive version of the SOund SUrveillance System (SOSUS) that had accorded the United States a significant advantage in countering Soviet submarines during the Cold War. SOSUS was the result of an ultra secret mission tasked by the US’s Office of Naval Research (ONR) to AT&T and its manufacturing arm, Western Electric, in 1950 to develop an undersea surveillance system designed to detect and track Soviet submarines. The System was an array of hydrophones on the ocean bottom connected by undersea cables along the entire US East Coast to on-shore processing centres. SOSUS was itself a high engineering spin-off of the US Navy’s SOFAR (Sound Fixing And Ranging) channel discovered toward the end of WWII to detect submarines hundreds of miles away by listening for the noises they generate. The Underwater Great Wall gives visible shape to China’s intent on asserting its role in the region. Beijings’ claims of
Regional Security
sovereignty over almost the entire South China and East China seas have sparked disputes with its neighbours such as Japan, the Philippines, Vietnam, Taiwan, Malaysia and Brunei Darussalam. The bone of contention has been the various island enclaves, not of much value in themselves, but the possession of which would provide strategic resource-rich continental shelves and Exclusive Economic Zones (EEZ) that extend 200 nautical miles from the low-water shoreline. Towards this, China has been creating islands and militarising them to further its access to marine resources. Also, Beijing’s energyhungry export-driven economy that is heavily reliant on raw material and fuel imports seeks to buttress its suzerainty over the regional Sea Lines of Communication (SLOC) that are critical to the survival of the entire Asia-Pacific community. It is largely to its seaborne trade that China owes its spectacular economic transformation that helped shrink the 61 per cent of its population living in extreme poverty in 1990 to only four per cent by 2015. One study reckons that of the four billion tonnes added to global seaborne trade between 2002 and 2014, Chinese imports accounted for 94 per cent of the increase in iron ore volumes and 35 per cent in coal volumes, while Chinese exports accounted for 60 per cent of the expansion in container trade. To ensure safe passage to its maritime trade and expand its commercial footprint, China has been extending its blue-water presence in its neighbourhood through the establishment of its South Sea Fleet surface combatants in Zhanjiang in Guangdong province that faces Hainan Island to the south where its nuclear-submarine fleet is located. The area also has the deployment of precision cruise and advanced ballistic missiles that can target all current US bases and naval forces in the region. The ominous developments are posing a threat to the Asia-Pacific as a whole, the fastest growing economic region in the world. While this region has hitherto been driven by commercial interests, this widening unrest threatens the sea lanes that are its lifeline. With one of the largest fleets of attack submarines comprising four ballistic missile submarines (SSBNs), six nuclear-powered attack submarines (SSNs) and 53 dieselelectric submarines (SSKs), Beijing is close to deploying a powerful sea-based nuclear deterrent through long-range nuclear-armed submarines. Five Type 094 Jin Class SSBNs may eventually be built, each armed with 12 JL-2 missiles that can deliver one-tonne nuclear warheads at a range of 4,320 nautical miles (8,000 km). China’s military posturing challenges the US, viewing as it does Washington’s pursuit of its policy of “pivot” to Asia as an American attempt to curb Chinese influence across the region and embolden countries to brazen out China on the maritime disputes. Beijing has argued too that this policy is aimed at containing its legitimately expanding economy and military, as also at bolstering American presence in this region of the future. Also termed “rebalance”, the strategy was outlined in President Barack Obama’s 2012 Defence Strategic Guidance that reorients the US’s capabilities and capacities to better prepare for future global security. It enunciates the relocation of 60 per cent of the US’s naval assets – up from 50 per cent
today – to the region by 2020. Beijing views these moves as an American attempt to curb Chinese influence across the region and embolden countries to defy China on the maritime disputes. Though Washington has sought to be neutral, it is conscious of the need for freedom of navigation for all countries. It hence finds it imperative to raise its already formidable profile in the Asia-Pacific. Its numerous military bases in the region include 17 in Japan and 12 in South Korea, while it also has a presence in Australia, Thailand, the Philippines, Guam and Singapore, and on the Britishcontrolled Indian Ocean island of Diego Garcia. CSSC’s Underwater Great Wall combines a network of crewed and Unmanned Surface Vehicles (USV), or Autonomous Surface Vehicles (ASV), which are unmanned watercraft, active and passive sensors located up to 3,000 metres underwater, and a seabed sensor picket line to create a subsurface perimeter around China’s claimed maritime territory. This will help in the autonomous location and tracking of enemy submarines and ultimately in setting up a zone of anti-access/area denial in the waterways deemed critical by China for its security. The seabed-based component of this network features an array of hydrophones and magnetic anomaly detectors cited along undersea cables laid at the axis of deep sound-channels roughly to the direction that the arrays are to listen. This capability is next paired with maritime reconnaissance / ASW (anti-submarine warfare) aircraft assets to establish a multitier ASW network. Through its Underwater Great Wall, China may also well affirm the so-called ‘nine-dash line’ that it had unilaterally delineated in 1947 to claim as much as 90 per cent of the 2 million sq km expanse of the South China Sea. The line extends to as far as 2,000 km from the Chinese mainland to within a few hundred kilometres of the Philippines, Malaysia and Vietnam. And it was this claim that the Permanent Court of Arbitration in The Hague debunked in July in the case against China brought before it by the Philippines. The Court upheld Manila’s contention that the line exceeded the limits of maritime entitlements permitted under the UN Convention on the Law of the Sea (UNCLOS), a verdict that Beijing rejected, whilst re-asserting its “historical maritime rights” across the region. Actually, China had scripted a 11-dash line in 1947, but had removed two ‘dashes’ in the early 1950s to bypass the Gulf of Tonkin as a gesture to communist comrades in North Vietnam. This was the first time the Chinese government had been summoned before the international justice system, the tribunal indicting Beijing also for violating international law by causing “irreparable harm” to the marine environment, endangering Philippine ships and interfering with Philippine fishing and oil exploration. The absence of any mechanism to enforce the ruling, despite its being legally binding, emboldened China to defy it, affirming its claim to sovereignty over the South China Sea “since ancient times”. Not only the creation itself of the Underwater Great Wall, but its locational sweep in disputed waters, may spark fresh reprisals from nations in the littoral that are no longer agreeable to countenance any further excesses.
Asia Pacific Security Magazine | 11
Cyber Security COVER FEATURE
Cyber terror on wildlife 12 | Asia Pacific Security Magazine
COVER FEATURE
T
India’s tiger population too has been decimated from 100,000 a century ago to just 2,226 today. Yet they constitute 57 per cent of global tiger numbers, with the remaining 12 countries where tigers are found having a total of only 1,664.
he scourge of terrorism is not endangering humans alone. Individuals and syndicates across the world are displaying a horrific eagerness to plumb the depths of human nature to profiteer from vulnerable wildlife. Their fathomless cruelty to animals — snaring them in iron traps till they die a painful, often gangrenous death, clubbing them to death when ensnared, and then skinning them, at times when some are still breathing — has been delivering rich dividends for them. The brutality reached a nadir when forest guards at India’s famed Kaziranga National Park who heard gunshots just a distance away from the forest lodge where Britain’s Prince William and Catherine Middleton had halted just hours earlier in April found an adult male rhinoceros riddled with bullets fired by poachers from AK-47 assault rifles. The animal’s horn had been wrenched off and as many as 88 empty AK-47 cartridges were found scattered at the bloodied spot. A rhino’s horn fetches Rs500,000 (about A$10,000) in the local market and goes up to Rs2,000,000 (about A$40,000) by the time it is consumed as aphrodisiac in China or Vietnam. Eleven rhinos have fallen to poachers in Kaziranga this year and 17 were killed last year, bringing the toll to 200 over the past 15 years. Twenty-six more died in the heavy flooding during the current monsoon. A rhino’s ‘horn’ does not grow out of its skull, but is actually agglutinated hair that can be knocked off by a sharp blow. India’s tiger population too has been decimated from 100,000 a century ago to just 2,226 today. Yet they constitute 57 per cent of global tiger numbers, with the remaining 12 countries where tigers are found having a total of only 1,664. Poaching in India is driven by demand overseas, one tiger rug netting over $160,000, while a stuffed tiger gets A$910,000 in international markets. Traditional Chinese medicine considers a tiger’s penis as a natural enhancer of male virility, a dish made from it selling for as high as A$7,500 in Beijing. Traffickers who make a living off the carrion of wildlife are now extending their atrocity to the internet, where they are using coded language to “market” endangered animals and their body parts on various e-commerce sites. The clandestine cross-border wildlife trade has been made that much easier, and safer, by the internet. These traders do not anymore need to step out to locate customers for their products when they can expose themselves or be tracked and caught. They now strike deals online from safe confines by reaching out to prospective buyers through innocuoussounding terms that indicate an animal or its parts, much in the manner electronic transactions are undertaken nowadays. Interested clients place orders, again in code, making online payments ostensibly for completely different products. Internet traffic in wildlife has been accelerating the extinction process worldwide for quite some time now, but of late it is making inroads into India, a country endowed with some of the most diverse and remarkable wildlife on earth. Wildlife trade is being rendered more difficult to monitor with this growing trend of internet commerce eluding enforcement. Seized with this menace way back in 2004, the Massachusetts-based International Fund for Animal Welfare (IFAW) launched an investigation called “Caught in the Web” that documented massive online marketing of live endangered and protected species and their parts, including
By Sarosh Bana APSM Correspondent
Asia Pacific Security Magazine | 13
COVER FEATURE
“As far as the illegal online sale of wild animals and products is concerned, the Bureau is regularly monitoring the websites for any such advertisements or offers for immediate action in the matter,” tigers, lions, elephants, rhinos, gorillas, sea turtles, falcons, parrots, and serval cats. India’s Minister for Environment, Anil Madhav Dave (pronounced Da-vé), informed Parliament the other day that several websites, including Amazon India, Snapdeal, OLX India, eBay India, Alibaba India and Quikr, have been advertising this grisly merchandise of rare animals and their parts. He mentioned that this clandestine activity was being monitored under relevant laws under the Department of Information Technology at both the Federal and State government levels as part of combating cybercrime. The New Delhi-based Wildlife Crime Control Bureau (WCCB) has collated a list of 106 such websites. The Bureau is a statutory multi-disciplinary body established by the Government of India under the Ministry of Environment and Forests (MoEF) to combat organised wildlife crime in the country. Section 38 (Z) of the Wildlife (Protection) Act, 1972, mandates the collection and collation of intelligence on organised wildlife crime activities and to disseminate it to State and other enforcement agencies for immediate action so as to apprehend the criminals. Many of these syndicates are well connected, enjoy political influence, even patronage, and have the financial heft to pull off their caper without hindrance. No less an institution than the Supreme Court, the country’s highest court, has observed that many animals are being driven to the brink of extinction by “ruthless sophisticated operators, some of whom have top level patronage”. Some of the messages traced were for the sale of an ‘Australian teddy bear’ - for Rs200,000 (A$3,913) - that was deciphered to be referring to the koala, the arboreal marsupial endemic to Australia that has been declared ‘vulnerable’ by the government there. ‘Dhaariwala chaddar’ (Hindi for ‘striped bedsheet’) is the code for tiger skin, the sale of which is illegal as this largest of all land carnivores is listed in Appendix I of CITES (Convention on International Trade in Endangered Species) that proscribes their commercial international trade. “As far as the illegal online sale of wild animals and products is concerned, the Bureau is regularly monitoring the websites for any such advertisements or offers for immediate action in the matter,” WCCB Additional Director Tilotama Varma tells APSM. “Considering the seriousness of the issue, the Bureau has also taken several initiatives, such as contracting a cyber crime specialist to carry out regular cyber patrolling to detect any posts or offers over such trade portals on the World Wide Web, apart from retrieving details of suspects and passing them on to relevant enforcement
14 | Asia Pacific Security Magazine
agencies for legal action.” The vigorous wildlife trafficking in India is more for meeting the demand from outside the country, there being relatively little domestic demand for wildlife products. This savagery prevails for meeting a flourishing worldwide demand for animal products, the United States being the biggest market for these voiceless victims, alongside China and Vietnam. There is a booming cross-border trade as China has always been a huge consumer of wildlife produce. Traditional Chinese medicine is based largely on natural flora and fauna in their various forms. Consumption in that country is also driven by the age-old belief in the aphrodisiacal powers of various animal products, such as tiger penises and rhino horns. Due to this huge overseas demand, the immense size and population of India, and inadequate anti-poaching efforts, the exact number of wildlife illegally killed and trafficked is difficult to ascertain. It is a fact, however, that widespread poaching, as also relentless inroads by settlements, industry and farms, are annihilating wild animals and their habitats at an alarming pace. Varma adds that her Bureau convened a meeting of representatives from online trade portals in May to discuss issues pertaining to online wildlife trade and sensitise them on this issue and to discuss means by which they could assist the Bureau in case of such detection. Most of the websites, she mentions, are hosted from overseas and hence their exact origins are difficult to identify. Whenever Indian online sellers are detected and caught, they are either found to be selling old products or are petty sellers trying to make quick money by selling products they have either bought somewhere or poached themselves such as turtles, snakes, ivory products, sea shells etc. Several of the e-tailers are said to have been proactive on the issue, with the more prominent ones like Amazon, eBay, OLX and Snapdeal claiming to have cracked down on such sales. WCCB officials, however, remark that while trade portals such as Amazon and Snapdeal have good control over their sellers, classifieds such as Quikr and OLX do not have much say in this regard. Some of the smaller websites do not even have offices in the country. WCCB Joint Director Kamal Datta says the Bureau has supplied the prominent websites with code words and filters and has asked them to report what would seem like suspicious activity. The other Joint Director, Vivek Kishore, observes that major sites such as Amazon report having acted against suspicious items being sold on their websites. Amazon India says that in May, it took down 296 items in the ‘animal specimen’ category and 104 items under the ‘snares or traps’ category that were listed by third party sellers, after Wildlife SOS drew Amazon’s attention to them. “Such products are no longer available on Amazon.in and in addition, we have strictly enforced any attempts to inadvertently sell them,” affirms a spokesperson. “We have also provided information as and when required by various government bodies and will continue to do so.” eBay too mentions that it has zero tolerance for any such wrongdoings, and has strict policies in place to stop the sale of products from endangered animals on the site. OLX claims to be taking steps to ensure that protected animals and birds are not put up for sale by any users of its site.
COVER FEATURE
According to Varma, the WCCB conducts training and sensitisation programmes for its officials and staff to keep them abreast of such trends and to take necessary action. Nearly 11,000 officials of other Federal and State government agencies and stakeholders too were sensitised through 176 such programmes. The Bureau has also conducted 62 two-day capacity-building programmes for over 3,000 forest and police officials, organised 34 inter-agency meetings, and undertaken awareness sessions for people living in proximity to wildlife reserves. Varma acknowledges, however, that the Bureau is facing an acute shortage of staff for fulfilling its mandates. It has 43 unfilled vacancies in its overall 109 posts. “But we are constructively coordinating with all concerned agencies like the forest protection force, the police, Customs, Central Bureau of Investigation (CBI), Intelligence Bureau (IB), Reserve Police Force (RPF), SSB [Sashastra Seema Bal, Hindi for Armed Border Force] etc. for effective enforcement activities,” she notes. “In addition to these agencies, the Bureau is coordinating with the Indian Navy and Coast Guard in the Andaman & Nicobar Islands, in the Bay of Bengal, and the Gulf of Mannar and the Lakshadweep Islands in the Lakshadweep Sea [an expanse of the sea bordering India, the Maldives, and Sri Lanka in the Indian Ocean] for effective action against the illegal poaching of marine species.” Varma stresses that despite its staff constraints, the Bureau has had remarkable achievements, having detected 725 cases at various exit points, issuing regular alerts, advisories and actionable intelligence, coordinating 141 joint operations leading to seizures of wildlife products and
arrests of criminals in various parts of the country, arresting, or assisting in the arrest of, 275 wildlife criminals between 2013 and 2016, and preparing wildlife criminal dossiers and sharing them with state enforcement agencies. Twentythree of the 275 arrested have been convicted till now. “If the investigations or criminal analyses by the WCCB or any other agency determine the involvement of any foreign nationals, the details of such culprits are sought from the respective countries through the National Central Bureau (Interpol),” she points out. Two of the 275 criminals arrested are foreign nationals. Asked if the WCCB had any estimates of animals poached in India, the Bureau, which was formed in 2008, notes that it is in the process of collecting such data from the Forest and Police departments. On the question of possible involvement of any ministers, politicians or high forest officials in any of the poaching cases, Varma maintains, “Such data are not compiled by this Bureau.” On how long does each case take, she indicates that such data are available only with the State Forest or Police departments, but that it would depend on the “forward or backward linkages” in the case. In India, like in many other countries, the problem is not of laws, but that these may be poorly communicated and just as poorly enforced. Often, efforts to counter wildlife trade are undermined by lack of political will and governance failures. Wildlife trafficking, deforestation, and loss of habitat are no longer localised problems, but global ones. Information is the key to developing an understanding and, with it, the resolve, to counter them. Ultimately, it is demand that sustains this massacre and such demand arises from a lack of understanding of, and sensitivity to, this massacre.
