Print Post Approved PP100003227
THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Oct – Dec 2018
Many modes of supply chain attacks The dawn of the digital Manager Australian-made FLAIM Trainer The rise of hashgraph A cyber week in London – Part 2
$8.95 INC. GST
India’s Supreme Court reins in citizen profiling Biological Protection-In-Depth How to minimise roulette wheel motion blur Cyber Risk Meetup - Wrap-ups & Launches Resilient organisations begin with resilient people
Migrating to IP video SURVEILLANCE PLUS
Techtime
REINVENT OR BECOME OBSOLETE Keeping up in a Risky World 2018 One-Day Summit
Wednesday 14th November 2018 | Sydney TICKETS from $50
BUY ONE TICKET – get a second half price! Futurist Keynotes
▪ The Rising Imperative for Change ▪ Cultural Impacts of Royal Commissions: Reinventing Ourselves ▪ The Future of Working: Resolving the Cyber Skills Shortage ▪ Deep in the Dark Web.….what can you teach us? ▪ Industrial Disruption: How voice technologies and 3D printing are changing the game ▪ The Reinvention Effect ▪ Reimagining the Risk Professional of the Future
Shara Evans
Ross Dawson
Earn up to 8 CPE Special applies to all full-priced ticket categories
TO REGISTER: go to isaca.org/Sydney
Sponsorship enquiries: Marketing@isaca.org.au
Contents Editor's Desk 3 Frontline Many modes of supply chain attacks
8
Executive Editor / Director Chris Cubbage
The dawn of the digital Manager
Why digital transformation must incorporate security transformation
12
Director / Co-founder David Matrai
Australian-made FLAIM Trainer
14
The rise of hashgraph
16
India’s Supreme Court reins in citizen profiling
18
Biological Protection-In-Depth
20
How to minimise roulette wheel motion blur
24
Migrating to an IP video surveillance solution
28
Resilient organisations begin with resilient people
30
Risk Management – From SARs to Cryptocurrency
32
HID Global Consultant Roundtable 2
34
The future of innovation & the BIG CISO question?
32
Art Director Stefan Babij Correspondents Jane Lo Tony Campbell Sarosh Bana Bennett Ring
MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.
CONNECT WITH US
10
digital Manager
Cyber Risk meetup launched in Singapore
36
The future of innovation & the BIG CISO question?
38
Cybersecurity in-depth in APAC
42
A Cyber Week in London - Part 2
44
Internet of Threats
50
TechTime - the latest news and products
54
Book review
58 Page 14 - Australian-made
FLAIM Trainer
OUR NETWORK
@AustCyberSecMag
www.youtube.com/user/MySecurityAustralia
chain attacks
Page 10 - The dawn of the
Cyber Risk Meetup
www.facebook.com/apsmagazine
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
Page 8 - Many modes of supply
Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.
Correspondents* & Contributors www.australiancybersecuritymagazine.com.au
Page 18- India’s Supreme
Court reins in citizen profiling www.asiapacificsecuritymagazine.com
Jane Lo*
Tony Campbell*
Sarosh Bana*
Bennet Ring*
Dr Gavriel Schneider
Phillip Dimitri
www.aseantechsec.com
www.drasticnews.com
|
www.chiefit.me
Vlado Damjanovski Lance Krowitz
|
www.youtube.com/user/ MySecurityAustralia
4 | Australian Security Magazine
www.cctvbuyersguide.com
Also with Deborah Evans | Helen Masters | Benjamin Low
Page 20 - Biological ProtectionIn-Depth
Editor's Desk "China wants nothing less than to push the US from the Western Pacific and attempt to prevent us from coming to the aid of our allies. But they will fail” - US Vice President Mike Pence in his October 4 speech at The Hudson Institute, Washington, D.C
T
he security domain remains all encompassing, dictated by the context of the risk or threat. For the Australian security industry, the context should always be viewed internally and externally. Internal factors include, naturally, the needs and direction of the client organisation as well as the domestic threat environment and governance of the industry. However, externally, the macro factors of technological change, globalisation of supply chains and major power geo-politics in our region cannot be ignored. It would seem security advisors, directors, managers and government legislators need to get to a state of readiness for War. And consider for a moment the implications if we were ever to lose, There is little point in waiting for it to happen before planning and preparing, or worse, assuming it won't happen. Indeed, in a cyber security context, with the five eye nations now openly attributing cyber attacks against Russia and China, and Australia blocking Chinese technology companies from expanding in the market, the cyber war has already been declared. This is amidst so many other streams of dispute, including the unblinking rises in the ‘trade war’ and to concerning naval manoeuvres between China and US warships in the South China Sea. The West, including Australia, simply does not trust China. And the US is preparing itself for a serious fight. The 2018 Pentagon Report to Congress on China, stated “China’s military modernization targets capabilities with the potential to degrade core U.S. operational and technological advantages. To support this modernization, China uses a variety of methods to acquire foreign military and dual use technologies, including targeted foreign direct investment, cyber theft, and exploitation of private Chinese nationals’ access to these technologies. Several recent cases and indictments illustrate China’s use of intelligence services, computer intrusions, and other illicit approaches to obtain national security and exportrestricted technologies, controlled equipment, and other materials.” Mike Pence also raised an initiative that should concern Australia’s free society intimately. “By 2020, China’s rulers aim to implement an
Orwellian system premised on controlling virtually every facet of human life - the so-called “Social Credit Score.” In the words of that program’s official blueprint, it will “allow the trustworthy to roam everywhere under heaven, while making it hard for the discredited to take a single step.” Mike Pence continued, “Through the “Made in China 2025” plan, the Communist Party has set its sights on controlling 90 percent of the world’s most advanced industries, including robotics, biotechnology, and artificial intelligence. To win the commanding heights of the 21st century economy, Beijing has directed its bureaucrats and businesses to obtain American intellectual property –- the foundation of our economic leadership -– by any means necessary. Beijing now requires many American businesses, [and by default, Australian businesses] to hand over their trade secrets as the cost of doing business in China. It also coordinates and sponsors the acquisition of American firms to gain ownership of their creations. Worst of all, Chinese security agencies have masterminded the wholesale theft of American technology –- including cutting-edge military blueprints. And using that stolen technology, the Chinese Communist Party is turning ploughshares into swords on a massive scale.” Whilst the US and China continue along the Cold War path, ominous warnings are also explicitly being made from Israel against Iran. Efraim Inbar is the president of the Jerusalem Institute for Strategic Studies and has warned “ Israel has no choice but to wage war against Iranian entrenchment in Syria.” In the absence of a clear American or Turkish determination to confront Iranian encroachment, only Israel has the power to stop it…As the international community, including the US, has no appetite for a military confrontation with Iran, it is left to Israel to prevent its nuclearization. The only way to do it is by brute force, adding a new dimension to the war conducted already against Iran. This is an inevitable imperative for Jerusalem.” Any war involving Israel has global ramifications and should therefore be factored into an Australian context by local security advisors. Following the Bloomberg report “The Big
Hack”, Tony Campbell provides a timely article on supply chain attacks and how “more often than not, it’s easier for attackers to target your downstream suppliers and/or service providers, since you are likely to trust their products and services as being safe and secure.” Tony writes, “It might sound like fiction, but NSA documents released in Glen Greenwald’s book, No Place to Hide, show how the NSA’s Tailored Access Operations (TAO) unit intercepts computer and networking equipment being shipped to organisations they want under surveillance.” China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs is now accused of doing much the same, with installed micro-processers in a comprehensive ‘seeding attack’. Deborah Evans also provides yet another insightful biosecurity article and discusses the importance of broad-spectrum Biological Protection for the survival of mankind and with continued outbreaks becoming increasingly apparent. Progressive biodefence concepts incorporate protection from biological threats of a diverse nature, including those from naturally occurring, accidental and deliberate sources. Subsequently, biodefence concepts transcend military discourse and extend across disciplines and sectors. Whilst our Singapore Correspondent Jane Lo provides an ideal segway with her article which links SARS to Cryptocurrency and the need for an understanding of the diverse risks faced by an organisation being a key aspect of planning – reflecting the theme of the ARRC 2018 “Corporate Governance, Risk & Resilience Planning in Action’ Conference.’ And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage. Sincerely, Chris Cubbage CPP, CISA, RSecP,
Australian Security Magazine | 5
00
R1 OVE ODES, EPIS ER OV
00 S 0 , 0 5 OAD NL
DOW
www.australiancybersecuritymagazine.com.au 6 | Australian Security Magazine
PODCAST HIGHLIGHT EPISODES Episode 103 – World-renowned cyber security expert, “The Ethical Hacker” – Oliver Stone’s cybersecurity adviser on “Snowden” and CEO of Estonia startup Seguru.io This is a broad interview with Ralph Echemendia, world-renowned cyber security expert, known internationally by his alter ego “The Ethical Hacker.” For over 20 years, Ralph has delivered training on hacking and other security information to corporations including the US Marine Corps, NASA, Google, Microsoft, Oracle, AMEX, Intel, Boeing, Symantec, and IBM.systems provides new business opportunities with developing smaller and lighter payloads.
Episode 109 – Cybernomics: Digital Asset Valuation & Cyber Risk Measurement with Dr. Keyun Ruan, Computer Scientist & Author “Digital Forensics” This interview with Dr. Keyun Ruan dives into her research in identifying the value of ‘cyber’ in business, establishing traceability for better risk management, analyzing the attacker’s role in cyber risk and the outlook for the future of cyber risk quantification. Dr. Keyun Ruan has worked as a PhD researcher at the Center of Cyber security and Cybercrime Investigation (University College, Dublin) and in cloud forensics at the Cyber Security Research Lab (EADS).
Episode 112 – Interview with the CEO of CyLon at ICE71, Singapore. CyLon is the world’s leading cybersecurity accelerator We sit down with Anton Opperman, CEO of CyLon at ICE71. CyLon is the world’s leading cybersecurity accelerator. Since launching in London in 2015 CyLon has run several accelerator programmes, successfully accelerating over 50 cybersecurity startups, many of which are now working with major global corporations, governments and world-leading investors. CyLon is working in partnership with Singtel Innov8 and NUS Enterprise to deliver the ICE71 Inspire and ICE71 Accelerate programmes.
Episode 107 – Child Cyber Security Ambassador & Child Hacker – Reuben Paul, 12, aka “RAPst4r”, the Founder of CyberShaolin Following his presentation on stage at Cyber Security Asia, Kuala Lumpur, we sat down with Reuben Paul, our youngest guest and Cyber Security Ambassador, Child Hacker, Black Belt in Shaolin Do Kung Fu, USA Gymnast, Video-gamer & Cyber Ninja. These are some of the growing titles used to describe 12-year-old Reuben Paul aka “RAPst4r”, the Founder of CyberShaolin.
Episode 117 – GDPR & Cambridge Analytica – A Cyber week in London with Jane Lo, Singapore Correspondent Jane started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for Corporates and Banks, before relocating back to Singapore. er experience included using data predictive analytics for fraud at global financial institutions (Deustche Bank, JP Morgan) and advisory to financial institutions with PriceWaterHouseCoopers.
@BSidesPer 2018 Podcast series #BSidesPerth BSides Perth 2018 attracted over 300 delegates, including kids and families, to UWA Business School and along with t-shirts, beanies and tool kits, delegates also received a cool and unique handmade conference badge, using a NodeMCU ESP8266 WiFi SoC. Security BSides (commonly referred to as BSides) is a hacker convention, held amongst a growing eco-system of events in Australia and New Zealand that provide a community driven framework for information security conferences.
Data Centre Deep Dive with #DCDAustralia & #DCDSingapore IAs part of our Data Centre #DCD media partnership here is a series of interviews which deep dive into the Data Centre industry, recorded in August & September 2018 at Data Center Dynamics – DCD Australia, Sydney #DCDAustralia and DCD South East Asia in Singapore #DCDSingapore. • Business Drivers & Data Centres, with Stephen Worn, CTO & CEO DCD North America • Achieving sustainable data centres and the next Moore’s Law trends, with Prof. Ian Bitterlin, Leeds University • Is this the McDonalds of the DC industry? Meet Digital Realty, the world’s largest full scale data centre provider • How IoT data capture and processing is driving new edge-to-core data center network • Data Centre trends in the era of edge computing and security considerations around rapid deployment • The future of Data Centres in an age of robotics, AI, IoT, machine learning and AR/VR, Prof. Greg Sherry
Episode 100 – Intrepreneurship, SCADA systems and maritime supply chains Ken Soh, CEO of Athena Dynamics Pte Ltd speaks about his journey into Intrepreneurship, shipping and maritime security frameworks, SCADA Systems and the inspiration sourced from Israel. As CIO of BH Global Corporation, Ken’s journey got underway when the company funded a study week in Israel and he returned to Singapore as an Intrepreneur, the CEO of Athene Dynamics and servicing BH Global Corporation’s supply chain customers. Ken effectively turned the IT department into a profit centre and software distributor. With consideration to shipping and maritime security trends and supply chain security, we then dive into two of the company’s software products: Sasa Software is a 9-layer, ultra-deep-scanning anti-malware and sanitisation (CDR) solution augmentable by uni-directional data diodes with Wintel based proxies; and ICS2, a SCADA monitoring platform that specialises in real-time behavioural analytics of OPC data passively extracted from control systems.
www.australiancybersecuritymagazine.com.au Australian Security Magazine | 7
Frontline
Many modes of supply chain attacks
I Tony Campbell ASM Correspondant
t’s no secret that cyberattacks are on the rise. Furthermore, the threats posed by hacking and systems exploitation don’t exist in isolation in your technology platforms. More often than not, it’s easier for attackers to target your downstream suppliers and/or service providers, since you are likely to trust their products and services as being safe and secure. These sorts of attack are known as supply chain attacks and there are several modes of attack threat actors use to disrupt or compromise their targets. Let’s explore those modes of attack to give you an appropriate threat model to help you build resilience into your organisation’s supply chain. Physical Supply Chain Attacks On June 9th, 2010 in a remote outpost of the Punjab in Pakistan, the local Taliban militia claimed responsibility for an attack against a truck depot on the outskirts of Islamabad. The attack saw the destruction of 60 trucks, where some of those vehicles were carrying NATO supplies for troops based in Afghanistan. The motive, in this case, was service disruption. It is evident that the intent was to harm NATO’s capability, since the attackers didn’t try to hijack the convoy, destroying the cargo in the hope that their actions would reduce NATO’s capability to engage them in battle in Afghanistan. In the world of cyber security, physical attacks on the supply chain are also something to be concerned about. Take
8 | Australian Security Magazine
for example the threats of your computer systems being tampered with before they even arrive in your office. It might sound like fiction, but NSA documents released in Glen Greenwald’s book, No Place to Hide, show how the NSA’s Tailored Access Operations (TAO) unit intercepts computer and networking equipment being shipped to organisations they want under surveillance. There are even pictures of a workshop showing a special “load station”, where NSA engineers are implanting custom (malicious) firmware onto CISCO networking devices prior to them being shipped onto their destination. These are two different mode of physical attack, where the first is aimed at disruption and service degradation, while the second is an attack on confidentiality, since the aim there is remote control or data exfiltration. The first is an overt attack, still on the supply chain, while the second is covert and much harder to detect. Digital Supply Chain Attacks Off the shelf hardware and software, whether it’s from a bigname supplier or provided by one of the thousands of niche vendors out there, how do you know if the software you are installing on your systems or the hardware you are plugging into your network is secure? Case in point, back in 2016 the media had a field day
Frontline
“These are two different mode of physical attack, where the first is aimed at disruption and service degradation, while the second is an attack on confidentiality”
pressed to entertain helping in these supply chain attacks? Huawei has also been in the press recently for being banned in several Western countries due to its supposed tie to the Chinese government. So, the question is who can you trust? Coding and Open Source Libraries Even coding has its issues. No one writes every line of code in their application’s codebase anymore. Most of the time, open source libraries are linked into the main application to provide services such as security, identity and access management, cryptographic services, graphical interfaces and hardware access, all of which have functions that need the highest privileges on the system to run. Many applications are built entirely on openly available third-party platforms, such as gaming engines like Unity, Cryengine and Unreal. Each of these platforms offers all the core gaming capabilities, such as the physics processing needed for games appear like real life. So, how can you know, for sure, whether you can trust these? Building Trust in Your Supply Chain
when news broke of networking giant, Juniper Networks, announcement that they found, as they called it, unauthorized code embedded in their firewall operating system. To make matters worse, investigations showed that the rogue code appeared to have been included in many iterations and revisions of ScreenOS (their custom operating system used across many of their products), dating back as far as 2012. And what did this rogue code do? It allowed attackers to take complete control of Juniper NetScreen firewalls. That, unsurprisingly, for a suitably skilled hacker, is game over for the owner of the firewall. The story gets even more incredible after that, where it seems the NSA might have been responsible for the original back door, executing that attack (possible with permission from Juniper) to launch their own supply-chain attacks on foreign governments – now we are speculating, but it seems likely. For the whole story, read Wired’s coverage of it here: https://www.wired.com/2016/01/ new-discovery-around-juniper-backdoor-raises-morequestions-about-the-company/. This example shows how complex code systems can be corrupted and backdoors can go unnoticed for a very long time. Furthermore, companies that are requested to assist their government in their international espionage pursuits are stuck between a rock and a hard place. If you say no, could they put you under pressure to comply? Under a harsher oppressive government regime, how far could a company be
The problem with supply chain attacks is that you have little to no control of most of these issues. If you are buying networking equipment and run a secret government lab, your choice of vendor might well be limited to US manufacturers who are on the NSA’s friendly list. In the UK, CESG maintains a similar list, as does ASD in Australia. The vendors on these lists have gone through evaluation by these government entities, but this is usually only for the largest vendors, which also attracts the highest price tag. So, if you are on a tighter budget, it’s all about risk management, as is everything in security. You can grab some assurance in the form of a contract, where indemnity clauses could help you fix problems if they arise, and the supplier would attest to them fixing bugs and having no knowledge at the time of sale of any such authorised back doors or unpatched vulnerabilities. Again, there is no guarantee, but you’ve taken some steps to mitigate the risk. At least you have considered it and had the conversation. Supply chain attacks are a major concern for governments, financial companies and other such entities that carry massive national security and economic risks when they do business. However, most businesses won’t be targeted by national state actors, but due diligence is still required when you build and procure systems. Just take a beat the next time you ask your software development team to compile in a library from GitHub, without at least doing a cursory code review. Who knows, you might find a juicy vulnerability during the review and rake in a bug bounty in the process, after all most clouds have a silver lining.
