Australian Security Magazine, Apr/May 2016

Print Post Approved PP255003/10110

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au April/May 2016

A culture of risk
Effective communication skills
How to keep your information safe in a hybrid cloud
Preaching the destruction - 2016 Brussels bombings
Uniting through oceans
Has Snowden made the world safer for criminals & terrorists?

PLUS: TechTime, Quick Q&A, CISCO Feature and much more...

$8.95 INC. GST




Contents

Editor's Desk
Industry Insights
Quick Q & A: Jason Legge - Head of security and consulting APAC

International
Uniting through oceans

Counter Terrorism Feature
Preaching the destruction - 2016 Brussels bombings

National
A new collective voice for the tax stamp industry
Australian Bureau of Statistics change in census 2016
Organisations that lack a security aware culture

Cyber Security
A culture of risk
Effective communication skills
CISCO FEATURE
Has Snowden made the world safer for criminals and terrorists?
Keeping your information secure in the cloud
Big data & the internet

TechTime - the latest news and products
Editor’s book review

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Sarosh Bana, Adeline Teoh, Tony Campbell

MARKETING AND ADVERTISING
Kathrine Pecotich
T | +61 8 6361 1786
promoteme@australiansecuritymagazine.com.au

SUBSCRIPTIONS
T | +61 8 6361 1786
subscriptions@mysecurity.com.au

Copyright © 2015 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E | info@mysecurity.com.au
E: editor@australiansecuritymagazine.com.au

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
www.facebook.com/apsmagazine
www.twitter.com/apsmagazine
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

OUR NETWORK
www.youtube.com/user/MySecurityAustralia
www.asiapacificsecuritymagazine.com
www.drasticnews.com
www.chiefit.me
www.cctvbuyersguide.com

Correspondents* & Contributors
Mike Schuman, Juan Yanez, Areg Alimian, Adeline Teoh*, Tony Campbell*, Sarosh Bana*, Brian Henke, Anooshe Aisha Mushtaq, Jason Legge


Editor's Desk

“Keep your business growing as fast as technology and you have the fastest growing business.” - Kevin Bandy, Senior Vice President, Chief Digital Officer, Cisco, March 2016.

There remains uncertainty between Federal and State governments in Australia. Frustration amongst business, industry and communities has been steadily rising, in particular without consistent and trustworthy leadership, as far back as 2007. The Australian Federation is now under review and changes proposed - including proposals to turn back to a pre-WWII taxation system and the introduction of a new State in the country’s north east. Whilst further to the nation’s north, regionally, it is forecast as inevitable that there will be military conflict on the Korean peninsula. The outcome of such a conflict then becomes unpredictable but undoubtedly, for a period, will impact maritime trade routes and relations with all our primary trading partners in the Asia Pacific. Then look over the horizon, and internationally, and it seems a warning clause is required, as the scenes playing out ‘may be distressing to some viewers’. Brussels, Brexit and Trump to name but a few.

But realistically, for a sustainable future, we need to look to our scientists, mathematicians and technologists. Highlighting a recent report, Technology and the Future of Cities, by the President’s Council of Advisors on Science and Technology, the advice is to spend billions and not millions on future cities. The concept is to go “beyond the ideas captured by the label, ‘Smart Cities’, identifying opportunities to improve people’s lives both by modernising key infrastructures (such as for energy, water, or transportation) and by using information technology (often with open data) to enhance city operations and services. These opportunities illuminate new directions for place-based policy investments to renew infrastructures will have greater payoff when they incorporate innovations rather than merely replace old and failing systems.” Because this makes sense, I’m concerned some of our current politicians may not understand it. Innovation must be, and globally will be, the facilitating driver as we approach 2020 - 2030.

In this issue, we have a Cisco Live 2016 feature following an impressive gathering in Melbourne last month. Innovation was the central theme but security was importantly recognised as the enabler. Cisco announced a new digital networking architecture and reported on the successful launch of innovation hubs and tech projects in Perth and Sydney. A number of ‘place projects’ are well underway amongst our leading universities, with pockets of engagement between business, industry and government. There were some key takeaways and with over 5,500 participants, Cisco has set itself the task of driving the economic transition in Australia.

Cisco Vice President Ken Boal proudly concluded “IT itself is causing business to exist and businesses need to change the way they produce value. And time is moving fast. This isn’t theory. The example is Weightwatchers, which lost 95% value because they didn’t see Fitbit coming and they are yet to recover. There were 53 billion devices shipped in 2015 and digital growth in Australia is larger than GDP growth and the total value of the retail market. The nature of the IT implications is dramatic, yet technology has to communicate securely. With this front of mind, Cisco is also the largest (cyber) security company in the world and weak security has been shown to inhibit innovation – with up to 20% slower growth due to cyber risks.

As a result, this issue retains a strong cyber security theme and with a focus on innovation, culture and workforce development, as well as our regional and national security interests. Anooshe Mushtaq has kindly provided insight into the recent Brussels terror attack and the ongoing security environment in European cities and forced migration from Syria. In a global world these will continue to have global ramifications. As we re-examine Australia’s priorities and Federalism, we should also keep a lookout to the horizon – there is still much risk that we are yet to face. And on that note, as always, we provide some thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor



WA Chapter of ASIS International leading the way in facilitating the Public-Private Partnership and addressing the Global Security Posture

In light of recent global events, the need for greater collaboration between the public and private security sectors has become even more apparent. As such, following the recent signing of an MOU between the US State Department Overseas Security Advisory Council (OSAC) and the leading global security industry association, ASIS International, the first annual Western Australian Country Security Briefing was held late last year in Perth, WA, in which Jacobs and Gallagher played a pivotal role in supporting and sponsoring. The briefing included representation from over 80 security delegates across key market sectors of national significance including Aviation, Mining & Metals, Oil & Gas, Transport, Utilities, Education, Law Enforcement and Government Strategy.

The luncheon provided delegates with a high level security briefing from the US Embassy’s Regional Security Office, an update on the latest national security issues and strategies from the Australian Security Intelligence Organisation (ASIO) and an insight into the role of the newly formed Western Australian Police Protective Security Unit. Additionally, Jacobs Global Security Director Joe Olivarez (based in Pasadena, California) flew into Australia to support and participate in the event by covering some of the particular challenges faced by the private sector moving forward. The event provided a great opportunity for academia, government agencies and private security partners to share information, contribute ideas and discuss issues of mutual concern, with the luncheon attracting high level government support including attendance by the US Ambassador and the Perth Consul General.

US Ambassador to Australia John Berry, Perth, December 2015

The US State Department OSAC has been working to strengthen the value of Public-Private partnership and elevate the level of security discourse for its constituents globally for over 30 years. As a result of Jacobs’ strong presence and commitment to the security and safety of its staff, Jacobs has been acknowledged as an important facilitator in fostering connections between private sector partners and U.S. Mission personnel, which has prompted the State Department to seek Jacobs’ assistance in supporting OSAC throughout our global footprint. For Garrhett Thomas, Senior Risk and Security Consultant, and WA Chapter Treasurer, “this is a great result for the organisation and the staff who contributed to the success of this event.”

To follow on from such a successful close to 2015, the ASIS International WA Chapter kicked off 2016 with an afternoon briefing session from WA Police, held at Crown Perth. Delivered to a room of security professionals and joined by Perth’s facility and venue managers, WA Police presented sessions on ‘Active Shooter’ guidelines for mass gatherings, organised crime activity and the ‘Ice’ issues impacting WA and local communities. These are important events for industry wide networking, sharing and learning.

The WA Chapter is pursuing an industry mentoring programme and has engaged with the Intelligence and Counter-terrorism Student Association (ICSA), a recently formed student body based out of Edith Cowan University and Neonie Colls, State Manager for G4S has helped with the introduction of a Women in Security representative role on the Committee. Watch out for the next event by your local ASIS International Chapter with a similar function being played in NSW, Victoria, Queensland and the ACT. Visit www.asisaustralia.org.au for more information.

Contributors - Garrhett Thomas and Chris Cubbage

Looking to the future: AISA adopts world class association software

A long-awaited software solution is arriving at the Australian Information Security Association (AISA). The move to an out-of-the-box software solution, expected to launch mid-2016, will free-up time consuming processes and help improve engagement with members. The new association software from Advanced Solutions International (ASI) allows AISA to manage member data, website, events, conferences, email communications and social communities in one centralised system. This system aims to eliminate data silos and enables continuous performance improvement. It will expand and grow with AISA.

Members can expect an overhaul of the way conferences and events are presented on the AISA website along with improvements in website functionality that will enable AISA to better serve its members. The new responsive design will facilitate optimal viewing making it possible for users to interact with the website from any web browser anytime, anywhere, from any device. AISA will be inviting its members to perform User Acceptance Testing (UAT) from mid-May. If you are interested in getting involved please send an email to website@aisa.org.au.

Australian Security Industry, with the Australian Security Magazine to support the OSPAs

After a successful inaugural Australian OSPAs in 2015, the 2016 Australian Security Industry Awards for Excellence will be held at The Westin Hotel, Martin Place (Sydney) on Thursday 20th October 2016. For 2016, a new list of categories has been announced to fit the Australian security industry. These are:

• Outstanding in house security team
• Outstanding in house security manager
• Outstanding contract security company (guarding)
• Outstanding security consultant
• Outstanding security training initiative
• Outstanding security partnership
• Outstanding investigator
• Outstanding police / law enforcement initiative
• Outstanding risk management solution
• Outstanding cyber security initiative
• Outstanding female security professional

Entries for the 2016 Australian OSPAs open on 8th April. Each category has two questions (500 words in length) and anyone working in the Australian security sector can enter. You don’t have to be a member of an organisation or association to do so. The main criterion for entry is that you can show that you or your company have performed at an exceptional level. You are also permitted to enter more than one award category. A nomination fee of $95.00 (incl GST) per nomination per category is payable when you submit your entry. To read category descriptions in depth and what we ask of applicants, please visit the categories page.

Merger of the ACSP and SPR-A into SPA

During 2015 the Security Professional Registry of Australasia (“SPR-A”) and the Australian Council of Security Professionals (“the Council”) merged to form the Security Professionals Australasia Ltd (“SPA”). In this merger, the Council has ceased to exist as a separate organisation, having been entirely absorbed into the SPA. The SPR-A has also been absorbed into the SPA, but has kept a separate and independent identity. This ‘independence’ is essential as the Registry and its processes must be independent of the SPA, particularly in relation to decisions about registration and the setting of competencies. The SPA Ltd was established in February 2015 and the SPA held its first AGM in November. In the interim, a new Constitution for the SPA had to be drafted as well as documents for the transfer of assets. The Constitution was adopted at the AGM and an interim SPA Board comprising Jason Brown, Alex Webling, Matthew Curtis and Steve Mark AM was confirmed. For more information visit www.securityprofessionals.org.au


Quick Q & A with Jason Legge

Head of Security Consulting APAC, at Huntsman Security

Huntsman Security’s Cyber Security Platform has built its reputation on its ability to monitor and combat defence-grade cyber attacks. This proven technology is deployed in some of the most secure and sensitive environments around the world. Jason Legge has been with Huntsman since 2013. His role is to help customers get the most out of the Huntsman platform. Jason is passionate about cyber risk reduction, and believes recent advances, which slash the time from threat detection to resolution, have started to tilt the balance in favour of the ‘good guys’.

How did you get into the security industry?

After graduating in electrical and electronic engineering, I worked in a consultancy role in the procurement of IT and telecommunications systems. I then joined Siemens, working in ICN, mainly with computer networks and fibre optics. After some time designing computer systems, I undertook several cyber security roles within the UK Government, before finally moving into a high-level security role. Along the way, I boosted my security expertise with courses like the Certified Ethical Hacker and International Information Systems Security Certification, which taught me strategies to monitor and stop attacks.

How did your current position come about?

I used Huntsman technology extensively for about seven years while I was with the UK Government. Its speed and accuracy really helped support our security objectives, and the technology delivered exactly what it promised. So when the opportunity came up to work with Huntsman, I jumped at the chance.

What do you like about your job?

I like the challenge the security industry presents. It’s ever-changing, so you have to constantly adapt and learn. It’s impossible to know everything and that’s why technology that you can rely on is an important part of any cyber resilience program. I get a sense of achievement when I can hunt, investigate and resolve a suspicious threat. My role with Huntsman allows me to make a real difference, which is very rewarding.

What are the biggest challenges facing the industry?

The obvious challenge for us, and the businesses that rely on us, is the increasing scale and number of cyber attacks – today every business, whether they know it or not, is under attack from outsiders trying to steal valuable information. The problem is that there are not enough security specialists in the industry to cope with this rising level of attacks. And you can’t just rely on every shiny new toy to solve your security issues. Effective security involves design and discipline – it requires the correct balance of technology, people and processes for the best outcome.

What are the biggest changes you’ve seen?

Perspective and context is paramount in any form of security. As a result there has been a flood of vendors providing valuable threat information to support analysts in their pursuit of resolving threats that matter. However, dealing with this manually is an overwhelming and endless task. The result is that businesses are increasingly exposed to risk for unacceptably long periods. Automation of this verification process is now emerging using technologies such as the Huntsman platform. These technologies use high-speed machine-based learning to manage routine threat investigation and verification, which allows analysts to hunt and investigate only the threats that matter.

Another big change has been in the executive suite where there has been a significant increase in interest levels in cyber security. It’s no longer seen as just a tech or IT issue, but an ever-present business risk that can threaten any organisation, and must be managed.

Where do you see the industry heading?

I believe we need more collaboration – by means of sharing contextual information within trusted environments – between governments and security providers, as well as companies themselves. What’s a threat in the finance industry one day could well be a risk in the critical infrastructure industry tomorrow.

What do you do when you’re not working?

I love playing competitive sport. My main activities are cycling and field hockey, which I try to squeeze in around work and spending valuable time with my family.

jlegge@huntsmansecurity.com




International

Uniting through oceans

B By Sarosh Bana Correspondent

8 | Australian Security Magazine

olstered by its mighty surface, undersea and aerial capabilities, India’s blue water navy staged a spectacular maritime pageant off the eastern seaboard as it hosted its International Fleet Review (IFR) 2016 that was stunning in scale and turnout. Fifty countries ranging from the United States, United Kingdom, Germany, France, China, Russia, Australia and Japan to Iran, Israel, Mauritius, Myanmar, Somalia and even landlocked Turkmenistan participated in this landmark event that was held by the Indian Navy at the port city and Eastern Naval Command (ENC) base of Visakhapatnam from 4 to 8 February 2016. Twenty-four foreign warships and 75 of the Indian Navy, including three submarines, as also two ships from the Indian Coast Guard (CG) and three from mercantile marine, were at anchorage in six columns for review by President Pranab Mukherjee, who is also Supreme Commander of India’s armed forces. In attendance were Prime Minister Narendra Modi, Defence Minister Manohar Parrikar, and the state Governor and Chief Minister. So were 22 navy chiefs, including the host Chief of the Naval Staff (CNS), Admiral Rabindra Kumar “Robin” Dhowan, as also 27 heads of delegations, apart from over 4,000 international naval officers and men. The review concluded with a fly-past by the Naval Air Arm and a daring display by Marine Commandos (Marcos). The fly-past by 15 formations of 45 aircraft, including two CG formations, showcased the latest acquisitions of the Indian Navy such

as the Russian-built MiG 29K and AEW helicopter Ka31, and the U.S.-made Long Range Maritime Reconnaissance aircraft P8I. “The sheer number of navies represented from across the globe is an endorsement and recognition of India’s emerging status as a major naval power,” said Dhowan. “The event allows the host nation an occasion to display its maritime capabilities and the ‘bridges of friendship’ and trust it has built with other maritime nations.” As fulfillment of its assigned military, diplomatic, constabulary and benign roles, the Indian Navy regularly conducts joint exercises with other navies at their shores or in Indian waters, embarks ships on goodwill missions that call on navies internationally, and lends ships for peacekeeping and anti-piracy operations from the Horn of Africa to the Malacca Straits. Indian warships have besides assisted in evacuating the embattled from the war zones of Yemen (Operation Rahat in 2015), Libya (Operation Safe Homecoming in 2011), Lebanon (Operation Sukoon in 2006), and the Maldives (Operation Cactus in 1988), apart from moving out victims of national disasters as the Gujarat earthquake in 2001 and the tsunami at the eastern coast in 2004. The country has also gifted or sold several warships, new and used, and occasionally also maritime patrol aircraft, to smaller nations such as the Maldives, Seychelles, Mauritius, Vietnam, Sri Lanka and Bangladesh. India’s vast coastline of 7,615 km abuts onto the Arabian Sea, Bay of Bengal and the Indian Ocean, and


International one of its island enclaves, Andaman & Nicobar, is closer to Myanmar and Thailand than to the Indian mainland. With 66 per cent of global oil, 50 per cent of global container traffic and 33 per cent of global cargo trade passing through the Indian Ocean Region (IOR), that stretches from the Persian Gulf to the west to the Malacca Straits in the east, the India Navy has a vital responsibility in ensuring the safety and security in keeping sea lines open to global maritime movement. Noting that navies the world over conduct fleet reviews to symbolise their loyalty and allegiance to the nation, and to strengthen bonds between sailors and the state, President Mukherjee said IFR 2016 did all this and more. Addressing the Fleet during the Review, he observed that IFR 2016, while showcasing the prowess of the Indian Navy, had brought together navies from across the globe to Indian shores, underlining a common desire to use the seas to promote peace, cooperation and friendship, as also to develop partnerships for a secure maritime future. Of the 27 visiting heads of navy was Australia’s Vice Admiral Tim Barrett, who led his sizeable contingent that had steamed in on HMAS Darwin. The 4,200 tonne long-range escort frigate’s roles include area air defence, anti-submarine warfare, surveillance, reconnaissance and interdiction. “The Indian Navy and Royal Australian Navy have a proud history of partnership and this cooperation continues to grow and includes trips by Indian Navy ships to Australia, joint membership in the Indian Ocean Naval Symposium and recent Royal Australian Navy participation in exercises with the Eastern Fleet,” said Commander Phillip Henry, Darwin’s commanding officer. “Events like this IFR help foster understanding and mutual support.” Darwin’s crew was visibly impressed to see the vast array of warships anchored in formation off the Visakhapatnam coast as it sailed into the harbour. 
With their camaraderie, the crew and the naval band endeared themselves with the Indian crowds and audiences. Vice Admiral Barrett also met Prime Minister Modi during the event. HMAS Darwin was to sail onward to the Middle East after the IFR as part of Operation Manitou, Canberra’s contribution to the international effort to promote maritime security, stability and prosperity in the Middle East. It will relieve sister ship HMAS Melbourne, which completed her rotation and was returning to her home port of Sydney. IFR 2016 was only the second international review ever conducted in India, the first having been organised by the WNC in Mumbai in February 2001 in the presence of then President, K.R. Narayanan. It had elicited a turnout of 29 foreign and 60 Indian warships. There have besides been nine Presidential Fleet Reviews since India’s Independence in 1947, the first such having been held in 1953 and the last, in 2011. By their nomenclature, these have been national rather than international exercises. ‘United through Oceans’ was the motto and underlying theme of the IFR, signifying that while the world was divided by geography, it was unified by the seas. There was repeated emphasis that oceans were the great blue ‘commons’ that not only linked the global community, but granted it unfettered access. “IFR 2016 has enabled us to join hands and work together to secure our seas for the

"India’s vast coastline of 7,615 km abuts onto the Arabian Sea, Bay of Bengal and the Indian Ocean, and one of its island enclaves, Andaman & Nicobar, is closer to Myanmar and Thailand than to the Indian mainland. With 66 per cent of global oil, 50 per cent of global container traffic and 33 per cent of global cargo trade passing through the Indian Ocean Region"

greater good of humanity and the world,” the President maintained. This need was reiterated by speakers at the concurrent two-day International Maritime Conference, on the theme Partnering together for a secure maritime future. There were concerns over sea-borne terrorism, piracy, smuggling of arms and drugs, and immigrants, across the seas, and the security challenges in the East and South China Seas where China has maritime disputes with many of its neighbours in the littoral. In his presentation, Prof. Ye Hailin of Beijing’s Chinese Academy of Social Sciences, saw this “dispute” escalating as competitive issues got emphasised instead of cooperative solutions. “It is argued that given the overlap among the actions and policies of parties, the situation in the SCS [South China Sea] may deteriorate with the possible risk of serious conflict due to collision of differing interests,” he warned. The return of Asia-Pacific to the centre of world affairs is the great power shift of the 21st century. With this economically integrated region traversed by half the world’s commercial shipping worth $5 trillion of trade a year, the participating navies deemed it imperative to secure the regional Sea Lines of Communication (SLOC) that are critical to the survival of the entire Asia-Pacific community. The Indian Navy is mindful of Washington’s keenness to check Beijing’s growing maritime assertion and its looking to India as the power that can tilt the strategic balance. Ultimately, all three countries will define the strategic nature of maritime influence. India has emerged as the regional superpower and views the IOR, which it dominates, as its theatre of influence, just as China is seeking a similar role in the Western Pacific. Though India has no disputes in the IOR, its navy already maintains a stronger force, on conventional warfare, than Russia, France or the UK, and is poised to emerge as the third strongest, after the US and

Australian Security Magazine | 9


National

China, in the coming years. It is in this context that IFR 2016 gained importance, with 50 nations joining it in an acknowledgment of India’s emergence as a maritime power, and by extension, its role and importance in international geo-politics. Apart from a vast fleet that includes two aircraft carriers, 10 destroyers, 15 frigates, one nuclear-propelled submarine and eight dieselelectric submarines, the Indian Navy has 41 ships on order from Indian yards at a combined cost of Rs1,08,761 crore (about $16 billion). It is again in this context that India and the U.S. are exploring the joint development of India’s next-generation aircraft carrier that will have combat capabilities superior to its Chinese counterparts’. The visiting Chief of U.S. Naval Operations, Adm. John Richardson, said talks on this, potentially the biggest military collaboration between the two countries, were progressing well and ranged from its design to construction. The joint working group on the project is meeting in New Delhi later in February to take this forward. “Today, U.S.-India defence ties are strong and continue to grow stronger with each passing engagement,” said Richardson. “We are two countries with similar values democratic governments, civilian control of the military and all volunteer forces, and there is much that binds our nations and navies together.” Representing the U.S. Navy at the IFR were the Ticonderoga Class guided missile cruiser, USS Antietam, and the Arleigh Burke Class guided missile destroyer, USS McCampbell. “A central line of effort is to expand and strengthen our network of partners and the visit to India and interactions with Indian and other navy leaders help deepen relationships and expand shared maritime interests,” Richardson remarked. 
“We value like-minded partner countries like India, as a close, continuing and expanding partnership is important for security and stability in Asia and for effectively managing Indian Ocean security in the 21st century.” Lt Cdr T. Öwezgulyýew, Vice Chief of the Turkmenistan Naval Staff, said his landlocked navy, essentially a compact flotilla of patrol boats, safeguards its waters in the Caspian Sea, which is variously classed as the world’s largest lake or a full-fledged sea. A landlocked navy is one operated by a country bereft of a coastline. The Caspian states are Turkmenistan, Azerbaijan, Russia, Kazakhstan and Iran, and in 1993 the former Soviet Union’s Caspian Sea Flotilla was divided among the first four states. The Caspian states have to deal with the challenges of drug smuggling (the ‘sea’ having become a transit route for narcotics coming from Afghanistan), human trafficking, cross-border crime, extremism and terrorism. All this is confounded by the fact that maritime borders are not yet settled between them and they have differing views on how ownership should be divided. Struck by the maritime power of the Indian Navy, Öwezgulyýew said bilateral partnership will need to be heightened, with construction launched last December on the TAPI pipeline running 1,814 km from Turkmenistan through Afghanistan and Pakistan all the way to Fazilka in Punjab, India. This route, especially through Afghanistan and Balochistan in Pakistan, is fraught with peril. Militant groups like the Taliban and Islamic Movement of Uzbekistan had briefly captured villages on Turkmenistan’s borders in 2015. The pipeline, estimated to cost $10 billion and to be functional by 2019, will carry 33 billion cu m of gas from southern Turkmenistan.

In Indian fleet reviews, the President’s yacht steams past an impressive array of ships of both the Indian and merchant navies and the Coast Guard, while reviews held by some other navies have ships sailing past the reviewing yacht or ship. The Royal Navy, from whom the Indian Navy has inherited much of its customs, dates its first Review to 1415 when Henry V – King of England from 1413 to 1422 – inspected his fleet before embarking for war with France. It was also an occasion, perhaps the only one, when the ruler or sovereign appeared before the sailors as a symbol of his country to strengthen the bond between Lord and subject. A fleet review is a long-standing tradition followed by various navies and is a grand occasion when every operational ship is spruced up, proudly displaying its crest and company. It was perhaps conceived as a show of naval might or an inspection of readiness for battle at sea, while later reviews were celebratory demonstrations for victories in battle, for a coronation or a royal visit. Reviews today entail parading of warships without any belligerent intentions. Indian Navy ships have often sailed across the seas to participate in fleet reviews of friendly nations. While India’s maritime traditions hark back to the Vedic times (1500 – 500 BC), its earliest recorded fleet review was in the 18th century by the powerful Maratha fleet off the Ratnagiri fort on the west coast.

A highlight of IFR 2016 was the Operational Demonstration and International City Parade at the Visakhapatnam waterfront in the presence of the Prime Minister. Several warships, submarines, aircraft and squads of Marcos displayed the multidimensional operational tasks of the various arms of the Indian Navy. The city parade had marching and military band contingents from the visiting navies and the three Indian services, replete with floats and dances. The parade was followed by illumination of ships and pyrotechnics, culminating in a light and sound show.


International


Counter-terrorism Feature

Image source - Takashi Images / Shutterstock.com

Preaching the destruction 2016 Brussels bombings

By Anooshe Mushtaq

The wedge between Muslim and non-Muslim citizens in Europe was driven even deeper on March 22nd when coordinated attacks in Belgium – claimed by Islamic State (IS) – killed at least 30 and wounded more than 230 people. IS’s intensifying sphere of influence is more evident than ever, with real implications for security in France, Belgium and the UK as the militant organisation expands its strongholds in the region. This phenomenon of terrorism and violence will continue to thrive for as long as we allow the divide between peoples to exist.

Planning for the Belgium attacks took up to six months and it is almost certain that IS has further atrocities in development. Some sources suggest that Spain and Italy are the next targets – but how, when and where is a dangerous riddle that Western governments will be trying to unravel with haste, as these latest attacks demonstrate the very real and present threat.

The heightened hostilities in Europe can be traced back to early 2015 when a series of satirical cartoons published by French newspaper Charlie Hebdo ridiculed the prophet of Islam, Muhammad, and stirred up emotions worldwide. Muslims regard this act as an unforgivable insult and it triggered many to break their silence on the Western world’s perceived mockery of their religion. Terrorist groups such as IS reacted quickly and called for violent retribution. This revenge came swiftly and heinously, when jihadists perpetrated a massacre at the offices of Charlie Hebdo on Wednesday 7 January 2015 which killed 12 people, most of them journalists. Despite calls for non-violent protest by many Muslims in France, the fire of hatred has never been extinguished.

Following the Charlie Hebdo attacks, the reputation of Muslims worldwide was tarnished and the terrorist label has been applied broadly to all who follow this religion. Now, a whole community is isolated and the jihadist thesis that ‘all Westerners are enemies’ is strengthened.

At the core of IS’s success is its ability to reach and influence people, primarily through the strategic recruitment of jihadists from western countries including Europe, the US and Australia. Its exploitation of social media to sell its propaganda is well-known. Yet, efforts to combat this tactic are relatively ineffective and often too little too late; a reaction to events rather than promotion of social cohesion on an ongoing basis. Basically, the frequency and volume of social media messages that espouse negative sentiment on the Muslim-West relationship seem to far outweigh the positive.

But it is not only through the virtual world that IS summons people to its violent cause. It also preys on vulnerable and destitute refugees fleeing to Europe. A large community of North African IS militants have migrated to France, Spain and Belgium using various routes. These groups continue to radicalise young Muslims through the promulgation of grossly misinterpreted Islamic teachings that are masked as truth. This strategy has enabled IS to establish more ‘dormant cells’ in the region, which can be enlivened to facilitate the kinds of planned and coordinated attacks we have witnessed in recent times.

IS recruitment primarily targets young people, usually European nationals, but also those who reside in other Western countries such as the US and Australia. The aim is twofold. First, it gives them access to European residents (France and Belgium) who may not yet be known to security organisations and can therefore lay the foundations for jihadist acts with relative anonymity. Secondly, it provides IS with intellectuals who can communicate in foreign languages and may hold degrees in electronics or engineering. The value of this human capital is impossible to overstate.

At present, IS’s strategic plan appears to be succeeding. An increasing number of young ‘jihadis’ (those who fight in the name of religion) from Africa and the West are successfully lured into joining this militant organisation. Continued recruitment of North African youth combined with expanding strongholds in the region has significant implications not only for regional security, but also for France, Belgium, and the UK, as these militant groups take control of more routes from Africa to Europe.

Time to take the threat seriously

The future for security appears bleak in Europe. Threats are hovering on the horizon and devastating attacks are to be anticipated. The mutual understanding between people that should link the two shores of the Mediterranean Sea has given way to hatred and animosity. This is the very sentiment that resulted in violence and caused enormous damage in Paris, and now Belgium and possibly other European countries next.

So is the response adequate? Many would argue that you can never do enough to quash this heinous crime. At the very least, the response should be proactive, strategic and multi-faceted. To achieve sustainable results it must focus on promoting a genuine, deep engagement between Muslim and non-Muslim members of the community – both domestically and internationally. Effectively leveraging social media to promote unity is one strategy that could have a real impact on IS’s capability and recruitment. Most importantly, we must not wait for another atrocity before we act. It is time to take the threat seriously.

Image source - CRM / Shutterstock.com



National

A new collective voice for the tax stamp industry

Juan Yañez of Thomas Greg & Sons de Colombia, newly appointed Chair of the International Tax Stamp Association (ITSA), explains the role and responsibilities of the newly created organisation.

By Juan Yañez, Chair of the International Tax Stamp Association

Over recent years a range of fiscal, socio-economic and anti-counterfeiting factors have led to the proliferation of excise tax stamp programmes around the world. The focus of these efforts has been the development and deployment of innovative tax stamp technologies and systems capable of increasing government revenues and, at the same time in many cases, providing effective barriers to counterfeit products and illicit trade.

In many respects tax stamps have a unique role. Their original and primary role remains as an excise security issued by the government, treasury or finance ministry of a country or state to confirm that duty on ‘excisable’ goods has been paid by the manufacturer and/or consumer. However, the modern tax stamp is also being increasingly used to curb illegal trade in products for which an excise duty is payable, thereby helping to avoid money laundering. It does this by incorporating ‘track and trace’ elements and by providing a mark of verification or authenticity, not only to demonstrate that the product itself is genuine but also that the trade channels used in its distribution are legitimate. Also, by being positioned over the opening of a tobacco package or alcohol bottle, tax stamps can act as an anti-tampering/anti-reuse seal.

A global industry

Among this myriad of roles and applications for tax stamps, the global challenges are continually growing. For example, the deteriorating global economic environment means that the effective enforcement of excise duty rules to maximise the recovery of tax revenues has become critical for governments to enable them to finance national spending plans. At the same time, the introduction of a global marketplace and international brands has encouraged counterfeiting to become one of the fastest growing economic crimes of modern times. High value goods on which excise duties should be paid are a particular target, with the ever increasing illicit trade in tobacco and wines and spirits costing manufacturers and national treasuries huge sums of lost revenue each year.

Of course excise duties on some products are high in part because, as well as raising tax revenues, governments have wanted to discourage smoking, drinking and driving. It follows that illicit trade in these products not only deprives governments of tax revenues, but can also have an impact on important public health issues.

In the face of such challenges, the tax stamp sector is continuously evolving. Over 250 revenue agencies at both national and state levels now use tax stamps as their method of collecting excise duty, with a combined requirement for over 140 billion stamps annually. As the applications for excise taxes have grown, so has the value of the stamps representing them, and this, in turn, has made it more worthwhile for criminals to produce counterfeit stamps for the purpose of disguising illicit, untaxed product. As a result, tax stamps need to be secure enough to combat the criminals who try to smuggle, counterfeit, re-fill and otherwise find ways to avoid paying the taxes. This phenomenon has led to the need for stamps to carry robust, visible security features – much like those on a banknote – to distinguish them from fake stamps.

Another driver of the evolution in tax stamps involves the breakthroughs in data processing capabilities and mobile communications, which have allowed products to be marked in-line during production with their own unique codes, recorded in a database. The codes may then be used to verify the product in remote locations and provide key data on source, destination and authenticity.

In response to these challenges a specialist industry has developed to supply tax stamps and this has led to the introduction of a variety of technologies and methods of issuance, as well as differences in tracking, control and collection processes. As the industry has grown and become more complex, we have now reached a stage where everyone involved – suppliers, product manufacturers, revenue agencies and enforcement organisations – would clearly benefit from a collective understanding and approach. In addition, everyone would benefit from the generic promotion of tax stamps through education, media and lobbying programmes – encouraging wider understanding and focusing in particular on the need for holistic solutions, be they based on physical or digital stamps. Overall there is therefore an obvious need for authoritative information on tax stamps to be more easily available and more readily communicated to those who need it.

A standard approach

This situation became particularly apparent with the formation of a new ISO Working Group to create a new standard for tax stamps. The normal vehicle for funding such working groups is via industry associations, which represent the collective view of their members. However, in the absence of such a body for the tax stamp association, at the first meeting to define the scope of the new standard, representation was provided by a number of individual tax stamp producers – something of an anomaly for standard-writing procedures which was pointed out at that meeting. This situation provided the catalyst for change within the industry and as a result, a number of producers at that initial meeting have taken the initiative to push ahead with creating a formal body to represent their views.

The International Tax Stamp Association (ITSA) has therefore been created to provide a broad advocacy role for the tax stamp sector. It will bring together and represent the industry producing tax stamps, but it will do this without differentiating between technologies and methods of issuance, control and collection. Currently comprising 15 leading companies in document and product authentication and traceability, the not-for-profit organisation is now formally open for membership from legally incorporated companies and businesses that supply tax stamp components and features, as well as finished tax stamps, equipment for stamp design, manufacture, application and authentication, and systems for coding and marking stamps.

Initially, with the development of a standard (ISO19998) for tax stamps already underway, the priority is for ITSA to engage and actively contribute to the drafting process. The standard itself will be a significant step for the sector and towards improving the overall quality of tax stamps in use and thus their effectiveness as a collection and criminal-fighting tool. By providing guidance on the content, security and issuance of tax stamps (whether physical or digital) it is intended to facilitate adoption of effective tax stamps by revenue agencies.

However, moving forward, the new trade association will also have a much broader role in helping to ensure a better understanding of the benefits of tax stamps and tax stamp technology, and to promote high professional standards through education, research and advocacy. In fulfilling this role it will also seek to develop and promote best practice by providing a collective voice for all those involved in the industry at a time when the sector faces some unique challenges.

Details at www.tax-stamps.org


National

By Tony Campbell

Australian Bureau of Statistics change in census 2016

I read with interest that the Australian Bureau of Statistics (ABS) are planning to retain all of the names and addresses collected from the forthcoming 2016 census. Given the depth to which the Australian census invades our personal lives, coupled with the uncommon frequency of this audit compared with other countries around the world, it raises the question as to how the government plans to protect such a useful hoard of information, given its potential value on the black market.

On reading the press release on ABS’s website that explains this change of policy, they say they have addressed all of the issues the general public have raised through public submissions and public testing. How was this conducted? Was this advertised well enough to get a real public opinion, or was it purposely kept low-key to engender the right responses from the tested minority?

Interestingly, the justification for change reads, “The Australian Bureau of Statistics has decided to retain names and addresses collected in the 2016 Census of Population and Housing in order to enable a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data.”

ABS provides two examples of the justification as to how retention of our names and addresses will assist them in meeting their research objectives:

• They will gain better insight into how educational pathways lead to employment
• Cross-referenced census data and health records improve the government’s ability to plan support for patients with mental health issues

I’m bemused. How does having our individual names and addresses linked to census responses allow the government to analyse national-scale outcomes, such as career pathways mapping to education? How can they change how they deal with mental health issues any better if the information can be tied back to an individual? Surely these are all national issues that can be addressed without having to link records back to individuals? The biggest question that needs to be asked is: what else could this corpus of information be used for by the government? Might it be used in national security matters? Is there anything stopping this database being made available to any department in government that needs it?

Privacy Impact Assessments

ABS seems to have followed due process in their decision to capture our Personally Identifiable Information (PII). They state that they conducted a privacy impact assessment (PIA), which looked at the risks of collecting, processing and using these records, along with the risk of data breaches and what the impact might mean to the individuals affected, which in this case has the potential to be more than 15 million Australian citizens.

When you undertake a PIA, you need to consider why this information might be targeted and who the threat actors might be that would be looking to steal it. This is essential so that you understand how much protection the database needs to be afforded, and if you can’t afford the level of protection in terms of security controls, then the risk needs to be accepted by someone in the agency who is accountable should the data be breached. The impact of the data being leaked is akin to what happened after last year’s attack on the US Office of Personnel Management (OPM), where the nation-state attack from China saw millions of personnel records stolen, allegedly by the Chinese government according to the FBI.

ABS says the following: “The Privacy Impact Assessment assessed the level of risk to personal privacy, considering the protections in place, as very low. The risks identified are mitigated by storing names and addresses separately from other Census data as well as separately from each other. The risks are further mitigated by governance and security arrangements the ABS already has in place.”

I suggest that 15 million census records, all of which are personally identifiable and linkable to healthcare records, irrespective of whether they are encrypted or not and behind the biggest, most modern firewall ABS can buy, is such a massive treasure trove of information for hackers, identity thieves, etc. that they will struggle to give it the protection it needs.

In security we use a term called aggregation of information to explain how datasets become more valuable (and hence riskier to lose) as they become bigger. In government security circles, this usually means the protective marking of the overall data set goes up as certain thresholds are reached, usually based on a risk assessment. If you look at the Australian Government’s Security Classification System, the SECRET security classification should be used when the following criteria are met: “When compromise of the confidentiality of information could be expected to cause serious damage to the National Interest, organisations or individuals.”

My closing question would be this: has the underlying security architecture, security technology, system configurations, staff vetting, security processes and audit controls within the ABS been implemented and assessed as being ready to handle a classified dataset? Have the security controls listed in the Australian Signals Directorate’s Information Security Manual been met prior to ABS collecting a classified dataset of 15 million PII records? What will ABS do to ensure that other government departments that request access to our data will also protect the data to the same level as ABS? Security is only as strong as the weakest link in the processes, so some additional assurance to the Australian public would certainly be welcomed.


National

Organisations that lack a security aware culture

By Tony Campbell

The cultivation of a security aware culture is vital to ensure successful cyber and information security. According to the PGI/Harvey Nash 2016 cyber security survey, 49% of respondents said that such a culture is lacking in their organisations. Nearly three quarters of senior information security professionals surveyed said that the creation of such a culture is a vital part of ensuring that an organisation has effective cyber security measures in place.

Without such a culture the threat posed by insiders rises greatly, mostly as a result of employee accidents such as opening harmful emails which download malware. The company itself will also be an easy target for hostile actors, with repercussions that could seriously harm the organisation both financially and in terms of reputation.

According to the survey, 54% of Chief Information Officers (CIO) and 48% of Chief Technology Officers (CTO) were classed as being ‘very well informed of risks’. In comparison, only 27% of Chief Executive Officers (CEO) and 25% of Chief Operating Officers (COO) were classed as well informed. The Board meanwhile was rated lowest for their risk awareness with just 17%. With nearly half of organisations lacking a cyber aware culture it appears that many are happy to talk the talk but not walk the walk when it comes to cyber security.

Ambition Outpaces Actuality in Developing Security Aware Cultures

The issue of creating a cyber security aware culture is the responsibility of an organisation’s leadership. If executives and the board are not willing to learn how or invest in creating a culture then it is almost certain that such a culture will not be made. The survey also reveals that Chief Information Security Officers (CISOs) are working hard to try and make sure that their superiors are aware of the risks.

It seems that a lack of knowledge and/or an unwillingness to spend cash on the creation of a security aware culture is the reason for such a high number of organisations lacking such a culture. 56% of the senior information security professionals that took part in the survey said that they were concerned that their organisation does not have an effective budget when it comes to information security and 37% of respondents said that the lack of budget threatens their ability to prepare for and respond to security incidents.

Over a third of the senior information security professionals that took part in the survey said that their organisation suffered a ‘business-affecting information security incident’ over the last year. 73% of respondents said that their organisation had experienced social engineering and phishing attempts. 53% reported a virus or malware outbreak. Almost a quarter experienced a DOS or DDOS attack. These figures highlight just how important having a cyber aware culture is.

The education of executives and board members is key if organisations are to create a cyber security aware culture and introduce an effective budget to tackle cyber threats. Educational courses such as PGI’s Executive Cyber Awareness Course teach leaders and managers of organisations to grasp the business critical issues of cyber security. By understanding what needs to be done to reduce risks, an organisation’s leadership can take appropriate and effective action.


Cyber Security

A culture of risk The best security system in the world can’t stop a risk-ignorant employee from jeopardising an organisation. The solution? Invest in your people.

T By Adeline Teoh Correspondent

he company decided to be tough on security. It installed a multi-million-dollar security system complete with all the widgets and appliances you’d expect of a high tech solution. On-site security staff patrolled and monitored the building 24/7. But one weekend the company was brought to its knees by an attack that lasted four hours. The culprit? A door left ajar by a well-meaning employee. It’s a tale ripped from a textbook on how security systems fail, but David Turner, Global Risk Management Speaker & Consultant, assures me it’s real. Only in retrospect, by looking at who came through the door, to whom they spoke and figuring out why they left the door ajar, could the client see that the system meant nothing without risk awareness in its staff. And it’s unfortunately common. “You can have the latest software but 85% of the time the problem will come from the person sitting behind that laptop, how they are inducted, how they are trained, how they understand risk and how they use it correctly,” says Turner. “We’re way too dependent on our systems and procedures when we should be looking at people first.” Documents aren’t enough Risk policies and procedures do not influence risk culture unless they are understood and put into practice. In other

18 | Australian Security Magazine

words, simply having those documents isn’t good enough, you need people to activate them. “A lot of companies have risk standards and procedures but people who are trying to deliver those, trying to put risk practices in place, still don’t get the basis of risk management,” Turner explains. “We have lots of technology and the same amount of breaches. Why? It’s still not getting through to Joe Bloggs on the ground. He doesn’t understand risk management and that is a risk in itself.” According to Turner, about 75% of procedures are never put into practice or used correctly. “That’s a massive amount of paper and information no one reads. The stuff they do read is quite laborious and they are not coached through it,” he says. He believes the most effective method of changing risk behaviour is the hands-on approach: workshops. “It enables people to see risk management in a fun, engaging, interesting way.” Workshops also allow staff to role-play different contingencies and contribute to the way the organisation assesses risk and handles issues. When staff have ownership of a risk process, they are more likely to practice good risk management of their own accord, which is far more powerful than having a manager yell at them for doing the wrong thing. “Do it a few times and you can see the risks decreasing quite rapidly. There’s huge amounts of value being added,” says Turner.


Cyber Security

“They need to keep tabs on any kind of change, any kind of new infrastructure, any kind of new training. The skill they need is basic risk management awareness and methods so they can start identifying risk properly. If companies did this, threats would come right down.” Achieving risk maturity Embedding a risk culture is difficult and requires a sustained effort to change existing behaviours. Rather than having a one-off training session, a regular workshop to strengthen staff practice and introduce new employees to the risk culture is more effective, much like how first aid courses require candidates to undertake a refresher course every few years to ensure knowledge and practice stay current. Turner says he has a practice of checking in with previous training clients to ensure they have not relapsed. “Half the organisations will say ‘it’s great’ or ‘it needs tweaking’. The other half will say ‘I don’t really know’. They fall back into that corporate culture of ticking the box and moving on. That’s a whole new form of risk.” He recommends risk-averse organisations hire a dedicated risk change manager. “They need to keep tabs on any kind of change, any kind of new infrastructure, any kind of new training. The skill they need is basic risk management awareness and methods so they can start identifying risk properly. If companies did this, threats would come right down.” Another practice Turner says he’d like to see is having risk culture introduced to new employees at induction. “For most people, induction is 45 minutes of someone saying how great the company is, then three questions. You made that culture. You didn’t show that you were serious about risk management and security.” And the benefits of a healthy risk culture go beyond preventing fraud and breaches, he points out. “Risk mature organisations start looking at the future, the threats and opportunities for growth. 
They are ten steps ahead.”

Andrew McGregor, CEO of professional services consultancy Cohesion in South Africa, says he uses change management techniques to ensure behavioural changes are sustainable. He recommends Prosci’s ADKAR® Model as a structured way to encourage the behavioural change needed to engage staff in risk management.

Changing risk behaviour

Risk management may not be a natural inclination for all staff, but you needn’t resort to a series of threats or bribes to implement a healthy risk culture in an organisation. There is a way to get people to change their behaviour and manage risk willingly.

McGregor understands ADKAR as:

Awareness: Before people change their behaviour, they must understand the need for change. Why should we adopt risk management? What would happen if we didn’t?

Desire: Having understood why change is necessary, people must develop the desire to own the change for themselves. Each person must see ‘What’s in it for me?’ in a way that inspires them.

Knowledge: When people are excited about adopting risk management, they will then be receptive to training. Be careful not to provide risk management training too soon.

Ability: Like most things, the ability to manage risk comes from doing it in practice. We need to use our risk management knowledge so that we develop the ability to apply it effectively.

Reinforcement: It is natural to slip back into the old way of doing things. One of the most common issues organisations face when undergoing a cultural change of this nature is dealing with the tendency to revert to previous behaviour.

“Behavioural change requires regular reinforcement,” McGregor emphasises. “We need to make sure people remain aware of the importance of managing risk, and maintain their motivation to do it themselves. If we can implement risk management well, we will realise the benefits of risk management faster.”

Special thanks to The Risk Doctor (risk-doctor.com) for providing support material.



Cyber Security

Effective communication skills By Mike Schuman

Effective communication skills are probably the most important attributes a cyber security professional or any senior leader can have: here’s why. I wrote this article to explain how ineffective communication can erode your credibility with the C-suite, and explain how a good communicator, who delivers succinct and accurate briefings to the executive, will command respect and engender belief in the security team. Let’s start with a situation…

THE INCIDENT

You’re the information security manager for a large corporation. It’s just turned 4 pm on Friday afternoon and you’ve taken your team to the pub for a well-earned beverage. Your mobile phone rings – it’s your service delivery manager – something’s happened at one of your major sites. Users are reporting issues accessing their files. You ask, “OK, so how is this a security issue? Have you spoken to the infrastructure manager?” The reply is the last thing you want to hear, “We thought it best to call you because the error message said, ‘Your personal files are encrypted.’” The message may have looked something like the dialog shown in Figure 1.

Figure 1: Typical Ransomware Dialog Box Demanding Ransom

You sigh, thinking to yourself, finally, it’s happened. You’ve been protesting for years that your organisation is vulnerable, but you now have a fully blown incident on your hands. What could you have done differently? Why wouldn’t they listen to your warnings? Are you now going to be able to say, “I told you so!”? It’s time to stop and take a deep breath. Could it be your own fault that you’ve been unsuccessful in getting your initiatives over the line? Let’s go back and take a look.

LOOKING BACK

For years, I’ve worked very closely with IT security professionals. At times, I have even walked in their shoes. Years ago, these dedicated crusaders didn’t get much airplay with the executive, since security was a backroom activity for the true geeks of the IT team. Some would say this is still the case today; however, security has always had somewhat of an antagonistic relationship, even confined within the IT organisation. Behaviours that permeated security teams at that time included:

• Empire building: The desire to build larger teams and add new security infrastructure (or take control of hardware from other teams)
• Chicken Little communications: Articulating scenarios in an emotive and inflammatory tone in order to win favour for big programs of work
• Power trip: Locking down access, authorisation without business engagement and treating assets as if they are wholly owned by the IT security team
• Crisis driven: Chasing the spread of viruses across the globe and focussing on where to attribute blame
• Drowning in policy: Creating ever more restrictive security policy, instead of looking at causal factors and security awareness

Over the years, I have seen IT Security business cases with no numbers and a great deal of inflammatory language designed to elicit emotional responses. That emotion is fear. In business, however, fear is not going to drive C-Level executives to knee-jerk decision making. Yes, I hear you… You are the subject matter expert! You know more than those silly execs! SO… why isn’t anyone listening to you?


RECIPE FOR SUCCESS

Fast forward a decade or so… the role and, in many cases, the philosophy of security professionals has matured. IT Security is now ever present and in the world of “Digital” buzzword bingo is referred to as Cybersecurity. However, changing the behaviour, mindset and skills of security professionals will take time. Today, more than ever, it is important that security professionals start to think, act and communicate strategically.

• Strategic thinking: Holistic view of the enterprise (closer relationship with enterprise architecture), instead of infrastructure-centric security
• Proactivity: The search for methods to provide event correlation and early anomaly detection instead of building fences (legacy perimeter thinking)
• English: Speaking plainly, in layman’s terms, is the easiest way to be heard by the executive
• Risk-based reporting: Risk aversion is out the window as there is no way to engineer it out; understand it and report in line with the enterprise risk reporting standard (if there isn’t an enterprise risk standard, spearhead its creation)

So how do you engage with the executive? What does the C-suite expect from you? Perhaps, once upon a time they would have wanted you to just get on with it, quietly defending the realm from the vicious script kiddies and phreakers without attracting too much attention to yourself. Today, however, things are very different. Your wish for prominence and relevance has come true, so you need to step up. If you’re still the legacy IT security professional, you will always struggle with the same issues I highlighted earlier. Here are some things you need to consider.

You need to write all of your briefings in Plain English. This is how executives want to receive communications about security (or anything for that matter), with a clear illustration of the risks to the business. You may not always get as clear a request as this:

“Okay, Danny, I need a no-B.S. assessment here. Can you get to the crash site?” ~ General Garrison in Blackhawk Down

Nevertheless, I guarantee this is how I prefer to receive my information. No sugar coating and certainly not drowning the message in irrelevant technical jargon.

You also need to absolutely incorporate all of the necessary Detail for me to make a decision, if a decision is what you need. I know, I said no technical jargon, so how do you do both? You must be clear on how you know what you know and, just as importantly, what you don’t know. Times, dates, people, machines, affected services, business impact etc. These are the kinds of things that leaders care about.

Use non-emotive language. This will get you further into the discussion. If you over-catastrophise everything you present, using terms such as “cyberwarfare”, “zero day” and “cataclysmic”, you will lose my attention and respect, since you’ve not considered priority and are attempting to frighten me into a decision that may not be best for the business with no hard evidence. This is not the way to craft formal business communications.

What’s the risk? Is the situation contained or controlled? Are there residual effects from the incident? Have we lost data? Without at least an initial risk assessment, you may as well be running a dairy farm and reporting that the barn door was left open overnight but not reporting whether you have any cows left.

Strategic thinking. You must provide assessments of the entire enterprise, explaining where we are exposed today and where we may be at risk tomorrow. Every attack vector is yours to evaluate and present to the leadership on its significance and priority, and in each case the evaluation needs to be from a business risk perspective. You must prioritise risk above technology, shiny objects and cool projects to present a well balanced case for investment.

TOUGH MUDDER

Being an Information Security Manager or Chief Information Security Officer (CISO) is not an easy job and, unfortunately, it’s meant to keep you up at night so the rest of us can sleep. To be an effective leader in security you must be:

• Thick skinned: To take the criticism that surely comes when something sneaks through
• Collaborative: To work with the stakeholders of all the disparate groups you must influence instead of control
• Courageous: To speak out and clearly articulate risk even when it’s not popular
• Big picture: To see the entire playing field as the CISO must think strategically about where to focus and invest resources

GET OUT THERE AND LEAD

You have to lead up and lead down (notice I didn’t say “manage”) and those are very different skills. You are probably very skilled at leading down. You came from there and can speak that language backwards and forwards, but up… well that requires a different language. Learn that language and use the suggestions I mapped out for you to form the structure of your communications. Learn what drives your organisation and speak to your executive in terms they understand. When you finally become a big-picture, plain-speaking, risk-aware, non-emotive security professional… then will you be heard.

About the author

For over two decades Mike Schuman has covered the breadth of IT roles and responsibilities. He has led enterprise level Strategic, Projects and Operational functions within large, multi-national corporations, government, startups and service providers. With this broad background, he clearly understands what it takes to enable business through technology from both sides of the negotiation table. As a mentor and coach for many C-Level executives, he provides guidance on everything from organisational change to technology. Mike is a change agent and pragmatic strategist.



CISCO FEATURE

Global solutions needed for a global community

Kevin Bloch, Chief Technology Officer, Cisco

…it’s global. It’s a global product, it’s a global solution, and that’s exactly the way we think, we can’t just look at developing for Australia. If we’re going to farm, we have got to farm intelligently. We’ve got to take this intellectual property that helps that farmer and take it global – we want to export that technology, as we export the food.

Everyone brings up the Israel example, but not unlike Australia, Israel literally had to scratch their economy out of the dirt. They have got young people that are soldiers that go on missions at a very young age in very dangerous places. As a country they are developing as being not risk averse and they are also very good at being mission focussed. Obviously, in Australia we go to the beach. I think, in Australia, we have to embrace the fact that we have to shift our culture. We have to take risks and can’t just keep digging dirt. We have to be smart, we have to get our kids into STEM. There are so many aspects of R&D programs but this starts with culture, and I think we have to shift to what is above the ground, as well as what is below the ground.

Session with a Cisco CTO and his partners…

I’m Kevin Bloch, Chief Technology Officer at Cisco, and let me introduce Professor Ian Gibson from the University of New South Wales and Paul Nichols from Curtin University in Perth, both of whom have been terrific in helping us get our act together, because before that we had a blank piece of paper. We also have Jonothan Gregory, Executive Director Business Operations – NSW Department of Primary Industries – this guy has been terrific. I’m not great at navigating my way through government, but I did blunder my way through the New South Wales government and it was hard, until I met Jono. He quickly got what we were trying to do and within four weeks, we were on the same page and about to move forward.

Kevin Bloch: Ian, if I can start with you, can you give us some background on UNSW and who you are, as well as what you feel about the partnership and why you are here?

Ian Gibson: The University of New South Wales (UNSW) is a big engineering school with approximately 60,000 students, 12,000 of which are in engineering, taught by 800 engineering staff. We are the biggest in Australia and ranked 21st in the world, so we comfortably consider ourselves a top-tier establishment. UNSW is well engaged with industry, sponsoring over 500 projects last year alone, so we play a massive role in the Australian innovation game. I don’t have a university background, or a teaching or research role, instead I facilitate and support the university and faculty in realising the impact of our technology and research. From experience, we’ve learned that we cannot do this by ourselves, hence our partnerships with industry. We’ve established a vibrant start-up community on campus, which helps us promote and support entrepreneurialism in our staff and students. Entrepreneurialism is engendered through strategic partnerships with companies, such as Cisco.

The university serves as a massive innovation engine, however, our Engineering Centre is quite unique, bringing together the best of research, the best of government and the best of start-ups seen through ATPI (@ATPInnovations), user groups, customer groups, all in the one place, without the bureaucracy, in small focussed groups, with a mandate of being agile to disrupt. You don’t see that very often. In hindsight, it makes so much sense to work this way and I fully expect to see others mimic this model in the future. That’s why it’s so special, because it does two things. Firstly, it provides a means to expose our staff, students and technologies to real customers with real problems, which is really important in a university environment. Secondly, it provides a pathway for innovators to gain access to our staff and students, something that we are already seeing, even though the centre was only launched three weeks ago.

We don’t even have a physical space yet but we already have a project underway and, as you’ll hear shortly, they have a security product they want to test. For this, we’ll be using students, since they are so very good at breaking things. UNSW usually wins the cyber hacking competitions, with teams coming 1st, 2nd, 3rd and 4th, so they are having a red hot crack at this product and after that, it should be able to survive just about anything.

Kevin Bloch: Jono, can you give us a heads-up about the Department of Primary Industries (DPIS)?

Jonothan Gregory: Thanks Kevin. It’s worth stating that DPIS is not here as a sponsor. We have approximately 900 scientists and have had this number for well over 100 years. Primarily, we are a scientific organisation, a regulator and policy maker. Our involvement in this initiative has two perspectives. Firstly, we have established ourselves as a proven innovation partner, with tremendous capacity, but in this case, moving into an area that we don’t have a capability in. The Internet of Things is obviously something very different to our traditional work, only encountered through little bits and pieces of project work. We have a quarter of a billion dollars’ worth of externally funded projects and with over 700 scientists involved, covering a complex and demanding scientific spectrum, running all the way from genetics through to landscape management.

The second thing is that the focus of our department is on economic development. This doesn’t mean that we don’t care about the environment, but our key driver is about building the economy. In DPIS, we have in total approximately 3200 staff, with a turnover of $1.3 billion, covering agriculture, bio-security and food security, water and water resources. We also cover crown lands, where we physically manage 42% of the state, and we also look after science, innovation and fisheries. If it swims, walks or grows in the ground, we’re interested. If it’s wildlife gaining access to water, land, food or soil, a ruminant or crop, or something that’s happening within an intensive space inside a city, again, we are interested.

We want to be involved with partners. We already work with most of the universities and we certainly work with CSIRO and Data61, because we have around 150 years of data. We have lots of people doing really clever things, but at the end of the day, we are the government. We are here to enable things, not do things; we are not the ones to ultimately benefit from this, instead, our job is to take the benefits of the data that’s been collected and connect it to people. We’ll then work to enable the people to make NSW and ultimately Australia a smarter and more successful economy.
All that sounds nice, and very smooth, but underneath, it’s a lot of hard work, especially in this Internet space. These kinds of opportunities provide focus. They provide access to entrepreneurs, as well as the opportunity to bring multiple public data sets together to leverage them. We talk about 4D4ME (Four Dimensions for Me ‘i.e. end user/consumer’), the opportunity for individuals to work in four dimensions, 3D plus time, through a 4ME interface: What do I want? What happens if? Can I do this? What if I do this here, will it happen there? And that is a unique change, as Kevin talked about, in human experience, where the average person is able to do that. It may be a super computer in the background, but I don’t have to know that – I’m using a personal device. There may be sensors in the ground that I’m oblivious to. I just want to make a decision, which I now can because I have the ability to visualise four dimensionally and add the two dimensions of my own personal view.

So that’s our vision and that’s why we’re involved. We do many things, but we are very excited about this opportunity because it is unique, bringing together parties that have a focussed intent, with something to say beyond the election cycle. Five years moves us across boundaries and into a space where I think we can get some real work done.

Kevin Bloch: Thanks Jono, that’s a great example of what government can do. Paul, over to you.

Paul Nichols: I’m the Director of Strategic Projects, Research and Development, at Curtin University in Perth. We have been heavily involved in a project called the Square Kilometre Array (‘SKA’), which is driving a lot of innovation in both Western Australia and Australia more broadly. It’s attracting the attention of computational scientists and data scientists from all around the world and it’s increasing the interest in areas where we’re taking the smarts these guys are working on from up in the sky and applying them to the ground. The downturn in the economy is driving companies like Woodside to our centre in Perth, to try and improve their efficiency, as well as looking for ways to digitally disrupt their markets in the future. We have the Institute of Computation in Western Australia applying these capabilities and trying to connect them up to industries.

We’ve been on this journey with Cisco for a number of years, through the SKA. Nationally, there is an SKA industry consortium that has been very keen to see how they can benefit from these investments around the country and, with Cisco investing, we’ve been able to do that. So, what we now have is an Innovation Centre sitting in Perth, where we have a number of verticals where we think there’s expertise in Western Australia, not only in researchers but in the SME environment and we’re now trying to connect them to bigger companies to innovate. The challenge we see in these groups, is that the pace of innovation needs to be accelerated. For a long time, companies have invested in research, and, while there is still a demand for research, in this age of digital disruption, innovation needs to happen a lot faster. The creation of these start-up environments for our SMEs and innovators to work alongside big companies is actually critical to our national success.

Kevin Bloch: Woodside is an example of one of those companies, generating around 288 million records per day.

Paul Nichols: Woodside has 40 years’ worth of data sitting in a data bank and they want to know what they can do with it. We look through it and see what patterns existed previously and this will allow us to inform the business as to what they can do to improve their performance and work out how they develop new ways of operating. We’ve had mining companies knocking on our doors wanting similar things, with remote operations centres, where they want to take people out of those environments and start to look at how they can improve the performance of those businesses. For us, the challenge is, how do we bring those groups together and how do we let them use the centre? We have been trialling this for the last six months and we are now seeing companies like Horizon Power, who have huge volumes of data, asking how they can use that data to improve efficiency. This is a safe way for them to come in and use their data in a safe way and, very quickly, innovate or, if it doesn’t work, throw it out and move on to the next thing without costing them a lot of money.

Introducing the paper! Why research and ideas matter

Mark said to me, “take a look at this paper,” which I read, and it blew us away. When Mike, the General Manager of our Innovation Centres, and myself took a look at a paper Slav wrote some time ago. It nailed it in terms of what is happening on the technical side of connecting things, like lights. There are some serious technology limitations with, for example 3, 4 and 5G. There are some serious technology limitations in terms of power and performance. This paper went through each of those issues logically and methodically to the point that says, now we understand the problem… this guy has come up with a solution. I would now like to introduce you to Slav.

Slav Zinger: My name is Slav Zinger, Chief Technology Officer of Minion Networks. We are a start-up that has developed a wireless software defined network, purposely built for mobile IT to enable those 50 billion devices to actually be connected. To do this, we had to address and develop key requirements for IT. One is, in terms of security, from the device all the way back to the cloud. Unlimited number of hops… large scale mesh network, very low-cost entry to the market, because we believe that it will only be economical to have 50 billion devices if you can drive the cost of connectedness down to less than a dollar. The key point is that the whole network management and network intelligence is done in the cloud, which allows us to have all these small and varying devices. The other aspect is they have a long battery life and are very power efficient, which is crucial because many of those 50 billion devices are battery powered, and it’s all about being able to stick a device on a wall or on a tree and forget about it for several years.

The second point is Cisco’s validation of us actually delivering what we promise to deliver and validating that we’ve got the scale to distribute across an advanced network. The third reason is that it opens up opportunities for us to really collaborate because we believe that what we do will enable many applications. As a startup we need to focus on what we do really well, and that’s just the wireless bit. Being in the Innovation Centre has opened up projects such as smart city, agriculture and maybe more.



CISCO FEATURE

Interview with John N. Stewart, Senior Vice President and Chief Security and Trust Officer at Cisco, and Executive Sponsor for Cisco in Australia.

Executive Editor (EE): John, can I start by asking about your role as Executive Sponsor for Cisco in Australia and how you came to be a champion for the Australian market back at Cisco headquarters?

John Stewart: I’ve had the good fortune to have spent a lot of time in Australia over the last 20 years, predominately in my role at Cisco. I’m very passionate about Australia as it’s a country very similar to the United States both as an ally and in terms of global issues. Furthermore, it’s a strategic market for Cisco’s success for both revenue and innovation. Cisco now has a significant workforce down here and because I’m working closely with the Australian defence industry and I have the opportunity to deal directly with the Prime Minister and Cabinet (PM&C) office and sit on the defence review board as one of only two non-Australians representing national strategy.

EE: How did you find the Prime Minister’s advisory council and that process?

John Stewart: It was good, but got a bit confused when the Prime Minister switched from Tony Abbott to Malcolm Turnbull right in the middle of our work. This certainly set us back a bit while the new prime minister settled in to deal with the priority issues facing the country. From a collaboration standpoint, there was plenty of input and we were submitting dozens of pages of considerations back to PM&C, highlighting the need for government, education and the commercial sector to work together to address some of the country’s more strategic issues. Innovation centres in Perth and Sydney are examples of these, where government, education institutions and the private sector are collaborating.

EE: Cisco has reported that it’s detecting 20 billion attacks across its customer base every day and resolving somewhere between 99.2% to 99.9% of those attacks. I am interested in how many APTs are targeting Cisco systems on a daily basis?

John Stewart: I think APTs often get mixed up with malware and vice versa. With APTs, the focus is more about who the actor is, but I only care a little about the threat actor as I’m more concerned with what they are trying to do. We’ve had very unsophisticated threats that aren’t really radical APTs, which could potentially be just as damaging if they broke loose as a truly advanced one. I think more about the threat, its impact and how we get resilient against it. I would rather focus on how fast we detect it and what we can do to stop it as quickly as possible. We should be spending energy on making sure that we can detect 99.999999 of the attacks that come in and that even if it gets through all the lines of defence, we’ve detected it within 36 to 24 hours. This is industry leading, especially for a company protecting itself. We are continually trying to improve these timeframes and our aim is to reduce these down from 12 to 6, then 6 to 3, and finally down to 1. Once we get down to dealing with all attacks within minutes, we’ll have solved it.

EE: In terms of understanding “Zero Day” threats, it’s taking between 100 to 200 days to detect?

John Stewart: Yes, for most businesses the average is 130 days.

EE: And for Cisco customers? Are you bringing that down into hours?

John Stewart: Yes. By October last year, we managed to achieve detection times of 36 hours. The total telemetry we are collecting from malware analysis during every single hour of every single day, along with the total amount of DNS traffic we are analysing, excluding the DNS, is now down to 36 hours for full protection.

EE: That’s pretty impressive. Obviously, following that trend, you’ll soon be getting down to almost real time detection.

John Stewart: We can hope. Cisco is always going to be pushing at the edge of this. It was 48 hours in June. We got it to 36 hours in October, and now we are pushing very hard to get it down to less than 10 hours. There is still a defensibility. We want to make sure we are accurate when reporting this kind of data, so, despite all our hard work, we are going to play it conservatively and it might only achieve 20 or 25 hours in the short term, but rest assured, what our customers and our business need, as a subscriber to our own capability, is to have these detections down to minutes.

EE: I attended a Talos presentation earlier today which detailed how a ransomware group made over US$34M in 2015 - tell me what you are doing to tackle ransomware?

John Stewart: Ransomware, by its very nature, is a criminal activity about profit, motives, driven by a series of hacking teams using packaged software that get into your computer in some way and lock up your data and demand money to unlock it. Cisco’s policy has been extremely aggressive in detecting the teams that are developing ransomware, along with the infrastructures being used to deploy it. We’ve also invested a lot in protecting our own computer systems from ransomware and how to disrupt it before it activates so that you are in effect immunised before you get actually hit. What is obvious though are three things.

Number 1: If you have failed to patch your computer or mobile device, you are vulnerable to all types of attack, ransomware being just one. What steps do you take? Patch your computers. When systems report that updates are available, you need to update right away, don’t hold back.

Number 2: Social engineering techniques for gaining access to your computer are very effective. You might receive a link in an email attachment or you might go to a website which already has malware on it. This is what needs to be disrupted, maybe by your service provider, sometimes by a vendor and sometimes by the company you work for.

Number 3: If you get hit, there are only a couple of options. Firstly, many law enforcement agencies, along with vendors like ourselves, have devised ways to reverse ransomware and malware installations. We can also retrospectively detect it and remove it. However, there are still going to be times when there is no option but to engage law enforcement and hope they can help you regain your data.

EE: In Australia we have ACORN, the Australian Cybercrime Online Reporting Network, but we don’t have mandatory reporting yet. Are you pro mandatory reporting?


John Stewart: Kind of. All too often, when an organisation is forced to report a breach data, the theory is that the mandatory disclosure will help the affected party or the consumer most affected. However, as this is near real time and, of course, you now have knowledge of the data at an aggregate level and know how big the problem is, there are some consequences that can be counterproductive. You can have the best strategy, you can have the best approach, one that is truly effective, leading in its class, but if you get eviscerated as a result of reporting the breach, now you’re the victim, getting victimised as a result. That part has got to be calibrated since the purpose of mandatory reporting is not to further beat the company that was attacked, it’s supposed to be about making sure the consumer is aware and that shareholders are briefed that an issue has arisen. Doing it right should not turn what should be a positive approach into punitive behaviour against the company that was victimised.

EE: I like to think like a criminal, so I need to ask you, John, there are always going to be new capabilities for criminals, so how do we guard against these? Is this even considered at Cisco? Is there someone on your team red teaming new capabilities as they are discovered?

John Stewart: Absolutely. Cisco is taking a broad approach to security considerations. To us, security is more about a state of protection, a state of privacy, hardware and software assurance and validation to build security in the right way and operate it in the right way. It must not turn into a vulnerable part of the problem. Each and every system has to be designed as best as is currently possible and tested rigorously to determine if there are any weaknesses in the design. Since you think like a criminal, you know there is always going to be crime; this is not something that is going away. Crime has always been part of society, but how do you ensure it’s contained and eradicated? With new technologies, you can start identifying behavioural patterns of people movements. Cisco’s CMX is a really good platform for that, identifying data privacy concerns and movement concerns. The architecture has a whole series of protections designed in to it, built on the theory that the individuals walking around, who would voluntarily let the world know, “hey, I am here,” versus this happening automatically. That’s one of the big issues, data privacy and personal privacy, which is exactly why there is a chief privacy officer at Cisco. I hired her to consider these issues and help educate us all, making Cisco a class leading, industry leading company.

EE: Great answer. I have seen capabilities for law enforcement in using CMX (Connected Mobile Experiences), such as for parolees or registered sex offenders moving into ‘HyperLocation’ areas, such as Cities, Centres and Campuses. Have you seen any applications like that? You have been dealing with National Security, was there interest in the technology to track people who are under surveillance?

John Stewart: I don’t know of any examples of that myself, certainly not at this stage. The PM&C are talking about national policy over the next 10 years. This includes education cycles to prepare for the coming services-based economy in Australia. This year’s big focus is on education, overall country-level awareness, mandatory breach reporting and discussions in each of these topics and what the threats to Australia are from an electronic standpoint. There are use-cases when you build technology, such as the original focus in CMX around advertising and globalisation and how you get directed to the right thing for a particular situation. When you develop a technology, other use-cases arise, which include some of the ones you described in the question. I have been asked similar questions, in terms of the use-cases you fielded, but I know for a fact that any one of the examples you describe could be possible, and in all candour this is when you have to design security in, you have to design resiliency in, because what it’s built for might be turned into something else. You don’t want it to become the threat when it was supposed to be designed for something good.

EE: Beautiful, let’s stop it there, well done. Thank you so much John, it was great to meet you.

Delivering Visibility: Anthony Stitt, General Manager of Security Sales ANZ, Cisco

One of the areas we see organisations really struggling with is visibility, being able to detect the presence of threat actors within their environment. I think we have got to this point because of vulnerable software and because users don’t always do what they should do to protect themselves. Minor compromises happen and organisations seem to have a lack of visibility to see them and deal with them in a timely manner. It’s all about stopping a threat before it can get into the environment and exfiltrate data. So, you could broadly consider it as all part of the protective countermeasures an organisation has, but when we think about the threat continuum before, during and after an attack. Visibility can come from anywhere, it can come from the cloud, the endpoint or the network. We have the ability to turn on the visibility at any point, in fact, it’s one of Cisco’s key differentiators. We talk about “security everywhere” and the ability to turn on the visibility anywhere where a company needs to do business, whether it’s got a mobile, virtual or physical device or network.



CISCO FEATURE

Cisco announces Digital Network Architecture

Business innovation and customer experiences help to transform businesses in every industry. In an age where digitisation involves more than just reducing operational costs and increasing business capabilities, it requires a digital network that involves insight, while improving on customer experiences. The Cisco partner summit unveiled a new open, extensible and software driven digital network architecture, or DNA. This new network architecture will allow businesses to increase innovation, reduce cost and complexity and will also lower risk.

While enterprises have begun to address their own move to digitisation, there is an extensive amount of innovation and improvements to networking, which also includes software defined networking (SDN), network virtualisation, model-driven programming, overlay networks, open APIs, cloud management and business orchestration. Despite these promising innovations, overall adoption has been sluggish due to the complexity of previous network architectures and of consuming new products, which has prompted a new solution that will integrate the critical innovations in network architecture, while keeping the solution integrated and simple for consumers.

DNA will be predominantly software driven, but will also be integrated with hardware components, which is what makes this architecture valuable, according to Dave West, Vice President, Enterprise Networking Sales, Chief Technology Officer, Cisco, APJ: “DNA will complement Cisco’s data centre based application centric infrastructure (ACI) technology, by improving on the software strategy and policy approach. This scope includes from campus to branch, wired to wireless and core to edge strategy.” DNA will also be delivered within the Cisco ONE software family, which will allow for simplified software based licensing while also actively addressing investment protection and flexibility. There are five guiding principles that DNA is built upon, they include:

1. Virtualize everything: this principle seeks to give freedom to the organisation, the freedom to run services at any given time, independent of the underlying platform. This is not limited to physical components, but now includes virtual routers, virtualised services and virtualised firewall services, and is no longer limited to premise but now involves the cloud.
2. Designed for automation: DNA has a strong focus on simplicity, so automation is where the network architecture makes networks and services running on a network easy to deploy, manage and maintain. This is rewriting the approach to network management.
3. Pervasive analytics: to provide the insight needed for consumers to effectively understand the operation of the network. The focus is on speed and ways to make the network faster for consumers.
4. Service management: delivered from the cloud, the orchestration across the network is important and by enabling the agility of the cloud, the network can have the security and control of an on premise solution.
5. Open, extensible and programmable at every layer: through wide integration, Cisco and third party technology allows support for a rich ecosystem of network-enabled applications.

“The digital network is the platform for digital businesses,” according to Senior Vice President Rob Soderbery for Cisco’s products and solutions, who highlights the importance of DNA in the integration of virtualisation, automation, analytics, cloud and programmability.

To support the DNA architecture, Cisco has announced the increased capabilities of DNA, which include automation, cloud management and virtualisation. APIC-EM (Application Policy Infrastructure Controller Enterprise Module) is now available and meets enterprise scale and resiliency for the largest customers.
New services announced for the APIC-EM platform include Cisco plug and play, which removes the need for pre-configuration or truck roll-outs, especially for remote locations, which is known to be a costly exercise for the IT areas. Intelligent WAN Automation services will also provide increased WAN deployment flexibility; the services will improve the speed at which IT can configure and deploy a full service branch office. Intelligent WAN automation will automatically enable Cisco best practices through application prioritisation, path selection and quality of experience to improve user interaction.

Evolved IOS-XE is a network operating system which has been optimised for programmability, controller based automation and serviceability. This provides open model-driven APIs aimed towards third party application development to enable virtualisation from the physical infrastructure; it will support the Cisco Catalyst 3850/3650, ASR 1000 and ISR 4000 with scope to be improved and expanded across the enterprise network portfolio.

DNA cloud service management will provide CMX cloud, which will provide business insight and, based on location and presence information, will personalise user engagement using Cisco wireless infrastructure. Again, this is to aggregate customer behaviour while maintaining that focus on improving customer engagement.

Because DNA innovations can be employed on existing infrastructure, “it can move quickly and with minimum risk while offering maximum investment protection” according to CJ Singh, Chief Technology Officer. With this, “it has never been more important to have fantastic network architecture,” according to Jeff Reed, the Vice President of Cisco’s enterprise products team. DNA services allow for innovation using speed and open programmability through a variety of virtualised functions. It is aimed at the transition for customers into the digital business environment and is designed to connect employees, customers and technology.

Interview with Mike Burgess and Rachel Falk, Telstra

Executive Editor: You have announced Telstra is running a “Cyber Drill” within Telstra. Can you tell me how many staff are involved in this and a bit more about your expectations from the exercise?

Mike Burgess: Telstra has about 10,000 staff involved in the Cyber Drill currently out of our 37,000 staff in total. The 10,000 staff were selected at random, except for the members of the board who wanted to be fully included. We have two campaigns of 10,000 emails, a standard phishing email, like you would see every day, one from a fake branded company that the criminals can use and the other is from our own brand. The two campaigns are backed up with messages sent out to all staff prior to releasing the email, to make them aware that this is not to trap them, but to help and educate them and make them understand that they are the first line of defence in protecting our customers’ data and making our network secure. We have done the first wave of emails and we have looked at the results. We will then do the second wave of emails and look at the results, then take a step back and report our findings to the Audit Risk Committee of the board. Rachel Falk, who is my General Manager of Cyber Influence, myself and our team will work through the lessons learned and look at the feedback from staff. When the people involved receive the phishing email, they get taken to a landing page where they get educated on how to deal with dubious emails. They also get the opportunity to call our Cyber Security Operations Centre and whoever takes their call logs the feedback and collates all their data. The company that is helping us do this gives us the data to analyse and we can then decide what the best course of action is and how to proceed.

Executive Editor: I have not heard of the term ‘Cyber Drill’ before, can you tell me how you came up with the concept?

Mike Burgess: We came up with this idea, to make it as real as possible for our staff, just like when we have emergency evacuation drills. It’s all about training and educating our staff. This is the first time we have done this and I would argue that the criminals themselves actually allow us to educate our staff every day, and we watch that, but this is a concerted effort to do it better. Doing the Cyber Drill allows us to put in controls and measure their effectiveness and look at the psychology behind it.

Executive Editor: How do the staff involved in the phishing emails contact and alert you?

Mike Burgess: Telstra has a 24/7 Cyber Security Operations Centre Team who are able to handle all the calls raised by the staff involved. After the first email, we did have a good response and we coped really well, with people emailing our team, going online to alert us, as well as calling our team, so that’s been very effective. We have the results of our first email, but we aren’t going to share them at this stage, we will have to come back to you on that!

Executive Editor: I will definitely follow you up on that as I think it’s really worthwhile hearing how successful this has been. You have done your “5 knows” strategy. Are you looking at doing some sort of model for this Cyber Drill for other businesses to implement?

Rachel Falk: First and foremost we are the “test bed” and we have over 35,000 staff, so we are using this to establish where we need to concentrate our focus and when we have fine-tuned the process, we will look at a model for external sources. We need to look at more targeted areas of the business. The Cyber Drill is part of the “5 knows” of Cyber Security, which is absolutely embedded in everything we do at Telstra. It’s also about instilling into our staff that you don’t open a suspicious email, even if you are expecting it.

Executive Editor: Can you elaborate on how the Cyber Drill fits into the “5 Knows” of Cyber Security?

Mike Burgess: It is all about knowing the value of your data, so we use communication, like online chat rooms to push messages to our staff to engage them. At Telstra we use Microsoft Yammer internally and Rachel regularly does a yam jam.

Rachel Falk: We also record videos. We try anything to get the message out there to our staff, and look at other ways to be creative and educate them.


Behind the headlines

Multinational company hacked? Treat the media frenzy as a distraction to the real story of how to protect yourself against a potential security breach.

By Adeline Teoh, Correspondent

You have to feel a little sorry for Sony. It wasn’t too long ago that technology media held the multinational giant up as an example of how innovation could transform a company from a little electronics business to a multimedia empire. Today, technology media are more likely to hold Sony up as an example of what happens when a big company suffers a significant and embarrassing data breach. The problem is, for all the editorialising about North Korean hackers and emails that should never come to light, the public are complicit in the way the media reports these issues. “Every time a big data breach happens, everyone wants to go to the ‘whodunit?’ headline. It sells newspapers,” explains Mike Burgess, Chief Information Security Officer at Telstra, who believes the attribution headline is ultimately a distraction.

Lessons from Sony

So what actually happened to Sony, and moreover, what does it mean for your organisation? According to reports, attackers working for the North Korean government broke into the network as revenge for The Interview, a comedy Sony Pictures Entertainment made portraying Kim Jong-un as an assassination target. The attackers weren’t after specific kinds of data, but sought to disrupt the multinational. They had five months to learn all they could about the network topology and security features before discovery, when they had deleted files on more than half of Sony’s servers.

This is not uncommon. Notification data suggests it takes between 100 and 200 days between a breach and discovery. Organisations need to realise that better protection is not about perimeter control but about stepping up internal detection methods.

Burgess adds that a well-meaning employee had a spreadsheet with a description of every Sony Pictures server, username and password on it for reference. “On one level you can admire having all that information on a lovely little spreadsheet. On another level you think ‘captured on a spreadsheet? Unfortunate’.” It prompts the question you should ask yourself: do you know who has what information in your organisation? And how is that data protected?


As a result of the disruption, Sony employees lost personal data and the breach hit the payroll system, which meant salaries had to be manually processed and some staff were not paid on time. “Importantly, the company were unable to file their third-quarter financial results in Japan on time,” says Burgess. All this shows that cyber crime has real world consequences, he underlines. “Let’s face it, ‘cyber crime’ is just crime, ‘cyber espionage’ is just espionage and ‘hacktivism’ is just protest.” The difference is that the ‘cyber’ part heightens everything. “Connectivity and technology means these bad things and mistakes can happen at a pace, scale and reach that is unprecedented.”

A level-headed response

Burgess compares the press releases that accompanied the top 13 breaches of 2015 with the one his organisation, Telstra, had to issue when it discovered its new Pacnet acquisition had been compromised. Other companies used terms like ‘unprecedented’, ‘unparalleled’ and ‘undetectable by industry standard’; Telstra deliberately chose less extreme words. “Not once did we say ‘this was unprecedented’. We avoided all that language,” says Burgess. “We did not lose one customer as a result of that breach and we did not get crazy media because we didn’t come out and say crazy things. We certainly didn’t come out and cry victim.”

It is this tendency towards victimhood that Burgess dislikes most because it positions the organisation as passive when they should be taking active steps towards protecting their data. “Today it is a reasonable, foreseeable event that someone will attempt to hack into your organisation.”

Getting to know security

One mistake Burgess sees organisations make is sticking to compliance guidelines without thinking of a breach as a business risk. Telstra developed the ‘five knows’ of cybersecurity (see box) to help cement the concept in its business so that its security response could remain focused on results. “When you lose sight of what you’re trying to protect, you turn security into a tick and flick exercise and you haven’t generated an effective security outcome,” says Burgess. “It’s about making informed business decisions.”

Another mistake is forgetting that a security solution is a combination of people, process and technology. People are usually the first line of defence but very little effort goes into fortifying this segment. “Most hackers today are successful because they exploit human behaviour,” Burgess points out. As part of its security education, Telstra runs a cyber drill where 10,000 employees will receive a compromised email. “We told them this was coming, we’ve told them this is not about making them feel bad or embarrassed or trapping them. If we find there’s an individual not learning, then there’s a conversation we’ll need to have, but this is primarily about helping them understand they can help the organisation manage risk effectively.”

Lastly, security is about knowing what’s normal and what’s not. Burgess says his team uses analytical engines to characterise normal network behaviour and normal access to data. When something unusual pops up, a human will take a look to see if it’s a real problem. But you don’t even need a tool for this, he says. “If you’re a manager, you have to know your team. If they are disgruntled, you have to know that and pay attention to that. Think of Edward Snowden. I’d be confident they knew he was not a happy chappie long before he did what he did. Know your staff.”

Mike Burgess spoke as a guest presenter at Cisco Live 2016 in Melbourne.

The 5 Knows of Cybersecurity

1. Know the value of your data. That includes the value to your business, your customers and your competitors and any criminals who might want to steal it.
2. Know who has access to your data. Should all those people have access to that data?
3. Know where your data is. You’ll be surprised how many people don’t know where their data actually is.
4. Know who is protecting it. Would you know if someone attempted to steal that data if you don’t know who’s protecting it?
5. Know how well it is protected. There is a role for compliance professionals in this space, and there is a role for the Australian Signals Directorate (asd.gov.au), the SANS Institute – CIS Critical Security Controls (sans.org), and a whole lot of best practice out there.

- Mike Burgess, Chief Information Security Officer, Telstra



Building a secure cyberspace

By Adeline Teoh, Correspondent

Security may have left the building for cyberspace, but architecture is still an important piece of how we defend ourselves.

Imagine a building in an earthquake prone area, somewhere like Japan or New Zealand. In the early days, a building that collapsed would need to be rebuilt every time a tremor troubled the Richter scale. As construction evolved, however, the buildings became more sophisticated, more in tune with the potential for quakes, and so able to withstand all but the most direct, high-rated shocks. This safety feature, part of the buildings’ architecture, has saved many buildings as well as inhabitants’ lives. While we no longer think of security as just a guard patrolling a building, architecture is a good way to describe the new way defenders develop cybersecurity solutions. Security may have left the building for cyberspace, but it is still conceptually close to it.

The business case

Cybersecurity is no longer the afterthought it once was, says John N Stewart, Vice President and Chief Security Officer of Cisco’s Corporate Security Programs Organization. “Cybersecurity has come out of the dungeon and is now a business service. We’ve gone from ‘I’m not sure I could put anything critical on an IT system’ and then suddenly everything that’s critical is on an IT system.”

In fact, cybersecurity is now an important pillar of business and if not done well, it impacts innovation, Stewart stated at his keynote presentation at Cisco Live 2016 in Melbourne. Simply put, good cybersecurity is confidence and a lack of confidence affects organisations’ risk appetites. The casualty of a diminished risk appetite is innovation. “There’s so much executive-level attention on cybersecurity and it has not translated into confidence yet.” The good news? “All of this is solvable,” he says.

David Goeckeler, Senior Vice President and General Manager of Cisco’s Security Business Group, has data on what chief information security officers think. “We asked CISOs what percent they think they have up-to-date, effective security infrastructure and the number is lower this year than it was last year. How can that be? There has been more investment in security in the last 12 months than ever. It’s because of complexity. Every customer has 50-60 security vendors in their network. They add the next piece of technology and the complexity is overwhelming the value you get from it, so you’re actually going backwards.”

He believes many in the industry have lost sight of cybersecurity’s main function. “Security is a business enabler. You want to learn lessons and drive automation and drive simplicity because that’s what leads to effective security. What drives efficacy is automation, simplicity, and architecture.”

Building on the threat landscape

Cisco employs more than 250 staff in its division known as Talos, a team specifically assembled to research and analyse the threat landscape. With data coming in from more than 160 countries, hundreds of customers and millions of users, the multinational IT company has a good idea of what’s going on at any given time. “We have a very big investment in understanding the threat landscape. We see multiple attack vectors across email, web, in the network, we see over a million pieces of malware a day through our labs so we have a unique perspective on the threat landscape,” says Goeckeler. “We get an enormous amount of threat telemetry, over 100 terabits of information, and then the Talos team turns that into threat intelligence and uses that information to find out where the threat actors are.”

The actual threats have not changed: attackers still want access to systems to obtain and/or destroy data in order to sell it or disrupt an organisation. It’s an arms race, however, and the changes are all in the increasing level of sophistication. “There’s a lot of money being made in the attacking economy, it’s very professional. There are nation-states, organised crime, hacktivists,” says Goeckeler. “The attacks get more and more sophisticated, more and more elusive; they know how to hide better, they know how to evade protection so it’s very important to build a security architecture that blocks as much as possible and then finds everything else as quickly as possible.”

What having security architecture does is provide a much wider platform on which to run different types of security products. The result? Organisations detect breaches far quicker. “The industry average for how long something is in the network before it is found is around 100 days, depending on which incident response research report you read. We’ve got that down to 17.5 hours. That’s the advantage of taking the architectural approach—we can look across the entire extended network and integrate as opposed to what a bunch of point products does,” Goeckeler explains.

Open and flexible

The architectural approach also allows others to build on the platform. Cybercriminals have the advantage of being able to share information about their attacks and even sell code or software to help others get a head start on nefarious activities, whereas the security industry was previously hampered by fragmentation because individual vendors held their proprietary software close to their chests. “Building an open architecture is so important—you don’t know what you’re going to need in the future because you don’t know what your adversary is going to do in the future,” says Goeckeler. “It’s important to build architecture that is going to allow people to innovate as quickly as possible and our latest platforms are open to third party developments so we can encourage exactly these kinds of models.”

The other advantage of taking an architectural approach is that it can then use feedback to reinforce defences. Greater visibility of sophisticated threats informs policy, which then boosts security measures in an unending cycle of learning. “This is a market where we have an active adversary. They’re very well funded, they’re very sophisticated and whatever we do to thwart them they’re going to adjust, so you have to build architecture in a way that is open and flexible,” says Goeckeler. “You need an architecture that allows you to innovate as quickly as possible because the attackers are going to constantly change their approach.”

Having good security technology is like having good concrete: you need it to support a building, but it isn’t enough—the architecture of the building is also key. Is your organisation ready for a cyber quake?

The cyber crime economy is valued at US$450-500 billion a year, almost a quarter of the world’s IT market, which is purported to be worth US$2.1 trillion. —David Goeckeler, Cisco



Cyber Security

Has Snowden made the world safer for criminals and terrorists?

Why do we insist on idealising whistle-blowers?

By Brian Henke


It wasn’t too long ago that we trusted our governments, with citizens largely believing security agencies (ASD, ASIO, GCHQ, MI5, CIA and the NSA) were protecting their interests and thwarting the bad guys’ plans for global domination, havoc and mayhem. However, somewhere along the line, things changed, fundamentally assisted by Edward Snowden and other government whistle-blowers. Governments writ large have become synonymous with the bad guys and what was once a rational fear about safety and security has developed into national paranoia that government is listening to everything we say and considering us all guilty until proven innocent.

As a veteran consultant in the national and international security arenas, I have seen dangerous knee-jerk reactions in legislation, such as the US Patriot Act, that simply don’t help imbue public support for the security services. However, large scale privacy and security concerns aside, does the average citizen really think they are that interesting to the security services? It may be flattering to think that a conversation about your up and coming holiday to the Netherlands is critically important to the security services, but realistically, all they are really doing is trying to catch the bad guys and keep you and your loved ones safe.

The problem is, surveillance can’t be constrained to such a narrow field of focus as to only target suspected terrorists and criminals. It takes hard work, diligence, perseverance and tedious trawling through petabytes of information, from the perspectives of gathering intelligence, surveillance and reconnaissance.

Oversimplifying the Issues

In July 2014, the Pew Research Centre conducted a worldwide poll asking global publics to decide if the American government’s monitoring of communications of [insert your country] citizens is acceptable. This was followed by the same question posed with suspected terrorists instead of citizens, as the target of the surveillance. Over 80% of those surveyed across 44 countries said it was unacceptable to monitor communications of (survey country) citizens, while only 29% said it was unacceptable to monitor communications of suspected terrorists. So, the answer is simple, to make life easier, we should simply demand that would-be terrorists identify themselves to the security services, so that the government can regain the global publics’ acceptance.

Why is distrust in governments and disclosure of national secrets bad?

Let’s start with a statement of fact. Snowden’s disclosure of US government secrets has focused attention, like a witch hunt, on what governments are doing and not doing instead of protecting citizens, enhancing security, improving legal frameworks and making it more difficult for criminals and terrorists to operate. It will be nigh on impossible to regain this trust, however, governments have to still carry on protecting citizens to the best of their abilities, now further hampered by their methods being disclosed and calls for oversight committees and investigations making the complex job they perform even harder to get results from.

Governments need to start being more open and honest about their intentions, explaining what they are collecting and why. We all allow our employers, retailers and online social networking sites, such as Facebook, LinkedIn and Google, to collect copious amounts of data about our activities and habits, and even sell it on for profit. This information is also quite openly categorised as personally identifiable information (PII) so it’s the same stuff that we are so unwilling to have the government access. If it was clearly stated that the government would like to track your information to ensure your identity remains safe and protected online and ensure cyber criminals are not trying to steal your information, would you be happy with that?

Tim Cook’s extremely public rebuttal against the FBI’s attempt to get encrypted data off an Apple iPhone, where he was asked to help build back door access to the device, was an interesting development in the battle between public and private enterprise. In this instance, the decision was based on the views, morals and ethics of the leaders of Apple Inc. and that’s their prerogative. Government has the right to ask and Apple has the right to say no. If it’s a question of protecting citizens through cooperating in an investigation, rather than providing the keys to the castle, I don’t think there should be an issue.

A few years ago I published an article entitled, “Trends in Anonymity Online – Implications for Security and Stability,” where I outlined the risks associated with how easy it is to obfuscate online activity combined with untraceable currencies.
Underground websites, such as the Silkroad and Blackmarket were burgeoning, with global sales amounting to billions of dollars. Fast forward to today, and while Governments are savvier, shutting down similar nefarious websites much more quickly and frequently, as well as monitoring and indexing criminal activity on the deep web, this alternative web continues to be the focal point of crime and underground activity. Trend Micro recently published a study of the deep web and, although not all of the sites found in the study were of an illegal nature, a vast array of criminal enterprises are thriving there, peddling stolen or hacked accounts, drugs, weapons, fake passports, and even commissioned assassination.

There is a massive difference in protecting privacy and personal information, as opposed to pure anonymity. For many people, fears about privacy stem from the threat of identity theft, data breaches in organisations that collect our information, or embarrassment because of something you are doing (you might be a really big Britney Spears fan, and not want your cool mates to find out). These fears are all rational fears but they are small in the context of national security. I honestly understand and get it, but you cannot and should not confuse the right to ‘some’ privacy with how your personal information is secured with the right to pure anonymity.

Moreover, try not to idealise the whistleblowers, those people who have committed national treason and broken the laws of our nations by stealing secrets and handing them over to countries with significantly less civil liberties and human rights than our own. Snowden fled from the US where there is a Freedom House Global Freedom Index (GFI) score of 90 out of 100, and ranked 20 of 152 in the Human Freedom Index (HFI), to China which on the GFI scores 16 and ranks 132 on the HFI, then on to Russia with a GFI score of 22 and an HFI ranking of 111.

Security is a Trade off

There needs to be a mutually beneficial trade-off between governments having the right to monitor our communications, especially of suspected terrorists or criminals, in exchange for our right to privacy with the assurance that the government is protecting us from another attack. In the modern world, we all face a global threat from terrorism and the looming clouds of conflict across the South China Sea, North Korea and across the borders of Europe. The only way to build a safe future for us is to drop the ‘poor little me’ self-serving sensationalism and take it as read that national security agencies are in place to help us stay safe. Only then will we be in a position to act as a nation and remain safe together, allowing the good guys to focus on protecting us from the bad guys.
My main advice: before you point the finger at the government, try reading the privacy policy of some of the online services you use every day; then you’ll see where your attention should really be focused.

About the author

Brian Henke is the CEO and founder of Insightful Futures, a Western Australian futures consultancy that provides deep insight into the long-term business objectives and challenges that affect businesses and governments from a global point of view. Insightful Futures combines the collective minds of their network of associate analysts to tackle some of the world’s biggest issues, now with subsidiary offices in London, England, and Washington DC, USA. See more at: http://insightfulfutures.global



Cyber Security

Keeping your information secure in the cloud

By Tony Campbell, CISO Correspondent

As the industry shifts to procuring IT services as utility-style operational expenses, cloud services have become the most pervasive and ubiquitous strategic driver in the IT boardroom. However, the more astute C-suite executives have held off, watching the technology sector take stock as some of the initial promises of the cloud have proved to be false. The reality of what’s best for big business has emerged as a hybrid approach, blending the best of self-managed IT, with locally-sourced, dedicated systems, along with publicly sourced, cloud-based IT. Furthermore, the transformation to hybrid cloud brings one more conundrum for the C-suite to concern themselves with, one that is yet to be fully addressed by industry. Information security and safety, in the new world of hybrid cloud, especially given the added complexity of new architectures, shifting hardware paradigms and brand new legal considerations, have become a major headache for many.

There are a variety of challenges that cloud services present the business, all of which need to be assessed and addressed prior to jumping in.

• Cloud services are usually provided on multi-tenancy platforms, which is how service providers keep their price down. For customers, this means your service is installed alongside services provided to another customer, with the configuration of the cloud service being the control sitting between each tenant. There are potential risks relating to information confidentiality and availability that need to be assessed and mitigated prior to adoption.
• Accountability and responsibility remain paramount. The reality is that you never relinquish the accountability for your data security; however, we are seeing delegated responsibility for service and data security transferred to the service provider through the cloud services contract. This needs to be robust and tested through your own legal department – make sure not to simply sign on the dotted line and hope for the best just because you’re working with Amazon, Google or Microsoft.
• Monitor your services. Services offered in the cloud are continually evolving, especially as new development paradigms are adopted by providers, such as Agile and DevOps, so you need to be continually monitoring the changes that are occurring in services you leverage, making sure you understand the technical, procedural and legal implications of new features.

The only effective way to make sure your business remains protected and your data stays safe and secure is to build a robust architecture as a building block in your enterprise architecture capability. This will allow businesses to assess all of the contractual aspects of the cloud service that need to be discussed with potential providers prior to handing over the company credit card.

Building a Hybrid Cloud Architecture

Security is a process and needs to be a constituent part of everything your business does. You’ll need to start engineering security requirements from the outset of any new transformation project, making sure you establish a thorough test plan that will assure the security of your information in production. Just because you’re creating a new cloud-based business offering doesn’t mean you can cut corners and simply trust that the service provider will handle all of your security issues. If the worst happens and your information gets stolen, you’re still accountable in terms of regulators, your customers and the media. This is a mistake many cloud customers have made over the past few years: instead of going into discussions with service providers with mandatory requirements and a skeptical mindset, subscribers are blindly adopting services without reading the terms and conditions. The only consistent and dependable way to address this is to adopt a robust approach to security architecture within your enterprise and ensure security requirements management (elicitation and testing) is at the heart of every single cloud project.

Security controls must be developed that work for the entire organisation, even in the hybrid cloud environment. These should be derived from your enterprise security policy, as well as any governance, risk and compliance regulations that your industry imposes. Security controls govern how you meet the enterprise security requirements and dictate how application developers create compliant software that doesn’t put your data at risk. If you don’t adhere to this enterprise security architecture approach, you’ll run the risk of taking security for granted, while the reality is your data is less secure than it ever was.



Cloud Service Providers

There are various questions you can ask of service providers before you sign on the dotted line. Here are some of the considerations you need to discuss with your prospective hybrid cloud provider before committing to take on their services:

• Which security and availability certifications does the provider hold? Are they available for inspection and are they current? Certifications won’t guarantee your security, but they do provide a level of assurance that the provider has gone some way to mitigate the risks. For example, the ISO 27001 certification means the provider’s security controls, including those associated with people, processes and technology, are good enough to meet the needs of that audit.
• If they have certification, what is the scope of the audit? The scope of any compliance audit is vitally important; if constrained to just one element of the service, you’ll need to ask more questions to see why it’s constrained and if it’s likely to be improved. It might be that they are taking a staged approach to certification so if they have a roadmap, ask to see it. If you can’t get a straight answer, walk away.
• Ensure your data is stored in a jurisdiction you are happy with. If you need to ensure data sovereignty, then check that their systems never communicate outside your local borders. Some providers don’t even have local Australian or New Zealand-based data centres, so their services store data offshore. Is this a problem? It depends on the nature of the information you have. Government agencies that manage PROTECTED or SECRET classified information may not be allowed to use cloud services that have an overseas data centre. Remember too that your own law enforcement agencies won’t have jurisdiction to help recover data or investigate a breach if the systems are all overseas.
• How are continuity incidents handled? Even if the primary datacentre is in Australia or New Zealand, you might be surprised to find that they failover to North America if there is an outage. That could lead to your systems suddenly storing data in another legal jurisdiction, something you’d not originally planned for.
• What laws govern the way the cloud provider operates their company? If the provider is an American organisation, for example, your data and the way it’s handled might fall under the US legal system, hence allowing access by US law enforcement agencies under their own national law.
• How do you leave the service? What if you decide to stop using the service? How do you ensure that all of your sensitive company information is removed from their disks and backups when you leave? You don’t want copies lying around after you have stopped paying and auditing them.

Technology

The technology stack in a cloud implementation is complicated and can be difficult to assure, from a security perspective. This is a massive subject, way too big to cover in one article; however, there are fundamental aspects of building secure cloud services that you must consider at the outset if the result is to be successful:

1) Access Control: Build a solution that extends your local identity and access management solution into the cloud and operates as an access control broker for third-party public cloud services, especially if there is no integration between your local directory and the end system. To address this, new systems, known as Cloud Access Security Brokers (CASBs), have been developed to provide policy enforcement; they sit between cloud service users and providers to manage access requests. They offer services, such as authentication, single sign-on, credential mapping, profiling, encryption, tokenisation, comprehensive logging and alerting, and their security offering can be further bolstered with malware detection and intrusion prevention.
2) Firewalls and IPS: When you build systems in the cloud, you still need to provide the same network security controls you would in a locally installed environment. Most cloud service providers, such as Azure and Amazon Web Services, provide virtual security appliances you can configure to meet the requirements of your security architectures, with rulesets, profiles and hack prevention modules all working in concert to protect your hybrid environment. You should also include intrusion prevention systems in your cloud installation to alert on and block any attempts at hacking your systems. In reality, you are no less exposed in the cloud than you would be in your own local data centre, so you need to replicate in the cloud every one of the security systems you’d expect locally.
3) Testing: When you finish building your cloud solution, thoroughly test against every one of the security requirements your enterprise architecture team stipulated for this service. Conducting comprehensive security testing prior to switching over to live production ensures you catch non-compliances and can rectify them prior to opening up the attack surface. If you can’t meet a particular security requirement, or the controls prove to not mitigate enough of the risk, you can make a risk-balanced decision on how to proceed. Penetration testing of more complex systems, especially if they are handling sensitive business data, will give you an extra level of assurance that your information will remain secure once you go live.

Conclusion

Hybrid cloud systems are becoming the norm for many IT shops and businesses that rely on modern IT to do their business. From government departments to small businesses, everyone sees that cloud services have a lot to offer, helping executives better manage their IT budgets while removing a lot of the hassle that comes with managing physical data centres and the complexity of managing complex application systems. However, there are security trade-offs and, as with anything new and shiny, as cloud still is, it’s important to have a systematic and professional approach for adoption, where you do your homework and architect security solutions that are fit for purpose, robust and dependable. That way, your information remains safe and your business can continue to be profitable and successful for many years to come.
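The jurisdiction, continuity and governing-law questions in the provider checklist can be checked mechanically against a deployment inventory. The following is an added example, not part of the original article; the region names, the inventory and the AU/NZ policy are constructed for illustration. It shows that a check of primary regions alone passes an inventory whose failover and backup targets sit offshore.

```python
"""Data-residency audit over a constructed cloud service inventory."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple

# Constructed region names mapped to country codes (assumption for this
# example; a real audit would build this map from the provider's region list).
REGION_COUNTRY = {
    "au-east-1": "AU",
    "au-southeast-1": "AU",
    "nz-north-1": "NZ",
    "us-west-1": "US",
    "sg-central-1": "SG",
}


@dataclass
class Service:
    name: str
    primary_region: str
    failover_region: Optional[str] = None
    backup_regions: List[str] = field(default_factory=list)
    provider_domicile: str = "AU"  # country whose law governs the provider


@dataclass(frozen=True)
class Finding:
    service: str
    role: str      # primary | failover | backup | provider-domicile
    location: str
    country: str


def data_locations(svc: Service) -> Iterator[Tuple[str, str]]:
    """Yield (role, region) for every place the service's data can end up."""
    yield "primary", svc.primary_region
    if svc.failover_region:
        yield "failover", svc.failover_region
    for region in svc.backup_regions:
        yield "backup", region


def audit(services: List[Service], allowed: Set[str],
          primary_only: bool = False) -> List[Finding]:
    """Report every data location or provider domicile outside `allowed`.

    primary_only=True reproduces the naive check that looks only at where
    the service normally runs.
    """
    findings = []
    for svc in services:
        for role, region in data_locations(svc):
            if primary_only and role != "primary":
                continue
            # Fail closed: a region missing from the map is reported, not trusted.
            country = REGION_COUNTRY.get(region, "UNKNOWN")
            if country not in allowed:
                findings.append(Finding(svc.name, role, region, country))
        if not primary_only and svc.provider_domicile not in allowed:
            findings.append(Finding(svc.name, "provider-domicile",
                                    svc.provider_domicile, svc.provider_domicile))
    return findings


# Constructed inventory: every primary region is in Australia or New Zealand.
SAMPLE_INVENTORY = [
    Service("payroll", "au-east-1", failover_region="au-southeast-1",
            backup_regions=["au-southeast-1"]),
    Service("crm", "au-east-1", failover_region="us-west-1",
            provider_domicile="US"),
    Service("archive", "nz-north-1",
            backup_regions=["sg-central-1", "eu-unlisted-9"]),
]


def run_sample() -> List[Finding]:
    """Full audit of the sample inventory against an AU/NZ-only policy."""
    return audit(SAMPLE_INVENTORY, {"AU", "NZ"})


if __name__ == "__main__":
    naive = audit(SAMPLE_INVENTORY, {"AU", "NZ"}, primary_only=True)
    print(f"primary-only check: {len(naive)} findings")
    for f in run_sample():
        print(f"{f.service:8} {f.role:18} {f.location:16} {f.country}")
```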



Cyber Security

Big data & the internet

Think you’re ready for Big Data and IoT? Standard tests are just not enough.

By Areg Alimian, Senior Director, Solutions Marketing, Ixia

Rapid time to market is becoming increasingly important in the rollout of new applications and services, or, in simpler terms: everyone wants to be first. So new architectures are planned with virtual environments and hybrid clouds on the drawing board and implemented, only to then learn that customers complain about a loss of quality in VoIP service and online gamers about long ping times. This waiting for customer complaints is one of three basic ways to learn about the performance and resilience of your network, but certainly not the most promising. Waiting for a hacker attack to paralyse your network is the second option, but its popularity has limits, too. The third option is called “test”.

However, not all test methods are suitable for ensuring the availability of services and applications. Approaches to validation of performance and security, with no realistic assumptions about application loads and attack techniques, quickly lead to a false sense of security. Only tests based on realistic conditions yield reliable information about the behavior of the network and security infrastructure. Big Data and especially the internet of things (IoT) will generate significantly higher loads, and the best way to determine how a network will handle these loads is to make sure that each component required for the provision of services and applications is tested under the most severe expected load conditions.

The best place to start is at the beginning

The ‘connected world’ is no longer just a buzzword, it is reality. More than 5 billion devices are already connected to the Internet, and the rate of new connected devices will only accelerate with the proliferation of IoT. It is forecasted that by 2020, there will be about 50 billion devices connected to the Internet, 10 times more than there are today. Many of these devices run complex applications that need to communicate with each other around the clock. These increasing user endpoints not only automatically generate more data, they place greater demands on the performance and availability of a network infrastructure. In particular, Web 2.0, HD video, and social networking, combined with big data and IoT have a virtually unlimited hunger for bandwidth. In a report published in January 2016 entitled “ENISA Threat Landscape 2015” the European Agency for Network and Information Security (ENISA) stated that the number of DDoS attacks with a bandwidth of over 100 Gbps doubled in 2015, and will continue to increase.

Meeting these growing demands on a network infrastructure requires a massive upgrade to the data centre, ranging from migration of top-of-rack-to-server connectivity from 10 GbE to 25 GbE and 50 GbE, to enhancing the core network with 100 GbE technology. The expected result of this type of upgrade is significantly higher data rates with approximately the same footprint and power consumption, as well as a higher server density and reduced cost per bandwidth unit. But what guarantees do enterprises have that these expectations will be achieved under real world conditions? In addition, unique characteristics of network devices, storage, and security systems, coupled with the virtualisation of resources, the integration of cloud computing, as well as SaaS, can significantly slow the introduction and delivery of new services.

Ensuring the data rates needed to deliver new services anytime, anywhere, requires infrastructure tests that go above and beyond standard performance tests of individual components. Customers and internal stakeholders do not care how many packets a web application firewall can inspect per second. They only care about the application response time, which depends on a number of factors. These include the individual systems in the network and their interaction, the application specific protocols and traffic patterns, as well as the location, and time of day, of the security architecture. Therefore, it is imperative to test the entire delivery path of an application - end to end - under realistic conditions. This means using a realistic mix of applications and traffic workloads that recreate even the lowest layer protocols. Simple and standardised tests such as IO meters in complex environments are simply not enough.

Testing under real conditions

Enterprise data centres need a test environment that reflects their real load and actual traffic, including all applications and protocols, such as Facebook, Skype, Amazon EC2 / S3, SQL, SAP, Oracle, HTTP or IPSEC. It’s meaningless, and dangerous, to test a data centre infrastructure with 200 Gbps of data, when the live network experiences peak loads of over 500 Gbps. Additionally, when testing, consider illegitimate traffic including increasingly frequent DDoS and synchronised attacks on multithreaded systems. Since attack patterns are constantly changing, timely and continuous tests are crucial. One way to ensure the consistency and timeliness of testing is to leverage an external service that can analyse current attack patterns and update the test environment continuously and automatically.

Testing complex storage workloads can only be achieved with real traffic. Cache utilisation, deduplication, compression, as well as backup and recovery, must be tested with all protocols used - SMB2.1 / 3.0, NFS, CIFS, CDMI or iSCSI - and optionally tuned to ensure compliance with defined service levels. While the need for stringent testing is obvious for a new data centre, it is equally important when consolidating or integrating hybrid clouds. This is because each new application, and even updates and patches of existing applications, can significantly alter the performance and response times of the network.

DIY or TaaS?

Ensuring optimal data centre performance not only requires investments in test systems, but also in the employees entrusted to manage it. In addition to the development and testing of a network infrastructure, equally important is the development of a qualified test team. Enterprises do not typically hire dedicated test engineers, and network and security architects are not always proficient in the design and execution of comprehensive tests to ensure their applications and IT systems can handle strenuous loads and sophisticated attacks. If budget is an issue, external TaaS (Testing as a Service) offerings can be a useful addition to an in-house solution, especially for larger projects. An external service provider can help determine which systems are the best fit within an existing environment, or before the rollout of a new demanding application such as online gaming. Performance and reliability tests of wireless environments or WAN assessments are other examples of complex projects for which an external TaaS service provider is well suited.

So the choices are simple: wait for customer complaints to learn about the performance and resilience of your network; wait for a hacker attack to paralyse your network; or put your network and applications to the “real” test with solutions and offerings that replicate your specific load requirements. No brainer.



Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.



TechTime - latest news and products

D-Link launches new high power surveillance-specific switches in ANZ

D-Link ANZ has expanded its family of Power over Ethernet (PoE) switches with two new models, the 10 port DGS-1100-10MP and 26 port DGS-1100-26MP, both specifically designed for surveillance applications. Critically, both new switches have a significantly extended PoE budget, 6KV surge protection on all PoE ports, easy switch and network monitoring via a dashboard, automatic IP camera detection, automatic network topology detection, surveillance traffic optimisation and a setup wizard, making them particularly straightforward to install and use. The dashboard, designed to be IP camera specific, also gives easy access to diagnostics and error management. Both new switches also have fibre uplink ports and support ERPS for the kind of extra redundancy, failsafe and instantaneous (sub-50ms) recovery options usually found in much higher-end switches.

D-Link ANZ MD Graeme Reardon said, “The advantage of these new switches is that they are specifically designed for surveillance applications. This means extended PoE budget and surge protection on all PoE ports as standard, whichever model you choose. Also automatic detection of surveillance traffic means video streams get secure and high priority forwarding, which avoids lost frames and video distortion. Not only are Power over Ethernet (PoE) applications such as IP phones, cameras and intercom systems becoming more commonplace in the home and business environment but so is the need to simplify their installation. These new switches do just that and more, and with a Standard mode for IT professionals and a simple Surveillance mode for non-IT professionals, there are easy set-up and management options for all.”

The new surveillance switches easily support high PoE power budgets for home and small businesses offering sophisticated PoE+ supporting up to 30 watts per port. This makes it easy to power and connect more PoE devices – such as VoIP phones, wireless access points or network cameras – simultaneously within a network. These features, combined with the ability to connect and deliver power to devices located away from conventional mains electricity outlets, make the new surveillance PoE switches an affordable and flexible option.

[Image: the new D-Link 10 port DGS-1100-10MP surveillance switch atop the new D-Link 26 port DGS-1100-26MP surveillance switch]

Ideal for homes and businesses of all sizes, both the DGS-1100-10MP and the DGS-1100-26MP Smart switches come with Plug-and-Play installation options for a simple, DIY set up. As small businesses and their networks grow, traffic increases when additional devices and applications are added to the Ethernet infrastructure. The two new smart switches in the DGS-1100 Series also make an ideal upgrade from an unmanaged network. Easy network management capabilities deliver added value at a fraction of the cost of other switches on the market. Functionality such as intelligent traffic management to reduce network load or stop unauthorised access, as well as network optimisation, can be performed through a web management interface or the D-Link Network Assistant Utility.

The switches feature high-speed ports with fast Gigabit wired connectivity, plus full backwards compatibility for connections to older computers and equipment. Each of the new D-Link switches offers advanced green technology, so each helps conserve energy, without impacting performance.

The Series 10 Port PoE Switch (DGS-1100-10MP) is an entry-level smart switch that delivers up to 30 watts on eight PoE ports with a total power capability of 130 watts. Its RRP is $549.95 inc. GST.

The Series 26 Port PoE Switch (DGS-1100-26MP) is an entry-level smart switch that provides 24 PoE-enabled ports, with a total power capability of 370 watts, with all PoE-enabled ports supporting up to 30 watts each at the PoE+ standard. Its RRP is $999.95 inc. GST.

The new D-Link 10 port DGS-1100-10MP and 26 port DGS-1100-26MP surveillance switches are backed by D-Link’s Lifetime Warranty with Advanced Replacement service.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media



Pelco and PlateSmart Partner to deliver license plate recognition

Pelco by Schneider Electric has announced that its VideoXpert™ video management platform is now integrated with PlateSmart’s ARES license plate recognition (LPR) system. The integration provides joint customers with an advanced, accurate and efficient suite of intelligent video analytics tools that complement the rich video management functions delivered by Pelco VideoXpert. Integration with third-party technologies, such as PlateSmart, is part of Pelco’s commitment to developing customized solutions for end customers.

As users capture growing amounts of video data, it is critical to deploy intelligent tools that enable video surveillance data to be immediately digestible to ensure safety and security, and optimize business efficiency. The combination of Pelco’s scalable and customizable VideoXpert VMS and the automated number plate recognition (ANPR) of PlateSmart’s ARES solution gives end users the ability to recognize key data points for identification and investigative accuracy.

“To be the best, you have to work with the best, and Pelco is absolutely at the top of its game in the video surveillance marketplace,” said John Chigos, CEO, PlateSmart. “With all of the changes currently underway in the VMS market, we knew the time was right to closely partner with Pelco. ARES delivers robust LPR-based video analytics to VideoXpert users, along with data integrity protection that enables users to ensure the availability of captured data.”

More specifically, the Pelco and PlateSmart interface correlates data from license plate information and video surveillance systems and displays critical information and live video through a single, easy-to-deploy user interface. The integration enables three plug-in capabilities, including:

• LPR Overlay, which facilitates accurate and real-time monitoring of license plates by overlaying a camera-view window with a dynamic list of license plates captured by the system. This allows users to quickly and easily view critical license plate information – such as number and state.
• Plate Viewer, which displays essential metadata, such as time capture with timestamp details, the name of the camera, where the license plate was read, and source and images of the license plate.
• Alert Viewer, which enables expanded alert details and metadata, including identification of the standard operating procedure (SOP) that triggered the alert as well as the alert type, code, category and priority previously defined by the alert SOP.

“Pelco is focused on developing strategic relationships with innovative technology providers to increase customer efficiencies and capabilities,” said Jonathan Lewit, Director of Application Business, Pelco by Schneider Electric. “The integration of PlateSmart’s LPR technology and Pelco’s VideoXpert VMS delivers new levels of intelligence to joint customers who are looking for ways to incorporate advanced levels of situational awareness with incoming video data.”

PlateSmart plugins for VideoXpert are available for download by Pelco customers on the Partner First website as part of the Pelco Partner First program. Visit partnerfirst.pelco.com for more information.

About Pelco by Schneider Electric: Pelco by Schneider Electric is a world leader in the design, development and manufacture of IP-based video security systems, software and services ideal for any industry. With a long and prestigious history of offering high-quality products and exceptional customer service, Pelco has become a most sought-after supplier in the surveillance industry. The Pelco brand of products includes a wide range of IP-based cameras, discreet camera domes and enclosures, video management systems, thermal imaging products, extreme environment systems and much more – all in the never-ending pursuit of achieving the highest level of customer satisfaction possible. For more information, visit www.pelco.com.

About PlateSmart: PlateSmart has positioned itself as the worldwide brand leader of LPR Analytic Solutions by providing its software-only license plate recognition (LPR) solutions for mobile and fixed security applications. PlateSmart partners with the world’s largest camera and hardware manufacturers and system integrators to offer a full suite of software-based solutions. For more information, visit www.platesmart.com.



TechTime - latest news and products

Genetec lifecycle management: expanded software, support and services framework

Genetec has announced Genetec Lifecycle Management (GLM), a new software, support and services offering. Lifecycle Management is available in two options: Genetec Assurance, which is free of charge for all new and existing customers, and Genetec Advantage, an optional premium paid-for option.

Genetec Advantage includes premium collaborative support with advanced troubleshooting, dedicated support resources that include up to 40 hours of consulting per year, access to all software releases, and proactive system health tools that help streamline maintenance, saving customers time and money. With Genetec Advantage, customers also have access to complimentary cloud services such as the addition of up to 100 Stratocast camera connections, and up to 100 terabytes of Cloud Archives storage to expand their system into the cloud, risk-free.

“Our new support framework ensures that when customers invest in Genetec Security Center, they can count on a dedicated team of technical engineers to deliver quality support when they need it most. With Genetec Lifecycle Management, our customers will gain access to tools and resources to fully capitalize on their security investments. With Genetec Advantage, they will be able to unlock even greater services and benefits, to keep their organization at the forefront of our innovation and expertise,” said Michel Desgagne, Vice President of Operations at Genetec.

For those who opt not to purchase Genetec Advantage, Genetec Assurance offers an initial period of increased support and software updates to facilitate system deployment. Throughout the lifetime of their Genetec product, customers with Genetec Assurance also have unlimited access to a wealth of self-service tools and learning resources, and online technical assistance that is tracked through a personalized support dashboard to keep their system running as purchased.

Genetec Lifecycle Management is now available. For pricing and details, please contact Genetec at sales@genetec.com or reach out to a Genetec regional sales manager or certified channel partner. For a complete list of features and benefit options available in Genetec Assurance and Genetec Advantage, please visit the Genetec web site: www.genetec.com/support/lifecycle-management/

About Genetec
Genetec develops open-architecture software, hardware and cloud-based services for the physical security and public safety industry. Its flagship product, Security Center, unifies IP-based access control, video surveillance and automatic license plate recognition (ALPR) into one platform. A global innovator since 1997, Genetec is headquartered in Montréal, Canada, and serves enterprise and government organizations via an integrated network of resellers, certified channel partners, integrators and consultants in over 80 countries. Genetec was founded on the principle of innovation and remains at the forefront of emerging technologies that unify IP physical security systems. For more information about Genetec, visit: www.genetec.com




Milestone celebrates record number of supported devices, integrates NVRs as connected devices

Milestone Systems, the open platform company in networked video management software (VMS), has released Device Pack 8.4 for partners and customers using Milestone XProtect video solutions. The bi-monthly device packs contain software updates for supporting new hardware. These updates are always a top focus at Milestone. With this Device Pack, Milestone reached a landmark 5,000 supported cameras and now supports 5,171 devices in total.

Bosch AVIOTEC was announced as camera number 5,000 at the annual Milestone partner conference in February. The camera comes with analytic algorithms that identify smoke and flames. The embedded technology provides earlier detection of fires. There is also the ability to add visuals to fire detection, giving better situational awareness than traditional smoke or fire detectors.

Helping customers to more flexibility with connected NVRs
This Device Pack enables Dahua Network Video Recorders to be networked with XProtect. This means that cameras connected to NVRs will be accessible to the Milestone VMS software, just like cameras connected to an encoder. Customers using supported NVRs now have the option of centralized control in addition to their existing ability to do local recordings on the recorder. The cameras connected to the NVR are seen by the VMS as ONVIF devices.

The ability to network NVRs will help customers using Dahua-supported NVRs increase efficiency. This increased efficiency is a result of heightened situational awareness. In this instance retailers get greater opportunity to prevent losses by being alerted to behavior that traditionally points to theft incidents. Since camera feeds from the NVR are recorded using XProtect, the video can now be used for video analytics. This opens new possibilities for business optimization.

ONVIF support signals Milestone dedication to standards
Milestone has always promoted driver standards like ONVIF and remains dedicated to supporting the broadest range of cameras and devices on the market. In this Device Pack nearly 50 percent of all the cameras added are ONVIF-based cameras.

Milestone works closely with device manufacturers in the Camera Partner Program (CaPP) to achieve optimal interaction between their devices and the XProtect VMS. Before ONVIF-supported devices are listed in the supported hardware list on milestonesys.com, they have been tested to ensure 100% functionality with the XProtect open platform technology. Milestone is dedicated to shorter product development cycles that facilitate the partner community’s ability to respond to ever-changing market demands.

Device Pack 8.4
The Milestone XProtect Device Pack 8.4 is available now for download from http://pardot.milestonesys.com/e/53942/support-download-software-/9w2sxv/288857795




Senstar adds video management software to its security portfolio

Senstar is pleased to announce the addition of a world-class video analytics and management system to its portfolio. With the acquisition of Waterloo, Ontario-based Aimetis, a global leader in intelligent IP video management software, Senstar is poised to offer its customers even more options for securing critical assets and infrastructure.

Brian Rich, President of Senstar commented: “We are very excited to be offering an expanded portfolio of security products to the market. The Aimetis product offering complements that of Senstar, providing additional value for system integrators and customers all under one roof. Our customers can now enjoy our ‘one stop shop’ for outdoor sensors and integrated video assessment, as well as our ability to address new non-PIDS applications.”

Aimetis has created a scalable and easy to use platform that combines VMS with built-in analytics and centralized management. It can integrate with a wide variety of cameras. The ability to integrate with Senstar perimeter sensors will address the requirements of many markets including energy, transportation, corrections, military, health care, retail, and education.

Both companies will be exhibiting at ISC West in Las Vegas April 6 to 8. Senstar’s booth (7071) will feature a demonstration of Aimetis video management software integrated with a range of Senstar perimeter sensors. It will showcase how the combination of leading technologies can provide a complete security solution. Aimetis will be located at booth 28055.

About Senstar Corporation
Senstar, the trusted innovator safeguarding people, places and property, has been manufacturing, selling and supporting the world’s largest portfolio of perimeter intrusion detection sensor technologies for more than 30 years. Senstar is also a leading provider of life safety / emergency call solutions, as well as of a line of solutions that protect security networks against cyber threats and a cellular detection and location solution. Senstar’s products and solutions can be found around the world in more than 80 countries, in tens of thousands of sites including borders, ports, military and government, correctional facilities, and other critical sites. www.senstar.com www.YouTube.com/SenstarCorp Twitter: @SenstarCorp

MDT Announces three-axis high-performance TMR linear magnetic field sensors

MultiDimension Technology (MDT) announced the TMR23xx series, a new lineup of three-axis high-performance Tunneling Magnetoresistance (TMR) linear magnetic field sensors. They are designed for a variety of application requirements, ranging from large dynamic range at +/-500 Oe, to ultra-high sensitivity at 100mV/V/Oe, along with excellent noise performance as low as 150pT/rtHz at 1Hz, in a compact LGA package as small as 4x4x2.5mm. They are best suited for high-end industrial sensor applications, biomedical sensor applications, precision measurement of magnetic field, high-precision speed and position sensing, geomagnetic sensing, metal object detection, non-destructive testing (NDT), magnetic communication, 3D magnetic imaging, etc.

“MDT’s new three-axis high-performance TMR magnetic sensors offer great versatility to many high-end applications that have already benefited from MDT’s TMR sensor technology, with outstanding low-noise, low-power and high-sensitivity performance that cannot be matched by any other semiconductor-based magnetic sensors, including Hall Effect, AMR (Anisotropic Magnetoresistance) and GMR (Giant Magnetoresistance). The new TMR23xx sensors integrate three high-performance TMR sensing devices for the X/Y/Z three-dimensional magnetic field measurement in a compact package or module. They provide the best option for our customers’ return-of-investment with small size, precise positioning of the X/Y/Z directions, reduced circuit complexity, and improved cost-effectiveness. Based on MDT’s in-depth expertise in design and manufacturing of TMR sensors, we can also offer custom designs of three-axis sensors that are specifically tailored to customer requirements,” said Dr. Song Xue, President and CEO of MultiDimension Technology.

MDT is the first volume supplier of TMR sensors with multiple product portfolios. In addition to the TMR linear magnetic field sensors, MDT offers TMR magnetic switches, TMR angle sensors, TMR gear tooth sensors, and TMR magnetic image sensors. MDT also provides comprehensive service options including custom designs, foundry service, and IP licensing for TMR/GMR/AMR sensors.

About MDT
MultiDimension Technology was founded in 2010 in Zhangjiagang, Jiangsu Province, China, with branch offices in Shanghai, Chengdu, Ningbo, China and San Jose, Calif., USA. MDT has developed a unique intellectual property portfolio, and state-of-the-art manufacturing capabilities that can support volume production of high-performance, low-cost TMR magnetic sensors to satisfy the most demanding application needs. Led by its core management team of elite experts and veterans in magnetic sensor technology and engineering services, MDT is committed to creating added value for its customers and ensuring their success. For more information about MDT please visit http://www.multidimensiontech.com.

Part Number | Supply Voltage (V) | Sensitivity (mV/V/Oe) | Resistance (kOhm) | Dynamic Range (Oe) | Noise (nT/rtHz @1Hz) | Form Factor
TMR2301     | 0-7                | 1                     | 15                | +/-500             | 100                  | LGA12L(4x4x2.5mm)
TMR2303     |                    | 3                     | 30                | +/-150             | 30                   | LGA12L(5x5x2.5mm)
TMR2305     |                    | 25                    | 9                 | +/-10              | 2                    | LGA12L(5x5x2.5mm)
TMR2307     |                    | 8                     | 1.5               | +/-30              | 1                    | LGA12L(7x7x2.5mm)
TMR2309     |                    | 100                   | 15                | +/-8               | 1.5                  | module(9.5×9.5x6mm)




ACUO – CASA executive meeting discusses regulatory enforcement

The President of ACUO, Mr Joe Urli, met with CASA’s CEO & Director of Aviation Safety, Mr Mark Skidmore, on March 8th to discuss a raft of issues of high importance to certified UAV Operators. Top of ACUO’s list was visible and effective enforcement of current and future RPAS regulations.

The increased use of consumer grade drones for commercial purposes, without registration or appropriate safety oversight from the aviation regulator, gives every indication of adversely impacting aviation and public safety. ATSB data since 2011 shows there has been a steady increase in the number of reported incidents between recreational drones and manned aircraft. In addition, public reports of recreational drone operators flying their aircraft within 3nm of an airport, flying over populous areas, often at night, and in direct contravention of the aviation regulations, are also increasing.

To date CASA has applied a ‘soft policy’ approach to regulatory enforcement of UAV operators despite a large proportion of certified UAV operators beginning life uncertified. Mr Skidmore and Mr Urli both agreed that education is key to overcoming this situation, but that the challenges facing CASA are not unique to Australia alone, and enforcement will play an equally important role.

ACUO strongly believes CASA’s ‘soft policy’ approach to enforcement is contributing to unacceptable levels of noncompliance across Australia, and that this needs to change. The UAV regulations have been in force here for more than a decade and CASA has reiterated publicly across all media formats, numerous times, the operating limits which govern all UAV operators, both recreational and commercial.

Unless otherwise approved by CASA, the operating limits for all UAV operators in Australia are:
• In Visual Line Of Sight (VLOS) of the UAV at all times
• Under Day Visual Meteorological Conditions (VMC) only
• Not above 400ft AGL
• Not over Populous Areas
• Not in Controlled Airspace
• Not within 3nm of an aerodrome [including airports, helipads etc.]
• Not within 30m of people, vessels or buildings

Despite what popular opinion might have us believe, there is currently NO regulatory exemption for UAVs under 2kg. Furthermore, ALL commercial UAV operators require a UAV Operator Certificate (UOC) from CASA before they can operate legally. Without this certification, customers of illegal UAV operators may not realise they are highly unlikely to be covered by Public Liability insurance should something go wrong with the aerial operation. And as any certified UAV Operator knows, this still happens too frequently and often without warning. As good as technology is becoming, there is no substitute for good risk management in this business.

ACUO President, Joe Urli said, “ACUO will be re-focusing our efforts this year on wider public education and identifying illegal operators in Australia. Where found, the details of illegal operators will be forwarded to CASA for investigation and subsequent prosecution if found guilty.” The ACUO President finished by saying, “Certification and safety oversight are central to aviation and public safety. There is no excuse for ignorance of the law and for not being certified by CASA to operate commercially.”

ACUO is the peak body for commercial unmanned aircraft systems operators in Australia. Established as a legal entity in March 2010, its membership base comprises one fifth of all entities holding Australian Civil Aviation Safety Authority UAV Operator Certificates. The association is chartered to promote the growth and the expansion of the commercial unmanned aircraft industry in Australia and to ensure the safe and orderly growth of the sector.




Akamai opens ‘Scrubbing Centre’ in Sydney to combat increasingly sophisticated DDoS attacks

Akamai Technologies has announced the opening of a new, state-of-the-art data centre in Sydney, Australia, as part of its global expansion strategy. Fuelled by the increasing sophistication of distributed denial of service (DDoS) attacks, the company’s latest ‘scrubbing centre’ leverages a cloud-based approach to mitigate threats without causing significant business disruption.

Part of Akamai’s DDoS fighting strategy, these globally distributed scrubbing centres essentially analyse incoming traffic, identify threats and remove malicious activities with minimal downtime for the end user or the network. Hence, when a DDoS attack against a client website is detected, all incoming site traffic is rerouted to one or more of Akamai’s global data centres. Malicious traffic is then “scrubbed” before the remaining clean traffic is routed back to the client’s network.

“With an increased focus on end-user experience, application owners can no longer afford to invest in security solutions that compromise performance. Extending our global DDoS mitigation network with an Australian node enables Akamai to avoid the pitfalls of global latency and deliver a local user experience, whilst defending against attacks,” said Adam Riley, Regional Manager, ANZ, at Akamai. “The new scrubbing centre will offer Akamai more advanced forensics on attack activity in Australia, which will enable continuous refinements to the protection of our local clients. In addition, customers will benefit from improved network performance and reduced latency.”

According to Akamai’s latest State of the Internet: Security Report published yesterday, the company saw a 149 per cent increase in total DDoS attacks globally for Q4 2015, compared to the same period in the previous year. The largest DDoS attack in Q4 2015 measured 309 Gbps, a sizeable jump in bandwidth from the largest attack in the previous quarter (149 Gbps).

Asia Pacific markets continue to be a major source of attack traffic, with China returning to the number one spot in Q4 2015 at 28 per cent, followed by Turkey (22%), the US (15%) and Korea (9%). While attack traffic from the UK, which was the largest source the previous quarter, did not decrease overall, traffic had increased sufficiently from the top three markets to affect the relative rankings.

“As DDoS attacks continue to increase in scale and complexity, Akamai also continuously looks at ways to expand our network capacity to ensure our clients are well-placed to defend against these threats,” added Riley. With the latest expansion, Akamai’s global DDoS mitigation network now comprises scrubbing centres strategically located across North America, Europe and Asia Pacific.

About Akamai
As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.




Symantec introduces new era of advanced threat protection

Symantec has introduced Symantec Advanced Threat Protection (ATP), the first solution that can detect and remediate advanced threats across control points, from a single console with just a click, all with no new endpoint agents to deploy. Advanced threats, such as ransomware, remote access trojans, advanced persistent threats (APTs) and zero day attacks, are on the rise and security professionals can no longer rely on using individual point products at each control point to stop them. The process of uncovering threat data across endpoint, network and email gateways is manual and time-consuming, which gives attackers an edge.

Symantec ATP correlates suspicious activity across all control points and prioritizes the events that pose the most risk to an organization. Once a critical threat is identified, it can now be quickly contained and new instances can be blocked.

Symantec ATP allows customers to:
• Uncover a full range of threats from APTs to zero day attacks across endpoint, network and email, with cross-control point detection and environmental search
• Prioritize what matters most by correlating the threat intelligence from across local control points with all that Symantec sees globally through its massive telemetry
• Remediate the threats fast through containment of endpoints and blocking new instances across control points, with one click, from a single console
• Leverage existing investments in Symantec Endpoint Security and Email Security.cloud, without deploying any new endpoint agents

“Security professionals are constantly on their toes trying to monitor and prevent the next cyber-attack,” said Michael A. Brown, president and CEO, Symantec. “We’re moving the industry forward with Symantec Advanced Threat Protection by giving customers a complete picture of their entire enterprise from a single console. Now they can filter out the noise and quickly discover and remediate an attack.”

Reducing the noise for customers with Symantec ATP happens in a few ways. First, Symantec’s massive global threat intelligence combined with local customer data means companies have a more accurate view of which threats pose the greatest risk inside their infrastructure. Additionally, Symantec ATP includes Symantec Cynic, a new cloud-based sandboxing and payload detonation service to discover and prioritize today’s most advanced threats. It also includes Synapse, a cross-control point correlation capability that collects suspicious activity across endpoints, networks and email to prioritize those that are of greatest risk to the organization.

“Our new Synapse and Cynic technologies work together to provide up to 30 percent better detection than existing products out there[1],” said Victor Law, Regional Director, Systems Engineering, Product and Consulting Services, Enterprise Security, Greater China Region, Symantec. “Before, a security professional would need to manually check to see if a suspicious file was properly blocked. With our new technologies built into Symantec ATP, we do the legwork for customers, cutting down on their search and remediation time.”

“The average enterprise uses 75 distinct security products,” Law added. “That overload creates opportunity for attackers because it slows down detection. Symantec ATP allows security professionals to click once and remediate everywhere across all three control points.”

Symantec ATP enhances existing installations of Symantec™ Endpoint Protection and Email Security.cloud without requiring any new endpoint agents. This allows customers to deploy a new installation of Symantec ATP in under an hour and search for attacks in minutes. The product can also export its rich intelligence into third party security incident event managers (SIEMs). As Symantec ATP evolves, the company plans to open it up to third party technology partners, including firewall and other security product vendors, allowing customers to enhance the value of their existing investments.




Five BYOD disasters organisations can avoid with good planning

The ‘bring-your-own-device’ (BYOD) approach to business technology has many advantages. If done correctly, it can boost productivity while lowering operational costs, according to NETSCOUT’s Fluke Networks Enterprise Solutions.

Amit Rao, APAC Director, NETSCOUT’s Fluke Networks Enterprise Solutions, said, “BYOD powers business 24 hours a day, seven days a week without organisations having to staff the office around the clock. It can improve communications and lead to a happier workforce.

“But there are downsides of BYOD that cannot be ignored. Without the right policies, and the IT infrastructure to back those policies up, organisations’ BYOD policies can lead to disaster.”

Five BYOD disasters organisations need to know how to avoid

1) Employee lawsuits. Some hourly workers have sued their employers, claiming they were not paid for the overtime associated with using their device when off the clock. Other workers have sued over privacy issues, such as managers or IT personnel reading their personal messages or viewing their private photos. Organisations need to have clear policies stating who can view private information, under what circumstances, and what can be done with it.

2) Sensitive data moved to consumer cloud services. Consumer cloud storage services like Dropbox, Google Drive, iDrive, Box, and others make it easy for workers to store critical or sensitive documents outside the domain of the IT staff. For example, a worker can easily snap a photo of a financial document or other intellectual property and upload it to Dropbox. Strict policies, backed by significant consequences, can deter this kind of activity. Make sure policies are applied consistently across the organisation.

3) A decline in productivity. Facebook, Pinterest, Etsy, and YouTube are all excellent sources of entertainment for lunch and breaks, but serious time wasters during work hours. Organisations can blacklist these apps and sites but this can deteriorate the goodwill and morale fostered by initiating a BYOD policy. It is better for organisations to implement a rewards system for productivity that encourages workers to use these applications in their own time.

4) Employee abuse of reimbursement. Expensive overseas calls and text messages, receiving reimbursement for an entire family plan, charging the business for device upgrades, and putting termination fees on the company’s tab are just some of the ways employees can cheat their employers with BYOD reimbursement policies. The finance department should make sure it reviews reimbursement requests rigorously to keep these things from affecting company profits.

5) Technical issues. There are technical issues to consider with the BYOD approach, including compatibility issues associated with the various devices that need to access the system. There are also significant security issues. Mobile devices are typically less protected and more vulnerable than corporate devices. The IT team also needs to ensure that the company has the bandwidth and infrastructure in place to cater for the influx of devices.

Amit Rao said, “BYOD doesn’t just double the amount of demand on equipment, it can triple it. IT needs to work hard and plan to assure good network performance with the additional number of devices accessing corporate systems.”

About NETSCOUT SYSTEMS, INC.
NETSCOUT SYSTEMS is a market leader in real-time service assurance and cybersecurity solutions for today’s most demanding service provider, enterprise and government networks. NETSCOUT’s Adaptive Service Intelligence (ASI) technology continuously monitors the service delivery environment to identify performance issues and provides insight into network-based security threats, helping teams to quickly resolve issues that can cause business disruptions or impact user experience. NETSCOUT delivers unmatched service visibility and protects the digital infrastructure that supports our connected world. To learn more, visit www.netscout.com.

Cybercrime and the Deep Web

Movies and crime shows have always alluded to a “global” underground network of organized crime where gangsters and criminals from all walks of life and nationalities converge to form a single malicious entity. The truth—at least when cybercriminals are concerned—is different, but close to what people think.

Since we started delving into the Internet’s dark side, we uncovered at least six secret cybercriminal havens. The details we gathered can be found in the research papers we published on the cybercriminal underground markets of Russia, Japan, China, Germany, the United States and Canada (North America), and Brazil in 2015.

This paper caps our 2015 Cybercriminal Underground Market Series by providing details about these different underground scenes. Find out why we say the cybercriminal underground is not a huge global conglomerate, but rather a wide-ranging cluster of “branches” that cater to various buyers with the unique sets of products and specializations that they offer. But though they work independently, some markets do collaborate with peers to give buyers what they want, as evidenced by the following highlights:
• The Japanese underground is the only market that does not focus on traditional crimeware. This underground scene caters more to the taboo.
• The German underground takes cues from the Russian market.
• The Chinese underground serves as a hotbed for crimeware (particularly hardware) prototypes.

For more details on what the cybercriminal underground economy was like in 2015, view the attached research paper, Cybercrime and the Deep Web. Visit the Deep Web page for the latest news and information on the deep web, as well as more in-depth research on the different cybercriminal underground markets.




Threat of mobile malware rises as hummingbad attacks on android devices grow dramatically Check Point Software Technologies has revealed the most common malware families being used to attack organisations’ networks and mobile devices in Australia and New Zealand during February 2016. Check Point identified more than 1,400 different malware families globally during February. For the second month running, the Conficker, Sality, and Dorkbot families were the three most commonly used malware variants, collectively accounting for 39% of all attacks globally in February. However, Conficker and Sality were not included in the top 10 list in New Zealand, and only in the seventh and eighth position in Australia. On the contrary, Australia and New Zealand accounted for over 20 per cent of the global Torpig botnet detections in February. Check Point’s research also revealed the most prevalent mobile malware during February 2016, and once again attacks against Android devices were significantly more common than iOS. The top three mobile malware families were: Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises. AndroRAT – Malware that is able to pack itself with a legitimate mobile application and install without the user’s knowledge, allowing a hacker full remote control of an Android device. Xinyin – Observed as a Trojan-Clicker that performs Click Fraud on Chinese ad sites. For the first time, malware targeting mobiles was one of the top 10 most prevalent attack types, with the previously-unknown HummingBad <http://blog.checkpoint. com/2016/02/04/hummingbad-a-persistentmobile-chain-attack/> agent being the seventh most common malware detected targeting corporate networks and devices. 
Discovered by Check Point researchers, Hummingbad targets Android devices, establishing a persistent rootkit, installing fraudulent apps and enabling malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises, with the aim of intercepting corporate data.

Nathan Shuchami, Head of Threat Prevention at Check Point said: “The rapid rise in attacks using Hummingbad highlights the real and present danger posed to business networks by unsecured mobile devices and the malware that targets them. Organisations must start to protect their mobile devices with the same robust security as traditional PCs and networks as a matter of urgency. With the range of attack vectors open to hackers, adopting a holistic approach to security that includes mobile devices is critical in protecting both corporate networks and sensitive business data.”

Australia and New Zealand Malware Concerns

Indeed, malware has recently affected the mobile apps of Australia’s big four banks and, although Android will continue to be a security concern, it is anticipated that consumers will experience more attacks on iOS because iPhones and iPads continue to gain popularity globally, making them prime, high-value targets for cybercriminals.

David De Laine, Regional Managing Director, ANZ, Check Point, said, “It really is only a matter of time before cybercriminals climb over the App Store’s walled garden with APTs that utilise exploit packs to achieve privilege escalations, gaining full control over the attacked device.

“Android malware will also become even more evasive. We’ll start seeing steganographic methods being used in the wild, like decoding executable payloads from strings hidden in image files. Stealth methods like this (in combination with obfuscation capabilities of off-the-shelf packers and custom encryption) will get much more complicated in 2016 as detection methods get smarter and become more accurate.

“On top of these risks, we’ll experience a trend of cybercriminals using advanced techniques to not only take over and control individual devices but groups of multiple devices. Controlling one device is fun, but controlling an army of devices is a real moneymaker.
Botnets are getting bigger and more well-orchestrated, giving hackers a range of malicious capabilities from massive spamming schemes and heavy DDoS attacks to cryptocurrency mining.”

Last month, the Check Point research pinpointed Australia as number 82 and New Zealand as 62 on the list of 117 most risky countries in the world.

Check Point’s threat index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time. The Threat Map is powered by Check Point’s ThreatCloud™ intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analysed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Below are the top three most commonly used malware variants and their definitions:

• Conficker – Machines infected by Conficker are controlled by a botnet. It also disables security services, leaving computers even more vulnerable to other infections.
• Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
• Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as download additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks.

Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. is the largest pure-play security vendor globally, provides industry-leading solutions, and protects customers from cyberattacks with an unmatched catch rate of malware and other types of attacks. Check Point offers a complete security architecture defending enterprises’ networks to mobile devices, in addition to the most comprehensive and intuitive security management. Check Point protects over 100,000 organizations of all sizes. At Check Point, we secure the future.



REPORT TO THE PRESIDENT

Technology and the Future of Cities
Executive Office of the President
President’s Council of Advisors on Science and Technology (PCAST), February 2016

Have you recently published a security-related book? Or have you just read a new, great security book? Please email us at editor@australiansecuritymagazine.com.au

With Australia’s latest Prime Minister calling for a focus on innovation, Australia also faces a crossroads with the Federation and State sovereignty. However, it is our local governments that are really on the frontline, and how we manage our cities will impact the majority of the population. This report to the US President provides a direction and model to consider. Naturally it could, and indeed should, be read and adapted to the Australian context.

As in Australia, the challenges faced by Americans living in cities are not new, but they are being exacerbated by city growth and aging infrastructure. They include the following:

• finding and acquiring a good job, a quality education, and appropriate training;
• accessing services and products such as health care, child care, and fresh food;
• living and working in safe and healthy environments;
• efficiently using energy for buildings and transportation; and
• reducing violence and insecurity.

The report proposes, “Yet without help, many cities will be slow to realize the benefits of technology or may target investments in suboptimal ways. Cities need support to overcome a number of obstacles. Operating, maintaining, and financing existing services takes up the bulk of city governments’ time, energy, and resources and forces upon them a focus on short-term efficiency, often at the expense of long-term innovation.”

“Districts offer larger cities the chance to take on these challenges in bite-sized stages. Neighbourhood councils, city-council districts, business improvement districts, tax districts, campuses (education, institutional, and commercial), Promise Zones, sanitation districts, and the many other forms of division and segmentation seen in the bigger cities make wide geographies and large constituencies manageable and serviceable.
These districts are also a path to finding successful solutions that can then be extended to the larger area and population.”

“Information and communication technologies (ICT), the proliferation of sensors (through the Internet of Things), converging data standards, and improvements in computational methods and technologies are also combining to provide new possibilities for the physical management and the socioeconomic development of cities. Local governments are looking to data and analytics technologies and creating pilot projects to improve their services. Technologies also influence patterns of behaviour. Digital and mobile technologies are making the connections between service providers and users tighter, faster, more personal, and more comprehensive. Sharing-economy business models, which can scale rapidly using the Internet to funnel excess capacity into exchanges for peer-to-peer collaboration, are emerging. Those models enable more efficient use of physical assets, such as cars or real estate, while also providing new sources of income to city residents.”

“Cities are systems of systems, characterized by complex interactions between different sectors, such as transport and energy. The ‘City Web’ concept creates new opportunities for higher-level integration and potential optimization across urban networks (such as mass transit and bike-share programs). It would naturally offer high-level support for goals such as sustainability, resiliency, accessibility, equity, transparency, security, and, of course, efficiency. To realize the City Web there must be research, development, and demonstration that go beyond today’s open or sharable data, APIs, and early successes in predictive analytics. For example, partnerships between cities and research institutions have potential not only to innovate and demonstrate such new capabilities but also to use research institutions as trusted third parties where data can be combined and analysed under rigorous controls.”

The top three recommendations were as follows:

RECOMMENDATION 1. The Secretary of Commerce, working with the Secretaries of Housing and Urban Development, Transportation, and Energy, should establish an interagency initiative, the Cities Innovation Technology Investment Initiative (CITII), which will encourage, coordinate, and support efforts to pioneer new models for technology-enhanced cities incorporating measurable goals for inclusion and equity.

RECOMMENDATION 2. Because PCAST believes technology will play a crucial role in revitalizing low-income communities in cities across the United States, the Department of Housing and Urban Development (HUD) should embrace technological innovation as a key strategy for accomplishing its mission.

RECOMMENDATION 3. The Administration should seek legislation enabling two financing programs that will support cities and municipalities to develop Urban Development Districts (UDDs) and to introduce significant new technology in their communities.

The report is a recommended read for all levels of government and available at: https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_independence_tech__aging_report_final_0.pdf

For more information about PCAST, see www.whitehouse.gov/ostp/pcast


www.chiefIT.me

CIOs, IT Leaders and decision makers • Big data • Communications • Cloud computing • Technology systems • Interviews with industry thought leaders plus much more.


Australian & New Zealand Disaster and Emergency Management Conference
30 - 31 May 2016 | Jupiters Hotel, Gold Coast
anzdmc.com.au

The Conference theme ‘EARTH, FIRE and RAIN’ will continue to examine issues that impact preparedness, resilience, response and capability.

The program will provide all participants with an opportunity to contribute, learn and network with peers. It will examine the lessons learnt from recent national and international events and provide a comprehensive forum to examine the expertise, competencies and systems relating to our preparedness and response.

The Conference Program will include an extensive range of topics with Keynotes, Concurrent Sessions, Case Studies, Panel Discussions and Poster Presentations.

TOPICS WILL INCLUDE:

• Consequence Management - from Preparation to Business Continuity

• International Response to Disasters

• Crisis Leadership

• The Recovery Process

• Psycho-Social Implications of Disaster Management

• Understanding and Enhancing Resilience

• Emerging Technology and Capability Needs

• Volunteers in Emergencies

• Urban Search and Rescue

Bushfire & Natural Hazards CRC