Asia Pacific Security Magazine | 15
Cyber Security Corporate Security
Security industry must embrace modern technologies
T By Magnus Hedberg CEO, GroupTalk
he global security industry is growing at a rapid pace. More professional and coordinated operations across disciplines and geographical borders among criminals, is one of the drivers of the increased demand for advanced security services. This calls for more intense surveillance and security, according to the Europol “Serious and Organized Crime Assessment Report”. Gartner puts the global security market at $86bn, with annual growth of close to nine percent, citing “growing complexity of attacks”. At the same time the security industry finds itself in a consolidation phase, adapting new technologies with a strong focus on digital services and offers as Security as a Service. Intense competition in the industry are also squeezing profits, forcing security companies to focus on more logistically efficient solutions, cost savings, and smarter and safer interactions between security staff. Out-dated communications routines An important factor for safe and efficient security monitoring is the successful coordination and interconnection between guards and security control centres while patrolling, especially when covering large areas such as shopping malls, hotels, airports, event venues, logistics centres etc. However, most security staff around the world still uses traditional and out-dated two-way radios (walkie-talkies) with a momentary button to switch from voice reception mode to transmit mode, when communicating. Building radio networks, programming and providing two way radios is complicated and time consuming. This is ancient and inefficient communication technology, not suitable for an industry with low margins that also needs to be in the technological forefront, aiming to be secure, flexible, efficient and profitable. Until now, development and deployment of efficient communication tools have been very costly and complicated. In some cases the technology has become out-dated before it
16 | Asia Pacific Security Magazine
has been completely rolled out. For smaller security companies this has not even been an option. For them it has been virtually impossible, for economic reasons, to get a modern communications solution with a good geographical coverage. Push-to-talk technology improves security company’s competitiveness But this is about to change, since there is huge potential to improve communication between the members of the security staff with more modern, yet simple and user friendly, technologies. An increasing number of security companies tend to abandon the ancient walkie-talkie communication solutions, replacing them with more modern communications solutions, based on digital models such as the push-to-talk (PTT) over cellular phones, a service that enables subscribers to use their phones as walkie-talkies with unlimited range over the existing mobile networks. PTT has several advantages: • •
• • • •
• •
PTT enables simple and safe communication between employees through the push of a single button. It is a cost efficient cloud-based solution that allows communication directly through the users’ smartphones (and tablets/laptops). It is secure. It uses existing mobile networks, with no need to build and maintain your own network. The sound is much clearer than walkie-talkies, which reduces the likelihood of misunderstandings. The administrator easily controls the number of users, PTT groups (known as “channels” when using walkietalkies) and user access. The solution can include push-to-talk accessories such as acoustic headsets etc. Use of Bluetooth-based PTT buttons in combination with smartphones for instant voice communication.
Cyber Security
Until now, development and deployment of efficient communication tools have been very costly and complicated. In some cases the technology has become out-dated before it has been completely rolled out. For smaller security companies this has not even been an option. • • •
•
•
It is fast; it just takes hours to roll out a cloud-based PTT service to companies with 10,000's of users. It is easy to connect different organizations with PTT. The flexibility to control who receives panic alarms and the routing of voice communication is "game changing" in relation to how traditional two-way radios and alarm solutions are working. The new technology-based smartphones can be easily integrated with existing communication radio systems so that you can benefit from the investments already made. With an IP-based PTT solution, services are no longer geographically limited. Now you can communicate with PTT services across borders, globally and also with users at sea and in aircrafts.
Many companies in the security industry has come to appreciate the flexibility in a solution that could be used on different staffing sizes, without having to make major new investments in communication systems. Being able to link staff in a communications network, gives them an opportunity to share information and resources in a way that they have not been able to do with their previous traditional communications systems. This is a solution that not only provides the user with a integrated panic alarm in the service, but it also saves them money compared to if they were to purchase separate personal alarms for each and everyone in the staff. “Substantial savings” Big security companies have the resources to be in the forefront and adopt new communication solutions, most of them are already rolling out smartphone based communications solutions. Interestingly, with the cloud based PTT services, the barrier to use the new solutions is virtually gone for companies of all sizes and the SMB (Small Medium Business) segment is a fast mover to leverage these solutions to get a competitive edge. A real life example of this is Norwegian security company, Telemark Sikkerhet, who in 2016 wanted to improve communication between the staff and making it more secure. The result can only be described as fantastic. The solution has
improved communication in the working process for Telemark Sikkerhet with results such as: • • • •
Improved security surveillance Improved competitiveness Reduced cost Dedicated staff and improved work environment
Smartphones are used to share information and status by both voice and text in order to improve accuracy, traceability and efficiency in communications. Text based communication ads traceability and clarity to PTT, creating an unbeatable combination. Automated machine-to-machine (M2M) communications is also gaining popularity as a supplement to PTT, e.g. in the airline industry for status updates like boarding and refuelling complete in aircraft turn arounds. Security companies can use status messages when they arrive at a destination, enter a specific area, have completed a task, etc. to keep guards in their team and the dispatch at the security control centre up to date with the latest status. Time limited and defined project tool Security is perhaps one of the industries that can draw the most obvious benefits from the new advanced PTT group communications solutions. But PTT has also gained interest from organisations in other industries where instant group communications are instrumental, such as aviation, construction/infrastructure, energy and retail. An increasing number of companies appreciate the fact that the new solutions are cost efficient, scalable and flexible, that allow staff of various sizes to communicate, without having to make major new investments in communication systems. Being able to link people working together in what can be described as ‘time limited and clearly defined short projects’ in a user friendly communications network gives them an opportunity to share information and resources in a way that they have not been able to do with their previous traditional communication devices. PTT solutions based on standard smartphones and tablets/laptops make task group communications faster, more flexible, secure – and, not least – more cost efficient. It might be the single most efficient and beneficial measure that the security industry can implement the solution in their quest for improved packaged services and lower costs. About the Author Magnus Hedberg is founder and CEO of the Nordic tech company GroupTalk and CEO of Satpoint. GroupTalk is a Swedish leading provider of enterprise push-to-talk (PTT) group voice communications services. Mr. Hedberg is a serial entrepreneur with decade-long experience of founding and managing tech companies and an expert in software, technical development and communications solutions. He was one of the founders of, Marratech, a Swedish company that produced software for e-meetings, later sold to Google. Magnus Hedberg has an MSc from the Luleå University of Technology in Sweden.
Asia Pacific Security Magazine | 17
Corporate Security
I T R A P
Deception detection uncovered: Truth seeking through interrogation
F By Sophie Zadeh Body Language Specialist
18 | Asia Pacific Security Magazine
or years, researchers have been searching for the ‘Pinocchio’s nose’ of deception. As of today, it doesn’t exist; there is no single cue indicative of deception. There is no machine, no technology nor person that can detect deception with 100% accuracy. Any claims that suggest otherwise are, in themselves, untrue. The best that we can do is identify anomalies and patterns in behaviour, physiology and voice, differentiated from baseline and emotional baseline behaviours. We then use these as potential red flags which may, or may not, be indicative of deception. How these red flags are addressed through questioning techniques and behaviour (of the investigator), is key to seeking the truth. With this approach, we can dramatically improve our rate of success during interrogation. As a Body Language Specialist, I want to focus on the body language component of deception detection. Which behaviours should we be looking for, as indicators to dig deeper, and what should we do with our own body to create an environment conducive to seeking the truth? We will explore these concepts over two articles.
There are some nonverbal cues, that can increase when people are not telling the truth; nose touching, increased blink rate, self soothing, etc. However, these are not ‘lying cues’ in their own right, because we also do these when we are telling the truth. Generally, behaviours like these increase with, and are indicative of, stress. They are associated with lying because lying increases cognitive load significantly, therefore causing stress. Our brain does not like it when we lie, and our body reacts with behaviours and responses that can be both voluntary or involuntary. Most people under interrogation will be feeling stressed. Where most people go wrong, is assuming deception as soon as they see nonverbal cues that they believe to be indicative of lying, such as those mentioned above. Perhaps the biggest myths I hear when talking to people about body language, are that you can tell someone is lying based on their eye direction or amount of eye contact. These are not true; let’s bust those myths right now! Most people’s ability to detect deception is 54% accuracy, little more than a toss of a coin. This includes law
Corporate Security
"As a result, fingerprint biometrics is far more accurate than facial matching. In fact, it is possible to perform one-to-many searches against a large database of fingerprint biometric records with very few false matches and false non-matches. " enforcement professionals, so unless you’ve been trained properly and practiced the skills, your accuracy, most likely, will be around this mark. Research also shows, that as soon as we start to dabble in the area, following inaccurate knowledge or beliefs, our ability to detect deception lowers even further. That’s a significantly high number of false accusations, which could potentially result in innocent people being convicted. Unless, you’re prepared to learn properly and practice these skills, I recommend avoiding dabbling in the area. On the bright side, those that are trained properly can get to the truth 90% of the time. Since deception detection is too complex an area to cover in just one article, and given the fact that I don’t want you to dabble, instead, let me aim to pique your interest in the subject and look at it from a different perspective. Let’s start by reframing deception detection and instead look at it as identifying red flags. Think of these red flags, not as indicators of deception, but as indicators of areas in which you may need to dig deeper. Red Flags; Indicators to Dig Deeper When decoding body language, we typically look out for clusters of nonverbal cues and use the cluster as a red flag. In this article, I’m going to highlight a few nonverbal cues, that can independently signal a red flag, due to their meaning. Remember, these are red flags and not ‘lying cues’. This will give you just enough to walk away with, so that you can start practicing to observe them in others. One Sided Shoulder Shrug The one sided shoulder shrug is a clear signal that the speaker is not confident in their own words. The shrug takes place as the words are being spoken, or at the end of the sentence. On the other hand, a full shoulder shrug (both shoulders) indicates the speaker is confident in their words. For example, saying, “I don’t know”, with a one sided shoulder shrug, means there’s more to it and the speaker is potentially withholding information. Saying the same line with a full shoulder shrug, indicates the speaker really doesn’t know. It can be either subtle or pronounced. Remember, do not take this as a lying cue per se, it’s simply an indicator of lack of confidence in their spoken words. For example: Imagine asking a suspect what time they left a venue and they respond with, “1 a.m.” and a one sided shoulder shrug. This doesn’t necessarily mean they are telling a deliberate lie, it may mean they aren’t sure if it was actually 1 a.m. Digging deeper at that point, could be a case of looking for evidence (e.g. CCTV footage) or asking further questions (e.g. “Is it possible that you left earlier?”).
Eyelid Flutter The eyelid flutter is involuntary and signals discomfort or dislike. It can be triggered by stress, and is usually seen when somebody says something that we strongly disagree with, in people struggling with thoughts or in finding the right words. We see this in people that stutter, which makes sense in terms of it’s meaning of struggling to find the right words. “When people are troubled, frustrated, or having silent temper tantrums, their eyelids close or flutter rapidly (Navarro & Schafer, 2001; Knapp & Hall, 1997)” — Advanced Interviewing Techniques: Proven Strategies for Law Enforcement, Military and Security Personnel. John R. Schafer & Joe Navarro Tongue Jut We slightly jut out our tongue when either, we feel like we’ve got away with something, we’ve just been caught or we’ve made a mistake. Sometimes we do this to deliberately signal to others. For example, if we publicly drop something, but then catch it before impact, we may signal to others that we got away with it by means of a tongue jut. In this case, the tongue jut may be accompanied by an eyebrow raise punctuator (to draw attention to the face/gesture; a nonverbal exclamation mark). The observer would clearly see the tongue jut out between the teeth, with lips drawn slightly back. The tongue may remain out for a second or two. Try doing this and you should feel the emotion behind it. However, when we conceal a tongue jut, it would be very subtle. There would be no eyebrow punctuator, the teeth wouldn’t be visible, the lips would be closed and the tongue would quickly jut out and retract. This subtle cue can easily be confused with lip licking. Lip licking is a self soothing, or pacifying, behaviour in which we try to bring comfort to ourselves by licking our lips. Like with other self soothing gestures, lip licking increases with stress. These cues may or may not be present during deception. They do not signal deception, specifically and should never be taken to assume or accuse a person of lying. When observed, these nonverbal cues signal their meanings, alerting us to a potential issue. This gives us the opportunity to seek more evidence or circle back (at the time, or later) with more questions. It’s the ability to spot the cues in context (to know where to investigate further), combined with good questioning techniques, that will be most effective in deception detection. In the next issue of Australian Security Magazine, we will explore the second component, crucial to uncovering the truth; The Role of Your Body in Eliciting Truth.
Asia Pacific Security Magazine | 19
Corporate Security
Prevention is still better than cure There is still a defeatist attitude resonating through the industry when it comes to security however Greg Singh, Lead Technical Engineer for APAC region, Cylance argues that security tools should put the focus back on Prevention, rather than Response. After all, isn’t that what the customer expects?
D By Greg Singh
20 | Asia Pacific Security Magazine
r Jackie Craig, Chief of Cyber and Electronic Warfare at the Australian Department of Defence, spoke at the recent Australian Cyber Security Centre (ACSC) conference in Canberra. Classifying cyber security as a science, Dr Craig went on to say “If we had a big science approach to cyber security we could ... begin to educate people more deeply about the types of risks that they're taking if they don't have proper virus checkers." It all sounded so promising until she mentioned virus checkers. We were hoping that the speakers from the FBI’s Cyber division might come up with something more radical when they said: "Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and then really strategic [intelligence]". The point being made that “all the best tools” are still no match for good old human intelligence. I might have agreed to some extent, were it not for the fact that the example given of “all the best tools” was IDS (intrusion detection systems). That, for me, summed up everything that is wrong with cyber-defence today: the emphasis on detection and response, instead of on prevention. Surely, when a company is forking out thousands for cyber security, they are assuming that they are paying to prevent cyber-attacks? And yet there was very little mention of prevention at this year’s ACSC conference. For example we heard from Latha Maripuri, News Corp, the global information and publishing enterprise in charge of leading brands such as The Wall Street Journal whose
presentation focussed on the attacker only, it was all about how to structure a security program to address modern day threats. So much for Big Science and Threat Intelligence – it sounded more like a reactive response to try and Protect Company Assets after the burglar has escaped! The fact that antivirus has failed is no secret. In May 2014, Symantec itself declared antivirus “dead”. Traditional signature-based AV simply cannot keep pace with hackers who can rejig their malware with a few cosmetic touches to make it unrecognisable. As a consequence, anti-virus industry giants have been desperately buying up new technologies to patch up their reputations. So what solutions are being proposed at the ACSC conference? The key words seemed to be “detect” and “respond”. In other words: having given up hope of being able to recognise malware in advance, the focus is now on detecting that something is suspicious and then using detonation or sandbox techniques to see how it behaves before letting it loose in the network. So a first line of defence is the traditional antivirus search for recognised malware signatures, then a virtual machine is started up with the target operating system (so typically a virtual PC) and the suspicious code is copied into that “sandbox” to see what it does given enough time (typically about 5 minutes). A report is prepared and the VM is shut down and cleaned up. So we should now know if the incoming code is dangerous.
Corporate Security
Sandboxing is a powerful way to detect malware, but costly in terms of time and resources. How far do you go in virtualising the potential target? Should you not replicate the entire corporate network to test for a highly sophisticated attack? And five minutes is an eternity by today’s operating standards. What’s more, recent members of the Upatre malware tribe are using the Windows API GetTicketCount and will not activate unless the host has been running for more than 12 minutes. In other words, it recognises a sandbox VM and refuses to play in it. Artificial Intelligence is Golden The ACSC Conference was a disappointment, as no company seemed to offer a truly radical alternative to “detect and respond”. In the past, Antivirus has positioned itself as the solution but clearly this is not enough, what is needed is a Next Generation Anti-Virus that can identify specific attacks and speed the response to them once they are detected. For example instead of scanning vast databases of hashes, signatures and approved applications, CylancePROTECT makes real-time decisions by comparing against optimally trained statistical models that only need to be updated every few months. Looking for recognized malware signatures fails because cyber criminals simply alter the outer signatures – it is quick and cheap to simply recycle existing, proven malware by giving it a facelift. Instead NGAV recognition looks deep into the coding structure using sophisticated Big Data learning algorithms – and so a successful attacker would have to spend considerable time and money developing whole new coding structures – only to have the new attack promptly analyzed and registered in the NGAV system. This is not how cybercrime chooses to operate, because it relies on quick results with minimal investment before the authorities have a chance to catch up. But if the latest sandboxing solutions are already time and resource intensive, surely adding Big Data mining and artificial intelligence to the mix will bring the average corporate system grinding to a halt? Not so, because all of this heavy lifting takes place in the cloud, not in the client’s own system. The local software only has to analyze code in real time against a far smaller set of characteristics rather than an ever-expanding database of dubious signatures. The software for this approach occupies only 30 megabytes and typically uses less than 1% CPU making it practically invisible to the user, as well as being very easy to deploy and administer. Analogies should always be treated with caution, but try this. In 2003, a group of the world’s most dedicated scientists announced the completion of a 20-year project to map the entire human genome with 99.9% accuracy. Their work has led to many of the scientific breakthroughs we benefit from today. Effectively NGAV is unlocking the DNA of malware and applying artificial intelligence techniques, machine learning and algorithmic science to dissect the malware to almost a molecular level, before it is allowed to enter the network.
"Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and then really strategic [intelligence]" confirming inbound attacks and intrusions nor the measures used to mitigate or neutralise them, a new “the gloves are off ” approach has been announced by Prime Minister Malcolm Turnbull. At the launch of the government’s new $230 million Cyber Security Strategy in Sydney he publicly announced that “offensive capability” is now a real live option. There is a lot of good and timely material in the strategy as published, but there is still too much evidence of that detect and respond mind set – witness the report’s heading “Detect, Deter and Respond”. The first four essential mitigation strategies are strongly focused on responses to recognised dangers, while the discredited signature based anti-virus approach has actually been moved up from position 25 (in 2012) to position 22 in 2014 in “effectiveness ranking”. This was perhaps the best takeaway from the ACSC conference this year, but it fell short in one respect. Let’s make Prevention once more our top priority – because ultimately that is what the IT user really expects from the industry.