Australian Security Magazine | 9
Frontline
The dawn of the digital Manager By Helen Masters, Senior Vice President and General Manager, Asia-Pacific at Infor Systems
10 | Australian Security Magazine
T
hink about your boss. You may be experiencing a positive feeling due to their genuine support and encouragement — or you may have felt a tinge of frustration resulting from their controlling and authoritarian approach. So, the following news may be or may not be welcome: the role of manager (as you know them) is going the way of the dinosaur. We are incessantly bombarded with the message that artificial intelligence (AI) and robots will soon replace as many as half of today’s existing jobs. While there is undeniably an Orwellian fear associated with the future of work, we must step back and remember that we have already relinquished control to technology in other areas of our lives. Consider transportation: virtually all of us have ridden a train with no human conductor, self-driving cars are supposedly just around the corner, and soon airplanes may not even need a captain. So, is the notion of replacing your existing manager with a digital one that hard to imagine? And if you think this is a tale about the distant future, keep in mind that Gartner predicts in 2018 more than 3 million workers globally will be supervised by a ‘roboboss’. Operational Automation Before we wish them a bon voyage, it may be helpful to reiterate the actual role of a manager. The basic premise of “management” in most organisations is centred on the responsibility to monitor individuals and ensure compliance with policies/procedures. This is admittedly an oversimplification that excludes many other critical obligations, but it is nonetheless an accurate portrayal of most of their daily tasks. According to a recent study by Accenture, these administrative activities typically comprise 54% of a manager’s time. If time is money, that equates to some serious savings, especially if we can offload transactional tasks to someone (or something) else. Absent the influence of technology, the millennial generation has already begun to challenge the old-school, command-and-control form of management, in favour of new ways of engaging, enabling
78% of managers of managers said they would trust the advice of intelligent systems in helping them make better business decisions in the future. and empowering the workforce. These evolving social conventions, when combined with new technologies, paint a very different picture of the role of the manager in this new framework. Operational automation is arguably minute in comparison with the true value that comes with what many refer to as “augmented intelligence” instead of AI. All organisations rely on managers to make frequent decisions that fall into “gray areas.” Far too often, these decisions are based on all-too-human intuition (which is subject to attribution errors, unconscious biases and a host of other problematic elements that frequently prevent us from reaching the correct conclusion). Banishing bias What if you had 24/7 access to the relevant data you needed to make an evidence-based decision versus an intuition-driven choice? In a recent survey by Harvard Business Review, 78% of managers of managers said they would trust the advice of intelligent systems in helping them make better business decisions in the future. As the role of humans in the workplace evolves, there is an increased need to balance both technical and social skills. While some will continue to rage against the future of robots in the workplace, others will welcome having a digital manager to approve expense reports and PTO requests so we can focus on creating authentic, meaningful relationships with our people.
Frontline
Driving growth in Australia’s cyber security sector From ideation to export, and everything in between, AustCyber works with: • Startups
• Government agencies
• Scale-ups
• Research organisations
• Corporates
• Educational institutions.
• Venture capital funds
AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access: Funding across all stages of the commercialisation cycle Profitable global supply chains and growth markets.
The first step is to connect with us: www.austcyber.com
info@austcyber.com
+612 9239 3250
@AustCyber Australian Security Magazine | 11
Frontline
Why digital transformation must incorporate security transformation
E Philip Dimitriu Director of systems engineering, Australia and New Zealand, Palo Alto Networks
12 | Australian Security Magazine
ffective cyber defense must withstand changes to adversary tactics and tools that traditional nonintegrated “best of breed” approaches cannot address. It must address advanced unknown threats as well as known threats. Resiliency and defense across the Cyber Attack Chain comes from protecting and defending systems at all places in the network, across all network traffic on endpoints, in data centers, in remote locations, public and private clouds and at major Internet gateways. Philip Dimitriu, director of systems engineering, Australia and New Zealand, Palo Alto Networks, said, “Most business leaders are at a point where they fully understand the need for digital transformation and it can be frustrating for them to be told that they need to slow down or avoid implementing certain projects because existing security measures are inaccurate. “As more organisations embark on a digital transformation journey, many are finding their ambitions thwarted by a security infrastructure that can’t cope with the new environment. While it’s essential to leverage new and emerging technologies to achieve business goals, failing to secure these properly from the outset can open organisations up to significant security risks that can potentially negate any advantage derived from that technology. Therefore, businesses must consider a security transformation in parallel to any digital transformation projects. The answer is to secure it from
the outset.” One of the key stumbling blocks for organisations in the midst of digital transformation is overcoming cultural contributors to poor security. Philip Dimitriu added, “Ignorance can often be the biggest contributor to cyber incidents. Depending on the size and complexity of an organisation, multiple individuals, teams or governance committees, may be required to cascade security transformation. Organisations must adopt a prevention-oriented mindset if they want to have a chance at protecting themselves. When boiled down to its core, security transformation really means four key things, complete visibility accompanied by credible intelligence feeds, reducing the attack surface, prevent known threats, and prevent unknown threats. In organisations where a strong security mindset hasn’t always been part of the culture, it can be easy for people to make innocent mistakes that lead to cyberattacks. As with transformation of any sort, the first area for businesses to focus on is staff education – across the entire organisation, including IT. People unwittingly click on the wrong link or use the same password for every app, and suddenly the organisation is experiencing a cyberbreach. Organisations can mitigate this risk by providing comprehensive, regular security education to all team members. For example, security professionals need to
Frontline
“Businesses need a security solution that is tailored to their environment and can monitor, detect, and report on threats, automate workflows, and meet compliance requirements. Stopping sophisticated attacks requires a strong, strategic security posture. Businesses looking to digitally transform must ensure they build security considerations in from the outset to ensure success.”
teach employees how to spot malicious emails, reinforce the importance of strong, hard-to-guess passwords, and explain why they should never download apps without checking with the IT team. “Security is everyone’s responsibility. The more technology an organisation relies on, the more important it becomes that everyone does their part to keep the business safe.” A successful digital transformation, therefore, depends on the organisation being able to bring together the right people into agile teams so that they can begin to think differently and change the way they work to fully leverage the value of new technology tools. A strong security culture must be augmented by the right security tools. This includes automating the security response. It’s impossible to keep up with the speed and frequency of cyberattacks using manual resources. You must fight an automated adversary, with automated security processes.
Businesses therefore need to choose tools that don’t get in the way of agile business, while supporting workflow across the organisation. Businesses also must secure every aspect of the transformed enterprise, including cloud and endpoints. Most businesses have a mixture of on-premise and cloud-based workloads and data repositories. Each of these presents a potential entry point to the broader network for malicious attackers. Implementing strong security measures that protect on-premise infrastructure without similarly securing the cloud renders the on-premise security next-to-useless. Only by securing every potential entry point can organisations be satisfied that they have a strong security posture. Businesses should choose a security vendor capable of protecting every potential entry point regardless of where it sits. Furthermore, security services must share intelligence and automate enforcement so team members can confidently focus on core tasks. Philip Dimitriu said, “Businesses need a security solution that is tailored to their environment and can monitor, detect, and report on threats, automate workflows, and meet compliance requirements. Stopping sophisticated attacks requires a strong, strategic security posture. Businesses looking to digitally transform must ensure they build security considerations in from the outset to ensure success.”
Australian Security Magazine | 13
Frontline National
Australian-made FLAIM Trainer helps fight fire with the power of VR
V By Bennett Ring ASM Correspondent
14 | Australian Security Magazine
irtual Reality might be best known for its entertainment qualities, but it’s also set to revolutionise the way certain industries take part in training. For example, NASA has been using VR technology to train its astronauts in EVA walks for over two decades. Now two Australian companies have teamed up to bring VR to the art of firefighting, with the introduction of the the FLAIM Trainer training system. Created in a unique partnership between Dimension Data, a global technology integrator and managed services provider, and FLAIM Systems, a start-up wholly owned by Deakin University, the FLAIM Trainer aims to replicate the difficult and dangerous conditions that firefighters must face when training to fight fires. Rather than a simple Head Mounted Display (HMD) and motion controllers, the FLAIM system integrates the existing Vive HTC HMD into a full face-cover that replicates the breathing apparatus used by real firefighters. As a result, it doesn’t need to mimic smoke, as the closed-breathing system removes any externally inhaled smoke. This full-face mask is used in conjunction with a clothing system that includes heat generation components to mimic the harsh heat faced by
firefighters. Called Hitoe, it’s described as a “a wearable, biosensing nano-fibre vest which tracks electrocardiogram (ECG) readings and transmits them in real time for fitness analysis of firefighters during training.” This allows trainers to monitor the exact physical condition of trainees during the simulated fire situations. The analytics platform was originally designed by Dimension Data to monitor the performance of athletes in the Tour De France cycle race, but has since been modified for use in the FLAIM system. As well as the Hitoe vest and simulated breathing apparatus, the system also includes a virtual water hose which uses haptic simulation to deliver force feedback, allowing the user to get a feel for the strength of the flow of water under different pressures. Further optional extras include hose reels with a higher jet reaction force, augmented reality and 360 degree video training solutions, and real time performance data visualisation. The entire cost of each basic training unit is $40,000; according to James Mullins, Associate Professor, Deakin University and Chief Technology Officer of FLAIM Systems, a single week of real-world “hotfire” training can cost up to $50,000. The reusable nature of the FLAIM system thus represents a substantial cost saving in comparison.
National
condition and fitness levels. The FLAIM system has only recently reached the market, with customers already existing in Australia. It’s also being marketed internationally, and Mr Mullins describes the target customer base as, “….traditional fire departments/public safety, airfield rescue and firefighting, military, mining and industry and training service provider organisations.” According to Mr Mullins, the most difficult aspect in developing the simulation was accurately modelling the physical properties of fire, smoke, water and heat, which the system must do simultaneously, thus requiring significant computing power. While specifics weren’t given, the software runs on “high end PC systems”, allowing the company to use off-the-shelf components that are easy to upgrade and support. In future, the company aims to develop more scenarios that will be used as part of a subscription library, allowing customers to more accurately train for specific instances. There are also plans to add a first-aid component to the training system, as on-the-ground medical support is a huge part of a fire-fighters roles. As one of the most innovative VR training solutions found in the world, FLAIM again highlights Australia’s ground-breaking research in this field. Combined with other companies such as Opaque media, who are working with NASA on simulations, the land down under is well on its way to becoming a world leader in the field of VR.
It’s also fully portable, so can be used across an organisation’s various operations. It’s not intended to be a total replacement to real-world hotfire training though; rather it can reduce the preparation and length of hotfire training required to train a candidate, as well as increase the effectiveness of equipment familiarisation. Mr Mullins explained the various scenarios that FLAIM can mimic. “Our scenarios are designed to replicate real world effects of fire, smoke, water and heat. The environments in which the fire activity occurs also impacts the behaviour of each of these factors. The behaviour of these factors in a house fire are different to open-air bushfire scenarios. We have and continue to develop specific software models and scenarios to simulate with high fidelity the visual, sound and physical experience of firefighting.” During the training, data is captured via an analytics dashboard, and measures things such as smoke level, fire intensity, water jet reaction force and spray patterns. The system’s Hitoe bio-sensing tech also monitors how the firefighter is coping with the conditions, keeping track of the user’s heart rate, ECG and stress levels. This can then be used as a benchmark, to ensure the user is meeting required
The ‘go-to’ tool for leading professionals WEBINARS WHITEPAPERS UP COMING EVENTS CONFERENCES
promoteme@mysecuritymarketplace.com
www.mysecuritymarketplace.com Australian Security Magazine | 15
Cyber Security
The rise of hashgraph
H
edera Hashgraph recently secured $100 million in funding as it seeks to create a new commerce network based on its hashgraph consensus technology. (That’s just another term for a new distributed public ledger.) The US-based company, which will use the money to accelerate the development of key services, says the amount of money raised highlights how much potential it has to change the internet as we know it, and overcome some of the obstacles faced by cryptocurrency and blockchain companies. But what is hashgraph? And why should you be paying attention to it? Hashgraph is a distributed ledger technology, or DLT, developed by Leemon Baird, co-founder and CTO of Swirlds – a software platform for distributed applications. Hedera Hashgraph is a cryptocurrency based on the hashgraph algorithm. According to Baird, hashgraph – not blockchain – is the future of DLT. Why is hashgraph superior to blockchain? The main benefit hashgraph has over blockchain consensus mechanisms is fairness in transaction order. Use cases include high-frequency trading (HFT) on a stock exchange, where the millisecond transaction ordering offered by Hashgraph creates a ‘fair’ market. This fairness is achieved through a
16 | Australian Security Magazine
combination of mathematical proof and accurate timestamping. Then there are the transaction speeds. A common factor of debate among Bitcoin Core developers, for example, is that it increases block size within the blockchain to increase transactions per second, whereas events in hashgraph can be any size. When creating a new event, any new transaction/s, plus a few bytes for overhead, make up the entirety of the event size. Events can be anywhere from a few bytes (no transactions) to whatever size is required. Combine this with hashgraph’s consensus algorithm, ‘PoG’ (proof of gossip), where events within the graph ‘gossip’ to each other about all previous events, thus spreading ‘gossip about gossip’. Transaction speeds can now reach 250,000 per second, pre ‘lightning network’ equivalent and pre ‘sharding’. Also, hashgraph is completely secure with aBFT (asynchronous Byzantine Fault Tolerance), which is, in theory, the most secure version of BFT. Bitcoin is not. aBFT can overcome internal and external attacks. No one can influence the transaction order, as there is no mining. Since consensus is arrived at by randomly syncing with others, hashgraph doesn’t require large computation power like bitcoin does. This lowers transaction costs significantly.
Cyber Security
‘We think that will be incredibly important for things like the internet of things, where the things will discover each other and engage in commerce automatically in a micro economy,’ Harmon said in an interview with VentureBeat. enable is the micropayment. ‘We think that will be incredibly important for things like the internet of things, where the things will discover each other and engage in commerce automatically in a micro economy,’ Harmon said in an interview with VentureBeat. He also said it could enable high-throughput transactions for online games, where you can use the hashgraph to verify the authenticity of resources. Hedera Hashgraph is creating public applications programming interfaces to enable three services. It will: • •
•
Does hashgraph make blockchain obsolete? In short, no. Hashgraph is not without its flaws. In fact, it will face the same issues that other public blockchains are currently facing, and may not be able to maintain is security and performance. For example, the original bitcoin blockchain tended to hit its limit at only seven transactions per second, while Ethereum maxed out at around 15 transactions per second. Hashgraph currently scales only in relation to the number of transactions processed, but doesn’t scale with regard to the number of nodes in the network. This inherent limitation is often referred to as the ‘scaling problem’. This problem is often regarded as one of the main obstacles for cryptocurrencies to overcome. While we should appreciate the underlying technology in hashgraph, we should also appreciate the blockchain technology that has paved the way for it.
Create a cryptocurrency-as-a-service with native support for micropayments Create distributed file storage for the network that can be used by smart contracts, or programs that run on the public ledger Create smart contracts based on Ethereum’s scripting language, Solidity
That makes it possible to build distributed applications that run on the Hedera Network, Harmon said. Anthony Stevens is the founder and CEO of Digital Asset Ventures, a digital strategy and software development company. Digital Asset Ventures’ technology expertise is concentrated in three key areas: distributed ledger technology, artificial intelligence, and big data and data networks. Anthony is also the co-author of Chasing Digital: A Playbook for the New Economy (Wiley).