Government gets serious The Australian Government’s recent announcement reconfirmed the level of commitment to cyber security. Instead of the old “keep it under the carpet” policy of not
Asia Pacific Security Magazine | 21
Corporate Security
Insider threat can be eliminated with a proactive approach The media would lead us to believe that the greatest threats faced in today’s digital business world are that of ransomware and ID theft. While they may be right, there is an equally damaging malady lurking right under our noses that is often overlooked – insider threat. This article identifies what insider threats are and looks at some of the mitigation strategies we can use to address it.
J By Tony Campbell APSM Correspondent
22 | Asia AsiaPacific PacificSecurity SecurityMagazine Magazine
ust over ten years ago, I attended a conference in London run by the UK’s equivalent of the Australian Signals Directorate (ASD), GCHQ. The theme of the day focused on insider threats with myriad presentations explaining how UK industry and government agencies should be preparing to detect, defend and respond to this kind of insidious menace. As each of the speakers took to the podium, we were taken through a journey of fear, betrayal, espionage and human vulnerability that showed the audience just how real and pervasive this issue is. Indeed, for some businesses and government agencies handling particularly sensitive information, the threat from rogue insiders can
become existential if not adequately addressed. As I said, this conference was over ten years ago, but the world has changed incredibly over the last decade, with new threats becoming chic and newsworthy, while these kinds of attacker have dropped off the radar of public opinion. Starting with the 2013 Target attack, hackers made off with almost 40 million credit card and debit card accounts from Target’s systems. This was the first major media event of the new world, where large-scale data breaches made news – especially because of their far reaching impact on society. Since then we’ve seen dozens of big brands in the news, such as Sony, Home Depot, Talk Talk (in the UK), with David Jones
Corporate Security
and Kmart also being hit here in Australia. We’ve also seen another peculiar trend emerge from the backrooms of security research companies, where new vulnerabilities are marketed with a sexy name, well-designed websites and sensationalist commentary to make them newsworthy. If the security team is not focusing on these two areas, then they aren’t doing their job right, while all the other threats fall by the wayside. But this approach is wrong. Managing security outcomes aligned with this kind of media sensationalism will only serve to protect one aspect of your castle, so you’ll have all your troops at the front gate, not realising your tunnels are unprotected and your streets are full of spies. The Internal Malady Security is a process and needs to be tackled in a methodical and sequential manner, where you start with a threat assessment, then conduct a full audit of your assets, classifying the assets against a scheme of labelling that allows you to a) determine the impact of loss of confidentiality, integrity or availability, and hence b) the risk to the organisation of this impact being realised. Your threat assessment will undoubtedly categorise a variety of threat actors, along with their attributes, such as likelihood of them attacking you, as well as their means, motive and intent. One such group is this insider threat actor category, which can be further decomposed into the following subgroups: • Current employee with standard system access rights • Current employee with elevated system access rights • Current subcontractor or partner with standard system access rights • Current subcontractor or partner with elevated system access rights
employee is a ‘plant’ and has been untrustworthy from the beginning. The majority of actions an insider will take are keenly planned and will attempt to cover their tracks as they go. Furthermore, no matter what the external influence is, something will have affected the internal threat actor to make them act: mounting up a gambling debt, an extra-marital affair or being addicted to illicit drugs. Once an external threat actor has leverage over a member of your staff, then they can be coerced into attacking you. The vulnerabilities that affect insiders are wide and varied. In some cases, it may simply be due because they have become disillusionment with the company or policy of your government. Edward Snowden, for example, has publically stated that he no longer believed in the U.S. government or trusted the motives behind their national security programs. He felt that their actions and leaders needed to be held to account under public scrutiny, which led to the massively damaging leak of highly sensitive data. It could be that your rogue insider wants to exact revenge on his boss, or the whole organisation, believing they have been overlooked for promotion or discriminated against. The other category of malicious insiders are those driven by personal or financial gain, who are looking for something that the organisation cannot or won’t give them, especially where they have a personal vulnerability, such as gambling debts or a drug habit. The point is, there is no typical profile for what an insider might look like or act like, which is the primary reason they are such a difficult threat to detect and a complicated one to deal with.
When you then consider the three elements of mean, motive and intent,
When you then consider the three elements of mean, motive and intent, you start to build a fairly comprehensive picture of what could happen if any of these threat actors were present in your business and had the associated rights to access information assets.
you start to build a fairly comprehensive
Who are these Insiders?
business and had the associated rights to
Reports of external actors recruiting members of staff to act against their own organisation are common, originating from foreign governments, competitors and organised criminal gangs, all with something to gain. In 2011, the results of a survey conducted by the U.S. Secret Service, the CERT Insider Threat Centre, CSO Magazine and Deloitte , showed that the most common crimes perpetrated by malicious insiders were: • Unauthorised access to or use of corporate information • Unintentional exposure of private or sensitive data • Viruses, worms, or other malicious code • Theft of intellectual property (IP)
access information assets.
History has shown us that few insider threats are acts of impulsive opportunity. Mostly, the crime is premeditated and the motive has come from a change of circumstance – unless it’s part of a longer strategy by an external actor, where the
picture of what could happen if any of these threat actors were present in your
Innocent Mistakes The one area of major concern that you can deal with relatively easily is that of innocent mistakes. If you have not trained staff on how they should behave and ensured they all know what they are doing, how they should act, and how they should interact with your systems, then there is little you can do if they do something wrong. A comprehensive security awareness program, with training, exercises, and regular communications campaigns, will ensure your security messages get heard. Review your induction program to make sure staff know what to do on the very first day of their employment, so that there can be no doubt of what is acceptable and what isn’t.
Asia Pacific Security Magazine | 23
Corporate Security
Detecting Insider Threat Audit trails are useful when you know you need to follow an investigation into what someone has been up to. However, how can you get a notification into what that person has been doing that will initially raise suspicion? Firstly, audit trails need to be full of rich information that shows exactly what people have accessed, when they accessed it and for what purpose. If you have enough raw log information, you can pivot this data into an investigation tool and hunt down the evidence of a crime. It’s also possible to install a technical system that can analyse what’s considered baseline normal behaviour of staff, which will result in anomalies being flagged to the security team. You can employ tools that detect and intercept incidents, such as the legacy category of Security Information and Event Management (SIEM) systems, most often found in a SOC, however, if you really want to catch insider threats early and respond in as efficient a manner as possible, you need to be proactive. Look for a system that can provide an early warning of which users might turn bad, as well as one that can influence user behaviour before they do cause a breach, intentionally or by mistake. These kinds of systems are known as Insider Threat Management systems and if you are in the market for one you’ll need to make sure it covers all aspects of the threat management lifecycle: Education. Make sure the product provides the ability to educate staff in real time on what’s permitted and what’s not. Informing users whenever they do something that contravenes policy or could put the organisation at risk is a proven way of influencing and changing behaviour. You can use this to educate the careless, but well-meaning people in your organisation, while reducing the likelihood of someone taking advantage of unintentional mistakes. Deterrence. Deterrence is the process of informing the users when they are operating out of policy, which also serves to deter people with bad intentions as they see that the security team is constantly monitoring their actions. Prevention. Some tools are capable of intercepting and preventing incidents originating from insiders, while real-time education and deterrence can reduce the number of actual incidents that have to be managed by up to 50%. Investigation. Some tools provide a visual record of user sessions, offering incredibly useful insight into what a user has done, so investigations are resolved faster, which helps reduce the overall risk to the business. You’ll need to make sure your selection covers each of these stages, since they are all equally important. There must be a focus on real time education, such as informing the users whenever they do something which contravenes policy or could put the organisation at risk. By doing this, you educate the “good” people and reduce the likelihood of someone taking advantage of unintentional mistakes. This process can also serve to deter people with bad intentions, as they see that the security team is constantly monitoring their actions.
24 | Asia Pacific Security Magazine
"It’s also possible to install a technical system that can analyse what’s considered baseline normal behaviour of staff, which will result in anomalies being flagged to the security team."
Recommendation One company of note that is a market leader in this space is ObserveIT. Their technology is specialised in this area and is dedicated to identifying and eliminating insider threats. The product collects a plethora of user related indicators, from anywhere within the enterprise, including application metrics. The product has a dashboard that analysts can use to expose these kinds of insider threats, enabling security teams to coordinate responses to the business before the business is impacted.
CYBER SECURITY TRAINING & AWARENESS COURSES, WORKSHOPS & E-LEARNING • FOUNDATION CERTIFICATE IN INFORMATION SECURITY (FCIS) • CYBER SECURITY INVESTIGATIONS & INTELLIGENCE • CYBER ATTACK-RESPONSE DRILL (CARD)
FROM ENTERPRISE AWARENESS TO FULL CERTIFICATION
SUITABLE FOR: LAW ENFORCEMENT, REGULATORS, JUSTICE MINISTRY HEADS, INFORMATION TECHNOLOGY / IT MANAGERS INFORMATION SECURITY OFFICERS NETWORK ENGINEERS / SUPPORTS HEADS OF PROCUREMENT / BUSINESS DEVELOPMENT FACILITY AND SECURITY MANAGERS HUMAN RESOURCE / TRAINING MANAGERS
w w w. a m l e ch o u s e . co m
Corporate Security
7 Ugly truths about compliance: A primer for new chief compliance officers
M By Jaqueline M. Hummel Managing Director Hardin Compliance Consulting, LLC
any compliance officers live in hope that if they ramp up their persuasive skills, engage employees with spectacular training presentations, and provide succinct and prompt advice, they will receive the respect and recognition that they deserve. Unfortunately, despite all best efforts, compliance officers will struggle to be heard. For those that have just received the dubious honor of Chief Compliance Officer, here are seven ugly truths you should understand on day one. 1. No one reads the compliance manual. Despite all the hard work compliance officers put into the regulatory compliance manual, no one reads it. That may be an overstatement, but, for the most part, employees remain blissfully unaware that the manual contains policies and procedures for many daily activities, until the Chief Compliance Officer discovers an issue, or a regulator points out a specific passage during an exam. My advice is to consider engaging employees in the drafting and revision of the compliance manual. Set up a meeting with each area within the firm to go over the sections of the manual that apply to that area. Revise the procedures based on input received, and require supervisors to review and approve them. Supervisors then have accountability for those procedures. Another approach is to read the manual to the employees by providing frequent training. Having short, focused training presentations can be very effective. (Free food is also a big draw.) Consider tailoring training to specific areas of the firm,
26 | Asia Pacific Security Magazine
and work with the supervisor to set the agenda and the best date and time for the presentation. Schedule training during periods when the attendees are generally less busy. Request input from the supervisor to ensure you cover topics that he or she identifies as problem areas, even if they may not necessarily be compliance related. Show your willingness to help advance firm-wide goals, as well as your own. Development of a good compliance program is a process; it takes time for everyone to understand their roles. By presenting yourself as a resource and taking the time to discuss the goals of the program, the more buy in you will get. This process can take years, so be patient. 2. Compliance officers don’t get any respect. Being challenged on your opinions or advice is a fact of life for most compliance officers. Executives, CISOs and Risk Managers require data and facts to support a recommended course of action. Unlike financial services professionals, compliance officers don’t tend to have a track record or a way of comparing services to an existing industry benchmark. To make matters worse, the regulatory rules are vague and advice from regulators is not always clear. Advice from experts may not be specific enough to deal with your firm’s situation. Consequently, compliance officers (and consultants) have to earn respect on a daily basis. This can be accomplished not only through knowledge and experience, but by providing concise and useful advice. Knowledge and experience are meaningless if you can’t deliver your message in a way that
Corporate Security
‘Consequently, compliance officers (and consultants) have to earn respect on a daily basis. This can be accomplished not only through knowledge and experience, but by providing concise and useful advice. Knowledge and experience are meaningless if you can’t deliver your message in a way that your client understands.’ your client understands. My advice is to be prepared. In areas where you know you are going to get push back, read the underlying rule. Consult your firm’s policy and procedure. Read any materials from the regulators relating to the issue. Look through the materials from the last industry conference you attended. Search the internet for articles written by law firms and other industry experts. Call your contacts at other firms to see how they deal with similar issues. Even if you have dealt with similar issues time and again, it is still helpful to refresh your memory and to see if there are any new interpretations. There may not always be time to do the legwork, and even if you can, there may not be a clear answer. These are the times when you must go with your gut – provide your initial thoughts on how a regulator might view the situation and a recommended course of action. But be prepared to back it up. For high risk issues where there is no clear path, call in an expert. There are two benefits to this approach: first, you will find out whether the advocate of a particular action is serious enough to spend some money for advice from a knowledgeable law firm or consultant, and second, you will have proof for regulators that you acted reasonably under the circumstances by consulting an expert. At best, the expert will back up your opinion, or at worst, you will learn the options available. It also helps to keep up with regulatory issues on a daily basis. Subscribe to blogs, law firm newsletters, SEC updates and read the news. There are many free sources of information to help compliance professionals keep abreast of regulatory developments. Knowing your stuff adds to your credibility. Once you are ready to give your advice, boil it down to its essence, with specific action items and recommendations. Those seeking your advice generally do not want to read the regulations or understand all the legal and regulatory fine points. They want to know what they need to do to solve the problem. Giving constructive, actionable advice demonstrates that you can help the firm reach its goals.
3. No one reads past the first three lines of your email. This is a corollary to item 2 above, but is important enough to require further discussion. Many compliance officers love details and have difficulty boiling messages down to their essentials. But people get bombarded by emails, so it’s important to be clear and concise. When a response is required, say that upfront. I recommend using all caps in the subject line: RESPONSE REQUIRED BY JUNE 30, 2016. And then flag these emails with a reminder for yourself, and a reminder for the recipients, to follow up by the deadline. In the body of the email, make sure you get to the point within the first sentence or two. Resist the temptation to provide a detailed explanation. Readers often suffer from email fatigue and seeing more than a screen of text may cause them to hit the “delete” button. If you are responding to a question, the answer should be in the first line of the email. If you need approval or feedback, tell the reader that you need their input on the issue to go forward. Bullet points are also useful to make points without overwhelming the reader with text. You can always attach a detailed explanation to the email; just do not expect that the attachment will be read. 4. If it’s not important to the boss, it’s not important to the employee. This is a hard lesson. When firm management says compliance is important but takes no action to support this statement, the compliance officer’s job is much more difficult. If management is unwilling to put their money where its mouth is where compliance is concerned, the compliance officer’s only leverage are threats of potential repercussions in the event of a regulatory exam or potential lawsuit. For example, if compliance training is mandatory, but the executives do not attend, they send the message that it is not important. On the other hand, if the Chief Executive Officer says that failure to complete required compliance paperwork in a timely manner will result in a reduction in an employee’s bonus, employees will be knocking down the Chief Compliance Officer’s door in an effort to meet the deadline. Getting management to buy in to compliance initiatives is a topic that requires more space that I can devote here. It’s good for business because it can help limit liability and preserve a firm’s good reputation. By way of an obvious example, if the Australian Bureau of Statistics (ABS) were to adopt a number of compliance frameworks that can be used to show the general public they are putting all the required security systems in place to protect census data, that assurance would allay some of the fears we are reading about in the media. Perhaps a more chilling example is the Volkswagen’s recent scandal. In September 2015, the Environmental Protection Agency (EPA) found that VW diesel cars being sold in the United States had software installed that detected when the cars were undergoing emissions testing, and adjusted the car’s performance to improve the results. Ultimately, Volkswagen admitted to cheating emissions tests in the United States. Since then, the firm’s stock price has plunged, the CEO was forced to resign, the EPA plans to impose fines, and car owners and shareholders are lining up to sue. Although all the facts are not in, it’s entirely plausible
Asia Pacific Security Magazine | 27
Corporate Security
'There will always be unpleasant surprises like these in the
•
life of a compliance officer. The best way to deal with them is to keep an open mind, and be willing to dig down through the
•
smallest details to understand a process.' • that VW’s management approved the installation of the cheating software. And even if management was not aware of the details, the firm fostered an environment that encouraged cheating to boost sales. This is a worst case scenario and it demonstrates how management’s failure to support and encourage ethical behavior can lead to much more significant financial woes than disappointing sales. 5. You don’t know what you don’t know. Even the most experienced compliance officers can fall into the trap of making assumptions about a firm’s operations and processes. The truth usually comes out as a result of a trading error, client complaint, or, in the worst case scenario, regulatory action. There will always be unpleasant surprises like these in the life of a compliance officer. The best way to deal with them is to keep an open mind, and be willing to dig down through the smallest details to understand a process. This means developing standard operating procedures for all areas of the firm, and understanding the root cause of failures. Although it’s not the compliance officer’s job to write all the standard operating procedures for the firm, you can review and test these procedures to see if they are sufficiently detailed and robust. The compliance officer can also listen and observe. Have the employee responsible walk you through the process step by step, and ask questions. Watching the process from start to finish, or even performing the task yourself, may help you learn what you don’t know. It’s also a good idea to leave your desk and walk around the office regularly. Attend other departmental meetings and listen. Build relationships with people from all levels of the organisation. By making yourself available and visible, people will bring their concerns to you. 6. If it’s not documented, it didn’t happen. This is a lesson learned from numerous compliance examinations. Although an investment adviser might do the right thing, if there is no documentation to show that it was done, for all practical purposes, it did not happen. Most advisers maintain a set of auditable records, but until Australia adopts compliance, even in the area of mandatory breach reporting, records will largely be down to local discretion and may not even serve the purposes of a compliance assessment, should one occur. The government will expect advisers to maintain a variety of records that will be evidenced at various stages of a compliance examination. Here are a few examples of records that are not collected by default, but should be considered: • A current inventory of the firm’s compliance risks that
28 | Asia Pacific Security Magazine
•
forms the basis for its policies and procedures. The names and location of all service providers and the services they perform and for both affiliated and unaffiliated providers. Information about the due diligence process to initially evaluate and monitor thereafter the work provided and how potential conflicts and information flow issues are addressed. Documentation of employee access controls (i.e. electronic key card entry, locks, security cameras and guards) to physical locations containing customer information (i.e. buildings, computer facilities and storage record facilities). Information about the oversight process the adviser uses for any remote offices and/or independent advisory contractors, and any policies and procedures with respect to such oversight.