What does the future hold for hashgraph? Upcoming cryptocurrencies based on hashgraph will have to register with Hedera Hashgraph. They’ll also have to request tokens for vendors that accept virtual currencies running the hashgraph algorithm. According to Hashgraph Hedera CEO Mance Harmon, one of the things Hedera Hashgraph will
Australian Security Magazine | 17
Regional
India’s Supreme Court reins in citizen profiling
I By Sarosh Bana ASM Correspondent
18 | Australian Security Magazine
n a sharp rebuke to India’s civil libertarians, the country’s Supreme Court has upheld the constitutional validity of the biometric-based national identification platform called aadhaar that is widely viewed to be a tool of mass surveillance. Though in its majority verdict (with one judge completely dissenting), the five-judge constitutional bench of the apex court did reduce the scope of aadhaar’s application, an outright striking down of this personal data gathering medium would have grossly discomfited the Narendra Modi government. Prime Minister Modi had put his personal weight behind aadhaar and had his rightwing Bharatiya Janata Party (BJP)-led government push the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, through Parliament in March 2016. Modi had vigorously contested the ID platform ever since it was first mooted in 2010 by the previous Congress-led government, saying it violated one’s “constitutional right to privacy”, but changed his stance once he became Prime Minister in May 2014. An adverse verdict would have complicated his campaign for the 2019 general elections, his government
having already enrolled 1.22 billion aadhaar holders, 91 per cent of India’s overall population of 1.34 billion. While aadhaar was originally conceived as a means to provide efficient access to government welfare schemes meant largely for the underprivileged, the BJP government made it mandatory for accessing a host of services like opening and operating bank accounts, filing Income Tax returns, and for applying for cellphone services, passports, driving licences, house subsidy, school admissions, death certificates, train tickets, and even for supplementary meals at crèches and maternity benefits. Besides, permanent account number (PAN) cards, required for all banking services, would be unacceptable unless linked to aadhaar. In its ruling on the 27 writ petitions challenging the constitutional validity of aadhaar, the Supreme Court observed that the scheme empowers people on the margins of society, and its benefits far outweigh concerns about the violation of privacy and data breach. But it struck and read down certain sections of the Aadhaar Act, most significantly clarifying that the government cannot deny any benefits to
Regional
The government has said it was considering amendments to laws to get around the prohibitions imposed by the Supreme Court order.
any individual for not having an aadhaar number. “It would be appropriate if a suitable provision be made for providing alternative remedies,” it said. The Supreme Court also held that banks and other financial institutions, telecom services, private companies and educational institutes cannot seek aadhaar data for any services they render. The court, however, upheld Section 7 of the Aadhaar Act that mandates aadhaar for any government scheme that draws out of the consolidated fund of India, such as subsidised rations and LPG, and the employment guarantee scheme. Aadhaar will also be necessary for filing Income Tax returns, for applying for PAN and for linkage with PAN wherever the latter is mandatory, implicitly making aadhaar inevitable in such situations. Significantly, the Supreme Court forbade agencies from retaining beyond six months the authentication data of citizens who have enrolled for aadhaar. It urged the government to bring in a robust data protection regime, even while observing that there were “ample safeguards” for security and data privacy in the aadhaar mechanism. Noting
that collection, storage and use of data do not violate the fundamental Right to Privacy and the Aadhaar Act, the court deemed the archiving of such data and records for a period of five years “bad in law”. In his dissenting judgment, Justice D.Y. Chandrachud deemed aadhaar unconstitutional and its enaction as a “Money Bill” - thus bypassing the Rajya Sabha (Upper House of Parliament) - a “fraud on the Constitution”. India’s Constitution does not require any legislation notified to be a Money Bill by the Speaker of the Lok Sabha (Lower House) to be ratified by the Upper House, a procedure mandated for all other legislations. The Aadhaar Bill was considered to have not fulfilled any of the seven provisions for a Money Bill to be so designated, but as the Constitution holds the decision of the Speaker in this regard as final – and not open to judicial, Parliamentary or even a Presidential review – the BJP government opted for this method to push the Bill through, especially because it did not enjoy a majority in the Upper House. The Congress party and some of the petitioners have been heartened by Justice Chandrachud’s dissenting judgment and are planning to reopen the case by asking for a larger seven-judge Constitutional bench. Justice Chandrachud held: “Bypassing Rajya Sabha to pass Aadhaar Act amounts to subterfuge and the law can be struck down.” In his judgment, he said it was “impossible” to live in India without aadhaar, which is a violation of the Constitution, that there was absence of any regulatory mechanism to provide robust data protection, and that allowing private players to use aadhaar would lead to profiling that could be used to ascertain the political views of citizens. The government has said it was considering amendments to laws to get around the prohibitions imposed by the Supreme Court order. As the fingerprint and iris scans and documentation for aadhaar applications are done on computer, erratic, or lack of, electricity has proved a major hindrance. There have been numerous instances where the poor have suffered immeasurably for want of an aadhaar number. A crematorium refused to have the final rites performed on a body in the absence of the deceased’s aadhaar card. A child passed away in her father’s arms as the man could not have her admitted to hospital without an aadhaar card. Hearings on the aadhaar case had continued even as a nine-judge Constitutional bench of the Supreme Court had in August 2017 unanimously ruled that privacy was a fundamental right as it was intrinsic to right to life and personal liberty guaranteed in Article 21 of the Constitution. Petitioners in the aadhaar case had hoped for this verdict to have had an influence on their outcome.
Australian Security Magazine | 19
BioSecurity Special
Biological Protection-In-Depth: A closer look at biosecurity and biodefence strategy. By Deborah Evans
20 | Australian Security Magazine
T
he importance of broad-spectrum Biological Protection for the survival of mankind is becoming increasingly apparent. Ebola Virus, Hendra Virus, Nipah Virus, Severe Acute Respiratory Syndrome (SARS), Middle East Respiratory Syndrome (MERS), and Avian Influenza are just a handful of examples of pathogens recently causing or threatening widespread fatalities. They strike fear into the hearts of citizens and governments alike and for good reason... they have the potential to devastate lives, families, economies and destroy the social fabric of civil society. We are not immune from what we cannot see, and protection from biological threats is perhaps the most urgent human endeavour of the coming decades. Biosecurity and Biodefence are co-dependant strategies sitting under the broader concept of biological protection. Biodefence is multi-faceted, consisting of multidisciplinary measures implemented at a national level to protect both civilian and combatant populations from biological threats. Although biodefence is often thought of as being exclusively the domain of government and military, its concepts have evolved beyond a fundamental objective of defending against biological attack. Progressive biodefence concepts incorporate protection from biological threats of a diverse nature, including those from naturally occurring, accidental and deliberate sources. Subsequently, biodefence concepts
transcend military discourse and extend across disciplines and sectors. Such disciplines include security & law enforcement, intelligence, politics and governance, emergency management and national preparedness, the health sciences, agriculture, the environmental sciences, the life sciences as well as most of the technological fields and specialities. Biodefence is very much a collective effort – it permeates all sectors and is incorporated into disciplinary specific methodologies and practices in a myriad of ways. In the event of a biological incident, each discipline will uniquely contribute to form part of the immediate response and longterm recovery efforts. However, the practical challenges of implementing and achieving a cohesive structure to support biodefence objectives are momentous. Co-ordinating and balancing the agendas and objectives of multiple sectors and disciplines is intrinsically problematic. Immense changes in technology, research and environmental factors have further elevated the capacity for biological threats to circumvent existing defences. Subsequently, approaches to co-ordinating biosecurity and biodefence mechanisms must be revisited and redefined as part of global biodefence strategy. To assist in the facilitation of global biodefence efforts, a multidimensional Protection-in-depth (PID) framework may require development at an international level to better coordinate and formalise the existing structures designed
BioSecurity Special
to achieve biodefence. PID – the ‘Onion Ring Model’ is a security theory used extensively to create enhanced security by overlapping layers of protection and detection through the systematic application of sequential measures. Although PID is often used to achieve physical security, the theory may be applied to both biosecurity and biodefence to achieve a more cohesive level of biological threat protection. Protection-In-Depth for Biosecurity Biosecurity is a core component of biodefence prevention and detection strategy. Biosecurity refers to the policies and measures applied to biological agents and toxins to prevent their loss, theft, misuse, diversion, unauthorised access or intentional unauthorised release. Security of high consequence pathogens such as Ebola Virus, Marburg Virus or Botulinum toxin in laboratories for instance, is vital to prevent acquisition by terrorists or adversaries with malicious intent. As a result, high containment microbiological facilities containing security sensitive biological agents are required by law to have sufficient biosecurity measures in addition to biosafety procedures. In Australia, the Security Sensitive Biological Agents (SSBA) Standards prescribe the requirements for the secure handling, storage, disposal and transport of known and suspected SSBAs.
The SSBA security requirements encapsulate ProtectionIn-Depth (PID) security theory - facilities containing SSBAs are required to have a systematic approach to physical security, policies, procedures, and practices to sustain a high level of biosecurity. For instance, access control requirements for facilities containing Tier 1 agents include an electronic access control system for entry into the secure area perimeter, and an additional form for access to Tier 1 SSBAs. In addition, the required procedural measures include formal authorisation, maintenance of detailed access control records, management of access control tokens and extensive reporting and documentation. Collectively, the technologies, systems and procedures overlap one another to reduce the inherent vulnerabilities of each measure. Given the abundance of security technologies available, the sky is the limit in terms of creating an ultra-secure biological facility using advanced technologies, policies, procedures and practices through the application of PID theory. The possibilities are restricted only by budget and operational requirements, not by system capabilities. Systems such as biometric access control, smart CCTV with behavioural anomaly detection, integrated perimeter detection systems, and specialised air filtration pressure systems are all examples of technologies which may be implemented to create the desired level of PID. While the capabilities of these technologies are impressive, they are not without vulnerabilities and limitations – like most technologies they can be compromised or circumvented with the right knowledge, capability and opportunity. Hence the value of PID becomes apparent – each security measure must be thoroughly scrutinised to identify vulnerabilities before additional layers of protection can be implemented. In controlled environments such as microbiological or other high security facilities, this is certainly achievable. Elements of an entire facility such as geographical location, site, construction, policies, procedures, practices, personnel, and routines may be decided and controlled – and the security mechanisms can be constructed and adjusted accordingly. Thus, the number of ‘Onion Rings’ in the PID framework should correlate with the degree of control over the environment. In dynamic environments where control is limited, PID may still be achieved, but the approach must be multidimensional and fluid enough to reflect and accommodate shifts within the environment. Protection-In-Depth for Biodefence Biodefence operates in a highly dynamic environment. Preventing, detecting and responding to naturally occurring, accidental or deliberate biological threats becomes difficult when the threats are constantly changing. Antimicrobial resistance, synthetic recreation, genetic modification, gain-offunction research techniques, the emergence of novel viruses, and the natural evolution of pathogens all contribute to the unpredictable nature of biological threats. Human behaviour and movement further facilitate the ability of pathogens to succeed in self-propagation and dissemination. The microbial world is both phenomenal and incredibly frightening. There are many biodefence technologies which have been developed to bolster efforts in detecting and responding to
Australian Security Magazine | 21
BioSecurity Special
There are many biodefence technologies which have been developed to bolster efforts in detecting and responding to biological events.
22 | Australian Security Magazine
biological events. For instance, Biological Point Detection and Biological Standoff Detection systems are technologies used for the detection and identification of aerosolised biothreat agents within the environment. Point detection systems sample aerosolised particles at a fixed point and may be deployed in both internal or external environments such as in subways, shopping centres, airports or in open public spaces. The United States has point detection sensors deployed in approximately 30 major cities across the US as part of their BioWatch program. Advanced point detection systems such as Autonomous Pathogen Detection Systems (APDS) can operate continually and use both Multiplex Immunoassay and Polymerase Chain Reaction (PCR) techniques to detect and identify aerosolised agents. They are sophisticated, sensitive and reliable systems that can detect a biological attack in real time and support the prevention or reduction in civilian casualties as well as directing medical treatment requirements and decontamination efforts. Standoff detection systems are an alternative type of technology used for the detection of Chemical, Biological, Radiological or Nuclear (CBRN) events. Biological standoff detection systems analyse aerosolised clouds or plumes remotely, from up to tens of kilometres without the need for sampling. They use technologies such as Light Detection and Ranging (LIDAR) with Ultraviolet Laser Induced Fluorescence (UV-LIF) to read the biological signatures of particulate matter contained in the plume based on the optical signatures reflected in response to laser excitation. UV-LIF LIDAR systems are one of the most prominent emerging technologies for biological standoff detection. Like point detection systems, they can direct efforts to prevent or reduce civilian and combatant exposure to aerosolised biothreat agents as well as assist in investigation efforts to determine the threat source based on point of attack. Despite their sophistication however, these technologies are relatively limited in scope and application. Currently, point detection systems may only detect known agents – unknown DNA sequences from modified, enhanced or novel pathogens created in the laboratory may go undetected, or mistaken for non-virulent species. This is perhaps the most significant and problematic issue likely to dominate future biodefence discourse concerning biodefence technologies. Critics of the technology also argue that point detection systems may easily be circumvented if adversaries are aware of the location of sensors or launch a series of localised attacks to increase the probability of mass-casualty. Standoff detection systems using UV-LIF LIDAR have a limited detection range and have not yet overcome the challenges associated with ambient light increasing signal to noise ratios. This means the technology is less sensitive during daylight hours, reducing the likelihood of an aerosolised agent being detected. Perhaps the most fundamental issue with UVLIF excitation, is that many other harmless substances, amino acids and fluorophores such as pollens, plant debris, fuel oils and some agrochemicals are excited at the same wavelength as biological agents, making it more difficult to distinguish between virulent and benign aerosolised matter. These limitations demonstrate that although biodefence technologies are at the forefront of military and defence research, they are certainly not beyond the abilities of foreign
governments or other well-equipped actors to circumvent or defeat. The costs involved of extensive bio-surveillance to adequately monitor multi-penetration points such as dams, waterways, public airspace, agricultural and food facilities, may be exponential to the risk involved. The biodefence environment is vast and multidimensional - more than aerosolised biothreat agents exist, and subsequently vulnerabilities and limitations cannot be addressed by simply overlapping detection technologies, procedures and practices in the same manner as controlled environments such as high containment microbiological facilities. To apply PID to biodefence, the ‘Onion Rings’ must be three-dimensional - overlapping policies, measures and technologies across disciplines, sectors and jurisdictions. These mechanisms currently exist in the form of diagnostics, syndromic surveillance, environmental and other monitoring systems, although sometimes very loosely depending on the country or sector. To enhance biological preparedness, the biodefence framework must be revisited to systematically identify and address newly emerged biological threats and vulnerabilities. In a practical sense, this means addressing emerging risks such as those created by commercial development in fields such as synthetic genomics. For example; although commercial genomics companies cannot ship or otherwise supply whole sequences of high-consequence or prohibited pathogens, there is currently nothing in place to prevent individual gBlocks (sequence-verified, double-stranded DNA fragments) from being obtained in a manner which defeats existing flagging or biosecurity mechanisms. Another example is the biosecurity risk created by naturally occurring events such as the recent string of Ebola outbreaks. Clinical samples, waste, medical and laboratory equipment, unsecured burial sites and the mobility of infected patients facilitate not only the further spread of disease but may also provide a source for the acquisition of pathogens for biological agents. The threat of biological based ‘lone wolf ’ attacks is not a new concern, however the opportunity for malicious acquisition through naturally occurring events is rising. As a result of the dynamic nature of the threat environment, the PID framework must address vulnerabilities across the complete biological continuum - inclusive of naturally occurring, accidental and deliberate biothreats. A systematic approach to designing and constructing a multidimensional PID framework is vital, building on existing multidisciplinary, multi-sectoral and multijurisdictional mechanisms. The process must ensure that technologies, policies, procedures and practices are carefully selected and implemented to overlap and mitigate the vulnerabilities and limitations of each measure. The approach must also consider the establishment of pre-markers for biological events to ensure the domino effect of a coordinated biological response so that if one falls, they all fall. To achieve an effective biodefence structure, all disciplines must work collaboratively and with sufficient fluidity to incorporate and address emerging threats and newly identified vulnerabilities in the PID framework. This means that biodefence policy and strategy must become more accessible across disciplines and sectors, not withheld as the exclusive property of government and military. Progressive
BioSecurity Special
public discourse on biosecurity and biodefence issues must permeate and drive biodefence policy – thus, publicly acknowledging the need for collaboration on biodefence issues should be at the forefront of next generation biodefence policy. The US National Biodefense Strategy is an example of how governments and policymakers may approach dynamic biodefence needs which are beginning to transpire. The United States is Leading the Way in Biodefence Strategy The September 2018 release of the US National Biodefense Strategy emphasises the need for a multidisciplinary approach to biodefence with explicit direction and oversight. The Trump Administration intends to address biological threats through the development of a multi-sectoral and collaborative biodefence enterprise, with oversight from a Cabinet-level Biodefence Steering Committee. The National Biodefense Strategy calls for multi-sectoral cooperation for threat prevention and response, and a multidisciplinary approach to the prevention of disease emergence. The US approach demonstrates a maturation in biological preparedness, where biodefence policies and operations cease to exist solely behind the closed doors of Washington and are publicly acknowledged as the responsibility of multiple sectors. US Biodefence strategy is evolving in line with contemporary society to reflect the rapid ‘bio-commercialisation’ of
technology, materials, equipment and expertise. However, despite this refreshing evolution in biodefence strategy, there will undoubtedly be challenges and setbacks in establishing the functional and operational structures required to sustain such a strategy. How the US Biodefense Steering Committee facilitates the conflicting objectives, agendas and requirements of multiple sectors is sure to be appraised – and scrutinised by avid international observers. Regardless of potential obstacles, the US must be commended for leading the way in creating a biodefence interface which may facilitate collaborative efforts and actively seek the expertise of individuals and non-government enterprises. We must hope that other nations including Australia support and follow the US lead and produce an accessible biodefence strategy, drawing on the capabilities of multiple disciplines and sectors. We must also encourage policymakers to consider the use of contemporary models and frameworks such as PID to address the complex needs of biodefence in the current environment. Ultimately, global biodefence efforts require a collaborative approach to identify and address the limitations of the existing biodefence infrastructure. We need a united front. Humanity is more than capable of addressing biological threats, however the challenge lies in our ability to design and construct the protective framework in a peaceful and systematic way.
Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today
Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:
NATIONAL SECURITY
DEFENCE
BUSINESS
ACADEMIA
LAW ENFORCEMENT
REGULATION
BANKING & FINANCE
INTEGRITY COMMISSIONS
As the peak professional body for intelligence professionals, AIPIO is committed to: Connecting members across intelligence communities and encouraging cross-domain collaboration
Supporting and representing intelligence professionals throughout their career lifetime
Sharing cutting edge and emerging global intelligence practices and enabling technologies
Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data
Do something positive for yourself and your career – join AIPIO today.
aipio.asn.au
Australian Security Magazine | 23
CyberCover CCTV Security Feature
How to minimise roulette wheel motion blur
By Vlado Damjanovski © Oct 2018 - vlado@vidilabs.com
24 | Australian Security Magazine
O
nce I was approached by a casino professional, asking me if I can help them find a camera with 60fps which they want to use with their roulette tables. First I asked him about the purpose for such camera, before I gave him my response. Certainly, I knew of a handful IP camera manufacturers that had in their range 60fps cameras (some even more than 60fps), but I somehow sensed that the question was based on the lack of understanding of how camera works (more specifically - the electronic shutter), rather than a real quest for a camera of high frame rate. Plus, high frame rate cameras are usually more expensive. When I was explained by the customer that the images from his roulette wheel winning numbers appeared very blurry, and customers were complaining about that, I knew what was problem. Cameras are often used to look at the roulette wheels, and display the winning number as soon as the roulette ball lands on a number. Casino dealers don’t wait for the roulette wheel to finish
spinning, as this takes quite some time, and players will not wait. The most practical thing for them is to wait until the ball, after jumping around, lands in the winning number area and while still spinning, they show a snap-shot image of the winning number on the large screen. The light conditions are usually very low, typically no more than 10lux at the gaming tables, which forces the cameras to expose each frame at least 1/25s (or 1/30s) in order to produce “live video.” It may well be that the exposure could be even longer if the cameras are left into Integration mode. The results are blurry videos of the roulette spinning wheels, with the hard-to-read numbers of the winning numbers. No wonder roulette players are not happy and are asking for better and faster information from the roulette tables. The customer that asked me this question, didn’t necessarily need a high frame rate camera, which would usually be more expensive. All he needed was to set the camera to a higher electronic shutter (Exposure), so that the motion blur from the roulette wheel was minimised
CCTV Cover Feature
Longer shutter - hard to see numbers
Shorter shutter - sharper winning numbers
Australian Security Magazine | 25
CCTV Cover Feature
to the level that clearly shows the ball and the winning numbers. What exposure do they need to set the camera to? This can easily be calculated by the ViDi Labs calculator application. In fact, one of the reason the ViDi Labs calculator was designed is to help with cases like this. Using the Sensor blur calculation, which is produced by a moving object with a known speed, a casino operator can calculate the most acceptable electronic shutter speed in order for the camera to see sharp winning numbers. A little bit of imagination and length measurement is required, but the hard work is done by the ViDi Labs calculator. Certainly, we all know that the shorter exposure you have, while keeping the same lens and F- stop, you would need more light for a good picture. It is however important to consider that every IP camera has built in AGC (Automatic Gain Control) which even when the light levels are lower - it will push the video signal to be close to the nominal values of full video (1 App in the analogue days, and around 800mVpp in the digital world). In our testing we have used in this example the following variables were used: • IP camera with 1/1.9� sensor
26 | Australian Security Magazine
CCTV Cover Feature
• HD Resolution = 1920 x 1080 Lens = 9mm • Distance from camera to the roulette wheel approx. 1.5m Using the ViDi Labs calc one can find out the longest exposure for the acceptable motion blur. The blur will always be there even at the shorter exposure, as the roulette wheel is still spinning, but it will be much sharper than having the default “live” exposure of 1/25s (or 1/30s) Our tests and experiments have shown that using high frame rate cameras, like for example 1/60s instead of 1/30s, will hardly reduce the motion blur. As it can be seen on the above screen-shot, there were around 21 pixels of blurriness produced on top of the actual roulette ball being 29 pixels (a total of 50 pixels in the horizontal direction). This effect makes the numbers still appear blurry. The ViDiLabs calc has calculated not very far from this, 22 pixels. By setting the camera electronic exposure to 1/250s, the resultant frozen image appears much sharper, and this time the roulette numbers can be clearly read. The ViDiLabs calculator indicated that we will have 5.3 pixels blur pixels when motion velocity is 3km/hr. This is sufficient to see clearer numbers of the roulette wheel. So, although we have not installed a higher frame rate camera (60fps or 120fps), we managed to still produce sharp video of 25fps by just setting the electronic exposure is set to 1/250s.
40 ms
Standard“live” exposure
Active exposure voltage
25 fps camera
1
2
3
4
5
6
...
25
Stop exposure voltage
<40 ms Active exposure voltage electronic shutter (1/30s, 1/60s, 1/100s, 1/200s, 1/500s)
25 fps camera
1
Electronic shutter ON (“live” exposure) 2
3
4
5
6
...
25
Stop exposure voltage
>40 ms Active exposure voltage
f - focal length
5 fps camera Stop exposure voltage
d - distance
1
2
...
5
1 second
w - hor. width of the view r - roulette wheel diameter
The meaning of electronic shutter
Australian Security Magazine | 27
CCTV Cover Feature
Migrating to an IP video surveillance solution All you need to know By Benjamin Low, Vice President, Asia Pacific, Milestone Systems
28 | Australian Security Magazine
T
he migration from analogue video surveillance to IP systems has been increasing for some time, driven by decreasing costs and rapid advances in new security technologies such as video analytics. As William Tan, director of global face recognition & surveillance, global safety division, NEC Corporation puts it: “The use of video analytics in surveillance systems improves operational efficiency as it eases the workload on security officers. Analytics add value and makes the IP camera system more intelligent in its work. Increasingly, government agencies are adopting safer city technologies such as facial recognition as they allow the authorities to have more "eyes" on the city than before.” IP systems allow vastly increased functionality, from analytics and the use of non-visual sensors like fire alarms to remote access from anywhere in the world, while giving organisations the flexibility to easily expand and reconfigure their network as necessary. Yet, even with all these benefits, IP solutions still offer the lowest Total Cost of Ownership (TCO).
IP systems also make storage more flexible and less costly. HC Chang, general manager, APAC (excluding China), Promise Technology, explains: “Analogue systems may require storage to be onsite, but if an installation has many sites, or sites that are geographically disparate, this may be difficult. IP systems allow storage to be placed wherever makes the most sense, making it easier to maintain and upgrade.” While the benefits make migrating an easy decision, the steps from analogue to IP should be carefully considered. At the start of the migration process there should be a full analysis of the organisation’s security requirements, looking in detail and the varying levels of security needed in different areas and sites. Once these requirements are known, it is then necessary to design a detailed blueprint for the new IP system. Once the blueprint is ready, it is then time to develop a plan for deployment. There are two options for any organisation looking to migrate to an IP network: upgrading the whole network in one go or upgrading in stages. Upgrading the whole system at once simply involves removing all the old equipment and installing the new IP
CCTV Cover Feature
Analogue systems may require storage to be onsite, but if an installation has many sites, or sites that are geographically disparate, this may be difficult. IP systems allow storage to be placed wherever makes the most sense, making it easier to maintain and upgrade.”
system. In a way this is the simpler option, as it means all the new IP features will be ready to go once installation is complete. However, installing all that equipment – not to mention the equipment itself – can be costly, especially for medium and large organisations with significant amounts of infrastructure and assets to replace. Another disadvantage of this option is the inevitable downtime between the old system going offline and the new system starting up. The cost pressures can be a challenge, while the downtime is unacceptable for most medium and large organisations, which is why the more popular option is to upgrade in phases. This is possible with IP surveillance systems because all cameras and sensors feed into a central VMS. The right VMS will be open source, meaning it will be able to manage feeds from many different types of visual and non-visual sensor, both legacy and new, from many different manufacturers, at the same time. This means a surveillance network can evolve in line with its requirements. This capability can be especially useful in large installations which have many different buildings and levels
of requirement from their surveillance. For instance, some areas may require higher security, with new high-resolution digital cameras and video analytics functions such as facial recognition. An important point to note here is that migrating to an IP system does not require the replacement of existing cable infrastructure. Winston Goh, head of marketing, South APAC, Axis Communications, notes: “Pulling out and replacing existing infrastructure, such as coaxial cables and analogue cameras, can be a very expensive process. The benefit of migrating to an IP solution is that converter devices can be used to convert the analogue signal to a digital one, so it can be fed into the VMS. This allows sections and assets to be upgraded in a way which suits the budget and requirements of each organisation. It also greatly reduces any installation downtime.” Once the deployment plan is ready, the phases of installation can begin. This starts with installing the VMS, which will be the heart of the network. Then you can begin installing new cameras and preparing old cameras to feed into the new VMS, as well as the necessary monitoring equipment such as PC monitors, at your own pace. The benefits to IP video surveillance systems are so numerous that migration is only a matter of time for most organisations. However, it’s likely most will opt for a phased approach, due to costs and downtime issues. These factors can be minimised if organisations invest the time in understanding their security needs and thoroughly planning implementation, meaning companies can reap the benefits of IP surveillance faster, where it’s needed.
Australian Security Magazine | 29
Frontline
Resilient organisations begin with people. Organisations have a duty
C By Lance Krowitz, Director, Risk 2 Solution South Africa (Pty) Ltd; and Dr Gavriel Schneider, CEO Risk 2 Solution Group
30 | Australian Security Magazine
yber security. Admission controls. Biometric security. Security guards and barricades. Electronic counterespionage measures. Large organisations do all these things as a matter of course. Despite this, they accept that risk is something that can only be minimised – it’s impossible to completely prevent. But all these measures (and more) are largely futile when you consider that the weakest point of vulnerability is your most valuable asset: your people. Employers and shareholders like Return on Investment (ROI) and rightly so. Human Resources people are tasked with developing their workforce in a manner that helps the organisation acquire new and vital skills. There are financial incentives too, often sponsored by the taxpayer to incentivise corporates to up-skill their people. These programmes centre on business skills, leadership, IT skills, Compliance, Occupational Health and Safety and similar training. But here’s the thing: we forget that those same people spend a large chunk of their non-working lives outside of our organisation, be it in the real world or the virtual one. From a
purely selfish perspective, they’re outside of the organisation’s ability to protect itself should they venture into dangerous territory in either of those dimensions. It’s a VUCA world after all... What is VUCA? Volatile, Uncertain, Complex, and Ambiguous. It’s an old description of the world that’s become repurposed to describe how crazy our environment has become (and continues to get) as we become more and more interconnected. And in the midst of all this our people are travelling long distances to and from work in any number of modes of transport. They walk down the block at lunchtime with their faces glued to the screen of the latest/ shiniest/newest/most powerful smartphone. They stop at traffic lights and take the opportunity to read that last text message that just got delivered. Is it any surprise we’re such soft targets? Any impact on that person is an impact on the organisation and there are any number of possible permutations. Employees suffer from flat tyres, muggings, carjacking, physical injuries, phishing scams, hacking of
Frontline
"The trick is to create awareness in our people of their environment and the possible risks therein. We should help them to listen to that little voice that is the mind’s way of pointing out that something doesn’t quite fit. "
h resilient y of care. online profiles, identity theft etc. These result in mundane time off work requests for admin (police reports, credit card and ID replacements etc) and for medical attention, or worst case scenario – the employee is incapacitated or deceased and is never returning to work. We don’t mitigate these risks and its common cause that they’re an expensive cost to the organisation. Enter the Whole of Person approach. We view the employee as the sum of their Work Life, Personal Life, Online Persona, and Virtual Life. Despite what some security managers might think, the organisation has very little influence over most of those. The obvious answer is that we need to get out of the old paradigm thinking of providing hard security measures via the workplace and adopt a newer approach – Let’s holistically make our people more aware of the threats out there and by doing so we make our organisation more resistant to an
adverse event and more resilient should one occur. The trick is to create awareness in our people of their environment and the possible risks therein. We should help them to listen to that little voice that is the mind’s way of pointing out that something doesn’t quite fit. We must give them the tools to plan for any eventuality so they can react appropriately. This might be as simple as deleting that strange looking email without clicking on the link, or crossing to the other side of the street because something ‘doesn’t feel quite right’. In short, we need to ‘Switch Them On’. And we need to do it in a balanced way so as not to create paranoia. As my colleague Dr Gav Schneider writes in his article published in Security Insider June/July 2018, page 26: Being paranoid is just as ineffective as not being aware at all. The goal is to enjoy life to the full whilst at the same time being more aware of what’s going on around you. I believe that the one cannot exist without the other, i.e. you can't truly squeeze the most out of life if you are paranoid or unaware. It is important that we teach our people to continually adjust the balance for themselves. We call this balancing act Dynamic Risk Equilibrium (DRE). How does an organisation achieve Switched-On people? Face to face training is first prize, but it’s expensive, time consuming, logistically demanding, and takes people away from their jobs when they should be productive. Our solution is the online approach which we believe gives the organisation the best bang for buck. It’s scalable, accessible from home or work, self-paced, and can reach the entire workforce. Simply put, the more people you reach the better the outcome. We won’t stop incidents from happening, but we can create stronger defences by strengthening our people.
About the Author Lance Krowitz is a director of Risk 2 Solution South Africa (Pty) Ltd and has business interests in the risk, training, and energy savings sectors. Lance’s background is in financial markets having successfully run small cap portfolios for a division of the Standard Bank Group, Africa’s largest bank. Since leaving the corporate environment Lance has invested in a number of small businesses in the energy, property, and finance sectors. He is well versed in financial services, asset management, and investment banking, and spends his leisure time with his wife and young son as well as participating in endurance fitness events such as Ironman and the Comrades Marathon.
Australian Security Magazine | 31
Cyber Security
Risk Management – From SARs to Cryptocurrency
By Jane Lo ASM Correspondent
What do SARS and Cryptocurrency have in common? SARs (Severe Acute Respiratory Syndrome), is a viral respiratory illness caused by a coronavirus. According to the World Health Organization (WHO) a total of 8,098 people worldwide became sick with SARs during the 2003 outbreak. Of these 774 died. The first case in Hong Kong was reported on 22th Feb 2003. It took another 2.5 weeks before a WHO worldwide alert was sent, and another 2 weeks for schools in Hong Kong to be closed. By the end of March, house containments were in place, but that did not stop the spreading of the disease which peaked on 20th April, when 12 deaths in a single day were reported.
“History is a tough teacher”, said Peter R. Morgan
Cryptocurrency
(VP, Clement Shield; former Assistant Commissioner
That is, a consolidated assessment of risks across business lines, products and locations.
(Ret.), Hong Kong Police) at the Asia Risk &
The stratospheric rise of BitCoin, from its humble
Resilience Conference 2018, (ARRC 2018, www.
beginning when 10,000 bought a developer 2 pizzas,
cryptocurrency and the activities surrounding
arrconference.com, Singapore Hilton, 29th August –
to trade as high as USD19,000, set off skepticisms
cryptocurrency trading and investment is but one
31st August 2018).
amidst a flurry of responses from regulators.
of the many vulnerabilities and risks that need to
The SARs outbreak taught the need for “Improved
Banking titans, Jamie Dimon of JPMorgan
Under this approach, identifying the role of
be managed.
Preparedness”. This included, according to Mr
famously said he would "fire in a second" any
Morgan, “increased Awareness”, “Effective Plans &
JPMorgan trader who was trading BitCoin; Some
organization is a key aspect of planning –
SOPs”, “Organisation capacity and readiness”.
countries have outright banned BitCoin trading;
reflecting the theme of the ARRC 2018 “Corporate
others see it as a solution to its struggling economy,
Governance, Risk & Resilience - Planning in Action.”
Dr. Attila Hertelendy (Professor, Georgetown University), speaking on “Leadership Lessons Learned in Managing Risk and Resilience from the
An understanding of risks faced by the
such as Venezuela. But the most cited reason for disparaging
Risk Management – the ISO 31000 framework
Global Health Security Perspective”, emphasized
BitCoin is its role in facilitating criminal activities. This
that “we should embrace a culture of forward-
is not surprising given that ransomware, illegal drugs,
International organization for Standardization
leaning proactivity and the benefits that can be
or stolen plastic demand payments in BitCoin. The
notes that “Risks affecting organizations can
derived from deliberate planning”.
seizure of 110,00 + BitCoin from the takedown of
have consequences in terms of economic
SilkRoad further linked BitCoin to illicit activities.
performance and professional reputation, as well
He also clarified that “plans are useless, planning is everything!”. This meant “exercises
In his talk “What has ERM got to do with
as environmental, safety and societal outcomes.
& drills” to put in practice the plans, which was
Anti-Money Laundering & Cryptocurrency”, Mr.
Therefore, managing risk effectively helps
echoed by Mr Morgan in his talk.
Dennis Lee (Risk and Compliance Director, Amicorp
organizations to perform well in an environment full
Trustees (Singapore) Limited), highlighted that these
of uncertainty”.
But what does “Improved Preparedness”, “Deliberate Planning” lessons learned from Health
concerns require a robust enterprise-wide risk
Security and SARs have to do with Cryptocurrency?
management approach.
32 | Australian Security Magazine
ISO 31000:2018, Risk management – Guidelines, provides principles, framework and a
process for managing risk – “can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment”. This is demonstrated by Er Lee Chuen Fei (Certification Lead, Council member, RIMAS) at “Workshop D: Implementation of the ISO31000:2018 – All you need to know”. The key themes of a risk management framework, starting with setting the “Scope/ Context and Criteria”, followed by “Risk Assessment”, and determining appropriate “Risk Treatment”, with regular “Monitoring & Review” are not unfamiliar to risk specialists. Ultimately, articulating the aims of the organization and linking to risks it faces means Dr. Attila Hertelendy (Professor, Georgetown University), speaking on “Leadership Lessons Learned in Managing Risk and Resilience from the Global Health Security Perspective”, Photo Credit: ARRC 2018. www.arrconference.com
“effectively understood, treated and managed” risks. “Reducing the likelihood” of an event or “reducing the consequence” in risk management are standard approaches – other options for consideration include accepting the risk, or transferring the risks through contract or insurance, or avoiding the risk altogether. Risk – opportunities and potential positive effects Notably, ISO31000 defines risk as "effect of uncertainty on objectives", which is a significant shift in paradigm from the previous definition of "chance or probability of loss". This new definition is a reference to positive consequences, or opportunities of uncertainty, as well as the negative ones viewed from the traditional prudent perspective. So, managing risks associated with
“Peter R. Morgan, (Assistant Commissioner (Ret.), Hong Kong Police) speaking on “15years on – Lessons Learnt from Hong Kong SARS outbreak in 2003”. Photo Credit: ARRC 2018. www.arrconference.com
developments that may contribute to more frequent health pandemic (e.g. denser cities spreading SARs and other diseases more rapidly), or, enabling more advanced cyber crimes (e.g. innovations underpinning cryptocurrencies) also means addressing the opportunities. One is “blockchain” which power the cryptocurrencies. This technology is being applied in logistics management to validate and track supplies, and in digital currencies such as the Singapore government’s issuance of a digital Singapore dollar on the blockchain for interbank payments that bypass the central bank. Indeed, Singapore's central bank head said he hoped the technologies underpinning cryptocurrencies such as blockchain would not be undermined by an eventual crash in the virtual currency. In other words, while cryptocurrencies may face risks limiting its expansion, the exciting
“What has ERM got to do with Anti-Money Laundering & Cryptocurrency”, Mr. Dennis Lee (Risk and Compliance Director, Amicorp Trustees (Singapore) Limited), Photo Credit: ARRC 2018. www.arrconference.com
opportunities to leverage off the blockchain ground breaking technology should not be overlooked.