Compliance officers should look for pre-existing compliance audit reports along with findings relating to the latest hot topics, which can identify what regulators will expect to see. 7. It’s easy to say no, hard to say yes. Most compliance officers are aware of this truth – this is a lesson for the rest of the firm. Saying no is easy; it requires no additional work or thought on the part of the compliance officer and eliminates risk. To say yes, a compliance officer has to think, research and provide options, which takes time and effort. If you always say no, however, firm employees will stop coming to you for advice and guidance. You will not be consulted when new products are being developed, new marketing efforts are proposed, new types of clients are being sought, and new technologies are being explored. If the compliance officer is not aware of what the firm is doing, then he or she is not going to be effective. My advice is to take advantage of ‘teachable’ moments. For example, take the situation where your marketing team asks if they can use back-tested performance for a client presentation. If they expect an answer immediately, you’ll almost certainly have to say no. However, if they are willing to wait a day or two while you come up with a way to get the same message across, using extensive additional disclosure or a slightly different approach, the results will then show the marketing team how a collaborative approach works for everyone. The goal is two-fold: getting firm employees to consult you early in the process and demonstrating your willingness the find solutions to meet their goals. Coming to terms with these ugly truths is not easy. But if you accept them and manage your expectations accordingly, you will decrease your stress level and be more effective in your job.
Frontline
The safe city and it’s need for interoperability
M by Per Björkdahl ONVIF Steering Committee Chair
ost people today who live in cities, particularly large ones, have become accustomed to a relatively high level of general and public surveillance, whether it is the police patrolling the streets, cameras in shopping malls or intelligent security solutions deployed in public transportation systems. Many feel that as long as these systems benefit them as citizens and keep them safe, general surveillance can be accepted and people feel safer as a result. It has become part of the fabric of 21st century life for many. Many of us value individual safety, especially in cities. Physical security systems are capable of delivering exactly that to citizens, though the management and operation of these systems can be challenging at times. Cities today often use video management systems or other platforms to view camera footage, protect citizens and property, analyze incidents, evaluate security and to help them determine appropriate responses to events such as natural disasters, disruptions to transportation and other municipal services, and other threats to public safety. They may also use intrusion, access control, building automation and fire detection systems in their management of a city’s security, in conjunction with video surveillance. Cities implementing this connected security approach have been dubbed ‘safe cities.’ Most safe cities share a common infrastructure and operate using sensors and/or cameras over a shared municipal network. Using these sensors and the data
from many different devices synthesized through one interface, government officials and law enforcement are afforded a total, holistic view of a city’s security. Integrating the Many Parts of a Safe City The integration of all of these systems enables a municipality to manage its security comprehensively and from a single point of view from the command center. If, for an example, there is a leak in a water main, the city’s command center can quickly review video footage from a camera positioned at the leak’s physical location, check access control data to see why and how the gate to the water main is open and determine who was the last employee to enter the restricted area. At the same time, the command center can use cameras on the street to monitor street flooding and assess damage to surrounding areas. There are operational challenges that accompany the many systems that are included in a safe city deployment. Interoperability continues to present one of the greatest challenges, particularly with video management systems, video recording devices and cameras. The most common scenario is that municipalities have several different management systems for city operations that were created by different manufacturers, each with proprietary interfaces for integration. In order to connect its different systems together, cities
Asia Pacific Security Magazine | 29
Frontline
often end up employing a “build once and maintain forever” approach, in which the continuing cost for integration of the city’s systems becomes prohibitively expensive. In a world where technology and features change quickly, the ‘build once and maintain forever’ scenario is not practical or attractive, as it severely limits an end user’s ability to try new technology and/or different vendor’s products and requires a substantial financial commitment to those specific manufacturers and proprietary interfaces. Another approach that some end users and integrators take is to deploy products from a single manufacturer in order to facilitate systemwide integration. However, this approach can also have an undesirable result: it stifles an end user’s ability to add new products from other vendors and locks an end user into a long-term commitment with the manufacturer.
authorities often receive exported video material in a multitude of formats with a multitude of players for playback. Here, a standardized approach for both file format and associated players, which ONVIF’s specification provides, increases the efficiency of the process and also adds the potential of including meta data in exported materials and reports, which determines the exact time and location of the recorded incident. ONVIF has also released an export file format specification that outlines a defined format for effective export of recorded material and forensics. These specifications together make it possible not only to integrate devices in multi-vendor video security system deployments in safe city environments but offer an effective common export file format that can streamline a post-event investigation where authorities are trying to react as fast as possible to apprehend suspects or to diffuse an ongoing situation. Enter Standards Other standards organizations outside the physical security industry have identified the need for standards in This is where the need for robust effective Safe City deployments, and well-defined standards such as the International ‘Cities today often use video comes into play, particularly for Electrotechnical Commission video surveillance, which is most (IEC) and Institute of Electrical management systems or other commonly at the heart of safe city and Electronics Engineers (IEEE). deployments. Standards, such as IEC has initiated a Systems platforms to view camera those from ONVIF, an industry Evaluation Group - Smart Cities, alliance that offers standardized SEG 1, a group that will evaluate footage, protect citizens and interface specifications for video relevant works and propose a security systems and physical standardization roadmap for property, analyze incidents, access control systems, provides the smart cities, a term often used common link between disparate synonymously with safe cities. The evaluate security and to help components of these systems. group will also provide a mapping Designed specifically to overcome of closely related activities in them determine appropriate the challenges in multi-vendor cooperation with the International environments, ONVIF’s common Organization for Standardization responses to events such as interface facilitates communication (ISO) and other organizations, between technologies from different going forward. natural disasters, disruptions manufacturers and fosters an ONVIF has been working interoperable system environment with the IEC on standards for to transportation and other where system components can be the physical security industry for used interchangeably, as long as the several years. In 2013, the IEC municipal services, and other devices conform to the ONVIF included an ONVIF specification specification. in its IEC 62676 standard for threats to public safety. ‘ Since 2008, when ONVIF Video Surveillance Systems, the was founded, the organization has first international standard for published a number of specifications video surveillance systems to be and profiles for effective integration of devices and clients in established. The ONVIF specification for video, which defines the physical security industry. For Video Security systems, video transmission protocols for communication between ONVIF has released Profile S for Video streaming and Profile network video clients and video transmitter devices, is based G for storage and playback. Currently, Profile Q for easy on Web Services and is referenced in IEC 62676 Part 2-3. deployment is in its release candidate state, scheduled for final This year, IEC will include an additional ONVIF release in July this year. specification in an IEC standard, this time with ONVIF’s In a safe city scenario, much of the recorded video from specification for Electronic Access Control, in the IEC video security systems is used to conduct post-event forensic 60839-11 System and components requirements standard investigations, where operators analyze a specific incident or for Alarm and Electronic Security Systems, based on Web series of incidents and determine suitable actions, which often Services. The specification includes minimum functionality, requires coordination with local, county, state and sometimes performance and testing methods for electronic access federal law enforcement officials. Video clips are exported to control systems and components used for physical access. provide authorities identification of suspects or for evidentiary The inclusion of ONVIF’s specification in the two standards purposes during prosecution. mentioned above indicates a steady continuity in the use of The challenge in a multi-vendor environment is that standards in the industry.
30 | Asia Pacific Security Magazine
Frontline
ONVIF Members’ Safe City Solutions Several ONVIF members are using ONVIF’s specifications in the large-scale deployment of video surveillance systems. Two of these, Meyertech and Huawei, have used ONVIF prominently in safe city deployments in large cities. In 2014, ONVIF member company Meyertech helped the city of York, U.K., to deploy a safe city solution for the city’s public spaces and transportation system. Using a Meyertech video management software and information management software, the city was able to integrate IP cameras with the many legacy systems for its York Travel and Control Centre command center. The city’s control room monitors more than 150 cameras from different manufacturers in the city and city representatives say the new system has had an immediate impact on crime rates. The integration of legacy and new IP cameras with the new VMS, which interfaced with the information management software, was made possible through ONVIF’s video specification. Another ONVIF member, Huawei, is considered a leader in smart city solutions. Huawei has deployed smart city solutions in Nairobi, Kenya, and in China in the cities of Nanjing and Shanghai. Huawei’s video management system was used in the Shanghai project as part of the Chinese Ministry of Public Security’s safe cities construction initiative. One of the key challenges of the project was to integrate old and new technology. Huawei’s VMS used ONVIF to integrate the cameras from manufacturers Dahua, Haikang, AXIS, SONY and other brands. A Multi-discipline Physical Security Standard? At present, physical security’s role in safe cities is
primarily through video surveillance, a key part of safe city deployments. Physical security is also playing a substantive role in the Internet of Things’ evolution. ONVIF’s vision is that all physical security systems will eventually have the same interfaces for interoperability, and is dedicated to facilitating the work of its members in developing a multi-discipline standard. Such an all-encompassing interface would provide a comprehensive approach to interoperability that would satisfy the core elements of video surveillance, access control and other essential operations of a safe city command center. Because safe city deployments and the Internet of Things concept operate on the same principles of connecting disparate systems and devices together, a multi-discipline physical security standard would no doubt also play a role in the further development of the Internet of Things. Many of those in the technology industry at large see standards as an important component in both safe cities and the IoT. The IEEE (the Institute of Electrical and Electronics Engineers) is already working on IoT standards for technology-based industries and some even predict that we may see global IoT standards in place by the end of this year. If an IoT standard is developed, this will likely have an influence on safe city deployments. As standards and industries collaborate even further than they already have and establish minimum interoperability standards together, the need for a multi-discipline physical security standard may present itself. A day will come when it makes the most sense to do so, rather than creating proprietary multi-discipline systems. We’re not at that point yet, as an industry, but a multi-discipline physical security standard is certainly somewhere on the proverbial horizon.
‘At present, physical security’s role in safe cities is primarily through video surveillance, a key part of safe city deployments. Physical security is also playing a substantive role in the Internet of Things’ evolution.’
Asia Pacific Security Magazine | 31
Asia Pacific Region
S E C U R I T Y
U By Prince Lazar ASM correspondent
32 | Asia AsiaPacific PacificSecurity SecurityMagazine Magazine
A N D
R I S K
E N V I R O N M E N T
nderstanding the Security spectrum of Malaysia, it’s worthwhile to run through a bit of the Malaysian geo-political situation & location and the typicality of the South East Asia region with which Malaysia shares boundaries with a few other countries. Malaysia’s location makes it less susceptible to earthquakes and tsunamis than other countries in Southeast Asia. Within the Southeast Asia region, Malaysia is a highly open economy due to its maritime location, historically porous borders, geographic proximity to major trade and traffic routes, smaller population combined with relative affluence, shared ethnic heritages with the neighbouring countries inside and outside of Southeast Asia, government policy to encourage ties with the Islamic world, and globally oriented economic outlook. Malaysia offers lower costs in labour and land migrant workers are attracted to Malaysia because of the country’s relative affluence compared with its Southeast Asian neighbours (excluding Singapore and Brunei) and other countries in Asia. Foreign migrant workers are introduced
both legally and illegally in sectors such as farming, food processing, mining, construction, house-keeping and with the promotion of the tourism industry also requires a large pool of low-skilled labour. Opportunities for transnational crimes has coincided with Malaysia’s growing migrant population and increased trade which can be attributed to the globalisation. Malaysia’s geographic location has exposed the country to long-distance commerce and migration has led to the many transnational issues Malaysia faces today, like drug smuggling and illegal workers. The porous nature of both borders and the corruption at official crossing points are both identified as causes of Malaysia’s ineffective immigration management. Human trafficking is subsumed under the illegal workers category, leading the government to focus on visa violations of the trafficked victims, terrorism and maritime piracy. In sustaining the growth trajectory, Malaysia has become increasingly dependent on data & information systems across verticals, like healthcare, critical infrastructure, defence, finance and technology, which are all potential targets
Asia Pacific Region
for financially motivated cyber criminals and politically motivated actors like nation-states. The proliferation of wi-fi connected tablets for sales service personnel and in-store customer wi-fi access are adding to the complexity of the security challenges for major retailers in Malaysia today. The retail industry is fast becoming a major target for cyber criminals. Hence, for retailers with stores throughout Malaysia, secure network connectivity linking all sites to the head office is critical to business operating processes. Malaysia is considered to be having moderate crime levels, although the country has seen a spurt in the crime rates in the last few years including several reported assaults and robberies, sometimes involving weapons, but overall the security situation in Malaysia is considered still moderate. Other types of non-violent criminal activity include credit card fraud and automobile theft. In the list of security concerns crime, kidnapping, piracy, terrorism, human trafficking, financial fraud and money laundering are among the country’s priorities. Financial and organised crime is
present in Malaysia, but has a limited direct impact on foreign businesses. The threat of cybercrime is growing, however, and companies must ensure they have sufficient cyber protection. The security challenges faced by Malaysia predominantly emanates from territorial complexity and intricacies. Undefined or unclear land and maritime boundaries have given rise to contestation and overlapping claims, which has manifested itself in some territorial disputes and intrusions. To counter this the country has formed a Defence pact with the Five Power Defence Arrangements (FPDA) established in 1971, committing Australia, Malaysia, New Zealand, Singapore and the United Kingdom to consult on a response to any armed attack or threat against Malaysia or Singapore. The FPDA has also recently expanded its focus to address non-conventional security threats facing the region, including terrorism and maritime security. The Territory and Territorial Seas of the Philippines, Indonesia, and Malaysia constitute a single geopolitical space. Long-standing ties facilitate commerce and social relations among the populations of the region, but they are also
Asia Pacific Security Magazine | 33
Asia Pacific Region
conducive to transnational dissident, terrorist and criminal activity. Vast areas lie outside government control, and ethnonational, ideological and religious conflicts exacerbate the void in governance. The threat from kidnapping has become a serious issue in maritime piracy which is predominantly prevalent in East Malaysia, particularly in the islands off Eastern Sabah due to its proximity to the Sulu archipelago in the Southern Philippines. The tri-border area (TBA) between the Philippines, Malaysia and Indonesia is a key hub of terrorist and related criminal activity in Southeast Asia, a well-known transit zone for weapons and explosives, and a principal logistical corridor for local and transnational terrorist groups. Terrorism has increasingly become a big threat in Malaysia of late and it remains a potent risk due to the Islamic influenced groups operating in the region and in the Middle-East. While previous terrorist organisations were disparate organisations fighting for separate causes, the regional terrorists may get-together to fight for a common cause across national boundaries and will possess capabilities to target masses using easily-acquired advanced technology weapons or equipment. The insurgency in the Southern Thailand by the Muslim Thai rebels who are active along the Thai border, has also further increased the threat of Terrorist attacks in this region.
34 | Asia Pacific Security Magazine
The Revenue in the “Security” segment in Malaysia amounts to USD 1.1 million in 2016 and the revenue is expected to show an annual growth rate (CAGR 2016-2020) of 46.94% resulting in a market volume of USD 5.3 million in 2020 International terrorists are suspected of operating out of Malaysia for some time and the growth of Muslim extremism has spurred the development of home-grown terrorist groups and dozens of disparate fundamentalist groups/cells are believed to be operating in the country. The terror threat to Malaysia, however, doesn’t stem from a particular IS terror outfit, but by the presence of regional terror groups like Abu Sayyaf, the Moro National Liberation Front and many insurgent (terrorist) organisations which have always posed a threat to Malaysia’s northern state of Sabah, and now with their given allegiance to IS, the threat has become more potent.