Australian Security Magazine | 33
Cyber Security L- R - Lawrence McKenna, Serra Luck, Bob Cross, Afiz Jabbar, Bob Firth, Luke Percy-Dove, Greg Lane, Shane Norton, Chris Cubbage
HID Global Consultant Roundtable Smart Buildings, mobility & outlook to the future
T
his is a special roundtable hosted by HID
The definition of intelligent buildings has been with
network design, resilience, availability, reliability
Global, as a forum in which senior Australian
us for quite some time.”
with cyber security, electronic security, physical
consultants share their thoughts on industry
“Some of the Singaporeans lead the first
security and that just to protect the network, not the
trends around smart buildings and mobility. This
foray into that space, certainly into the third-
actual building or the people, so they can maintain
recorded discussion, now available in a podcast,
generation technology buildings which I think at
that business and depend on that network to do
includes insights and experience on the evolution of
the time was roughly defined as highly integrated
whatever they need to do. It is something new that
end-user requirements, comments on industry best
building technologies that were enabling individual
has rapidly come to the fore in the last 24 months.
practices, and general expectations of what makes
occupants to control their own level of space,
a smart solution design.
comfort, and accessible amenity, at the device level.
the point, “everyone wants a smart building but may
Serra Luck, Vice President, End User and
Norman Disney & Young’s Afiz Jabbar raised
At the time, the device was nothing more than a PC.
not understand why they want it. We need to move
Consultant Business at HID Global highlighted, “The
Now I think the implementation of that concept is
beyond the technology to what the technology
motivation from HID’s prospective is creating the
little bit more ‘App’ based and mobile device based.
provides in the outcomes. What do we use all these
discussion on the physical security access control
But I think we are still talking about the same sort of
sensors for, what are we doing with the technology?
and we see a lot of influence coming from the IT
concepts. It is just that we have become a lot smart
The vision is good and there is demand, but what
side of the business with the Internet of Things
as to how we are implementing these concepts.”
are they doing with their smart building.
and seeing a lot of implementation around cloud
Greg Lane at Jacobs confirmed, “we are seeing
Luke Percy-Dove provides insight to the client’s
services. Service businesses ae coming in with a lot
a more educated client. Though in the high end
needs, “a big part of what we do is educating the
of integration and of course we see the impact on
security domain they understand what smart is,
clients and getting to the nuts and bolts of what the
the end user in that space. We are very much open
in terms of integration and may not want that in
problem is they want to solve and the best way of
to understanding what is motivating the customer
certain applications.”
determining that outcome.”
across the different vertical markets, what the
Lawrence McKenna of Wood & Grieve
Bob Firth outlined, “in terms of the architecture
change process is that is happening and we looked
Engineers highlighted, “it all depends on the
stage, there are some things you can’t bolt on later
to gather experts to share their views with us and
building owner or occupant and how much they
without enormous rework. Agreeing that we are all
learn from them.
want to invest. If it’s a building owner, and say a
going to be on the one network, agreeing that there
hospital, they definitely see a single integrated
is open standards, there may be middle ware that is
Shane Norton, who commenced, “the emergence
network and maintain that via their IT department
required, agree on the protocols early, allows you to
of smart buildings is not necessarily a new concept,
and seek to realise the cost savings as opposed
explore and expand as you go. Get those decisions
I think the way in which we do it certainly is but not
to having separate networks. But that opens an
wrong initially you can find it almost impossible to
the concept in itself. We have been talking about
entire issue around cyber dependency. Which is
retrofit some of the solutions or get the maximum
the implementation of first, second, third generation
something that is becoming more front and forward.
out of them. Planning ahead of time, what is the big
smart buildings in this region, since the late 1980’s.
That is a challenge within itself, trying to bring under
picture vision around the smart building or smart
The discussion was kindly opened by Arup’s
34 | Australian Security Magazine
environment is essential to getting the outcome
Shane Norton - Being able to advise accurately
decades thereafter. And for those buildings and that
at the end of the day. And you don’t necessarily
what those emerging technologies, trends, ways
function and amenity that that building provides
need to know everything you want to achieve,
of living in our cities are likely to be. Advising
to remain relevant throughout the entire lifecycle.
with some projects running seven years from initial
with some degree of accuracy on these and then
That’s the challenging prospect.
brief through to delivery so you don’t know what’s
allowing our clients to make informed decisions
going to be available but if you make those initial
based on that forward-looking perspective about
To listen to the full
decisions well you can enable yourself to add on
what they are going to invest in for their building
roundtable discussion
what happens to come out as the latest technology
assets now for when they will be built in a number
LISTEN HERE
evolves.”
of years’ time to be operational for a number of
Shane Norton, Associate | Leader – Resilience, Security & Risk Shane is Arup’s most experienced and knowledgeable Protective Security consultant (2ABC NSW Licenced Security Consultant, SCEC Approved Security Consultant) in the Australasia region, and fulfils various leadership positions across the firm; including the Resilience, Security and Risk (RSR) Skills Leader for the region, and the Team Leader for the New South Wales RSR business. As a Security Construction and Equipment Committee (SCEC) Approved Security Zone Consultant since 2006, Shane is a trusted adviser to all levels of Government and Australia’s most successful blue chip organisations. He is uniquely recognised for his high security but discrete designs in some of our region’s most beautiful and wellknown buildings.
Afiz Jabbar, Senior Security Consultant & Associate, Norman Disney & Young Afiz Jabbar has been working in the security industry for over 17 years and is a Senior Security Consultant and Associate with Norman Disney and Young (NDY) responsible for the design, engineering and management of a wide range of high level integrated CCTV, Video Analytic, Access Control, Intruder Detection and physical security systems across a broad spectrum of industries including Government, Custodial, Health and Education. As a SCEC Endorsed Security Zone Consultant, Afiz specialises in high security consulting and engineering solutions for Government agencies and has extensive knowledge and familiarity in key areas such as physical security, electronic systems technology and infrastructure.
Greg Lane, Section Leader, Melbourne Security, Jacobs Greg is a SCEC Endorsed Security Consultant with a Master of Security Management specialising in red teaming. As a Senior Security Consultant, Greg has worked with wide range of commercial and government clients to provide a range of risk and high security services, including the provision of SCEC security consultancy services. Greg has extensive experience in custodial security, protective security risk reviews, defence security (including Type 1), critical infrastructure security, physical and electronic security, IT security, information security, CPTED and risk management.
Luke Percy-Dove, Director, Matryx Consulting Luke is a 23 year veteran of the Australian security industry, has personally advised on security for organisations including ANZ, Lend Lease, Mercedes Benz, Ipoh Property, VISA Global Logistics, Vicinity Centres, Lend Lease, Colliers, Knight Frank Royal Australian Mint, Mirvac and DP World. He is an established writer, media commentator and expert witness on the latest technology, trends and developments in the global physical security market. Luke is also the Founder and CEO of Risk Dynamyx, an Australian technology company that has developed the first dynamic security risk management application for commercial property.
Bob Firth, Principal Consultant, ACAD Services Bob Firth is a Principal Consultant at ACAD Services and provides technology consulting services to corporate and government clients across a range of technologies including internet of things, security systems, building services networks, wi fi, control centres and smart buildings. Bob is currently working on a number of connected environments within office towers, shopping centres, hospitals, a roadway and a retirement village.
Lawrence McKenna, Telecommunications Section Manager, Wood & Grieve Engineers Lawrence has over 25 years of Telecommunications and ICT Systems Industry experience. Lawrence’s extensive ICT/telecommunication experience acquired from working 16 years with Queensland Rail, three years with Project Services (QLD Department of Works) and six years with SKM/Jacobs. Lawrence is currently a member of the following standards committees: • Standards Australia CT-001 (Communications Cabling) • Standards Australia CT-002 (Broadcasting and related services) • International Telecommunication Union ITU-T SG5 working group • International Telecommunication Union ITU-R ARSG-5 working group.
Australian Security Magazine | 35
Cyber Security MEETUP
Cyber Risk Meetup Interview with Shamane Tan, the Founder of Cyber Risk Meetup
2
018 has been an incredibly rich year, packed
it comes to experience. If we are patient enough,
(Shout out to Privasec for being our biggest
with conferences and events as the Cyber
there is so much that we can draw from their deep
supporter and for all their active contributions to
Security industry tries to keep up with trends
wells of knowledge. I started the Cyber Risk Meetup
the different industry events.) After a period of time,
and governance. In the midst of all that, there was
in Sydney in 2017 with the intention to create a
even strangers will become a friendly face and it
a meetup group that stood out amongst all other
platform where talented people can share their
helps to speak to a peer or one of the executives in
meetups and very quickly became known as a class
experiences and key learns. ‘It’s said that a wise
the same industry. I was recently watching Ocean’s
of its own. It was the Cyber Risk Meetup, which has
person learns from his mistakes. A wiser one learns
Eight on the plane and it’s interesting to see how
rapidly become a well-known favourite and one of
from others’ mistakes. But the wisest person of all
the bad girls had to collaborate together to pull off
those NEED TO ATTEND event.
learns from others’s successes.’ Hence, I wanted to
the biggest steal of the century. How much more
build a community where like-minded professionals
do we need to work together and be more active in
Cyber Risk Meetup on its uniqueness. As the APAC
can network with one another. In doing so, I find
sharing our ideas as we battle together to protect
Head of Cyber Risk Advisory with Privasec, a leading
out their actual challenges, and was inspired to
our loved ones and workforce in this digital age.
Cyber Security consulting firm, she also works with
organise my events around topics that industry
The meetups provide a fantastic opportunity for
her GRC and Technical Assurance team together
leaders are so passionate about! I never expected it
professionals, our new generation and the general
with the different CISOs to bridge security gaps in
to scale up the way it did.
public to come together and learn from one another
We interviewed Shamane Tan, the Founder of
organisations.
in a comfortable and safe environment. Indeed it
Q. How does it work? Q: Why do you do what you do? We meet up once every quarter and start off first In my last 9 years in this industry, if it’s one thing I
with networking over complimentary food and
learnt - is that people are our biggest wealth when
drinks courtesy of our Cyber Risk Meetup sponsors.
36 | Australian Security Magazine
takes a community to build a community.
Q. Share your vision for the Cyber Risk Meetups We are vendor agnostic and extremely big on encouraging new faces and voices in this industry. Our Cyber Riskers (that’s what we call our members) get to hear from renowned industry speakers that they do see at conferences but also get to hear from fresh new speakers. Most of them being a CISO have had extensive experience leading people but somehow had never put their hands up to speak. Imagine my great delight several of our Cyber Risk speakers were discovered through our events and now speaks at major national conferences.
Q. What was 2018 like? It was incredibly exciting. We are at 800 members in Sydney, and already at 400 members in Melbourne with our inaugural launch just early March this year. Cyber Risk Meetup saw a successful launch in Singapore in July and was closely followed by Brisbane this September. We have now crossed over the 1,500 members mark across Australasia. We are always oversubscribed and full house with more than 100 attendees turning up each time.
Q. Can you share some of Cyber Risk Meetup’s highlights? What I love about our meetups is that they are all so diverse. One moment I am in Melbourne hosting presentations on the evolution of Artificial Intelligence, and the next session, I am moderating C-suite discussion panels on CISO matters in Sydney. There was a really memorable session we organised around Data Privacy where we had two law partners taking opposite sides at a debate on GDPR and the impact of the NDB’s amendment. At another of our meetups, we had a clinical psychologist present on the human factor and the insider threat. Singapore also saw a mini Ted-Talk style Cyber series and we had various ASEAN Heads and CISOs exposing the secrets of the Hacker all the way to presenting on Machine Learning.
Q. What does the future look like for the Cyber Risk Meetups? We are very excited to launch Cyber Risk Meetup in Perth on the 19th of November, as part of WA Cyber Week as part of the WA AISA Cyber week. Also, for the first time ever, Cyber Risk Meetup will be running our very own Summit as a joint event with Privasec in Feb 2019. Do stay tuned for more details! Cyber Riskers can subscribe to the events at cyberriskmeetup.com
Australian Security Magazine | 37
MEETUP
The future of innovation & the BIG CISO question? Cyber Risk Meetup – Sydney Wrap-up
I
n support of ISACA’s SheLeadsTech initiative and
on aptitude rather than qualifications is also an
but CISOs may still be segregated to have policy
once again, months of hard work, the Cyber Risk
important factor, particularly in cybersecurity.
freedom and separate to operations. Organisation
Meetup moved on from a successful Singapore
Interestingly, but maybe not surprisingly, ‘return
size and maturity all has an influence on where the
meetup and back to Sydney. At the central high-rise
to work mothers’ and ‘military veterans’ have
CISO may sit.
offices of AWS, and sponsored further by Privasec,
both been shown to show positive aptitude for
nearly 150 cyber riskers heard from six special
cybersecurity. Maybe it’s the ‘battleground’ traits
is good! Anticipating the unexpected, being able
guests in an exclusive two segment panel session.
they share?
to adapt the language to stakeholders, be across
The Future of Innovation panel, moderated by
The younger generation are doing so much
What skills does a good CISO have? Paranoia
the C-Suite. Cybersecurity can be perceived as
Igor Shparberg, Director, e-Pocket (Int) and joined
more with technology and the expectation on
complex – trying to use analogies can help, such as
by Gillian Findlay, COO, Safety Culture, Frances
younger people will continue to be so much
brakes on a car are there for safety but allows the
Bouzo, Head of IT Security, iCare NSW, and Tabitha
more. However, the digital disruption is only just
car to drive faster. CISOs also need to understand
Bauer Executive Manager of Digital Assurance,
beginning. The way we recruit is still using tunnel
the business and the biggest hurdle can often be
CBA kicked off with ‘What gets you up in the
vision and we can learn a lot of lessons from the
the sales team – who and what is really driving the
morning?’ The panel entered a great discussion,
past – a good example is how start-ups can be a
business. Security should enable the business and
from finding offices for a start-up in Surry Hills,
source of learning for large enterprise and likewise
be engaged.
motivating young people, and through to building a
start-ups can learn from enterprise on how to scale.
commercial minded enterprise but that also makes
One good takeaway line was “We don’t have to
learning fast – is it a technical, people or process
people feel better. The things we see in cyber
reinvent, but we have to catch up!”
fail and then getting all the ducks in a row for
security is continually challenging and changing, so
The second panel, ‘Where do I put my CISOs?
Dealing with a breach is about learning – and
communications, legal and executive. If it’s a failure
it is self-motivating, but with young kids, the alarm
moderated by Cyber Risk Meetup organiser
in the risk assessment then the CISO hasn’t done
clock still helps!
Shamane Tan, APAC Cyber Security Advisor,
their job.
‘How do you keep up and translate it day to
Privasec was joined by Robert Lang, CTO,
With a packed room and nearly 100 on a
day?’ – “I hire people who are smarter than me”,
OpenMarkets, Stuart Mort, CTO – Cyber Security,
waiting list, this Cyber Risk Meetup was well served
said one panellist. Look at what’s coming. Put
Optus Business and Wouter Veugelen, CISO,
with great content, a fascinating networking mix, as
in automation and have a mix of people – the
Primary Healthcare. Matching the variety of the
well as great food and drink.
questions asked often creates learning and then
panel, was a variety of responses.
technically trying to continually improve and set the bar high in cybersecurity.
CISO’s should be their own line of business,
If you are looking for an event of quality networking and new connections, or you just want
was one view, though in contrast one panellist
to see what’s the Cyber Risk hype all about – visit
reported to the CIO. How to get cybersecurity
www.cyberiskmeetup.com and stay tuned for your
should do more with it and use it to our advantage,
embedded into the enterprise is a well-recognised
next complimentary meetup.
far more so as we work and think globally – in a
challenge. Too often plans are put in place after the
global industry with global resources. Recruiting
breach has occurred. Reporting to the CIO is okay
How important is diversity? In Australia we
38 | Australian Security Magazine
Cyber Risk Meetup
Australian Security Magazine | 39
Cyber Security MEETUP
Cyber Risk meetup launched in Singapore
I
t was indeed a very special and exclusive
guidance on what all businesses need to be
Head of Accenture’s Artificial Intelligence ASEAN
evening in Singapore last night where nearly
doing, particularly given the third party risks that
practice gave an eye-opening presentation on
70 guests were gathered and treated to the
supply chains carry in cyber environments – it
where AI is and likely to be taking us with his
insights of industry experts, including an APAC
is not just the big end of town taking the threat
Ted-Talk Session ‘Cyber Security & AI: A New
Chief Technology Officer, Chief Information Security
seriously – the larger enterprises are now making
Paradigm?’ – hang on to your hats folks – AI is
Officer and APAC Head of Security Intelligence, as
their suppliers accountable. Also an extra warning
taking us to a realm of making the unreal appear
well as Ted-talk style presentations on ‘Phishing
to cryptocurrency traders to take special care with
real – Fake News is just the start of where we are
versus Vishing’ and artificial intelligence and how
crypto-currencies and exchanges under sustained
likely to be heading.
Cyber is evolving with it.
and sophisticated attack.
With thanks to the venue host, JustCo,
Noordin, CISO at NTUC Link delivered an
Congratulations to Ms Yuk Lin for winning the evening’s door prize, a free conference pass to the
the meetup kicked off with a panel discussion
entertaining Ted-Talk Session ‘Are You Feeding
RSA APJ Conference 25 – 27 July in Singapore
addressing the impact of Singapore’s Cyber
The Phish?’ Getting an awareness campaign into
– Yuk worked hard to win by being the most
Security Act and the key regional trends being
an enterprise is no easy task, however Noordin’s
active Tweeter for the night #cyberriskmeetup –
observed. Cyber Risk Meetup Organiser
presentation showed it can be done, as well as the
Congratulations Yuk! And thanks for the great and
Shamane Tan was joined by Ian Yip, APAC CTO
grave importance on getting staff and stakeholders
to quote “awesome” feedback!
at McAfee, Ricardo Gonçalves, APAC Head
to STOP clicking on those links and worse – freely
of Security Intelligence at Barclays Group and
giving out their credentials!
Prashant Haldankar, Co-founder at Privasec, now operating in Singapore. Ricardo gave particular
Chris Cubbage, MySecurity Media welcoming Cyber Riskers
40 | Australian Security Magazine
And to top off a great night of food, drinks and networking, the charming Charles Crouspeyre,
Finally – a special thanks for the Platinum Sponsor – McAfee. We sat down with Ian Yip today to capture Ian’s insights to share further – share further on the Cyber Weekly Podcast - LISTEN HERE
Cyber Risk Meetup
Continuous Professional Development. It’s my Institute.
After 45 years the Institute continues to develop your knowledge and awareness of contemporary and leading edge security management best practice. Share in your expertise with other peers and develop your networks. Join our Institute and benefit from the following: · Networking Opportunities · Education & Professional Development · Seminars & Conferences · Peer Support Services · Advocacy VICTORIAN SECURITY INSTITUTE
vsi.org.au APPROVED SECURITY INDUSTRY ORGANISATION
Australian Security Magazine | 41
Cyber Security MEETUP
Cybersecurity in-depth in APAC Ian Yip, APAC CTO at McAfee
I
n this episode we are joined in Singapore by
administrator access to a PC, something great for
Ian Yip, APAC CTO at McAfee and discuss
solving IT challenges, but potentially devastating
the impact of Singapore’s Cyber Security Act
if in the wrong hands. In this instance, any hacker
and the key regional trends being observed. We
wanting to gain control of the airport’s system only
also discuss the business structure and scale of
needed a few dollars to access to a compromised
McAfee and dive into McAfee’s latest Threat Report,
machine and potentially carry out a myriad of large-
June 2018 with highlights around the latest cyber
scale attacks that could have severe consequences
campaigns – Gold Dragon Expands the Reach of
for the airport and its customers. For example, RDP
Olympics Attacks: Lazarus Rises Again, Targeting
can be used as an entry point to send spam, create
Cryptocurrency Users; and Advanced Data-Stealing
false security alerts, steal data, credentials and even
Implants GhostSecret and Bankshot Have Global
mine cryptocurrency. As we saw with the recent
Reach and Implications.
SamSam ransomware campaign against several US
Ian also provides valuable advice as to the vulnerabilities of blockchain technology and concludes with insight into communicating to
institutions, RDP was used to enact the attack and claim ransoms as high as $40k. Recent trends in dark web marketplaces are
the Enterprise C-Suite and an upcoming McAfee
also outlined in the research. One key finding is that
whitepaper.
RDP shops are growing in their size and abundance
Also in recent news, McAfee’s Advanced Threat
on the dark web – ranging from 15 to more than
Research team have revealed in an investigation
40,000 RDP connections for sale at Ultimate
into underground hacker marketplaces, a major
Anonymity Service (UAS), a Russian business and
international airport’s security system (including
the largest active shop they researched.
building security automation) for sale on the dark web via a Russian ‘RDP shop’. The asking price: just $10. Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote
42 | Australian Security Magazine
You can find further details of the attack in McAfee’s latest blog post.
Ian Yip, APAC CTO at McAfee
|
|
App now available on iTunes & Google Play DOWNLOAD NOW!
www.australiancybersecuritymagazine.com.au Australian Security Magazine | 43
Cyber Security - A Cyber week in London Part II
Everything has relevance but not everyone sees it A Cyber Week in London - PART II
International Security Expo 2018 evening reception, Terrace Pavilion, House of Commons, Westminster, London, UK. Photo Credit: International Security Expo 2018
By Jane Lo ASM Correspondent
“Data drives all we do”, the British data analytics firm Cambridge Analytica at the center of controversy in the United States and United Kingdom announced on its website which attacker accessed a customer information
confidentiality’)”. -GDPR Article 5, Para 1(f), Principles relating
“TalkTalk’s failure to implement the most basic cyber
database), patching out-dated software (which
security measures allowed hackers to penetrate
could have fixed a bug that allowed the attacker
TalkTalk’s systems with ease. Yes hacking is wrong,
to bypass access restrictions), installing defenses
but that is not an excuse for companies to abdicate
against common hacking technique SQL injection
To secure personal data, explicit obligations
their security obligations. TalkTalk should and
used to access the data.
for “appropriate technical and organizational
could have done more to safeguard its customer information. It did not and we have taken action.”
measures” include, in a written data processing “Integrity and Confidentiality”
agreement, “pseudonymisation and encryption
- UK ICO’s Elizabeth Denham, 5th October 2016. TalkTalk Data Breach
of data”, “ensuring the confidentiality, integrity, "Appropriate technical and orgnisational measures
availability and resilience of processing systems
shall be taken against unauthorised or unlawful
and services”.
processing of personal data and against accidental UK ICO’s enforcement actions include fines against law enforcement agency after interview disk went missing and individual health practitioner for
loss or destruction of, or damage to, personal data." - UK Data Protection Act 1998, Principle 7 –
approach to security, and benchmarking against industry standards and best practices. A critical
of TalkTalk
without a valid legal reason.
which is enshrined in the UK Data Protection Act
of £500,000 ICO is empowered to apply, for
2018. Referring to the integrity and confidentiality
contraventions of Data Protection Act 1998.
components of under the classic “CIA” model
cases, bank account details and sort codes.
“Cyber Security is a Board Room Issue” “Today’s record fine acts as a warning to
(confidentiality, integrity, availability), GDPR
others that cyber security is not an IT issue, it is a
stipulates that data be
boardroom issue. Companies must be diligent and
personal data of 156,959 customers, including names, addresses, dates of birth, and in many
weaknesses and external malicious threats.
UK Data Protection Act 1998, is also key in GDPR
fine against TalkTalk, close to the maximum fine
data from a cyber attack resulted in a breach of
aspect is how governance and culture mitigate privacy hazards arising from internal policy
The principle that deals with security under the
TalkTalk’s failure to properly protect customer
Many of these requirements are not new but complying would necessitate a fresh review of
applicable during the 2016 data breach incident
unlawfully accessing a patient medical records
The highest profile is undoubtedly the £400,000
to processing of personal data
vigilant. They must do this not only because they “processed in a manner that ensures appropriate security of the personal data,
have a duty under law, but because they have a duty to their customers.”
including protection against unauthorized or
-- UK ICO’s Elizabeth Denham, 5th October
prevented if TalkTalk had taken basic steps,
unlawful processing and against accidental
2016, on issuing the largest fine, £400,000 to
such as infrastructure scanning (which could
loss, destruction or damage, using appropriate
have uncovered vulnerable websites through
technical or organizational measures (‘Integrity and
ICO found that the attack could have been
44 | Australian Security Magazine
TalkTalk
A Cyber week in London Part II - Cyber Security
Tone-from-the-Top, where the Board is highly
ICO’s enforcement actions highlighted that
engaged and understands what comprises
Privacy intrusions and data breaches can arise,
Information “Crown Jewels”, is a foundational
not only from Cyber Security lapses, but also the
converging in the Physical and Cyber space,
building block for effective cyber risk management.
exploitation of standard operation procedures.
Chairman and former UK Security Minister, Admiral
Establishing clear authorities and
Protection Bill a week later. Speaking on the increasingly merging of threats
The convergence of Physical and Cyber space
Lord West of Spithead GCB DSC PC, reminded
responsibilities, demonstrating commitment to risk
further opens up the attack surface for inadvertent
us, “The tragic events in Paris, Westminster and
mitigation, fostering risk communication are some
or deliberate intrusions.
Stockholm only serve to show that the terror and
areas where industry best practices recommend
Reflecting these emerging security themes,
cyber threats focused on disrupting our way of life
Boards oversight. TalkTalk’s data breach also
focused conferences such as “Facilities
have never been greater and arguably we have
emphasized that Board’s oversight of regular
Management Security”, “CNI Security” (Critical
never lived in a more uncertain and dangerous time.
National Infrastructure) in addition to “Cyber Data
It is vital that we get our approach to protecting
& Information Security” are hosted as part of the
our society and ourselves right. Security is all
International Security Expo 2018.
our business and the lines between what was
Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU (even those located outside the EU) and applies from 25th May 2018 onwards. Photo credit: St Albans Anglican.org
To find out more, under the invitation of
traditionally the defence market and what is the
independent assessments is essential to identifying
International Security Expo organizer (Peter Jones,
vulnerabilities and forming appropriate risk
CEO Nineteen Events), International Security
mitigation and incident response plans.
Expo Advisory Council member and OSP Cyber
also the Bank of England’s first ever CISO on
Simply: if it matters to the Board and senior
security market, are increasingly blurred.” We spoke to Don Randall MBE, who is
Academy’s Brand Ambassador (Don Randall MBE),
Cyber Security. He emphasized that: ‘The key to
management, then it will matter to everyone else
Managing Director (Tommy McCarthy), and Chief
successful prevention, detection and subsequent
across the organisation.
Legal Advisor (Sandip Patel QC), we attended the
prosecution is to understand the motivation of
International Security expo evening reception at
the attacker. Primarily people commit crime for
the House of Commons, Westminster - the venue
three reasons. One is they need to, they’re cash-
that would also see the 3rd reading of the UK Data
strapped, poverty-ridden and in such a bad state
All Threats, all hazards
The Queen’s Speech to Parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”
that the only way to go forward is to cross the line and commit a crime. The others are greedy, script kiddies who are in pursuit for peer recognition and want the power of the hacker, or those with an alternative motivation, the likes of terrorism.’ Addressing these motivations such as countering terrorism in the digital age increasingly forms part of the big data conversation– and how data is collected and used. “They will ruthlessly sell our details to loans and soft-porn companies but not give it to our democratically-elected government,” – Rt Hon Ben Wallace, The Minister for Security and Economic Crime, argued in a Sunday Times interview on 31st Dec 2017, that companies such as Facebook and Google made life too easy for
This relates to a warning to police staff as force fined GBP130k for losing rape victim interview. Photo Credit: UK ICO Twitter post., 6th Apr 2018
terrorists. The Minister’s interview comments came a week after Germany’s cartel office (FCO) issued a preliminary finding that Facebook is transferring data to third-parties and abusing its dominant position in the German market. The case is one of the first proceedings in today’s rapid technological progress, which combines the regulatory principles of data protection and antitrust law. Indeed, an increasingly complex web of these laws and cybersecurity laws, self-regulatory frameworks, best practices and business contracts govern the processing and safeguarding of information around the world, create new challenges for organisations. Day 4 - 3rd May – Data Protection by design, by default
This relates to a former employee of a Milton Keynes hospital trust, who has been prosecuted for accessing patient records without authorization. Photo Credit: UK ICO Twitter post., 23rd Apr 2018 Australian Security Magazine | 45
Cyber Security - A Cyber week in London Part II
From Left: Sandip Patel QC (OSP Cyber Academy Chief Legal Advisor), Ken McMillan (CEO Cap Badge Singapore), Peter Jones (CEO Nineteen Events International Security Expo 2018), Audrey Brown (M.D. Fuse Box), Admiral Lord West of Spithead GCB DSC PC (Chairman and former UK Security Minister), Thomas McCarthy (Managing Director OSP Cyber Academy). Photo Credit: OSP Cyber Academy.
Address by Chairman and former UK Security Minister, Admiral Lord West of Spithead GCB DSC PC.
context and purpose of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both a the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organization measures such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subject.” -
GDPR Article 25, Para 1, Data protection
by design and by default. “Data Protection by design, by default” considers data protection and privacy up-front, and proactively anticipates potential privacy invasion events – that is, practicing end-to-end security in the design and architecture of IT systems
Don Randall (right), Bank of England’s first Chief Information Security Officer, presented with Outstanding Security Performance Awards (OSPAs) on 1st March 2018 at The Royal Lancaster London. Left Rick Mountfield of SYInstitute, sponsor of the Lifetime Achievement Award, presenting the award to Don Randall.
GUEST SPEAKER: The Minister for Security and Economic Crime Rt Hon Ben Wallace MP, with Peter Jones CEO Nineteen Events (International Security Expo 2018). Photo Credit, International Security Expo .
The ICO has promoted privacy by design for years,
in the EU Data Protection Directive of 1995, retained
automatically protect personal data to meet the
and there’s plenty of guidance on our website.
in the GDPR, mean that organizations need to be
principles of personal data processing.
But in this context it means building data privacy
responsible and accountable for their processing of
and security into every part of your information
personal data.
processing, from the hardware and software to the procedures, guidelines, standards, and policies that
and business practices: Protect, Detect (initial
“Data Protection by design, by default” underpins accountability.
your organisation has or should have. – UK ICO Elizabeth Denham's speech at the
Accountability
of “legitimacy”, “proportionality” and “transparency”
46 | Australian Security Magazine
And, by default, the design and architecture of IT system and business practices should also
Recognising that 100% protection is neither practical nor effective, a risk-based approach – or tailoring protective measures to the risk of a processing activity - is central to “Data Protection This means building data protection in accordance with the risk profile of the operation.
Previously known as ‘privacy by design’, “Data
One example of how GDPR views this, is the
Protection by design, by default” has always been
requirements on “high-risk” activities.
part of data protection law. Under GDPR, it is now a legal requirement.
Accountability is not a new concept. Key principles
investigation) and Recovery (business continuity).
by design, by default”. Risk-Based approach
National Cyber Security Centre's CYBERUK 2018 event, Manchester Central, 12 April 2018.
analysis), Know, Response (e.g. incident reporting,
“Taking into account the state of the art, the cost of implementation and the nature, scope,
Data Protection Impact Assessment I hear and I forget, I see and I remember, I do and I understand - Confucius
A Cyber week in London Part II - Cyber Security
Specifically, before engaging in such an activity,
protection, including regimes of jurisdictions such
an organization may need to conduct a detailed
as EU, UK, Canada, Hong Kong, Australia and
privacy impact assessment – or “Data Protection
New Zealand, as well as the OECD Guidelines on
Impact Assessment” (DPIA).
the Protection of Privacy and Transborder Flow of
“Processing in particular using new
Personal Data, and the APEC Privacy Framework.
technologies” is considered a high-risk activity.
Since the introduction of GDPR, three public
Other high-risks activities under GDPR that
consultations had been conducted to seek
requires a DPIA are explicitly stipulated as follows:
feedback. A recent proposed change relates to how companies handle individuals' NRIC numbers,
A data protection impact assessment referred to
collects the physical NRIC or a copy of it.
in paragraph 1 shall in particular be required in the
NRIC (The National Registration Identity Card)
case of:
had been widely used in Singapore for a range of
a) a systematic and extensive evaluation of
activities by consumers, such as seeking medical
personal aspects relating to natural persons
treatment, borrowing books at the libraries, signing
which is based on automated processing,
up for restaurant promotions. PDPC acknowledged
including profiling, and on which decisions are
that, as “the NRIC number is a permanent and
based that produce legal effects concerning the
irreplaceable identifier which can be used to
natural person or similarly significantly affect
unlock large amounts of information relating to the
the natural person10;
individual, the indiscriminate collection and use of
b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 1011; or c) a systematic monitoring of a publicly accessible
individuals’ NRIC numbers is of special concern Consideration of Commons amendments to the Bill took place in the House of Lords on 21 May. Both Houses agreed on the text of the Bill and completes the final stage of Royal Assent when the Bill becomes an Act of Parliament on 23rd May 2018.
area on a large scale”. – GDPR Article 35, Para 3 – Data protection impact assessment
as it increases the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud”. The latest guidelines addressed this concern, and proposed that organisations should not collect,
This is the largest reported data breach of
use or disclose an individual’s NRIC number or a
local information to date. In September 2014, the
copy of the NRIC, except when it is required under
names, contact numbers and residential addresses
the law or when it is necessary to verify the identity
Within this DPIA there needs to be a risk analysis
of 317,000 customers were leaked by karaoke chain
of the individual.
with probability and impact of a data breach,
K Box Entertainment Group due to lax security
using an industry benchmark such as NIST, British
measures.
GDPR-ready for Singapore organisations
Singapore’s Personal Data Protection Act 2012
An organization that is not established within the
(PDPA)
EU, or does not have an establishment in the EU,
Standards International, or ISO. As with other risk assessments, mitigation or measures to reduce probability and impact is integral. However, if the residual risk remains high,
can still fall within the GDPR’s scope.
supervisory authorities need to be informed (and
Singapore’s Personal Data Protection Act 2012
block the activity if it is deemed that “the controller
(PDPA) came into force with the formation of the
location of the processing, as does the previous EU
has insufficiently identified or mitigated the risk.”)
Personal Data Protection Commission.
Data Protection Directive, but also the location of
For organisiations whose core activities include
As with the data protection acts in UK and
Specifically, GDPR not only considers the
the individual whose data is being processed.
substantial monitoring or processing of personal
EU, Singapore’s PDPA governs the collection, use,
data, and who are required to hire a Data Protection
disclosure and care of personal data. It recognises
data of data subjects who are in the Union by a
Officer (DPO), the DPO would provide advice on
both the rights of individuals to protect their
controller or processor not established in the Union,
if and how the DPIA should be conducted, risk
personal data and the needs of organisations to
where the processing activities are related to:
migration measures and outcomes, and help
collect, use or disclose personal data for legitimate
monitor on going performance of the DPIA.
and reasonable purposes. Enforcement actions had been taken against
Day 5 - 4th May – What does it mean for
organisations as well as individuals for lax cyber
Singapore?
security procedures, unauthorized access and failure to take reasonable security measure in
"Uber's breach has affected a significant number of users in Singapore. The PDPC takes a serious view
document disposals.
GDPR applies to the processing of personal
a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) The monitoring of their behaviour as far as their behaviour takes place within the Union. – GDPR Article 3, Para 2- Territorial Scope.