Asia Pacific Region
Malaysia has taken a strong stance on terrorism with the increased terrorism threat; however the counterterrorism posture is still driven by domestic political considerations. Malaysian authorities have arrested several individuals for activities linked to IS. They have also been very proactive, especially in terms of monitoring flight manifests, preventing people from travelling to and from Syria and Iraq and monitoring social media. While Malaysia’s counter-terrorism capabilities are relatively strong, the risk of political violence remains high due to tensions between ethnic groups. Over the last five years, Malaysia has experienced an increased number of demonstrations over political divisions, racial/religious tensions and international developments. The country has recently implemented security legislation introducing indefinite detention without trial has the potential to foster discontent and trigger violent protest. Another growing aspect of security is the threat posed to the tourism industry in Malaysia. With the rise of tourism and Malaysia being known as one among the top tourist destinations in the region, it receives a high number of tourist arrivals, which has increased the issues of safety and security in crime, terrorism, food safety, health issues and natural disasters as the main concern. The security industry in Malaysia, especially the guarding sector, with around 24,000 registered Private security guards, is saddled with problems on issues of employing incompetent, unqualified and unfit guards. There is a need for a comprehensive review of the security industry in the form of a proper security framework & regulations. If Private Security Companies (PSC) can be regulated and they co-ordinate well with the government institutions, they can be a source of tremendous information and can help the police track down criminals and assist in larger law and order maintenance. Public and private sector organisations are investing in several areas to ensure that their economic rise does not slow because of infrastructure disruptions brought upon by cyber sabotage or terrorism or lost revenue because of intellectual property theft. There is an increasing emphasis on security awareness, training & certifications and academic institutions are also focussing on specialised training and certification courses specific to security & safety. Security based job programs, such as internships are in place between the academic institutions, government organisations and the private sector which is a positive boost to security. This manifests in strong information sharing between public and private sector organisations and a general openness amongst organisations, even competitive organisations, when it comes to combating cyber-attacks. Going with the economic growth in the last few years in Malaysia, from securing the physical borders & assets to endpoint and data security, there is a good trend in a holistic approach to security. Security in Malaysia has been seeking an approach from the perspective of: What can be done, What technology/solutions are available and How it can be employed for end-to-end controls, which is a healthy sign towards security. When vetting solutions, security consistently makes it into the top three on the list of musthave requirements. The total Malaysian safety and security sector is
The security industry in Malaysia especially the Guarding sector with around 24,000 registered Private security guards is saddled with problems with issues of employing incompetent, unqualified and unfit guards. estimated at US$2 billion and is expected to grow. Private consumption of safety and security equipment has also risen over the last decade mainly due to the increased rate of urbanisation, a growing middle class owning assets which they wish to protect and a lack of faith in the local law enforcement (Source: Global Safety & Security guide US COMMERCIAL SERVICE). The Revenue in the “security� segment in Malaysia amounts to USD 1.1 million in 2016 and the revenue is expected to show an annual growth rate (CAGR 2016-2020) of 46.94% resulting in a market volume of USD 5.3 million in 2020 (Source: Statista market research portal). Public consumption is mostly government initiated purchases for the maintenance of law and public order, which is a long and tedious process. On the private consumption it is usually driven by purchases of new homes, cars and other assets that the common consumer wishes to protect. Until recently, most consumers based their selection process purely on price. In the last five years, there is a significant change in the attitude and mind-set of consumers, whereby quality and reliability also play a major role in selecting the type and brand of security products to invest in. The demand for technologies to keep users updated on the status of their security system. These usually include remote access via smart phones through internet, instant notifications via SMS and/ or monitoring companies. New solutions like intelligent video surveillance and cloud security devices are also gaining popularity, especially among the more affluent segments of the market. US companies presently dominate the Malaysian market for both the public and private market segments. However, Chinese and German companies are fast gaining footholds in the market, especially for point of entry equipment and for the private consumer market, Taiwanese and Chinese are eroding US market share with newer and price competitive surveillance and prevention systems. Some of the leading global security companies operating in Malaysia, which help to provide the latest security technology are Pelco, MOBOTIX, Sony, Avigilon, Bosch, HID Global, Panasonic, Samsung, Arecont Vision , AxxonSoft, CLIQ - ASSA ABLOY, Hikvision, Seagate, Suprema, Surveon Technology, Videotec, VIVOTEK, Chubbs and ADT. Malaysia with diverse ethnicity, race & language, faces dynamic security issues and challenges. This calls for maintaining a secure environment in the country, providing opportunities for economic development and better stability.
Asia Pacific Security Magazine | 35
29-30 November 2016 Australian Technology Park, Sydney, Australia
Building the Digital Utility
REGISTER NOW!
Free to attend includes: Focus Startup Innovation Technical 8 Groups Zone Zone Zone
Track 1 of the conference on both days Maintenance & Operations (Day 1) & Intelligent Buildings (Day 2)
REGISTER YOUR FREE EXPO VISITOR PASS NOW infoasia@clarionevents.com | +65 6590 3970 | www.australian-utility-week.com
EXPLORE. EXCHANGE. EXCEL.
Boost Your Cyber Security Knowledge Join the Experts at CSX 2016 Asia Pacific
Cyber threats affect your enterprise every day. Threats don’t take holidays and they are becoming more intrusive and potentially devastating. Stay ahead of the most critical issues, meet global colleagues and find effective solutions to the ever-changing security landscape at the must-attend event of the year—CSX 2016 Asia Pacific Conference. Build your cyber security knowledge and leadership skills as you learn about new tools and trends from globally renowned speakers. Test your skills and compete in the innovative new CSX Cyber Challenge. Hosted by ISACA’s Cybersecurity Nexus (CSX), this event brings together many of the brightest minds in information systems and cyber security. Take the next step in protecting your enterprise and boosting your career.
Earn up to 32 CPE hours.
Register by 4 November 2016 and Save! 14 – 16 November | Singapore Presented by ISACA®’s Cybersecurity Nexus™ (CSX).
www.isaca.org/2016CSXASIA-APSM
Cyber Security
By Gary Gardiner, Director of Engineering & Services, ANZ at Fortinet
Building a national security fabric:
The Fortinet approach ‘If we don’t hang together, we’ll surely hang separately.’ Benjamin Franklin’s (the face on the American $100 dollar note) quote is as valid today as it was 240 years ago. Building a strong national response to network security has to be a coordinated, nation-wide effort. Otherwise Australian organisations are sitting ducks. Right now Australia’s national security landscape is comprised of thousands and thousands of discrete, individual networks that, in effect, operate in a network security vacuum. There is no significant nationwide policy to share expertise, identified threats, work-arounds or even to alert organisations of the latest malware infections. We have thousands of organisations each duplicating efforts, playing catch-up and, unfortunately, leaving the doors and windows open for cyber criminals. Technology in-place It doesn’t have to be this way. The technology is in-place to share network security information in near realtime. The challenge is, that for far too long, organisations have viewed their network security policies and practices as their own intellectual property. And fair enough. Businesses have invested significant resources into developing security policies, buying, leasing or subscribing to cloud-based security infrastructure and training up their IT staff. But they haven’t been able to take advantage of the efforts of their peer organisations that are doing exactly the same thing. There shouldn’t be competition around network security. There has to be cooperation. Of course many organisations see their network security as a competitive edge,
38 | Asia Pacific Security Magazine
especially in the managed security services market. We’re not advocating a wholesale ‘open source’ security policy. What we are promoting is the real-time sharing of threat intelligence across all sectors. We’re not asking how an organisation identified a fast-moving ‘zero-day threat’ – that is and should be proprietary. All we’re saying is that once that threat is detected and analysed to create mitigation procedures, there should be a mechanism to release this information to the public. Extending the reach Fortinet, amongst other leading security vendors, has these capabilities already in place. Right now these capabilities are available to our client base as part of our Advanced Threat Protection (ATP) and FortiSandbox solutions and we are extending these capabilities to the endpoint, access layer, applications, the cloud and event into IoT-enabled devices. What we really want to do is expand this process so that any malware that we detect and the mitigation procedures that we develop are pushed out to the wider community. While we would like to see a wider adoption of Fortinet equipment in the marketplace, we fully understand that there are other players on the market and that many organisations have invested heavily in their security solutions. Indeed this is the whole idea behind a national security fabric. Our clients could benefit immensely if they were alerted to malware picked up by a competing vendor’s security solution. There is a time and place for competition. But there is an equally compelling rationale for cooperation, especially if it results in
the rapid dissemination of mitigation procedures for zero-day threats. Supporting a national Cyber Security Strategy Fortinet isn’t alone in advocating such an approach. Australia’s recently released Cyber Security Policy advocates strong cyber defences with a specific goal of ‘establishing a layered approach for sharing near realtime public-private threat information through joint cyber threat sharing centres, initially piloted in a capital city and an online cyber threat sharing portal.’ The need is clear. The tools are in place. The benefits are manifest. What it will take is coordination. Fortinet is in initial communications with various government agencies to extend reach of ATP, FortiSandbox and the hundreds of researchers at our international FortiGuard Labs to a wider audience. We call on other security vendors and private industry to join us to work together on these initiatives. Our combined resources can and will overwhelm the resources that the bad actors can employ. It’s a strategy that we must adopt. Otherwise we will always be in react mode instead of leading the charge. About the author Gary Gardiner, Fortinet’s senior security executive in ANZ, is a seasoned network security professional with hands-on and management experience in every aspect of security across many different vendors, solutions and verticals. As a technologist, he understands the challenges and solutions. As a ‘C-level’ executive, he also is acutely aware of the drivers and challenges facing Australian organisations.
Cyber Security
Working together towards a Cyber Smart Nation There is no shortage of hackers, cyber criminals and rogue operators. And why not? The hours are short, there are no dress codes nor long commutes and the pay is great. Legitimate network security specialists, on the other hand, are in short supply. Indeed, finding people who understand simply the basics of network security is a tough ask for many Australian businesses. And once a business trains up their security staff they are lured away for more pay to a company with deeper pockets. No wonder network security is one of the key concerns of CIOs across the country. This lack of network security specialists and practitioners is made abundantly clear in the recently announced Australian Cyber Security Strategy. It states that “the information security field is expected to see a worldwide deficit of 1.5 million professionals by 2020,” and calls for “programs for all people at all levels in the workforce to improve their cyber security skills and knowledge starting with those in executive level positions.”
By Allan Mouawad, Fortinet Network Security Academy Project Manager
Work in progress
FNSA across the region. “We have developed a curriculum that has proven successful overseas,” says Jon McGettigan, Senior Director Australia, NZ & South Pacific Islands at Fortinet, “and have a number of highly experienced and qualified trainers who have the technology transfer skills to fast track the program once it gets started. What we need now are educational partners.” Ideally the FNSA curriculum would be incorporated in already existing STEM (science, technology, engineering and mathematics) programs but that is in the future. “We can roll out our FNSA course work almost immediately,” says McGettigan. “We offer short courses, workshops, more advanced course work and certifications either at a learning institution, business or conference venue. There will be no shortage of prospective students. We are looking for educational partners who can take our initial material and build on it for their particular stakeholders.” An added advantage of the FNSA is that students who complete the program will have a globally recognised certification. “The training is fully certified,” notes McGettigan, “so that graduates will be able to advance their careers. This particular aspect is a powerful incentive for people to take advantage of the FNSA offerings.” Fast track deployment
Right now Fortinet is in discussions with a number of learning institutions to roll out the
Fortinet is in a position to fast track deployment. Most of the development work is done and
Introducing the Fortinet Network Security Academy Fortinet takes these concerns seriously. Over the years Fortinet has offered a wide range of training and certification programs in Australasia for Fortinet staff, Partners and clients. But as the requirement for more security-aware staff in government, industry and education has grown exponentially, Fortinet has recognised the need to expand training and education offerings to a much wider audience. As a result, Fortinet is introducing its industry-recognised training and certification program, called the Fortinet Network Security Academy (FNSA), into Australasia. Woking in tandem with TAFEs, tertiary institutions and private training facilities, the FNSA is designed to give students a firm understanding of the dynamics at play in network security, training in developing and deploying network security policies and handson knowledge of techniques to enforce network policies in the workplace.
Fortinet has a team of ‘train the trainer’ experts on staff. “It will not require a huge build up,” concludes McGettigan. “There is a pent up need for this type of network security training. But it does take a certain commitment on the part of educational institutions. We are a hardware vendor, not a training organisation. We have developed the programme. But now we need partners to roll out FNSA as far and as wide as possible. If we are to build a ‘Cyber Smart Nation’ we need to move quickly.” Both Fortinet and Australian Security Magazine are actively soliciting feedback and partnerships with TAFEs, tertiary institutions and private security and training firms. If your organisation wants to be part of the solution, please contact Fortinet on anztraining@fortinet. com. We look forward to hearing from you. About the writer Allan Mouawad is Fortinet’s senior technology transfer specialist in Australasia and is spearheading the Fortinet Network Security Academy initiative. With more than a decade of hands-on experience on a wide variety of security-related systems and the holder of many advanced industry certifications, Allan is focussed on technology transfer and building a broad base of cyber security awareness across the region.
Asia Pacific Security Magazine | 39
Cyber Security
T By Tony Campbell ASM Correspondent
40 | Asia Pacific Security Magazine
he UK’s National Crime Agency (NCA) has recently published its Cyber Crime Assessment 20161, highlighting the enormous amount of cyber-attacks targeting the UK. Unsurprisingly, the report says, “A cyber attack that poses an existential threat to one or more major UK businesses is a realistic possibility.” Over the past twelve months, over 2.46 million incidents were reported, including 700,000 cases of fraud, all originating from just a few hundred criminal gangs. The volume of attacks endangering UK businesses is staggering – and we’ve certainly not seen statistics like this in Australia. So, does this mean the threat we face here at home is a lot less? If we look at the threat actors, it’s the same selection of Russian, Chinese, European and American cyber criminals who are perpetrating the majority of the world’s cybercrime. These organised criminal gangs are the most successful and wellfunded cybercrime operations on the planet, all of which are threatening Australian businesses just as much as they would threaten any other nations. Nevertheless, it’s our government’s response to the threat that I find the most interesting. The NCA says the UK government will spend £1.9bn (approx. $3.5bn AUD) over the next five years to help bolster the nation’s cyber-defences. Prime Minister Turnbull has pledged $33 million AUD in the recent launch of Australia’s Cyber
Security Strategy to address the problem here at home. That’s less than 1% of the UK’s budget to fight exactly the same threat. Furthermore, the majority of the Australian budget will be used to swell the ranks within government departments, such as ASD, as well as to move the ACSC into new accommodation, so the investment left to improve our nation’s defences and create a “Cyber Secure Nation” is somewhat unimpressive. The existential threat referenced by the NCA is also mentioned in the ACSC’s Cyber Security Survey2 (albeit a year old). The ACSC recognises that, “the cyber threat facing Australia is undeniable and unrelenting.” In the period covered by the ACSC’s survey (2014-2015) CERT Australia was called in to deal with 11,733 cyber security incidents affecting Australian businesses, of which 218 were related to attacks on national critical infrastructure and government systems. Compared to the 2.46 million incidents in the UK this seems like a much smaller problem, but we know that under-reporting is a massive issue everywhere, so these numbers need to be considered as a mere fraction of the real attacks, so the threat is real and persistent. The NCA says that under-reporting of cyber-related incidents is prohibiting them from understanding the full extent of cybercrime in the UK. This has a knock on effect
Cyber Security
of hampering law enforcement agencies in being prepared to counter the threat, since there is still not enough information on the operating models the cyber criminals use. Unlike Australia, the UK has had mandatory data breach notification laws in place for many years, so it’s little wonder why underreporting is even more of an issue here. We know that here in Australia under-reporting is a massive problem, which is why the ACORN website3 was set up by the AFP as a national policing initiative of all states and territories to allows anyone to securely report instances of cybercrime. With the statistics gathered through ACORN, the government can then decide just how real the problem is, and hopefully invest enough money to start allowing our law enforcement agencies to tackle some of these big, international issues. Who are the bad guys? Russia is home to some of the most successful organised cybercrime groups. Some reports suggest their aptitude for cybercrime stems from the cold war, with ex-KGB spies now commercialising their tradecraft for black market profit. The so-called Russian Business Network (RBN) has shown incredible resilience to international law enforcement attempts to take it offline. Journalist, Brian Krebs’s account of the RBN in his book, Spam Nation4 is an eye opening account of just how corrupt Russia is and how it shows just how Russian cybercrime groups continue to profit. If you want to know more about Russian cybercriminals, read Krebs’s book. A variety of very capable cybercrime organisations also operate out of Africa. Ghana and Nigeria are the two biggest hacking exporters, with Ghana being extremely advanced in terms of its technical capability. Nigeria on the other hand is not as technologically advanced as Ghana, but is certainly rife with cybercriminals looking to target Western countries. The so-called Nigerian 419 scams have been in the press many times before, but the origin of this comes from the Nigerian criminal code, where it reads, “any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.” For more details on the extent of Nigerian scams, take a look here4 The last aspect of cybercrime worth looking at, from the perspective of the threat actors, is the state-sponsored attacks originating from China. Unlike the previously mentioned Russian and African cybercrime gangs, much of the hacking undertaken from China has a state-based economic intent, with links to both industrial and international espionage. In 2015, for example, it is believed by the Federal Bureau of Investigation that the Chinese government was behind the massive attack on the US Office of Personnel Management. This attack saw the
perpetrators make off with over 21.5 million U.S. government workers’ records, including 5.6 million fingerprint records. The Government Standard Form 86 was the basis of what was stolen, which is the form used for government clearance applications. Each record comprised of a complete historical record of the employee’s life: friends, family, run-ins with the law, sexual preferences, history of drug or alcohol abuse, medical conditions, as well as copies of every kind of identification document the employee owned. This is a true treasure trove of information for both cybercriminals, from the perspective of ID theft, as well as from the perspective of international espionage. Clearance details for staff with up to and including access to TOP SECRET information was taken. This problem will affect the U.S. government for the next 30 years, until all those people have retired and can no longer pose a threat to national security. Fighting Back at Cybercrime In the 2015 Strategic Defence and Security Review, the UK Government made building cyber defences a Tier 1 priority, doubling the investment from previous years. This included building a National Cyber Security Centre to perform a similar function to that of the ACSC, along with myriad support for businesses, including two new innovation centres to support talent and drive growth. The Australian Cyber Security Strategy also shows that Australia is raising the bar in an attempt to fend off this global scourge, albeit with limited funding. However, is there more that can be done? The reality is that individuals and corporations need to assume that their systems have already been compromised. Only then will industry and government’s focus be on protecting the national infrastructure we all rely on. There is no easy way to combat cybercrime and it’s as much about educating individuals as it is about putting in technical controls, such as firewalls, IPS’s and content checkers. People are usually the weakest link in the chain, so unless we educate people not to click on the links they receive from the Russian spammers or the Chinese spies, we’ll always be acting on the defensive. Adopt a security framework and make sure it’s been operationalised rather than just documenting a lot of processes that are ignored until audit time comes around. ISO 27001 is a good place to start, since it’s an international standard and one that’s well respected and widely adopted. But don’t stop there – you need to make sure that your staff are living and breathing security in their everyday activities. It just takes one slip of attention, one double click while running on autopilot after lunch, for your whole organisation to be compromised, so regular, immersive training and awareness programmes are needed, with cyber drills showing staff what can go wrong and just how easy it is for them to be the weak point in the company.