By regulating the flow of personal data
of data breaches and is investigating whether Uber
among organisations, ultimately, PDPA also aims
What does it mean for Singapore organisations?
has breached the data protection provisions of the
to strengthen Singapore’s competitiveness and
A Singapore e-commerce trader whose website is
Personal Data Protection Act (PDPA)."
position.
available in English and other European languages,
- Singapore Privacy watchdog, the Personal
and ships products to customers in the EU, is
Data Protection Commission (PDPC) said in Dec 2017, when it was reported that Personal
likely considered to be offering goods in the EU. A Development of Singapore’s PDPA
information of 380,000 people here, including
Singapore online behavioural advertising network or analytic company that processes personal data
names, e-mail addresses and mobile phone
The development of Singapore’s PDPA takes
of say, a Singaporean living in EU to offer tailored
numbers, were exposed when Uber was hacked.
into account international best practices on data
promotions is considered monitoring data subjects
Australian Security Magazine | 47
Cyber Security - A Cyber week in London Part II
“The most significant risks to individual's personal info are now driven by the use of new technologies” – Elizabeth Denham at Turing Institute as part of the Turing GDPR event. Photo Credit: UK ICO Twitter Post 23rd March 2018
communication speeds and falling costs of data storage and processing, innovations in the areas of mass data collection, automatic processing, and algorithmic programming give rise to fraud detection, behavioral analytics, ubiquitous surveillance and so on. Leveraging off technology for the legitimate interests and benefits for the customers and businesses promotes economic growth. Confidence and trust in the technology to securely capture, store and use information is essential to achieving this aim. GDPR focuses organisations towards achieving this aim. While there are certainly short to mediumterm costs for organisations to achieve compliance, data protection should also be seen as enabler of technological progress. Elizabeth Denham summed this up at her keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21st November 2016, “I wanted to make the point that I do not believe data protection law stands in the way of technological progress. The theme of my speech was privacy and innovation, not privacy or innovation.”
in the EU. In short, the territorial scope of GDPR means
Wrap-up - Privacy and Innovation
that a Singapore organisation that shares data or sells products and services within the EU, or
On 4th May 2018, UK ICO issued an order requiring
process data subjects in EU will be subjected to
SCL Elections, the British affiliate of Cambridge
GDPR. Moreover, as GDPR requires EU data
Analytica, to turn over all of the data it collected
controllers to only appoint GDPR-compliant
about a US-based academic David Carroll, or face
processors, any Singapore organisation that provide
criminal charges.
data processing service to data controllers within the EU will need to ensure it is GDPR-ready.
48 | Australian Security Magazine
Sheer processing power and ‘big data’ are accelerating technological capabilities. With high
LEADING CYBER SECURITY SUMMIT FOR SHIPPING, PORTS, MARITIME AND OFFSHORE OIL & GAS INDUSTRIES GLOBALLY COMES TO SINGAPORE!
2nd CYBER SECURITY FOR MARITIME
A Cyber week in London Part II - Cyber Security
SUMMIT 2018
■ Main Summit: 13 & 14 November 2018
■ Post-summit Workshops: 15 November 2018
■ Pre-summit Workshops: 12 November 2018
■ Venue: Copthorne King’s Hotel Singapore
DISCUSS & SHARE INSIGHTFUL EXPERIENCES ON DEALING WITH ALL MARITIME CYBER THREATS!
WHAT IS SO “WOW” ABOUT THIS SUMMIT?
HACKING VS DEFENCE TECHNIQUES DEMONSTRATION →
How tools using Shodan expose SCADA system, Database and Servers to cyber risk?
→
How intruders attack web application to steal data and information?
WHO SHOULD ATTEND? Heads/Senior Managers/Managers/ Engineers/Project Managers of: ↘
Information Security / Information Technology
↘
Information Systems
↘
Infrastructure Security
↘
Security
↘
Operations
↘
Emergency Management/Services
↘
Harbour Masters
5 FEATURED WORKSHOPS AVAILABLE!
A
Future of Maritime Industry: Preparing Yourself for the Port Automation & Cyber Risk
B
Proven IT Protection Techniques: Testing Your Maritime IT Security System Against Cyber Threats
C
Unplanned Outages on GPS: Executing Immediate Response towards Jamming or Spoofing of Signals
D
Defence Technique: Experiencing the Latest Attack Methodologies and How they Work on Ransomware Scenarios, Malware Threats & Phishing Attacks
E
Disaster Recovery & Business Contingency Management: Step-byStep Guide to Prepare, Response and Recover Your Business Operations from Cyber-Attacks
Contact Us Today! PHONE +65 63760908
EMAIL enquiry@equip-global.com
WEBSITE www.equip-global.com/cyber-security-for-maritime-summit-2018
Researched & Developed by: Australian Security Magazine | 49
Cyber Security “Forging a Trust and open Cyberspace” was the theme of the Singapore International Cyber Week 2018, held at SunTec Singapore Convention & Exhibition Centre, 18th – 20th September 2018. Photo Credit: Cyber Security Agency of Singapore – Governmentware 2018
Internet of Threats
By Jane Lo ASM Correspondent
The Fourth Industrial Revolution characterized
Asia, (19th-20th September, Marina Bay Sands
IoTroop/Reaper infected Cisco, TP-Link routers,
by billions of interconnected devices with
Expo & Convention Centre), we learn more about
web cameras.
unprecedented processing power and storage
outages and denial-of-service, breach of digital
capacity underscores the digitalisation wave
data and other threats.
sweeping through modern societies.
The symptoms of the infection were not obvious - many users may not even be aware that their devices were compromised and participated in
The Mirai worm and other case studies
a botnet attack.
health wearables, home security cameras are
Mirai was identified as the malware that matched
– only, for example, mere inconveniences from
becoming increasingly common. Beyond this
the tactics, techniques and procedures in the Dyn
completing an Amazon transaction.
diverse collection of consumer devices are
attack, compromising hundreds of thousands of
commercial applications such as specialised
devices - home routers, security cameras, baby
medical or smart logistics equipment. And
monitors – and bringing down the web in 2016 for
interacting with these devices include cloud
about 8 hours.
Devices such as smart appliances (TVs, refrigerators) connected to our phones,
and cellular technologies powering the digital connectivity.
Some may argue there was no real damage
Mirai brute-forced logins to these devices
But in some cases, there are genuine safety threats. Kaspersky Lab (Natalia Khudoklinova), at Internet of Things World Asia, pointed to a pacemaker manufacturer recalled by the FDA (The
using dictionary attacks, exploiting simple default
Food and Drug Administration) in 2017, which
password settings on devices. Breached devices
revealed that almost half a million devices contain
devices introduces a dynamic and vast cyber
became equipped with the malicious program
potential cyber-security issues.
network. What’s more, the increasing density
and in turn scanned for new victims to be similarly
opens additional entry points for malware to
infected. And so, victim devices carrying the
user could "access a patient's device using
establish foothold and facilitates the spreading
malware multiplied, spreading the infection through
commercially available equipment" and could
of infection.
the cyberspace.
"modify programming commands to the implanted
The rapid expansion of interconnected
In this set-up, voluminous digital data poses
Crossing borders and jurisdictions, the infection
If left unpatched, the FDA said an unauthorized
pacemaker, which could result in patient harm
privacy issues. Security of the infrastructure
effectively built a botnet army from which the actual
from rapid battery depletion or administration of
is also a concern. These risks associated with
denial-of-service attacks were launched. This
inappropriate pacing."
interconnected devices or internet-of-things
botnet attacked by sending exhaustive requests to
(IoT) are also known as the “Internet of Threats”.
Dyn’s data centres to jam the servers’ bandwidth,
endpoints and telecommunication equipment often ignore the basic principles of cybersecurity”.
Exploits of IoT brings disruption. At the
rendering them inaccessible. Ultimately, the failure of
Singapore International Cyber Week (18th- 20th
these servers to respond to legitimate requests shut
September, SunTec Singapore Convention &
down 80 websites, including Amazon and Google.
Exhibition Centre) and Internet of Things World
50 | Australian Security Magazine
A year later, a more sophisticated worm
Kaspersky Lab said “the manufacturers of IoT
These included: “devices are provided with preset passwords”, “network security configurations are weak” and “device software is not always
Cyber Security
Identifying unknown IoT devices and anomalous traffic The recent NIST’s “Draft Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks“ highlighted that “an authorized administrator, process, or device can directly access a conventional IT device’s firmware, operating system, and applications, fully manage the device and its software throughout the device’s lifecycle as needed, and monitor the internal characteristics and state of the device at all times”. “In contrast, many IoT devices are opaque, often referred to as “black boxes.” They provide little or no visibility into their state and composition, including the identity of any external services and systems they interact with, and little or no access to and management of their software and configuration.” “The organization may not know what capabilities an IoT device can provide or is currently providing. In extreme cases, it may be difficult to determine if a black box product is actually an IoT device because of the lack of transparency.” Understanding vulnerabilities requires identifying the devices on the network. Without a doubt, the dynamism and rapid growth of IoT networks makes this an extremely tricky task. At the Singapore International Cyber Week, we spoke to the team behind NUS-Singtel Cyber Security Research & Development Laboratory’s, which is developing a security platform that allows service Internet of Things World Asia, 19th-20th September 2018, Marina Bay Sands Expo & Convention Centre. Photo Credit: TechXLR8 Asia
providers to monitor, detect, and mitigate threats and unusual cyber activities in the IoT network. With the Zero Touch profiling, powered by Device Fingerprinting Technique (DEFT), and IoT security analytics capabilities developed by the team, potentially thousands of IoT devices connected to the network could be identified and tagged. Anomalous traffic originating from and targeting these devices can be monitored and tracked, and unfamiliar devices are flagged to security analysts for investigation.
“Elementary security mistake” - weak passwords The UK government recently released a “Secure by Design: Improving the cyber security of consumer Singapore International Cyber Week (SIWC) 2018. Opening address by Guest-of-Honour Mr. Teo Chee Hean, Deputy Prime Minister and Coordinating Minister for National Security, Singapore. Photo Credit: SICW 2018
Internet-of-Things Report”, focusing on the “Code of Practice for Industry on Consumer IoT”. One of its key proposals is “No default passwords – All IoT device passwords must be
updated, meaning devices run for years without
the safe execution of IoT system tasks, Kaspersky
unique and not resettable to any universal factory
updates and remain vulnerable to cybercriminal
Lab added.
default value”.
activity.” The need for IoT cybersecurity standards is
Often, complicating the challenges is that
It said: “many IoT devices are being sold
IoT devices run on processors that can cost a
with universal default usernames and passwords
clear. Standards bodies will need to classify IoT
mere fraction of a standard laptop – but unlike a
(such as “admin, admin”) which are expected to
security issues, examine potential threats, and
laptop, IoT devices do not have the memory and
be changed by the consumer. This has been the
determine how cybersecurity measures can support
processing to be secured properly.
source of many security issues in IoT and the
Australian Security Magazine | 51
Cyber Security
“user didn’t change the default password” story”. “Modern life depends on properly functioning IoT devices that are available when you need them, have integrity so you can trust them, and are confidential so they aren’t haring critical data with the wrong (nefarious) people. These basic principles of security were overlooked in the development of most IoT devices”. “Elementary security mistakes like allowing brute force attacks, default (sometimes hardcoded) admin credentials, allow operators can to launch an attack that takes out global Internet infrastructure”.
“Concerted Efforts” The complexity of IoT with the sheer number and variety of service providers, devices, firmware and software raises questions: To what extent can security control be shared? If something goes wrong, who’s responsible for the real-world effects? The role of standards, trust labels, regulations play a role in setting out a framework. For examples, the EU Cybersecurity Certification practice needs to be eliminated. Best practice
gain access to movements of these critical public
Scheme, the NIST draft Considerations for
on passwords and other authentication methods
services vehicles.
Managing Internet of Things (IoT) Cybersecurity
should be followed.” F5 Networks, Inc (Justin Shattuck, Principal
“We knew their routes to and from work, could watch as they responded to dispatch calls, and
and Privacy Risks highlight the considerations in establishing cybersecurity and privacy baselines.
Threat Researcher), at the SICW Internet of Things
could learn their patrol patterns. We could use
Security talk, highlighted the extreme vulnerability
sensitive information in the device configuration to
be deployed by 2020, the urgency to implement
of many emergency services vehicles due to use
infiltrate the networks these devices connected to,
security controls cannot be greater. This,
of onboard devices where security weaknesses
and possibly manipulate data. In the wrong hands,
Kaspersky labs said, required “concerted efforts”
– specifically through default login / password -
the information could be deadly.”
from “end device manufacturers; telecom device
expose sensitive details such as GPS coordinates. From tracking vehicles in real-time to identifying
Crucially he said “exploiting these devices is
With estimates of billions of IoT devices to
manufacturers; vendors of the basic hardware for
not done through a typical hardware or software
IoT and telecom devices; telecom service providers;
residential address in precincts where police
vulnerability. There is no weakness in the software to
application service providers in the IoT sphere;
officers took their vehicles home after shift end,
exploit. There’s no hacking of the hardware. This is a
system integrators working in the sphere of IoT and
external parties monitoring the GPS coordinates
weak admin user authentication exploit—the age-old
connected devices.”
52 | Australian Security Magazine
AUCKLAND | 27-29 November 2018 The Enterprise Digital Transformation New Zealand conference brings together leaders from a variety of industries to identify opportunities to develop digital capabilities for better customer service, engagement and delivery. Attendance at this timely event will give your digital transformation project the best chance of success. The event will include insightful case studies and interactive panel sessions covering the most pressing questionson digital transformation delivered by 25+ industry leaders.
QUOTE IT-10 WHEN REGISTERING TO RECIEVE 10% OFF YOUR TICKET PRICE
+64 9 890 9450
www.dte-nz.aventedge.com info@aventedge.com Australian Security Magazine | 53
TechTime - latest news and products
To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au
Latest News and Products
UNSW have developed a free app to collect eye witness accounts of crime iWitnessed was designed to help collect and preserve evidence about events you have experienced. It has a lot of useful features to help witnesses and victims of an incident: iWitnessed has been designed by Psychological scientists who are experts in eyewitness memory and police interviewing.
iWitnessed can be used for any type of event, ranging from traffic accidents to terrorism. It can also be used to document both one-off and recurring events. You can enter information as text or record your spoken responses if you prefer. You can add images such as photographs (e.g., of
location. If you are concerned about security you can choose to protect your entries with a PIN code. The information is stored on your device until you choose to send it to someone by email. iWitnessed provides direct links to
iWitnessed uses a guided recall procedure that has been designed to maximise the value of the information recorded while also helping protect your memory of the event.
people, places or injuries) or screenshots (e.g. of text messages, social media or emails). If you are online and give approval, each entry is ‘stamped’ with the date, time, and GPS
support services and information about the psychological effects of trauma. For more information visit https://sydney. edu.au/science/psychology/iWitnessed/
Milestone systems opens new regional headquarters in Melbourne Milestone Systems has opened a new office in Melbourne. The move follows the recent announcement of several new recruits to the Australian team and a global decree to increase innovation capacity by 45 percent by 2019 year-end. Milestone Systems’ new office is now the largest space dedicated to VMS in the country. It will be followed by a significant new innovation for the video and surveillance community, to be announced in early October. “The new office is purpose-designed to be open and accessible, much like our software. It is a modern, practical and functional space that also invites our partner community and guests into our professional world by being open
and welcoming,” said Jordan Cullis, Country Manager, South Pacific, Milestone Systems. The new space is now fully-functional and will be officially opened on October 3rd, when regional and global executives from Milestone Systems fly in to participate in the opening ceremony. Partners, customers and resellers will be welcomed by the Milestone Systems team and guests will be introduced to the latest major partner development – a world-first in the VMS space. “We have a lot of things moving in ANZ, momentum has built up significantly across a lot of different markets and we are keeping pace with that by expanding our team and resources. The growth is only going to escalate over the
coming months, and this office opening marks a significant investment to match that upward curve,” said Cullis. Milestone Systems’ new office is located at A5/8 Rogers St, Port Melbourne. About Milestone Systems Milestone Systems is a global industry leader in open platform IP video management software, founded in 1998 and now operating as a standalone company in the Canon Group. Milestone technology is easy to manage, reliable and proven in thousands of customer installations,
Hills boosts security business with new appointments Hills has recruited a raft of new sales talent to boost its security business across Australia and New Zealand (ANZ), naming Gary Hickey and Cliff Simons as the Regional Sales Managers for New South Wales/ACT and Victoria/Tasmania respectively. In addition, seven new account managers have been appointed across ANZ.
54 | Australian Security Magazine
“Cliff Simons joins Hills as Regional Sales Manager for Victoria/Tasmania” Simons returns to Hills after working for Hikvision Australia and Q Security Systems. Having worked in the security sector for over 20 years, Simons brings a wealth of industry experience and a vast catalogue of contacts to
the role. Hickey joins Hills after 6 years at Central Security Distribution Pty Ltd, and with twenty years’ experience in the industry, comes to the business with a strong background in enterprise level negotiations and a deep understanding of the Australian security landscape. Both Simons
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
and Hickey are tasked with accelerating Hill’s growth aspirations and ensuring continued sales momentum of exclusive vendor products including Genetec and United Technologies Corp (UTC). In addition to Simons and Hickey, Hills has also recruited seven new account managers across ANZ, including Troy Mercy, Peter Pereira and Dale Simons in Victoria/Tasmania, Ricardo Fernandez and Kevin Baik in NSW, Gavin Aquino in Western Australia, and Scott Hamilton in New Zealand. Hills CEO and Managing Director, David Lenz, said the appointment of new staff strengthened the sales capacity for the company’s security, surveillance and IT business. “Hills is investing heavily in people, processes and technology to deliver exceptional customer service,” Lenz said. “After achieving sales revenue growth in the security business over the last financial year, it’s important to maintain the momentum and invest in our sales staff to ensure we maintain our position as ANZ’s largest building security technology distributor,” he said.