Website Refrences links 1) www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016 2) www.acsc.gov.au/publications/ACSC_CERT_Cyber_Security_Survey_2015.pdf 3) www.acorn.gov.au)4) http://krebsonsecurity.com/tag/russian-business-network 4) www.geektime.com/2014/07/21/millions-of-victims-lost-12-7b-last-year-falling-for-nigerian-scams
Asia Pacific Security Magazine | 41
Cyber Security
The non-IT expert’s guide to surviving a cyberattack
C By Lex Drennan
42 | Asia Pacific Security Magazine
yber-crime is one of the fastest growing industries in the world. In the last year, it is estimated that cybercrime costs business over $400 billion, including reputational damage, costs to remediate breaches and interruption to normal business operations . There is no doubt that the real figures are higher due to under reporting and it is projected to reach a staggering $2 trillion by 2019 . The risks arising from cyber-crime are clearly top-ofmind for the C-suite and those concerns are only likely to increase as the cyber-crime industry grows increasingly sophisticated. This rising level of concern reflects awareness that cyber-crime is no longer “just an IT issue”. The mode of business interruption may be through information technology, but the impacts are organisation-wide and have the potential to destroy businesses. The most common types of cyber-attacks fall into the categories of ransomware, data theft and malicious interruption. Whilst the technical details of these attack modes are relevant at the operational level, at the board-room it is necessary to understand the type of attack mode as it has significant bearing on your response options and the management strategy you implement. The following scenario will call on the skills of all the executive team to address it – whether you consider yourself an IT expert or not. This is the nightmare scenario – compromised systems, breach of privacy, harm to customers and significant reputational damage. Nonetheless, an executive team can take immediate and critical steps to minimise the extent of this breach.
1.) Establish Management Control With a sudden-onset critical incident, employees and customers will naturally look to the business’ leaders to see who is in charge. There is often a grace period where customers and the general public will sympathise with a business as the victim of an attack. However, this grace period does not last long. The absence of clear, strong leadership by the executive team can be taken as a sign of incompetence, rapidly turning a potentially sympathetic audience into a hostile one. For organisations that have pre-defined Crisis Management Plans, this is the time to implement them. Often businesses take a ‘wait and see’ approach to activating these plans, fearing that they may be crying wolf. However, any time lost at the commencement of managing a crisis cannot be regained, and will immediately place the business on the back foot. It is essential that the management team rapidly assemble to assess how serious the incident is, its potential for escalation and, most importantly, to communicate these actions to staff and customers. 2) Address the Technical Issues Whether or not you understand the technical aspects of a cyber attack, you cannot back away from building a strategy to address it. If your business is large enough to have inhouse IT staff, call on them. They may not be cyber-crime experts but asking questions is the best and only way to
Cyber Security
establish the perimeters of what you know and what you don’t. From there, you need to determine if you will call in outside help. Many businesses specialise in providing cyber-attack support in addition to the advice available to businesses from the Australian Government’s Cyber Emergency Response Team (CERT). Regardless of the choice to in-source or seek out-sourced expertise, your next priorities are to: • Confirm the validity of the data leak - Knowledge is power. If the data is valid, this will shape a very different management response strategy to false claims of data theft. The process of validating the data may take some hours so rapid commencement is vital. • Identify and block the breach - This process may take days to many months to complete. It is methodical, detailed and painstaking. This ongoing exposure will pose a continued challenge to the business and the management team as it seeks to reassure staff and customers that the issue is under control. 3) Assess the Extent of Business Interruption Again, knowledge is power. To build an appropriate response strategy, you need to understand what parts of the business have been affected. In part this is a question about what data has been leaked. It is also a question of what other parts of your business’ IT systems have been affected. Anticipate that clearly establishing what has been impacted and what has not may take some time. The picture will become progressively more clear over a period of hours, and potentially days. In the meantime, it is necessary to plan and act on the basis of what you do know. This is where ensuring you have the right people in the room to assist decision making is essential. Whilst the incident may impact IT systems, this has the potential to cripple a business. It is important to consult with operational teams to truly understand the impacts of system outages on productivity. The business may be able to continue working almost as usual, suffering only productivity reductions due to delays and inconvenience. Or, if critical systems such as CRM’s, billing or logistics, are compromised it may be necessary to revert to paper-based work arounds supported by extensive customer outreach. Understanding the criticality of individual systems and developing work around options will enable your business to continue to function whilst the technical aspects of the incident are resolved. 4) Communicate Early and Often Communicating all of this complex and continually evolving information to staff and customers is a difficult challenge. In a rapidly moving media environment, poorly managed or ineffective communication can allow a media firestorm to evolve, leaving the business with two major issues to manage – the cyber attack and the media fire storm. Following a breach resulting in the release of personal data, a business has very few communication options available to it. As Symantec noted in their 2016 Internet Security Threat Report, “Transparency is critical to security”. Efforts to hide the extent of the hack, to shift blame or deny
“Gordon Moore (a founder of Intel) predicted on April 19 1965 that the power of computers would double every 18 monthstwo years and the price of computers would halve every 18 months-2 years.” responsibility will only compound the difficult circumstances faced by the business. Once you have confirmed the data leak is real, your response strategy needs to focus on minimising further harm to customers. This should be supported by your communications strategy. You can expect that every communication channel available to the public, from twitter to snail mail, will receive a major spike in activity. One of the biggest mistakes businesses make is failing to anticipate this deluge, not preparing key messages for rapid response and consequently responding slowly, inaccurately or not at all. Although the situation will change rapidly, and at the outset the business may face many unknowns, it is important to lead the communication process rather than reacting to mounting customer anger. Given all the uncertainties, your communications must be regularly updated. Further, as the incident runs into days, then weeks and months, your communication strategy must evolve to reflect the organisation’s changing objectives. In the immediate term, communications should focus on sharing known information and dispelling rumours. In the short term you should focus on communicating the extent of damage and reassuring customers that you have a clear strategy in place to address the issue. Over the medium to longer-term, your focus will shift to rebuilding your brand and customer confidence. Honesty, and communications centred firmly in your organisation values, is the only path that will allow a business to survive a cyber-attack and salvage its reputation. A major hack will cause disruption to normal operations for weeks to months and will occupy a disproportionate amount of the executive team’s time. However, beneath all the noise, the business must continue to operate, serving its customers and sustaining its revenue and market share. Strong leadership, regular communication and clearly articulated values provide the basis for an effective management strategy. With a clear understanding of the nature of the attack, its current and future potential impacts, an executive team can successfully lead a business through a cyber-attack. About Lex Drennan, B. Bus Mgmt, M. Public Admin. About the Author Lex is a Senior Specialist in risk consulting for CGU, one of Australia’s largest insurers. She has an extensive background in crisis and emergency management, planning and training, complemented by experience in operational response to events spanning bomb threats, natural disasters to counterterrorism operations. In her spare time, she is also an Adjunct Research Fellow at Griffith University where she researches disaster resilience, adaptation and government policy.
Asia Pacific Security Magazine | 43
Cyber Security
How has information technology become the latest security threat?
E By Keith Suter Global Directions
44 | Asia Pacific Security Magazine
veryday there are security stories which involve information technology (IT). This article provides three explanations for how we have been taken by surprise by the IT revolution: the IT revolution is a “black swan event”, the IT developers were too optimistic and too trusting, and government is being overwhelmed by the IT revolution. The bottom line is that humankind is still on a steep learning curve as it copes with the new IT era Information Technology as a “Black Swan” Event “Black Swan” events are high impact/low probability. They are very difficult to predict because of their rarity. The phrase originated with US financial expert Nassim Nicholas Taleb who lived through a financial crisis. His book is called The Black Swan: The Impact of the Highly Improbable. Europeans thought that all swans were white and then they reached Western Australia and found black swans. “Black swan” events challenge the dominant paradigms of their day. People get taken by surprise people because they extrapolate from current conditions rather than “think about the unthinkable”. Three big technological inventions are Black Swan events: computers, Internet and lasers. They were all unplanned,
unpredicted and unappreciated initially upon their discovery. Gordon Moore (a founder of Intel) predicted on April 19 1965 that the power of computers would double every 18 months-two years and the price of computers would halve every 18 months-2 years. This is the most profound prediction to haunt us this century. The prediction was clear but few could believe the mathematics. People were unwilling to “think about the unthinkable” – the implications of such drastic increasing IT power. The Internet was not designed for all the purposes for which we are now using it. No one predicted how it would come to dominate our lives. No one evidently thought about how vulnerable it could be from people with malicious motives; there are too many points of vulnerability. Meanwhile older senior people at the top of organizations and companies may have been out of touch with all the IT developments. For example newspapers carried stories of how IT was changing society but newspaper board members were slow to ask “what will all this mean for the newspaper business model?” Consequently the old newspaper business is broken and there are no new clear business models. Additionally IT personnel may have had
Cyber Security
difficulty in explaining IT matters in plain language, and so there was a communications problem: the experts who could see the coming changes could not communicate the gravity of the situation. Therefore society has been caught by surprise.
that the power of computers would double every 18 months-
IT Developers Were Too Optimistic
two years and the price of computers would halve every 18
IT developers forgot that there is always a hidden cost for convenience. The Internet was designed to survive a surprise Soviet nuclear attack. The developers were permitted to use a version of it to communicate rapidly between university campuses. Evidently no one thought about the risk of millions of people (including fellow Americans) having malicious motives. The initial development community was small and people knew each other – but it soon expanded and malicious people could become anonymous. (The first major Internet worm was made by Robert Morris – the “Morris worm” - in 1988; after serving time in prison he is now an honoured member of the US IT profession). Although the Internet was developed via US Government money (ARPANET: Advanced Research Projects Agency Network), the US Government did not subject it to US regulation at the time (ARPANET ceased to exist in 1990 when the Internet began as a public network). Perhaps in retrospect, the US Government should have insisted in a more controlling role (certainly China does so within its borders). No one is in charge of the Internet and so who is overall responsible for IT security? Meanwhile, some of the crimes that get committed are based on exploiting a person’s sense of greed (such as the Nigerian scams informing the recipient that a distant relative has left them money in Lagos bank account). Perhaps they are naïve in hoping to get money for nothing. Employers thought it would be a good idea to have a BYOD policy (“Bring Your Own Device”); it saved money for the employer, and it was “staff friendly”. But it can make the company’s IT system vulnerable to cyber-attack. It was well-meaning but perhaps naïve.
months-2 years.”
IT Challenges for Government Government is on steep learning curve. First, many governments are under siege from different categories of cyber-attack: (i) hostile governments (ii) criminal groups (iii) politically-motivated “hacktivists” (iv) “script kiddies” (younger people who want to see what they can get away with) (v) terrorist groups. Each group has its own motivations. They have different motivations. Second, the technique of nuclear Mutual Assured Destruction (MAD) does not work with groups which have a suicidal apocalyptic mindset. For example, if there were a destruction of the civilian communications network handling financial transactions, Islamic State would not be too worried if it could take the rest of us with them. Third, there is a wide range of “soft” targets: transport infrastructure, water and sanitation, fuel supplies, distribution centres, computer-controlled ground stations, mass deletion of government data, hacking hospital IT systems to murder
“Gordon Moore (a founder of Intel) predicted on April 19 1965
patients on life support systems (“hacked to death”), carjacking. This is new era of conflict because the targets are no longer military ones. Fourth, the full extent of the problems may be obscured because some financial institutions may prefer to keep quiet rather than admit to having problems. This means that there is not necessarily as much learning from experience as one would like (people need to share information on their problems as a way of creating a “learning society”). The Bigger Picture for Government Governments are too concerned with immediate, short-term issues and so get taken by surprise. The issues raised in this article, for example, were not raised in the recent general election. Perhaps politicians may lack the knowledge base with which to consider technological issues (much the same could be said about company directors, who will agree in minutes to spend thousands of dollars on an IT project, while arguing for a long time over the location of a bicycle shed). Therefore: how do governments make sure that the staff are not part of the problem, such as on BYOD? There is a need for new ways of conducting security checks: for example, security problems may arise from idealistic staff becoming disenchanted when they learn about how operations are being carried out (such as Daniel Ellsberg and the Pentagon Papers, Bradley/ Chelsea Manning, Edward Snowden). IT has made government more vulnerable to “leaks”. Meanwhile the complexity of IT developments and the slow response by government, gives the impression that government is out of touch with events: “reputational risk”. Citizens seek reassurance that government is somehow in control but the threat is now possibly faceless and borderless; potentially disruptive IT knowledge itself knows no boundaries and so may be acquired by anyone. Another challenge is how to make the most of “surveillance capitalism”? This is the growth of the technological monitoring industry. It has already had an impact on reducing some crime because criminals now fear they will not get away with their crimes (such as every lamp post is a set of eyes looking over the street). Certainty of punishment rather than length of sentence is a key factor in deterring crime. There is still far more that can be done in this area but it is a positive development. To conclude, IT represents a new frontier for security considerations. The IT industry is making great progress and transforming many areas of our lives. We have to make sure that the security industry keeps up with all the changes and be willing to think about the unthinkable.
Asia Pacific Security Magazine | 45
27-29 November 2016 Phuket, Thailand
DID YOU KNOW? ■
75bn USD - is how much the worldwide cyber security market is currently worth and expected to grow two fold by 2020
■
$32.95bn USD is how large the Asian cyber security market is expected to grow by 2019
■
$200bn USD is the forecast for connected devices by 2020
■
$30bn USD is the predicted growth for the global managed security services market by 2020
MAJOR TOPICS TO BE COVERED AT CYBER SECURITY EXCHANGE ASIA
1 Detecting an attack, how to and how not to address a data breach 2 Discussion of the Asian regional cyber security policy 3 Ransomware – best practice risk assessment, prevention and response role of the Chief Risk Officer in an organisation’s cyber security strategy 4 The 5 How to get the most out of your systems using your staff for implementation with the convergence of IT, OT and physical 6 Strategies security SOUNDS INTERESTING? WE WANT YOU! Come be a part of Cyber Security Exchange Asia 2016, 27-29th November 2016 in Phuket, Thailand, as we bring together 45 CIOs, CISOs and Heads of Cyber Security from across Asia, to discuss the challenges faced. Visit www.cybersecurityexchangeasia.com to find out more information on this unique event.
If you would like to request an invitation to see if you qualify to attend this event, email enquire@iqpcexchange.com referencing code CSCDM_Del
OR
If you would like to have 30 minute pre-scheduled meetings, to offer your solutions to these CISOs and Head of Cyber Security, email enquire@iqpcexchange.com to find out what opportunities are available referencing CSAPSM_SX
+65 6725 9921 | enquire@iqpcexchange.com | www.cybersecurityexchangeasia.com
Quote
6 SCADA th
WORLD SUMMIT ■ ■
Main conference: 9 & 10 November 2016 Post Conference Workshops: 11 November 2016
■ ■
“MYSECURITYMEDIA” to qualify for extra
10% discount*! *discount applicable to 2-day summits,
Pre-conference Workshops: 8 November 2016 Venue: Kuala Lumpur, Malaysia
What Makes 6th SCADA World Summit 2016 A Must-Attend Event! Recipe for Success Hear from Cross-industry SCADA Professionals and Project Owners share their experiences in managing SCADA system integration, upgrading and maintenance within an energy efficient environment through various large scale projects globally Interactive Discussions Join exclusive panel discussions featuring SCADA industry experts as they share their challenges and perspectives in eliminating cyber security threat and adopting smart applications to elevate SCADA system operational efficiency Eye-opening Presentations Gain strategic insights from over 20 industry experts on overcoming major challenges in managing SCADA system including Cyber security risk, complicated SCADA system integration and upgrade, achieving accuracy on real time data acquisition, improving connectivity between MTU and substations, data management and protection, reducing human errors in SCADA operation and amongst others In depth Workshops Attend the 6 Expert-Led Pre-Summit Workshops to grasp the nuts and bolts in achieving effective SCADA system management
Researched & Developed by:
Media Partners:
PHONE: 65 6376.0908 EMAIL: enquiry@equip-global.com WEB: http://www.equip-global.com/6th-scada-world-summit-2016
Cyber Security
Fighting technology with technology: protecting children from cyber bullies
T By Kim Maslin
48 | Asia Pacific Security Magazine
echnology has altered the way we live. This goes for both positive interactions with technology, such as keeping in touch with family overseas, as well as the negative aspects, such as cyber bullying, cyber stalking and cyber terrorism. Cyber bullying is no different to traditional bullying, aside from it leveraging technology. Cyber bullies use of technologies, such as email, text messages and social networking sites to hurt their victims, prowling the common platforms used by teenagers, including Facebook, Instagram, SnapChat and Skype. But how do we adapt our anti-bullying strategies to deal with cyber bullying, given its innate ability to invade not just our children’s school lives, but also their home life? The answer is that we all have a role to play in combating cyber bullying. Leading the way are our schools. Australian schools have already developed a number of measures to help combat cyber bullying, minimising the impact on our children. These measures include formulating policies that outline how the school will deal with cyber bullies; educating the student cohort about the impact of cyber bullying; responding to cyber bullying complaints; and providing support through counselors and pastoral care programmes for those who have been victimised. Technical measures have also been introduced in the form of content filtering and monitoring. These approaches draw upon digital technologies to filter out communications that may be deemed inappropriate, as well as monitoring the websites students visit and their behaviours while on school networks. This enables schools to collect evidence of cyber bullying incidences and hold those responsible to account. School ICT departments play a critical role in managing these filtering and monitoring systems, ensuring they stay one step ahead of today’s technically savvy teens. This approach goes a long way in minimising the number of cyber bullying incidences reported in schools, but it also aligns with the bigger vision the Australian Federal
Government outlined in the Australia’s Cyber Security Strategy (https://cybersecuritystrategy.dpmc.gov.au). Underpinning the success of this strategy is the development of a ‘cyber smart nation’ – a country complete with highlyskilled cyber security professionals, as well as a nation of citizens who understand the threats from cyberspace. While information security professionals are undoubtedly required to address a broad range of cyber threats – from terrorism to financial scams – protection of our children must remain a high priority. Research has found that one in five Australian children from the age of 12 to 17 have been victims of cyber bullying over the past year. Furthermore, the adverse effect of cyber bullying on our children’s mental health has been shown to be profound, ranging from selfesteem issues all the way through to suicide, so it’s vital that we keep it front and centre in people’s minds as we develop these national plans. As a community, we need to maintain the momentum that is building to tackle cyber bullying. Schools need to continue monitoring and educating our children, while parents need to do wake up to these threats (and their indicators) at home. In order to keep up with the everchanging digital landscape, Australia needs to invest in the future of anti-bullying technologies and professionals. We hope the government hears our call and invests in the future of Australia, which lies in the hands of the children of the digital age. About the author Kim Maslin is an entrepreneur, educator, cybersafety expert, social media enthusiast and founder of 3103 Communications. She is most importantly a ‘digital native’, who has grown up with the Internet and has been around social media for the better part of her life. Her expertise in communications, experience as a Technologies Teacher and Digital Learning Integrator and her passion to empower the community with digital literacy skills are the forces
Cyber Security
Creating a culture of security to defend against social engineering attacks
T By Christopher Hadnagy
he Fifth Annual Benchmark study on Privacy and Security of Healthcare Data by Ponemon Institute (https://www2.idexpertscorp.com/fifth-annualponemon-study-on-privacy-security-incidents-of-healthcaredata) has recently revealed what others have long perceived: There has been a shift in the root cause of data breaches from accidental to intentional. While 90% of healthcare organisations represented in the study had experienced a data breach, for the first time, criminal attacks are the number one cause of these breaches. Criminal attacks are highly targeted. When it comes down to it, attackers will stop at nothing to break into an organisation. They will use whatever means necessary to infiltrate, especially if those means are low risk. It’s far easier for attackers to bypass technical controls and exploit human nature to breach an organisation than to compromise a network surrounded by technical controls. Unfortunately, there is plenty of overlap between the proactive criminal and the unsuspecting employee that really adds fuel to the fire. Despite the balance of breaches shifting to criminal activity, organisations are beginning to recognise the importance of starting with employees first. According to Ponemon’s study, the data backs this up, as healthcare organisations rank employee negligence as a top concern when it comes to the exposure of patient data. Employee negligence goes far beyond the occasional lost or stolen laptop. What about when an employee accidentally discloses confidential data? A whopping 70% of Ponemon survey respondents admitted that careless or negligent employees are responsible for the most concerning security incidents impacting their organisation, but what can be done to help? Also, in Australia, the Australian Signals Directorate has openly acknowledged that Social Engineering tops the list of threats to Australian businesses, so it’s a true concern and one that doesn’t have an easy answer. To add to complication, organisations are gradually increasing their budgets and resources to protect both their data, however, not enough investment is being made in human capital to address the evolving threat landscape. It’s time for organisations to start investing in a culture of security that makes employees the first line of defense. Ask yourself, do your employees know what a phishing email is? Is there a process in place for the verification of a caller’s identity? Do you have a process in place to report security incidents? If you’re unsure of the answers to one or more of these questions, odds are you are not engaging in a culture of security.
What does a culture of security look like? A culture of security begins with active testing and training of employees for security awareness. Employees who know they are being actively tested have heightened awareness for security initiatives and are more apt to shut down an attempt to exfiltrate information or breach confidential client data. Buy-in for the culture of security should start at the top of the organisation and build down: this makes it the responsibility of each and every employee to contribute to this culture of security. Exposure, exposure, exposure! Not only should organisations implement continuous training initiatives, but they should also work to publicly reward employees who successfully respond to or report security incidents. Try publishing regular blog posts, try sending out organisation-wide emails, post your messaging on the corporate bulletin board, try handing out gift cards as prizes for staff who demonstrate they understand the security needs of your business and publicly recognise those who embrace it and live these values. A bit of positive reinforcement goes a long way. About the author Christopher Hadnagy, is the founder and CEO of SocialEngineer, LLC. Chris possesses over 16 years experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. Chris established the world’s first social engineering penetration testing framework at www. social-engineer.org, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals.
Asia Pacific Security Magazine | 49
Cyber Security
Are security vendors leaving your business at risk?
A By Tony Campbell ASM Correspondent
50 | Asia Pacific Security Magazine
n issue that I’ve been mulling over for some time relates to the fundamental nature of customer security engagements, especially concerning product vendors and their place as trusted advisors. This issue led me to a couple of conclusions. Firstly, there is a mismatch between what’s best for the client and what’s best for the vendor. And secondly, the security threat environment is so badly defined that vendors could be peddling "snake oil" and customers would still buy their products if it took away their fear. Today’s security industry is almost entirely product focused and driven by fear-mongering. I’ve even seen some of the big consultancies pitching up at client sites with software products dealt as the cure for what ails them. Every week, another new security vendor hits the news, riding on the back of the venture capitalists' love affair with our industry. And with each new product comes a new story of data mining, artificial intelligence and predictive analytics, which is more and more baffling for the poor old customer who needs to make a risk-balanced investment decision to address their
risks. In part, I blame the media. Since the Target attack back in 2013, news channels have focused on sensationalising big data breaches, the cyber heists undertaken by criminals looking to sell personal information on the black market. What the media has successfully managed to do is play right into the hands of the security product vendors, who are more than happy to sell software that can detect and defend against these kinds of remote attack. However, how many organisations, before having a discussion with AntiThreatWare Inc. have undertaken an actual threat assessment? Consider this. Cyber criminals are not the only category of threat actors that want to attack your business. Moreover, threat actors have a variety of different means, motives and intentions, so you need to understand all of those factors to assess the risk accurately. For example, if you run a medical scanning business, your patient data will be at risk from cyber criminals, that’s a given. But you will also be under attack from foreign nation states who might want the patient data for espionage purposes, who will very likely use different
Cyber Security
'Since the Target attack back in 2013, news channels have focused on sensationalising big data breaches, the cyber heists undertaken by criminals looking to sell personal information on the black market' techniques to hack you than the simple malware drops used by the cyber criminals. What if your patients include celebrities? Now you might be attacked by journalists, so again, you need to be on the lookout for that threat group again acting with an entirely different set of means, motive and intent. Further to these threats, you must always consider the potential of threats originating from inside your network boundary – this can come from employees, contractors, partners, customers, and even the casual staff who empty the recycling bins once a week. Security breaches attributed to insiders can be from two perspectives: unintentional and intentional. No single security product will address all your risk. Instead, you’ll hear a lot about cyber criminals attacking you through malware drops, using phishing campaigns to deliver their malware to your users' desktops. But this vendor won’t tell you that their technology can do nothing to support you if the attacker is a rogue administrator recruited by your competitor to steal your company's IPR. Even if you have a comprehensive threat assessment, are you now able to determine where you most at risk? Do you have data classification or at least some means of determining the value of your data? Are the emails in your corporate Exchange server all of the same classification and if not do you, therefore, treat that data with the security requirements of the most sensitive email it contains, or do you consider the entire Exchange service database entirely benign and without value? Are there even any rules over what can and should be sent using the corporate email system, and what if legitimate users with unfettered access email corporate documents out to a third party. Would you know or even know to care? If asked the question you might say, “But they know not to do that,” but I ask you this. Are you confident that no user has ever accidentally hit reply all to an email that included third party recipients outside the business, unintentionally sending an attachment meant for only corporate eyes? Even if you have the very best approach to classifying and valuing data (which frankly is one area of security management that most businesses are shockingly bad at) without a full and accurate threat assessment, it’s impossible (and I mean impossible) to determine risk. Without a full understanding of the information risks you are attempting to mitigate using new technology, how can you ever hope to measure the benefits of your investment when you can't measure the risk reduction? Businesses need to pause and reflect on what security is and what it means to them. If you think about the word itself, security is simply a state of being where it’s all good unless you have information to the contrary. If you are blatantly ignoring the threats, then, of course, when you are breached is when you'll start to care. Once you become aware of the problem, this is when you can choose to hire and expert
who knows how to navigate the security industry, someone who knows what security is and can manage expectations effectively. If you can’t afford to hire someone directly, it's time to call in a consultant. But you need to make sure the consultant isn't just another product junkie, out to push the latest and greatest cyber security gadgetry. If they immediately jump into pitching products before they've looked at your business and assessed your architecture, frankly, ditch them and look elsewhere. There is certainly a place for security technology in our enterprises, but it's time to start letting the security requirements lead the architecture, and it's this level of planning that will lead the design. At this stage, we can make considered, sensible technology investment decisions based on them meeting real business requirements and we can build test cases to prove they work. It's time to stop vendors leading the market and start basing security decisions on strategic thinking, a true understanding of threats, vulnerabilities and risk, and an architecture-driven approach that drives real security value into the enterprise.
Asia Pacific Security Magazine | 51
Cyber Security
Editor’s Expo Wrap-Up: IFSEC Southeast Asia 2016
K
uala Lumpur was the host of the fourth edition of IFSEC Southeast Asia at the classic venue of KL Convention Centre. IFSEC SEA provides the security, fire and safety industries in the region a major boost with plenty of business and networking opportunities. Over the years the event has established itself as a very important gathering point for industry players annually, and this year was no exception with numerous Malaysian and regional ASEAN participants, including pavilions for China, Singapore, Taiwan and Britain, over three exhibition days. More than 350 company platforms displayed all facets of security, fire and safety technologies and advancements in CCTV, surveillance, biometrics, perimeter security, access control and many other solutions available in the market. Some of the larger displays included HID, HikVision, Alhua, Panasonic, Lilin, Vivotek and WaferLock and an interesting display by the Royal Malaysia Police, complete with a hands on firearm display which attracted a lot of public interest. If anything was missing it was a security robot and only two drones were spotted on the Expo floor. The event was supported and graced by important dignitaries, including Minister of Home Affairs Malaysia; Director General of the Federal Department of Town And Country Planning Peninsular Malaysia; Inspector General of The Royal Malaysia Police and together with the Chairman of Cyber security Malaysia and Chair of ASIS – Ma52 | Asia Pacific Security Magazine
laysia Chapter. Business Matching sessions were organised by EU-Malaysia Chamber of Commerce & Industry enabling meeting with 12 companies traveling from Europe. The event has the continuous patronage and support from key Malaysian government departments - Ministry of Home Affairs, Ministry of Urban Well-being, Housing and Local Government of Malaysia, Royal Malaysia Police and the professional security bodies such as ASIS International Malaysia Chapter, Asian Professional Security Association (APSA), Cyber Security Malaysia and British Security Industry Association (BSIA). MySecurity Medias proud to be associated with the IFSEC SEA 2016 and took the opportunity to launch our new media channel – MALAYSIA SECURITY MAGAZINE (MSM) to compliment our other channels which cover the Asia Pacific region – Asia Pacific Security Magazine (APSM), Australia Security Magazine (ASM), ChiefIT.me and Drasticnews.com. The feedback we received from the exhibitors and organisers were very positive and overall the event was very lively and notably the number of visitors streaming through the doors each day, with lines forming each afternoon. Quite rightly, UBM Malaysia, organisers of IFSEC Southeast Asia announced its dates for the next event which will take place from 6 to 8 September 2017, Kuala Lumpur Convention Centre. Put it in the diary if you have business in Asia.
Royal Malaysia Police Stand - Firearm display
Cyber Security
Brig Gen (R) Rashid Ali Malik speaking on Terrorism – Failing World Order
Exectutive Editor Chris Cubbage with Asian Professional Security Association's (APSA) Secretary Khen HM and Malaysia Security Magazine Editor Prince Lazar
Opening Ceremony including an official opening by Malaysia's Minister of Home Affairs
Asia Pacific Security Magazine | 53
Cyber Security
CRoyal Malaysia Police Stand - Firearm display
Royal Malaysia Police Stand - patrol motorcycle
54 | Asia Pacific Security Magazine
BodyCamera Unit by IndigoVision
Royal Malaysia Police Stand
Cyber Security
HID Stand focusing on Mobile Access
Intelligent Transportation System by Alhua
Asia Pacific Security Magazine | 55
Cyber Security
Nightingale Security Drone pod
John Tinny and Francis Yeoh of Falcon Safe
56 | Asia Pacific Security Magazine
Y.Bhg Dato’ Dr Dolbani Bin Mijan, Director General of The Federal Department of Town and Country Planning Peninsular Malaysia
Cyber Security
Kuala Lumpur Convention Centre
WaferLock stand
Asia Pacific Security Magazine | 57
International
EXECUTIVE EDITOR’S SHOW REVIEW COMMERCIAL UAV ASIA SHOW AND IOT CONFERENCE, SINGAPORE
D
espite a very busy and somewhat problematic registration process, though taken as a sign of success, once inside and underway this was a great event. Well attended from across Asia and show casing drone technologies from around the world, the attendees represented all facets of industry, academia, business, technology and large enterprise. Having first written about the emergence of drones entering into the civil sector in 2009, it is obvious now that drone technology has become main stream and is now in full flight. Literally! It remains only government regulation restricting much wider commercial use, and with companies like UniFly (www.unifly.com) these regulations can be easily referred to and evaluated. Others have much more ambitious plans, like Daka Technologies which reports to be progressing fast with the concept of installing drone delivery pods in all high rise apartments. To help alleviate any safety concerns, ParaZero drone safety systems, an Israeli company used the show to introduce an innovative pyrotechnic parachute and autonomous triggering technology. Fundamentally, drones continue to do the 3'D's - the dirty, dull and dangerous work, but the technology has expanded into ‘dronetainmant’ (unless told otherwise I'm coining that phrase) with drones being used for stage show productions and drone racing is also increasingly popular. Infinium Waders have developed performance drones, specially engineered for the entertainment industry. With in-house proprietary algorithms, complex swarming of UAVs indoors and outdoors is possible for live and novel entertainment showcases. The exhibition included mini drone races, drawing an enthusiastic crowd around a confined safety
58 | Asia ChiefPacific IT Magazine Security Magazine
Altura Zenith from www.Aerialtronics.com
net protected centre stage on the expo floor. Races saw drones crashing, smashing and even completing the small course, in what was a challenging mini event for the pilots. One of the key technologies I was seeking out was automatic response drones, which deliver operational security capabilities for responding to alarm events, or being used for perimeter inspections or first deployments to signs of movement or suspicious activity. Only two systems claimed success in this area with developments underway fast and more announcements still to come by SmarmX and DroneBox. But others are also getting there, if not already and I would envisage well within two years we will see these systems deployed in much wider circles. H3Dynamics, a member of the Intel IoT Alliance, has developed the DroneBox as a specialised IoT
product. A Singapore-based, fast-growing robotics technology company, H3Dynamics also specialises in high performance hydrogen-electric energy propulsion systems for UAVs, integrated field and aerial robotics systems, and data analytics solutions across a number of industry sectors. The multi-national team, including based in Melbourne, consists of technologists, engineers, scientists from multiple disciplines, entrepreneurs, and industry leaders who have a wealth of technical and business expertise from their respective fields. Swiss drone manufacturer, senseFly, used the show to launch the eBee SQ fixed-wing agricultural drone. Built for the Parrot Sequoia multispectral camera, this system can cover up to 10 times more ground than small quadcopter drones. The eBee SQ builds on senseFly’s eBee platform, which has so far recorded over 300,000 successful customer flights over seven continents. The Parrot’s Sequoia camera
International claims to be the smallest, most advanced multispectral sensor on the market. The eBee SQ combines precise crop imaging with large ground coverage flying for up to 55 minutes on a single battery charge. This performance enables it to cover up to 500 acres (200 ha) in a single flight at 400 ft (120 m) above ground level* up to 10 times more ground than small quadcopter drones. Founded in Hong Kong in 1999, Yuneec International manufactures over 1 million units a year and includes the Typhoon brand of multi-copters. The Company’s achievements include the introduction of the hobby industry’s first “Ready to Fly” radio control electric powered airplane and the design and manufacture of market leading radio controlled helicopters and micro-copters. The Wingcopter, developed in Germany, is a Hybrid Vertical Take-Off and Landing (VTOL) UAV, with the advantages of a multi-rotor and a fixed-wing using a patented tilting-rotor mechanism. The new innovation provides a solution to cover large areas of land without the need to find take-off and landing areas that are difficult in tough terrains. The system has a maximum flight time of over 2 hours, a range of up to 100km, a maximum payload of 2kg and the ability to cover up to 2,000 hectares in a single flight. AeroLion is a spin-off from the Unmanned Systems Research Group of the National University of Singapore. The company has specialised in UAV autonomy, formation and navigation in both indoor and outdoor environments for more than 10 years. AeroLion Technologies provides custom solutions and has developed the BlackLion-168 and BlackLion-068, both with rugged design for harsh environment applications, high payload, long endurance flight, multi-sensor based, GPS-less indoor navigation, obstacle avoidance and provides intelligence analytical features. Silvertone, established in Australia in 1958, proudly displayed their new Mark 3 Flamingo, a 25kg class RPA capable of carrying up to 8kg of payload for more than 12 hours. The unit was designed to provide a 65% increase in payload volume (3kg capacity increase) and an additional 4 hours of flight time while remaining within the 25kg maximum takeoff weight. Finally, UCON SYSTEMS, a manufacturer of UAVs for the Republic of Korea Army and Marine Corps displayed a range of surveillance, reconnaissance, industrial and agricultural UAVs. Alongside the Commercial UAV Asia Show was an IoT Conference with Innovation Hubs displaying a wide array of sensing devices, delivery and control Apps and plenty of other new ideas for budding entrepreneurs. This will hold us in good stead as we head to Silicon Valley later this month for the Net Events IoT and Cloud Innovation Summit and Innovation Awards. Stay tuned!