“Hills Head of Security, Surveillance, IT and ATV, Roger Edgar welcomes Gary Hickey to Hills as Regional Sales Manager for NSW/ACT.” Hills Head of Security, Surveillance, IT and ATV, Roger Edgar, said the scope and expertise of the new appointments indicated Hills intent to secure new business and maintain its market leading position. “On the back of our success in winning major enterprise infrastructure projects over the
past 12 months we’ve sought to recruit a highly engaged team that builds upon existing talents, while growing specialist capabilities so we can provide purpose-built solutions across key verticals,” Edgar said. “The experience and insight that the new team brings will complement our online capabilities and lead the charge as we identify and develop opportunities for our partners to increase sales and grow market share.”
HID Global acquires crossmatch to expand in biometric identity management HID Global has acquired Crossmatch, a leader in biometric identity management and secure authentication solutions, from Francisco Partners. Crossmatch’s portfolio of products includes biometric identity management hardware and software that complement HID’s broad portfolio of trusted identity products and services, making HID Global one of the world’s major providers of fingerprint biometric technologies. Our acquisition of Crossmatch strengthens HID Global’s ability to offer innovative biometric identity solutions to hundreds of millions of users worldwide,” said Stefan Widing, President and CEO of HID Global. “Adding Crossmatch to our company will extend HID’s market leadership in the trusted identity space and allow us to fulfill the promise of biometrics in critical identity applications.” Founded in 1996 and based in Palm Beach Gardens, Florida, Crossmatch employs over 270 professionals across a global network of development hubs and strategic sales offices. With the acquisition, HID Global gains industry-leading biometric identity management solutions for civil government, defense and commercial applications, as well as a secure multifactor authentication software solution. Crossmatch’s public-sector biometrics business enhances HID’s reach into immigration
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
and border control, law enforcement, and military and defense markets with products and solutions that include criminal booking, rapid mobile identification, background checks, security clearance processing, military base access, counter-terrorism and mobile intelligence gathering, visa processing and citizen services. The Crossmatch commercial biometrics business extends HID’s portfolio to include a broad array of single finger readers, modules, sensors and software developer kits (SDKs) for multiple vertical markets including – retail, financial, healthcare and OEM markets. This is a global business supporting a large volume of integrated partners. Crossmatch is also a leading provider of single fingerprint sensors to point-of-sale (POS) terminal manufacturers and is integrated with the major POS software applications. HID also gains a unique secure authentication solution, DigitalPersona, that goes beyond the traditional multifactor approach to cybersecurity. DigitalPersona adds an array of risk-based factors, including behavioral biometrics, for secure, frictionless access to Windows and cloud, web, mobile and traditional applications. “I am very pleased that Crossmatch is joining the HID family. Countering today’s
advanced security threats requires innovative, comprehensive identity management solutions incorporating both biometric and non-biometric components. Our market-leading biometric identity management solutions and unique composite authentication solution perfectly complement HID’s already robust offerings. This will enable us to provide our global customers with an even broader range of trusted identity solutions, and our employees with increased opportunity for professional growth,” said Richard Agostinelli, CEO of Crossmatch. About Crossmatch Crossmatch® solutions solve security and identity management challenges for hundreds of millions of users around the world. Our proven DigitalPersona® composite authentication software is designed to provide the optimal set of authentication factors to meet today’s unique risk requirements and afford complete enterprise authentication coverage. Crossmatch identity management solutions include trusted biometric identity management hardware and software that deliver the highest quality and performance required for critical identity applications. Our solutions support the financial, retail, commercial, government, law enforcement and military markets in over 80 countries.
Australian Security Magazine | 55
TechTime - latest news and products
Patented technology puts Senstar at the forefront of pipeline leak detection Senstar is pleased to announce the FiberPatrol FP7000 system which enhances integrity management programs for both gas and liquidcarrying pipelines by providing early detection of leaks and third-party interference (TPI), and offers distinct performance advantages over other systems on the market. FiberPatrol FP7000 can also be used for fence-mounted intrusion detection. “Senstar products have been protecting critical above-ground infrastructure for the oil and gas industry for over 35 years, so it was a logical progression to apply our technologies to underground infrastructure,” said Product Manager Stewart Dewar. “We can now offer complete and integrated end-to-end pipeline security solution to customers in this market.” Using patented technology, the FP7000 allows for detection and location of small leaks faster and more accurately than traditional flow and pressure-monitoring solutions or other fiber-based solutions. Senstar Symphony VMS 7.1 Now Available Senstar has released the newest version of its Symphony video management software. The award winning Senstar Symphony delivers an all-in-one solution for video management, video analytics, perimeter intrusion detection system integration, and alarm management for deployments of all sizes. Key highlights: HTML5-based viewing client for live video, playback and alarm log Improved integration with Senstar perimeter intrusion detection sensors
New integrations such as Bosch alarm panel (B9512G) & S2 access control Out-of-box support for iOS and Android clients Updated Business Intelligence Reports BETA version of automatic license plate recognition detecting EU plates without requiring hardware dongle Video retention included in Enterprise Manager health packet, allowing users to see video storage indays across enterprise deployments Customers upgrading from a previous version of Aimetis Symphony will experience the new Senstar branding. New installations of Symphony will also be Senstar branded.
and operation of the electric grid distribution system. Requirement R5 mandates that operators implement physical security measures designed to collectively Deter, Detect, Delay, Assess, Communicate, and Respond to potential threats and vulnerabilities. Senstar, with its wide portfolio of perimeter intrusion detection sensors and video management software, can provide effective, field-proven solutions that assist operators in satisfying NERC CIP-014 recommendations. Check out Senstar’s new NERC CIP-014 compliance guide to see how individual Senstar products can be used to address specific security concerns.
Thin Client Videos Instructional Videos Now Available
Upcoming Training
Senstar’s Thin Client™ is a PC alternative designed to easily display 1080p video from 30+ network video manufacturers, as well as digital signage. To assist users, Senstar has produced five instructional videos which explain how to use the Thin Client as a standalone video decoder, how to use it with Symphony and video wall applications, and how to troubleshoot common issues. Helping Electrical Utilities to Address NERC CIP-014 Requirements The purpose of the NERC CIP-014 reliability standard is to protect electrical facilities from physical attacks that could threaten the stability
Senstar provides technical training for our Perimeter Intrusion Detection Systems (PIDs) and Video Management Systems (VMS) and analytics products. Classes are designed for new and existing system integrators, distributors, system administrators, and end users. They cover the design, installation, setup, and troubleshooting of our products in a handson classroom setting. Security Digest is dedicated to providing useful information about physical security. Written by Senstar’s industry experts, the posts cover a range a subjects related to perimeter intrusion detection, video management and analytics, personal duress, and cyber security. Visit Security Digest weekly to see new posts.
Seagate unveils industry’s most advanced 14TB data storage portfolio New feature-rich drives provide unmatched performance, allowing customers to maximise the value of their data Seagate Technology has launched the industry’s widest range of advanced 14TB hard drives, enhancing the company’s enterprise and specialty drive portfolio. Consisting of IronWolf® and IronWolf® Pro for network attached storage (NAS) applications, the BarraCuda® Pro desktop drive, surveillance-optimised SkyHawk™, and Exos™ X14 for hyperscale data centres, this purpose-built portfolio empowers customers to consume, manage and utilise digital data more effectively and efficiently
56 | Australian Security Magazine
while establishing new benchmarks in speed and capacity. With this offering, Seagate continues to lead the industry in driving data storage technology toward a lower cost per terabyte through hard drive optimisation, versatility of application, and unmatched capacity. Whether for personal use, creative and design computing, online gaming, or large-scale surveillance systems and hyperscale environments, Seagate drives are opening up new data management opportunities across a wide range of markets. “Data protection, management and archiving are no longer strictly the realm
of IT departments, but are now essential responsibilities for business owners, creative professionals, online gamers and PC users alike,” said Matt Rutledge, senior vice president of devices at Seagate. “We understand the critical nature of data in unlocking opportunities to efficiency. From the largest data centre to the personal user, our goal is to ensure every customer can access, store and transfer data quickly and reliably, whenever they need it and wherever they are.” IronWolf-Pro_MO-B_14TB_NE0008_HeroLeft_Hi-ResIronWolf & IronWolf Pro 14TB – the leader in NAS
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
TechTime - latest news and products
IronWolf and IronWolf Pro drives have continued to push boundaries for NAS applications, providing best-in-class reliability and performance for always-on environments. Trusted by the world’s top NAS vendors, IronWolf drives are built with multi-user environments in mind, which allows a workload rating up to 300TB/year allowing users to do more with their data and their NAS. The drives are optimised with AgileArray™ firmware for NAS servers to provide the customer with a host of benefits including: RAID performance, dual-plane balance, rotational vibration (RV) sensors, advanced power management and error recovery control. Additionally, customers get peace of mind with Seagate IronWolf Health Management and 2-year Seagate Rescue Data Recovery Services.* Health Management embedded analysis and recovery software works seamlessly with key NAS partner systems, providing comprehensive status updates and drive health analysis, allowing customers to be preventative, not just reactive. IronWolf and IronWolf Pro drives feature a 3-year and 5-year limited warranty respectively. “For many companies, data storage has become one of the fastest-growing parts of their IT infrastructure. Synology users will be excited by the new Seagate 14TB IronWolf drives,” said Vincent Tsai, product marketing manager at Synology Inc. “By collaborating seamlessly, Seagate and Synology deliver a reliable storage and backup solution for businesses to safeguard their valuable data.” BarraCuda14TB_Image_FrontBarraCuda Pro 14TB – versatile desktop performance As a result of the exponential rise of online interactions across a host of industries, and the constant demand for higher productivity, the BarraCuda Pro 3.5-inch HDD continues to offer professionals an ideal storage solution for desktop workstations or direct attached storage (DAS) systems. Creative professionals, small businesses and IT staff all have a need for large amounts of data to be delivered efficiently and protected properly. The BarraCuda Pro delivers industryleading 7200 RPM spin speed, along with 250mb/s data transfer rates and up to 256MB of cache, the highest available today, powered by Seagate’s Multi-Tier Caching Technology™ (MTC), delivering effortless performance in a massive 14TB of storage. Whether it be data-intensive editing of 8k video or the transfer of large files to an attached backup, the BarraCuda Pro gives customers speed, versatility and durability at an affordable cost, as well as the support of a 5-year limited warranty.
Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media
SkyHawk14TB_ FrontSkyHawk 14TB – optimised for surveillance The surveillance industry is rapidly evolving and the demand for higher video resolution, analytics, and longer retention requires much greater storage capacities. Seagate SkyHawk drives provide the optimum combination of performance, high capacity and reliability, the three most important needs for surveillance customers and integrators. With the ability to store over 9000 hours of HD video and up to 64 HD cameras,** the SkyHawk 14TB is optimised for DVRs and NVRs, tuned for 24/7 workloads, and equipped with ImagePerfect™ firmware to minimise dropped frames and downtime. Supported by a 3-year limited warranty, customers can also benefit from unique SkyHawk Health Management technology that actively monitors and analyzes drive health, empowering users to prevent, intervene and recover from potential anomalies. EXOS-X14_MO-B_14TB_NM0428_HeroLeft_Hi-ResExos X14 – hyperscale ready Built for the efficiency, reliability and security demands of the world’s most advanced hyperscale data centeres, Exos X14 drives offer enhanced areal density to deliver higher storage capabilities in a compact 3.5-inch form factor. Combined with the industry’s lowest power consumption and best performance in its class, the Exos X14 enables data centers to maximise storage capabilities while reducing complexity and operational costs. As the need for hyperscale and cloud storage increases exponentially, Seagate’s new Exos X14 drives deliver 40% more petabytes per rack compared to Exos 10TB drives, while maintaining the same small footprint. The helium-based Exos X14 also provides a 10% reduction in weight versus air nearline drives, and flexible formatting for wider integration options and support for a greater number of workloads. Exos X14 also ships in a modular enterprise system (Exos E 4U106) for easy scaling up to an unprecedented 1.4PB density. Anticipating global security demands, Exos X14 drives feature “always-on” Seagate Secure™ protection, effectively encrypting all data without performance degradation. Exos
X14 drives offer a 5-year limited warranty, and are designed to meet US Government Federal Information Processing Standard (FIPS) 140-2, Level 2 Security certification, as well as the Common Criteria for Information Technology Security Evaluation (CC) ISO/EIC 15408 compliance standard. The IronWolf and IronWolf Pro 14TB are now available in Australia at an MSRP of AU$889 and $979 respectively. Local availability and MSRP are TBA for the BarraCuda Pro 14TB, the SkyHawk 14TB and the Exos X14. You can find more information on Seagate’s new 14TB products at: https://www.seagate. com/internal-hard-drives/hdd/ *Seagate Rescue & Data Recovery Services available on IronWolf Pro version only. **Calculation based on H.264, 1M pixels, medium quality, 15FPS, 1 camera, and 24 hours of recording/day. About Seagate Seagate creates space for the human experience by innovating how data is stored, shared and used. Learn more at www.seagate. com. Follow Seagate on Twitter, Facebook, LinkedIn, Spiceworks, YouTube and subscribe to our blog.
Australian Security Magazine | 57
BOOK REVIEW | by CHRIS CUBBAGE This book starts at 2:30am. Waking to the news of a serious cyber security breach, this is a time as a Director or Executive you are best already prepared, rather than scrambling to get with the cyber jargon and have the first read of the Notifiable Data Breach legislation. There are new obligations and an ever increasing expectation on companies and organisations subject to the Privacy Act to get the response right. “In today’s highly and widely connected world no one is fully prepared. We need more books like this to lift our cyber resilience.” - David Spence, Chairman PayPal Australia
THE CYBER BREACH COMMUNICATION PLAYBOOK By Peter Coroneos and Michael Parker
As a ‘playbook’, the authors have set out to provide clear guidance of a practical nature, so that if organisations are faced with, say a ransomware demand, they have a decision-making framework to help ask the right questions. Providing a ready-made communication strategy, with sample statements for media and social media, and an internal capability in place that is based on ethics, openness and maintenance of public trust – this is a playbook best kept at the bedside just in case the early morning call does come in. The book delivers on equiping Boards with a rapid and competent decision making guideline – “asking the right questions is 80% of getting the right solution.” And if you were going to seek advice, then the authors, Peter Coroneos and Michael Parker have the experience and qualifications to call on with confidence. "Cybercrime is a genuine existential threat to all of the organisations upon which our economy depends. This extremely useful playbook is a weapon for the good guys and should be compulsory reading for all executive and non-executive leaders." - Justin Milne, Chairman MYOB Holdings and Netcomm Wireless The Cyber Breach Communications Playbook is set out in a straight-forward, easy to understand format with a focus on ‘The Context’, namely the cyberthreat landscape, ‘Best Practice Communication Model’, with the internal and external postures and decision-making framework, and then provides an assessment of recent case studies. The latter could be invaluable to many executives, as it includes the evaluation methodology and ten grade criteria in which they are most likely to be judged. These are best to get right to avoid ending up in playbooks of the future. Case studies kick off with the infamous Census DDoS attack, followed by Uber, Equifax, Australian Electoral Commission, Ticketmaster,
58 | Australian Security Magazine
Geoscience Australia, Republican National Convention, Target, Ashley Madison, TalkTalk, Yahoo, JP Morgan Chase & Co, Verizon and Pageup – quite the list! With six conclusions, one is drawn back to the start of the book to read a second time and ensure it’s understanding – best heed these, as follows; 1. Breaches will be reported by the media irrespective of your posture or preparedness. 2. The C-suite will be called to account and resignations often follow a large and poorly handled attack. 3. Brand and reputational damage can translate to major write-downs in valuation – and if you’re in the unfortunate position of being involved in a merger or acquisition at the time, expect headlines to be used as a huge negotiating lever against you. 4. The attacks which have occurred in the case studies were not particularly sophisticated not hard to prevent. 5. The cost of the damage far outweighs any investments in better security practices and communication preparedness that could or ought to have been taken. 6. In the end, the examples provided were all failures of governance. Boards are on notice that community, stakeholder and regulatory expectations are for the better performance all round. Watch out for out ‘Playbook’ giveaways and will be available on mysecuritymarketplace.com
BOOK REVIEW | by CHRIS CUBBAGE
CHASING DIGITAL A PLAY BOOK FOR THE NEW ECONOMY By Anthony Stevens and Louis Strauss
Anthony Stevens
A
uthors Anthony Stevens and Louis Strauss are both KPMG alumni who were inspired to write Chasing Digital after watching pre-digital incumbents (companies formed prior to the digital age) struggle with the colossal task of digital transformation. Outlining a comprehensive and detailed framework, this book is designed to help leaders redesign their organisation from the bottom up by leveraging their strengths to create a new competitive advantage in the digital economy. The book is roughly divided into three parts. In part one, you’ll discover how to lay the foundations of transformation. Anthony and Louis explain how to develop a considered strategy, grow a conducive culture and build a receptive organisational design. Then in part two, the focus shifts to building core digital capabilities. This involves taking advantage of data, harnessing artificial intelligence and embracing appropriate platforms. Finally, in part three, you’ll learn how to adapt the accelerators of change. Namely, navigating board expectations, mitigating potential roadblocks and making the right investments. All in all, this unique playbook will give you the tools and mindsets needed to not only survive but to thrive, and leave a legacy for future leaders and future generations. In a nutshell, you’ll learn how to: • Integrate technology into your business strategy and culture • Prioritise and manage your company’s digital transition • Create opportunities for fast and intentional digital growth • Learn how to minimise friction
with stakeholders Chasing Digital is a no-nonsense book that shows you how to cut through the jargon and hype, and focus on what is critical to undertaking a truly successful, companywide, digital transformation. In a world where digital is changing everything, Chasing Digital will help your organisation transition beyond old business models to adopt the new digital paradigm and a new era of business. Embrace the chase.
Australian Security Magazine | 59
OUR MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.
Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies
Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications
Your one-stop shop for all things CCTV, surveillance and detection technologies
The regionâ&#x20AC;&#x2122;s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations
Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 30 interviews and provides regularly updates, news, trends and events. Available via Apple & Android
E TUN IN ! NOW