Thermal Imaging sensors at the Yuneec.com stand
Auto take off and landing system by SwarmX.com
Wingcopter Hybrid Speed Drone - wingcopter.com
By Chris Cubbage
Asia Pacific Security Chief IT Magazine | 59
International
IoT Conference
Tarot Racing Drone Kit - sells for around AU$200 online at tarotrc.com
“Asia is expected to be the largest regional manufacturer of UAVs in the world over the next decade.�
DroneBox by H3Dynamics.com
60 | Asia ChiefPacific IT Magazine Security Magazine
International
Typhoon 4K by Yuneec.com
SkyeIntelligence Orbit - www.sky-intelligence.com
Asia Pacific Security Chief IT Magazine | 61
International
Intense discussions about ORION Drone Proection Systems, multisensor detection and tracking system
Multipurpose flying platform with wingspan of 2.95m, payload of up to 7kg fully autonomously over a distance of more than 1000 km within 10 hours flight
Typhoon H by Yuneec.com
62 | Asia ChiefPacific IT Magazine Security Magazine
Ruggedised Flight Controller Unit from Tarotrc.com
International
Wingcopter -Editor Chris Cubbage with Tom Pluemmer, CEO - wingcopter.com
X-Star Quadcopter in action AutelRobotics.com
Mark 3 Flamingo RPA by Silvertone.com.au
Asia Pacific Security Chief IT Magazine | 63
CumulusOne Fixed Wing Drone by IFCON Technology - www.ifcontech.com
International
X-Star Quadcopterand controller by AutelRobotics.com
64 | Asia ChiefPacific IT Magazine Security Magazine
SkyDroner 1000 by TeleRadio Engineering - www.skydroner.com
International
Drones Robotics Automation Security Technology Information Communications
news.com
www.drasticnews.com Like us on facebook! www.facebook.com/drasticnews Asia Pacific Security Magazine | 65
Available online!
10110
55003/
Y’S NTR
AND
ENT
RNM
OVE
GG
DIN
LEA
ATE
POR
E
ZIN
AGA
YM
URIT
SEC
|
ed PP2
Approv
See our website for details ma
lian
sec
urity
U
CO
15
|
.a www
ustr
alia
Post
000032
nal natio ar, in Inter ASIS nual Sem, USA An aheim An
d PP1
Approve
ine.
com
.au
te A Sta ISAC , Perth e rinngferenc e e in o l eng attCacks Socia
nsec
uritym
agaz
16
ep 20
Aug/S
E
RNM
OVE
GG
DIN
LEA
.au
ov 20
27
s utive ch E u AZIN exec MAG ITY Why to be m CUR d E SE e e n hier ORAT ORP C c ND mu NT A THE
om
Oct/N
rity in Secu ment, rn Gove anberra C
of cult The ware the a
’S TRY
ne.c
URE
FEAT RISIS t LS C men SKIL le an e hum ation e h T form in in ction prote
THE
gazi
S P UP w.a WRA ww al ENT ation e, L EV N IA A C AIS nferenc e SPE Co ourn Melb ra ust
R CO
Post
N COU
ess a busin -high y strakliing ill Au Ta curity sk w How up? se keep
ption dece s of Sign $8.95
INC.
ren n child s satio cting bullie adicali art III R s – P ria Prote cyber y s m S e fro Proc is over lys para The Time Tech
US
GST
PL
Time Tech
erl Cyb
1 YEAR SUBSCRIPTION
city Safe The need for ity Its and roperabil inte
reat ted a er Th Insid be elimintive c n a a o C a pr with oach appr
TO THE AUSTRALIAN SECURITY MAGAZINE
Get each print issue per year for only $88.00
US
PL
A, k Q& , Quicrity and . Time u Tech ber Sec h more.. Cy muc
$8.95
INC.
GST
SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐
AUSTRALIA
A$
88.00
(inc GST)
1 YEAR
☐
INTERNATIONAL
A$
158.00
(inc GST)
1 YEAR
Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)
No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.
Go to
www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)
66 | Asia Pacific Security Magazine
PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155
FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059
Email subscriptions@mysecurity.com.au
GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056
Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.
DCS-960L Wide Eye HD 180Ëš Panoramic Camera
To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au
Latest News and Products Asia Pacific Security Magazine | 67
TechTime - latest news and products
Axis introduces the industry’s first IP cameras with i-CS lens “The new i-CS lens technology is based on an open protocol standard allowing the lens and camera to communicate. The release of the i-CS lens will truly help drive the industry forward,” said Fredrik Nilsson, VP, Americas, Axis Communications. “Additionally, the release
of the new indoor AXIS Q1615 Mk II and the outdoor AXIS Q1615-E Mk II shows that we’re taking a step toward the future of the industry.” Due to several motors inside the i-CS lens; zoom, focus and iris opening can be remotely adjusted. Furthermore, the exchange
of information between the i-CS lens and the camera, enables easier formatting of Electronic Image Stabilization (EIS) and Barrel Distortion Correction (BDC), which reduces the time needed for setup. Both of the new fixed cameras can provide HDTV 1080p video at frame rates of up to 50/60 fps or HDTV 720p video at frame rates of up to 100/120 fps. This allows for detailed video capture of fast moving objects, which can be of great importance in industrial applications, especially when monitoring a production line. Details of parts and packages can be monitored easily and precisely, enabling full control of the production process. AXIS Q1615-E Mk II features Axis’ Zipstream technology, which significantly reduces bandwidth and storage requirements, while maintaining video quality. Both cameras also support Wide Dynamic Range (WDR) – Forensic Capture as well as Axis’ Lightfinder technology to ensure qualitative images in complex scenes. The indoor AXIS Q1615 Mk II and the outdoor AXIS Q1615-E Mk II are planned to be available in Q3 2016 through Axis’ standard distribution channels at the suggested retail prices of $999 for AXIS Q1615 Mk II and $1299 for AXIS Q1615-E Mk II.
D-Link launches 180˚ wireless AC wide eye camera D-Link ANZ has released the DCS-960L Wide Eye HD 180˚ Panoramic Camera Joining a growing range of mydlink-enabled cameras, the Wide Eye HD 180˚ Panoramic Camera can be easily and securely accessed, remotely viewed and managed via a smartphone, tablet or PC. Accessed through the free mydlink app or the mydlink online portal, users do not incur ongoing subscription charges or require special software. For ease of use, the included 16GB microSD card means users can record video locally onto the camera, without incurring monthly fees. It can be set to start recording either by an event trigger, schedule or continuous record. Features • 180 Degree Field of View – Widest angle lens on a fixed consumer camera, ideal for
68 | Asia Pacific Security Magazine
•
• •
large rooms and areas with multiple entry points HD 720p Quality Video – Rich detail and crisp image quality for monitoring your home Unique De-Warping Technology – Maximises video quality with less distortion Wireless AC – Latest dual-band Wi-Fi technology for better bandwidth and improved range
•
Motion and Sound Detection – Push alerts notify you of detected motion or sound • Local Recording – 16GB MicroSD card for local recording Night Vision – See up to five metres in complete darkness with built-in IR LEDs The DCS-960L is available now at an RRP of AUD $349.95
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
New major release of MxManagementCenter 1.2 MxManagementCenter (MxMC) is a MOBOTIX application for PC/MAC systems with the focus on a unique and intuitive user experience, providing the highest cost savings and flexibility in the market. Following the MOBOTIX software concept, MxMC is 100% included in the MOBOTIX portfolio, requiring no extra software, license or update costs. MxMC can be used in projects independent of the number of cameras or the mix of products incl. doorstation, MxDisplay, accessories, storage devices, etc. All MOBOTIX products in the network will be automatically detected and can be configured with the brand-new graphical user interface without any web browser, easy and intuitive. So, it is possible to setup a complete system of cameras, home automation and alarm devices in the shortest time without extra software and license fees. Especially the configuration management of MxMC will help to reduce installation, configuration and maintenance costs dramatically. Unlimited number of cameras, touchscreen-optimized operation, camera groups with representation in Grid and Graphic views, Grid views with a focus window and controls, quick display of particular cameras in the focus window by “drag and drop” from the camera bar. Graphic views with freely definable icons,
“soft buttons” used to execute any URL and live windows, quick switching between Grid and Graphic views, optical and audible alarming of new events, quick switching to the Playback view to allow playback of events and continuous recordings. Instant Player allows for quick viewing of the latest events during live video monitoring
operation, a special Research view for easy viewing of a large number of events, easy use of multiple monitors by double-clicking on the live image, grid or event image, camera sequencer, door station functions (intercom, open door, turn light on/off, etc.), data export, subsequent distortion correction of hemispheric camera images – in live images and in recordings.
Security by Design at 200 George Street 200 George Street, Sydney is Mirvac’s latest Premium grade office tower. Designed by award winning architects Francis-Jones Morehen Thorp 200 George Street is set to be one of Australia’s most environmentally advanced and sustainable buildings with a 6 Star Green Star. Part of the requirement for the building was for an integrated access control system, lift destination control system and turnstile solution to limit building access to only authorised occupants and visitors whilst speeding up pedestrian movement in to and up through the building. The caveat being the turnstile design had to blend in with the overall building design. Based on the EasyGate HG, the design was customised so the pedestals where clad in the same stone as the concierge desks and the metal work was finished in black to ensure the speedgates complemented the overall design concept for the buildings striking lobby. Centurion EasyGate uses glass barriers of up to 1800mm in height, in conjunction with state-of-the-art optical technology to provide
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
a high throughput security gate. The bidirectional glass barriers are designed to work in a ‘normally closed’ mode and swing open after a valid card has been presented to allow the authorised user to pass. The barriers are designed to close quickly behind the authorised person to deter tailgaters whilst the IR sensors monitor the lane to detect unauthorised entry and ensure the safety of users.
The final solution incorporated a Schindler PORT access and lift destination control system integrated with Centurion EasyGate speedgates so when staff enter the building they scan their card at the turnstile, which in turn directs them to the next available lift going to their specific floor whilst verifying they can access the building at that specific time.
Asia Pacific Security Magazine | 69
Cyber TechTime - latest news and products
Hellenic launches payband using Gemalto’s waterresistant contactless EMV payment wristbands Gemalto has supplied Hellenic Bank with its Optelio contactless EMV Payment wristbands. These water-resistant NFC wristbands that are marketed as PayBand to Cyprus consumers will ensure that Hellenic Bank customers no longer have to worry about carrying cash or cards, even when they head to the beach or pool this summer. The solution features an embedded Visa applet and links seamlessly to the user’s
Hellenic Bank debit or credit card account. Fast and secure cashless transactions are therefore possible across Cyprus, which was recently named in Visa’s ‘Top 8′ for contactless terminal penetration in Europe. Well over 50% of the country’s POS terminals are contactlesscompatible, and one in five cashless transactions, is already completed using this time-saving technology.
Juniper networks introduces cloud-enabled branch to deliver on-demand cloud services Juniper Networks has announced Juniper Networks Cloud-Enabled Branch, a transformative solution that will allow enterprises and managed service providers alike to seamlessly create and automate delivery of branch office networking services on-demand. As part of Juniper Networks Unite, an agile enterprise cloud architecture, the new solution suite helps companies accelerate deployment of real-time services and applications, including SD-WAN functionality, across branch locations incorporating network automation, zero touch provisioning and an open platform. The suite includes security capabilities to proactively identify and intelligently respond to threats and enforce polices across all branch locations.
70 | Asia Pacific Security Magazine
Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
Cyber TechTime - latest news and products
Ixia expands cloudlens support for private clouds Combining the power of Ixia’s virtual tap, packet and application flow filtering, SSL decryption, and rich Netflow metadata generation, Ixia’s CloudLens platform provides service providers and enterprises with unprecedented insight into physical, virtualised, and hybrid environments. CloudLens enables security monitoring, performance analytics, and troubleshooting in a seamless, integrated solution. In addition to OpenStack KVM, VMware ESXi and NSX, the CloudLens platform now supports Microsoft Hyper-V and VMware vNetwork Standard Switch (vSS). As a result,
customers can easily manage a virtualised computing environment, while reducing IT costs. “Ixia works hand in hand with our customers to understand their unique challenges when initiating or managing their cloud deployments,” said Christophe Olivier, Senior Product Manager at Ixia. “It’s this close collaboration that enables us to develop visibility and virtualisation solutions that eliminate these challenges, and enable customers to fully benefit from the advantages offered by the cloud.” A platform consisting of existing Ixia solutions and planned products that will
integrate network visibility, CloudLens enables customers to easily and quickly deploy a highly scalable traffic monitoring system spanning private, public, and hybrid cloud deployments. CloudLens currently includes Ixia’s Virtualization Tap™ solution to access private cloud East/ West traffic, as well as the company’s Vision™ series of Network Packet Brokers with the Application and Threat Intelligence Processor™ (ATIP™) for actionable insight into network activities and the ability to visualise and analyse user, device, and application behaviours.
Norton ships new app to stop hackers from stealing private information over unsecured wi-fi The newly released Norton Wi-Fi Risk Report reveals that the online habits of consumers gives hackers unimpeded access to sensitive data like banking information or social media passwords. “What turns people into easy targets is confusion about the security of public Wi-Fi networks. Norton found that only 34 percent of Australian consumers are able to distinguish between a secure and an unsecure Wi-Fi network,” said Mark Gorrie, Director, Norton Business Unit, Pacific region, Symantec. “Most people assume that all Wi-Fi networks available in public places like airports, hotels and cafes have security built-in. That’s not the case. When consumers log onto an unsecure network, hackers are able to steal information as it travels across the web, sell it on the dark web for profit or even use the information to drain consumer bank accounts,” Gorrie added. Even popular apps found on Android devices lack security – in Australia, 14 percent of Android apps transmit sensitive information without encryption, leaving their data unprotected. To combat this, Norton Wi-Fi Privacy uses sophisticated encryption technology and scrambles consumer information to help protect their information and identity online. The Norton Wi-Fi Privacy app is available on Android and iOS platforms for purchase in the iTunes and Google Play app stores. A yearly subscription service includes protection for one mobile device and 24/7 in-app support. PC, Mac and multi-device availability coming soon. For more information: www.norton.com
Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
Asia Pacific Security Magazine | 71
PRESENTING THE 14TH ANNUAL
National Security Summit
Policy, Surveillance, Interoperability
30 – 31 August 2016 | Vibe Hotel, Canberra PRESENTATIONS FROM: Chief (Ret’d) Mike Fisher, Former Chief of US Border Patrol, CEO, Scorpion Security Services LLC Colonel Tom Hanson, Assistant Chief of Staff, G-7, US Army Pacific Dr. Marc Siegel, Commissioner, Global Standards Initiative, ASIS International Lieutenant General Angus J Campbell, DSC, AM, Chief of the Australian Army Michael Pezzullo, Secretary, Department of Immigration and Border Protection Admiral (Ret’d) Chris Barrie AC, Former Chief of Defence Force, RAN, Adjunct Professor, Strategic and Defence Studies Centre, Australian National University Nicole Seils, Head of Government Relations, Lockheed Martin Australia & New Zealand Assistant Commissioner Wayne Buchhorn, Investigations Division, Australian Border Force Assistant Commissioner Neil Gaughan APM, National Manager Counter Terrorism, Australian Federal Police Jacinta Carroll, Head, Counter Terrorism Policy Centre, Australian Strategic Policy Institute Professor Peter Leahy AC, Director, National Security Institute, University of Canberra Dr John Moss, National Manager Intelligence, AUSTRAC Tony Antoniades, Head of Export Control and Security, BAE Systems Australia
LANYARD SPONSOR:
CONFERENCE SUPPORTER:
Todd Smithson, Chief Security Officer & Technology Control Manager, Thales Australia
www.informa.com.au/nationalsecurity
MEDIA PARTNER:
Australian Security Industry Awards
Call for Nominations
2016 RECOGNISING EXCELLENCE
Industry Partners:
Awards Ceremony & Dinner:
20 October 2016 The Westin, Sydney
Organised by:
Nominate now:
www.asial.com.au
Media Partners:
the peak body for security professionals.